From: Wayne Davison
Date: Mon, 15 Jun 2020 16:51:20 +0000 (-0700)
Subject: Choose openssl before stunnel.
X-Git-Tag: v3.2.0pre2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=628dcceb8daf6aa2cf79bb03dfd22d36f97561e2;p=thirdparty%2Frsync.git

Choose openssl before stunnel.
---
diff --git a/rsync-ssl b/rsync-ssl
index 4f0e86ba..f520d5dd 100755
--- a/rsync-ssl
+++ b/rsync-ssl
@@ -1,6 +1,6 @@
 #!/bin/bash
-# This script supports using stunnel or openssl to secure an rsync daemon connection.
+# This script supports using openssl or stunnel to secure an rsync daemon connection.
 # By default this script takes rsync args and hands them off to the actual
 # rsync command with an --rsh option that makes it open an SSL connection to an
@@ -31,7 +31,7 @@ function rsync_ssl_run {
 function rsync_ssl_helper {
 if [[ -z "$RSYNC_SSL_TYPE" ]]; then
- found=`path_search stunnel4 stunnel openssl` || exit 1
+ found=`path_search openssl stunnel4 stunnel` || exit 1
 if [[ "$found" == */openssl ]]; then
 RSYNC_SSL_TYPE=openssl
 RSYNC_SSL_OPENSSL="$found"
@@ -71,6 +71,9 @@ function rsync_ssl_helper {
 # openssl: caopt="-verify_return_error -verify 4"
 # stunnel:
+ # Since there is no way of using the default CA certificate collection,
+ # we cannot do any verification. Thus, stunnel should really only be
+ # used if nothing else is available.
 cafile=""
 verify=""
 elif [[ "$RSYNC_SSL_CA_CERT" == "" ]]; then
@@ -147,7 +150,7 @@ function path_search {
 if [[ "$#" == 0 ]]; then
 echo "Usage: rsync-ssl [--type=SSL_TYPE] RSYNC_ARG [...]" 1>&2
- echo "The SSL_TYPE can be stunnel or openssl"
+ echo "The SSL_TYPE can be openssl or stunnel"
 exit 1
 fi
diff --git a/rsync-ssl.1.md b/rsync-ssl.1.md
index c16b9657..ff4913c2 100644
--- a/rsync-ssl.1.md
+++ b/rsync-ssl.1.md
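Review bot: When RSYNC_SSL_TYPE is unset and no openssl is on the PATH, the new `found=\`path_search openssl stunnel4 stunnel\` || exit 1` line in rsync_ssl_helper falls through to stunnel silently, and the comment added a few lines later in the same function states that the stunnel path performs no certificate verification, so the connection is downgraded to encryption-only without the user being told at run time. A one-line notice on the stunnel branch, which continues past this hunk, would make the downgrade visible, e.g. `echo "rsync-ssl: openssl not found; using $found, which cannot verify the server certificate" 1>&2`. The same line still uses backticks; `found=$(path_search openssl stunnel4 stunnel) || exit 1` is the form ShellCheck expects and nests cleanly. The body of rsync_ssl_helper starts and ends outside the hunk.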
@@ -17,7 +17,7 @@ that requires ssl connections.
 If the **first** arg is a `--type=SSL_TYPE` option, the script will only use that particular program to open an ssl connection instead of trying to find an
-stunnel or openssl executable via a simple heuristic (assuming that the
+openssl or stunnel executable via a simple heuristic (assuming that the
 `RSYNC_SSL_TYPE` environment variable is not set as well -- see below). This option must specify one of `openssl` or `stunnel`. The equal sign is required for this particular option.
@@ -41,17 +41,12 @@ The ssl helper scripts are affected by the following environment variables:
 certificate to use for the connection.
 0. `RSYNC_SSL_CA_CERT` If specified, the value is a filename that contains a certificate authority certificate that is used to validate the connection.
-0. `RSYNC_SSL_STUNNEL` Specifies the stunnel executable to run when the
- connection type is set to stunnel. If unspecified, the $PATH is searched
- first for "stunnel4" and then for "stunnel".
 0. `RSYNC_SSL_OPENSSL` Specifies the openssl executable to run when the connection type is set to openssl. If unspecified, the $PATH is searched for "openssl".
-
-# CAVEATS
-
-Note that using an stunnel connection requires at least version 4 of stunnel,
-which should be the case on modern systems.
+0. `RSYNC_SSL_STUNNEL` Specifies the stunnel executable to run when the
+ connection type is set to stunnel. If unspecified, the $PATH is searched
+ first for "stunnel4" and then for "stunnel".
 # EXAMPLES
@@ -63,6 +58,14 @@ which should be the case on modern systems.
 **rsync**(1), **rsyncd.conf**(5)
+# CAVEATS
+
+Note that using an stunnel connection requires at least version 4 of stunnel,
+which should be the case on modern systems. Also, it does not verify a
+connection against the CA certificate collection, so it only encrypts the
+connection without any cert validation unless you have specified the
+certificate environment options.
+
 # BUGS
 Please report bugs! See the web site at .