author | Peter Palfrader <peter@palfrader.org> | 2016-02-03 13:16:02 +0000 |
---|---|---|
committer | Peter Palfrader <peter@palfrader.org> | 2016-02-03 13:16:02 +0000 |
commit | 17828dfb598b927752a75ff1f56c7fed863d194e (patch) | |
tree | 177f75204032390a228ce567a5107251e3f70d77 /etc | |
parent | f79e3a2077f60fb979d62299351187a6a91ca92a (diff) |
Also support socat, and document that both stunnel4 and socat in their current versions are horrible
Diffstat (limited to 'etc')
-rw-r--r-- | etc/ftpsync.conf.sample | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/etc/ftpsync.conf.sample b/etc/ftpsync.conf.sample index d58fbaf..7b8c81c 100644 --- a/etc/ftpsync.conf.sample +++ b/etc/ftpsync.conf.sample @@ -31,14 +31,26 @@ ## If we need a user we also need a password #RSYNC_PASSWORD= -## Set to "true" to tunnel your rsync through stunnel. Requires that stunnel4 be -## available in PATH. ftpsync will then create an stunnel config file and use -## rsync's -e to connect to RSYNC_SSL_PORT on the remote site. (This requires -## server support, obviously.) The presented certificate is checked by stunnel -## against the certificate authorities in RSYNC_SSL_CAPATH. +## Set to "true" to tunnel your rsync through stunnel. +## +## ftpsync will then use rsync's -e option to wrap the connection +## with bin/rsync-ssl-tunnel which sets up an stunnel to connect to +## RSYNC_SSL_PORT on the remote site. (This requires server +## support, obviously.) +## +## ftpsync can use either socat or stunnel4 to set up the encrypted +## tunnel. +## o Note that stunnel will not verify the peer certificate's name +## (It will check that it's a valid certificate signed by a CA, but not +## if it is actually for the host you want to connect to.) +## o socat will verify the peer certificate name only starting with version +## 1.7.3 (Debian 9.0). +## To test if things work, you can run +## RSYNC_SSL_PORT=1873 RSYNC_SSL_CAPATH=/etc/ssl/certs RSYNC_SSL_METHOD=socat rsync -e 'bin/rsync-ssl-tunnel' <server>:: #RSYNC_SSL=false #RSYNC_SSL_PORT=1873 #RSYNC_SSL_CAPATH=/etc/ssl/certs +#RSYNC_SSL_METHOD=socat ## In which directory should logfiles end up ## Note that BASEDIR defaults to $HOME, but can be set before calling the |
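Review bot: The new `#RSYNC_SSL_METHOD=socat` line at the end of the hunk has no comment of its own saying which values it accepts or which tool is used when it is left unset. The text above only implies the choices are socat and stunnel4, so please add a line such as `## RSYNC_SSL_METHOD selects the tunnel program: socat or stunnel4`. The opening sentence still reads "tunnel your rsync through stunnel" and the next paragraph says the wrapper "sets up an stunnel", which no longer matches a sample that supports socat. The rewrite also drops the old sentence explaining that the presented certificate is checked against the certificate authorities in RSYNC_SSL_CAPATH, so that variable is now documented only through the test command. Since the two bullets say stunnel never checks the peer certificate's name and socat does so only from version 1.7.3, it would help to state the consequence for the operator directly: with stunnel4, or socat older than 1.7.3, any certificate signed by a CA in RSYNC_SSL_CAPATH is accepted regardless of which host it was issued for.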