-rwxr-xr-xbin/ftpsync2
-rwxr-xr-xbin/rsync-ssl-tunnel16
-rw-r--r--etc/ftpsync.conf.sample17
3 files changed, 25 insertions, 10 deletions
diff --git a/bin/ftpsync b/bin/ftpsync
index c96f8f5..2242cfe 100755
--- a/bin/ftpsync
+++ b/bin/ftpsync
@@ -487,7 +487,7 @@ done
RSYNC_SSL=${RSYNC_SSL:-"false"}
RSYNC_SSL_PORT=${RSYNC_SSL_PORT:-"1873"}
RSYNC_SSL_CAPATH=${RSYNC_SSL_CAPATH:-"/etc/ssl/certs"}
-RSYNC_SSL_METHOD=${RSYNC_SSL_METHOD:-"socat"}
+RSYNC_SSL_METHOD=${RSYNC_SSL_METHOD:-"stunnel4"}
if [[ true != ${RSYNC_SSL} ]]; then
RSYNC_SSL_OPTIONS=""
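Review bot: The new default `stunnel4` on the replaced line silently ties ftpsync to a stunnel build that accepts `checkHost` (the sample config in this commit states stunnel4 >= 5.15 on OpenSSL 1.0.2), and nothing in the script itself records that; an installation with an older stunnel will presumably have the tunnel refuse its generated config rather than fall back. Failing closed is the right outcome for a hostname check, but the default deserves a comment so an operator seeing a tunnel failure knows the alternatives, e.g. `# stunnel4 requires a build with checkHost (>= 5.15); set stunnel4-old or socat otherwise` above the assignment. The same default is repeated in bin/rsync-ssl-tunnel; the comment applies there too.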
diff --git a/bin/rsync-ssl-tunnel b/bin/rsync-ssl-tunnel
index 82fb9eb..d0daaf7 100755
--- a/bin/rsync-ssl-tunnel
+++ b/bin/rsync-ssl-tunnel
@@ -39,13 +39,16 @@ fi
RSYNC_HOST="$1"; shift
RSYNC_SSL_PORT=${RSYNC_SSL_PORT:-"1873"}
RSYNC_SSL_CAPATH=${RSYNC_SSL_CAPATH:-"/etc/ssl/certs"}
-RSYNC_SSL_METHOD=${RSYNC_SSL_METHOD:-"socat"}
+RSYNC_SSL_METHOD=${RSYNC_SSL_METHOD:-"stunnel4"}
method_stunnel() {
+ skip_host_check="$1"; shift
+
tmp="`tempfile`"
trap "rm -f '$tmp'" EXIT
- cat << EOF > "$tmp"
+ (
+ cat << EOF
# This file has been automatically created by ftpsync for syncing
# from ${RSYNC_HOST}.
#
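Review bot: `skip_host_check="$1"; shift` on the first added line accepts any value and aborts with a `shift` error if method_stunnel is ever called without an argument; since only "1" is meaningful, `skip_host_check="${1:-0}"` with a guarded `[ $# -gt 0 ] && shift` would make the default the checked mode and the only values 0/1 explicit. The variable is also not declared `local`, which matters if this script is bash rather than plain sh (both callers in the case dispatch pass a literal, so this is style rather than a defect). The heredoc opened by `cat << EOF` and the function body continue past this hunk, so the verify settings that make the later `checkHost` line effective are not visible here.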
@@ -62,6 +65,10 @@ output = /dev/stderr
connect = ${RSYNC_HOST}:${RSYNC_SSL_PORT}
EOF
+ if ! [ "$skip_host_check" = 1 ]; then
+ echo "checkHost = ${RSYNC_HOST}"
+ fi
+ ) > "$tmp"
exec stunnel4 "$tmp"
echo >&2 "Failed to exec stunnel4"
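Review bot: The added `checkHost = ${RSYNC_HOST}` only enforces the peer name when stunnel's certificate verification level is enabled in the template above this hunk, and from this hunk alone that cannot be confirmed; a one-line comment before the `if` tying the two together would prevent a future edit to `verify` from quietly disabling the name check, e.g. `# checkHost is only enforced together with the verify level set above; stunnel4-old omits it and trusts any CA-signed peer`. Stylistically `if ! [ "$skip_host_check" = 1 ]; then` reads more naturally as `if [ "$skip_host_check" != 1 ]; then`. Note that `exec stunnel4 "$tmp"` replaces the shell, so the EXIT trap set earlier never runs and the generated config (now naming the host) stays behind in the temp file; that predates this change but the new content makes it slightly more worth documenting. method_stunnel starts in the previous hunk and continues past this one.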
@@ -76,7 +83,10 @@ method_socat() {
case ${RSYNC_SSL_METHOD:-} in
stunnel4)
- method_stunnel
+ method_stunnel 0
+ ;;
+ stunnel4-old)
+ method_stunnel 1
;;
socat)
method_socat
diff --git a/etc/ftpsync.conf.sample b/etc/ftpsync.conf.sample
index 7b8c81c..0463ba9 100644
--- a/etc/ftpsync.conf.sample
+++ b/etc/ftpsync.conf.sample
@@ -38,11 +38,16 @@
## RSYNC_SSL_PORT on the remote site. (This requires server
## support, obviously.)
##
-## ftpsync can use either socat or stunnel4 to set up the encrypted
-## tunnel.
-## o Note that stunnel will not verify the peer certificate's name
-## (It will check that it's a valid certificate signed by a CA, but not
-## if it is actually for the host you want to connect to.)
+## ftpsync can use either stunnel4, stunnel4-old, or socat to set up the
+## encrypted tunnel.
+## o stunnel4 requires at least stunnel4 version 5.15 built aginst openssl
+## 1.0.2 or later such that the stunnel build supports the checkHost
+## service-level option. This will cause stunnel to verify both the
+## peer certificate's validity and that it's actually for the host we wish
+## to connect to.
+## o stunnel4-old will skip the checkHost check. As such it will connect
+## to any peer that is able to present a valid certificate, regardless of
+## which name it is made out to.
## o socat will verify the peer certificate name only starting with version
## 1.7.3 (Debian 9.0).
## To test if things work, you can run
@@ -50,7 +55,7 @@
#RSYNC_SSL=false
#RSYNC_SSL_PORT=1873
#RSYNC_SSL_CAPATH=/etc/ssl/certs
-#RSYNC_SSL_METHOD=socat
+#RSYNC_SSL_METHOD=stunnel4
## In which directory should logfiles end up
## Note that BASEDIR defaults to $HOME, but can be set before calling the