Diffstat (limited to 'etc')
-rw-r--r--etc/ftpsync.conf.sample26
1 files changed, 26 insertions, 0 deletions
diff --git a/etc/ftpsync.conf.sample b/etc/ftpsync.conf.sample
index 1524e72..50b084b 100644
--- a/etc/ftpsync.conf.sample
+++ b/etc/ftpsync.conf.sample
@@ -31,6 +31,32 @@
## If we need a user we also need a password
#RSYNC_PASSWORD=
+## Set to "true" to tunnel your rsync through stunnel.
+##
+## ftpsync will then use rsync's -e option to wrap the connection
+## with bin/rsync-ssl-tunnel which sets up an stunnel to connect to
+## RSYNC_SSL_PORT on the remote site. (This requires server
+## support, obviously.)
+##
+## ftpsync can use either stunnel4, stunnel4-old, or socat to set up the
+## encrypted tunnel.
+## o stunnel4 requires at least stunnel4 version 5.15 built aginst openssl
+## 1.0.2 or later such that the stunnel build supports the checkHost
+## service-level option. This will cause stunnel to verify both the
+## peer certificate's validity and that it's actually for the host we wish
+## to connect to.
+## o stunnel4-old will skip the checkHost check. As such it will connect
+## to any peer that is able to present a valid certificate, regardless of
+## which name it is made out to.
+## o socat will verify the peer certificate name only starting with version
+## 1.7.3 (Debian 9.0).
+## To test if things work, you can run
+## RSYNC_SSL_PORT=1873 RSYNC_SSL_CAPATH=/etc/ssl/certs RSYNC_SSL_METHOD=socat rsync -e 'bin/rsync-ssl-tunnel' <server>::
+#RSYNC_SSL=false
+#RSYNC_SSL_PORT=1873
+#RSYNC_SSL_CAPATH=/etc/ssl/certs
+#RSYNC_SSL_METHOD=stunnel4
+
## In which directory should logfiles end up
## Note that BASEDIR defaults to $HOME, but can be set before calling the
## ftpsync script to any value you want (for example using pam_env)
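Review bot: The stunnel4-old and socat bullets describe the missing host-name check but never state its consequence or tell users which method to prefer. With stunnel4-old (and, per the comment, socat before 1.7.3) the tunnel encrypts but does not authenticate the mirror, so any peer presenting a certificate that chains to a CA under RSYNC_SSL_CAPATH is accepted. I would add a line after the socat bullet such as `## Prefer stunnel4; stunnel4-old and socat < 1.7.3 do not check the certificate name, so use them only when stunnel4 is unavailable.` The test command uses `RSYNC_SSL_METHOD=socat` while the commented default is `stunnel4`, so a passing test may not exercise the method that ends up configured; showing it with `RSYNC_SSL_METHOD=stunnel4` would match the default. The word "aginst" in the stunnel4 bullet should read "against".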