From c60ecbe2ffc425e22c635c3d6b15189f06ab4685 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Thu, 4 Feb 2016 18:50:14 +0100
Subject: Default to stunnel4 with checkHost - this will break unless one runs stretch or newer
---
 bin/ftpsync | 2 +-
 bin/rsync-ssl-tunnel | 16 +++++++++++++---
 etc/ftpsync.conf.sample | 17 +++++++++++------
 3 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/bin/ftpsync b/bin/ftpsync
index c96f8f5..2242cfe 100755
--- a/bin/ftpsync
+++ b/bin/ftpsync
@@ -487,7 +487,7 @@ done
 RSYNC_SSL=${RSYNC_SSL:-"false"}
 RSYNC_SSL_PORT=${RSYNC_SSL_PORT:-"1873"}
 RSYNC_SSL_CAPATH=${RSYNC_SSL_CAPATH:-"/etc/ssl/certs"}
-RSYNC_SSL_METHOD=${RSYNC_SSL_METHOD:-"socat"}
+RSYNC_SSL_METHOD=${RSYNC_SSL_METHOD:-"stunnel4"}
 
 if [[ true != ${RSYNC_SSL} ]]; then
 RSYNC_SSL_OPTIONS=""
diff --git a/bin/rsync-ssl-tunnel b/bin/rsync-ssl-tunnel
index 82fb9eb..d0daaf7 100755
--- a/bin/rsync-ssl-tunnel
+++ b/bin/rsync-ssl-tunnel
@@ -39,13 +39,16 @@ fi
 RSYNC_HOST="$1"; shift
 RSYNC_SSL_PORT=${RSYNC_SSL_PORT:-"1873"}
 RSYNC_SSL_CAPATH=${RSYNC_SSL_CAPATH:-"/etc/ssl/certs"}
-RSYNC_SSL_METHOD=${RSYNC_SSL_METHOD:-"socat"}
+RSYNC_SSL_METHOD=${RSYNC_SSL_METHOD:-"stunnel4"}
 
 
 method_stunnel() {
+ skip_host_check="$1"; shift
+
 tmp="`tempfile`"
 trap "rm -f '$tmp'" EXIT
- cat << EOF > "$tmp"
+ (
+ cat << EOF
 # This file has been automatically created by ftpsync for syncing
 # from ${RSYNC_HOST}.
 #
@@ -62,6 +65,10 @@ output = /dev/stderr
 
 connect = ${RSYNC_HOST}:${RSYNC_SSL_PORT}
 EOF
+ if ! [ "$skip_host_check" = 1 ]; then
+ echo "checkHost = ${RSYNC_HOST}"
+ fi
+ ) > "$tmp"
 exec stunnel4 "$tmp"
 echo >&2 "Failed to exec stunnel4"
 
@@ -76,7 +83,10 @@ method_socat() {
 
 case ${RSYNC_SSL_METHOD:-} in
 stunnel4)
- method_stunnel
+ method_stunnel 0
+ ;;
+ stunnel4-old)
+ method_stunnel 1
 ;;
 socat)
 method_socat
diff --git a/etc/ftpsync.conf.sample b/etc/ftpsync.conf.sample
index 7b8c81c..0463ba9 100644
--- a/etc/ftpsync.conf.sample
+++ b/etc/ftpsync.conf.sample
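Review bot: The new default `RSYNC_SSL_METHOD=stunnel4` in bin/ftpsync is, per the commit message, only expected to work on stretch or newer, so an existing install that never set the variable will start failing after upgrade with nothing in the script pointing at the `stunnel4-old` fallback. A comment on the default line would save the operator that search: `# stunnel4 needs checkHost support (stunnel4 >= 5.15 on openssl >= 1.0.2); older hosts must set stunnel4-old, which skips peer-name verification`. The same default line is changed in the first hunk of bin/rsync-ssl-tunnel and would take the same comment.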
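Review bot: `skip_host_check="$1"; shift` at the top of method_stunnel introduces an undocumented positional whose only meaningful value is `1`, and nothing says what any other value does. A header comment would make the contract explicit, e.g. `# $1: 1 to omit the checkHost directive (stunnel4-old); any other value keeps peer-name verification on`. The assignment is to a global; since the function ends in `exec stunnel4` that is harmless today, but `local skip_host_check="$1"` would keep the flag from leaking if the script's shell supports `local`, which I cannot see from the hunk. The function body continues past the end of this hunk.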
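Review bot: `echo "checkHost = ${RSYNC_HOST}"` asks stunnel to match the certificate's DNS names against RSYNC_HOST, so a RSYNC_HOST written as an IP literal will not match and the connection is refused — the safe direction, but worth a comment next to the echo: `# checkHost matches certificate DNS names; an IP literal in RSYNC_HOST would need checkIP instead`. The skipped-check path should also announce itself so the downgrade is visible in the sync log, e.g. an `else` branch with `echo >&2 "warning: stunnel4-old: peer certificate name will not be verified"` (stderr is not captured by the `> "$tmp"` redirect). Whether checkHost takes effect at all also depends on the `verify` level written earlier in the heredoc, which lies outside this hunk.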
@@ -38,11 +38,16 @@
 ## RSYNC_SSL_PORT on the remote site. (This requires server
 ## support, obviously.)
 ##
-## ftpsync can use either socat or stunnel4 to set up the encrypted
-## tunnel.
-## o Note that stunnel will not verify the peer certificate's name
-## (It will check that it's a valid certificate signed by a CA, but not
-## if it is actually for the host you want to connect to.)
+## ftpsync can use either stunnel4, stunnel4-old, or socat to set up the
+## encrypted tunnel.
+## o stunnel4 requires at least stunnel4 version 5.15 built aginst openssl
+## 1.0.2 or later such that the stunnel build supports the checkHost
+## service-level option. This will cause stunnel to verify both the
+## peer certificate's validity and that it's actually for the host we wish
+## to connect to.
+## o stunnel4-old will skip the checkHost check. As such it will connect
+## to any peer that is able to present a valid certificate, regardless of
+## which name it is made out to.
 ## o socat will verify the peer certificate name only starting with version
 ## 1.7.3 (Debian 9.0).
 ## To test if things work, you can run
@@ -50,7 +55,7 @@
 #RSYNC_SSL=false
 #RSYNC_SSL_PORT=1873
 #RSYNC_SSL_CAPATH=/etc/ssl/certs
-#RSYNC_SSL_METHOD=socat
+#RSYNC_SSL_METHOD=stunnel4
 
 ## In which directory should logfiles end up
 ## Note that BASEDIR defaults to $HOME, but can be set before calling the
-- 
cgit v1.2.3
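Review bot: The new stunnel4 bullet has a typo, `built aginst openssl` should read `built against openssl`. The bullet would also be more useful if it stated the consequence the commit message gives — that with the new `stunnel4` default, hosts whose stunnel4 lacks checkHost support must set `stunnel4-old` or `socat` explicitly — since this sample is what an operator reads after an upgrade stops the sync; the "stretch or newer" boundary comes only from the commit subject, so phrase it by stunnel/openssl version as the bullet already does.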