From 17828dfb598b927752a75ff1f56c7fed863d194e Mon Sep 17 00:00:00 2001 From: Peter Palfrader Date: Wed, 3 Feb 2016 13:16:02 +0000 Subject: Also support socat, and document that both stunnel4 and socat in their current versions are horrible --- etc/ftpsync.conf.sample | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) (limited to 'etc') diff --git a/etc/ftpsync.conf.sample b/etc/ftpsync.conf.sample index d58fbaf..7b8c81c 100644 --- a/etc/ftpsync.conf.sample +++ b/etc/ftpsync.conf.sample 
@@ -31,14 +31,26 @@ ## If we need a user we also need a password #RSYNC_PASSWORD= -## Set to "true" to tunnel your rsync through stunnel. Requires that stunnel4 be -## available in PATH. ftpsync will then create an stunnel config file and use -## rsync's -e to connect to RSYNC_SSL_PORT on the remote site. (This requires -## server support, obviously.) The presented certificate is checked by stunnel -## against the certificate authorities in RSYNC_SSL_CAPATH. +## Set to "true" to tunnel your rsync through stunnel. +## +## ftpsync will then use rsync's -e option to wrap the connection +## with bin/rsync-ssl-tunnel which sets up an stunnel to connect to +## RSYNC_SSL_PORT on the remote site. (This requires server +## support, obviously.) +## +## ftpsync can use either socat or stunnel4 to set up the encrypted +## tunnel. +## o Note that stunnel will not verify the peer certificate's name +## (It will check that it's a valid certificate signed by a CA, but not +## if it is actually for the host you want to connect to.) +## o socat will verify the peer certificate name only starting with version +## 1.7.3 (Debian 9.0). +## To test if things work, you can run +## RSYNC_SSL_PORT=1873 RSYNC_SSL_CAPATH=/etc/ssl/certs RSYNC_SSL_METHOD=socat rsync -e 'bin/rsync-ssl-tunnel' :: #RSYNC_SSL=false #RSYNC_SSL_PORT=1873 #RSYNC_SSL_CAPATH=/etc/ssl/certs +#RSYNC_SSL_METHOD=socat ## In which directory should logfiles end up ## Note that BASEDIR defaults to $HOME, but can be set before calling the -- cgit v1.2.3
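Review bot: The new `#RSYNC_SSL_METHOD=socat` line at the end of the hunk is not documented in the comment block above it. The text says ftpsync "can use either socat or stunnel4" but never names RSYNC_SSL_METHOD or lists the values it accepts, so a reader has to infer the setting from the test command. Suggest adding a comment line that names the variable and its accepted values, and tying the two "o" bullets to it, because the choice decides whether the peer certificate's name is checked at all (per the comment: not with stunnel, and with socat only from 1.7.3). The rewrite also drops the old sentence explaining that the presented certificate is checked against the certificate authorities in RSYNC_SSL_CAPATH, which leaves that variable unexplained apart from its default. The opening lines still say "through stunnel" and "sets up an stunnel" although socat is now an option.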