From c60ecbe2ffc425e22c635c3d6b15189f06ab4685 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Thu, 4 Feb 2016 18:50:14 +0100
Subject: Default to stunnel4 with checkHost - this will break unless one runs stretch or newer
---
 etc/ftpsync.conf.sample | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
(limited to 'etc')
diff --git a/etc/ftpsync.conf.sample b/etc/ftpsync.conf.sample
index 7b8c81c..0463ba9 100644
--- a/etc/ftpsync.conf.sample
+++ b/etc/ftpsync.conf.sample
@@ -38,11 +38,16 @@
 ## RSYNC_SSL_PORT on the remote site. (This requires server
 ## support, obviously.)
 ##
-## ftpsync can use either socat or stunnel4 to set up the encrypted
-## tunnel.
-## o Note that stunnel will not verify the peer certificate's name
-## (It will check that it's a valid certificate signed by a CA, but not
-## if it is actually for the host you want to connect to.)
+## ftpsync can use either stunnel4, stunnel4-old, or socat to set up the
+## encrypted tunnel.
+## o stunnel4 requires at least stunnel4 version 5.15 built aginst openssl
+## 1.0.2 or later such that the stunnel build supports the checkHost
+## service-level option. This will cause stunnel to verify both the
+## peer certificate's validity and that it's actually for the host we wish
+## to connect to.
+## o stunnel4-old will skip the checkHost check. As such it will connect
+## to any peer that is able to present a valid certificate, regardless of
+## which name it is made out to.
 ## o socat will verify the peer certificate name only starting with version
 ## 1.7.3 (Debian 9.0).
 ## To test if things work, you can run
@@ -50,7 +55,7 @@
 #RSYNC_SSL=false
 #RSYNC_SSL_PORT=1873
 #RSYNC_SSL_CAPATH=/etc/ssl/certs
-#RSYNC_SSL_METHOD=socat
+#RSYNC_SSL_METHOD=stunnel4
 
 ## In which directory should logfiles end up
 ## Note that BASEDIR defaults to $HOME, but can be set before calling the
-- 
cgit v1.2.3
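Review bot: The new stunnel4 bullet in the first hunk names the required stunnel and OpenSSL versions but, unlike the socat bullet two lines below it (which says "Debian 9.0"), never tells an operator which Debian release ships them, even though the commit subject says the new default breaks on anything older than stretch; I would change the line to `## o stunnel4 requires at least stunnel4 version 5.15 built against openssl` and the next one to `## 1.0.2 or later (Debian 9.0/stretch), such that the stunnel build supports the checkHost`, which also fixes the "aginst" typo. It would help to add one sentence after the stunnel4-old bullet making the consequence explicit, e.g. `## Use stunnel4-old or socat only if your stunnel lacks checkHost; note that stunnel4-old leaves the tunnel open to any holder of a CA-signed certificate.` If ftpsync does not itself fail loudly when the installed stunnel rejects the checkHost option (not visible in this hunk), the sample should also say that a pre-stretch system must pick one of the other methods explicitly rather than rely on the new default.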