-#!/bin/bash
+#!/usr/bin/env bash
-# This script supports using stunnel or openssl to secure an rsync daemon connection.
+# This script uses openssl, gnutls, or stunnel to secure an rsync daemon connection.
# By default this script takes rsync args and hands them off to the actual
# rsync command with an --rsh option that makes it open an SSL connection to an
function rsync_ssl_helper {
if [[ -z "$RSYNC_SSL_TYPE" ]]; then
- found=`path_search stunnel4 stunnel openssl` || exit 1
+ found=`path_search openssl stunnel4 stunnel` || exit 1
if [[ "$found" == */openssl ]]; then
RSYNC_SSL_TYPE=openssl
RSYNC_SSL_OPENSSL="$found"
+ elif [[ "$found" == */gnutls-cli ]]; then
+ RSYNC_SSL_TYPE=gnutls
+ RSYNC_SSL_GNUTLS="$found"
else
RSYNC_SSL_TYPE=stunnel
RSYNC_SSL_STUNNEL="$found"
fi
optsep=' '
;;
+ gnutls)
+ if [[ -z "$RSYNC_SSL_GNUTLS" ]]; then
+ RSYNC_SSL_GNUTLS=`path_search gnutls-cli` || exit 1
+ fi
+ optsep=' '
+ ;;
stunnel)
if [[ -z "$RSYNC_SSL_STUNNEL" ]]; then
RSYNC_SSL_STUNNEL=`path_search stunnel4 stunnel` || exit 1
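Review bot: The new `elif [[ "$found" == */gnutls-cli ]]` arm in the auto-detect block cannot match, because the `path_search openssl stunnel4 stunnel` call just above it still does not list gnutls-cli; assuming path_search returns one of the names it was given, gnutls is only reachable by setting RSYNC_SSL_TYPE=gnutls explicitly. If auto-selection of gnutls is intended, add it to the search list ahead of stunnel, since the stunnel comment later in this change says stunnel does no verification without an explicit CA file: `found=\`path_search openssl gnutls-cli stunnel4 stunnel\` || exit 1`. Otherwise drop the arm and note in the header comment that gnutls is opt-in. rsync_ssl_helper continues past the hunk.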
if [[ -z "$RSYNC_SSL_CERT" ]]; then
certopt=""
+ gnutls_cert_opt=""
+ else
+ certopt="-cert$optsep$RSYNC_SSL_CERT"
+ gnutls_cert_opt="--x509certfile=$RSYNC_SSL_CERT"
+ fi
+
+ if [[ -z "$RSYNC_SSL_KEY" ]]; then
+ keyopt=""
+ gnutls_key_opt=""
else
- certopt="cert$optsep$RSYNC_SSL_CERT"
+ keyopt="-key$optsep$RSYNC_SSL_KEY"
+ gnutls_key_opt="--x509keyfile=$RSYNC_SSL_KEY"
fi
if [[ -z ${RSYNC_SSL_CA_CERT+x} ]]; then
# RSYNC_SSL_CA_CERT unset - default CA set AND verify:
# openssl:
caopt="-verify_return_error -verify 4"
+ # gnutls:
+ gnutls_opts=""
# stunnel:
+ # Since there is no way of using the default CA certificate collection,
+ # we cannot do any verification. Thus, stunnel should really only be
+ # used if nothing else is available.
cafile=""
- verify=0
+ verify=""
elif [[ "$RSYNC_SSL_CA_CERT" == "" ]]; then
# RSYNC_SSL_CA_CERT set but empty -do NO verifications:
# openssl:
caopt="-verify 1"
+ # gnutls:
+ gnutls_opts="--insecure"
# stunnel:
cafile=""
- verify=0
+ verify="verifyChain = no"
else
# RSYNC_SSL_CA_CERT set - use CA AND verify:
# openssl:
caopt="-CAfile $RSYNC_SSL_CA_CERT -verify_return_error -verify 4"
+ # gnutls:
+ gnutls_opts="--x509cafile=$RSYNC_SSL_CA_CERT"
# stunnel:
cafile="CAfile = $RSYNC_SSL_CA_CERT"
- verify=3
+ verify="verifyChain = yes"
fi
port="${RSYNC_PORT:-0}"
fi
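Review bot: With RSYNC_SSL_CA_CERT unset, the stunnel branch now sets `verify=""`, so the peer certificate is not checked at all, while the openssl and gnutls branches verify against their default stores; the comment admits this, but the user gets no signal at run time. Consider printing a one-line notice in that branch, e.g. `[[ $RSYNC_SSL_TYPE == stunnel ]] && echo "rsync-ssl: stunnel cannot verify the server certificate without RSYNC_SSL_CA_CERT" 1>&2`. In the CA-set branch, `verify="verifyChain = yes"` checks the chain but not the server name, whereas the openssl arm gains `-verify_hostname $hostname` in this change; if `$hostname` is already set at this point (it is assigned outside the hunk), stunnel can match by appending a `checkHost = $hostname` line to the here-doc in that case.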
if [[ $RSYNC_SSL_TYPE == openssl ]]; then
- exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
+ exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt $keyopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port
+ elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then
+ exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_key_opt $gnutls_opts $hostname:$port
else
# devzero@web.de came up with this no-tmpfile calling syntax:
exec $RSYNC_SSL_STUNNEL -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-
connect = $hostname:$port
client = yes
TIMEOUTclose = 0
-verify = $verify
+$verify
$certopt
$cafile
EOF
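Review bot: The stunnel here-doc still interpolates `$certopt`, which this change now builds as `-cert$optsep$RSYNC_SSL_CERT` (previously `cert$optsep...`), so stunnel would be handed a config line beginning with `-cert`, which is not a stunnel option name; the stunnel arm's optsep is outside the hunk but cannot remove the dash. The new `$keyopt` is only passed to openssl, so RSYNC_SSL_KEY is silently ignored when stunnel is used. Mirror what the change already does for gnutls: set `stunnel_cert_opt="cert = $RSYNC_SSL_CERT"` and `stunnel_key_opt="key = $RSYNC_SSL_KEY"` (empty when the variable is empty) next to the gnutls variables, and replace `$certopt` in the here-doc with `$stunnel_cert_opt` followed by `$stunnel_key_opt`. Note also that `$caopt $certopt $keyopt` on the openssl exec line rely on word splitting, so certificate or key paths containing whitespace break; an array would avoid that, but this is pre-existing style rather than a regression.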
}
if [[ "$#" == 0 ]]; then
- echo "Usage: rsync-ssl [--type=openssl|stunnel] RSYNC_ARG [...]" 1>&2
+ echo "Usage: rsync-ssl [--type=SSL_TYPE] RSYNC_ARG [...]" 1>&2
+ echo "The SSL_TYPE can be openssl or stunnel"
exit 1
fi
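Review bot: The second usage line `echo "The SSL_TYPE can be openssl or stunnel"` is written to stdout while the line above it is redirected with `1>&2`, and it omits gnutls even though the header comment in this change lists it and the new `gnutls)` case arm accepts RSYNC_SSL_TYPE=gnutls. Suggested line: `echo "The SSL_TYPE can be openssl, gnutls, or stunnel" 1>&2`.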