Change the rsync-ssl helper script
authorWayne Davison <wayne@opencoder.net>
Sun, 19 Apr 2020 19:08:01 +0000 (12:08 -0700)
committerWayne Davison <wayne@opencoder.net>
Sun, 19 Apr 2020 21:00:33 +0000 (14:00 -0700)
The new rsh-ssl-rsync helper script (replacing stunnel-rsync) supports
openssl in addition to stunnel.  The RSYNC_SSL_TYPE environment variable
can be set to specify which type of connection to use, and the first arg
to rsync-ssl can be --type=stunnel or --type=openssl to override the env
var or the default of "stunnel".  The helper script now looks for
stunnel4 or stunnel on the PATH at runtime instead of having configure
look for it at compile time.

.gitignore
Makefile.in
configure.ac
packaging/lsb/rsync.spec
rsh-ssl-rsync [new file with mode: 0755]
rsync-ssl.in
stunnel-rsync.in [deleted file]
stunnel-rsyncd.conf.in

index f0204bbebf7269da73595deef9f5cdc57e64c7b8..519bd3bcd4e4b02d6ac7440a4bbd402dc8a9d3c8 100644 (file)
@@ -25,7 +25,6 @@ aclocal.m4
 /gmon.out
 /rsync
 /rsync-ssl
-/stunnel-rsync
 /stunnel-rsyncd.conf
 /shconfig
 /testdir
index 4d6eadc60c6d42a31ec21b97310352fe99874da3..3057dc338239fb0550535bbeea5ef26b34d46e6d 100644 (file)
@@ -63,7 +63,7 @@ CHECK_OBJS=tls.o testrun.o getgroups.o getfsdev.o t_stub.o t_unsafe.o trimslash.
        $(CC) -I. -I$(srcdir) $(CFLAGS) $(CPPFLAGS) -c $< @CC_SHOBJ_FLAG@
 @OBJ_RESTORE@
 
-all: Makefile rsync$(EXEEXT) rsync-ssl stunnel-rsync stunnel-rsyncd.conf @MAKE_MAN@
+all: Makefile rsync$(EXEEXT) rsync-ssl stunnel-rsyncd.conf @MAKE_MAN@
 
 install: all
        -${MKDIR_P} ${DESTDIR}${bindir}
@@ -73,10 +73,10 @@ install: all
        if test -f rsync.1; then ${INSTALLMAN} -m 644 rsync.1 ${DESTDIR}${mandir}/man1; fi
        if test -f rsyncd.conf.5; then ${INSTALLMAN} -m 644 rsyncd.conf.5 ${DESTDIR}${mandir}/man5; fi
 
-install-ssl-client: rsync-ssl stunnel-rsync
+install-ssl-client: rsync-ssl
        -${MKDIR_P} ${DESTDIR}${bindir}
        ${INSTALLCMD} -m 755 rsync-ssl ${DESTDIR}${bindir}
-       ${INSTALLCMD} -m 755 stunnel-rsync ${DESTDIR}${bindir}
+       ${INSTALLCMD} -m 755 rsh-ssl-rsync ${DESTDIR}${bindir}
 
 install-ssl-daemon: stunnel-rsyncd.conf
        -${MKDIR_P} ${DESTDIR}/etc/stunnel
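Review bot: The new install line `${INSTALLCMD} -m 755 rsh-ssl-rsync ${DESTDIR}${bindir}` copies from the current directory, but rsh-ssl-rsync is no longer generated by a rule in this Makefile (the stunnel-rsync sed rule is removed below), so it only exists in the source tree and a build run from a directory other than $(srcdir) would not find it at install time. The neighbouring rules reach source inputs as `$(srcdir)/rsync-ssl.in`; the install line should do the same, `${INSTALLCMD} -m 755 $(srcdir)/rsh-ssl-rsync ${DESTDIR}${bindir}`. Listing it on the target line as well, `install-ssl-client: rsync-ssl $(srcdir)/rsh-ssl-rsync`, makes make report a missing helper before anything is copied. The same drop of the stunnel-rsync product in the `all` and `distclean` hunks looks consistent with this.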
@@ -198,10 +198,6 @@ rsync-ssl: $(srcdir)/rsync-ssl.in Makefile
        sed 's;\@bindir\@;$(bindir);g' <$(srcdir)/rsync-ssl.in >rsync-ssl
        @chmod +x rsync-ssl
 
-stunnel-rsync: $(srcdir)/stunnel-rsync.in Makefile
-       sed 's;\@stunnel4\@;$(stunnel4);g' <$(srcdir)/stunnel-rsync.in >stunnel-rsync
-       @chmod +x stunnel-rsync
-
 stunnel-rsyncd.conf: $(srcdir)/stunnel-rsyncd.conf.in Makefile
        sed 's;\@bindir\@;$(bindir);g' <$(srcdir)/stunnel-rsyncd.conf.in >stunnel-rsyncd.conf
 
@@ -239,7 +235,7 @@ cleantests:
 # the source directory.
 distclean: clean
        rm -f Makefile config.h config.status
-       rm -f rsync-ssl stunnel-rsync stunnel-rsyncd.conf
+       rm -f rsync-ssl stunnel-rsyncd.conf
        rm -f lib/dummy popt/dummy zlib/dummy
        rm -f $(srcdir)/Makefile $(srcdir)/config.h $(srcdir)/config.status
        rm -f $(srcdir)/lib/dummy $(srcdir)/popt/dummy $(srcdir)/zlib/dummy
index 8e44eca465c07fc0802884bb626255018031029b..55fccd8ebc0ada208dbcb6e3b2ad426a56f6db7f 100644 (file)
@@ -974,9 +974,6 @@ AC_SUBST(BUILD_POPT)
 AC_SUBST(BUILD_ZLIB)
 AC_SUBST(MAKE_MAN)
 
-AC_PATH_PROG([STUNNEL], [stunnel], [stunnel], [$PATH$PATH_SEPARATOR/usr/sbin$PATH_SEPARATOR/sbin])
-AC_PATH_PROG([STUNNEL4], [stunnel4], [$STUNNEL], [$PATH$PATH_SEPARATOR/usr/sbin$PATH_SEPARATOR/sbin])
-
 AC_CHECK_FUNCS(_acl __acl _facl __facl)
 #################################################
 # check for ACL support
index 0e7794c4d78ea6fc7597a0135e4f613a8529dc23..f527976e62a207254d17b55a1aa16b3b40dd9a11 100644 (file)
@@ -84,7 +84,7 @@ rm -rf $RPM_BUILD_ROOT
 
 %files ssl-client
 %{_prefix}/bin/rsync-ssl
-%{_prefix}/bin/stunnel-rsync
+%{_prefix}/bin/rsh-ssl-rsync
 
 %files ssl-daemon
 %config(noreplace) /etc/stunnel/rsyncd.conf
diff --git a/rsh-ssl-rsync b/rsh-ssl-rsync
new file mode 100755 (executable)
index 0000000..15135ef
--- /dev/null
@@ -0,0 +1,113 @@
+#!/bin/bash
+# This must be called as (note the trailing dot):
+#
+#    rsh-ssl-rsync HOSTNAME rsync --server --daemon .
+#
+# ... which is typically done via the rsync-ssl script, which results in something like this:
+#
+#    rsync --rsh=rsh-ssl-rsync -aiv HOSTNAME::module [ARGS]
+#
+# This SSL setup based on the files by:  http://dozzie.jarowit.net/trac/wiki/RsyncSSL
+# Note that an stunnel connection requires at least version 4.x of stunnel.
+
+# The environment can override our defaults using RSYNC_SSL_* variables
+
+if [[ -z "$RSYNC_SSL_TYPE" ]]; then
+    RSYNC_SSL_TYPE=stunnel
+fi
+
+case "$RSYNC_SSL_TYPE" in
+    stunnel)
+       if [[ -z "$RSYNC_SSL_STUNNEL" ]]; then
+           IFS_SAVE="$IFS"
+           IFS=:
+           for prog in stunnel4 stunnel; do
+               for dir in $PATH; do
+                   [[ -z "$dir" ]] && dir=.
+                   if [[ -f "$dir/$prog" && -x "$dir/$prog" ]]; then
+                       RSYNC_SSL_STUNNEL="$dir/$prog"
+                       break 2
+                   fi
+               done
+           done
+           IFS="$IFS_SAVE"
+       fi
+       if [[ -z "$RSYNC_SSL_STUNNEL" ]]; then
+           echo "Failed to find stunnel on your path." 1>&2
+           echo "Maybe export RSYNC_SSL_STUNNEL=/path or RSYNC_SSL_TYPE=openssl." 1>&2
+           exit 1
+       fi
+       optsep=' = '
+       ;;
+    openssl)
+       optsep=' '
+       ;;
+    *)
+       echo "The RSYNC_SSL_TYPE is not set to a known type: $RSYNC_SSL_TYPE" 1>&2
+       exit 1
+       ;;
+esac
+
+if [[ -z "$RSYNC_SSL_CERT" ]]; then
+    certopt=""
+else
+    certopt="cert$optsep$RSYNC_SSL_CERT"
+fi
+
+if [[ -z ${RSYNC_SSL_CA_CERT+x} ]]; then
+    # RSYNC_SSL_CA_CERT unset - default CA set AND verify:
+    # openssl:
+    caopt="-verify_return_error -verify 4"
+    # stunnel:
+    cafile=""
+    verify=0
+elif [[ "$RSYNC_SSL_CA_CERT" == "" ]]; then
+    # RSYNC_SSL_CA_CERT set but empty -do NO verifications:
+    # openssl:
+    caopt="-verify 1"
+    # stunnel:
+    cafile=""
+    verify=0
+else
+    # RSYNC_SSL_CA_CERT set - use CA AND verify:
+    # openssl:
+    caopt="-CAfile $RSYNC_SSL_CA_CERT -verify_return_error -verify 4"
+    # stunnel:
+    cafile="CAfile = $RSYNC_SSL_CA_CERT"
+    verify=3
+fi
+
+port="${RSYNC_PORT:-0}"
+if [[ "$port" == 0 ]]; then
+    port="${RSYNC_SSL_PORT:-874}"
+fi
+
+# If the user specified USER@HOSTNAME::module, then rsync passes us
+# the -l USER option too, so we must be prepared to ignore it.
+if [[ "$1" == "-l" ]]; then
+    shift 2
+fi
+
+hostname="$1"
+shift
+
+if [[ -z "$hostname" || "$1" != rsync || "$2" != --server || "$3" != --daemon ]]; then
+    echo "Usage: rsync-ssl-helper HOSTNAME rsync --server --daemon ." 1>&2
+    exit 1
+fi
+
+if [[ $RSYNC_SSL_TYPE == openssl ]]; then
+    exec openssl s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
+else
+    # devzero@web.de came up with this no-tmpfile calling syntax:
+    exec stunnel -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-
+foreground = yes
+debug = crit
+connect = $hostname:$port
+client = yes
+TIMEOUTclose = 0
+verify = $verify
+$certopt
+$cafile
+EOF
+fi
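Review bot: The stunnel branch execs a literal `stunnel` on the line `exec stunnel -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-`, so the path found by the stunnel4/stunnel PATH search at the top of the script, and any RSYNC_SSL_STUNNEL override, is never used; on a host that only has stunnel4 on PATH the search would succeed and the exec would then fail. It should read `exec "$RSYNC_SSL_STUNNEL" -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-`. Separately, the RSYNC_SSL_CA_CERT-unset case is commented as "default CA set AND verify", which holds for the openssl side (`-verify_return_error -verify 4`) but not for stunnel, where `verify=0` requests and ignores the peer certificate, so the default stunnel connection is encrypted but does not authenticate the server — the comment should state that asymmetry or the stunnel side should get a verify level and a CA path too. The openssl line also expands `$caopt`, `$certopt` and `$hostname` unquoted, so a certificate path containing whitespace is split into separate arguments; since these come from environment variables that is worth either documenting as a restriction or handling with an array. The usage message says `rsync-ssl-helper` while the header comment and the install rule call the script rsh-ssl-rsync.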
index da58d6afac3dad09694c8e66afdbf35f2cf33c31..62ab1a57898e4d276ba295252da7fdb97744e167 100755 (executable)
@@ -1,12 +1,20 @@
 #!/bin/bash
-# This script supports using stunnel to secure an rsync daemon connection.
-# Note that this requires at least version 4.x of stunnel.
+# This script supports using stunnel or openssl to secure an rsync daemon connection.
+# The first option can be --type=stunnel or --type=openssl to choose your connection
+# type (overriding any $RSYNC_SSL_TYPE default value).
+
+if [[ "$1" == --type=* ]]; then
+    export RSYNC_SSL_TYPE="${1/--type=/}"
+    shift
+fi
+
 case "$@" in
 *rsync://*) ;;
 *::*) ;;
 *)
-    echo "You must use rsync-ssl with a daemon-style hostname." 0>&1
+    echo "You must use rsync-ssl with a daemon-style hostname." 1>&2
     exit 1
     ;;
 esac
-exec @bindir@/rsync --rsh=@bindir@/stunnel-rsync "${@}"
+
+exec @bindir@/rsync --rsh=@bindir@/rsh-ssl-rsync "${@}"
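Review bot: The new `--type=` handling strips the prefix with a substitution, `export RSYNC_SSL_TYPE="${1/--type=/}"`, which removes the first occurrence anywhere in the word; since the `--type=*` test has already anchored it at the start, the prefix-removal form `export RSYNC_SSL_TYPE="${1#--type=}"` states the intent more directly. A bare `--type=` exports an empty value, which the helper, judging by its own default, treats as stunnel rather than rejecting; if that is not intended, the branch could require a non-empty value before exporting. The header comment could also say that an unknown type is only diagnosed later by the helper, not here.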
diff --git a/stunnel-rsync.in b/stunnel-rsync.in
deleted file mode 100755 (executable)
index ca702ae..0000000
+++ /dev/null
@@ -1,57 +0,0 @@
-#!/bin/bash
-# This must be called as (note the trailing dot):
-#
-#    stunnel-rsync HOSTNAME rsync --server --daemon .
-#
-# ... which is typically done via the rsync-ssl script, which results in something like this:
-#
-#    rsync --rsh=stunnel-rsync -aiv HOSTNAME::module [ARGS]
-#
-# This SSL setup based on the files by:  http://dozzie.jarowit.net/trac/wiki/RsyncSSL
-# Note that this requires at least version 4.x of stunnel.
-
-# The current environment can override using the RSYNC_SSL_* values:
-if [ x"$RSYNC_SSL_CERT" = x ]; then
-    cert=""
-else
-    cert="cert = $RSYNC_SSL_CERT"
-fi
-
-if [ x"$RSYNC_SSL_CA_CERT" = x ]; then
-    cafile=""
-    verify=0
-else
-    cafile="CAfile = $RSYNC_SSL_CA_CERT"
-    verify=3
-fi
-
-port="${RSYNC_PORT:-0}"
-if [ "$port" = 0 ]; then
-    port="${RSYNC_SSL_PORT:-874}"
-fi
-
-# If the user specified USER@HOSTNAME::module, then rsync passes us
-# the -l USER option too, so we must be prepared to ignore it.
-if [ x"$1" = x"-l" ]; then
-    shift 2
-fi
-
-hostname=$1
-shift
-
-if [ x"$hostname" = x -o x"$1" != x"rsync" -o x"$2" != x"--server" -o x"$3" != x"--daemon" ]; then
-    echo "Usage: stunnel-rsync HOSTNAME rsync --server --daemon ." 1>&2
-    exit 1
-fi
-
-# devzero@web.de came up with this no-tmpfile calling syntax:
-@stunnel4@ -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-
-foreground = yes
-debug = crit
-connect = $hostname:$port
-client = yes
-TIMEOUTclose = 0
-verify = $verify
-$cert
-$cafile
-EOF
index fd28d5d4a946f9b68bd9b6f992a9b033b6c6d705..b3fd240edc20317352d49a3b6c3d6d4f4a6e6a1b 100644 (file)
@@ -4,7 +4,7 @@ foreground = no
 pid = /var/run/stunnel-rsyncd.pid
 socket = l:TCP_NODELAY=1
 socket = r:TCP_NODELAY=1
-compression = rle
+#compression = rle
 # This must be root for rsync to use chroot -- rsync will drop permissions:
 setuid = root
 setgid = root
@@ -18,7 +18,7 @@ client = no
 
 # To allow anyone to try an ssl connection, use this:
 verify = 0
-CAfile = /etc/ssl/ca-bundle.pem
+CAfile = /etc/ssl/certs/ca-certificates.crt
 
 # To allow only cert-authorized clients, use something like this instead of the above:
 #verify = 3
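Review bot: The new `CAfile = /etc/ssl/certs/ca-certificates.crt` is the Debian/Ubuntu bundle location, while the spec file in this same commit installs this template as /etc/stunnel/rsyncd.conf on RPM-based systems, where the system bundle normally lives elsewhere (for example /etc/pki/tls/certs/ca-bundle.crt), so the shipped default may point at a file that does not exist there. With `verify = 0` on the line above the bundle is not used to accept or reject clients, but whether stunnel still refuses to start on a missing CAfile is worth checking, and a comment such as `# Debian/Ubuntu bundle path; adjust to your distribution's CA bundle` would save operators a lookup. In the first hunk, commenting out `compression = rle` turns off TLS-level compression without saying why; a one-line comment noting that it is deliberately disabled (TLS compression is a known information-leak vector) would keep a later editor from re-enabling it.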