diff options
Diffstat (limited to '')
-rwxr-xr-x | rsync-ssl | 198 | ||||
-rw-r--r-- | rsync-ssl.1 | 144 | ||||
-rw-r--r-- | rsync-ssl.1.html | 154 | ||||
-rw-r--r-- | rsync-ssl.1.md | 140 |
4 files changed, 636 insertions, 0 deletions
diff --git a/rsync-ssl b/rsync-ssl new file mode 100755 index 0000000..56ee7df --- /dev/null +++ b/rsync-ssl @@ -0,0 +1,198 @@ +#!/usr/bin/env bash + +# This script uses openssl, gnutls, or stunnel to secure an rsync daemon connection. + +# By default this script takes rsync args and hands them off to the actual +# rsync command with an --rsh option that makes it open an SSL connection to an +# rsync daemon. See the rsync-ssl manpage for usage details and env variables. + +# When the first arg is --HELPER, we are being used by rsync as an --rsh helper +# script, and the args are (note the trailing dot): +# +# rsync-ssl --HELPER HOSTNAME rsync --server --daemon . +# +# --HELPER is not a user-facing option, so it is not documented in the manpage. + +# The first SSL setup was based on: http://dozzie.jarowit.net/trac/wiki/RsyncSSL +# Note that an stunnel connection requires at least version 4.x of stunnel. + +function rsync_ssl_run { + case "$*" in + *rsync://*) ;; + *::*) ;; + *) + echo "You must use rsync-ssl with a daemon-style hostname." 1>&2 + exit 1 + ;; + esac + + exec rsync --rsh="$0 --HELPER" "${@}" +} + +function rsync_ssl_helper { + if [[ -z "$RSYNC_SSL_TYPE" ]]; then + found=`path_search openssl stunnel4 stunnel` || exit 1 + if [[ "$found" == */openssl ]]; then + RSYNC_SSL_TYPE=openssl + RSYNC_SSL_OPENSSL="$found" + elif [[ "$found" == */gnutls-cli ]]; then + RSYNC_SSL_TYPE=gnutls + RSYNC_SSL_GNUTLS="$found" + else + RSYNC_SSL_TYPE=stunnel + RSYNC_SSL_STUNNEL="$found" + fi + fi + + case "$RSYNC_SSL_TYPE" in + openssl) + if [[ -z "$RSYNC_SSL_OPENSSL" ]]; then + RSYNC_SSL_OPENSSL=`path_search openssl` || exit 1 + fi + optsep=' ' + ;; + gnutls) + if [[ -z "$RSYNC_SSL_GNUTLS" ]]; then + RSYNC_SSL_GNUTLS=`path_search gnutls-cli` || exit 1 + fi + optsep=' ' + ;; + stunnel) + if [[ -z "$RSYNC_SSL_STUNNEL" ]]; then + RSYNC_SSL_STUNNEL=`path_search stunnel4 stunnel` || exit 1 + fi + optsep=' = ' + ;; + *) + echo "The RSYNC_SSL_TYPE specifies an unknown type: $RSYNC_SSL_TYPE" 1>&2 + exit 1 + ;; + esac + + if [[ -z "$RSYNC_SSL_CERT" ]]; then + certopt="" + gnutls_cert_opt="" + else + certopt="-cert$optsep$RSYNC_SSL_CERT" + gnutls_cert_opt="--x509certfile=$RSYNC_SSL_CERT" + fi + + if [[ -z "$RSYNC_SSL_KEY" ]]; then + keyopt="" + gnutls_key_opt="" + else + keyopt="-key$optsep$RSYNC_SSL_KEY" + gnutls_key_opt="--x509keyfile=$RSYNC_SSL_KEY" + fi + + if [[ -z ${RSYNC_SSL_CA_CERT+x} ]]; then + # RSYNC_SSL_CA_CERT unset - default CA set AND verify: + # openssl: + caopt="-verify_return_error -verify 4" + # gnutls: + gnutls_opts="" + # stunnel: + # Since there is no way of using the default CA certificate collection, + # we cannot do any verification. Thus, stunnel should really only be + # used if nothing else is available. + cafile="" + verify="" + elif [[ "$RSYNC_SSL_CA_CERT" == "" ]]; then + # RSYNC_SSL_CA_CERT set but empty -do NO verifications: + # openssl: + caopt="-verify 1" + # gnutls: + gnutls_opts="--insecure" + # stunnel: + cafile="" + verify="verifyChain = no" + else + # RSYNC_SSL_CA_CERT set - use CA AND verify: + # openssl: + caopt="-CAfile $RSYNC_SSL_CA_CERT -verify_return_error -verify 4" + # gnutls: + gnutls_opts="--x509cafile=$RSYNC_SSL_CA_CERT" + # stunnel: + cafile="CAfile = $RSYNC_SSL_CA_CERT" + verify="verifyChain = yes" + fi + + port="${RSYNC_PORT:-0}" + if [[ "$port" == 0 ]]; then + port="${RSYNC_SSL_PORT:-874}" + fi + + # If the user specified USER@HOSTNAME::module, then rsync passes us + # the -l USER option too, so we must be prepared to ignore it. + if [[ "$1" == "-l" ]]; then + shift 2 + fi + + hostname="$1" + shift + + if [[ -z "$hostname" || "$1" != rsync || "$2" != --server || "$3" != --daemon ]]; then + echo "Usage: rsync-ssl --HELPER HOSTNAME rsync --server --daemon ." 1>&2 + exit 1 + fi + + if [[ $RSYNC_SSL_TYPE == openssl ]]; then + exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt $keyopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port + elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then + exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_key_opt $gnutls_opts $hostname:$port + else + # devzero@web.de came up with this no-tmpfile calling syntax: + exec $RSYNC_SSL_STUNNEL -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&- +foreground = yes +debug = crit +connect = $hostname:$port +client = yes +TIMEOUTclose = 0 +$verify +$certopt +$cafile +EOF + fi +} + +function path_search { + IFS_SAVE="$IFS" + IFS=: + for prog in "${@}"; do + for dir in $PATH; do + [[ -z "$dir" ]] && dir=. + if [[ -f "$dir/$prog" && -x "$dir/$prog" ]]; then + echo "$dir/$prog" + IFS="$IFS_SAVE" + return 0 + fi + done + done + + IFS="$IFS_SAVE" + echo "Failed to find on your path: $*" 1>&2 + echo "See the rsync-ssl manpage for configuration assistance." 1>&2 + return 1 +} + +if [[ "$#" == 0 ]]; then + echo "Usage: rsync-ssl [--type=SSL_TYPE] RSYNC_ARG [...]" 1>&2 + echo "The SSL_TYPE can be openssl or stunnel" + exit 1 +fi + +if [[ "$1" = --help || "$1" = -h ]]; then + exec rsync --help +fi + +if [[ "$1" == --HELPER ]]; then + shift + rsync_ssl_helper "${@}" +fi + +if [[ "$1" == --type=* ]]; then + export RSYNC_SSL_TYPE="${1/--type=/}" + shift +fi + +rsync_ssl_run "${@}" diff --git a/rsync-ssl.1 b/rsync-ssl.1 new file mode 100644 index 0000000..c7f5ad1 --- /dev/null +++ b/rsync-ssl.1 @@ -0,0 +1,144 @@ +.TH "rsync-ssl" "1" "20 Oct 2022" "rsync-ssl from rsync 3.2.7" "User Commands" +.\" prefix=/usr +.P +.SH "NAME" +.P +rsync-ssl \- a helper script for connecting to an ssl rsync daemon +.P +.SH "SYNOPSIS" +.P +.nf +rsync-ssl [--type=SSL_TYPE] RSYNC_ARGS +.fi +.P +The online version of this manpage (that includes cross-linking of topics) +is available at https://download.samba.org/pub/rsync/rsync-ssl.1. +.P +.SH "DESCRIPTION" +.P +The rsync-ssl script helps you to run an rsync copy to/from an rsync daemon +that requires ssl connections. +.P +The script requires that you specify an rsync-daemon arg in the style of either +\fBhostname::\fP (with 2 colons) or \fBrsync://hostname/\fP. The default port used for +connecting is 874 (one higher than the normal 873) unless overridden in the +environment. You can specify an overriding port via \fB\-\-port\fP or by including +it in the normal spot in the URL format, though both of those require your +rsync version to be at least 3.2.0. +.P +.SH "OPTIONS" +.P +If the \fBfirst\fP arg is a \fB\-\-type=SSL_TYPE\fP option, the script will only use +that particular program to open an ssl connection instead of trying to find an +openssl or stunnel executable via a simple heuristic (assuming that the +\fBRSYNC_SSL_TYPE\fP environment variable is not set as well\ \-\- see below). This +option must specify one of \fBopenssl\fP or \fBstunnel\fP. The equal sign is +required for this particular option. +.P +All the other options are passed through to the rsync command, so consult the +\fBrsync\fP(1) manpage for more information on how it works. +.P +.SH "ENVIRONMENT VARIABLES" +.P +The ssl helper scripts are affected by the following environment variables: +.P +.IP "\fBRSYNC_SSL_TYPE\fP" +Specifies the program type that should be used to open the ssl connection. +It must be one of \fBopenssl\fP or \fBstunnel\fP. The \fB\-\-type=SSL_TYPE\fP option +overrides this, when specified. +.IP "\fBRSYNC_SSL_PORT\fP" +If specified, the value is the port number that is used as the default when +the user does not specify a port in their rsync command. When not +specified, the default port number is 874. (Note that older rsync versions +(prior to 3.2.0) did not communicate an overriding port number value to the +helper script.) +.IP "\fBRSYNC_SSL_CERT\fP" +If specified, the value is a filename that contains a certificate to use +for the connection. +.IP "\fBRSYNC_SSL_KEY\fP" +If specified, the value is a filename that contains a key for the provided +certificate to use for the connection. +.IP "\fBRSYNC_SSL_CA_CERT\fP" +If specified, the value is a filename that contains a certificate authority +certificate that is used to validate the connection. +.IP "\fBRSYNC_SSL_OPENSSL\fP" +Specifies the openssl executable to run when the connection type is set to +openssl. If unspecified, the $PATH is searched for "openssl". +.IP "\fBRSYNC_SSL_GNUTLS\fP" +Specifies the gnutls-cli executable to run when the connection type is set +to gnutls. If unspecified, the $PATH is searched for "gnutls-cli". +.IP "\fBRSYNC_SSL_STUNNEL\fP" +Specifies the stunnel executable to run when the connection type is set to +stunnel. If unspecified, the $PATH is searched first for "stunnel4" and +then for "stunnel". +.P +.SH "EXAMPLES" +.RS 4 +.P +.nf +rsync-ssl -aiv example.com::mod/ dest +.fi +.RE +.RS 4 +.P +.nf +rsync-ssl --type=openssl -aiv example.com::mod/ dest +.fi +.RE +.RS 4 +.P +.nf +rsync-ssl -aiv --port 9874 example.com::mod/ dest +.fi +.RE +.RS 4 +.P +.nf +rsync-ssl -aiv rsync://example.com:9874/mod/ dest +.fi +.RE +.P +.SH "THE SERVER SIDE" +.P +For help setting up an SSL/TLS supporting rsync, see the instructions in +rsyncd.conf. +.P +.SH "SEE ALSO" +.P +\fBrsync\fP(1), \fBrsyncd.conf\fP(5) +.P +.SH "CAVEATS" +.P +Note that using an stunnel connection requires at least version 4 of stunnel, +which should be the case on modern systems. Also, it does not verify a +connection against the CA certificate collection, so it only encrypts the +connection without any cert validation unless you have specified the +certificate environment options. +.P +This script also supports a \fB\-\-type=gnutls\fP option, but at the time of this +release the gnutls-cli command was dropping output, making it unusable. If +that bug has been fixed in your version, feel free to put gnutls into an +exported RSYNC_SSL_TYPE environment variable to make its use the default. +.P +.SH "BUGS" +.P +Please report bugs! See the web site at https://rsync.samba.org/. +.P +.SH "VERSION" +.P +This manpage is current for version 3.2.7 of rsync. +.P +.SH "CREDITS" +.P +Rsync is distributed under the GNU General Public License. See the file +COPYING for details. +.P +A web site is available at https://rsync.samba.org/. The site includes an +FAQ-O-Matic which may cover questions unanswered by this manual page. +.P +.SH "AUTHOR" +.P +This manpage was written by Wayne Davison. +.P +Mailing lists for support and development are available at +https://lists.samba.org/. diff --git a/rsync-ssl.1.html b/rsync-ssl.1.html new file mode 100644 index 0000000..682a7e9 --- /dev/null +++ b/rsync-ssl.1.html @@ -0,0 +1,154 @@ +<html><head> +<title>rsync-ssl(1) manpage</title> +<meta charset="UTF-8"/> +<link href="https://fonts.googleapis.com/css2?family=Roboto&family=Roboto+Mono&display=swap" rel="stylesheet"> +<style> +body { + max-width: 50em; + margin: auto; +} +body, b, strong, u { + font-family: 'Roboto', sans-serif; +} +a.tgt { font-face: symbol; font-weight: 400; font-size: 70%; visibility: hidden; text-decoration: none; color: #ddd; padding: 0 4px; border: 0; } +a.tgt:after { content: '🔗'; } +a.tgt:hover { color: #444; background-color: #eaeaea; } +h1:hover > a.tgt, h2:hover > a.tgt, h3:hover > a.tgt, dt:hover > a.tgt { visibility: visible; } +code { + font-family: 'Roboto Mono', monospace; + font-weight: bold; + white-space: pre; +} +pre code { + display: block; + font-weight: normal; +} +blockquote pre code { + background: #f1f1f1; +} +dd p:first-of-type { + margin-block-start: 0em; +} +</style> +</head><body> +<h2 id="NAME">NAME<a href="#NAME" class="tgt"></a></h2> +<p>rsync-ssl -⁠ a helper script for connecting to an ssl rsync daemon</p> +<h2 id="SYNOPSIS">SYNOPSIS<a href="#SYNOPSIS" class="tgt"></a></h2> +<pre><code>rsync-ssl [--type=SSL_TYPE] RSYNC_ARGS +</code></pre> +<p>The online version of this manpage (that includes cross-linking of topics) +is available at <a href="https://download.samba.org/pub/rsync/rsync-ssl.1">https://download.samba.org/pub/rsync/rsync-ssl.1</a>.</p> +<h2 id="DESCRIPTION">DESCRIPTION<a href="#DESCRIPTION" class="tgt"></a></h2> +<p>The rsync-ssl script helps you to run an rsync copy to/from an rsync daemon +that requires ssl connections.</p> +<p>The script requires that you specify an rsync-daemon arg in the style of either +<code>hostname::</code> (with 2 colons) or <code>rsync://hostname/</code>. The default port used for +connecting is 874 (one higher than the normal 873) unless overridden in the +environment. You can specify an overriding port via <code>--port</code> or by including +it in the normal spot in the URL format, though both of those require your +rsync version to be at least 3.2.0.</p> +<h2 id="OPTIONS">OPTIONS<a href="#OPTIONS" class="tgt"></a></h2> +<p>If the <strong>first</strong> arg is a <code>--type=SSL_TYPE</code> option, the script will only use +that particular program to open an ssl connection instead of trying to find an +openssl or stunnel executable via a simple heuristic (assuming that the +<code>RSYNC_SSL_TYPE</code> environment variable is not set as well -⁠-⁠ see below). This +option must specify one of <code>openssl</code> or <code>stunnel</code>. The equal sign is +required for this particular option.</p> +<p>All the other options are passed through to the rsync command, so consult the +<strong>rsync</strong>(1) manpage for more information on how it works.</p> +<h2 id="ENVIRONMENT_VARIABLES">ENVIRONMENT VARIABLES<a href="#ENVIRONMENT_VARIABLES" class="tgt"></a></h2> +<p>The ssl helper scripts are affected by the following environment variables:</p> +<dl> + +<dt id="RSYNC_SSL_TYPE"><code>RSYNC_SSL_TYPE</code><a href="#RSYNC_SSL_TYPE" class="tgt"></a></dt><dd> +<p>Specifies the program type that should be used to open the ssl connection. +It must be one of <code>openssl</code> or <code>stunnel</code>. The <code>--type=SSL_TYPE</code> option +overrides this, when specified.</p> +</dd> + +<dt id="RSYNC_SSL_PORT"><code>RSYNC_SSL_PORT</code><a href="#RSYNC_SSL_PORT" class="tgt"></a></dt><dd> +<p>If specified, the value is the port number that is used as the default when +the user does not specify a port in their rsync command. When not +specified, the default port number is 874. (Note that older rsync versions +(prior to 3.2.0) did not communicate an overriding port number value to the +helper script.)</p> +</dd> + +<dt id="RSYNC_SSL_CERT"><code>RSYNC_SSL_CERT</code><a href="#RSYNC_SSL_CERT" class="tgt"></a></dt><dd> +<p>If specified, the value is a filename that contains a certificate to use +for the connection.</p> +</dd> + +<dt id="RSYNC_SSL_KEY"><code>RSYNC_SSL_KEY</code><a href="#RSYNC_SSL_KEY" class="tgt"></a></dt><dd> +<p>If specified, the value is a filename that contains a key for the provided +certificate to use for the connection.</p> +</dd> + +<dt id="RSYNC_SSL_CA_CERT"><code>RSYNC_SSL_CA_CERT</code><a href="#RSYNC_SSL_CA_CERT" class="tgt"></a></dt><dd> +<p>If specified, the value is a filename that contains a certificate authority +certificate that is used to validate the connection.</p> +</dd> + +<dt id="RSYNC_SSL_OPENSSL"><code>RSYNC_SSL_OPENSSL</code><a href="#RSYNC_SSL_OPENSSL" class="tgt"></a></dt><dd> +<p>Specifies the openssl executable to run when the connection type is set to +openssl. If unspecified, the $PATH is searched for "openssl".</p> +</dd> + +<dt id="RSYNC_SSL_GNUTLS"><code>RSYNC_SSL_GNUTLS</code><a href="#RSYNC_SSL_GNUTLS" class="tgt"></a></dt><dd> +<p>Specifies the gnutls-cli executable to run when the connection type is set +to gnutls. If unspecified, the $PATH is searched for "gnutls-cli".</p> +</dd> + +<dt id="RSYNC_SSL_STUNNEL"><code>RSYNC_SSL_STUNNEL</code><a href="#RSYNC_SSL_STUNNEL" class="tgt"></a></dt><dd> +<p>Specifies the stunnel executable to run when the connection type is set to +stunnel. If unspecified, the $PATH is searched first for "stunnel4" and +then for "stunnel".</p> +</dd> +</dl> +<h2 id="EXAMPLES">EXAMPLES<a href="#EXAMPLES" class="tgt"></a></h2> +<blockquote> +<pre><code>rsync-ssl -aiv example.com::mod/ dest +</code></pre> +</blockquote> +<blockquote> +<pre><code>rsync-ssl --type=openssl -aiv example.com::mod/ dest +</code></pre> +</blockquote> +<blockquote> +<pre><code>rsync-ssl -aiv --port 9874 example.com::mod/ dest +</code></pre> +</blockquote> +<blockquote> +<pre><code>rsync-ssl -aiv rsync://example.com:9874/mod/ dest +</code></pre> +</blockquote> +<h2 id="THE_SERVER_SIDE">THE SERVER SIDE<a href="#THE_SERVER_SIDE" class="tgt"></a></h2> +<p>For help setting up an SSL/TLS supporting rsync, see the <a href="rsyncd.conf.5#SSL_TLS_Daemon_Setup">instructions in +rsyncd.conf</a>.</p> +<h2 id="SEE_ALSO">SEE ALSO<a href="#SEE_ALSO" class="tgt"></a></h2> +<p><a href="rsync.1"><strong>rsync</strong>(1)</a>, <a href="rsyncd.conf.5"><strong>rsyncd.conf</strong>(5)</a></p> +<h2 id="CAVEATS">CAVEATS<a href="#CAVEATS" class="tgt"></a></h2> +<p>Note that using an stunnel connection requires at least version 4 of stunnel, +which should be the case on modern systems. Also, it does not verify a +connection against the CA certificate collection, so it only encrypts the +connection without any cert validation unless you have specified the +certificate environment options.</p> +<p>This script also supports a <code>--type=gnutls</code> option, but at the time of this +release the gnutls-cli command was dropping output, making it unusable. If +that bug has been fixed in your version, feel free to put gnutls into an +exported RSYNC_SSL_TYPE environment variable to make its use the default.</p> +<h2 id="BUGS">BUGS<a href="#BUGS" class="tgt"></a></h2> +<p>Please report bugs! See the web site at <a href="https://rsync.samba.org/">https://rsync.samba.org/</a>.</p> +<h2 id="VERSION">VERSION<a href="#VERSION" class="tgt"></a></h2> +<p>This manpage is current for version 3.2.7 of rsync.</p> +<h2 id="CREDITS">CREDITS<a href="#CREDITS" class="tgt"></a></h2> +<p>Rsync is distributed under the GNU General Public License. See the file +<a href="COPYING">COPYING</a> for details.</p> +<p>A web site is available at <a href="https://rsync.samba.org/">https://rsync.samba.org/</a>. The site includes an +FAQ-O-Matic which may cover questions unanswered by this manual page.</p> +<h2 id="AUTHOR">AUTHOR<a href="#AUTHOR" class="tgt"></a></h2> +<p>This manpage was written by Wayne Davison.</p> +<p>Mailing lists for support and development are available at +<a href="https://lists.samba.org/">https://lists.samba.org/</a>.</p> +<div style="float: right"><p><i>20 Oct 2022</i></p></div> +</body></html> diff --git a/rsync-ssl.1.md b/rsync-ssl.1.md new file mode 100644 index 0000000..a6f1e3d --- /dev/null +++ b/rsync-ssl.1.md @@ -0,0 +1,140 @@ +## NAME + +rsync-ssl - a helper script for connecting to an ssl rsync daemon + +## SYNOPSIS + +``` +rsync-ssl [--type=SSL_TYPE] RSYNC_ARGS +``` + +The online version of this manpage (that includes cross-linking of topics) +is available at <https://download.samba.org/pub/rsync/rsync-ssl.1>. + +## DESCRIPTION + +The rsync-ssl script helps you to run an rsync copy to/from an rsync daemon +that requires ssl connections. + +The script requires that you specify an rsync-daemon arg in the style of either +`hostname::` (with 2 colons) or `rsync://hostname/`. The default port used for +connecting is 874 (one higher than the normal 873) unless overridden in the +environment. You can specify an overriding port via `--port` or by including +it in the normal spot in the URL format, though both of those require your +rsync version to be at least 3.2.0. + +## OPTIONS + +If the **first** arg is a `--type=SSL_TYPE` option, the script will only use +that particular program to open an ssl connection instead of trying to find an +openssl or stunnel executable via a simple heuristic (assuming that the +`RSYNC_SSL_TYPE` environment variable is not set as well -- see below). This +option must specify one of `openssl` or `stunnel`. The equal sign is +required for this particular option. + +All the other options are passed through to the rsync command, so consult the +**rsync**(1) manpage for more information on how it works. + +## ENVIRONMENT VARIABLES + +The ssl helper scripts are affected by the following environment variables: + +0. `RSYNC_SSL_TYPE` + + Specifies the program type that should be used to open the ssl connection. + It must be one of `openssl` or `stunnel`. The `--type=SSL_TYPE` option + overrides this, when specified. + +0. `RSYNC_SSL_PORT` + + If specified, the value is the port number that is used as the default when + the user does not specify a port in their rsync command. When not + specified, the default port number is 874. (Note that older rsync versions + (prior to 3.2.0) did not communicate an overriding port number value to the + helper script.) + +0. `RSYNC_SSL_CERT` + + If specified, the value is a filename that contains a certificate to use + for the connection. + +0. `RSYNC_SSL_KEY` + + If specified, the value is a filename that contains a key for the provided + certificate to use for the connection. + +0. `RSYNC_SSL_CA_CERT` + + If specified, the value is a filename that contains a certificate authority + certificate that is used to validate the connection. + +0. `RSYNC_SSL_OPENSSL` + + Specifies the openssl executable to run when the connection type is set to + openssl. If unspecified, the $PATH is searched for "openssl". + +0. `RSYNC_SSL_GNUTLS` + + Specifies the gnutls-cli executable to run when the connection type is set + to gnutls. If unspecified, the $PATH is searched for "gnutls-cli". + +0. `RSYNC_SSL_STUNNEL` + + Specifies the stunnel executable to run when the connection type is set to + stunnel. If unspecified, the $PATH is searched first for "stunnel4" and + then for "stunnel". + +## EXAMPLES + +> rsync-ssl -aiv example.com::mod/ dest + +> rsync-ssl --type=openssl -aiv example.com::mod/ dest + +> rsync-ssl -aiv --port 9874 example.com::mod/ dest + +> rsync-ssl -aiv rsync://example.com:9874/mod/ dest + +## THE SERVER SIDE + +For help setting up an SSL/TLS supporting rsync, see the [instructions in +rsyncd.conf](rsyncd.conf.5#SSL_TLS_Daemon_Setup). + +## SEE ALSO + +[**rsync**(1)](rsync.1), [**rsyncd.conf**(5)](rsyncd.conf.5) + +## CAVEATS + +Note that using an stunnel connection requires at least version 4 of stunnel, +which should be the case on modern systems. Also, it does not verify a +connection against the CA certificate collection, so it only encrypts the +connection without any cert validation unless you have specified the +certificate environment options. + +This script also supports a `--type=gnutls` option, but at the time of this +release the gnutls-cli command was dropping output, making it unusable. If +that bug has been fixed in your version, feel free to put gnutls into an +exported RSYNC_SSL_TYPE environment variable to make its use the default. + +## BUGS + +Please report bugs! See the web site at <https://rsync.samba.org/>. + +## VERSION + +This manpage is current for version @VERSION@ of rsync. + +## CREDITS + +Rsync is distributed under the GNU General Public License. See the file +[COPYING](COPYING) for details. + +A web site is available at <https://rsync.samba.org/>. The site includes an +FAQ-O-Matic which may cover questions unanswered by this manual page. + +## AUTHOR + +This manpage was written by Wayne Davison. + +Mailing lists for support and development are available at +<https://lists.samba.org/>. |