Diffstat (limited to '')
-rwxr-xr-xrsync-ssl198
-rw-r--r--rsync-ssl.1144
-rw-r--r--rsync-ssl.1.html154
-rw-r--r--rsync-ssl.1.md140
4 files changed, 636 insertions, 0 deletions
diff --git a/rsync-ssl b/rsync-ssl
new file mode 100755
index 0000000..56ee7df
--- /dev/null
+++ b/rsync-ssl
@@ -0,0 +1,198 @@
+#!/usr/bin/env bash
+
+# This script uses openssl, gnutls, or stunnel to secure an rsync daemon connection.
+
+# By default this script takes rsync args and hands them off to the actual
+# rsync command with an --rsh option that makes it open an SSL connection to an
+# rsync daemon. See the rsync-ssl manpage for usage details and env variables.
+
+# When the first arg is --HELPER, we are being used by rsync as an --rsh helper
+# script, and the args are (note the trailing dot):
+#
+# rsync-ssl --HELPER HOSTNAME rsync --server --daemon .
+#
+# --HELPER is not a user-facing option, so it is not documented in the manpage.
+
+# The first SSL setup was based on: http://dozzie.jarowit.net/trac/wiki/RsyncSSL
+# Note that an stunnel connection requires at least version 4.x of stunnel.
+
+function rsync_ssl_run {
+ case "$*" in
+ *rsync://*) ;;
+ *::*) ;;
+ *)
+ echo "You must use rsync-ssl with a daemon-style hostname." 1>&2
+ exit 1
+ ;;
+ esac
+
+ exec rsync --rsh="$0 --HELPER" "${@}"
+}
+
+function rsync_ssl_helper {
+ if [[ -z "$RSYNC_SSL_TYPE" ]]; then
+ found=`path_search openssl stunnel4 stunnel` || exit 1
+ if [[ "$found" == */openssl ]]; then
+ RSYNC_SSL_TYPE=openssl
+ RSYNC_SSL_OPENSSL="$found"
+ elif [[ "$found" == */gnutls-cli ]]; then
+ RSYNC_SSL_TYPE=gnutls
+ RSYNC_SSL_GNUTLS="$found"
+ else
+ RSYNC_SSL_TYPE=stunnel
+ RSYNC_SSL_STUNNEL="$found"
+ fi
+ fi
+
+ case "$RSYNC_SSL_TYPE" in
+ openssl)
+ if [[ -z "$RSYNC_SSL_OPENSSL" ]]; then
+ RSYNC_SSL_OPENSSL=`path_search openssl` || exit 1
+ fi
+ optsep=' '
+ ;;
+ gnutls)
+ if [[ -z "$RSYNC_SSL_GNUTLS" ]]; then
+ RSYNC_SSL_GNUTLS=`path_search gnutls-cli` || exit 1
+ fi
+ optsep=' '
+ ;;
+ stunnel)
+ if [[ -z "$RSYNC_SSL_STUNNEL" ]]; then
+ RSYNC_SSL_STUNNEL=`path_search stunnel4 stunnel` || exit 1
+ fi
+ optsep=' = '
+ ;;
+ *)
+ echo "The RSYNC_SSL_TYPE specifies an unknown type: $RSYNC_SSL_TYPE" 1>&2
+ exit 1
+ ;;
+ esac
+
+ if [[ -z "$RSYNC_SSL_CERT" ]]; then
+ certopt=""
+ gnutls_cert_opt=""
+ else
+ certopt="-cert$optsep$RSYNC_SSL_CERT"
+ gnutls_cert_opt="--x509certfile=$RSYNC_SSL_CERT"
+ fi
+
+ if [[ -z "$RSYNC_SSL_KEY" ]]; then
+ keyopt=""
+ gnutls_key_opt=""
+ else
+ keyopt="-key$optsep$RSYNC_SSL_KEY"
+ gnutls_key_opt="--x509keyfile=$RSYNC_SSL_KEY"
+ fi
+
+ if [[ -z ${RSYNC_SSL_CA_CERT+x} ]]; then
+ # RSYNC_SSL_CA_CERT unset - default CA set AND verify:
+ # openssl:
+ caopt="-verify_return_error -verify 4"
+ # gnutls:
+ gnutls_opts=""
+ # stunnel:
+ # Since there is no way of using the default CA certificate collection,
+ # we cannot do any verification. Thus, stunnel should really only be
+ # used if nothing else is available.
+ cafile=""
+ verify=""
+ elif [[ "$RSYNC_SSL_CA_CERT" == "" ]]; then
+ # RSYNC_SSL_CA_CERT set but empty -do NO verifications:
+ # openssl:
+ caopt="-verify 1"
+ # gnutls:
+ gnutls_opts="--insecure"
+ # stunnel:
+ cafile=""
+ verify="verifyChain = no"
+ else
+ # RSYNC_SSL_CA_CERT set - use CA AND verify:
+ # openssl:
+ caopt="-CAfile $RSYNC_SSL_CA_CERT -verify_return_error -verify 4"
+ # gnutls:
+ gnutls_opts="--x509cafile=$RSYNC_SSL_CA_CERT"
+ # stunnel:
+ cafile="CAfile = $RSYNC_SSL_CA_CERT"
+ verify="verifyChain = yes"
+ fi
+
+ port="${RSYNC_PORT:-0}"
+ if [[ "$port" == 0 ]]; then
+ port="${RSYNC_SSL_PORT:-874}"
+ fi
+
+ # If the user specified USER@HOSTNAME::module, then rsync passes us
+ # the -l USER option too, so we must be prepared to ignore it.
+ if [[ "$1" == "-l" ]]; then
+ shift 2
+ fi
+
+ hostname="$1"
+ shift
+
+ if [[ -z "$hostname" || "$1" != rsync || "$2" != --server || "$3" != --daemon ]]; then
+ echo "Usage: rsync-ssl --HELPER HOSTNAME rsync --server --daemon ." 1>&2
+ exit 1
+ fi
+
+ if [[ $RSYNC_SSL_TYPE == openssl ]]; then
+ exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt $keyopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port
+ elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then
+ exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_key_opt $gnutls_opts $hostname:$port
+ else
+ # devzero@web.de came up with this no-tmpfile calling syntax:
+ exec $RSYNC_SSL_STUNNEL -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-
+foreground = yes
+debug = crit
+connect = $hostname:$port
+client = yes
+TIMEOUTclose = 0
+$verify
+$certopt
+$cafile
+EOF
+ fi
+}
+
+function path_search {
+ IFS_SAVE="$IFS"
+ IFS=:
+ for prog in "${@}"; do
+ for dir in $PATH; do
+ [[ -z "$dir" ]] && dir=.
+ if [[ -f "$dir/$prog" && -x "$dir/$prog" ]]; then
+ echo "$dir/$prog"
+ IFS="$IFS_SAVE"
+ return 0
+ fi
+ done
+ done
+
+ IFS="$IFS_SAVE"
+ echo "Failed to find on your path: $*" 1>&2
+ echo "See the rsync-ssl manpage for configuration assistance." 1>&2
+ return 1
+}
+
+if [[ "$#" == 0 ]]; then
+ echo "Usage: rsync-ssl [--type=SSL_TYPE] RSYNC_ARG [...]" 1>&2
+ echo "The SSL_TYPE can be openssl or stunnel"
+ exit 1
+fi
+
+if [[ "$1" = --help || "$1" = -h ]]; then
+ exec rsync --help
+fi
+
+if [[ "$1" == --HELPER ]]; then
+ shift
+ rsync_ssl_helper "${@}"
+fi
+
+if [[ "$1" == --type=* ]]; then
+ export RSYNC_SSL_TYPE="${1/--type=/}"
+ shift
+fi
+
+rsync_ssl_run "${@}"
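Review bot: The stunnel branch verifies the chain but never binds the certificate to the target host: when RSYNC_SSL_CA_CERT is set the generated config contains `verifyChain = yes` and `CAfile = …` but no `checkHost`, so any certificate issued by that CA for any name is accepted, whereas the openssl branch explicitly passes `-verify_hostname $hostname`. Since `hostname` is only assigned after the verify block, the smallest fix is one line placed after `hostname="$1"` / `shift`: `[[ "$verify" == "verifyChain = yes" ]] && verify="$verify"$'\n'"checkHost = $hostname"`. Also worth confirming with a real stunnel run: the heredoc emits `$certopt`, which with `optsep=' = '` expands to `-cert = FILE` (the leading dash comes from the openssl-style name), and `$keyopt` is never emitted into the stunnel config at all, so a client cert/key pair likely does not work for stunnel as written. As far as I recall `verifyChain` and `checkHost` are stunnel 5 options, which would make the "at least version 4.x" note near the top of the file stale.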
diff --git a/rsync-ssl.1 b/rsync-ssl.1
new file mode 100644
index 0000000..c7f5ad1
--- /dev/null
+++ b/rsync-ssl.1
@@ -0,0 +1,144 @@
+.TH "rsync-ssl" "1" "20 Oct 2022" "rsync-ssl from rsync 3.2.7" "User Commands"
+.\" prefix=/usr
+.P
+.SH "NAME"
+.P
+rsync-ssl \- a helper script for connecting to an ssl rsync daemon
+.P
+.SH "SYNOPSIS"
+.P
+.nf
+rsync-ssl [--type=SSL_TYPE] RSYNC_ARGS
+.fi
+.P
+The online version of this manpage (that includes cross-linking of topics)
+is available at https://download.samba.org/pub/rsync/rsync-ssl.1.
+.P
+.SH "DESCRIPTION"
+.P
+The rsync-ssl script helps you to run an rsync copy to/from an rsync daemon
+that requires ssl connections.
+.P
+The script requires that you specify an rsync-daemon arg in the style of either
+\fBhostname::\fP (with 2 colons) or \fBrsync://hostname/\fP. The default port used for
+connecting is 874 (one higher than the normal 873) unless overridden in the
+environment. You can specify an overriding port via \fB\-\-port\fP or by including
+it in the normal spot in the URL format, though both of those require your
+rsync version to be at least 3.2.0.
+.P
+.SH "OPTIONS"
+.P
+If the \fBfirst\fP arg is a \fB\-\-type=SSL_TYPE\fP option, the script will only use
+that particular program to open an ssl connection instead of trying to find an
+openssl or stunnel executable via a simple heuristic (assuming that the
+\fBRSYNC_SSL_TYPE\fP environment variable is not set as well\ \-\- see below). This
+option must specify one of \fBopenssl\fP or \fBstunnel\fP. The equal sign is
+required for this particular option.
+.P
+All the other options are passed through to the rsync command, so consult the
+\fBrsync\fP(1) manpage for more information on how it works.
+.P
+.SH "ENVIRONMENT VARIABLES"
+.P
+The ssl helper scripts are affected by the following environment variables:
+.P
+.IP "\fBRSYNC_SSL_TYPE\fP"
+Specifies the program type that should be used to open the ssl connection.
+It must be one of \fBopenssl\fP or \fBstunnel\fP. The \fB\-\-type=SSL_TYPE\fP option
+overrides this, when specified.
+.IP "\fBRSYNC_SSL_PORT\fP"
+If specified, the value is the port number that is used as the default when
+the user does not specify a port in their rsync command. When not
+specified, the default port number is 874. (Note that older rsync versions
+(prior to 3.2.0) did not communicate an overriding port number value to the
+helper script.)
+.IP "\fBRSYNC_SSL_CERT\fP"
+If specified, the value is a filename that contains a certificate to use
+for the connection.
+.IP "\fBRSYNC_SSL_KEY\fP"
+If specified, the value is a filename that contains a key for the provided
+certificate to use for the connection.
+.IP "\fBRSYNC_SSL_CA_CERT\fP"
+If specified, the value is a filename that contains a certificate authority
+certificate that is used to validate the connection.
+.IP "\fBRSYNC_SSL_OPENSSL\fP"
+Specifies the openssl executable to run when the connection type is set to
+openssl. If unspecified, the $PATH is searched for "openssl".
+.IP "\fBRSYNC_SSL_GNUTLS\fP"
+Specifies the gnutls-cli executable to run when the connection type is set
+to gnutls. If unspecified, the $PATH is searched for "gnutls-cli".
+.IP "\fBRSYNC_SSL_STUNNEL\fP"
+Specifies the stunnel executable to run when the connection type is set to
+stunnel. If unspecified, the $PATH is searched first for "stunnel4" and
+then for "stunnel".
+.P
+.SH "EXAMPLES"
+.RS 4
+.P
+.nf
+rsync-ssl -aiv example.com::mod/ dest
+.fi
+.RE
+.RS 4
+.P
+.nf
+rsync-ssl --type=openssl -aiv example.com::mod/ dest
+.fi
+.RE
+.RS 4
+.P
+.nf
+rsync-ssl -aiv --port 9874 example.com::mod/ dest
+.fi
+.RE
+.RS 4
+.P
+.nf
+rsync-ssl -aiv rsync://example.com:9874/mod/ dest
+.fi
+.RE
+.P
+.SH "THE SERVER SIDE"
+.P
+For help setting up an SSL/TLS supporting rsync, see the instructions in
+rsyncd.conf.
+.P
+.SH "SEE ALSO"
+.P
+\fBrsync\fP(1), \fBrsyncd.conf\fP(5)
+.P
+.SH "CAVEATS"
+.P
+Note that using an stunnel connection requires at least version 4 of stunnel,
+which should be the case on modern systems. Also, it does not verify a
+connection against the CA certificate collection, so it only encrypts the
+connection without any cert validation unless you have specified the
+certificate environment options.
+.P
+This script also supports a \fB\-\-type=gnutls\fP option, but at the time of this
+release the gnutls-cli command was dropping output, making it unusable. If
+that bug has been fixed in your version, feel free to put gnutls into an
+exported RSYNC_SSL_TYPE environment variable to make its use the default.
+.P
+.SH "BUGS"
+.P
+Please report bugs! See the web site at https://rsync.samba.org/.
+.P
+.SH "VERSION"
+.P
+This manpage is current for version 3.2.7 of rsync.
+.P
+.SH "CREDITS"
+.P
+Rsync is distributed under the GNU General Public License. See the file
+COPYING for details.
+.P
+A web site is available at https://rsync.samba.org/. The site includes an
+FAQ-O-Matic which may cover questions unanswered by this manual page.
+.P
+.SH "AUTHOR"
+.P
+This manpage was written by Wayne Davison.
+.P
+Mailing lists for support and development are available at
+https://lists.samba.org/.
diff --git a/rsync-ssl.1.html b/rsync-ssl.1.html
new file mode 100644
index 0000000..682a7e9
--- /dev/null
+++ b/rsync-ssl.1.html
@@ -0,0 +1,154 @@
+<html><head>
+<title>rsync-ssl(1) manpage</title>
+<meta charset="UTF-8"/>
+<link href="https://fonts.googleapis.com/css2?family=Roboto&family=Roboto+Mono&display=swap" rel="stylesheet">
+<style>
+body {
+ max-width: 50em;
+ margin: auto;
+}
+body, b, strong, u {
+ font-family: 'Roboto', sans-serif;
+}
+a.tgt { font-face: symbol; font-weight: 400; font-size: 70%; visibility: hidden; text-decoration: none; color: #ddd; padding: 0 4px; border: 0; }
+a.tgt:after { content: '🔗'; }
+a.tgt:hover { color: #444; background-color: #eaeaea; }
+h1:hover > a.tgt, h2:hover > a.tgt, h3:hover > a.tgt, dt:hover > a.tgt { visibility: visible; }
+code {
+ font-family: 'Roboto Mono', monospace;
+ font-weight: bold;
+ white-space: pre;
+}
+pre code {
+ display: block;
+ font-weight: normal;
+}
+blockquote pre code {
+ background: #f1f1f1;
+}
+dd p:first-of-type {
+ margin-block-start: 0em;
+}
+</style>
+</head><body>
+<h2 id="NAME">NAME<a href="#NAME" class="tgt"></a></h2>
+<p>rsync-ssl -&#8288; a helper script for connecting to an ssl rsync daemon</p>
+<h2 id="SYNOPSIS">SYNOPSIS<a href="#SYNOPSIS" class="tgt"></a></h2>
+<pre><code>rsync-ssl [--type=SSL_TYPE] RSYNC_ARGS
+</code></pre>
+<p>The online version of this manpage (that includes cross-linking of topics)
+is available at <a href="https://download.samba.org/pub/rsync/rsync-ssl.1">https://download.samba.org/pub/rsync/rsync-ssl.1</a>.</p>
+<h2 id="DESCRIPTION">DESCRIPTION<a href="#DESCRIPTION" class="tgt"></a></h2>
+<p>The rsync-ssl script helps you to run an rsync copy to/from an rsync daemon
+that requires ssl connections.</p>
+<p>The script requires that you specify an rsync-daemon arg in the style of either
+<code>hostname::</code> (with 2 colons) or <code>rsync://hostname/</code>. The default port used for
+connecting is 874 (one higher than the normal 873) unless overridden in the
+environment. You can specify an overriding port via <code>--port</code> or by including
+it in the normal spot in the URL format, though both of those require your
+rsync version to be at least 3.2.0.</p>
+<h2 id="OPTIONS">OPTIONS<a href="#OPTIONS" class="tgt"></a></h2>
+<p>If the <strong>first</strong> arg is a <code>--type=SSL_TYPE</code> option, the script will only use
+that particular program to open an ssl connection instead of trying to find an
+openssl or stunnel executable via a simple heuristic (assuming that the
+<code>RSYNC_SSL_TYPE</code> environment variable is not set as well&nbsp;-&#8288;-&#8288; see below). This
+option must specify one of <code>openssl</code> or <code>stunnel</code>. The equal sign is
+required for this particular option.</p>
+<p>All the other options are passed through to the rsync command, so consult the
+<strong>rsync</strong>(1) manpage for more information on how it works.</p>
+<h2 id="ENVIRONMENT_VARIABLES">ENVIRONMENT VARIABLES<a href="#ENVIRONMENT_VARIABLES" class="tgt"></a></h2>
+<p>The ssl helper scripts are affected by the following environment variables:</p>
+<dl>
+
+<dt id="RSYNC_SSL_TYPE"><code>RSYNC_SSL_TYPE</code><a href="#RSYNC_SSL_TYPE" class="tgt"></a></dt><dd>
+<p>Specifies the program type that should be used to open the ssl connection.
+It must be one of <code>openssl</code> or <code>stunnel</code>. The <code>--type=SSL_TYPE</code> option
+overrides this, when specified.</p>
+</dd>
+
+<dt id="RSYNC_SSL_PORT"><code>RSYNC_SSL_PORT</code><a href="#RSYNC_SSL_PORT" class="tgt"></a></dt><dd>
+<p>If specified, the value is the port number that is used as the default when
+the user does not specify a port in their rsync command. When not
+specified, the default port number is 874. (Note that older rsync versions
+(prior to 3.2.0) did not communicate an overriding port number value to the
+helper script.)</p>
+</dd>
+
+<dt id="RSYNC_SSL_CERT"><code>RSYNC_SSL_CERT</code><a href="#RSYNC_SSL_CERT" class="tgt"></a></dt><dd>
+<p>If specified, the value is a filename that contains a certificate to use
+for the connection.</p>
+</dd>
+
+<dt id="RSYNC_SSL_KEY"><code>RSYNC_SSL_KEY</code><a href="#RSYNC_SSL_KEY" class="tgt"></a></dt><dd>
+<p>If specified, the value is a filename that contains a key for the provided
+certificate to use for the connection.</p>
+</dd>
+
+<dt id="RSYNC_SSL_CA_CERT"><code>RSYNC_SSL_CA_CERT</code><a href="#RSYNC_SSL_CA_CERT" class="tgt"></a></dt><dd>
+<p>If specified, the value is a filename that contains a certificate authority
+certificate that is used to validate the connection.</p>
+</dd>
+
+<dt id="RSYNC_SSL_OPENSSL"><code>RSYNC_SSL_OPENSSL</code><a href="#RSYNC_SSL_OPENSSL" class="tgt"></a></dt><dd>
+<p>Specifies the openssl executable to run when the connection type is set to
+openssl. If unspecified, the $PATH is searched for &quot;openssl&quot;.</p>
+</dd>
+
+<dt id="RSYNC_SSL_GNUTLS"><code>RSYNC_SSL_GNUTLS</code><a href="#RSYNC_SSL_GNUTLS" class="tgt"></a></dt><dd>
+<p>Specifies the gnutls-cli executable to run when the connection type is set
+to gnutls. If unspecified, the $PATH is searched for &quot;gnutls-cli&quot;.</p>
+</dd>
+
+<dt id="RSYNC_SSL_STUNNEL"><code>RSYNC_SSL_STUNNEL</code><a href="#RSYNC_SSL_STUNNEL" class="tgt"></a></dt><dd>
+<p>Specifies the stunnel executable to run when the connection type is set to
+stunnel. If unspecified, the $PATH is searched first for &quot;stunnel4&quot; and
+then for &quot;stunnel&quot;.</p>
+</dd>
+</dl>
+<h2 id="EXAMPLES">EXAMPLES<a href="#EXAMPLES" class="tgt"></a></h2>
+<blockquote>
+<pre><code>rsync-ssl -aiv example.com::mod/ dest
+</code></pre>
+</blockquote>
+<blockquote>
+<pre><code>rsync-ssl --type=openssl -aiv example.com::mod/ dest
+</code></pre>
+</blockquote>
+<blockquote>
+<pre><code>rsync-ssl -aiv --port 9874 example.com::mod/ dest
+</code></pre>
+</blockquote>
+<blockquote>
+<pre><code>rsync-ssl -aiv rsync://example.com:9874/mod/ dest
+</code></pre>
+</blockquote>
+<h2 id="THE_SERVER_SIDE">THE SERVER SIDE<a href="#THE_SERVER_SIDE" class="tgt"></a></h2>
+<p>For help setting up an SSL/TLS supporting rsync, see the <a href="rsyncd.conf.5#SSL_TLS_Daemon_Setup">instructions in
+rsyncd.conf</a>.</p>
+<h2 id="SEE_ALSO">SEE ALSO<a href="#SEE_ALSO" class="tgt"></a></h2>
+<p><a href="rsync.1"><strong>rsync</strong>(1)</a>, <a href="rsyncd.conf.5"><strong>rsyncd.conf</strong>(5)</a></p>
+<h2 id="CAVEATS">CAVEATS<a href="#CAVEATS" class="tgt"></a></h2>
+<p>Note that using an stunnel connection requires at least version 4 of stunnel,
+which should be the case on modern systems. Also, it does not verify a
+connection against the CA certificate collection, so it only encrypts the
+connection without any cert validation unless you have specified the
+certificate environment options.</p>
+<p>This script also supports a <code>--type=gnutls</code> option, but at the time of this
+release the gnutls-cli command was dropping output, making it unusable. If
+that bug has been fixed in your version, feel free to put gnutls into an
+exported RSYNC_SSL_TYPE environment variable to make its use the default.</p>
+<h2 id="BUGS">BUGS<a href="#BUGS" class="tgt"></a></h2>
+<p>Please report bugs! See the web site at <a href="https://rsync.samba.org/">https://rsync.samba.org/</a>.</p>
+<h2 id="VERSION">VERSION<a href="#VERSION" class="tgt"></a></h2>
+<p>This manpage is current for version 3.2.7 of rsync.</p>
+<h2 id="CREDITS">CREDITS<a href="#CREDITS" class="tgt"></a></h2>
+<p>Rsync is distributed under the GNU General Public License. See the file
+<a href="COPYING">COPYING</a> for details.</p>
+<p>A web site is available at <a href="https://rsync.samba.org/">https://rsync.samba.org/</a>. The site includes an
+FAQ-O-Matic which may cover questions unanswered by this manual page.</p>
+<h2 id="AUTHOR">AUTHOR<a href="#AUTHOR" class="tgt"></a></h2>
+<p>This manpage was written by Wayne Davison.</p>
+<p>Mailing lists for support and development are available at
+<a href="https://lists.samba.org/">https://lists.samba.org/</a>.</p>
+<div style="float: right"><p><i>20 Oct 2022</i></p></div>
+</body></html>
diff --git a/rsync-ssl.1.md b/rsync-ssl.1.md
new file mode 100644
index 0000000..a6f1e3d
--- /dev/null
+++ b/rsync-ssl.1.md
@@ -0,0 +1,140 @@
+## NAME
+
+rsync-ssl - a helper script for connecting to an ssl rsync daemon
+
+## SYNOPSIS
+
+```
+rsync-ssl [--type=SSL_TYPE] RSYNC_ARGS
+```
+
+The online version of this manpage (that includes cross-linking of topics)
+is available at <https://download.samba.org/pub/rsync/rsync-ssl.1>.
+
+## DESCRIPTION
+
+The rsync-ssl script helps you to run an rsync copy to/from an rsync daemon
+that requires ssl connections.
+
+The script requires that you specify an rsync-daemon arg in the style of either
+`hostname::` (with 2 colons) or `rsync://hostname/`. The default port used for
+connecting is 874 (one higher than the normal 873) unless overridden in the
+environment. You can specify an overriding port via `--port` or by including
+it in the normal spot in the URL format, though both of those require your
+rsync version to be at least 3.2.0.
+
+## OPTIONS
+
+If the **first** arg is a `--type=SSL_TYPE` option, the script will only use
+that particular program to open an ssl connection instead of trying to find an
+openssl or stunnel executable via a simple heuristic (assuming that the
+`RSYNC_SSL_TYPE` environment variable is not set as well -- see below). This
+option must specify one of `openssl` or `stunnel`. The equal sign is
+required for this particular option.
+
+All the other options are passed through to the rsync command, so consult the
+**rsync**(1) manpage for more information on how it works.
+
+## ENVIRONMENT VARIABLES
+
+The ssl helper scripts are affected by the following environment variables:
+
+0. `RSYNC_SSL_TYPE`
+
+ Specifies the program type that should be used to open the ssl connection.
+ It must be one of `openssl` or `stunnel`. The `--type=SSL_TYPE` option
+ overrides this, when specified.
+
+0. `RSYNC_SSL_PORT`
+
+ If specified, the value is the port number that is used as the default when
+ the user does not specify a port in their rsync command. When not
+ specified, the default port number is 874. (Note that older rsync versions
+ (prior to 3.2.0) did not communicate an overriding port number value to the
+ helper script.)
+
+0. `RSYNC_SSL_CERT`
+
+ If specified, the value is a filename that contains a certificate to use
+ for the connection.
+
+0. `RSYNC_SSL_KEY`
+
+ If specified, the value is a filename that contains a key for the provided
+ certificate to use for the connection.
+
+0. `RSYNC_SSL_CA_CERT`
+
+ If specified, the value is a filename that contains a certificate authority
+ certificate that is used to validate the connection.
+
+0. `RSYNC_SSL_OPENSSL`
+
+ Specifies the openssl executable to run when the connection type is set to
+ openssl. If unspecified, the $PATH is searched for "openssl".
+
+0. `RSYNC_SSL_GNUTLS`
+
+ Specifies the gnutls-cli executable to run when the connection type is set
+ to gnutls. If unspecified, the $PATH is searched for "gnutls-cli".
+
+0. `RSYNC_SSL_STUNNEL`
+
+ Specifies the stunnel executable to run when the connection type is set to
+ stunnel. If unspecified, the $PATH is searched first for "stunnel4" and
+ then for "stunnel".
+
+## EXAMPLES
+
+> rsync-ssl -aiv example.com::mod/ dest
+
+> rsync-ssl --type=openssl -aiv example.com::mod/ dest
+
+> rsync-ssl -aiv --port 9874 example.com::mod/ dest
+
+> rsync-ssl -aiv rsync://example.com:9874/mod/ dest
+
+## THE SERVER SIDE
+
+For help setting up an SSL/TLS supporting rsync, see the [instructions in
+rsyncd.conf](rsyncd.conf.5#SSL_TLS_Daemon_Setup).
+
+## SEE ALSO
+
+[**rsync**(1)](rsync.1), [**rsyncd.conf**(5)](rsyncd.conf.5)
+
+## CAVEATS
+
+Note that using an stunnel connection requires at least version 4 of stunnel,
+which should be the case on modern systems. Also, it does not verify a
+connection against the CA certificate collection, so it only encrypts the
+connection without any cert validation unless you have specified the
+certificate environment options.
+
+This script also supports a `--type=gnutls` option, but at the time of this
+release the gnutls-cli command was dropping output, making it unusable. If
+that bug has been fixed in your version, feel free to put gnutls into an
+exported RSYNC_SSL_TYPE environment variable to make its use the default.
+
+## BUGS
+
+Please report bugs! See the web site at <https://rsync.samba.org/>.
+
+## VERSION
+
+This manpage is current for version @VERSION@ of rsync.
+
+## CREDITS
+
+Rsync is distributed under the GNU General Public License. See the file
+[COPYING](COPYING) for details.
+
+A web site is available at <https://rsync.samba.org/>. The site includes an
+FAQ-O-Matic which may cover questions unanswered by this manual page.
+
+## AUTHOR
+
+This manpage was written by Wayne Davison.
+
+Mailing lists for support and development are available at
+<https://lists.samba.org/>.