DO NOT REPLY [Bug 1890] TLS for rsync protocol

samba-bugs at samba.org
Sun Aug 6 07:39:47 GMT 2006


https://bugzilla.samba.org/show_bug.cgi?id=1890


marineam at osuosl.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |marineam at osuosl.org




------- Comment #2 from marineam at osuosl.org  2006-08-06 02:39 MST -------
(In reply to comment #1)
> There is a diff in the patches directory named openssl-support.diff that
> contains an implementation of optional ssl support for an rsync daemon.  The
> version of this patch that was released with 2.6.3 has a few problems, so if you
> want to try it out, grab the latest version of the patch from CVS:
> 
> http://rsync.samba.org/ftp/unpacked/rsync/patches/openssl-support.diff
> 
> I have never gotten the patch to work, however -- it always fails with an "ssl
> handshake failure".  This might be because I don't know the proper way to
> configure the key/certificate options.  Or, it might mean that a bug crept into
> the code.

The current version of the patch listed above does not run init_tls() in daemon
mode. This will of course cause start_tls() to fail very quickly, which gives the
above error message. Not sure if that was the problem back in 2004, but with a
little tweaking to call init_tls() along with a couple of minor things this works
for me.

My current version of the patch, based on release 2.6.8 is available here:
http://staff.osuosl.org/~marineam/files/rsync/rsync-openssl-1.diff

I have not extensively tested things yet, but doing the following gets me a
directory listing over the encrypted connection: (using the testing cert/key
shipped with stunnel to avoid generating one)

rsync --daemon --config ./rsyncd.conf \
     --ssl-cert ./stunnel.crt --ssl-key ./stunnel-key

rsync --ssl localhost::something/

If anyone has any comments on how to improve the patch let me know, I have not
dug into it any further than the minimum required to make it work.


-- 
Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.

