Choose openssl before stunnel.

Wayne Davison
2020-06-15 09:51:20 -07:00
parent 00ec415a69
commit 628dcceb8d
2 changed files with 18 additions and 12 deletions


@@ -1,6 +1,6 @@
#!/bin/bash
# This script supports using stunnel or openssl to secure an rsync daemon connection.
# This script supports using openssl or stunnel to secure an rsync daemon connection.
# By default this script takes rsync args and hands them off to the actual
# rsync command with an --rsh option that makes it open an SSL connection to an
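Review bot: the reworded header comment still reads as if the two tools are equivalent, while the rest of this commit makes openssl the preferred choice because stunnel cannot verify against the default CA collection. Suggest stating the preference and its reason in the header, e.g. "openssl is tried first because stunnel offers no CA verification", so a reader of the script sees why the order matters without digging into rsync_ssl_helper.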
@@ -31,7 +31,7 @@ function rsync_ssl_run {
function rsync_ssl_helper {
if [[ -z "$RSYNC_SSL_TYPE" ]]; then
found=`path_search stunnel4 stunnel openssl` || exit 1
found=`path_search openssl stunnel4 stunnel` || exit 1
if [[ "$found" == */openssl ]]; then
RSYNC_SSL_TYPE=openssl
RSYNC_SSL_OPENSSL="$found"
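Review bot: reordering `path_search openssl stunnel4 stunnel` changes behaviour on hosts that have both tools installed: an existing user who got stunnel via the PATH heuristic now silently gets openssl with `-verify_return_error -verify 4`, so a connection to a server with an untrusted certificate that used to succeed (unverified) will now fail. That is the right default, but it deserves a mention in the commit message or NEWS so the change in failure mode is not mistaken for a regression. Minor style point: the backtick command substitution could become `$(path_search openssl stunnel4 stunnel)` to match modern bash usage.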
@@ -71,6 +71,9 @@ function rsync_ssl_helper {
# openssl:
caopt="-verify_return_error -verify 4"
# stunnel:
# Since there is no way of using the default CA certificate collection,
# we cannot do any verification. Thus, stunnel should really only be
# used if nothing else is available.
cafile=""
verify=""
elif [[ "$RSYNC_SSL_CA_CERT" == "" ]]; then
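Review bot: the new comment is accurate, but the branch still sets `cafile=""` and `verify=""` and continues silently, so a user who ends up on stunnel gets an encrypted but unauthenticated connection with no indication of it. Suggest an `echo "rsync-ssl: stunnel cannot verify the server certificate without RSYNC_SSL_CA_CERT" 1>&2` in this branch, so the degraded mode is visible at run time rather than only in the man page caveat.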
@@ -147,7 +150,7 @@ function path_search {
if [[ "$#" == 0 ]]; then
echo "Usage: rsync-ssl [--type=SSL_TYPE] RSYNC_ARG [...]" 1>&2
echo "The SSL_TYPE can be stunnel or openssl"
echo "The SSL_TYPE can be openssl or stunnel"
exit 1
fi
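Review bot: the usage line above goes to stderr with `1>&2` but the "The SSL_TYPE can be openssl or stunnel" line does not, so the two halves of the usage message can end up on different streams. Suggest adding `1>&2` to the second echo as well, since this hunk already touches that line.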


@@ -17,7 +17,7 @@ that requires ssl connections.
If the **first** arg is a `--type=SSL_TYPE` option, the script will only use
that particular program to open an ssl connection instead of trying to find an
stunnel or openssl executable via a simple heuristic (assuming that the
openssl or stunnel executable via a simple heuristic (assuming that the
`RSYNC_SSL_TYPE` environment variable is not set as well -- see below). This
option must specify one of `openssl` or `stunnel`. The equal sign is
required for this particular option.
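Review bot: swapping the word order fixes the "an stunnel" article, but the paragraph still does not tell the reader which program the heuristic picks when both are present. Suggest appending "(openssl is preferred when both are found)" after "simple heuristic", which matches the new path_search order in the script.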
@@ -41,17 +41,12 @@ The ssl helper scripts are affected by the following environment variables:
certificate to use for the connection.
0. `RSYNC_SSL_CA_CERT` If specified, the value is a filename that contains a
certificate authority certificate that is used to validate the connection.
0. `RSYNC_SSL_STUNNEL` Specifies the stunnel executable to run when the
connection type is set to stunnel. If unspecified, the $PATH is searched
first for "stunnel4" and then for "stunnel".
0. `RSYNC_SSL_OPENSSL` Specifies the openssl executable to run when the
connection type is set to openssl. If unspecified, the $PATH is searched
for "openssl".
# CAVEATS
Note that using an stunnel connection requires at least version 4 of stunnel,
which should be the case on modern systems.
0. `RSYNC_SSL_STUNNEL` Specifies the stunnel executable to run when the
connection type is set to stunnel. If unspecified, the $PATH is searched
first for "stunnel4" and then for "stunnel".
# EXAMPLES
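Review bot: this hunk both moves the `RSYNC_SSL_STUNNEL` entry below `RSYNC_SSL_OPENSSL` and deletes the CAVEATS section, which reappears with new wording in the following hunk; combining a move with a content change makes the diff harder to review than it needs to be. Suggest splitting the relocation of CAVEATS from the added text about missing verification, or at least noting the move in the commit message. The reordering of the two executable entries is fine and matches the new search priority.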
@@ -63,6 +58,14 @@ which should be the case on modern systems.
**rsync**(1), **rsyncd.conf**(5)
# CAVEATS
Note that using an stunnel connection requires at least version 4 of stunnel,
which should be the case on modern systems. Also, it does not verify a
connection against the CA certificate collection, so it only encrypts the
connection without any cert validation unless you have specified the
certificate environment options.
# BUGS
Please report bugs! See the web site at <http://rsync.samba.org/>.
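Review bot: "unless you have specified the certificate environment options" is vague about which variable restores verification; since `RSYNC_SSL_CA_CERT` is the one documented above as validating the connection, name it here. It would also help to state the consequence plainly, e.g. "an encrypted but unverified connection does not authenticate the server", so readers understand why the script now prefers openssl.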