rsync-ssl: add socat transport #981
Open
steadytao wants to merge 4 commits into
steadytao (Member, Author): Overlooked BSD. Pushing a fix shortly for CI fails.
Fixes #869 by adding `socat` as an `rsync-ssl` transport. `rsync-ssl` currently supports `openssl s_client`, `gnutls-cli` and `stunnel`. The failure reported in #869 points at the `openssl s_client` path breaking as a transport with OpenSSL 3.6.2, while the investigation in the issue found that `stunnel` and `socat` avoid the failure mode. The linked OpenSSL issue, openssl/openssl#30925, still appears to be the upstream place for the `s_client` regression, so this keeps the existing OpenSSL path for compatibility rather than trying to work around that buffering behaviour inside rsync.

This adds `--type=socat` and `RSYNC_SSL_SOCAT`. The socat transport uses:

- `OPENSSL:host:port`
- `commonname=host`
- `snihost=host` for host names
- `no-sni=1` for IP literals
- `verify=1` when `RSYNC_SSL_CA_CERT` is unset
- `verify=0` when `RSYNC_SSL_CA_CERT` is set to an empty value
- `cafile=...` when `RSYNC_SSL_CA_CERT` is set to a path
- `cert=...` and `key=...` for client certificate configuration

The automatic helper search still prefers `openssl` first, preserving the existing default for users who have OpenSSL installed. If OpenSSL is unavailable, it now tries `socat` before `stunnel`. That fallback order is deliberate; in this script, stunnel cannot use the default CA certificate collection while socat can still perform verification without requiring an explicit CA file.

The new testsuite coverage uses fake helper binaries to verify the wrapper/helper contract without requiring a live TLS daemon. It covers explicit `--type=socat`, socat command construction, SNI handling, CA/cert/key options, disabled verification, OpenSSL-first default selection and socat fallback when OpenSSL is absent.
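The option-construction rules and the helper fallback order described above, written out as a small POSIX shell script. This is an added illustration, not the rsync-ssl script or the code in this PR. It assumes the client certificate and key come from variables named `RSYNC_SSL_CERT` and `RSYNC_SSL_KEY`, that an explicit `verify=1` is emitted alongside `cafile=` (the description lists `cafile=` but not its `verify` pairing), that a host containing a colon or only digits and dots is an IP literal, and uses port 874 and `example.com` / `192.0.2.10` as constructed sample values.

```shell
#!/bin/sh
# Added example, not the rsync-ssl script itself: builds the socat OPENSSL:
# address from the rules in the PR description and picks a helper in the
# openssl > socat > stunnel order. Assumptions: client cert/key come from
# RSYNC_SSL_CERT / RSYNC_SSL_KEY, and an explicit verify=1 accompanies cafile=.

# is_ip_literal HOST: succeed for an IPv6 address (contains a colon) or a
# dotted IPv4 address (digits and dots only); anything else is a host name.
is_ip_literal() {
    case "$1" in
        *:*) return 0 ;;          # IPv6 literal
        *[!0-9.]*) return 1 ;;    # letters or other characters: a host name
        *) return 0 ;;            # digits and dots only: IPv4 literal
    esac
}

# socat_address HOST PORT: print the OPENSSL: address socat would be given,
# honouring RSYNC_SSL_CA_CERT (unset / empty / path) and the assumed
# RSYNC_SSL_CERT / RSYNC_SSL_KEY variables.
socat_address() {
    host=$1
    port=$2
    addr="OPENSSL:$host:$port,commonname=$host"

    # SNI carries a DNS name only; for an IP literal switch it off explicitly
    # instead of sending the address as a server name.
    if is_ip_literal "$host"; then
        addr="$addr,no-sni=1"
    else
        addr="$addr,snihost=$host"
    fi

    # Verification policy keyed on RSYNC_SSL_CA_CERT being unset, empty, or a path.
    if [ -z "${RSYNC_SSL_CA_CERT+set}" ]; then
        addr="$addr,verify=1"                 # unset: verify against the default CA store
    elif [ -z "$RSYNC_SSL_CA_CERT" ]; then
        addr="$addr,verify=0"                 # empty: verification disabled on purpose
    else
        addr="$addr,verify=1,cafile=$RSYNC_SSL_CA_CERT"   # path: pin this CA bundle
    fi

    # Optional client certificate for mutual TLS (assumed variable names).
    [ -n "${RSYNC_SSL_CERT:-}" ] && addr="$addr,cert=$RSYNC_SSL_CERT"
    [ -n "${RSYNC_SSL_KEY:-}" ] && addr="$addr,key=$RSYNC_SSL_KEY"

    printf '%s\n' "$addr"
}

# socat_command HOST PORT: the helper command line, with stdin/stdout ('-')
# bridged to the TLS connection.
socat_command() {
    printf 'socat - %s\n' "$(socat_address "$1" "$2")"
}

# pick_helper NAME...: given the helper binaries that are available, print the
# first one in the preference order openssl, socat, stunnel; fail if none match.
pick_helper() {
    avail=" $* "
    for h in openssl socat stunnel; do
        case "$avail" in
            *" $h "*) printf '%s\n' "$h"; return 0 ;;
        esac
    done
    return 1
}

# Demo with constructed values (874 is the usual rsync-over-TLS port).
unset RSYNC_SSL_CA_CERT RSYNC_SSL_CERT RSYNC_SSL_KEY
socat_command example.com 874
( RSYNC_SSL_CA_CERT=; socat_command 192.0.2.10 874 )
( RSYNC_SSL_CA_CERT=/tmp/ca.pem; RSYNC_SSL_CERT=/tmp/client.pem; RSYNC_SSL_KEY=/tmp/client.key
  socat_command example.com 874 )
pick_helper socat stunnel
```

The point worth checking in a wrapper like this is the unset-versus-empty distinction: an absent `RSYNC_SSL_CA_CERT` still yields `verify=1`, so verification is only disabled when the user deliberately sets the variable to an empty value.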