Have SSL on our rsync communications with mirrors (#11152) · Issues · tails / sysadmin

Have SSL on our rsync communications with mirrors

Originally created by @sajolida on #11152 (Redmine)

The days of unauthenticated, cleartext communication on Internet are over. Currently the communication between our primary rsync server and all our mirrors is cleartext and unauthenticated. We should use TLS.

The Puppet code that manages our primary rsync server is linked from https://tails.boum.org/contribute/working_together/roles/sysadmins/#rsync. How one can get a Let’s Encrypt certificate for rsyncd is left to be researched. Once we support TLS on our side, we need to have all mirror operators adjust their cronjob to have their rsync client use TLS.

We could do something like:

$ cat /etc/xinetd.d/rsync-syncproxy-ssl
service rsync-ssl
{
        bind            = W.X.Y.Z
        type            = UNLISTED
        port            = 1873
        id              = rsync-syncproxy-ssl

        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/bin/stunnel4
        server_args     = /etc/rsyncd-syncproxy-stunnel.conf
        nice            = 10
        instances       = 200
        per_source      = 3
        cps             = 0 0
}

$ cat /etc/rsyncd-syncproxy-stunnel.conf
cert = /etc/ssl/OUR_CERTIFICATE_CHAIN
key = /etc/ssl/OUR_KEY

debug = notice

client = no
socket = a:SO_LINGER=1:60
socket = a:SO_KEEPALIVE=1

exec = /usr/bin/rsync
execargs = rsync --daemon --config=/etc/rsyncd-syncproxy.conf

Related issues

Related to tails#8437 (closed)
Blocked by tails#15162 (closed)

_Originally created by @sajolida on [#11152 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/11152)_

The days of unauthenticated, cleartext communication on Internet are
over. Currently the communication between our primary rsync server and
all our mirrors is cleartext and unauthenticated. We should use TLS.

The Puppet code that manages our primary rsync server is linked from
<https://tails.boum.org/contribute/working_together/roles/sysadmins/#rsync>.
How one can get a Let’s Encrypt certificate for rsyncd is left to be
researched. Once we support TLS on our side, we need to have all mirror
operators adjust their cronjob to have their rsync client use TLS.

We could do something like:

$ cat /etc/xinetd.d/rsync-syncproxy-ssl
    service rsync-ssl
    {
            bind            = W.X.Y.Z
            type            = UNLISTED
            port            = 1873
            id              = rsync-syncproxy-ssl
    
            socket_type     = stream
            protocol        = tcp
            wait            = no
            user            = root
            server          = /usr/bin/stunnel4
            server_args     = /etc/rsyncd-syncproxy-stunnel.conf
            nice            = 10
            instances       = 200
            per_source      = 3
            cps             = 0 0
    }
    
    $ cat /etc/rsyncd-syncproxy-stunnel.conf
    cert = /etc/ssl/OUR_CERTIFICATE_CHAIN
    key = /etc/ssl/OUR_KEY
    
    debug = notice
    
    client = no
    socket = a:SO_LINGER=1:60
    socket = a:SO_KEEPALIVE=1
    
    exec = /usr/bin/rsync
    execargs = rsync --daemon --config=/etc/rsyncd-syncproxy.conf

### Related issues

- **Related to** tails/tails#8437
  - [x] **Blocked by** tails/tails#15162

Edited May 15, 2020 by sajolida

To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information