DRLM STUNNEL

DRLM stunnel server daemon. Used to secure the rsync transport over TLS. This is the new default, so all backups/restores will be encripted in tansport.

Configuration

pid = /var/run/stunnel.pid
foreground = yes
debug = debug
output = /var/log/drlm/drlm-stunnel.log
TIMEOUTclose = 1
verify = 1
options = NO_SSLv3
sslVersionMin = TLSv1.2
sslVersionMax = TLSv1.3
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[rsync]
accept = 0.0.0.0:874
connect = 0.0.0.0:873
CApath = /etc/drlm/cert
cert = /etc/drlm/cert/drlm.crt
key = /etc/drlm/cert/drlm.key
client = no

Management

Start DRLM STUNNEL

~# systemctl start drlm-stunnel.service

Restart DRLM RSYNCD

~# systemctl restart drlm-stunnel.service

Stop DRLM RSYNCD

~# systemctl stop drlm-stunnel.service

Log File

The log file for DRLM STUNNEL can be found at /var/log/drlm/drlm-stunnel.log

example:

root@drlmsrv:~# cat /var/log/drlm/drlm-stunnel.log
2024.08.29 06:09:13 LOG7[5]: TLS state (accept): SSLv3/TLS read client hello
2024.08.29 06:09:13 LOG7[5]: TLS state (accept): SSLv3/TLS write server hello
2024.08.29 06:09:13 LOG7[5]: TLS state (accept): SSLv3/TLS write change cipher spec
2024.08.29 06:09:13 LOG7[5]: TLS state (accept): TLSv1.3 write encrypted extensions
2024.08.29 06:09:13 LOG7[5]: TLS state (accept): SSLv3/TLS write certificate request
2024.08.29 06:09:13 LOG7[5]: TLS state (accept): SSLv3/TLS write certificate
2024.08.29 06:09:13 LOG7[5]: TLS state (accept): TLSv1.3 write server certificate verify
2024.08.29 06:09:13 LOG7[5]: TLS state (accept): SSLv3/TLS write finished
2024.08.29 06:09:13 LOG7[5]: TLS state (accept): TLSv1.3 early data
2024.08.29 06:09:13 LOG7[5]: TLS state (accept): TLSv1.3 early data
2024.08.29 06:09:13 LOG7[5]: TLS state (accept): SSLv3/TLS read client certificate
2024.08.29 06:09:13 LOG7[5]: TLS state (accept): SSLv3/TLS read finished
2024.08.29 06:09:13 LOG7[5]:      6 server accept(s) requested
2024.08.29 06:09:13 LOG7[5]:      6 server accept(s) succeeded
2024.08.29 06:09:13 LOG7[5]:      0 server renegotiation(s) requested
2024.08.29 06:09:13 LOG7[5]:      0 session reuse(s)
2024.08.29 06:09:13 LOG7[5]:      5 internal session cache item(s)
2024.08.29 06:09:13 LOG7[5]:      0 internal session cache fill-up(s)
2024.08.29 06:09:13 LOG7[5]:      0 internal session cache miss(es)
2024.08.29 06:09:13 LOG7[5]:      0 external session cache hit(s)
2024.08.29 06:09:13 LOG7[5]:      0 expired session(s) retrieved
2024.08.29 06:09:13 LOG7[5]: Generate session ticket callback
2024.08.29 06:09:13 LOG7[5]: Initializing application specific data for session authenticated
2024.08.29 06:09:13 LOG7[5]: Deallocating application specific data for session connect address
2024.08.29 06:09:13 LOG7[5]: New session callback
2024.08.29 06:09:13 LOG6[5]: No peer certificate received
2024.08.29 06:09:13 LOG6[5]: Session id: 6BC58C768B7DA65289449588CA1F06DA2A42B2F5402B8FB99102FE104678670D
2024.08.29 06:09:13 LOG7[5]: TLS state (accept): SSLv3/TLS write session ticket
2024.08.29 06:09:13 LOG7[5]: Initializing application specific data for session authenticated
2024.08.29 06:09:13 LOG7[5]: Deallocating application specific data for session connect address
2024.08.29 06:09:13 LOG7[5]: Generate session ticket callback
2024.08.29 06:09:13 LOG7[5]: Initializing application specific data for session authenticated
2024.08.29 06:09:13 LOG7[5]: Deallocating application specific data for session connect address
2024.08.29 06:09:13 LOG7[5]: New session callback
2024.08.29 06:09:13 LOG6[5]: No peer certificate received
2024.08.29 06:09:13 LOG6[5]: Session id: 9EC5C4AFF88455624198DE99B614F3738DD2DCFFAC52CA63833FF4201DFA9E0F
2024.08.29 06:09:13 LOG7[5]: TLS state (accept): SSLv3/TLS write session ticket
2024.08.29 06:09:13 LOG6[5]: TLS accepted: new session negotiated
2024.08.29 06:09:13 LOG6[5]: TLSv1.3 ciphersuite: TLS_AES_256_GCM_SHA384 (256-bit encryption)
2024.08.29 06:09:13 LOG6[5]: Peer temporary key: X25519, 253 bits
2024.08.29 06:09:13 LOG7[5]: Compression: null, expansion: null
2024.08.29 06:09:13 LOG6[5]: s_connect: connecting 0.0.0.0:873
2024.08.29 06:09:13 LOG7[5]: s_connect: s_poll_wait 0.0.0.0:873: waiting 10 seconds
2024.08.29 06:09:13 LOG7[5]: FD=6 events=0x2001 revents=0x0
2024.08.29 06:09:13 LOG7[5]: FD=11 events=0x2005 revents=0x1
2024.08.29 06:09:13 LOG5[5]: s_connect: connected 0.0.0.0:873
2024.08.29 06:09:13 LOG6[5]: persistence: 0.0.0.0:873 cached
2024.08.29 06:09:13 LOG5[5]: Service [rsync] connected remote server from 127.0.0.1:45440
...
...
...