
It looks like rsync-ssl can silently connect without verifying the server cert

Open dseomn opened this issue 4 years ago • 1 comment

If I'm reading the below two blocks of code correctly, it looks like with the default options, if openssl can't be found but stunnel can, rsync-ssl will connect to the remote server without verifying the certificate. Is that correct? I'm guessing openssl is much more likely to be installed than stunnel, so that probably doesn't happen in many cases, but it still seems like poor security to connect without verification when the user didn't explicitly request that.

https://github.com/WayneD/rsync/blob/592c6bc3e5e93f36c2fdc0a491a9fb43a41cf688/rsync-ssl#L34
https://github.com/WayneD/rsync/blob/592c6bc3e5e93f36c2fdc0a491a9fb43a41cf688/rsync-ssl#L87-L91

dseomn · Sep 11 '21 23:09

Just from skimming the stunnel manpage, would it work to do CApath = /etc/ssl/certs?

dseomn · Sep 11 '21 23:09
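For reference, here is what the difference between an unverified and a verified stunnel client looks like when stunnel is driven directly. This is an added illustration, not the configuration rsync-ssl itself writes and not code from the rsync project; the hostname `rsync.example.org`, the local listener port and the CApath are assumptions, and the option names (`verifyChain`, `CApath`, `checkHost`) are stunnel 5.x options.

```ini
; Constructed example: stunnel client config for reaching an rsync daemon over TLS.
; Port 874 is the conventional rsync-over-TLS port; 10873 is an arbitrary local listener.

; --- Weak: no verify* option at all. stunnel completes the TLS handshake
; without checking the server certificate chain, so any certificate is accepted.
[rsync-unverified]
client = yes
accept = 127.0.0.1:10873
connect = rsync.example.org:874

; --- Corrected: require a chain that validates against the system CA store
; and require the certificate to be issued for the host we intend to reach.
[rsync-verified]
client = yes
accept = 127.0.0.1:10873
connect = rsync.example.org:874
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = rsync.example.org
```

`CApath` alone only tells stunnel where trusted CAs live; without `verifyChain = yes` (or the older `verify = 2`) the chain is not checked, and without `checkHost` a valid certificate for any other name would still be accepted.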