[pkg-nagios-changes] [Git][nagios-team/nagios-plugins-contrib][master] check_ssl_cert: Update to 2.58.0

Jan Wagner (@waja) gitlab at salsa.debian.org
Thu Jan 19 10:17:34 GMT 2023



Jan Wagner pushed to branch master at Debian Nagios Maintainer Group / nagios-plugins-contrib


Commits:
7206c6d3 by Jan Wagner at 2023-01-19T10:11:31+00:00
check_ssl_cert: Update to 2.58.0

- - - - -


18 changed files:

- − check_ssl_cert/check_ssl_cert_2.57.0/VERSION
- check_ssl_cert/check_ssl_cert_2.57.0/AUTHORS.md → check_ssl_cert/check_ssl_cert_2.58.0/AUTHORS.md
- check_ssl_cert/check_ssl_cert_2.57.0/CITATION.cff → check_ssl_cert/check_ssl_cert_2.58.0/CITATION.cff
- check_ssl_cert/check_ssl_cert_2.57.0/COPYING.md → check_ssl_cert/check_ssl_cert_2.58.0/COPYING.md
- check_ssl_cert/check_ssl_cert_2.57.0/COPYRIGHT.md → check_ssl_cert/check_ssl_cert_2.58.0/COPYRIGHT.md
- check_ssl_cert/check_ssl_cert_2.57.0/ChangeLog → check_ssl_cert/check_ssl_cert_2.58.0/ChangeLog
- check_ssl_cert/check_ssl_cert_2.57.0/GNUmakefile → check_ssl_cert/check_ssl_cert_2.58.0/GNUmakefile
- check_ssl_cert/check_ssl_cert_2.57.0/INSTALL.md → check_ssl_cert/check_ssl_cert_2.58.0/INSTALL.md
- check_ssl_cert/check_ssl_cert_2.57.0/Makefile → check_ssl_cert/check_ssl_cert_2.58.0/Makefile
- check_ssl_cert/check_ssl_cert_2.57.0/NEWS.md → check_ssl_cert/check_ssl_cert_2.58.0/NEWS.md
- check_ssl_cert/check_ssl_cert_2.57.0/README.md → check_ssl_cert/check_ssl_cert_2.58.0/README.md
- + check_ssl_cert/check_ssl_cert_2.58.0/VERSION
- check_ssl_cert/check_ssl_cert_2.57.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_2.58.0/check_ssl_cert
- check_ssl_cert/check_ssl_cert_2.57.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_2.58.0/check_ssl_cert.1
- check_ssl_cert/check_ssl_cert_2.57.0/check_ssl_cert.completion → check_ssl_cert/check_ssl_cert_2.58.0/check_ssl_cert.completion
- check_ssl_cert/check_ssl_cert_2.57.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_2.58.0/check_ssl_cert.spec
- check_ssl_cert/control
- check_ssl_cert/src


Changes:

=====================================
check_ssl_cert/check_ssl_cert_2.57.0/VERSION deleted
=====================================
@@ -1 +0,0 @@
-2.57.0


=====================================
check_ssl_cert/check_ssl_cert_2.57.0/AUTHORS.md → check_ssl_cert/check_ssl_cert_2.58.0/AUTHORS.md
=====================================
@@ -115,7 +115,8 @@ Maintainer: [Matteo Corti](https://github.com/matteocorti) <[matteo at corti.li](ma
 * Many thanks to [Christoph Moench-Tegeder](https://github.com/moench-tegeder) for the [OpenSSL](https://www.openssl.org) version patch
 * Many thanks to [waja](https://github.com/waja) for
   * the [GitHub](https://www.github.com) workflows and
-  * the chain checks with STARTTLS
+  * the chain checks with STARTTLS and
+  * the trailing backslash patch
 * Many thanks to [Tobias Grünewald](https://github.com/tobias-gruenewald) for the client certificate patch
 * Many thanks to [chornberger-c2c](https://github.com/chornberger-c2c) for the critical and warning output fix
 * Many thanks to [Claus-Theodor Riegg](https://github.com/ctriegg-mak) for


=====================================
check_ssl_cert/check_ssl_cert_2.57.0/CITATION.cff → check_ssl_cert/check_ssl_cert_2.58.0/CITATION.cff
=====================================
@@ -246,8 +246,8 @@ authors:
   given-names: "Дилян"
   website: https://github.com/dilyanpalauzov
 title: "check_ssl_cert"
-version: 2.57.0
-date-released: 2022-12-04
+version: 2.58.0
+date-released: 2023-01-16
 url: "https://github.com/matteocorti/check_ssl_cert"
 repository-code: "https://github.com/matteocorti/check_ssl_cert"
 keywords:


=====================================
check_ssl_cert/check_ssl_cert_2.57.0/COPYING.md → check_ssl_cert/check_ssl_cert_2.58.0/COPYING.md
=====================================


=====================================
check_ssl_cert/check_ssl_cert_2.57.0/COPYRIGHT.md → check_ssl_cert/check_ssl_cert_2.58.0/COPYRIGHT.md
=====================================
@@ -2,7 +2,7 @@
 # Copyright
 
 * Copyright © 2007-2013 ETH Zurich
-* Copyright © 2007-2022 Matteo Corti
+* Copyright © 2007-2023 Matteo Corti
 
 with the following individuals added to the list of contributing authors
 


=====================================
check_ssl_cert/check_ssl_cert_2.57.0/ChangeLog → check_ssl_cert/check_ssl_cert_2.58.0/ChangeLog
=====================================
@@ -1,3 +1,12 @@
+2023-01-16  Matteo Corti  <matteo at corti.li>
+
+        * check_ssl_cert: Added an option to set the security level (see help)
+        * check_ssl_cert (fetch_certificate): better error handling
+
+2023-01-05  Matteo Corti  <matteo at corti.li>
+
+        * check_ssl_cert (usage): Added an option to ignore header problems with --all and --all-local
+
 2022-11-30  Marcel Burkhalter <marcel.burkhalter at weareplanet.com>
 
         * check_ssl_cert (main): Add command line argument to set the PATH variable
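Review bot: the 2023-01-05 entry describes "an option to ignore header problems with --all and --all-local" without naming it; the option is `--ignore-http-headers` (as NEWS.md and the usage text say), and the ChangeLog is what people grep when a flag turns up in a Nagios command definition. The 2023-01-16 entry likewise says "see help" where `--security-level` would do.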


=====================================
check_ssl_cert/check_ssl_cert_2.57.0/GNUmakefile → check_ssl_cert/check_ssl_cert_2.58.0/GNUmakefile
=====================================


=====================================
check_ssl_cert/check_ssl_cert_2.57.0/INSTALL.md → check_ssl_cert/check_ssl_cert_2.58.0/INSTALL.md
=====================================


=====================================
check_ssl_cert/check_ssl_cert_2.57.0/Makefile → check_ssl_cert/check_ssl_cert_2.58.0/Makefile
=====================================


=====================================
check_ssl_cert/check_ssl_cert_2.57.0/NEWS.md → check_ssl_cert/check_ssl_cert_2.58.0/NEWS.md
=====================================
@@ -1,5 +1,8 @@
 # News
 
+* 2023-01-16 Version 2.58.0
+  * Added the option ```--security-level```
+  * Added an option to ignore header problems with --all and --all-local (```--ignore-http-headers```)
 * 2022-12-04 Version 2.57.0
   * Support for DNS over TLS
 * 2022-11-30 Version 2.56.0
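Review bot: the two new bullets format options inconsistently: `--security-level` and `--ignore-http-headers` are wrapped in triple backticks while `--all` and `--all-local` on the same line are bare. Use single backticks for all four; triple backticks are the fence syntax and look odd inline.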


=====================================
check_ssl_cert/check_ssl_cert_2.57.0/README.md → check_ssl_cert/check_ssl_cert_2.58.0/README.md
=====================================
@@ -1,7 +1,7 @@
 # check\_ssl\_cert
 
  © Matteo Corti, ETH Zurich, 2007-2012.
- © Matteo Corti, 2007-2022.
+ © Matteo Corti, 2007-2023.
 
  see [AUTHORS.md](AUTHORS.md) for the complete list of contributors
 
@@ -122,6 +122,8 @@ Options:
       --ignore-connection-problems [state] In case of connection problems
                                    returns OK or the optional state
       --ignore-exp                 Ignore expiration date
+      --ignore-http-headers        Ignore checks on HTTP headers with --all
+                                   and --all-local
       --ignore-host-cn             Do not complain if the CN does not match
                                    the host name
       --ignore-incomplete-chain    Do not check chain integrity
@@ -234,6 +236,9 @@ Options:
                                    certificate validation
       --rsa                        Signature algorithm selection: force RSA
                                    certificate
+      --security-level number      Set the security level to specified value
+                                   See SSL_CTX_set_security_level(3) for a
+                                   description of what each level means
    -s,--selfsigned                 Allow self-signed certificates
       --serial serialnum           Pattern to match the serial number
       --skip-element number        Skip checks on the Nth cert element (can
@@ -319,6 +324,7 @@ Deprecated options:
                                    (see: --ssl2 or --ssl3)
 
 Report bugs to https://github.com/matteocorti/check_ssl_cert/issues
+
 ```
 
 ## Configuration


=====================================
check_ssl_cert/check_ssl_cert_2.58.0/VERSION
=====================================
@@ -0,0 +1 @@
+2.58.0


=====================================
check_ssl_cert/check_ssl_cert_2.57.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_2.58.0/check_ssl_cert
=====================================
@@ -10,7 +10,7 @@
 # See the INSTALL.md file for installation instructions
 #
 # Copyright (c) 2007-2012 ETH Zurich.
-# Copyright (c) 2007-2022 Matteo Corti <matteo at corti.li>
+# Copyright (c) 2007-2023 Matteo Corti <matteo at corti.li>
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -31,7 +31,7 @@
 ################################################################################
 # Constants
 
-VERSION=2.57.0
+VERSION=2.58.0
 SHORTNAME="SSL_CERT"
 
 VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,modulus,serial,hash,email,ocsp_uri,fingerprint,"
@@ -79,7 +79,7 @@ SCALE=""
 add_required_header() {
     header=$1
     debuglog "Adding ${header} to the list of required HTTP headers: ${REQUIRED_HTTP_HEADERS}"
-    if [ -z "${REQUIRED_HTTP_HEADERS}" ] ; then
+    if [ -z "${REQUIRED_HTTP_HEADERS}" ]; then
         REQUIRED_HTTP_HEADERS="${header}"
     else
         REQUIRED_HTTP_HEADERS="${REQUIRED_HTTP_HEADERS},${header}"
@@ -93,19 +93,18 @@ add_required_header() {
 add_unrequired_header() {
     header=$1
     debuglog "Adding ${header} to the list of unrequired HTTP headers: ${UNREQUIRED_HTTP_HEADERS}"
-    if [ -z "${UNREQUIRED_HTTP_HEADERS}" ] ; then
+    if [ -z "${UNREQUIRED_HTTP_HEADERS}" ]; then
         UNREQUIRED_HTTP_HEADERS="${header}"
     else
         UNREQUIRED_HTTP_HEADERS="${UNREQUIRED_HTTP_HEADERS},${header}"
     fi
 }
 
-
 CACHED_HEADERS=
 
 fetch_http_headers() {
 
-    if [ -z "${CACHED_HEADERS}" ] ; then
+    if [ -z "${CACHED_HEADERS}" ]; then
 
         debuglog "Fetching headers"
 
@@ -113,7 +112,7 @@ fetch_http_headers() {
         CACHED_HEADERS=${TEMPFILE}
 
         CURL_RESOLVE=''
-        if [ -n "${RESOLVE}" ] ; then
+        if [ -n "${RESOLVE}" ]; then
             CURL_RESOLVE="--resolve ${HOST}:${PORT}:${RESOLVE}"
         fi
 
@@ -127,18 +126,18 @@ fetch_http_headers() {
         exec_with_timeout "${CURL_BIN} ${CURL_PROXY} ${CURL_RESOLVE} ${CURL_PROXY_ARGUMENT} ${INETPROTO} -k -s -D- -A '${HTTP_USER_AGENT}' -o /dev/null -L https://${HOST}${path}" "${CACHED_HEADERS}"
         RET=$?
 
-        if [ "${RET}" -ne 0 ] ; then
+        if [ "${RET}" -ne 0 ]; then
             debuglog "Cannot retrieve HTTP headers (curl error code: ${RET})"
             prepend_critical_message "Cannot retrieve HTTP headers"
         fi
 
         if [ "${DEBUG}" -gt 1 ]; then
-            ESCAPED_PATH=$( echo "${path}" | sed 's/\//\\\//g' )
+            ESCAPED_PATH=$(echo "${path}" | sed 's/\//\\\//g')
             # there might be empty lines
             "${GREP_BIN}" '[[:alpha:]]' "${CACHED_HEADERS}" | sed "s/^/[DBG]   HTTP headers for https:\\/\\/${HOST}${ESCAPED_PATH}: /" 1>&2
         fi
 
-        if [ -n "${DEBUG_HEADERS}" ] ; then
+        if [ -n "${DEBUG_HEADERS}" ]; then
             cp "${CACHED_HEADERS}" headers.txt
         fi
 
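Review bot: the curl command visible in this hunk fetches the headers with `-k` and `-L`, so certificate verification is off and redirects are followed; the headers checked by --all / --all-local may therefore come from a different host than the one whose certificate was just verified, and from a TLS peer that was not verified at all. If that is intentional (the certificate is validated by the s_client path), a comment saying so would help the next reader; otherwise consider `--max-redirs 0` or reporting the final URL the headers were taken from.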
@@ -155,11 +154,11 @@ check_required_http_header() {
 
     debuglog "Checking required header '${header}' with path '${path}'"
 
-    if ! "${GREP_BIN}" -q -i "^${header}:" "${CACHED_HEADERS}" ; then
+    if ! "${GREP_BIN}" -q -i "^${header}:" "${CACHED_HEADERS}"; then
         debuglog "Required header '${header}' not found"
         prepend_critical_message "HTTP header '${header}' is not supported"
     else
-        HEADER_VALUE=$( "${GREP_BIN}" -i "^${header}:" "${CACHED_HEADERS}" | sed 's/[^:]*: //' | tr -d '\n' | tr -d '\r' )
+        HEADER_VALUE=$("${GREP_BIN}" -i "^${header}:" "${CACHED_HEADERS}" | sed 's/[^:]*: //' | tr -d '\n' | tr -d '\r')
         debuglog "Required header '${header}' found (${HEADER_VALUE})"
         verboselog "Required header '${header}' is supported  (${HEADER_VALUE})"
     fi
@@ -175,8 +174,8 @@ check_unrequired_http_header() {
 
     debuglog "Checking unrequired header '${header}' with path '${path}'"
 
-    if "${GREP_BIN}" -q -i "^${header}:" "${CACHED_HEADERS}" ; then
-        HEADER_VALUE=$( "${GREP_BIN}" -i "^${header}:" "${CACHED_HEADERS}" | sed 's/[^:]*: //' | tr -d '\n' | tr -d '\r' )
+    if "${GREP_BIN}" -q -i "^${header}:" "${CACHED_HEADERS}"; then
+        HEADER_VALUE=$("${GREP_BIN}" -i "^${header}:" "${CACHED_HEADERS}" | sed 's/[^:]*: //' | tr -d '\n' | tr -d '\r')
         debuglog "Unwanted header '${header}' found (${HEADER_VALUE})"
         prepend_critical_message "HTTP header '${header}' is supported (${HEADER_VALUE})"
     else
@@ -324,6 +323,8 @@ usage() {
     echo "      --ignore-connection-problems [state] In case of connection problems"
     echo "                                   returns OK or the optional state"
     echo "      --ignore-exp                 Ignore expiration date"
+    echo "      --ignore-http-headers        Ignore checks on HTTP headers with --all"
+    echo "                                   and --all-local"
     echo "      --ignore-host-cn             Do not complain if the CN does not match"
     echo "                                   the host name"
     echo "      --ignore-incomplete-chain    Do not check chain integrity"
@@ -446,6 +447,9 @@ usage() {
     echo "      --rsa                        Signature algorithm selection: force RSA"
     echo "                                   certificate"
     # Delimiter at 78 chars ############################################################
+    echo "      --security-level number      Set the security level to specified value"
+    echo "                                   See SSL_CTX_set_security_level(3) for a"
+    echo "                                   description of what each level means"
     echo "   -s,--selfsigned                 Allow self-signed certificates"
     echo "      --serial serialnum           Pattern to match the serial number"
     echo "      --skip-element number        Skip checks on the Nth cert element (can"
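Review bot: the help text for `--security-level number` delegates entirely to SSL_CTX_set_security_level(3) but should at least state the accepted range (0 to 5 in that man page), what happens when the argument is not an integer, and that the option requires an OpenSSL build with security levels (1.1.0 and later); a monitoring user reading `--help` should not need the library man page to learn the valid values. The README copy of the same text has the same gap.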
@@ -716,7 +720,7 @@ remove_temporary_files() {
     debuglog "cleaning up temporary files"
     # shellcheck disable=SC2086
     if [ -n "${TEMPORARY_FILES}" ]; then
-        TEMPORARY_FILES_TMP="$(echo "${TEMPORARY_FILES}" | tr '\ ' '\n')"
+        TEMPORARY_FILES_TMP="$(echo "${TEMPORARY_FILES}" | tr '\s' '\n')"
         debuglog "${TEMPORARY_FILES_TMP}"
         rm -f ${TEMPORARY_FILES}
     fi
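Review bot: the new `tr '\s' '\n'` in remove_temporary_files does not split on whitespace: tr has no `\s` escape (only `\\`, `\a`, `\b`, `\f`, `\n`, `\r`, `\t`, `\v` and octal), and GNU tr drops the backslash from an unknown escape, so this translates the letter `s` to a newline and leaves spaces alone. The old `'\ '` happened to work for the same reason (it reduced to a plain space). Because the result only feeds debuglog, the actual cleanup (`rm -f ${TEMPORARY_FILES}`) is unaffected, but the debug listing is garbled for any path containing an `s`; use `tr ' ' '\n'`.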
@@ -1013,7 +1017,7 @@ prepend_critical_message() {
                 tmp=" ${SNI}"
             elif [ -n "${FILE_URI}" ]; then
                 tmp=" ${FILE_URI}"
-            elif [ -n "${FILE}" ] && [ "${HOST}" = 'localhost' ] ; then
+            elif [ -n "${FILE}" ] && [ "${HOST}" = 'localhost' ]; then
                 tmp=" ${FILE}"
             else
                 tmp=" ${HOST_NAME}"
@@ -1333,7 +1337,7 @@ compare() {
 # Returns the result
 compute() {
     expression="$1"
-    if [ -n "$2" ] ; then
+    if [ -n "$2" ]; then
         # custom scale
         local_scale=$2
     else
@@ -1412,7 +1416,6 @@ check_x509_option() {
     return $?
 }
 
-
 ################################################################################
 # Extract specific field from a subject
 # $1 field
@@ -1436,7 +1439,7 @@ parse_subject() {
         # old format
         debuglog "  old format separated by /"
 
-        if echo "${SUBJECT}" | "${GREP_BIN}" -q "${FIELD}=" ; then
+        if echo "${SUBJECT}" | "${GREP_BIN}" -q "${FIELD}="; then
             echo "${SUBJECT}" | sed -e "s/.*\\/${FIELD}=//" -e 's/\/.*//'
         fi
 
@@ -1445,7 +1448,7 @@ parse_subject() {
         # new format
         debuglog "  new format separated by ,"
 
-        if echo "${SUBJECT}" | "${GREP_BIN}" -q "${FIELD}[ ]*=" ; then
+        if echo "${SUBJECT}" | "${GREP_BIN}" -q "${FIELD}[ ]*="; then
 
             if echo "${SUBJECT}" | "${GREP_BIN}" -q "${FIELD}[ ]*=[ ]*\""; then
                 # quotes
@@ -1463,7 +1466,6 @@ parse_subject() {
 
 }
 
-
 ################################################################################
 # Extract specific attributes from a certificate
 # $1 attribute name
@@ -1569,9 +1571,9 @@ extract_cert_attribute() {
         #
         #  see https://security.stackexchange.com/questions/141661/whats-the-difference-between-public-key-algorithm-and-signature-algorithm-i
 
-        ALGORITHM=$( echo "${cert_content}" | "${OPENSSL}" "${OPENSSL_COMMAND}" -noout ${OPENSSL_PARAMS} -text | "${GREP_BIN}" -m 1 -F 'Public Key Algorithm' | sed -e 's/.*: //')
+        ALGORITHM=$(echo "${cert_content}" | "${OPENSSL}" "${OPENSSL_COMMAND}" -noout ${OPENSSL_PARAMS} -text | "${GREP_BIN}" -m 1 -F 'Public Key Algorithm' | sed -e 's/.*: //')
 
-        PUBLIC_KEY=$( echo "${cert_content}" | "${OPENSSL}" "${OPENSSL_COMMAND}" -noout ${OPENSSL_PARAMS} -text | "${GREP_BIN}" -m 1 -F 'Public-Key' | sed 's/.*: //' )
+        PUBLIC_KEY=$(echo "${cert_content}" | "${OPENSSL}" "${OPENSSL_COMMAND}" -noout ${OPENSSL_PARAMS} -text | "${GREP_BIN}" -m 1 -F 'Public-Key' | sed 's/.*: //')
 
         echo "${ALGORITHM} ${PUBLIC_KEY}"
         ;;
@@ -1595,15 +1597,15 @@ extract_cert_attribute() {
             sed -e 's/^ *//'
         ;;
     keyUsage)
-        KEY_USAGE_TMP=$( echo "${cert_content}" | "${OPENSSL}" x509 -noout -ext keyUsage 2>&1 )
-        if echo "${KEY_USAGE_TMP}" | "${GREP_BIN}" -q 'No extensions in certificate' ; then
+        KEY_USAGE_TMP=$(echo "${cert_content}" | "${OPENSSL}" x509 -noout -ext keyUsage 2>&1)
+        if echo "${KEY_USAGE_TMP}" | "${GREP_BIN}" -q 'No extensions in certificate'; then
             echo
         else
 
-            if echo "${KEY_USAGE_TMP}" | "${GREP_BIN}" -q critical ; then
+            if echo "${KEY_USAGE_TMP}" | "${GREP_BIN}" -q critical; then
                 PURPOSE_CRITICAL=1
             fi
-            PURPOSE=$( echo "${KEY_USAGE_TMP}" | tail -n 1 | sed 's/^[[:blank:]]*//')
+            PURPOSE=$(echo "${KEY_USAGE_TMP}" | tail -n 1 | sed 's/^[[:blank:]]*//')
             echo "${PURPOSE}"
 
         fi
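Review bot: `openssl x509 -ext keyUsage` exists only in OpenSSL 1.1.1 and later; on an older build the option error goes to stderr, is merged by `2>&1`, does not match 'No extensions in certificate', and its last line is then emitted as PURPOSE. Either gate this on the OpenSSL version or check `${KEY_USAGE_TMP}` for the `X509v3 Key Usage` header before taking `tail -n 1`.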
@@ -1643,7 +1645,7 @@ exec_with_timeout() {
     debuglog "exec_with_timeout $1 $2 $3"
     debuglog "  TIMEOUT_REASON = ${TIMEOUT_REASON}"
 
-    if [ -n "${TIMEOUT_REASON}" ] ; then
+    if [ -n "${TIMEOUT_REASON}" ]; then
         if ! echo "${TIMEOUT_REASON}" | "${GREP_BIN}" -q '^ '; then
             # add a blank before the reason in parenthesis
             TIMEOUT_REASON=" (${TIMEOUT_REASON})"
@@ -2133,8 +2135,8 @@ check_ocsp() {
                         fi
 
                         debuglog "${OCSP_RESP}"
-                        OCSP_ERROR_MESSAGE=$( echo "${OCSP_RESP}" | head -n 1 )
-                        if [ -z "${OCSP_IGNORE_ERRORS}" ] ; then
+                        OCSP_ERROR_MESSAGE=$(echo "${OCSP_RESP}" | head -n 1)
+                        if [ -z "${OCSP_IGNORE_ERRORS}" ]; then
                             prepend_critical_message "OCSP error (${OCSP_ERROR_MESSAGE})"
                         else
                             debuglog "Ignoring OCSP error (${OCSP_ERROR_MESSAGE})"
@@ -2227,7 +2229,7 @@ check_cert_end_date() {
             fi
             debuglog "CRITICAL: certificate element ${el_number} (${element_cn}) is expired (was valid until ${ELEM_END_DATE}, ${DAYS_AGO})"
             CN_EXPIRED_TMP="${element_cn}:${replace_current_message}:${OPENSSL_COMMAND} certificate element ${el_number} (${element_cn}) is expired (was valid until ${ELEM_END_DATE}, ${DAYS_AGO})"
-            if [ -z "${CN_EXPIRED_CRITICAL}" ] ; then
+            if [ -z "${CN_EXPIRED_CRITICAL}" ]; then
                 CN_EXPIRED_CRITICAL="${CN_EXPIRED_TMP}"
             else
                 CN_EXPIRED_CRITICAL="${CN_EXPIRED_CRITICAL}
@@ -2247,7 +2249,7 @@ ${CN_EXPIRED_TMP}"
             if ! echo "${1}" | ${OPENSSL} x509 -noout -checkend "${CRITICAL_SECONDS}" >/dev/null; then
                 debuglog "CRITICAL: certificate element ${el_number} (${element_cn}) will expire in ${ELEM_DAYS_VALID} day(s) on ${ELEM_END_DATE}"
                 CN_EXPIRED_TMP="${element_cn}:${replace_current_message}:${OPENSSL_COMMAND} certificate element ${el_number} (${element_cn}) will expire in ${ELEM_DAYS_VALID} day(s) on ${ELEM_END_DATE}"
-                if [ -z "${CN_EXPIRED_CRITICAL}" ] ; then
+                if [ -z "${CN_EXPIRED_CRITICAL}" ]; then
                     CN_EXPIRED_CRITICAL="${CN_EXPIRED_TMP}"
                 else
                     CN_EXPIRED_CRITICAL="${CN_EXPIRED_CRITICAL}
@@ -2269,7 +2271,7 @@ ${CN_EXPIRED_TMP}"
             if ! echo "${1}" | ${OPENSSL} x509 -noout -checkend "${WARNING_SECONDS}" >/dev/null; then
                 debuglog "WARNING: certificate element ${el_number} (${element_cn}) will expire in ${ELEM_DAYS_VALID} day(s) on ${ELEM_END_DATE}"
                 CN_EXPIRED_TMP="${element_cn}:${replace_current_message}:${OPENSSL_COMMAND} certificate element ${el_number} (${element_cn}) will expire in ${ELEM_DAYS_VALID} day(s) on ${ELEM_END_DATE}"
-                if [ -z "${CN_EXPIRED_WARNING}" ] ; then
+                if [ -z "${CN_EXPIRED_WARNING}" ]; then
                     CN_EXPIRED_WARNING="${CN_EXPIRED_TMP}"
                 else
                     CN_EXPIRED_WARNING="${CN_EXPIRED_WARNING}
@@ -2338,7 +2340,7 @@ ${CN_EXPIRED_TMP}"
     fi
 
     # the element is valid: add to the list of valid CNs
-    if [ -z "${CN_OK}" ] ; then
+    if [ -z "${CN_OK}" ]; then
         CN_OK="${element_cn}"
     else
         CN_OK="${CN_OK}
@@ -2477,51 +2479,51 @@ fetch_certificate() {
 
         case "${PROTOCOL}" in
         pop3 | ftp)
-            exec_with_timeout "printf 'QUIT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
+            exec_with_timeout "printf 'QUIT\\n' | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
             RET=$?
             ;;
         pop3s | ftps)
-            exec_with_timeout "printf 'QUIT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
+            exec_with_timeout "printf 'QUIT\\n' | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
             RET=$?
             ;;
         smtp)
-            exec_with_timeout "printf 'QUIT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} ${S_CLIENT_NAME} 2> ${ERROR} 1> ${CERT}"
+            exec_with_timeout "printf 'QUIT\\n' | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} ${S_CLIENT_NAME} 2> ${ERROR} 1> ${CERT}"
             RET=$?
             ;;
         smtps)
-            exec_with_timeout "printf 'QUIT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION}  ${S_CLIENT_NAME} 2> ${ERROR} 1> ${CERT}"
+            exec_with_timeout "printf 'QUIT\\n' | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION}  ${S_CLIENT_NAME} 2> ${ERROR} 1> ${CERT}"
             RET=$?
             ;;
-        irc | ldap )
-            exec_with_timeout "echo | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
+        irc | ldap)
+            exec_with_timeout "echo | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
             RET=$?
             ;;
-        ircs | ldaps | dns )
-            exec_with_timeout "echo | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
+        ircs | ldaps | dns)
+            exec_with_timeout "echo | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} ${CLIENT} ${CLIENTPASS} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
             RET=$?
             ;;
         imap)
-            exec_with_timeout "printf 'A01 LOGOUT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
+            exec_with_timeout "printf 'A01 LOGOUT\\n' | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
             RET=$?
             ;;
         imaps)
-            exec_with_timeout "printf 'A01 LOGOUT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
+            exec_with_timeout "printf 'A01 LOGOUT\\n' | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
             RET=$?
             ;;
         postgres | postgresql)
-            exec_with_timeout "printf 'X\\0\\0\\0\\4' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
+            exec_with_timeout "printf 'X\\0\\0\\0\\4' | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
             RET=$?
             ;;
         sieve)
-            exec_with_timeout "echo 'LOGOUT' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
+            exec_with_timeout "echo 'LOGOUT' | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
             RET=$?
             ;;
         xmpp | xmpp-server)
-            exec_with_timeout "echo 'Q' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${XMPPHOST} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
+            exec_with_timeout "echo 'Q' | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${XMPPHOST} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
             RET=$?
             ;;
         mysql)
-            exec_with_timeout "echo | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
+            exec_with_timeout "echo | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
             RET=$?
             ;;
         *)
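Review bot: `${SECURITY_LEVEL}` is spliced unquoted into the command string that exec_with_timeout evaluates, in all twelve s_client invocations of this hunk. Nothing in the hunk validates it, and `--security-level` takes its value from the command line, so unless the option parser (not shown here) restricts the argument to a single digit 0-5, a value containing spaces or shell metacharacters becomes extra s_client arguments or shell syntax inside that string. Validate at parse time, e.g. `case "$2" in [0-5]) ;; *) unknown "invalid security level" ;; esac`, and build SECURITY_LEVEL only from the validated digit. It is also worth a sentence in the docs that at level 2 and above the handshake fails for servers still presenting keys or signatures below the threshold, which is the point of the option, but the failure then surfaces through the generic s_client error text in ${ERROR}.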
@@ -2567,11 +2569,11 @@ fetch_certificate() {
 
             debuglog "Executing ${KEYTOOLBIN} -exportcert -rfc -keystore ${FILE} -alias ${JKSALIAS} -file ${CERT} -storepass ${PASSWORD_SOURCE}"
 
-            CONVERSION_ERROR=$( "${KEYTOOLBIN}" -exportcert -rfc -keystore "${FILE}" -alias "${JKSALIAS}" -file "${CERT}" -storepass "${PASSWORD_SOURCE}" 2>&1)
+            CONVERSION_ERROR=$("${KEYTOOLBIN}" -exportcert -rfc -keystore "${FILE}" -alias "${JKSALIAS}" -file "${CERT}" -storepass "${PASSWORD_SOURCE}" 2>&1)
             RET=$?
 
             if [ "${RET}" -eq 1 ]; then
-                CONVERSION_ERROR_TMP="$( echo "${CONVERSION_ERROR}" | head -n 1)"
+                CONVERSION_ERROR_TMP="$(echo "${CONVERSION_ERROR}" | head -n 1)"
                 unknown "Error converting JKS to PEM: ${CONVERSION_ERROR_TMP}"
             fi
 
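Review bot: the debuglog line just above this hunk echoes `-storepass ${PASSWORD_SOURCE}`, so the keystore password lands in the debug output whenever --debug is on; redact it there. Passing it on the keytool command line also shows it in the process list to other local users while the export runs; keytool accepts `-storepass:env VAR` and `-storepass:file path` for exactly this case. Separately, `if [ "${RET}" -eq 1 ]` only catches one exit status; `-ne 0` would report other keytool failures instead of continuing as if the export had succeeded.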
@@ -2591,16 +2593,16 @@ fetch_certificate() {
                     debuglog "The input file is a CRL in DER format: converting to PEM"
 
                     debuglog "Executing ${OPENSSL} crl -inform der -in ${FILE} -out ${CERT} 2> /dev/null"
-                        "${OPENSSL}" crl -inform der -in "${FILE}" -out "${CERT}" 2>"${CONVERSION_ERROR}"
+                    "${OPENSSL}" crl -inform der -in "${FILE}" -out "${CERT}" 2>"${CONVERSION_ERROR}"
 
-                        if [ $? -eq 1 ]; then
-                            CONVERSION_ERROR_TMP="$(head -n 1 "${CONVERSION_ERROR}")"
-                            unknown "Error converting CRL ${FILE}: ${CONVERSION_ERROR_TMP}"
-                        fi
-
-                    else
+                    if [ $? -eq 1 ]; then
                         CONVERSION_ERROR_TMP="$(head -n 1 "${CONVERSION_ERROR}")"
-                        unknown "Error converting ${FILE}: ${CONVERSION_ERROR_TMP}"
+                        unknown "Error converting CRL ${FILE}: ${CONVERSION_ERROR_TMP}"
+                    fi
+
+                else
+                    CONVERSION_ERROR_TMP="$(head -n 1 "${CONVERSION_ERROR}")"
+                    unknown "Error converting ${FILE}: ${CONVERSION_ERROR_TMP}"
                 fi
 
             fi
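Review bot: the debuglog just above the CRL conversion still says `2> /dev/null` while the command actually runs with `2>"${CONVERSION_ERROR}"`, so the logged command does not match what is executed; since this hunk re-indents the whole block anyway, fix the message at the same time. Also, `if [ $? -eq 1 ]` only reports a failed conversion when openssl exits with exactly 1; any other non-zero status falls through silently and the script continues with an empty or partial `${CERT}`. Prefer `if ! "${OPENSSL}" crl ... ; then` (or `-ne 0`) in both the CRL and the generic `else` branch.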
@@ -2660,7 +2662,7 @@ fetch_certificate() {
             ALPN="-alpn h2"
         fi
 
-        exec_with_timeout "printf '${HTTP_REQUEST}' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf ${ALPN} -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -showcerts -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
+        exec_with_timeout "printf '${HTTP_REQUEST}' | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf ${ALPN} -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -showcerts -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
         RET=$?
 
     fi
@@ -2802,7 +2804,7 @@ fetch_certificate() {
         elif ascii_grep "Unable to load certificate file" "${ERROR}"; then
 
             # we handle TDS retried certs differently
-            if [ "${HOST}" = 'localhost' ] ; then
+            if [ "${HOST}" = 'localhost' ]; then
                 ERROR="Cannot read certificate file"
                 prepend_critical_message "${ERROR}"
                 critical "SSL_CERT_CRITICAL ${FILE}: ${ERROR}"
@@ -2818,8 +2820,20 @@ fetch_certificate() {
             prepend_critical_message "${ERROR}"
             critical "SSL_CERT_CRITICAL ${FILE}: ${ERROR}"
 
+        elif ascii_grep ":error:0A0C0103:SSL" "${ERROR}"; then
+
+            ERROR="Legacy signature algorithm unsupported or disallowed"
+            prepend_critical_message "${ERROR}"
+            critical "SSL_CERT_CRITICAL ${HOST}: ${ERROR}"
+
+        elif ascii_grep ":ssl_choose_client_version:unsupported" "${ERROR}"; then
+
+            ERROR="Unsupported TLS protocol version"
+            prepend_critical_message "${ERROR}"
+            critical "SSL_CERT_CRITICAL ${HOST}: ${ERROR}"
+
         elif ascii_grep "unexpected eof while reading" "${ERROR}" ||
-             ascii_grep "ssl handshake failure" "${ERROR}"; then
+            ascii_grep "ssl handshake failure" "${ERROR}"; then
 
             ERROR="TLS handshake error"
             prepend_critical_message "${ERROR}"
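Review bot: the two new branches match OpenSSL 3.x error text (`:error:0A0C0103:SSL` is the 3.x reason code for a disallowed or unsupported legacy signature algorithm, and `ssl_choose_client_version:unsupported` is the function-prefixed form); OpenSSL 1.1.x prints reasons in a different layout, so on those builds the same failures still fall through to the generic `TLS handshake error` branch below. A one-line comment above each `elif` naming the OpenSSL error and version it corresponds to would stop the literals from reading as magic numbers. Note also that these messages use `${HOST}` while the `Unable to load certificate file` branch above uses `${FILE}`; that is correct here, just do not copy the block without adjusting it.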
@@ -2996,7 +3010,7 @@ parse_command_line_options() {
 
         # DTLS
         --dtls)
-            if [ -n "${SSL_VERSION}" ] ; then
+            if [ -n "${SSL_VERSION}" ]; then
                 unknown "--dtls: only one protocol can be specified at the same time (${SSL_VERSION} is already specified)"
             fi
             require_s_client_option '-dtls'
@@ -3004,7 +3018,7 @@ parse_command_line_options() {
             shift
             ;;
         --dtls1)
-            if [ -n "${SSL_VERSION}" ] ; then
+            if [ -n "${SSL_VERSION}" ]; then
                 unknown "--dtls1: only one protocol can be specified at the same time (${SSL_VERSION} is already specified)"
             fi
             require_s_client_option '-dtls1'
@@ -3012,7 +3026,7 @@ parse_command_line_options() {
             shift
             ;;
         --dtls1_2)
-            if [ -n "${SSL_VERSION}" ] ; then
+            if [ -n "${SSL_VERSION}" ]; then
                 unknown "--dtls1_2: only one protocol can be specified at the same time (${SSL_VERSION} is already specified)"
             fi
             require_s_client_option '-dtls1_2'
@@ -3047,6 +3061,10 @@ parse_command_line_options() {
             ALTNAMES=
             shift
             ;;
+        --ignore-http-headers)
+            IGNORE_HTTP_HEADERS=1
+            shift
+            ;;
         --ignore-host-cn)
             NAMES_TO_BE_CHECKED=
             ALTNAMES=
@@ -3099,7 +3117,7 @@ parse_command_line_options() {
             shift
             ;;
         --no-ssl2 | --no_ssl2)
-            if [ "$1" = '--no_ssl2' ] ; then
+            if [ "$1" = '--no_ssl2' ]; then
                 deprecated "$1" "Use '--no-ssl2'"
             fi
             # we keep the old variant for compatibility
@@ -3107,7 +3125,7 @@ parse_command_line_options() {
             shift
             ;;
         --no-ssl3 | --no_ssl3)
-            if [ "$1" = '--no_ssl3' ] ; then
+            if [ "$1" = '--no_ssl3' ]; then
                 deprecated "$1" "Use '--no-ssl3'"
             fi
             # we keep the old variant for compatibility
@@ -3115,7 +3133,7 @@ parse_command_line_options() {
             shift
             ;;
         --no-tls1 | --no_tls1)
-            if [ "$1" = '--no_tls1' ] ; then
+            if [ "$1" = '--no_tls1' ]; then
                 deprecated "$1" "Use '--no-tls1'"
             fi
             # we keep the old variant for compatibility
@@ -3123,7 +3141,7 @@ parse_command_line_options() {
             shift
             ;;
         --no-tls1_1 | --no_tls1_1)
-            if [ "$1" = '--no_tls1_1' ] ; then
+            if [ "$1" = '--no_tls1_1' ]; then
                 deprecated "$1" "Use '--no-tls1_1'"
             fi
             # we keep the old variant for compatibility
@@ -3131,7 +3149,7 @@ parse_command_line_options() {
             shift
             ;;
         --no-tls1_2 | --no_tls1_2)
-            if [ "$1" = '--no_tls1_2' ] ; then
+            if [ "$1" = '--no_tls1_2' ]; then
                 deprecated "$1" "Use '--no-tls1_2'"
             fi
             # we keep the old variant for compatibility
@@ -3139,7 +3157,7 @@ parse_command_line_options() {
             shift
             ;;
         --no-tls1_3 | --no_tls1_3)
-            if [ "$1" = '--no_tls1_3' ] ; then
+            if [ "$1" = '--no_tls1_3' ]; then
                 deprecated "$1" "Use '--no-tls1_3'"
             fi
             # we keep the old variant for compatibility
@@ -3219,42 +3237,42 @@ parse_command_line_options() {
             shift
             ;;
         --ssl2)
-            if [ -n "${SSL_VERSION}" ] ; then
+            if [ -n "${SSL_VERSION}" ]; then
                 unknown "--ssl2: only one protocol can be specified at the same time (${SSL_VERSION} is already specified)"
             fi
             SSL_VERSION="-ssl2"
             shift
             ;;
         --ssl3)
-            if [ -n "${SSL_VERSION}" ] ; then
+            if [ -n "${SSL_VERSION}" ]; then
                 unknown "--ssl3: only one protocol can be specified at the same time (${SSL_VERSION} is already specified)"
             fi
             SSL_VERSION="-ssl3"
             shift
             ;;
         --tls1)
-            if [ -n "${SSL_VERSION}" ] ; then
+            if [ -n "${SSL_VERSION}" ]; then
                 unknown "--tls1: only one protocol can be specified at the same time (${SSL_VERSION} is already specified)"
             fi
             SSL_VERSION="-tls1"
             shift
             ;;
         --tls1_1)
-            if [ -n "${SSL_VERSION}" ] ; then
+            if [ -n "${SSL_VERSION}" ]; then
                 unknown "--tls1_1: only one protocol can be specified at the same time (${SSL_VERSION} is already specified)"
             fi
             SSL_VERSION="-tls1_1"
             shift
             ;;
         --tls1_2)
-            if [ -n "${SSL_VERSION}" ] ; then
+            if [ -n "${SSL_VERSION}" ]; then
                 unknown "--tls1_2: only one protocol can be specified at the same time (${SSL_VERSION} is already specified)"
             fi
             SSL_VERSION="-tls1_2"
             shift
             ;;
         --tls1_3)
-            if [ -n "${SSL_VERSION}" ] ; then
+            if [ -n "${SSL_VERSION}" ]; then
                 unknown "--tls1_3: only one protocol can be specified at the same time (${SSL_VERSION} is already specified)"
             fi
             SSL_VERSION="-tls1_3"
@@ -3324,12 +3342,12 @@ parse_command_line_options() {
 
         --configuration)
             check_option_argument '--configuration' "$2"
-            if [ -r "$2" ] ; then
+            if [ -r "$2" ]; then
                 # custom configuration file
                 while IFS= read -r line; do
                     # shellcheck disable=SC2086
                     set -- "$@" ${line}
-                done < "$2"
+                done <"$2"
             else
                 unknown "Cannot read $2"
             fi
@@ -3467,6 +3485,15 @@ parse_command_line_options() {
             PYTHON_BIN="$2"
             shift 2
             ;;
+        --security-level)
+            check_option_argument '--security-level' "$2"
+            if ! echo "$2" | grep -q '^[0-5]$' ; then
+                unknown 'Invalid secuirity level'
+            fi
+            SECURITY_LEVEL="-cipher DEFAULT at SECLEVEL=$2"
+            shift 2
+            ;;
+
         --serial)
             check_option_argument '--serial' "$2"
             SERIAL_LOCK="$2"
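Review bot: typo in a user-facing message, `'Invalid secuirity level'` should read `'Invalid security level'`. As rendered in this archive the assignment reads `-cipher DEFAULT at SECLEVEL=$2`; the OpenSSL cipher-string syntax is `DEFAULT@SECLEVEL=n`, and the list software rewrites `@` as ` at ` (see the sender address in the mail header), so please confirm the committed file contains the literal `@`. The validation also uses bare `grep -q '^[0-5]$' ;` where the rest of the script calls `"${GREP_BIN}"`, and keeps the space before `;` that this same commit removes everywhere else; worth aligning before merge.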
@@ -3534,10 +3561,10 @@ $2"
             shift 2
             ;;
         -n | --cn | -m | --match)
-            if [ "$1" = '-n' ] ; then
+            if [ "$1" = '-n' ]; then
                 deprecated '-n' "Use '-m'"
             fi
-            if [ "$1" = '--cn' ] ; then
+            if [ "$1" = '--cn' ]; then
                 deprecated '--cn' "Use '--match'"
             fi
             check_option_argument ' -n|--cn|-m|--match' "$2"
@@ -3765,7 +3792,7 @@ $2"
             add_required_header X-Frame-Options
 
             # default path
-            if [ -z "${HTTP_HEADERS_PATH}" ] ; then
+            if [ -z "${HTTP_HEADERS_PATH}" ]; then
                 HTTP_HEADERS_PATH='/'
             fi
 
@@ -3919,11 +3946,11 @@ main() {
     # Bash specific.
 
     # read additional options from the configuration file
-    if [ -r "${CONFIGURATION_FILE}" ] ; then
+    if [ -r "${CONFIGURATION_FILE}" ]; then
         while IFS= read -r line; do
             # shellcheck disable=SC2086
             set -- "$@" ${line}
-        done < "${CONFIGURATION_FILE}"
+        done <"${CONFIGURATION_FILE}"
     fi
 
     parse_command_line_options "$@"
@@ -4011,20 +4038,24 @@ main() {
         date >>"${DEBUG_FILE}"
     fi
 
-    if [ "${DEBUG}" -gt 0 ] ; then
+    if [ "${DEBUG}" -gt 0 ]; then
 
         debuglog "Shell: ${SHELL}"
-        SHELL_VERSION=$( "${SHELL}" --version)
+        SHELL_VERSION=$("${SHELL}" --version)
         echo "${SHELL_VERSION}" | sed 's/^/[DBG]   /' 1>&2
 
         # should take a look at
         # https://github.com/stephane-chazelas/misc-scripts/blob/master/which_interpreter
 
         debuglog "grep: ${GREP_BIN}"
-        GREP_VERSION=$( ${GREP_BIN} --version)
+        GREP_VERSION=$(${GREP_BIN} --version 2>&1)
+        if echo "${GREP_VERSION}" | grep -q BusyBox ; then
+            # BusyBox grep does not have a -version option
+            GREP_VERSION=$( echo "${GREP_VERSION}" | sed -e 's/.*BusyBox/BusyBox/' -e 's/\. Usage.*//' )
+        fi
         echo "${GREP_VERSION}" | sed 's/^/[DBG]   /' 1>&2
 
-        HOSTNAME_BIN=$( command -v hostname )
+        HOSTNAME_BIN=$(command -v hostname)
         debuglog "hostname: ${HOSTNAME_BIN}"
 
         debuglog "\$PATH: ${PATH}"
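Review bot: the BusyBox fallback captures stderr (`2>&1`) and then tests for `BusyBox` with bare `grep` rather than `"${GREP_BIN}"`, which is the very binary this debug block is reporting on; use `"${GREP_BIN}"` here as well so the output reflects the configured grep. The comment says `-version` with one dash, but the option being probed is `--version`. The added lines also keep the `$( echo ... )` spacing and ` ;` before `then` that the rest of this commit normalizes away.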
@@ -4059,9 +4090,11 @@ main() {
         fi
 
         # we check HTTP headers only with HTTP/HTTPS
-        if [ -z "${PROTOCOL}" ] || [ "${PROTOCOL}" = 'http' ] || [ "${PROTOCOL}" = 'https' ] || [ "${PROTOCOL}" = 'h2' ] ; then
-            REQUIRED_HTTP_HEADERS="${DEFAULT_REQUIRED_HTTP_HEADERS}"
-            UNREQUIRED_HTTP_HEADERS="${DEFAULT_UNREQUIRED_HTTP_HEADERS}"
+        if [ -z "${IGNORE_HTTP_HEADERS}" ] ; then
+            if [ -z "${PROTOCOL}" ] || [ "${PROTOCOL}" = 'http' ] || [ "${PROTOCOL}" = 'https' ] || [ "${PROTOCOL}" = 'h2' ]; then
+                REQUIRED_HTTP_HEADERS="${DEFAULT_REQUIRED_HTTP_HEADERS}"
+                UNREQUIRED_HTTP_HEADERS="${DEFAULT_UNREQUIRED_HTTP_HEADERS}"
+            fi
         fi
 
     fi
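Review bot: `--ignore-http-headers` only suppresses the default lists (`DEFAULT_REQUIRED_HTTP_HEADERS` / `DEFAULT_UNREQUIRED_HTTP_HEADERS`); headers registered explicitly through `add_required_header` elsewhere in the option parser are still checked, so the help text and man page should say "ignore the default HTTP header checks" rather than imply that all header checks are skipped. Minor: the new outer `if [ -z "${IGNORE_HTTP_HEADERS}" ] ; then` keeps the space before `;` that this commit removes in every other condition.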
@@ -4085,13 +4118,12 @@ main() {
     # HTTP checks do only make sense with HTTP
     # do not split the next line otherwise ShellCheck will fail to parse it
     # see https://www.shellcheck.net/wiki/SC2235 for the { ; } syntax
-    if [ -n "${FILE}" ] || { [ -n "${PROTOCOL}" ] && [ "${PROTOCOL}" != 'http' ] && [ "${PROTOCOL}" != 'https' ] && [ "${PROTOCOL}" != 'h2' ]; } ; then
-        if [ -n "${REQUIRED_HTTP_HEADERS}" ] || [ -n "${UNREQUIRED_HTTP_HEADERS}" ] ; then
+    if [ -n "${FILE}" ] || { [ -n "${PROTOCOL}" ] && [ "${PROTOCOL}" != 'http' ] && [ "${PROTOCOL}" != 'https' ] && [ "${PROTOCOL}" != 'h2' ]; }; then
+        if [ -n "${REQUIRED_HTTP_HEADERS}" ] || [ -n "${UNREQUIRED_HTTP_HEADERS}" ]; then
             unknown "HTTP headers can only be checked with HTTP[S]"
         fi
     fi
 
-
     # we need the FQDN of an host to check the CN
     debuglog "Adding the domain if missing"
     # - the domain does not contain a .
@@ -4121,8 +4153,8 @@ main() {
     if [ -r "${HOST_CACHE}" ]; then
         debuglog "Host cache ${HOST_CACHE} is present"
 
-        if echo "${HOST}" | "${GREP_BIN}" -q -F '[' ; then
-            PATTERN=$( echo "${HOST}" | sed -e 's/\[//' -e 's/\]//' )
+        if echo "${HOST}" | "${GREP_BIN}" -q -F '['; then
+            PATTERN=$(echo "${HOST}" | sed -e 's/\[//' -e 's/\]//')
         else
             PATTERN="^${HOST}$"
         fi
@@ -4151,7 +4183,7 @@ main() {
 
         debuglog "Forcing ${HOST} to resolve to ${RESOLVE}"
 
-        if echo "${RESOLVE}" | "${GREP_BIN}" -q '^[a-fA-F0-9].*:' ; then
+        if echo "${RESOLVE}" | "${GREP_BIN}" -q '^[a-fA-F0-9].*:'; then
             debuglog "--resolve with an IPv6 (${RESOLVE}) without brackets: adding ([${RESOLVE}])"
             RESOLVE="[${RESOLVE}]"
         fi
@@ -4241,7 +4273,7 @@ main() {
         PYTHON_BIN="${PROG}"
 
         # check Python major version
-        if "${PYTHON_BIN}" --version 2>&1 | grep -q '^Python 2' ; then
+        if "${PYTHON_BIN}" --version 2>&1 | grep -q '^Python 2'; then
             unknown "Python 2 is not supported"
         fi
 
@@ -4261,7 +4293,7 @@ main() {
 
     ##############################################################################
     # OpenSSL options
-    if [ -n "${REQUIRE_PURPOSE}" ] || [ -n "${REQUIRE_PURPOSE_CRITICAL}" ] ; then
+    if [ -n "${REQUIRE_PURPOSE}" ] || [ -n "${REQUIRE_PURPOSE_CRITICAL}" ]; then
         require_x509_option "-ext" " (required for certificate purpose)"
     fi
 
@@ -4620,8 +4652,8 @@ main() {
 
     # nmap does not understand brackets in IPv6 addresses
     NMAP_HOST_ADDR="${HOST_ADDR}"
-    if echo "${NMAP_HOST_ADDR}" | "${GREP_BIN}" -q '^\[' ; then
-        NMAP_HOST_ADDR=$( echo "${NMAP_HOST_ADDR}" | sed -e 's/^\[//' -e 's/\]$//' )
+    if echo "${NMAP_HOST_ADDR}" | "${GREP_BIN}" -q '^\['; then
+        NMAP_HOST_ADDR=$(echo "${NMAP_HOST_ADDR}" | sed -e 's/^\[//' -e 's/\]$//')
     fi
 
     # check if the host has an IPv6 address only (as nmap is not able to resolve without the -6 switch)
@@ -4631,7 +4663,7 @@ main() {
         NMAP_INETPROTO='-6'
     fi
 
-    if echo "${NMAP_HOST_ADDR}" | "${GREP_BIN}" -q ':' ; then
+    if echo "${NMAP_HOST_ADDR}" | "${GREP_BIN}" -q ':'; then
         debuglog "host specified as an IPv6 address: forcing IPv6 with nmap"
         NMAP_INETPROTO='-6'
     fi
@@ -4892,17 +4924,16 @@ main() {
     # https://security.stackexchange.com/questions/120708/nmap-through-proxy
     #
     if [ -n "${http_proxy}" ] ||
-           [ -n "${https_proxy}" ] ||
-           [ -n "${HTTP_PROXY}" ] ||
-           [ -n "${HTTPS_PROXY}" ] ||
-           [ -n "${SCLIENT_PROXY}" ] ||
-           [ -n "${CURL_PROXY}" ] ; then
+        [ -n "${https_proxy}" ] ||
+        [ -n "${HTTP_PROXY}" ] ||
+        [ -n "${HTTPS_PROXY}" ] ||
+        [ -n "${SCLIENT_PROXY}" ] ||
+        [ -n "${CURL_PROXY}" ]; then
         DISABLE_NMAP=1
         debuglog "A proxy is specified: nmap disabled"
         verboselog "A proxy is specified: nmap checks disabled"
     fi
 
-
     ################################################################################
     # Check if openssl s_client supports the -name option
     #
@@ -5002,9 +5033,9 @@ main() {
     # - https://dnsinstitute.com/documentation/dnssec-guide/ch03s02.html
     # - https://serverfault.com/questions/154016/querying-and-verifying-dnssec
     #
-    if [ -n "${REQUIRE_DNSSEC}" ] ; then
+    if [ -n "${REQUIRE_DNSSEC}" ]; then
 
-        if [ -n "${FILE}" ] ; then
+        if [ -n "${FILE}" ]; then
             unknown "--require-dnssec cannot be used with --file"
         fi
 
@@ -5018,7 +5049,7 @@ main() {
 
         # a lot of DNS servers have no support for DNSSEC: we use Google's public DNS
         debuglog "Checking DNSSEC with ${DIG_BIN} +dnssec ${HOST} @8.8.8.8"
-        DIG_OUTPUT=$( ${DIG_BIN} +dnssec "${HOST}" @8.8.8.8 )
+        DIG_OUTPUT=$(${DIG_BIN} +dnssec "${HOST}" @8.8.8.8)
 
         if [ "${DEBUG}" -gt 0 ]; then
             echo "${DIG_OUTPUT}" | sed 's/^/[DBG]     /' 1>&2
@@ -5026,24 +5057,24 @@ main() {
 
         DNSSEC_ERROR=
         # check for the presence of the Authenticated Data (ad) flag in the header
-        if ! echo "${DIG_OUTPUT}" | "${GREP_BIN}" ';; flags:' | "${GREP_BIN}" -q 'ad[; ]' ; then
+        if ! echo "${DIG_OUTPUT}" | "${GREP_BIN}" ';; flags:' | "${GREP_BIN}" -q 'ad[; ]'; then
             prepend_critical_message "DNSSEC: the Authenticated Data (ad) flag is not present"
             DNSSEC_ERROR=1
         fi
 
         # check the DNSSEC OK (do) flag indicating the recursive server is DNSSEC-aware
-        if ! echo "${DIG_OUTPUT}" | "${GREP_BIN}" ', flags:' | "${GREP_BIN}" -q 'do[; ]' ; then
+        if ! echo "${DIG_OUTPUT}" | "${GREP_BIN}" ', flags:' | "${GREP_BIN}" -q 'do[; ]'; then
             prepend_critical_message "DNSSEC: the DNSSEC OK (do) flag indicating the recursive server is DNSSEC-aware is not present"
             DNSSEC_ERROR=1
         fi
 
         # check for the presence of an additional resource record of type RRSIG, with the same name as the A record.
-        if ! echo "${DIG_OUTPUT}" | "${GREP_BIN}" -q 'RRSIG' ; then
+        if ! echo "${DIG_OUTPUT}" | "${GREP_BIN}" -q 'RRSIG'; then
             prepend_critical_message "DNSSEC: the RRSIG resource record is not present"
             DNSSEC_ERROR=1
         fi
 
-        if [ -z "${DNSSEC_ERROR}" ] ; then
+        if [ -z "${DNSSEC_ERROR}" ]; then
             verboselog "DNSSEC ok"
             info "DNSSEC" "ok"
         else
@@ -5074,10 +5105,10 @@ main() {
         HTTP_VERSION="1.1"
     fi
 
-    if [ -n "${IGNORE_MAXIMUM_VALIDITY}" ] && [ -n "${MAXIMUM_VALIDITY}" ] ; then
+    if [ -n "${IGNORE_MAXIMUM_VALIDITY}" ] && [ -n "${MAXIMUM_VALIDITY}" ]; then
         unknown "--ignore-maximum-validity and --maximum-validity cannot be specified at the same time"
     fi
-    if [ -n "${MAXIMUM_VALIDITY}" ]  && ! echo "${MAXIMUM_VALIDITY}" | "${GREP_BIN}" -E -q '^[0-9][0-9]*$'; then
+    if [ -n "${MAXIMUM_VALIDITY}" ] && ! echo "${MAXIMUM_VALIDITY}" | "${GREP_BIN}" -E -q '^[0-9][0-9]*$'; then
         unknown "invalid number of days '${MAXIMUM_VALIDITY}'"
     fi
 
@@ -5089,7 +5120,7 @@ main() {
     # Check for disallowed protocols
     if [ -n "${DISALLOWED_PROTOCOLS}" ]; then
 
-        if [ -n "${DISABLE_NMAP}" ] ; then
+        if [ -n "${DISABLE_NMAP}" ]; then
 
             verboselog "Using a proxy: cannot check for disable protocols"
             debuglog "Using a proxy: cannot check for disable protocols"
@@ -5192,9 +5223,9 @@ main() {
 
     ################################################################################
     # Connection check
-    if [ -z "${FILE}" ] ; then
+    if [ -z "${FILE}" ]; then
 
-        if [ -n "${DISABLE_NMAP}" ] ; then
+        if [ -n "${DISABLE_NMAP}" ]; then
 
             verboselog "Using a proxy: cannot test connection"
             debuglog "Using a proxy: cannot test connection"
@@ -5205,29 +5236,29 @@ main() {
 
             debuglog "Executing: '${NMAP_BIN} ${NMAP_INETPROTO} --unprivileged -Pn -p ${PORT} ${NMAP_HOST_ADDR}'"
 
-            if ! ${NMAP_BIN} "${NMAP_INETPROTO}" --unprivileged -Pn -p "${PORT}" "${NMAP_HOST_ADDR}" 2>&1 | "${GREP_BIN}" -q "${PORT}.*open" ; then
+            if ! ${NMAP_BIN} "${NMAP_INETPROTO}" --unprivileged -Pn -p "${PORT}" "${NMAP_HOST_ADDR}" 2>&1 | "${GREP_BIN}" -q "${PORT}.*open"; then
 
-                if [ -n "${IGNORE_CONNECTION_STATE}" ] ; then
+                if [ -n "${IGNORE_CONNECTION_STATE}" ]; then
 
                     case "${IGNORE_CONNECTION_STATE}" in
-                        "${STATUS_OK}")
-                            echo "${SHORTNAME} OK: Cannot connect to ${HOST}:${PORT}"
-                            exit "${STATUS_OK}"
-                            ;;
-                        "${STATUS_WARNING}")
-                            echo "${SHORTNAME} WARNING: Cannot connect to ${HOST}:${PORT}"
-                            exit "${STATUS_WARNING}"
-                            ;;
-                        "${STATUS_CRITICAL}")
-                            echo "${SHORTNAME} CRITICAL: Cannot connect to ${HOST}:${PORT}"
-                            exit "${STATUS_CRITICAL}"
-                            ;;
-                        "${STATUS_UNKNOWN}")
-                            critical "Cannot connect to ${HOST}:${PORT}"
-                            ;;
-                        *)
-                            debuglog "Ignoring connection test"
-                            ;;
+                    "${STATUS_OK}")
+                        echo "${SHORTNAME} OK: Cannot connect to ${HOST}:${PORT}"
+                        exit "${STATUS_OK}"
+                        ;;
+                    "${STATUS_WARNING}")
+                        echo "${SHORTNAME} WARNING: Cannot connect to ${HOST}:${PORT}"
+                        exit "${STATUS_WARNING}"
+                        ;;
+                    "${STATUS_CRITICAL}")
+                        echo "${SHORTNAME} CRITICAL: Cannot connect to ${HOST}:${PORT}"
+                        exit "${STATUS_CRITICAL}"
+                        ;;
+                    "${STATUS_UNKNOWN}")
+                        critical "Cannot connect to ${HOST}:${PORT}"
+                        ;;
+                    *)
+                        debuglog "Ignoring connection test"
+                        ;;
                     esac
 
                 else
@@ -5322,16 +5353,16 @@ main() {
     ####################
     # check HTTP headers
 
-    if [ -n "${REQUIRED_HTTP_HEADERS}" ] ; then
+    if [ -n "${REQUIRED_HTTP_HEADERS}" ]; then
         debuglog "Checking required HTTP headers: ${REQUIRED_HTTP_HEADERS}"
-        for header in $( echo "${REQUIRED_HTTP_HEADERS}" | tr ',' '\n' ) ; do
+        for header in $(echo "${REQUIRED_HTTP_HEADERS}" | tr ',' '\n'); do
             check_required_http_header "${header}" "${HTTP_HEADERS_PATH}"
         done
     fi
 
-    if [ -n "${UNREQUIRED_HTTP_HEADERS}" ] ; then
+    if [ -n "${UNREQUIRED_HTTP_HEADERS}" ]; then
         debuglog "Checking unwanted HTTP headers: ${UNREQUIRED_HTTP_HEADERS}"
-        for header in $( echo "${UNREQUIRED_HTTP_HEADERS}" | tr ',' '\n' ) ; do
+        for header in $(echo "${UNREQUIRED_HTTP_HEADERS}" | tr ',' '\n'); do
             check_unrequired_http_header "${header}" "${HTTP_HEADERS_PATH}"
         done
     fi
@@ -5352,11 +5383,11 @@ main() {
             TIMEOUT_REASON="checking TLS renegotiation"
             case "${PROTOCOL}" in
             pop3 | ftp | smtp | irc | ldap | imap | postgres | postgresql | sieve | xmpp | xmpp-server | mysql)
-                exec_with_timeout "printf 'R\\n' | ${OPENSSL} s_client ${INETPROTO} -crlf -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -starttls ${PROTOCOL} 2>&1 | ${GREP_BIN} -F -q err"
+                exec_with_timeout "printf 'R\\n' | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} -crlf -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -starttls ${PROTOCOL} 2>&1 | ${GREP_BIN} -F -q err"
                 RET=$?
                 ;;
             *)
-                exec_with_timeout "printf 'R\\n' | ${OPENSSL} s_client ${INETPROTO} -crlf -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} 2>&1 | ${GREP_BIN} -F -q err"
+                exec_with_timeout "printf 'R\\n' | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} -crlf -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} 2>&1 | ${GREP_BIN} -F -q err"
                 RET=$?
                 ;;
             esac
@@ -5507,36 +5538,36 @@ main() {
         info "Fingerprint" "${FINGERPRINT_INFO}"
 
         # only works with -ext
-        if check_x509_option '-ext' ; then
+        if check_x509_option '-ext'; then
 
             KEY_USAGE="$(extract_cert_attribute 'keyUsage' "${CERT}")"
 
             # info
-            if [ -n "${PURPOSE_CRITICAL}" ] ; then
+            if [ -n "${PURPOSE_CRITICAL}" ]; then
                 debuglog "Certificate purpose is defined as critical"
                 PURPOSE_LABEL="Purpose (critical)"
             else
                 debuglog "Certificate purpose is not defined as critical"
                 PURPOSE_LABEL="Purpose"
-                if [ -n "${REQUIRE_PURPOSE_CRITICAL}" ] ; then
+                if [ -n "${REQUIRE_PURPOSE_CRITICAL}" ]; then
                     prepend_critical_message "Certificate purpose is not defined as critical (as required)"
                 fi
             fi
             info "${PURPOSE_LABEL}" "${KEY_USAGE}"
 
             # check the certificate purpose
-            if [ -n "${REQUIRE_PURPOSE}" ] ; then
+            if [ -n "${REQUIRE_PURPOSE}" ]; then
                 debuglog "Checking certificate purpose(s)"
 
-                while IFS= read -r purpose ; do
+                while IFS= read -r purpose; do
 
                     debuglog "  Check if '${purpose}' is defined"
 
                     # the purposes are in a 'comma space' separated list
                     if ! echo "${KEY_USAGE}" | "${GREP_BIN}" -q -i "^${purpose}$" &&
-                            ! echo "${KEY_USAGE}" | "${GREP_BIN}" -q -i "^${purpose}, " &&
-                            ! echo "${KEY_USAGE}" | "${GREP_BIN}" -q -i ", ${purpose}$" &&
-                            ! echo "${KEY_USAGE}" | "${GREP_BIN}" -q -i ", ${purpose}, " ; then
+                        ! echo "${KEY_USAGE}" | "${GREP_BIN}" -q -i "^${purpose}, " &&
+                        ! echo "${KEY_USAGE}" | "${GREP_BIN}" -q -i ", ${purpose}$" &&
+                        ! echo "${KEY_USAGE}" | "${GREP_BIN}" -q -i ", ${purpose}, "; then
                         prepend_critical_message "'${purpose}' is not specified as a certificate purpose"
                     fi
 
@@ -5617,12 +5648,12 @@ EOF
         # 2 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
         #   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
 
-        matches=$( grep '^ [0-9 ] [si]:' "${CERT}" | tail -n 2 | sed 's/^[ 0-9]* [si]://' | uniq -c | wc -l )
+        matches=$(grep '^ [0-9 ] [si]:' "${CERT}" | tail -n 2 | sed 's/^[ 0-9]* [si]://' | uniq -c | wc -l)
 
-        if [ "${matches}" -eq 1 ] ; then
+        if [ "${matches}" -eq 1 ]; then
             debuglog "The root certificate is present in the chain"
             verboselog "The root certificate is unnecessarily present in the delivered certificate chain"
-            if [ -n "${CHECK_CHAIN}" ] ; then
+            if [ -n "${CHECK_CHAIN}" ]; then
                 prepend_critical_message "The root certificate is unnecessarily present in the delivered certificate chain"
             fi
         fi
@@ -6039,17 +6070,17 @@ EOF
         # browsers usually do not complain (see #416)
 
         # loop over the criticals
-        if [ -n "${CN_EXPIRED_CRITICAL}" ] ; then
-            while IFS= read -r critical ; do
+        if [ -n "${CN_EXPIRED_CRITICAL}" ]; then
+            while IFS= read -r critical; do
 
-                CN_TMP=$( echo "${critical}" | sed 's/:.*//' )
-                REPLACE_CURRENT_MESSAGE=$( echo "${critical}" | sed -e 's/^[^:]*://' -e 's/:.*//' )
-                MESSAGE_TMP=$( echo "${critical}" | sed 's/^[^:]*:[^:]*://' )
+                CN_TMP=$(echo "${critical}" | sed 's/:.*//')
+                REPLACE_CURRENT_MESSAGE=$(echo "${critical}" | sed -e 's/^[^:]*://' -e 's/:.*//')
+                MESSAGE_TMP=$(echo "${critical}" | sed 's/^[^:]*:[^:]*://')
 
                 # check if the warning is overridden by another certificate for the same CN
-                if echo "${CN_OK}" | grep -q "${CN_TMP}" ; then
+                if echo "${CN_OK}" | grep -q "${CN_TMP}"; then
                     verboselog "Both a valid and an expired certificate were found"
-                    if [ -n "${CHECK_CHAIN}" ] ; then
+                    if [ -n "${CHECK_CHAIN}" ]; then
                         prepend_critical_message "Both a valid and an expired certificate were found"
                     fi
                 else
@@ -6062,17 +6093,17 @@ INPUT
         fi
 
         # loop over the warnings
-        if [ -n "${CN_EXPIRED_WARNING}" ] ; then
-            while IFS= read -r warning ; do
+        if [ -n "${CN_EXPIRED_WARNING}" ]; then
+            while IFS= read -r warning; do
 
-                CN_TMP=$( echo "${warning}" | sed 's/:.*//' )
-                REPLACE_CURRENT_MESSAGE=$( echo "${warning}" | sed -e 's/^[^:]*://' -e 's/:.*//' )
-                MESSAGE_TMP=$( echo "${warning}" | sed 's/^[^:]*:[^:]*://' )
+                CN_TMP=$(echo "${warning}" | sed 's/:.*//')
+                REPLACE_CURRENT_MESSAGE=$(echo "${warning}" | sed -e 's/^[^:]*://' -e 's/:.*//')
+                MESSAGE_TMP=$(echo "${warning}" | sed 's/^[^:]*:[^:]*://')
 
                 # check if the warning is overridden by another certificate for the same CN
-                if echo "${CN_OK}" | grep -q "${CN_TMP}" ; then
+                if echo "${CN_OK}" | grep -q "${CN_TMP}"; then
                     verboselog "Both a valid and an expired certificate were found"
-                    if [ -n "${CHECK_CHAIN}" ] ; then
+                    if [ -n "${CHECK_CHAIN}" ]; then
                         prepend_critical_message "Both a valid and an expired certificate were found"
                     fi
                 else
@@ -6090,7 +6121,7 @@ INPUT
     # Check nmap
     if [ -n "${CHECK_CIPHERS}" ] || [ -n "${CHECK_CIPHERS_WARNINGS}" ]; then
 
-        if [ -n "${DISABLE_NMAP}" ] ; then
+        if [ -n "${DISABLE_NMAP}" ]; then
 
             verboselog "Using a proxy: cannot check ciphers"
             debuglog "Using a proxy: cannot check ciphers"
@@ -6350,7 +6381,7 @@ ${WARNING}"
 
     fi
 
-    if [ -n "${INFO}" ] ; then
+    if [ -n "${INFO}" ]; then
 
         # see https://stackoverflow.com/questions/6464129/certificate-subject-x-509 for additional fields that could be implemented
 
@@ -6369,7 +6400,7 @@ ${WARNING}"
         CERT_LOCALITY="$(extract_cert_attribute 'locality' "${CERT}")"
         info "Locality" "${CERT_LOCALITY}"
 
-        KEY_LENGTH="$( extract_cert_attribute 'key_length' "${CERT}" )"
+        KEY_LENGTH="$(extract_cert_attribute 'key_length' "${CERT}")"
         info "Public key length" "${KEY_LENGTH}"
 
     fi
@@ -6457,28 +6488,28 @@ ${WARNING}"
 
     ##############################################################################
     # Check total certificate validity
-    if [ -z "${IGNORE_MAXIMUM_VALIDITY}" ] ; then
+    if [ -z "${IGNORE_MAXIMUM_VALIDITY}" ]; then
 
         # we check only for HTTP protocols, files or if --maximum-validity was specified
         if [ -z "${PROTOCOL}" ] ||
-               [ "${PROTOCOL}" = 'https' ] ||
-               [ "${PROTOCOL}" = 'h2' ] ||
-               [ -n "${MAXIMUM_VALIDITY}" ] ||
-               [ -n "${FILE}" ] ; then
+            [ "${PROTOCOL}" = 'https' ] ||
+            [ "${PROTOCOL}" = 'h2' ] ||
+            [ -n "${MAXIMUM_VALIDITY}" ] ||
+            [ -n "${FILE}" ]; then
 
-            HOURS_UNTIL_END_DATE=$( hours_until "${DATE}" )
-            HOURS_FROM_START_DATE=$( hours_until "${START_DATE}" )
+            HOURS_UNTIL_END_DATE=$(hours_until "${DATE}")
+            HOURS_FROM_START_DATE=$(hours_until "${START_DATE}")
 
             # no decimals even if --precision was specified
-            TOTAL_CERT_VALIDITY=$( compute "(${HOURS_UNTIL_END_DATE} - ${HOURS_FROM_START_DATE})/24" 0 )
+            TOTAL_CERT_VALIDITY=$(compute "(${HOURS_UNTIL_END_DATE} - ${HOURS_FROM_START_DATE})/24" 0)
 
             LIMIT=397
-            if [ -n "${MAXIMUM_VALIDITY}" ] ; then
+            if [ -n "${MAXIMUM_VALIDITY}" ]; then
                 LIMIT="${MAXIMUM_VALIDITY}"
             fi
 
             # a certificate cannot be valid for more than 13 months (397 days)
-            if [ "${TOTAL_CERT_VALIDITY}" -gt "${LIMIT}" ] ; then
+            if [ "${TOTAL_CERT_VALIDITY}" -gt "${LIMIT}" ]; then
                 prepend_critical_message "The certificate cannot be valid for more than ${LIMIT} days (${TOTAL_CERT_VALIDITY})"
             else
                 verboselog "The certificate validity (${TOTAL_CERT_VALIDITY}) is shorter then the maximum (${LIMIT})"
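Review bot: the verboselog text "is shorter then the maximum" should read "shorter than". Two further points in this hunk: the comment "a certificate cannot be valid for more than 13 months (397 days)" sits after LIMIT may already have been replaced by --maximum-validity, so it should be worded as the default rather than a rule; and the branch also runs when PROTOCOL is empty or a FILE is checked, so certificates from private CAs (commonly issued for several years) are flagged CRITICAL unless the operator knows about --ignore-maximum-validity or --maximum-validity, which deserves a sentence in the documentation or a WARNING rather than CRITICAL for non-HTTPS inputs. The 397-day default matches the CA/Browser Forum "SHOULD NOT exceed 397 days" wording, but the hard limit there is 398 days, so a compliant 398-day public certificate trips `[ "${TOTAL_CERT_VALIDITY}" -gt "${LIMIT}" ]`; either warn at 397 and go critical at 398, or document that the stricter value is intentional.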
@@ -6525,7 +6556,7 @@ ${WARNING}"
             elif compare "${DAYS_VALID}" '>=' 0; then
                 DAYS_VALID=" (expires in less than a day)"
             elif compare "${DAYS_VALID}" '>=' '-1'; then
-                DAYS_VALID=$(( -DAYS_VALID ))
+                DAYS_VALID=$((-DAYS_VALID))
                 DAYS_VALID=" (expired ${DAYS_VALID} days ago)"
             fi
         fi
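Review bot: `DAYS_VALID=$((-DAYS_VALID))` is integer shell arithmetic, while the surrounding branches compare DAYS_VALID with the `compare` helper, which suggests the value can carry decimals when --precision is in use (the validity hunk above explicitly works around "--precision" for that reason). With a value such as -0.5 the `$(( ))` expansion fails with a syntax error and this branch produces no message. Use the same `compute` helper as elsewhere, e.g. `DAYS_VALID=$(compute "0 - ${DAYS_VALID}" 0)`, and, since this branch only covers certificates expired less than one day, consider the fixed text "(expired less than a day ago)" to mirror the "(expires in less than a day)" branch and avoid "expired 0 days ago" or "1 days ago".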
@@ -6663,7 +6694,7 @@ get_tds_certificate() {
     create_temporary_file
     PYTHON_SCRIPT=${TEMPFILE}
 
-    cat << ____PYTHON > "${PYTHON_SCRIPT}"
+    cat <<____PYTHON >"${PYTHON_SCRIPT}"
 from __future__ import print_function
 import sys
 import pprint
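Review bot: the heredoc delimiter in `cat <<____PYTHON >"${PYTHON_SCRIPT}"` is unquoted, so the shell performs parameter expansion, command substitution and backslash processing inside the Python source before it is written to the temporary file. Any `$`, backtick or backslash in the Python code has to be escaped, and any shell variable interpolated into the script (host name, port, timeout) becomes Python code that is executed; if interpolation is intended, make sure those values are validated or, better, passed via sys.argv or the environment instead of being pasted into source. If no expansion is needed, quote the delimiter (`<<'____PYTHON'`) so the script body is written verbatim.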


=====================================
check_ssl_cert/check_ssl_cert_2.57.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_2.58.0/check_ssl_cert.1
=====================================
@@ -1,7 +1,7 @@
 .\" Process this file with
 .\" groff -man -Tascii check_ssl_cert.1
 .\"
-.TH "check_ssl_cert" 1 "December, 2022" "2.57.0" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "January, 2023" "2.58.0" "USER COMMANDS"
 .SH NAME
 check_ssl_cert \- checks the validity of X.509 certificates
 .SH SYNOPSIS
@@ -202,6 +202,9 @@ In case of connection problems returns OK or the optional state
 .BR "   --ignore-exp"
 Ignore expiration date
 .TP
+.BR "   --ignore-http-headers"
+Ignore checks on HTTP headers with --all and --all-local
+.TP
 .BR "   --ignore-host-cn"
 Do not complain if the CN does not match the host name
 .TP
@@ -405,6 +408,9 @@ overrides option -r,--rootcert
 .BR "   --rsa"
 Signature algorithm selection: force RSA certificate
 .TP
+.BR "   --security-level" " number"
+Set the security level to specified value. See SSL_CTX_set_security_level(3) for a description of what each level means
+.TP
 .BR "-s,--selfsigned"
 Allow self-signed certificates
 .TP
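Review bot: the --security-level description reads "Set the security level to specified value" (missing "the") and does not state the accepted range; the completion added in this same commit offers 0 to 5, which matches the levels described in SSL_CTX_set_security_level(3), so the man page should say "an integer from 0 to 5". It should also mention that security levels exist only in OpenSSL 1.1.0 and later and what the plugin does when the installed openssl does not support them (error, warning or silent fallback).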


=====================================
check_ssl_cert/check_ssl_cert_2.57.0/check_ssl_cert.completion → check_ssl_cert/check_ssl_cert_2.58.0/check_ssl_cert.completion
=====================================
@@ -14,7 +14,7 @@ _check_ssl_cert() {
     #   only the autocompletion with long options is implemented: long options are more readable and quick to enter since we are
     #   using autocompletion.
     #
-    opts="--file --host --noauth --all --all-local --allow-empty-san --clientcert --configuration --critical --check-chain --check-ciphers --check-ciphers-warnings --check-http-headers --check-ssl-labs --check-ssl-labs-warn --clientpass --crl --curl-bin --user-agent --custom-http-header --dane --date --debug-cert --debug-file --debug-headers --debug-time --default-format --dig-bin --dtls --dtls1 --dtls1_2 --ecdsa --element --file-bin --fingerprint --first-element-only --force-dconv-date --force-perl-date --format --grep-bin --http-headers-path --http-use-get --ignore-altnames --jks-alias --ignore-connection-problems --ignore-exp --ignore-host-cn --ignore-incomplete-chain --ignore-maximum-validity --ignore-ocsp --ignore-ocsp-errors --ignore-ocsp-timeout --ignore-sct --ignore-sig-alg --ignore-ssl-labs-cache --ignore-tls-renegotiation --inetproto protocol --info --init-host-cache --issuer-cert-cache --long-output --match --maximum-validity --nmap-bin --no-perf --no-proxy --no-proxy-curl --no-proxy-s_client --no-ssl2 --no-ssl3 --no-tls1 --no-tls1_1 --no-tls1_2 --no-tls1_3 --not-issued-by --not-valid-longer-than --ocsp-critical --ocsp-warning --openssl --password --path --precision --prometheus --proxy --require-client-cert --require-dnssec --require-http-header --require-no-http-header --require-no-ssl2 --require-no-ssl3 --require-no-tls1 --require-no-tls1_1 --require-ocsp-stapling --require-purpose --require-purpose-critical --resolve  --rootcert-dir --rootcert-file --rsa --serial --skip-element --sni --ssl2 --ssl3 --temp --terse --tls1 --tls1_1 --tls1_2 --tls1_3 --xmpphost -4 -6 --clientkey --protocol --version --debug --email --help --issuer --cn --org  --port port --rootcert --quiet --selfsigned --timeout --url --verbose --warning --python-bin"
+    opts="--file --host --noauth --all --all-local --allow-empty-san --clientcert --configuration --critical --check-chain --check-ciphers --check-ciphers-warnings --check-http-headers --check-ssl-labs --check-ssl-labs-warn --clientpass --crl --curl-bin --user-agent --custom-http-header --dane --date --debug-cert --debug-file --debug-headers --debug-time --default-format --dig-bin --dtls --dtls1 --dtls1_2 --ecdsa --element --file-bin --fingerprint --first-element-only --force-dconv-date --force-perl-date --format --grep-bin --http-headers-path --http-use-get --ignore-altnames --jks-alias --ignore-connection-problems --ignore-exp --ignore-http-headers --ignore-host-cn --ignore-incomplete-chain --ignore-maximum-validity --ignore-ocsp --ignore-ocsp-errors --ignore-ocsp-timeout --ignore-sct --ignore-sig-alg --ignore-ssl-labs-cache --ignore-tls-renegotiation --inetproto protocol --info --init-host-cache --issuer-cert-cache --long-output --match --maximum-validity --nmap-bin --no-perf --no-proxy --no-proxy-curl --no-proxy-s_client --no-ssl2 --no-ssl3 --no-tls1 --no-tls1_1 --no-tls1_2 --no-tls1_3 --not-issued-by --not-valid-longer-than --ocsp-critical --ocsp-warning --openssl --password --path --precision --prometheus --proxy --require-client-cert --require-dnssec --require-http-header --require-no-http-header --require-no-ssl2 --require-no-ssl3 --require-no-tls1 --require-no-tls1_1 --require-ocsp-stapling --require-purpose --require-purpose-critical --resolve  --rootcert-dir --rootcert-file --rsa --serial --security-level --skip-element --sni --ssl2 --ssl3 --temp --terse --tls1 --tls1_1 --tls1_2 --tls1_3 --xmpphost -4 -6 --clientkey --protocol --version --debug --email --help --issuer --cn --org  --port port --rootcert --quiet --selfsigned --timeout --url --verbose --warning --python-bin"
 
     if [[ ${cur} == -* || ${COMP_CWORD} -eq 1 ]]; then
         # shellcheck disable=2207
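Review bot: the opts word list still contains the argument placeholders `--inetproto protocol` and `--port port`, so bash offers the bare words "protocol" and "port" as completions; drop the placeholders, since the per-option `case` branches below already complete their values. The double spaces in `--resolve  --rootcert-dir` and `--org  --port` are harmless to compgen but worth cleaning up while touching this line. The new `--security-level` is inserted next to `--serial`, consistent with the rest of the list.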
@@ -96,6 +96,12 @@ _check_ssl_cert() {
         COMPREPLY=($(compgen -W "X-Powered-By X-Aspnet-Version X-XSS-Protection Server X-AspNetMvc-Version" -- "${cur}"))
         ;;
 
+    --security-level)
+
+        # shellcheck disable=2207
+        COMPREPLY=($(compgen -W "0 1 2 3 4 5" -- "${cur}"))
+        ;;
+
     --port | -p)
         # shellcheck disable=2207
         COMPREPLY=($(compgen -W "21 22 80 443 143 993 194 994 389 587 636 3306 3391 110 995 5432 4190 25 465 5222 5269" -- "${cur}"))
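Review bot: the `--security-level)` case has an extra blank line between the label and the shellcheck comment, unlike the neighbouring `--port | -p)` and `--protocol | -P)` branches; align it with the existing layout. The offered values 0 to 5 are the full range documented in SSL_CTX_set_security_level(3), which is correct.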
@@ -103,7 +109,7 @@ _check_ssl_cert() {
 
     --protocol | -P)
         # shellcheck disable=2207
-        COMPREPLY=($(compgen -W "ftp ftps http https h2 imap imaps irc ircs ldap ldaps mysql pop3 pop3s postgres sieve smtp smtps xmpp xmpp-server tds" -- "${cur}"))
+        COMPREPLY=($(compgen -W "dns ftp ftps http https h2 imap imaps irc ircs ldap ldaps mysql pop3 pop3s postgres sieve smtp smtps xmpp xmpp-server tds" -- "${cur}"))
         ;;
 
     *) ;;
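Review bot: `dns` is added to the --protocol completion, but the man page hunks in this commit only add --ignore-http-headers and --security-level, so check that the --protocol list in check_ssl_cert.1 and in --help mention dns as well. If dns means DNS over TLS, the --port completion list in the previous hunk (which stops at 5269 and has no 853) should gain port 853 too.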


=====================================
check_ssl_cert/check_ssl_cert_2.57.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_2.58.0/check_ssl_cert.spec
=====================================
@@ -1,4 +1,4 @@
-%global version          2.57.0
+%global version          2.58.0
 %global release          0
 %global sourcename       check_ssl_cert
 %global packagename      nagios-plugins-check_ssl_cert
@@ -54,6 +54,9 @@ rm -rf $RPM_BUILD_ROOT
 %endif
 
 %changelog
+* Mon Jan  16 2023 Matteo Corti <matteo at corti.li> - 2.58.0-0
+- Updated to 2.58.0
+
 * Sun Dec   4 2022 Matteo Corti <matteo at corti.li> - 2.57.0-0
 - Updated to 2.57.0
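Review bot: the new changelog header "Mon Jan  16 2023" has two spaces before the day; the usual rpm changelog date form is "Mon Jan 16 2023" with a single space (padding is only used for single-digit days, as in the existing "Dec   4" entry). The weekday is correct for 2023-01-16.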
 


=====================================
check_ssl_cert/control
=====================================
@@ -1,7 +1,7 @@
 Uploaders: Jan Wagner <waja at cyconet.org>
 Recommends: bc, curl, file, openssl
 Suggests: expect, iproute2, dnsutils
-Version: 2.57.0
+Version: 2.58.0
 Homepage: https://github.com/matteocorti/check_ssl_cert
 Watch: https://github.com/matteocorti/check_ssl_cert/releases >check_ssl_cert-([0-9.]+)<
 Description: plugin to check the CA and validity of an
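Review bot: only the Version line changes here, but the same commit shows the plugin calling nmap for --check-ciphers (the DISABLE_NMAP branch in the script diff) and writing a Python helper in get_tds_certificate (with a --python-bin option in the completion list), and neither nmap nor python3 appears in Recommends or Suggests. Consider adding them to Suggests so the optional checks work on a default install; the new --security-level option is served by the existing openssl entry in Recommends.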


=====================================
check_ssl_cert/src
=====================================
@@ -1 +1 @@
-check_ssl_cert_2.57.0
\ No newline at end of file
+check_ssl_cert_2.58.0/
\ No newline at end of file
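Review bot: the new value "check_ssl_cert_2.58.0/" gains a trailing slash that the previous "check_ssl_cert_2.57.0" did not have; if the build tooling joins this path with a component (for example "$(cat src)/check_ssl_cert") the result now contains a double slash. Keep the two releases consistent, and add a terminating newline so the "No newline at end of file" marker goes away and `cat src` behaves well in shell substitutions.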



View it on GitLab: https://salsa.debian.org/nagios-team/nagios-plugins-contrib/-/commit/7206c6d3cbaf774cde15b0d5556d56dd7ad40adf
