From 1e2387474a449452b78520b9ad96a8b4b5e99722 Mon Sep 17 00:00:00 2001
From: Harald Pfeiffer
Date: Wed, 17 Apr 2019 19:07:19 +0200
Subject: initial commit of source fetch
---
.../check_ssl_cert-1.83.0/check_ssl_cert.1 | 222 +++++++++++++++++++++
1 file changed, 222 insertions(+)
create mode 100644 nagios-plugins-contrib-24.20190301~bpo9+1/check_ssl_cert/check_ssl_cert-1.83.0/check_ssl_cert.1
(limited to 'nagios-plugins-contrib-24.20190301~bpo9+1/check_ssl_cert/check_ssl_cert-1.83.0/check_ssl_cert.1')
diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/check_ssl_cert/check_ssl_cert-1.83.0/check_ssl_cert.1 b/nagios-plugins-contrib-24.20190301~bpo9+1/check_ssl_cert/check_ssl_cert-1.83.0/check_ssl_cert.1
new file mode 100644
index 0000000..0a593be
--- /dev/null
+++ b/nagios-plugins-contrib-24.20190301~bpo9+1/check_ssl_cert/check_ssl_cert-1.83.0/check_ssl_cert.1
@@ -0,0 +1,222 @@
+.\" Process this file with
+.\" groff -man -Tascii foo.1
+.\"
+.TH "check_ssl_cert" 1 "February, 2019" "1.82.0" "USER COMMANDS"
+.SH NAME
+check_ssl_cert \- checks the validity of X.509 certificates
+.SH SYNOPSIS
+.BR "check_ssl_cert " "-H host [OPTIONS]"
+.SH DESCRIPTION
+.B check_ssl_cert
+A Nagios plugin to check an X.509 certificate:
+ - checks if the server is running and delivers a valid certificate
+ - checks if the CA matches a given pattern
+ - checks the validity
+.SH ARGUMENTS
+.TP
+.BR "-H,--host" " host"
+server
+.SH OPTIONS
+.TP
+.BR "-A,--noauth"
+ignore authority warnings (expiration only)
+.TP
+.BR " --altnames"
+matches the pattern specified in -n with alternate names too
+.TP
+.BR "-C,--clientcert" " path"
+use client certificate to authenticate
+.TP
+.BR " --clientpass" " phrase"
+set passphrase for client certificate.
+.TP
+.BR "-c,--critical" " days"
+minimum number of days a certificate has to be valid to issue a critical status
+.TP
+.BR " --curl-bin" " path"
+path of the curl binary to be used"
+.TP
+.BR "-d,--debug"
+produces debugging output
+.TP
+.BR " --ecdsa"
+cipher selection: force ECDSA authentication
+.TP
+.BR "-e,--email" " address"
+pattern to match the email address contained in the certificate
+.TP
+.BR "-f,--file" " file"
+local file path (works with -H localhost only) with -f you can not only pass a x509 certificate file but also a certificate revocation list (CRL) to check the validity period
+.TP
+.BR " --file-bin" " path"
+path of the file binary to be used
+.TP
+.BR " --fingerprint" " SHA1"
+pattern to match the SHA1-Fingerprint
+.TP
+.BR " --force-perl-date"
+force the usage of Perl for date computations
+.TP
+.BR " --format" " FORMAT"
+custom output format (e.g. "%SHORTNAME% OK %CN% from '%CA_ISSUER_MATCHED%'")
+.TP
+.BR "-h,--help,-?"
+this help message
+.TP
+.BR " --ignore-exp"
+ignore expiration date
+.TP
+.BR " --ignore-ocsp"
+do not check revocation with OCSP
+.TP
+.BR " --ignore-sig-alg"
+do not check if the certificate was signed with SHA1 or MD5
+.TP
+.BR " --ignore-ssl-labs-cache"
+Forces a new check by SSL Labs (see -L)
+.TP
+.BR " --issuer-cert-cache" " dir"
+directory where to store issuer certificates cache
+.TP
+.BR "-i,--issuer" " issuer"
+pattern to match the issuer of the certificate
+.TP
+.BR "-K,--clientkey" " path"
+use client certificate key to authenticate
+.TP
+.BR "-L,--check-ssl-labs grade"
+SSL Labs assestment (please check https://www.ssllabs.com/about/terms.html)
+.TP
+.BR " --check-ssl-warn-labs grade"
+SSL Labs grade on which to warn
+.TP
+.BR " --long-output" " list"
+append the specified comma separated (no spaces) list of attributes to the plugin output on additional lines.
+Valid attributes are: enddate, startdate, subject, issuer, modulus, serial, hash, email, ocsp_uri and fingerprint. 'all' will include all the available attributes.
+.TP
+.BR "-n,--cn" " name"
+pattern to match the CN of the certificate (can be specified multiple times)
+.TP
+.BR " --no_ssl2"
+disable SSL version 2
+.TP
+.BR " --no_ssl3"
+disable SSL version 3
+.TP
+.BR " --no_tls1"
+disable TLS version 1
+.TP
+.BR " --no_tls1_1"
+disable TLS version 1.1
+.TP
+.BR " --no_tls1_2"
+disable TLS version 1.2
+.TP
+.BR "-N,--host-cn"
+match CN with the host name
+.TP
+.BR "-o,--org" " org"
+pattern to match the organization of the certificate
+.TP
+.BR " --openssl" " path"
+path of the openssl binary to be used
+.TP
+.BR "-p,--port" " port"
+TCP port
+.TP
+.BR "-P,--protocol" " protocol"
+use the specific protocol: http (default), irc or smtp,pop3,imap,ftp,ldap (switch to TLS)
+.TP
+.BR "-s,--selfsigned"
+allows self-signed certificates
+.TP
+.BR " --serial serialnum"
+pattern to match the serial number
+.TP
+.BR " --sni name"
+sets the TLS SNI (Server Name Indication) extension in the ClientHello message to 'name'
+.TP
+.BR " --ssl2"
+force SSL version 2
+.TP
+.BR " --ssl3"
+force SSL version 3
+.TP
+.BR " --require-ocsp-stapling"
+require OCSP stapling
+.TP
+.BR " --require-san"
+require the presence of a Subject Alternative Name extension
+.TP
+.BR "-r,--rootcert" " cert"
+root certificate or directory to be used for certificate validation (passed to openssl's -CAfile or -CApath)
+.TP
+.BR " --rootcert-dir" " dir"
+root directory to be used for certificate validation (passed to openssl's -CApath)
+overrides option -r,--rootcert
+.TP
+.BR " --rootcert-file" " cert"
+root certificate to be used for certificate validation (passed to openssl's -CAfile)
+overrides option -r,--rootcert
+.TP
+.BR " --rsa"
+cipher selection: force RSA authentication
+.TP
+.BR " --temp" " dir"
+directory where to store the temporary files
+.TP
+.BR " --terse"
+terse output (also see --verbose)
+.TP
+.BR "-t,--timeout"
+seconds timeout after the specified time (defaults to 15 seconds)
+.TP
+.BR " --tls1"
+force TLS version 1
+.TP
+.BR " --tls1_1"
+force TLS version 1.1
+.TP
+.BR " --tls1_2"
+force TLS version 1.2
+.TP
+.BR " --tls1_3"
+force TLS version 1.3
+.TP
+.BR "-v,--verbose"
+verbose output (also see --terse)
+.TP
+.BR "-V,--version"
+version
+.TP
+.BR "-w,--warning" " days"
+minimum number of days a certificate has to be valid to issue a warning status
+.TP
+.BR " --xmpphost" " name"
+specifies the host for the "to" attribute of the stream element
+.SH DEPRECATED OPTIONS
+.TP
+.BR "-d,--days" " days"
+minimum number of days a certificate has to be valid (see --critical and --warning)
+.TP
+.BR " --ocsp"
+check revocation via OCSP
+.TP
+.BR "-S,--ssl" " version"
+force SSL version (2,3) (see: --ssl2 or --ssl3)
+
+.SH MULTIPLE CERTIFICATES
+If the host has multiple certificates and the installed openssl version supports the -servername option it is possible to specify the TLS SNI (Server Name Idetificator) with the -N (or --host-cn) option.
+
+.SH "SEE ALSO"
+x509(1), openssl(1), expect(1), timeout(1)
+.SH "EXIT STATUS"
+check_ssl_cert returns a zero exist status if it finds no errors, 1 for warnings, 2 for a critical errors and 3 for unknown problems
+.SH BUGS
+Please report bugs to:
+
+https://github.com/matteocorti/check_ssl_cert/issues
+.SH AUTHOR
+Matteo Corti (matteo (at) corti.li )
+See the AUTHORS file for the complete list of contributors
+
-- cgit v1.2.3