#!/bin/sh
#
# check_ssl_cert
#
# Checks an X.509 certificate:
# - checks if the server is running and delivers a valid certificate
# - checks if the CA matches a given pattern
# - checks the validity
#
# See  the INSTALL file for installation instructions
#
# Copyright (c) 2007-2012 ETH Zurich.
# Copyright (c) 2007-2021 Matteo Corti <matteo@corti.li>
#
# This module is free software; you can redistribute it and/or modify it
# under the terms of GNU general public license (gpl) version 3.
# See the LICENSE file for details.

################################################################################
# Constants

VERSION=2.15.0
SHORTNAME="SSL_CERT"

VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,modulus,serial,hash,email,ocsp_uri,fingerprint,"

SIGNALS="HUP INT QUIT TERM ABRT"

LC_ALL=C

# return value for the creation of temporary files
TEMPFILE=""

################################################################################
# Variables
STATUS_OK=0
STATUS_WARNING=1
STATUS_CRITICAL=2
STATUS_UNKNOWN=3
WARNING_MSG=""
CRITICAL_MSG=""
ALL_MSG=""
EARLIEST_VALIDITY_HOURS=""
DEBUG=0
DEBUG_FILE=""

################################################################################
# Functions

################################################################################
# To set a variable with an HEREDOC in a POSIX compliant way
# see: https://unix.stackexchange.com/questions/340718/how-do-i-bring-heredoc-text-into-a-shell-script-variable
# Usage:
#   set_variable variablename<<'HEREDOC'
#   ...
#  HEREDOC
set_variable() {
    # shellcheck disable=SC2016
    eval "$1"'=$(cat)'
}

################################################################################
# Prints usage information
# Params
#   $1 error message (optional)
usage() {

    if [ -n "$1" ]; then
        echo "Error: $1" 1>&2
    fi

    echo
    echo "Usage: check_ssl_cert -H host [OPTIONS]"
    echo "       check_ssl_cert -f file [OPTIONS]"
    echo
    echo "Arguments:"
    echo "   -f,--file file                  local file path (works with -H localhost"
    echo "                                   only) with -f you can not only pass a x509"
    echo "                                   certificate file but also a certificate"
    echo "                                   revocation list (CRL) to check the"
    echo "                                   validity period"
    echo "   -H,--host host                  server"
    echo
    echo "Options:"
    # Delimiter at 78 chars ############################################################
    echo "   -A,--noauth                     ignore authority warnings (expiration"
    echo "                                   only)"
    echo "      --all                        enables all the possible optional checks"
    echo "                                   at the maximum level"
    echo "      --all-local                  enables all the possible optional checks"
    echo "                                   at the maximum level (without SSL-Labs)"
    echo "      --allow-empty-san            allow certificates without Subject"
    echo "                                   Alternative Names (SANs)"
    # Delimiter at 78 chars ############################################################
    echo "   -C,--clientcert path            use client certificate to authenticate"
    echo "   -c,--critical days              minimum number of days a certificate has"
    echo "                                   to be valid to issue a critical status."
    echo "                                   Can be a floating point number, e.g., 0.5"
    echo "                                   Default: ${CRITICAL_DAYS}"
    echo "      --check-ciphers grade        checks the offered ciphers"
    echo "      --check-ciphers-warnings     critical if nmap reports a warning for an"
    echo "                                   offered cipher"
    echo "      --check-ssl-labs-warn grade  SSL Labs grade on which to warn"
    echo "      --clientpass phrase          set passphrase for client certificate."
    echo "      --crl                        checks revocation via CRL (requires"
    echo "                                   --rootcert-file)"
    echo "      --curl-bin path              path of the curl binary to be used"
    echo "      --curl-user-agent string     user agent that curl shall use to obtain"
    echo "                                   the issuer cert"
    echo "      --custom-http-header string  custom HTTP header sent when getting the"
    echo "                                   cert example: 'X-Check-Ssl-Cert: Foobar=1'"
    # Delimiter at 78 chars ############################################################
    echo "   -d,--debug                      produces debugging output (can be"
    echo "                                   specified more than once)"
    echo "      --dane                       verify that valid DANE records exist"
    echo "                                   (since OpenSSL 1.1.0)"
    echo "      --dane 211                   verify that a valid DANE-TA(2) SPKI(1)"
    echo "                                   SHA2-256(1) TLSA record exists"
    echo "      --dane 301                   verify that a valid DANE-EE(3) Cert(0)"
    echo "                                   SHA2-256(1) TLSA record exists"
    echo "      --dane 302                   verify that a valid DANE-EE(3) Cert(0)"
    echo "                                   SHA2-512(2) TLSA record exists"
    echo "      --dane 311                   verify that a valid DANE-EE(3) SPKI(1)"
    echo "                                   SHA2-256(1) TLSA record exists"
    echo "      --dane 312                   verify that a valid DANE-EE(3)"
    echo "                                   SPKI(1) SHA2-512(1) TLSA record exists"
    echo "      --date path                  path of the date binary to be used"
    echo "      --debug-cert                 stores the retrieved certificates in the"
    echo "                                   current directory"
    echo "      --debug-file file            writes the debug messages to file"
    echo "      --debug-time                 writes timing information in the"
    echo "                                   debugging output"
    echo "      --dig-bin path               path of the dig binary to be used"
    # Delimiter at 78 chars ############################################################
    echo "   -e,--email address              pattern to match the email address"
    echo "                                   contained in the certificate"
    echo "      --ecdsa                      signature algorithm selection: force ECDSA"
    echo "                                   certificate"
    echo "      --element number             checks up to the N cert element from the"
    echo "                                   beginning of the chain"
    # Delimiter at 78 chars ############################################################
    echo "      --file-bin path              path of the file binary to be used"
    echo "      --fingerprint SHA1           pattern to match the SHA1-Fingerprint"
    echo "      --first-element-only         verify just the first cert element, not"
    echo "                                   the whole chain"
    echo "      --force-dconv-date           force the usage of dconv for date"
    echo "                                   computations"
    echo "      --force-perl-date            force the usage of Perl for date"
    echo "                                   computations"
    echo "      --format FORMAT              format output template on success, for"
    echo "                                   example: %SHORTNAME% OK %CN% from"
    echo "                                   %CA_ISSUER_MATCHED%"
    # Delimiter at 78 chars ############################################################
    echo "   -h,--help,-?                    this help message"
    echo "      --http-use-get               use GET instead of HEAD (default) for the"
    echo "                                   HTTP related checks"
    # Delimiter at 78 chars ############################################################
    echo "   -i,--issuer issuer              pattern to match the issuer of the"
    echo "                                   certificate"
    echo "      --ignore-altnames            ignores alternative names when matching"
    echo "                                   pattern specified in -n (or the host name)"
    echo "      --ignore-connection-problems [state] in case of connection problems"
    echo "                                   returns OK or the optional state"
    echo "      --ignore-exp                 ignore expiration date"
    echo "      --ignore-host-cn             do not complain if the CN does not match"
    echo "                                   the host name"
    echo "      --ignore-incomplete-chain    does not check chain integrity"
    echo "      --ignore-ocsp                do not check revocation with OCSP"
    echo "      --ignore-ocsp-errors         continue if the OCSP status cannot be"
    echo "                                   checked"
    echo "      --ignore-ocsp-timeout        ignore OCSP result when timeout occurs"
    echo "                                   while checking"
    echo "      --ignore-sct                 do not check for signed certificate"
    echo "                                   timestamps (SCT)"
    echo "      --ignore-sig-alg             do not check if the certificate was signed"
    echo "                                   with SHA1 or MD5"
    echo "      --ignore-ssl-labs-cache      Forces a new check by SSL Labs (see -L)"
    echo "      --ignore-tls-renegotiation   Ignores the TLS renegotiation check"
    echo "      --inetproto protocol         Force IP version 4 or 6"
    echo "      --info                       Prints certificate information"
    echo "      --issuer-cert-cache dir      directory where to store issuer"
    echo "                                   certificates cache"
    # Delimiter at 78 chars ############################################################
    echo "   -K,--clientkey path             use client certificate key to authenticate"
    # Delimiter at 78 chars ############################################################
    echo "   -L,--check-ssl-labs grade       SSL Labs assessment (please check "
    echo "                                   https://www.ssllabs.com/about/terms.html)"
    echo "      --long-output list           append the specified comma separated (no"
    echo "                                   spaces) list of attributes to the plugin"
    echo "                                   output on additional lines"
    echo "                                   Valid attributes are:"
    echo "                                     enddate, startdate, subject, issuer,"
    echo "                                     modulus, serial, hash, email, ocsp_uri"
    echo "                                     and fingerprint."
    echo "                                   'all' will include all the available"
    echo "                                   attributes."
    # Delimiter at 78 chars ############################################################
    echo "   -n,--cn name                    pattern to match the CN of the certificate"
    echo "                                   (can be specified multiple times)"
    echo "      --nmap-bin path              path of the nmap binary to be used"
    echo "      --no-perf                    do not show performance data"
    echo "      --no-proxy                   ignores the http_proxy and https_proxy"
    echo "                                   environment variables"
    echo "      --no-proxy-curl              ignores the http_proxy and https_proxy"
    echo "                                   environment variables for curl"
    echo "      --no-proxy-s_client          ignores the http_proxy and https_proxy"
    echo "                                   environment variables for openssl s_client"
    echo "      --no-ssl2                    disable SSL version 2"
    echo "      --no-ssl3                    disable SSL version 3"
    echo "      --no-tls1                    disable TLS version 1"
    echo "      --no-tls1_1                  disable TLS version 1.1"
    echo "      --no-tls1_2                  disable TLS version 1.2"
    echo "      --no-tls1_3                  disable TLS version 1.3"
    echo "      --not-issued-by issuer       check that the issuer of the certificate"
    echo "                                   does not match the given pattern"
    echo "      --not-valid-longer-than days critical if the certificate validity is"
    echo "                                   longer than the specified period"
    # Delimiter at 78 chars ############################################################
    echo "   -o,--org org                    pattern to match the organization of the"
    echo "                                   certificate"
    echo "      --ocsp-critical hours        minimum number of hours an OCSP response"
    echo "                                   has to be valid to issue a critical status"
    echo "      --ocsp-warning hours         minimum number of hours an OCSP response"
    echo "                                   has to be valid to issue a warning status"
    echo "      --openssl path               path of the openssl binary to be used"
    # Delimiter at 78 chars ############################################################
    echo "   -p,--port port                  TCP port"
    echo "   -P,--protocol protocol          use the specific protocol:"
    echo "                                   ftp, ftps, http, https (default),"
    echo "                                   h2 (HTTP/2), imap, imaps, irc, ircs, ldap,"
    echo "                                   ldaps, mysql, pop3, pop3s, postgres,"
    echo "                                   sieve, smtp, smtps, xmpp, xmpp-server."
    echo "                                   ftp, imap, irc, ldap, pop3, postgres,"
    echo "                                   sieve, smtp: switch to TLS using StartTLS"
    echo "      --password source            password source for a local certificate,"
    echo "                                   see the PASS PHRASE ARGUMENTS section"
    echo "                                   openssl(1)"
    echo "      --prometheus                 generates Prometheus/OpenMetrics output"
    echo "      --proxy                      sets http_proxy and the s_client -proxy"
    # Delimiter at 78 chars ############################################################
    echo "   -r,--rootcert path              root certificate or directory to be used"
    echo "                                   for certificate validation"
    echo "      --require-client-cert [list] the server must accept a client"
    echo "                                   certificate. 'list' is an optional comma"
    echo "                                   separated list of expected client"
    echo "                                   certificate CAs"
    echo "      --require-no-ssl2            critical if SSL version 2 is offered"
    echo "      --require-no-ssl3            critical if SSL version 3 is offered"
    echo "      --require-no-tls1            critical if TLS 1 is offered"
    echo "      --require-no-tls1_1          critical if TLS 1.1 is offered"
    echo "      --require-ocsp-stapling      require OCSP stapling"
    echo "      --resolve ip                 provides a custom IP address for the"
    echo "                                   specified host"
    echo "      --rootcert-dir path          root directory to be used for certificate"
    echo "                                   validation"
    echo "      --rootcert-file path         root certificate to be used for"
    echo "                                   certificate validation"
    echo "      --rsa                        signature algorithm selection: force RSA"
    echo "                                   certificate"
    # Delimiter at 78 chars ############################################################
    echo "   -s,--selfsigned                 allows self-signed certificates"
    echo "      --serial serialnum           pattern to match the serial number"
    echo "      --skip-element number        skips checks on the Nth cert element (can"
    echo "                                   be specified multiple times)"
    echo "      --sni name                   sets the TLS SNI (Server Name Indication)"
    echo "                                   extension in the ClientHello message to"
    echo "                                   'name'"
    echo "      --ssl2                       force SSL version 2"
    echo "      --ssl3                       force SSL version 3"
    # Delimiter at 78 chars ############################################################
    echo "   -t,--timeout                    seconds timeout after the specified time"
    echo "                                   (defaults to ${TIMEOUT} seconds)"
    echo "      --temp dir                   directory where to store the temporary"
    echo "                                   files"
    echo "      --terse                      terse output"
    echo "      --tls1                       force TLS version 1"
    echo "      --tls1_1                     force TLS version 1.1"
    echo "      --tls1_2                     force TLS version 1.2"
    echo "      --tls1_3                     force TLS version 1.3"
    # Delimiter at 78 chars ############################################################
    echo "   -u,--url URL                    HTTP request URL"
    # Delimiter at 78 chars ############################################################
    echo "   -v,--verbose                    verbose output (can be specified more than"
    echo "                                   once)"
    echo "   -V,--version                    version"
    # Delimiter at 78 chars ############################################################
    echo "   -w,--warning days               minimum number of days a certificate has"
    echo "                                   to be valid to issue a warning status."
    echo "                                   Can be a floating point number, e.g., 0.5"
    echo "                                   Default: ${WARNING_DAYS}"
    # Delimiter at 78 chars ############################################################
    echo "      --xmpphost name              specifies the host for the 'to' attribute"
    echo "                                   of the stream element"
    # Delimiter at 78 chars ############################################################
    echo "   -4                              force IPv4"
    echo "   -6                              force IPv6"
    echo
    echo "Deprecated options:"
    echo "      --altnames                   matches the pattern specified in -n with"
    echo "                                   alternate names too (enabled by default)"
    echo "      --days days                  minimum number of days a certificate has"
    echo "                                   to be valid"
    echo "                                   (see --critical and --warning)"
    echo "   -N,--host-cn                    match CN with the host name"
    echo "                                   (enabled by default)"
    echo "      --no_ssl2                    disable SSLv2 (deprecated use --no-ssl2)"
    echo "      --no_ssl3                    disable SSLv3 (deprecated use --no-ssl3)"
    echo "      --no_tls1                    disable TLSv1 (deprecated use --no-tls1)"
    echo "      --no_tls1_1                  disable TLSv1.1 (deprecated use"
    echo "                                   --no-tls1_1)"
    echo "      --no_tls1_2                  disable TLSv1.1 (deprecated use"
    echo "                                   --no-tls1_2)"
    echo "      --no_tls1_3                  disable TLSv1.1 (deprecated use"
    echo "                                   --no-tls1_3)"
    echo "      --ocsp                       check revocation via OCSP (enabled by"
    echo "                                   default)"
    echo "      --require-san                require the presence of a Subject"
    echo "                                   Alternative Name"
    echo "                                   extension"
    echo "   -S,--ssl version                force SSL version (2,3)"
    echo "                                   (see: --ssl2 or --ssl3)"
    echo
    echo "Report bugs to https://github.com/matteocorti/check_ssl_cert/issues"
    echo

    exit "${STATUS_UNKNOWN}"

}

################################################################################
# Prints the given message to STDERR with the prefix '[DBG] ' if the debug
# command line option was specified
# $1: string
# $2: level (optional default 1)
debuglog() {

    MESSAGE=$1
    LEVEL=$2

    if [ -n "${DEBUG_TIME}" ]; then
        NOW=$(date +%s)
        ELAPSED=$((NOW - DEBUG_TIME))
        ELAPSED=$(printf "%04d" "${ELAPSED}")
    fi

    if [ -z "${LEVEL}" ]; then
        #default
        LEVEL=1
    fi

    if [ "${LEVEL}" -le "${DEBUG}" ]; then
        if [ -n "${ELAPSED}" ]; then
            echo "${1}" | sed "s/^/[DBG ${ELAPSED}s] /" >&2
        else
            echo "${1}" | sed "s/^/[DBG] /" >&2
        fi
    fi

    # debuglog is also called during the --debug-file sanity checks: we have
    # to check if the file exists
    if [ -n "${DEBUG_FILE}" ] && [ -e "${DEBUG_FILE}" ] && ! [ -d "${DEBUG_FILE}" ] && [ -w "${DEBUG_FILE}" ]; then
        if [ -n "${ELAPSED}" ]; then
            echo "+${ELAPSED}s ${1}" >>"${DEBUG_FILE}"
        else
            echo "${1}" >>"${DEBUG_FILE}"
        fi
    fi

}

##############################################################################
# Prints nicely certificate information
info() {

    LABEL=$1
    VALUE=$2

    if [ -n "${INFO}" ] && [ -n "${VALUE}" ]; then
        printf "%s\\t%s\\n" "${LABEL}" "${VALUE}" | expand -t 32
    fi

}

################################################################################
# Checks if the given file can be created and written
# $1: file name
open_for_appending() {

    FILE_TO_OPEN=$1

    if [ -d "${FILE_TO_OPEN}" ]; then

        unknown "${FILE_TO_OPEN} is a directory"

    elif [ -e "${FILE_TO_OPEN}" ]; then

        # file already exists
        if [ ! -w "${FILE_TO_OPEN}" ]; then
            unknown "Cannot write to ${FILE_TO_OPEN}"
        fi

    else

        FILE_TO_OPEN_DIRECTORY=$(dirname "${FILE_TO_OPEN}")
        if [ ! -w "${FILE_TO_OPEN_DIRECTORY}" ]; then
            unknown "Cannot write to ${FILE_TO_OPEN}"
        fi

        # clear / create the file
        true >"${FILE_TO_OPEN}"

    fi

}

################################################################################
# Checks if the given file can be created and written
# $1: file name
open_for_writing() {

    FILE_TO_OPEN=$1

    if [ -d "${FILE_TO_OPEN}" ]; then

        unknown "${FILE_TO_OPEN} is a directory"

    elif [ -e "${FILE_TO_OPEN}" ]; then

        # file already exists
        if [ ! -w "${FILE_TO_OPEN}" ]; then
            unknown "Cannot write to ${FILE_TO_OPEN}"
        fi

    else

        FILE_TO_OPEN_DIRECTORY=$(dirname "${FILE_TO_OPEN}")
        if [ ! -w "${FILE_TO_OPEN_DIRECTORY}" ]; then
            unknown "Cannot write to ${FILE_TO_OPEN}"
        fi

    fi

    # clear / create the file
    true >"${FILE_TO_OPEN}"

}

################################################################################
# Prints the given message to STDOUT if the verbose command line option was
# specified
# $1: string
# $2: level (optional default 1)
verboselog() {

    MESSAGE=$1
    LEVEL=$2

    if [ -z "${LEVEL}" ]; then
        #default
        LEVEL=1
    fi

    if [ "${LEVEL}" -le "${VERBOSE}" ]; then
        echo "${MESSAGE}" >&2
    fi

}

################################################################################
# trap passing the signal name
# see https://stackoverflow.com/questions/2175647/is-it-possible-to-detect-which-trap-signal-in-bash/2175751#2175751
trap_with_arg() {
    func="$1"
    shift
    for sig; do
        # shellcheck disable=SC2064
        trap "${func} ${sig}" "${sig}"
    done
}

################################################################################
# Cleanup temporary files
remove_temporary_files() {
    debuglog "cleaning up temporary files"
    # shellcheck disable=SC2086
    if [ -n "${TEMPORARY_FILES}" ]; then
        TEMPORARY_FILES_TMP="$(echo "${TEMPORARY_FILES}" | tr '\ ' '\n')"
        debuglog "${TEMPORARY_FILES_TMP}"
        rm -f ${TEMPORARY_FILES}
    fi
}

################################################################################
# Cleanup when exiting
cleanup() {
    SIGNAL=$1
    debuglog "signal caught ${SIGNAL}"
    remove_temporary_files
    # shellcheck disable=SC2086
    trap - ${SIGNALS}
    exit
}

create_temporary_file() {

    # create a temporary file
    #   mktemp is not always available (e.g., on AIX)
    #   we could use https://stackoverflow.com/questions/10224921/how-to-create-a-temporary-file-with-portable-shell-in-a-secure-way
    #   but on some systems od -N4 -tu /dev/random takes seconds (?) to execute

    if [ -n "${MKTEMP}" ]; then
        TEMPFILE="$(mktemp "${TMPDIR}/XXXXXX" 2>/dev/null)"
    else
        TEMPFILE=${TMPDIR}/XXX-$(od -N4 -tu /dev/random | head -n 1 | sed 's/\ *$//' | sed 's/.*\ //')
        touch "${TEMPFILE}"
    fi

    if [ -z "${TEMPFILE}" ] || [ ! -w "${TEMPFILE}" ]; then
        unknown 'temporary file creation failure.'
    fi

    debuglog "temporary file ${TEMPFILE} created"

    # add the file to the list of temporary files
    TEMPORARY_FILES="${TEMPORARY_FILES} ${TEMPFILE}"

}

################################################################################
# Compute the number of hours until a given date
# Params
#   $1 date
# return HOURS_UNTIL
hours_until() {

    DATE=$1

    debuglog "Date computations: ${DATETYPE}"

    # we check if we are on a 32 bit system and if the date is beyond the max date
    # we simplify and consider a date invalid after 1.1.2038 instead of 19.1.2038
    # since date is not able to parse the date we do it manually with a little bit of heuristics ...
    LONG_BIT_TMP="$(getconf LONG_BIT)"
    if [ "${LONG_BIT_TMP}" -eq 32 ]; then
        debuglog "32 bit system"
        CERT_YEAR=$(echo "${DATE}" | sed 's/.*\ \(2[0-9][0-9][0-9]\).*/\1/')
        debuglog "Checking if the year ${CERT_YEAR} is beyond the max date for the system 2038-01-19"
        if [ "${CERT_YEAR}" -gt 2038 ]; then
            verboselog "${DATE} is beyond the maximum date on a 32 bit system: we consider 2038-01-19"
            DATE='Jan 19 00:00:00 2038 GMT'
        fi
    fi

    debuglog "Computing number of hours until '${DATE}'"

    case "${DATETYPE}" in
    "BSD")

        # new BSD date
        HOURS_UNTIL=$((($(${DATEBIN} -jf "%b %d %T %Y %Z" "${DATE}" +%s) - $(${DATEBIN} +%s)) / 3600))

        ;;

    "DCONV")

        debuglog "Computing date with dconv"

        # detect the date -j required format
        if date --help 2>&1 | grep -q '\[\[\[mm\]dd]HH\]MM\[\[cc\]yy\]\[\.ss\]\]'; then

            # e.g., macOS

            debuglog "date -j format [[[mm]dd]HH]MM[[cc]yy][.ss]]"
            debuglog "executing: echo '${DATE}' | sed 's/  / /g' | ${DCONV_BIN} -f \"%m%d%H%M%Y.%S\" -i \"%b %d %H:%M:%S %Y %Z\""

            CONVERTED_DATE=$(echo "${DATE}" | sed 's/  / /g' | ${DCONV_BIN} -f "%m%d%H%M%Y.%S" -i "%b %d %H:%M:%S %Y %Z")
            debuglog "date converted with dconv: ${CONVERTED_DATE}"

            HOURS_UNTIL=$((($(${DATEBIN} -j "${CONVERTED_DATE}" +%s) - $(${DATEBIN} +%s)) / 3600))

            debuglog "hours computed with ${DCONV_BIN}: ${HOURS_UNTIL}"

        elif date --help 2>&1 | grep -q '\[\[\[\[\[\[cc\]yy\]mm\]dd\]HH\]MM\[\.SS\]\]'; then

            # e.g., old BSD

            debuglog "date -j format [[[[[[cc]yy]mm]dd]HH]MM[.SS]]"

            CONVERTED_DATE=$(echo "${DATE}" | sed 's/  / /g' | ${DCONV_BIN} -f "%Y%m%d%H%M.%S" -i "%b %d %H:%M:%S %Y %Z")
            debuglog "date converted with ${DCONV_BIN}: ${CONVERTED_DATE}"

            HOURS_UNTIL=$((($(${DATEBIN} -j +%s "${CONVERTED_DATE}") - $(${DATEBIN} +%s)) / 3600))

        else
            unknown "Unknown date(1) input format"
        fi

        ;;

    "BUSYBOX")
        BUSYBOX_DATE=$(echo "${DATE}" | sed 's/[ ][^ ]*$//')
        debuglog "Computing number of hours until '${BUSYBOX_DATE}' (BusyBox compatible format)"
        verboselog "Warning: BusyBox date does not support time zones. Using ${BUSYBOX_DATE} in the current zone instead of ${DATE}"
        HOURS_UNTIL=$((($(${DATEBIN} -d "${BUSYBOX_DATE}" +%s) - $(${DATEBIN} +%s)) / 3600))
        ;;
    "GNU")
        HOURS_UNTIL=$((($(${DATEBIN} -d "${DATE}" +%s) - $(${DATEBIN} +%s)) / 3600))
        ;;
    "PERL")
        # Warning: some shell script formatting tools will indent the EOF! (should be at position 0)
        if ! HOURS_UNTIL=$(
            perl - "${DATE}" <<-"EOF"
				                    use strict;
				                    use warnings;
				                    use Date::Parse;
				                    my $cert_date = str2time( $ARGV[0] );
				                    my $hours = int (( $cert_date - time ) / 3600 + 0.5);
				                    print "$hours\n";
			EOF
        ); then
            # something went wrong with the embedded Perl code: check the indentation of EOF
            unknown "Error computing the certificate validity with Perl"
        fi
        ;;
    *)
        unknown "Internal error: unknown date type"
        ;;
    esac

    debuglog "Hours until ${DATE}: ${HOURS_UNTIL}"

    echo "${HOURS_UNTIL}"

}

################################################################################
# Convert a number of days into according number of seconds
# Params
#   $1 NUMBER_OF_DAYS
# return NUMBER_OF_SECONDS
days_to_seconds() {

    NUMBER_OF_DAYS=$1

    if echo "${NUMBER_OF_DAYS}" | grep -q '^[0-9][0-9]*$'; then
        debuglog "Converting ${NUMBER_OF_DAYS} days into seconds by shell function"
        NUMBER_OF_SECONDS=$((NUMBER_OF_DAYS * 86400))
    else
        if command -v perl >/dev/null; then
            debuglog "Converting ${NUMBER_OF_DAYS} days into seconds with perl"
            NUMBER_OF_SECONDS=$(perl -E "say ${NUMBER_OF_DAYS}*86400")
        else
            debuglog "Converting ${NUMBER_OF_DAYS} days into seconds with awk"
            NUMBER_OF_SECONDS=$(awk "BEGIN {print ${NUMBER_OF_DAYS} * 86400}")
        fi
    fi

    debuglog "Converted ${NUMBER_OF_DAYS} days into seconds: ${NUMBER_OF_SECONDS}"

    echo "${NUMBER_OF_SECONDS}"

}

################################################################################
# checks if OpenSSL version is at least the given parameter
# Params
#   $1 minimum version
openssl_version() {

    # See https://wiki.openssl.org/index.php/Versioning

    # Required version
    MIN_VERSION=$1

    debuglog "openssl_version ${MIN_VERSION}"

    IFS='.' read -r MIN_MAJOR1 MIN_MAJOR2 MIN_MINOR <<EOF
${MIN_VERSION}
EOF

    if echo "${MIN_MINOR}" | grep -q '[[:alpha:]]'; then
        MIN_FIX=$(echo "${MIN_MINOR}" | sed 's/[[:digit:]][[:digit:]]*//')
        MIN_MINOR=$(echo "${MIN_MINOR}" | sed 's/[[:alpha:]][[:alpha:]]*//')
    fi

    if [ -n "${MIN_FIX}" ]; then MIN_FIX_NUM=$(printf '%d' "'${MIN_FIX}"); else MIN_FIX_NUM=0; fi
    debuglog "Checking if OpenSSL version is at least ${MIN_VERSION} ( '${MIN_MAJOR1}' '${MIN_MAJOR2}' '${MIN_MINOR}' '${MIN_FIX}:${MIN_FIX_NUM}' )"

    # current version

    # the OPENSSL_VERSION can be set externally to be able to test
    if [ -z "${OPENSSL_VERSION}" ]; then
        OPENSSL_VERSION=$(${OPENSSL} version)
    fi
    debuglog "openssl version: ${OPENSSL_VERSION}"
    OPENSSL_VERSION=$(echo "${OPENSSL_VERSION}" | sed -E 's/^(Libre|Open)SSL\ ([^ \-]*).*/\2/')

    IFS='.' read -r MAJOR1 MAJOR2 MINOR <<EOF
${OPENSSL_VERSION}
EOF

    if echo "${MINOR}" | grep -q '[[:alpha:]]'; then
        FIX=$(echo "${MINOR}" | sed 's/[[:digit:]][[:digit:]]*//')
        MINOR=$(echo "${MINOR}" | sed 's/[[:alpha:]][[:alpha:]]*//')
    fi

    if [ -n "${FIX}" ]; then FIX_NUM=$(printf '%d' "'${FIX}"); else FIX_NUM=0; fi
    debuglog "Current version ${OPENSSL_VERSION} ( '${MAJOR1}' '${MAJOR2}' '${MINOR}' '${FIX}:${FIX_NUM}' )"

    # return 0 for true and 1 for false
    # check MAJOR1
    if [ "${MAJOR1}" -gt "${MIN_MAJOR1}" ]; then
        RET=0
    elif [ "${MAJOR1}" -lt "${MIN_MAJOR1}" ]; then
        RET=1
    else
        # check MAJOR2
        if [ "${MAJOR2}" -gt "${MIN_MAJOR2}" ]; then
            RET=0
        elif [ "${MAJOR2}" -lt "${MIN_MAJOR2}" ]; then
            RET=1
        else
            # check MINOR
            if [ "${MINOR}" -gt "${MIN_MINOR}" ]; then
                RET=0
            elif [ "${MINOR}" -lt "${MIN_MINOR}" ]; then
                RET=1
            else
                # check FIX
                [ "${FIX_NUM}" -ge "${MIN_FIX_NUM}" ]
                RET=$?
            fi
        fi
    fi

    if [ "${DEBUG}" -ge 1 ]; then
        if [ "${RET}" -eq 0 ]; then
            debuglog '  true'
        else
            debuglog '  false'
        fi
    fi

    return "${RET}"

}

################################################################################
# prepends critical messages to list of all messages
# Params
#   $1 error message
#   $2 replace current critical message
prepend_critical_message() {

    verboselog "CRITICAL error: $1"

    debuglog "CRITICAL >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
    debuglog "prepend_critical_message: new message    = $1"
    debuglog "prepend_critical_message: CRITICAL_MSG   = ${CRITICAL_MSG}"
    debuglog "prepend_critical_message: ALL_MSG 1      = ${ALL_MSG}"

    if [ -n "${CN}" ]; then
        if echo "${CN}" | grep -q -F 'unavailable'; then
            tmp=" ${SUBJECT_ALTERNATIVE_NAME}"
        else
            tmp=" ${CN}"
        fi
    else
        if [ -n "${HOST_NAME}" ]; then
            if [ -n "${SNI}" ]; then
                tmp=" ${SNI}"
            elif [ -n "${FILE}" ]; then
                tmp=" ${FILE}"
            else
                tmp=" ${HOST_NAME}"
            fi
        fi
    fi

    MSG="${SHORTNAME} CRITICAL${tmp}: ${1}${LONG_OUTPUT}"

    if [ "${CRITICAL_MSG}" = "" ] || [ -n "${2-}" ]; then
        CRITICAL_MSG="${MSG}"
    fi

    ALL_MSG="\\n    ${MSG}${ALL_MSG}"

    debuglog "prepend_critical_message: MSG 2          = ${MSG}"
    debuglog "prepend_critical_message: CRITICAL_MSG 2 = ${CRITICAL_MSG}"
    debuglog "prepend_critical_message: ALL_MSG 2      = ${ALL_MSG}"
    debuglog "CRITICAL <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"

}

################################################################################
# Adds a line to the prometheus status output
# Params
#   $1 line to be added
add_prometheus_status_output_line() {

    PROMETHEUS_LINE=$1

    debuglog "Adding line to prometheus status output: ${PROMETHEUS_LINE}"

    if [ -n "${PROMETHEUS}" ]; then

        if [ -n "${PROMETHEUS_OUTPUT_STATUS}" ]; then
            PROMETHEUS_OUTPUT_STATUS="${PROMETHEUS_OUTPUT_STATUS}\\n${PROMETHEUS_LINE}"
        else
            PROMETHEUS_OUTPUT_STATUS="${PROMETHEUS_LINE}"
        fi

    fi

}

################################################################################
# Dada a line to the prometheus validity output
# Params
#   $1 line to be added
add_prometheus_valid_output_line() {

    PROMETHEUS_LINE=$1

    debuglog "Adding line to prometheus validity output: ${PROMETHEUS_LINE}"

    if [ -n "${PROMETHEUS}" ]; then

        if [ -n "${PROMETHEUS_OUTPUT_VALID}" ]; then
            PROMETHEUS_OUTPUT_VALID="${PROMETHEUS_OUTPUT_VALID}\\n${PROMETHEUS_LINE}"
        else
            PROMETHEUS_OUTPUT_VALID="${PROMETHEUS_LINE}"
        fi

    fi

}

################################################################################
# Dada a line to the prometheus days output
# Params
#   $1 line to be added
add_prometheus_days_output_line() {

    PROMETHEUS_LINE=$1

    debuglog "Adding line to prometheus days output: ${PROMETHEUS_LINE}"

    if [ -n "${PROMETHEUS}" ]; then

        if [ -n "${PROMETHEUS_OUTPUT_DAYS}" ]; then
            PROMETHEUS_OUTPUT_DAYS="${PROMETHEUS_OUTPUT_DAYS}\\n${PROMETHEUS_LINE}"
        else
            PROMETHEUS_OUTPUT_DAYS="${PROMETHEUS_LINE}"
        fi

    fi
}

################################################################################
# Prometheus output
prometheus_output() {

    if [ -n "${PROMETHEUS_OUTPUT_STATUS}" ]; then
        echo "# HELP cert_valid   If cert is ok (0), warning (1) or critical (2)"
        echo "# TYPE cert_valid gauge"
        echo "${PROMETHEUS_OUTPUT_STATUS}"
        NL=1
    fi

    if [ -n "${PROMETHEUS_OUTPUT_VALID}" ]; then
        if [ -n "${NL}" ]; then
            echo
        fi
        echo "# HELP cert_valid_chain_elem  If chain element is ok (0), warning (1) or critical (2)"
        echo "# TYPE cert_valid_chain_elem gauge"
        echo "${PROMETHEUS_OUTPUT_VALID}"
        NL=1
    fi

    if [ -n "${PROMETHEUS_OUTPUT_DAYS}" ]; then
        if [ -n "${NL}" ]; then
            echo
        fi
        echo "# HELP cert_days_chain_elem Days until chain element expires"
        echo "# TYPE cert_days_chain_elem gauge"
        echo "${PROMETHEUS_OUTPUT_DAYS}"
    fi
}

################################################################################
# Exits with a critical message
# Params
#   $1 error message
critical() {

    remove_temporary_files

    debuglog 'exiting with CRITICAL'
    debuglog "ALL_MSG = ${ALL_MSG}"

    NUMBER_OF_ERRORS=$(printf '%b' "${ALL_MSG}" | wc -l)

    debuglog "number of errors = ${NUMBER_OF_ERRORS}"

    if [ -n "${NO_PERF}" ]; then
        PERFORMANCE_DATA=
    fi

    if [ -z "${PROMETHEUS}" ]; then

        if [ "${NUMBER_OF_ERRORS}" -ge 2 ] && [ "${VERBOSE}" -gt 0 ]; then
            printf '%s%s\nError(s):%b\n' "$1" "${PERFORMANCE_DATA}" "${ALL_MSG}"
        else
            printf '%s%s \n' "$1" "${PERFORMANCE_DATA}"
        fi

    else

        if [ -n "${CN}" ]; then
            add_prometheus_status_output_line "cert_valid{cn=\"${CN}\"} 2"
        else
            add_prometheus_status_output_line "cert_valid 2"
        fi

        prometheus_output

    fi

    exit "${STATUS_CRITICAL}"
}

################################################################################
# append all warning messages to list of all messages
# Params
#   $1 warning message
#   $2 replace current warning message
append_warning_message() {

    verboselog "Warning: $1"

    debuglog "WARNING >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
    debuglog "append_warning_message: HOST_NAME    = ${HOST_NAME}"
    debuglog "append_warning_message: HOST_ADDR    = ${HOST_ADDR}"
    debuglog "append_warning_message: CN           = ${CN}"
    debuglog "append_warning_message: SNI          = ${SNI}"
    debuglog "append_warning_message: FILE         = ${FILE}"
    debuglog "append_warning_message: SHORTNAME    = ${SHORTNAME}"
    debuglog "prepend_warning_message: MSG         = ${MSG}"
    debuglog "prepend_warning_message: WARNING_MSG = ${WARNING_MSG}"
    debuglog "prepend_warning_message: ALL_MSG 1   = ${ALL_MSG}"

    if [ -n "${CN}" ]; then
        if echo "${CN}" | grep -q -F 'unavailable'; then
            tmp=" ${SUBJECT_ALTERNATIVE_NAME}"
        else
            tmp=" ${CN}"
        fi
    else
        if [ -n "${HOST_NAME}" ]; then
            if [ -n "${SNI}" ]; then
                tmp=" ${SNI}"
            elif [ -n "${FILE}" ]; then
                tmp=" ${FILE}"
            else
                tmp=" ${HOST_NAME}"
            fi
        fi
    fi

    MSG="${SHORTNAME} WARN${tmp}: ${1}${LONG_OUTPUT}"

    if [ "${WARNING_MSG}" = "" ] || [ -n "${2-}" ]; then
        WARNING_MSG="${MSG}"
    fi

    ALL_MSG="${ALL_MSG}\\n    ${MSG}"

    debuglog "prepend_warning_message: MSG 2          = ${MSG}"
    debuglog "prepend_warning_message: WARNING_MSG 2 = ${WARNING_MSG}"
    debuglog "prepend_warning_message: ALL_MSG 2      = ${ALL_MSG}"
    debuglog "WARNING <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"

}

################################################################################
# Exits with a warning message
# Params
#   $1 warning message
warning() {

    remove_temporary_files

    NUMBER_OF_ERRORS=$(printf '%b' "${ALL_MSG}" | wc -l)

    if [ -n "${NO_PERF}" ]; then
        PERFORMANCE_DATA=
    fi

    if [ -z "${PROMETHEUS}" ]; then

        if [ "${NUMBER_OF_ERRORS}" -ge 2 ] && [ "${VERBOSE}" -gt 0 ]; then
            printf '%s%s\nError(s):%b\n' "$1" "${PERFORMANCE_DATA}" "${ALL_MSG}"
        else
            printf '%s %s\n' "$1" "${PERFORMANCE_DATA}"
        fi

    else

        if [ -n "${CN}" ]; then
            add_prometheus_status_output_line "cert_valid{cn=\"${CN}\"} 1"
        else
            add_prometheus_status_output_line "cert_valid 1"
        fi

        prometheus_output

    fi

    exit "${STATUS_WARNING}"
}

################################################################################
# Exits with an 'unknown' status
# Params
#   $1 message
unknown() {
    if [ -n "${HOST_NAME}" ]; then
        if [ -n "${SNI}" ]; then
            tmp=" ${SNI}"
        elif [ -n "${FILE}" ]; then
            tmp=" ${FILE}"
        else
            tmp=" ${HOST_NAME}"
        fi
    fi
    remove_temporary_files
    printf '%s UNKNOWN%s: %s\n' "${SHORTNAME}" "${tmp}" "$1"
    exit "${STATUS_UNKNOWN}"
}

################################################################################
# Exits with unknown if s_client does not support the given option
#
# Usage:
#   require_s_client_option '-no_ssl2'
#
require_s_client_option() {
    debuglog "Checking if s_client supports the $1 option"
    if ! "${OPENSSL}" s_client -help 2>&1 | grep -q -- "$1"; then
        unknown "s_client does not support the $1 option"
    fi
}

################################################################################
# Extract specific attributes from a certificate
# $1 attribute name
# $2 cert file or cert content
extract_cert_attribute() {

    debuglog "extracting cert attribute ${1}"

    if [ -f "${2}" ]; then
        cert_content="$(cat "${2}")"
    else
        cert_content="${2}"
    fi

    # shellcheck disable=SC2086,SC2016
    case $1 in
    cn)
        if echo "${cert_content}" | "${OPENSSL}" x509 -noout ${OPENSSL_PARAMS} -subject 2>/dev/null | grep -F -q 'CN' >/dev/null; then
            echo "${cert_content}" | "${OPENSSL}" x509 -noout ${OPENSSL_PARAMS} -subject |
                sed -e "s/^.*[[:space:]]*CN[[:space:]]=[[:space:]]//" -e 's/\/[[:alpha:]][[:alpha:]]*=.*$//' -e "s/,.*//"
        else
            echo 'CN unavailable'
            return 1
        fi
        ;;
    subject)
        echo "${cert_content}" | "${OPENSSL}" x509 -noout ${OPENSSL_PARAMS} -subject
        ;;
    serial)
        echo "${cert_content}" | "${OPENSSL}" x509 -noout -serial | sed -e "s/^serial=//"
        ;;
    fingerprint)
        echo "${cert_content}" | "${OPENSSL}" x509 -noout -fingerprint -sha1 | sed -e "s/^SHA1 Fingerprint=//"
        ;;
    oscp_uri)
        echo "${cert_content}" | "${OPENSSL}" "${OPENSSL_COMMAND}" -noout ${OPENSSL_PARAMS} -ocsp_uri
        ;;
    oscp_uri_single)
        extract_cert_attribute 'oscp_uri' "${cert_content}" | head -n 1
        ;;
    hash)
        echo "${cert_content}" | "${OPENSSL}" x509 -noout -hash
        ;;
    modulus)
        echo "${cert_content}" | "${OPENSSL}" x509 -noout -modulus
        ;;
    issuer)
        # see https://unix.stackexchange.com/questions/676776/parse-comma-separated-string-ignoring-commas-between-quotes
        echo "${cert_content}" | "${OPENSSL}" "${OPENSSL_COMMAND}" -noout -nameopt sep_multiline,utf8,esc_ctrl -issuer |
            tail -n +2 |
            sed 's/^\ *//'
        ;;
    issuer_uri)
        echo "${cert_content}" | "${OPENSSL}" "${OPENSSL_COMMAND}" -noout ${OPENSSL_PARAMS} -text | grep -F "CA Issuers" | grep -F -i "http" | sed -e "s/^.*CA Issuers - URI://" | tr -d '"!|;${}<>`&'
        ;;
    issuer_uri_single)
        extract_cert_attribute 'issuer_uri' "${cert_content}" | head -n 1
        ;;
    issuer_hash)
        echo "${cert_content}" | "${OPENSSL}" x509 -noout -issuer_hash
        ;;
    org)
        cert_subject=$(echo "${cert_content}" | "${OPENSSL}" x509 -noout -subject)

        # on older systems the fields where separated by /, e.g.,
        #   subject= /C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
        # on newer systems the fields are separated by , and are sometimes quoted (if they contain a comma), e.g.,
        #   subject=C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = github.com
        #   subject=C = ES, ST = Madrid, L = Madrid, jurisdictionC = ES, O = Ibermutua Mutua Colaboradora con la Seguridad Social N\C3\BAmero 274, businessCategory = Private Organization, serialNumber = 1998-02-18, CN = www.ibermutua.es

        if echo "${cert_subject}" | grep -q '^subject=\ \/'; then
            # old format
            echo "${cert_subject}" | sed -e 's/.*\/O=//' -e 's/\/.*//'
        else
            # new format
            if echo "${cert_subject}" | grep -q 'O\ =\ "'; then
                # quotes
                echo "${cert_subject}" | sed -e 's/.*O\ =\ "//' -e 's/".*//'
            else
                # no quotes
                echo "${cert_subject}" | sed -e 's/.*O\ =\ //' -e 's/\,\ .*//'
            fi
        fi
        ;;
    email)
        echo "${cert_content}" | "${OPENSSL}" x509 -noout -email
        ;;
    crl_uri)
        echo "${cert_content}" | "${OPENSSL}" x509 -noout -text |
            grep -F -A 4 'X509v3 CRL Distribution Points' |
            grep -F URI |
            sed 's/^.*URI://'
        ;;
    sig_algo)
        echo "${cert_content}" | "${OPENSSL}" "${OPENSSL_COMMAND}" -noout ${OPENSSL_PARAMS} -text | grep -m 1 -F 'Signature Algorithm'
        ;;
    startdate)
        echo "${cert_content}" | "${OPENSSL}" "${OPENSSL_COMMAND}" -noout ${OPENSSL_PARAMS} -startdate | sed -e "s/^notBefore=//"
        ;;
    enddate)
        echo "${cert_content}" | "${OPENSSL}" "${OPENSSL_COMMAND}" -noout ${OPENSSL_PARAMS} "${OPENSSL_ENDDATE_OPTION}" | sed -e "s/^notAfter=//" -e "s/^nextUpdate=//"
        ;;
    sct)
        echo "${cert_content}" | "${OPENSSL}" x509 -noout -text | grep -E -q 'SCTs|1\.3\.6\.1\.4\.1\.11129\.2\.4\.2'
        ;;
    subjectAlternativeName)
        echo "${cert_content}" | "${OPENSSL}" "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -text |
            grep -F -A 1 "509v3 Subject Alternative Name:" |
            tail -n 1 |
            sed -e "s/DNS://g" |
            sed -e "s/,//g" |
            sed -e 's/^\ *//'
        ;;
    *)
        return 1
        ;;
    esac

}

################################################################################
# Executes command with a timeout
# Params:
#   $1 command
#   $2 where to put the stdout
#   $3 where to put the stderr
# Returns 1 if timed out 0 otherwise
exec_with_timeout() {

    time=${TIMEOUT}

    # start the command in a subshell to avoid problem with pipes
    # (spawn accepts one command)
    command="/bin/sh -c \"$1\""

    OUTFILE=/dev/null
    if [ -n "$2" ]; then
        OUTFILE=$2
    fi
    ERRFILE=/dev/null
    if [ -n "$3" ]; then
        ERRFILE=$3
    fi

    start_time=$(date +%s)

    debuglog "executing with timeout (${time}s): $1"
    debuglog "  start time = ${start_time}"

    if [ -n "${TIMEOUT_BIN}" ]; then

        debuglog "$(printf '%s %s %s\n' "${TIMEOUT_BIN}" "${time}" "${command}")"

        # We execute timeout in the background so that it can be relay a signal to 'timeout'
        # https://unix.stackexchange.com/questions/57667/why-cant-i-kill-a-timeout-called-from-a-bash-script-with-a-keystroke/57692#57692
        eval "${TIMEOUT_BIN} ${time} ${command} &" >"${OUTFILE}" 2>"${ERRFILE}"
        TIMEOUT_PID=$!
        wait "${TIMEOUT_PID}" >/dev/null 2>&1
        RET=$?

        # return codes
        # https://www.gnu.org/software/coreutils/manual/coreutils.html#timeout-invocation

        # because of the execution in the background we get a 137 for a timeout
        if [ "${RET}" -eq 137 ] || [ "${RET}" -eq 124 ]; then
            prepend_critical_message "Timeout after ${time} seconds"
            critical "${SHORTNAME} CRITICAL: Timeout after ${time} seconds"
        elif [ "${RET}" -eq 125 ]; then
            prepend_critical_message "execution of ${command} failed"
        elif [ "${RET}" -eq 126 ]; then
            prepend_critical_message "${command} is found but cannot be invoked"
        elif [ "${RET}" -eq 127 ]; then
            prepend_critical_message "${command} cannot be found"
        fi

        end_time=$(date +%s)
        TIMEOUT=$((TIMEOUT - end_time + start_time))
        debuglog "  end time = ${end_time}"
        debuglog "  new timeout = ${TIMEOUT}"
        if [ "${TIMEOUT}" -lt 1 ]; then TIMEOUT=1; fi

        return "${RET}"

    elif [ -n "${EXPECT}" ]; then

        # just to tell shellcheck that the variable is assigned
        # (in fact the value is assigned with the function set_value)
        EXPECT_SCRIPT=''
        TIMEOUT_ERROR_CODE=42

        set_variable EXPECT_SCRIPT <<EOT

set echo \"-noecho\"
set timeout ${time}

# spawn the process
spawn -noecho sh -c { ${command} > ${OUTFILE} 2> ${ERRFILE} }

expect {
  timeout { exit ${TIMEOUT_ERROR_CODE} }
  eof
}

# Get the return value
# https://stackoverflow.com/questions/23614039/how-to-get-the-exit-code-of-spawned-process-in-expect-shell-script

foreach { pid spawnid os_error_flag value } [wait] break

# return the command return value
exit \$value

EOT

        debuglog 'Executing expect script'
        debuglog "$(printf '%s' "${EXPECT_SCRIPT}")"

        echo "${EXPECT_SCRIPT}" | expect
        RET=$?

        debuglog "expect returned ${RET}"

        if [ "${RET}" -eq "${TIMEOUT_ERROR_CODE}" ]; then
            prepend_critical_message "Timeout after ${time} seconds"
            critical "${SHORTNAME} CRITICAL: Timeout after ${time} seconds"
        fi

        end_time=$(date +%s)
        TIMEOUT=$((TIMEOUT - end_time + start_time))
        debuglog "  end time = ${end_time}"
        debuglog "  new timeout = ${TIMEOUT}"
        if [ "${TIMEOUT}" -lt 1 ]; then TIMEOUT=1; fi

        return "${RET}"

    else

        debuglog "$(printf '%s\n' eval "${command}")"

        eval "${command}" >"${OUTFILE}" 2>"${ERRFILE}"
        RET=$?

        end_time=$(date +%s)

        # we deduce the command duration from the total specified timeout
        TIMEOUT=$((TIMEOUT - end_time + start_time))
        debuglog "  end time = ${end_time}"
        debuglog "  new timeout = ${TIMEOUT}"
        if [ "${TIMEOUT}" -lt 1 ]; then TIMEOUT=1; fi

        return "${RET}"

    fi

}

################################################################################
# Checks if a given program is available and executable
# Params
#   $1 program name
# Returns 1 if the program exists and is executable
check_required_prog() {

    PROG=$(command -v "$1" 2>/dev/null)

    if [ -z "${PROG}" ]; then
        unknown "cannot find program: $1"
    fi

    if [ ! -x "${PROG}" ]; then
        unknown "${PROG} is not executable"
    fi

}

################################################################################
# Checks cert revocation via CRL
# Params
#   $1 cert
#   $2 element number
check_crl() {
    el_number=1
    if [ -n "$2" ]; then
        el_number=$2
    fi

    create_temporary_file
    CERT_ELEMENT=${TEMPFILE}
    debuglog "Storing the chain element in ${CERT_ELEMENT}"
    echo "${1}" >"${CERT_ELEMENT}"

    # We check all the elements of the chain (but the root) for revocation
    # If any element is revoked, the certificate should not be trusted
    # https://security.stackexchange.com/questions/5253/what-happens-when-an-intermediate-ca-is-revoked

    debuglog "Checking CRL status of element ${el_number}"

    # See https://raymii.org/s/articles/OpenSSL_manually_verify_a_certificate_against_a_CRL.html

    CRL_URI="$(extract_cert_attribute 'crl_uri' "${CERT_ELEMENT}")"
    if [ -n "${CRL_URI}" ]; then

        debuglog "Certificate revocation list available (${CRL_URI})."

        debuglog "CRL: fetching CRL ${CRL_URI} to ${CRL_TMP_DER}"

        if [ -n "${CURL_USER_AGENT}" ]; then
            exec_with_timeout "${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent --user-agent '${CURL_USER_AGENT}' --location \\\"${CRL_URI}\\\" > ${CRL_TMP_DER}"
        else
            exec_with_timeout "${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent --location \\\"${CRL_URI}\\\" > ${CRL_TMP_DER}"
        fi

        # convert DER to
        debuglog "Converting ${CRL_TMP_DER} (DER) to ${CRL_TMP_PEM} (PEM)"
        "${OPENSSL}" crl -inform DER -in "${CRL_TMP_DER}" -outform PEM -out "${CRL_TMP_PEM}"

        # combine the certificate and the CRL
        debuglog "Combining the certificate, the CRL and the root cert"
        debuglog "cat ${CRL_TMP_PEM} ${CERT} ${ROOT_CA_FILE} > ${CRL_TMP_CHAIN}"
        cat "${CRL_TMP_PEM}" "${CERT}" "${ROOT_CA_FILE}" >"${CRL_TMP_CHAIN}"

        debuglog "${OPENSSL} verify -crl_check -CRLfile ${CRL_TMP_PEM} ${CERT_ELEMENT}"
        CRL_RESULT=$(
            "${OPENSSL}" verify -crl_check -CAfile "${CRL_TMP_CHAIN}" -CRLfile "${CRL_TMP_PEM}" "${CERT_ELEMENT}" 2>&1 |
                grep -F ':' |
                head -n 1 |
                sed 's/^.*:\ //'
        )

        debuglog "  result: ${CRL_RESULT}"

        if ! [ "${CRL_RESULT}" = 'OK' ]; then
            prepend_critical_message "certificate element ${el_number} is revoked (CRL)"
        fi

    else

        debuglog "Certificate revocation list not available"

    fi

}

################################################################################
# Checks cert revocation via OCSP
# Params
#   $1 cert
#   $2 element number
check_ocsp() {

    el_number=1
    if [ -n "$2" ]; then
        el_number=$2
    fi

    # We check all the elements of the chain (but the root) for revocation
    # If any element is revoked, the certificate should not be trusted
    # https://security.stackexchange.com/questions/5253/what-happens-when-an-intermediate-ca-is-revoked

    debuglog "Checking OCSP status of element ${el_number}"

    create_temporary_file
    CERT_ELEMENT=${TEMPFILE}
    debuglog "Storing the chain element in ${CERT_ELEMENT}"
    echo "${1}" >"${CERT_ELEMENT}"

    ################################################################################
    # Check revocation via OCSP
    if [ -n "${OCSP}" ]; then

        debuglog "Checking revocation via OCSP"

        ISSUER_HASH="$(extract_cert_attribute 'issuer_hash' "${CERT_ELEMENT}")"
        debuglog "Issuer hash: ${ISSUER_HASH}"

        if [ -z "${ISSUER_HASH}" ]; then
            unknown 'unable to find issuer certificate hash.'
        fi

        ISSUER_CERT=
        if [ -n "${ISSUER_CERT_CACHE}" ]; then

            if [ -r "${ISSUER_CERT_CACHE}/${ISSUER_HASH}.crt" ]; then

                debuglog "Found cached Issuer Certificate: ${ISSUER_CERT_CACHE}/${ISSUER_HASH}.crt"

                ISSUER_CERT="${ISSUER_CERT_CACHE}/${ISSUER_HASH}.crt"

            else

                debuglog "Not found cached Issuer Certificate: ${ISSUER_CERT_CACHE}/${ISSUER_HASH}.crt"

            fi

        fi

        ELEMENT_ISSUER_URIS="$(extract_cert_attribute 'issuer_uri' "${CERT_ELEMENT}")"

        if [ -z "${ELEMENT_ISSUER_URIS}" ]; then
            verboselog "Warning cannot find the CA Issuers in the certificate chain element ${el_number}: disabling OCSP checks on chain element ${el_number}"
            return
        fi

        debuglog "Chain element issuer URIs: ${ELEMENT_ISSUER_URIS}"

        for ELEMENT_ISSUER_URI in ${ELEMENT_ISSUER_URIS}; do

            debuglog "checking issuer URIs: ${ELEMENT_ISSUER_URI}"

            # shellcheck disable=SC2021
            ELEMENT_ISSUER_URI_WO_SPACES_TMP="$(echo "${ELEMENT_ISSUER_URI}" | tr -d '[[:space:]]')"
            if [ "${ELEMENT_ISSUER_URI}" != "${ELEMENT_ISSUER_URI_WO_SPACES_TMP}" ]; then
                verboselog "Warning: unable to fetch the CA issuer certificate (spaces in URI): skipping"
                continue
            elif ! echo "${ELEMENT_ISSUER_URI}" | grep -q -i '^http'; then
                verboselog "Warning: unable to fetch the CA issuer certificate (unsupported protocol): skipping"
                continue
            fi

            if [ -z "${ISSUER_CERT}" ]; then

                debuglog "OCSP: fetching issuer certificate ${ELEMENT_ISSUER_URI} to ${ISSUER_CERT_TMP}"

                if [ -n "${CURL_USER_AGENT}" ]; then
                    exec_with_timeout "${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent --user-agent '${CURL_USER_AGENT}' --location \\\"${ELEMENT_ISSUER_URI}\\\" > ${ISSUER_CERT_TMP}"
                else
                    exec_with_timeout "${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent --location \\\"${ELEMENT_ISSUER_URI}\\\" > ${ISSUER_CERT_TMP}"
                fi

                TYPE_TMP="$(${FILE_BIN} -L -b "${ISSUER_CERT_TMP}" | sed 's/.*://')"
                debuglog "OCSP: issuer certificate type (1): ${TYPE_TMP}"

                if echo "${ELEMENT_ISSUER_URI}" | grep -F -q 'p7c'; then
                    debuglog "OCSP: converting issuer certificate from PKCS #7 to PEM"

                    open_for_writing "${ISSUER_CERT_TMP2}"
                    cp "${ISSUER_CERT_TMP}" "${ISSUER_CERT_TMP2}"

                    ${OPENSSL} pkcs7 -print_certs -inform DER -outform PEM -in "${ISSUER_CERT_TMP2}" -out "${ISSUER_CERT_TMP}"

                fi

                TYPE_TMP="$(${FILE_BIN} -L -b "${ISSUER_CERT_TMP}" | sed 's/.*://')"
                debuglog "OCSP: issuer certificate type (2): ${TYPE_TMP}"

                # check for errors
                if "${FILE_BIN}" -L -b "${ISSUER_CERT_TMP}" | grep -E -q HTML; then
                    debuglog "OCSP: HTML page returned instead of a certificate"
                    unknown "Unable to fetch a valid certificate issuer certificate (HTML page returned)."
                fi

                # check the result
                if ! "${FILE_BIN}" -L -b "${ISSUER_CERT_TMP}" | grep -E -q '(ASCII|PEM)'; then

                    if "${FILE_BIN}" -L -b "${ISSUER_CERT_TMP}" | grep -E -q '(data|Certificate)'; then

                        debuglog "OCSP: converting issuer certificate from DER to PEM"

                        open_for_writing "${ISSUER_CERT_TMP2}"
                        cp "${ISSUER_CERT_TMP}" "${ISSUER_CERT_TMP2}"

                        ${OPENSSL} x509 -inform DER -outform PEM -in "${ISSUER_CERT_TMP2}" -out "${ISSUER_CERT_TMP}"

                    elif "${FILE_BIN}" -L -b "${ISSUER_CERT_TMP}" | grep -E -q 'empty'; then

                        # empty certs are allowed
                        debuglog "OCSP empty certificate detected: skipping"
                        return

                    else

                        TYPE_TMP="$(${FILE_BIN} -L -b "${ISSUER_CERT_TMP}")"
                        debuglog "OCSP: complete issuer certificate type ${TYPE_TMP}"

                        unknown "Unable to fetch a valid certificate issuer certificate."

                    fi

                fi

                TYPE_TMP="$(${FILE_BIN} -L -b "${ISSUER_CERT_TMP}" | sed 's/.*://')"
                debuglog "OCSP: issuer certificate type (3): ${TYPE_TMP}"

                if [ -n "${DEBUG_CERT}" ]; then

                    # remove trailing /
                    FILE_NAME=${ELEMENT_ISSUER_URI%/}

                    # remove everything up to the last slash
                    FILE_NAME="${FILE_NAME##*/}".crt

                    debuglog "OCSP: storing a copy of the retrieved issuer certificate to ${FILE_NAME} for debugging purposes"

                    open_for_writing "${FILE_NAME}"
                    cp "${ISSUER_CERT_TMP}" "${FILE_NAME}"

                fi

                if [ -n "${ISSUER_CERT_CACHE}" ]; then

                    if [ ! -w "${ISSUER_CERT_CACHE}" ]; then
                        unknown "Issuer certificates cache ${ISSUER_CERT_CACHE} is not writable!"
                    fi

                    debuglog "Storing Issuer Certificate to cache: ${ISSUER_CERT_CACHE}/${ISSUER_HASH}.crt"

                    open_for_writing "${ISSUER_CERT_CACHE}/${ISSUER_HASH}.crt"
                    cp "${ISSUER_CERT_TMP}" "${ISSUER_CERT_CACHE}/${ISSUER_HASH}.crt"

                fi

                ISSUER_CERT=${ISSUER_CERT_TMP}

            fi

        done

        OCSP_URIS="$(extract_cert_attribute 'oscp_uri' "${CERT_ELEMENT}")"

        debuglog "OCSP: URIs = ${OCSP_URIS}"

        for OCSP_URI in ${OCSP_URIS}; do

            debuglog "OCSP: URI = ${OCSP_URI}"

            OCSP_HOST="$(echo "${OCSP_URI}" | sed -e 's@.*//\([^/]\+\)\(/.*\)\?$@\1@g' | sed 's/^http:\/\///' | sed 's/\/.*//')"

            debuglog "OCSP: host = ${OCSP_HOST}"

            if [ -n "${OCSP_HOST}" ]; then

                # check if -header is supported
                OCSP_HEADER=""

                # ocsp -header is supported in OpenSSL versions from 1.0.0, but not documented until 1.1.0
                # so we check if the major version is greater than 0
                OPENSSL_VERSION_TMP="$(${OPENSSL} version | sed -e 's/OpenSSL \([0-9]\).*/\1/g')"
                if "${OPENSSL}" version | grep -q '^LibreSSL' || [ "${OPENSSL_VERSION_TMP}" -gt 0 ]; then

                    debuglog "openssl ocsp supports the -header option"

                    # the -header option was first accepting key and value separated by space. The newer versions are using key=value
                    KEYVALUE=""
                    if ${OPENSSL} ocsp -help 2>&1 | grep -F header | grep -F -q 'key=value'; then
                        debuglog "${OPENSSL} ocsp -header requires 'key=value'"
                        KEYVALUE=1
                    else
                        debuglog "${OPENSSL} ocsp -header requires 'key value'"
                    fi

                    # http_proxy is sometimes lower- and sometimes uppercase. Programs usually check both
                    # shellcheck disable=SC2154
                    if [ -n "${http_proxy}" ]; then
                        HTTP_PROXY="${http_proxy}"
                    fi

                    if [ -n "${HTTP_PROXY:-}" ]; then
                        OCSP_PROXY_ARGUMENT="$(echo "${HTTP_PROXY}" | sed 's/.*:\/\///' | sed 's/\/$//')"

                        if [ -n "${KEYVALUE}" ]; then
                            debuglog "executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT_ELEMENT} -host \"${OCSP_PROXY_ARGUMENT}\" -path ${OCSP_URI} -header HOST=${OCSP_HOST}"
                            OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT_ELEMENT}" -host "${OCSP_PROXY_ARGUMENT}" -path "${OCSP_URI}" -header HOST="${OCSP_HOST}" 2>&1)"
                        else
                            debuglog "executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT_ELEMENT} -host \"${OCSP_PROXY_ARGUMENT}\" -path ${OCSP_URI} -header HOST ${OCSP_HOST}"
                            OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT_ELEMENT}" -host "${OCSP_PROXY_ARGUMENT}" -path "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1)"
                        fi

                    else

                        if [ -n "${KEYVALUE}" ]; then
                            debuglog "executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT_ELEMENT}  -url ${OCSP_URI} ${OCSP_HEADER} -header HOST=${OCSP_HOST}"
                            OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT_ELEMENT}" -url "${OCSP_URI}" -header "HOST=${OCSP_HOST}" 2>&1)"
                        else
                            debuglog "executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT_ELEMENT}  -url ${OCSP_URI} ${OCSP_HEADER} -header HOST ${OCSP_HOST}"
                            OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT_ELEMENT}" -url "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1)"
                        fi

                    fi

                    MESSAGE_TMP="$(echo "${OCSP_RESP}" | sed 's/^/OCSP: response = /')"
                    debuglog "${MESSAGE_TMP}"

                    if [ -n "${OCSP_IGNORE_TIMEOUT}" ] && echo "${OCSP_RESP}" | grep -F -q -i "timeout on connect"; then

                        debuglog 'OCSP: Timeout on connect'

                    elif echo "${OCSP_RESP}" | grep -F -q -i "revoked"; then

                        debuglog 'OCSP: revoked'

                        prepend_critical_message "certificate element ${el_number} is revoked (OCSP)"

                    elif echo "${OCSP_RESP}" | grep -F -q -i "internalerror" && [ -n "${OCSP_IGNORE_ERRORS}" ]; then

                        verbose 'warning: the OCSP server returned an internal error'

                    elif ! echo "${OCSP_RESP}" | grep -F -q -i "good"; then

                        debuglog "OCSP: not good. HTTP_PROXY = ${HTTP_PROXY}"

                        if [ -n "${HTTP_PROXY:-}" ]; then

                            debuglog "executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT_ELEMENT}]\" -host \"${HTTP_PROXY#*://}\" -path \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"

                            if [ -n "${OCSP_HEADER}" ]; then
                                OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT_ELEMENT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" "${OCSP_HEADER}" 2>&1)"
                            else
                                OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT_ELEMENT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" 2>&1)"
                            fi

                        else

                            debuglog "executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT_ELEMENT}\" -url \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"

                            if [ -n "${OCSP_HEADER}" ]; then
                                OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT_ELEMENT}" -url "${OCSP_URI}" "${OCSP_HEADER}" 2>&1)"
                            else
                                OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT_ELEMENT}" -url "${OCSP_URI}" 2>&1)"
                            fi

                        fi

                        prepend_critical_message "OCSP error (-v for details)"

                    fi

                else

                    verboselog "Warning: openssl ocsp does not support the -header option: disabling OCSP checks"

                fi

            else

                verboselog "Warning: no OCSP host found: disabling OCSP checks"

            fi

        done

        verboselog "OCSP check for element ${el_number} OK"

    fi

}

################################################################################
# Checks cert end date validity
# Params
#   $1 cert
#   $2 element number
# Returns number of days
check_cert_end_date() {

    el_number=1
    if [ -n "$2" ]; then
        el_number=$2
    else
        debuglog "No certificate element specified: default 1"
    fi

    replace_current_message=''

    element_cn=$(extract_cert_attribute 'cn' "${1}")
    debuglog "Checking expiration date of element ${el_number} (${element_cn})"

    ELEM_END_DATE="$(extract_cert_attribute 'enddate' "$1")"
    debuglog "Validity date on cert element ${el_number} (${element_cn}) is ${ELEM_END_DATE}"

    HOURS_UNTIL=$(hours_until "${ELEM_END_DATE}")

    ELEM_DAYS_VALID=$((HOURS_UNTIL / 24))
    ELEM_SECONDS_VALID=$((HOURS_UNTIL * 3600))

    add_prometheus_days_output_line "cert_days_chain_elem{cn=\"${CN}\", element=${el_number}} ${ELEM_DAYS_VALID}"

    debuglog "  valid for ${ELEM_DAYS_VALID} days"

    if [ -z "${EARLIEST_VALIDITY_HOURS}" ] || [ "${HOURS_UNTIL}" -lt "${EARLIEST_VALIDITY_HOURS}" ]; then
        EARLIEST_VALIDITY_HOURS="${HOURS_UNTIL}"
        replace_current_message='yes'
    fi

    if [ -z "${DAYS_VALID}" ] || [ "${ELEM_DAYS_VALID}" -lt "${DAYS_VALID}" ]; then
        DAYS_VALID="${ELEM_DAYS_VALID}"
    fi

    add_performance_data "days_chain_elem${el_number}=${ELEM_DAYS_VALID};${WARNING_DAYS};${CRITICAL_DAYS};;"

    if [ "${OPENSSL_COMMAND}" = "x509" ]; then
        # x509 certificates (default)
        # We always check expired certificates
        debuglog "executing: ${OPENSSL} x509 -noout -checkend 0 on cert element ${el_number} (${element_cn})"
        if ! echo "${1}" | ${OPENSSL} x509 -noout -checkend 0 >/dev/null; then
            if [ "${ELEM_DAYS_VALID}" -eq 0 ]; then
                DAYS_AGO='today'
            elif [ "${ELEM_DAYS_VALID}" -eq -1 ]; then
                DAYS_AGO='yesterday'
            else
                DAYS_AGO="$((-ELEM_DAYS_VALID)) days ago"
            fi
            prepend_critical_message "${OPENSSL_COMMAND} certificate element ${el_number} (${element_cn}) is expired (was valid until ${ELEM_END_DATE}, ${DAYS_AGO})" "${replace_current_message}"
            if [ -z "${CN}" ]; then
                CN='unavailable'
            fi
            add_prometheus_valid_output_line "cert_valid_chain_elem{cn=\"${CN}\", element=${el_number}} 2"
            return 2
        fi

        if [ -n "${CRITICAL_DAYS}" ] && [ -n "${CRITICAL_SECONDS}" ]; then

            debuglog "executing: ${OPENSSL} x509 -noout -checkend ${CRITICAL_SECONDS} on cert element ${el_number} (${element_cn})"

            if ! echo "${1}" | ${OPENSSL} x509 -noout -checkend "${CRITICAL_SECONDS}" >/dev/null; then
                prepend_critical_message "${OPENSSL_COMMAND} certificate element ${el_number} (${element_cn}) will expire in ${ELEM_DAYS_VALID} day(s) on ${ELEM_END_DATE}" "${replace_current_message}"
                if [ -z "${CN}" ]; then
                    CN='unavailable'
                fi
                add_prometheus_valid_output_line "cert_valid_chain_elem{cn=\"${CN}\", element=${el_number}} 2"
                return 2
            fi

        fi

        if [ -n "${WARNING_DAYS}" ] && [ -n "${WARNING_SECONDS}" ]; then

            debuglog "executing: ${OPENSSL} x509 -noout -checkend ${WARNING_SECONDS} on cert element ${el_number}"

            if ! echo "${1}" | ${OPENSSL} x509 -noout -checkend "${WARNING_SECONDS}" >/dev/null; then
                append_warning_message "${OPENSSL_COMMAND} certificate element ${el_number} (${element_cn}) will expire in ${ELEM_DAYS_VALID} day(s) on ${ELEM_END_DATE}" "${replace_current_message}"
                if [ -z "${CN}" ]; then
                    CN='unavailable'
                fi
                add_prometheus_valid_output_line "cert_valid_chain_elem{cn=\"${CN}\", element=${el_number}} 1"
                return 1
            fi

        fi
        if [ -n "${NOT_VALID_LONGER_THAN}" ]; then
            debuglog "checking if the certificate is valid longer than ${NOT_VALID_LONGER_THAN} days"
            debuglog "  valid for ${DAYS_VALID} days"
            if [ "${DAYS_VALID}" -gt "${NOT_VALID_LONGER_THAN}" ]; then
                debuglog "Certificate expires in ${DAYS_VALID} days which is more than ${NOT_VALID_LONGER_THAN} days"
                prepend_critical_message "Certificate expires in ${DAYS_VALID} days which is more than ${NOT_VALID_LONGER_THAN} days" "${replace_current_message}"
                add_prometheus_valid_output_line "cert_valid_chain_elem{cn=\"${CN}\", element=${el_number}} 2"
                return 2
            fi
        fi
    elif [ "${OPENSSL_COMMAND}" = "crl" ]; then
        # CRL certificates

        # We always check expired certificates
        if [ "${ELEM_SECONDS_VALID}" -lt 1 ]; then
            prepend_critical_message "${OPENSSL_COMMAND} certificate element ${el_number} (${element_cn}) is expired (was valid until ${ELEM_END_DATE})" "${replace_current_message}"
            add_prometheus_valid_output_line "cert_valid_chain_elem{cn=\"${CN}\", element=${el_number}} 2"
            return 2
        fi

        if [ -n "${CRITICAL_DAYS}" ] && [ -n "${CRITICAL_SECONDS}" ]; then
            # When comparing, always use values in seconds, because values in days might be floating point numbers
            if [ "${ELEM_SECONDS_VALID}" -lt "${CRITICAL_SECONDS}" ]; then
                prepend_critical_message "${OPENSSL_COMMAND} certificate element ${el_number} (${element_cn}) will expire in ${ELEM_DAYS_VALID} day(s) on ${ELEM_END_DATE}" "${replace_current_message}"
                if [ -z "${CN}" ]; then
                    CN='unavailable'
                fi
                add_prometheus_valid_output_line "cert_valid_chain_elem{cn=\"${CN}\", element=${el_number}} 2"
                return 2
            fi

        fi

        if [ -n "${WARNING_DAYS}" ] && [ -n "${WARNING_SECONDS}" ]; then
            # When comparing, always use values in seconds, because values in days might be floating point numbers
            if [ "${ELEM_SECONDS_VALID}" -lt "${WARNING_SECONDS}" ]; then
                append_warning_message "${OPENSSL_COMMAND} certificate element ${el_number} (${element_cn}) will expire in ${ELEM_DAYS_VALID} day(s) on ${ELEM_END_DATE}" "${replace_current_message}"
                if [ -z "${CN}" ]; then
                    CN='unavailable'
                fi
                add_prometheus_valid_output_line "cert_valid_chain_elem{cn=\"${CN}\", element=${el_number}} 1"
                return 1
            fi

        fi
    fi

    if [ -z "${CN}" ]; then
        CN='unavailable'
    fi
    verboselog "Certificate element ${el_number} (${element_cn}) is valid for ${ELEM_DAYS_VALID} days"
    add_prometheus_valid_output_line "cert_valid_chain_elem{cn=\"${CN}\", element=${el_number}} 0"

}

################################################################################
# Converts SSL Labs or nmap grades to a numeric value
#   (see https://www.ssllabs.com/downloads/SSL_Server_Rating_Guide.pdf and
#    https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html)
# Params
#   $1 program name
# Sets NUMERIC_SSL_LAB_GRADE
convert_grade() {

    GRADE="$1"

    unset NUMERIC_SSL_LAB_GRADE

    case "${GRADE}" in
    'A+' | 'a+')
        # Value not in documentation
        NUMERIC_SSL_LAB_GRADE=85
        shift
        ;;
    A | a | strong | Strong)
        NUMERIC_SSL_LAB_GRADE=80
        shift
        ;;
    'A-' | 'a-')
        # Value not in documentation
        NUMERIC_SSL_LAB_GRADE=75
        shift
        ;;
    B | b)
        NUMERIC_SSL_LAB_GRADE=65
        shift
        ;;
    C | c | weak | Weak)
        NUMERIC_SSL_LAB_GRADE=50
        shift
        ;;
    D | d)
        NUMERIC_SSL_LAB_GRADE=35
        shift
        ;;
    E | e)
        NUMERIC_SSL_LAB_GRADE=20
        shift
        ;;
    F | f)
        NUMERIC_SSL_LAB_GRADE=0
        shift
        ;;
    T | t | unknown | Unknown)
        # No trust: value not in documentation
        NUMERIC_SSL_LAB_GRADE=0
        shift
        ;;
    M | m)
        # Certificate name mismatch: value not in documentation
        NUMERIC_SSL_LAB_GRADE=0
        shift
        ;;
    *)
        unknown "Cannot convert SSL Lab grade ${GRADE}"
        ;;
    esac

}

################################################################################
# Check if the specified host is an IP (does not check the validity
#   $1 string to check
is_ip() {
    ARGUMENT=$1
    debuglog "Checking if ${ARGUMENT} is an IP address"
    if [ "${ARGUMENT}" != "${ARGUMENT#*[0-9].[0-9]}" ]; then
        debuglog "${ARGUMENT} is an IPv4 address"
        echo '1'
    elif [ "${ARGUMENT}" != "${ARGUMENT#*:[0-9a-fA-F]}" ]; then
        debuglog "${ARGUMENT} is an IPv6 address"
        echo '1'
    else
        debuglog "${ARGUMENT} is not an IP address"
        echo '0'
    fi
}

################################################################################
# Tries to fetch the certificate

fetch_certificate() {

    RET=0

    # IPv6 addresses need brackets in a URI
    if [ "${HOST_ADDR}" != "${HOST_ADDR#*[0-9].[0-9]}" ]; then
        debuglog "${HOST_ADDR} is an IPv4 address"
    elif [ "${HOST_ADDR}" != "${HOST_ADDR#*:[0-9a-fA-F]}" ]; then
        debuglog "${HOST_ADDR} is an IPv6 address"
        if [ -z "${HOST_ADDR##*\[*}" ]; then
            debuglog "${HOST_ADDR} is already specified with brackets"
        else
            debuglog "adding brackets to ${HOST_ADDR}"
            HOST="[${HOST_ADDR}]"
        fi
    else
        debuglog "${HOST_ADDR} is not an IP address"
    fi

    if [ -n "${REQUIRE_OCSP_STAPLING}" ]; then
        STATUS='-status'
    fi

    debuglog "fetch_certificate: PROTOCOL = ${PROTOCOL}"

    # Check if a protocol was specified (if not HTTP switch to TLS)
    if [ -n "${PROTOCOL}" ] && [ "${PROTOCOL}" != 'http' ] && [ "${PROTOCOL}" != 'https' ] && [ "${PROTOCOL}" != 'h2' ]; then

        case "${PROTOCOL}" in
        pop3 | ftp)
            exec_with_timeout "printf 'QUIT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -starttls ${PROTOCOL} -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
            RET=$?
            ;;
        pop3s | ftps)
            exec_with_timeout "printf 'QUIT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
            RET=$?
            ;;
        smtp)
            exec_with_timeout "printf 'QUIT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -starttls ${PROTOCOL} -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} ${S_CLIENT_NAME} 2> ${ERROR} 1> ${CERT}"
            RET=$?
            ;;
        smtps)
            exec_with_timeout "printf 'QUIT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION}  ${S_CLIENT_NAME} 2> ${ERROR} 1> ${CERT}"
            RET=$?
            ;;
        irc | ldap)
            exec_with_timeout "echo | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
            RET=$?
            ;;
        ircs | ldaps)
            exec_with_timeout "echo | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
            RET=$?
            ;;
        imap)
            exec_with_timeout "printf 'A01 LOGOUT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -starttls ${PROTOCOL} -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
            RET=$?
            ;;
        imaps)
            exec_with_timeout "printf 'A01 LOGOUT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
            RET=$?
            ;;
        postgres)
            exec_with_timeout "printf 'X\\0\\0\\0\\4' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
            RET=$?
            ;;
        sieve)
            exec_with_timeout "echo 'LOGOUT' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
            RET=$?
            ;;
        xmpp | xmpp-server)
            exec_with_timeout "echo 'Q' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect ${HOST_ADDR}:${XMPPPORT} ${XMPPHOST} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
            RET=$?
            ;;
        mysql)
            exec_with_timeout "echo | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
            RET=$?
            ;;
        *)
            unknown "Error: unsupported protocol ${PROTOCOL}"
            ;;
        esac

    elif [ -n "${FILE}" ]; then

        if [ "${HOST_NAME}" = "localhost" ]; then

            debuglog "check if we have to convert the file ${FILE} to PEM"
            TYPE_TMP="$(${FILE_BIN} -L -b "${FILE}" | sed 's/.*://')"
            debuglog "certificate type (1): ${TYPE_TMP}"
            create_temporary_file
            CONVERSION_ERROR=${TEMPFILE}

            if echo "${FILE}" | grep -q -E '[.](p12|pfx)$'; then

                debuglog 'converting PKCS #12 to PEM'

                if [ -n "${PASSWORD_SOURCE}" ]; then
                    debuglog "executing ${OPENSSL} pkcs12 -in ${FILE} -out ${CERT} -nokeys -passin ${PASSWORD_SOURCE}"
                    "${OPENSSL}" pkcs12 -in "${FILE}" -out "${CERT}" -nokeys -passin "${PASSWORD_SOURCE}" 2>"${CONVERSION_ERROR}"
                else
                    debuglog "executing ${OPENSSL} pkcs12 -in ${FILE} -out ${CERT} -nokeys"
                    "${OPENSSL}" pkcs12 -in "${FILE}" -out "${CERT}" -nokeys 2>"${CONVERSION_ERROR}"
                fi

                if [ $? -eq 1 ]; then
                    CONVERSION_ERROR_TMP="$(head -n 1 "${CONVERSION_ERROR}")"
                    unknown "Error converting ${FILE}: ${CONVERSION_ERROR_TMP}"
                fi

            elif "${FILE_BIN}" -L -b "${FILE}" | grep -q -E '(data|Certificate)'; then

                debuglog 'converting DER to PEM'
                "${OPENSSL}" x509 -inform der -in "${FILE}" -out "${CERT}" 2>"${CONVERSION_ERROR}"

                if [ $? -eq 1 ]; then

                    CONVERSION_ERROR_TMP="$(head -n 1 "${CONVERSION_ERROR}")"
                    debuglog "Error converting ${FILE}: ${CONVERSION_ERROR_TMP}"
                    debuglog "Checking if ${FILE} is DER encoded CRL"

                    if "${OPENSSL}" crl -in "${FILE}" -inform DER 2>/dev/null | grep -F -q "BEGIN X509 CRL"; then

                        debuglog "The input file is a CRL in DER format: converting to PEM"

                        debuglog "Executing ${OPENSSL} crl -inform der -in ${FILE} -out ${CERT} 2> /dev/null"
                        "${OPENSSL}" crl -inform der -in "${FILE}" -out "${CERT}" 2>"${CONVERSION_ERROR}"

                        if [ $? -eq 1 ]; then
                            CONVERSION_ERROR_TMP="$(head -n 1 "${CONVERSION_ERROR}")"
                            unknown "Error converting CRL ${FILE}: ${CONVERSION_ERROR_TMP}"
                        fi

                    else
                        CONVERSION_ERROR_TMP="$(head -n 1 "${CONVERSION_ERROR}")"
                        unknown "Error converting ${FILE}: ${CONVERSION_ERROR_TMP}"
                    fi

                fi

            else

                debuglog "Copying the certificate to ${CERT}"
                /bin/cat "${FILE}" >"${CERT}"
                RET=$?

            fi

            debuglog "storing the certificate to ${CERT}"
            TYPE_TMP="$(${FILE_BIN} -L -b "${CERT}" | sed 's/.*://')"
            debuglog "certificate type (2): ${TYPE_TMP}"

            if ! grep -q -F 'CRL' "${CERT}"; then

                NUM_CERTIFICATES=$(grep -F -c -- "-BEGIN CERTIFICATE-" "${CERT}")

                if [ "${NUM_CERTIFICATES}" -gt 1 ]; then
                    debuglog "Certificate seems to be ca ca-bundle, splitting it"

                    create_temporary_file
                    USER_CERTIFICATE=${TEMPFILE}
                    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "${CERT}" |
                        awk -v n="1" '/-BEGIN CERTIFICATE-/{l++} (l==n) {print}' >"${USER_CERTIFICATE}"

                    create_temporary_file
                    INTERMEDIATE_CERTIFICATES=${TEMPFILE}
                    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "${CERT}" |
                        awk -v n="2" '/-BEGIN CERTIFICATE-/{l++} (l>=n) {print}' >"${INTERMEDIATE_CERTIFICATES}"
                    VERIFY_COMMAND="${OPENSSL} verify ${ROOT_CA} -untrusted ${INTERMEDIATE_CERTIFICATES} ${USER_CERTIFICATE}"
                else
                    debuglog "Certificate does not contain any intermediates, checking the chain will probably fail."
                    VERIFY_COMMAND="${OPENSSL} verify ${ROOT_CA} ${CERT}"
                fi

                # verify the local certificate
                debuglog "verifying the certificate"
                debuglog "  ${VERIFY_COMMAND} 2> ${ERROR} 1>&2"

                # on older versions of OpenSSL write the error on standard input
                # shellcheck disable=SC2086
                ${VERIFY_COMMAND} 2>"${ERROR}" 1>&2
                RET=$?

            else

                debuglog "skipping verification on CRL"

            fi

        else
            unknown "Error: option 'file' works with -H localhost only"
        fi

    else

        if [ "${PROTOCOL}" = 'h2' ]; then
            ALPN="-alpn h2"
        fi

        exec_with_timeout "printf '${HTTP_REQUEST}' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf ${ALPN} -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -showcerts -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
        RET=$?

    fi

    debuglog "Return value of the command = ${RET}"

    if [ -n "${DEBUG_CERT}" ]; then

        debuglog "storing a copy of the retrieved certificate in ${HOST_NAME}.crt for debugging purposes"
        open_for_writing "${HOST_NAME}.crt"
        cp "${CERT}" "${HOST_NAME}.crt"

        debuglog "storing a copy of the OpenSSL errors in ${HOST_NAME}.error for debugging purposes"
        open_for_writing "${HOST_NAME}.error"
        cp "${ERROR}" "${HOST_NAME}.error"

    fi

    if [ "${RET}" -ne 0 ]; then

        MESSAGE_TMP="$(sed 's/^/SSL error: /' "${ERROR}")"
        debuglog "${MESSAGE_TMP}"

        # s_client could verify the server certificate because the server requires a client certificate
        if ascii_grep '^Client Certificate Types' "${CERT}"; then

            verboselog "Warning: the server requires a client certificate"

        elif ascii_grep 'nodename\ nor\ servname\ provided,\ or\ not\ known' "${ERROR}" ||
            ascii_grep 'Name or service not known' "${ERROR}" ||
            ascii_grep 'connect\ argument\ or\ target\ parameter\ malformed\ or\ ambiguous' "${ERROR}"; then

            ERROR="${HOST_ADDR} is not a valid hostname"
            prepend_critical_message "${ERROR}"
            critical "SSL_CERT CRITICAL ${HOST_NAME}: ${ERROR}"

        elif ascii_grep 'Connection\ refused' "${ERROR}"; then

            ERROR='Connection refused'
            prepend_critical_message "${ERROR}"
            critical "SSL_CERT CRITICAL ${HOST_NAME}: ${ERROR}"

        elif ascii_grep 'Connection timed out' "${ERROR}"; then

            ERROR='OpenSSL connection timed out'
            prepend_critical_message "${ERROR}"
            critical "SSL_CERT CRITICAL ${HOST_NAME}: ${ERROR}"

        elif ascii_grep 'unable to get local issuer certificate' "${ERROR}"; then

            if [ -z "${IGNORE_INCOMPLETE_CHAIN}" ]; then
                prepend_critical_message 'Error verifying the certificate chain'
            fi

        elif ascii_grep 'self[ -]signed certificate' "${ERROR}"; then

            if [ -z "${SELFSIGNED}" ]; then
                prepend_critical_message 'Self signed certificate'
            fi

        elif ascii_grep 'dh\ key\ too\ small' "${ERROR}"; then

            prepend_critical_message 'DH with a key too small'

        elif ascii_grep 'alert\ handshake\ failure' "${ERROR}"; then

            prepend_critical_message 'Handshake failure'

        elif ascii_grep 'wrong\ version\ number' "${ERROR}"; then

            prepend_critical_message 'No TLS connection possible'

        elif ascii_grep 'tlsv1 alert decode error' "${ERROR}"; then

            prepend_critical_message 'Error decoding certificate'

        elif ascii_grep 'gethostbyname failure' "${ERROR}"; then

            ERROR='Invalid host name'
            prepend_critical_message "${ERROR}"
            critical "SSL_CERT CRITICAL ${HOST_NAME}: ${ERROR}"

        elif ascii_grep 'Operation\ timed\ out' "${ERROR}"; then

            ERROR='OpenSSL timed out'
            prepend_critical_message "${ERROR}"
            critical "SSL_CERT CRITICAL ${HOST_NAME}: ${ERROR}"

        elif ascii_grep 'write:errno=54' "${ERROR}"; then

            ERROR='No certificate returned (SNI required?)'
            prepend_critical_message "${ERROR}"
            critical "SSL_CERT CRITICAL ${HOST_NAME}: ${ERROR}"

        elif ascii_grep "Didn't find STARTTLS in server response, trying anyway..." "${ERROR}"; then

            ERROR="Didn't find STARTTLS in server response"
            prepend_critical_message "${ERROR}"
            critical "SSL_CERT CRITICAL ${HOST_NAME}: ${ERROR}"

        elif ascii_grep "unsafe legacy renegotiation disabled" "${ERROR}"; then

            ERROR="The server does not support the Renegotiation Indication Extension"
            prepend_critical_message "${ERROR}"
            critical "SSL_CERT CRITICAL ${HOST_NAME}: ${ERROR}"

        elif ascii_grep "no certificate or crl found" "${ERROR}"; then

            ERROR="Cannot read or parse the supplied certificate (e.g., root certificate)"
            prepend_critical_message "${ERROR}"
            critical "SSL_CERT_CRITICAL ${HOST_NAME}: ${ERROR}"

        else

            # Try to clean up the error message
            #     Remove the 'verify and depth' lines
            #     Take the 1st line (seems OK with the use cases I tested)
            ERROR_MESSAGE=$(
                grep -v '^depth' "${ERROR}" |
                    grep -v '^verify' |
                    head -n 1
            )

            debuglog "Unknown error: ${ERROR_MESSAGE}"

            prepend_critical_message "SSL error: ${ERROR_MESSAGE}"

        fi

    else

        if ascii_grep usage "${ERROR}" && [ "${PROTOCOL}" = "ldap" ]; then
            unknown "it seems that OpenSSL -starttls does not support yet LDAP"
        fi

        NEGOTIATED_PROTOCOL=$( grep -F 'ALPN protocol' "${CERT}" | sed 's/^ALPN protocol:\ //' )
        debuglog "Negotiated protocol: ${NEGOTIATED_PROTOCOL}"

        # check if the protocol was really HTTP/2
        if [ "${PROTOCOL}" = 'h2' ]; then
            if ! grep -q -F 'ALPN protocol: h2' "${CERT}"; then
                prepend_critical_message 'The server does not support HTTP/2'
            fi
        fi

    fi

}

################################################################################
# Adds metric to performance data
# Params
#   $1 performance data in Nagios plugin format,
#      see https://nagios-plugins.org/doc/guidelines.html#AEN200
add_performance_data() {
    if [ -z "${PERFORMANCE_DATA}" ]; then
        PERFORMANCE_DATA="|${1}"
    else
        PERFORMANCE_DATA="${PERFORMANCE_DATA} $1"
    fi
}

################################################################################
# Prepares sed-style command for variable replacement
# Params
#   $1 variable name (e.g. SHORTNAME)
#   $2 variable value (e.g. SSL_CERT)
var_for_sed() {
    VALUE_TMP="$(echo "$2" | sed -e 's#|#\\\\|#g')"
    echo "s|%$1%|${VALUE_TMP}|g"
}

################################################################################
# Performs a grep removing the NULL characters first
#
# As the POSIX grep does not have the -a option, we remove the NULL characters
# first to avoid the error Binary file matches
#
# Params
#  $1 pattern
#  $2 file
#
ascii_grep() {
    tr -d '\000' <"$2" | grep -q "$1"
}

################################################################################
# Checks if there is an option argument (should not begin with -)
#
# Params
#  $1 name of the option (e.g., '-w,--warning') to be used in the error message
#  $2 next command line parameter
check_option_argument() {

    # shellcheck disable=SC2295
    if [ -z "$2" ] || [ "${2%${2#?}}"x = '-x' ]; then
        unknown "'${1}' requires an argument"
    fi

}

################################################################################
# Parse command line options
#
# Params
#  $* options
parse_command_line_options() {

    COMMAND_LINE_ARGUMENTS=$*

    while true; do

        case "$1" in

        ########################################
        # Options without arguments

        -A | --noauth)
            NOAUTH=1
            shift
            ;;
        --all)
            ALL=1
            shift
            ;;
        --all-local)
            ALL_LOCAL=1
            shift
            ;;
        --allow-empty-san)
            REQUIRE_SAN=""
            shift
            ;;
        --altnames)
            ALTNAMES=1
            shift
            ;;
        --check-ciphers-warnings)
            CHECK_CIPHERS_WARNINGS=1
            shift
            ;;
        --crl)
            CRL=1
            shift
            ;;
        -d | --debug)
            DEBUG=$((DEBUG + 1))
            shift
            ;;
        --debug-cert)
            DEBUG_CERT=1
            shift
            ;;
        --debug-time)
            # start time
            DEBUG_TIME=$(date +%s)
            shift
            ;;
        -h | --help | -\?)
            usage
            ;;
        --first-element-only)
            FIRST_ELEMENT_ONLY=1
            shift
            ;;
        --force-dconv-date)
            FORCE_DCONV_DATE=1
            shift
            ;;
        --force-perl-date)
            FORCE_PERL_DATE=1
            shift
            ;;
        --http-use-get)
            HTTP_METHOD="GET"
            shift
            ;;
        --ignore-exp)
            NOEXP=1
            shift
            ;;
        --ignore-altnames)
            ALTNAMES=
            shift
            ;;
        --ignore-host-cn)
            COMMON_NAME=
            ALTNAMES=
            shift
            ;;
        --ignore-sig-alg)
            NOSIGALG=1
            shift
            ;;
        --ignore-sct)
            SCT=
            shift
            ;;
        --ignore-ssl-labs-cache)
            IGNORE_SSL_LABS_CACHE="&startNew=on"
            shift
            ;;
        --ignore-tls-renegotiation)
            IGNORE_TLS_RENEGOTIATION='1'
            shift
            ;;
        --info)
            INFO='1'
            shift
            ;;
        --no-perf)
            NO_PERF=1
            shift
            ;;
        --no-proxy)
            NO_PROXY=1
            shift
            ;;
        --no-proxy-s_client)
            NO_PROXY_S_CLIENT=1
            shift
            ;;
        --no-proxy-curl)
            NO_PROXY_CURL=1
            shift
            ;;
        --no-ssl2 | --no_ssl2)
            # we keep the old variant for compatibility
            SSL_VERSION_DISABLED="${SSL_VERSION_DISABLED} -no_ssl2"
            shift
            ;;
        --no-ssl3 | --no_ssl3)
            # we keep the old variant for compatibility
            SSL_VERSION_DISABLED="${SSL_VERSION_DISABLED} -no_ssl3"
            shift
            ;;
        --no-tls1 | --no_tls1)
            # we keep the old variant for compatibility
            SSL_VERSION_DISABLED="${SSL_VERSION_DISABLED} -no_tls1"
            shift
            ;;
        --no-tls1_1 | --no_tls1_1)
            # we keep the old variant for compatibility
            SSL_VERSION_DISABLED="${SSL_VERSION_DISABLED} -no_tls1_1"
            shift
            ;;
        --no-tls1_2 | --no_tls1_2)
            # we keep the old variant for compatibility
            SSL_VERSION_DISABLED="${SSL_VERSION_DISABLED} -no_tls1_2"
            shift
            ;;
        --no-tls1_3 | --no_tls1_3)
            # we keep the old variant for compatibility
            SSL_VERSION_DISABLED="${SSL_VERSION_DISABLED} -no_tls1_3"
            shift
            ;;
        -N | --host-cn)
            COMMON_NAME="__HOST__"
            shift
            ;;
        --prometheus)
            PROMETHEUS=1
            shift
            ;;
        --rsa)
            RSA=1
            shift
            ;;
        --require-no-ssl2)
            DISALLOWED_PROTOCOLS="${DISALLOWED_PROTOCOLS} SSLv2"
            shift
            ;;
        --require-no-ssl3)
            DISALLOWED_PROTOCOLS="${DISALLOWED_PROTOCOLS} SSLv3"
            shift
            ;;
        --require-no-tls1)
            DISALLOWED_PROTOCOLS="${DISALLOWED_PROTOCOLS} TLSv1.0"
            shift
            ;;
        --require-no-tls1_1)
            DISALLOWED_PROTOCOLS="${DISALLOWED_PROTOCOLS} TLSv1.1"
            shift
            ;;
        --require-ocsp-stapling)
            REQUIRE_OCSP_STAPLING=1
            shift
            ;;
        --require-san)
            REQUIRE_SAN=1
            shift
            ;;
        -s | --selfsigned)
            SELFSIGNED=1
            shift
            ;;
        --ecdsa)
            ECDSA=1
            shift
            ;;
        --ssl2)
            SSL_VERSION="-ssl2"
            shift
            ;;
        --ssl3)
            SSL_VERSION="-ssl3"
            shift
            ;;
        --tls1)
            SSL_VERSION="-tls1"
            shift
            ;;
        --tls1_1)
            SSL_VERSION="-tls1_1"
            shift
            ;;
        --tls1_2)
            SSL_VERSION="-tls1_2"
            shift
            ;;
        --tls1_3)
            SSL_VERSION="-tls1_3"
            shift
            ;;
        --ocsp)
            # deprecated
            shift
            ;;
        --ignore-incomplete-chain)
            IGNORE_INCOMPLETE_CHAIN=1
            shift
            ;;
        --ignore-ocsp)
            OCSP=""
            shift
            ;;
        --ignore-ocsp-errors)
            OCSP_IGNORE_ERRORS=1
            shift
            ;;
        --ignore-ocsp-timeout)
            OCSP_IGNORE_TIMEOUT=1
            shift
            ;;
        --terse)
            TERSE=1
            shift
            ;;
        -v | --verbose)
            VERBOSE=$((VERBOSE + 1))
            shift
            ;;
        -V | --version)
            echo "check_ssl_cert version ${VERSION}"
            exit "${STATUS_UNKNOWN}"
            ;;
        -4)
            INETPROTO="-4"
            shift
            ;;
        -6)
            INETPROTO="-6"
            shift
            ;;

        ########################################
        # Options with one argument

        -c | --critical)
            check_option_argument '-c,--critical' "$2"
            CRITICAL_DAYS="$2"
            CRITICAL_SECONDS=$(days_to_seconds "${CRITICAL_DAYS}")
            shift 2
            ;;
        --check-ciphers)
            check_option_argument '--check-ciphers' "$2"
            CHECK_CIPHERS="$2"
            shift 2
            ;;
        --curl-bin)
            check_option_argument '--curl-bin' "$2"
            CURL_BIN="$2"
            shift 2
            ;;
        --curl-user-agent)
            check_option_argument '--curl-user-agent' "$2"
            CURL_USER_AGENT="$2"
            shift 2
            ;;
        --custom-http-header)
            check_option_argument '--custom-http-header' "$2"
            CUSTOM_HTTP_HEADER="$2"
            shift 2
            ;;
        --date)
            check_option_argument '--date' "$2"
            DATEBIN="$2"
            shift 2
            ;;
        # Deprecated option: used to be as --warning
        --days)
            check_option_argument '--days' "$2"
            WARNING_DAYS="$2"
            WARNING_SECONDS=$(days_to_seconds "${WARNING_DAYS}")
            shift 2
            ;;
        --debug-file)
            check_option_argument '--debug-file' "$2"
            DEBUG_FILE="$2"
            shift 2
            ;;
        --dig-bin)
            check_option_argument '--dig-bin' "$2"
            DIG_BIN="$2"
            shift 2
            ;;
        --inetproto)
            check_option_argument '--inetproto' "$2"
            INETPROTO="-$2"
            shift 2
            ;;
        --nmap-bin)
            check_option_argument '--nmap-bin' "$2"
            NMAP_BIN="$2"
            ;;
        -e | --email)
            check_option_argument 'e|--email' "$2"
            ADDR="$2"
            shift 2
            ;;
        -f | --file)
            check_option_argument ' -f|--file' "$2"
            FILE="$2"
            # remove _HOST_ from COMMON_NAME
            COMMON_NAME=$(echo "${COMMON_NAME}" | sed 's/__HOST__\ *//')
            ALTNAMES=
            shift 2
            ;;
        --file-bin)
            check_option_argument '--file-bin' "$2"
            FILE_BIN="$2"
            shift 2
            ;;
        --format)
            check_option_argument '--format' "$2"
            FORMAT="$2"
            shift 2
            ;;
        -H | --host)
            check_option_argument '-H|--host' "$2"
            HOST="$2"
            # remove http[s] from the input
            if echo "${HOST}" | grep -F -q '://'; then
                # try to remove the protocol (we do not consider URLs without
                # an authority (https://en.wikipedia.org/wiki/URL)
                debuglog "Stripping protocol and path from URL"
                HOST=$(echo "${HOST}" | sed 's/^[a-z]*:\/\///' | sed 's/\/.*//')
            fi
            shift 2
            ;;
        -i | --issuer)
            check_option_argument '-i|--issuer' "$2"
            ISSUER="$2"
            shift 2
            ;;
        --issuer-cert-cache)
            check_option_argument '--issuer-cert-cache' "$2"
            ISSUER_CERT_CACHE="$2"
            shift 2
            ;;
        -L | --check-ssl-labs)
            check_option_argument '-L|--check-ssl-labs' "$2"
            SSL_LAB_CRIT_ASSESSMENT="$2"
            shift 2
            ;;
        --check-ssl-labs-warn)
            check_option_argument '--check-ssl-labs-warn' "$2"
            SSL_LAB_WARN_ASSESTMENT="$2"
            shift 2
            ;;
        --serial)
            check_option_argument '--serial' "$2"
            SERIAL_LOCK="$2"
            shift 2
            ;;
        --element)
            check_option_argument '--element' "$2"
            ELEMENT="$2"
            shift 2
            ;;
        --skip-element)
            check_option_argument '--skip-element' "$2"
            if [ -z "${SKIP_ELEMENT}" ]; then
                SKIP_ELEMENT="$2"
            else
                SKIP_ELEMENT="${SKIP_ELEMENT}\\n$2"
            fi
            shift 2
            ;;
        --fingerprint)
            check_option_argument '--fingerprint' "$2"
            FINGERPRINT_LOCK="$2"
            shift 2
            ;;
        --long-output)
            check_option_argument '--long-output' "$2"
            LONG_OUTPUT_ATTR="$2"
            shift 2
            ;;
        -n | --cn)
            check_option_argument ' -n|--cn' "$2"
            if [ -z "${COMMON_NAME}" ]; then
                COMMON_NAME="${2}"
            else
                COMMON_NAME="${COMMON_NAME} ${2}"
            fi
            debuglog "--cn specified: COMMON_MANE = ${COMMON_NAME}"
            shift 2
            ;;
        --not-issued-by)
            check_option_argument '--not-issued-by' "$2"
            NOT_ISSUED_BY="$2"
            shift 2
            ;;
        --not-valid-longer-than)
            check_option_argument '--not-valid-longer-than' "$2"
            NOT_VALID_LONGER_THAN=$2
            shift 2
            ;;
        --ocsp-critical)
            check_option_argument '--ocsp-critical' "$2"
            OCSP_CRITICAL="$2"
            shift 2
            ;;
        --ocsp-warning)
            check_option_argument '--ocsp-warning' "$2"
            OCSP_WARNING="$2"
            shift 2
            ;;
        -o | --org)
            check_option_argument '-o|--org' "$2"
            ORGANIZATION="$2"
            shift 2
            ;;
        --openssl)
            check_option_argument '--openssl' "$2"
            OPENSSL="$2"
            shift 2
            ;;
        --password)
            check_option_argument '--password' "$2"
            PASSWORD_SOURCE="$2"
            shift 2
            ;;
        -p | --port)
            check_option_argument '-p|--port' "$2"
            PORT="$2"
            XMPPPORT="$2"
            shift 2
            ;;
        -P | --protocol)
            check_option_argument '-P|--protocol' "$2"
            PROTOCOL="$2"
            shift 2
            ;;
        --proxy)
            check_option_argument '--proxy' "$2"
            PROXY="$2"
            export http_proxy="$2"
            shift 2
            ;;
        --resolve)
            check_option_argument '--resolve' "$2"
            RESOLVE="$2"
            shift 2
            ;;
        -r | --rootcert)
            check_option_argument '-r|--rootcert' "$2"
            ROOT_CA="$2"
            shift 2
            ;;
        --rootcert-dir)
            check_option_argument '--rootcert-dir' "$2"
            ROOT_CA_DIR="$2"
            shift 2
            ;;
        --rootcert-file)
            check_option_argument '--rootcert-file' "$2"
            ROOT_CA_FILE="$2"
            shift 2
            ;;
        -C | --clientcert)
            check_option_argument '-C|--clientcert' "$2"
            CLIENT_CERT="$2"
            shift 2
            ;;
        -K | --clientkey)
            check_option_argument '-K|--clientkey' "$2"
            CLIENT_KEY="$2"
            shift 2
            ;;
        --clientpass)
            if [ $# -gt 1 ]; then
                CLIENT_PASS="$2"
                shift 2
            else
                unknown "--clientpass requires an argument"
            fi
            ;;
        --sni)
            check_option_argument '--sni' "$2"
            SNI="$2"
            shift 2
            ;;
        -S | --ssl)
            check_option_argument '' "$2"
            if [ "$2" = "2" ] || [ "$2" = "3" ]; then
                SSL_VERSION="-ssl${2}"
                shift 2
            else
                unknown "invalid argument for --ssl"
            fi
            ;;
        -t | --timeout)
            check_option_argument '-t|--timeout' "$2"
            TIMEOUT="$2"
            shift 2
            ;;
        --temp)
            check_option_argument '--temp' "$2"
            TMPDIR="$2"
            shift 2
            ;;
        -u | --url)
            check_option_argument '-u|--url' "$2"
            HTTP_REQUEST_URL="$2"
            shift 2
            ;;
        -w | --warning)
            check_option_argument '-w|--warning' "$2"
            WARNING_DAYS="$2"
            WARNING_SECONDS=$(days_to_seconds "${WARNING_DAYS}")
            shift 2
            ;;
        --xmpphost)
            check_option_argument '--xmpphost' "$2"
            XMPPHOST="$2"
            shift 2
            ;;

        ##############################
        # Variable number of arguments
        --dane)

            if [ -n "${DANE}" ]; then
                unknown "--dane can be specified only once"
            fi

            # check the second parameter if it exist
            if [ $# -gt 1 ]; then

                # shellcheck disable=SC2295
                if [ "${2%${2#?}}"x = '-x' ]; then
                    DANE=1
                    shift
                else
                    DANE=$2
                    shift 2
                fi

            else

                DANE=1
                shift

            fi

            ;;

        --require-client-cert)

            REQUIRE_CLIENT_CERT=1

            # check the second optional parameter if it exist
            if [ $# -gt 1 ]; then
                # shellcheck disable=SC2295
                if [ "${2%${2#?}}"x = '-x' ]; then
                    shift
                else
                    REQUIRE_CLIENT_CERT_CAS=$2
                    shift 2
                fi
            else
                shift
            fi

            ;;

        --ignore-connection-problems)

            # default OK
            IGNORE_CONNECTION_STATE="${STATUS_OK}"

            # check the second optional parameter if it exist
            if [ $# -gt 1 ]; then
                # shellcheck disable=SC2295
                if [ "${2%${2#?}}"x = '-x' ]; then
                    shift
                else
                    IGNORE_CONNECTION_STATE=$2
                    shift 2
                fi
            else
                shift
            fi

            ;;

        ########################################
        # Special
        --)
            shift
            break
            ;;
        -*)
            # we try to check for grouped variables
            OPTION="${1}"
            # if the option begins with a single dash and it's longer than one character
            OPTION_TMP="$(echo "${OPTION}" | wc -c | sed 's/\ //g')"
            if ! echo "${OPTION}" | grep -q -- '^--' &&
                [ "${OPTION_TMP}" -gt 3 ]; then
                if [ "${DEBUG}" -gt 0 ]; then
                    echo "[DBG]   unknown option ${OPTION}: splitting since it could be an option group"
                fi
                for letter in $(echo "${OPTION}" | sed 's/^-//' | grep -o .); do
                    parse_command_line_options "-${letter}"
                done
                shift
            else
                unknown "invalid option: ${1}"
            fi
            ;;
        *)
            if [ -n "$1" ]; then
                unknown "invalid option: ${1}"
            fi
            break
            ;;
        esac

    done

}

################################################################################
# Main
################################################################################
main() {

    # Default values

    ALTNAMES=1             # enabled by default
    COMMON_NAME="__HOST__" # enabled by default
    CRITICAL_DAYS=15
    CRITICAL_SECONDS=$(days_to_seconds "${CRITICAL_DAYS}")
    CRL=""
    CURL_BIN=""
    CURL_PROXY=""
    CURL_USER_AGENT=""
    CUSTOM_HTTP_HEADER=""
    DANE=""
    DEBUG="0"
    DIG_BIN=""
    DISALLOWED_PROTOCOLS=""
    ECDSA=""
    ELEMENT=0
    FILE_BIN=""
    FORCE_DCONV_DATE=""
    FORCE_PERL_DATE=""
    FORMAT=""
    HTTP_METHOD="HEAD"
    HTTP_REQUEST_URL="/"
    IGNORE_SSL_LABS_CACHE=""
    NMAP_BIN=""
    NO_PROXY=""
    NO_PROXY_CURL=""
    NO_PROXY_S_CLIENT=""
    OCSP="1" # enabled by default
    OCSP_IGNORE_ERRORS=""
    OCSP_IGNORE_TIMEOUT=""
    PORT=""
    PROMETHEUS_OUTPUT_STATUS=""
    PROMETHEUS_OUTPUT_VALID=""
    PROMETHEUS_OUTPUT_DAYS=""
    PROXY=""
    REQUIRE_OCSP_STAPLING=""
    REQUIRE_SAN=1
    RSA=""
    SCT="1" # enabled by default
    SKIP_ELEMENT=""
    SNI=""
    TIMEOUT="120"
    VERBOSE="0"
    WARNING_DAYS=20
    WARNING_SECONDS=$(days_to_seconds "${WARNING_DAYS}")
    XMPPHOST=""
    XMPPPORT="5222"

    # after 2020-09-01 we could set the default to 398 days because of Apple
    # https://support.apple.com/en-us/HT211025
    NOT_VALID_LONGER_THAN=""
    FIRST_ELEMENT_ONLY=""

    # Set the default temp dir if not set
    if [ -z "${TMPDIR}" ]; then
        TMPDIR="/tmp"
    fi

    ################################################################################
    # Process command line options
    #
    # We do not use getopts since it is unable to process long options and it is
    # Bash specific.

    parse_command_line_options "$@"

    ################################################################################
    # Default ports
    if [ -z "${PORT}" ]; then

        if [ -z "${PROTOCOL}" ]; then

            # default is HTTPS
            PORT='443'

        else

            case "${PROTOCOL}" in
            smtp)
                PORT=25
                ;;
            smtps)
                PORT=465
                ;;
            pop3)
                PORT=110
                ;;
            ftp | ftps)
                PORT=21
                ;;
            pop3s)
                PORT=995
                ;;
            irc | ircs)
                PORT=6667
                ;;
            ldap)
                PORT=389
                ;;
            ldaps)
                PORT=636
                ;;
            imap)
                PORT=143
                ;;
            imaps)
                PORT=993
                ;;
            postgres)
                PORT=5432
                ;;
            sieve)
                PORT=4190
                ;;
            http)
                PORT=80
                ;;
            https | h2)
                PORT=443
                ;;
            mysql)
                PORT=3306
                ;;
            *)
                unknown "Error: unsupported protocol ${PROTOCOL}"
                ;;
            esac

        fi

    fi

    if [ -n "${DEBUG_FILE}" ]; then
        open_for_appending "${DEBUG_FILE}"
        date >>"${DEBUG_FILE}"
    fi

    debuglog "Command line arguments: ${COMMAND_LINE_ARGUMENTS}"
    debuglog "  TMPDIR = ${TMPDIR}"

    if [ -n "${ALL}" ]; then

        # enable ciphers checks (level A)
        SSL_LAB_CRIT_ASSESSMENT='A'

    fi

    if [ -n "${ALL_LOCAL}" ] || [ -n "${ALL}" ]; then

        # enable ciphers checks (level A)
        CHECK_CIPHERS='A'

        # enable ciphers warnings
        CHECK_CIPHERS_WARNINGS=1

        if "${OPENSSL}" s_client -help 2>&1 | grep -q -- '-no_ssl2'; then
            debuglog "s_client supports -no_ssl2: disabling"
            # disable SSL 2.0 and SSL 3.0
            SSL_VERSION_DISABLED="${SSL_VERSION_DISABLED} -no_ssl2 -no_ssl3"
        else
            # disable SSL 3.0 (SSL 2.0 is not supported anymore)
            SSL_VERSION_DISABLED="${SSL_VERSION_DISABLED} -no_ssl3"
        fi

    fi

    ##############################
    # Check options: sanity checks

    if [ -z "${HOST}" ] && [ -z "${FILE}" ]; then
        usage "No host specified"
    elif [ -z "${HOST}" ] && [ -n "${FILE}" ]; then
        HOST='localhost'
    fi

    # we need the FQDN of an host to check the CN
    if ! echo "${HOST}" | grep -q '[.]' && [ -z "${FILE}" ] && [ "${HOST}" != 'localhost' ]; then
        debuglog "Domain for ${HOST} missing"
        DOMAIN=$(nslookup "${HOST}" | grep ^Name: | head -n 1 | cut -d. -f2-)
        if [ -z "${DOMAIN}" ]; then
            unknown "Cannot resolve ${HOST}"
        fi
        debuglog "Adding domain ${DOMAIN} to ${HOST}"
        HOST="${HOST}.${DOMAIN}"
        debuglog "New host: ${HOST}"
    fi

    ################################################################################
    # Usually SERVERADDR and SERVERNAME both contain the fully qualified domain name
    # (FQDN) or IP address of the host to check
    #
    # If --resolve is specified (defining an alternative IP address for the HOST
    # we set SERVERADDR to the address specified with --resolve and SERVERNAME to the
    # FQDN of the host.
    #
    # In addition we set the Server Name Indication (SNI) to HOST so that when
    # connecting with the IP address the server will be able to deliver the
    # correct certificate
    #
    if [ -n "${RESOLVE}" ]; then

        debuglog "Forcing ${HOST} to resolve to ${RESOLVE}"

        HOST_ADDR="${RESOLVE}"
        HOST_NAME="${HOST}"
        SNI="${HOST}"

    else

        HOST_ADDR="${HOST}"
        HOST_NAME="${HOST}"

    fi

    debuglog "SNI         = ${SNI}"
    debuglog "HOST_NAME   = ${HOST_NAME}"
    debuglog "HOST_ADDR   = ${HOST_ADDR}"
    debuglog "COMMON_NAME = ${COMMON_NAME}"

    # if the host name contains a / (e.g., a URL) the regex for COMMON_NAME substitution fails
    #   we check that only allowed characters are present
    #   we don't need a complete validation since a wrong host name will fail anyway
    if ! echo "${HOST_NAME}" | grep -q '^[.a-zA-Z0-9\_\-]*$'; then
        unknown "Invalid host name: ${HOST_NAME}"
    fi

    # we accept underscores since some hosts with an underscore exist but these names
    # are invalid: we issue a small warning
    if echo "${HOST_NAME}" | grep -q '[\_]' && [ -n "${VERBOSE}" ]; then
        verboselog "Warning: ${HOST_NAME} contains an underscore (invalid)"
    fi

    ################################################################################
    # Set COMMON_NAME to hostname if -N was given as argument.
    # COMMON_NAME may be a space separated list of hostnames.
    case ${COMMON_NAME} in
    *__HOST__*)
        # localhost is used for files to be checked: we ignore it
        if [ "${HOST_NAME}" != 'localhost' ]; then
            COMMON_NAME=$(echo "${COMMON_NAME}" | sed "s/__HOST__/${HOST_NAME}/")
        fi
        ;;
    *) ;;
    esac
    debuglog "COMMON_NAME = ${COMMON_NAME}"

    if [ -n "${ALTNAMES}" ] && [ -z "${COMMON_NAME}" ]; then
        unknown "--altnames requires a common name to match (--cn or --host-cn)"
    fi

    ##############################################################################
    # file
    if [ -z "${FILE_BIN}" ]; then
        FILE_BIN='file'
    fi
    check_required_prog "${FILE_BIN}"
    FILE_BIN=${PROG}

    ##############################################################################
    # OpenSSL
    if [ -n "${OPENSSL}" ]; then
        if [ ! -x "${OPENSSL}" ]; then
            unknown "${OPENSSL} is not an executable"
        fi
    else
        OPENSSL='openssl'
    fi
    check_required_prog "${OPENSSL}"
    OPENSSL=${PROG}

    ##############################################################################
    # Root certificate
    if [ -n "${ROOT_CA}" ]; then

        if [ ! -r "${ROOT_CA}" ]; then
            unknown "Cannot read root certificate ${ROOT_CA}"
        fi

        if [ -d "${ROOT_CA}" ]; then
            ROOT_CA="-CApath ${ROOT_CA}"
        elif [ -f "${ROOT_CA}" ]; then

            # check if the file is in DER format and has to be converted
            if "${FILE_BIN}" -L -b "${ROOT_CA}" | grep -E -q '(data|Certificate)'; then

                create_temporary_file
                ROOT_CA_PEM=${TEMPFILE}
                debuglog "Converting ${ROOT_CA} (DER) to PEM: ${ROOT_CA_PEM}"

                create_temporary_file
                CONVERT_ERROR=${TEMPFILE}
                if ! ${OPENSSL} x509 -inform DER -outform PEM -in "${ROOT_CA}" -out "${ROOT_CA_PEM}" 2> "${CONVERT_ERROR}"; then

                    CONVERT_ERROR=$( head -n 1 "${CONVERT_ERROR}" )
                    prepend_critical_message "Error converting ${ROOT_CA} to PEM: ${CONVERT_ERROR}"
                    critical "${SHORTNAME} CRITICAL: Error converting ${ROOT_CA} to PEM: ${CONVERT_ERROR}"

                fi

                ROOT_CA="-CAfile ${ROOT_CA_PEM}"

            else

                ROOT_CA="-CAfile ${ROOT_CA}"

            fi

        else
            FILE_TMP="$(file "${ROOT_CA}" 2>/dev/null)"
            unknown "Root certificate of unknown type ${FILE_TMP}"
        fi

        debuglog "Root CA option = ${ROOT_CA}"

    fi

    if [ -n "${REQUIRE_CLIENT_CERT}" ]; then
        debuglog "Check if at at least one client certificate is accepted"
        if [ -n "${REQUIRE_CLIENT_CERT_CAS}" ]; then
            debuglog "  from the following CAs: ${REQUIRE_CLIENT_CERT_CAS}"
        fi
    fi

    if [ -n "${ROOT_CA_DIR}" ]; then

        if [ ! -d "${ROOT_CA_DIR}" ]; then
            unknown "${ROOT_CA_DIR} is not a directory"
        fi

        if [ ! -r "${ROOT_CA_DIR}" ]; then
            unknown "Cannot read root directory ${ROOT_CA_DIR}"
        fi

        ROOT_CA_DIR="-CApath ${ROOT_CA_DIR}"
    fi

    if [ -n "${ROOT_CA_FILE}" ]; then

        if [ ! -r "${ROOT_CA_FILE}" ]; then
            unknown "Cannot read root certificate ${ROOT_CA_FILE}"
        fi

    fi

    if [ -n "${ROOT_CA_DIR}" ] || [ -n "${ROOT_CA_FILE}" ]; then
        if [ -n "${ROOT_CA_FILE}" ]; then
            ROOT_CA="${ROOT_CA_DIR} -CAfile ${ROOT_CA_FILE}"
        else
            ROOT_CA="${ROOT_CA_DIR}"
        fi
    fi

    if [ -n "${CLIENT_CERT}" ]; then

        if [ ! -r "${CLIENT_CERT}" ]; then
            unknown "Cannot read client certificate ${CLIENT_CERT}"
        fi

    fi

    if [ -n "${CLIENT_KEY}" ]; then

        if [ ! -r "${CLIENT_KEY}" ]; then
            unknown "Cannot read client certificate key ${CLIENT_KEY}"
        fi

    fi

    if [ -n "${FILE}" ]; then
        if [ ! -r "${FILE}" ]; then
            unknown "Cannot read file ${FILE}"
        fi
    fi

    # check if grep is in the path (see #244)
    if ! echo 0 | grep 0 >/dev/null 2>&1; then
        unknown "cannot execute grep: please check the PATH variable (${PATH})"
    fi

    if [ -n "${CRITICAL_DAYS}" ]; then

        debuglog "-c specified: ${CRITICAL_DAYS}"

        if ! echo "${CRITICAL_DAYS}" | grep -E -q '^[0-9][0-9]*(\.[0-9][0-9]*)?$'; then
            unknown "invalid number of days '${CRITICAL_DAYS}'"
        fi

    fi

    if [ -n "${WARNING_DAYS}" ]; then

        debuglog "-w specified: ${WARNING_DAYS}"

        if ! echo "${WARNING_DAYS}" | grep -E -q '^[0-9][0-9]*(\.[0-9][0-9]*)?$'; then
            unknown "invalid number of days '${WARNING_DAYS}'"
        fi

    fi

    if [ -n "${CRITICAL_DAYS}" ] && [ -n "${WARNING_DAYS}" ] && [ -n "${CRITICAL_SECONDS}" ] && [ -n "${WARNING_SECONDS}" ]; then

        # When comparing, always use values in seconds, because values in days might be floating point numbers
        if [ "${WARNING_SECONDS}" -le "${CRITICAL_SECONDS}" ]; then
            unknown "--warning (${WARNING_DAYS}) is less than or equal to --critical (${CRITICAL_DAYS})"
        fi

    fi

    if [ -n "${NOT_VALID_LONGER_THAN}" ]; then

        debuglog "--not-valid-longer-than specified: ${NOT_VALID_LONGER_THAN}"

        if ! echo "${NOT_VALID_LONGER_THAN}" | grep -q '^[0-9][0-9]*$'; then
            unknown "invalid number of days '${NOT_VALID_LONGER_THAN}'"
        fi

    fi

    if [ -n "${CRL}" ] && [ -z "${ROOT_CA_FILE}" ]; then

        unknown "To be able to check CRL we need the Root Cert. Please specify it with the --rootcert-file option"

    fi

    if [ -n "${TMPDIR}" ]; then

        if [ ! -d "${TMPDIR}" ]; then
            unknown "${TMPDIR} is not a directory"
        fi

        if [ ! -w "${TMPDIR}" ]; then
            unknown "${TMPDIR} is not writable"
        fi

    fi

    if [ -n "${SSL_LAB_CRIT_ASSESSMENT}" ]; then
        convert_grade "${SSL_LAB_CRIT_ASSESSMENT}"
        SSL_LAB_CRIT_ASSESSMENT_NUMERIC="${NUMERIC_SSL_LAB_GRADE}"
    fi

    if [ -n "${SSL_LAB_WARN_ASSESTMENT}" ]; then
        convert_grade "${SSL_LAB_WARN_ASSESTMENT}"
        SSL_LAB_WARN_ASSESTMENT_NUMERIC="${NUMERIC_SSL_LAB_GRADE}"
        if [ -n "${SSL_LAB_CRIT_ASSESSMENT}" ]; then
            if [ "${SSL_LAB_WARN_ASSESTMENT_NUMERIC}" -lt "${SSL_LAB_CRIT_ASSESSMENT_NUMERIC}" ]; then
                unknown '--check-ssl-labs-warn must be greater than -L|--check-ssl-labs'
            fi
        fi
    fi

    if [ -n "${CHECK_CIPHERS}" ]; then
        convert_grade "${CHECK_CIPHERS}"
        CHECK_CIPHERS_NUMERIC="${NUMERIC_SSL_LAB_GRADE}"
    fi

    debuglog "ROOT_CA = ${ROOT_CA}"

    if [ -n "${IGNORE_CONNECTION_STATE}" ]; then
        if ! echo "${IGNORE_CONNECTION_STATE}" | grep -q '^[0-3]$'; then
            unknown "The specified state (${IGNORE_CONNECTION_STATE}) is not valid (must be 0,1,2 or 3)"
        fi
    fi

    #######################
    # Check needed programs

    # Signature algorithms
    if [ -n "${RSA}" ] && [ -n "${ECDSA}" ]; then
        unknown 'both --rsa and --ecdsa specified: cannot force both ciphers at the same time'
    fi

    # check if -sigalgs is available
    if [ -n "${RSA}" ] || [ -n "${ECDSA}" ]; then
        if ! "${OPENSSL}" s_client -help 2>&1 | grep -q -F -- -sigalgs; then
            unknown '--rsa or --ecdsa specified but OpenSSL does not support the -sigalgs option'
        fi
    fi

    if [ -n "${ECDSA}" ]; then
        # see https://github.com/matteocorti/check_ssl_cert/issues/164#issuecomment-540623344
        SSL_AU="ECDSA+SHA1:ECDSA+SHA224:ECDSA+SHA384:ECDSA+SHA256:ECDSA+SHA512"
    fi

    if [ -n "${RSA}" ]; then

        # check if ciphers with PSS are available
        if ! "${OPENSSL}" ciphers | grep -q -F 'PSS'; then
            NO_PSS=1
        fi

        if echo "${SSL_VERSION_DISABLED}" | grep -F -q -- '-no_tls1_3' ||
            [ "${SSL_VERSION}" = '-tls1' ] ||
            [ "${SSL_VERSION}" = '-tls1_1' ] ||
            [ "${SSL_VERSION}" = '-tls1_2' ] ||
            [ -n "${NO_PSS}" ]; then
            # see https://github.com/matteocorti/check_ssl_cert/issues/164#issuecomment-540623344
            # see https://github.com/matteocorti/check_ssl_cert/issues/167
            SSL_AU="RSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA224:RSA+SHA1"
        else
            # see https://github.com/matteocorti/check_ssl_cert/issues/164#issuecomment-540623344
            SSL_AU="RSA-PSS+SHA512:RSA-PSS+SHA384:RSA-PSS+SHA256:RSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA224:RSA+SHA1"
        fi
    fi
    if [ -n "${SSL_AU}" ]; then
        if ! "${OPENSSL}" ciphers "${SSL_AU}" >/dev/null 2>&1; then
            unknown "OpenSSL does not support cipher '${SSL_AU}'"
        fi
        SSL_AU="-sigalgs '${SSL_AU}'"
    fi

    # mktemp
    MKTEMP=$(command -v mktemp 2>/dev/null)
    if [ -z "${MKTEMP}" ]; then
        debuglog "mktemp not available"
    else
        debuglog "mktemp available: ${MKTEMP}"
    fi

    # date
    if [ -z "${DATEBIN}" ]; then
        check_required_prog 'date'
        DATEBIN=${PROG}
    fi

    FILE_BIN_VERSION="$("${FILE_BIN}" --version 2>&1)"
    debuglog "file version: ${FILE_BIN_VERSION}"

    # curl
    if [ -z "${CURL_BIN}" ]; then
        if [ -n "${SSL_LAB_CRIT_ASSESSMENT}" ] ||
            [ -n "${OCSP}" ] ||
            [ -n "${CRL}" ] ||
            [ -n "${IGNORE_CONNECTION_STATE}" ]; then
            debuglog "curl binary needed. SSL Labs = ${SSL_LAB_CRIT_ASSESSMENT}, OCSP = ${OCSP}, CURL = ${CRL}, IGNORE_CONNECTION_STATE=${IGNORE_CONNECTION_STATE}"
            debuglog "curl binary not specified"

            check_required_prog curl
            CURL_BIN=${PROG}

            debuglog "curl available: ${CURL_BIN}"
            CURL_BIN_VERSION_TMP="$(${CURL_BIN} --version)"
            debuglog "${CURL_BIN_VERSION_TMP}"

        else
            debuglog "curl binary not needed. SSL Labs = ${SSL_LAB_CRIT_ASSESSMENT}, OCSP = ${OCSP}"
        fi
    else
        # we check if the provided binary actually works
        check_required_prog "${CURL_BIN}"
    fi

    # nmap
    if [ -z "${NMAP_BIN}" ]; then

        if [ -n "${DISALLOWED_PROTOCOLS}" ] || [ -n "${CHECK_CIPHERS}" ] || [ -n "${CHECK_CIPHERS_WARNINGS}" ]; then

            if [ -n "${DISALLOWED_PROTOCOLS}" ]; then debuglog "nmap binary needed. DISALLOWED_PROTOCOLS = ${DISALLOWED_PROTOCOLS}"; fi
            if [ -n "${CHECK_CIPHERS}" ]; then debuglog "nmap binary needed. CHECK_CIPHERS = ${CHECK_CIPHERS}"; fi
            if [ -n "${CHECK_CIPHERS_WARNINGS}" ]; then debuglog "nmap binary needed. CHECK_CIPHERS_WARNINGS"; fi
            debuglog "nmap binary not specified"

            check_required_prog nmap
            NMAP_BIN=${PROG}

            debuglog "nmap available: ${NMAP_BIN}"
        else
            debuglog "nmap binary not needed. No disallowed protocols"
        fi

    else
        # we check if the provided binary actually works
        check_required_prog "${NMAP_BIN}"

    fi

    # Expect (optional)
    EXPECT="$(command -v expect 2>/dev/null)"
    test -x "${EXPECT}" || EXPECT=""
    if [ -z "${EXPECT}" ]; then
        verboselog "expect not available" 2
    else
        verboselog "expect available (${EXPECT})" 2
    fi

    # Timeout (optional)
    TIMEOUT_BIN="$(command -v timeout 2>/dev/null)"
    test -x "${TIMEOUT_BIN}" || TIMEOUT_BIN=""
    if [ -z "${TIMEOUT_BIN}" ]; then
        verboselog "timeout not available" 2
    else

        verboselog "timeout available (${TIMEOUT_BIN})" 2
    fi

    if [ -z "${TIMEOUT_BIN}" ] && [ -z "${EXPECT}" ]; then
        verboselog "disabling timeouts" 2
    fi

    PERL="$(command -v perl 2>/dev/null)"

    if [ -n "${PERL}" ]; then
        debuglog "perl available: ${PERL}"
    fi

    if [ -n "${DATEBIN}" ]; then
        debuglog "date available: ${DATEBIN}"
    fi

    DATETYPE=""

    if ! "${DATEBIN}" +%s >/dev/null 2>&1; then

        debuglog "no date binary available"

        # Perl with Date::Parse (optional)
        test -x "${PERL}" || PERL=""
        if [ -z "${PERL}" ]; then
            verboselog "Warning: Perl not found: disabling date computations"
        fi

        if ! ${PERL} -e "use Date::Parse;" >/dev/null 2>&1; then

            verboselog "Perl module Date::Parse not installed: disabling date computations"

            PERL=""

        else

            verboselog "Perl module Date::Parse installed: enabling date computations"

            DATETYPE="PERL"

        fi

    else

        debuglog 'checking date version'

        if "${DATEBIN}" --version 2>&1 | grep -F -q GNU; then
            DATETYPE='GNU'
        elif "${DATEBIN}" --version 2>&1 | grep -F -q BusyBox; then
            DATETYPE='BUSYBOX'
        else
            DATETYPE='BSD'
            if "${DATEBIN}" -f "%b %d %T %Y %Z" '' 2>&1 | grep -q -F 'date: unknown option -- f'; then
                debuglog "Old BSD date without -f: checking for dconv"

                DCONV_BIN=$(command -v dconv)
                if [ -z "${DCONV_BIN}" ]; then
                    unknown "Old version of date without the -f option detected and no dconv installed"
                else
                    debuglog "dconv detected: ${DCONV_BIN}"
                    DATETYPE='DCONV'
                fi
            fi
        fi

        debuglog "date computation type: ${DATETYPE}"
        verboselog "Found ${DATETYPE} date with timestamp support: enabling date computations" 2

    fi

    if [ -n "${FORCE_DCONV_DATE}" ] && [ -n "${FORCE_PERL_DATE}" ]; then
        unknown "--force-dconv-date and --force-perl-date cannot be specified at the same time"
    fi
    if [ -n "${FORCE_PERL_DATE}" ]; then
        DATETYPE="PERL"
    fi
    if [ -n "${FORCE_DCONV_DATE}" ]; then

        debuglog "Forcing date computations with dconv"

        DATETYPE="DCONV"
        check_required_prog dconv
        DCONV_BIN=${PROG}
        debuglog "dconv binary: ${DCONV_BIN}"

    fi

    if [ "${DEBUG}" -ge 1 ]; then

        debuglog "check_ssl_cert version: ${VERSION}"
        debuglog "OpenSSL binary: ${OPENSSL}"
        if [ "${DEBUG}" -ge 1 ]; then
            debuglog "OpenSSL info:"
            ${OPENSSL} version -a | sed 's/^/[DBG] /'
        fi
        OPENSSL_DIR="$(${OPENSSL} version -d | sed -E 's/OPENSSLDIR: "([^"]*)"/\1/')"

        debuglog "OpenSSL configuration directory: ${OPENSSL_DIR}"

        DEFAULT_CA=0
        if [ -f "${OPENSSL_DIR}"/cert.pem ]; then
            DEFAULT_CA="$(grep -c BEGIN "${OPENSSL_DIR}"/cert.pem)"
        elif [ -f "${OPENSSL_DIR}"/certs ]; then
            DEFAULT_CA="$(grep -c BEGIN "${OPENSSL_DIR}"/certs)"
        fi
        debuglog "${DEFAULT_CA} root certificates installed by default"

        UNAME_TMP="$(uname -a)"
        debuglog " System info: ${UNAME_TMP}"
        debuglog "Date computation: ${DATETYPE}"

    fi

    ################################################################################
    # Check if openssl s_client supports the -servername option
    #
    #   openssl s_client now has a -help option, so we can use that.
    #   Some older versions support -servername, but not -help
    #   => We supply an invalid command line option to get the help
    #      on standard error for these intermediate versions.
    #
    SERVERNAME=
    if ${OPENSSL} s_client -help 2>&1 | grep -F -q -- -servername || ${OPENSSL} s_client not_a_real_option 2>&1 | grep -F -q -- -servername; then

        if [ -n "${SNI}" ]; then
            SERVERNAME="-servername ${SNI}"
        else
            SERVERNAME="-servername ${HOST_NAME}"
        fi

        debuglog "'${OPENSSL} s_client' supports '-servername': using ${SERVERNAME}"

    else

        verboselog "'${OPENSSL} s_client' does not support '-servername': disabling virtual server support"

    fi

    ################################################################################
    # Check if openssl s_client supports the specified protocol
    if [ -n "${PROTOCOL}" ] && [ "${PROTOCOL}" = 'sieve' ]; then
        if ${OPENSSL} s_client "${INETPROTO}" -starttls sieve 2>&1 | grep -F -q 'Value must be one of:' || ${OPENSSL} s_client -starttls sieve 2>&1 | grep -F -q 'error: usage:'; then
            unknown "OpenSSL does not support the protocol sieve"
        fi
    fi

    if [ -n "${PROXY}" ] &&
        {
            [ -n "${NO_PROXY}" ] ||
                [ -n "${NO_PROXY_CURL}" ] ||
                [ -n "${NO_PROXY_S_CLIENT}" ]
        }; then
        unknown "Only one of --proxy or --no_proxy can be specified"
    fi

    debuglog "Proxy settings (before):"
    debuglog "  http_proxy  = ${http_proxy}"
    debuglog "  https_proxy = ${https_proxy}"
    debuglog "  HTTP_PROXY  = ${HTTP_PROXY}"
    debuglog "  HTTPS_PROXY = ${HTTPS_PROXY}"

    ################################################################################
    # If --no-proxy was specified unset the http_proxy variables
    if [ -n "${NO_PROXY}" ]; then
        debuglog "Disabling the proxy"
        unset http_proxy
        unset https_proxy
        unset HTTP_PROXY
        unset HTTPS_PROXY
    fi

    ################################################################################
    # Check if openssl s_client supports the -proxy option
    #
    SCLIENT_PROXY=
    SCLIENT_PROXY_ARGUMENT=
    CURL_PROXY=
    CURL_PROXY_ARGUMENT=
    if [ -n "${http_proxy}" ] || [ -n "${HTTP_PROXY}" ]; then

        if [ -n "${http_proxy}" ]; then
            HTTP_PROXY="${http_proxy}"
        fi

        if [ -z "${https_proxy}" ]; then
            # try to set https_proxy
            https_proxy="${http_proxy}"
        fi

        if [ -z "${HTTPS_PROXY}" ]; then
            # try to set HTTPS_proxy
            HTTPS_PROXY="${HTTP_PROXY}"
        fi

        if ${CURL_BIN} --manual | grep -F -q -- --proxy; then
            debuglog "Adding --proxy ${HTTP_PROXY} to the curl options"
            CURL_PROXY="--proxy"
            CURL_PROXY_ARGUMENT="${HTTP_PROXY}"
        fi

        if ${OPENSSL} s_client -help 2>&1 | grep -F -q -- -proxy || ${OPENSSL} s_client not_a_real_option 2>&1 | grep -F -q -- -proxy; then
            SCLIENT_PROXY="-proxy"
            SCLIENT_PROXY_ARGUMENT="$(echo "${HTTP_PROXY}" | sed 's/.*:\/\///' | sed 's/\/$//')"

            debuglog "Adding -proxy ${SCLIENT_PROXY_ARGUMENT} to the s_client options"

        else

            verboselog "'${OPENSSL} s_client' does not support '-proxy': HTTP_PROXY could be ignored"

        fi

    fi

    if [ -n "${NO_PROXY_CURL}" ]; then
        CURL_PROXY=''
        CURL_PROXY_ARGUMENT=''
    fi

    if [ -n "${NO_PROXY_S_CLIENT}" ]; then
        SCLIENT_PROXY=''
        SCLIENT_PROXY_ARGUMENT=''
    fi

    debuglog "Proxy settings (after):"
    debuglog "  http_proxy  = ${http_proxy}"
    debuglog "  https_proxy = ${https_proxy}"
    debuglog "  HTTP_PROXY  = ${HTTP_PROXY}"
    debuglog "  HTTPS_PROXY = ${HTTPS_PROXY}"
    debuglog "  s_client    = ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT}"
    debuglog "  curl        = ${CURL_PROXY} ${CURL_PROXY_ARGUMENT}"

    ################################################################################
    # Check if openssl s_client supports the -name option
    #
    S_CLIENT_NAME=
    if ${OPENSSL} s_client -help 2>&1 | grep -F -q -- -name || ${OPENSSL} s_client not_a_real_option 2>&1 | grep -F -q -- -name; then

        CURRENT_HOSTNAME=$(hostname)
        S_CLIENT_NAME="-name ${CURRENT_HOSTNAME}"

        debuglog "'${OPENSSL} s_client' supports '-name': using ${CURRENT_HOSTNAME}"

    else

        verboselog "'${OPENSSL} s_client' does not support '-name'"

    fi

    ################################################################################
    # Check if openssl s_client supports the -xmpphost option
    #
    if ${OPENSSL} s_client -help 2>&1 | grep -F -q -- -xmpphost; then
        XMPPHOST="-xmpphost ${XMPPHOST:-${HOST_NAME}}"
        debuglog "'${OPENSSL} s_client' supports '-xmpphost': using ${XMPPHOST}"
    else
        if [ -n "${XMPPHOST}" ]; then
            unknown " s_client' does not support '-xmpphost'"
        fi
        XMPPHOST=
        verboselog "'${OPENSSL} s_client' does not support '-xmpphost': disabling 'to' attribute"
    fi

    ################################################################################
    # check if openssl s_client supports the SSL TLS version
    if [ -n "${SSL_VERSION}" ]; then
        if ! "${OPENSSL}" s_client -help 2>&1 | grep -q -- "${SSL_VERSION}"; then
            unknown "OpenSSL does not support the ${SSL_VERSION} version"
        fi
    fi

    ################################################################################
    # --inetproto validation
    if [ -n "${INETPROTO}" ]; then

        # validate the arguments
        if [ "${INETPROTO}" != "-4" ] && [ "${INETPROTO}" != "-6" ]; then
            VERSION=$(echo "${INETPROTO}" | awk '{ string=substr($0, 2); print string; }')
            unknown "Invalid argument '${VERSION}': the value must be 4 or 6"
        fi

        # Check if openssl s_client supports the -4 or -6 option
        if ! "${OPENSSL}" s_client -help 2>&1 | grep -q -- "${INETPROTO}"; then
            unknown "OpenSSL does not support the ${INETPROTO} option"
        fi

        # Check if curl is needed and if it supports the -4 and -6 options
        if [ -z "${CURL_BIN}" ]; then
            if [ -n "${SSL_LAB_CRIT_ASSESSMENT}" ] || [ -n "${OCSP}" ]; then
                if ! "${CURL_BIN}" --manual | grep -F -q -- -6 && [ -n "${INETPROTO}" ]; then
                    unknown "curl does not support the ${INETPROTO} option"
                fi
            fi
        fi

        # check if IPv6 is available locally
	    if command -v ifconfig > /dev/null; then
	        ifconfig -a | grep -F -q inet6
	        IPV6_INTERFACE=$?
	    elif command -v ip > /dev/null; then
	        ip addr | grep -F -q inet6
	        IPV6_INTERFACE=$?
	    else
	        unknown "cannot determine if a network interface has IPv6 configured"
	    fi


        if [ -n "${INETPROTO}" ] && [ "${INETPROTO}" -eq "-6" ] && [ "${IPV6_INTERFACE}" -ne 0 ]; then
            unknown "cannot connect using IPv6 as no local interface has IPv6 configured"
        fi

        # nmap does not have a -4 switch
        NMAP_INETPROTO=''
        if [ -n "${INETPROTO}" ] && [ "${INETPROTO}" = '-6' ]; then
            NMAP_INETPROTO='-6'
        fi

    fi

    ################################################################################
    # Check if s_client supports the no_ssl options
    for S_CLIENT_OPTION in ${SSL_VERSION_DISABLED}; do
        require_s_client_option "${S_CLIENT_OPTION}"
    done

    ################################################################################
    # define the HTTP request string
    if [ -n "${SNI}" ]; then
        HOST_HEADER="${SNI}"
    else
        HOST_HEADER="${HOST_NAME}"
    fi
    debuglog "HOST_HEADER = ${HOST_HEADER}"

    # add newline if custom HTTP header is defined
    if [ -n "${CUSTOM_HTTP_HEADER}" ]; then
        CUSTOM_HTTP_HEADER="${CUSTOM_HTTP_HEADER}\\n"
    fi

    # HTTP version
    if [ "${PROTOCOL}" = 'h2' ]; then
        HTTP_VERSION="2"
    else
        HTTP_VERSION="1.1"
    fi

    HTTP_REQUEST="${HTTP_METHOD} ${HTTP_REQUEST_URL} HTTP/${HTTP_VERSION}\\nHost: ${HOST_HEADER}\\nUser-Agent: check_ssl_cert/${VERSION}\\n${CUSTOM_HTTP_HEADER}Connection: close\\n\\n"

    ##############################################################################
    # Check for disallowed protocols
    if [ -n "${DISALLOWED_PROTOCOLS}" ]; then

        # check if the host has an IPv6 address only (as nmap is not able to resolve without the -6 switch)
        if ! host "${HOST_ADDR}" | grep -F -q ' has address ' ; then
            debuglog "the host does not have an IPv4 address. Trying nmap with -6 to force IPv6 for an IPv6-only host"
            NMAP_INETPROTO='-6'
        fi

        debuglog "Executing ${NMAP_BIN} -Pn -p \"${PORT}\" \"${NMAP_INETPROTO}\" --script ssl-enum-ciphers \"${HOST_ADDR}\" 2>&1 | grep '^|'"

        OFFERED_PROTOCOLS=$(${NMAP_BIN} -Pn -p "${PORT}" "${NMAP_INETPROTO}" --script ssl-enum-ciphers "${HOST_ADDR}" 2>&1 | grep '^|')

        debuglog "offered ciphers and protocols:"
        debuglog "${OFFERED_PROTOCOLS}" | sed 's/^|/[DBG] /'

        DISALLOWED_PROTOCOLS_FAIL=
        for protocol in ${DISALLOWED_PROTOCOLS}; do
            debuglog "Checking if '${protocol}' is offered"
            if echo "${OFFERED_PROTOCOLS}" | grep -F -v 'No supported ciphers found' | grep -q "${protocol}"; then
                debuglog "'${protocol}' is offered"
                DISALLOWED_PROTOCOLS_FAIL=1
                prepend_critical_message "${protocol} is offered"
            fi
        done

        if [ -z "${DISALLOWED_PROTOCOLS_FAIL}" ] ; then
            verboselog "no disallowed protocols offered"
        fi

    fi

    ##############################################################################
    # DANE
    if [ -n "${DANE}" ]; then
        debuglog 'checking DANE'
        if [ -z "${DIG_BIN}" ]; then
            DIG_BIN='dig'
        fi
        check_required_prog "${DIG_BIN}"
        DIG_BIN=${PROG}
        # check if OpenSSL supports -dane_tlsa_rrdata
        if ${OPENSSL} s_client -help 2>&1 | grep -F -q -- -dane_tlsa_rrdata || ${OPENSSL} s_client not_a_real_option 2>&1 | grep -F -q -- -dane_tlsa_rrdata; then
            DIG_RESULT=$("${DIG_BIN}" +short TLSA "_${PORT}._tcp.${HOST_ADDR}" | while read -r L; do echo " -dane_tlsa_rrdata '${L}' "; done)
            debuglog "Checking DANE (${DANE})"
            debuglog "$(printf '%s\n' "${DIG_BIN} +short TLSA _${PORT}._tcp.${HOST_ADDR} =")"
            debuglog "${DIG_RESULT}"

            case ${DANE} in
            1)
                DANE=$(echo "${DIG_RESULT}" | tr -d '\n')
                ;;
            211)
                DANE=$(echo "${DIG_RESULT}" | grep -F '2 1 1' | tr -d '\n')
                ;;
            301)
                DANE=$(echo "${DIG_RESULT}" | grep -F '3 0 1' | tr -d '\n')
                ;;
            311)
                DANE=$(echo "${DIG_RESULT}" | grep -F '3 1 1' | tr -d '\n')
                ;;
            312)
                DANE=$(echo "${DIG_RESULT}" | grep -F '3 1 2' | tr -d '\n')
                ;;
            302)
                DANE=$(echo "${DIG_RESULT}" | grep -F '3 0 2' | tr -d '\n')
                ;;
            *)
                unknown "Internal error: unknown DANE check type ${DANE}"
                ;;
            esac
            debuglog "${#DANE} DANE ="
            debuglog "${DANE}"

            if [ ${#DANE} -lt 5 ]; then
                prepend_critical_message "No matching TLSA records found at _${PORT}._tcp.${HOST_ADDR}"
                critical "${SHORTNAME} CRITICAL: No matching TLSA records found at _${PORT}._tcp.${HOST_ADDR}"
            else
                verboselog "DANE OK"
            fi
            DANE="${DANE} -dane_tlsa_domain ${HOST_ADDR} "
            debuglog "DBG] DANE = ${DANE}"
        else
            unknown 'OpenSSL s_client does not support DNS-based Authentication of Named Entities'
        fi
    fi

    # OpenSSL 3.0.0 gives an error for legacy renegotiation: ignore the error if --ignore-tls-renegotiation was specified
    if [ -n "${IGNORE_TLS_RENEGOTIATION}" ]; then
        debuglog "--ignore-tls-renegotiation specified: checking OpenSSL version and -legacy_renegotiation support"
        if "${OPENSSL}" s_client -help 2>&1 | grep -q -F -- "-legacy_renegotiation"; then
            debuglog "OpenSSL s_client supports the -legacy_renegotiation option"
            RENEGOTIATION="-legacy_renegotiation"
        fi
    fi

    ################################################################################
    # Connection check
    if [ -n "${IGNORE_CONNECTION_STATE}" ]; then

        debuglog "Testing connection with ${HOST}:${PORT} with timeout ${TIMEOUT}"

        # we check with curl if a connection is possible
        debuglog "Executing: ${CURL_BIN} --silent --connect-timeout ${TIMEOUT} ${HOST}:${PORT}"

        "${CURL_BIN}" --silent --connect-timeout "${TIMEOUT}" "${HOST}":"${PORT}" >/dev/null
        CURL_EXIT_STATUS=$?

        debuglog "  curl exited with status ${CURL_EXIT_STATUS}"

        # curl exit codes
        # -  7 Failed to connect to host
        # - 28 Timeout
        if [ "${CURL_EXIT_STATUS}" -eq 28 ] ||
            [ "${CURL_EXIT_STATUS}" -eq 7 ]; then

            debuglog "  connection timed out: exiting with code ${IGNORE_CONNECTION_STATE}"

            case "${IGNORE_CONNECTION_STATE}" in
            "${STATUS_OK}")
                echo "${SHORTNAME} OK: Cannot connect to ${HOST}:${PORT}"
                exit "${STATUS_OK}"
                ;;
            "${STATUS_WARNING}")
                echo "${SHORTNAME} WARNING: Cannot connect to ${HOST}:${PORT}"
                exit "${STATUS_WARNING}"
                ;;
            "${STATUS_CRITICAL}")
                echo "${SHORTNAME} CRITICAL: Cannot connect to ${HOST}:${PORT}"
                exit "${STATUS_CRITICAL}"
                ;;
            "${STATUS_UNKNOWN}")
                unknown "Cannot connect to ${HOST}:${PORT}"
                ;;
            *)
                unknown "Wrong exit code () specified for --ignore-connection-problem"
                ;;
            esac

            exit

        fi

    fi

    debuglog "Sanity checks: OK"

    ################################################################################
    # Fetch the X.509 certificate

    # Temporary storage for the certificate and the errors
    create_temporary_file
    CERT=${TEMPFILE}
    create_temporary_file
    ERROR=${TEMPFILE}

    create_temporary_file
    CRL_TMP_DER=${TEMPFILE}
    create_temporary_file
    CRL_TMP_PEM=${TEMPFILE}
    create_temporary_file
    CRL_TMP_CHAIN=${TEMPFILE}

    if [ -n "${OCSP}" ]; then

        create_temporary_file
        ISSUER_CERT_TMP=${TEMPFILE}
        create_temporary_file
        ISSUER_CERT_TMP2=${TEMPFILE}

    fi

    if [ -n "${REQUIRE_OCSP_STAPLING}" ]; then
        create_temporary_file
        OCSP_RESPONSE_TMP=${TEMPFILE}
    fi

    debuglog "Temporary files created"

    if [ -z "${FILE}" ]; then
        verboselog "Downloading certificate to ${TMPDIR}" 2
    fi

    CLIENT=""
    if [ -n "${CLIENT_CERT}" ]; then
        CLIENT="-cert ${CLIENT_CERT}"
    fi
    if [ -n "${CLIENT_KEY}" ]; then
        CLIENT="${CLIENT} -key ${CLIENT_KEY}"
    fi

    CLIENTPASS=""
    if [ -n "${CLIENT_PASS}" ]; then
        CLIENTPASS="-pass pass:${CLIENT_PASS}"
    fi

    # Cleanup before program termination
    # Using named signals to be POSIX compliant
    # shellcheck disable=SC2086
    trap_with_arg cleanup ${SIGNALS}

    fetch_certificate

    if ascii_grep 'sslv3\ alert\ unexpected\ message' "${ERROR}"; then

        if [ -n "${SERVERNAME}" ]; then

            verboselog "'${OPENSSL} s_client' returned an error: trying without '-servername'"

            SERVERNAME=""
            fetch_certificate

        fi

        if ascii_grep 'sslv3\ alert\ unexpected\ message' "${ERROR}"; then

            prepend_critical_message 'cannot fetch certificate: OpenSSL got an unexpected message'

        fi

    fi

    # check for TLS renegotiation
    if openssl_version '3.0.0' ; then
        debuglog 'Skipping TLS renegotiation check as OpenSSL 3.0.0 enforces it by default'

    else

        if [ -z "${IGNORE_TLS_RENEGOTIATION}" ] && [ -z "${FILE}" ]; then

            debuglog "checking TLS renegotiation"

            # see https://www.mcafee.com/blogs/enterprise/tips-securing-ssl-renegotiation/

            case "${PROTOCOL}" in
                pop3 | ftp | smtp | irc | ldap | imap | postgres | sieve | xmpp | xmpp-server | mysql)
                    exec_with_timeout "printf 'R\\n' | ${OPENSSL} s_client ${INETPROTO} -crlf -connect ${HOST_ADDR}:${PORT} -starttls ${PROTOCOL} 2>&1 | grep -F -q err"
                    RET=$?
                    ;;
                *)
                    exec_with_timeout "printf 'R\\n' | ${OPENSSL} s_client ${INETPROTO} -crlf -connect ${HOST_ADDR}:${PORT} 2>&1 | grep -F -q err"
                    RET=$?
                    ;;
            esac

            if [ "${RET}" -eq 1 ]; then

                if ascii_grep '^Secure\ Renegotiation\ IS\ NOT' "${CERT}" && ! ascii_grep 'TLSv1.3' "${CERT}"; then
                    prepend_critical_message 'TLS renegotiation is supported but not secure'
                else
                    verboselog "TLS renegotiation OK"
                fi

            else
                verboselog "TLS renegotiation OK"

            fi

        fi

    fi

    # check client certificates
    if [ -n "${REQUIRE_CLIENT_CERT}" ]; then

        debuglog "Checking required client cert CAs"

        if ascii_grep "No client certificate CA names sent" "${CERT}"; then
            prepend_critical_message "Did not return any client certificate CA names"
        else

            for ca in $(echo "${REQUIRE_CLIENT_CERT_CAS}" | tr ',' '\n'); do

                debuglog "  checking ${ca}"

                if ! grep "${ca}" "${CERT}" | grep -q '^C\ =\ ' &&
                    ! grep "${ca}" "${CERT}" | grep -q '^\/C='; then
                    prepend_critical_message "${ca} is not listed as an acceptable client certificate CA"
                fi

            done

        fi

    fi

    if ascii_grep "BEGIN X509 CRL" "${CERT}"; then
        # we are dealing with a CRL file
        OPENSSL_COMMAND="crl"
        OPENSSL_PARAMS="-nameopt utf8,oneline,-esc_msb"
        OPENSSL_ENDDATE_OPTION="-nextupdate"
    else
        # look if we are dealing with a regular certificate file (x509)
        if ! ascii_grep "CERTIFICATE" "${CERT}"; then
            if [ -n "${FILE}" ]; then

                if [ -r "${FILE}" ]; then

                    if "${OPENSSL}" crl -in "${CERT}" -inform DER | grep -F -q "BEGIN X509 CRL"; then
                        debuglog "File is DER encoded CRL"

                        OPENSSL_COMMAND="crl"
                        OPENSSL_PARAMS="-inform DER -nameopt utf8,oneline,-esc_msb"
                        OPENSSL_ENDDATE_OPTION="-nextupdate"
                    else
                        prepend_critical_message "'${FILE}' is not a valid certificate file"
                    fi

                else

                    prepend_critical_message "'${FILE}' is not readable"

                fi

            else
                # See
                # http://stackoverflow.com/questions/1251999/sed-how-can-i-replace-a-newline-n
                #
                # - create a branch label via :a
                # - the N command appends a newline and and the next line of the input
                #   file to the pattern space
                # - if we are before the last line, branch to the created label $!ba
                #   ($! means not to do it on the last line (as there should be one final newline))
                # - finally the substitution replaces every newline with a space on
                #   the pattern space
                ERROR_MESSAGE="$(sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/; /g' "${ERROR}")"
                verboselog "error: ${ERROR_MESSAGE}"
                prepend_critical_message "No certificate returned"
                critical "${CRITICAL_MSG}"
            fi
        else
            # parameters for regular x509 certificates
            OPENSSL_COMMAND="x509"
            OPENSSL_PARAMS="-nameopt utf8,oneline,-esc_msb"
            OPENSSL_ENDDATE_OPTION="-enddate"
        fi

    fi

    verboselog "Parsing the ${OPENSSL_COMMAND} certificate file" 2

    ################################################################################
    # Parse the X.509 certificate or crl
    DATE="$(extract_cert_attribute 'enddate' "${CERT}")"
    info "Valid until" "${DATE}"

    if [ "${OPENSSL_COMMAND}" != 'crl' ]; then
	START_DATE="$(extract_cert_attribute 'startdate' "${CERT}")"
	info "Valid from" "${START_DATE}"
    fi

    if [ "${OPENSSL_COMMAND}" = "crl" ]; then
        CN=""
        SUBJECT=""
        SERIAL=0
        OCSP_URI=""
        VALID_ATTRIBUTES=",lastupdate,nextupdate,issuer,"
        ISSUERS="$(extract_cert_attribute 'issuer' "${CERT}")"
    else

        # we need to remove everything before 'CN = ', to remove an eventual email
        # supplied with / and additional elements (after ', ')

        if ! CN="$(extract_cert_attribute 'cn' "${CERT}")"; then
            if [ -z "${ALTNAMES}" ]; then
                debuglog "certificate without common name (CN), enabling altername names"
                verboselog "certificate without common name (CN), enabling altername names"
                ALTNAMES=1
            fi
        fi

        SUBJECT="$(extract_cert_attribute 'subject' "${CERT}")"
        debuglog "SUBJECT = ${SUBJECT}"

        info "Subject" "${CN}"

        SERIAL="$(extract_cert_attribute 'serial' "${CERT}")"
        debuglog "SERIAL = ${SERIAL}"

        info "Serial Number" "${SERIAL}"

        FINGERPRINT="$(extract_cert_attribute 'fingerprint' "${CERT}")"
        debuglog "FINGERPRINT = ${FINGERPRINT}"

        FINGERPRINT_INFO="$( echo "${FINGERPRINT}" | sed 's/Fingerprint=//' )"
        info "Fingerprint" "${FINGERPRINT_INFO}"

        # TO DO: we just take the first result: a loop over all the hosts should
        # be implemented
        OCSP_URI="$(extract_cert_attribute 'oscp_uri_single' "${CERT}")"
        debuglog "OCSP_URI = ${OCSP_URI}"

        info "Revocation information" "OCSP: ${OCSP_URI}"

        # Extract the issuers
        debuglog "Extracting issuers"

        # count the certificates in the chain
        NUM_CERTIFICATES=$(grep -F -c -- "-BEGIN CERTIFICATE-" "${CERT}")
        debuglog "  Number of certificates in the chain: ${NUM_CERTIFICATES}"

        debuglog "Checking certificate chain"

        # start with first certificate
        CERT_IN_CHAIN=1
        while [ "${CERT_IN_CHAIN}" -le "${NUM_CERTIFICATES}" ]; do

            debuglog "    extracting issuer for element ${CERT_IN_CHAIN}"
            if echo "${SKIP_ELEMENT}" | grep -q "${CERT_IN_CHAIN}"; then
                debuglog "    skipping element ${CERT_IN_CHAIN}"
                CERT_IN_CHAIN=$((CERT_IN_CHAIN + 1))
                continue
            fi

            if [ -n "${ISSUERS}" ]; then
		# add a newline
                ISSUERS="${ISSUERS}
"
            fi
            CERT_ELEMENT="$(sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "${CERT}" |
                awk -v n="${CERT_IN_CHAIN}" '/-BEGIN CERTIFICATE-/{l++} (l==n) {print}')"

            # get the organization and common name

            ELEMENT_ISSUER="$(extract_cert_attribute 'issuer' "${CERT_ELEMENT}" | grep -E "^(O|CN) ?= ?" | sed 's/^[^=]*=//' )"

            MESSAGE="$( echo "${ELEMENT_ISSUER}" | sed 's/^/ELEMENT_ISSUER=/' )"
            debuglog "${MESSAGE}"

            ISSUERS="${ISSUERS}${ELEMENT_ISSUER}"
	        MESSAGE="$( echo "${ISSUERS}" | sed 's/^/ISSUERS=/' )"
            debuglog "${MESSAGE}"


            CERT_IN_CHAIN=$((CERT_IN_CHAIN + 1))
            if ! [ "${ELEMENT}" -eq 0 ] && [ $((ELEMENT - CERT_IN_CHAIN)) -lt 0 ]; then
                break
            fi
        done

        debuglog "Certificate chain check finished"

    fi

    debuglog 'ISSUERS = '
    debuglog "${ISSUERS}"

    # we just consider the first HTTP(S) URI
    ISSUER_URI="$(extract_cert_attribute 'issuer_uri_single' "${CERT}")"

    # Check OCSP stapling
    if [ -n "${REQUIRE_OCSP_STAPLING}" ]; then

        grep -F -A 17 'OCSP response:' "${CERT}" >"${OCSP_RESPONSE_TMP}"

        debuglog "${OCSP_RESPONSE_TMP}"

        if ! ascii_grep 'Next Update' "${OCSP_RESPONSE_TMP}"; then
            prepend_critical_message "OCSP stapling not enabled"
        else
            NEXT_UPDATE=$(grep -o 'Next Update: .*$' "${OCSP_RESPONSE_TMP}" | cut -b14-)
            OCSP_EXPIRES_IN_HOURS=$(hours_until "${NEXT_UPDATE}")
            verboselog "OCSP stapling expires in ${OCSP_EXPIRES_IN_HOURS} hours"
            if [ -n "${OCSP_CRITICAL}" ] && [ "${OCSP_CRITICAL}" -ge "${OCSP_EXPIRES_IN_HOURS}" ]; then
                prepend_critical_message "${OPENSSL_COMMAND} OCSP stapling will expire in ${OCSP_EXPIRES_IN_HOURS} hour(s) on ${NEXT_UPDATE}"
            elif [ -n "${OCSP_WARNING}" ] && [ "${OCSP_WARNING}" -ge "${OCSP_EXPIRES_IN_HOURS}" ]; then
                append_warning_message "${OPENSSL_COMMAND} OCSP stapling will expire in ${OCSP_EXPIRES_IN_HOURS} hour(s) on ${NEXT_UPDATE}"
            fi
        fi

    fi

    SIGNATURE_ALGORITHM="$(extract_cert_attribute 'sig_algo' "${CERT}" | sed 's/.*:\ //' )"
    info "Signature algorithm" "${SIGNATURE_ALGORITHM}"

    if [ "${DEBUG}" -ge 1 ]; then
        debuglog "${SUBJECT}"
        debuglog "CN         = ${CN}"
        # shellcheck disable=SC2162
        echo "${ISSUERS}" | while read LINE; do
            debuglog "CA         = ${LINE}"
        done
        debuglog "SERIAL     = ${SERIAL}"
        debuglog "FINGERPRINT= ${FINGERPRINT}"
        debuglog "OCSP_URI   = ${OCSP_URI}"
        debuglog "ISSUER_URI = ${ISSUER_URI}"
        debuglog "${SIGNATURE_ALGORITHM}"
    fi

    info "Issuer URI" "${ISSUER_URI}"
    # shellcheck disable=SC2116,SC2086
    ISSUER_INFO="$( echo ${ISSUERS} )"
    info "Issuers" "${ISSUER_INFO}"

    if echo "${SIGNATURE_ALGORITHM}" | grep -F -q "sha1"; then

        if [ -n "${NOSIGALG}" ]; then

            verboselog "${OPENSSL_COMMAND} Certificate is signed with SHA-1"

        else

            prepend_critical_message "${OPENSSL_COMMAND} Certificate is signed with SHA-1"

        fi

    fi

    if echo "${SIGNATURE_ALGORITHM}" | grep -F -qi "md5"; then

        if [ -n "${NOSIGALG}" ]; then

            verboselog "${OPENSSL_COMMAND} Certificate is signed with MD5"

        else

            prepend_critical_message "${OPENSSL_COMMAND} Certificate is signed with MD5"

        fi

    fi

    ################################################################################
    # Generate the long output
    if [ -n "${LONG_OUTPUT_ATTR}" ]; then

        check_attr() {
            ATTR="$1"
            if ! echo "${VALID_ATTRIBUTES}" | grep -q ",${ATTR},"; then
                unknown "Invalid certificate attribute: ${ATTR}"
            else
                # shellcheck disable=SC2086
                value="$(${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT}" -noout -nameopt utf8,oneline,-esc_msb -"${ATTR}" | sed -e "s/.*=//")"
                LONG_OUTPUT="${LONG_OUTPUT}\\n${ATTR}: ${value}"
            fi

        }

        # Split on comma
        if [ "${LONG_OUTPUT_ATTR}" = "all" ]; then
            LONG_OUTPUT_ATTR="${VALID_ATTRIBUTES}"
        fi
        attributes=$(echo "${LONG_OUTPUT_ATTR}" | tr ',' '\n')
        for attribute in ${attributes}; do
            check_attr "${attribute}"
        done

        LONG_OUTPUT="$(echo "${LONG_OUTPUT}" | sed 's/\\n/\n/g')"

    fi

    ################################################################################
    # Check the presence of a subjectAlternativeName (required for Chrome)

    # Do not use grep --after-context=NUM but -A NUM so that it works on BusyBox

    SUBJECT_ALTERNATIVE_NAME="$(extract_cert_attribute 'subjectAlternativeName' "${CERT}")"
    debuglog "subjectAlternativeName = ${SUBJECT_ALTERNATIVE_NAME}"
    if [ -n "${REQUIRE_SAN}" ] && [ -z "${SUBJECT_ALTERNATIVE_NAME}" ] && [ "${OPENSSL_COMMAND}" != "crl" ]; then
        prepend_critical_message "The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address."
    else
        verboselog "The certificate for this site contains a Subject Alternative Name extension"
    fi

    for san in ${SUBJECT_ALTERNATIVE_NAME}; do
        info "Subject Alternative Name" "${san}"
    done

    ################################################################################
    # Check the CN
    if [ -n "${COMMON_NAME}" ]; then

        ok=""

        debuglog "check CN                   ${CN}"
        debuglog "COMMON_NAME              = ${COMMON_NAME}"
        debuglog "ALTNAMES                 = ${ALTNAMES}"
        debuglog "SUBJECT_ALTERNATIVE_NAME = ${SUBJECT_ALTERNATIVE_NAME}"

        IS_IP_TMP="$(is_ip "${COMMON_NAME}")"
        if [ "${IS_IP_TMP}" -eq 0 ]; then

            # Common name is case insensitive: using grep for comparison (and not 'case' with 'shopt -s nocasematch' as not defined in POSIX
            if echo "${CN}" | grep -q -i '^\*\.'; then

                # Or the literal with the wildcard
                CN_TMP="$(echo "${CN}" | sed -e 's/[.]/[.]/g' -e 's/[*]/[A-Za-z0-9_\-]*/')"
                debuglog "checking if the common name matches ^${CN_TMP}\$"
                if echo "${COMMON_NAME}" | grep -q -i "^${CN_TMP}\$"; then
                    debuglog "the common name ${COMMON_NAME} matches ^${CN_TMP}\$"
                    ok="true"
                fi

                # Or if both are exactly the same
                debuglog "checking if the common name matches ^${CN}\$"

                if echo "${COMMON_NAME}" | grep -q -i "^${CN}\$"; then
                    debuglog "the common name ${COMMON_NAME} matches ^${CN}\$"
                    ok="true"
                fi

            else

                if echo "${COMMON_NAME}" | grep -q -i "^${CN}$"; then
                    ok="true"
                fi

            fi

        else

            verboselog "Skipping the matching of the host name (${COMMON_NAME}) as it is an IP address"
            COMMON_NAME_IS_AN_IP=1

        fi

        if [ -n "${REQUIRE_SAN}" ] && [ -z "${SUBJECT_ALTERNATIVE_NAME}" ]; then

            prepend_critical_message "The certificate does not have any Subject Alternative Names"

        else

            # Check alternate names
            #   SUBJECT_ALTERNATIVE_NAME can also be empty

            if [ -n "${SUBJECT_ALTERNATIVE_NAME}" ]; then

                if [ -n "${ALTNAMES}" ] && [ -z "${ok}" ]; then

                    debuglog "Checking alternate names"

                    for cn in ${COMMON_NAME}; do

                        IS_IP_TMP="$(is_ip "${cn}")"
                        if [ "${IS_IP_TMP}" -eq 1 ]; then
                            verboselog "Skipping the matching of ${cn} as it is an IP address"
                            continue
                        fi

                        ok=""

                        debuglog '==============================='
                        debuglog "checking altnames against ${cn}"
                        debuglog "  SUBJECT_ALTERNATIVE_NAME = ${SUBJECT_ALTERNATIVE_NAME}"

                        for alt_name in ${SUBJECT_ALTERNATIVE_NAME}; do

                            debuglog "check Altname: ${alt_name}"

                            if echo "${alt_name}" | grep -q -i '^\*\.'; then

                                # Match the domain
                                debuglog "the altname ${alt_name} begins with a '*'"
                                ALT_NAME_TMP="$(echo "${alt_name}" | cut -c 3-)"
                                debuglog "checking if the common name matches ^${ALT_NAME_TMP}\$"

                                if echo "${cn}" | grep -q -i "^${ALT_NAME_TMP}\$"; then
                                    debuglog "the common name ${cn} matches ^${ALT_NAME_TMP}\$"
                                    ok="true"

                                fi

                                # Or the literal with the wildcard
                                ALT_NAME_TMP="$(echo "${alt_name}" | sed -e 's/[.]/[.]/g' -e 's/[*]/[A-Za-z0-9_\-]*/')"
                                debuglog "checking if the common name matches ^${ALT_NAME_TMP}\$"

                                if echo "${cn}" | grep -q -i "^${ALT_NAME_TMP}\$"; then
                                    debuglog "the common name ${cn} matches ^${ALT_NAME_TMP}\$"
                                    ok="true"
                                fi

                                # Or if both are exactly the same
                                debuglog "checking if the common name matches ^${alt_name}\$"

                                if echo "${cn}" | grep -q -i "^${alt_name}\$"; then
                                    debuglog "the common name ${cn} matches ^${alt_name}\$"
                                    ok="true"
                                fi

                            else

                                if echo "${cn}" | grep -q -i "^${alt_name}$"; then
                                    ok="true"
                                fi

                            fi

                            if [ -n "${ok}" ]; then
                                break
                            fi

                        done

                        if [ -z "${ok}" ]; then
                            fail="${cn}"
                            break
                        fi

                    done

                fi

                CN_TMP="$(echo "${CN}" | sed "s/|/ PIPE /g")"
                if [ -n "${fail}" ]; then
                    prepend_critical_message "invalid CN ('${CN_TMP}' does not match '${fail}')"
                else
                    if [ -z "${ok}" ] && [ -z "${COMMON_NAME_IS_AN_IP}" ]; then
                        prepend_critical_message "invalid CN ('${CN_TMP}' does not match '${COMMON_NAME}')"
                    fi
                fi

            fi

        fi

        debuglog " CN check finished"

    fi

    ################################################################################
    # Check the issuer
    if [ -n "${ISSUER}" ]; then

        debuglog "check ISSUER: ${ISSUER}"

        ok=""
        CA_ISSUER_MATCHED=$(echo "${ISSUERS}" | grep -E "^${ISSUER}\$" | head -n1)

        debuglog "   issuer matched = ${CA_ISSUER_MATCHED}"

        if [ -n "${CA_ISSUER_MATCHED}" ]; then
            verboselog "The certificate issuer matches ${ISSUER}"
            ok="true"
        else
            # this looks ugly but preserves spaces in CA name
            ISSUER_TMP="$(echo "${ISSUER}" | sed "s/|/ PIPE /g")"
            ISSUERS_TMP="$(echo "${ISSUERS}" | tr '\n' '|' | sed 's/|$//g' | sed "s/|/\\' or \\'/g")"
            prepend_critical_message "invalid CA ('${ISSUER_TMP}' does not match '${ISSUERS_TMP}')"
        fi

    fi

    ################################################################################
    # Check if not issued by
    if [ -n "${NOT_ISSUED_BY}" ]; then

        debuglog "check NOT_ISSUED_BY: ${NOT_ISSUED_BY}"

        debuglog "  executing echo \"${ISSUERS}\" | sed -E -e \"s/^(O|CN) ?= ?//\" | grep -E \"^${NOT_ISSUED_BY}\$\" | head -n1"

        ok=""
        CA_ISSUER_MATCHED=$(echo "${ISSUERS}" | sed -E -e "s/^(O|CN) ?= ?//" | grep -E "^${NOT_ISSUED_BY}\$" | head -n1)

        debuglog "   issuer matched = ${CA_ISSUER_MATCHED}"

        if [ -n "${CA_ISSUER_MATCHED}" ]; then
            # this looks ugly but preserves spaces in CA name
            NOT_ISSUED_BY_TMP="$(echo "${NOT_ISSUED_BY}" | sed "s/|/ PIPE /g")"
            ISSUERS_TMP="$(echo "${ISSUERS}" | sed -E -e "s/^(O|CN) ?= ?//" | tr '\n' '|' | sed 's/|$//g' | sed "s/|/\\' or \\'/g")"
            prepend_critical_message "invalid CA ('${NOT_ISSUED_BY_TMP}' matches '${ISSUERS_TMP}')"
        else
            ok="true"
            CA_ISSUER_MATCHED="$(echo "${ISSUERS}" | grep -E "^CN ?= ?" | sed -E -e "s/^CN ?= ?//" | head -n1)"
        fi

    else

        CA_ISSUER_MATCHED="$(echo "${ISSUERS}" | head -n1)"

    fi

    ################################################################################
    # Check the serial number
    if [ -n "${SERIAL_LOCK}" ]; then

        ok=""

        if echo "${SERIAL}" | grep -q "^${SERIAL_LOCK}\$"; then
            ok="true"
        fi

        if [ -z "${ok}" ]; then
            SERIAL_LOCK_TMP="$(echo "${SERIAL_LOCK}" | sed "s/|/ PIPE /g")"
            prepend_critical_message "invalid serial number ('${SERIAL_LOCK_TMP}' does not match '${SERIAL}')"
        else
            verboselog "Valid serial number (${SERIAL})"
        fi

    fi
    ################################################################################
    # Check the Fingerprint
    if [ -n "${FINGERPRINT_LOCK}" ]; then

        ok=""

        if echo "${FINGERPRINT}" | grep -q -E "^${FINGERPRINT_LOCK}\$"; then
            ok="true"
        fi

        if [ -z "${ok}" ]; then
            FINGERPRINT_LOCK_TMP="$(echo "${FINGERPRINT_LOCK}" | sed "s/|/ PIPE /g")"
            prepend_critical_message "invalid SHA1 Fingerprint ('${FINGERPRINT_LOCK_TMP}' does not match '${FINGERPRINT}')"
        else
            verboselog "Valid SHA1 fingerprint (${FINGERPRINT})"
        fi

    fi

    ################################################################################
    # Check the validity
    if [ -z "${NOEXP}" ]; then

        debuglog "Checking expiration date"
        if [ -n "${FIRST_ELEMENT_ONLY}" ] || [ "${OPENSSL_COMMAND}" = "crl" ]; then
            debuglog "Only one element or CRL"
            DATE_TMP="$(cat "${CERT}")"
            check_cert_end_date "${DATE_TMP}"
        else
            # count the certificates in the chain
            NUM_CERTIFICATES=$(grep -F -c -- "-BEGIN CERTIFICATE-" "${CERT}")
            debuglog "Number of certificates in CA chain: $((NUM_CERTIFICATES))"

            CERT_IN_CHAIN=1
            while [ "${CERT_IN_CHAIN}" -le "${NUM_CERTIFICATES}" ]; do

                debuglog '------------------------------------------------------------------------------'
                debuglog "-- Checking element ${CERT_IN_CHAIN}"

                if echo "${SKIP_ELEMENT}" | grep -q "${CERT_IN_CHAIN}"; then
                    debuglog "    skipping element ${CERT_IN_CHAIN}"
                    CERT_IN_CHAIN=$((CERT_IN_CHAIN + 1))
                    continue
                fi

                elem_number=$((CERT_IN_CHAIN))
                chain_element=$(sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "${CERT}" |
                    awk -v n="${CERT_IN_CHAIN}" '/-BEGIN CERTIFICATE-/{l++} (l==n) {print}')

                check_cert_end_date "${chain_element}" "${elem_number}"

                debuglog '------------------------------------------------------------------------------'
                check_ocsp "${chain_element}" "${elem_number}"

                if [ -n "${CRL}" ]; then
                    debuglog '------------------------------------------------------------------------------'
                    check_crl "${chain_element}" "${elem_number}"
                fi

                CERT_IN_CHAIN=$((CERT_IN_CHAIN + 1))
                if ! [ "${ELEMENT}" -eq 0 ] && [ $((ELEMENT - CERT_IN_CHAIN)) -lt 0 ]; then
                    break
                fi

            done

            debuglog '------------------------------------------------------------------------------'

        fi

    fi

    ################################################################################
    # Check nmap
    if [ -n "${CHECK_CIPHERS}" ] || [ -n "${CHECK_CIPHERS_WARNINGS}" ]; then

        if [ -n "${CHECK_CIPHERS}" ]; then
            debuglog "Checking offered ciphers (minimum level ${CHECK_CIPHERS}: ${CHECK_CIPHERS_NUMERIC})"
        fi

        create_temporary_file
        NMAP_OUT=${TEMPFILE}
        create_temporary_file
        NMAP_ERR=${TEMPFILE}

        # -Pn is needed even if we specify a port
        exec_with_timeout "${NMAP_BIN} -Pn --script ssl-enum-ciphers ${HOST_ADDR} -p ${PORT}" "${NMAP_OUT}" "${NMAP_ERR}"

        if [ "${DEBUG}" -ge 1 ]; then
            debuglog 'nmap output:'
            while read -r LINE; do
                debuglog "${LINE}"
            done <"${NMAP_OUT}"
            debuglog 'nmap errors:'
            if [ -s "${NMAP_ERR}" ]; then
                while read -r LINE; do
                    debuglog "${LINE}"
                done <"${NMAP_ERR}"
            fi
        fi

	    if [ -s "${NMAP_ERR}" ]; then

            NMAP_ERROR=$(head -n 1 "${NMAP_ERR}")

	        # check for -Pn warning
	        if ! grep -q "Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower." "${NMAP_ERR}"; then
		        unknown "nmap exited with error: ${NMAP_ERROR}"
	        fi

        fi


        if ! grep -F -q '| ssl-enum-ciphers' "${NMAP_OUT}"; then
            unknown "empty nmap result while checking ciphers"
        fi

        if [ -n "${CHECK_CIPHERS}" ]; then

            if ! grep -q -F 'least strength' "${NMAP_OUT}"; then
                unknown 'nmap does not deliver cipher strength'
            fi

            NMAP_GRADE=$(grep -F 'least strength' "${NMAP_OUT}" | sed 's/.*\ //')
            convert_grade "${NMAP_GRADE}"
            NMAP_GRADE_NUMERIC="${NUMERIC_SSL_LAB_GRADE}"

            verboselog "Cipher grade ${NMAP_GRADE_NUMERIC}: ${NMAP_GRADE}"

            # Check the grade
            if [ "${NMAP_GRADE_NUMERIC}" -lt "${CHECK_CIPHERS_NUMERIC}" ]; then
                prepend_critical_message "${HOST_ADDR} offers ciphers with grade ${NMAP_GRADE} (instead of ${CHECK_CIPHERS})"
            fi

        fi

        if [ -n "${CHECK_CIPHERS_WARNINGS}" ]; then

            if grep -F -q 'warnings:' "${NMAP_OUT}"; then

                PARSING_WARNINGS=
                WARNINGS=
                while IFS= read -r line; do

                    if echo "${line}" | grep -q -F 'warnings:'; then
                        PARSING_WARNINGS=1
                    elif echo "${line}" | grep -q -F ':'; then
                        PARSING_WARNINGS=
                    elif [ -n "${PARSING_WARNINGS}" ]; then
                        WARNING=$(echo "${line}" | sed 's/|\ *//')
                        if [ -n "${WARNINGS}" ]; then
                            debuglog "Cipher warning '${WARNING}'"
                            WARNINGS="${WARNINGS}
${WARNING}"
                        else
                            WARNINGS="${WARNING}"
                        fi
                    fi

                done <"${NMAP_OUT}"

                WARNINGS="$( echo "${WARNINGS}" | sort | uniq | tr '\n' ',' | sed -e 's/,/,\ /g' -e 's/,\ $//' )"
                prepend_critical_message "${HOST_ADDR} offers ciphers with warnings: ${WARNINGS}"

            else

                verboselog "No ciphers with warnings are offered"

            fi

        fi

    fi

    ################################################################################
    # Check SSL Labs
    if [ -n "${SSL_LAB_CRIT_ASSESSMENT}" ]; then

        while true; do

            debuglog "http_proxy  = ${http_proxy}"
            debuglog "HTTPS_PROXY = ${HTTPS_PROXY}"
            debuglog "executing ${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent \"https://api.ssllabs.com/api/v2/analyze?host=${HOST_NAME}${IGNORE_SSL_LABS_CACHE}\""

            if [ -n "${SNI}" ]; then
                JSON="$(${CURL_BIN} "${CURL_PROXY}" "${CURL_PROXY_ARGUMENT}" "${INETPROTO}" --silent "https://api.ssllabs.com/api/v2/analyze?host=${SNI}${IGNORE_SSL_LABS_CACHE}")"
                CURL_RETURN_CODE=$?
            else
                JSON="$(${CURL_BIN} "${CURL_PROXY}" "${CURL_PROXY_ARGUMENT}" "${INETPROTO}" --silent "https://api.ssllabs.com/api/v2/analyze?host=${HOST_NAME}${IGNORE_SSL_LABS_CACHE}")"
                CURL_RETURN_CODE=$?
            fi

            if [ "${CURL_RETURN_CODE}" -ne 0 ]; then

                debuglog "curl returned ${CURL_RETURN_CODE}: ${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent \"https://api.ssllabs.com/api/v2/analyze?host=${HOST_NAME}${IGNORE_SSL_LABS_CACHE}\""

                unknown "Error checking SSL Labs: curl returned ${CURL_RETURN_CODE}, see 'man curl' for details"

            fi

            JSON="$(printf '%s' "${JSON}" | tr '\n' ' ')"

            debuglog "Checking SSL Labs: ${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent \"https://api.ssllabs.com/api/v2/analyze?host=${HOST_NAME}\""
            debuglog "SSL Labs JSON: ${JSON}"

            # We clear the cache only on the first run
            IGNORE_SSL_LABS_CACHE=""

            if echo "${JSON}" | grep -F -q 'Running\ at\ full\ capacity.\ Please\ try\ again\ later'; then
                verboselog '  SSL Labs running at full capacity'
            else

                SSL_LABS_HOST_STATUS=$(echo "${JSON}" |
                    sed 's/.*"status":[ ]*"\([^"]*\)".*/\1/')

                debuglog "SSL Labs status: ${SSL_LABS_HOST_STATUS}"

                case "${SSL_LABS_HOST_STATUS}" in
                'ERROR')
                    SSL_LABS_STATUS_MESSAGE=$(echo "${JSON}" |
                        sed 's/.*"statusMessage":[ ]*"\([^"]*\)".*/\1/')
                    prepend_critical_message "Error checking SSL Labs: ${SSL_LABS_STATUS_MESSAGE}"
                    break
                    ;;
                'READY')
                    if ! echo "${JSON}" | grep -F -q "grade"; then

                        # Something went wrong
                        SSL_LABS_STATUS_MESSAGE=$(echo "${JSON}" |
                            sed 's/.*"statusMessage":[ ]*"\([^"]*\)".*/\1/')
                        prepend_critical_message "SSL Labs error: ${SSL_LABS_STATUS_MESSAGE}"
                        break

                    else

                        SSL_LABS_HOST_GRADE=$(echo "${JSON}" |
                            sed 's/.*"grade":[ ]*"\([^"]*\)".*/\1/')

                        debuglog "SSL Labs grade: ${SSL_LABS_HOST_GRADE}"

                        verboselog "SSL Labs grade: ${SSL_LABS_HOST_GRADE}"

                        convert_grade "${SSL_LABS_HOST_GRADE}"
                        SSL_LABS_HOST_GRADE_NUMERIC="${NUMERIC_SSL_LAB_GRADE}"

                        add_performance_data "ssllabs=${SSL_LABS_HOST_GRADE_NUMERIC}%;;${SSL_LAB_CRIT_ASSESSMENT_NUMERIC}"

                        # Check the grade
                        if [ "${SSL_LABS_HOST_GRADE_NUMERIC}" -lt "${SSL_LAB_CRIT_ASSESSMENT_NUMERIC}" ]; then
                            prepend_critical_message "SSL Labs grade is ${SSL_LABS_HOST_GRADE} (instead of ${SSL_LAB_CRIT_ASSESSMENT})"
                        elif [ -n "${SSL_LAB_WARN_ASSESTMENT_NUMERIC}" ]; then
                            if [ "${SSL_LABS_HOST_GRADE_NUMERIC}" -lt "${SSL_LAB_WARN_ASSESTMENT_NUMERIC}" ]; then
                                append_warning_message "SSL Labs grade is ${SSL_LABS_HOST_GRADE} (instead of ${SSL_LAB_WARN_ASSESTMENT})"
                            fi
                        fi

                        debuglog "SSL Labs grade (converted): ${SSL_LABS_HOST_GRADE_NUMERIC}"

                        # We have a result: exit
                        break

                    fi
                    ;;
                'IN_PROGRESS')
                    # Data not yet available: warn and continue
                    PROGRESS=$(echo "${JSON}" | sed 's/.*progress"://' | sed 's/,.*//')
                    if [ "${PROGRESS}" -eq -1 ]; then
                        verboselog "  warning: no cached data by SSL Labs, check in progress" 2
                    else
                        verboselog "  warning: no cached data by SSL Labs, check in progress ${PROGRESS}%" 2
                    fi
                    ;;
                'DNS')
                    verboselog "  SSL Labs resolving the domain name" 2
                    ;;
                *)
                    # Try to extract a message
                    SSL_LABS_ERROR_MESSAGE=$(echo "${JSON}" |
                        sed 's/.*"message":[ ]*"\([^"]*\)".*/\1/')

                    if [ -z "${SSL_LABS_ERROR_MESSAGE}" ]; then
                        SSL_LABS_ERROR_MESSAGE="${JSON}"
                    fi

                    prepend_critical_message "Cannot check status on SSL Labs: ${SSL_LABS_ERROR_MESSAGE}"
                    ;;
                esac

            fi

            WAIT_TIME=60
            verboselog "  waiting ${WAIT_TIME} seconds" 2

            sleep "${WAIT_TIME}"

        done

    fi

    ################################################################################
    # Check the organization
    if [ -n "${ORGANIZATION}" ]; then

        debuglog "Checking organization ${ORGANIZATION}"

        ORG="$(extract_cert_attribute 'org' "${CERT}")"
        debuglog "  ORG          = ${ORG}"
        debuglog "  ORGANIZATION = ${ORGANIZATION}"

        if ! echo "${ORG}" | grep -q -E "^${ORGANIZATION}"; then
            ORGANIZATION_TMP="$(echo "${ORGANIZATION}" | sed "s/|/ PIPE /g")"
            prepend_critical_message "invalid organization ('${ORGANIZATION_TMP}' does not match '${ORG}')"
        fi

    fi

    if [ "${OPENSSL_COMMAND}" != 'crl' ]; then
	EMAIL="$(extract_cert_attribute 'email' "${CERT}")"
	debuglog "EMAIL = ${EMAIL}"
	info "Email" "${EMAIL}"
    fi

    ################################################################################
    # Check the email
    if [ -n "${ADDR}" ]; then

        if [ -z "${EMAIL}" ]; then

            debuglog "no email in certificate"

            prepend_critical_message "the certificate does not contain an email address"

        else

            if ! echo "${EMAIL}" | grep -q -E "^${ADDR}"; then
                EMAIL_TMP="$(echo "${ADDR}" | sed "s/|/ PIPE /g")"
                prepend_critical_message "invalid email ('${EMAIL_TMP}' does not match ${EMAIL})"
            else
                verboselog "email ${ADDR} is OK"
            fi

        fi

    fi

    ################################################################################
    # Check if the certificate was verified
    if [ -z "${NOAUTH}" ] && ascii_grep '^verify\ error:' "${ERROR}"; then

        debuglog 'Checking if the certificate was self signed'

        if ascii_grep '^verify\ error:num=[0-9][0-9]*:self\ signed\ certificate' "${ERROR}"; then

            debuglog 'Self signed certificate'

            if [ -z "${SELFSIGNED}" ]; then
                prepend_critical_message "Cannot verify certificate, self signed certificate"
            else
                SELFSIGNEDCERT="self signed "
            fi

        elif ascii_grep '^verify\ error:num=[0-9][0-9]*:certificate\ has\ expired' "${ERROR}"; then

            debuglog 'Cannot verify since the certificate has expired.'

        else

            DEBUG_MESSAGE="$(sed 's/^/Error: /' "${ERROR}")"
            debuglog "${DEBUG_MESSAGE}"

            # Process errors
            # details=$(grep '^verify\ error:' "${ERROR}" | sed 's/verify\ error:num=[0-9]*://' | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/, /g')
            details=$(grep '^verify\ error:' "${ERROR}" | sed 's/verify\ error:num=[0-9]*://' )
            prepend_critical_message "Cannot verify certificate: ${details}"

        fi

    else

        verboselog "The certificate was successfully verified"

    fi

    ##############################################################################
    # Check for Signed Certificate Timestamps (SCT)
    if [ -z "${SELFSIGNED}" ] && [ "${OPENSSL_COMMAND}" != "crl" ]; then

        # check if OpenSSL supports SCTs
        if openssl_version '1.1.0'; then

            debuglog 'Checking Signed Certificate Timestamps (SCTs)'

            if [ -n "${SCT}" ] && ! extract_cert_attribute 'sct' "${CERT}"; then
                prepend_critical_message "Cannot find Signed Certificate Timestamps (SCT)"
            else
                info "SCT" "yes"
                verboselog "The certificate contains signed certificate timestamps (SCT)"
            fi

        else
            verboselog 'warning: Skipping SCTs check as not supported by OpenSSL'
        fi
    fi

    # if errors exist at this point return
    if [ "${CRITICAL_MSG}" != "" ]; then
        critical "${CRITICAL_MSG}"
    fi

    if [ "${WARNING_MSG}" != "" ]; then
        warning "${WARNING_MSG}"
    fi

    ################################################################################
    # If we get this far, assume all is well. :)

    # If --altnames was specified or if the certificate is wildcard,
    # then we show the specified CN in addition to the certificate CN
    CHECKEDNAMES=""
    if [ -n "${ALTNAMES}" ] && [ -n "${COMMON_NAME}" ] && [ "${CN}" != "${COMMON_NAME}" ]; then
        CHECKEDNAMES="(${COMMON_NAME}) "
    elif [ -n "${COMMON_NAME}" ] && echo "${CN}" | grep -q -i '^\*\.'; then
        CHECKEDNAMES="(${COMMON_NAME}) "
    fi

    if [ -n "${DAYS_VALID}" ]; then
        # nicer formatting
        if [ "${DAYS_VALID}" -gt 1 ]; then
            DAYS_VALID=" (expires in ${DAYS_VALID} days)"
        elif [ "${DAYS_VALID}" -eq 1 ]; then
            DAYS_VALID=" (expires tomorrow)"
        elif [ "${DAYS_VALID}" -eq 0 ]; then
            DAYS_VALID=" (expires today)"
        elif [ "${DAYS_VALID}" -eq -1 ]; then
            DAYS_VALID=" (expired yesterday)"
        else
            DAYS_VALID=" (expired ${DAYS_VALID} days ago)"
        fi
    fi

    if [ -n "${OCSP_EXPIRES_IN_HOURS}" ]; then
        # nicer formatting
        if [ "${OCSP_EXPIRES_IN_HOURS}" -gt 1 ]; then
            OCSP_EXPIRES_IN_HOURS=" (OCSP stapling expires in ${OCSP_EXPIRES_IN_HOURS} hours)"
        elif [ "${OCSP_EXPIRES_IN_HOURS}" -eq 1 ]; then
            OCSP_EXPIRES_IN_HOURS=" (OCSP stapling expires in one hour)"
        elif [ "${OCSP_EXPIRES_IN_HOURS}" -eq 0 ]; then
            OCSP_EXPIRES_IN_HOURS=" (OCSP stapling expires now)"
        elif [ "${OCSP_EXPIRES_IN_HOURS}" -eq -1 ]; then
            OCSP_EXPIRES_IN_HOURS=" (OCSP stapling expired one hour ago)"
        else
            OCSP_EXPIRES_IN_HOURS=" (OCSP stapling expired ${OCSP_EXPIRES_IN_HOURS} hours ago)"
        fi
    fi

    if [ -n "${SSL_LABS_HOST_GRADE}" ]; then
        SSL_LABS_HOST_GRADE=", SSL Labs grade: ${SSL_LABS_HOST_GRADE}"
    fi

    if [ -z "${CN}" ]; then
        DISPLAY_CN=""
    else
        DISPLAY_CN="'${CN}' "
    fi

    if [ -z "${FORMAT}" ]; then
        if [ -n "${TERSE}" ]; then
            FORMAT="%SHORTNAME% OK %CN% %DAYS_VALID%"
        else
            FORMAT="%SHORTNAME% OK - %OPENSSL_COMMAND% %SELFSIGNEDCERT%certificate %DISPLAY_CN%%CHECKEDNAMES%from '%CA_ISSUER_MATCHED%' valid until %DATE%%DAYS_VALID%%OCSP_EXPIRES_IN_HOURS%%SSL_LABS_HOST_GRADE%"
        fi
    fi

    # long output
    if [ -z "${TERSE}" ]; then
        EXTRA_OUTPUT="${LONG_OUTPUT}"
    fi
    # performance
    if [ -z "${NO_PERF}" ]; then
        EXTRA_OUTPUT="${EXTRA_OUTPUT}${PERFORMANCE_DATA}"
    fi

    debuglog "output parameters: CA_ISSUER_MATCHED     = ${CA_ISSUER_MATCHED}"
    debuglog "output parameters: CHECKEDNAMES          = ${CHECKEDNAMES}"
    debuglog "output parameters: CN                    = ${CN}"
    debuglog "output parameters: DATE                  = ${DATE}"
    debuglog "output parameters: DAYS_VALID            = ${DAYS_VALID}"
    debuglog "output parameters: DYSPLAY_CN            = ${DISPLAY_CN}"
    debuglog "output parameters: OPENSSL_COMMAND       = ${OPENSSL_COMMAND}"
    debuglog "output parameters: SELFSIGNEDCERT        = ${SELFSIGNEDCERT}"
    debuglog "output parameters: SHORTNAME             = ${SHORTNAME}"
    debuglog "output parameters: OCSP_EXPIRES_IN_HOURS = ${OCSP_EXPIRES_IN_HOURS}"
    debuglog "output parameters: SSL_LABS_HOST_GRADE   = ${SSL_LABS_HOST_GRADE}"

    if [ -z "${PROMETHEUS}" ]; then

        CA_ISSUER_MATCHED_TMP="$(var_for_sed CA_ISSUER_MATCHED "${CA_ISSUER_MATCHED}")"
        CHECKEDNAMES_TMP="$(var_for_sed CHECKEDNAMES "${CHECKEDNAMES}")"
        CN_TMP="$(var_for_sed CN "${CN}")"
        DATE_TMP="$(var_for_sed DATE "${DATE}")"
        DAYS_VALID_TMP="$(var_for_sed DAYS_VALID "${DAYS_VALID}")"
        DISPLAY_CN_TMP="$(var_for_sed DISPLAY_CN "${DISPLAY_CN}")"
        OPENSSL_COMMAND_TMP="$(var_for_sed OPENSSL_COMMAND "${OPENSSL_COMMAND}")"
        SELFSIGNEDCERT_TMP="$(var_for_sed SELFSIGNEDCERT "${SELFSIGNEDCERT}")"
        SHORTNAME_TMP="$(var_for_sed SHORTNAME "${SHORTNAME}")"
        OCSP_EXPIRES_IN_HOURS_TMP="$(var_for_sed OCSP_EXPIRES_IN_HOURS "${OCSP_EXPIRES_IN_HOURS}")"
        SSL_LABS_HOST_GRADE_TMP="$(var_for_sed SSL_LABS_HOST_GRADE "${SSL_LABS_HOST_GRADE}")"

        echo "${FORMAT}${EXTRA_OUTPUT}" | sed \
            -e "${CA_ISSUER_MATCHED_TMP}" \
            -e "${CHECKEDNAMES_TMP}" \
            -e "${CN_TMP}" \
            -e "${DATE_TMP}" \
            -e "${DAYS_VALID_TMP}" \
            -e "${DISPLAY_CN_TMP}" \
            -e "${OPENSSL_COMMAND_TMP}" \
            -e "${SELFSIGNEDCERT_TMP}" \
            -e "${SHORTNAME_TMP}" \
            -e "${OCSP_EXPIRES_IN_HOURS_TMP}" \
            -e "${SSL_LABS_HOST_GRADE_TMP}"

    else

        add_prometheus_status_output_line "cert_valid{cn=\"${CN}\"} 0"
        prometheus_output

    fi

    remove_temporary_files

    exit "${STATUS_OK}"

}

# Defined externally
# shellcheck disable=SC2154
if [ -z "${SOURCE_ONLY}" ]; then
    main "${@}"
fi
