-H,--host host;server
-A,--noauth;ignore authority warnings (expiration
-A,--noauth;only)
--all;enables all the possible optional checks
--all;at the maximum level
--all-local;enables all the possible optional checks
--all-local;at the maximum level
--all-local;(without SSL-Labs)
--allow-empty-san;allow certificates without Subject
--allow-empty-san;Alternative Names (SANs)
--check-ciphers grade;checks the offered ciphers
--check-ciphers-warnings;critical if nmap reports a warning for an
--check-ciphers-warnings;offered cipher
-C,--clientcert path;use client certificate to authenticate
--clientpass phrase;set passphrase for client certificate.
-c,--critical days;minimum number of days a certificate has
-c,--critical days;to be valid to issue a critical status.
-c,--critical days;Can be a floating point number, e.g., 0.5
-c,--critical days;Default: ${CRITICAL_DAYS}
--crl;checks revocation via CRL (requires
--crl;--rootcert-file)
--curl-bin path;path of the curl binary to be used
--curl-user-agent string;user agent that curl shall use to obtain
--curl-user-agent string;the issuer cert
--custom-http-header string;custom HTTP header sent when getting the
--custom-http-header string;cert example: 'X-Check-Ssl-Cert: Foobar=1'
--dane;verify that valid DANE records exist
--dane;(since OpenSSL 1.1.0)
--dane 211;verify that a valid DANE-TA(2) SPKI(1)
--dane 211;SHA2-256(1) TLSA record exists
--dane 301;verify that a valid DANE-EE(3) Cert(0)
--dane 301;SHA2-256(1) TLSA record exists
--dane 302;verify that a valid DANE-EE(3) Cert(0)
--dane 302;SHA2-512(2) TLSA record exists
--dane 311;verify that a valid DANE-EE(3) SPKI(1)
--dane 311;SHA2-256(1) TLSA record exists
--dane 312;verify that a valid DANE-EE(3) SPKI(1)
--dane 312;SHA2-512(2) TLSA record exists
--date path;path of the date binary to be used
-d,--debug;produces debugging output (can be
-d,--debug;specified more than once)
--debug-cert;stores the retrieved certificates in the
--debug-cert;current directory
--debug-file file;writes the debug messages to file
--debug-time;writes timing information in the
--debug-time;debugging output
--dig-bin path;path of the dig binary to be used
--ecdsa;signature algorithm selection: force ECDSA
--ecdsa;certificate
--element number;checks up to the Nth cert element from the
--element number;beginning of the chain
-e,--email address;pattern to match the email address
-e,--email address;contained in the certificate
-f,--file file;local file path or URI.
-f,--file file;With -f you can not only pass an x509
-f,--file file;certificate file but also a certificate
-f,--file file;revocation list (CRL) to check the
-f,--file file;validity period
--file-bin path;path of the file binary to be used
--fingerprint SHA1;pattern to match the SHA1-Fingerprint
--first-element-only;verify just the first cert element, not
--first-element-only;the whole chain
--force-dconv-date;force the usage of dconv for date
--force-dconv-date;computations
--force-perl-date;force the usage of Perl for date
--force-perl-date;computations
--format FORMAT;format output template on success, for
--format FORMAT;example: '%SHORTNAME% OK %CN% from
--format FORMAT;%CA_ISSUER_MATCHED%'
-h,--help,-?;this help message
--http-use-get;use GET instead of HEAD (default) for the
--http-use-get;HTTP related checks
--ignore-altnames;ignores alternative names when matching
--ignore-altnames;pattern specified in -n (or the host name)
--ignore-connection-problems [state];in case of connection problems
--ignore-connection-problems [state];returns OK or the optional state
--ignore-exp;ignore expiration date
--ignore-host-cn;do not complain if the CN does not match
--ignore-host-cn;the host name
--ignore-incomplete-chain;does not check chain integrity
--ignore-ocsp;do not check revocation with OCSP
--ignore-ocsp-errors;continue if the OCSP status cannot be
--ignore-ocsp-errors;checked
--ignore-ocsp-timeout;ignore OCSP result when timeout occurs
--ignore-ocsp-timeout;while checking
--ignore-sig-alg;do not check if the certificate was signed
--ignore-sig-alg;with SHA1 or MD5
--ignore-sct;do not check for signed certificate
--ignore-sct;timestamps (SCT)
--ignore-ssl-labs-cache;Forces a new check by SSL Labs (see -L)
--ignore-tls-renegotiation;Ignores the TLS renegotiation check
--inetproto protocol;Force IP version 4 or 6
--info;Prints certificate information
-i,--issuer issuer;pattern to match the issuer of the
-i,--issuer issuer;certificate
--issuer-cert-cache dir;directory where to store issuer
--issuer-cert-cache dir;certificates cache
-K,--clientkey path;use client certificate key to authenticate
-L,--check-ssl-labs grade;SSL Labs assessment
-L,--check-ssl-labs grade;(please check
-L,--check-ssl-labs grade;https://www.ssllabs.com/about/terms.html)
--check-ssl-labs-warn grade;SSL Labs grade on which to warn
--long-output list;append the specified comma separated (no
--long-output list;spaces) list of attributes to the plugin
--long-output list;output on additional lines
--long-output list;Valid attributes are:
--long-output list;enddate, startdate, subject, issuer,
--long-output list;modulus, serial, hash, email, ocsp_uri
--long-output list;and fingerprint.
--long-output list;'all' will include all the available
--long-output list;attributes.
-m,--match name;pattern to match the CN or AltName
-m,--match name;(can be specified multiple times)
-n,--cn name;pattern to match the CN or AltName
-n,--cn name;(can be specified multiple times)
--nmap-bin path;path of the nmap binary to be used
--no-perf;do not show performance data
--no-proxy;ignores the http_proxy and https_proxy
--no-proxy;environment variables
--no-proxy-curl;ignores the http_proxy and https_proxy
--no-proxy-curl;environment variables
--no-proxy-curl;for curl
--no-proxy-s_client;ignores the http_proxy and https_proxy
--no-proxy-s_client;environment variables
--no-proxy-s_client;for openssl s_client
--no-ssl2;disable SSL version 2
--no-ssl3;disable SSL version 3
--no-tls1;disable TLS version 1
--no-tls1_1;disable TLS version 1.1
--no-tls1_2;disable TLS version 1.2
--no-tls1_3;disable TLS version 1.3
--not-issued-by issuer;check that the issuer of the certificate
--not-issued-by issuer;does not match the given pattern
--not-valid-longer-than days;critical if the certificate validity is
--not-valid-longer-than days;longer than the specified period
--ocsp-critical hours;minimum number of hours an OCSP response
--ocsp-critical hours;has to be valid to issue a critical status
--ocsp-warning hours;minimum number of hours an OCSP response
--ocsp-warning hours;has to be valid to issue a warning status
-o,--org org;pattern to match the organization of the
-o,--org org;certificate
--openssl path;path of the openssl binary to be used
--password source;password source for a local certificate,
--password source;see the PASS PHRASE ARGUMENTS section
--password source;of openssl(1)
-p,--port port;TCP port
--precision digits;number of decimal places for durations:
--precision digits;defaults to 0 if critical or warning are
--precision digits;integers, 2 otherwise
--prometheus;generates Prometheus/OpenMetrics output
-P,--protocol protocol;use the specific protocol:
-P,--protocol protocol;ftp, ftps, http, https (default),
-P,--protocol protocol;h2 (HTTP/2), imap, imaps, irc, ircs, ldap,
-P,--protocol protocol;ldaps, mysql, pop3, pop3s, postgres,
-P,--protocol protocol;sieve, smtp, smtps, xmpp, xmpp-server.
-P,--protocol protocol;ftp, imap, irc, ldap, pop3, postgres,
-P,--protocol protocol;sieve, smtp: switch to TLS using StartTLS
--proxy proxy;sets http_proxy and the s_client -proxy
--proxy proxy;option
-q,--quiet;do not produce any output
--require-client-cert [list];the server must accept a client
--require-client-cert [list];certificate. 'list' is an optional comma
--require-client-cert [list];separated list of expected client
--require-client-cert [list];certificate CAs
--require-no-ssl2;critical if SSL version 2 is offered
--require-no-ssl3;critical if SSL version 3 is offered
--require-no-tls1;critical if TLS 1 is offered
--require-no-tls1_1;critical if TLS 1.1 is offered
--resolve ip;provides a custom IP address for the
--resolve ip;specified host
-s,--selfsigned;allows self-signed certificates
--serial serialnum;pattern to match the serial number
--skip-element number;skips checks on the Nth cert element (can
--skip-element number;be specified multiple times)
--sni name;sets the TLS SNI (Server Name Indication)
--sni name;extension in the ClientHello message to
--sni name;'name'
--ssl2;force SSL version 2
--ssl3;force SSL version 3
--require-ocsp-stapling;require OCSP stapling
-r,--rootcert path;root certificate or directory to be used
-r,--rootcert path;for certificate validation
--rootcert-dir path;root directory to be used for
--rootcert-dir path;certificate validation
--rootcert-file path;root certificate to be used for
--rootcert-file path;certificate validation
--rsa;signature algorithm selection: force RSA
--rsa;certificate
--temp dir;directory where to store the temporary
--temp dir;files
--terse;terse output
-t,--timeout seconds;timeout after the specified time
-t,--timeout seconds;(defaults to ${TIMEOUT} seconds)
--tls1;force TLS version 1
--tls1_1;force TLS version 1.1
--tls1_2;force TLS version 1.2
--tls1_3;force TLS version 1.3
-u,--url URL;HTTP request URL
-v,--verbose;verbose output (can be specified more than
-v,--verbose;once)
-V,--version;version
-w,--warning days;minimum number of days a certificate has
-w,--warning days;to be valid to issue a warning status.
-w,--warning days;Can be a floating point number, e.g., 0.5
-w,--warning days;Default: ${WARNING_DAYS}
--xmpphost name;specifies the host for the 'to' attribute
--xmpphost name;of the stream element
-4;force IPv4
-6;force IPv6
--altnames;matches the pattern specified in -n with
--altnames;alternate names too (enabled by default)
--days days;minimum number of days a certificate has
--days days;to be valid
--days days;(see --critical and --warning)
-N,--host-cn;match CN with the host name
-N,--host-cn;(enabled by default)
--no_ssl2;disable SSLv2 (deprecated use --no-ssl2)
--no_ssl3;disable SSLv3 (deprecated use --no-ssl3)
--no_tls1;disable TLSv1 (deprecated use --no-tls1)
--no_tls1_1;disable TLSv1.1 (deprecated use
--no_tls1_1;--no-tls1_1)
--no_tls1_2;disable TLSv1.2 (deprecated use
--no_tls1_2;--no-tls1_2)
--no_tls1_3;disable TLSv1.3 (deprecated use
--no_tls1_3;--no-tls1_3)
--ocsp;check revocation via OCSP (enabled by
--ocsp;default)
--require-san;require the presence of a Subject
--require-san;Alternative Name
--require-san;extension
-S,--ssl version;force SSL version (2,3)
-S,--ssl version;(see: --ssl2 or --ssl3)