Merge branch 'master' into dev/check_ssh-patches

41 files changed, 972 insertions, 442 deletions

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 9de367e..afe6ab4 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -53,6 +53,7 @@ jobs:
 
     - name: Install packages
       run: |
+        sudo apt update
         sudo apt-get install -y --no-install-recommends m4 gettext automake autoconf make build-essential
         sudo apt-get install -y --no-install-recommends perl autotools-dev libdbi-dev libldap2-dev libpq-dev \
                                                         libmysqlclient-dev libradcli-dev libkrb5-dev libdbi0-dev \
@@ -62,10 +63,10 @@ jobs:
       run: |
         ./tools/setup
         ./configure --enable-libtap
-    
+
     - name: Build
       run: |
         make
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v2
diff --git a/configure.ac b/configure.ac
index dfc37b5..8c5ca70 100644
--- a/configure.ac
+++ b/configure.ac
@@ -5,6 +5,7 @@ AC_CONFIG_SRCDIR(NPTest.pm)
 AC_CONFIG_FILES([gl/Makefile])
 AC_CONFIG_AUX_DIR(build-aux)
 AM_INIT_AUTOMAKE([1.8.3])
+AM_SILENT_RULES([yes])
 AM_MAINTAINER_MODE([enable])
 AC_CONFIG_HEADERS([config.h])
 AC_CANONICAL_HOST
diff --git a/doc/developer-guidelines.sgml b/doc/developer-guidelines.sgml
index 6f31f36..28674e0 100644
--- a/doc/developer-guidelines.sgml
+++ b/doc/developer-guidelines.sgml
@@ -13,7 +13,7 @@
 
     <pubdate>2013</pubdate>
     <title>Monitoring Plugins Development Guidelines</title>
-        
+
     <revhistory>
        <revision>
           <revnumber>1796</revnumber>
@@ -72,14 +72,14 @@
 </section>
 
 <section id="PlugOutput"><title>Plugin Output for Nagios</title>
-        
-                <para>You should always print something to STDOUT that tells if the 
-                service is working or why it is failing. Try to keep the output short - 
-                probably less that 80 characters. Remember that you ideally would like 
+
+                <para>You should always print something to STDOUT that tells if the
+                service is working or why it is failing. Try to keep the output short -
+                probably less that 80 characters. Remember that you ideally would like
                 the entire output to appear in a pager message, which will get chopped
                 off after a certain length.</para>
 
-                <para>As Nagios does not capture stderr output, you should only output to 
+                <para>As Nagios does not capture stderr output, you should only output to
                 STDOUT and not print to STDERR.</para>
 
                 <section><title>Print only one line of text</title>
@@ -101,7 +101,7 @@
                 SERVICE STATUS: Information text
                 </literallayout>
                 <para>However, note that this is not a requirement of the API, so you cannot depend on this
-                being an accurate reflection of the status of the service - the status should always 
+                being an accurate reflection of the status of the service - the status should always
                 be determined by the return code.</para>
                 </section>
 
@@ -148,7 +148,7 @@
                 <para>Code and output should try to respect the 80x25 size of a
                 crt (remember when fixing stuff in the server room!)</para>
                 </section>
-                
+
                 <section><title>Plugin Return Codes</title>
                 <para>The return codes below are based on the POSIX spec of returning
                 a positive value.  Netsaint prior to v0.0.7 supported non-POSIX
@@ -157,11 +157,11 @@
 
                 <para>Note: Some plugins will on occasion print on STDOUT that an error
                 occurred and error code is 138 or 255 or some such number.  These
-                are usually caused by plugins using system commands and having not 
+                are usually caused by plugins using system commands and having not
                 enough checks to catch unexpected output.  Developers should include a
                 default catch-all for system command output that returns an UNKNOWN
                 return code.</para>
-                
+
                 <table id="ReturnCodes"><title>Plugin Return Codes</title>
                         <tgroup cols="3">
                                 <thead>
@@ -175,20 +175,20 @@
                                         <row>
                                                 <entry align="center"><para>0</para></entry>
                                                 <entry valign="middle"><para>OK</para></entry>
-                                                <entry><para>The plugin was able to check the service and it 
+                                                <entry><para>The plugin was able to check the service and it
                                                 appeared to be functioning properly</para></entry>
                                         </row>
                                         <row>
                                                 <entry align="center"><para>1</para></entry>
                                                 <entry valign="middle"><para>Warning</para></entry>
-                                                <entry><para>The plugin was able to check the service, but it 
-                                                appeared to be above some "warning" threshold or did not appear 
+                                                <entry><para>The plugin was able to check the service, but it
+                                                appeared to be above some "warning" threshold or did not appear
                                                 to be working properly</para></entry>
                                         </row>
                                         <row>
                                                 <entry align="center"><para>2</para></entry>
                                                 <entry valign="middle"><para>Critical</para></entry>
-                                                <entry><para>The plugin detected that either the service was not 
+                                                <entry><para>The plugin detected that either the service was not
                                                 running or it was above some "critical" threshold</para></entry>
                                         </row>
                                         <row>
@@ -207,7 +207,7 @@
                         </tgroup>
                 </table>
 
-      
+
                 </section>
 
                 <section id="thresholdformat"><title>Threshold and ranges</title>
@@ -218,7 +218,7 @@
                 set_thresholds(thresholds *, char *, char *) function to set the thresholds.
                 </para>
                 <para>The theory is that the plugin will do some sort of check which returns
-                back a numerical value, or metric, which is then compared to the warning and 
+                back a numerical value, or metric, which is then compared to the warning and
                 critical thresholds. Use the get_status(double, thresholds *) function to
                 compare the value against the thresholds.</para>
                 <para>This is the generalised format for ranges:</para>
@@ -226,14 +226,14 @@
                 <literallayout>
                 [@]start:end
                 </literallayout>
-        
+
                 <para>Notes:</para>
                 <orderedlist>
                 <listitem><para>start &le; end</para>
                         </listitem>
                 <listitem><para>start and ":" is not required if start=0</para>
                         </listitem>
-                <listitem><para>if range is of format "start:" and end is not specified, 
+                <listitem><para>if range is of format "start:" and end is not specified,
                         assume end is infinity</para>
                         </listitem>
                 <listitem><para>to specify negative infinity, use "~"</para>
@@ -245,7 +245,7 @@
                         (inclusive of endpoints)</para>
                         </listitem>
                 </orderedlist>
-                
+
                 <para>Note: Not all plugins are coded to expect ranges in this format yet.
                 There will be some work in providing multiple metrics.</para>
 
@@ -344,7 +344,7 @@
                         </listitem>
                 <listitem><para>label can contain any characters except the equals sign or single quote (')</para>
                         </listitem>
-                <listitem><para>the single quotes for the label are optional. Required if 
+                <listitem><para>the single quotes for the label are optional. Required if
                         spaces are in the label</para>
                         </listitem>
                 <listitem><para>label length is arbitrary, but ideally the first 19 characters
@@ -353,7 +353,7 @@
                         </listitem>
                 <listitem><para>to specify a quote character, use two single quotes</para>
                         </listitem>
-                <listitem><para>warn, crit, min or max may be null (for example, if the threshold is 
+                <listitem><para>warn, crit, min or max may be null (for example, if the threshold is
                         not defined or min and max do not apply). Trailing unfilled semicolons can be
                         dropped</para>
                         </listitem>
@@ -363,12 +363,12 @@
                         same UOM. value may be a literal "U" instead, this would indicate that the
                         actual value couldn't be determined</para>
                         </listitem>
-                <listitem><para>warn and crit are in the range format (see 
+                <listitem><para>warn and crit are in the range format (see
                         <xref linkend="thresholdformat">). Must be the same UOM</para>
                         </listitem>
                 <listitem><para>UOM (unit of measurement) is one of:</para>
                         <orderedlist>
-                        <listitem><para>no unit specified - assume a number (int or float) 
+                        <listitem><para>no unit specified - assume a number (int or float)
                                 of things (eg, users, processes, load averages)</para>
                                 </listitem>
                         <listitem><para>s - seconds (also us, ms)</para></listitem>
@@ -385,9 +385,9 @@
                 </section>
 
         <section><title>Translations</title>
-        <para>If possible, use translation tools for all output to respect the user's language 
-                settings. See <xref linkend="translationsdevelopers"> for guidelines 
-                for the core plugins. 
+        <para>If possible, use translation tools for all output to respect the user's language
+                settings. See <xref linkend="translationsdevelopers"> for guidelines
+                for the core plugins.
         </para>
         </section>
 </section>
@@ -436,7 +436,7 @@
                 </section>
 
 </section>
-        
+
 
 
 
@@ -447,17 +447,17 @@
                 Perl Nagios (ePN) requires stricter use of the some of Perl's features.
                 This section outlines some of the steps needed to use ePN
                 effectively.</para>
-          
+
                 <orderedlist>
-                        
-                        <listitem><para> Do not use BEGIN and END blocks since they will be called 
-                        only once (when Nagios starts and shuts down) with Embedded Perl (ePN).  In 
+
+                        <listitem><para> Do not use BEGIN and END blocks since they will be called
+                        only once (when Nagios starts and shuts down) with Embedded Perl (ePN).  In
                         particular, do not use BEGIN blocks to initialize variables.</para>
                         </listitem>
-          
+
                         <listitem><para>To use utils.pm, you need to provide a full path to the
                         module in order for it to work.</para>
-                        
+
           <literallayout>
           e.g.
                 use lib "/usr/local/nagios/libexec";
@@ -467,24 +467,24 @@
 
                         <listitem><para>Perl scripts should be called with "-w"</para>
                         </listitem>
-                        
+
                         <listitem><para>All Perl plugins must compile cleanly under "use strict" - i.e. at
                         least explicitly package names as in "$main::x" or predeclare every
                         variable. </para>
-                        
+
 
                         <para>Explicitly initialize each variable in use.  Otherwise with
                         caching enabled, the plugin will not be recompiled each time, and
                         therefore Perl will not reinitialize all the variables.  All old
                         variable values will still be in effect.</para>
                         </listitem>
-                        
+
                         <listitem><para>Do not use &gt;DATA&lt; handles (these simply do not compile under ePN).</para>
                         </listitem>
 
                         <listitem><para>Do not use global variables in named subroutines. This is bad practise anyway, but with ePN the
                         compiler will report an error "&lt;global_var&gt; will not stay shared ..". Values used by
-                        subroutines should be passed in the argument list.</para> 
+                        subroutines should be passed in the argument list.</para>
                         </listitem>
 
                         <listitem><para>If writing to a file (perhaps recording
@@ -492,8 +492,8 @@
                         calls <emphasis role="strong">exit</emphasis>; that is caught by
                         p1.pl, so output streams are never closed.</para>
                         </listitem>
-                
-                        <listitem><para>As in <xref linkend="runtime"> all plugins need 
+
+                        <listitem><para>As in <xref linkend="runtime"> all plugins need
                         to monitor their runtime, specially if they are using network
                         resources.  Use of the <emphasis>alarm</emphasis> is recommended
                         noting that some Perl modules (eg LWP) manage timers, so that an alarm
@@ -507,9 +507,9 @@
                         and then "exit $ERRORS{'OK'}" rather than "exit 0"
                         </para>
                         </listitem>
-                        
+
                 </orderedlist>
-          
+
 </section>
 
 <section id="runtime"><title>Runtime Timeouts</title>
@@ -524,14 +524,14 @@
                 df could lock up like that.  Plus, it should just be more error
                 resistant to be able to time out rather than consume
                 resources.</para>
-                
+
                 <section><title>Use DEFAULT_SOCKET_TIMEOUT</title>
 
                 <para>All network plugins should use DEFAULT_SOCKET_TIMEOUT to timeout</para>
 
                 </section>
 
-                
+
                 <section><title>Add alarms to network plugins</title>
 
                 <para>If you write a plugin which communicates with another
@@ -543,16 +543,16 @@
 
                 </section>
 
-                
+
 
 </section>
 
 <section id="PlugOptions"><title>Plugin Options</title>
-        
-                <para>A well written plugin should have --help as a way to get 
+
+                <para>A well written plugin should have --help as a way to get
                 verbose help. Code and output should try to respect the 80x25 size of a
                 crt (remember when fixing stuff in the server room!)</para>
-                
+
                 <section><title>Option Processing</title>
 
                 <para>For plugins written in C, we recommend the C standard
@@ -585,11 +585,11 @@
           -p port or password (--port or --passwd/--password)monitors operational
           -u url or username (--url or --username)
                 </literallayout>
-          
+
                 <para>Look at check_pgsql and check_procs to see how I currently
                 think this can work.  Standard options are:</para>
 
-          
+
                 <para>The option -V or --version should be present in all
                 plugins. For C plugins it should result in a call to print_revision, a
                 function in utils.c which takes two character arguments, the
@@ -603,7 +603,7 @@
 
                 <para>The option -h or --help should be present in all plugins.
                 In C plugins, it should result in a call to print_help (or
-                equivalent).  The function print_help should call print_revision, 
+                equivalent).  The function print_help should call print_revision,
                 then print_usage, then should provide detailed
                 help. Help text should fit on an 80-character width display, but
                 may run as many lines as needed.</para>
@@ -666,7 +666,7 @@
 
       <para>As always, comments are welcome - making this consistent
       without a host of long options was quite a hassle, and I would
-      suspect that there are flaws in this strategy. 
+      suspect that there are flaws in this strategy.
       </para>
     </section>
 </section>
@@ -678,7 +678,7 @@ create and update test cases where possible.
 </para>
 
 <para>
-To run a test, from the top level directory, run "make test". This will run 
+To run a test, from the top level directory, run "make test". This will run
 all the current tests and report an overall success rate.
 </para>
 
@@ -697,7 +697,7 @@ This runs the test in a summary format.
 </para>
 
 <para>
-For a good and amusing tutorial on using Test::More, see this 
+For a good and amusing tutorial on using Test::More, see this
 <ulink url="http://search.cpan.org/dist/Test-Simple/lib/Test/Tutorial.pod">
 link</ulink>
 </para>
@@ -706,16 +706,16 @@ link</ulink>
 
 <section><title>Testing the C library functions</title>
 <para>
-We use <ulink url="http://jc.ngo.org.uk/trac-bin/trac.cgi/wiki/LibTap">the libtap library</ulink>, which gives 
+We use <ulink url="http://jc.ngo.org.uk/trac-bin/trac.cgi/wiki/LibTap">the libtap library</ulink>, which gives
 perl's TAP
 (Test Anything Protocol) output. This is used by the FreeBSD team for their regression testing.
 </para>
 
 <para>
-To run tests using the libtap library, download the latest tar ball and extract. 
-There is a problem with tap-1.01 where 
+To run tests using the libtap library, download the latest tar ball and extract.
+There is a problem with tap-1.01 where
 <ulink url="http://jc.ngo.org.uk/trac-bin/trac.cgi/ticket/25">pthread support doesn't appear to work</ulink>
-properly on non-FreeBSD systems. Install with 'CPPFLAGS="-UHAVE_LIBPTHREAD" ./configure && make && make check && make install'. 
+properly on non-FreeBSD systems. Install with 'CPPFLAGS="-UHAVE_LIBPTHREAD" ./configure && make && make check && make install'.
 </para>
 
 <para>
@@ -729,8 +729,8 @@ setup the tests. Run "make test" to run all the tests.
         <para>See <ulink url="http://www.gnu.org/prep/standards_toc.html">GNU
         Coding standards</ulink> for general guidelines.</para>
         <section><title>C coding</title>
-        
-        <para>Variables should be declared at the beginning of code blocks and 
+
+        <para>Variables should be declared at the beginning of code blocks and
         not inline because of portability with older compilers.</para>
 
         <para>You should use /* */ for comments and not // as some compilers
@@ -745,8 +745,8 @@ setup the tests. Run "make test" to run all the tests.
         <para>If you have copied a routine from another source, make sure the licence
         from your source allows this. Add a comment referencing the ACKNOWLEDGEMENTS
         file, where you can put more detail about the source.</para>
-        <para>For contributed code, do not add any named credits in the source code 
-        - contributors should be added into the THANKS.in file instead. 
+        <para>For contributed code, do not add any named credits in the source code
+        - contributors should be added into the THANKS.in file instead.
         </para>
         </section>
 
@@ -809,11 +809,11 @@ setup the tests. Run "make test" to run all the tests.
 
 
         <section id="Contributedplugins"><title>Contributed plugins</title>
-        <para>Plugins that have been contributed to the project and 
+        <para>Plugins that have been contributed to the project and
         distributed with the Monitoring Plugins files are held in the contrib/ directory and are not installed
-        by default. These plugins are not officially supported by the team. 
-        The current policy is that these plugins should be owned and maintained by the original 
-        contributor, preferably hosted on <ulink url="http://monitoringexchange.org">Monitoring Exchange</ulink>.
+        by default. These plugins are not officially supported by the team.
+        The current policy is that these plugins should be owned and maintained by the original
+        contributor, preferably hosted on <ulink url="https://exchange.icinga.com/">Icinga Exchange</ulink>.
         </para>
         <para>If patches or bugs are raised to an contributed plugin, we will start communications with the
         original contributor, but seek to remove the plugin from our distribution.
@@ -824,11 +824,11 @@ setup the tests. Run "make test" to run all the tests.
 
         <section id="Newplugins"><title>New plugins</title>
         <para>If you would like others to use your plugins, please add it to
-        the official 3rd party plugin repository, 
-        <ulink url="http://monitoringexchange.org">Monitoring Exchange</ulink>.
+        the official 3rd party plugin repository,
+        <ulink url="https://exchange.icinga.com/">Icinga Exchange</ulink>.
         </para>
 
-        <para>We are not accepting requests for inclusion of plugins into 
+        <para>We are not accepting requests for inclusion of plugins into
         our distribution at the moment, but when we do, these are the minimum
         requirements:
         </para>
@@ -843,9 +843,9 @@ setup the tests. Run "make test" to run all the tests.
           --timeout, --warning, --critical)</para>
         </listitem>
         <listitem>
-          <para>It is determined to be not redundant (for instance, we would not 
-                add a new version of check_disk just because someone had provide 
-                a plugin that had perf checking - we would incorporate the features 
+          <para>It is determined to be not redundant (for instance, we would not
+                add a new version of check_disk just because someone had provide
+                a plugin that had perf checking - we would incorporate the features
                 into an exisiting plugin)</para>
         </listitem>
         <listitem>
@@ -857,7 +857,7 @@ setup the tests. Run "make test" to run all the tests.
 utils (perl or c or sh) rather than using its own</para>
         </listitem>
         <listitem>
-          <para>Includes patches to configure.in if required (via the EXTRAS list if 
+          <para>Includes patches to configure.in if required (via the EXTRAS list if
           it will only work on some platforms)</para>
         </listitem>
         <listitem>
@@ -870,5 +870,5 @@ utils (perl or c or sh) rather than using its own</para>
 
 </section>
 </article>
-  
+
 </book>
diff --git a/plugins-root/check_icmp.c b/plugins-root/check_icmp.c
index 01ae174..f8f1535 100644
--- a/plugins-root/check_icmp.c
+++ b/plugins-root/check_icmp.c
@@ -50,19 +50,11 @@ const char *email = "devel@monitoring-plugins.org";
 #if HAVE_SYS_SOCKIO_H
 #include <sys/sockio.h>
 #endif
-#include <sys/ioctl.h>
+
 #include <sys/time.h>
-#include <sys/types.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <stdarg.h>
-#include <unistd.h>
-#include <stddef.h>
 #include <errno.h>
-#include <string.h>
+#include <signal.h>
 #include <ctype.h>
-#include <netdb.h>
-#include <sys/socket.h>
 #include <net/if.h>
 #include <netinet/in_systm.h>
 #include <netinet/in.h>
@@ -71,8 +63,6 @@ const char *email = "devel@monitoring-plugins.org";
 #include <netinet/ip_icmp.h>
 #include <netinet/icmp6.h>
 #include <arpa/inet.h>
-#include <signal.h>
-#include <float.h>
 
 
 /** sometimes undefined system macros (quite a few, actually) **/
@@ -207,7 +197,7 @@ static int add_target(char *);
 static int add_target_ip(char *, struct sockaddr_storage *);
 static int handle_random_icmp(unsigned char *, struct sockaddr_storage *);
 static void parse_address(struct sockaddr_storage *, char *, int);
-static unsigned short icmp_checksum(unsigned short *, int);
+static unsigned short icmp_checksum(uint16_t *, size_t);
 static void finish(int);
 static void crash(const char *, ...);
 
@@ -223,7 +213,7 @@ static int mode, protocols, sockets, debug = 0, timeout = 10;
 static unsigned short icmp_data_size = DEFAULT_PING_DATA_SIZE;
 static unsigned short icmp_pkt_size = DEFAULT_PING_DATA_SIZE + ICMP_MINLEN;
 
-static unsigned int icmp_sent = 0, icmp_recv = 0, icmp_lost = 0;
+static unsigned int icmp_sent = 0, icmp_recv = 0, icmp_lost = 0, ttl = 0;
 #define icmp_pkts_en_route (icmp_sent - (icmp_recv + icmp_lost))
 static unsigned short targets_down = 0, targets = 0, packets = 0;
 #define targets_alive (targets - targets_down)
@@ -233,7 +223,6 @@ static pid_t pid;
 static struct timezone tz;
 static struct timeval prog_start;
 static unsigned long long max_completion_time = 0;
-static unsigned char ttl = 0;   /* outgoing ttl */
 static unsigned int warn_down = 1, crit_down = 1; /* host down threshold values */
 static int min_hosts_alive = -1;
 float pkt_backoff_factor = 1.5;
@@ -410,6 +399,7 @@ main(int argc, char **argv)
 #ifdef SO_TIMESTAMP
         int on = 1;
 #endif
+        char *source_ip = NULL;
         char * opts_str = "vhVw:c:n:p:t:H:s:i:b:I:l:m:64";
 
         setlocale (LC_ALL, "");
@@ -464,7 +454,6 @@ main(int argc, char **argv)
         /* Parse protocol arguments first */
         for(i = 1; i < argc; i++) {
                 while((arg = getopt(argc, argv, opts_str)) != EOF) {
-                        unsigned short size;
                         switch(arg) {
                         case '4':
                                 if (address_family != -1)
@@ -487,10 +476,10 @@ main(int argc, char **argv)
         /* Reset argument scanning */
         optind = 1;
 
+        unsigned short size;
         /* parse the arguments */
         for(i = 1; i < argc; i++) {
                 while((arg = getopt(argc, argv, opts_str)) != EOF) {
-                        unsigned short size;
                         switch(arg) {
                         case 'v':
                                 debug++;
@@ -530,7 +519,7 @@ main(int argc, char **argv)
                                 add_target(optarg);
                                 break;
                         case 'l':
-                                ttl = (unsigned char)strtoul(optarg, NULL, 0);
+                                ttl = (int)strtoul(optarg, NULL, 0);
                                 break;
                         case 'm':
                                 min_hosts_alive = (int)strtoul(optarg, NULL, 0);
@@ -542,7 +531,7 @@ main(int argc, char **argv)
                                 }
                                 break;
                         case 's': /* specify source IP address */
-                                set_source_ip(optarg);
+                                source_ip = optarg;
                                 break;
                         case 'V': /* version */
                                 print_revision (progname, NP_VERSION);
@@ -597,6 +586,8 @@ main(int argc, char **argv)
                 sockets |= HAVE_ICMP;
         else icmp_sockerrno = errno;
 
+        if( source_ip )
+                set_source_ip(source_ip);
 
 #ifdef SO_TIMESTAMP
         if(setsockopt(icmp_sock, SOL_SOCKET, SO_TIMESTAMP, &on, sizeof(on)))
@@ -717,7 +708,7 @@ main(int argc, char **argv)
 static void
 run_checks()
 {
-        u_int i, t, result;
+        u_int i, t;
         u_int final_wait, time_passed;
 
         /* this loop might actually violate the pkt_interval or target_interval
@@ -735,9 +726,9 @@ run_checks()
 
                         /* we're still in the game, so send next packet */
                         (void)send_icmp_ping(icmp_sock, table[t]);
-                        result = wait_for_reply(icmp_sock, target_interval);
+                        wait_for_reply(icmp_sock, target_interval);
                 }
-                result = wait_for_reply(icmp_sock, pkt_interval * targets);
+                wait_for_reply(icmp_sock, pkt_interval * targets);
         }
 
         if(icmp_pkts_en_route && targets_alive) {
@@ -757,7 +748,7 @@ run_checks()
                  * haven't yet */
                 if(debug) printf("Waiting for %u micro-seconds (%0.3f msecs)\n",
                                                  final_wait, (float)final_wait / 1000);
-                result = wait_for_reply(icmp_sock, final_wait);
+                wait_for_reply(icmp_sock, final_wait);
         }
 }
 
@@ -776,7 +767,7 @@ static int
 wait_for_reply(int sock, u_int t)
 {
         int n, hlen;
-        static unsigned char buf[4096];
+        static unsigned char buf[65536];
         struct sockaddr_storage resp_addr;
         union ip_hdr *ip;
         union icmp_packet packet;
@@ -913,9 +904,27 @@ wait_for_reply(int sock, u_int t)
                 if(debug) {
                         char address[INET6_ADDRSTRLEN];
                         parse_address(&resp_addr, address, sizeof(address));
-                        printf("%0.3f ms rtt from %s, outgoing ttl: %u, incoming ttl: %u, max: %0.3f, min: %0.3f\n",
-                                (float)tdiff / 1000, address,
-                                ttl, ip->ip.ip_ttl, (float)host->rtmax / 1000, (float)host->rtmin / 1000);
+
+                        switch(address_family) {
+                                case AF_INET: {
+                                        printf("%0.3f ms rtt from %s, outgoing ttl: %u, incoming ttl: %u, max: %0.3f, min: %0.3f\n",
+                                                (float)tdiff / 1000,
+                                                address,
+                                                ttl,
+                                                ip->ip.ip_ttl,
+                                                (float)host->rtmax / 1000,
+                                                (float)host->rtmin / 1000);
+                                        break;
+                                          };
+                                case AF_INET6: {
+                                        printf("%0.3f ms rtt from %s, outgoing ttl: %u, max: %0.3f, min: %0.3f\n",
+                                                (float)tdiff / 1000,
+                                                address,
+                                                ttl,
+                                                (float)host->rtmax / 1000,
+                                                (float)host->rtmin / 1000);
+                                          };
+                           }
                 }
 
                 /* if we're in hostcheck mode, exit with limited printouts */
@@ -938,6 +947,7 @@ static int
 send_icmp_ping(int sock, struct rta_host *host)
 {
         long int len;
+        size_t addrlen;
         struct icmp_ping_data data;
         struct msghdr hdr;
         struct iovec iov;
@@ -969,6 +979,7 @@ send_icmp_ping(int sock, struct rta_host *host)
 
         if (address_family == AF_INET) {
                 struct icmp *icp = (struct icmp*)buf;
+                addrlen = sizeof(struct sockaddr_in);
 
                 memcpy(&icp->icmp_data, &data, sizeof(data));
 
@@ -977,7 +988,7 @@ send_icmp_ping(int sock, struct rta_host *host)
                 icp->icmp_cksum = 0;
                 icp->icmp_id = htons(pid);
                 icp->icmp_seq = htons(host->id++);
-                icp->icmp_cksum = icmp_checksum((unsigned short*)buf, icmp_pkt_size);
+                icp->icmp_cksum = icmp_checksum((uint16_t*)buf, (size_t)icmp_pkt_size);
 
                 if (debug > 2)
                         printf("Sending ICMP echo-request of len %lu, id %u, seq %u, cksum 0x%X to host %s\n",
@@ -985,7 +996,10 @@ send_icmp_ping(int sock, struct rta_host *host)
         }
         else {
                 struct icmp6_hdr *icp6 = (struct icmp6_hdr*)buf;
+                addrlen = sizeof(struct sockaddr_in6);
+
                 memcpy(&icp6->icmp6_dataun.icmp6_un_data8[4], &data, sizeof(data));
+
                 icp6->icmp6_type = ICMP6_ECHO_REQUEST;
                 icp6->icmp6_code = 0;
                 icp6->icmp6_cksum = 0;
@@ -1006,7 +1020,7 @@ send_icmp_ping(int sock, struct rta_host *host)
 
         memset(&hdr, 0, sizeof(hdr));
         hdr.msg_name = (struct sockaddr *)&host->saddr_in;
-        hdr.msg_namelen = sizeof(struct sockaddr_storage);
+        hdr.msg_namelen = addrlen;
         hdr.msg_iov = &iov;
         hdr.msg_iovlen = 1;
 
@@ -1514,18 +1528,19 @@ get_threshold(char *str, threshold *th)
 }
 
 unsigned short
-icmp_checksum(unsigned short *p, int n)
+icmp_checksum(uint16_t *p, size_t n)
 {
         unsigned short cksum;
         long sum = 0;
 
-        while(n > 2) {
-                sum += *p++;
-                n -= sizeof(unsigned short);
+        /* sizeof(uint16_t) == 2 */
+        while(n >= 2) {
+                sum += *(p++);
+                n -= 2;
         }
 
         /* mop up the occasional odd byte */
-        if(n == 1) sum += (unsigned char)*p;
+        if(n == 1) sum += *((uint8_t *)p -1);
 
         sum = (sum >> 16) + (sum & 0xffff);     /* add hi 16 to low 16 */
         sum += (sum >> 16);                     /* add carry */
diff --git a/plugins-root/t/check_icmp.t b/plugins-root/t/check_icmp.t
index e043d4e..f6aa681 100644
--- a/plugins-root/t/check_icmp.t
+++ b/plugins-root/t/check_icmp.t
@@ -12,7 +12,7 @@ my $allow_sudo = getTestParameter( "NP_ALLOW_SUDO",
         "no" );
 
 if ($allow_sudo eq "yes" or $> == 0) {
-        plan tests => 16;
+        plan tests => 20;
 } else {
         plan skip_all => "Need sudo to test check_icmp";
 }
@@ -83,3 +83,14 @@ $res = NPTest->testCmd(
 is( $res->return_code, 2, "One of two host nonresponsive - two required" );
 like( $res->output, $failureOutput, "Output OK" );
 
+$res = NPTest->testCmd(
+        "$sudo ./check_icmp -H $host_responsive -s 127.0.15.15 -w 10000ms,100% -c 10000ms,100% -n 1 -m 2"
+        );
+is( $res->return_code, 0, "IPv4 source_ip accepted" );
+like( $res->output, $successOutput, "Output OK" );
+
+$res = NPTest->testCmd(
+        "$sudo ./check_icmp -H $host_responsive -b 65507"
+        );
+is( $res->return_code, 0, "Try max paket size" );
+like( $res->output, $successOutput, "Output OK - Didn't overflow" );
diff --git a/plugins-scripts/check_disk_smb.pl b/plugins-scripts/check_disk_smb.pl
index 28c49e8..15d1634 100755..100644
--- a/plugins-scripts/check_disk_smb.pl
+++ b/plugins-scripts/check_disk_smb.pl
@@ -22,7 +22,7 @@ require 5.004;
 use POSIX qw(setsid);
 use strict;
 use Getopt::Long;
-use vars qw($opt_P $opt_V $opt_h $opt_H $opt_s $opt_W $opt_u $opt_p $opt_w $opt_c $opt_a $verbose);
+use vars qw($opt_P $opt_V $opt_h $opt_H $opt_s $opt_W $opt_u $opt_p $opt_w $opt_c $opt_a $opt_C $opt_t $verbose);
 use vars qw($PROGNAME);
 use FindBin;
 use lib "$FindBin::Bin";
@@ -43,6 +43,7 @@ $ENV{'ENV'}='';
 Getopt::Long::Configure('bundling');
 GetOptions
         ("v"   => \$verbose, "verbose"    => \$verbose,
+   "t=i" => \$opt_t,  "timeout=i"  => \$opt_t,
          "P=s" => \$opt_P, "port=s"     => \$opt_P,
          "V"   => \$opt_V, "version"    => \$opt_V,
          "h"   => \$opt_h, "help"       => \$opt_h,
@@ -53,7 +54,8 @@ GetOptions
          "s=s" => \$opt_s, "share=s"    => \$opt_s,
          "W=s" => \$opt_W, "workgroup=s" => \$opt_W,
          "H=s" => \$opt_H, "hostname=s" => \$opt_H,
-         "a=s" => \$opt_a, "address=s" => \$opt_a);
+         "a=s" => \$opt_a, "address=s" => \$opt_a,
+         "C=s" => \$opt_C, "configfile=s" => \$opt_C);
 
 if ($opt_V) {
         print_revision($PROGNAME,'@NP_VERSION@'); #'
@@ -91,6 +93,12 @@ my $warn = $1 if ($opt_w =~ /^([0-9]{1,2}\%?|100\%?|[0-9]+[kMG])$/);
 my $crit = $1 if ($opt_c =~ /^([0-9]{1,2}\%?|100\%?|[0-9]+[kMG])$/);
 ($crit) || usage("Invalid critical threshold: $opt_c\n");
 
+($opt_C) || ($opt_C = shift @ARGV) || ($opt_C = "");
+my $configfile = $opt_C if ($opt_C);
+usage("Unable to read config file $configfile\n") if ($configfile) && (! -r $configfile);
+
+if ($opt_t && $opt_t =~ /^([0-9]+)$/) { $TIMEOUT = $1; }
+
 # Execute the given command line and return anything it writes to STDOUT and/or
 # STDERR.  (This might be useful for other plugins, too, so it should possibly
 # be moved to utils.pm.)
@@ -193,6 +201,7 @@ my @cmd = (
         defined($workgroup) ? ("-W", $workgroup) : (),
         defined($address) ? ("-I", $address) : (),
         defined($opt_P) ? ("-p", $opt_P) : (),
+        defined($configfile) ? ("-s", $configfile) : (),
         "-c", "du"
 );
 
@@ -292,7 +301,8 @@ exit $ERRORS{$state};
 
 sub print_usage () {
         print "Usage: $PROGNAME -H <host> -s <share> -u <user> -p <password> 
-      -w <warn> -c <crit> [-W <workgroup>] [-P <port>] [-a <IP>]\n";
+      -w <warn> -c <crit> [-W <workgroup>] [-P <port>] [-a <IP>] [-t timeout]
+      [-C <configfile>]\n";
 }
 
 sub print_help () {
@@ -318,11 +328,14 @@ Perl Check SMB Disk plugin for monitoring
    Password to log in to server. (Defaults to an empty password)
 -w, --warning=INTEGER or INTEGER[kMG]
    Percent of used space at which a warning will be generated (Default: 85%)
-      
 -c, --critical=INTEGER or INTEGER[kMG]
    Percent of used space at which a critical will be generated (Defaults: 95%)
+-t, --timeout=INTEGER
+   Seconds before connection times out (Default: 15)
 -P, --port=INTEGER
    Port to be used to connect to. Some Windows boxes use 139, others 445 (Defaults to smbclient default)
+-C, --configfile=STRING
+   Path to configfile which should be used by smbclient (Defaults to smb.conf of your smb installation)
    
    If thresholds are followed by either a k, M, or G then check to see if that
    much disk space is available (kilobytes, Megabytes, Gigabytes)
diff --git a/plugins-scripts/check_mailq.pl b/plugins-scripts/check_mailq.pl
index 3914f4a..4c72332 100755
--- a/plugins-scripts/check_mailq.pl
+++ b/plugins-scripts/check_mailq.pl
@@ -567,17 +567,17 @@ exit $state;
 
 sub process_arguments(){
         GetOptions
-                ("V"   => \$opt_V, "version"    => \$opt_V,
-                 "v"   => \$opt_v, "verbose"    => \$opt_v,
-                 "h"   => \$opt_h, "help"               => \$opt_h,
+                ("V"   => \$opt_V, "version"    => \$opt_V,
+                 "v"   => \$opt_v, "verbose"    => \$opt_v,
+                 "h"   => \$opt_h, "help"       => \$opt_h,
                  "M:s" => \$opt_M, "mailserver:s" => \$opt_M, # mailserver (default     sendmail)
                  "w=i" => \$opt_w, "warning=i"  => \$opt_w,   # warning if above this number
-                 "c=i" => \$opt_c, "critical=i" => \$opt_c,       # critical if above this number
+                 "c=i" => \$opt_c, "critical=i" => \$opt_c,   # critical if above this number
+                 "W=i" => \$opt_W, "warning-domain=i"  => \$opt_W,   # Warning if above this number
+                 "C=i" => \$opt_C, "critical-domain=i" => \$opt_C,   # Critical if above this number
                  "t=i" => \$opt_t, "timeout=i"  => \$opt_t,
                  "s"   => \$opt_s, "sudo"       => \$opt_s,
                  "d:s" => \$opt_d, "configdir:s" => \$opt_d,
-                 "W=i" => \$opt_W,                            # warning if above this number
-                 "C=i" => \$opt_C,                            # critical if above this number
                  );
 
         if ($opt_V) {
@@ -671,15 +671,15 @@ sub print_help () {
         print "   Feedback/patches to support non-sendmail mailqueue welcome\n\n";
         print "-w (--warning)   = Min. number of messages in queue to generate warning\n";
         print "-c (--critical)  = Min. number of messages in queue to generate critical alert ( w < c )\n";
-        print "-W               = Min. number of messages for same domain in queue to generate warning\n";
-        print "-C               = Min. number of messages for same domain in queue to generate critical alert ( W < C )\n";
+        print "-W (--warning-domain)  = Min. number of messages for same domain in queue to generate warning\n";
+        print "-C (--critical-domain) = Min. number of messages for same domain in queue to generate critical alert ( W < C )\n";
         print "-t (--timeout)   = Plugin timeout in seconds (default = $utils::TIMEOUT)\n";
         print "-M (--mailserver) = [ sendmail | qmail | postfix | exim | nullmailer ] (default = autodetect)\n";
         print "-s (--sudo)      = Use sudo to call the mailq command\n";
         print "-d (--configdir) = Config file or directory\n";
         print "-h (--help)\n";
         print "-V (--version)\n";
-        print "-v (--verbose)   = debugging output\n";
+        print "-v (--verbose)         = debugging output\n";
         print "\n\n";
         print "Note: -w and -c are required arguments.  -W and -C are optional.\n";
         print " -W and -C are applied to domains listed on the queues - both FROM and TO. (sendmail)\n";
diff --git a/plugins-scripts/check_uptime.pl b/plugins-scripts/check_uptime.pl
index 4c9f22d..f954287 100755
--- a/plugins-scripts/check_uptime.pl
+++ b/plugins-scripts/check_uptime.pl
@@ -25,7 +25,7 @@ use POSIX;
 use strict;
 use Getopt::Long;
 use vars qw($opt_V $opt_h $opt_v $verbose $PROGNAME $opt_w $opt_c
-                                        $opt_f $opt_s
+                                        $opt_f $opt_s $opt_d
                                         $lower_warn_threshold $upper_warn_threshold
                                         $lower_crit_threshold $upper_crit_threshold
                                         $status $state $msg);
@@ -137,9 +137,20 @@ if ( $uptime_seconds > $upper_crit_threshold ) {
         $state_str = "OK";
 }
 
+# Prepare uptime value (seconds or days)
+my $uptime_text = "";
+my $uptime_unit = "";
+if ( $opt_d ) {
+        $uptime_text = floor($uptime_seconds / 60 / 60 / 24);
+        $uptime_unit = "days";
+} else {
+        $uptime_text = $uptime_seconds;
+        $uptime_unit = "seconds";
+}
+
 $msg = "$state_str: ";
 
-$msg .= "uptime is $uptime_seconds seconds. ";
+$msg .= "Uptime is $uptime_text $uptime_unit. ";
 $msg .= "Exceeds $out_of_bounds_text threshold. "  if  $out_of_bounds_text;
 $msg .= "Running for $pretty_uptime. "  if  $opt_f;
 if ( $opt_s ) {
@@ -167,6 +178,7 @@ sub process_arguments(){
                  "c=s" => \$opt_c, "critical=s" => \$opt_c,       # critical if above this number
                  "f"   => \$opt_f, "for"        => \$opt_f,       # show "running for ..."
                  "s"   => \$opt_s, "since"      => \$opt_s,       # show "running since ..."
+                 "d"   => \$opt_d, "days"       => \$opt_d,       # report uptime in days
                  );
 
         if ($opt_V) {
@@ -262,6 +274,7 @@ sub print_help () {
         print "-c (--critical)  = Min. number of uptime to generate critical alert ( w < c )\n";
         print "-f (--for)       = Show uptime in a pretty format (Running for x weeks, x days, ...)\n";
         print "-s (--since)     = Show last boot in yyyy-mm-dd HH:MM:SS format (output from 'uptime -s')\n";
+        print "-d (--days)      = Show uptime in days\n";
         print "-h (--help)\n";
         print "-V (--version)\n";
         print "-v (--verbose)   = debugging output\n";
diff --git a/plugins-scripts/t/check_uptime.t b/plugins-scripts/t/check_uptime.t
index c395307..6e81db3 100644
--- a/plugins-scripts/t/check_uptime.t
+++ b/plugins-scripts/t/check_uptime.t
@@ -5,7 +5,7 @@
 #
 
 use strict;
-use Test::More tests => 40;
+use Test::More tests => 42;
 use NPTest;
 
 my $result;
@@ -46,29 +46,35 @@ cmp_ok( $result->return_code, '==', 2, "Uptime higher than 2 seconds" );
 like  ( $result->output, '/Running since \d+/', "Output for the s parameter correct" );
 
 $result = NPTest->testCmd(
+        "./check_uptime -d -w 1 -c 2"
+        );
+cmp_ok( $result->return_code, '==', 2, "Uptime higher than 2 seconds" );
+like  ( $result->output, '/CRITICAL: Uptime is \d+ days/', "Output for the d parameter correct" );
+
+$result = NPTest->testCmd(
         "./check_uptime -w 1 -c 2"
         );
 cmp_ok( $result->return_code, '==', 2, "Uptime higher than 2 seconds" );
-like  ( $result->output, '/^CRITICAL: uptime is \d+ seconds/', "Output for uptime higher than 2 seconds correct" );
+like  ( $result->output, '/^CRITICAL: Uptime is \d+ seconds/', "Output for uptime higher than 2 seconds correct" );
 
 $result = NPTest->testCmd(
         "./check_uptime -w 1 -c 9999w"
         );
 cmp_ok( $result->return_code, '==', 1, "Uptime lower than 9999 weeks" );
-like  ( $result->output, '/^WARNING: uptime is \d+ seconds/', "Output for uptime lower than 9999 weeks correct" );
+like  ( $result->output, '/^WARNING: Uptime is \d+ seconds/', "Output for uptime lower than 9999 weeks correct" );
 
 $result = NPTest->testCmd(
         "./check_uptime -w 9998w -c 9999w"
         );
 cmp_ok( $result->return_code, '==', 0, "Uptime lower than 9998 weeks" );
-like  ( $result->output, '/^OK: uptime is \d+ seconds/', "Output for uptime lower than 9998 weeks correct" );
+like  ( $result->output, '/^OK: Uptime is \d+ seconds/', "Output for uptime lower than 9998 weeks correct" );
 like  ( $result->output, '/\|uptime=[0-9]+s;6046790400;6047395200;/', "Checking for performance output" );
 
 $result = NPTest->testCmd(
         "./check_uptime -w 111222d -c 222333d"
         );
 cmp_ok( $result->return_code, '==', 0, "Uptime lower than 111222 days" );
-like  ( $result->output, '/^OK: uptime is \d+ seconds/', "Output for uptime lower than 111222 days correct" );
+like  ( $result->output, '/^OK: Uptime is \d+ seconds/', "Output for uptime lower than 111222 days correct" );
 like  ( $result->output, '/\|uptime=[0-9]+s;9609580800;19209571200;/', "Checking for performance output" );
 
 # Same as before, hopefully uptime is higher than 2 seconds so no warning
@@ -76,7 +82,7 @@ $result = NPTest->testCmd(
         "./check_uptime -w 2:111222d -c 1:222333d"
         );
 cmp_ok( $result->return_code, '==', 0, "Uptime lower than 111222 days, and higher 2 seconds" );
-like  ( $result->output, '/^OK: uptime is \d+ seconds/', "Output for uptime lower than 111222 days, and higher 2 seconds correct" );
+like  ( $result->output, '/^OK: Uptime is \d+ seconds/', "Output for uptime lower than 111222 days, and higher 2 seconds correct" );
 like  ( $result->output, '/\|uptime=[0-9]+s;9609580800;19209571200;/', "Checking for performance output" );
 
 # Same as before, now the low warning should trigger
@@ -84,7 +90,7 @@ $result = NPTest->testCmd(
         "./check_uptime -w 111221d:111222d -c 1:222333d"
         );
 cmp_ok( $result->return_code, '==', 1, "Uptime lower than 111221 days raises warning" );
-like  ( $result->output, '/^WARNING: uptime is \d+ seconds/', "Output for uptime lower than 111221 days correct" );
+like  ( $result->output, '/^WARNING: Uptime is \d+ seconds/', "Output for uptime lower than 111221 days correct" );
 like  ( $result->output, '/Exceeds lower warn threshold/', "Exceeds text correct" );
 like  ( $result->output, '/\|uptime=[0-9]+s;9609580800;19209571200;/', "Checking for performance output" );
 
@@ -93,7 +99,7 @@ $result = NPTest->testCmd(
         "./check_uptime -w 111221d:111222d -c 111220d:222333d"
         );
 cmp_ok( $result->return_code, '==', 2, "Uptime lower than 111220 days raises critical" );
-like  ( $result->output, '/^CRITICAL: uptime is \d+ seconds/', "Output for uptime lower than 111220 days correct" );
+like  ( $result->output, '/^CRITICAL: Uptime is \d+ seconds/', "Output for uptime lower than 111220 days correct" );
 like  ( $result->output, '/Exceeds lower crit threshold/', "Exceeds text correct" );
 like  ( $result->output, '/\|uptime=[0-9]+s;9609580800;19209571200;/', "Checking for performance output" );
 
diff --git a/plugins/check_by_ssh.c b/plugins/check_by_ssh.c
index 485bf3b..1ad547e 100644
--- a/plugins/check_by_ssh.c
+++ b/plugins/check_by_ssh.c
@@ -49,6 +49,8 @@ unsigned int commands = 0;
 unsigned int services = 0;
 int skip_stdout = 0;
 int skip_stderr = 0;
+int warn_on_stderr = 0;
+bool unknown_timeout = FALSE;
 char *remotecmd = NULL;
 char **commargv = NULL;
 int commargc = 0;
@@ -100,6 +102,13 @@ main (int argc, char **argv)
 
         result = cmd_run_array (commargv, &chld_out, &chld_err, 0);
 
+        /* SSH returns 255 if connection attempt fails; include the first line of error output */
+        if (result == 255 && unknown_timeout) {
+                printf (_("SSH connection failed: %s\n"),
+                        chld_err.lines > 0 ? chld_err.line[0] : "(no error output)");
+                return STATE_UNKNOWN;
+        }
+
         if (verbose) {
                 for(i = 0; i < chld_out.lines; i++)
                         printf("stdout: %s\n", chld_out.line[i]);
@@ -116,7 +125,10 @@ main (int argc, char **argv)
         if(chld_err.lines > skip_stderr) {
                 printf (_("Remote command execution failed: %s\n"),
                         chld_err.line[skip_stderr]);
-                return max_state_alt(result, STATE_UNKNOWN);
+                if ( warn_on_stderr ) 
+                        return max_state_alt(result, STATE_WARNING);
+                else
+                        return max_state_alt(result, STATE_UNKNOWN);
         }
 
         /* this is simple if we're not supposed to be passive.
@@ -176,6 +188,7 @@ process_arguments (int argc, char **argv)
                 {"verbose", no_argument, 0, 'v'},
                 {"fork", no_argument, 0, 'f'},
                 {"timeout", required_argument, 0, 't'},
+                {"unknown-timeout", no_argument, 0, 'U'},
                 {"host", required_argument, 0, 'H'},    /* backward compatibility */
                 {"hostname", required_argument, 0, 'H'},
                 {"port", required_argument,0,'p'},
@@ -189,6 +202,7 @@ process_arguments (int argc, char **argv)
                 {"skip", optional_argument, 0, 'S'}, /* backwards compatibility */
                 {"skip-stdout", optional_argument, 0, 'S'},
                 {"skip-stderr", optional_argument, 0, 'E'},
+                {"warn-on-stderr", no_argument, 0, 'W'},
                 {"proto1", no_argument, 0, '1'},
                 {"proto2", no_argument, 0, '2'},
                 {"use-ipv4", no_argument, 0, '4'},
@@ -207,7 +221,7 @@ process_arguments (int argc, char **argv)
                         strcpy (argv[c], "-t");
 
         while (1) {
-                c = getopt_long (argc, argv, "Vvh1246fqt:H:O:p:i:u:l:C:S::E::n:s:o:F:", longopts,
+                c = getopt_long (argc, argv, "Vvh1246fqt:UH:O:p:i:u:l:C:S::E::n:s:o:F:", longopts,
                                  &option);
 
                 if (c == -1 || c == EOF)
@@ -229,6 +243,9 @@ process_arguments (int argc, char **argv)
                         else
                                 timeout_interval = atoi (optarg);
                         break;
+                case 'U':
+                        unknown_timeout = TRUE;
+                        break;
                 case 'H':                                                                       /* host */
                         hostname = optarg;
                         break;
@@ -307,6 +324,9 @@ process_arguments (int argc, char **argv)
                         else
                                 skip_stderr = atoi (optarg);
                         break;
+                case 'W':                                                                       /* exit with warning if there is an output on stderr */
+                        warn_on_stderr = 1;
+                        break;
                 case 'o':                                                                       /* Extra options for the ssh command */
                         comm_append("-o");
                         comm_append(optarg);
@@ -413,6 +433,8 @@ print_help (void)
   printf ("    %s\n", _("Ignore all or (if specified) first n lines on STDOUT [optional]"));
   printf (" %s\n", "-E, --skip-stderr[=n]");
   printf ("    %s\n", _("Ignore all or (if specified) first n lines on STDERR [optional]"));
+  printf (" %s\n", "-W, --warn-on-stderr]");
+  printf ("    %s\n", _("Exit with an warning, if there is an output on STDERR"));
   printf (" %s\n", "-f");
   printf ("    %s\n", _("tells ssh to fork rather than create a tty [optional]. This will always return OK if ssh is executed"));
   printf (" %s\n","-C, --command='COMMAND STRING'");
@@ -435,6 +457,8 @@ print_help (void)
   printf ("    %s\n", _("Tell ssh to suppress warning and diagnostic messages [optional]"));
         printf (UT_WARN_CRIT);
         printf (UT_CONN_TIMEOUT, DEFAULT_SOCKET_TIMEOUT);
+        printf (" %s\n","-U, --unknown-timeout");
+        printf ("    %s\n", _("Make connection problems return UNKNOWN instead of CRITICAL"));
         printf (UT_VERBOSE);
         printf("\n");
   printf (" %s\n", _("The most common mode of use is to refer to a local identity file with"));
@@ -464,8 +488,8 @@ void
 print_usage (void)
 {
         printf ("%s\n", _("Usage:"));
-        printf (" %s -H <host> -C <command> [-fqv] [-1|-2] [-4|-6]\n"
-                "       [-S [lines]] [-E [lines]] [-t timeout] [-i identity]\n"
+        printf (" %s -H <host> -C <command> [-fqvU] [-1|-2] [-4|-6]\n"
+                "       [-S [lines]] [-E [lines]] [-W] [-t timeout] [-i identity]\n"
                 "       [-l user] [-n name] [-s servicelist] [-O outputfile]\n"
                 "       [-p port] [-o ssh-option] [-F configfile]\n",
                 progname);
diff --git a/plugins/check_curl.c b/plugins/check_curl.c
index 14cc846..a69854a 100644
--- a/plugins/check_curl.c
+++ b/plugins/check_curl.c
@@ -66,13 +66,13 @@ const char *email = "devel@monitoring-plugins.org";
 #define DEFAULT_BUFFER_SIZE 2048
 #define DEFAULT_SERVER_URL "/"
 #define HTTP_EXPECT "HTTP/"
-#define DEFAULT_MAX_REDIRS 15
 #define INET_ADDR_MAX_SIZE INET6_ADDRSTRLEN
 enum {
   MAX_IPV4_HOSTLENGTH = 255,
   HTTP_PORT = 80,
   HTTPS_PORT = 443,
-  MAX_PORT = 65535
+  MAX_PORT = 65535,
+  DEFAULT_MAX_REDIRS = 15
 };
 
 enum {
@@ -193,6 +193,7 @@ int followsticky = STICKY_NONE;
 int use_ssl = FALSE;
 int use_sni = TRUE;
 int check_cert = FALSE;
+int continue_after_check_cert = FALSE;
 typedef union {
   struct curl_slist* to_info;
   struct curl_certinfo* to_certinfo;
@@ -754,7 +755,9 @@ check_http (void)
          * and we actually have OpenSSL in the monitoring tools
          */
         result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
-        return result;
+        if (continue_after_check_cert == FALSE) {
+          return result;
+        }
 #else /* USE_OPENSSL */
         die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates - OpenSSL callback used and not linked against OpenSSL\n");
 #endif /* USE_OPENSSL */
@@ -794,13 +797,17 @@ GOT_FIRST_CERT:
           }
           BIO_free (cert_BIO);
           result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
-          return result;
+          if (continue_after_check_cert == FALSE) {
+            return result;
+          }
 #else /* USE_OPENSSL */
           /* We assume we don't have OpenSSL and np_net_ssl_check_certificate at our disposal,
            * so we use the libcurl CURLINFO data
            */
           result = net_noopenssl_check_certificate(&cert_ptr, days_till_exp_warn, days_till_exp_crit);
-          return result;
+          if (continue_after_check_cert == FALSE) {
+            return result;
+          }
 #endif /* USE_OPENSSL */
         } else {
           snprintf (msg, DEFAULT_BUFFER_SIZE, _("Cannot retrieve certificates - cURL returned %d - %s"),
@@ -1054,7 +1061,7 @@ redir (curlhelp_write_curlbuf* header_buf)
   char *new_url;
 
   int res = phr_parse_response (header_buf->buf, header_buf->buflen,
-    &status_line.http_minor, &status_line.http_code, &status_line.msg, &msglen,
+    &status_line.http_major, &status_line.http_minor, &status_line.http_code, &status_line.msg, &msglen,
     headers, &nof_headers, 0);
 
   location = get_header_value (headers, nof_headers, "location");
@@ -1210,6 +1217,8 @@ process_arguments (int argc, char **argv)
   enum {
     INVERT_REGEX = CHAR_MAX + 1,
     SNI_OPTION,
+    MAX_REDIRS_OPTION,
+    CONTINUE_AFTER_CHECK_CERT,
     CA_CERT_OPTION,
     HTTP_VERSION_OPTION,
     AUTOMATIC_DECOMPRESSION
@@ -1243,6 +1252,7 @@ process_arguments (int argc, char **argv)
     {"private-key", required_argument, 0, 'K'},
     {"ca-cert", required_argument, 0, CA_CERT_OPTION},
     {"verify-cert", no_argument, 0, 'D'},
+    {"continue-after-certificate", no_argument, 0, CONTINUE_AFTER_CHECK_CERT},
     {"useragent", required_argument, 0, 'A'},
     {"header", required_argument, 0, 'k'},
     {"no-body", no_argument, 0, 'N'},
@@ -1254,6 +1264,7 @@ process_arguments (int argc, char **argv)
     {"use-ipv6", no_argument, 0, '6'},
     {"extended-perfdata", no_argument, 0, 'E'},
     {"show-body", no_argument, 0, 'B'},
+    {"max-redirs", required_argument, 0, MAX_REDIRS_OPTION},
     {"http-version", required_argument, 0, HTTP_VERSION_OPTION},
     {"enable-automatic-decompression", no_argument, 0, AUTOMATIC_DECOMPRESSION},
     {0, 0, 0, 0}
@@ -1401,6 +1412,11 @@ process_arguments (int argc, char **argv)
       check_cert = TRUE;
       goto enable_ssl;
 #endif
+    case CONTINUE_AFTER_CHECK_CERT: /* don't stop after the certificate is checked */
+#ifdef HAVE_SSL
+      continue_after_check_cert = TRUE;
+      break;
+#endif
     case 'J': /* use client certificate */
 #ifdef LIBCURL_FEATURE_SSL
       test_file(optarg);
@@ -1512,6 +1528,13 @@ process_arguments (int argc, char **argv)
       use_sni = TRUE;
       break;
 #endif /* LIBCURL_FEATURE_SSL */
+    case MAX_REDIRS_OPTION:
+      if (!is_intnonneg (optarg))
+        usage2 (_("Invalid max_redirs count"), optarg);
+      else {
+        max_depth = atoi (optarg);
+      }
+      break;    
     case 'f': /* onredirect */
       if (!strcmp (optarg, "ok"))
         onredirect = STATE_OK;
@@ -1791,7 +1814,11 @@ print_help (void)
 #endif
   printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]");
   printf ("    %s\n", _("Minimum number of days a certificate has to be valid. Port defaults to 443"));
-  printf ("    %s\n", _("(when this option is used the URL is not checked.)"));
+  printf ("    %s\n", _("(when this option is used the URL is not checked by default. You can use"));
+  printf ("    %s\n", _(" --continue-after-certificate to override this behavior)"));
+  printf (" %s\n", "--continue-after-certificate");
+  printf ("    %s\n", _("Allows the HTTP check to continue after performing the certificate check."));
+  printf ("    %s\n", _("Does nothing unless -C is used."));
   printf (" %s\n", "-J, --client-cert=FILE");
   printf ("   %s\n", _("Name of file that contains the client certificate (PEM format)"));
   printf ("   %s\n", _("to be used in establishing the SSL session"));
@@ -1854,6 +1881,9 @@ print_help (void)
   printf ("    %s\n", _("specified IP address. stickyport also ensures port stays the same."));
   printf ("    %s\n", _("follow uses the old redirection algorithm of check_http."));
   printf ("    %s\n", _("curl uses CURL_FOLLOWLOCATION built into libcurl."));
+  printf (" %s\n", "--max-redirs=INTEGER");
+  printf ("    %s", _("Maximal number of redirects (default: "));
+  printf ("%d)\n", DEFAULT_MAX_REDIRS);
   printf (" %s\n", "-m, --pagesize=INTEGER<:INTEGER>");
   printf ("    %s\n", _("Minimum page size required (bytes) : Maximum page size required (bytes)"));
   printf ("\n");
@@ -2188,7 +2218,7 @@ check_document_dates (const curlhelp_write_curlbuf *header_buf, char (*msg)[DEFA
   size_t msglen;
 
   int res = phr_parse_response (header_buf->buf, header_buf->buflen,
-    &status_line.http_minor, &status_line.http_code, &status_line.msg, &msglen,
+    &status_line.http_major, &status_line.http_minor, &status_line.http_code, &status_line.msg, &msglen,
     headers, &nof_headers, 0);
 
   server_date = get_header_value (headers, nof_headers, "date");
@@ -2246,7 +2276,7 @@ get_content_length (const curlhelp_write_curlbuf* header_buf, const curlhelp_wri
   curlhelp_statusline status_line;
 
   int res = phr_parse_response (header_buf->buf, header_buf->buflen,
-    &status_line.http_minor, &status_line.http_code, &status_line.msg, &msglen,
+    &status_line.http_major, &status_line.http_minor, &status_line.http_code, &status_line.msg, &msglen,
     headers, &nof_headers, 0);
 
   content_length_s = get_header_value (headers, nof_headers, "content-length");
diff --git a/plugins/check_disk.c b/plugins/check_disk.c
index 54befca..66c5dd3 100644
--- a/plugins/check_disk.c
+++ b/plugins/check_disk.c
@@ -230,8 +230,10 @@ main (int argc, char **argv)
   /* Process for every path in list */
   for (path = path_select_list; path; path=path->name_next) {
     if (verbose >= 3 && path->freespace_percent->warning != NULL && path->freespace_percent->critical != NULL)
-      printf("Thresholds(pct) for %s warn: %f crit %f\n",path->name, path->freespace_percent->warning->end,
-                                                         path->freespace_percent->critical->end);
+      printf("Thresholds(pct) for %s warn: %f crit %f\n",
+        path->name,
+        path->freespace_percent->warning->end,
+        path->freespace_percent->critical->end);
 
     if (verbose >= 3 && path->group != NULL)
       printf("Group of %s: %s\n",path->name,path->group);
@@ -959,7 +961,7 @@ print_help (void)
   printf ("    %s\n", _("Only check local filesystems against thresholds. Yet call stat on remote filesystems"));
   printf ("    %s\n", _("to test if they are accessible (e.g. to detect Stale NFS Handles)"));
   printf (" %s\n", "-M, --mountpoint");
-  printf ("    %s\n", _("Display the mountpoint instead of the partition"));
+  printf ("    %s\n", _("Display the (block) device instead of the mount point"));
   printf (" %s\n", "-m, --megabytes");
   printf ("    %s\n", _("Same as '--units MB'"));
   printf (" %s\n", "-A, --all");
diff --git a/plugins/check_fping.c b/plugins/check_fping.c
index 521d0fe..be9362a 100644
--- a/plugins/check_fping.c
+++ b/plugins/check_fping.c
@@ -37,6 +37,7 @@ const char *email = "devel@monitoring-plugins.org";
 #include "popen.h"
 #include "netutils.h"
 #include "utils.h"
+#include <stdbool.h>
 
 enum {
   PACKET_COUNT = 1,
@@ -65,6 +66,7 @@ double crta;
 double wrta;
 int cpl_p = FALSE;
 int wpl_p = FALSE;
+bool alive_p = FALSE;
 int crta_p = FALSE;
 int wrta_p = FALSE;
 
@@ -147,9 +149,11 @@ main (int argc, char **argv)
   (void) fclose (child_stderr);
 
   /* close the pipe */
-  if (result = spclose (child_process))
+  result = spclose (child_process);
+  if (result) {
     /* need to use max_state not max */
     status = max_state (status, STATE_WARNING);
+  }
 
   if (result > 1 ) {
     status = max_state (status, STATE_UNKNOWN);
@@ -171,10 +175,7 @@ main (int argc, char **argv)
 }
 
 
-
-int
-textscan (char *buf)
-{
+int textscan (char *buf) {
   char *rtastr = NULL;
   char *losstr = NULL;
   char *xmtstr = NULL;
@@ -183,6 +184,20 @@ textscan (char *buf)
   double xmt;
   int status = STATE_UNKNOWN;
 
+  /* stops testing after the first successful reply. */
+  if (alive_p && strstr(buf, "avg, 0% loss)")) {
+    rtastr = strstr (buf, "ms (");
+    rtastr = 1 + index(rtastr, '(');
+    rta = strtod(rtastr, NULL);
+    loss=strtod("0",NULL);
+    die (STATE_OK,
+         _("FPING %s - %s (rta=%f ms)|%s\n"),
+         state_text (STATE_OK), server_name,rta,
+                 /* No loss since we only waited for the first reply
+         perfdata ("loss", (long int)loss, "%", wpl_p, wpl, cpl_p, cpl, TRUE, 0, TRUE, 100), */
+         fperfdata ("rta", rta/1.0e3, "s", wrta_p, wrta/1.0e3, crta_p, crta/1.0e3, TRUE, 0, FALSE, 0));
+  }
+
   if (strstr (buf, "not found")) {
     die (STATE_CRITICAL, _("FPING UNKNOWN - %s not found\n"), server_name);
 
@@ -278,6 +293,7 @@ process_arguments (int argc, char **argv)
     {"sourceif", required_argument, 0, 'I'},
     {"critical", required_argument, 0, 'c'},
     {"warning", required_argument, 0, 'w'},
+        {"alive", no_argument, 0, 'a'},
     {"bytes", required_argument, 0, 'b'},
     {"number", required_argument, 0, 'n'},
     {"target-timeout", required_argument, 0, 'T'},
@@ -304,7 +320,7 @@ process_arguments (int argc, char **argv)
   }
 
   while (1) {
-    c = getopt_long (argc, argv, "+hVvH:S:c:w:b:n:T:i:I:46", longopts, &option);
+    c = getopt_long (argc, argv, "+hVvaH:S:c:w:b:n:T:i:I:46", longopts, &option);
 
     if (c == -1 || c == EOF || c == 1)
       break;
@@ -312,6 +328,9 @@ process_arguments (int argc, char **argv)
     switch (c) {
     case '?':                 /* print short usage statement if args not parsable */
       usage5 ();
+    case 'a':                 /* host alive mode */
+      alive_p = TRUE;
+      break;
     case 'h':                 /* help */
       print_help ();
       exit (STATE_UNKNOWN);
@@ -446,9 +465,7 @@ get_threshold (char *arg, char *rv[2])
 }
 
 
-void
-print_help (void)
-{
+void print_help (void) {
 
   print_revision (progname, NP_VERSION);
 
@@ -474,6 +491,8 @@ print_help (void)
   printf ("    %s\n", _("warning threshold pair"));
   printf (" %s\n", "-c, --critical=THRESHOLD");
   printf ("    %s\n", _("critical threshold pair"));
+  printf (" %s\n", "-a, --alive");
+  printf ("    %s\n", _("Return OK after first successfull reply"));
   printf (" %s\n", "-b, --bytes=INTEGER");
   printf ("    %s (default: %d)\n", _("size of ICMP packet"),PACKET_SIZE);
   printf (" %s\n", "-n, --number=INTEGER");
diff --git a/plugins/check_http.c b/plugins/check_http.c
index 34fb4f0..f8ec853 100644
--- a/plugins/check_http.c
+++ b/plugins/check_http.c
@@ -52,11 +52,13 @@ enum {
   MAX_IPV4_HOSTLENGTH = 255,
   HTTP_PORT = 80,
   HTTPS_PORT = 443,
-  MAX_PORT = 65535
+  MAX_PORT = 65535,
+  DEFAULT_MAX_REDIRS = 15
 };
 
 #ifdef HAVE_SSL
 int check_cert = FALSE;
+int continue_after_check_cert = FALSE;
 int ssl_version = 0;
 int days_till_exp_warn, days_till_exp_crit;
 char *randbuff;
@@ -125,7 +127,7 @@ int sd;
 int min_page_len = 0;
 int max_page_len = 0;
 int redir_depth = 0;
-int max_depth = 15;
+int max_depth = DEFAULT_MAX_REDIRS;
 char *http_method;
 char *http_method_proxy;
 char *http_post_data;
@@ -203,7 +205,9 @@ process_arguments (int argc, char **argv)
 
   enum {
     INVERT_REGEX = CHAR_MAX + 1,
-    SNI_OPTION
+    SNI_OPTION,
+    MAX_REDIRS_OPTION,
+    CONTINUE_AFTER_CHECK_CERT
   };
 
   int option = 0;
@@ -231,6 +235,7 @@ process_arguments (int argc, char **argv)
     {"certificate", required_argument, 0, 'C'},
     {"client-cert", required_argument, 0, 'J'},
     {"private-key", required_argument, 0, 'K'},
+    {"continue-after-certificate", no_argument, 0, CONTINUE_AFTER_CHECK_CERT},
     {"useragent", required_argument, 0, 'A'},
     {"header", required_argument, 0, 'k'},
     {"no-body", no_argument, 0, 'N'},
@@ -242,6 +247,7 @@ process_arguments (int argc, char **argv)
     {"use-ipv6", no_argument, 0, '6'},
     {"extended-perfdata", no_argument, 0, 'E'},
     {"show-body", no_argument, 0, 'B'},
+    {"max-redirs", required_argument, 0, MAX_REDIRS_OPTION},
     {0, 0, 0, 0}
   };
 
@@ -329,6 +335,11 @@ process_arguments (int argc, char **argv)
       check_cert = TRUE;
       goto enable_ssl;
 #endif
+    case CONTINUE_AFTER_CHECK_CERT: /* don't stop after the certificate is checked */
+#ifdef HAVE_SSL
+      continue_after_check_cert = TRUE;
+      break;
+#endif
     case 'J': /* use client certificate */
 #ifdef HAVE_SSL
       test_file(optarg);
@@ -373,6 +384,13 @@ process_arguments (int argc, char **argv)
     case SNI_OPTION:
       use_sni = TRUE;
       break;
+    case MAX_REDIRS_OPTION:
+      if (!is_intnonneg (optarg))
+        usage2 (_("Invalid max_redirs count"), optarg);
+      else {
+        max_depth = atoi (optarg);
+      }
+      break;    
     case 'f': /* onredirect */
       if (!strcmp (optarg, "stickyport"))
         onredirect = STATE_DEPENDENT, followsticky = STICKY_HOST|STICKY_PORT;
@@ -971,9 +989,11 @@ check_http (void)
     elapsed_time_ssl = (double)microsec_ssl / 1.0e6;
     if (check_cert == TRUE) {
       result = np_net_ssl_check_cert(days_till_exp_warn, days_till_exp_crit);
-      if (sd) close(sd);
-      np_net_ssl_cleanup();
-      return result;
+      if (continue_after_check_cert == FALSE) {
+        if (sd) close(sd);
+        np_net_ssl_cleanup();
+        return result;
+      }
     }
   }
 #endif /* HAVE_SSL */
@@ -1598,7 +1618,11 @@ print_help (void)
   printf ("    %s\n", _("Enable SSL/TLS hostname extension support (SNI)"));
   printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]");
   printf ("    %s\n", _("Minimum number of days a certificate has to be valid. Port defaults to 443"));
-  printf ("    %s\n", _("(when this option is used the URL is not checked.)"));
+  printf ("    %s\n", _("(when this option is used the URL is not checked by default. You can use"));
+  printf ("    %s\n", _(" --continue-after-certificate to override this behavior)"));
+  printf (" %s\n", "--continue-after-certificate");
+  printf ("    %s\n", _("Allows the HTTP check to continue after performing the certificate check."));
+  printf ("    %s\n", _("Does nothing unless -C is used."));
   printf (" %s\n", "-J, --client-cert=FILE");
   printf ("   %s\n", _("Name of file that contains the client certificate (PEM format)"));
   printf ("   %s\n", _("to be used in establishing the SSL session"));
@@ -1657,9 +1681,11 @@ print_help (void)
   printf (" %s\n", "-f, --onredirect=<ok|warning|critical|follow|sticky|stickyport>");
   printf ("    %s\n", _("How to handle redirected pages. sticky is like follow but stick to the"));
   printf ("    %s\n", _("specified IP address. stickyport also ensures port stays the same."));
+  printf (" %s\n", "--max-redirs=INTEGER");
+  printf ("    %s", _("Maximal number of redirects (default: "));
+  printf ("%d)\n", DEFAULT_MAX_REDIRS);
   printf (" %s\n", "-m, --pagesize=INTEGER<:INTEGER>");
   printf ("    %s\n", _("Minimum page size required (bytes) : Maximum page size required (bytes)"));
-
   printf (UT_WARN_CRIT);
 
   printf (UT_CONN_TIMEOUT, DEFAULT_SOCKET_TIMEOUT);
diff --git a/plugins/check_pgsql.c b/plugins/check_pgsql.c
index b8fc5f1..c893386 100644
--- a/plugins/check_pgsql.c
+++ b/plugins/check_pgsql.c
@@ -85,6 +85,8 @@ char *pgparams = NULL;
 double twarn = (double)DEFAULT_WARN;
 double tcrit = (double)DEFAULT_CRIT;
 char *pgquery = NULL;
+#define OPTID_QUERYNAME -1000
+char *pgqueryname = NULL;
 char *query_warning = NULL;
 char *query_critical = NULL;
 thresholds *qthresholds = NULL;
@@ -285,6 +287,7 @@ process_arguments (int argc, char **argv)
                 {"database", required_argument, 0, 'd'},
                 {"option", required_argument, 0, 'o'},
                 {"query", required_argument, 0, 'q'},
+                {"queryname", required_argument, 0, OPTID_QUERYNAME},
                 {"query_critical", required_argument, 0, 'C'},
                 {"query_warning", required_argument, 0, 'W'},
                 {"verbose", no_argument, 0, 'v'},
@@ -368,6 +371,9 @@ process_arguments (int argc, char **argv)
                 case 'q':
                         pgquery = optarg;
                         break;
+                case OPTID_QUERYNAME:
+                        pgqueryname = optarg;
+                        break;
                 case 'v':
                         verbose++;
                         break;
@@ -529,6 +535,9 @@ print_help (void)
 
         printf (" %s\n", "-q, --query=STRING");
         printf ("    %s\n", _("SQL query to run. Only first column in first row will be read"));
+        printf (" %s\n", "--queryname=STRING");
+        printf ("    %s\n", _("A name for the query, this string is used instead of the query"));
+        printf ("    %s\n", _("in the long output of the plugin"));
         printf (" %s\n", "-W, --query-warning=RANGE");
         printf ("    %s\n", _("SQL query value to result in warning status (double)"));
         printf (" %s\n", "-C, --query-critical=RANGE");
@@ -642,7 +651,13 @@ do_query (PGconn *conn, char *query)
                                         : (my_status == STATE_CRITICAL)
                                                 ? _("CRITICAL")
                                                 : _("UNKNOWN"));
-        printf (_("'%s' returned %f"), query, value);
+        if(pgqueryname) {
+                printf (_("%s returned %f"), pgqueryname, value);
+        }
+        else {
+                printf (_("'%s' returned %f"), query, value);
+        }
+
         printf ("|query=%f;%s;%s;;\n", value,
                         query_warning ? query_warning : "",
                         query_critical ? query_critical : "");
diff --git a/plugins/check_ping.c b/plugins/check_ping.c
index ba7af37..741f732 100644
--- a/plugins/check_ping.c
+++ b/plugins/check_ping.c
@@ -140,7 +140,7 @@ main (int argc, char **argv)
                 if (pl == UNKNOWN_PACKET_LOSS || rta < 0.0) {
                         printf ("%s\n", cmd);
                         die (STATE_UNKNOWN,
-                                   _("CRITICAL - Could not interpret output from ping command\n"));
+                                _("CRITICAL - Could not interpret output from ping command\n"));
                 }
 
                 if (pl >= cpl || rta >= crta || rta < 0)
@@ -527,12 +527,13 @@ int
 error_scan (char buf[MAX_INPUT_BUFFER], const char *addr)
 {
         if (strstr (buf, "Network is unreachable") ||
-                strstr (buf, "Destination Net Unreachable")
+                strstr (buf, "Destination Net Unreachable") ||
+                strstr (buf, "No route")
                 )
                 die (STATE_CRITICAL, _("CRITICAL - Network Unreachable (%s)\n"), addr);
-        else if (strstr (buf, "Destination Host Unreachable"))
+        else if (strstr (buf, "Destination Host Unreachable") || strstr(buf, "Address unreachable"))
                 die (STATE_CRITICAL, _("CRITICAL - Host Unreachable (%s)\n"), addr);
-        else if (strstr (buf, "Destination Port Unreachable"))
+        else if (strstr (buf, "Destination Port Unreachable") || strstr(buf, "Port unreachable"))
                 die (STATE_CRITICAL, _("CRITICAL - Bogus ICMP: Port Unreachable (%s)\n"), addr);
         else if (strstr (buf, "Destination Protocol Unreachable"))
                 die (STATE_CRITICAL, _("CRITICAL - Bogus ICMP: Protocol Unreachable (%s)\n"), addr);
@@ -540,11 +541,11 @@ error_scan (char buf[MAX_INPUT_BUFFER], const char *addr)
                 die (STATE_CRITICAL, _("CRITICAL - Network Prohibited (%s)\n"), addr);
         else if (strstr (buf, "Destination Host Prohibited"))
                 die (STATE_CRITICAL, _("CRITICAL - Host Prohibited (%s)\n"), addr);
-        else if (strstr (buf, "Packet filtered"))
+        else if (strstr (buf, "Packet filtered") || strstr(buf, "Administratively prohibited"))
                 die (STATE_CRITICAL, _("CRITICAL - Packet Filtered (%s)\n"), addr);
         else if (strstr (buf, "unknown host" ))
                 die (STATE_CRITICAL, _("CRITICAL - Host not found (%s)\n"), addr);
-        else if (strstr (buf, "Time to live exceeded"))
+        else if (strstr (buf, "Time to live exceeded") || strstr(buf, "Time exceeded"))
                 die (STATE_CRITICAL, _("CRITICAL - Time to live exceeded (%s)\n"), addr);
         else if (strstr (buf, "Destination unreachable: "))
                 die (STATE_CRITICAL, _("CRITICAL - Destination Unreachable (%s)\n"), addr);
@@ -553,7 +554,7 @@ error_scan (char buf[MAX_INPUT_BUFFER], const char *addr)
                 if (warn_text == NULL)
                         warn_text = strdup (_(WARN_DUPLICATES));
                 else if (! strstr (warn_text, _(WARN_DUPLICATES)) &&
-                         xasprintf (&warn_text, "%s %s", warn_text, _(WARN_DUPLICATES)) == -1)
+                                xasprintf (&warn_text, "%s %s", warn_text, _(WARN_DUPLICATES)) == -1)
                         die (STATE_UNKNOWN, _("Unable to realloc warn_text\n"));
                 return (STATE_WARNING);
         }
@@ -573,7 +574,7 @@ print_help (void)
 
         printf (_("Use ping to check connection statistics for a remote host."));
 
-  printf ("\n\n");
+        printf ("\n\n");
 
         print_usage ();
 
@@ -583,29 +584,29 @@ print_help (void)
         printf (UT_IPv46);
 
         printf (" %s\n", "-H, --hostname=HOST");
-  printf ("    %s\n", _("host to ping"));
-  printf (" %s\n", "-w, --warning=THRESHOLD");
-  printf ("    %s\n", _("warning threshold pair"));
-  printf (" %s\n", "-c, --critical=THRESHOLD");
-  printf ("    %s\n", _("critical threshold pair"));
-  printf (" %s\n", "-p, --packets=INTEGER");
-  printf ("    %s ", _("number of ICMP ECHO packets to send"));
-  printf (_("(Default: %d)\n"), DEFAULT_MAX_PACKETS);
-  printf (" %s\n", "-L, --link");
-  printf ("    %s\n", _("show HTML in the plugin output (obsoleted by urlize)"));
+        printf ("    %s\n", _("host to ping"));
+        printf (" %s\n", "-w, --warning=THRESHOLD");
+        printf ("    %s\n", _("warning threshold pair"));
+        printf (" %s\n", "-c, --critical=THRESHOLD");
+        printf ("    %s\n", _("critical threshold pair"));
+        printf (" %s\n", "-p, --packets=INTEGER");
+        printf ("    %s ", _("number of ICMP ECHO packets to send"));
+        printf (_("(Default: %d)\n"), DEFAULT_MAX_PACKETS);
+        printf (" %s\n", "-L, --link");
+        printf ("    %s\n", _("show HTML in the plugin output (obsoleted by urlize)"));
 
         printf (UT_CONN_TIMEOUT, DEFAULT_SOCKET_TIMEOUT);
 
-  printf ("\n");
+        printf ("\n");
         printf ("%s\n", _("THRESHOLD is <rta>,<pl>% where <rta> is the round trip average travel"));
-  printf ("%s\n", _("time (ms) which triggers a WARNING or CRITICAL state, and <pl> is the"));
-  printf ("%s\n", _("percentage of packet loss to trigger an alarm state."));
+        printf ("%s\n", _("time (ms) which triggers a WARNING or CRITICAL state, and <pl> is the"));
+        printf ("%s\n", _("percentage of packet loss to trigger an alarm state."));
 
-  printf ("\n");
+        printf ("\n");
         printf ("%s\n", _("This plugin uses the ping command to probe the specified host for packet loss"));
-  printf ("%s\n", _("(percentage) and round trip average (milliseconds). It can produce HTML output"));
-  printf ("%s\n", _("linking to a traceroute CGI contributed by Ian Cass. The CGI can be found in"));
-  printf ("%s\n", _("the contrib area of the downloads section at http://www.nagios.org/"));
+        printf ("%s\n", _("(percentage) and round trip average (milliseconds). It can produce HTML output"));
+        printf ("%s\n", _("linking to a traceroute CGI contributed by Ian Cass. The CGI can be found in"));
+        printf ("%s\n", _("the contrib area of the downloads section at http://www.nagios.org/"));
 
         printf (UT_SUPPORT);
 }
@@ -613,7 +614,7 @@ print_help (void)
 void
 print_usage (void)
 {
-  printf ("%s\n", _("Usage:"));
+        printf ("%s\n", _("Usage:"));
         printf ("%s -H <host_address> -w <wrta>,<wpl>%% -c <crta>,<cpl>%%\n", progname);
-  printf (" [-p packets] [-t timeout] [-4|-6]\n");
+        printf (" [-p packets] [-t timeout] [-4|-6]\n");
 }
diff --git a/plugins/check_procs.c b/plugins/check_procs.c
index 4872340..a025ee8 100644
--- a/plugins/check_procs.c
+++ b/plugins/check_procs.c
@@ -775,7 +775,7 @@ be the total number of running processes\n\n"));
   printf (" %s\n", "check_procs -w 50000 -c 100000 --metric=VSZ");
   printf ("  %s\n\n", _("Alert if VSZ of any processes over 50K or 100K"));
   printf (" %s\n", "check_procs -w 10 -c 20 --metric=CPU");
-  printf ("  %s\n", _("Alert if CPU of any processes over 10%% or 20%%"));
+  printf ("  %s\n", _("Alert if CPU of any processes over 10\% or 20\%"));
 
         printf (UT_SUPPORT);
 }
diff --git a/plugins/check_snmp.c b/plugins/check_snmp.c
index abe54cf..2601ccd 100644
--- a/plugins/check_snmp.c
+++ b/plugins/check_snmp.c
@@ -113,6 +113,7 @@ char *authproto = NULL;
 char *privproto = NULL;
 char *authpasswd = NULL;
 char *privpasswd = NULL;
+int nulloid = STATE_UNKNOWN;
 char **oids = NULL;
 size_t oids_size = 0;
 char *label;
@@ -375,7 +376,7 @@ main (int argc, char **argv)
                 }
         }
 
-        for (line=0, i=0; line < chld_out.lines; line++, i++) {
+        for (line=0, i=0; line < chld_out.lines && i < numoids ; line++, i++) {
                 if(calculate_rate)
                         conv = "%.10g";
                 else
@@ -472,8 +473,16 @@ main (int argc, char **argv)
                                 print_thresholds("  thresholds", thlds[i]);
                         }
                         ptr = strpbrk (show, "-0123456789");
-                        if (ptr == NULL)
-                                die (STATE_UNKNOWN,_("No valid data returned (%s)\n"), show);
+                        if (ptr == NULL){
+                                if (nulloid == 3)
+                                        die (STATE_UNKNOWN,_("No valid data returned (%s)\n"), show);
+                                else if (nulloid == 0)
+                                        die (STATE_OK,_("No valid data returned (%s)\n"), show);
+                                else if (nulloid == 1)
+                                        die (STATE_WARNING,_("No valid data returned (%s)\n"), show);
+                                else if (nulloid == 2)
+                                        die (STATE_CRITICAL,_("No valid data returned (%s)\n"), show);
+                        }
                         while (i >= response_size) {
                                 response_size += OID_COUNT_STEP;
                                 response_value = realloc(response_value, response_size * sizeof(*response_value));
@@ -661,6 +670,7 @@ process_arguments (int argc, char **argv)
                 {"oid", required_argument, 0, 'o'},
                 {"object", required_argument, 0, 'o'},
                 {"delimiter", required_argument, 0, 'd'},
+                {"nulloid", required_argument, 0, 'z'},
                 {"output-delimiter", required_argument, 0, 'D'},
                 {"string", required_argument, 0, 's'},
                 {"timeout", required_argument, 0, 't'},
@@ -705,7 +715,7 @@ process_arguments (int argc, char **argv)
         }
 
         while (1) {
-                c = getopt_long (argc, argv, "nhvVO46t:c:w:H:C:o:e:E:d:D:s:t:R:r:l:u:p:m:P:N:L:U:a:x:A:X:",
+                c = getopt_long (argc, argv, "nhvVO46t:c:w:H:C:o:e:E:d:D:s:t:R:r:l:u:p:m:P:N:L:U:a:x:A:X:z:",
                                                                          longopts, &option);
 
                 if (c == -1 || c == EOF)
@@ -816,6 +826,12 @@ process_arguments (int argc, char **argv)
                                         eval_method[j+1] |= CRIT_PRESENT;
                         }
                         break;
+                case 'z':       /* Null OID Return Check */
+                        if (!is_integer (optarg))
+                                usage2 (_("Exit status must be a positive integer"), optarg);
+                        else
+                                nulloid = atoi(optarg);
+                        break;
                 case 's':                                                                       /* string or substring */
                         strncpy (string_value, optarg, sizeof (string_value) - 1);
                         string_value[sizeof (string_value) - 1] = 0;
@@ -1181,6 +1197,14 @@ print_help (void)
         printf ("    %s \"%s\"\n", _("Delimiter to use when parsing returned data. Default is"), DEFAULT_DELIMITER);
         printf ("    %s\n", _("Any data on the right hand side of the delimiter is considered"));
         printf ("    %s\n", _("to be the data that should be used in the evaluation."));
+        printf (" %s\n", "-z, --nulloid=#");
+        printf ("    %s\n", _("If the check returns a 0 length string or NULL value"));
+        printf ("    %s\n", _("This option allows you to choose what status you want it to exit"));
+        printf ("    %s\n", _("Excluding this option renders the default exit of 3(STATE_UNKNOWN)"));
+        printf ("    %s\n", _("0 = OK"));
+        printf ("    %s\n", _("1 = WARNING"));
+        printf ("    %s\n", _("2 = CRITICAL"));
+        printf ("    %s\n", _("3 = UNKNOWN"));
 
         /* Tests Against Integers */
         printf (" %s\n", "-w, --warning=THRESHOLD(s)");
diff --git a/plugins/check_swap.c b/plugins/check_swap.c
index bb854be..ff58b15 100644
--- a/plugins/check_swap.c
+++ b/plugins/check_swap.c
@@ -1,30 +1,30 @@
 /*****************************************************************************
-* 
+*
 * Monitoring check_swap plugin
-* 
+*
 * License: GPL
 * Copyright (c) 2000 Karl DeBisschop (kdebisschop@users.sourceforge.net)
 * Copyright (c) 2000-2007 Monitoring Plugins Development Team
-* 
+*
 * Description:
-* 
+*
 * This file contains the check_swap plugin
-* 
-* 
+*
+*
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
-* 
+*
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
-* 
+*
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
-* 
-* 
+*
+*
 *****************************************************************************/
 
 const char *progname = "check_swap";
@@ -150,7 +150,7 @@ main (int argc, char **argv)
                  * The following sscanf call looks for lines looking like: "SwapTotal: 123" and "SwapFree: 123"
                  * This format exists at least on Debian Linux with a 5.* kernel
                  */
-                else if (sscanf (input_buffer, "%*[S]%*[w]%*[a]%*[p]%[TotalFreCchd]%*[:] %f %*[k]%*[B]", str, &tmp_KB)) {
+                else if (sscanf (input_buffer, "%*[S]%*[w]%*[a]%*[p]%[TotalFreCchd]%*[:] %lu %*[k]%*[B]", str, &tmp_KB)) {
                         if (verbose >= 3) {
                                 printf("Got %s with %lu\n", str, tmp_KB);
                         }
@@ -389,7 +389,7 @@ main (int argc, char **argv)
                         TRUE, warn_print,
                         TRUE, crit_print,
                         TRUE, 0,
-                        TRUE, (long) total_swap_mb));
+                        TRUE, (long) total_swap_mb * 1024 * 1024));
 
         return result;
 }
diff --git a/plugins/picohttpparser/picohttpparser.c b/plugins/picohttpparser/picohttpparser.c
index 74ccc3e..d9680b7 100644
--- a/plugins/picohttpparser/picohttpparser.c
+++ b/plugins/picohttpparser/picohttpparser.c
@@ -242,7 +242,7 @@ static const char *is_complete(const char *buf, const char *buf_end, size_t last
     } while (0)
 
 /* returned pointer is always within [buf, buf_end), or null */
-static const char *parse_http_version(const char *buf, const char *buf_end, int *minor_version, int *ret)
+static const char *parse_http_version(const char *buf, const char *buf_end, int *major_version, int *minor_version, int *ret)
 {
     /* we want at least [HTTP/1.<two chars>] to try to parse */
     if (buf_end - buf < 9) {
@@ -254,9 +254,13 @@ static const char *parse_http_version(const char *buf, const char *buf_end, int
     EXPECT_CHAR_NO_CHECK('T');
     EXPECT_CHAR_NO_CHECK('P');
     EXPECT_CHAR_NO_CHECK('/');
-    EXPECT_CHAR_NO_CHECK('1');
-    EXPECT_CHAR_NO_CHECK('.');
-    PARSE_INT(minor_version, 1);
+    PARSE_INT(major_version, 1);
+    if (*major_version == 1) {
+        EXPECT_CHAR_NO_CHECK('.');
+        PARSE_INT(minor_version, 1);
+    } else {
+        *minor_version = 0;
+    }
     return buf;
 }
 
@@ -339,7 +343,7 @@ static const char *parse_headers(const char *buf, const char *buf_end, struct ph
 }
 
 static const char *parse_request(const char *buf, const char *buf_end, const char **method, size_t *method_len, const char **path,
-                                 size_t *path_len, int *minor_version, struct phr_header *headers, size_t *num_headers,
+                                 size_t *path_len, int *major_version, int *minor_version, struct phr_header *headers, size_t *num_headers,
                                  size_t max_headers, int *ret)
 {
     /* skip first empty line (some clients add CRLF after POST content) */
@@ -364,7 +368,7 @@ static const char *parse_request(const char *buf, const char *buf_end, const cha
         *ret = -1;
         return NULL;
     }
-    if ((buf = parse_http_version(buf, buf_end, minor_version, ret)) == NULL) {
+    if ((buf = parse_http_version(buf, buf_end, major_version, minor_version, ret)) == NULL) {
         return NULL;
     }
     if (*buf == '\015') {
@@ -381,7 +385,7 @@ static const char *parse_request(const char *buf, const char *buf_end, const cha
 }
 
 int phr_parse_request(const char *buf_start, size_t len, const char **method, size_t *method_len, const char **path,
-                      size_t *path_len, int *minor_version, struct phr_header *headers, size_t *num_headers, size_t last_len)
+                      size_t *path_len, int *major_version, int *minor_version, struct phr_header *headers, size_t *num_headers, size_t last_len)
 {
     const char *buf = buf_start, *buf_end = buf_start + len;
     size_t max_headers = *num_headers;
@@ -391,6 +395,7 @@ int phr_parse_request(const char *buf_start, size_t len, const char **method, si
     *method_len = 0;
     *path = NULL;
     *path_len = 0;
+    *major_version = -1;
     *minor_version = -1;
     *num_headers = 0;
 
@@ -400,7 +405,7 @@ int phr_parse_request(const char *buf_start, size_t len, const char **method, si
         return r;
     }
 
-    if ((buf = parse_request(buf, buf_end, method, method_len, path, path_len, minor_version, headers, num_headers, max_headers,
+    if ((buf = parse_request(buf, buf_end, method, method_len, path, path_len, major_version, minor_version, headers, num_headers, max_headers,
                              &r)) == NULL) {
         return r;
     }
@@ -408,11 +413,11 @@ int phr_parse_request(const char *buf_start, size_t len, const char **method, si
     return (int)(buf - buf_start);
 }
 
-static const char *parse_response(const char *buf, const char *buf_end, int *minor_version, int *status, const char **msg,
+static const char *parse_response(const char *buf, const char *buf_end, int *major_version, int *minor_version, int *status, const char **msg,
                                   size_t *msg_len, struct phr_header *headers, size_t *num_headers, size_t max_headers, int *ret)
 {
     /* parse "HTTP/1.x" */
-    if ((buf = parse_http_version(buf, buf_end, minor_version, ret)) == NULL) {
+    if ((buf = parse_http_version(buf, buf_end, major_version, minor_version, ret)) == NULL) {
         return NULL;
     }
     /* skip space */
@@ -451,13 +456,14 @@ static const char *parse_response(const char *buf, const char *buf_end, int *min
     return parse_headers(buf, buf_end, headers, num_headers, max_headers, ret);
 }
 
-int phr_parse_response(const char *buf_start, size_t len, int *minor_version, int *status, const char **msg, size_t *msg_len,
+int phr_parse_response(const char *buf_start, size_t len, int *major_version, int *minor_version, int *status, const char **msg, size_t *msg_len,
                        struct phr_header *headers, size_t *num_headers, size_t last_len)
 {
     const char *buf = buf_start, *buf_end = buf + len;
     size_t max_headers = *num_headers;
     int r;
 
+    *major_version = -1;
     *minor_version = -1;
     *status = 0;
     *msg = NULL;
@@ -470,7 +476,7 @@ int phr_parse_response(const char *buf_start, size_t len, int *minor_version, in
         return r;
     }
 
-    if ((buf = parse_response(buf, buf_end, minor_version, status, msg, msg_len, headers, num_headers, max_headers, &r)) == NULL) {
+    if ((buf = parse_response(buf, buf_end, major_version, minor_version, status, msg, msg_len, headers, num_headers, max_headers, &r)) == NULL) {
         return r;
     }
 
diff --git a/plugins/picohttpparser/picohttpparser.h b/plugins/picohttpparser/picohttpparser.h
index 0849f84..8f13b36 100644
--- a/plugins/picohttpparser/picohttpparser.h
+++ b/plugins/picohttpparser/picohttpparser.h
@@ -49,10 +49,10 @@ struct phr_header {
 /* returns number of bytes consumed if successful, -2 if request is partial,
  * -1 if failed */
 int phr_parse_request(const char *buf, size_t len, const char **method, size_t *method_len, const char **path, size_t *path_len,
-                      int *minor_version, struct phr_header *headers, size_t *num_headers, size_t last_len);
+                      int *major_version, int *minor_version, struct phr_header *headers, size_t *num_headers, size_t last_len);
 
 /* ditto */
-int phr_parse_response(const char *_buf, size_t len, int *minor_version, int *status, const char **msg, size_t *msg_len,
+int phr_parse_response(const char *_buf, size_t len, int *major_version, int *minor_version, int *status, const char **msg, size_t *msg_len,
                        struct phr_header *headers, size_t *num_headers, size_t last_len);
 
 /* ditto */
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index 14f6579..286273f 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -134,7 +134,7 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
                 return STATE_CRITICAL;
         }
         if (cert && privkey) {
-                SSL_CTX_use_certificate_file(c, cert, SSL_FILETYPE_PEM);
+                SSL_CTX_use_certificate_chain_file(c, cert);
                 SSL_CTX_use_PrivateKey_file(c, privkey, SSL_FILETYPE_PEM);
 #ifdef USE_OPENSSL
                 if (!SSL_CTX_check_private_key(c)) {
diff --git a/plugins/t/check_curl.t b/plugins/t/check_curl.t
index ada6a04..693f4b2 100644
--- a/plugins/t/check_curl.t
+++ b/plugins/t/check_curl.t
@@ -9,7 +9,7 @@ use Test::More;
 use POSIX qw/mktime strftime/;
 use NPTest;
 
-plan tests => 58;
+plan tests => 57;
 
 my $successOutput = '/OK.*HTTP.*second/';
 
@@ -188,11 +188,6 @@ SKIP: {
         like  ( $res->output, '/time_connect=[\d\.]+/', 'Extended Performance Data Output OK' );
         like  ( $res->output, '/time_ssl=[\d\.]+/', 'Extended Performance Data SSL Output OK' );
 
-        $res = NPTest->testCmd(
-                "./$plugin --ssl -H www.e-paycobalt.com"
-                );
-        cmp_ok( $res->return_code, "==", 0, "Can read https for www.e-paycobalt.com (uses AES certificate)" );
-
         $res = NPTest->testCmd( "./$plugin -H www.mozilla.com -u /firefox -f curl" );
         is( $res->return_code, 0, "Redirection based on location is okay");
 
diff --git a/plugins/t/check_http.t b/plugins/t/check_http.t
index c137f7b..0c86622 100644
--- a/plugins/t/check_http.t
+++ b/plugins/t/check_http.t
@@ -9,7 +9,7 @@ use Test::More;
 use POSIX qw/mktime strftime/;
 use NPTest;
 
-plan tests => 50;
+plan tests => 49;
 
 my $successOutput = '/OK.*HTTP.*second/';
 
@@ -166,12 +166,6 @@ SKIP: {
         like  ( $res->output, '/time_connect=[\d\.]+/', 'Extended Performance Data Output OK' );
         like  ( $res->output, '/time_ssl=[\d\.]+/', 'Extended Performance Data SSL Output OK' );
 
-        $res = NPTest->testCmd(
-                "./$plugin --ssl -H www.e-paycobalt.com"
-                );
-        cmp_ok( $res->return_code, "==", 0, "Can read https for www.e-paycobalt.com (uses AES certificate)" );
-
-
         $res = NPTest->testCmd( "./$plugin -H www.mozilla.com -u /firefox -f follow" );
         is( $res->return_code, 0, "Redirection based on location is okay");
 
diff --git a/plugins/tests/certs/.gitignore b/plugins/tests/certs/.gitignore
new file mode 100644
index 0000000..79acaaa
--- /dev/null
+++ b/plugins/tests/certs/.gitignore
@@ -0,0 +1,2 @@
+/*.csr
+/*.srl
diff --git a/plugins/tests/certs/client-cert.pem b/plugins/tests/certs/client-cert.pem
new file mode 100644
index 0000000..5709750
--- /dev/null
+++ b/plugins/tests/certs/client-cert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtDCCApwCAQIwDQYJKoZIhvcNAQELBQAwgaAxCzAJBgNVBAYTAkRFMRAwDgYD
+VQQIDAdCYXZhcmlhMQ8wDQYDVQQHDAZNdW5pY2gxGzAZBgNVBAoMEk1vbml0b3Jp
+bmcgUGx1Z2luczEkMCIGA1UEAwwbTW9uaXRvcmluZyBQbHVnaW5zIENsaWVudENB
+MSswKQYJKoZIhvcNAQkBFhxkZXZlbEBtb25pdG9yaW5nLXBsdWdpbnMub3JnMB4X
+DTIxMDIyODIxMDIxMloXDTMwMTEyODIxMDIxMlowgZ4xCzAJBgNVBAYTAkRFMRAw
+DgYDVQQIDAdCYXZhcmlhMQ8wDQYDVQQHDAZNdW5pY2gxGzAZBgNVBAoMEk1vbml0
+b3JpbmcgUGx1Z2luczEiMCAGA1UEAwwZTW9uaXRvcmluZyBQbHVnaW5zIENsaWVu
+dDErMCkGCSqGSIb3DQEJARYcZGV2ZWxAbW9uaXRvcmluZy1wbHVnaW5zLm9yZzCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM3EiqfFPomm5dZQPGYG5SrF
+rPvyqseXTzCkwUIUzGf+Sfm3s13zx7e3ije/04yKhTXgK59EQ793q7E2aWhSOz3s
+hwKKdylFkOIyc5jgbAfF1/pLZMK209rLt/mMRksXCRXYrHdTjRMx1ev4C2407+8Y
+8qkf77DuYQmUqCQe7DPOvqLeagdw9JcLGmQNTKHg3fl6wyRl5K1Bsy+qXu2XvEjZ
+0Ng7n8LHjOUkTqUEJndOxci9gL5cHU5ttul/GW34dKOtTuMU/pQX6/ywYusOGVOx
+RYI76OolRqj5BqbNctDIB/obe2RLo+UVx74/0jAxtH4XS23pYjO7NUpJcytsVG8C
+AwEAATANBgkqhkiG9w0BAQsFAAOCAQEAYfaY5n4pCq0NWPCdeVVRr4nr+GAfv1TC
+/PKcGuEoJZKt7TQT+OOA5yeZMZb53OvtA49D1r9aoJzWe946KElWOEBqxDRi5Cdr
+wkqpwGcPT2RfAqA3/cvQZ1XsquboXrCf7ajdl5OC64bs2jkqCFh9gnxuI140g8Ar
+Njol8BFxRPaYWOnwuQwmh/2t0FJqr3WSD85HrNqtxUSNGbTdSsvCfgF0v7QVkvLG
+3/cbx6z5hxzj2JUjhMnCvn+EbasoJt4xyBFvg67Q2229SMwu9YNqS63GVoKUqhCB
+4Gl5v31qx8dAFKuRvnez3ze/6oohwmakZkst4hcQdgZocHhzesvKlg==
+-----END CERTIFICATE-----
diff --git a/plugins/tests/certs/client-key.pem b/plugins/tests/certs/client-key.pem
new file mode 100644
index 0000000..09b6761
--- /dev/null
+++ b/plugins/tests/certs/client-key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDNxIqnxT6JpuXW
+UDxmBuUqxaz78qrHl08wpMFCFMxn/kn5t7Nd88e3t4o3v9OMioU14CufREO/d6ux
+NmloUjs97IcCincpRZDiMnOY4GwHxdf6S2TCttPay7f5jEZLFwkV2Kx3U40TMdXr
++AtuNO/vGPKpH++w7mEJlKgkHuwzzr6i3moHcPSXCxpkDUyh4N35esMkZeStQbMv
+ql7tl7xI2dDYO5/Cx4zlJE6lBCZ3TsXIvYC+XB1Obbbpfxlt+HSjrU7jFP6UF+v8
+sGLrDhlTsUWCO+jqJUao+QamzXLQyAf6G3tkS6PlFce+P9IwMbR+F0tt6WIzuzVK
+SXMrbFRvAgMBAAECggEBALtc2pB3p0E6KpAiEU0pvCRdSO1FgsIpAd+eNadRPur2
+fi+XWQkUwGeGBaJL1npja3aqP65PP40pj7nWfNaUAgOZyznCEU0QXiPJor6yo0vU
+l5v+aKpwRao107i0RRF80TYGTMx+1LeEqnCqNOZN56gERHlBbkTiWpOZvBzf1143
+oegTcyM6+Ee6+FYNhHaDyIYD0md1S2wGR+IBPet6HwWiakLNKahFPa7lOLIKfmmD
+iTtifcbf4724wSe44a0uTeP4JrquZSeIKakm8MEmffmYqpycnaakYefd0Xc5UEsH
++VbhKpOWGY3d8FKHqUsTa+6QyXb2uFPo6A+yWm0pdJECgYEA7Prd5sbWACvXOcHT
+ONDBAgyfAVDQwOXi3D4dk6D5mg+/jxl5ZQY5slszJrwsLFtoEzXtYpNfTy3cpNOp
+JLbBDZYnqty+5tD8t3/Zv2IBXCAgvuk5CgfJWP5FNAfiyUEE6Vbp6J/5/vAnODsa
+fxZryN5UsH0X8ew7AlbfcVNyj4kCgYEA3khetIgn+GR6sv9jFRdCT6aJbp0xMsms
+6F4v3L5FG4Kp+SwDHL1bVOhieJ5g8odYp9hDbgTEEqbJfNmyCOu9+OQmZ/mztku7
+6reU8HhYBIvi+hFeJmvqKpdIgU0Zveg4Bst5QordmhPk8AHjBC4xvQ++uh7rwYKd
+WVsS08bGDjcCgYEAlAuNARUKsASzakOqHv5a9VrJIttH7povBYRQmd+gzxwzgcRa
+UEB5XvEWnYZE2lkoRYgVCtYiXqa6BsasDmGVbVV25okNQckhd8mJUMR7MQBpNJsi
+pR+EK/J9bSnYBf52gQdpDYiTdy60ca6KuQZaw5wRsEgV426+1pFK+dM16HECgYBY
+cTsdYb9lmbUoW201CxgbUQwFsw3MQ2pE2pT4o8wjcg3nUpe6a61XT08+5uV0Gl4w
+CmBp+gN52Fr7DjNEUWg5C64sWLIkqmWOspTUSU3cITyiex6W8wEtCRyUNfU0Fp2U
+Nol87HvXvmqtBFMraqXnr8gXjg4H5MxurUoEcWaEaQKBgCT4iIGZwW0Qf2rkFC7B
+xObzVGefivVVbaf8/c/LRO8TMLdnExkShMOmCzHeHV4mMEZDLbMOusHCI7xm10EX
+l3L1I1Kyqnhm1RH3e7TVWgkTmIDW3V5Fgrhm1jx5Iz6et4sb4Uh+bZq9tTLyqfZY
+8s0yJUrfpjRggfk7eUs5s7aY
+-----END PRIVATE KEY-----
diff --git a/plugins/tests/certs/clientca-cert.pem b/plugins/tests/certs/clientca-cert.pem
new file mode 100644
index 0000000..9ce7cd7
--- /dev/null
+++ b/plugins/tests/certs/clientca-cert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIzCCAwugAwIBAgIUL9Jfp5zv5B29NgDsNEFU2OM/UHswDQYJKoZIhvcNAQEL
+BQAwgaAxCzAJBgNVBAYTAkRFMRAwDgYDVQQIDAdCYXZhcmlhMQ8wDQYDVQQHDAZN
+dW5pY2gxGzAZBgNVBAoMEk1vbml0b3JpbmcgUGx1Z2luczEkMCIGA1UEAwwbTW9u
+aXRvcmluZyBQbHVnaW5zIENsaWVudENBMSswKQYJKoZIhvcNAQkBFhxkZXZlbEBt
+b25pdG9yaW5nLXBsdWdpbnMub3JnMB4XDTIxMDIyODIxMDIxMVoXDTMwMTEyODIx
+MDIxMVowgaAxCzAJBgNVBAYTAkRFMRAwDgYDVQQIDAdCYXZhcmlhMQ8wDQYDVQQH
+DAZNdW5pY2gxGzAZBgNVBAoMEk1vbml0b3JpbmcgUGx1Z2luczEkMCIGA1UEAwwb
+TW9uaXRvcmluZyBQbHVnaW5zIENsaWVudENBMSswKQYJKoZIhvcNAQkBFhxkZXZl
+bEBtb25pdG9yaW5nLXBsdWdpbnMub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAyxiWsGrsJFHw3VR0pqHviXUfbfKMw8LaCxI5EQZfInsMVkBIGWEW
+tFW6qDuAOsMdzsrKOnQRNNt852ts/0Uz++z8zysoauAGpc4JnCZuM5A1DU5CFXBx
+w6Ax+1ft3UsTt8C6kfLfs8mPCbtNVqAHrMrIqDxsNSRRxQSqkzp1vD8rwSKcbB1h
+u2+lut1bEqMe7dp89jKOtc6G/1tHUFQuLAGFoX/qk9yPscmQNzL6YbLP4m9r/416
+PsxWsAfyY97hmoYo6mSCue5LmeanOsjf4Kzq90hIJRwrpiUGmxGjW+tPLEhQBZw6
+C2wHyN74YIJYX2xREz2ijT0mgsqdhO5ZxwIDAQABo1MwUTAdBgNVHQ4EFgQUtsP9
+Z3fKkhmFp97Kh/cW/UqHMIMwHwYDVR0jBBgwFoAUtsP9Z3fKkhmFp97Kh/cW/UqH
+MIMwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEApO5o+YECwTEv
+s+elDJZQ20UYwDSiU9Lpf4EcdnRv6FAb5UlhfRTH3ZdKCc/HX7kcKuy3PsF+b8Pw
+EusoKito9OlNEOF5HYAI9/J54/qceqn+SC0INsISeE19PvT0dma7lBSj4OvBv0IS
+GYbdztVaKLWqYgYs0mcEzteUc4MZcy1/C+Ru1i1Kp2s9/vIeAw2PV2+kpWtw88Pb
+FRJomGngP/hQdwniayCltG/Q1smS4iFEHNI5ayLZj1qJGMHwzqGiRr4KknJKfHzv
+fl4NQaFyMY31s1FRIS6QVIRFHVzUAlKZTdzwqEJygg3fUS9n9uDBnyDI/sW7DQuj
+yjSmYRS1hw==
+-----END CERTIFICATE-----
diff --git a/plugins/tests/certs/clientca-key.pem b/plugins/tests/certs/clientca-key.pem
new file mode 100644
index 0000000..a939f03
--- /dev/null
+++ b/plugins/tests/certs/clientca-key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDLGJawauwkUfDd
+VHSmoe+JdR9t8ozDwtoLEjkRBl8iewxWQEgZYRa0VbqoO4A6wx3Oyso6dBE023zn
+a2z/RTP77PzPKyhq4AalzgmcJm4zkDUNTkIVcHHDoDH7V+3dSxO3wLqR8t+zyY8J
+u01WoAesysioPGw1JFHFBKqTOnW8PyvBIpxsHWG7b6W63VsSox7t2nz2Mo61zob/
+W0dQVC4sAYWhf+qT3I+xyZA3Mvphss/ib2v/jXo+zFawB/Jj3uGahijqZIK57kuZ
+5qc6yN/grOr3SEglHCumJQabEaNb608sSFAFnDoLbAfI3vhgglhfbFETPaKNPSaC
+yp2E7lnHAgMBAAECggEAJqAWiJbNMlsjI/Tb+pTxqYLM52wpuVFlhpWApOxBS517
+SywOikUcvE9RoI0wZfyVvq5yp4tLenID3z9fC21t5Yu8yOm8VhclLINy8G+epc/X
+RyCLEOjBuiLNXq/qXRvaNChDU16NjPPYcFFe9AqbaxFl+BkFu1Wc94tbpYSIv7Qt
+L6iBxUTXdgvLM5doa9AazIQzJx+jUsVCgRVQQf3zsLqtp9hH0Pfq+KWFIy5TA+bG
+0NFmYyQndRjtT0ihWGuNU7D8AXa+z7abzk+HydIlx4D//vGgdNq92QYPdnu2BBya
+5Fs6LkmkUonX/I8FbkLbRKkQWNPMt+Ks21t3xcVBgQKBgQDn4HuHVCPwxgU6Mv+5
+0sHJXYBq1fDzrUt0+iTtYkRqViX+9Mp4sUpYgXext/wXFLcKzQQp5B0g1dLYLSRS
+KwhsdiN0J7ZcoP1GMStw8zsayRTf8C3WRU6aACqyFiylYbyh56XomfYgwhja/7l9
+pzpVJD9ecG+mLVAyAkJtK2JolQKBgQDgOZfvrQj0L4QG+9E5VmFc3PE+6k3g+zDO
+MWqTSh0fOHqdTEyet4bMC4DogXGVsvw0/UKwbrGHOk0+ltA5VyKUtK/whSutr/+S
+nhCHljhV0XUN/I3OFcvezFjM3g0oC4uy1cL30hoM4IfeHM1d3EYse9N1Y/Op+mR6
+Sx+fEku16wKBgQC0KQ7RjuZ95N2a4pUe5En9EtD8MU4Nhs/iC5k1d+yAUn8jIT9P
+lzCUo8NEKheMN2Qg2Dor8jlPkdNIc4qM7TKWUxQo49IlFlCzgPCnydRac3HsrMhw
+e1ke/pIt3FzEArR1d27I0xcRTL3TKm4M2ynPjWJPFj0peHue33KNL/A+IQKBgEpL
+awd0Sxo1wEZcG9gmwf32C01wbzuTn3lCsHB7Ryj4GtCR3nVclCJ50U24zjzu4Fhi
+bj1tgA8xhzSs3fOR5phlQkKsrWtQfJtFGm8CnEn7LBDlVMsrN7Dr/qRrEuro4HHy
+GDbq+8y2fO5glr955BqLMOadprf0imRnDeQ0OLffAoGBAJio+X+xpglgMOC4BeH9
+9LcYi9nUEw8MDJNGo9/3e0XKA7spd3HShLDvt8YZhFJ2m168qBpGfezuw0+jpWxy
+PV9q0dokAgDx4pvCzIKaptZ1D30CWXJZHq25VK1tA41PCUIOh8JD5+R0MpxA5rn2
+DbqL4Vq7K7K0imGENYhHdyM+
+-----END PRIVATE KEY-----
diff --git a/plugins/tests/certs/clientchain-cert.pem b/plugins/tests/certs/clientchain-cert.pem
new file mode 100644
index 0000000..acd1e3e
--- /dev/null
+++ b/plugins/tests/certs/clientchain-cert.pem
@@ -0,0 +1,45 @@
+-----BEGIN CERTIFICATE-----
+MIIDuTCCAqECAQQwDQYJKoZIhvcNAQELBQAwgaAxCzAJBgNVBAYTAkRFMRAwDgYD
+VQQIDAdCYXZhcmlhMQ8wDQYDVQQHDAZNdW5pY2gxGzAZBgNVBAoMEk1vbml0b3Jp
+bmcgUGx1Z2luczEkMCIGA1UEAwwbTW9uaXRvcmluZyBQbHVnaW5zIENsaWVudENB
+MSswKQYJKoZIhvcNAQkBFhxkZXZlbEBtb25pdG9yaW5nLXBsdWdpbnMub3JnMB4X
+DTIxMDIyODIxMDIxMloXDTMwMTEyODIxMDIxMlowgaMxCzAJBgNVBAYTAkRFMRAw
+DgYDVQQIDAdCYXZhcmlhMQ8wDQYDVQQHDAZNdW5pY2gxGzAZBgNVBAoMEk1vbml0
+b3JpbmcgUGx1Z2luczEnMCUGA1UEAwweTW9uaXRvcmluZyBQbHVnaW5zIENsaWVu
+dENoYWluMSswKQYJKoZIhvcNAQkBFhxkZXZlbEBtb25pdG9yaW5nLXBsdWdpbnMu
+b3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAphvoJBbi/rDvm3+X
+8xok0sLCJvCRuUpSbU5wEmREQlkoOGmWK4l6r1JyOphKRBo8+n2MxPiCMvAmTrqx
+VlBmkcmyrwWj392Nga+2SLWTziASk5nFrrhV6U79PkgXnETV2Wk1/FNVIFkB8N+B
+undsTce8LLiCs7hfA5CK7ctJg8fqsAsmgKBNGzBRWwkbvxZPd6xlY6foIJeD7PQ2
+elvTmrD6WXSZq7GshFpDEkL3AifqrPMdsTnbBpyGgJ/fBM1b2dx9k53e25mgEQmn
+iSuYQxn08BsUT0FOvav8ksZLBQz859fuqCtwhikpODO635fD9zK5YkBPlVl+/5xo
+SvKOywIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBh4zeSKjENfY+VDLtPssaNQz2a
+R1ioY40lZ0WoihDSrfG32dqTK/R2YsLKBABjJ7uRYS1NIBMrtS2OktK8BWD5IUTF
+FuGuWilu6IWiTKZrLiZh1rsilNDVqwhorRPxDnbF+qVt9EMIvzKnKdJLGF+CWHN9
+yYJDeTD8MK5uR7zUJR3PsgW4ve5pFTi7z2UJ/xRvgOds6bmeeQnvaWDEL7k2+hrr
+0G899A086NL3htzaOnIllg0xo2D1o4ToncAJn+cUQVJmHZSg9HYiD4Lg3z8uXPAl
+rt/MX7dBm4dnImLXbSg7N3e8FdUtz+kZT9z+beKAeIe9JTbpxtsVUTzUZBBA
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIID2jCCAsKgAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBoDELMAkGA1UEBhMCREUx
+EDAOBgNVBAgMB0JhdmFyaWExDzANBgNVBAcMBk11bmljaDEbMBkGA1UECgwSTW9u
+aXRvcmluZyBQbHVnaW5zMSQwIgYDVQQDDBtNb25pdG9yaW5nIFBsdWdpbnMgQ2xp
+ZW50Q0ExKzApBgkqhkiG9w0BCQEWHGRldmVsQG1vbml0b3JpbmctcGx1Z2lucy5v
+cmcwHhcNMjEwMjI4MjEwMjEyWhcNMzAxMTI4MjEwMjEyWjCBqjELMAkGA1UEBhMC
+REUxEDAOBgNVBAgMB0JhdmFyaWExDzANBgNVBAcMBk11bmljaDEbMBkGA1UECgwS
+TW9uaXRvcmluZyBQbHVnaW5zMS4wLAYDVQQDDCVNb25pdG9yaW5nIFBsdWdpbnMg
+Q2xpZW50SW50ZXJtZWRpYXRlMSswKQYJKoZIhvcNAQkBFhxkZXZlbEBtb25pdG9y
+aW5nLXBsdWdpbnMub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+6rUgOZ9pAOxrcgeeOT3Vmu1YmY2O/C9tXhpKzDzjTaWUzcdDg00KdsjXfgbDzSiV
+uvMzjX63aKpmqeFG+05D2VzQGit3knqerUgl10FnTotiJGF5CU5/gY1aPxTJ7rj2
+tD6LINBkJcPTyQ4MoJT19pssvCax9erY1RxoXxLblJ+31C+VvrftdmBP4nVKXK26
+4anb1oUQhkgpXpJimJBmF+v7NbDs1Wh21Be80KXUh9SKgePhSQblr2QlRcA7jLgJ
+4PMjZ+KYF+da+4RB7s+DvTXVDMn9AL84E1w5Ut1E8XZV+u4RjWPvNdhK/7GnuxOR
+C9SdxonqkPQ8hiI7thP9bQIDAQABoxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqG
+SIb3DQEBCwUAA4IBAQDKQeiDbyr0/7sEhX33MmTDv84GeWgKl9qqHecx+d/0vImb
+c8XHK0PDa4lVqo/BW4P1hjKzpt2DW35kbOhuqGqM0lasIczef43aCDDEBLwstAe6
+qMoyWGVGoAQbpwT3li2pMrsIYoPwMvoSGNUphjrkdpviff2POkLly7a5RrR1X3qt
+Dai6eYbeMCr9NdgW7AZ5++/sKlFoe+zVk/Ed31s4D2lh3awrApZhVgcoquPmEwpt
+gm+OgRmHw50U4SF3ZaJPwDyLMbx+clH/bgUg0+Za9e53Br1NtGKmw7hh/7CG/hy0
+yxeLd930pH4vZu7s0XM56N/ckkfUzRkAH8dSmhH4
+-----END CERTIFICATE-----
diff --git a/plugins/tests/certs/clientchain-key.pem b/plugins/tests/certs/clientchain-key.pem
new file mode 100644
index 0000000..0263604
--- /dev/null
+++ b/plugins/tests/certs/clientchain-key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCmG+gkFuL+sO+b
+f5fzGiTSwsIm8JG5SlJtTnASZERCWSg4aZYriXqvUnI6mEpEGjz6fYzE+IIy8CZO
+urFWUGaRybKvBaPf3Y2Br7ZItZPOIBKTmcWuuFXpTv0+SBecRNXZaTX8U1UgWQHw
+34G6d2xNx7wsuIKzuF8DkIrty0mDx+qwCyaAoE0bMFFbCRu/Fk93rGVjp+ggl4Ps
+9DZ6W9OasPpZdJmrsayEWkMSQvcCJ+qs8x2xOdsGnIaAn98EzVvZ3H2Tnd7bmaAR
+CaeJK5hDGfTwGxRPQU69q/ySxksFDPzn1+6oK3CGKSk4M7rfl8P3MrliQE+VWX7/
+nGhK8o7LAgMBAAECggEAAfTqMyKh4eYrrGVAYPi53lG0/8htrwUVG3yFDXJo628p
+biCwSCsCavZJqi8JEOxOM5UvB1L2FauGh/7i/+VKkAUUOcOTPpvZguGTACBDcXYn
+Qd3Z2kkJmgn4Kbenr4uQCVOX8zT4F710rGW1nYCyoefsa4pw37UYSW52dH6kiwzW
+9k4X251nDMl/twBdOcjZbL768IEa5l4nySLpUNwfrVbSb1NzBoH0dVioh3DTLjt6
+gaShW4eIpaKczht1U97n6/7WNLl6vHX/mR99k/py8OhzhR1ccYpd2IfSHAWyQT0M
+K8BoNnkjICrr9oc0FCr2BVJa3IzKHlhukF4GTZiGYQKBgQDWCHTwAmwL4FFEBVhj
+pZne/sjaZc8TzPPxA8SkmxwDIZrM7tSu7qUuYgWTM432jZbLILWTyGfXf2PpqyF6
+wOpoBJj1ETkre8ZfRmYvsSvS5vtjF3Drszol+XvZnOclfB5VG3m5P2vYkQ8wI9OE
+Y5jUBgDj0RsCNd8QnrC1u54U/wKBgQDGrd5y8S9kUT0P0lkZit7bYjSPJExtClXt
+V7YNTjELrVCdc0jranxBWaub8NP3e6TGTi9HiQWvk2eOAS2qyccqlK4+YAK5XO3D
+EpFUNNcClq8CErw2POuCAKajrPuSp6vd6q8h4lTzDExVctQS4R9fRKKFBKkPUV5G
+UiKFllnKNQKBgQDBGIQXfLfpxwjKK2BhFihKDOc8UhmOrZtvV4zzTJTrJkg4l0f+
+QoN34ytQcHSleXwP6oSmvWkh/GYxjBj6XE2eZndwsYc4ecSwdB0A7gCxl345Gg7g
+NqRBWmGoJGxNXzsmYVFiFZvAmK5xKgFMMWbR8lCfOCn7xopmviSC8K9gFQKBgFRb
+KmH/SbH8VELNews/TVQ0pEBKlzCM/OLjJOcNVgGxOtM/Say677sHibeST0168AFK
+3QQwh3t+yK8gjPVA6xGHQ1w0g7OUY1c6IP5x2QC+XdwxfDxDLXNrN1WzcrVX/78f
+j/CBGrR/ekGlmanSb/GRQLfdvLJGSBLveLzjk4gpAoGBANN9RUm/aRz3dDBWex46
+kJ15xKJfLZiUeyDvY5+5d7YF4/tw5LU4XmKQNhiojHecykrTzPUMaGyMrbMPNn32
+WFW9CKMjuBEwWpMDJJb1/5NLEvpwu++sr7bUPZkQl76ot6OqgNHodbP8ATqrNr80
+5b8FrEN1LyfkTbabxNyAWcA0
+-----END PRIVATE KEY-----
diff --git a/plugins/tests/certs/clientintermediate-cert.pem b/plugins/tests/certs/clientintermediate-cert.pem
new file mode 100644
index 0000000..608a8fa
--- /dev/null
+++ b/plugins/tests/certs/clientintermediate-cert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID2jCCAsKgAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBoDELMAkGA1UEBhMCREUx
+EDAOBgNVBAgMB0JhdmFyaWExDzANBgNVBAcMBk11bmljaDEbMBkGA1UECgwSTW9u
+aXRvcmluZyBQbHVnaW5zMSQwIgYDVQQDDBtNb25pdG9yaW5nIFBsdWdpbnMgQ2xp
+ZW50Q0ExKzApBgkqhkiG9w0BCQEWHGRldmVsQG1vbml0b3JpbmctcGx1Z2lucy5v
+cmcwHhcNMjEwMjI4MjEwMjEyWhcNMzAxMTI4MjEwMjEyWjCBqjELMAkGA1UEBhMC
+REUxEDAOBgNVBAgMB0JhdmFyaWExDzANBgNVBAcMBk11bmljaDEbMBkGA1UECgwS
+TW9uaXRvcmluZyBQbHVnaW5zMS4wLAYDVQQDDCVNb25pdG9yaW5nIFBsdWdpbnMg
+Q2xpZW50SW50ZXJtZWRpYXRlMSswKQYJKoZIhvcNAQkBFhxkZXZlbEBtb25pdG9y
+aW5nLXBsdWdpbnMub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+6rUgOZ9pAOxrcgeeOT3Vmu1YmY2O/C9tXhpKzDzjTaWUzcdDg00KdsjXfgbDzSiV
+uvMzjX63aKpmqeFG+05D2VzQGit3knqerUgl10FnTotiJGF5CU5/gY1aPxTJ7rj2
+tD6LINBkJcPTyQ4MoJT19pssvCax9erY1RxoXxLblJ+31C+VvrftdmBP4nVKXK26
+4anb1oUQhkgpXpJimJBmF+v7NbDs1Wh21Be80KXUh9SKgePhSQblr2QlRcA7jLgJ
+4PMjZ+KYF+da+4RB7s+DvTXVDMn9AL84E1w5Ut1E8XZV+u4RjWPvNdhK/7GnuxOR
+C9SdxonqkPQ8hiI7thP9bQIDAQABoxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqG
+SIb3DQEBCwUAA4IBAQDKQeiDbyr0/7sEhX33MmTDv84GeWgKl9qqHecx+d/0vImb
+c8XHK0PDa4lVqo/BW4P1hjKzpt2DW35kbOhuqGqM0lasIczef43aCDDEBLwstAe6
+qMoyWGVGoAQbpwT3li2pMrsIYoPwMvoSGNUphjrkdpviff2POkLly7a5RrR1X3qt
+Dai6eYbeMCr9NdgW7AZ5++/sKlFoe+zVk/Ed31s4D2lh3awrApZhVgcoquPmEwpt
+gm+OgRmHw50U4SF3ZaJPwDyLMbx+clH/bgUg0+Za9e53Br1NtGKmw7hh/7CG/hy0
+yxeLd930pH4vZu7s0XM56N/ckkfUzRkAH8dSmhH4
+-----END CERTIFICATE-----
diff --git a/plugins/tests/certs/clientintermediate-key.pem b/plugins/tests/certs/clientintermediate-key.pem
new file mode 100644
index 0000000..13f6887
--- /dev/null
+++ b/plugins/tests/certs/clientintermediate-key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDqtSA5n2kA7Gty
+B545PdWa7ViZjY78L21eGkrMPONNpZTNx0ODTQp2yNd+BsPNKJW68zONfrdoqmap
+4Ub7TkPZXNAaK3eSep6tSCXXQWdOi2IkYXkJTn+BjVo/FMnuuPa0Posg0GQlw9PJ
+DgyglPX2myy8JrH16tjVHGhfEtuUn7fUL5W+t+12YE/idUpcrbrhqdvWhRCGSCle
+kmKYkGYX6/s1sOzVaHbUF7zQpdSH1IqB4+FJBuWvZCVFwDuMuAng8yNn4pgX51r7
+hEHuz4O9NdUMyf0AvzgTXDlS3UTxdlX67hGNY+812Er/sae7E5EL1J3GieqQ9DyG
+Iju2E/1tAgMBAAECggEACyYJXtNUoIeaXvM/r8ZhJBfMEpcnyJDUKBklnmfyABky
+ZUfmzBDXw2as3b6ihFc+LYAp3bm8KouVjtI1lfBUxrli5StVZa7PZLm9mmjv6Eo0
+ojfDEQ8afWPieoaZRO6iQVOLNkbPyv9vSuiQ7vvEZy9dw54u69h47j6IMqPprDiG
+ropUNeGAvTnh1Vf9/8aCHEvHUNHcc4zjzGiQ+E60JgnbpGVeJKoeiMgrQE0yjweo
+KyKA47Y6vqP6+AxAaPplXtmrx2UCbMjktHNvLvg42+2UlLS5roiwmJYEN9c6iT6t
+y82MJrjEFGZyLG2u6ZQANSJiIWaCnOyT1o2deJ8NoQKBgQD7UxivDTuljQD0so+E
+JX9UaFZ9PgS+8LC9v56PciL4XQ7bcCVP5vVgZZPABiQ9i989Wq7qI042Jrfu5qtE
+SthlOAu80GvAQV+Oujwo7ZzM6ciQtjMsj63r2uayWXnmQ07QcIg7x7y161Pt9Bqr
+LIDrqHziIj/lzT7+6QKZaQwFaQKBgQDvEuSC14CBlMhy2jji71kB/3Ya3c+8dP+A
+kQZL9wEWK4a4dm8IaTS8jl1/luhQUzFRMyh2rWaTqqigSe3dvs5DRblhE5NPwTSI
+9TO7t1EnzjW3R8LxZZsySyiSFnZ/8mR0empxq0Mov37OdXBj0tXuuzREf/hwijWh
+WuLxJUSjZQKBgAIDZ2Y3l+u6lnBfYdDwL/XwJAk6zvTsnq3WdCG4C1mr/St62YGr
+WvnbtnRKWE356d7m9BHCGKVMaBrM1EBmzRb6fPWVQde3blmJWmQFi0UE9mtaWkyY
+Fg+WoFR7bQOQNHhs/lpkPjnC2dhFJVWLtLiuj9mL5rEjlMab/T5XXhZJAoGBAMEP
+FZ8fXbPGrTQqSwPfWpZFcF9zvbynEmkFM/uGRMddcNZnNXSqWJ7nrFNLTuEGvW2g
+DU4A6zPV/YQrDz4hRjmHBZOCFlSyZbUvpY4yFAQ7/p66AY+kiHZNwT5vi1P5Luvs
+qyaNsZcnRMR+i7rg2EeHv0aNvNdMlNBvL5KikNINAoGAU2P/phdwJOUcqgHavQcQ
+ureTEyZ5i5AeNomNeHSj0slG24V9nxOqEL7D00JKln7oAPovYBUWocEnF39uBJe0
+p0Hy7fCCK6EI8/0QyiQuuZmJfDEEvjQqE6irONNH63r2UwDEpDNGFvGsZNuWHLZc
+SXADu5oSNu6o6IydiyOx528=
+-----END PRIVATE KEY-----
diff --git a/plugins/tests/certs/expired-cert.pem b/plugins/tests/certs/expired-cert.pem
index 77a9166..87fc8e4 100644
--- a/plugins/tests/certs/expired-cert.pem
+++ b/plugins/tests/certs/expired-cert.pem
@@ -1,24 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIEETCCAvmgAwIBAgIUFDsP6WnV/uqeQMpD/DYSqouE13kwDQYJKoZIhvcNAQEL
+MIIEETCCAvmgAwIBAgIUVDKkhcUoYFnjYCw12tScPIqQzqIwDQYJKoZIhvcNAQEL
 BQAwgZcxCzAJBgNVBAYTAkRFMRAwDgYDVQQIDAdCYXZhcmlhMQ8wDQYDVQQHDAZN
 dW5pY2gxGzAZBgNVBAoMEk1vbml0b3JpbmcgUGx1Z2luczEbMBkGA1UEAwwSTW9u
 aXRvcmluZyBQbHVnaW5zMSswKQYJKoZIhvcNAQkBFhxkZXZlbEBtb25pdG9yaW5n
-LXBsdWdpbnMub3JnMB4XDTA4MDEwMTExMDAyNloXDTA4MDEwMjExMDAyNlowgZcx
+LXBsdWdpbnMub3JnMB4XDTA4MDEwMTEyMDAwMFoXDTA4MDEwMjEyMDAwMFowgZcx
 CzAJBgNVBAYTAkRFMRAwDgYDVQQIDAdCYXZhcmlhMQ8wDQYDVQQHDAZNdW5pY2gx
 GzAZBgNVBAoMEk1vbml0b3JpbmcgUGx1Z2luczEbMBkGA1UEAwwSTW9uaXRvcmlu
 ZyBQbHVnaW5zMSswKQYJKoZIhvcNAQkBFhxkZXZlbEBtb25pdG9yaW5nLXBsdWdp
-bnMub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyeHKwKFjJWUX
-YHKsisypUf9dHlIPQAISyGP1BX6UL26ZLvE6kKbx3LFQ9W2POGoQWlzFiB1soGeV
-WDd0U0JtWdCKmOXWdcXpupQlTSUtRCMDQkfqLN8GR5TBTd73rezp5mz08nMfLwu0
-p5VQ191Ui8JHFgrAOalAn8Uw5De8vj4VmTXmU5NJ2UFoC0ddU/Th/lwRCayHc1cn
-MVq2F7c/uhMUUQYNBmJy0pxoHawp+j9NKl/xIYsjgQNgahQyNuswuGHjaEwhPu+7
-G03XsW4ehu+H1898M/MkSln6LQAU1syoJ8ypPM8tV+zgx4uwj7udnZ2hceN95uW7
-0PWg5DQyUwIDAQABo1MwUTAdBgNVHQ4EFgQUt9ps3KJ1XiMuy/ijFBjMzf6jgwkw
-HwYDVR0jBBgwFoAUt9ps3KJ1XiMuy/ijFBjMzf6jgwkwDwYDVR0TAQH/BAUwAwEB
-/zANBgkqhkiG9w0BAQsFAAOCAQEAVPBZwMHbrnHFbmhbcPuvYd5cxk0uSVNAUzsl
-2biCq5P+ZHo10VHGygXtdV4utqk/IrAt2u5qSxycWPStCtAgTd3Q8ncfjOkaHM4z
-2bxTkhLyQeU8NWPuDBqDszo2GOaFTv+lm36LEKiAfqB1tjQVePSkycdrWIhkamBV
-EgMe6uHLdU7QQk1ajQfrBdakN1beqki/dKieA6gm+XF/QS4SSYINmsHB/2X5cT9U
-b/KMB8xurCnuJQuk1P4VsSkJCOSeHjWZgK9pKNdsIJZr4wDVfhjQgU0XT6xakSf7
-eCaHtO0VKsbLZoiTmpxidjsdYiXyeKYIQNtUpTjyJ5V/cZsq9w==
+bnMub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwg1dmGT3rVqM
+beVWWLy8EAiq9re07AF8sTERy9oIYF5EUq9f0xO53mwwqIWV77O9mF99/kDFGQuQ
+NOnICMSHXNtMXEXzfBaMighw0uyCh1o/VCejNQ5x/HU8aLh930g5DIcOJQ3fZ4v9
+8kBaie7+aPgRMVDM1vIrILfedq9Kt56zvPizkXhDeqxjKyIZdrdoBlX5zAfftWtY
+HpQ+lkThSSXqQnchN6S2JFejmRtsNnceDVOBBdvlzmH0NlfwjynLK3/EJooTsINy
+i9dXD8/Oe8r+UA+nokWvnWC2IAUJjpxW+XAyTG/NofGwX+PwquT0YD5cSlODIwZA
+WAimygWLqQIDAQABo1MwUTAdBgNVHQ4EFgQUsKyJAwR9OXWEcSZMQz73GfpxCJIw
+HwYDVR0jBBgwFoAUsKyJAwR9OXWEcSZMQz73GfpxCJIwDwYDVR0TAQH/BAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAQEAYKFGX7J3Fc/T9s278w61E2dSsY4DS/mjSDik
+fMWvod6eKw0fE3wJOnkWxjEH3VywTY6CmHd/oiJOaD8lr/Vk+BJfYNVBaVNmguyg
+4LXoWz9Benx0bAIeuDbNAhOvA4H4aIz8UrD9lKFvKdRp42gPMLtMEbzbLcBdT95D
+6BX7EhYm7vTnpitLPgFxVCsJ1JFqv2AQfUm+IkqQkezPs5x0tWLyrvCDNRGJ0kfv
+UuowpUZXDOh3k1vB+xaSOFviieLaCW8TSdd5FZgI2HQj4e6vCKsMGuKKZXrMUTI/
+qtrFlUfsOuwourfC5LMHtCyYo5B3uvAWT1eTXxhrGqyleSlxJQ==
 -----END CERTIFICATE-----
diff --git a/plugins/tests/certs/expired-key.pem b/plugins/tests/certs/expired-key.pem
index c1510b2..c5bba56 100644
--- a/plugins/tests/certs/expired-key.pem
+++ b/plugins/tests/certs/expired-key.pem
@@ -1,28 +1,28 @@
 -----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDJ4crAoWMlZRdg
-cqyKzKlR/10eUg9AAhLIY/UFfpQvbpku8TqQpvHcsVD1bY84ahBaXMWIHWygZ5VY
-N3RTQm1Z0IqY5dZ1xem6lCVNJS1EIwNCR+os3wZHlMFN3vet7OnmbPTycx8vC7Sn
-lVDX3VSLwkcWCsA5qUCfxTDkN7y+PhWZNeZTk0nZQWgLR11T9OH+XBEJrIdzVycx
-WrYXtz+6ExRRBg0GYnLSnGgdrCn6P00qX/EhiyOBA2BqFDI26zC4YeNoTCE+77sb
-Tdexbh6G74fXz3wz8yRKWfotABTWzKgnzKk8zy1X7ODHi7CPu52dnaFx433m5bvQ
-9aDkNDJTAgMBAAECggEACrLFfNnQmD24NGs/S4e2/VpsA9xTZI/3kNkDNgxULANP
-aNZtxRajwI9A/BCXQ2UTgsZhzWnJxOJYXrlpl7PweY78mUesysb3MOUC6QisUm0M
-kimfdktHWOnAKLFFLNleN9DUVjjVkTeslijqhNX80f80py1grG2UuCLKCX4OqYIm
-qACE8TMmSZLz42AO96TndNtKplQ8LuGLEmByW95wEfhx3Gm4ckkL7qII/U3DnQXr
-0T+3xLaj+eNJzYDpIFZiw4sNzOuAyCz+4Cc4sPDuMnzquXF+enpkemoycC1RmEpG
-KIDTwmFsc8TrbGV0qifC6fsCrDivdYLqL7R/q3IBQQKBgQDmfvO3VYTEKY8NA+AT
-5s6+7NTxRsXxJUCEhCNBWimSH3EzmBAvrodLY6A0oYg8i81bgNX1I9GPVXJZ/QA7
-ukd84HUIQoGS5Usmo4rp+kz4P6KkLXDemZtWPU5GXxicfajHRQlkbW6St6SpV7IS
-ibJcDADeoiaPL1xvue1ToP/LoQKBgQDgOFHjYpep00gabvjXfYW7vhrg1vVwaKUM
-rf0+UW8Exk4nbBw0eEC2YjxIwzdktlkdbzGaXYULnhg8GnfxYesMOpCLPw1JdB8o
-ixETAFpW5bKrUsjEFRUGhzWnsCSFIQ4smpmtGLTxOQ8AkoDdORY5Z+Wv7JtFF6Do
-PSoblckZcwKBgB3TD3YJesRnHDty5OuuUdIikuslXTd2uoJrFqS+JeLibqNeabnB
-u3/lxDULMbWj4U6VvRmbKOKDC+jY887Gq7lc0cff0yROxwqY3sCnwo3crg7QUmp7
-Nb5S8G3qoCSfndcq96wm/Me/O28uCbycVJfUdchY8uRUHIHYbP0FOBQBAoGBAMgh
-fPX4imaKr1DovDObVkK87EDDnU84GBm5MtDs3qrkVd3aIVK0Aw7HoAdSN58tI12i
-YiPmVVqJQhhjh6tsOuAvZdTj8ngdrbICbrsHFZt6an+A5LIgHyQ0iy+hiPdLCdvG
-ImTeKKMmyr04Bs1upueWVO0xw2VoMbcY4Py+NUEBAoGASQqedfCSKGLT+5lLZrhP
-CbFVMmswEPjBcRb1trcuA09vfExn9FfUNFnnw3i9miprED5kufvAjb+6nduXizKg
-7HQYHCwVvakgtXgbiDMaNgYZcjWm+MdnfiwLJjJTO3DfI1JF2PJ8y9R95DPlAkDm
-xH3OV8KV4UiTEVxS7ksmGzY=
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDCDV2YZPetWoxt
+5VZYvLwQCKr2t7TsAXyxMRHL2ghgXkRSr1/TE7nebDCohZXvs72YX33+QMUZC5A0
+6cgIxIdc20xcRfN8FoyKCHDS7IKHWj9UJ6M1DnH8dTxouH3fSDkMhw4lDd9ni/3y
+QFqJ7v5o+BExUMzW8isgt952r0q3nrO8+LOReEN6rGMrIhl2t2gGVfnMB9+1a1ge
+lD6WROFJJepCdyE3pLYkV6OZG2w2dx4NU4EF2+XOYfQ2V/CPKcsrf8QmihOwg3KL
+11cPz857yv5QD6eiRa+dYLYgBQmOnFb5cDJMb82h8bBf4/Cq5PRgPlxKU4MjBkBY
+CKbKBYupAgMBAAECggEBAJ2mdCKJ7LoWdT4W8pZ3BqZUFGkKCF8wOhhOUDH3+ZQp
+IYK3XbdDMF7mMIXIuW4a7W4sLlTwU/Ar98U1JMESwRIMS7YvUke+ngDKKLcDVGwY
+Qpjg9vP0v2Al8qT1NbW/nDF0S2aJJbWfAvnblHK5ClFHL9iL107NQYJ8PqzXbnFL
+gCQRiZxVHlrbn/73ZUMHPGEoU0711U9hSjrsqrRuSAMC+V38s4HxOomZWutlVAHF
+HwClNZBqRO+a2njPyUuV9DM/rl5Tm9IQ89iFo3/QEORICK77HjJYhi+UzdfI5F35
+UntRJt+WLaiAP+K6Vt6oxHSm58qXnOkeLzaAunTTie0CgYEA6OLYfme8xe5zYXWX
+rqmKNYdcVfMkvL+vUfVT475o/piRtE54JC1LYWEFAN8paxEWHD5HZMy0+ONNXfGm
+zyNNTN/Lagz4WcpdFzKQmhfdro7DzRiDfdvwSLmaZDyE41PPPVVvfrI9IeDiUNY4
+nWLSb3sWo96Iuns+RoMqeA9wkqsCgYEA1U/UqeVQVTPlrWyiB2VXoI1xvFCCJTf8
+4NC0gcisxLRrtINk0BwrUJrRy0x1OLpJWiKwUl/W1GgvPPfhbYcUOb669JNtTIjY
+FeIZblCTjz9GzKKmXeDciXvccyEdCJVUlPO3/e2JiJ4mCDjULprifq0a2gcQevFS
+PfqVULhBOvsCgYB5KfS7J1vGmv36ucSWAe0/VlKLATqe3RfpCzt/JQTZWSWNaroF
+EG/ElUaWIoUZCEW5oglg/0Q0rYYGF4DTCingkhrx7ReVF70BIbSsBzi15d8nKNbY
+t4I3RCF4fyggYe1TmsysXS2DH85/gkToVY7oo2CvF0uJwi8vXnTNDDNkiwKBgHKs
+mAc94BHt9GtnGzQepx0I7TvvjAe2MZwqlt+uojKdS8mfWXMHscGDeYVxdRMqEoUC
+YQfnvfYyjDKaj/XxyE3C237gQsICTyh0hHdpmepIeidIyWdumyDOFZVPF+ylWvM4
+kpFQQb/QRWHmKyti2KCBLw5G/fUaBryLGfprE6ZBAoGBANy5rr41A679UQZ0abev
+bOZb7YWOHYp/wReJaQbvLAyR30os3aEY/0ht9S+OWdrgGMezPKvsx2Sqr/CwoFXI
+esiklpknr11maEPxnQJYi4FYiXS1a3NCg7yBvKzFEgx2XnMAC3s6zhuZXaFq4zNu
+pm5Btrq/NZqtVXovS+UhGLvJ
 -----END PRIVATE KEY-----
diff --git a/plugins/tests/certs/ext.cnf b/plugins/tests/certs/ext.cnf
new file mode 100644
index 0000000..d09cee1
--- /dev/null
+++ b/plugins/tests/certs/ext.cnf
@@ -0,0 +1,2 @@
+[ client_ca ]
+basicConstraints = critical, CA:true
diff --git a/plugins/tests/certs/generate-certs.sh b/plugins/tests/certs/generate-certs.sh
new file mode 100755
index 0000000..78660a2
--- /dev/null
+++ b/plugins/tests/certs/generate-certs.sh
@@ -0,0 +1,63 @@
+#!/bin/sh -e
+#
+# Recreates the https server certificates
+#
+# Set the GEN_EXPIRED environment variable to also regenerate
+# the expired certificate.
+
+cd "$(dirname "$0")"
+trap 'rm -f *.csr; rm -f clientca-cert.srl' EXIT
+
+subj() {
+        c="DE"
+        st="Bavaria"
+        l="Munich"
+        o="Monitoring Plugins"
+        cn="Monitoring Plugins"
+        emailAddress="devel@monitoring-plugins.org"
+
+        if [ -n "$1" ]; then
+                # Add to CN
+                cn="$cn $1"
+        fi
+
+        printf "/C=%s/ST=%s/L=%s/O=%s/CN=%s/emailAddress=%s" \
+                "$c" "$st" "$l" "$o" "$cn" "$emailAddress"
+}
+
+# server
+openssl req -new -x509 -days 3560 -nodes \
+        -keyout server-key.pem -out server-cert.pem \
+        -subj "$(subj)"
+# server, expired
+# there is generally no need to regenerate this, as it will stay epxired
+[ -n "$GEN_EXPIRED" ] && TZ=UTC faketime -f '2008-01-01 12:00:00' \
+        openssl req -new -x509 -days 1 -nodes \
+                -keyout expired-key.pem -out expired-cert.pem \
+                -subj "$(subj)"
+
+# client, ca
+openssl req -new -x509 -days 3560 -nodes \
+        -keyout clientca-key.pem -out clientca-cert.pem \
+        -subj "$(subj ClientCA)"
+echo "01" >clientca-cert.srl
+# client
+openssl req -new -nodes \
+        -keyout client-key.pem -out client-cert.csr \
+        -subj "$(subj Client)"
+openssl x509 -days 3560 -req -CA clientca-cert.pem -CAkey clientca-key.pem \
+        -in client-cert.csr -out client-cert.pem
+# client, intermediate
+openssl req -new -nodes \
+        -keyout clientintermediate-key.pem -out clientintermediate-cert.csr \
+        -subj "$(subj ClientIntermediate)"
+openssl x509 -days 3560 -req -CA clientca-cert.pem -CAkey clientca-key.pem \
+        -extfile ext.cnf -extensions client_ca \
+        -in clientintermediate-cert.csr -out clientintermediate-cert.pem
+# client, chain
+openssl req -new -nodes \
+        -keyout clientchain-key.pem -out clientchain-cert.csr \
+        -subj "$(subj ClientChain)"
+openssl x509 -days 3560 -req -CA clientca-cert.pem -CAkey clientca-key.pem \
+        -in clientchain-cert.csr -out clientchain-cert.pem
+cat clientintermediate-cert.pem >>clientchain-cert.pem
diff --git a/plugins/tests/certs/server-cert.pem b/plugins/tests/certs/server-cert.pem
index b84b91d..d1249ef 100644
--- a/plugins/tests/certs/server-cert.pem
+++ b/plugins/tests/certs/server-cert.pem
@@ -1,24 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIEBjCCAu6gAwIBAgIJANbQ5QQrKhUGMA0GCSqGSIb3DQEBCwUAMIGXMQswCQYD
-VQQGEwJERTEQMA4GA1UECAwHQmF2YXJpYTEPMA0GA1UEBwwGTXVuaWNoMRswGQYD
-VQQKDBJNb25pdG9yaW5nIFBsdWdpbnMxGzAZBgNVBAMMEk1vbml0b3JpbmcgUGx1
-Z2luczErMCkGCSqGSIb3DQEJARYcZGV2ZWxAbW9uaXRvcmluZy1wbHVnaW5zLm9y
-ZzAeFw0xOTAyMTkxNTMxNDRaFw0yOTAyMTYxNTMxNDRaMIGXMQswCQYDVQQGEwJE
-RTEQMA4GA1UECAwHQmF2YXJpYTEPMA0GA1UEBwwGTXVuaWNoMRswGQYDVQQKDBJN
-b25pdG9yaW5nIFBsdWdpbnMxGzAZBgNVBAMMEk1vbml0b3JpbmcgUGx1Z2luczEr
-MCkGCSqGSIb3DQEJARYcZGV2ZWxAbW9uaXRvcmluZy1wbHVnaW5zLm9yZzCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKgV2yp8pQvJuN+aJGdAe6Hd0tja
-uteCPcNIcM92WLOF69TLTSYon1XDon4tHTh4Z5d4lD8bfsGzFVBmDSgWidhAUf+v
-EqEXwbp293ej/Frc0pXCvmrz6kI1tWrLtQhL/VdbxFYxhV7JjKb+PY3SxGFpSLPe
-PQ/5SwVndv7rZIwcjseL22K5Uy2TIrkgzzm2pRs/IvoxRybYr/+LGoHyrtJC6AO8
-ylp8A/etL0gwtUvRnrnZeTQ2pA1uZ5QN3anTL8JP/ZRZYNegIkaawqMtTKbhM6pi
-u3/4a3Uppvt0y7vmGfQlYejxCpICnMrvHMpw8L58zv/98AbCGjDU3UwCt6MCAwEA
-AaNTMFEwHQYDVR0OBBYEFG/UH6nGYPlVcM75UXzXBF5GZyrcMB8GA1UdIwQYMBaA
-FG/UH6nGYPlVcM75UXzXBF5GZyrcMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcN
-AQELBQADggEBAGwitJPOnlIKLndNf+iCLMIs0dxsl8kAaejFcjoT0n4ja7Y6Zrqz
-VSIidzz9vQWvy24xKJpAOdj/iLRHCUOG+Pf5fA6+/FiuqXr6gE2/lm0eC58BNONr
-E5OzjQ/VoQ8RX4hDntgu6FYbaVa/vhwn16igt9qmdNGGZXf2/+DM3JADwyaA4EK8
-vm7KdofX9zkxXecHPNvf3jiVLPiDDt6tkGpHPEsyP/yc+RUdltUeZvHfliV0cCuC
-jJX+Fm9ysjSpHIFFr+jUMuMHibWoOD8iy3eYxfCDoWsH488pCbj8MNuAq6vd6DBk
-bOZxDz43vjWuYMkwXJTxJQh7Pne6kK0vE1g=
+MIIEETCCAvmgAwIBAgIUZwOhY4myaCUaPek3NM+MxbLG9vwwDQYJKoZIhvcNAQEL
+BQAwgZcxCzAJBgNVBAYTAkRFMRAwDgYDVQQIDAdCYXZhcmlhMQ8wDQYDVQQHDAZN
+dW5pY2gxGzAZBgNVBAoMEk1vbml0b3JpbmcgUGx1Z2luczEbMBkGA1UEAwwSTW9u
+aXRvcmluZyBQbHVnaW5zMSswKQYJKoZIhvcNAQkBFhxkZXZlbEBtb25pdG9yaW5n
+LXBsdWdpbnMub3JnMB4XDTIxMDIyODIxMDIxMVoXDTMwMTEyODIxMDIxMVowgZcx
+CzAJBgNVBAYTAkRFMRAwDgYDVQQIDAdCYXZhcmlhMQ8wDQYDVQQHDAZNdW5pY2gx
+GzAZBgNVBAoMEk1vbml0b3JpbmcgUGx1Z2luczEbMBkGA1UEAwwSTW9uaXRvcmlu
+ZyBQbHVnaW5zMSswKQYJKoZIhvcNAQkBFhxkZXZlbEBtb25pdG9yaW5nLXBsdWdp
+bnMub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2/3eBA4WG6xz
+LfM6xcWywxThb1Rp7XAW3ewQd9/PdoWXEe8BJWlLfyYi1drLMcsDywhLkKmW4Vp9
+1R4PAkiljjrB/ZaUMDLJ1ri3dwX4RvXG7crsU3QWFWCBOrf5V2FTRQ2m/H/KyB/6
+rVZANsU47HqTFSPiUm2j7P3wx/wtHeYC+qmNG7zZTjAYPYxfKiod0lytTSmb+h54
+6lxn3+VPEXZAQZlLvPnm/58JnXGrUv7B2yocf5MhKkLJOrGxH2hfwKISfaj2gpOV
+m4PUVYiDzCSpq1fPvwbUxIvdO27xprx+mrGOFM6f2UCEOc35w8FSmYiR2yQTnEJK
+pbSQD6t1jQIDAQABo1MwUTAdBgNVHQ4EFgQUMeYgglT2aWDlF8KEeF2376AlTGYw
+HwYDVR0jBBgwFoAUMeYgglT2aWDlF8KEeF2376AlTGYwDwYDVR0TAQH/BAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAQEAFcEg83rTJdgkp7JLYqK0j8JogSHNlDYchr/r
+VxKBgQwfnjSp5A8d5+uTQ9s3QDabw8v7YeSrzYXbbjuWZ61mnl84tzOQ8LMeESnC
+CBXRCxB8Ow22WsVTVJq279SGYT+cZrdsmqGVWDi1A0C5kH+XTLAioG5CZmmxemD/
+S92ZoRxGyYfg33r+3X6EMcEYtHKGxCUa3EPcPOL4dq2F3nOnyjiWPZm3786H3NY2
+nsYwrEhAdUFtbYSsV5O0c/Zlc33fmTfh654ab35io1DtwmFo7q8J532dUE007EN0
+mIQmhdrjNJJHIftgSt0fuN5m48oLOnX7vvkz+X0WLWfVTtMr0w==
 -----END CERTIFICATE-----
diff --git a/plugins/tests/certs/server-key.pem b/plugins/tests/certs/server-key.pem
index 1194755..0de63f8 100644
--- a/plugins/tests/certs/server-key.pem
+++ b/plugins/tests/certs/server-key.pem
@@ -1,28 +1,28 @@
 -----BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCoFdsqfKULybjf
-miRnQHuh3dLY2rrXgj3DSHDPdlizhevUy00mKJ9Vw6J+LR04eGeXeJQ/G37BsxVQ
-Zg0oFonYQFH/rxKhF8G6dvd3o/xa3NKVwr5q8+pCNbVqy7UIS/1XW8RWMYVeyYym
-/j2N0sRhaUiz3j0P+UsFZ3b+62SMHI7Hi9tiuVMtkyK5IM85tqUbPyL6MUcm2K//
-ixqB8q7SQugDvMpafAP3rS9IMLVL0Z652Xk0NqQNbmeUDd2p0y/CT/2UWWDXoCJG
-msKjLUym4TOqYrt/+Gt1Kab7dMu75hn0JWHo8QqSApzK7xzKcPC+fM7//fAGwhow
-1N1MArejAgMBAAECggEANuvdTwanTzC8jaNqHaq+OuemS2E9B8nwsGxtH/zFgvNR
-WZiMPtmrJnTkFWJcV+VPw/iMSAqN4nDHmBugVOb4Z4asxGTKK4T9shXJSnh0rqPU
-00ZsvbmxY6z0+E5TesCJqQ+9GYTY1V357V7JchvaOxIRxWPqg9urHbru8OCtW/I5
-Fh5HPUZlgCvlMpjlhyjydIf/oXyVA3RNsXlwe8+2cKuGIrjEzm2j9o3VF0sctTX0
-ItP8A9qDmDQN7GIWX0MW6gncojpS1omC2wcFsdjj/xfPyiDal1X4aq/2YqG8351c
-YlM/+6Va0u9WWE/i64gASTAVqpMV4Yg8y0gGycuA0QKBgQDbgI2QeLd3FvMcURiU
-l3w9qJgw/Jp3jaNC/9LkVGGz4f4lKKB67lPZvI4noMK8GqO/LcXgqP/RY1oJojoA
-/6JKVvzYGASZ7VgMoG9bk1AneP1PGdibuTUEwimGlcObxnDFIC/yjwPFu3jIdqdS
-zZi1RZzyqAogN5y3SBEypSmn9wKBgQDECKsqqlcizmCl8v5aVk875AzGN+DOHZqx
-bkmztlnLO/2e2Fmk3G5Vvnui0FYisf8Eq19tUTQCF6lSfJlGQeFAT119wkFZhLu+
-FfLGqoEMH0ijJg/8PpdpFRK3I94YcISoTNN6yxMvE6xdDGfKCt5a+IX5bwQi9Zdc
-B242gEc6tQKBgA6tM8n7KFlAIZU9HuWgk2AUC8kKutFPmSD7tgAqXDYI4FNfugs+
-MEEYyHCB4UNujJBV4Ss6YZCAkh6eyD4U2aca1eElCfm40vBVMdzvpqZdAqLtWXxg
-D9l3mgszrFaYGCY2Fr6jLV9lP5g3xsxUjudf9jSLY9HvpfzjRrMaNATVAoGBALTl
-/vYfPMucwKlC5B7++J0e4/7iv6vUu9SyHocdZh1anb9AjPDKjXLIlZT4RhQ8R0XK
-0wOw5JpttU2uN08TKkbLNk3/vYhbKVjPLjrQSseh8sjDLgsqw1QwIxYnniLVakVY
-p+rvjSNrNyqicQCMKQavwgocvSd5lJRTMwxOMezlAoGBAKWj71BX+0CK00/2S6lC
-TcNcuUPG0d8y1czZ4q6tUlG4htwq1FMOpaghATXjkdsOGTLS+H1aA0Kt7Ai9zDhc
-/bzOJEJ+jvBXV4Gcs7jl1r/HTKv0tT9ZSI5Vzkida0rfqxDGzcMVlLuCdH0cb8Iu
-N0wdmCAqlQwHR13+F1zrAD7V
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDb/d4EDhYbrHMt
+8zrFxbLDFOFvVGntcBbd7BB33892hZcR7wElaUt/JiLV2ssxywPLCEuQqZbhWn3V
+Hg8CSKWOOsH9lpQwMsnWuLd3BfhG9cbtyuxTdBYVYIE6t/lXYVNFDab8f8rIH/qt
+VkA2xTjsepMVI+JSbaPs/fDH/C0d5gL6qY0bvNlOMBg9jF8qKh3SXK1NKZv6Hnjq
+XGff5U8RdkBBmUu8+eb/nwmdcatS/sHbKhx/kyEqQsk6sbEfaF/AohJ9qPaCk5Wb
+g9RViIPMJKmrV8+/BtTEi907bvGmvH6asY4Uzp/ZQIQ5zfnDwVKZiJHbJBOcQkql
+tJAPq3WNAgMBAAECggEBAIvJDUjQVpXxByL8eazviT5SR0jBf6mC3tTWykQRb7ck
+/bBEiRrnhDRf3CS9KP4TvO5G8BUU3a2GHYzM08akuKXeiiODidfyfbQ1nUZBAdi9
+FVFF7tK8YcflkVfpTMOMMSggm6m33fc58sQvmQ/0U85XuJvnOEkeJ9pQJa49e8GR
+lpCQImF7ygltHPEz4o8qOtNMuPxiHOxpc517+ozQULZk153NTfGok1XctDFFZ3YX
+8okLSfcqZ28mdHYSvI9xf60Cm7cT9tunXHwZ0f1esTFiVYpAp+oTJqtdYxr/fYlL
+oO8G8iIQ7LjdJfgo84PscpKdSRCq3BfnmER1Eyg6hrUCgYEA/0hL5Y/haz/2jYGy
+aa8yZSuD1ZcWtj7pLKrBQnHPHIHsjSBggWhopvonCFvCjgSS1pOFOUAwMGc0T+Dw
+rWo3w8cEUyECl3Bw8gbCWtRXaigzU9TPgCWyx1j5dTopQhLObzS/m7fJFElnYNru
+jqhsUfWS+NKk8a5+A7i9lv4iBLMCgYEA3Jws3Lfj/Xs7LljrvryTMpPthvUGBcyt
+U9Qmf1Hmur90RP5V1rx4FqPQzIeaGQyZDNIUnkhBSqQZNCts3Rzay7N4uQzk8OEg
+S8Llnw76wLwi0SJ4okDtT5tpTR6fcS0M9lGN+zvvfUB4+ul8oub0pMcyme/pywEz
+ap+x3xAQPL8CgYEAiYOBVtTNof9fqdRurh1w8SyipKDx3BRBeQ02c7tozLt0GIWT
+VsJOdXwVIJyFTglKrAnlXvSjwL8nX8wU+eVYyr5fJwSGJ9urC8T2VwVBXW7wTz04
+1Zf5GQdlwW8mIHCPATqR6Kj0yVfNN1BX50L0rqWxmRWnQoUzXn/aqQaWfp8CgYAW
+9693/zEeR8EejyVkAy/z+RCml0XcPrXg31pusPErihkpwazgIVkDSmTHlmqFpxkc
+C5cX73/UrIbvNoIr9wAUawfrhBsltNpu6MiNKbsTa8LYMRWMFuReAFkTLVf+KWmL
+D2yPtmq1iIvP25UdRJw9t3teKWsWtnZK6HtVNM/r8wKBgQDKlqUpy8r4KK+S2w80
+H7rAQJo1DgXsYrgSa2gfppSKro4lm3ltyAfVIrKQKP7uCo9xTGKVQAUPttMs2+17
+nwbwvt7/nG7G1Dk/C/t6b7SJ80VY5b9ZZKIJ0wOjajLufSjPNCe0ZTRn32XusZUn
+nYGB5/QXYr5WGV9YhAkRsFJYgA==
 -----END PRIVATE KEY-----
diff --git a/plugins/tests/check_curl.t b/plugins/tests/check_curl.t
index 29cb03f..aa72ef6 100755
--- a/plugins/tests/check_curl.t
+++ b/plugins/tests/check_curl.t
@@ -228,23 +228,25 @@ SKIP: {
         skip "HTTP::Daemon::SSL not installed", $common_tests + $ssl_only_tests if ! exists $servers->{https};
         run_common_tests( { command => "$command -p $port_https", ssl => 1 } );
 
+        my $expiry = "Thu Nov 28 21:02:11 2030 +0000";
+
         $result = NPTest->testCmd( "$command -p $port_https -S -C 14" );
         is( $result->return_code, 0, "$command -p $port_https -S -C 14" );
-        is( $result->output, "OK - Certificate 'Monitoring Plugins' will expire on Fri Feb 16 15:31:44 2029 +0000.", "output ok" );
+        is( $result->output, "OK - Certificate 'Monitoring Plugins' will expire on $expiry.", "output ok" );
 
         $result = NPTest->testCmd( "$command -p $port_https -S -C 14000" );
         is( $result->return_code, 1, "$command -p $port_https -S -C 14000" );
-        like( $result->output, '/WARNING - Certificate \'Monitoring Plugins\' expires in \d+ day\(s\) \(Fri Feb 16 15:31:44 2029 \+0000\)./', "output ok" );
+        like( $result->output, '/WARNING - Certificate \'Monitoring Plugins\' expires in \d+ day\(s\) \(' . quotemeta($expiry) . '\)./', "output ok" );
 
         # Expired cert tests
         $result = NPTest->testCmd( "$command -p $port_https -S -C 13960,14000" );
         is( $result->return_code, 2, "$command -p $port_https -S -C 13960,14000" );
-        like( $result->output, '/CRITICAL - Certificate \'Monitoring Plugins\' expires in \d+ day\(s\) \(Fri Feb 16 15:31:44 2029 \+0000\)./', "output ok" );
+        like( $result->output, '/CRITICAL - Certificate \'Monitoring Plugins\' expires in \d+ day\(s\) \(' . quotemeta($expiry) . '\)./', "output ok" );
 
         $result = NPTest->testCmd( "$command -p $port_https_expired -S -C 7" );
         is( $result->return_code, 2, "$command -p $port_https_expired -S -C 7" );
         is( $result->output,
-                'CRITICAL - Certificate \'Monitoring Plugins\' expired on Wed Jan  2 11:00:26 2008 +0000.',
+                'CRITICAL - Certificate \'Monitoring Plugins\' expired on Wed Jan  2 12:00:00 2008 +0000.',
                 "output ok" );
 
 }
diff --git a/plugins/tests/check_http.t b/plugins/tests/check_http.t
index 188f5e7..ea11b2a 100755
--- a/plugins/tests/check_http.t
+++ b/plugins/tests/check_http.t
@@ -3,16 +3,7 @@
 # Test check_http by having an actual HTTP server running
 #
 # To create the https server certificate:
-# openssl req -new -x509 -keyout server-key.pem -out server-cert.pem -days 3650 -nodes
-# to create a new expired certificate:
-# faketime '2008-01-01 12:00:00' openssl req -new -x509 -keyout expired-key.pem -out expired-cert.pem -days 1 -nodes
-# Country Name (2 letter code) [AU]:DE
-# State or Province Name (full name) [Some-State]:Bavaria
-# Locality Name (eg, city) []:Munich
-# Organization Name (eg, company) [Internet Widgits Pty Ltd]:Monitoring Plugins
-# Organizational Unit Name (eg, section) []:
-# Common Name (e.g. server FQDN or YOUR name) []:Monitoring Plugins
-# Email Address []:devel@monitoring-plugins.org
+# ./certs/generate-certs.sh
 
 use strict;
 use Test::More;
@@ -23,7 +14,7 @@ $ENV{'LC_TIME'} = "C";
 
 my $common_tests = 70;
 my $virtual_port_tests = 8;
-my $ssl_only_tests = 8;
+my $ssl_only_tests = 12;
 # Check that all dependent modules are available
 eval "use HTTP::Daemon 6.01;";
 plan skip_all => 'HTTP::Daemon >= 6.01 required' if $@;
@@ -59,61 +50,87 @@ $HTTP::Daemon::VERSION = "1.00";
 my $port_http = 50000 + int(rand(1000));
 my $port_https = $port_http + 1;
 my $port_https_expired = $port_http + 2;
+my $port_https_clientcert = $port_http + 3;
 
 # This array keeps sockets around for implementing timeouts
 my @persist;
 
 # Start up all servers
 my @pids;
-my $pid = fork();
-if ($pid) {
-        # Parent
-        push @pids, $pid;
-        if (exists $servers->{https}) {
-                # Fork a normal HTTPS server
-                $pid = fork();
-                if ($pid) {
-                        # Parent
-                        push @pids, $pid;
-                        # Fork an expired cert server
-                        $pid = fork();
-                        if ($pid) {
-                                push @pids, $pid;
-                        } else {
-                                my $d = HTTP::Daemon::SSL->new(
-                                        LocalPort => $port_https_expired,
-                                        LocalAddr => "127.0.0.1",
-                                        SSL_cert_file => "$Bin/certs/expired-cert.pem",
-                                        SSL_key_file => "$Bin/certs/expired-key.pem",
-                                ) || die;
-                                print "Please contact https expired at: <URL:", $d->url, ">\n";
-                                run_server( $d );
-                                exit;
-                        }
-                } else {
-                        # closing the connection after -C cert checks make the daemon exit with a sigpipe otherwise
-                        local $SIG{'PIPE'} = 'IGNORE';
-                        my $d = HTTP::Daemon::SSL->new(
-                                LocalPort => $port_https,
-                                LocalAddr => "127.0.0.1",
-                                SSL_cert_file => "$Bin/certs/server-cert.pem",
-                                SSL_key_file => "$Bin/certs/server-key.pem",
-                        ) || die;
-                        print "Please contact https at: <URL:", $d->url, ">\n";
-                        run_server( $d );
-                        exit;
-                }
-        }
-} else {
-        # Child
-        #print "child\n";
+# Fork a HTTP server
+my $pid = fork;
+defined $pid or die "Failed to fork";
+if (!$pid) {
+        undef @pids;
         my $d = HTTP::Daemon->new(
                 LocalPort => $port_http,
                 LocalAddr => "127.0.0.1",
         ) || die;
         print "Please contact http at: <URL:", $d->url, ">\n";
         run_server( $d );
-        exit;
+        die "webserver stopped";
+}
+push @pids, $pid;
+
+if (exists $servers->{https}) {
+        # Fork a normal HTTPS server
+        $pid = fork;
+        defined $pid or die "Failed to fork";
+        if (!$pid) {
+                undef @pids;
+                # closing the connection after -C cert checks make the daemon exit with a sigpipe otherwise
+                local $SIG{'PIPE'} = 'IGNORE';
+                my $d = HTTP::Daemon::SSL->new(
+                        LocalPort => $port_https,
+                        LocalAddr => "127.0.0.1",
+                        SSL_cert_file => "$Bin/certs/server-cert.pem",
+                        SSL_key_file => "$Bin/certs/server-key.pem",
+                ) || die;
+                print "Please contact https at: <URL:", $d->url, ">\n";
+                run_server( $d );
+                die "webserver stopped";
+        }
+        push @pids, $pid;
+
+        # Fork an expired cert server
+        $pid = fork;
+        defined $pid or die "Failed to fork";
+        if (!$pid) {
+                undef @pids;
+                # closing the connection after -C cert checks make the daemon exit with a sigpipe otherwise
+                local $SIG{'PIPE'} = 'IGNORE';
+                my $d = HTTP::Daemon::SSL->new(
+                        LocalPort => $port_https_expired,
+                        LocalAddr => "127.0.0.1",
+                        SSL_cert_file => "$Bin/certs/expired-cert.pem",
+                        SSL_key_file => "$Bin/certs/expired-key.pem",
+                ) || die;
+                print "Please contact https expired at: <URL:", $d->url, ">\n";
+                run_server( $d );
+                die "webserver stopped";
+        }
+        push @pids, $pid;
+
+        # Fork an client cert expecting server
+        $pid = fork;
+        defined $pid or die "Failed to fork";
+        if (!$pid) {
+                undef @pids;
+                # closing the connection after -C cert checks make the daemon exit with a sigpipe otherwise
+                local $SIG{'PIPE'} = 'IGNORE';
+                my $d = HTTP::Daemon::SSL->new(
+                        LocalPort => $port_https_clientcert,
+                        LocalAddr => "127.0.0.1",
+                        SSL_cert_file => "$Bin/certs/server-cert.pem",
+                        SSL_key_file => "$Bin/certs/server-key.pem",
+                        SSL_verify_mode => IO::Socket::SSL->SSL_VERIFY_PEER | IO::Socket::SSL->SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+                        SSL_ca_file => "$Bin/certs/clientca-cert.pem",
+                ) || die;
+                print "Please contact https client cert at: <URL:", $d->url, ">\n";
+                run_server( $d );
+                die "webserver stopped";
+        }
+        push @pids, $pid;
 }
 
 # give our webservers some time to startup
@@ -122,60 +139,62 @@ sleep(3);
 # Run the same server on http and https
 sub run_server {
         my $d = shift;
-        MAINLOOP: while (my $c = $d->accept ) {
-                while (my $r = $c->get_request) {
-                        if ($r->method eq "GET" and $r->url->path =~ m^/statuscode/(\d+)^) {
-                                $c->send_basic_header($1);
-                                $c->send_crlf;
-                        } elsif ($r->method eq "GET" and $r->url->path =~ m^/file/(.*)^) {
-                                $c->send_basic_header;
-                                $c->send_crlf;
-                                $c->send_file_response("$Bin/var/$1");
-                        } elsif ($r->method eq "GET" and $r->url->path eq "/slow") {
-                                $c->send_basic_header;
-                                $c->send_crlf;
-                                sleep 1;
-                                $c->send_response("slow");
-                        } elsif ($r->url->path eq "/method") {
-                                if ($r->method eq "DELETE") {
-                                        $c->send_error(HTTP::Status->RC_METHOD_NOT_ALLOWED);
-                                } elsif ($r->method eq "foo") {
-                                        $c->send_error(HTTP::Status->RC_NOT_IMPLEMENTED);
+        while (1) {
+                MAINLOOP: while (my $c = $d->accept) {
+                        while (my $r = $c->get_request) {
+                                if ($r->method eq "GET" and $r->url->path =~ m^/statuscode/(\d+)^) {
+                                        $c->send_basic_header($1);
+                                        $c->send_crlf;
+                                } elsif ($r->method eq "GET" and $r->url->path =~ m^/file/(.*)^) {
+                                        $c->send_basic_header;
+                                        $c->send_crlf;
+                                        $c->send_file_response("$Bin/var/$1");
+                                } elsif ($r->method eq "GET" and $r->url->path eq "/slow") {
+                                        $c->send_basic_header;
+                                        $c->send_crlf;
+                                        sleep 1;
+                                        $c->send_response("slow");
+                                } elsif ($r->url->path eq "/method") {
+                                        if ($r->method eq "DELETE") {
+                                                $c->send_error(HTTP::Status->RC_METHOD_NOT_ALLOWED);
+                                        } elsif ($r->method eq "foo") {
+                                                $c->send_error(HTTP::Status->RC_NOT_IMPLEMENTED);
+                                        } else {
+                                                $c->send_status_line(200, $r->method);
+                                        }
+                                } elsif ($r->url->path eq "/postdata") {
+                                        $c->send_basic_header;
+                                        $c->send_crlf;
+                                        $c->send_response($r->method.":".$r->content);
+                                } elsif ($r->url->path eq "/redirect") {
+                                        $c->send_redirect( "/redirect2" );
+                                } elsif ($r->url->path eq "/redir_external") {
+                                        $c->send_redirect(($d->isa('HTTP::Daemon::SSL') ? "https" : "http") . "://169.254.169.254/redirect2" );
+                                } elsif ($r->url->path eq "/redirect2") {
+                                        $c->send_basic_header;
+                                        $c->send_crlf;
+                                        $c->send_response(HTTP::Response->new( 200, 'OK', undef, 'redirected' ));
+                                } elsif ($r->url->path eq "/redir_timeout") {
+                                        $c->send_redirect( "/timeout" );
+                                } elsif ($r->url->path eq "/timeout") {
+                                        # Keep $c from being destroyed, but prevent severe leaks
+                                        unshift @persist, $c;
+                                        delete($persist[1000]);
+                                        next MAINLOOP;
+                                } elsif ($r->url->path eq "/header_check") {
+                                        $c->send_basic_header;
+                                        $c->send_header('foo');
+                                        $c->send_crlf;
+                                } elsif ($r->url->path eq "/virtual_port") {
+                                        # return sent Host header
+                                        $c->send_basic_header;
+                                        $c->send_crlf;
+                                        $c->send_response(HTTP::Response->new( 200, 'OK', undef, $r->header ('Host')));
                                 } else {
-                                        $c->send_status_line(200, $r->method);
+                                        $c->send_error(HTTP::Status->RC_FORBIDDEN);
                                 }
-                        } elsif ($r->url->path eq "/postdata") {
-                                $c->send_basic_header;
-                                $c->send_crlf;
-                                $c->send_response($r->method.":".$r->content);
-                        } elsif ($r->url->path eq "/redirect") {
-                                $c->send_redirect( "/redirect2" );
-                        } elsif ($r->url->path eq "/redir_external") {
-                                $c->send_redirect(($d->isa('HTTP::Daemon::SSL') ? "https" : "http") . "://169.254.169.254/redirect2" );
-                        } elsif ($r->url->path eq "/redirect2") {
-                                $c->send_basic_header;
-                                $c->send_crlf;
-                                $c->send_response(HTTP::Response->new( 200, 'OK', undef, 'redirected' ));
-                        } elsif ($r->url->path eq "/redir_timeout") {
-                                $c->send_redirect( "/timeout" );
-                        } elsif ($r->url->path eq "/timeout") {
-                                # Keep $c from being destroyed, but prevent severe leaks
-                                unshift @persist, $c;
-                                delete($persist[1000]);
-                                next MAINLOOP;
-                        } elsif ($r->url->path eq "/header_check") {
-                                $c->send_basic_header;
-                                $c->send_header('foo');
-                                $c->send_crlf;
-                        } elsif ($r->url->path eq "/virtual_port") {
-                                # return sent Host header
-                                $c->send_basic_header;
-                                $c->send_crlf;
-                                $c->send_response(HTTP::Response->new( 200, 'OK', undef, $r->header ('Host')));
-                        } else {
-                                $c->send_error(HTTP::Status->RC_FORBIDDEN);
+                                $c->close;
                         }
-                        $c->close;
                 }
         }
 }
@@ -200,25 +219,44 @@ SKIP: {
         skip "HTTP::Daemon::SSL not installed", $common_tests + $ssl_only_tests if ! exists $servers->{https};
         run_common_tests( { command => "$command -p $port_https", ssl => 1 } );
 
+        my $expiry = "Thu Nov 28 21:02:11 2030 +0000";
+
         $result = NPTest->testCmd( "$command -p $port_https -S -C 14" );
         is( $result->return_code, 0, "$command -p $port_https -S -C 14" );
-        is( $result->output, "OK - Certificate 'Monitoring Plugins' will expire on Fri Feb 16 15:31:44 2029 +0000.", "output ok" );
+        is( $result->output, "OK - Certificate 'Monitoring Plugins' will expire on $expiry.", "output ok" );
 
         $result = NPTest->testCmd( "$command -p $port_https -S -C 14000" );
         is( $result->return_code, 1, "$command -p $port_https -S -C 14000" );
-        like( $result->output, '/WARNING - Certificate \'Monitoring Plugins\' expires in \d+ day\(s\) \(Fri Feb 16 15:31:44 2029 \+0000\)./', "output ok" );
+        like( $result->output, '/WARNING - Certificate \'Monitoring Plugins\' expires in \d+ day\(s\) \(' . quotemeta($expiry) . '\)./', "output ok" );
 
         # Expired cert tests
         $result = NPTest->testCmd( "$command -p $port_https -S -C 13960,14000" );
         is( $result->return_code, 2, "$command -p $port_https -S -C 13960,14000" );
-        like( $result->output, '/CRITICAL - Certificate \'Monitoring Plugins\' expires in \d+ day\(s\) \(Fri Feb 16 15:31:44 2029 \+0000\)./', "output ok" );
+        like( $result->output, '/CRITICAL - Certificate \'Monitoring Plugins\' expires in \d+ day\(s\) \(' . quotemeta($expiry) . '\)./', "output ok" );
 
         $result = NPTest->testCmd( "$command -p $port_https_expired -S -C 7" );
         is( $result->return_code, 2, "$command -p $port_https_expired -S -C 7" );
         is( $result->output,
-                'CRITICAL - Certificate \'Monitoring Plugins\' expired on Wed Jan  2 11:00:26 2008 +0000.',
+                'CRITICAL - Certificate \'Monitoring Plugins\' expired on Wed Jan  2 12:00:00 2008 +0000.',
                 "output ok" );
 
+        # client cert tests
+        my $cmd;
+        $cmd = "$command -p $port_https_clientcert"
+                . " -J \"$Bin/certs/client-cert.pem\""
+                . " -K \"$Bin/certs/client-key.pem\""
+                . " -u /statuscode/200";
+        $result = NPTest->testCmd($cmd);
+        is( $result->return_code, 0, $cmd);
+        like( $result->output, '/^HTTP OK: HTTP/1.1 200 OK - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+
+        $cmd = "$command -p $port_https_clientcert"
+                . " -J \"$Bin/certs/clientchain-cert.pem\""
+                . " -K \"$Bin/certs/clientchain-key.pem\""
+                . " -u /statuscode/200";
+        $result = NPTest->testCmd($cmd);
+        is( $result->return_code, 0, $cmd);
+        like( $result->output, '/^HTTP OK: HTTP/1.1 200 OK - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
 }
 
 my $cmd;