1 files changed, 87 insertions, 21 deletions
diff --git a/plugins/check_http.c b/plugins/check_http.c
index 5167997..2038f4a 100644
--- a/plugins/check_http.c
+++ b/plugins/check_http.c
@@ -267,11 +267,11 @@ process_arguments (int argc, char **argv)
      break;
    case 'h': /* help */
      print_help ();
-      exit (STATE_OK);
+      exit (STATE_UNKNOWN);
      break;
    case 'V': /* version */
      print_revision (progname, NP_VERSION);
-      exit (STATE_OK);
+      exit (STATE_UNKNOWN);
      break;
    case 't': /* timeout period */
      if (!is_intnonneg (optarg))
@@ -343,9 +343,20 @@ process_arguments (int argc, char **argv)
         parameters, like -S and -C combinations */
      use_ssl = TRUE;
      if (c=='S' && optarg != NULL) {
-        ssl_version = atoi(optarg);
+        int got_plus = strchr(optarg, '+') != NULL;
-        if (ssl_version < 1 || ssl_version > 3)
-            usage4 (_("Invalid option - Valid values for SSL Version are 1 (TLSv1), 2 (SSLv2) or 3 (SSLv3)"));
+        if (!strncmp (optarg, "1.2", 3))
+          ssl_version = got_plus ? MP_TLSv1_2_OR_NEWER : MP_TLSv1_2;
+        else if (!strncmp (optarg, "1.1", 3))
+          ssl_version = got_plus ? MP_TLSv1_1_OR_NEWER : MP_TLSv1_1;
+        else if (optarg[0] == '1')
+          ssl_version = got_plus ? MP_TLSv1_OR_NEWER : MP_TLSv1;
+        else if (optarg[0] == '3')
+          ssl_version = got_plus ? MP_SSLv3_OR_NEWER : MP_SSLv3;
+        else if (optarg[0] == '2')
+          ssl_version = got_plus ? MP_SSLv2_OR_NEWER : MP_SSLv2;
+        else
+          usage4 (_("Invalid option - Valid SSL/TLS versions: 2, 3, 1, 1.1, 1.2 (with optional '+' suffix)"));
      }
      if (specify_port == FALSE)
        server_port = HTTPS_PORT;
@@ -869,17 +880,42 @@ check_http (void)
  double elapsed_time_transfer = 0.0;
  int page_len = 0;
  int result = STATE_OK;
+  char *force_host_header = NULL;
  /* try to connect to the host at the given port number */
  gettimeofday (&tv_temp, NULL);
  if (my_tcp_connect (server_address, server_port, &sd) != STATE_OK)
    die (STATE_CRITICAL, _("HTTP CRITICAL - Unable to open TCP socket\n"));
  microsec_connect = deltime (tv_temp);
+    /* if we are called with the -I option, the -j method is CONNECT and */
+    /* we received -S for SSL, then we tunnel the request through a proxy*/
+    /* @20100414, public[at]frank4dd.com, http://www.frank4dd.com/howto  */
+    if ( server_address != NULL && strcmp(http_method, "CONNECT") == 0
+      && host_name != NULL && use_ssl == TRUE) {
+    if (verbose) printf ("Entering CONNECT tunnel mode with proxy %s:%d to dst %s:%d\n", server_address, server_port, host_name, HTTPS_PORT);
+    asprintf (&buf, "%s %s:%d HTTP/1.1\r\n%s\r\n", http_method, host_name, HTTPS_PORT, user_agent);
+    asprintf (&buf, "%sProxy-Connection: keep-alive\r\n", buf);
+    asprintf (&buf, "%sHost: %s\r\n", buf, host_name);
+    /* we finished our request, send empty line with CRLF */
+    asprintf (&buf, "%s%s", buf, CRLF);
+    if (verbose) printf ("%s\n", buf);
+    send(sd, buf, strlen (buf), 0);
+    buf[0]='\0';
+    if (verbose) printf ("Receive response from proxy\n");
+    read (sd, buffer, MAX_INPUT_BUFFER-1);
+    if (verbose) printf ("%s", buffer);
+    /* Here we should check if we got HTTP/1.1 200 Connection established */
+  }
 #ifdef HAVE_SSL
  elapsed_time_connect = (double)microsec_connect / 1.0e6;
  if (use_ssl == TRUE) {
    gettimeofday (&tv_temp, NULL);
    result = np_net_ssl_init_with_hostname_version_and_cert(sd, (use_sni ? host_name : NULL), ssl_version, client_cert, client_privkey);
+    if (verbose) printf ("SSL initialized\n");
    if (result != STATE_OK)
      die (STATE_CRITICAL, NULL);
    microsec_ssl = deltime (tv_temp);
@@ -893,29 +929,51 @@ check_http (void)
  }
 #endif /* HAVE_SSL */
-  xasprintf (&buf, "%s %s %s\r\n%s\r\n", http_method, server_url, host_name ? "HTTP/1.1" : "HTTP/1.0", user_agent);
+  if ( server_address != NULL && strcmp(http_method, "CONNECT") == 0
+       && host_name != NULL && use_ssl == TRUE)
+    asprintf (&buf, "%s %s %s\r\n%s\r\n", "GET", server_url, host_name ? "HTTP/1.1" : "HTTP/1.0", user_agent);
+  else
+    asprintf (&buf, "%s %s %s\r\n%s\r\n", http_method, server_url, host_name ? "HTTP/1.1" : "HTTP/1.0", user_agent);
  /* tell HTTP/1.1 servers not to keep the connection alive */
  xasprintf (&buf, "%sConnection: close\r\n", buf);
+  /* check if Host header is explicitly set in options */
+  if (http_opt_headers_count) {
+    for (i = 0; i < http_opt_headers_count ; i++) {
+      if (strncmp(http_opt_headers[i], "Host:", 5) == 0) {
+        force_host_header = http_opt_headers[i];
+      }
+    }
+  }
  /* optionally send the host header info */
  if (host_name) {
-    /*
+    if (force_host_header) {
-     * Specify the port only if we're using a non-default port (see RFC 2616,
+      xasprintf (&buf, "%s%s\r\n", buf, force_host_header);
-     * 14.23).  Some server applications/configurations cause trouble if the
+    }
-     * (default) port is explicitly specified in the "Host:" header line.
+    else {
-     */
+      /*
-    if ((use_ssl == FALSE && server_port == HTTP_PORT) ||
+       * Specify the port only if we're using a non-default port (see RFC 2616,
-        (use_ssl == TRUE && server_port == HTTPS_PORT))
+       * 14.23).  Some server applications/configurations cause trouble if the
-      xasprintf (&buf, "%sHost: %s\r\n", buf, host_name);
+       * (default) port is explicitly specified in the "Host:" header line.
-    else
+       */
-      xasprintf (&buf, "%sHost: %s:%d\r\n", buf, host_name, server_port);
+      if ((use_ssl == FALSE && server_port == HTTP_PORT) ||
+          (use_ssl == TRUE && server_port == HTTPS_PORT) ||
+          (server_address != NULL && strcmp(http_method, "CONNECT") == 0
+         && host_name != NULL && use_ssl == TRUE))
+        xasprintf (&buf, "%sHost: %s\r\n", buf, host_name);
+      else
+        xasprintf (&buf, "%sHost: %s:%d\r\n", buf, host_name, server_port);
+    }
  }
  /* optionally send any other header tag */
  if (http_opt_headers_count) {
    for (i = 0; i < http_opt_headers_count ; i++) {
-      xasprintf (&buf, "%s%s\r\n", buf, http_opt_headers[i]);
+      if (force_host_header != http_opt_headers[i]) {
+        xasprintf (&buf, "%s%s\r\n", buf, http_opt_headers[i]);
+      }
    }
    /* This cannot be free'd here because a redirection will then try to access this and segfault */
    /* Covered in a testcase in tests/check_http.t */
@@ -1467,9 +1525,10 @@ print_help (void)
  printf (UT_IPv46);
 #ifdef HAVE_SSL
-  printf (" %s\n", "-S, --ssl=VERSION");
+  printf (" %s\n", "-S, --ssl=VERSION[+]");
  printf ("    %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and prevents"));
-  printf ("    %s\n", _("auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3)."));
+  printf ("    %s\n", _("auto-negotiation (2 = SSLv2, 3 = SSLv3, 1 = TLSv1, 1.1 = TLSv1.1,"));
+  printf ("    %s\n", _("1.2 = TLSv1.2). With a '+' suffix, newer versions are also accepted."));
  printf (" %s\n", "--sni");
  printf ("    %s\n", _("Enable SSL/TLS hostname extension support (SNI)"));
  printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]");
@@ -1496,7 +1555,7 @@ print_help (void)
  printf ("    %s\n", _("URL to GET or POST (default: /)"));
  printf (" %s\n", "-P, --post=STRING");
  printf ("    %s\n", _("URL encoded http POST data"));
-  printf (" %s\n", "-j, --method=STRING  (for example: HEAD, OPTIONS, TRACE, PUT, DELETE)");
+  printf (" %s\n", "-j, --method=STRING  (for example: HEAD, OPTIONS, TRACE, PUT, DELETE, CONNECT)");
  printf ("    %s\n", _("Set HTTP method."));
  printf (" %s\n", "-N, --no-body");
  printf ("    %s\n", _("Don't wait for document body: stop reading after headers."));
@@ -1570,7 +1629,7 @@ print_help (void)
  printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 14 days,"));
  printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than"));
  printf (" %s\n", _("14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when"));
-  printf (" %s\n", _("the certificate is expired."));
+  printf (" %s\n\n", _("the certificate is expired."));
  printf ("\n");
  printf (" %s\n\n", "CHECK CERTIFICATE: check_http -H www.verisign.com -C 30,14");
  printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 30 days,"));
@@ -1578,6 +1637,13 @@ print_help (void)
  printf (" %s\n", _("30 days, but more than 14 days, a STATE_WARNING is returned."));
  printf (" %s\n", _("A STATE_CRITICAL will be returned when certificate expires in less than 14 days"));
+  printf (" %s\n\n", "CHECK SSL WEBSERVER CONTENT VIA PROXY USING HTTP 1.1 CONNECT: ");
+  printf (" %s\n", _("check_http -I 192.168.100.35 -p 80 -u https://www.verisign.com/ -S -j CONNECT -H www.verisign.com "));
+  printf (" %s\n", _("all these options are needed: -I <proxy> -p <proxy-port> -u <check-url> -S(sl) -j CONNECT -H <webserver>"));
+  printf (" %s\n", _("a STATE_OK will be returned. When the server returns its content but exceeds"));
+  printf (" %s\n", _("the 5-second threshold, a STATE_WARNING will be returned. When an error occurs,"));
+  printf (" %s\n", _("a STATE_CRITICAL will be returned."));
 #endif
  printf (UT_SUPPORT);

diff --git a/plugins/check_http.c b/plugins/check_http.c index 5167997..2038f4a 100644 --- a/plugins/check_http.c +++ b/plugins/check_http.c
@@ -267,11 +267,11 @@ process_arguments (int argc, char **argv)
267	break;	267	break;
268	case 'h': /* help */	268	case 'h': /* help */
269	print_help ();	269	print_help ();
270	exit (STATE_OK);	270	exit (STATE_UNKNOWN);
271	break;	271	break;
272	case 'V': /* version */	272	case 'V': /* version */
273	print_revision (progname, NP_VERSION);	273	print_revision (progname, NP_VERSION);
274	exit (STATE_OK);	274	exit (STATE_UNKNOWN);
275	break;	275	break;
276	case 't': /* timeout period */	276	case 't': /* timeout period */
277	if (!is_intnonneg (optarg))	277	if (!is_intnonneg (optarg))
@@ -343,9 +343,20 @@ process_arguments (int argc, char **argv)
343	parameters, like -S and -C combinations */	343	parameters, like -S and -C combinations */
344	use_ssl = TRUE;	344	use_ssl = TRUE;
345	if (c=='S' && optarg != NULL) {	345	if (c=='S' && optarg != NULL) {
346	ssl_version = atoi(optarg);	346	int got_plus = strchr(optarg, '+') != NULL;
347	if (ssl_version < 1 \|\| ssl_version > 3)	347
348	usage4 (_("Invalid option - Valid values for SSL Version are 1 (TLSv1), 2 (SSLv2) or 3 (SSLv3)"));	348	if (!strncmp (optarg, "1.2", 3))
		349	ssl_version = got_plus ? MP_TLSv1_2_OR_NEWER : MP_TLSv1_2;
		350	else if (!strncmp (optarg, "1.1", 3))
		351	ssl_version = got_plus ? MP_TLSv1_1_OR_NEWER : MP_TLSv1_1;
		352	else if (optarg[0] == '1')
		353	ssl_version = got_plus ? MP_TLSv1_OR_NEWER : MP_TLSv1;
		354	else if (optarg[0] == '3')
		355	ssl_version = got_plus ? MP_SSLv3_OR_NEWER : MP_SSLv3;
		356	else if (optarg[0] == '2')
		357	ssl_version = got_plus ? MP_SSLv2_OR_NEWER : MP_SSLv2;
		358	else
		359	usage4 (_("Invalid option - Valid SSL/TLS versions: 2, 3, 1, 1.1, 1.2 (with optional '+' suffix)"));
349	}	360	}
350	if (specify_port == FALSE)	361	if (specify_port == FALSE)
351	server_port = HTTPS_PORT;	362	server_port = HTTPS_PORT;
@@ -869,17 +880,42 @@ check_http (void)
869	double elapsed_time_transfer = 0.0;	880	double elapsed_time_transfer = 0.0;
870	int page_len = 0;	881	int page_len = 0;
871	int result = STATE_OK;	882	int result = STATE_OK;
		883	char *force_host_header = NULL;
872		884
873	/* try to connect to the host at the given port number */	885	/* try to connect to the host at the given port number */
874	gettimeofday (&tv_temp, NULL);	886	gettimeofday (&tv_temp, NULL);
875	if (my_tcp_connect (server_address, server_port, &sd) != STATE_OK)	887	if (my_tcp_connect (server_address, server_port, &sd) != STATE_OK)
876	die (STATE_CRITICAL, _("HTTP CRITICAL - Unable to open TCP socket\n"));	888	die (STATE_CRITICAL, _("HTTP CRITICAL - Unable to open TCP socket\n"));
877	microsec_connect = deltime (tv_temp);	889	microsec_connect = deltime (tv_temp);
		890
		891	/* if we are called with the -I option, the -j method is CONNECT and */
		892	/* we received -S for SSL, then we tunnel the request through a proxy*/
		893	/* @20100414, public[at]frank4dd.com, http://www.frank4dd.com/howto */
		894
		895	if ( server_address != NULL && strcmp(http_method, "CONNECT") == 0
		896	&& host_name != NULL && use_ssl == TRUE) {
		897
		898	if (verbose) printf ("Entering CONNECT tunnel mode with proxy %s:%d to dst %s:%d\n", server_address, server_port, host_name, HTTPS_PORT);
		899	asprintf (&buf, "%s %s:%d HTTP/1.1\r\n%s\r\n", http_method, host_name, HTTPS_PORT, user_agent);
		900	asprintf (&buf, "%sProxy-Connection: keep-alive\r\n", buf);
		901	asprintf (&buf, "%sHost: %s\r\n", buf, host_name);
		902	/* we finished our request, send empty line with CRLF */
		903	asprintf (&buf, "%s%s", buf, CRLF);
		904	if (verbose) printf ("%s\n", buf);
		905	send(sd, buf, strlen (buf), 0);
		906	buf[0]='\0';
		907
		908	if (verbose) printf ("Receive response from proxy\n");
		909	read (sd, buffer, MAX_INPUT_BUFFER-1);
		910	if (verbose) printf ("%s", buffer);
		911	/* Here we should check if we got HTTP/1.1 200 Connection established */
		912	}
878	#ifdef HAVE_SSL	913	#ifdef HAVE_SSL
879	elapsed_time_connect = (double)microsec_connect / 1.0e6;	914	elapsed_time_connect = (double)microsec_connect / 1.0e6;
880	if (use_ssl == TRUE) {	915	if (use_ssl == TRUE) {
881	gettimeofday (&tv_temp, NULL);	916	gettimeofday (&tv_temp, NULL);
882	result = np_net_ssl_init_with_hostname_version_and_cert(sd, (use_sni ? host_name : NULL), ssl_version, client_cert, client_privkey);	917	result = np_net_ssl_init_with_hostname_version_and_cert(sd, (use_sni ? host_name : NULL), ssl_version, client_cert, client_privkey);
		918	if (verbose) printf ("SSL initialized\n");
883	if (result != STATE_OK)	919	if (result != STATE_OK)
884	die (STATE_CRITICAL, NULL);	920	die (STATE_CRITICAL, NULL);
885	microsec_ssl = deltime (tv_temp);	921	microsec_ssl = deltime (tv_temp);
@@ -893,29 +929,51 @@ check_http (void)
893	}	929	}
894	#endif /* HAVE_SSL */	930	#endif /* HAVE_SSL */
895		931
896	xasprintf (&buf, "%s %s %s\r\n%s\r\n", http_method, server_url, host_name ? "HTTP/1.1" : "HTTP/1.0", user_agent);	932	if ( server_address != NULL && strcmp(http_method, "CONNECT") == 0
		933	&& host_name != NULL && use_ssl == TRUE)
		934	asprintf (&buf, "%s %s %s\r\n%s\r\n", "GET", server_url, host_name ? "HTTP/1.1" : "HTTP/1.0", user_agent);
		935	else
		936	asprintf (&buf, "%s %s %s\r\n%s\r\n", http_method, server_url, host_name ? "HTTP/1.1" : "HTTP/1.0", user_agent);
897		937
898	/* tell HTTP/1.1 servers not to keep the connection alive */	938	/* tell HTTP/1.1 servers not to keep the connection alive */
899	xasprintf (&buf, "%sConnection: close\r\n", buf);	939	xasprintf (&buf, "%sConnection: close\r\n", buf);
900		940
		941	/* check if Host header is explicitly set in options */
		942	if (http_opt_headers_count) {
		943	for (i = 0; i < http_opt_headers_count ; i++) {
		944	if (strncmp(http_opt_headers[i], "Host:", 5) == 0) {
		945	force_host_header = http_opt_headers[i];
		946	}
		947	}
		948	}
		949
901	/* optionally send the host header info */	950	/* optionally send the host header info */
902	if (host_name) {	951	if (host_name) {
903	/*	952	if (force_host_header) {
904	* Specify the port only if we're using a non-default port (see RFC 2616,	953	xasprintf (&buf, "%s%s\r\n", buf, force_host_header);
905	* 14.23). Some server applications/configurations cause trouble if the	954	}
906	* (default) port is explicitly specified in the "Host:" header line.	955	else {
907	*/	956	/*
908	if ((use_ssl == FALSE && server_port == HTTP_PORT) \|\|	957	* Specify the port only if we're using a non-default port (see RFC 2616,
909	(use_ssl == TRUE && server_port == HTTPS_PORT))	958	* 14.23). Some server applications/configurations cause trouble if the
910	xasprintf (&buf, "%sHost: %s\r\n", buf, host_name);	959	* (default) port is explicitly specified in the "Host:" header line.
911	else	960	*/
912	xasprintf (&buf, "%sHost: %s:%d\r\n", buf, host_name, server_port);	961	if ((use_ssl == FALSE && server_port == HTTP_PORT) \|\|
		962	(use_ssl == TRUE && server_port == HTTPS_PORT) \|\|
		963	(server_address != NULL && strcmp(http_method, "CONNECT") == 0
		964	&& host_name != NULL && use_ssl == TRUE))
		965	xasprintf (&buf, "%sHost: %s\r\n", buf, host_name);
		966	else
		967	xasprintf (&buf, "%sHost: %s:%d\r\n", buf, host_name, server_port);
		968	}
913	}	969	}
914		970
915	/* optionally send any other header tag */	971	/* optionally send any other header tag */
916	if (http_opt_headers_count) {	972	if (http_opt_headers_count) {
917	for (i = 0; i < http_opt_headers_count ; i++) {	973	for (i = 0; i < http_opt_headers_count ; i++) {
918	xasprintf (&buf, "%s%s\r\n", buf, http_opt_headers[i]);	974	if (force_host_header != http_opt_headers[i]) {
		975	xasprintf (&buf, "%s%s\r\n", buf, http_opt_headers[i]);
		976	}
919	}	977	}
920	/* This cannot be free'd here because a redirection will then try to access this and segfault */	978	/* This cannot be free'd here because a redirection will then try to access this and segfault */
921	/* Covered in a testcase in tests/check_http.t */	979	/* Covered in a testcase in tests/check_http.t */
@@ -1467,9 +1525,10 @@ print_help (void)
1467	printf (UT_IPv46);	1525	printf (UT_IPv46);
1468		1526
1469	#ifdef HAVE_SSL	1527	#ifdef HAVE_SSL
1470	printf (" %s\n", "-S, --ssl=VERSION");	1528	printf (" %s\n", "-S, --ssl=VERSION[+]");
1471	printf (" %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and prevents"));	1529	printf (" %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and prevents"));
1472	printf (" %s\n", _("auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3)."));	1530	printf (" %s\n", _("auto-negotiation (2 = SSLv2, 3 = SSLv3, 1 = TLSv1, 1.1 = TLSv1.1,"));
		1531	printf (" %s\n", _("1.2 = TLSv1.2). With a '+' suffix, newer versions are also accepted."));
1473	printf (" %s\n", "--sni");	1532	printf (" %s\n", "--sni");
1474	printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)"));	1533	printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)"));
1475	printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]");	1534	printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]");
@@ -1496,7 +1555,7 @@ print_help (void)
1496	printf (" %s\n", _("URL to GET or POST (default: /)"));	1555	printf (" %s\n", _("URL to GET or POST (default: /)"));
1497	printf (" %s\n", "-P, --post=STRING");	1556	printf (" %s\n", "-P, --post=STRING");
1498	printf (" %s\n", _("URL encoded http POST data"));	1557	printf (" %s\n", _("URL encoded http POST data"));
1499	printf (" %s\n", "-j, --method=STRING (for example: HEAD, OPTIONS, TRACE, PUT, DELETE)");	1558	printf (" %s\n", "-j, --method=STRING (for example: HEAD, OPTIONS, TRACE, PUT, DELETE, CONNECT)");
1500	printf (" %s\n", _("Set HTTP method."));	1559	printf (" %s\n", _("Set HTTP method."));
1501	printf (" %s\n", "-N, --no-body");	1560	printf (" %s\n", "-N, --no-body");
1502	printf (" %s\n", _("Don't wait for document body: stop reading after headers."));	1561	printf (" %s\n", _("Don't wait for document body: stop reading after headers."));
@@ -1570,7 +1629,7 @@ print_help (void)
1570	printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 14 days,"));	1629	printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 14 days,"));
1571	printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than"));	1630	printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than"));
1572	printf (" %s\n", _("14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when"));	1631	printf (" %s\n", _("14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when"));
1573	printf (" %s\n", _("the certificate is expired."));	1632	printf (" %s\n\n", _("the certificate is expired."));
1574	printf ("\n");	1633	printf ("\n");
1575	printf (" %s\n\n", "CHECK CERTIFICATE: check_http -H www.verisign.com -C 30,14");	1634	printf (" %s\n\n", "CHECK CERTIFICATE: check_http -H www.verisign.com -C 30,14");
1576	printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 30 days,"));	1635	printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 30 days,"));
@@ -1578,6 +1637,13 @@ print_help (void)
1578	printf (" %s\n", _("30 days, but more than 14 days, a STATE_WARNING is returned."));	1637	printf (" %s\n", _("30 days, but more than 14 days, a STATE_WARNING is returned."));
1579	printf (" %s\n", _("A STATE_CRITICAL will be returned when certificate expires in less than 14 days"));	1638	printf (" %s\n", _("A STATE_CRITICAL will be returned when certificate expires in less than 14 days"));
1580		1639
		1640	printf (" %s\n\n", "CHECK SSL WEBSERVER CONTENT VIA PROXY USING HTTP 1.1 CONNECT: ");
		1641	printf (" %s\n", _("check_http -I 192.168.100.35 -p 80 -u https://www.verisign.com/ -S -j CONNECT -H www.verisign.com "));
		1642	printf (" %s\n", _("all these options are needed: -I <proxy> -p <proxy-port> -u <check-url> -S(sl) -j CONNECT -H <webserver>"));
		1643	printf (" %s\n", _("a STATE_OK will be returned. When the server returns its content but exceeds"));
		1644	printf (" %s\n", _("the 5-second threshold, a STATE_WARNING will be returned. When an error occurs,"));
		1645	printf (" %s\n", _("a STATE_CRITICAL will be returned."));
		1646
1581	#endif	1647	#endif
1582		1648
1583	printf (UT_SUPPORT);	1649	printf (UT_SUPPORT);