49 files changed, 4378 insertions, 563 deletions

diff --git a/plugins/Makefile.am b/plugins/Makefile.am
index 0ddf9bd..3fde54d 100644
--- a/plugins/Makefile.am
+++ b/plugins/Makefile.am
@@ -38,7 +38,9 @@ check_tcp_programs = check_ftp check_imap check_nntp check_pop \
 EXTRA_PROGRAMS = check_mysql check_radius check_pgsql check_snmp check_hpjd \
         check_swap check_fping check_ldap check_game check_dig \
         check_nagios check_by_ssh check_dns check_nt check_ide_smart    \
-        check_procs check_mysql_query check_apt check_dbi
+        check_procs check_mysql_query check_apt check_dbi check_curl
+
+SUBDIRS = picohttpparser
 
 EXTRA_DIST = t tests
 
@@ -69,6 +71,9 @@ test-debug:
 
 check_apt_LDADD = $(BASEOBJS)
 check_cluster_LDADD = $(BASEOBJS)
+check_curl_CFLAGS = $(AM_CFLAGS) $(LIBCURLCFLAGS) $(URIPARSERCFLAGS) $(LIBCURLINCLUDE) $(URIPARSERINCLUDE) -Ipicohttpparser
+check_curl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCURLCFLAGS) $(URIPARSERCFLAGS) $(LIBCURLINCLUDE) $(URIPARSERINCLUDE) -Ipicohttpparser
+check_curl_LDADD = $(NETLIBS) $(LIBCURLLIBS) $(SSLOBJS) $(URIPARSERLIBS) picohttpparser/libpicohttpparser.a
 check_dbi_LDADD = $(NETLIBS) $(DBILIBS)
 check_dig_LDADD = $(NETLIBS)
 check_disk_LDADD = $(BASEOBJS)
@@ -89,7 +94,7 @@ check_mysql_query_CFLAGS = $(AM_CFLAGS) $(MYSQLCFLAGS)
 check_mysql_query_CPPFLAGS = $(AM_CPPFLAGS) $(MYSQLINCLUDE)
 check_mysql_query_LDADD = $(NETLIBS) $(MYSQLLIBS)
 check_nagios_LDADD = $(BASEOBJS)
-check_nt_LDADD = $(NETLIBS) 
+check_nt_LDADD = $(NETLIBS)
 check_ntp_LDADD = $(NETLIBS) $(MATHLIBS)
 check_ntp_peer_LDADD = $(NETLIBS) $(MATHLIBS)
 check_nwstat_LDADD = $(NETLIBS)
diff --git a/plugins/check_apt.c b/plugins/check_apt.c
index b69680c..d7be575 100644
--- a/plugins/check_apt.c
+++ b/plugins/check_apt.c
@@ -86,6 +86,8 @@ static char *do_include = NULL;  /* regexp to only include certain packages */
 static char *do_exclude = NULL;  /* regexp to only exclude certain packages */
 static char *do_critical = NULL;  /* regexp specifying critical packages */
 static char *input_filename = NULL; /* input filename for testing */
+/* number of packages available for upgrade to return WARNING status */
+static int packages_warning = 1;
 
 /* other global variables */
 static int stderr_warning = 0;   /* if a cmd issued output on stderr */
@@ -117,7 +119,7 @@ int main (int argc, char **argv) {
 
         if(sec_count > 0){
                 result = max_state(result, STATE_CRITICAL);
-        } else if(packages_available > 0 && only_critical == 0){
+        } else if(packages_available >= packages_warning && only_critical == 0){
                 result = max_state(result, STATE_WARNING);
         } else if(result > STATE_UNKNOWN){
                 result = STATE_UNKNOWN;
@@ -170,11 +172,12 @@ int process_arguments (int argc, char **argv) {
                 {"critical", required_argument, 0, 'c'},
                 {"only-critical", no_argument, 0, 'o'},
                 {"input-file", required_argument, 0, INPUT_FILE_OPT},
+                {"packages-warning", required_argument, 0, 'w'},
                 {0, 0, 0, 0}
         };
 
         while(1) {
-                c = getopt_long(argc, argv, "hVvt:u::U::d::nli:e:c:o", longopts, NULL);
+                c = getopt_long(argc, argv, "hVvt:u::U::d::nli:e:c:ow:", longopts, NULL);
 
                 if(c == -1 || c == EOF || c == 1) break;
 
@@ -233,6 +236,9 @@ int process_arguments (int argc, char **argv) {
                 case INPUT_FILE_OPT:
                         input_filename = optarg;
                         break;
+                case 'w':
+                        packages_warning = atoi(optarg);
+                        break;
                 default:
                         /* print short usage statement if args not parsable */
                         usage5();
@@ -530,7 +536,10 @@ print_help (void)
   printf (" %s\n", "-o, --only-critical");
   printf ("    %s\n", _("Only warn about upgrades matching the critical list.  The total number"));
   printf ("    %s\n", _("of upgrades will be printed, but any non-critical upgrades will not cause"));
-  printf ("    %s\n\n", _("the plugin to return WARNING status."));
+  printf ("    %s\n", _("the plugin to return WARNING status."));
+  printf (" %s\n", "-w, --packages-warning");
+  printf ("    %s\n", _("Minumum number of packages available for upgrade to return WARNING status."));
+  printf ("    %s\n\n", _("Default is 1 package."));
 
   printf ("%s\n\n", _("The following options require root privileges and should be used with care:"));
   printf (" %s\n", "-u, --update=OPTS");
@@ -548,5 +557,5 @@ void
 print_usage(void)
 {
   printf ("%s\n", _("Usage:"));
-  printf ("%s [[-d|-u|-U]opts] [-n] [-l] [-t timeout]\n", progname);
+  printf ("%s [[-d|-u|-U]opts] [-n] [-l] [-t timeout] [-w packages-warning]\n", progname);
 }
diff --git a/plugins/check_cluster.c b/plugins/check_cluster.c
index b86e501..e1ede9f 100644
--- a/plugins/check_cluster.c
+++ b/plugins/check_cluster.c
@@ -143,6 +143,7 @@ int main(int argc, char **argv){
 
 int process_arguments(int argc, char **argv){
         int c;
+        char *ptr;
         int option=0;
         static struct option longopts[]={
                 {"data",     required_argument,0,'d'},
@@ -188,6 +189,15 @@ int process_arguments(int argc, char **argv){
 
                 case 'd': /* data values */
                         data_vals=(char *)strdup(optarg);
+                        /* validate data */
+                        for (ptr=data_vals;ptr!=NULL;ptr+=2){
+                                if (ptr[0]<'0' || ptr[0]>'3')
+                                        return ERROR;
+                                if (ptr[1]=='\0')
+                                        break;
+                                if (ptr[1]!=',')
+                                        return ERROR;
+                        }
                         break;
 
                 case 'l': /* text label */
diff --git a/plugins/check_curl.c b/plugins/check_curl.c
new file mode 100644
index 0000000..2d69b31
--- /dev/null
+++ b/plugins/check_curl.c
@@ -0,0 +1,2335 @@
+/*****************************************************************************
+*
+* Monitoring check_curl plugin
+*
+* License: GPL
+* Copyright (c) 1999-2019 Monitoring Plugins Development Team
+*
+* Description:
+*
+* This file contains the check_curl plugin
+*
+* This plugin tests the HTTP service on the specified host. It can test
+* normal (http) and secure (https) servers, follow redirects, search for
+* strings and regular expressions, check connection times, and report on
+* certificate expiration times.
+*
+* This plugin uses functions from the curl library, see
+* http://curl.haxx.se
+*
+* This program is free software: you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation, either version 3 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*
+*
+*****************************************************************************/
+const char *progname = "check_curl";
+
+const char *copyright = "2006-2019";
+const char *email = "devel@monitoring-plugins.org";
+
+#include <ctype.h>
+
+#include "common.h"
+#include "utils.h"
+
+#ifndef LIBCURL_PROTOCOL_HTTP
+#error libcurl compiled without HTTP support, compiling check_curl plugin does not makes a lot of sense
+#endif
+
+#include "curl/curl.h"
+#include "curl/easy.h"
+
+#include "picohttpparser.h"
+
+#include "uriparser/Uri.h"
+
+#include <arpa/inet.h>
+
+#define MAKE_LIBCURL_VERSION(major, minor, patch) ((major)*0x10000 + (minor)*0x100 + (patch))
+
+#define DEFAULT_BUFFER_SIZE 2048
+#define DEFAULT_SERVER_URL "/"
+#define HTTP_EXPECT "HTTP/"
+#define DEFAULT_MAX_REDIRS 15
+#define INET_ADDR_MAX_SIZE INET6_ADDRSTRLEN
+enum {
+  MAX_IPV4_HOSTLENGTH = 255,
+  HTTP_PORT = 80,
+  HTTPS_PORT = 443,
+  MAX_PORT = 65535
+};
+
+enum {
+  STICKY_NONE = 0,
+  STICKY_HOST = 1,
+  STICKY_PORT = 2
+};
+
+enum {
+  FOLLOW_HTTP_CURL = 0,
+  FOLLOW_LIBCURL = 1
+};
+
+/* for buffers for header and body */
+typedef struct {
+  char *buf;
+  size_t buflen;
+  size_t bufsize;
+} curlhelp_write_curlbuf;
+
+/* for buffering the data sent in PUT */
+typedef struct {
+  char *buf;
+  size_t buflen;
+  off_t pos;
+} curlhelp_read_curlbuf;
+
+/* for parsing the HTTP status line */
+typedef struct {
+  int http_major;   /* major version of the protocol, always 1 (HTTP/0.9
+                     * never reached the big internet most likely) */
+  int http_minor;   /* minor version of the protocol, usually 0 or 1 */
+  int http_code;    /* HTTP return code as in RFC 2145 */
+  int http_subcode; /* Microsoft IIS extension, HTTP subcodes, see
+                     * http://support.microsoft.com/kb/318380/en-us */
+  const char *msg;  /* the human readable message */
+  char *first_line; /* a copy of the first line */
+} curlhelp_statusline;
+
+/* to know the underlying SSL library used by libcurl */
+typedef enum curlhelp_ssl_library {
+  CURLHELP_SSL_LIBRARY_UNKNOWN,
+  CURLHELP_SSL_LIBRARY_OPENSSL,
+  CURLHELP_SSL_LIBRARY_LIBRESSL,
+  CURLHELP_SSL_LIBRARY_GNUTLS,
+  CURLHELP_SSL_LIBRARY_NSS
+} curlhelp_ssl_library;
+
+enum {
+  REGS = 2,
+  MAX_RE_SIZE = 256
+};
+#include "regex.h"
+regex_t preg;
+regmatch_t pmatch[REGS];
+char regexp[MAX_RE_SIZE];
+int cflags = REG_NOSUB | REG_EXTENDED | REG_NEWLINE;
+int errcode;
+int invert_regex = 0;
+
+char *server_address = NULL;
+char *host_name = NULL;
+char *server_url = 0;
+char server_ip[DEFAULT_BUFFER_SIZE];
+struct curl_slist *server_ips = NULL;
+int specify_port = FALSE;
+unsigned short server_port = HTTP_PORT;
+unsigned short virtual_port = 0;
+int host_name_length;
+char output_header_search[30] = "";
+char output_string_search[30] = "";
+char *warning_thresholds = NULL;
+char *critical_thresholds = NULL;
+int days_till_exp_warn, days_till_exp_crit;
+thresholds *thlds;
+char user_agent[DEFAULT_BUFFER_SIZE];
+int verbose = 0;
+int show_extended_perfdata = FALSE;
+int min_page_len = 0;
+int max_page_len = 0;
+int redir_depth = 0;
+int max_depth = DEFAULT_MAX_REDIRS;
+char *http_method = NULL;
+char *http_post_data = NULL;
+char *http_content_type = NULL;
+CURL *curl;
+struct curl_slist *header_list = NULL;
+curlhelp_write_curlbuf body_buf;
+curlhelp_write_curlbuf header_buf;
+curlhelp_statusline status_line;
+curlhelp_read_curlbuf put_buf;
+char http_header[DEFAULT_BUFFER_SIZE];
+long code;
+long socket_timeout = DEFAULT_SOCKET_TIMEOUT;
+double total_time;
+double time_connect;
+double time_appconnect;
+double time_headers;
+double time_firstbyte;
+char errbuf[CURL_ERROR_SIZE+1];
+CURLcode res;
+char url[DEFAULT_BUFFER_SIZE];
+char msg[DEFAULT_BUFFER_SIZE];
+char perfstring[DEFAULT_BUFFER_SIZE];
+char header_expect[MAX_INPUT_BUFFER] = "";
+char string_expect[MAX_INPUT_BUFFER] = "";
+char server_expect[MAX_INPUT_BUFFER] = HTTP_EXPECT;
+int server_expect_yn = 0;
+char user_auth[MAX_INPUT_BUFFER] = "";
+char proxy_auth[MAX_INPUT_BUFFER] = "";
+char **http_opt_headers;
+int http_opt_headers_count = 0;
+int display_html = FALSE;
+int onredirect = STATE_OK;
+int followmethod = FOLLOW_HTTP_CURL;
+int followsticky = STICKY_NONE;
+int use_ssl = FALSE;
+int use_sni = TRUE;
+int check_cert = FALSE;
+typedef union {
+  struct curl_slist* to_info;
+  struct curl_certinfo* to_certinfo;
+} cert_ptr_union;
+cert_ptr_union cert_ptr;
+int ssl_version = CURL_SSLVERSION_DEFAULT;
+char *client_cert = NULL;
+char *client_privkey = NULL;
+char *ca_cert = NULL;
+int is_openssl_callback = FALSE;
+#if defined(HAVE_SSL) && defined(USE_OPENSSL)
+X509 *cert = NULL;
+#endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */
+int no_body = FALSE;
+int maximum_age = -1;
+int address_family = AF_UNSPEC;
+curlhelp_ssl_library ssl_library = CURLHELP_SSL_LIBRARY_UNKNOWN;
+int curl_http_version = CURL_HTTP_VERSION_NONE;
+
+int process_arguments (int, char**);
+void handle_curl_option_return_code (CURLcode res, const char* option);
+int check_http (void);
+void redir (curlhelp_write_curlbuf*);
+char *perfd_time (double microsec);
+char *perfd_time_connect (double microsec);
+char *perfd_time_ssl (double microsec);
+char *perfd_time_firstbyte (double microsec);
+char *perfd_time_headers (double microsec);
+char *perfd_time_transfer (double microsec);
+char *perfd_size (int page_len);
+void print_help (void);
+void print_usage (void);
+void print_curl_version (void);
+int curlhelp_initwritebuffer (curlhelp_write_curlbuf*);
+int curlhelp_buffer_write_callback (void*, size_t , size_t , void*);
+void curlhelp_freewritebuffer (curlhelp_write_curlbuf*);
+int curlhelp_initreadbuffer (curlhelp_read_curlbuf *, const char *, size_t);
+int curlhelp_buffer_read_callback (void *, size_t , size_t , void *);
+void curlhelp_freereadbuffer (curlhelp_read_curlbuf *);
+curlhelp_ssl_library curlhelp_get_ssl_library (CURL*);
+const char* curlhelp_get_ssl_library_string (curlhelp_ssl_library);
+int net_noopenssl_check_certificate (cert_ptr_union*, int, int);
+
+int curlhelp_parse_statusline (const char*, curlhelp_statusline *);
+void curlhelp_free_statusline (curlhelp_statusline *);
+char *get_header_value (const struct phr_header* headers, const size_t nof_headers, const char* header);
+int check_document_dates (const curlhelp_write_curlbuf *, char (*msg)[DEFAULT_BUFFER_SIZE]);
+int get_content_length (const curlhelp_write_curlbuf* header_buf, const curlhelp_write_curlbuf* body_buf);
+
+#if defined(HAVE_SSL) && defined(USE_OPENSSL)
+int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit);
+#endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */
+
+void remove_newlines (char *);
+void test_file (char *);
+
+int
+main (int argc, char **argv)
+{
+  int result = STATE_UNKNOWN;
+
+  setlocale (LC_ALL, "");
+  bindtextdomain (PACKAGE, LOCALEDIR);
+  textdomain (PACKAGE);
+
+  /* Parse extra opts if any */
+  argv = np_extra_opts (&argc, argv, progname);
+
+  /* set defaults */
+  snprintf( user_agent, DEFAULT_BUFFER_SIZE, "%s/v%s (monitoring-plugins %s, %s)",
+    progname, NP_VERSION, VERSION, curl_version());
+
+  /* parse arguments */
+  if (process_arguments (argc, argv) == ERROR)
+    usage4 (_("Could not parse arguments"));
+
+  if (display_html == TRUE)
+    printf ("<A HREF=\"%s://%s:%d%s\" target=\"_blank\">",
+      use_ssl ? "https" : "http",
+      host_name ? host_name : server_address,
+      virtual_port ? virtual_port : server_port,
+      server_url);
+
+  result = check_http ();
+  return result;
+}
+
+#ifdef HAVE_SSL
+#ifdef USE_OPENSSL
+
+int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
+{
+  /* TODO: we get all certificates of the chain, so which ones
+   * should we test?
+   * TODO: is the last certificate always the server certificate?
+   */
+  cert = X509_STORE_CTX_get_current_cert(x509_ctx);
+  return 1;
+}
+
+CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm)
+{
+  SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, verify_callback);
+
+  return CURLE_OK;
+}
+
+#endif /* USE_OPENSSL */
+#endif /* HAVE_SSL */
+
+/* Checks if the server 'reply' is one of the expected 'statuscodes' */
+static int
+expected_statuscode (const char *reply, const char *statuscodes)
+{
+  char *expected, *code;
+  int result = 0;
+
+  if ((expected = strdup (statuscodes)) == NULL)
+    die (STATE_UNKNOWN, _("HTTP UNKNOWN - Memory allocation error\n"));
+
+  for (code = strtok (expected, ","); code != NULL; code = strtok (NULL, ","))
+    if (strstr (reply, code) != NULL) {
+      result = 1;
+      break;
+    }
+
+  free (expected);
+  return result;
+}
+
+void
+handle_curl_option_return_code (CURLcode res, const char* option)
+{
+  if (res != CURLE_OK) {
+    snprintf (msg, DEFAULT_BUFFER_SIZE, _("Error while setting cURL option '%s': cURL returned %d - %s"),
+      option, res, curl_easy_strerror(res));
+    die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
+  }
+}
+
+int
+check_http (void)
+{
+  int result = STATE_OK;
+  int page_len = 0;
+  int i;
+  char *force_host_header = NULL;
+
+  /* initialize curl */
+  if (curl_global_init (CURL_GLOBAL_DEFAULT) != CURLE_OK)
+    die (STATE_UNKNOWN, "HTTP UNKNOWN - curl_global_init failed\n");
+
+  if ((curl = curl_easy_init()) == NULL)
+    die (STATE_UNKNOWN, "HTTP UNKNOWN - curl_easy_init failed\n");
+
+  if (verbose >= 1)
+    handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_VERBOSE, TRUE), "CURLOPT_VERBOSE");
+
+  /* print everything on stdout like check_http would do */
+  handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_STDERR, stdout), "CURLOPT_STDERR");
+
+  /* initialize buffer for body of the answer */
+  if (curlhelp_initwritebuffer(&body_buf) < 0)
+    die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for body\n");
+  handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_WRITEFUNCTION, (curl_write_callback)curlhelp_buffer_write_callback), "CURLOPT_WRITEFUNCTION");
+  handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_WRITEDATA, (void *)&body_buf), "CURLOPT_WRITEDATA");
+
+  /* initialize buffer for header of the answer */
+  if (curlhelp_initwritebuffer( &header_buf ) < 0)
+    die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for header\n" );
+  handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_HEADERFUNCTION, (curl_write_callback)curlhelp_buffer_write_callback), "CURLOPT_HEADERFUNCTION");
+  handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_WRITEHEADER, (void *)&header_buf), "CURLOPT_WRITEHEADER");
+
+  /* set the error buffer */
+  handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_ERRORBUFFER, errbuf), "CURLOPT_ERRORBUFFER");
+
+  /* set timeouts */
+  handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CONNECTTIMEOUT, socket_timeout), "CURLOPT_CONNECTTIMEOUT");
+  handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_TIMEOUT, socket_timeout), "CURLOPT_TIMEOUT");
+
+  // fill dns resolve cache to make curl connect to the given server_address instead of the host_name, only required for ssl, because we use the host_name later on to make SNI happy
+  if(use_ssl && host_name != NULL) {
+      struct curl_slist *host = NULL;
+      char dnscache[DEFAULT_BUFFER_SIZE];
+      snprintf (dnscache, DEFAULT_BUFFER_SIZE, "%s:%d:%s", host_name, server_port, server_address);
+      host = curl_slist_append(NULL, dnscache);
+      curl_easy_setopt(curl, CURLOPT_RESOLVE, host);
+      if (verbose>=1)
+        printf ("* curl CURLOPT_RESOLVE: %s\n", dnscache);
+  }
+
+  /* compose URL: use the address we want to connect to, set Host: header later */
+  snprintf (url, DEFAULT_BUFFER_SIZE, "%s://%s:%d%s",
+      use_ssl ? "https" : "http",
+      use_ssl & host_name != NULL ? host_name : server_address,
+      server_port,
+      server_url
+  );
+
+  if (verbose>=1)
+    printf ("* curl CURLOPT_URL: %s\n", url);
+  handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_URL, url), "CURLOPT_URL");
+
+  /* extract proxy information for legacy proxy https requests */
+  if (!strcmp(http_method, "CONNECT") || strstr(server_url, "http") == server_url) {
+    handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_PROXY, server_address), "CURLOPT_PROXY");
+    handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_PROXYPORT, (long)server_port), "CURLOPT_PROXYPORT");
+    if (verbose>=2)
+      printf ("* curl CURLOPT_PROXY: %s:%d\n", server_address, server_port);
+    http_method = "GET";
+    handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_URL, server_url), "CURLOPT_URL");
+  }
+
+  /* disable body for HEAD request */
+  if (http_method && !strcmp (http_method, "HEAD" )) {
+    no_body = TRUE;
+  }
+
+  /* set HTTP protocol version */
+  handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_HTTP_VERSION, curl_http_version), "CURLOPT_HTTP_VERSION");
+
+  /* set HTTP method */
+  if (http_method) {
+    if (!strcmp(http_method, "POST"))
+      handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_POST, 1), "CURLOPT_POST");
+    else if (!strcmp(http_method, "PUT"))
+      handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_UPLOAD, 1), "CURLOPT_UPLOAD");
+    else
+      handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CUSTOMREQUEST, http_method), "CURLOPT_CUSTOMREQUEST");
+  }
+
+  /* check if Host header is explicitly set in options */
+  if (http_opt_headers_count) {
+    for (i = 0; i < http_opt_headers_count ; i++) {
+      if (strncmp(http_opt_headers[i], "Host:", 5) == 0) {
+        force_host_header = http_opt_headers[i];
+      }
+    }
+  }
+
+  /* set hostname (virtual hosts), not needed if CURLOPT_CONNECT_TO is used, but left in anyway */
+  if(host_name != NULL && force_host_header == NULL) {
+    if((virtual_port != HTTP_PORT && !use_ssl) || (virtual_port != HTTPS_PORT && use_ssl)) {
+      snprintf(http_header, DEFAULT_BUFFER_SIZE, "Host: %s:%d", host_name, virtual_port);
+    } else {
+      snprintf(http_header, DEFAULT_BUFFER_SIZE, "Host: %s", host_name);
+    }
+    header_list = curl_slist_append (header_list, http_header);
+  }
+
+  /* always close connection, be nice to servers */
+  snprintf (http_header, DEFAULT_BUFFER_SIZE, "Connection: close");
+  header_list = curl_slist_append (header_list, http_header);
+
+  /* attach additional headers supplied by the user */
+  /* optionally send any other header tag */
+  if (http_opt_headers_count) {
+    for (i = 0; i < http_opt_headers_count ; i++) {
+      header_list = curl_slist_append (header_list, http_opt_headers[i]);
+    }
+    /* This cannot be free'd here because a redirection will then try to access this and segfault */
+    /* Covered in a testcase in tests/check_http.t */
+    /* free(http_opt_headers); */
+  }
+
+  /* set HTTP headers */
+  handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_HTTPHEADER, header_list ), "CURLOPT_HTTPHEADER");
+
+#ifdef LIBCURL_FEATURE_SSL
+
+  /* set SSL version, warn about unsecure or unsupported versions */
+  if (use_ssl) {
+    handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSLVERSION, ssl_version), "CURLOPT_SSLVERSION");
+  }
+
+  /* client certificate and key to present to server (SSL) */
+  if (client_cert)
+    handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSLCERT, client_cert), "CURLOPT_SSLCERT");
+  if (client_privkey)
+    handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSLKEY, client_privkey), "CURLOPT_SSLKEY");
+  if (ca_cert) {
+    /* per default if we have a CA verify both the peer and the
+     * hostname in the certificate, can be switched off later */
+    handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CAINFO, ca_cert), "CURLOPT_CAINFO");
+    handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 1), "CURLOPT_SSL_VERIFYPEER");
+    handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2), "CURLOPT_SSL_VERIFYHOST");
+  } else {
+    /* backward-compatible behaviour, be tolerant in checks
+     * TODO: depending on more options have aspects we want
+     * to be less tolerant about ssl verfications
+     */
+    handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0), "CURLOPT_SSL_VERIFYPEER");
+    handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0), "CURLOPT_SSL_VERIFYHOST");
+  }
+
+  /* detect SSL library used by libcurl */
+  ssl_library = curlhelp_get_ssl_library (curl);
+
+  /* try hard to get a stack of certificates to verify against */
+  if (check_cert) {
+#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1)
+    /* inform curl to report back certificates */
+    switch (ssl_library) {
+      case CURLHELP_SSL_LIBRARY_OPENSSL:
+      case CURLHELP_SSL_LIBRARY_LIBRESSL:
+        /* set callback to extract certificate with OpenSSL context function (works with
+         * OpenSSL-style libraries only!) */
+#ifdef USE_OPENSSL
+        /* libcurl and monitoring plugins built with OpenSSL, good */
+        handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION");
+        is_openssl_callback = TRUE;
+#else /* USE_OPENSSL */
+#endif /* USE_OPENSSL */
+        /* libcurl is built with OpenSSL, monitoring plugins, so falling
+         * back to manually extracting certificate information */
+        handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CERTINFO, 1L), "CURLOPT_CERTINFO");
+        break;
+
+      case CURLHELP_SSL_LIBRARY_NSS:
+#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0)
+        /* NSS: support for CERTINFO is implemented since 7.34.0 */
+        handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CERTINFO, 1L), "CURLOPT_CERTINFO");
+#else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
+        die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (libcurl linked with SSL library '%s' is too old)\n", curlhelp_get_ssl_library_string (ssl_library));
+#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
+        break;
+
+      case CURLHELP_SSL_LIBRARY_GNUTLS:
+#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0)
+        /* GnuTLS: support for CERTINFO is implemented since 7.42.0 */
+        handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CERTINFO, 1L), "CURLOPT_CERTINFO");
+#else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0) */
+        die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (libcurl linked with SSL library '%s' is too old)\n", curlhelp_get_ssl_library_string (ssl_library));
+#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0) */
+        break;
+
+      case CURLHELP_SSL_LIBRARY_UNKNOWN:
+      default:
+        die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (unknown SSL library '%s', must implement first)\n", curlhelp_get_ssl_library_string (ssl_library));
+        break;
+    }
+#else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */
+    /* old libcurl, our only hope is OpenSSL, otherwise we are out of luck */
+    if (ssl_library == CURLHELP_SSL_LIBRARY_OPENSSL || ssl_library == CURLHELP_SSL_LIBRARY_LIBRESSL)
+      handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION");
+    else
+      die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (no CURLOPT_SSL_CTX_FUNCTION, no OpenSSL library or libcurl too old and has no CURLOPT_CERTINFO)\n");
+#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */
+  }
+
+#endif /* LIBCURL_FEATURE_SSL */
+
+  /* set default or user-given user agent identification */
+  handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_USERAGENT, user_agent), "CURLOPT_USERAGENT");
+
+  /* proxy-authentication */
+  if (strcmp(proxy_auth, ""))
+    handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_PROXYUSERPWD, proxy_auth), "CURLOPT_PROXYUSERPWD");
+
+  /* authentication */
+  if (strcmp(user_auth, ""))
+    handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_USERPWD, user_auth), "CURLOPT_USERPWD");
+
+  /* TODO: parameter auth method, bitfield of following methods:
+   * CURLAUTH_BASIC (default)
+   * CURLAUTH_DIGEST
+   * CURLAUTH_DIGEST_IE
+   * CURLAUTH_NEGOTIATE
+   * CURLAUTH_NTLM
+   * CURLAUTH_NTLM_WB
+   *
+   * convenience tokens for typical sets of methods:
+   * CURLAUTH_ANYSAFE: most secure, without BASIC
+   * or CURLAUTH_ANY: most secure, even BASIC if necessary
+   *
+   * handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_HTTPAUTH, (long)CURLAUTH_DIGEST ), "CURLOPT_HTTPAUTH");
+   */
+
+  /* handle redirections */
+  if (onredirect == STATE_DEPENDENT) {
+    if( followmethod == FOLLOW_LIBCURL ) {
+      handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_FOLLOWLOCATION, 1), "CURLOPT_FOLLOWLOCATION");
+
+      /* default -1 is infinite, not good, could lead to zombie plugins!
+         Setting it to one bigger than maximal limit to handle errors nicely below
+       */
+      handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_MAXREDIRS, max_depth+1), "CURLOPT_MAXREDIRS");
+
+      /* for now allow only http and https (we are a http(s) check plugin in the end) */
+#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 4)
+      handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS), "CURLOPT_REDIRECT_PROTOCOLS");
+#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 4) */
+
+      /* TODO: handle the following aspects of redirection, make them
+       * command line options too later:
+        CURLOPT_POSTREDIR: method switch
+        CURLINFO_REDIRECT_URL: custom redirect option
+        CURLOPT_REDIRECT_PROTOCOLS: allow people to step outside safe protocols
+        CURLINFO_REDIRECT_COUNT: get the number of redirects, print it, maybe a range option here is nice like for expected page size?
+      */
+    } else {
+      /* old style redirection is handled below */
+    }
+  }
+
+  /* no-body */
+  if (no_body)
+    handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_NOBODY, 1), "CURLOPT_NOBODY");
+
+  /* IPv4 or IPv6 forced DNS resolution */
+  if (address_family == AF_UNSPEC)
+    handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_WHATEVER), "CURLOPT_IPRESOLVE(CURL_IPRESOLVE_WHATEVER)");
+  else if (address_family == AF_INET)
+    handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4), "CURLOPT_IPRESOLVE(CURL_IPRESOLVE_V4)");
+#if defined (USE_IPV6) && defined (LIBCURL_FEATURE_IPV6)
+  else if (address_family == AF_INET6)
+    handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V6), "CURLOPT_IPRESOLVE(CURL_IPRESOLVE_V6)");
+#endif
+
+  /* either send http POST data (any data, not only POST)*/
+  if (!strcmp(http_method, "POST") ||!strcmp(http_method, "PUT")) {
+    /* set content of payload for POST and PUT */
+    if (http_content_type) {
+      snprintf (http_header, DEFAULT_BUFFER_SIZE, "Content-Type: %s", http_content_type);
+      header_list = curl_slist_append (header_list, http_header);
+    }
+    /* NULL indicates "HTTP Continue" in libcurl, provide an empty string
+     * in case of no POST/PUT data */
+    if (!http_post_data)
+      http_post_data = "";
+    if (!strcmp(http_method, "POST")) {
+      /* POST method, set payload with CURLOPT_POSTFIELDS */
+      handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_POSTFIELDS, http_post_data), "CURLOPT_POSTFIELDS");
+    } else if (!strcmp(http_method, "PUT")) {
+      handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_READFUNCTION, (curl_read_callback)curlhelp_buffer_read_callback), "CURLOPT_READFUNCTION");
+      curlhelp_initreadbuffer (&put_buf, http_post_data, strlen (http_post_data));
+      handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_READDATA, (void *)&put_buf), "CURLOPT_READDATA");
+      handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_INFILESIZE, (curl_off_t)strlen (http_post_data)), "CURLOPT_INFILESIZE");
+    }
+  }
+
+  /* do the request */
+  res = curl_easy_perform(curl);
+
+  if (verbose>=2 && http_post_data)
+    printf ("**** REQUEST CONTENT ****\n%s\n", http_post_data);
+
+  /* free header and server IP resolve lists, we don't need it anymore */
+  curl_slist_free_all (header_list); header_list = NULL;
+  curl_slist_free_all (server_ips); server_ips = NULL;
+
+  /* Curl errors, result in critical Nagios state */
+  if (res != CURLE_OK) {
+    snprintf (msg, DEFAULT_BUFFER_SIZE, _("Invalid HTTP response received from host on port %d: cURL returned %d - %s"),
+      server_port, res, curl_easy_strerror(res));
+    die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
+  }
+
+  /* certificate checks */
+#ifdef LIBCURL_FEATURE_SSL
+  if (use_ssl == TRUE) {
+    if (check_cert == TRUE) {
+      if (is_openssl_callback) {
+#ifdef USE_OPENSSL
+        /* check certificate with OpenSSL functions, curl has been built against OpenSSL
+         * and we actually have OpenSSL in the monitoring tools
+         */
+        result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
+        return result;
+#else /* USE_OPENSSL */
+        die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates - OpenSSL callback used and not linked against OpenSSL\n");
+#endif /* USE_OPENSSL */
+      } else {
+        int i;
+        struct curl_slist *slist;
+
+        cert_ptr.to_info = NULL;
+        res = curl_easy_getinfo (curl, CURLINFO_CERTINFO, &cert_ptr.to_info);
+        if (!res && cert_ptr.to_info) {
+#ifdef USE_OPENSSL
+          /* We have no OpenSSL in libcurl, but we can use OpenSSL for X509 cert parsing
+           * We only check the first certificate and assume it's the one of the server
+           */
+          const char* raw_cert = NULL;
+          for (i = 0; i < cert_ptr.to_certinfo->num_of_certs; i++) {
+            for (slist = cert_ptr.to_certinfo->certinfo[i]; slist; slist = slist->next) {
+              if (verbose >= 2)
+                printf ("%d ** %s\n", i, slist->data);
+              if (strncmp (slist->data, "Cert:", 5) == 0) {
+                raw_cert = &slist->data[5];
+                goto GOT_FIRST_CERT;
+              }
+            }
+          }
+GOT_FIRST_CERT:
+          if (!raw_cert) {
+            snprintf (msg, DEFAULT_BUFFER_SIZE, _("Cannot retrieve certificates from CERTINFO information - certificate data was empty"));
+            die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
+          }
+          BIO* cert_BIO = BIO_new (BIO_s_mem());
+          BIO_write (cert_BIO, raw_cert, strlen(raw_cert));
+          cert = PEM_read_bio_X509 (cert_BIO, NULL, NULL, NULL);
+          if (!cert) {
+            snprintf (msg, DEFAULT_BUFFER_SIZE, _("Cannot read certificate from CERTINFO information - BIO error"));
+            die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
+          }
+          BIO_free (cert_BIO);
+          result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
+          return result;
+#else /* USE_OPENSSL */
+          /* We assume we don't have OpenSSL and np_net_ssl_check_certificate at our disposal,
+           * so we use the libcurl CURLINFO data
+           */
+          result = net_noopenssl_check_certificate(&cert_ptr, days_till_exp_warn, days_till_exp_crit);
+          return result;
+#endif /* USE_OPENSSL */
+        } else {
+          snprintf (msg, DEFAULT_BUFFER_SIZE, _("Cannot retrieve certificates - cURL returned %d - %s"),
+            res, curl_easy_strerror(res));
+          die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
+        }
+      }
+    }
+  }
+#endif /* LIBCURL_FEATURE_SSL */
+
+  /* we got the data and we executed the request in a given time, so we can append
+   * performance data to the answer always
+   */
+  handle_curl_option_return_code (curl_easy_getinfo (curl, CURLINFO_TOTAL_TIME, &total_time), "CURLINFO_TOTAL_TIME");
+  page_len = get_content_length(&header_buf, &body_buf);
+  if(show_extended_perfdata) {
+    handle_curl_option_return_code (curl_easy_getinfo(curl, CURLINFO_CONNECT_TIME, &time_connect), "CURLINFO_CONNECT_TIME");
+    handle_curl_option_return_code (curl_easy_getinfo(curl, CURLINFO_APPCONNECT_TIME, &time_appconnect), "CURLINFO_APPCONNECT_TIME");
+    handle_curl_option_return_code (curl_easy_getinfo(curl, CURLINFO_PRETRANSFER_TIME, &time_headers), "CURLINFO_PRETRANSFER_TIME");
+    handle_curl_option_return_code (curl_easy_getinfo(curl, CURLINFO_STARTTRANSFER_TIME, &time_firstbyte), "CURLINFO_STARTTRANSFER_TIME");
+    snprintf(perfstring, DEFAULT_BUFFER_SIZE, "%s %s %s %s %s %s %s",
+      perfd_time(total_time),
+      perfd_size(page_len),
+      perfd_time_connect(time_connect),
+      use_ssl == TRUE ? perfd_time_ssl (time_appconnect-time_connect) : "",
+      perfd_time_headers(time_headers - time_appconnect),
+      perfd_time_firstbyte(time_firstbyte - time_headers),
+      perfd_time_transfer(total_time-time_firstbyte)
+    );
+  } else {
+    snprintf(perfstring, DEFAULT_BUFFER_SIZE, "%s %s",
+      perfd_time(total_time),
+      perfd_size(page_len)
+    );
+  }
+
+  /* return a CRITICAL status if we couldn't read any data */
+  if (strlen(header_buf.buf) == 0 && strlen(body_buf.buf) == 0)
+    die (STATE_CRITICAL, _("HTTP CRITICAL - No header received from host\n"));
+
+  /* get status line of answer, check sanity of HTTP code */
+  if (curlhelp_parse_statusline (header_buf.buf, &status_line) < 0) {
+    snprintf (msg, DEFAULT_BUFFER_SIZE, "Unparsable status line in %.3g seconds response time|%s\n",
+      total_time, perfstring);
+    die (STATE_CRITICAL, "HTTP CRITICAL HTTP/1.x %ld unknown - %s", code, msg);
+  }
+
+  /* get result code from cURL */
+  handle_curl_option_return_code (curl_easy_getinfo (curl, CURLINFO_RESPONSE_CODE, &code), "CURLINFO_RESPONSE_CODE");
+  if (verbose>=2)
+    printf ("* curl CURLINFO_RESPONSE_CODE is %ld\n", code);
+
+  /* print status line, header, body if verbose */
+  if (verbose >= 2) {
+    printf ("**** HEADER ****\n%s\n**** CONTENT ****\n%s\n", header_buf.buf,
+                (no_body ? "  [[ skipped ]]" : body_buf.buf));
+  }
+
+  /* make sure the status line matches the response we are looking for */
+  if (!expected_statuscode(status_line.first_line, server_expect)) {
+    if (server_port == HTTP_PORT)
+      snprintf(msg, DEFAULT_BUFFER_SIZE, _("Invalid HTTP response received from host: %s\n"), status_line.first_line);
+    else
+      snprintf(msg, DEFAULT_BUFFER_SIZE, _("Invalid HTTP response received from host on port %d: %s\n"), server_port, status_line.first_line);
+    die (STATE_CRITICAL, "HTTP CRITICAL - %s", msg);
+  }
+
+  if( server_expect_yn  )  {
+    snprintf(msg, DEFAULT_BUFFER_SIZE, _("Status line output matched \"%s\" - "), server_expect);
+    if (verbose)
+      printf ("%s\n",msg);
+    result = STATE_OK;
+  }
+  else {
+    /* illegal return codes result in a critical state */
+    if (code >= 600 || code < 100) {
+      die (STATE_CRITICAL, _("HTTP CRITICAL: Invalid Status (%d, %.40s)\n"), status_line.http_code, status_line.msg);
+    /* server errors result in a critical state */
+        } else if (code >= 500) {
+      result = STATE_CRITICAL;
+        /* client errors result in a warning state */
+    } else if (code >= 400) {
+      result = STATE_WARNING;
+    /* check redirected page if specified */
+    } else if (code >= 300) {
+      if (onredirect == STATE_DEPENDENT) {
+        if( followmethod == FOLLOW_LIBCURL ) {
+          code = status_line.http_code;
+        } else {
+          /* old check_http style redirection, if we come
+           * back here, we are in the same status as with
+           * the libcurl method
+           */
+          redir (&header_buf);
+        }
+      } else {
+        /* this is a specific code in the command line to
+         * be returned when a redirection is encoutered
+         */
+      }
+      result = max_state_alt (onredirect, result);
+    /* all other codes are considered ok */
+    } else {
+      result = STATE_OK;
+    }
+  }
+
+  /* libcurl redirection internally, handle error states here */
+  if( followmethod == FOLLOW_LIBCURL ) {
+    handle_curl_option_return_code (curl_easy_getinfo (curl, CURLINFO_REDIRECT_COUNT, &redir_depth), "CURLINFO_REDIRECT_COUNT");
+    if (verbose >= 2)
+      printf(_("* curl LIBINFO_REDIRECT_COUNT is %d\n"), redir_depth);
+    if (redir_depth > max_depth) {
+      snprintf (msg, DEFAULT_BUFFER_SIZE, "maximum redirection depth %d exceeded in libcurl",
+        max_depth);
+      die (STATE_WARNING, "HTTP WARNING - %s", msg);
+    }
+  }
+
+  /* check status codes, set exit status accordingly */
+  if( status_line.http_code != code ) {
+    die (STATE_CRITICAL, _("HTTP CRITICAL HTTP/%d.%d %d %s - different HTTP codes (cUrl has %ld)\n"),
+      status_line.http_major, status_line.http_minor,
+      status_line.http_code, status_line.msg, code);
+  }
+
+  if (maximum_age >= 0) {
+    result = max_state_alt(check_document_dates(&header_buf, &msg), result);
+  }
+
+  /* Page and Header content checks go here */
+
+  if (strlen (header_expect)) {
+    if (!strstr (header_buf.buf, header_expect)) {
+      strncpy(&output_header_search[0],header_expect,sizeof(output_header_search));
+      if(output_header_search[sizeof(output_header_search)-1]!='\0') {
+        bcopy("...",&output_header_search[sizeof(output_header_search)-4],4);
+      }
+      snprintf (msg, DEFAULT_BUFFER_SIZE, _("%sheader '%s' not found on '%s://%s:%d%s', "), msg, output_header_search, use_ssl ? "https" : "http", host_name ? host_name : server_address, server_port, server_url);
+      result = STATE_CRITICAL;
+    }
+  }
+
+  if (strlen (string_expect)) {
+    if (!strstr (body_buf.buf, string_expect)) {
+      strncpy(&output_string_search[0],string_expect,sizeof(output_string_search));
+      if(output_string_search[sizeof(output_string_search)-1]!='\0') {
+        bcopy("...",&output_string_search[sizeof(output_string_search)-4],4);
+      }
+      snprintf (msg, DEFAULT_BUFFER_SIZE, _("%sstring '%s' not found on '%s://%s:%d%s', "), msg, output_string_search, use_ssl ? "https" : "http", host_name ? host_name : server_address, server_port, server_url);
+      result = STATE_CRITICAL;
+    }
+  }
+
+  if (strlen (regexp)) {
+    errcode = regexec (&preg, body_buf.buf, REGS, pmatch, 0);
+    if ((errcode == 0 && invert_regex == 0) || (errcode == REG_NOMATCH && invert_regex == 1)) {
+      /* OK - No-op to avoid changing the logic around it */
+      result = max_state_alt(STATE_OK, result);
+    }
+    else if ((errcode == REG_NOMATCH && invert_regex == 0) || (errcode == 0 && invert_regex == 1)) {
+      if (invert_regex == 0)
+        snprintf (msg, DEFAULT_BUFFER_SIZE, _("%spattern not found, "), msg);
+      else
+        snprintf (msg, DEFAULT_BUFFER_SIZE, _("%spattern found, "), msg);
+      result = STATE_CRITICAL;
+    }
+    else {
+      regerror (errcode, &preg, errbuf, MAX_INPUT_BUFFER);
+      snprintf (msg, DEFAULT_BUFFER_SIZE, _("%sExecute Error: %s, "), msg, errbuf);
+      result = STATE_UNKNOWN;
+    }
+  }
+
+  /* make sure the page is of an appropriate size */
+  if ((max_page_len > 0) && (page_len > max_page_len)) {
+    snprintf (msg, DEFAULT_BUFFER_SIZE, _("%spage size %d too large, "), msg, page_len);
+    result = max_state_alt(STATE_WARNING, result);
+  } else if ((min_page_len > 0) && (page_len < min_page_len)) {
+    snprintf (msg, DEFAULT_BUFFER_SIZE, _("%spage size %d too small, "), msg, page_len);
+    result = max_state_alt(STATE_WARNING, result);
+  }
+
+  /* -w, -c: check warning and critical level */
+  result = max_state_alt(get_status(total_time, thlds), result);
+
+  /* Cut-off trailing characters */
+  if(msg[strlen(msg)-2] == ',')
+    msg[strlen(msg)-2] = '\0';
+  else
+    msg[strlen(msg)-3] = '\0';
+
+  /* TODO: separate _() msg and status code: die (result, "HTTP %s: %s\n", state_text(result), msg); */
+  die (result, "HTTP %s: HTTP/%d.%d %d %s%s%s - %d bytes in %.3f second response time %s|%s\n",
+    state_text(result), status_line.http_major, status_line.http_minor,
+    status_line.http_code, status_line.msg,
+    strlen(msg) > 0 ? " - " : "",
+    msg, page_len, total_time,
+    (display_html ? "</A>" : ""),
+    perfstring);
+
+  /* proper cleanup after die? */
+  curlhelp_free_statusline(&status_line);
+  curl_easy_cleanup (curl);
+  curl_global_cleanup ();
+  curlhelp_freewritebuffer (&body_buf);
+  curlhelp_freewritebuffer (&header_buf);
+  if (!strcmp (http_method, "PUT")) {
+    curlhelp_freereadbuffer (&put_buf);
+  }
+
+  return result;
+}
+
+int
+uri_strcmp (const UriTextRangeA range, const char* s)
+{
+  if (!range.first) return -1;
+  if (range.afterLast - range.first < strlen (s)) return -1;
+  return strncmp (s, range.first, min( range.afterLast - range.first, strlen (s)));
+}
+
+char*
+uri_string (const UriTextRangeA range, char* buf, size_t buflen)
+{
+  if (!range.first) return "(null)";
+  strncpy (buf, range.first, max (buflen, range.afterLast - range.first));
+  buf[max (buflen, range.afterLast - range.first)] = '\0';
+  buf[range.afterLast - range.first] = '\0';
+  return buf;
+}
+
+void
+redir (curlhelp_write_curlbuf* header_buf)
+{
+  char *location = NULL;
+  curlhelp_statusline status_line;
+  struct phr_header headers[255];
+  size_t nof_headers = 255;
+  size_t msglen;
+  char buf[DEFAULT_BUFFER_SIZE];
+  char ipstr[INET_ADDR_MAX_SIZE];
+  int new_port;
+  char *new_host;
+  char *new_url;
+
+  int res = phr_parse_response (header_buf->buf, header_buf->buflen,
+    &status_line.http_minor, &status_line.http_code, &status_line.msg, &msglen,
+    headers, &nof_headers, 0);
+
+  location = get_header_value (headers, nof_headers, "location");
+
+  if (verbose >= 2)
+    printf(_("* Seen redirect location %s\n"), location);
+
+  if (++redir_depth > max_depth)
+    die (STATE_WARNING,
+         _("HTTP WARNING - maximum redirection depth %d exceeded - %s%s\n"),
+         max_depth, location, (display_html ? "</A>" : ""));
+
+  UriParserStateA state;
+  UriUriA uri;
+  state.uri = &uri;
+  if (uriParseUriA (&state, location) != URI_SUCCESS) {
+    if (state.errorCode == URI_ERROR_SYNTAX) {
+      die (STATE_UNKNOWN,
+           _("HTTP UNKNOWN - Could not parse redirect location '%s'%s\n"),
+           location, (display_html ? "</A>" : ""));
+    } else if (state.errorCode == URI_ERROR_MALLOC) {
+      die (STATE_UNKNOWN, _("HTTP UNKNOWN - Could not allocate URL\n"));
+    }
+  }
+
+  if (verbose >= 2) {
+    printf (_("** scheme: %s\n"),
+      uri_string (uri.scheme, buf, DEFAULT_BUFFER_SIZE));
+    printf (_("** host: %s\n"),
+      uri_string (uri.hostText, buf, DEFAULT_BUFFER_SIZE));
+    printf (_("** port: %s\n"),
+      uri_string (uri.portText, buf, DEFAULT_BUFFER_SIZE));
+    if (uri.hostData.ip4) {
+      inet_ntop (AF_INET, uri.hostData.ip4->data, ipstr, sizeof (ipstr));
+      printf (_("** IPv4: %s\n"), ipstr);
+    }
+    if (uri.hostData.ip6) {
+      inet_ntop (AF_INET, uri.hostData.ip6->data, ipstr, sizeof (ipstr));
+      printf (_("** IPv6: %s\n"), ipstr);
+    }
+    if (uri.pathHead) {
+      printf (_("** path: "));
+      const UriPathSegmentA* p = uri.pathHead;
+      for (; p; p = p->next) {
+        printf ("/%s", uri_string (p->text, buf, DEFAULT_BUFFER_SIZE));
+      }
+      puts ("");
+    }
+    if (uri.query.first) {
+      printf (_("** query: %s\n"),
+      uri_string (uri.query, buf, DEFAULT_BUFFER_SIZE));
+    }
+    if (uri.fragment.first) {
+      printf (_("** fragment: %s\n"),
+      uri_string (uri.fragment, buf, DEFAULT_BUFFER_SIZE));
+    }
+  }
+
+  use_ssl = !uri_strcmp (uri.scheme, "https");
+
+  /* we do a sloppy test here only, because uriparser would have failed
+   * above, if the port would be invalid, we just check for MAX_PORT
+   */
+  if (uri.portText.first) {
+    new_port = atoi (uri_string (uri.portText, buf, DEFAULT_BUFFER_SIZE));
+  } else {
+    new_port = HTTP_PORT;
+    if (use_ssl)
+      new_port = HTTPS_PORT;
+  }
+  if (new_port > MAX_PORT)
+    die (STATE_UNKNOWN,
+         _("HTTP UNKNOWN - Redirection to port above %d - %s%s\n"),
+         MAX_PORT, location, display_html ? "</A>" : "");
+
+  /* by RFC 7231 relative URLs in Location should be taken relative to
+   * the original URL, so wy try to form a new absolute URL here
+   */
+  if (!uri.scheme.first && !uri.hostText.first) {
+    new_host = strdup (host_name ? host_name : server_address);
+  } else {
+    new_host = strdup (uri_string (uri.hostText, buf, DEFAULT_BUFFER_SIZE));
+  }
+
+  /* compose new path */
+  /* TODO: handle fragments and query part of URL */
+  new_url = (char *)calloc( 1, DEFAULT_BUFFER_SIZE);
+  if (uri.pathHead) {
+    const UriPathSegmentA* p = uri.pathHead;
+    for (; p; p = p->next) {
+      strncat (new_url, "/", DEFAULT_BUFFER_SIZE);
+      strncat (new_url, uri_string (p->text, buf, DEFAULT_BUFFER_SIZE), DEFAULT_BUFFER_SIZE);
+    }
+  }
+
+  if (server_port==new_port &&
+      !strncmp(server_address, new_host, MAX_IPV4_HOSTLENGTH) &&
+      (host_name && !strncmp(host_name, new_host, MAX_IPV4_HOSTLENGTH)) &&
+      !strcmp(server_url, new_url))
+    die (STATE_WARNING,
+         _("HTTP WARNING - redirection creates an infinite loop - %s://%s:%d%s%s\n"),
+         use_ssl ? "https" : "http", new_host, new_port, new_url, (display_html ? "</A>" : ""));
+
+  /* set new values for redirected request */
+
+  if (!(followsticky & STICKY_HOST)) {
+    free (server_address);
+    server_address = strndup (new_host, MAX_IPV4_HOSTLENGTH);
+  }
+  if (!(followsticky & STICKY_PORT)) {
+    server_port = (unsigned short)new_port;
+  }
+
+  free (host_name);
+  host_name = strndup (new_host, MAX_IPV4_HOSTLENGTH);
+
+  /* reset virtual port */
+  virtual_port = server_port;
+
+  free(new_host);
+  free (server_url);
+  server_url = new_url;
+
+  uriFreeUriMembersA (&uri);
+
+  if (verbose)
+    printf (_("Redirection to %s://%s:%d%s\n"), use_ssl ? "https" : "http",
+            host_name ? host_name : server_address, server_port, server_url);
+
+  /* TODO: the hash component MUST be taken from the original URL and
+   * attached to the URL in Location
+   */
+
+  check_http ();
+}
+
+/* check whether a file exists */
+void
+test_file (char *path)
+{
+  if (access(path, R_OK) == 0)
+    return;
+  usage2 (_("file does not exist or is not readable"), path);
+}
+
+int
+process_arguments (int argc, char **argv)
+{
+  char *p;
+  int c = 1;
+  char *temp;
+
+  enum {
+    INVERT_REGEX = CHAR_MAX + 1,
+    SNI_OPTION,
+    CA_CERT_OPTION,
+    HTTP_VERSION_OPTION
+  };
+
+  int option = 0;
+  int got_plus = 0;
+  static struct option longopts[] = {
+    STD_LONG_OPTS,
+    {"link", no_argument, 0, 'L'},
+    {"nohtml", no_argument, 0, 'n'},
+    {"ssl", optional_argument, 0, 'S'},
+    {"sni", no_argument, 0, SNI_OPTION},
+    {"post", required_argument, 0, 'P'},
+    {"method", required_argument, 0, 'j'},
+    {"IP-address", required_argument, 0, 'I'},
+    {"url", required_argument, 0, 'u'},
+    {"port", required_argument, 0, 'p'},
+    {"authorization", required_argument, 0, 'a'},
+    {"proxy-authorization", required_argument, 0, 'b'},
+    {"header-string", required_argument, 0, 'd'},
+    {"string", required_argument, 0, 's'},
+    {"expect", required_argument, 0, 'e'},
+    {"regex", required_argument, 0, 'r'},
+    {"ereg", required_argument, 0, 'r'},
+    {"eregi", required_argument, 0, 'R'},
+    {"linespan", no_argument, 0, 'l'},
+    {"onredirect", required_argument, 0, 'f'},
+    {"certificate", required_argument, 0, 'C'},
+    {"client-cert", required_argument, 0, 'J'},
+    {"private-key", required_argument, 0, 'K'},
+    {"ca-cert", required_argument, 0, CA_CERT_OPTION},
+    {"useragent", required_argument, 0, 'A'},
+    {"header", required_argument, 0, 'k'},
+    {"no-body", no_argument, 0, 'N'},
+    {"max-age", required_argument, 0, 'M'},
+    {"content-type", required_argument, 0, 'T'},
+    {"pagesize", required_argument, 0, 'm'},
+    {"invert-regex", no_argument, NULL, INVERT_REGEX},
+    {"use-ipv4", no_argument, 0, '4'},
+    {"use-ipv6", no_argument, 0, '6'},
+    {"extended-perfdata", no_argument, 0, 'E'},
+    {"http-version", required_argument, 0, HTTP_VERSION_OPTION},
+    {0, 0, 0, 0}
+  };
+
+  if (argc < 2)
+    return ERROR;
+
+  /* support check_http compatible arguments */
+  for (c = 1; c < argc; c++) {
+    if (strcmp ("-to", argv[c]) == 0)
+      strcpy (argv[c], "-t");
+    if (strcmp ("-hn", argv[c]) == 0)
+      strcpy (argv[c], "-H");
+    if (strcmp ("-wt", argv[c]) == 0)
+      strcpy (argv[c], "-w");
+    if (strcmp ("-ct", argv[c]) == 0)
+      strcpy (argv[c], "-c");
+    if (strcmp ("-nohtml", argv[c]) == 0)
+      strcpy (argv[c], "-n");
+  }
+
+  server_url = strdup(DEFAULT_SERVER_URL);
+
+  while (1) {
+    c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:d:e:p:s:R:r:u:f:C:J:K:nlLS::m:M:NE", longopts, &option);
+    if (c == -1 || c == EOF || c == 1)
+      break;
+
+    switch (c) {
+    case 'h':
+      print_help();
+      exit(STATE_UNKNOWN);
+      break;
+    case 'V':
+      print_revision(progname, NP_VERSION);
+      print_curl_version();
+      exit(STATE_UNKNOWN);
+      break;
+    case 'v':
+      verbose++;
+      break;
+    case 't': /* timeout period */
+      if (!is_intnonneg (optarg))
+        usage2 (_("Timeout interval must be a positive integer"), optarg);
+      else
+        socket_timeout = (int)strtol (optarg, NULL, 10);
+      break;
+    case 'c': /* critical time threshold */
+      critical_thresholds = optarg;
+      break;
+    case 'w': /* warning time threshold */
+      warning_thresholds = optarg;
+      break;
+    case 'H': /* virtual host */
+      host_name = strdup (optarg);
+      if (host_name[0] == '[') {
+        if ((p = strstr (host_name, "]:")) != NULL) { /* [IPv6]:port */
+          virtual_port = atoi (p + 2);
+          /* cut off the port */
+          host_name_length = strlen (host_name) - strlen (p) - 1;
+          free (host_name);
+          host_name = strndup (optarg, host_name_length);
+        }
+      } else if ((p = strchr (host_name, ':')) != NULL
+                 && strchr (++p, ':') == NULL) { /* IPv4:port or host:port */
+          virtual_port = atoi (p);
+          /* cut off the port */
+          host_name_length = strlen (host_name) - strlen (p) - 1;
+          free (host_name);
+          host_name = strndup (optarg, host_name_length);
+        }
+      break;
+    case 'I': /* internet address */
+      server_address = strdup (optarg);
+      break;
+    case 'u': /* URL path */
+      server_url = strdup (optarg);
+      break;
+    case 'p': /* Server port */
+      if (!is_intnonneg (optarg))
+        usage2 (_("Invalid port number, expecting a non-negative number"), optarg);
+      else {
+        if( strtol(optarg, NULL, 10) > MAX_PORT)
+          usage2 (_("Invalid port number, supplied port number is too big"), optarg);
+        server_port = (unsigned short)strtol(optarg, NULL, 10);
+        specify_port = TRUE;
+      }
+      break;
+    case 'a': /* authorization info */
+      strncpy (user_auth, optarg, MAX_INPUT_BUFFER - 1);
+      user_auth[MAX_INPUT_BUFFER - 1] = 0;
+      break;
+    case 'b': /* proxy-authorization info */
+      strncpy (proxy_auth, optarg, MAX_INPUT_BUFFER - 1);
+      proxy_auth[MAX_INPUT_BUFFER - 1] = 0;
+      break;
+    case 'P': /* HTTP POST data in URL encoded format; ignored if settings already */
+      if (! http_post_data)
+        http_post_data = strdup (optarg);
+      if (! http_method)
+        http_method = strdup("POST");
+      break;
+    case 'j': /* Set HTTP method */
+      if (http_method)
+        free(http_method);
+      http_method = strdup (optarg);
+      break;
+    case 'A': /* useragent */
+      strncpy (user_agent, optarg, DEFAULT_BUFFER_SIZE);
+      user_agent[DEFAULT_BUFFER_SIZE-1] = '\0';
+      break;
+    case 'k': /* Additional headers */
+      if (http_opt_headers_count == 0)
+        http_opt_headers = malloc (sizeof (char *) * (++http_opt_headers_count));
+      else
+        http_opt_headers = realloc (http_opt_headers, sizeof (char *) * (++http_opt_headers_count));
+      http_opt_headers[http_opt_headers_count - 1] = optarg;
+      break;
+    case 'L': /* show html link */
+      display_html = TRUE;
+      break;
+    case 'n': /* do not show html link */
+      display_html = FALSE;
+      break;
+    case 'C': /* Check SSL cert validity */
+#ifdef LIBCURL_FEATURE_SSL
+      if ((temp=strchr(optarg,','))!=NULL) {
+        *temp='\0';
+        if (!is_intnonneg (optarg))
+          usage2 (_("Invalid certificate expiration period"), optarg);
+        days_till_exp_warn = atoi(optarg);
+        *temp=',';
+        temp++;
+        if (!is_intnonneg (temp))
+          usage2 (_("Invalid certificate expiration period"), temp);
+        days_till_exp_crit = atoi (temp);
+      }
+      else {
+        days_till_exp_crit=0;
+        if (!is_intnonneg (optarg))
+          usage2 (_("Invalid certificate expiration period"), optarg);
+        days_till_exp_warn = atoi (optarg);
+      }
+      check_cert = TRUE;
+      goto enable_ssl;
+#endif
+    case 'J': /* use client certificate */
+#ifdef LIBCURL_FEATURE_SSL
+      test_file(optarg);
+      client_cert = optarg;
+      goto enable_ssl;
+#endif
+    case 'K': /* use client private key */
+#ifdef LIBCURL_FEATURE_SSL
+      test_file(optarg);
+      client_privkey = optarg;
+      goto enable_ssl;
+#endif
+#ifdef LIBCURL_FEATURE_SSL
+    case CA_CERT_OPTION: /* use CA chain file */
+      test_file(optarg);
+      ca_cert = optarg;
+      goto enable_ssl;
+#endif
+    case 'S': /* use SSL */
+#ifdef LIBCURL_FEATURE_SSL
+    enable_ssl:
+      use_ssl = TRUE;
+      /* ssl_version initialized to CURL_SSLVERSION_DEFAULT as a default.
+       * Only set if it's non-zero.  This helps when we include multiple
+       * parameters, like -S and -C combinations */
+      ssl_version = CURL_SSLVERSION_DEFAULT;
+      if (c=='S' && optarg != NULL) {
+        char *plus_ptr = strchr(optarg, '+');
+        if (plus_ptr) {
+          got_plus = 1;
+          *plus_ptr = '\0';
+        }
+
+        if (optarg[0] == '2')
+          ssl_version = CURL_SSLVERSION_SSLv2;
+        else if (optarg[0] == '3')
+          ssl_version = CURL_SSLVERSION_SSLv3;
+        else if (!strcmp (optarg, "1") || !strcmp (optarg, "1.0"))
+#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0)
+          ssl_version = CURL_SSLVERSION_TLSv1_0;
+#else
+          ssl_version = CURL_SSLVERSION_DEFAULT;
+#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
+        else if (!strcmp (optarg, "1.1"))
+#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0)
+          ssl_version = CURL_SSLVERSION_TLSv1_1;
+#else
+          ssl_version = CURL_SSLVERSION_DEFAULT;
+#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
+        else if (!strcmp (optarg, "1.2"))
+#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0)
+          ssl_version = CURL_SSLVERSION_TLSv1_2;
+#else
+          ssl_version = CURL_SSLVERSION_DEFAULT;
+#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
+        else if (!strcmp (optarg, "1.3"))
+#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 52, 0)
+          ssl_version = CURL_SSLVERSION_TLSv1_3;
+#else
+          ssl_version = CURL_SSLVERSION_DEFAULT;
+#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 52, 0) */
+        else
+          usage4 (_("Invalid option - Valid SSL/TLS versions: 2, 3, 1, 1.1, 1.2 (with optional '+' suffix)"));
+      }
+#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 54, 0)
+      if (got_plus) {
+        switch (ssl_version) {
+          case CURL_SSLVERSION_TLSv1_3:
+            ssl_version |= CURL_SSLVERSION_MAX_TLSv1_3;
+            break;
+          case CURL_SSLVERSION_TLSv1_2:
+          case CURL_SSLVERSION_TLSv1_1:
+          case CURL_SSLVERSION_TLSv1_0:
+            ssl_version |= CURL_SSLVERSION_MAX_DEFAULT;
+            break;
+        }
+      } else {
+        switch (ssl_version) {
+          case CURL_SSLVERSION_TLSv1_3:
+            ssl_version |= CURL_SSLVERSION_MAX_TLSv1_3;
+            break;
+          case CURL_SSLVERSION_TLSv1_2:
+            ssl_version |= CURL_SSLVERSION_MAX_TLSv1_2;
+            break;
+          case CURL_SSLVERSION_TLSv1_1:
+            ssl_version |= CURL_SSLVERSION_MAX_TLSv1_1;
+            break;
+          case CURL_SSLVERSION_TLSv1_0:
+            ssl_version |= CURL_SSLVERSION_MAX_TLSv1_0;
+            break;
+        }
+      }
+#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 54, 0) */
+      if (verbose >= 2)
+        printf(_("* Set SSL/TLS version to %d\n"), ssl_version);
+      if (specify_port == FALSE)
+        server_port = HTTPS_PORT;
+      break;
+#else /* LIBCURL_FEATURE_SSL */
+      /* -C -J and -K fall through to here without SSL */
+      usage4 (_("Invalid option - SSL is not available"));
+      break;
+    case SNI_OPTION: /* --sni is parsed, but ignored, the default is TRUE with libcurl */
+      use_sni = TRUE;
+      break;
+#endif /* LIBCURL_FEATURE_SSL */
+    case 'f': /* onredirect */
+      if (!strcmp (optarg, "ok"))
+        onredirect = STATE_OK;
+      else if (!strcmp (optarg, "warning"))
+        onredirect = STATE_WARNING;
+      else if (!strcmp (optarg, "critical"))
+        onredirect = STATE_CRITICAL;
+      else if (!strcmp (optarg, "unknown"))
+        onredirect = STATE_UNKNOWN;
+      else if (!strcmp (optarg, "follow"))
+        onredirect = STATE_DEPENDENT;
+      else if (!strcmp (optarg, "stickyport"))
+        onredirect = STATE_DEPENDENT, followmethod = FOLLOW_HTTP_CURL, followsticky = STICKY_HOST|STICKY_PORT;
+      else if (!strcmp (optarg, "sticky"))
+        onredirect = STATE_DEPENDENT, followmethod = FOLLOW_HTTP_CURL, followsticky = STICKY_HOST;
+      else if (!strcmp (optarg, "follow"))
+        onredirect = STATE_DEPENDENT, followmethod = FOLLOW_HTTP_CURL, followsticky = STICKY_NONE;
+      else if (!strcmp (optarg, "curl"))
+        onredirect = STATE_DEPENDENT, followmethod = FOLLOW_LIBCURL;
+      else usage2 (_("Invalid onredirect option"), optarg);
+      if (verbose >= 2)
+        printf(_("* Following redirects set to %s\n"), state_text(onredirect));
+      break;
+    case 'd': /* string or substring */
+      strncpy (header_expect, optarg, MAX_INPUT_BUFFER - 1);
+      header_expect[MAX_INPUT_BUFFER - 1] = 0;
+      break;
+    case 's': /* string or substring */
+      strncpy (string_expect, optarg, MAX_INPUT_BUFFER - 1);
+      string_expect[MAX_INPUT_BUFFER - 1] = 0;
+      break;
+    case 'e': /* string or substring */
+      strncpy (server_expect, optarg, MAX_INPUT_BUFFER - 1);
+      server_expect[MAX_INPUT_BUFFER - 1] = 0;
+      server_expect_yn = 1;
+      break;
+    case 'T': /* Content-type */
+      http_content_type = strdup (optarg);
+     break;
+    case 'l': /* linespan */
+      cflags &= ~REG_NEWLINE;
+      break;
+    case 'R': /* regex */
+      cflags |= REG_ICASE;
+    case 'r': /* regex */
+      strncpy (regexp, optarg, MAX_RE_SIZE - 1);
+      regexp[MAX_RE_SIZE - 1] = 0;
+      errcode = regcomp (&preg, regexp, cflags);
+      if (errcode != 0) {
+        (void) regerror (errcode, &preg, errbuf, MAX_INPUT_BUFFER);
+        printf (_("Could Not Compile Regular Expression: %s"), errbuf);
+        return ERROR;
+      }
+      break;
+    case INVERT_REGEX:
+      invert_regex = 1;
+      break;
+    case '4':
+      address_family = AF_INET;
+      break;
+    case '6':
+#if defined (USE_IPV6) && defined (LIBCURL_FEATURE_IPV6)
+      address_family = AF_INET6;
+#else
+      usage4 (_("IPv6 support not available"));
+#endif
+      break;
+    case 'm': /* min_page_length */
+      {
+      char *tmp;
+      if (strchr(optarg, ':') != (char *)NULL) {
+        /* range, so get two values, min:max */
+        tmp = strtok(optarg, ":");
+        if (tmp == NULL) {
+          printf("Bad format: try \"-m min:max\"\n");
+          exit (STATE_WARNING);
+        } else
+          min_page_len = atoi(tmp);
+
+        tmp = strtok(NULL, ":");
+        if (tmp == NULL) {
+          printf("Bad format: try \"-m min:max\"\n");
+          exit (STATE_WARNING);
+        } else
+          max_page_len = atoi(tmp);
+      } else
+        min_page_len = atoi (optarg);
+      break;
+      }
+    case 'N': /* no-body */
+      no_body = TRUE;
+      break;
+    case 'M': /* max-age */
+    {
+      int L = strlen(optarg);
+      if (L && optarg[L-1] == 'm')
+        maximum_age = atoi (optarg) * 60;
+      else if (L && optarg[L-1] == 'h')
+        maximum_age = atoi (optarg) * 60 * 60;
+      else if (L && optarg[L-1] == 'd')
+        maximum_age = atoi (optarg) * 60 * 60 * 24;
+      else if (L && (optarg[L-1] == 's' ||
+                     isdigit (optarg[L-1])))
+        maximum_age = atoi (optarg);
+      else {
+        fprintf (stderr, "unparsable max-age: %s\n", optarg);
+        exit (STATE_WARNING);
+      }
+      if (verbose >= 2)
+        printf ("* Maximal age of document set to %d seconds\n", maximum_age);
+    }
+    break;
+    case 'E': /* show extended perfdata */
+      show_extended_perfdata = TRUE;
+      break;
+    case HTTP_VERSION_OPTION:
+      curl_http_version = CURL_HTTP_VERSION_NONE;
+      if (strcmp (optarg, "1.0") == 0) {
+        curl_http_version = CURL_HTTP_VERSION_1_0;
+      } else if (strcmp (optarg, "1.1") == 0) {
+        curl_http_version = CURL_HTTP_VERSION_1_1;
+      } else if ((strcmp (optarg, "2.0") == 0) || (strcmp (optarg, "2") == 0)) {
+#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 33, 0)
+        curl_http_version = CURL_HTTP_VERSION_2_0;
+#else
+        curl_http_version = CURL_HTTP_VERSION_NONE;
+#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 33, 0) */
+      } else {
+        fprintf (stderr, "unkown http-version parameter: %s\n", optarg);
+        exit (STATE_WARNING);
+      }
+      break;
+    case '?':
+      /* print short usage statement if args not parsable */
+      usage5 ();
+      break;
+    }
+  }
+
+  c = optind;
+
+  if (server_address == NULL && c < argc)
+    server_address = strdup (argv[c++]);
+
+  if (host_name == NULL && c < argc)
+    host_name = strdup (argv[c++]);
+
+  if (server_address == NULL) {
+    if (host_name == NULL)
+      usage4 (_("You must specify a server address or host name"));
+    else
+      server_address = strdup (host_name);
+  }
+
+  set_thresholds(&thlds, warning_thresholds, critical_thresholds);
+
+  if (critical_thresholds && thlds->critical->end>(double)socket_timeout)
+    socket_timeout = (int)thlds->critical->end + 1;
+  if (verbose >= 2)
+    printf ("* Socket timeout set to %ld seconds\n", socket_timeout);
+
+  if (http_method == NULL)
+    http_method = strdup ("GET");
+
+  if (client_cert && !client_privkey)
+    usage4 (_("If you use a client certificate you must also specify a private key file"));
+
+  if (virtual_port == 0)
+    virtual_port = server_port;
+  else {
+    if ((use_ssl && server_port == HTTPS_PORT) || (!use_ssl && server_port == HTTP_PORT))
+      if(specify_port == FALSE)
+        server_port = virtual_port;
+  }
+
+  return TRUE;
+}
+
+char *perfd_time (double elapsed_time)
+{
+  return fperfdata ("time", elapsed_time, "s",
+            thlds->warning?TRUE:FALSE, thlds->warning?thlds->warning->end:0,
+            thlds->critical?TRUE:FALSE, thlds->critical?thlds->critical->end:0,
+                   TRUE, 0, TRUE, socket_timeout);
+}
+
+char *perfd_time_connect (double elapsed_time_connect)
+{
+  return fperfdata ("time_connect", elapsed_time_connect, "s", FALSE, 0, FALSE, 0, FALSE, 0, TRUE, socket_timeout);
+}
+
+char *perfd_time_ssl (double elapsed_time_ssl)
+{
+  return fperfdata ("time_ssl", elapsed_time_ssl, "s", FALSE, 0, FALSE, 0, FALSE, 0, TRUE, socket_timeout);
+}
+
+char *perfd_time_headers (double elapsed_time_headers)
+{
+  return fperfdata ("time_headers", elapsed_time_headers, "s", FALSE, 0, FALSE, 0, FALSE, 0, TRUE, socket_timeout);
+}
+
+char *perfd_time_firstbyte (double elapsed_time_firstbyte)
+{
+  return fperfdata ("time_firstbyte", elapsed_time_firstbyte, "s", FALSE, 0, FALSE, 0, FALSE, 0, TRUE, socket_timeout);
+}
+
+char *perfd_time_transfer (double elapsed_time_transfer)
+{
+  return fperfdata ("time_transfer", elapsed_time_transfer, "s", FALSE, 0, FALSE, 0, FALSE, 0, TRUE, socket_timeout);
+}
+
+char *perfd_size (int page_len)
+{
+  return perfdata ("size", page_len, "B",
+            (min_page_len>0?TRUE:FALSE), min_page_len,
+            (min_page_len>0?TRUE:FALSE), 0,
+            TRUE, 0, FALSE, 0);
+}
+
+void
+print_help (void)
+{
+  print_revision (progname, NP_VERSION);
+
+  printf ("Copyright (c) 1999 Ethan Galstad <nagios@nagios.org>\n");
+  printf (COPYRIGHT, copyright, email);
+
+  printf ("%s\n", _("This plugin tests the HTTP service on the specified host. It can test"));
+  printf ("%s\n", _("normal (http) and secure (https) servers, follow redirects, search for"));
+  printf ("%s\n", _("strings and regular expressions, check connection times, and report on"));
+  printf ("%s\n", _("certificate expiration times."));
+  printf ("\n");
+  printf ("%s\n", _("It makes use of libcurl to do so. It tries to be as compatible to check_http"));
+  printf ("%s\n", _("as possible."));
+
+  printf ("\n\n");
+
+  print_usage ();
+
+  printf (_("NOTE: One or both of -H and -I must be specified"));
+
+  printf ("\n");
+
+  printf (UT_HELP_VRSN);
+  printf (UT_EXTRA_OPTS);
+
+  printf (" %s\n", "-H, --hostname=ADDRESS");
+  printf ("    %s\n", _("Host name argument for servers using host headers (virtual host)"));
+  printf ("    %s\n", _("Append a port to include it in the header (eg: example.com:5000)"));
+  printf (" %s\n", "-I, --IP-address=ADDRESS");
+  printf ("    %s\n", _("IP address or name (use numeric address if possible to bypass DNS lookup)."));
+  printf (" %s\n", "-p, --port=INTEGER");
+  printf ("    %s", _("Port number (default: "));
+  printf ("%d)\n", HTTP_PORT);
+
+  printf (UT_IPv46);
+
+#ifdef LIBCURL_FEATURE_SSL
+  printf (" %s\n", "-S, --ssl=VERSION[+]");
+  printf ("    %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and prevents"));
+  printf ("    %s\n", _("auto-negotiation (2 = SSLv2, 3 = SSLv3, 1 = TLSv1, 1.1 = TLSv1.1,"));
+  printf ("    %s\n", _("1.2 = TLSv1.2). With a '+' suffix, newer versions are also accepted."));
+  printf ("    %s\n", _("Note: SSLv2 and SSLv3 are deprecated and are usually disabled in libcurl"));
+  printf (" %s\n", "--sni");
+  printf ("    %s\n", _("Enable SSL/TLS hostname extension support (SNI)"));
+#if LIBCURL_VERSION_NUM >= 0x071801
+  printf ("    %s\n", _("Note: --sni is the default in libcurl as SSLv2 and SSLV3 are deprecated and"));
+  printf ("    %s\n", _("      SNI only really works since TLSv1.0"));
+#else
+  printf ("    %s\n", _("Note: SNI is not supported in libcurl before 7.18.1"));
+#endif
+  printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]");
+  printf ("    %s\n", _("Minimum number of days a certificate has to be valid. Port defaults to 443"));
+  printf ("    %s\n", _("(when this option is used the URL is not checked.)"));
+  printf (" %s\n", "-J, --client-cert=FILE");
+  printf ("   %s\n", _("Name of file that contains the client certificate (PEM format)"));
+  printf ("   %s\n", _("to be used in establishing the SSL session"));
+  printf (" %s\n", "-K, --private-key=FILE");
+  printf ("   %s\n", _("Name of file containing the private key (PEM format)"));
+  printf ("   %s\n", _("matching the client certificate"));
+  printf (" %s\n", "--ca-cert=FILE");
+  printf ("   %s\n", _("CA certificate file to verify peer against"));
+#endif
+
+  printf (" %s\n", "-e, --expect=STRING");
+  printf ("    %s\n", _("Comma-delimited list of strings, at least one of them is expected in"));
+  printf ("    %s", _("the first (status) line of the server response (default: "));
+  printf ("%s)\n", HTTP_EXPECT);
+  printf ("    %s\n", _("If specified skips all other status line logic (ex: 3xx, 4xx, 5xx processing)"));
+  printf (" %s\n", "-d, --header-string=STRING");
+  printf ("    %s\n", _("String to expect in the response headers"));
+  printf (" %s\n", "-s, --string=STRING");
+  printf ("    %s\n", _("String to expect in the content"));
+  printf (" %s\n", "-u, --url=PATH");
+  printf ("    %s\n", _("URL to GET or POST (default: /)"));
+  printf (" %s\n", "-P, --post=STRING");
+  printf ("    %s\n", _("URL encoded http POST data"));
+  printf (" %s\n", "-j, --method=STRING  (for example: HEAD, OPTIONS, TRACE, PUT, DELETE, CONNECT)");
+  printf ("    %s\n", _("Set HTTP method."));
+  printf (" %s\n", "-N, --no-body");
+  printf ("    %s\n", _("Don't wait for document body: stop reading after headers."));
+  printf ("    %s\n", _("(Note that this still does an HTTP GET or POST, not a HEAD.)"));
+  printf (" %s\n", "-M, --max-age=SECONDS");
+  printf ("    %s\n", _("Warn if document is more than SECONDS old. the number can also be of"));
+  printf ("    %s\n", _("the form \"10m\" for minutes, \"10h\" for hours, or \"10d\" for days."));
+  printf (" %s\n", "-T, --content-type=STRING");
+  printf ("    %s\n", _("specify Content-Type header media type when POSTing\n"));
+  printf (" %s\n", "-l, --linespan");
+  printf ("    %s\n", _("Allow regex to span newlines (must precede -r or -R)"));
+  printf (" %s\n", "-r, --regex, --ereg=STRING");
+  printf ("    %s\n", _("Search page for regex STRING"));
+  printf (" %s\n", "-R, --eregi=STRING");
+  printf ("    %s\n", _("Search page for case-insensitive regex STRING"));
+  printf (" %s\n", "--invert-regex");
+  printf ("    %s\n", _("Return CRITICAL if found, OK if not\n"));
+  printf (" %s\n", "-a, --authorization=AUTH_PAIR");
+  printf ("    %s\n", _("Username:password on sites with basic authentication"));
+  printf (" %s\n", "-b, --proxy-authorization=AUTH_PAIR");
+  printf ("    %s\n", _("Username:password on proxy-servers with basic authentication"));
+  printf (" %s\n", "-A, --useragent=STRING");
+  printf ("    %s\n", _("String to be sent in http header as \"User Agent\""));
+  printf (" %s\n", "-k, --header=STRING");
+  printf ("    %s\n", _("Any other tags to be sent in http header. Use multiple times for additional headers"));
+  printf (" %s\n", "-E, --extended-perfdata");
+  printf ("    %s\n", _("Print additional performance data"));
+  printf (" %s\n", "-L, --link");
+  printf ("    %s\n", _("Wrap output in HTML link (obsoleted by urlize)"));
+  printf (" %s\n", "-f, --onredirect=<ok|warning|critical|follow|sticky|stickyport|curl>");
+  printf ("    %s\n", _("How to handle redirected pages. sticky is like follow but stick to the"));
+  printf ("    %s\n", _("specified IP address. stickyport also ensures port stays the same."));
+  printf ("    %s\n", _("follow uses the old redirection algorithm of check_http."));
+  printf ("    %s\n", _("curl uses CURL_FOLLOWLOCATION built into libcurl."));
+  printf (" %s\n", "-m, --pagesize=INTEGER<:INTEGER>");
+  printf ("    %s\n", _("Minimum page size required (bytes) : Maximum page size required (bytes)"));
+  printf ("\n");
+  printf (" %s\n", "--http-version=VERSION");
+  printf ("    %s\n", _("Connect via specific HTTP protocol."));
+  printf ("    %s\n", _("1.0 = HTTP/1.0, 1.1 = HTTP/1.1, 2.0 = HTTP/2 (HTTP/2 will fail without -S)"));
+  printf ("\n");
+
+  printf (UT_WARN_CRIT);
+
+  printf (UT_CONN_TIMEOUT, DEFAULT_SOCKET_TIMEOUT);
+
+  printf (UT_VERBOSE);
+
+  printf ("\n");
+  printf ("%s\n", _("Notes:"));
+  printf (" %s\n", _("This plugin will attempt to open an HTTP connection with the host."));
+  printf (" %s\n", _("Successful connects return STATE_OK, refusals and timeouts return STATE_CRITICAL"));
+  printf (" %s\n", _("other errors return STATE_UNKNOWN.  Successful connects, but incorrect response"));
+  printf (" %s\n", _("messages from the host result in STATE_WARNING return values.  If you are"));
+  printf (" %s\n", _("checking a virtual server that uses 'host headers' you must supply the FQDN"));
+  printf (" %s\n", _("(fully qualified domain name) as the [host_name] argument."));
+
+#ifdef LIBCURL_FEATURE_SSL
+  printf ("\n");
+  printf (" %s\n", _("This plugin can also check whether an SSL enabled web server is able to"));
+  printf (" %s\n", _("serve content (optionally within a specified time) or whether the X509 "));
+  printf (" %s\n", _("certificate is still valid for the specified number of days."));
+  printf ("\n");
+  printf (" %s\n", _("Please note that this plugin does not check if the presented server"));
+  printf (" %s\n", _("certificate matches the hostname of the server, or if the certificate"));
+  printf (" %s\n", _("has a valid chain of trust to one of the locally installed CAs."));
+  printf ("\n");
+  printf ("%s\n", _("Examples:"));
+  printf (" %s\n\n", "CHECK CONTENT: check_curl -w 5 -c 10 --ssl -H www.verisign.com");
+  printf (" %s\n", _("When the 'www.verisign.com' server returns its content within 5 seconds,"));
+  printf (" %s\n", _("a STATE_OK will be returned. When the server returns its content but exceeds"));
+  printf (" %s\n", _("the 5-second threshold, a STATE_WARNING will be returned. When an error occurs,"));
+  printf (" %s\n", _("a STATE_CRITICAL will be returned."));
+  printf ("\n");
+  printf (" %s\n\n", "CHECK CERTIFICATE: check_curl -H www.verisign.com -C 14");
+  printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 14 days,"));
+  printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than"));
+  printf (" %s\n", _("14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when"));
+  printf (" %s\n\n", _("the certificate is expired."));
+  printf ("\n");
+  printf (" %s\n\n", "CHECK CERTIFICATE: check_curl -H www.verisign.com -C 30,14");
+  printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 30 days,"));
+  printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than"));
+  printf (" %s\n", _("30 days, but more than 14 days, a STATE_WARNING is returned."));
+  printf (" %s\n", _("A STATE_CRITICAL will be returned when certificate expires in less than 14 days"));
+#endif
+
+  printf ("\n %s\n", "CHECK WEBSERVER CONTENT VIA PROXY:");
+  printf (" %s\n", _("It is recommended to use an environment proxy like:"));
+  printf (" %s\n", _("http_proxy=http://192.168.100.35:3128 ./check_curl -H www.monitoring-plugins.org"));
+  printf (" %s\n", _("legacy proxy requests in check_http style still work:"));
+  printf (" %s\n", _("check_curl -I 192.168.100.35 -p 3128 -u http://www.monitoring-plugins.org/ -H www.monitoring-plugins.org"));
+
+#ifdef LIBCURL_FEATURE_SSL
+  printf ("\n %s\n", "CHECK SSL WEBSERVER CONTENT VIA PROXY USING HTTP 1.1 CONNECT: ");
+  printf (" %s\n", _("It is recommended to use an environment proxy like:"));
+  printf (" %s\n", _("https_proxy=http://192.168.100.35:3128 ./check_curl -H www.verisign.com -S"));
+  printf (" %s\n", _("legacy proxy requests in check_http style still work:"));
+  printf (" %s\n", _("check_curl -I 192.168.100.35 -p 3128 -u https://www.verisign.com/ -S -j CONNECT -H www.verisign.com "));
+  printf (" %s\n", _("all these options are needed: -I <proxy> -p <proxy-port> -u <check-url> -S(sl) -j CONNECT -H <webserver>"));
+  printf (" %s\n", _("a STATE_OK will be returned. When the server returns its content but exceeds"));
+  printf (" %s\n", _("the 5-second threshold, a STATE_WARNING will be returned. When an error occurs,"));
+  printf (" %s\n", _("a STATE_CRITICAL will be returned."));
+
+#endif
+
+  printf (UT_SUPPORT);
+
+}
+
+
+
+void
+print_usage (void)
+{
+  printf ("%s\n", _("Usage:"));
+  printf (" %s -H <vhost> | -I <IP-address> [-u <uri>] [-p <port>]\n",progname);
+  printf ("       [-J <client certificate file>] [-K <private key>] [--ca-cert <CA certificate file>]\n");
+  printf ("       [-w <warn time>] [-c <critical time>] [-t <timeout>] [-L] [-E] [-a auth]\n");
+  printf ("       [-b proxy_auth] [-f <ok|warning|critcal|follow|sticky|stickyport|curl>]\n");
+  printf ("       [-e <expect>] [-d string] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]\n");
+  printf ("       [-P string] [-m <min_pg_size>:<max_pg_size>] [-4|-6] [-N] [-M <age>]\n");
+  printf ("       [-A string] [-k string] [-S <version>] [--sni] [-C <warn_age>[,<crit_age>]]\n");
+  printf ("       [-T <content-type>] [-j method]\n");
+  printf ("       [--http-version=<version>]\n");
+  printf ("\n");
+  printf ("%s\n", _("WARNING: check_curl is experimental. Please use"));
+  printf ("%s\n\n", _("check_http if you need a stable version."));
+}
+
+void
+print_curl_version (void)
+{
+  printf( "%s\n", curl_version());
+}
+
+int
+curlhelp_initwritebuffer (curlhelp_write_curlbuf *buf)
+{
+  buf->bufsize = DEFAULT_BUFFER_SIZE;
+  buf->buflen = 0;
+  buf->buf = (char *)malloc ((size_t)buf->bufsize);
+  if (buf->buf == NULL) return -1;
+  return 0;
+}
+
+int
+curlhelp_buffer_write_callback (void *buffer, size_t size, size_t nmemb, void *stream)
+{
+  curlhelp_write_curlbuf *buf = (curlhelp_write_curlbuf *)stream;
+
+  while (buf->bufsize < buf->buflen + size * nmemb + 1) {
+    buf->bufsize *= buf->bufsize * 2;
+    buf->buf = (char *)realloc (buf->buf, buf->bufsize);
+    if (buf->buf == NULL) return -1;
+  }
+
+  memcpy (buf->buf + buf->buflen, buffer, size * nmemb);
+  buf->buflen += size * nmemb;
+  buf->buf[buf->buflen] = '\0';
+
+  return (int)(size * nmemb);
+}
+
+int
+curlhelp_buffer_read_callback (void *buffer, size_t size, size_t nmemb, void *stream)
+{
+  curlhelp_read_curlbuf *buf = (curlhelp_read_curlbuf *)stream;
+
+  size_t n = min (nmemb * size, buf->buflen - buf->pos);
+
+  memcpy (buffer, buf->buf + buf->pos, n);
+  buf->pos += n;
+
+  return (int)n;
+}
+
+void
+curlhelp_freewritebuffer (curlhelp_write_curlbuf *buf)
+{
+  free (buf->buf);
+  buf->buf = NULL;
+}
+
+int
+curlhelp_initreadbuffer (curlhelp_read_curlbuf *buf, const char *data, size_t datalen)
+{
+  buf->buflen = datalen;
+  buf->buf = (char *)malloc ((size_t)buf->buflen);
+  if (buf->buf == NULL) return -1;
+  memcpy (buf->buf, data, datalen);
+  buf->pos = 0;
+  return 0;
+}
+
+void
+curlhelp_freereadbuffer (curlhelp_read_curlbuf *buf)
+{
+  free (buf->buf);
+  buf->buf = NULL;
+}
+
+/* TODO: where to put this, it's actually part of sstrings2 (logically)?
+ */
+const char*
+strrstr2(const char *haystack, const char *needle)
+{
+  int counter;
+  size_t len;
+  const char *prev_pos;
+  const char *pos;
+
+  if (haystack == NULL || needle == NULL)
+    return NULL;
+
+  if (haystack[0] == '\0' || needle[0] == '\0')
+    return NULL;
+
+  counter = 0;
+  prev_pos = NULL;
+  pos = haystack;
+  len = strlen (needle);
+  for (;;) {
+    pos = strstr (pos, needle);
+    if (pos == NULL) {
+      if (counter == 0)
+        return NULL;
+      else
+        return prev_pos;
+    }
+    counter++;
+    prev_pos = pos;
+    pos += len;
+    if (*pos == '\0') return prev_pos;
+  }
+}
+
+int
+curlhelp_parse_statusline (const char *buf, curlhelp_statusline *status_line)
+{
+  char *first_line_end;
+  char *p;
+  size_t first_line_len;
+  char *pp;
+  const char *start;
+  char *first_line_buf;
+
+  /* find last start of a new header */
+  start = strrstr2 (buf, "\r\nHTTP");
+  if (start != NULL) {
+    start += 2;
+    buf = start;
+  }
+
+  first_line_end = strstr(buf, "\r\n");
+  if (first_line_end == NULL) return -1;
+
+  first_line_len = (size_t)(first_line_end - buf);
+  status_line->first_line = (char *)malloc (first_line_len + 1);
+  if (status_line->first_line == NULL) return -1;
+  memcpy (status_line->first_line, buf, first_line_len);
+  status_line->first_line[first_line_len] = '\0';
+  first_line_buf = strdup( status_line->first_line );
+
+  /* protocol and version: "HTTP/x.x" SP or "HTTP/2" SP */
+
+  p = strtok(first_line_buf, "/");
+  if( p == NULL ) { free( first_line_buf ); return -1; }
+  if( strcmp( p, "HTTP" ) != 0 ) { free( first_line_buf ); return -1; }
+
+  p = strtok( NULL, " " );
+  if( p == NULL ) { free( first_line_buf ); return -1; }
+  if( strchr( p, '.' ) != NULL ) {
+
+    /* HTTP 1.x case */
+    char *ppp;
+    ppp = strtok( p, "." );
+    status_line->http_major = (int)strtol( p, &pp, 10 );
+    if( *pp != '\0' ) { free( first_line_buf ); return -1; }
+    ppp = strtok( NULL, " " );
+    status_line->http_minor = (int)strtol( p, &pp, 10 );
+    if( *pp != '\0' ) { free( first_line_buf ); return -1; }
+    p += 4; /* 1.x SP */
+  } else {
+    /* HTTP 2 case */
+    status_line->http_major = (int)strtol( p, &pp, 10 );
+    status_line->http_minor = 0;
+    p += 2; /* 2 SP */
+  }
+
+  /* status code: "404" or "404.1", then SP */
+
+  p = strtok( p, " " );
+  if( p == NULL ) { free( first_line_buf ); return -1; }
+  if( strchr( p, '.' ) != NULL ) {
+    char *ppp;
+    ppp = strtok( p, "." );
+    status_line->http_code = (int)strtol( ppp, &pp, 10 );
+    if( *pp != '\0' ) { free( first_line_buf ); return -1; }
+    ppp = strtok( NULL, "" );
+    status_line->http_subcode = (int)strtol( ppp, &pp, 10 );
+    if( *pp != '\0' ) { free( first_line_buf ); return -1; }
+    p += 6; /* 400.1 SP */
+  } else {
+    status_line->http_code = (int)strtol( p, &pp, 10 );
+    status_line->http_subcode = -1;
+    if( *pp != '\0' ) { free( first_line_buf ); return -1; }
+    p += 4; /* 400 SP */
+  }
+
+  /* Human readable message: "Not Found" CRLF */
+
+  p = strtok( p, "" );
+  if( p == NULL ) { status_line->msg = ""; return 0; }
+  status_line->msg = status_line->first_line + ( p - first_line_buf );
+  free( first_line_buf );
+
+  return 0;
+}
+
+void
+curlhelp_free_statusline (curlhelp_statusline *status_line)
+{
+  free (status_line->first_line);
+}
+
+void
+remove_newlines (char *s)
+{
+  char *p;
+
+  for (p = s; *p != '\0'; p++)
+    if (*p == '\r' || *p == '\n')
+      *p = ' ';
+}
+
+char *
+get_header_value (const struct phr_header* headers, const size_t nof_headers, const char* header)
+{
+  int i;
+  for( i = 0; i < nof_headers; i++ ) {
+    if( strncasecmp( header, headers[i].name, max( headers[i].name_len, 4 ) ) == 0 ) {
+      return strndup( headers[i].value, headers[i].value_len );
+    }
+  }
+  return NULL;
+}
+
+int
+check_document_dates (const curlhelp_write_curlbuf *header_buf, char (*msg)[DEFAULT_BUFFER_SIZE])
+{
+  char *server_date = NULL;
+  char *document_date = NULL;
+  int date_result = STATE_OK;
+  curlhelp_statusline status_line;
+  struct phr_header headers[255];
+  size_t nof_headers = 255;
+  size_t msglen;
+
+  int res = phr_parse_response (header_buf->buf, header_buf->buflen,
+    &status_line.http_minor, &status_line.http_code, &status_line.msg, &msglen,
+    headers, &nof_headers, 0);
+
+  server_date = get_header_value (headers, nof_headers, "date");
+  document_date = get_header_value (headers, nof_headers, "last-modified");
+
+  if (!server_date || !*server_date) {
+    snprintf (*msg, DEFAULT_BUFFER_SIZE, _("%sServer date unknown, "), *msg);
+    date_result = max_state_alt(STATE_UNKNOWN, date_result);
+  } else if (!document_date || !*document_date) {
+    snprintf (*msg, DEFAULT_BUFFER_SIZE, _("%sDocument modification date unknown, "), *msg);
+    date_result = max_state_alt(STATE_CRITICAL, date_result);
+  } else {
+    time_t srv_data = curl_getdate (server_date, NULL);
+    time_t doc_data = curl_getdate (document_date, NULL);
+    if (verbose >= 2)
+      printf ("* server date: '%s' (%d), doc_date: '%s' (%d)\n", server_date, (int)srv_data, document_date, (int)doc_data);
+    if (srv_data <= 0) {
+      snprintf (*msg, DEFAULT_BUFFER_SIZE, _("%sServer date \"%100s\" unparsable, "), *msg, server_date);
+      date_result = max_state_alt(STATE_CRITICAL, date_result);
+    } else if (doc_data <= 0) {
+      snprintf (*msg, DEFAULT_BUFFER_SIZE, _("%sDocument date \"%100s\" unparsable, "), *msg, document_date);
+      date_result = max_state_alt(STATE_CRITICAL, date_result);
+    } else if (doc_data > srv_data + 30) {
+      snprintf (*msg, DEFAULT_BUFFER_SIZE, _("%sDocument is %d seconds in the future, "), *msg, (int)doc_data - (int)srv_data);
+      date_result = max_state_alt(STATE_CRITICAL, date_result);
+    } else if (doc_data < srv_data - maximum_age) {
+      int n = (srv_data - doc_data);
+      if (n > (60 * 60 * 24 * 2)) {
+        snprintf (*msg, DEFAULT_BUFFER_SIZE, _("%sLast modified %.1f days ago, "), *msg, ((float) n) / (60 * 60 * 24));
+        date_result = max_state_alt(STATE_CRITICAL, date_result);
+      } else {
+        snprintf (*msg, DEFAULT_BUFFER_SIZE, _("%sLast modified %d:%02d:%02d ago, "), *msg, n / (60 * 60), (n / 60) % 60, n % 60);
+        date_result = max_state_alt(STATE_CRITICAL, date_result);
+      }
+    }
+  }
+
+  if (server_date) free (server_date);
+  if (document_date) free (document_date);
+
+  return date_result;
+}
+
+
+int
+get_content_length (const curlhelp_write_curlbuf* header_buf, const curlhelp_write_curlbuf* body_buf)
+{
+  const char *s;
+  int content_length = 0;
+  char *copy;
+  struct phr_header headers[255];
+  size_t nof_headers = 255;
+  size_t msglen;
+  char *content_length_s = NULL;
+  curlhelp_statusline status_line;
+
+  int res = phr_parse_response (header_buf->buf, header_buf->buflen,
+    &status_line.http_minor, &status_line.http_code, &status_line.msg, &msglen,
+    headers, &nof_headers, 0);
+
+  content_length_s = get_header_value (headers, nof_headers, "content-length");
+  if (!content_length_s) {
+    return header_buf->buflen + body_buf->buflen;
+  }
+  content_length_s += strspn (content_length_s, " \t");
+  content_length = atoi (content_length_s);
+  if (content_length != body_buf->buflen) {
+    /* TODO: should we warn if the actual and the reported body length don't match? */
+  }
+
+  if (content_length_s) free (content_length_s);
+
+  return header_buf->buflen + body_buf->buflen;
+}
+
+/* TODO: is there a better way in libcurl to check for the SSL library? */
+curlhelp_ssl_library
+curlhelp_get_ssl_library (CURL* curl)
+{
+  curl_version_info_data* version_data;
+  char *ssl_version;
+  char *library;
+  curlhelp_ssl_library ssl_library = CURLHELP_SSL_LIBRARY_UNKNOWN;
+
+  version_data = curl_version_info (CURLVERSION_NOW);
+  if (version_data == NULL) return CURLHELP_SSL_LIBRARY_UNKNOWN;
+
+  ssl_version = strdup (version_data->ssl_version);
+  if (ssl_version == NULL ) return CURLHELP_SSL_LIBRARY_UNKNOWN;
+
+  library = strtok (ssl_version, "/");
+  if (library == NULL) return CURLHELP_SSL_LIBRARY_UNKNOWN;
+
+  if (strcmp (library, "OpenSSL") == 0)
+    ssl_library = CURLHELP_SSL_LIBRARY_OPENSSL;
+  else if (strcmp (library, "LibreSSL") == 0)
+    ssl_library = CURLHELP_SSL_LIBRARY_LIBRESSL;
+  else if (strcmp (library, "GnuTLS") == 0)
+    ssl_library = CURLHELP_SSL_LIBRARY_GNUTLS;
+  else if (strcmp (library, "NSS") == 0)
+    ssl_library = CURLHELP_SSL_LIBRARY_NSS;
+
+  if (verbose >= 2)
+    printf ("* SSL library string is : %s %s (%d)\n", version_data->ssl_version, library, ssl_library);
+
+  free (ssl_version);
+
+  return ssl_library;
+}
+
+const char*
+curlhelp_get_ssl_library_string (curlhelp_ssl_library ssl_library)
+{
+  switch (ssl_library) {
+    case CURLHELP_SSL_LIBRARY_OPENSSL:
+      return "OpenSSL";
+    case CURLHELP_SSL_LIBRARY_LIBRESSL:
+      return "LibreSSL";
+    case CURLHELP_SSL_LIBRARY_GNUTLS:
+      return "GnuTLS";
+    case CURLHELP_SSL_LIBRARY_NSS:
+      return "NSS";
+    case CURLHELP_SSL_LIBRARY_UNKNOWN:
+    default:
+      return "unknown";
+  }
+}
+
+#ifdef LIBCURL_FEATURE_SSL
+#ifndef USE_OPENSSL
+time_t
+parse_cert_date (const char *s)
+{
+  struct tm tm;
+  time_t date;
+  char *res;
+
+  if (!s) return -1;
+
+  /* Jan 17 14:25:12 2020 GMT */
+  res = strptime (s, "%Y-%m-%d %H:%M:%S GMT", &tm);
+  /* Sep 11 12:00:00 2020 GMT */
+  if (res == NULL) strptime (s, "%Y %m %d %H:%M:%S GMT", &tm);
+  date = mktime (&tm);
+
+  return date;
+}
+
+/* TODO: this needs cleanup in the sslutils.c, maybe we the #else case to
+ * OpenSSL could be this function
+ */
+int
+net_noopenssl_check_certificate (cert_ptr_union* cert_ptr, int days_till_exp_warn, int days_till_exp_crit)
+{
+  int i;
+  struct curl_slist* slist;
+  int cname_found = 0;
+  char* start_date_str = NULL;
+  char* end_date_str = NULL;
+  time_t start_date;
+  time_t end_date;
+        char *tz;
+        float time_left;
+        int days_left;
+        int time_remaining;
+        char timestamp[50] = "";
+        int status = STATE_UNKNOWN;
+
+  if (verbose >= 2)
+    printf ("**** REQUEST CERTIFICATES ****\n");
+
+  for (i = 0; i < cert_ptr->to_certinfo->num_of_certs; i++) {
+    for (slist = cert_ptr->to_certinfo->certinfo[i]; slist; slist = slist->next) {
+      /* find first common name in subject,
+       * TODO: check alternative subjects for
+       * TODO: have a decent parser here and not a hack
+       * multi-host certificate, check wildcards
+       */
+      if (strncasecmp (slist->data, "Subject:", 8) == 0) {
+        int d = 3;
+        char* p = strstr (slist->data, "CN=");
+        if (p == NULL) {
+          d = 5;
+          p = strstr (slist->data, "CN = ");
+        }
+        if (p != NULL) {
+          if (strncmp (host_name, p+d, strlen (host_name)) == 0) {
+            cname_found = 1;
+          }
+        }
+      } else if (strncasecmp (slist->data, "Start Date:", 11) == 0) {
+        start_date_str = &slist->data[11];
+      } else if (strncasecmp (slist->data, "Expire Date:", 12) == 0) {
+        end_date_str = &slist->data[12];
+      } else if (strncasecmp (slist->data, "Cert:", 5) == 0) {
+        goto HAVE_FIRST_CERT;
+      }
+      if (verbose >= 2)
+        printf ("%d ** %s\n", i, slist->data);
+    }
+  }
+HAVE_FIRST_CERT:
+
+  if (verbose >= 2)
+    printf ("**** REQUEST CERTIFICATES ****\n");
+
+  if (!cname_found) {
+                printf("%s\n",_("CRITICAL - Cannot retrieve certificate subject."));
+                return STATE_CRITICAL;
+  }
+
+  start_date = parse_cert_date (start_date_str);
+  if (start_date <= 0) {
+    snprintf (msg, DEFAULT_BUFFER_SIZE, _("WARNING - Unparsable 'Start Date' in certificate: '%s'"),
+      start_date_str);
+    puts (msg);
+    return STATE_WARNING;
+  }
+
+  end_date = parse_cert_date (end_date_str);
+  if (end_date <= 0) {
+    snprintf (msg, DEFAULT_BUFFER_SIZE, _("WARNING - Unparsable 'Expire Date' in certificate: '%s'"),
+      start_date_str);
+    puts (msg);
+    return STATE_WARNING;
+  }
+
+  time_left = difftime (end_date, time(NULL));
+        days_left = time_left / 86400;
+        tz = getenv("TZ");
+        setenv("TZ", "GMT", 1);
+        tzset();
+        strftime(timestamp, 50, "%c %z", localtime(&end_date));
+        if (tz)
+                setenv("TZ", tz, 1);
+        else
+                unsetenv("TZ");
+        tzset();
+
+        if (days_left > 0 && days_left <= days_till_exp_warn) {
+                printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", host_name, days_left, timestamp);
+                if (days_left > days_till_exp_crit)
+                        status = STATE_WARNING;
+                else
+                        status = STATE_CRITICAL;
+        } else if (days_left == 0 && time_left > 0) {
+                if (time_left >= 3600)
+                        time_remaining = (int) time_left / 3600;
+                else
+                        time_remaining = (int) time_left / 60;
+
+                printf (_("%s - Certificate '%s' expires in %u %s (%s)\n"),
+                        (days_left>days_till_exp_crit) ? "WARNING" : "CRITICAL", host_name, time_remaining,
+                        time_left >= 3600 ? "hours" : "minutes", timestamp);
+
+                if ( days_left > days_till_exp_crit)
+                        status = STATE_WARNING;
+                else
+                        status = STATE_CRITICAL;
+        } else if (time_left < 0) {
+                printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), host_name, timestamp);
+                status=STATE_CRITICAL;
+        } else if (days_left == 0) {
+                printf (_("%s - Certificate '%s' just expired (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", host_name, timestamp);
+                if (days_left > days_till_exp_crit)
+                        status = STATE_WARNING;
+                else
+                        status = STATE_CRITICAL;
+        } else {
+                printf(_("OK - Certificate '%s' will expire on %s.\n"), host_name, timestamp);
+                status = STATE_OK;
+        }
+        return status;
+}
+#endif /* USE_OPENSSL */
+#endif /* LIBCURL_FEATURE_SSL */
diff --git a/plugins/check_dbi.c b/plugins/check_dbi.c
index 826eb8d..ced13d0 100644
--- a/plugins/check_dbi.c
+++ b/plugins/check_dbi.c
@@ -35,6 +35,7 @@ const char *email = "devel@monitoring-plugins.org";
 
 #include "common.h"
 #include "utils.h"
+#include "utils_cmd.h"
 
 #include "netutils.h"
 
diff --git a/plugins/check_disk.c b/plugins/check_disk.c
index e73a008..844e625 100644
--- a/plugins/check_disk.c
+++ b/plugins/check_disk.c
@@ -141,6 +141,7 @@ int erronly = FALSE;
 int display_mntp = FALSE;
 int exact_match = FALSE;
 int freespace_ignore_reserved = FALSE;
+int display_inodes_perfdata = FALSE;
 char *warn_freespace_units = NULL;
 char *crit_freespace_units = NULL;
 char *warn_freespace_percent = NULL;
@@ -167,6 +168,7 @@ main (int argc, char **argv)
   char *output;
   char *details;
   char *perf;
+  char *perf_ilabel;
   char *preamble;
   char *flag_header;
   double inode_space_pct;
@@ -186,6 +188,7 @@ main (int argc, char **argv)
   output = strdup ("");
   details = strdup ("");
   perf = strdup ("");
+  perf_ilabel = strdup ("");
   stat_buf = malloc(sizeof *stat_buf);
 
   setlocale (LC_ALL, "");
@@ -348,6 +351,29 @@ main (int argc, char **argv)
                           TRUE, 0,
                           TRUE, path->dtotal_units));
 
+      if (display_inodes_perfdata) {
+        /* *_high_tide must be reinitialized at each run */
+        warning_high_tide = UINT_MAX;
+        critical_high_tide = UINT_MAX;
+
+        if (path->freeinodes_percent->warning != NULL) {
+          warning_high_tide = abs( min( (double) warning_high_tide, (double) (1.0 - path->freeinodes_percent->warning->end/100)*path->inodes_total ));
+        }
+        if (path->freeinodes_percent->critical != NULL) {
+          critical_high_tide = abs( min( (double) critical_high_tide, (double) (1.0 - path->freeinodes_percent->critical->end/100)*path->inodes_total ));
+        }
+
+        xasprintf (&perf_ilabel, "%s (inodes)", (!strcmp(me->me_mountdir, "none") || display_mntp) ? me->me_devname : me->me_mountdir);
+        /* Nb: *_high_tide are unset when == UINT_MAX */
+        xasprintf (&perf, "%s %s", perf,
+                   perfdata (perf_ilabel,
+                             path->inodes_used, "",
+                             (warning_high_tide != UINT_MAX ? TRUE : FALSE), warning_high_tide,
+                             (critical_high_tide != UINT_MAX ? TRUE : FALSE), critical_high_tide,
+                             TRUE, 0,
+                             TRUE, path->inodes_total));
+      }
+
       if (disk_result==STATE_OK && erronly && !verbose)
         continue;
 
@@ -455,6 +481,7 @@ process_arguments (int argc, char **argv)
     {"ignore-eregi-partition", required_argument, 0, 'I'},
     {"local", no_argument, 0, 'l'},
     {"stat-remote-fs", no_argument, 0, 'L'},
+    {"iperfdata", no_argument, 0, 'P'},
     {"mountpoint", no_argument, 0, 'M'},
     {"errors-only", no_argument, 0, 'e'},
     {"exact-match", no_argument, 0, 'E'},
@@ -477,7 +504,7 @@ process_arguments (int argc, char **argv)
       strcpy (argv[c], "-t");
 
   while (1) {
-    c = getopt_long (argc, argv, "+?VqhvefCt:c:w:K:W:u:p:x:X:N:mklLg:R:r:i:I:MEA", longopts, &option);
+    c = getopt_long (argc, argv, "+?VqhvefCt:c:w:K:W:u:p:x:X:N:mklLPg:R:r:i:I:MEA", longopts, &option);
 
     if (c == -1 || c == EOF)
       break;
@@ -582,9 +609,13 @@ process_arguments (int argc, char **argv)
       break;
     case 'L':
       stat_remote_fs = 1;
+      /* fallthrough */
     case 'l':
       show_local_fs = 1;
       break;
+    case 'P':
+      display_inodes_perfdata = 1;
+      break;
     case 'p':                 /* select path */
       if (! (warn_freespace_units || crit_freespace_units || warn_freespace_percent ||
              crit_freespace_percent || warn_usedspace_units || crit_usedspace_units ||
@@ -904,6 +935,8 @@ print_help (void)
   printf ("    %s\n", _("Display only devices/mountpoints with errors"));
   printf (" %s\n", "-f, --freespace-ignore-reserved");
   printf ("    %s\n", _("Don't account root-reserved blocks into freespace in perfdata"));
+  printf (" %s\n", "-P, --iperfdata");
+  printf ("    %s\n", _("Display inode usage in perfdata"));
   printf (" %s\n", "-g, --group=NAME");
   printf ("    %s\n", _("Group paths. Thresholds apply to (free-)space of all partitions together"));
   printf (" %s\n", "-k, --kilobytes");
@@ -1012,6 +1045,8 @@ get_stats (struct parameter_list *p, struct fs_usage *fsp) {
           p->dtotal_units += p_list->dtotal_units;
           p->inodes_total += p_list->inodes_total;
           p->inodes_free  += p_list->inodes_free;
+          p->inodes_free_to_root  += p_list->inodes_free_to_root;
+          p->inodes_used  += p_list->inodes_used;
         }
         first = 0;
       }
@@ -1050,7 +1085,18 @@ get_path_stats (struct parameter_list *p, struct fs_usage *fsp) {
   p->dused_units = p->used*fsp->fsu_blocksize/mult;
   p->dfree_units = p->available*fsp->fsu_blocksize/mult;
   p->dtotal_units = p->total*fsp->fsu_blocksize/mult;
-  p->inodes_total = fsp->fsu_files;      /* Total file nodes. */
-  p->inodes_free  = fsp->fsu_ffree;      /* Free file nodes. */
+  /* Free file nodes. Not sure the workaround is required, but in case...*/
+  p->inodes_free  = fsp->fsu_favail > fsp->fsu_ffree ? 0 : fsp->fsu_favail;
+  p->inodes_free_to_root  = fsp->fsu_ffree; /* Free file nodes for root. */
+  p->inodes_used = fsp->fsu_files - fsp->fsu_ffree;
+  if (freespace_ignore_reserved) {
+    /* option activated : we substract the root-reserved inodes from the total */
+    /* not all OS report fsp->fsu_favail, only the ones with statvfs syscall */
+    /* for others, fsp->fsu_ffree == fsp->fsu_favail */
+    p->inodes_total = fsp->fsu_files - p->inodes_free_to_root + p->inodes_free;
+  } else {
+    /* default behaviour : take all the inodes into account */
+    p->inodes_total = fsp->fsu_files;
+  }
   np_add_name(&seen, p->best_match->me_mountdir);
 }
diff --git a/plugins/check_dns.c b/plugins/check_dns.c
index f206163..b90f50e 100644
--- a/plugins/check_dns.c
+++ b/plugins/check_dns.c
@@ -56,6 +56,7 @@ char **expected_address = NULL;
 int expected_address_cnt = 0;
 
 int expect_authority = FALSE;
+int all_match = FALSE;
 thresholds *time_thresholds = NULL;
 
 static int
@@ -168,8 +169,8 @@ main (int argc, char **argv)
       temp_buffer++;
 
       /* Strip leading spaces */
-      for (; *temp_buffer != '\0' && *temp_buffer == ' '; temp_buffer++)
-        /* NOOP */;
+      while (*temp_buffer == ' ')
+        temp_buffer++;
 
       strip(temp_buffer);
       if (temp_buffer==NULL || strlen(temp_buffer)==0) {
@@ -201,7 +202,10 @@ main (int argc, char **argv)
     if (error_scan (chld_err.line[i]) != STATE_OK) {
       result = max_state (result, error_scan (chld_err.line[i]));
       msg = strchr(input_buffer, ':');
-      if(msg) msg++;
+      if(msg)
+         msg++;
+      else
+         msg = input_buffer;
     }
   }
 
@@ -228,16 +232,27 @@ main (int argc, char **argv)
   if (result == STATE_OK && expected_address_cnt > 0) {
     result = STATE_CRITICAL;
     temp_buffer = "";
+    unsigned long expect_match = (1 << expected_address_cnt) - 1;
+    unsigned long addr_match = (1 << n_addresses) - 1;
 
     for (i=0; i<expected_address_cnt; i++) {
+      int j;
       /* check if we get a match on 'raw' ip or cidr */
-      if ( strcmp(address, expected_address[i]) == 0
-           || ip_match_cidr(address, expected_address[i]) )
-        result = STATE_OK;
+      for (j=0; j<n_addresses; j++) {
+        if ( strcmp(addresses[j], expected_address[i]) == 0
+             || ip_match_cidr(addresses[j], expected_address[i]) ) {
+          result = STATE_OK;
+          addr_match &= ~(1 << j);
+          expect_match &= ~(1 << i);
+        }
+      }
 
       /* prepare an error string */
       xasprintf(&temp_buffer, "%s%s; ", temp_buffer, expected_address[i]);
     }
+    /* check if expected_address must cover all in addresses and none may be missing */
+    if (all_match && (expect_match != 0 || addr_match != 0))
+      result = STATE_CRITICAL;
     if (result == STATE_CRITICAL) {
       /* Strip off last semicolon... */
       temp_buffer[strlen(temp_buffer)-2] = '\0';
@@ -336,6 +351,8 @@ error_scan (char *input_buffer)
   /* DNS server is not running... */
   else if (strstr (input_buffer, "No response from server"))
     die (STATE_CRITICAL, _("No response from DNS %s\n"), dns_server);
+  else if (strstr (input_buffer, "no servers could be reached"))
+    die (STATE_CRITICAL, _("No response from DNS %s\n"), dns_server);
 
   /* Host name is valid, but server doesn't have records... */
   else if (strstr (input_buffer, "No records"))
@@ -401,6 +418,7 @@ process_arguments (int argc, char **argv)
     {"reverse-server", required_argument, 0, 'r'},
     {"expected-address", required_argument, 0, 'a'},
     {"expect-authority", no_argument, 0, 'A'},
+    {"all", no_argument, 0, 'L'},
     {"warning", required_argument, 0, 'w'},
     {"critical", required_argument, 0, 'c'},
     {0, 0, 0, 0}
@@ -414,7 +432,7 @@ process_arguments (int argc, char **argv)
       strcpy (argv[c], "-t");
 
   while (1) {
-    c = getopt_long (argc, argv, "hVvAt:H:s:r:a:w:c:", long_opts, &opt_index);
+    c = getopt_long (argc, argv, "hVvALt:H:s:r:a:w:c:", long_opts, &opt_index);
 
     if (c == -1 || c == EOF)
       break;
@@ -462,6 +480,9 @@ process_arguments (int argc, char **argv)
     case 'A': /* expect authority */
       expect_authority = TRUE;
       break;
+    case 'L': /* all must match */
+      all_match = TRUE;
+      break;
     case 'w':
       warning = optarg;
       break;
@@ -530,14 +551,16 @@ print_help (void)
   printf (" -a, --expected-address=IP-ADDRESS|CIDR|HOST\n");
   printf ("    %s\n", _("Optional IP-ADDRESS/CIDR you expect the DNS server to return. HOST must end"));
   printf ("    %s\n", _("with a dot (.). This option can be repeated multiple times (Returns OK if any"));
-  printf ("    %s\n", _("value match). If multiple addresses are returned at once, you have to match"));
-  printf ("    %s\n", _("the whole string of addresses separated with commas (sorted alphabetically)."));
+  printf ("    %s\n", _("value matches)."));
   printf (" -A, --expect-authority\n");
   printf ("    %s\n", _("Optionally expect the DNS server to be authoritative for the lookup"));
   printf (" -w, --warning=seconds\n");
   printf ("    %s\n", _("Return warning if elapsed time exceeds value. Default off"));
   printf (" -c, --critical=seconds\n");
   printf ("    %s\n", _("Return critical if elapsed time exceeds value. Default off"));
+  printf (" -L, --all\n");
+  printf ("    %s\n", _("Return critical if the list of expected addresses does not match all addresses"));
+  printf ("    %s\n", _("returned. Default off"));
 
   printf (UT_CONN_TIMEOUT, DEFAULT_SOCKET_TIMEOUT);
 
@@ -549,5 +572,5 @@ void
 print_usage (void)
 {
   printf ("%s\n", _("Usage:"));
-  printf ("%s -H host [-s server] [-a expected-address] [-A] [-t timeout] [-w warn] [-c crit]\n", progname);
+  printf ("%s -H host [-s server] [-a expected-address] [-A] [-t timeout] [-w warn] [-c crit] [-L]\n", progname);
 }
diff --git a/plugins/check_hpjd.c b/plugins/check_hpjd.c
index f159f5a..6546556 100644
--- a/plugins/check_hpjd.c
+++ b/plugins/check_hpjd.c
@@ -67,6 +67,7 @@ void print_usage (void);
 char *community = NULL;
 char *address = NULL;
 char *port = NULL;
+int  check_paper_out = 1;
 
 int
 main (int argc, char **argv)
@@ -240,7 +241,8 @@ main (int argc, char **argv)
                         strcpy (errmsg, _("Paper Jam"));
                 }
                 else if (paper_out) {
-                        result = STATE_WARNING;
+                        if (check_paper_out)
+                                result = STATE_WARNING;
                         strcpy (errmsg, _("Out of Paper"));
                 }
                 else if (line_status == OFFLINE) {
@@ -325,7 +327,7 @@ process_arguments (int argc, char **argv)
 
 
         while (1) {
-                c = getopt_long (argc, argv, "+hVH:C:p:", longopts, &option);
+                c = getopt_long (argc, argv, "+hVH:C:p:D", longopts, &option);
 
                 if (c == -1 || c == EOF || c == 1)
                         break;
@@ -347,6 +349,8 @@ process_arguments (int argc, char **argv)
                                 usage2 (_("Port must be a positive short integer"), optarg);
                         else
                                 port = atoi(optarg);
+                case 'D':                                                                       /* disable paper out check*/
+                        check_paper_out = 0;
                         break;
                 case 'V':                                                                       /* version */
                         print_revision (progname, NP_VERSION);
@@ -420,6 +424,8 @@ print_help (void)
         printf ("    %s", _("Specify the port to check "));
         printf (_("(default=%s)"), DEFAULT_PORT);
         printf ("\n");
+        printf (" %s\n", "-D");
+        printf ("    %s", _("Disable paper check "));
 
         printf (UT_SUPPORT);
 }
@@ -430,5 +436,5 @@ void
 print_usage (void)
 {
   printf ("%s\n", _("Usage:"));
-        printf ("%s -H host [-C community] [-p port]\n", progname);
+        printf ("%s -H host [-C community] [-p port] [-D]\n", progname);
 }
diff --git a/plugins/check_http.c b/plugins/check_http.c
index 2e393eb..e2298b1 100644
--- a/plugins/check_http.c
+++ b/plugins/check_http.c
@@ -120,12 +120,14 @@ int use_ssl = FALSE;
 int use_sni = FALSE;
 int verbose = FALSE;
 int show_extended_perfdata = FALSE;
+int show_body = FALSE;
 int sd;
 int min_page_len = 0;
 int max_page_len = 0;
 int redir_depth = 0;
 int max_depth = 15;
 char *http_method;
+char *http_method_proxy;
 char *http_post_data;
 char *http_content_type;
 char buffer[MAX_INPUT_BUFFER];
@@ -239,6 +241,7 @@ process_arguments (int argc, char **argv)
     {"use-ipv4", no_argument, 0, '4'},
     {"use-ipv6", no_argument, 0, '6'},
     {"extended-perfdata", no_argument, 0, 'E'},
+    {"show-body", no_argument, 0, 'B'},
     {0, 0, 0, 0}
   };
 
@@ -259,7 +262,7 @@ process_arguments (int argc, char **argv)
   }
 
   while (1) {
-    c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:d:e:p:s:R:r:u:f:C:J:K:nlLS::m:M:NE", longopts, &option);
+    c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:d:e:p:s:R:r:u:f:C:J:K:nlLS::m:M:NEB", longopts, &option);
     if (c == -1 || c == EOF)
       break;
 
@@ -446,6 +449,12 @@ process_arguments (int argc, char **argv)
       if (http_method)
         free(http_method);
       http_method = strdup (optarg);
+      char *tmp;
+      if ((tmp = strstr(http_method, ":")) > 0) {
+        tmp[0] = '\0';
+        http_method = http_method;
+        http_method_proxy = ++tmp;
+      }
       break;
     case 'd': /* string or substring */
       strncpy (header_expect, optarg, MAX_INPUT_BUFFER - 1);
@@ -540,6 +549,9 @@ process_arguments (int argc, char **argv)
     case 'E': /* show extended perfdata */
       show_extended_perfdata = TRUE;
       break;
+    case 'B': /* print body content after status line */
+      show_body = TRUE;
+      break;
     }
   }
 
@@ -566,6 +578,9 @@ process_arguments (int argc, char **argv)
   if (http_method == NULL)
     http_method = strdup ("GET");
 
+  if (http_method_proxy == NULL)
+    http_method_proxy = strdup ("GET");
+
   if (client_cert && !client_privkey)
     usage4 (_("If you use a client certificate you must also specify a private key file"));
 
@@ -965,7 +980,7 @@ check_http (void)
 
   if ( server_address != NULL && strcmp(http_method, "CONNECT") == 0
        && host_name != NULL && use_ssl == TRUE)
-    asprintf (&buf, "%s %s %s\r\n%s\r\n", "GET", server_url, host_name ? "HTTP/1.1" : "HTTP/1.0", user_agent);
+    asprintf (&buf, "%s %s %s\r\n%s\r\n", http_method_proxy, server_url, host_name ? "HTTP/1.1" : "HTTP/1.0", user_agent);
   else
     asprintf (&buf, "%s %s %s\r\n%s\r\n", http_method, server_url, host_name ? "HTTP/1.1" : "HTTP/1.0", user_agent);
 
@@ -1155,6 +1170,8 @@ check_http (void)
       xasprintf (&msg,
                 _("Invalid HTTP response received from host on port %d: %s\n"),
                 server_port, status_line);
+    if (show_body)
+        xasprintf (&msg, _("%s\n%s"), msg, page);
     die (STATE_CRITICAL, "HTTP CRITICAL - %s", msg);
   }
 
@@ -1305,6 +1322,9 @@ check_http (void)
            perfd_time (elapsed_time),
            perfd_size (page_len));
 
+  if (show_body)
+    xasprintf (&msg, _("%s\n%s"), msg, page);
+
   result = max_state_alt(get_status(elapsed_time, thlds), result);
 
   die (result, "HTTP %s: %s\n", state_text(result), msg);
@@ -1596,7 +1616,7 @@ print_help (void)
   printf ("    %s\n", _("URL to GET or POST (default: /)"));
   printf (" %s\n", "-P, --post=STRING");
   printf ("    %s\n", _("URL encoded http POST data"));
-  printf (" %s\n", "-j, --method=STRING  (for example: HEAD, OPTIONS, TRACE, PUT, DELETE, CONNECT)");
+  printf (" %s\n", "-j, --method=STRING  (for example: HEAD, OPTIONS, TRACE, PUT, DELETE, CONNECT, CONNECT:POST)");
   printf ("    %s\n", _("Set HTTP method."));
   printf (" %s\n", "-N, --no-body");
   printf ("    %s\n", _("Don't wait for document body: stop reading after headers."));
@@ -1626,6 +1646,8 @@ print_help (void)
   printf ("    %s\n", _("Any other tags to be sent in http header. Use multiple times for additional headers"));
   printf (" %s\n", "-E, --extended-perfdata");
   printf ("    %s\n", _("Print additional performance data"));
+  printf (" %s\n", "-B, --show-body");
+  printf ("    %s\n", _("Print body content below status line"));
   printf (" %s\n", "-L, --link");
   printf ("    %s\n", _("Wrap output in HTML link (obsoleted by urlize)"));
   printf (" %s\n", "-f, --onredirect=<ok|warning|critical|follow|sticky|stickyport>");
@@ -1683,7 +1705,8 @@ print_help (void)
   printf (" %s\n", _("all these options are needed: -I <proxy> -p <proxy-port> -u <check-url> -S(sl) -j CONNECT -H <webserver>"));
   printf (" %s\n", _("a STATE_OK will be returned. When the server returns its content but exceeds"));
   printf (" %s\n", _("the 5-second threshold, a STATE_WARNING will be returned. When an error occurs,"));
-  printf (" %s\n", _("a STATE_CRITICAL will be returned."));
+  printf (" %s\n", _("a STATE_CRITICAL will be returned. By adding a colon to the method you can set the method used"));
+  printf (" %s\n", _("inside the proxied connection: -j CONNECT:POST"));
 
 #endif
 
diff --git a/plugins/check_load.c b/plugins/check_load.c
index b1cc498..bf7b94b 100644
--- a/plugins/check_load.c
+++ b/plugins/check_load.c
@@ -33,6 +33,7 @@ const char *copyright = "1999-2007";
 const char *email = "devel@monitoring-plugins.org";
 
 #include "common.h"
+#include "runcmd.h"
 #include "utils.h"
 #include "popen.h"
 
@@ -52,6 +53,9 @@ static int process_arguments (int argc, char **argv);
 static int validate_arguments (void);
 void print_help (void);
 void print_usage (void);
+static int print_top_consuming_processes();
+
+static int n_procs_to_show = 0;
 
 /* strictly for pretty-print usage in loops */
 static const int nums[3] = { 1, 5, 15 };
@@ -210,6 +214,9 @@ main (int argc, char **argv)
                 printf("load%d=%.3f;%.3f;%.3f;0; ", nums[i], la[i], wload[i], cload[i]);
 
         putchar('\n');
+        if (n_procs_to_show > 0) {
+                print_top_consuming_processes();
+        }
         return result;
 }
 
@@ -227,6 +234,7 @@ process_arguments (int argc, char **argv)
                 {"percpu", no_argument, 0, 'r'},
                 {"version", no_argument, 0, 'V'},
                 {"help", no_argument, 0, 'h'},
+                {"procs-to-show", required_argument, 0, 'n'},
                 {0, 0, 0, 0}
         };
 
@@ -234,7 +242,7 @@ process_arguments (int argc, char **argv)
                 return ERROR;
 
         while (1) {
-                c = getopt_long (argc, argv, "Vhrc:w:", longopts, &option);
+                c = getopt_long (argc, argv, "Vhrc:w:n:", longopts, &option);
 
                 if (c == -1 || c == EOF)
                         break;
@@ -255,6 +263,9 @@ process_arguments (int argc, char **argv)
                 case 'h':                                                                       /* help */
                         print_help ();
                         exit (STATE_UNKNOWN);
+                case 'n':
+                        n_procs_to_show = atoi(optarg);
+                        break;
                 case '?':                                                                       /* help */
                         usage5 ();
                 }
@@ -324,6 +335,9 @@ print_help (void)
   printf ("    %s\n", _("the load average format is the same used by \"uptime\" and \"w\""));
   printf (" %s\n", "-r, --percpu");
   printf ("    %s\n", _("Divide the load averages by the number of CPUs (when possible)"));
+  printf (" %s\n", "-n, --procs-to-show=NUMBER_OF_PROCS");
+  printf ("    %s\n", _("Number of processes to show when printing the top consuming processes."));
+  printf ("    %s\n", _("NUMBER_OF_PROCS=0 disables this feature. Default value is 0"));
 
         printf (UT_SUPPORT);
 }
@@ -332,5 +346,48 @@ void
 print_usage (void)
 {
   printf ("%s\n", _("Usage:"));
-        printf ("%s [-r] -w WLOAD1,WLOAD5,WLOAD15 -c CLOAD1,CLOAD5,CLOAD15\n", progname);
+  printf ("%s [-r] -w WLOAD1,WLOAD5,WLOAD15 -c CLOAD1,CLOAD5,CLOAD15 [-n NUMBER_OF_PROCS]\n", progname);
+}
+
+#ifdef PS_USES_PROCPCPU
+int cmpstringp(const void *p1, const void *p2) {
+        int procuid = 0;
+        int procpid = 0;
+        int procppid = 0;
+        int procvsz = 0;
+        int procrss = 0;
+        float procpcpu = 0;
+        char procstat[8];
+#ifdef PS_USES_PROCETIME
+        char procetime[MAX_INPUT_BUFFER];
+#endif /* PS_USES_PROCETIME */
+        char procprog[MAX_INPUT_BUFFER];
+        int pos;
+        sscanf (* (char * const *) p1, PS_FORMAT, PS_VARLIST);
+        float procpcpu1 = procpcpu;
+        sscanf (* (char * const *) p2, PS_FORMAT, PS_VARLIST);
+        return procpcpu1 < procpcpu;
+}
+#endif /* PS_USES_PROCPCPU */
+
+static int print_top_consuming_processes() {
+        int i = 0;
+        struct output chld_out, chld_err;
+        if(np_runcmd(PS_COMMAND, &chld_out, &chld_err, 0) != 0){
+                fprintf(stderr, _("'%s' exited with non-zero status.\n"), PS_COMMAND);
+                return STATE_UNKNOWN;
+        }
+        if (chld_out.lines < 2) {
+                fprintf(stderr, _("some error occurred getting procs list.\n"));
+                return STATE_UNKNOWN;
+        }
+#ifdef PS_USES_PROCPCPU
+        qsort(chld_out.line + 1, chld_out.lines - 1, sizeof(char*), cmpstringp);
+#endif /* PS_USES_PROCPCPU */
+        int lines_to_show = chld_out.lines < (n_procs_to_show + 1)
+                        ? chld_out.lines : n_procs_to_show + 1;
+        for (i = 0; i < lines_to_show; i += 1) {
+                printf("%s\n", chld_out.line[i]);
+        }
+        return OK;
 }
diff --git a/plugins/check_mysql.c b/plugins/check_mysql.c
index 5773afd..0cba50e 100644
--- a/plugins/check_mysql.c
+++ b/plugins/check_mysql.c
@@ -379,6 +379,9 @@ process_arguments (int argc, char **argv)
                         if (is_host (optarg)) {
                                 db_host = optarg;
                         }
+                        else if (*optarg == '/') {
+                                db_socket = optarg;
+                        }
                         else {
                                 usage2 (_("Invalid hostname/address"), optarg);
                         }
diff --git a/plugins/check_pgsql.c b/plugins/check_pgsql.c
index 5cd4709..11ce691 100644
--- a/plugins/check_pgsql.c
+++ b/plugins/check_pgsql.c
@@ -34,6 +34,7 @@ const char *email = "devel@monitoring-plugins.org";
 
 #include "common.h"
 #include "utils.h"
+#include "utils_cmd.h"
 
 #include "netutils.h"
 #include <libpq-fe.h>
diff --git a/plugins/check_procs.c b/plugins/check_procs.c
index 4bcc56b..f7917c3 100644
--- a/plugins/check_procs.c
+++ b/plugins/check_procs.c
@@ -764,6 +764,11 @@ be the total number of running processes\n\n"));
   printf (" %s\n", "check_procs -w 2:2 -c 2:1024 -C portsentry");
   printf ("  %s\n", _("Warning if not two processes with command name portsentry."));
   printf ("  %s\n\n", _("Critical if < 2 or > 1024 processes"));
+  printf (" %s\n", "check_procs -c 1: -C sshd");
+  printf ("  %s\n", _("Critical if not at least 1 process with command sshd"));
+  printf (" %s\n", "check_procs -w 1024 -c 1: -C sshd");
+  printf ("  %s\n", _("Warning if > 1024 processes with command name sshd."));
+  printf ("  %s\n\n", _("Critical if < 1 processes with command name sshd."));
   printf (" %s\n", "check_procs -w 10 -a '/usr/local/bin/perl' -u root");
   printf ("  %s\n", _("Warning alert if > 10 processes with command arguments containing"));
   printf ("  %s\n\n", _("'/usr/local/bin/perl' and owned by root"));
diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c
index 0fcf4c6..d37c57c 100644
--- a/plugins/check_smtp.c
+++ b/plugins/check_smtp.c
@@ -293,6 +293,7 @@ main (int argc, char **argv)
                     printf("%s", buffer);
                 }
 
+                n = 0;
                 while (n < ncommands) {
                         xasprintf (&cmd_str, "%s%s", commands[n], "\r\n");
                         my_send(cmd_str, strlen(cmd_str));
diff --git a/plugins/check_snmp.c b/plugins/check_snmp.c
index da9638c..e8a21a4 100644
--- a/plugins/check_snmp.c
+++ b/plugins/check_snmp.c
@@ -1207,8 +1207,9 @@ print_help (void)
         printf ("    %s\n", _("Separates output on multiple OID requests"));
 
         printf (UT_CONN_TIMEOUT, DEFAULT_SOCKET_TIMEOUT);
+        printf ("    %s\n", _("NOTE the final timeout value is calculated using this formula: timeout_interval * retries + 5"));
         printf (" %s\n", "-e, --retries=INTEGER");
-        printf ("    %s\n", _("Number of retries to be used in the requests"));
+        printf ("    %s%i\n", _("Number of retries to be used in the requests, default: "), DEFAULT_RETRIES);
 
         printf (" %s\n", "-O, --perf-oids");
         printf ("    %s\n", _("Label performance data with OIDs instead of --label's"));
diff --git a/plugins/check_swap.c b/plugins/check_swap.c
index 4d5a407..0ff0c77 100644
--- a/plugins/check_swap.c
+++ b/plugins/check_swap.c
@@ -51,7 +51,7 @@ const char *email = "devel@monitoring-plugins.org";
 # define SWAP_CONVERSION 1
 #endif
 
-int check_swap (int usp, float free_swap_mb);
+int check_swap (int usp, float free_swap_mb, float total_swap_mb);
 int process_arguments (int argc, char **argv);
 int validate_arguments (void);
 void print_usage (void);
@@ -128,7 +128,7 @@ main (int argc, char **argv)
                                         percent=100.0;
                                 else
                                         percent = 100 * (((double) dskused_mb) / ((double) dsktotal_mb));
-                                result = max_state (result, check_swap (percent, dskfree_mb));
+                                result = max_state (result, check_swap (percent, dskfree_mb, dsktotal_mb));
                                 if (verbose)
                                         xasprintf (&status, "%s [%.0f (%d%%)]", status, dskfree_mb, 100 - percent);
                         }
@@ -227,7 +227,7 @@ main (int argc, char **argv)
                         free_swap_mb += dskfree_mb;
                         if (allswaps) {
                                 percent = 100 * (((double) dskused_mb) / ((double) dsktotal_mb));
-                                result = max_state (result, check_swap (percent, dskfree_mb));
+                                result = max_state (result, check_swap (percent, dskfree_mb, dsktotal_mb));
                                 if (verbose)
                                         xasprintf (&status, "%s [%.0f (%d%%)]", status, dskfree_mb, 100 - percent);
                         }
@@ -289,7 +289,7 @@ main (int argc, char **argv)
 
                 if(allswaps && dsktotal_mb > 0){
                         percent = 100 * (((double) dskused_mb) / ((double) dsktotal_mb));
-                        result = max_state (result, check_swap (percent, dskfree_mb));
+                        result = max_state (result, check_swap (percent, dskfree_mb, dsktotal_mb));
                         if (verbose) {
                                 xasprintf (&status, "%s [%.0f (%d%%)]", status, dskfree_mb, 100 - percent);
                         }
@@ -328,7 +328,7 @@ main (int argc, char **argv)
 
                 if(allswaps && dsktotal_mb > 0){
                         percent = 100 * (((double) dskused_mb) / ((double) dsktotal_mb));
-                        result = max_state (result, check_swap (percent, dskfree_mb));
+                        result = max_state (result, check_swap (percent, dskfree_mb, dsktotal_mb));
                         if (verbose) {
                                 xasprintf (&status, "%s [%.0f (%d%%)]", status, dskfree_mb, 100 - percent);
                         }
@@ -355,7 +355,7 @@ main (int argc, char **argv)
                 status = "- Swap is either disabled, not present, or of zero size. ";
         }
 
-        result = max_state (result, check_swap (percent_used, free_swap_mb));
+        result = max_state (result, check_swap (percent_used, free_swap_mb, total_swap_mb));
         printf (_("SWAP %s - %d%% free (%d MB out of %d MB) %s|"),
                         state_text (result),
                         (100 - percent_used), (int) free_swap_mb, (int) total_swap_mb, status);
@@ -372,10 +372,10 @@ main (int argc, char **argv)
 
 
 int
-check_swap (int usp, float free_swap_mb)
+check_swap (int usp, float free_swap_mb, float total_swap_mb)
 {
 
-        if (!free_swap_mb) return no_swap_state;
+        if (!total_swap_mb) return no_swap_state;
 
         int result = STATE_UNKNOWN;
         float free_swap = free_swap_mb * (1024 * 1024);         /* Convert back to bytes as warn and crit specified in bytes */
diff --git a/plugins/check_tcp.c b/plugins/check_tcp.c
index 61333bd..1365b9c 100644
--- a/plugins/check_tcp.c
+++ b/plugins/check_tcp.c
@@ -86,6 +86,11 @@ static char buffer[MAXBUF];
 static int expect_mismatch_state = STATE_WARNING;
 static int match_flags = NP_MATCH_EXACT;
 
+#ifdef HAVE_SSL
+static char *sni = NULL;
+static int sni_specified = FALSE;
+#endif
+
 #define FLAG_SSL 0x01
 #define FLAG_VERBOSE 0x02
 #define FLAG_TIME_WARN 0x04
@@ -241,7 +246,7 @@ main (int argc, char **argv)
 
 #ifdef HAVE_SSL
         if (flags & FLAG_SSL){
-                result = np_net_ssl_init(sd);
+                result = np_net_ssl_init_with_hostname(sd, (sni_specified ? sni : NULL));
                 if (result == STATE_OK && check_cert == TRUE) {
                         result = np_net_ssl_check_cert(days_till_exp_warn, days_till_exp_crit);
                 }
@@ -401,6 +406,10 @@ process_arguments (int argc, char **argv)
         int escape = 0;
         char *temp;
 
+        enum {
+                SNI_OPTION = CHAR_MAX + 1
+        };
+
         int option = 0;
         static struct option longopts[] = {
                 {"hostname", required_argument, 0, 'H'},
@@ -427,6 +436,7 @@ process_arguments (int argc, char **argv)
                 {"version", no_argument, 0, 'V'},
                 {"help", no_argument, 0, 'h'},
                 {"ssl", no_argument, 0, 'S'},
+                {"sni", required_argument, 0, SNI_OPTION},
                 {"certificate", required_argument, 0, 'D'},
                 {0, 0, 0, 0}
         };
@@ -604,6 +614,15 @@ process_arguments (int argc, char **argv)
                         die (STATE_UNKNOWN, _("Invalid option - SSL is not available"));
 #endif
                         break;
+                case SNI_OPTION:
+#ifdef HAVE_SSL
+                        flags |= FLAG_SSL;
+                        sni_specified = TRUE;
+                        sni = optarg;
+#else
+                        die (STATE_UNKNOWN, _("Invalid option - SSL is not available"));
+#endif
+                        break;
                 case 'A':
                         match_flags |= NP_MATCH_ALL;
                         break;
@@ -671,6 +690,8 @@ print_help (void)
   printf ("    %s\n", _("1st is #days for warning, 2nd is critical (if not specified - 0)."));
   printf (" %s\n", "-S, --ssl");
   printf ("    %s\n", _("Use SSL for the connection."));
+  printf (" %s\n", "--sni=STRING");
+  printf ("    %s\n", _("SSL server_name"));
 #endif
 
         printf (UT_WARN_CRIT);
diff --git a/plugins/common.h b/plugins/common.h
index 8719b50..0f08e2f 100644
--- a/plugins/common.h
+++ b/plugins/common.h
@@ -174,6 +174,11 @@
  *
  */
 
+/* MariaDB 10.2 client does not set MYSQL_PORT */
+#ifndef MYSQL_PORT
+#  define MYSQL_PORT 3306
+#endif
+
 enum {
         OK = 0,
         ERROR = -1
@@ -220,4 +225,18 @@ enum {
 # define __attribute__(x) /* do nothing */
 #endif
 
+/* Try sysconf(_SC_OPEN_MAX) first, as it can be higher than OPEN_MAX.
+ * If that fails and the macro isn't defined, we fall back to an educated
+ * guess. There's no guarantee that our guess is adequate and the program
+ * will die with SIGSEGV if it isn't and the upper boundary is breached. */
+#define DEFAULT_MAXFD  256   /* fallback value if no max open files value is set */
+#define MAXFD_LIMIT   8192   /* upper limit of open files */
+#ifdef _SC_OPEN_MAX
+static long maxfd = 0;
+#elif defined(OPEN_MAX)
+# define maxfd OPEN_MAX
+#else   /* sysconf macro unavailable, so guess (may be wildly inaccurate) */
+# define maxfd DEFAULT_MAXFD
+#endif
+
 #endif /* _COMMON_H_ */
diff --git a/plugins/picohttpparser/Makefile.am b/plugins/picohttpparser/Makefile.am
new file mode 100644
index 0000000..87e0531
--- /dev/null
+++ b/plugins/picohttpparser/Makefile.am
@@ -0,0 +1,3 @@
+noinst_LIBRARIES = libpicohttpparser.a
+
+libpicohttpparser_a_SOURCES = picohttpparser.c picohttpparser.h
diff --git a/plugins/picohttpparser/picohttpparser.c b/plugins/picohttpparser/picohttpparser.c
new file mode 100644
index 0000000..74ccc3e
--- /dev/null
+++ b/plugins/picohttpparser/picohttpparser.c
@@ -0,0 +1,645 @@
+/*
+ * Copyright (c) 2009-2014 Kazuho Oku, Tokuhiro Matsuno, Daisuke Murase,
+ *                         Shigeo Mitsunari
+ *
+ * The software is licensed under either the MIT License (below) or the Perl
+ * license.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to
+ * deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+ * sell copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ * IN THE SOFTWARE.
+ */
+
+#include <assert.h>
+#include <stddef.h>
+#include <string.h>
+#ifdef __SSE4_2__
+#ifdef _MSC_VER
+#include <nmmintrin.h>
+#else
+#include <x86intrin.h>
+#endif
+#endif
+#include "picohttpparser.h"
+
+#if __GNUC__ >= 3
+#define likely(x) __builtin_expect(!!(x), 1)
+#define unlikely(x) __builtin_expect(!!(x), 0)
+#else
+#define likely(x) (x)
+#define unlikely(x) (x)
+#endif
+
+#ifdef _MSC_VER
+#define ALIGNED(n) _declspec(align(n))
+#else
+#define ALIGNED(n) __attribute__((aligned(n)))
+#endif
+
+#define IS_PRINTABLE_ASCII(c) ((unsigned char)(c)-040u < 0137u)
+
+#define CHECK_EOF()                                                                                                                \
+    if (buf == buf_end) {                                                                                                          \
+        *ret = -2;                                                                                                                 \
+        return NULL;                                                                                                               \
+    }
+
+#define EXPECT_CHAR_NO_CHECK(ch)                                                                                                   \
+    if (*buf++ != ch) {                                                                                                            \
+        *ret = -1;                                                                                                                 \
+        return NULL;                                                                                                               \
+    }
+
+#define EXPECT_CHAR(ch)                                                                                                            \
+    CHECK_EOF();                                                                                                                   \
+    EXPECT_CHAR_NO_CHECK(ch);
+
+#define ADVANCE_TOKEN(tok, toklen)                                                                                                 \
+    do {                                                                                                                           \
+        const char *tok_start = buf;                                                                                               \
+        static const char ALIGNED(16) ranges2[16] = "\000\040\177\177";                                                            \
+        int found2;                                                                                                                \
+        buf = findchar_fast(buf, buf_end, ranges2, 4, &found2);                                                                    \
+        if (!found2) {                                                                                                             \
+            CHECK_EOF();                                                                                                           \
+        }                                                                                                                          \
+        while (1) {                                                                                                                \
+            if (*buf == ' ') {                                                                                                     \
+                break;                                                                                                             \
+            } else if (unlikely(!IS_PRINTABLE_ASCII(*buf))) {                                                                      \
+                if ((unsigned char)*buf < '\040' || *buf == '\177') {                                                              \
+                    *ret = -1;                                                                                                     \
+                    return NULL;                                                                                                   \
+                }                                                                                                                  \
+            }                                                                                                                      \
+            ++buf;                                                                                                                 \
+            CHECK_EOF();                                                                                                           \
+        }                                                                                                                          \
+        tok = tok_start;                                                                                                           \
+        toklen = buf - tok_start;                                                                                                  \
+    } while (0)
+
+static const char *token_char_map = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
+                                    "\0\1\0\1\1\1\1\1\0\0\1\1\0\1\1\0\1\1\1\1\1\1\1\1\1\1\0\0\0\0\0\0"
+                                    "\0\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\0\0\0\1\1"
+                                    "\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\0\1\0\1\0"
+                                    "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
+                                    "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
+                                    "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
+                                    "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
+
+static const char *findchar_fast(const char *buf, const char *buf_end, const char *ranges, size_t ranges_size, int *found)
+{
+    *found = 0;
+#if __SSE4_2__
+    if (likely(buf_end - buf >= 16)) {
+        __m128i ranges16 = _mm_loadu_si128((const __m128i *)ranges);
+
+        size_t left = (buf_end - buf) & ~15;
+        do {
+            __m128i b16 = _mm_loadu_si128((const __m128i *)buf);
+            int r = _mm_cmpestri(ranges16, ranges_size, b16, 16, _SIDD_LEAST_SIGNIFICANT | _SIDD_CMP_RANGES | _SIDD_UBYTE_OPS);
+            if (unlikely(r != 16)) {
+                buf += r;
+                *found = 1;
+                break;
+            }
+            buf += 16;
+            left -= 16;
+        } while (likely(left != 0));
+    }
+#else
+    /* suppress unused parameter warning */
+    (void)buf_end;
+    (void)ranges;
+    (void)ranges_size;
+#endif
+    return buf;
+}
+
+static const char *get_token_to_eol(const char *buf, const char *buf_end, const char **token, size_t *token_len, int *ret)
+{
+    const char *token_start = buf;
+
+#ifdef __SSE4_2__
+    static const char ALIGNED(16) ranges1[16] = "\0\010"    /* allow HT */
+                                                "\012\037"  /* allow SP and up to but not including DEL */
+                                                "\177\177"; /* allow chars w. MSB set */
+    int found;
+    buf = findchar_fast(buf, buf_end, ranges1, 6, &found);
+    if (found)
+        goto FOUND_CTL;
+#else
+    /* find non-printable char within the next 8 bytes, this is the hottest code; manually inlined */
+    while (likely(buf_end - buf >= 8)) {
+#define DOIT()                                                                                                                     \
+    do {                                                                                                                           \
+        if (unlikely(!IS_PRINTABLE_ASCII(*buf)))                                                                                   \
+            goto NonPrintable;                                                                                                     \
+        ++buf;                                                                                                                     \
+    } while (0)
+        DOIT();
+        DOIT();
+        DOIT();
+        DOIT();
+        DOIT();
+        DOIT();
+        DOIT();
+        DOIT();
+#undef DOIT
+        continue;
+    NonPrintable:
+        if ((likely((unsigned char)*buf < '\040') && likely(*buf != '\011')) || unlikely(*buf == '\177')) {
+            goto FOUND_CTL;
+        }
+        ++buf;
+    }
+#endif
+    for (;; ++buf) {
+        CHECK_EOF();
+        if (unlikely(!IS_PRINTABLE_ASCII(*buf))) {
+            if ((likely((unsigned char)*buf < '\040') && likely(*buf != '\011')) || unlikely(*buf == '\177')) {
+                goto FOUND_CTL;
+            }
+        }
+    }
+FOUND_CTL:
+    if (likely(*buf == '\015')) {
+        ++buf;
+        EXPECT_CHAR('\012');
+        *token_len = buf - 2 - token_start;
+    } else if (*buf == '\012') {
+        *token_len = buf - token_start;
+        ++buf;
+    } else {
+        *ret = -1;
+        return NULL;
+    }
+    *token = token_start;
+
+    return buf;
+}
+
+static const char *is_complete(const char *buf, const char *buf_end, size_t last_len, int *ret)
+{
+    int ret_cnt = 0;
+    buf = last_len < 3 ? buf : buf + last_len - 3;
+
+    while (1) {
+        CHECK_EOF();
+        if (*buf == '\015') {
+            ++buf;
+            CHECK_EOF();
+            EXPECT_CHAR('\012');
+            ++ret_cnt;
+        } else if (*buf == '\012') {
+            ++buf;
+            ++ret_cnt;
+        } else {
+            ++buf;
+            ret_cnt = 0;
+        }
+        if (ret_cnt == 2) {
+            return buf;
+        }
+    }
+
+    *ret = -2;
+    return NULL;
+}
+
+#define PARSE_INT(valp_, mul_)                                                                                                     \
+    if (*buf < '0' || '9' < *buf) {                                                                                                \
+        buf++;                                                                                                                     \
+        *ret = -1;                                                                                                                 \
+        return NULL;                                                                                                               \
+    }                                                                                                                              \
+    *(valp_) = (mul_) * (*buf++ - '0');
+
+#define PARSE_INT_3(valp_)                                                                                                         \
+    do {                                                                                                                           \
+        int res_ = 0;                                                                                                              \
+        PARSE_INT(&res_, 100)                                                                                                      \
+        *valp_ = res_;                                                                                                             \
+        PARSE_INT(&res_, 10)                                                                                                       \
+        *valp_ += res_;                                                                                                            \
+        PARSE_INT(&res_, 1)                                                                                                        \
+        *valp_ += res_;                                                                                                            \
+    } while (0)
+
+/* returned pointer is always within [buf, buf_end), or null */
+static const char *parse_http_version(const char *buf, const char *buf_end, int *minor_version, int *ret)
+{
+    /* we want at least [HTTP/1.<two chars>] to try to parse */
+    if (buf_end - buf < 9) {
+        *ret = -2;
+        return NULL;
+    }
+    EXPECT_CHAR_NO_CHECK('H');
+    EXPECT_CHAR_NO_CHECK('T');
+    EXPECT_CHAR_NO_CHECK('T');
+    EXPECT_CHAR_NO_CHECK('P');
+    EXPECT_CHAR_NO_CHECK('/');
+    EXPECT_CHAR_NO_CHECK('1');
+    EXPECT_CHAR_NO_CHECK('.');
+    PARSE_INT(minor_version, 1);
+    return buf;
+}
+
+static const char *parse_headers(const char *buf, const char *buf_end, struct phr_header *headers, size_t *num_headers,
+                                 size_t max_headers, int *ret)
+{
+    for (;; ++*num_headers) {
+        CHECK_EOF();
+        if (*buf == '\015') {
+            ++buf;
+            EXPECT_CHAR('\012');
+            break;
+        } else if (*buf == '\012') {
+            ++buf;
+            break;
+        }
+        if (*num_headers == max_headers) {
+            *ret = -1;
+            return NULL;
+        }
+        if (!(*num_headers != 0 && (*buf == ' ' || *buf == '\t'))) {
+            /* parsing name, but do not discard SP before colon, see
+             * http://www.mozilla.org/security/announce/2006/mfsa2006-33.html */
+            headers[*num_headers].name = buf;
+            static const char ALIGNED(16) ranges1[] = "\x00 "  /* control chars and up to SP */
+                                                      "\"\""   /* 0x22 */
+                                                      "()"     /* 0x28,0x29 */
+                                                      ",,"     /* 0x2c */
+                                                      "//"     /* 0x2f */
+                                                      ":@"     /* 0x3a-0x40 */
+                                                      "[]"     /* 0x5b-0x5d */
+                                                      "{\377"; /* 0x7b-0xff */
+            int found;
+            buf = findchar_fast(buf, buf_end, ranges1, sizeof(ranges1) - 1, &found);
+            if (!found) {
+                CHECK_EOF();
+            }
+            while (1) {
+                if (*buf == ':') {
+                    break;
+                } else if (!token_char_map[(unsigned char)*buf]) {
+                    *ret = -1;
+                    return NULL;
+                }
+                ++buf;
+                CHECK_EOF();
+            }
+            if ((headers[*num_headers].name_len = buf - headers[*num_headers].name) == 0) {
+                *ret = -1;
+                return NULL;
+            }
+            ++buf;
+            for (;; ++buf) {
+                CHECK_EOF();
+                if (!(*buf == ' ' || *buf == '\t')) {
+                    break;
+                }
+            }
+        } else {
+            headers[*num_headers].name = NULL;
+            headers[*num_headers].name_len = 0;
+        }
+        const char *value;
+        size_t value_len;
+        if ((buf = get_token_to_eol(buf, buf_end, &value, &value_len, ret)) == NULL) {
+            return NULL;
+        }
+        /* remove trailing SPs and HTABs */
+        const char *value_end = value + value_len;
+        for (; value_end != value; --value_end) {
+            const char c = *(value_end - 1);
+            if (!(c == ' ' || c == '\t')) {
+                break;
+            }
+        }
+        headers[*num_headers].value = value;
+        headers[*num_headers].value_len = value_end - value;
+    }
+    return buf;
+}
+
+static const char *parse_request(const char *buf, const char *buf_end, const char **method, size_t *method_len, const char **path,
+                                 size_t *path_len, int *minor_version, struct phr_header *headers, size_t *num_headers,
+                                 size_t max_headers, int *ret)
+{
+    /* skip first empty line (some clients add CRLF after POST content) */
+    CHECK_EOF();
+    if (*buf == '\015') {
+        ++buf;
+        EXPECT_CHAR('\012');
+    } else if (*buf == '\012') {
+        ++buf;
+    }
+
+    /* parse request line */
+    ADVANCE_TOKEN(*method, *method_len);
+    do {
+        ++buf;
+    } while (*buf == ' ');
+    ADVANCE_TOKEN(*path, *path_len);
+    do {
+        ++buf;
+    } while (*buf == ' ');
+    if (*method_len == 0 || *path_len == 0) {
+        *ret = -1;
+        return NULL;
+    }
+    if ((buf = parse_http_version(buf, buf_end, minor_version, ret)) == NULL) {
+        return NULL;
+    }
+    if (*buf == '\015') {
+        ++buf;
+        EXPECT_CHAR('\012');
+    } else if (*buf == '\012') {
+        ++buf;
+    } else {
+        *ret = -1;
+        return NULL;
+    }
+
+    return parse_headers(buf, buf_end, headers, num_headers, max_headers, ret);
+}
+
+int phr_parse_request(const char *buf_start, size_t len, const char **method, size_t *method_len, const char **path,
+                      size_t *path_len, int *minor_version, struct phr_header *headers, size_t *num_headers, size_t last_len)
+{
+    const char *buf = buf_start, *buf_end = buf_start + len;
+    size_t max_headers = *num_headers;
+    int r;
+
+    *method = NULL;
+    *method_len = 0;
+    *path = NULL;
+    *path_len = 0;
+    *minor_version = -1;
+    *num_headers = 0;
+
+    /* if last_len != 0, check if the request is complete (a fast countermeasure
+       againt slowloris */
+    if (last_len != 0 && is_complete(buf, buf_end, last_len, &r) == NULL) {
+        return r;
+    }
+
+    if ((buf = parse_request(buf, buf_end, method, method_len, path, path_len, minor_version, headers, num_headers, max_headers,
+                             &r)) == NULL) {
+        return r;
+    }
+
+    return (int)(buf - buf_start);
+}
+
+static const char *parse_response(const char *buf, const char *buf_end, int *minor_version, int *status, const char **msg,
+                                  size_t *msg_len, struct phr_header *headers, size_t *num_headers, size_t max_headers, int *ret)
+{
+    /* parse "HTTP/1.x" */
+    if ((buf = parse_http_version(buf, buf_end, minor_version, ret)) == NULL) {
+        return NULL;
+    }
+    /* skip space */
+    if (*buf != ' ') {
+        *ret = -1;
+        return NULL;
+    }
+    do {
+        ++buf;
+    } while (*buf == ' ');
+    /* parse status code, we want at least [:digit:][:digit:][:digit:]<other char> to try to parse */
+    if (buf_end - buf < 4) {
+        *ret = -2;
+        return NULL;
+    }
+    PARSE_INT_3(status);
+
+    /* get message includig preceding space */
+    if ((buf = get_token_to_eol(buf, buf_end, msg, msg_len, ret)) == NULL) {
+        return NULL;
+    }
+    if (*msg_len == 0) {
+        /* ok */
+    } else if (**msg == ' ') {
+        /* remove preceding space */
+        do {
+            ++*msg;
+            --*msg_len;
+        } while (**msg == ' ');
+    } else {
+        /* garbage found after status code */
+        *ret = -1;
+        return NULL;
+    }
+
+    return parse_headers(buf, buf_end, headers, num_headers, max_headers, ret);
+}
+
+int phr_parse_response(const char *buf_start, size_t len, int *minor_version, int *status, const char **msg, size_t *msg_len,
+                       struct phr_header *headers, size_t *num_headers, size_t last_len)
+{
+    const char *buf = buf_start, *buf_end = buf + len;
+    size_t max_headers = *num_headers;
+    int r;
+
+    *minor_version = -1;
+    *status = 0;
+    *msg = NULL;
+    *msg_len = 0;
+    *num_headers = 0;
+
+    /* if last_len != 0, check if the response is complete (a fast countermeasure
+       against slowloris */
+    if (last_len != 0 && is_complete(buf, buf_end, last_len, &r) == NULL) {
+        return r;
+    }
+
+    if ((buf = parse_response(buf, buf_end, minor_version, status, msg, msg_len, headers, num_headers, max_headers, &r)) == NULL) {
+        return r;
+    }
+
+    return (int)(buf - buf_start);
+}
+
+int phr_parse_headers(const char *buf_start, size_t len, struct phr_header *headers, size_t *num_headers, size_t last_len)
+{
+    const char *buf = buf_start, *buf_end = buf + len;
+    size_t max_headers = *num_headers;
+    int r;
+
+    *num_headers = 0;
+
+    /* if last_len != 0, check if the response is complete (a fast countermeasure
+       against slowloris */
+    if (last_len != 0 && is_complete(buf, buf_end, last_len, &r) == NULL) {
+        return r;
+    }
+
+    if ((buf = parse_headers(buf, buf_end, headers, num_headers, max_headers, &r)) == NULL) {
+        return r;
+    }
+
+    return (int)(buf - buf_start);
+}
+
+enum {
+    CHUNKED_IN_CHUNK_SIZE,
+    CHUNKED_IN_CHUNK_EXT,
+    CHUNKED_IN_CHUNK_DATA,
+    CHUNKED_IN_CHUNK_CRLF,
+    CHUNKED_IN_TRAILERS_LINE_HEAD,
+    CHUNKED_IN_TRAILERS_LINE_MIDDLE
+};
+
+static int decode_hex(int ch)
+{
+    if ('0' <= ch && ch <= '9') {
+        return ch - '0';
+    } else if ('A' <= ch && ch <= 'F') {
+        return ch - 'A' + 0xa;
+    } else if ('a' <= ch && ch <= 'f') {
+        return ch - 'a' + 0xa;
+    } else {
+        return -1;
+    }
+}
+
+ssize_t phr_decode_chunked(struct phr_chunked_decoder *decoder, char *buf, size_t *_bufsz)
+{
+    size_t dst = 0, src = 0, bufsz = *_bufsz;
+    ssize_t ret = -2; /* incomplete */
+
+    while (1) {
+        switch (decoder->_state) {
+        case CHUNKED_IN_CHUNK_SIZE:
+            for (;; ++src) {
+                int v;
+                if (src == bufsz)
+                    goto Exit;
+                if ((v = decode_hex(buf[src])) == -1) {
+                    if (decoder->_hex_count == 0) {
+                        ret = -1;
+                        goto Exit;
+                    }
+                    break;
+                }
+                if (decoder->_hex_count == sizeof(size_t) * 2) {
+                    ret = -1;
+                    goto Exit;
+                }
+                decoder->bytes_left_in_chunk = decoder->bytes_left_in_chunk * 16 + v;
+                ++decoder->_hex_count;
+            }
+            decoder->_hex_count = 0;
+            decoder->_state = CHUNKED_IN_CHUNK_EXT;
+        /* fallthru */
+        case CHUNKED_IN_CHUNK_EXT:
+            /* RFC 7230 A.2 "Line folding in chunk extensions is disallowed" */
+            for (;; ++src) {
+                if (src == bufsz)
+                    goto Exit;
+                if (buf[src] == '\012')
+                    break;
+            }
+            ++src;
+            if (decoder->bytes_left_in_chunk == 0) {
+                if (decoder->consume_trailer) {
+                    decoder->_state = CHUNKED_IN_TRAILERS_LINE_HEAD;
+                    break;
+                } else {
+                    goto Complete;
+                }
+            }
+            decoder->_state = CHUNKED_IN_CHUNK_DATA;
+        /* fallthru */
+        case CHUNKED_IN_CHUNK_DATA: {
+            size_t avail = bufsz - src;
+            if (avail < decoder->bytes_left_in_chunk) {
+                if (dst != src)
+                    memmove(buf + dst, buf + src, avail);
+                src += avail;
+                dst += avail;
+                decoder->bytes_left_in_chunk -= avail;
+                goto Exit;
+            }
+            if (dst != src)
+                memmove(buf + dst, buf + src, decoder->bytes_left_in_chunk);
+            src += decoder->bytes_left_in_chunk;
+            dst += decoder->bytes_left_in_chunk;
+            decoder->bytes_left_in_chunk = 0;
+            decoder->_state = CHUNKED_IN_CHUNK_CRLF;
+        }
+        /* fallthru */
+        case CHUNKED_IN_CHUNK_CRLF:
+            for (;; ++src) {
+                if (src == bufsz)
+                    goto Exit;
+                if (buf[src] != '\015')
+                    break;
+            }
+            if (buf[src] != '\012') {
+                ret = -1;
+                goto Exit;
+            }
+            ++src;
+            decoder->_state = CHUNKED_IN_CHUNK_SIZE;
+            break;
+        case CHUNKED_IN_TRAILERS_LINE_HEAD:
+            for (;; ++src) {
+                if (src == bufsz)
+                    goto Exit;
+                if (buf[src] != '\015')
+                    break;
+            }
+            if (buf[src++] == '\012')
+                goto Complete;
+            decoder->_state = CHUNKED_IN_TRAILERS_LINE_MIDDLE;
+        /* fallthru */
+        case CHUNKED_IN_TRAILERS_LINE_MIDDLE:
+            for (;; ++src) {
+                if (src == bufsz)
+                    goto Exit;
+                if (buf[src] == '\012')
+                    break;
+            }
+            ++src;
+            decoder->_state = CHUNKED_IN_TRAILERS_LINE_HEAD;
+            break;
+        default:
+            assert(!"decoder is corrupt");
+        }
+    }
+
+Complete:
+    ret = bufsz - src;
+Exit:
+    if (dst != src)
+        memmove(buf + dst, buf + src, bufsz - src);
+    *_bufsz = dst;
+    return ret;
+}
+
+int phr_decode_chunked_is_in_data(struct phr_chunked_decoder *decoder)
+{
+    return decoder->_state == CHUNKED_IN_CHUNK_DATA;
+}
+
+#undef CHECK_EOF
+#undef EXPECT_CHAR
+#undef ADVANCE_TOKEN
diff --git a/plugins/picohttpparser/picohttpparser.h b/plugins/picohttpparser/picohttpparser.h
new file mode 100644
index 0000000..0849f84
--- /dev/null
+++ b/plugins/picohttpparser/picohttpparser.h
@@ -0,0 +1,87 @@
+/*
+ * Copyright (c) 2009-2014 Kazuho Oku, Tokuhiro Matsuno, Daisuke Murase,
+ *                         Shigeo Mitsunari
+ *
+ * The software is licensed under either the MIT License (below) or the Perl
+ * license.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to
+ * deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+ * sell copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ * IN THE SOFTWARE.
+ */
+
+#ifndef picohttpparser_h
+#define picohttpparser_h
+
+#include <sys/types.h>
+
+#ifdef _MSC_VER
+#define ssize_t intptr_t
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* contains name and value of a header (name == NULL if is a continuing line
+ * of a multiline header */
+struct phr_header {
+    const char *name;
+    size_t name_len;
+    const char *value;
+    size_t value_len;
+};
+
+/* returns number of bytes consumed if successful, -2 if request is partial,
+ * -1 if failed */
+int phr_parse_request(const char *buf, size_t len, const char **method, size_t *method_len, const char **path, size_t *path_len,
+                      int *minor_version, struct phr_header *headers, size_t *num_headers, size_t last_len);
+
+/* ditto */
+int phr_parse_response(const char *_buf, size_t len, int *minor_version, int *status, const char **msg, size_t *msg_len,
+                       struct phr_header *headers, size_t *num_headers, size_t last_len);
+
+/* ditto */
+int phr_parse_headers(const char *buf, size_t len, struct phr_header *headers, size_t *num_headers, size_t last_len);
+
+/* should be zero-filled before start */
+struct phr_chunked_decoder {
+    size_t bytes_left_in_chunk; /* number of bytes left in current chunk */
+    char consume_trailer;       /* if trailing headers should be consumed */
+    char _hex_count;
+    char _state;
+};
+
+/* the function rewrites the buffer given as (buf, bufsz) removing the chunked-
+ * encoding headers.  When the function returns without an error, bufsz is
+ * updated to the length of the decoded data available.  Applications should
+ * repeatedly call the function while it returns -2 (incomplete) every time
+ * supplying newly arrived data.  If the end of the chunked-encoded data is
+ * found, the function returns a non-negative number indicating the number of
+ * octets left undecoded at the tail of the supplied buffer.  Returns -1 on
+ * error.
+ */
+ssize_t phr_decode_chunked(struct phr_chunked_decoder *decoder, char *buf, size_t *bufsz);
+
+/* returns if the chunked decoder is in middle of chunked data */
+int phr_decode_chunked_is_in_data(struct phr_chunked_decoder *decoder);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/plugins/popen.c b/plugins/popen.c
index 592263f..9eb49b6 100644
--- a/plugins/popen.c
+++ b/plugins/popen.c
@@ -39,9 +39,9 @@
 *****************************************************************************/
 
 #include "common.h"
+#include "utils.h"
 
 /* extern so plugin has pid to kill exec'd process on timeouts */
-extern int timeout_interval;
 extern pid_t *childpid;
 extern int *child_stderr_array;
 extern FILE *child_process;
@@ -76,18 +76,9 @@ RETSIGTYPE popen_timeout_alarm_handler (int);
 #define SIG_ERR ((Sigfunc *)-1)
 #endif
 
-#define min(a,b)        ((a) < (b) ? (a) : (b))
-#define max(a,b)        ((a) > (b) ? (a) : (b))
-int open_max (void);                                            /* {Prog openmax} */
-static void err_sys (const char *, ...) __attribute__((noreturn,format(printf, 1, 2)));
-char *rtrim (char *, const char *);
 
 char *pname = NULL;                                                     /* caller can set this from argv[0] */
 
-/*int *childerr = NULL;*//* ptr to array allocated at run-time */
-/*extern pid_t *childpid = NULL; *//* ptr to array allocated at run-time */
-static int maxfd;                                                               /* from our open_max(), {Prog openmax} */
-
 #ifdef REDHAT_SPOPEN_ERROR
 static volatile int childtermd = 0;
 #endif
@@ -186,14 +177,15 @@ spopen (const char *cmdstring)
         }
         argv[i] = NULL;
 
+        if(maxfd == 0)
+                maxfd = open_max();
+
         if (childpid == NULL) {                         /* first time through */
-                maxfd = open_max ();                            /* allocate zeroed out array for child pids */
                 if ((childpid = calloc ((size_t)maxfd, sizeof (pid_t))) == NULL)
                         return (NULL);
         }
 
         if (child_stderr_array == NULL) {       /* first time through */
-                maxfd = open_max ();                            /* allocate zeroed out array for child pids */
                 if ((child_stderr_array = calloc ((size_t)maxfd, sizeof (int))) == NULL)
                         return (NULL);
         }
@@ -273,15 +265,6 @@ spclose (FILE * fp)
         return (1);
 }
 
-#ifdef  OPEN_MAX
-static int openmax = OPEN_MAX;
-#else
-static int openmax = 0;
-#endif
-
-#define OPEN_MAX_GUESS  256                     /* if OPEN_MAX is indeterminate */
-                                /* no guarantee this is adequate */
-
 #ifdef REDHAT_SPOPEN_ERROR
 RETSIGTYPE
 popen_sigchld_handler (int signo)
@@ -309,63 +292,3 @@ popen_timeout_alarm_handler (int signo)
                 exit (STATE_CRITICAL);
         }
 }
-
-
-int
-open_max (void)
-{
-        if (openmax == 0) {                                             /* first time through */
-                errno = 0;
-                if ((openmax = sysconf (_SC_OPEN_MAX)) < 0) {
-                        if (errno == 0)
-                                openmax = OPEN_MAX_GUESS;       /* it's indeterminate */
-                        else
-                                err_sys (_("sysconf error for _SC_OPEN_MAX"));
-                }
-        }
-        return (openmax);
-}
-
-
-/* Fatal error related to a system call.
- * Print a message and die. */
-
-#define MAXLINE 2048
-static void
-err_sys (const char *fmt, ...)
-{
-        int errnoflag = 1;
-        int errno_save;
-        char buf[MAXLINE];
-
-        va_list ap;
-
-        va_start (ap, fmt);
-        /* err_doit (1, fmt, ap); */
-        errno_save = errno;                                             /* value caller might want printed */
-        vsprintf (buf, fmt, ap);
-        if (errnoflag)
-                sprintf (buf + strlen (buf), ": %s", strerror (errno_save));
-        strcat (buf, "\n");
-        fflush (stdout);                                                        /* in case stdout and stderr are the same */
-        fputs (buf, stderr);
-        fflush (NULL);                                                          /* flushes all stdio output streams */
-        va_end (ap);
-        exit (1);
-}
-
-char *
-rtrim (char *str, const char *tok)
-{
-        int i = 0;
-        int j = sizeof (str);
-
-        while (str != NULL && i < j) {
-                if (*(str + i) == *tok) {
-                        sprintf (str + i, "%s", "\0");
-                        return str;
-                }
-                i++;
-        }
-        return str;
-}
diff --git a/plugins/popen.h b/plugins/popen.h
index fc7e78e..a5dd8fa 100644
--- a/plugins/popen.h
+++ b/plugins/popen.h
@@ -7,7 +7,6 @@ FILE *spopen (const char *);
 int spclose (FILE *);
 RETSIGTYPE popen_timeout_alarm_handler (int);
 
-extern unsigned int timeout_interval;
 pid_t *childpid=NULL;
 int *child_stderr_array=NULL;
 FILE *child_process=NULL;
diff --git a/plugins/runcmd.c b/plugins/runcmd.c
index 1a7c904..a7155d2 100644
--- a/plugins/runcmd.c
+++ b/plugins/runcmd.c
@@ -67,19 +67,6 @@
  * occur in any number of threads simultaneously. */
 static pid_t *np_pids = NULL;
 
-/* Try sysconf(_SC_OPEN_MAX) first, as it can be higher than OPEN_MAX.
- * If that fails and the macro isn't defined, we fall back to an educated
- * guess. There's no guarantee that our guess is adequate and the program
- * will die with SIGSEGV if it isn't and the upper boundary is breached. */
-#ifdef _SC_OPEN_MAX
-static long maxfd = 0;
-#elif defined(OPEN_MAX)
-# define maxfd OPEN_MAX
-#else /* sysconf macro unavailable, so guess (may be wildly inaccurate) */
-# define maxfd 256
-#endif
-
-
 /** prototypes **/
 static int np_runcmd_open(const char *, int *, int *)
         __attribute__((__nonnull__(1, 2, 3)));
@@ -99,14 +86,8 @@ extern void die (int, const char *, ...)
  * through this api and thus achieve async-safeness throughout the api */
 void np_runcmd_init(void)
 {
-#ifndef maxfd
-        if(!maxfd && (maxfd = sysconf(_SC_OPEN_MAX)) < 0) {
-                /* possibly log or emit a warning here, since there's no
-                 * guarantee that our guess at maxfd will be adequate */
-                maxfd = 256;
-        }
-#endif
-
+        if(maxfd == 0)
+                maxfd = open_max();
         if(!np_pids) np_pids = calloc(maxfd, sizeof(pid_t));
 }
 
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index e38947e..14f6579 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -1,29 +1,29 @@
 /*****************************************************************************
-* 
+*
 * Monitoring Plugins SSL utilities
-* 
+*
 * License: GPL
 * Copyright (c) 2005-2010 Monitoring Plugins Development Team
-* 
+*
 * Description:
-* 
+*
 * This file contains common functions for plugins that require SSL.
-* 
+*
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
-* 
+*
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
-* 
+*
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
-* 
-* 
+*
+*
 *****************************************************************************/
 
 #define MAX_CN_LENGTH 256
@@ -193,12 +193,22 @@ int np_net_ssl_read(void *buf, int num) {
 
 int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
 #  ifdef USE_OPENSSL
-        X509 *certificate=NULL;
+        X509 *certificate = NULL;
+        certificate=SSL_get_peer_certificate(s);
+        return(np_net_ssl_check_certificate(certificate, days_till_exp_warn, days_till_exp_crit));
+#  else /* ifndef USE_OPENSSL */
+        printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
+        return STATE_WARNING;
+#  endif /* USE_OPENSSL */
+}
+
+int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit){
+#  ifdef USE_OPENSSL
         X509_NAME *subj=NULL;
         char timestamp[50] = "";
         char cn[MAX_CN_LENGTH]= "";
         char *tz;
-        
+
         int cnlen =-1;
         int status=STATE_UNKNOWN;
 
@@ -210,7 +220,6 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
         int time_remaining;
         time_t tm_t;
 
-        certificate=SSL_get_peer_certificate(s);
         if (!certificate) {
                 printf("%s\n",_("CRITICAL - Cannot retrieve server certificate."));
                 return STATE_CRITICAL;
diff --git a/plugins/t/NPTest.cache.travis b/plugins/t/NPTest.cache.travis
index e9705f3..9b9f805 100644
--- a/plugins/t/NPTest.cache.travis
+++ b/plugins/t/NPTest.cache.travis
@@ -1,62 +1,54 @@
 {
-  'MYSQL_LOGIN_DETAILS' => '-u root -d test',
   'NP_ALLOW_SUDO' => 'yes',
   'NP_DNS_SERVER' => '8.8.8.8',
   'NP_GOOD_NTP_SERVICE' => '',
+  'NP_HOST_DHCP_RESPONSIVE' => '',
+  'NP_HOST_HPJD_PORT_INVALID' => '161',
+  'NP_HOST_HPJD_PORT_VALID' => '',
+  'NP_HOSTNAME_INVALID_CIDR' => '130.133.8.39/30',
   'NP_HOSTNAME_INVALID' => 'nosuchhost',
-  'NP_HOSTNAME_VALID' => 'monitoring-plugins.org',
-  'NP_HOSTNAME_VALID_IP' => '130.133.8.40',
   'NP_HOSTNAME_VALID_CIDR' => '130.133.8.41/30',
-  'NP_HOSTNAME_INVALID_CIDR' => '130.133.8.39/30',
+  'NP_HOSTNAME_VALID_IP' => '130.133.8.40',
+  'NP_HOSTNAME_VALID' => 'monitoring-plugins.org',
   'NP_HOSTNAME_VALID_REVERSE' => 'orwell.monitoring-plugins.org.',
-  'NP_HOST_DHCP_RESPONSIVE' => '',
   'NP_HOST_NONRESPONSIVE' => '10.0.0.1',
   'NP_HOST_RESPONSIVE' => 'localhost',
   'NP_HOST_SMB' => '',
-  'NP_HOST_SNMP' => 'localhost',
+  'NP_HOST_SNMP' => '',
   'NP_HOST_TCP_FTP' => '',
   'NP_HOST_TCP_HPJD' => '',
-  'NP_HOST_HPJD_PORT_INVALID' => '161',
-  'NP_HOST_HPJD_PORT_VALID' => '',
-  'NP_HOST_TCP_HTTP' => 'localhost',
   'NP_HOST_TCP_HTTP2' => 'test.monitoring-plugins.org',
+  'NP_HOST_TCP_HTTP' => 'localhost',
   'NP_HOST_TCP_IMAP' => 'imap.web.de',
+  'NP_HOST_TCP_JABBER' => 'jabber.org',
   'NP_HOST_TCP_LDAP' => 'localhost',
   'NP_HOST_TCP_POP' => 'pop.web.de',
+  'NP_HOST_TCP_PROXY' => 'localhost',
   'NP_HOST_TCP_SMTP' => 'localhost',
   'NP_HOST_TCP_SMTP_NOTLS' => '',
   'NP_HOST_TCP_SMTP_TLS' => '',
+  'NP_HOST_TLS_CERT' => 'localhost,
+  'NP_HOST_TLS_HTTP' => 'localhost',
+  'NP_HOST_UDP_TIME' => 'none',
   'NP_INTERNET_ACCESS' => 'yes',
   'NP_LDAP_BASE_DN' => 'cn=admin,dc=nodomain',
   'NP_MOUNTPOINT2_VALID' => '/media/ramdisk',
   'NP_MOUNTPOINT_VALID' => '/',
+  'NP_MYSQL_LOGIN_DETAILS' => '-u root -d test',
   'NP_MYSQL_SERVER' => 'localhost',
-  'NP_HOST_UDP_TIME' => 'localhost',
   'NP_MYSQL_SOCKET' => '/var/run/mysqld/mysqld.sock',
   'NP_MYSQL_WITH_SLAVE' => '',
   'NP_MYSQL_WITH_SLAVE_LOGIN' => '',
   'NP_NO_NTP_SERVICE' => 'localhost',
+  'NP_PORT_TCP_PROXY' => '3128',
   'NP_SMB_SHARE' => '',
   'NP_SMB_SHARE_DENY' => '',
   'NP_SMB_SHARE_SPC' => '',
   'NP_SMB_VALID_USER' => '',
   'NP_SMB_VALID_USER_PASS' => '',
-  'NP_SNMP_COMMUNITY' => 'public',
+  'NP_SNMP_COMMUNITY' => '',
+  'NP_SNMP_USER' => '',
   'NP_SSH_CONFIGFILE' => '~/.ssh/config',
   'NP_SSH_HOST' => 'localhost',
-  'NP_SSH_IDENTITY' => '~/.ssh/id_dsa',
-  'NP_HOST_TCP_JABBER' => 'jabber.org',
-  'host_nonresponsive' => '10.0.0.1',
-  'host_responsive' => 'localhost',
-  'host_snmp' => '',
-  'host_tcp_ftp' => '',
-  'host_tcp_http' => 'localhost',
-  'host_tcp_imap' => 'imap.nierlein.de',
-  'host_tcp_smtp' => 'localhost',
-  'hostname_invalid' => 'nosuchhost',
-  'snmp_community' => '',
-  'user_snmp' => '',
-  'host_udp_time' => 'none',
-  'host_tls_http' => 'localhost',
-  'host_tls_cert' => 'localhost',
+  'NP_SSH_IDENTITY' => '~/.ssh/id_rsa'
 }
diff --git a/plugins/t/check_by_ssh.t b/plugins/t/check_by_ssh.t
index 4797390..1d2939e 100644
--- a/plugins/t/check_by_ssh.t
+++ b/plugins/t/check_by_ssh.t
@@ -9,17 +9,9 @@ use Test::More;
 use NPTest;
 
 # Required parameters
-my $ssh_service = getTestParameter( "NP_SSH_HOST",
-    "A host providing SSH service",
-    "localhost");
-
-my $ssh_key = getTestParameter( "NP_SSH_IDENTITY",
-    "A key allowing access to NP_SSH_HOST",
-    "~/.ssh/id_dsa");
-
-my $ssh_conf = getTestParameter( "NP_SSH_CONFIGFILE",
-    "A config file with ssh settings",
-    "~/.ssh/config");
+my $ssh_service = getTestParameter("NP_SSH_HOST", "A host providing SSH service", "localhost");
+my $ssh_key     = getTestParameter("NP_SSH_IDENTITY", "A key allowing access to NP_SSH_HOST", "~/.ssh/id_dsa");
+my $ssh_conf    = getTestParameter( "NP_SSH_CONFIGFILE", "A config file with ssh settings", "~/.ssh/config");
 
 
 plan skip_all => "SSH_HOST and SSH_IDENTITY must be defined" unless ($ssh_service && $ssh_key);
diff --git a/plugins/t/check_curl.t b/plugins/t/check_curl.t
new file mode 100644
index 0000000..4bff538
--- /dev/null
+++ b/plugins/t/check_curl.t
@@ -0,0 +1,199 @@
+#! /usr/bin/perl -w -I ..
+#
+# HyperText Transfer Protocol (HTTP) Test via check_http
+#
+#
+
+use strict;
+use Test::More;
+use POSIX qw/mktime strftime/;
+use NPTest;
+
+plan tests => 57;
+
+my $successOutput = '/OK.*HTTP.*second/';
+
+my $res;
+my $plugin = 'check_http';
+$plugin    = 'check_curl' if $0 =~ m/check_curl/mx;
+
+my $host_tcp_http      = getTestParameter("NP_HOST_TCP_HTTP", "A host providing the HTTP Service (a web server)", "localhost");
+my $host_tls_http      = getTestParameter("NP_HOST_TLS_HTTP", "A host providing the HTTPS Service (a tls web server)", "localhost");
+my $host_tls_cert      = getTestParameter("NP_HOST_TLS_CERT", "the common name of the certificate.", "localhost");
+my $host_nonresponsive = getTestParameter("NP_HOST_NONRESPONSIVE", "The hostname of system not responsive to network requests", "10.0.0.1");
+my $hostname_invalid   = getTestParameter("NP_HOSTNAME_INVALID", "An invalid (not known to DNS) hostname", "nosuchhost");
+my $internet_access    = getTestParameter("NP_INTERNET_ACCESS", "Is this system directly connected to the internet?", "yes");
+my $host_tcp_http2     = getTestParameter("NP_HOST_TCP_HTTP2", "A host providing an index page containing the string 'monitoring'", "test.monitoring-plugins.org");
+my $host_tcp_proxy     = getTestParameter("NP_HOST_TCP_PROXY", "A host providing a HTTP proxy with CONNECT support", "localhost");
+my $port_tcp_proxy     = getTestParameter("NP_PORT_TCP_PROXY", "Port of the proxy with HTTP and CONNECT support", "3128");
+
+my $faketime = -x '/usr/bin/faketime' ? 1 : 0;
+
+
+$res = NPTest->testCmd(
+        "./$plugin $host_tcp_http -wt 300 -ct 600"
+        );
+cmp_ok( $res->return_code, '==', 0, "Webserver $host_tcp_http responded" );
+like( $res->output, $successOutput, "Output OK" );
+
+$res = NPTest->testCmd(
+        "./$plugin $host_tcp_http -wt 300 -ct 600 -v -v -v -k 'bob:there' -k 'carl:frown'"
+        );
+like( $res->output, '/bob:there\r\ncarl:frown\r\n/', "Got headers with multiple -k options" );
+
+$res = NPTest->testCmd(
+        "./$plugin $host_nonresponsive -wt 1 -ct 2 -t 3"
+        );
+cmp_ok( $res->return_code, '==', 2, "Webserver $host_nonresponsive not responding" );
+# was CRITICAL only, but both check_curl and check_http print HTTP CRITICAL (puzzle?!)
+cmp_ok( $res->output, 'eq', "HTTP CRITICAL - Invalid HTTP response received from host on port 80: cURL returned 28 - Timeout was reached", "Output OK");
+
+$res = NPTest->testCmd(
+        "./$plugin $hostname_invalid -wt 1 -ct 2"
+        );
+cmp_ok( $res->return_code, '==', 2, "Webserver $hostname_invalid not valid" );
+# The first part of the message comes from the OS catalogue, so cannot check this.
+# On Debian, it is Name or service not known, on Darwin, it is No address associated with nodename
+# Is also possible to get a socket timeout if DNS is not responding fast enough
+# cURL gives us consistent strings from it's own 'lib/strerror.c'
+like( $res->output, "/cURL returned 6 - Couldn't resolve host name/", "Output OK");
+
+# host header checks
+$res = NPTest->testCmd("./$plugin -v -H $host_tcp_http");
+like( $res->output, '/^Host: '.$host_tcp_http.'\s*$/ms', "Host Header OK" );
+like( $res->output, '/CURLOPT_URL: http:\/\/'.$host_tcp_http.':80\//ms', "Url OK" );
+
+$res = NPTest->testCmd("./$plugin -v -H $host_tcp_http -p 80");
+like( $res->output, '/^Host: '.$host_tcp_http.'\s*$/ms', "Host Header OK" );
+like( $res->output, '/CURLOPT_URL: http:\/\/'.$host_tcp_http.':80\//ms', "Url OK" );
+
+$res = NPTest->testCmd("./$plugin -v -H $host_tcp_http:8080 -p 80");
+like( $res->output, '/^Host: '.$host_tcp_http.':8080\s*$/ms', "Host Header OK" );
+like( $res->output, '/CURLOPT_URL: http:\/\/'.$host_tcp_http.':80\//ms', "Url OK" );
+
+$res = NPTest->testCmd("./$plugin -v -H $host_tcp_http:8080 -p 80");
+like( $res->output, '/^Host: '.$host_tcp_http.':8080\s*$/ms', "Host Header OK" );
+like( $res->output, '/CURLOPT_URL: http:\/\/'.$host_tcp_http.':80\//ms', "Url OK" );
+
+$res = NPTest->testCmd("./$plugin -v -H $host_tcp_http:8080 -p 80 -k 'Host: testhost:8001'");
+like( $res->output, '/^Host: testhost:8001\s*$/ms', "Host Header OK" );
+like( $res->output, '/CURLOPT_URL: http:\/\/'.$host_tcp_http.':80\//ms', "Url OK" );
+
+$res = NPTest->testCmd("./$plugin -v -I $host_tcp_http -p 80 -k 'Host: testhost:8001'");
+like( $res->output, '/^Host: testhost:8001\s*$/ms', "Host Header OK" );
+like( $res->output, '/CURLOPT_URL: http:\/\/'.$host_tcp_http.':80\//ms', "Url OK" );
+
+SKIP: {
+        skip "No internet access", 3 if $internet_access eq "no";
+
+        $res = NPTest->testCmd("./$plugin -v -H $host_tls_http -S");
+        like( $res->output, '/^Host: '.$host_tls_http.'\s*$/ms', "Host Header OK" );
+
+        $res = NPTest->testCmd("./$plugin -v -H $host_tls_http:8080 -S -p 443");
+        like( $res->output, '/^Host: '.$host_tls_http.':8080\s*$/ms', "Host Header OK" );
+
+        $res = NPTest->testCmd("./$plugin -v -H $host_tls_http:443 -S -p 443");
+        like( $res->output, '/^Host: '.$host_tls_http.'\s*$/ms', "Host Header OK" );
+};
+
+SKIP: {
+        skip "No host serving monitoring in index file", 7 unless $host_tcp_http2;
+
+        $res = NPTest->testCmd( "./$plugin -H $host_tcp_http2 -r 'monitoring'" );
+        cmp_ok( $res->return_code, "==", 0, "Got a reference to 'monitoring'");
+
+        $res = NPTest->testCmd( "./$plugin -H $host_tcp_http2 -r 'mONiTORing'" );
+        cmp_ok( $res->return_code, "==", 2, "Not got 'mONiTORing'");
+        like ( $res->output, "/pattern not found/", "Error message says 'pattern not found'");
+
+        $res = NPTest->testCmd( "./$plugin -H $host_tcp_http2 -R 'mONiTORing'" );
+        cmp_ok( $res->return_code, "==", 0, "But case insensitive doesn't mind 'mONiTORing'");
+
+        $res = NPTest->testCmd( "./$plugin -H $host_tcp_http2 -r 'monitoring' --invert-regex" );
+        cmp_ok( $res->return_code, "==", 2, "Invert results work when found");
+        like ( $res->output, "/pattern found/", "Error message says 'pattern found'");
+
+        $res = NPTest->testCmd( "./$plugin -H $host_tcp_http2 -r 'mONiTORing' --invert-regex" );
+        cmp_ok( $res->return_code, "==", 0, "And also when not found");
+}
+SKIP: {
+        skip "No internet access", 16 if $internet_access eq "no";
+
+        $res = NPTest->testCmd(
+                "./$plugin --ssl $host_tls_http"
+                );
+        cmp_ok( $res->return_code, '==', 0, "Can read https for $host_tls_http" );
+
+        $res = NPTest->testCmd( "./$plugin -C 1 --ssl $host_tls_http" );
+        cmp_ok( $res->return_code, '==', 0, "Checking certificate for $host_tls_http");
+        like  ( $res->output, "/Certificate '$host_tls_cert' will expire on/", "Output OK" );
+        my $saved_cert_output = $res->output;
+
+        $res = NPTest->testCmd( "./$plugin -C 8000,1 --ssl $host_tls_http" );
+        cmp_ok( $res->return_code, '==', 1, "Checking certificate for $host_tls_http");
+        like  ( $res->output, qr/WARNING - Certificate '$host_tls_cert' expires in \d+ day/, "Output Warning" );
+
+        $res = NPTest->testCmd( "./$plugin $host_tls_http -C 1" );
+        is( $res->return_code, 0, "Old syntax for cert checking okay" );
+        is( $res->output, $saved_cert_output, "Same output as new syntax" );
+
+        $res = NPTest->testCmd( "./$plugin -H $host_tls_http -C 1" );
+        is( $res->return_code, 0, "Updated syntax for cert checking okay" );
+        is( $res->output, $saved_cert_output, "Same output as new syntax" );
+
+        $res = NPTest->testCmd( "./$plugin -C 1 $host_tls_http" );
+        cmp_ok( $res->output, 'eq', $saved_cert_output, "--ssl option automatically added");
+
+        $res = NPTest->testCmd( "./$plugin $host_tls_http -C 1" );
+        cmp_ok( $res->output, 'eq', $saved_cert_output, "Old syntax for cert checking still works");
+
+        # run some certificate checks with faketime
+        SKIP: {
+                skip "No faketime binary found", 12 if !$faketime;
+                $res = NPTest->testCmd("LC_TIME=C TZ=UTC ./$plugin -C 1 $host_tls_http");
+                like($res->output, qr/OK - Certificate '$host_tls_cert' will expire on/, "Catch cert output");
+                is( $res->return_code, 0, "Catch cert output exit code" );
+                my($mon,$day,$hour,$min,$sec,$year) = ($res->output =~ /(\w+)\s+(\d+)\s+(\d+):(\d+):(\d+)\s+(\d+)/);
+                if(!defined $year) {
+                    die("parsing date failed from: ".$res->output);
+                }
+                my $months = {'Jan' => 0, 'Feb' => 1, 'Mar' => 2, 'Apr' => 3, 'May' => 4, 'Jun' => 5, 'Jul' => 6, 'Aug' => 7, 'Sep' => 8, 'Oct' => 9, 'Nov' => 10, 'Dec' => 11};
+                my $ts   = mktime($sec, $min, $hour, $day, $months->{$mon}, $year-1900);
+                my $time = strftime("%Y-%m-%d %H:%M:%S", localtime($ts));
+                $res = NPTest->testCmd("LC_TIME=C TZ=UTC faketime -f '".strftime("%Y-%m-%d %H:%M:%S", localtime($ts))."' ./$plugin -C 1 $host_tls_http");
+                like($res->output, qr/CRITICAL - Certificate '$host_tls_cert' just expired/, "Output on expire date");
+                is( $res->return_code, 2, "Output on expire date" );
+
+                $res = NPTest->testCmd("LC_TIME=C TZ=UTC faketime -f '".strftime("%Y-%m-%d %H:%M:%S", localtime($ts-1))."' ./$plugin -C 1 $host_tls_http");
+                like($res->output, qr/CRITICAL - Certificate '$host_tls_cert' expires in 0 minutes/, "cert expires in 1 second output");
+                is( $res->return_code, 2, "cert expires in 1 second exit code" );
+
+                $res = NPTest->testCmd("LC_TIME=C TZ=UTC faketime -f '".strftime("%Y-%m-%d %H:%M:%S", localtime($ts-120))."' ./$plugin -C 1 $host_tls_http");
+                like($res->output, qr/CRITICAL - Certificate '$host_tls_cert' expires in 2 minutes/, "cert expires in 2 minutes output");
+                is( $res->return_code, 2, "cert expires in 2 minutes exit code" );
+
+                $res = NPTest->testCmd("LC_TIME=C TZ=UTC faketime -f '".strftime("%Y-%m-%d %H:%M:%S", localtime($ts-7200))."' ./$plugin -C 1 $host_tls_http");
+                like($res->output, qr/CRITICAL - Certificate '$host_tls_cert' expires in 2 hours/, "cert expires in 2 hours output");
+                is( $res->return_code, 2, "cert expires in 2 hours exit code" );
+
+                $res = NPTest->testCmd("LC_TIME=C TZ=UTC faketime -f '".strftime("%Y-%m-%d %H:%M:%S", localtime($ts+1))."' ./$plugin -C 1 $host_tls_http");
+                like($res->output, qr/CRITICAL - Certificate '$host_tls_cert' expired on/, "Certificate expired output");
+                is( $res->return_code, 2, "Certificate expired exit code" );
+        };
+
+        $res = NPTest->testCmd( "./$plugin --ssl $host_tls_http -E" );
+        like  ( $res->output, '/time_connect=[\d\.]+/', 'Extended Performance Data Output OK' );
+        like  ( $res->output, '/time_ssl=[\d\.]+/', 'Extended Performance Data SSL Output OK' );
+
+        $res = NPTest->testCmd(
+                "./$plugin --ssl -H www.e-paycobalt.com"
+                );
+        cmp_ok( $res->return_code, "==", 0, "Can read https for www.e-paycobalt.com (uses AES certificate)" );
+
+
+        $res = NPTest->testCmd( "./$plugin -H www.mozilla.com -u /firefox -f follow" );
+        is( $res->return_code, 0, "Redirection based on location is okay");
+
+        $res = NPTest->testCmd( "./$plugin -H www.mozilla.com --extended-perfdata" );
+        like  ( $res->output, '/time_connect=[\d\.]+/', 'Extended Performance Data Output OK' );
+}
diff --git a/plugins/t/check_fping.t b/plugins/t/check_fping.t
index 08692e4..342b0a7 100644
--- a/plugins/t/check_fping.t
+++ b/plugins/t/check_fping.t
@@ -15,15 +15,9 @@ BEGIN {$tests = 4; plan tests => $tests}
 my $successOutput = '/^FPING OK - /';
 my $failureOutput = '/^FPING CRITICAL - /';
 
-my $host_responsive    = getTestParameter( "host_responsive",    "NP_HOST_RESPONSIVE",    "localhost",
-                                           "The hostname of system responsive to network requests" );
-
-my $host_nonresponsive = getTestParameter( "host_nonresponsive", "NP_HOST_NONRESPONSIVE", "10.0.0.1",
-                                           "The hostname of system not responsive to network requests" );
-
-my $hostname_invalid   = getTestParameter( "hostname_invalid",   "NP_HOSTNAME_INVALID",   "nosuchhost",
-                                           "An invalid (not known to DNS) hostname" );
-
+my $host_responsive    = getTestParameter("NP_HOST_RESPONSIVE", "The hostname of system responsive to network requests", "localhost");
+my $host_nonresponsive = getTestParameter("NP_HOST_NONRESPONSIVE", "The hostname of system not responsive to network requests", "10.0.0.1");
+my $hostname_invalid   = getTestParameter("NP_HOSTNAME_INVALID", "An invalid (not known to DNS) hostname", "nosuchhost");
 
 my $t;
 
diff --git a/plugins/t/check_ftp.t b/plugins/t/check_ftp.t
index de6831b..93a7d7c 100644
--- a/plugins/t/check_ftp.t
+++ b/plugins/t/check_ftp.t
@@ -11,14 +11,9 @@ use NPTest;
 use vars qw($tests);
 BEGIN {$tests = 4; plan tests => $tests}
 
-my $host_tcp_ftp       = getTestParameter( "host_tcp_ftp",       "NP_HOST_TCP_FTP",       "localhost",
-                                           "A host providing the FTP Service (an FTP server)");
-
-my $host_nonresponsive = getTestParameter( "host_nonresponsive", "NP_HOST_NONRESPONSIVE", "10.0.0.1",
-                                           "The hostname of system not responsive to network requests" );
-
-my $hostname_invalid   = getTestParameter( "hostname_invalid",   "NP_HOSTNAME_INVALID",   "nosuchhost",
-                                           "An invalid (not known to DNS) hostname" );
+my $host_tcp_ftp       = getTestParameter("NP_HOST_TCP_FTP", "A host providing the FTP Service (an FTP server)", "localhost");
+my $host_nonresponsive = getTestParameter("NP_HOST_NONRESPONSIVE", "The hostname of system not responsive to network requests", "10.0.0.1");
+my $hostname_invalid   = getTestParameter("NP_HOSTNAME_INVALID", "An invalid (not known to DNS) hostname", "nosuchhost");
 
 my $successOutput = '/FTP OK -\s+[0-9]?\.?[0-9]+ second response time/';
 
diff --git a/plugins/t/check_http.t b/plugins/t/check_http.t
index 8bd484a..e92681e 100644
--- a/plugins/t/check_http.t
+++ b/plugins/t/check_http.t
@@ -9,61 +9,46 @@ use Test::More;
 use POSIX qw/mktime strftime/;
 use NPTest;
 
-plan tests => 49;
+plan tests => 50;
 
 my $successOutput = '/OK.*HTTP.*second/';
 
 my $res;
-
-my $host_tcp_http      = getTestParameter( "NP_HOST_TCP_HTTP",
-                "A host providing the HTTP Service (a web server)",
-                "localhost" );
-
-my $host_tls_http      = getTestParameter( "host_tls_http",      "NP_HOST_TLS_HTTP",      "localhost",
-                                           "A host providing the HTTPS Service (a tls web server)" );
-
-my $host_tls_cert      = getTestParameter( "host_tls_cert",      "NP_HOST_TLS_CERT",      "localhost",
-                                           "the common name of the certificate." );
-
-
-my $host_nonresponsive = getTestParameter( "NP_HOST_NONRESPONSIVE",
-                "The hostname of system not responsive to network requests",
-                "10.0.0.1" );
-
-my $hostname_invalid   = getTestParameter( "NP_HOSTNAME_INVALID",
-                "An invalid (not known to DNS) hostname",
-                "nosuchhost");
-
-my $internet_access = getTestParameter( "NP_INTERNET_ACCESS",
-                "Is this system directly connected to the internet?",
-                "yes");
-
-my $host_tcp_http2  = getTestParameter( "NP_HOST_TCP_HTTP2",
-            "A host providing an index page containing the string 'monitoring'",
-            "test.monitoring-plugins.org" );
+my $plugin = 'check_http';
+$plugin    = 'check_curl' if $0 =~ m/check_curl/mx;
+
+my $host_tcp_http      = getTestParameter("NP_HOST_TCP_HTTP", "A host providing the HTTP Service (a web server)", "localhost");
+my $host_tls_http      = getTestParameter("NP_HOST_TLS_HTTP", "A host providing the HTTPS Service (a tls web server)", "localhost");
+my $host_tls_cert      = getTestParameter("NP_HOST_TLS_CERT", "the common name of the certificate.", "localhost");
+my $host_nonresponsive = getTestParameter("NP_HOST_NONRESPONSIVE", "The hostname of system not responsive to network requests", "10.0.0.1");
+my $hostname_invalid   = getTestParameter("NP_HOSTNAME_INVALID", "An invalid (not known to DNS) hostname", "nosuchhost");
+my $internet_access    = getTestParameter("NP_INTERNET_ACCESS", "Is this system directly connected to the internet?", "yes");
+my $host_tcp_http2     = getTestParameter("NP_HOST_TCP_HTTP2", "A host providing an index page containing the string 'monitoring'", "test.monitoring-plugins.org");
+my $host_tcp_proxy     = getTestParameter("NP_HOST_TCP_PROXY", "A host providing a HTTP proxy with CONNECT support", "localhost");
+my $port_tcp_proxy     = getTestParameter("NP_PORT_TCP_PROXY", "Port of the proxy with HTTP and CONNECT support", "3128");
 
 my $faketime = -x '/usr/bin/faketime' ? 1 : 0;
 
 
 $res = NPTest->testCmd(
-        "./check_http $host_tcp_http -wt 300 -ct 600"
+        "./$plugin $host_tcp_http -wt 300 -ct 600"
         );
 cmp_ok( $res->return_code, '==', 0, "Webserver $host_tcp_http responded" );
 like( $res->output, $successOutput, "Output OK" );
 
 $res = NPTest->testCmd(
-        "./check_http $host_tcp_http -wt 300 -ct 600 -v -v -v -k 'bob:there' -k 'carl:frown'"
+        "./$plugin $host_tcp_http -wt 300 -ct 600 -v -v -v -k 'bob:there' -k 'carl:frown'"
         );
 like( $res->output, '/bob:there\r\ncarl:frown\r\n/', "Got headers with multiple -k options" );
 
 $res = NPTest->testCmd(
-        "./check_http $host_nonresponsive -wt 1 -ct 2 -t 3"
+        "./$plugin $host_nonresponsive -wt 1 -ct 2 -t 3"
         );
 cmp_ok( $res->return_code, '==', 2, "Webserver $host_nonresponsive not responding" );
 cmp_ok( $res->output, 'eq', "CRITICAL - Socket timeout after 3 seconds", "Output OK");
 
 $res = NPTest->testCmd(
-        "./check_http $hostname_invalid -wt 1 -ct 2"
+        "./$plugin $hostname_invalid -wt 1 -ct 2"
         );
 cmp_ok( $res->return_code, '==', 2, "Webserver $hostname_invalid not valid" );
 # The first part of the message comes from the OS catalogue, so cannot check this.
@@ -72,86 +57,86 @@ cmp_ok( $res->return_code, '==', 2, "Webserver $hostname_invalid not valid" );
 like( $res->output, "/Unable to open TCP socket|Socket timeout after/", "Output OK");
 
 # host header checks
-$res = NPTest->testCmd("./check_http -v -H $host_tcp_http");
+$res = NPTest->testCmd("./$plugin -v -H $host_tcp_http");
 like( $res->output, '/^Host: '.$host_tcp_http.'\s*$/ms', "Host Header OK" );
 
-$res = NPTest->testCmd("./check_http -v -H $host_tcp_http -p 80");
+$res = NPTest->testCmd("./$plugin -v -H $host_tcp_http -p 80");
 like( $res->output, '/^Host: '.$host_tcp_http.'\s*$/ms', "Host Header OK" );
 
-$res = NPTest->testCmd("./check_http -v -H $host_tcp_http:8080 -p 80");
+$res = NPTest->testCmd("./$plugin -v -H $host_tcp_http:8080 -p 80");
 like( $res->output, '/^Host: '.$host_tcp_http.':8080\s*$/ms', "Host Header OK" );
 
-$res = NPTest->testCmd("./check_http -v -H $host_tcp_http:8080 -p 80");
+$res = NPTest->testCmd("./$plugin -v -H $host_tcp_http:8080 -p 80");
 like( $res->output, '/^Host: '.$host_tcp_http.':8080\s*$/ms', "Host Header OK" );
 
 SKIP: {
         skip "No internet access", 3 if $internet_access eq "no";
 
-        $res = NPTest->testCmd("./check_http -v -H $host_tls_http -S");
+        $res = NPTest->testCmd("./$plugin -v -H $host_tls_http -S");
         like( $res->output, '/^Host: '.$host_tls_http.'\s*$/ms', "Host Header OK" );
 
-        $res = NPTest->testCmd("./check_http -v -H $host_tls_http:8080 -S -p 443");
+        $res = NPTest->testCmd("./$plugin -v -H $host_tls_http:8080 -S -p 443");
         like( $res->output, '/^Host: '.$host_tls_http.':8080\s*$/ms', "Host Header OK" );
 
-        $res = NPTest->testCmd("./check_http -v -H $host_tls_http:443 -S -p 443");
+        $res = NPTest->testCmd("./$plugin -v -H $host_tls_http:443 -S -p 443");
         like( $res->output, '/^Host: '.$host_tls_http.'\s*$/ms', "Host Header OK" );
 };
 
 SKIP: {
         skip "No host serving monitoring in index file", 7 unless $host_tcp_http2;
 
-        $res = NPTest->testCmd( "./check_http -H $host_tcp_http2 -r 'monitoring'" );
+        $res = NPTest->testCmd( "./$plugin -H $host_tcp_http2 -r 'monitoring'" );
         cmp_ok( $res->return_code, "==", 0, "Got a reference to 'monitoring'");
 
-        $res = NPTest->testCmd( "./check_http -H $host_tcp_http2 -r 'mONiTORing'" );
+        $res = NPTest->testCmd( "./$plugin -H $host_tcp_http2 -r 'mONiTORing'" );
         cmp_ok( $res->return_code, "==", 2, "Not got 'mONiTORing'");
         like ( $res->output, "/pattern not found/", "Error message says 'pattern not found'");
 
-        $res = NPTest->testCmd( "./check_http -H $host_tcp_http2 -R 'mONiTORing'" );
+        $res = NPTest->testCmd( "./$plugin -H $host_tcp_http2 -R 'mONiTORing'" );
         cmp_ok( $res->return_code, "==", 0, "But case insensitive doesn't mind 'mONiTORing'");
 
-        $res = NPTest->testCmd( "./check_http -H $host_tcp_http2 -r 'monitoring' --invert-regex" );
+        $res = NPTest->testCmd( "./$plugin -H $host_tcp_http2 -r 'monitoring' --invert-regex" );
         cmp_ok( $res->return_code, "==", 2, "Invert results work when found");
         like ( $res->output, "/pattern found/", "Error message says 'pattern found'");
 
-        $res = NPTest->testCmd( "./check_http -H $host_tcp_http2 -r 'mONiTORing' --invert-regex" );
+        $res = NPTest->testCmd( "./$plugin -H $host_tcp_http2 -r 'mONiTORing' --invert-regex" );
         cmp_ok( $res->return_code, "==", 0, "And also when not found");
 }
 SKIP: {
         skip "No internet access", 16 if $internet_access eq "no";
 
         $res = NPTest->testCmd(
-                "./check_http --ssl $host_tls_http"
+                "./$plugin --ssl $host_tls_http"
                 );
         cmp_ok( $res->return_code, '==', 0, "Can read https for $host_tls_http" );
 
-        $res = NPTest->testCmd( "./check_http -C 1 --ssl $host_tls_http" );
+        $res = NPTest->testCmd( "./$plugin -C 1 --ssl $host_tls_http" );
         cmp_ok( $res->return_code, '==', 0, "Checking certificate for $host_tls_http");
         like  ( $res->output, "/Certificate '$host_tls_cert' will expire on/", "Output OK" );
         my $saved_cert_output = $res->output;
 
-        $res = NPTest->testCmd( "./check_http -C 8000,1 --ssl $host_tls_http" );
+        $res = NPTest->testCmd( "./$plugin -C 8000,1 --ssl $host_tls_http" );
         cmp_ok( $res->return_code, '==', 1, "Checking certificate for $host_tls_http");
         like  ( $res->output, qr/WARNING - Certificate '$host_tls_cert' expires in \d+ day/, "Output Warning" );
 
-        $res = NPTest->testCmd( "./check_http $host_tls_http -C 1" );
+        $res = NPTest->testCmd( "./$plugin $host_tls_http -C 1" );
         is( $res->return_code, 0, "Old syntax for cert checking okay" );
         is( $res->output, $saved_cert_output, "Same output as new syntax" );
 
-        $res = NPTest->testCmd( "./check_http -H $host_tls_http -C 1" );
+        $res = NPTest->testCmd( "./$plugin -H $host_tls_http -C 1" );
         is( $res->return_code, 0, "Updated syntax for cert checking okay" );
         is( $res->output, $saved_cert_output, "Same output as new syntax" );
 
-        $res = NPTest->testCmd( "./check_http -C 1 $host_tls_http" );
+        $res = NPTest->testCmd( "./$plugin -C 1 $host_tls_http" );
         cmp_ok( $res->output, 'eq', $saved_cert_output, "--ssl option automatically added");
 
-        $res = NPTest->testCmd( "./check_http $host_tls_http -C 1" );
+        $res = NPTest->testCmd( "./$plugin $host_tls_http -C 1" );
         cmp_ok( $res->output, 'eq', $saved_cert_output, "Old syntax for cert checking still works");
 
         # run some certificate checks with faketime
         SKIP: {
                 skip "No faketime binary found", 12 if !$faketime;
-                $res = NPTest->testCmd("LC_TIME=C TZ=UTC ./check_http -C 1 $host_tls_http");
+                $res = NPTest->testCmd("LC_TIME=C TZ=UTC ./$plugin -C 1 $host_tls_http");
                 like($res->output, qr/OK - Certificate '$host_tls_cert' will expire on/, "Catch cert output");
                 is( $res->return_code, 0, "Catch cert output exit code" );
                 my($mon,$day,$hour,$min,$sec,$year) = ($res->output =~ /(\w+)\s+(\d+)\s+(\d+):(\d+):(\d+)\s+(\d+)/);
@@ -161,40 +146,51 @@ SKIP: {
                 my $months = {'Jan' => 0, 'Feb' => 1, 'Mar' => 2, 'Apr' => 3, 'May' => 4, 'Jun' => 5, 'Jul' => 6, 'Aug' => 7, 'Sep' => 8, 'Oct' => 9, 'Nov' => 10, 'Dec' => 11};
                 my $ts   = mktime($sec, $min, $hour, $day, $months->{$mon}, $year-1900);
                 my $time = strftime("%Y-%m-%d %H:%M:%S", localtime($ts));
-                $res = NPTest->testCmd("LC_TIME=C TZ=UTC faketime -f '".strftime("%Y-%m-%d %H:%M:%S", localtime($ts))."' ./check_http -C 1 $host_tls_http");
+                $res = NPTest->testCmd("LC_TIME=C TZ=UTC faketime -f '".strftime("%Y-%m-%d %H:%M:%S", localtime($ts))."' ./$plugin -C 1 $host_tls_http");
                 like($res->output, qr/CRITICAL - Certificate '$host_tls_cert' just expired/, "Output on expire date");
-                is( $res->return_code, 2, "Output on expire date" );
 
-                $res = NPTest->testCmd("LC_TIME=C TZ=UTC faketime -f '".strftime("%Y-%m-%d %H:%M:%S", localtime($ts-1))."' ./check_http -C 1 $host_tls_http");
+                $res = NPTest->testCmd("LC_TIME=C TZ=UTC faketime -f '".strftime("%Y-%m-%d %H:%M:%S", localtime($ts-1))."' ./$plugin -C 1 $host_tls_http");
                 like($res->output, qr/CRITICAL - Certificate '$host_tls_cert' expires in 0 minutes/, "cert expires in 1 second output");
-                is( $res->return_code, 2, "cert expires in 1 second exit code" );
 
-                $res = NPTest->testCmd("LC_TIME=C TZ=UTC faketime -f '".strftime("%Y-%m-%d %H:%M:%S", localtime($ts-120))."' ./check_http -C 1 $host_tls_http");
+                $res = NPTest->testCmd("LC_TIME=C TZ=UTC faketime -f '".strftime("%Y-%m-%d %H:%M:%S", localtime($ts-120))."' ./$plugin -C 1 $host_tls_http");
                 like($res->output, qr/CRITICAL - Certificate '$host_tls_cert' expires in 2 minutes/, "cert expires in 2 minutes output");
-                is( $res->return_code, 2, "cert expires in 2 minutes exit code" );
 
-                $res = NPTest->testCmd("LC_TIME=C TZ=UTC faketime -f '".strftime("%Y-%m-%d %H:%M:%S", localtime($ts-7200))."' ./check_http -C 1 $host_tls_http");
+                $res = NPTest->testCmd("LC_TIME=C TZ=UTC faketime -f '".strftime("%Y-%m-%d %H:%M:%S", localtime($ts-7200))."' ./$plugin -C 1 $host_tls_http");
                 like($res->output, qr/CRITICAL - Certificate '$host_tls_cert' expires in 2 hours/, "cert expires in 2 hours output");
-                is( $res->return_code, 2, "cert expires in 2 hours exit code" );
 
-                $res = NPTest->testCmd("LC_TIME=C TZ=UTC faketime -f '".strftime("%Y-%m-%d %H:%M:%S", localtime($ts+1))."' ./check_http -C 1 $host_tls_http");
+                $res = NPTest->testCmd("LC_TIME=C TZ=UTC faketime -f '".strftime("%Y-%m-%d %H:%M:%S", localtime($ts+1))."' ./$plugin -C 1 $host_tls_http");
                 like($res->output, qr/CRITICAL - Certificate '$host_tls_cert' expired on/, "Certificate expired output");
-                is( $res->return_code, 2, "Certificate expired exit code" );
         };
 
-        $res = NPTest->testCmd( "./check_http --ssl $host_tls_http -E" );
+        $res = NPTest->testCmd( "./$plugin --ssl $host_tls_http -E" );
         like  ( $res->output, '/time_connect=[\d\.]+/', 'Extended Performance Data Output OK' );
         like  ( $res->output, '/time_ssl=[\d\.]+/', 'Extended Performance Data SSL Output OK' );
 
         $res = NPTest->testCmd(
-                "./check_http --ssl -H www.e-paycobalt.com"
+                "./$plugin --ssl -H www.e-paycobalt.com"
                 );
         cmp_ok( $res->return_code, "==", 0, "Can read https for www.e-paycobalt.com (uses AES certificate)" );
 
 
-        $res = NPTest->testCmd( "./check_http -H www.mozilla.com -u /firefox -f follow" );
+        $res = NPTest->testCmd( "./$plugin -H www.mozilla.com -u /firefox -f follow" );
         is( $res->return_code, 0, "Redirection based on location is okay");
 
-        $res = NPTest->testCmd( "./check_http -H www.mozilla.com --extended-perfdata" );
+        $res = NPTest->testCmd( "./$plugin -H www.mozilla.com --extended-perfdata" );
         like  ( $res->output, '/time_connect=[\d\.]+/', 'Extended Performance Data Output OK' );
 }
+
+SKIP: {
+        skip "No internet access or proxy configured", 6 if $internet_access eq "no" or ! $host_tcp_proxy;
+
+        $res = NPTest->testCmd( "./$plugin -I $host_tcp_proxy -p $port_tcp_proxy -u http://$host_tcp_http -e 200,301,302");
+        is( $res->return_code, 0, "Proxy HTTP works");
+        like($res->output, qr/OK: Status line output matched/, "Proxy HTTP Output is sufficent");
+
+        $res = NPTest->testCmd( "./$plugin -I $host_tcp_proxy -p $port_tcp_proxy -H $host_tls_http -S -j CONNECT");
+        is( $res->return_code, 0, "Proxy HTTP CONNECT works");
+        like($res->output, qr/HTTP OK:/, "Proxy HTTP CONNECT output sufficent");
+
+        $res = NPTest->testCmd( "./$plugin -I $host_tcp_proxy -p $port_tcp_proxy -H $host_tls_http -S -j CONNECT:HEAD");
+        is( $res->return_code, 0, "Proxy HTTP CONNECT works with override method");
+        like($res->output, qr/HTTP OK:/, "Proxy HTTP CONNECT output sufficent");
+}
diff --git a/plugins/t/check_imap.t b/plugins/t/check_imap.t
index 9c6eae1..7c74e56 100644
--- a/plugins/t/check_imap.t
+++ b/plugins/t/check_imap.t
@@ -8,17 +8,10 @@ use strict;
 use Test::More tests => 7;
 use NPTest;
 
-my $host_tcp_smtp      = getTestParameter( "host_tcp_smtp",      "NP_HOST_TCP_SMTP",      "mailhost",
-                                           "A host providing an STMP Service (a mail server)");
-
-my $host_tcp_imap      = getTestParameter( "host_tcp_imap",      "NP_HOST_TCP_IMAP",      $host_tcp_smtp,
-                                           "A host providing an IMAP Service (a mail server)");
-
-my $host_nonresponsive = getTestParameter( "host_nonresponsive", "NP_HOST_NONRESPONSIVE", "10.0.0.1",
-                                           "The hostname of system not responsive to network requests" );
-
-my $hostname_invalid   = getTestParameter( "hostname_invalid",   "NP_HOSTNAME_INVALID",   "nosuchhost",
-                                           "An invalid (not known to DNS) hostname" );
+my $host_tcp_smtp      = getTestParameter("NP_HOST_TCP_SMTP", "A host providing an STMP Service (a mail server)", "mailhost");
+my $host_tcp_imap      = getTestParameter("NP_HOST_TCP_IMAP", "A host providing an IMAP Service (a mail server)", $host_tcp_smtp);
+my $host_nonresponsive = getTestParameter("NP_HOST_NONRESPONSIVE", "The hostname of system not responsive to network requests", "10.0.0.1");
+my $hostname_invalid   = getTestParameter("NP_HOSTNAME_INVALID", "An invalid (not known to DNS) hostname", "nosuchhost");
 
 my $t;
 
diff --git a/plugins/t/check_jabber.t b/plugins/t/check_jabber.t
index 7a708d5..fcdae17 100644
--- a/plugins/t/check_jabber.t
+++ b/plugins/t/check_jabber.t
@@ -10,23 +10,9 @@ use NPTest;
 
 plan tests => 10;
 
-my $host_tcp_jabber = getTestParameter( 
-                        "NP_HOST_TCP_JABBER",
-                        "A host providing the Jabber Service",
-                        "jabber.org"
-                        );
-
-my $host_nonresponsive = getTestParameter(
-                        "NP_HOST_NONRESPONSIVE", 
-                        "The hostname of system not responsive to network requests",
-                        "10.0.0.1",
-                        );
-
-my $hostname_invalid   = getTestParameter( 
-                        "NP_HOSTNAME_INVALID",
-                        "An invalid (not known to DNS) hostname",
-                        "nosuchhost",
-                        );
+my $host_tcp_jabber    = getTestParameter("NP_HOST_TCP_JABBER", "A host providing the Jabber Service", "jabber.de");
+my $host_nonresponsive = getTestParameter("NP_HOST_NONRESPONSIVE", "The hostname of system not responsive to network requests", "10.0.0.1");
+my $hostname_invalid   = getTestParameter("NP_HOSTNAME_INVALID", "An invalid (not known to DNS) hostname", "nosuchhost");
 
 
 my $jabberOK = '/JABBER OK\s-\s\d+\.\d+\ssecond response time on '.$host_tcp_jabber.' port 5222/';
diff --git a/plugins/t/check_ldap.t b/plugins/t/check_ldap.t
index b8944d4..b8a4a76 100644
--- a/plugins/t/check_ldap.t
+++ b/plugins/t/check_ldap.t
@@ -9,19 +9,10 @@ use warnings;
 use Test::More;
 use NPTest;
 
-my $host_tcp_ldap      = getTestParameter("NP_HOST_TCP_LDAP",
-                                          "A host providing the LDAP Service",
-                                          "localhost" );
-
-my $ldap_base_dn       = getTestParameter("NP_LDAP_BASE_DN",
-                                          "A base dn for the LDAP Service",
-                                          "cn=admin" );
-
-my $host_nonresponsive = getTestParameter("host_nonresponsive", "NP_HOST_NONRESPONSIVE", "10.0.0.1",
-                                          "The hostname of system not responsive to network requests" );
-
-my $hostname_invalid   = getTestParameter("hostname_invalid",   "NP_HOSTNAME_INVALID",   "nosuchhost",
-                                          "An invalid (not known to DNS) hostname" );
+my $host_tcp_ldap      = getTestParameter("NP_HOST_TCP_LDAP", "A host providing the LDAP Service", "localhost");
+my $ldap_base_dn       = getTestParameter("NP_LDAP_BASE_DN", "A base dn for the LDAP Service", "cn=admin");
+my $host_nonresponsive = getTestParameter("NP_HOST_NONRESPONSIVE", "The hostname of system not responsive to network requests", "10.0.0.1");
+my $hostname_invalid   = getTestParameter("NP_HOSTNAME_INVALID", "An invalid (not known to DNS) hostname", "nosuchhost");
 
 my($result, $cmd);
 my $command = './check_ldap';
diff --git a/plugins/t/check_mysql.t b/plugins/t/check_mysql.t
index 28cd4cd..e426bf5 100644
--- a/plugins/t/check_mysql.t
+++ b/plugins/t/check_mysql.t
@@ -21,30 +21,11 @@ plan skip_all => "check_mysql not compiled" unless (-x "check_mysql");
 plan tests => 15;
 
 my $bad_login_output = '/Access denied for user /';
-my $mysqlserver = getTestParameter(
-                "NP_MYSQL_SERVER",
-                "A MySQL Server hostname or IP with no slaves setup"
-                );
-my $mysqlsocket = getTestParameter(
-                "NP_MYSQL_SOCKET",
-                "Full path to a MySQL Server socket with no slaves setup"
-                );
-my $mysql_login_details = getTestParameter(
-                "MYSQL_LOGIN_DETAILS",
-                "Command line parameters to specify login access (requires " .
-                "REPLICATION CLIENT privleges)",
-                "-u test -ptest",
-                );
-my $with_slave = getTestParameter(
-                "NP_MYSQL_WITH_SLAVE",
-                "MySQL server with slaves setup"
-                );
-my $with_slave_login = getTestParameter(
-                "NP_MYSQL_WITH_SLAVE_LOGIN",
-                "Login details for server with slave (requires REPLICATION CLIENT " .
-                "privleges)",
-                $mysql_login_details || "-u test -ptest"
-                );
+my $mysqlserver         = getTestParameter("NP_MYSQL_SERVER", "A MySQL Server hostname or IP with no slaves setup");
+my $mysqlsocket         = getTestParameter("NP_MYSQL_SOCKET", "Full path to a MySQL Server socket with no slaves setup");
+my $mysql_login_details = getTestParameter("NP_MYSQL_LOGIN_DETAILS", "Command line parameters to specify login access (requires REPLICATION CLIENT privleges)", "-u test -ptest");
+my $with_slave          = getTestParameter("NP_MYSQL_WITH_SLAVE", "MySQL server with slaves setup");
+my $with_slave_login    = getTestParameter("NP_MYSQL_WITH_SLAVE_LOGIN", "Login details for server with slave (requires REPLICATION CLIENT privleges)", $mysql_login_details || "-u test -ptest");
 
 my $result;
 
diff --git a/plugins/t/check_mysql_query.t b/plugins/t/check_mysql_query.t
index 407af88..96899ac 100644
--- a/plugins/t/check_mysql_query.t
+++ b/plugins/t/check_mysql_query.t
@@ -17,15 +17,8 @@ use vars qw($tests);
 
 plan skip_all => "check_mysql_query not compiled" unless (-x "check_mysql_query");
 
-my $mysqlserver = getTestParameter( 
-                "NP_MYSQL_SERVER", 
-                "A MySQL Server with no slaves setup"
-                );
-my $mysql_login_details = getTestParameter( 
-                "MYSQL_LOGIN_DETAILS", 
-                "Command line parameters to specify login access",
-                "-u user -ppw -d db",
-                );
+my $mysqlserver         = getTestParameter("NP_MYSQL_SERVER", "A MySQL Server with no slaves setup");
+my $mysql_login_details = getTestParameter("NP_MYSQL_LOGIN_DETAILS", "Command line parameters to specify login access", "-u user -ppw -d db");
 my $result;
 
 if (! $mysqlserver) {
diff --git a/plugins/t/check_snmp.t b/plugins/t/check_snmp.t
index 9a6cd2b..f2f218f 100644
--- a/plugins/t/check_snmp.t
+++ b/plugins/t/check_snmp.t
@@ -15,18 +15,12 @@ BEGIN {
 
 my $res;
 
-my $host_snmp = getTestParameter( "host_snmp",          "NP_HOST_SNMP",      "localhost",
-                                  "A host providing an SNMP Service");
+my $host_snmp          = getTestParameter("NP_HOST_SNMP", "A host providing an SNMP Service", "localhost");
+my $snmp_community     = getTestParameter("NP_SNMP_COMMUNITY", "The SNMP Community string for SNMP Testing (assumes snmp v1)", "public");
+my $host_nonresponsive = getTestParameter("NP_HOST_NONRESPONSIVE", "The hostname of system not responsive to network requests", "10.0.0.1");
+my $hostname_invalid   = getTestParameter("NP_HOSTNAME_INVALID", "An invalid (not known to DNS) hostname", "nosuchhost");
+my $user_snmp          = getTestParameter("NP_SNMP_USER", "An SNMP user", "auth_md5");
 
-my $snmp_community = getTestParameter( "snmp_community",     "NP_SNMP_COMMUNITY", "public",
-                                       "The SNMP Community string for SNMP Testing (assumes snmp v1)" );
-
-my $host_nonresponsive = getTestParameter( "host_nonresponsive", "NP_HOST_NONRESPONSIVE", "10.0.0.1",
-                                           "The hostname of system not responsive to network requests" );
-
-my $hostname_invalid   = getTestParameter( "hostname_invalid",   "NP_HOSTNAME_INVALID",   "nosuchhost",
-                                           "An invalid (not known to DNS) hostname" );
-my $user_snmp = getTestParameter( "user_snmp",    "NP_SNMP_USER",    "auth_md5", "An SNMP user");
 
 $res = NPTest->testCmd( "./check_snmp -t 1" );
 is( $res->return_code, 3, "No host name" );
diff --git a/plugins/t/check_ssh.t b/plugins/t/check_ssh.t
index 8008349..a5cd23c 100644
--- a/plugins/t/check_ssh.t
+++ b/plugins/t/check_ssh.t
@@ -9,17 +9,9 @@ use Test::More;
 use NPTest;
 
 # Required parameters
-my $ssh_host           = getTestParameter("NP_SSH_HOST",
-                                          "A host providing SSH service",
-                                          "localhost");
-
-my $host_nonresponsive = getTestParameter("NP_HOST_NONRESPONSIVE",
-                                          "The hostname of system not responsive to network requests",
-                                          "10.0.0.1" );
-
-my $hostname_invalid   = getTestParameter("NP_HOSTNAME_INVALID",
-                                          "An invalid (not known to DNS) hostname",
-                                          "nosuchhost" );
+my $ssh_host           = getTestParameter("NP_SSH_HOST", "A host providing SSH service", "localhost");
+my $host_nonresponsive = getTestParameter("NP_HOST_NONRESPONSIVE", "The hostname of system not responsive to network requests", "10.0.0.1" );
+my $hostname_invalid   = getTestParameter("NP_HOSTNAME_INVALID", "An invalid (not known to DNS) hostname", "nosuchhost" );
 
 
 plan skip_all => "SSH_HOST must be defined" unless $ssh_host;
diff --git a/plugins/t/check_tcp.t b/plugins/t/check_tcp.t
index 121b0cb..cb4de53 100644
--- a/plugins/t/check_tcp.t
+++ b/plugins/t/check_tcp.t
@@ -15,21 +15,11 @@ BEGIN {
 }
 
 
-my $host_tcp_http      = getTestParameter( "host_tcp_http",      "NP_HOST_TCP_HTTP",      "localhost",
-                                           "A host providing the HTTP Service (a web server)" );
-
-my $host_tls_http      = getTestParameter( "host_tls_http",      "NP_HOST_TLS_HTTP",      "localhost",
-                                           "A host providing the HTTPS Service (a tls web server)" );
-
-my $host_nonresponsive = getTestParameter( "host_nonresponsive", "NP_HOST_NONRESPONSIVE", "10.0.0.1",
-                                           "The hostname of system not responsive to network requests" );
-
-my $hostname_invalid   = getTestParameter( "hostname_invalid",   "NP_HOSTNAME_INVALID",   "nosuchhost",
-                                           "An invalid (not known to DNS) hostname" );
-
-my $internet_access    = getTestParameter( "NP_INTERNET_ACCESS",
-                                           "Is this system directly connected to the internet?",
-                                           "yes");
+my $host_tcp_http      = getTestParameter("NP_HOST_TCP_HTTP", "A host providing the HTTP Service (a web server)", "localhost");
+my $host_tls_http      = getTestParameter("NP_HOST_TLS_HTTP", "A host providing the HTTPS Service (a tls web server)", "localhost");
+my $host_nonresponsive = getTestParameter("NP_HOST_NONRESPONSIVE", "The hostname of system not responsive to network requests", "10.0.0.1");
+my $hostname_invalid   = getTestParameter("NP_HOSTNAME_INVALID", "An invalid (not known to DNS) hostname", "nosuchhost");
+my $internet_access    = getTestParameter("NP_INTERNET_ACCESS", "Is this system directly connected to the internet?", "yes");
 
 my $successOutput = '/^TCP OK\s-\s+[0-9]?\.?[0-9]+ second response time on port [0-9]+/';
 
diff --git a/plugins/t/check_time.t b/plugins/t/check_time.t
index 961f56e..92c2f89 100644
--- a/plugins/t/check_time.t
+++ b/plugins/t/check_time.t
@@ -11,14 +11,9 @@ use NPTest;
 use vars qw($tests);
 BEGIN {$tests = 8; plan tests => $tests}
 
-my $host_udp_time      = getTestParameter( "host_udp_time",      "NP_HOST_UDP_TIME",      "localhost",
-                                           "A host providing the UDP Time Service" );
-
-my $host_nonresponsive = getTestParameter( "host_nonresponsive", "NP_HOST_NONRESPONSIVE", "10.0.0.1",
-                                           "The hostname of system not responsive to network requests" );
-
-my $hostname_invalid   = getTestParameter( "hostname_invalid",   "NP_HOSTNAME_INVALID",   "nosuchhost",
-                                           "An invalid (not known to DNS) hostname" );
+my $host_udp_time      = getTestParameter("NP_HOST_UDP_TIME", "A host providing the UDP Time Service", "localhost");
+my $host_nonresponsive = getTestParameter("NP_HOST_NONRESPONSIVE", "The hostname of system not responsive to network requests", "10.0.0.1");
+my $hostname_invalid   = getTestParameter("NP_HOSTNAME_INVALID", "An invalid (not known to DNS) hostname", "nosuchhost");
 
 my $successOutput = '/^TIME OK - [0-9]+ second time difference/';
 
diff --git a/plugins/tests/certs/expired-cert.pem b/plugins/tests/certs/expired-cert.pem
index 40324cf..77a9166 100644
--- a/plugins/tests/certs/expired-cert.pem
+++ b/plugins/tests/certs/expired-cert.pem
@@ -1,21 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIDYzCCAsygAwIBAgIJAJISzcX71f5pMA0GCSqGSIb3DQEBBAUAMH8xCzAJBgNV
-BAYTAlVLMRMwEQYDVQQIEwpEZXJieXNoaXJlMQ8wDQYDVQQHEwZCZWxwZXIxFzAV
-BgNVBAoTDk5hZ2lvcyBQbHVnaW5zMREwDwYDVQQDEwhUb24gVm9vbjEeMBwGCSqG
-SIb3DQEJARYPdG9udm9vbkBtYWMuY29tMB4XDTA5MDMwNjAwMTMxNVoXDTA5MDMw
-NTAwMTMxNlowfzELMAkGA1UEBhMCVUsxEzARBgNVBAgTCkRlcmJ5c2hpcmUxDzAN
-BgNVBAcTBkJlbHBlcjEXMBUGA1UEChMOTmFnaW9zIFBsdWdpbnMxETAPBgNVBAMT
-CFRvbiBWb29uMR4wHAYJKoZIhvcNAQkBFg90b252b29uQG1hYy5jb20wgZ8wDQYJ
-KoZIhvcNAQEBBQADgY0AMIGJAoGBAOQHP4JnzACi4q6quXAiK+gTSffG6yyjEV+K
-iyutRgBF2MdF03X5ls0wENw/5fnMTrHynl4XoGoV/rD4CR2hGT0m7dv7Vu0MRLlP
-J1SCiFeMuQS30zzLMJr0A7IW869qRlKQmzxs1JT6XDbSoNQuF154zoxwNsKlMjoX
-tJSHN2YpAgMBAAGjgeYwgeMwHQYDVR0OBBYEFHWjM9OQldrDLMcAfPnUVfGxlzOp
-MIGzBgNVHSMEgaswgaiAFHWjM9OQldrDLMcAfPnUVfGxlzOpoYGEpIGBMH8xCzAJ
-BgNVBAYTAlVLMRMwEQYDVQQIEwpEZXJieXNoaXJlMQ8wDQYDVQQHEwZCZWxwZXIx
-FzAVBgNVBAoTDk5hZ2lvcyBQbHVnaW5zMREwDwYDVQQDEwhUb24gVm9vbjEeMBwG
-CSqGSIb3DQEJARYPdG9udm9vbkBtYWMuY29tggkAkhLNxfvV/mkwDAYDVR0TBAUw
-AwEB/zANBgkqhkiG9w0BAQQFAAOBgQDHjoXoGwBamCiNplTt93jH/TO08RATdZP5
-45hlxv2+PKCjjTiFa2mjAvopFiqmYsr40XYEmpeYMiaOzOW5rBjtqBAT/JJWyfda
-SCmj3swqyKus63rv/iuokIhZzBdhbB+eOJJrmwT2SEc5KdRaipH0QAGF1nZAAGzo
-6xW7hkzYog==
+MIIEETCCAvmgAwIBAgIUFDsP6WnV/uqeQMpD/DYSqouE13kwDQYJKoZIhvcNAQEL
+BQAwgZcxCzAJBgNVBAYTAkRFMRAwDgYDVQQIDAdCYXZhcmlhMQ8wDQYDVQQHDAZN
+dW5pY2gxGzAZBgNVBAoMEk1vbml0b3JpbmcgUGx1Z2luczEbMBkGA1UEAwwSTW9u
+aXRvcmluZyBQbHVnaW5zMSswKQYJKoZIhvcNAQkBFhxkZXZlbEBtb25pdG9yaW5n
+LXBsdWdpbnMub3JnMB4XDTA4MDEwMTExMDAyNloXDTA4MDEwMjExMDAyNlowgZcx
+CzAJBgNVBAYTAkRFMRAwDgYDVQQIDAdCYXZhcmlhMQ8wDQYDVQQHDAZNdW5pY2gx
+GzAZBgNVBAoMEk1vbml0b3JpbmcgUGx1Z2luczEbMBkGA1UEAwwSTW9uaXRvcmlu
+ZyBQbHVnaW5zMSswKQYJKoZIhvcNAQkBFhxkZXZlbEBtb25pdG9yaW5nLXBsdWdp
+bnMub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyeHKwKFjJWUX
+YHKsisypUf9dHlIPQAISyGP1BX6UL26ZLvE6kKbx3LFQ9W2POGoQWlzFiB1soGeV
+WDd0U0JtWdCKmOXWdcXpupQlTSUtRCMDQkfqLN8GR5TBTd73rezp5mz08nMfLwu0
+p5VQ191Ui8JHFgrAOalAn8Uw5De8vj4VmTXmU5NJ2UFoC0ddU/Th/lwRCayHc1cn
+MVq2F7c/uhMUUQYNBmJy0pxoHawp+j9NKl/xIYsjgQNgahQyNuswuGHjaEwhPu+7
+G03XsW4ehu+H1898M/MkSln6LQAU1syoJ8ypPM8tV+zgx4uwj7udnZ2hceN95uW7
+0PWg5DQyUwIDAQABo1MwUTAdBgNVHQ4EFgQUt9ps3KJ1XiMuy/ijFBjMzf6jgwkw
+HwYDVR0jBBgwFoAUt9ps3KJ1XiMuy/ijFBjMzf6jgwkwDwYDVR0TAQH/BAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAQEAVPBZwMHbrnHFbmhbcPuvYd5cxk0uSVNAUzsl
+2biCq5P+ZHo10VHGygXtdV4utqk/IrAt2u5qSxycWPStCtAgTd3Q8ncfjOkaHM4z
+2bxTkhLyQeU8NWPuDBqDszo2GOaFTv+lm36LEKiAfqB1tjQVePSkycdrWIhkamBV
+EgMe6uHLdU7QQk1ajQfrBdakN1beqki/dKieA6gm+XF/QS4SSYINmsHB/2X5cT9U
+b/KMB8xurCnuJQuk1P4VsSkJCOSeHjWZgK9pKNdsIJZr4wDVfhjQgU0XT6xakSf7
+eCaHtO0VKsbLZoiTmpxidjsdYiXyeKYIQNtUpTjyJ5V/cZsq9w==
 -----END CERTIFICATE-----
diff --git a/plugins/tests/certs/expired-key.pem b/plugins/tests/certs/expired-key.pem
index af0e24d..c1510b2 100644
--- a/plugins/tests/certs/expired-key.pem
+++ b/plugins/tests/certs/expired-key.pem
@@ -1,15 +1,28 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDkBz+CZ8wAouKuqrlwIivoE0n3xussoxFfiosrrUYARdjHRdN1
-+ZbNMBDcP+X5zE6x8p5eF6BqFf6w+AkdoRk9Ju3b+1btDES5TydUgohXjLkEt9M8
-yzCa9AOyFvOvakZSkJs8bNSU+lw20qDULhdeeM6McDbCpTI6F7SUhzdmKQIDAQAB
-AoGARgI3rHjjuDpKMGg4IMZNBqaNaiZHY9/44IVvrww21rSbFqtIfgsQEpU0R/rS
-R7xDWPztRGQqmwd/t6OfYNpqHbjO1MWzasVBVnzue5P59Y1xy1h0LZF8+a9GY++0
-uAGUC24jsXSmypNVzoX+ZKyinA3oYV/etdPYx1W8Ms5XIzUCQQD7xwhMuLok6Kbq
-UEgiSfBTbx+haP3IiqqMF14z8QoEyD3jchydNaXEYdQxN8jEl2aPrMqTc6x8Jq4/
-ai0OkB+fAkEA59pAmN81HylV7+CsVjLOSbJqzau7NDxSs2uutxhHZRwz0e25wVer
-fA03l08u0ebC/TDHkmHV6ikCryM5HU2FNwJAVZJFzd2S1myEHmr+uTisB49jDrbi
-WkBWypo+mCS6JPnxntXvx7auClq9haTSBY73eqldiFPuMZvr6P2rJqHxPQJBAOTM
-quaxjti7kATy8N73sD9mBKQGju1TgkFxSK+DFCGhnTnToXY9MAtxd6SoDYoyccYu
-dyPrzJAR/IYc+mYCdC0CQDKlZuMPVXEgvGaQapzMQ++5yJRvMZF4tWvONBs0OCE9
-QYarsTi5M20cymMBXHOLZIjqwsni4G/C9kqJSvC75Vg=
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDJ4crAoWMlZRdg
+cqyKzKlR/10eUg9AAhLIY/UFfpQvbpku8TqQpvHcsVD1bY84ahBaXMWIHWygZ5VY
+N3RTQm1Z0IqY5dZ1xem6lCVNJS1EIwNCR+os3wZHlMFN3vet7OnmbPTycx8vC7Sn
+lVDX3VSLwkcWCsA5qUCfxTDkN7y+PhWZNeZTk0nZQWgLR11T9OH+XBEJrIdzVycx
+WrYXtz+6ExRRBg0GYnLSnGgdrCn6P00qX/EhiyOBA2BqFDI26zC4YeNoTCE+77sb
+Tdexbh6G74fXz3wz8yRKWfotABTWzKgnzKk8zy1X7ODHi7CPu52dnaFx433m5bvQ
+9aDkNDJTAgMBAAECggEACrLFfNnQmD24NGs/S4e2/VpsA9xTZI/3kNkDNgxULANP
+aNZtxRajwI9A/BCXQ2UTgsZhzWnJxOJYXrlpl7PweY78mUesysb3MOUC6QisUm0M
+kimfdktHWOnAKLFFLNleN9DUVjjVkTeslijqhNX80f80py1grG2UuCLKCX4OqYIm
+qACE8TMmSZLz42AO96TndNtKplQ8LuGLEmByW95wEfhx3Gm4ckkL7qII/U3DnQXr
+0T+3xLaj+eNJzYDpIFZiw4sNzOuAyCz+4Cc4sPDuMnzquXF+enpkemoycC1RmEpG
+KIDTwmFsc8TrbGV0qifC6fsCrDivdYLqL7R/q3IBQQKBgQDmfvO3VYTEKY8NA+AT
+5s6+7NTxRsXxJUCEhCNBWimSH3EzmBAvrodLY6A0oYg8i81bgNX1I9GPVXJZ/QA7
+ukd84HUIQoGS5Usmo4rp+kz4P6KkLXDemZtWPU5GXxicfajHRQlkbW6St6SpV7IS
+ibJcDADeoiaPL1xvue1ToP/LoQKBgQDgOFHjYpep00gabvjXfYW7vhrg1vVwaKUM
+rf0+UW8Exk4nbBw0eEC2YjxIwzdktlkdbzGaXYULnhg8GnfxYesMOpCLPw1JdB8o
+ixETAFpW5bKrUsjEFRUGhzWnsCSFIQ4smpmtGLTxOQ8AkoDdORY5Z+Wv7JtFF6Do
+PSoblckZcwKBgB3TD3YJesRnHDty5OuuUdIikuslXTd2uoJrFqS+JeLibqNeabnB
+u3/lxDULMbWj4U6VvRmbKOKDC+jY887Gq7lc0cff0yROxwqY3sCnwo3crg7QUmp7
+Nb5S8G3qoCSfndcq96wm/Me/O28uCbycVJfUdchY8uRUHIHYbP0FOBQBAoGBAMgh
+fPX4imaKr1DovDObVkK87EDDnU84GBm5MtDs3qrkVd3aIVK0Aw7HoAdSN58tI12i
+YiPmVVqJQhhjh6tsOuAvZdTj8ngdrbICbrsHFZt6an+A5LIgHyQ0iy+hiPdLCdvG
+ImTeKKMmyr04Bs1upueWVO0xw2VoMbcY4Py+NUEBAoGASQqedfCSKGLT+5lLZrhP
+CbFVMmswEPjBcRb1trcuA09vfExn9FfUNFnnw3i9miprED5kufvAjb+6nduXizKg
+7HQYHCwVvakgtXgbiDMaNgYZcjWm+MdnfiwLJjJTO3DfI1JF2PJ8y9R95DPlAkDm
+xH3OV8KV4UiTEVxS7ksmGzY=
+-----END PRIVATE KEY-----
diff --git a/plugins/tests/certs/server-cert.pem b/plugins/tests/certs/server-cert.pem
index 549e4f7..b84b91d 100644
--- a/plugins/tests/certs/server-cert.pem
+++ b/plugins/tests/certs/server-cert.pem
@@ -1,21 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIDYzCCAsygAwIBAgIJAL8LkpNwzYdxMA0GCSqGSIb3DQEBBAUAMH8xCzAJBgNV
-BAYTAlVLMRMwEQYDVQQIEwpEZXJieXNoaXJlMQ8wDQYDVQQHEwZCZWxwZXIxFzAV
-BgNVBAoTDk5hZ2lvcyBQbHVnaW5zMREwDwYDVQQDEwhUb24gVm9vbjEeMBwGCSqG
-SIb3DQEJARYPdG9udm9vbkBtYWMuY29tMB4XDTA5MDMwNTIxNDEyOFoXDTE5MDMw
-MzIxNDEyOFowfzELMAkGA1UEBhMCVUsxEzARBgNVBAgTCkRlcmJ5c2hpcmUxDzAN
-BgNVBAcTBkJlbHBlcjEXMBUGA1UEChMOTmFnaW9zIFBsdWdpbnMxETAPBgNVBAMT
-CFRvbiBWb29uMR4wHAYJKoZIhvcNAQkBFg90b252b29uQG1hYy5jb20wgZ8wDQYJ
-KoZIhvcNAQEBBQADgY0AMIGJAoGBAKcWMBtNtfY8vZXk0SN6/EYTVN/LOvaOSegy
-oVdLoGwuwjagk+XmCzvCqHZRp8lnCLay7AO8AQI7TSN02ihCcSrgGA9OT+HciIJ1
-l5/kEYUAuA1PR6YKK/T713zUAlMzy2tsugx5+xSsSEwsXkmne52jJiG/wuE5CLT0
-9pF8HQqHAgMBAAGjgeYwgeMwHQYDVR0OBBYEFGioSPQ/rdE19+zaeY2YvHTXlUDI
-MIGzBgNVHSMEgaswgaiAFGioSPQ/rdE19+zaeY2YvHTXlUDIoYGEpIGBMH8xCzAJ
-BgNVBAYTAlVLMRMwEQYDVQQIEwpEZXJieXNoaXJlMQ8wDQYDVQQHEwZCZWxwZXIx
-FzAVBgNVBAoTDk5hZ2lvcyBQbHVnaW5zMREwDwYDVQQDEwhUb24gVm9vbjEeMBwG
-CSqGSIb3DQEJARYPdG9udm9vbkBtYWMuY29tggkAvwuSk3DNh3EwDAYDVR0TBAUw
-AwEB/zANBgkqhkiG9w0BAQQFAAOBgQCdqasaIO6JiV5ONFG6Tr1++85UfEdZKMUX
-N2NHiNNUunolIZEYR+dW99ezKmHlDiQ/tMgoLVYpl2Ubho2pAkLGQR+W0ZASgWQ1
-NjfV27Rv0y6lYQMTA0lVAU93L1x9reo3FMedmL5+H+lIEpLCxEPtAJNISrJOneZB
-W5jDadwkoQ==
+MIIEBjCCAu6gAwIBAgIJANbQ5QQrKhUGMA0GCSqGSIb3DQEBCwUAMIGXMQswCQYD
+VQQGEwJERTEQMA4GA1UECAwHQmF2YXJpYTEPMA0GA1UEBwwGTXVuaWNoMRswGQYD
+VQQKDBJNb25pdG9yaW5nIFBsdWdpbnMxGzAZBgNVBAMMEk1vbml0b3JpbmcgUGx1
+Z2luczErMCkGCSqGSIb3DQEJARYcZGV2ZWxAbW9uaXRvcmluZy1wbHVnaW5zLm9y
+ZzAeFw0xOTAyMTkxNTMxNDRaFw0yOTAyMTYxNTMxNDRaMIGXMQswCQYDVQQGEwJE
+RTEQMA4GA1UECAwHQmF2YXJpYTEPMA0GA1UEBwwGTXVuaWNoMRswGQYDVQQKDBJN
+b25pdG9yaW5nIFBsdWdpbnMxGzAZBgNVBAMMEk1vbml0b3JpbmcgUGx1Z2luczEr
+MCkGCSqGSIb3DQEJARYcZGV2ZWxAbW9uaXRvcmluZy1wbHVnaW5zLm9yZzCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKgV2yp8pQvJuN+aJGdAe6Hd0tja
+uteCPcNIcM92WLOF69TLTSYon1XDon4tHTh4Z5d4lD8bfsGzFVBmDSgWidhAUf+v
+EqEXwbp293ej/Frc0pXCvmrz6kI1tWrLtQhL/VdbxFYxhV7JjKb+PY3SxGFpSLPe
+PQ/5SwVndv7rZIwcjseL22K5Uy2TIrkgzzm2pRs/IvoxRybYr/+LGoHyrtJC6AO8
+ylp8A/etL0gwtUvRnrnZeTQ2pA1uZ5QN3anTL8JP/ZRZYNegIkaawqMtTKbhM6pi
+u3/4a3Uppvt0y7vmGfQlYejxCpICnMrvHMpw8L58zv/98AbCGjDU3UwCt6MCAwEA
+AaNTMFEwHQYDVR0OBBYEFG/UH6nGYPlVcM75UXzXBF5GZyrcMB8GA1UdIwQYMBaA
+FG/UH6nGYPlVcM75UXzXBF5GZyrcMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcN
+AQELBQADggEBAGwitJPOnlIKLndNf+iCLMIs0dxsl8kAaejFcjoT0n4ja7Y6Zrqz
+VSIidzz9vQWvy24xKJpAOdj/iLRHCUOG+Pf5fA6+/FiuqXr6gE2/lm0eC58BNONr
+E5OzjQ/VoQ8RX4hDntgu6FYbaVa/vhwn16igt9qmdNGGZXf2/+DM3JADwyaA4EK8
+vm7KdofX9zkxXecHPNvf3jiVLPiDDt6tkGpHPEsyP/yc+RUdltUeZvHfliV0cCuC
+jJX+Fm9ysjSpHIFFr+jUMuMHibWoOD8iy3eYxfCDoWsH488pCbj8MNuAq6vd6DBk
+bOZxDz43vjWuYMkwXJTxJQh7Pne6kK0vE1g=
 -----END CERTIFICATE-----
diff --git a/plugins/tests/certs/server-key.pem b/plugins/tests/certs/server-key.pem
index eacaeaa..1194755 100644
--- a/plugins/tests/certs/server-key.pem
+++ b/plugins/tests/certs/server-key.pem
@@ -1,15 +1,28 @@
------BEGIN RSA PRIVATE KEY-----
-MIICWwIBAAKBgQCnFjAbTbX2PL2V5NEjevxGE1Tfyzr2jknoMqFXS6BsLsI2oJPl
-5gs7wqh2UafJZwi2suwDvAECO00jdNooQnEq4BgPTk/h3IiCdZef5BGFALgNT0em
-Civ0+9d81AJTM8trbLoMefsUrEhMLF5Jp3udoyYhv8LhOQi09PaRfB0KhwIDAQAB
-AoGAfpxclcP8N3vteXErXURrd7pcXT0GECDgNjhvc9PV20RPXM+vYs1AA+fMeeQE
-TaRqwO6x016aMRO4rz5ztYArecTBznkds1k59pkN/Ne/nsueU4tvGK8MNyS2o986
-Voohqkaq4Lcy1bcHJb9su1ELjegEr1R76Mz452Hsy+uTbAECQQDcg/tZWKVeh5CQ
-dOEB3YWHwfn0NDgfPm/X2i2kAZ7n7URaUy/ffdlfsrr1mBtHCfedLoOxmmlNfEpM
-hXAAurSHAkEAwfk7fEb0iN0Sj9gTozO7c6Ky10KwePZyjVzqSQIiJq3NX8BEaIeb
-51TXxE5VxaLjjMLRkA0hWTYXClgERFZ6AQJAN7ChPqwzf08PRFwwIw911JY5cOHr
-NoDHMCUql5vNLNdwBruxgGjBB/kUXEfgw60RusFvgt/zLh1wiii844JDawJAGQBF
-sYP3urg7zzx7c3qUe5gJ0wLuefjR1PSX4ecbfb7DDMdcSdjIuG1QDiZGmd2f1KG7
-nwSCOtxk5dloW2KGAQJAQh/iBn0QhfKLFAP5eZBVk8E8XlZuw+S2DLy5SnBlIiYJ
-GB5I2OClgtudXMv1labFrcST8O9eFrtsrhU1iUGUOw==
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCoFdsqfKULybjf
+miRnQHuh3dLY2rrXgj3DSHDPdlizhevUy00mKJ9Vw6J+LR04eGeXeJQ/G37BsxVQ
+Zg0oFonYQFH/rxKhF8G6dvd3o/xa3NKVwr5q8+pCNbVqy7UIS/1XW8RWMYVeyYym
+/j2N0sRhaUiz3j0P+UsFZ3b+62SMHI7Hi9tiuVMtkyK5IM85tqUbPyL6MUcm2K//
+ixqB8q7SQugDvMpafAP3rS9IMLVL0Z652Xk0NqQNbmeUDd2p0y/CT/2UWWDXoCJG
+msKjLUym4TOqYrt/+Gt1Kab7dMu75hn0JWHo8QqSApzK7xzKcPC+fM7//fAGwhow
+1N1MArejAgMBAAECggEANuvdTwanTzC8jaNqHaq+OuemS2E9B8nwsGxtH/zFgvNR
+WZiMPtmrJnTkFWJcV+VPw/iMSAqN4nDHmBugVOb4Z4asxGTKK4T9shXJSnh0rqPU
+00ZsvbmxY6z0+E5TesCJqQ+9GYTY1V357V7JchvaOxIRxWPqg9urHbru8OCtW/I5
+Fh5HPUZlgCvlMpjlhyjydIf/oXyVA3RNsXlwe8+2cKuGIrjEzm2j9o3VF0sctTX0
+ItP8A9qDmDQN7GIWX0MW6gncojpS1omC2wcFsdjj/xfPyiDal1X4aq/2YqG8351c
+YlM/+6Va0u9WWE/i64gASTAVqpMV4Yg8y0gGycuA0QKBgQDbgI2QeLd3FvMcURiU
+l3w9qJgw/Jp3jaNC/9LkVGGz4f4lKKB67lPZvI4noMK8GqO/LcXgqP/RY1oJojoA
+/6JKVvzYGASZ7VgMoG9bk1AneP1PGdibuTUEwimGlcObxnDFIC/yjwPFu3jIdqdS
+zZi1RZzyqAogN5y3SBEypSmn9wKBgQDECKsqqlcizmCl8v5aVk875AzGN+DOHZqx
+bkmztlnLO/2e2Fmk3G5Vvnui0FYisf8Eq19tUTQCF6lSfJlGQeFAT119wkFZhLu+
+FfLGqoEMH0ijJg/8PpdpFRK3I94YcISoTNN6yxMvE6xdDGfKCt5a+IX5bwQi9Zdc
+B242gEc6tQKBgA6tM8n7KFlAIZU9HuWgk2AUC8kKutFPmSD7tgAqXDYI4FNfugs+
+MEEYyHCB4UNujJBV4Ss6YZCAkh6eyD4U2aca1eElCfm40vBVMdzvpqZdAqLtWXxg
+D9l3mgszrFaYGCY2Fr6jLV9lP5g3xsxUjudf9jSLY9HvpfzjRrMaNATVAoGBALTl
+/vYfPMucwKlC5B7++J0e4/7iv6vUu9SyHocdZh1anb9AjPDKjXLIlZT4RhQ8R0XK
+0wOw5JpttU2uN08TKkbLNk3/vYhbKVjPLjrQSseh8sjDLgsqw1QwIxYnniLVakVY
+p+rvjSNrNyqicQCMKQavwgocvSd5lJRTMwxOMezlAoGBAKWj71BX+0CK00/2S6lC
+TcNcuUPG0d8y1czZ4q6tUlG4htwq1FMOpaghATXjkdsOGTLS+H1aA0Kt7Ai9zDhc
+/bzOJEJ+jvBXV4Gcs7jl1r/HTKv0tT9ZSI5Vzkida0rfqxDGzcMVlLuCdH0cb8Iu
+N0wdmCAqlQwHR13+F1zrAD7V
+-----END PRIVATE KEY-----
diff --git a/plugins/tests/check_curl.t b/plugins/tests/check_curl.t
new file mode 100755
index 0000000..1afbe4b
--- /dev/null
+++ b/plugins/tests/check_curl.t
@@ -0,0 +1,498 @@
+#! /usr/bin/perl -w -I ..
+#
+# Test check_http by having an actual HTTP server running
+#
+# To create the https server certificate:
+# openssl req -new -x509 -keyout server-key.pem -out server-cert.pem -days 3650 -nodes
+# to create a new expired certificate:
+# faketime '2008-01-01 12:00:00' openssl req -new -x509 -keyout expired-key.pem -out expired-cert.pem -days 1 -nodes
+# Country Name (2 letter code) [AU]:DE
+# State or Province Name (full name) [Some-State]:Bavaria
+# Locality Name (eg, city) []:Munich
+# Organization Name (eg, company) [Internet Widgits Pty Ltd]:Monitoring Plugins
+# Organizational Unit Name (eg, section) []:
+# Common Name (e.g. server FQDN or YOUR name) []:Monitoring Plugins
+# Email Address []:devel@monitoring-plugins.org
+
+use strict;
+use Test::More;
+use NPTest;
+use FindBin qw($Bin);
+
+$ENV{'LC_TIME'} = "C";
+
+my $common_tests = 70;
+my $ssl_only_tests = 8;
+# Check that all dependent modules are available
+eval "use HTTP::Daemon 6.01;";
+plan skip_all => 'HTTP::Daemon >= 6.01 required' if $@;
+eval {
+        require HTTP::Status;
+        require HTTP::Response;
+};
+
+my $plugin = 'check_http';
+$plugin    = 'check_curl' if $0 =~ m/check_curl/mx;
+
+# look for libcurl version to see if some advanced checks are possible (>= 7.49.0)
+my $advanced_checks = 12;
+my $use_advanced_checks = 0;
+my $required_version = '7.49.0';
+my $virtual_host = 'www.somefunnyhost.com';
+my $virtual_port = 42;
+my $curl_version = '';
+open (my $fh, '-|', "./$plugin --version") or die;
+while (<$fh>) {
+        if (m{libcurl/([\d.]+)\s}) {
+                $curl_version = $1;
+                last;
+        }
+}
+close ($fh);
+if ($curl_version) {
+        my ($major, $minor, $release) = split (/\./, $curl_version);
+        my ($req_major, $req_minor, $req_release) = split (/\./, $required_version);
+        my $check = ($major <=> $req_major or $minor <=> $req_minor or $release <=> $req_release);
+        if ($check >= 0) {
+                $use_advanced_checks = 1;
+                print "Found libcurl $major.$minor.$release. Using advanced checks\n";
+        }
+}
+
+if ($@) {
+        plan skip_all => "Missing required module for test: $@";
+} else {
+        if (-x "./$plugin") {
+                plan tests => $common_tests * 2 + $ssl_only_tests + $advanced_checks;
+        } else {
+                plan skip_all => "No $plugin compiled";
+        }
+}
+
+my $servers = { http => 0 };    # HTTP::Daemon should always be available
+eval { require HTTP::Daemon::SSL };
+if ($@) {
+        diag "Cannot load HTTP::Daemon::SSL: $@";
+} else {
+        $servers->{https} = 0;
+}
+
+# set a fixed version, so the header size doesn't vary
+$HTTP::Daemon::VERSION = "1.00";
+
+my $port_http = 50000 + int(rand(1000));
+my $port_https = $port_http + 1;
+my $port_https_expired = $port_http + 2;
+
+# This array keeps sockets around for implementing timeouts
+my @persist;
+
+# Start up all servers
+my @pids;
+my $pid = fork();
+if ($pid) {
+        # Parent
+        push @pids, $pid;
+        if (exists $servers->{https}) {
+                # Fork a normal HTTPS server
+                $pid = fork();
+                if ($pid) {
+                        # Parent
+                        push @pids, $pid;
+                        # Fork an expired cert server
+                        $pid = fork();
+                        if ($pid) {
+                                push @pids, $pid;
+                        } else {
+                                my $d = HTTP::Daemon::SSL->new(
+                                        LocalPort => $port_https_expired,
+                                        LocalAddr => "127.0.0.1",
+                                        SSL_cert_file => "$Bin/certs/expired-cert.pem",
+                                        SSL_key_file => "$Bin/certs/expired-key.pem",
+                                ) || die;
+                                print "Please contact https expired at: <URL:", $d->url, ">\n";
+                                run_server( $d );
+                                exit;
+                        }
+                } else {
+                        my $d = HTTP::Daemon::SSL->new(
+                                LocalPort => $port_https,
+                                LocalAddr => "127.0.0.1",
+                                SSL_cert_file => "$Bin/certs/server-cert.pem",
+                                SSL_key_file => "$Bin/certs/server-key.pem",
+                        ) || die;
+                        print "Please contact https at: <URL:", $d->url, ">\n";
+                        run_server( $d );
+                        exit;
+                }
+        }
+        # give our webservers some time to startup
+        sleep(1);
+} else {
+        # Child
+        #print "child\n";
+        my $d = HTTP::Daemon->new(
+                LocalPort => $port_http,
+                LocalAddr => "127.0.0.1",
+        ) || die;
+        print "Please contact http at: <URL:", $d->url, ">\n";
+        run_server( $d );
+        exit;
+}
+
+# Run the same server on http and https
+sub run_server {
+        my $d = shift;
+        MAINLOOP: while (my $c = $d->accept ) {
+                while (my $r = $c->get_request) {
+                        if ($r->method eq "GET" and $r->url->path =~ m^/statuscode/(\d+)^) {
+                                $c->send_basic_header($1);
+                                $c->send_crlf;
+                        } elsif ($r->method eq "GET" and $r->url->path =~ m^/file/(.*)^) {
+                                $c->send_basic_header;
+                                $c->send_crlf;
+                                $c->send_file_response("$Bin/var/$1");
+                        } elsif ($r->method eq "GET" and $r->url->path eq "/slow") {
+                                $c->send_basic_header;
+                                $c->send_crlf;
+                                sleep 1;
+                                $c->send_response("slow");
+                        } elsif ($r->url->path eq "/method") {
+                                if ($r->method eq "DELETE") {
+                                        $c->send_error(HTTP::Status->RC_METHOD_NOT_ALLOWED);
+                                } elsif ($r->method eq "foo") {
+                                        $c->send_error(HTTP::Status->RC_NOT_IMPLEMENTED);
+                                } else {
+                                        $c->send_status_line(200, $r->method);
+                                }
+                        } elsif ($r->url->path eq "/postdata") {
+                                $c->send_basic_header;
+                                $c->send_crlf;
+                                $c->send_response($r->method.":".$r->content);
+                        } elsif ($r->url->path eq "/redirect") {
+                                $c->send_redirect( "/redirect2" );
+                        } elsif ($r->url->path eq "/redir_external") {
+                                $c->send_redirect(($d->isa('HTTP::Daemon::SSL') ? "https" : "http") . "://169.254.169.254/redirect2" );
+                        } elsif ($r->url->path eq "/redirect2") {
+                                $c->send_basic_header;
+                                $c->send_crlf;
+                                $c->send_response(HTTP::Response->new( 200, 'OK', undef, 'redirected' ));
+                        } elsif ($r->url->path eq "/redir_timeout") {
+                                $c->send_redirect( "/timeout" );
+                        } elsif ($r->url->path eq "/timeout") {
+                                # Keep $c from being destroyed, but prevent severe leaks
+                                unshift @persist, $c;
+                                delete($persist[1000]);
+                                next MAINLOOP;
+                        } elsif ($r->url->path eq "/header_check") {
+                                $c->send_basic_header;
+                                $c->send_header('foo');
+                                $c->send_crlf;
+                        } elsif ($r->url->path eq "/virtual_port") {
+                                # return sent Host header
+                                $c->send_basic_header;
+                                $c->send_crlf;
+                                $c->send_response(HTTP::Response->new( 200, 'OK', undef, $r->header ('Host')));
+                        } else {
+                                $c->send_error(HTTP::Status->RC_FORBIDDEN);
+                        }
+                        $c->close;
+                }
+        }
+}
+
+END {
+        foreach my $pid (@pids) {
+                if ($pid) { print "Killing $pid\n"; kill "INT", $pid }
+        }
+};
+
+if ($ARGV[0] && $ARGV[0] eq "-d") {
+        while (1) {
+                sleep 100;
+        }
+}
+
+my $result;
+my $command = "./$plugin -H 127.0.0.1";
+
+run_common_tests( { command => "$command -p $port_http" } );
+SKIP: {
+        skip "HTTP::Daemon::SSL not installed", $common_tests + $ssl_only_tests if ! exists $servers->{https};
+        run_common_tests( { command => "$command -p $port_https", ssl => 1 } );
+
+        $result = NPTest->testCmd( "$command -p $port_https -S -C 14" );
+        is( $result->return_code, 0, "$command -p $port_https -S -C 14" );
+        is( $result->output, "OK - Certificate 'Monitoring Plugins' will expire on Fri Feb 16 15:31:44 2029 +0000.", "output ok" );
+
+        $result = NPTest->testCmd( "$command -p $port_https -S -C 14000" );
+        is( $result->return_code, 1, "$command -p $port_https -S -C 14000" );
+        like( $result->output, '/WARNING - Certificate \'Monitoring Plugins\' expires in \d+ day\(s\) \(Fri Feb 16 15:31:44 2029 \+0000\)./', "output ok" );
+
+        # Expired cert tests
+        $result = NPTest->testCmd( "$command -p $port_https -S -C 13960,14000" );
+        is( $result->return_code, 2, "$command -p $port_https -S -C 13960,14000" );
+        like( $result->output, '/CRITICAL - Certificate \'Monitoring Plugins\' expires in \d+ day\(s\) \(Fri Feb 16 15:31:44 2029 \+0000\)./', "output ok" );
+
+        $result = NPTest->testCmd( "$command -p $port_https_expired -S -C 7" );
+        is( $result->return_code, 2, "$command -p $port_https_expired -S -C 7" );
+        is( $result->output,
+                'CRITICAL - Certificate \'Monitoring Plugins\' expired on Wed Jan  2 11:00:26 2008 +0000.',
+                "output ok" );
+
+}
+
+my $cmd;
+
+# advanced checks with virtual hostname and virtual port
+SKIP: {
+        skip "libcurl version is smaller than $required_version", 6 unless $use_advanced_checks;
+        
+        # http without virtual port
+        $cmd = "./$plugin -H $virtual_host -I 127.0.0.1 -p $port_http -u /virtual_port -r ^$virtual_host:$port_http\$";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 0, $cmd);
+        like( $result->output, '/^HTTP OK: HTTP/1.1 200 OK - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+
+        # http with virtual port (!= 80)
+        $cmd = "./$plugin -H $virtual_host:$virtual_port -I 127.0.0.1 -p $port_http -u /virtual_port -r ^$virtual_host:$virtual_port\$";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 0, $cmd);
+        like( $result->output, '/^HTTP OK: HTTP/1.1 200 OK - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+        
+        # http with virtual port (80)
+        $cmd = "./$plugin -H $virtual_host:80 -I 127.0.0.1 -p $port_http -u /virtual_port -r ^$virtual_host\$";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 0, $cmd);
+        like( $result->output, '/^HTTP OK: HTTP/1.1 200 OK - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+}
+
+# and the same for SSL
+SKIP: {
+        skip "libcurl version is smaller than $required_version and/or HTTP::Daemon::SSL not installed", 6 if ! exists $servers->{https} or not $use_advanced_checks;
+        # https without virtual port
+        $cmd = "./$plugin -H $virtual_host -I 127.0.0.1 -p $port_https --ssl -u /virtual_port -r ^$virtual_host:$port_https\$";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 0, $cmd);
+        like( $result->output, '/^HTTP OK: HTTP/1.1 200 OK - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+
+        # https with virtual port (!= 443)
+        $cmd = "./$plugin -H $virtual_host:$virtual_port -I 127.0.0.1 -p $port_https --ssl -u /virtual_port -r ^$virtual_host:$virtual_port\$";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 0, $cmd);
+        like( $result->output, '/^HTTP OK: HTTP/1.1 200 OK - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+
+        # https with virtual port (443)
+        $cmd = "./$plugin -H $virtual_host:443 -I 127.0.0.1 -p $port_https --ssl -u /virtual_port -r ^$virtual_host\$";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 0, $cmd);
+        like( $result->output, '/^HTTP OK: HTTP/1.1 200 OK - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+}
+
+
+sub run_common_tests {
+        my ($opts) = @_;
+        my $command = $opts->{command};
+        if ($opts->{ssl}) {
+                $command .= " --ssl";
+        }
+
+        $result = NPTest->testCmd( "$command -u /file/root" );
+        is( $result->return_code, 0, "/file/root");
+        like( $result->output, '/^HTTP OK: HTTP/1.1 200 OK - 274 bytes in [\d\.]+ second/', "Output correct" );
+
+        $result = NPTest->testCmd( "$command -u /file/root -s Root" );
+        is( $result->return_code, 0, "/file/root search for string");
+        like( $result->output, '/^HTTP OK: HTTP/1.1 200 OK - 274 bytes in [\d\.]+ second/', "Output correct" );
+
+        $result = NPTest->testCmd( "$command -u /file/root -s NonRoot" );
+        is( $result->return_code, 2, "Missing string check");
+        like( $result->output, qr%^HTTP CRITICAL: HTTP/1\.1 200 OK - string 'NonRoot' not found on 'https?://127\.0\.0\.1:\d+/file/root'%, "Shows search string and location");
+
+        $result = NPTest->testCmd( "$command -u /file/root -s NonRootWithOver30charsAndMoreFunThanAWetFish" );
+        is( $result->return_code, 2, "Missing string check");
+        like( $result->output, qr%HTTP CRITICAL: HTTP/1\.1 200 OK - string 'NonRootWithOver30charsAndM...' not found on 'https?://127\.0\.0\.1:\d+/file/root'%, "Shows search string and location");
+
+        $result = NPTest->testCmd( "$command -u /header_check -d foo" );
+        is( $result->return_code, 0, "header_check search for string");
+        like( $result->output, '/^HTTP OK: HTTP/1.1 200 OK - 96 bytes in [\d\.]+ second/', "Output correct" );
+
+        $result = NPTest->testCmd( "$command -u /header_check -d bar" );
+        is( $result->return_code, 2, "Missing header string check");
+        like( $result->output, qr%^HTTP CRITICAL: HTTP/1\.1 200 OK - header 'bar' not found on 'https?://127\.0\.0\.1:\d+/header_check'%, "Shows search string and location");
+
+        my $cmd;
+        $cmd = "$command -u /slow";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 0, "$cmd");
+        like( $result->output, '/^HTTP OK: HTTP/1.1 200 OK - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+        $result->output =~ /in ([\d\.]+) second/;
+        cmp_ok( $1, ">", 1, "Time is > 1 second" );
+
+        $cmd = "$command -u /statuscode/200";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 0, $cmd);
+        like( $result->output, '/^HTTP OK: HTTP/1.1 200 OK - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+
+        $cmd = "$command -u /statuscode/200 -e 200";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 0, $cmd);
+        like( $result->output, '/^HTTP OK: HTTP/1.1 200 OK - Status line output matched "200" - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+
+        $cmd = "$command -u /statuscode/201";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 0, $cmd);
+        like( $result->output, '/^HTTP OK: HTTP/1.1 201 Created - \d+ bytes in [\d\.]+ second /', "Output correct: ".$result->output );
+
+        $cmd = "$command -u /statuscode/201 -e 201";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 0, $cmd);
+        like( $result->output, '/^HTTP OK: HTTP/1.1 201 Created - Status line output matched "201" - \d+ bytes in [\d\.]+ second /', "Output correct: ".$result->output );
+
+        $cmd = "$command -u /statuscode/201 -e 200";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 2, $cmd);
+        like( $result->output, '/^HTTP CRITICAL - Invalid HTTP response received from host on port \d+: HTTP/1.1 201 Created/', "Output correct: ".$result->output );
+
+        $cmd = "$command -u /statuscode/200 -e 200,201,202";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 0, $cmd);
+        like( $result->output, '/^HTTP OK: HTTP/1.1 200 OK - Status line output matched "200,201,202" - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+
+        $cmd = "$command -u /statuscode/201 -e 200,201,202";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 0, $cmd);
+        like( $result->output, '/^HTTP OK: HTTP/1.1 201 Created - Status line output matched "200,201,202" - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+
+        $cmd = "$command -u /statuscode/203 -e 200,201,202";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 2, $cmd);
+        like( $result->output, '/^HTTP CRITICAL - Invalid HTTP response received from host on port (\d+): HTTP/1.1 203 Non-Authoritative Information/', "Output correct: ".$result->output );
+
+        $cmd = "$command -j HEAD -u /method";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 0, $cmd);
+        like( $result->output, '/^HTTP OK: HTTP/1.1 200 HEAD - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+
+        $cmd = "$command -j POST -u /method";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 0, $cmd);
+        like( $result->output, '/^HTTP OK: HTTP/1.1 200 POST - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+
+        $cmd = "$command -j GET -u /method";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 0, $cmd);
+        like( $result->output, '/^HTTP OK: HTTP/1.1 200 GET - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+
+        $cmd = "$command -u /method";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 0, $cmd);
+        like( $result->output, '/^HTTP OK: HTTP/1.1 200 GET - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+
+        $cmd = "$command -P foo -u /method";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 0, $cmd);
+        like( $result->output, '/^HTTP OK: HTTP/1.1 200 POST - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+
+        $cmd = "$command -j DELETE -u /method";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 1, $cmd);
+        like( $result->output, '/^HTTP WARNING: HTTP/1.1 405 Method Not Allowed/', "Output correct: ".$result->output );
+
+        $cmd = "$command -j foo -u /method";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 2, $cmd);
+        like( $result->output, '/^HTTP CRITICAL: HTTP/1.1 501 Not Implemented/', "Output correct: ".$result->output );
+
+        $cmd = "$command -P stufftoinclude -u /postdata -s POST:stufftoinclude";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 0, $cmd);
+        like( $result->output, '/^HTTP OK: HTTP/1.1 200 OK - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+
+        $cmd = "$command -j PUT -P stufftoinclude -u /postdata -s PUT:stufftoinclude";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 0, $cmd);
+        like( $result->output, '/^HTTP OK: HTTP/1.1 200 OK - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+
+        # To confirm that the free doesn't segfault
+        $cmd = "$command -P stufftoinclude -j PUT -u /postdata -s PUT:stufftoinclude";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 0, $cmd);
+        like( $result->output, '/^HTTP OK: HTTP/1.1 200 OK - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+
+        $cmd = "$command -u /redirect";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 0, $cmd);
+        like( $result->output, '/^HTTP OK: HTTP/1.1 301 Moved Permanently - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+
+        $cmd = "$command -f follow -u /redirect";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 0, $cmd);
+        like( $result->output, '/^HTTP OK: HTTP/1.1 200 OK - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+
+        $cmd = "$command -u /redirect -k 'follow: me'";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 0, $cmd);
+        like( $result->output, '/^HTTP OK: HTTP/1.1 301 Moved Permanently - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+
+        $cmd = "$command -f follow -u /redirect -k 'follow: me'";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 0, $cmd);
+        like( $result->output, '/^HTTP OK: HTTP/1.1 200 OK - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+
+        $cmd = "$command -f sticky -u /redirect -k 'follow: me'";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 0, $cmd);
+        like( $result->output, '/^HTTP OK: HTTP/1.1 200 OK - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+
+        $cmd = "$command -f stickyport -u /redirect -k 'follow: me'";
+        $result = NPTest->testCmd( $cmd );
+        is( $result->return_code, 0, $cmd);
+        like( $result->output, '/^HTTP OK: HTTP/1.1 200 OK - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+
+  # These tests may block
+        print "ALRM\n";
+
+        # stickyport - on full urlS port is set back to 80 otherwise
+        $cmd = "$command -f stickyport -u /redir_external -t 5 -s redirected";
+        eval {
+                local $SIG{ALRM} = sub { die "alarm\n" };
+                alarm(2);
+                $result = NPTest->testCmd( $cmd );
+                alarm(0);       };
+        isnt( $@, "alarm\n", $cmd );
+        is( $result->return_code, 0, $cmd );
+
+        # Let's hope there won't be any web server on :80 returning "redirected"!
+        $cmd = "$command -f sticky -u /redir_external -t 5 -s redirected";
+        eval {
+                local $SIG{ALRM} = sub { die "alarm\n" };
+                alarm(2);
+                $result = NPTest->testCmd( $cmd );
+                alarm(0); };
+        isnt( $@, "alarm\n", $cmd );
+        isnt( $result->return_code, 0, $cmd );
+
+        # Test an external address - timeout
+        SKIP: {
+                skip "This doesn't seem to work all the time", 1 unless ($ENV{HTTP_EXTERNAL});
+                $cmd = "$command -f follow -u /redir_external -t 5";
+                eval {
+                        $result = NPTest->testCmd( $cmd, 2 );
+                };
+                like( $@, "/timeout in command: $cmd/", $cmd );
+        }
+
+        $cmd = "$command -u /timeout -t 5";
+        eval {
+                $result = NPTest->testCmd( $cmd, 2 );
+        };
+        like( $@, "/timeout in command: $cmd/", $cmd );
+
+        $cmd = "$command -f follow -u /redir_timeout -t 2";
+        eval {
+                $result = NPTest->testCmd( $cmd, 5 );
+        };
+        is( $@, "", $cmd );
+
+}
diff --git a/plugins/tests/check_http.t b/plugins/tests/check_http.t
index d6d31de..2f051fa 100755
--- a/plugins/tests/check_http.t
+++ b/plugins/tests/check_http.t
@@ -4,13 +4,15 @@
 #
 # To create the https server certificate:
 # openssl req -new -x509 -keyout server-key.pem -out server-cert.pem -days 3650 -nodes
-# Country Name (2 letter code) [AU]:UK
-# State or Province Name (full name) [Some-State]:Derbyshire
-# Locality Name (eg, city) []:Belper
+# to create a new expired certificate:
+# faketime '2008-01-01 12:00:00' openssl req -new -x509 -keyout expired-key.pem -out expired-cert.pem -days 1 -nodes
+# Country Name (2 letter code) [AU]:DE
+# State or Province Name (full name) [Some-State]:Bavaria
+# Locality Name (eg, city) []:Munich
 # Organization Name (eg, company) [Internet Widgits Pty Ltd]:Monitoring Plugins
 # Organizational Unit Name (eg, section) []:
-# Common Name (eg, YOUR name) []:Ton Voon
-# Email Address []:tonvoon@mac.com
+# Common Name (e.g. server FQDN or YOUR name) []:Monitoring Plugins
+# Email Address []:devel@monitoring-plugins.org
 
 use strict;
 use Test::More;
@@ -30,13 +32,16 @@ eval {
         require HTTP::Response;
 };
 
+my $plugin = 'check_http';
+$plugin    = 'check_curl' if $0 =~ m/check_curl/mx;
+
 if ($@) {
         plan skip_all => "Missing required module for test: $@";
 } else {
-        if (-x "./check_http") {
+        if (-x "./$plugin") {
                 plan tests => $common_tests * 2 + $ssl_only_tests + $virtual_port_tests;
         } else {
-                plan skip_all => "No check_http compiled";
+                plan skip_all => "No $plugin compiled";
         }
 }
 
@@ -185,7 +190,7 @@ if ($ARGV[0] && $ARGV[0] eq "-d") {
 }
 
 my $result;
-my $command = "./check_http -H 127.0.0.1";
+my $command = "./$plugin -H 127.0.0.1";
 
 run_common_tests( { command => "$command -p $port_http" } );
 SKIP: {
@@ -194,21 +199,21 @@ SKIP: {
 
         $result = NPTest->testCmd( "$command -p $port_https -S -C 14" );
         is( $result->return_code, 0, "$command -p $port_https -S -C 14" );
-        is( $result->output, 'OK - Certificate \'Ton Voon\' will expire on Sun Mar  3 21:41:28 2019 +0000.', "output ok" );
+        is( $result->output, "OK - Certificate 'Monitoring Plugins' will expire on Fri Feb 16 15:31:44 2029 +0000.", "output ok" );
 
         $result = NPTest->testCmd( "$command -p $port_https -S -C 14000" );
         is( $result->return_code, 1, "$command -p $port_https -S -C 14000" );
-        like( $result->output, '/WARNING - Certificate \'Ton Voon\' expires in \d+ day\(s\) \(Sun Mar  3 21:41:28 2019 \+0000\)./', "output ok" );
+        like( $result->output, '/WARNING - Certificate \'Monitoring Plugins\' expires in \d+ day\(s\) \(Fri Feb 16 15:31:44 2029 \+0000\)./', "output ok" );
 
         # Expired cert tests
         $result = NPTest->testCmd( "$command -p $port_https -S -C 13960,14000" );
         is( $result->return_code, 2, "$command -p $port_https -S -C 13960,14000" );
-        like( $result->output, '/CRITICAL - Certificate \'Ton Voon\' expires in \d+ day\(s\) \(Sun Mar  3 21:41:28 2019 \+0000\)./', "output ok" );
+        like( $result->output, '/CRITICAL - Certificate \'Monitoring Plugins\' expires in \d+ day\(s\) \(Fri Feb 16 15:31:44 2029 \+0000\)./', "output ok" );
 
         $result = NPTest->testCmd( "$command -p $port_https_expired -S -C 7" );
         is( $result->return_code, 2, "$command -p $port_https_expired -S -C 7" );
         is( $result->output,
-                'CRITICAL - Certificate \'Ton Voon\' expired on Thu Mar  5 00:13:16 2009 +0000.',
+                'CRITICAL - Certificate \'Monitoring Plugins\' expired on Wed Jan  2 11:00:26 2008 +0000.',
                 "output ok" );
 
 }
diff --git a/plugins/tests/check_snmp.t b/plugins/tests/check_snmp.t
index 73a68b2..85d6bf5 100755
--- a/plugins/tests/check_snmp.t
+++ b/plugins/tests/check_snmp.t
@@ -7,6 +7,7 @@ use strict;
 use Test::More;
 use NPTest;
 use FindBin qw($Bin);
+use POSIX qw/strftime/;
 
 my $tests = 67;
 # Check that all dependent modules are available
@@ -37,6 +38,7 @@ if ($@) {
 
 my $port_snmp = 16100 + int(rand(100));
 
+my $faketime = -x '/usr/bin/faketime' ? 1 : 0;
 
 # Start up server
 my @pids;
@@ -118,77 +120,81 @@ like($res->output, '/'.quotemeta('SNMP OK - And now have fun with with this: \"C
 "And now have fun with with this: \"C:\\\\\"
 because we\'re not done yet!"').'/m', "Attempt to confuse parser No.3");
 
-system("rm -f ".$ENV{'MP_STATE_PATH'}."/check_snmp/*");
-$res = NPTest->testCmd( "./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.10 --rate -w 600" );
-is($res->return_code, 0, "Returns OK");
-is($res->output, "No previous data to calculate rate - assume okay");
+system("rm -f ".$ENV{'MP_STATE_PATH'}."/*/check_snmp/*");
 
-# Need to sleep, otherwise duration=0
-sleep 1;
+# run rate checks with faketime. rate checks depend on the exact amount of time spend between the
+# plugin runs which may fail on busy machines.
+# using faketime removes this race condition and also saves all the sleeps in between.
+SKIP: {
+    skip "No faketime binary found", 28 if !$faketime;
 
-$res = NPTest->testCmd( "./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.10 --rate -w 600" );
-is($res->return_code, 1, "WARNING - due to going above rate calculation" );
-is($res->output, "SNMP RATE WARNING - *666* | iso.3.6.1.4.1.8072.3.2.67.10=666;600 ");
+    my $ts = time();
+    $res = NPTest->testCmd("LC_TIME=C TZ=UTC faketime -f '".strftime("%Y-%m-%d %H:%M:%S", localtime($ts))."' ./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.10 --rate -w 600" );
+    is($res->return_code, 0, "Returns OK");
+    is($res->output, "No previous data to calculate rate - assume okay");
 
-$res = NPTest->testCmd( "./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.10 --rate -w 600" );
-is($res->return_code, 3, "UNKNOWN - basically the divide by zero error" );
-is($res->output, "Time duration between plugin calls is invalid");
+    # test rate 1 second later
+    $res = NPTest->testCmd("LC_TIME=C TZ=UTC faketime -f '".strftime("%Y-%m-%d %H:%M:%S", localtime($ts+1))."' ./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.10 --rate -w 600" );
+    is($res->return_code, 1, "WARNING - due to going above rate calculation" );
+    is($res->output, "SNMP RATE WARNING - *666* | iso.3.6.1.4.1.8072.3.2.67.10=666;600 ");
 
+    # test rate with same time
+    $res = NPTest->testCmd("LC_TIME=C TZ=UTC faketime -f '".strftime("%Y-%m-%d %H:%M:%S", localtime($ts+1))."' ./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.10 --rate -w 600" );
+    is($res->return_code, 3, "UNKNOWN - basically the divide by zero error" );
+    is($res->output, "Time duration between plugin calls is invalid");
 
-$res = NPTest->testCmd( "./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.10 --rate -l inoctets" );
-is($res->return_code, 0, "OK for first call" );
-is($res->output, "No previous data to calculate rate - assume okay" );
 
-# Need to sleep, otherwise duration=0
-sleep 1;
+    $res = NPTest->testCmd("LC_TIME=C TZ=UTC faketime -f '".strftime("%Y-%m-%d %H:%M:%S", localtime($ts))."' ./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.10 --rate -l inoctets" );
+    is($res->return_code, 0, "OK for first call" );
+    is($res->output, "No previous data to calculate rate - assume okay" );
 
-$res = NPTest->testCmd( "./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.10 --rate -l inoctets" );
-is($res->return_code, 0, "OK as no thresholds" );
-is($res->output, "SNMP RATE OK - inoctets 666 | inoctets=666 ", "Check label");
+    # test rate 1 second later
+    $res = NPTest->testCmd("LC_TIME=C TZ=UTC faketime -f '".strftime("%Y-%m-%d %H:%M:%S", localtime($ts+1))."' ./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.10 --rate -l inoctets" );
+    is($res->return_code, 0, "OK as no thresholds" );
+    is($res->output, "SNMP RATE OK - inoctets 666 | inoctets=666 ", "Check label");
 
-sleep 2;
+    # test rate 3 seconds later
+    $res = NPTest->testCmd("LC_TIME=C TZ=UTC faketime -f '".strftime("%Y-%m-%d %H:%M:%S", localtime($ts+3))."' ./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.10 --rate -l inoctets" );
+    is($res->return_code, 0, "OK as no thresholds" );
+    is($res->output, "SNMP RATE OK - inoctets 333 | inoctets=333 ", "Check rate decreases due to longer interval");
 
-$res = NPTest->testCmd( "./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.10 --rate -l inoctets" );
-is($res->return_code, 0, "OK as no thresholds" );
-is($res->output, "SNMP RATE OK - inoctets 333 | inoctets=333 ", "Check rate decreases due to longer interval");
 
+    # label performance data check
+    $res = NPTest->testCmd( "./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.10 -l test" );
+    is($res->return_code, 0, "OK as no thresholds" );
+    is($res->output, "SNMP OK - test 67996 | test=67996c ", "Check label");
 
-# label performance data check
-$res = NPTest->testCmd( "./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.10 -l test" );
-is($res->return_code, 0, "OK as no thresholds" );
-is($res->output, "SNMP OK - test 67996 | test=67996c ", "Check label");
+    $res = NPTest->testCmd( "./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.10 -l \"test'test\"" );
+    is($res->return_code, 0, "OK as no thresholds" );
+    is($res->output, "SNMP OK - test'test 68662 | \"test'test\"=68662c ", "Check label");
 
-$res = NPTest->testCmd( "./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.10 -l \"test'test\"" );
-is($res->return_code, 0, "OK as no thresholds" );
-is($res->output, "SNMP OK - test'test 68662 | \"test'test\"=68662c ", "Check label");
+    $res = NPTest->testCmd( "./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.10 -l 'test\"test'" );
+    is($res->return_code, 0, "OK as no thresholds" );
+    is($res->output, "SNMP OK - test\"test 69328 | 'test\"test'=69328c ", "Check label");
 
-$res = NPTest->testCmd( "./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.10 -l 'test\"test'" );
-is($res->return_code, 0, "OK as no thresholds" );
-is($res->output, "SNMP OK - test\"test 69328 | 'test\"test'=69328c ", "Check label");
+    $res = NPTest->testCmd( "./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.10 -l test -O" );
+    is($res->return_code, 0, "OK as no thresholds" );
+    is($res->output, "SNMP OK - test 69994 | iso.3.6.1.4.1.8072.3.2.67.10=69994c ", "Check label");
 
-$res = NPTest->testCmd( "./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.10 -l test -O" );
-is($res->return_code, 0, "OK as no thresholds" );
-is($res->output, "SNMP OK - test 69994 | iso.3.6.1.4.1.8072.3.2.67.10=69994c ", "Check label");
+    $res = NPTest->testCmd( "./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.10" );
+    is($res->return_code, 0, "OK as no thresholds" );
+    is($res->output, "SNMP OK - 70660 | iso.3.6.1.4.1.8072.3.2.67.10=70660c ", "Check label");
 
-$res = NPTest->testCmd( "./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.10" );
-is($res->return_code, 0, "OK as no thresholds" );
-is($res->output, "SNMP OK - 70660 | iso.3.6.1.4.1.8072.3.2.67.10=70660c ", "Check label");
+    $res = NPTest->testCmd( "./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.10 -l 'test test'" );
+    is($res->return_code, 0, "OK as no thresholds" );
+    is($res->output, "SNMP OK - test test 71326 | 'test test'=71326c ", "Check label");
 
-$res = NPTest->testCmd( "./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.10 -l 'test test'" );
-is($res->return_code, 0, "OK as no thresholds" );
-is($res->output, "SNMP OK - test test 71326 | 'test test'=71326c ", "Check label");
 
+    $res = NPTest->testCmd("LC_TIME=C TZ=UTC faketime -f '".strftime("%Y-%m-%d %H:%M:%S", localtime($ts))."' ./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.10 --rate -l inoctets_per_minute --rate-multiplier=60" );
+    is($res->return_code, 0, "OK for first call" );
+    is($res->output, "No previous data to calculate rate - assume okay" );
 
-$res = NPTest->testCmd( "./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.10 --rate -l inoctets_per_minute --rate-multiplier=60" );
-is($res->return_code, 0, "OK for first call" );
-is($res->output, "No previous data to calculate rate - assume okay" );
-
-# Need to sleep, otherwise duration=0
-sleep 1;
+    # test 1 second later
+    $res = NPTest->testCmd("LC_TIME=C TZ=UTC faketime -f '".strftime("%Y-%m-%d %H:%M:%S", localtime($ts+1))."' ./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.10 --rate -l inoctets_per_minute --rate-multiplier=60" );
+    is($res->return_code, 0, "OK as no thresholds" );
+    is($res->output, "SNMP RATE OK - inoctets_per_minute 39960 | inoctets_per_minute=39960 ", "Checking multiplier");
+};
 
-$res = NPTest->testCmd( "./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.10 --rate -l inoctets_per_minute --rate-multiplier=60" );
-is($res->return_code, 0, "OK as no thresholds" );
-is($res->output, "SNMP RATE OK - inoctets_per_minute 39960 | inoctets_per_minute=39960 ", "Checking multiplier");
 
 
 $res = NPTest->testCmd( "./check_snmp -H 127.0.0.1 -C public -p $port_snmp -o .1.3.6.1.4.1.8072.3.2.67.11 -s '\"stringtests\"'" );
diff --git a/plugins/utils.c b/plugins/utils.c
index 231af92..348ec02 100644
--- a/plugins/utils.c
+++ b/plugins/utils.c
@@ -36,9 +36,6 @@ extern const char *progname;
 #define STRLEN 64
 #define TXTBLK 128
 
-unsigned int timeout_state = STATE_CRITICAL;
-unsigned int timeout_interval = DEFAULT_SOCKET_TIMEOUT;
-
 time_t start_time, end_time;
 
 /* **************************************************************************
@@ -148,33 +145,6 @@ print_revision (const char *command_name, const char *revision)
                  command_name, revision, PACKAGE, VERSION);
 }
 
-const char *
-state_text (int result)
-{
-        switch (result) {
-        case STATE_OK:
-                return "OK";
-        case STATE_WARNING:
-                return "WARNING";
-        case STATE_CRITICAL:
-                return "CRITICAL";
-        case STATE_DEPENDENT:
-                return "DEPENDENT";
-        default:
-                return "UNKNOWN";
-        }
-}
-
-void
-timeout_alarm_handler (int signo)
-{
-        if (signo == SIGALRM) {
-                printf (_("%s - Plugin timed out after %d seconds\n"),
-                                                state_text(timeout_state), timeout_interval);
-                exit (timeout_state);
-        }
-}
-
 int
 is_numeric (char *number)
 {
@@ -709,3 +679,18 @@ char *sperfdata_int (const char *label,
         return data;
 }
 
+int
+open_max (void)
+{
+        errno = 0;
+        if (maxfd > 0)
+                return(maxfd);
+
+        if ((maxfd = sysconf (_SC_OPEN_MAX)) < 0) {
+                if (errno == 0)
+                        maxfd = DEFAULT_MAXFD;   /* it's indeterminate */
+        else
+                die (STATE_UNKNOWN, _("sysconf error for _SC_OPEN_MAX\n"));
+        }
+        return(maxfd);
+}
diff --git a/plugins/utils.h b/plugins/utils.h
index a436e1c..33a2054 100644
--- a/plugins/utils.h
+++ b/plugins/utils.h
@@ -29,13 +29,6 @@ suite of plugins. */
 void support (void);
 void print_revision (const char *, const char *);
 
-/* Handle timeouts */
-
-extern unsigned int timeout_state;
-extern unsigned int timeout_interval;
-
-RETSIGTYPE timeout_alarm_handler (int);
-
 extern time_t start_time, end_time;
 
 /* Test input types */
@@ -89,8 +82,6 @@ void usage4(const char *) __attribute__((noreturn));
 void usage5(void) __attribute__((noreturn));
 void usage_va(const char *fmt, ...) __attribute__((noreturn));
 
-const char *state_text (int);
-
 #define max(a,b) (((a)>(b))?(a):(b))
 #define min(a,b) (((a)<(b))?(a):(b))
 
@@ -106,6 +97,8 @@ char *sperfdata (const char *, double, const char *, char *, char *,
 char *sperfdata_int (const char *, int, const char *, char *, char *,
                      int, int, int, int);
 
+int open_max (void);
+
 /* The idea here is that, although not every plugin will use all of these, 
    most will or should.  Therefore, for consistency, these very common 
    options should have only these meanings throughout the overall suite */