ssltls.check does not work as expected with newer OpenSSL versions as the option "-ssl3" does not exist anymore.
Example output of manually calling the built command line when checking for POODLE vulnerability:

root@www:/root# /usr/bin/openssl s_client -connect mail:465 -ssl3
s_client: Option unknown option -ssl3
s_client: Use -help for summary.

I'm running Debian 9 with openssl 1.1.0f-3+deb9u2

All results are empty, only the "simple" check works. Which renders this plugin useless in the official Alpine Linux based docker container.

I will try to fix this myself and maybe make a pull request if it doesn't break on other distros.

Shouldn't it be possible, to import both templates? I have a server with many SNI-Pages but also an other server with just one page. So it would be great to use both templates... If I import all templates, i receive an exception with the last one for the multiple-SNI-Pages: Template_App_HTTPS_Autodiscovery.xml

Zabbix-Server 3.4

Import Fails: Details
Created: Item "HTTPS service is running" on "Template App HTTPS Service Autodiscovery".
Updated: Discovery rule "HTTPS sites" on "Template App HTTPS Service Autodiscovery".
Created: Item prototype "HTTPS certificate end date {#SSLNAME}" on "Template App HTTPS Service Autodiscovery".
Created: Item prototype "HTTPS certificate time until expire {#SSLNAME}" on "Template App HTTPS Service Autodiscovery".
Created: Item prototype "HTTPS service running {#SSLNAME}" on "Template App HTTPS Service Autodiscovery".
Created: Item prototype "HTTPS sslv3 poodle vulnerable {#SSLNAME}" on "Template App HTTPS Service Autodiscovery".
Created: Item prototype "HTTPS certificate start date {#SSLNAME}" on "Template App HTTPS Service Autodiscovery".
Incorrect item value type "Numeric (float)" provided for trigger function "str(sha1)".

Any tipp? Thanks for the good work!

I see that the config file uses cat and a unix path to the json file. Does the Windows Zabbix Agent understand that, or do we need another config file for Windows web servers?

Would you accept a PR for adding a sslcrl.check that works against CRL's.

This is primarily useful for those who use a private CA, and sometimes forget to update the CRL when using an offline CA.

When trying to import Template_App_HTTPS_Autodiscovery.xml on Zabbix 3.4, the import failed, mentioning that the value type 'Numeric (float)' for the function 'str(sha1)' is incorrect.

After removing the offending part of the expression, getting the template imported, and changing the value type of the item prototype "HTTPS certificate digest mode {#SSLNAME}" from 'Numeric (float)' to 'Text', the expression could be restored to the original one without problem.

Hi,

when HOST is an IPv6 address openssl s_client -connect 2001::2:33:4:25 does not work and it returns "argument malformed or ambiguous".

I got it fixed with the following patch

ipv6.txt

I'm getting this error for the

/usr/lib/zabbix/externalscripts/ssltls.check: line 124: warning: setlocale: LC_ALL: cannot change locale (en_GB.UTF8): No such file or directory
Signature Algorithm: sha256WithRSAEncryption Signature Algorithm: sha256WithRSAEncryption

so I changed to en_US.UTF8, but that just gave me the same error (except en_US.UTF8).

I changed to this:

LOC="C.UTF-8"

And set my default local in my Zabbix Docker image by adding to .env_srv

LANG=C.UTF-8 
LANGUAGE=C:en 
LC_ALL=C.UTF-8

So it seems to be working now.

The values for the lifetime items are stored as unsigned numbers, causing data collection to fail once a certificate is expired because the negative numbers are not valid for the value type.

The trigger ... certificate on {HOSTNAME} expired is never triggered because the the condition ssltls.check[...,lifetime].last()}<0will never be satisfied.

This can be fixed by setting <value_type> to 0 (numeric float) for the lifetime items.