SSL Security Test

What does this SSL security test check?

This tool performs a deep analysis of your server's SSL/TLS configuration, similar to Qualys SSL Labs. It tests which TLS protocol versions are supported (TLS 1.0 through 1.3), enumerates all accepted cipher suites, validates the certificate chain, checks HSTS headers, and computes a security grade from A+ (best) to F (worst).

What we check

Every scan touches the same eight areas, in roughly the order an attacker would probe them.

• Protocol support. SSL 2.0 and SSL 3.0 are tested and flagged as failed if accepted. TLS 1.0 and TLS 1.1 are deprecated and downgrade the grade. TLS 1.2 with modern ciphers is the floor for a clean report. TLS 1.3 is preferred.
• Cipher suites. AEAD ciphers (AES-GCM, ChaCha20-Poly1305) are preferred. CBC-mode ciphers are flagged. RC4, NULL, EXPORT, and anonymous ciphers are failed outright.
• Key exchange. ECDHE is preferred for forward secrecy. Plain RSA key transport is flagged because past traffic becomes decryptable if the private key is later compromised. Anonymous Diffie-Hellman fails the scan.
• Forward secrecy. We list which suites support FS and whether forward secrecy holds across all suites the server will negotiate, not just the preferred one.
• Certificate chain. Trust anchor verification, expiry window, hostname match against subject CN and SAN list, completeness of intermediates, and signature algorithm strength.
• Vulnerability tests. BEAST, POODLE, FREAK, LOGJAM, CRIME, and BREACH. Each is checked against the negotiated parameters, not just the protocol version.
• HTTP security headers. HSTS (and whether preload and includeSubDomains are set), Content Security Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy.
• DNS surface. CAA records and DNSSEC status, because a perfect TLS config is undermined if anyone can issue a cert for the domain.

Grading methodology

We follow the SSL Labs scoring model so results are directly comparable. The overall score is a weighted average: Protocol Support 30%, Key Exchange 30%, Cipher Strength 40%. The score is then translated into a letter grade with several caps that override the raw number.

• TLS 1.0 supported: grade capped at B.
• SSL 3.0 or older supported: grade capped at C.
• Expired or untrusted certificate: grade is F regardless of other scores.
• Any weak cipher accepted (RC4, 3DES, export-grade): grade capped at C.
• A+ requires HSTS with preload, or a strong CSP. Without one of those, the highest achievable grade is A.

The grade is the headline number, but the per-category subscores are usually more actionable. A site at an A grade with a 70% protocol score and a 95% cipher score is one TLS 1.3 rollout away from A+.

When to use this

A few situations where a one-off scan earns its keep.

• Pre-deployment. Before you point a new domain at the public internet, run a scan against the staging hostname. It is much cheaper to fix a missing intermediate now than during the launch window.
• Auditor pre-meeting. If an external auditor is about to look at your TLS posture, look first. Save the report URL, fix what is fixable, and walk in knowing the worst they can find.
• Compliance evidence. SOC 2, ISO 27001, and PCI DSS 4.0 all require strong transport encryption with documented evidence. The shareable report URL is the evidence, dated and re-runnable on demand.
• Vendor due diligence. Scanning a SaaS provider's login domain before signing a contract is a five-second check that occasionally surfaces real problems.

For ongoing tracking rather than point-in-time checks, continuous TLS monitoring is part of the paid SecurityAlert plan. It re-scans on a schedule, alerts on grade drops, certificate changes, and upcoming expiry, and stores the history so you can show a trend line in board reports.

Frequently asked questions

Looking for continuous monitoring? Certificate Lifecycle Monitor on ServiceAlert tracks your certificates with automated alerts before expiry.