
Free Online TLS Configuration Grader

Instant security grade for your server's TLS setup: protocol versions, cipher suites, certificate validity, HSTS, and more.

✔ Free & instant    ✔ No installation needed    ✔ Secure server-side analysis.


What is a TLS Configuration Grader?

A TLS Configuration Grader is a comprehensive security tool designed to evaluate the strength and security of a web server's SSL/TLS configuration. By performing a series of server-side probes, the tool analyzes supported protocol versions, cipher suites, certificate validity, and essential security headers. The result is a simple, easy-to-understand grade (from A+ to F) that highlights vulnerabilities and provides actionable fix recommendations.

How the TLS Grader Works

Our tool performs a deep scan of your server's handshake process to identify its security posture:

  • Protocol Handshake: We attempt to connect using SSL 3.0, TLS 1.0, 1.1, 1.2, and 1.3 to see which versions your server accepts.
  • Cipher Suite Analysis: We check for support of modern encryption algorithms like AES-GCM and CHACHA20, while flagging weak or broken ciphers like RC4, DES, and 3DES.
  • Certificate Chain Verification: We ensure that your SSL certificate is not only valid and unexpired but also that the full intermediate chain is correctly installed.
  • DNS Security Audit: We check for modern DNS-level security features, specifically CAA (Certification Authority Authorization) records.
  • Header Inspection: We verify the presence of HSTS (Strict-Transport-Security) and proper HTTP-to-HTTPS redirects.

Understanding the Security Profiles

The grader aligns its findings with industry-standard benchmarks, including the Mozilla Security Profiles:

  • Modern: For clients that support TLS 1.3 and have no need for backward compatibility. This is the highest level of security.
  • Intermediate: The recommended configuration for most services. It provides high security while maintaining compatibility with almost all modern browsers.
  • Old/Legacy: Supports ancient browsers but exposes users to known vulnerabilities. Servers in this category should be upgraded immediately.
โš ๏ธ Compliance Note: To pass PCI DSS 4.0 or HIPAA audits, your server must disable TLS 1.0 and 1.1, use strong cipher suites with Forward Secrecy (PFS), and have a valid, trusted SSL certificate.

Frequently Asked Questions (FAQ)

Why did I get a 'C' or 'F' grade?

Low grades are typically caused by supporting deprecated protocols (TLS 1.0/1.1), having an expired certificate, or using weak ciphers. Follow the "tap for fix" recommendations in the results to improve your score.

What is a CAA record and why do I need it?

A CAA (Certification Authority Authorization) record is a DNS entry that specifies which Certificate Authorities (CAs) are allowed to issue certificates for your domain. It prevents unauthorized CAs from issuing certificates for your site, adding a critical layer of protection against spoofing.
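
The following is an added example, not this tool's own code, of how a CA decides whether a CAA record set permits issuance under RFC 8659: it climbs the DNS tree to the closest CAA record set, then applies the issue / issuewild rules. The zone data, domain names, CA identifiers and function names are constructed placeholders.

```python
# Added example: CAA evaluation (RFC 8659) over constructed records.
# ZONE maps a name to (flags, tag, value) tuples; all names are placeholders.
ZONE = {
    "example.com": [(0, "issue", "ca-one.example"), (0, "issuewild", ";")],
    "shop.example.com": [(0, "issue", "ca-two.example; validationmethods=dns-01")],
    "locked.example.net": [(0, "issue", ";")],
    "odd.example.org": [(128, "futuretag", "x")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # tags this example understands

def relevant_rrset(name, zone):
    """Climb from name toward the root; return the first non-empty CAA RRset."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":          # a wildcard uses the RRset of its parent name
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset          # closest RRset wins; parents are not merged
    return []

def issuer_domain(value):
    """Drop parameters after ';' so 'ca; k=v' becomes 'ca' and ';' becomes ''."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(ca, name, zone=ZONE):
    """Return (allowed, reason) for CA identifier `ca` issuing for `name`."""
    rrset = relevant_rrset(name, zone)
    if not rrset:
        return True, "no CAA records found: any CA may issue"
    for flags, tag, _ in rrset:
        # Bit 0x80 is the critical flag: an unknown critical tag blocks issuance.
        if flags & 0x80 and tag.lower() not in KNOWN_TAGS:
            return False, f"unknown critical property '{tag}'"
    tag = "issue"
    if name.startswith("*.") and any(t.lower() == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"         # issuewild overrides issue for wildcard names
    values = [issuer_domain(v) for _, t, v in rrset if t.lower() == tag]
    if not values:
        return True, f"RRset has no {tag} property: issuance not restricted"
    if ca.lower() in values:
        return True, f"{tag} authorizes {ca}"
    return False, f"{tag} does not list {ca}"
```

Because the closest record set wins, a subdomain with its own CAA records does not inherit the parent's authorized CAs.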

How do I fix "Incomplete Certificate Chain"?

This happens when your web server only provides the leaf certificate and skips the intermediate certificates. To fix this, you must use a "full chain" PEM file (often provided as fullchain.pem or bundle.crt) in your Nginx or Apache configuration.

Is this tool compatible with Cloudflare or other CDNs?

Yes. When a CDN is detected, the tool flags it. Note that the protocols and ciphers analyzed reflect the CDN's "Edge" configuration. You may need to update your TLS settings in your CDN dashboard (e.g., setting "Minimum TLS Version" to 1.2).

Does checking my domain affect its performance?

No. The scan involves a few standard handshakes that take less than 10 seconds. It is non-intrusive and does not perform any "attack" simulations.

🚀 Pro Tip: Use the "Share" button to send a permanent link of the report to your technical team or clients, or use the "PDF Report" button to save a copy for your security records.