SSL Advanced
TLS settings & cipher suites
🌐 172.69.130.187
🔥 5 left
SSL/TLS Deep Analysis with SSLyze
Testing Tool: SSLyze v5.x - Open-source SSL/TLS scanner recommended by Mozilla, Qualys, IETF and others
Purpose: Comprehensively diagnose website SSL/TLS configuration to identify security vulnerabilities and provide improvement recommendations
Test Coverage:
• TLS Protocol Versions - SSL 2.0/3.0, TLS 1.0/1.1/1.2/1.3 support detection
• Cipher Suites - Strength assessment, PFS (Perfect Forward Secrecy) support, weak cipher detection
• Certificate Chain - Validity, expiration, signature algorithms, key size, chain completeness
• OCSP Stapling - Real-time certificate revocation status verification mechanism
• HTTP Security Headers - HSTS (HTTP Strict Transport Security) configuration
• Elliptic Curve Cryptography - Supported curve list and strength evaluation
Web-PSQC scans the target server's SSL/TLS configuration using the SSLyze engine and calculates security grades based on collected data.
This process typically takes 30 seconds to 3 minutes.
Purpose: Comprehensively diagnose website SSL/TLS configuration to identify security vulnerabilities and provide improvement recommendations
Test Coverage:
• TLS Protocol Versions - SSL 2.0/3.0, TLS 1.0/1.1/1.2/1.3 support detection
• Cipher Suites - Strength assessment, PFS (Perfect Forward Secrecy) support, weak cipher detection
• Certificate Chain - Validity, expiration, signature algorithms, key size, chain completeness
• OCSP Stapling - Real-time certificate revocation status verification mechanism
• HTTP Security Headers - HSTS (HTTP Strict Transport Security) configuration
• Elliptic Curve Cryptography - Supported curve list and strength evaluation
Web-PSQC scans the target server's SSL/TLS configuration using the SSLyze engine and calculates security grades based on collected data.
This process typically takes 30 seconds to 3 minutes.
| Grade | Score | Criteria |
|---|---|---|
| A+ | 90~100 | TLS 1.3/1.2 only, no weak ciphers (all PFS) Certificate ECDSA or RSA≥3072, complete chain, expires in 60+ days OCSP Stapling working (ideally with Must-Staple) HSTS enabled, max-age ≥ 1 year, includeSubDomains, preload |
| A | 80~89 | TLS 1.3/1.2, strong ciphers prioritized (mostly PFS) Certificate RSA≥2048, SHA-256+, valid chain, expires in 30+ days OCSP Stapling enabled (occasional failures allowed) HSTS enabled, max-age ≥ 6 months |
| B | 65~79 | TLS 1.2 required, 1.3 optional/unsupported, some CBC present Certificate RSA≥2048, valid chain (expires in 14+ days) OCSP Stapling disabled (but OCSP responses available) HSTS configured but partially inadequate |
| C | 50~64 | TLS 1.0/1.1 enabled or many weak ciphers (low PFS) Missing chain/weak signatures (SHA-1) or expires soon (≤14 days) No Stapling, unclear revocation checking HSTS not configured |
| D | 35~49 | Legacy protocols/ciphers (SSLv3/EXPORT/RC4 etc.) allowed Certificate mismatch/chain errors frequent Stapling fails, revocation checking impossible Security headers generally inadequate |
| F | 0~34 | Handshake failure level defects Expired/self-signed/hostname mismatch Widespread weak protocols and ciphers allowed Overall TLS configuration failure |
No results yet
Run a test to view the SSL/TLS security analysis.
No data yet
Run a test to view the raw JSON data.
Sign in to view test history.
Sign in to manage domains.