In light of COVID-19 precaution measures, we remind that all ImmuniWeb products can be easily configured and safely paid online without any human contact or paperwork.

Total Tests:

SSL Security Test

Free online security tool to test your security
  • Web Server SSL Test
  • Email Server SSL Test
  • SSL Certificate Test

Free online security tool to test your security

40,033,412 security tests performed

0 tests running
  tests today

Latest Tested SSL/TLS Servers

ImmuniWeb Discovery

For continuous monitoring purposes, we suggest you exploring our award-winning ImmuniWeb® Discovery offering tailored for continuous monitoring with flexible 24/7 notifications.

Commercial API

ImmuniWeb provides a commercial access to the SSL Security Test API with extended limits to the number daily tests. Please get in touch with us to get a personalized quote. Prices start at 500 USD per month.

Non-profit, research and academic institutions may request commercial API for free. Please send your API usage requirements to for additional information.

Free API

ImmuniWeb provides you with a free API to test your SSL/TLS servers. To assure high speed of service and availability for everyone, the free API allows 50 requests in total per 24 hours, from one IP address.

In order to prevent abuse, a protection mechanism has been set up to remove the ability to test IPs that are not related to the tested domain name. As a consequence if a domain name is resolved into several IPs, a second request will be mandatory, specifying one of the IPs replied by the server along with the token issued (examples are below). However, if the tested domain name can be resolved into only one IP address, it will be immediately tested.

In addition, there are different tiers of user, with each providing a different level of usage with the API.

License notice: The API is provided for free both for private and commercial purposes. When using the free API, a clearly-visible credit to ImmuniWeb® Community when displaying results is mandatory. Failure to properly do so may trigger a ban and legal consequences.

API Documentation and How-To

Full API Documentation

API Specifications

Field Name Value
Protocol HTTPS
Request Type POST
URL[ustamp].html - where "ustamp" is an arbitrary UNIX time-stamp (must be an integer). Such construction is done to prevent caching on client side.

POST Data Specification

Field Name Value
api_key secret token which you submit alongside with the request
domain:port must be a valid domain name, or IP address, followed by a port number. If port is not supplied, 443 is used by default.
show_test_results "false" means that test results will be hidden, "true" means that test results will be displayed in statistics.
choosen_ip IP address of tested server (if tested domain resolves to multiple addresses).
recheck "false" will use results from cache if the server has been tested within the past 24 hours, "true" will perform a new test without looking at the cache.
verbosity 1 means output will be detailed, 0 means output will be short.
token value of the token sent by the server if the tested domain is resolved into several IP addresses.

Example of Transaction Using CURL

# New test (not cached) $ curl -XPOST -d '' ''

{"debug":true,"job_id":"2a9e1f1bc92dc0c7a4bde930dff488771eea6d36988208d34163c5496227b8dc","status":"test_started","status_id":1,"message":"Test has started"}

# You need to keep calling this until test is finished $ curl -XPOST -d 'job_id=2a9e1f1bc92dc0c7a4bde930dff488771eea6d36988208d34163c5496227b8dc' ''

{"job_id":"2a9e1f1bc92dc0c7a4bde930dff488771eea6d36988208d34163c5496227b8dc","status":"in_progress","status_id":2,"eta":2,"message":"Your test is in progress"}

# New test (cached) $ curl -XPOST -d '' ''

{"test_id":"c84936eef26eeb8aaef5ffc43f38ddb91adfd90ac27fb416bd0b21fe2edb1004","status":"test_cached","status_id":3,"message":"Test is cached"}

$ curl -XPOST -d 'id=c84936eef26eeb8aaef5ffc43f38ddb91adfd90ac27fb416bd0b21fe2edb1004' ''

# Example with token $ curl -XPOST -d '' ''


$ curl -XPOST -d '' ''

# Example with error $ curl -XPOST -d 'domain=' ''

{"error":"The domain name cannot be resolved","error_id":7}

Example of Server Response


Scoring Methodology

- At the beginning of the test, server score is 100.
- Points are deducted when server configuration does not correspond to the PCI DSS requirements, HIPAA guidance or NIST guidelines.
- Points are deducted when server configuration contains exploitable vulnerabilities or weaknesses that are not yet covered by PCI DSS, HIPAA or NIST.
- Points are added for every extra best practice which is not mentioned in the PCI DSS requirements, HIPAA guidance or NIST guidelines.
- Server cannot get an "A+" if a misconfiguration makes it lose more than 10 points.
- Server gets an "N" if a tested port is closed.
- The server gets an "F" grade if HTTPS (443/tcp) port is closed but HTTP (80/tcp) port is open.
Grade Score
A+ Score greater than 99
A Score between 90 and 99
A- Score between 80 and 89
Grade Score
B+ Score between 70 and 79
B Score between 60 and 69
B- Score between 50 and 59
Grade Score
C+ Score between 35 and 49
C Score between 20 and 34
F Score lower than 20


Description Score
Certificate is an Extended Validation (EV) certificate +10 points
HTTP website redirects to HTTPS (Always-On SSL) +10 points
Server prefers cipher suites providing strong Perfect Forward Secrecy (PFS) +10 points
Server provides TLS_Fallback_SCSV extension +10 points
Server implements HTTP Strict Transport Security (HSTS) with long duration +10 points
Server supports TLSv1.3 +10 points
Server X509 certificate is prior to version 3 -5 points
Server certificate has been issued for more than 3 year period -5 points
Server certificate has not been signed with the proper algorithm -5 points
Server does not support OCSP stapling -5 points
Server does not support neither P-256 nor P-384 curves -5 points
Server does not support some cipher suites required by NIST guidelines or HIPAA guidance -5 points
TLS cipher suites that are not approved by NIST guidelines or HIPAA guidance are supported -5 points
Server supports Elliptic Curves but does not support EC Point Format extension -5 points
Certificate chain is not provided -10 points
Website includes insecure (HTTP) content -10 points
Server accepts client-initiated secure renegotiation -10 points
Server does not provide information about support for secure renegotiation -10 points
Server does not support TLSv1.3 -10 points
Certificate chain rely on expired certificate -20 points
Certificate signature is not SHA2 -20 points
Certificate does not provide revocation information -20 points
SSL is supported but TLSv1.1 or TLSv1.2 or TLSv1.3 are preferred -20 points
SSL/TLS cipher suites that are not approved by PCI DSS are supported -40 points
Certificate key length or DH parameter are too small (< 2048 bits or 256 bits for EC) -40 points
Server supports at least one elliptic curve whose size is below 224 bits -40 points
SSL is supported while TLSv1.1 or TLSv1.2 or TLSv1.3 are not -40 points
Server supports TLS compression which may allow CRIME attack -40 points
SSL/TLS cipher suites that are not approved by PCI DSS are preferred -50 points
Certificate is untrusted or invalid* -60 points
Server is vulnerable to CVE-2014-0224 (OpenSSL CCS flaw) -60 points
Server is vulnerable to CVE-2016-2107 (OpenSSL padding-oracle flaw) -60 points
Server is vulnerable to POODLE over TLS -60 points
Server is vulnerable to GOLDENDOODLE -60 points
Server is vulnerable to Zombie POODLE -60 points
Server is vulnerable to Sleeping POODLE -60 points
Server is vulnerable to 0-Length OpenSSL -60 points
Server accepts client-initiated insecure renegotiation -60 points
Server is vulnerable to ROBOT (Return Of Bleichenbacher's Oracle Threat) -60 points
Server is vulnerable to Heartbleed -70 points

* including mismatch of the certificate’s CN and SAN unless the test is for an IP and IP’s PTR matches domain from CN and SAN

About the Service

SSL Security Test is a free product available online, provided and operated by ImmuniWeb.

SSL Security Test performs the following tests:

IP Ranges

IP ranges of our outbound servers are:

Interactive SSL/TLS Security Live World Map
Date/Time ()
Compliant with
Server location
Click to view full test results
View in fullscreen
Current time:
Latest update:

Recent HTTPS:

Recent non-HTTPS:

Recent Web Servers Security Tests

Recent Email Servers Security Tests

Summary of SSL Security Test Security Score


Source IP/Port:

Your final score

Get instant notifications on SSL grade or compliance change with ImmuniWeb Discovery.

Discovered Email Servers and Subdomains Subdomains

Discover all your subdomains, APIs and public cloud storage with ImmuniWeb Discovery.

SSL Certificate Analysis SSL Certificate

Get a timely notice about all your expiring or untrusted certificates with ImmuniWeb Discovery.

Email Server Security Hardening Email Server Security

GDPR Compliance Analysis GDPR

SSL found.
SSL found.
Get continuous GDPR compliance monitoring for all your websites and cloud with ImmuniWeb Discovery.

PCI DSS Compliance Analysis PCI DSS

Reference: PCI DSS 3.2.1 - Requirements 2.3 and 4.1

Get continuous PCI DSS compliance monitoring for all your websites and cloud with ImmuniWeb Discovery.

NIST Compliance Analysis NIST

Reference: NIST Special Publication 800-52 Revision 2 - Section 3

Get continuous NIST compliance monitoring for all your websites and cloud with ImmuniWeb Discovery.

Industry Best Practices Analysis Best Practices

Get continuous security monitoring for all your websites, APIs and cloud with ImmuniWeb Discovery.

External Content Analysis External Content

SSL/TLS Security Publications

Frequently Asked Questions

  • Q
    What is SSL?

    Secure Sockets Layer (SSL) is a family of network protocols aimed to encrypt data transmission over other, higher level, protocols that transport web content, email or other types of information. Today SSL is considered obsolete and insecure, and is now replaced with a newer TLS (Transport Layer Security) family of protocols. Many people, however, still use the SSL acronym interchangeably with TLS. Billions of people unwittingly use SSL/TLS in a daily manner, for example, when they visit an HTTPS website, they are relying on TLS encryption when sending and receiving the data from the web server where the website is hosted.

  • Q
    How does SSL work?

    Secure Sockets Layer (SSL) is now replaced by a more secure TLS (Transport Layer Security) family of data encryption protocols. They serve to wrap digitally transmitted data (e.g. emails or HTTP requests sent to a website) sent over a network to prevent data interception and falsification. You may consider SSL encryption to be a sealed and unbreakable envelope to protect content of your letter sent by a public postal service.

  • Q
    What is SSL certificate?

    From a technical standpoint, SSL certificate is a file stored on the server. From a practical standpoint, SSL certificate is a key to encrypt and decrypt information sent or received by a web, email or other servers with SSL/TLS encryption enabled. Furthermore, some SSL certificates may also confirm identity of the website owner, ensuring its visitors that they deal with the genuine website they can trust.

  • Q
    How to check SSL certificate?

    You may inspect and check SSL certificate of a website just by clicking on the green (grey or blue) lock icon on the left side of your browser’s address bar. Your web browser will display all available information about the SSL certificate. You may also check validity and correct configuration of your SSL certificate by running a free SSL security test operated by ImmuniWeb Community Edition.

  • Q
    Why SSL certificate is required for website?

    SSL certificate is required to allow data encryption between your website and its visitors by using HTTPS encryption. Google, Mozilla and many other companies may warn about insecurity of a website without HTTPS encryption or even block access to such website.

    An EV (Extended Validation) SSL certificate also provides a certain degree of trust to your website visitors by ensuring that your organization is a valid and existing business. Recently, however, many organizations and web browsers announced a gradual discontinuity of EV SSL certificates support stating lack of efficiency and exorbitant prices for EV certificates among the main causes of their decision.

  • Q
    Can SSL be decrypted?

    Some of the inherent cryptographic vulnerabilities (e.g. BEAST or POODLE) or SSL/TLS implementational vulnerabilities (Heartbleed) of SSL/TLS allow decrypting SSL/TLS traffic under some circumstances, usually involving social engineering, vulnerable or misconfigured software on the client or server side. Some variations of MITM (Man-in-the-Middle) attacks also permit intercepting and forging encrypted content under similar set of circumstances.

  • Q
    What is the SSL test and how do I perform it?

    SSL test aims to illuminate the wide spectrum of configurational, implementational and cryptographical problems inherent to SSL/TLS protocols and underlying software. ImmuniWeb Community Edition provides a free SSL test to detect all known security and cryptographic issues in your SSL/TLS-enabled services (e.g. HTTPS or SMTPS servers) and also test whether PCI DSS, NIST and HIPAA requirements related to SSL are properly implemented.

  • Q
    What is SSL/TLS security testing used for?

    SSSL/TLS security testing may be used to ensure that regulatory requirements and compliance, including different requirements of PCI DSS, GDPR or NIST, are properly implemented. Furthermore, SSL/TLS security testing ensures that your clients and other websites visitors (in the case of HTTPS encryption) are well protected from MITM attacks and other vectors of data interception. Finally, proper SSL/TLS configuration ensures that modern web and mobile browsers won’t block access to your website considering its insecure. You can test your SSL/TLS security by a free online test provided as a part of ImmuniWeb Community Edition.

Try Other ImmuniWeb® Free Products

AI Products Ask a Question