SSL Security Test
- Web Server SSL Test
- Email Server SSL Test
- SSL Certificate Test
- PCI DSS, HIPAA & NIST Test
Free online security tool to test your security
40,033,412 security tests performed
Latest Tested SSL/TLS Servers
Free API
ImmuniWeb provides you with a free API to test your SSL/TLS servers. To assure high speed of service and availability for everyone, the free API allows 50 requests in total per 24 hours, from one IP address.
In order to prevent abuse, a protection mechanism has been set up to remove the ability to test IPs that are not related to the tested domain name. As a consequence if a domain name is resolved into several IPs, a second request will be mandatory, specifying one of the IPs replied by the server along with the token issued (examples are below). However, if the tested domain name can be resolved into only one IP address, it will be immediately tested.
In addition, there are different tiers of user, with each providing a different level of usage with the API.
License notice: The API is provided for free both for private and commercial purposes. If you use the API for publicly available service (commercial or not) a link to ImmuniWeb's Free SSL Server Test is mandatory.
Commercial API
ImmuniWeb provides a commercial access to the SSL Security Test API without restrictions. Tailored for your needs, restrictions of the free API can be partially or entirely removed. Prices start at 200 USD per month.
Non-profit, research and academic institutions may request commercial API for free. Please send your API usage requirements to for additional information.
API Documentation and How-To
API Specifications
| Field Name | Value |
|---|---|
| Protocol | HTTPS |
| Request Type | POST |
| URL | https://www.immuniweb.com/ssl/api/v1/check/[ustamp].html - where "ustamp" is an arbitrary UNIX time-stamp (must be an integer). Such construction is done to prevent caching on client side. |
POST Data Specification
| Field Name | Value |
|---|---|
| api_key | secret token which you submit alongside with the request |
| domain:port | must be a valid domain name, or IP address, followed by a port number. If port is not supplied, 443 is used by default. |
| show_test_results | "false" means that test results will be hidden, "true" means that test results will be displayed in statistics. |
| choosen_ip | IP address of tested server (if tested domain resolves to multiple addresses). |
| recheck | "false" will use results from cache if the server has been tested within the past 24 hours, "true" will perform a new test without looking at the cache. |
| verbosity | 1 means output will be detailed, 0 means output will be short. |
| token | value of the token sent by the server if the tested domain is resolved into several IP addresses. |
Example of Transaction Using CURL
{"debug":true,"job_id":"2a9e1f1bc92dc0c7a4bde930dff488771eea6d36988208d34163c5496227b8dc","status":"test_started","status_id":1,"message":"Test has started"}
# You need to keep calling this until test is finished $ curl -XPOST -d 'job_id=2a9e1f1bc92dc0c7a4bde930dff488771eea6d36988208d34163c5496227b8dc' 'https://www.immuniweb.com/ssl/api/v1/get_result/1451425590.html'
{"job_id":"2a9e1f1bc92dc0c7a4bde930dff488771eea6d36988208d34163c5496227b8dc","status":"in_progress","status_id":2,"eta":2,"message":"Your test is in progress"}
{"test_id":"c84936eef26eeb8aaef5ffc43f38ddb91adfd90ac27fb416bd0b21fe2edb1004","status":"test_cached","status_id":3,"message":"Test is cached"}
$ curl -XPOST -d 'id=c84936eef26eeb8aaef5ffc43f38ddb91adfd90ac27fb416bd0b21fe2edb1004' 'https://www.immuniweb.com/ssl/api/v1/get_result/1451425590.html'
{"multiple_ips":["199.16.156.6","199.16.156.102","199.16.156.70","199.16.156.230"],"token":"68j3OCZLEomtjASxKoObjZXzX7p2M7L0"}
$ curl -XPOST -d 'domain=twitter.com:443&show_test_results=true&recheck=false&choosen_ip=199.16.156.230&verbosity=1&token=68j3OCZLEomtjASxKoObjZXzX7p2M7L0' 'https://www.immuniweb.com/ssl/api/v1/check/1451425590.html'
{"error":"The domain name cannot be resolved","error_id":7}
Example of Server Response
Scoring Methodology
| - At the beginning of the test, server score is 100. |
| - Points are deducted when server configuration does not correspond to the PCI DSS requirements, HIPAA guidance or NIST guidelines. |
| - Points are deducted when server configuration contains exploitable vulnerabilities or weaknesses that are not yet covered by PCI DSS, HIPAA or NIST. |
| - Points are added for every extra best practice which is not mentioned in the PCI DSS requirements, HIPAA guidance or NIST guidelines. |
| - Server cannot get an A+ if a misconfiguration makes it lose more than 10 points. |
| - Server gets an N if a tested port is closed. |
| Grade | Score |
|---|---|
| A+ | Score greater than 99 |
| A | Score between 90 and 99 |
| A- | Score between 80 and 89 |
| Grade | Score |
|---|---|
| B+ | Score between 70 and 79 |
| B | Score between 60 and 69 |
| B- | Score between 50 and 59 |
| Grade | Score |
|---|---|
| C+ | Score between 35 and 49 |
| C | Score between 20 and 34 |
| F | Score lower than 20 |
Scoring
| Description | Score |
|---|---|
| Certificate is an Extended Validation (EV) certificate | +10 points |
| HTTP website redirects to HTTPS (Always-On SSL) | +10 points |
| Server prefers cipher suites providing strong Perfect Forward Secrecy (PFS) | +10 points |
| Server provides TLS_Fallback_SCSV extension | +10 points |
| Server implements HTTP Strict Transport Security (HSTS) with long duration | +10 points |
| Server supports TLSv1.3 | +10 points |
| Server X509 certificate is prior to version 3 | -5 points |
| Server certificate has been issued for more than 3 year period | -5 points |
| Server certificate has not been signed with the proper algorithm | -5 points |
| Server does not support OCSP stapling | -5 points |
| Server does not support neither P-256 nor P-384 curves | -5 points |
| Server does not support some cipher suites required by NIST guidelines or HIPAA guidance | -5 points |
| TLS cipher suites that are not approved by NIST guidelines or HIPAA guidance are supported | -5 points |
| Server supports Elliptic Curves but does not support EC Point Format extension | -5 points |
| Certificate chain is not provided | -10 points |
| Website includes insecure (HTTP) content | -10 points |
| Server accepts client-initiated secure renegotiation | -10 points |
| Server does not provide information about support for secure renegotiation | -10 points |
| Server does not support TLSv1.3 | -10 points |
| Certificate is untrusted or invalid | -20 points |
| Certificate signature is not SHA2 | -20 points |
| Certificate does not provide revocation information | -20 points |
| SSL is supported but TLSv1.1 or TLSv1.2 or TLSv1.3 are preferred | -20 points |
| SSL/TLS cipher suites that are not approved by PCI DSS are supported | -40 points |
| Certificate key length or DH parameter are too small (< 2048 bits or 256 bits for EC) | -40 points |
| Server supports at least one elliptic curve whose size is below 224 bits | -40 points |
| SSL is supported while TLSv1.1 or TLSv1.2 or TLSv1.3 are not | -40 points |
| Server supports TLS compression which may allow CRIME attack | -40 points |
| SSL/TLS cipher suites that are not approved by PCI DSS are preferred | -50 points |
| Server is vulnerable to CVE-2014-0224 (OpenSSL CCS flaw) | -60 points |
| Server is vulnerable to CVE-2016-2107 (OpenSSL padding-oracle flaw) | -60 points |
| Server is vulnerable to POODLE over TLS | -60 points |
| Server is vulnerable to GOLDENDOODLE | -60 points |
| Server is vulnerable to Zombie POODLE | -60 points |
| Server is vulnerable to Sleeping POODLE | -60 points |
| Server is vulnerable to 0-Length OpenSSL | -60 points |
| Server accepts client-initiated insecure renegotiation | -60 points |
| Server is vulnerable to ROBOT (Return Of Bleichenbacher's Oracle Threat) | -60 points |
| Server is vulnerable to Heartbleed | -70 points |
About the Service
SSL Security Test is a free product available online, provided and operated by ImmuniWeb.
SSL Security Test performs the following tests:
- Test for compliance with PCI DSS Requirements;
Test for compliance with HIPAA Guidance;
Test for compliance with NIST Guidelines;
Test for the most recent SSL/TLS vulnerabilities and weaknesses;
Test for insecure third-party content (HTTP).
Test for email server's SPF, DKIM and DMARC implementation.
Test for SSL certificates expiration for enumerated subdomains.
How-To
| - Blog post for strong TLS configuration on Nginx - Nginx |
| - Blog post for strong TLS configuration on Apache2 - Apache2 |
| - Blog post for strong TLS configuration on Lighttpd - Lighttpd |
| - Blog post for good cipher suites configuration on IIS - IIS |
IP Ranges
IP ranges of our outbound servers are:
- 192.175.111.224/27
- 64.15.129.96/27
- 70.38.27.240/28
- 72.55.136.144/28
- 72.55.136.192/28
- 79.141.85.24/29
Recent HTTPS:
Recent non-HTTPS:
Recent Web Servers Security Tests
Recent Email Servers Security Tests
Trends and Statistics
Global SSL/TLS Grade Distribution
-
- A
- B
- C
- F
Web Servers
-
- A
- B
- C
- F
Email Servers
-
- A
- B
- C
- F
Other Servers
SSL/TLS Configurations Compliant with PCI DSS Requirements
-
Web Servers
-
Email Servers
-
Other Servers
Security Hardening of SSL/TLS Email Servers
-
SPF
-
DKIM
-
DMARC
Summary of SSL Security Test Test Summary
Compliance:
PCI DSS HIPAA NIST Your final score
Subdomain Discovery Subdomain Discovery
SSL Certificate Analysis SSL Certificate Analysis
GDPR Security Analysis GDPR Security Analysis
Test for Compliance with PCI DSS Requirements PCI DSS Requirements Compliance
Reference: PCI DSS 3.2.1 - Requirements 2.3 and 4.1
Test for Compliance with HIPAA Guidance HIPAA Guidance Compliance
Test for Compliance with NIST Guidelines NIST Guidelines Compliance
Reference: NIST Special Publication 800-52 Revision 1 - Section 3
