SSL Security Test

Free online tool to test SSL security

Scoring Methodology

  • At the start of the test the server score is 100.
  • Points are deducted when the server configuration does not meet the PCI DSS requirements, HIPAA guidance or NIST guidelines.
  • Points are deducted when the server configuration contains exploitable vulnerabilities or weaknesses that PCI DSS, HIPAA and NIST do not yet cover.
  • Points are added for every extra best practice that is not mentioned in the PCI DSS requirements, HIPAA guidance or NIST guidelines.
  • A server cannot get an "A+" if a single misconfiguration costs it more than 10 points.
  • A server gets an "N" if the tested port is closed.
  • A server gets an "F" if the HTTPS port (443/tcp) is closed but the HTTP port (80/tcp) is open.
Grade  Score
A+     greater than 100
A      90 to 99
A-     80 to 89
B+     70 to 79
B      60 to 69
B-     50 to 59
C+     35 to 49
C      20 to 34
F      lower than 20

Scoring

Score  Description
+10    Certificate is an Extended Validation (EV) certificate
+10    HTTP website redirects to HTTPS (Always-On SSL)
+10    Server prefers cipher suites providing strong Perfect Forward Secrecy (PFS)
+10    Server supports TLS_FALLBACK_SCSV (downgrade protection)
+10    Server implements HTTP Strict Transport Security (HSTS) with a long max-age
+10    Server supports TLSv1.3
-5     Server X.509 certificate is a version prior to v3
-5     Server certificate has been issued with a validity period longer than 3 years
-5     Server certificate has not been signed with the proper algorithm
-5     Server does not support OCSP stapling
-5     Server supports neither the P-256 nor the P-384 curve
-5     Server does not support some cipher suites required by NIST guidelines or HIPAA guidance
-5     TLS cipher suites that are not approved by NIST guidelines or HIPAA guidance are supported
-5     Server supports elliptic curves but not the EC Point Format extension
-10    Certificate chain is not provided
-10    Website includes insecure (HTTP) content
-10    Server accepts client-initiated secure renegotiation
-10    Server does not advertise support for secure renegotiation
-10    Server does not support TLSv1.3
-20    Certificate chain relies on an expired certificate, which can break the connection for some clients
-20    Certificate signature is not SHA-2
-20    Certificate does not provide revocation information
-20    SSL is supported, although TLSv1.1, TLSv1.2 or TLSv1.3 is preferred
-40    SSL/TLS cipher suites that are not approved by PCI DSS are supported
-40    Certificate key length or DH parameters are too small (under 2048 bits for RSA/DH, under 256 bits for EC)
-40    Server supports at least one elliptic curve whose size is below 224 bits
-40    SSL is supported while none of TLSv1.1, TLSv1.2 or TLSv1.3 is
-40    Server supports TLS compression, which may allow the CRIME attack
-50    SSL/TLS cipher suites that are not approved by PCI DSS are preferred
-60    Certificate is untrusted or invalid*
-60    Server is vulnerable to CVE-2014-0224 (OpenSSL CCS injection flaw)
-60    Server is vulnerable to CVE-2016-2107 (OpenSSL padding-oracle flaw)
-60    Server may be vulnerable to CVE-2021-3449 (OpenSSL maliciously crafted renegotiation vulnerability)
-60    Server is vulnerable to POODLE over TLS
-60    Server is vulnerable to GOLDENDOODLE
-60    Server is vulnerable to Zombie POODLE
-60    Server is vulnerable to Sleeping POODLE
-60    Server is vulnerable to 0-Length OpenSSL
-60    Server accepts client-initiated insecure renegotiation
-60    Server is vulnerable to ROBOT (Return Of Bleichenbacher's Oracle Threat)
-70    Server is vulnerable to Heartbleed
* including mismatch of the certificate’s CN and SAN unless the test is for an IP and IP’s PTR matches domain from CN and SAN
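The following grade calculator is an added example that encodes the scoring methodology and scoring table above; it is not the test tool's own code. The weights are transcribed from the table (a subset, under short finding names chosen here), and the port rules ("N" for a closed port, "F" for 443 closed with 80 open) and the A+ cap follow the methodology bullets. Two points the page leaves open are handled as assumptions: a score of exactly 100 falls in no bracket and is graded "A", and "a misconfiguration that costs more than 10 points" is read as any single finding whose deduction exceeds 10 points.

```python
"""Grade calculator for the SSL Security Test scoring methodology (added example)."""

# Weights transcribed from the page's scoring table; positive values are
# best-practice bonuses, negative values are deductions. Finding names are
# short keys chosen for this example, not identifiers used by the tool.
WEIGHTS = {
    "ev_certificate": +10,
    "http_redirects_to_https": +10,
    "prefers_strong_pfs": +10,
    "tls_fallback_scsv": +10,
    "hsts_long_duration": +10,
    "supports_tls13": +10,
    "x509_version_below_3": -5,
    "cert_validity_over_3_years": -5,
    "no_ocsp_stapling": -5,
    "no_p256_or_p384": -5,
    "chain_not_provided": -10,
    "mixed_content": -10,
    "no_tls13": -10,
    "cert_signature_not_sha2": -20,
    "cert_no_revocation_info": -20,
    "non_pci_cipher_suites_supported": -40,
    "small_key_or_dh": -40,
    "tls_compression": -40,
    "non_pci_cipher_suites_preferred": -50,
    "untrusted_certificate": -60,
    "cve_2014_0224": -60,
    "robot": -60,
    "heartbleed": -70,
}

# (minimum score, grade), highest first, from the page's grade table.
# A+ needs a score above 100; anything below 20 is F.
# Assumption: a score of exactly 100 is not covered by the page and lands in "A".
GRADE_BRACKETS = (
    (101, "A+"), (90, "A"), (80, "A-"),
    (70, "B+"), (60, "B"), (50, "B-"),
    (35, "C+"), (20, "C"),
)


def score(findings):
    """Return (total score, largest single deduction) for a list of finding names."""
    total = 100            # every server starts the test at 100
    worst = 0              # most negative single weight seen so far
    for name in findings:
        weight = WEIGHTS[name]   # unknown finding raises KeyError on purpose
        total += weight
        worst = min(worst, weight)
    return total, worst


def grade(findings, https_open=True, http_open=False):
    """Map a list of findings plus the port state to the letter grade."""
    if not https_open:
        # A closed tested port is "N", unless plain HTTP is served instead ("F").
        return "F" if http_open else "N"
    total, worst = score(findings)
    letter = "F"
    for minimum, candidate in GRADE_BRACKETS:
        if total >= minimum:
            letter = candidate
            break
    # A+ cap, read as: any single deduction of more than 10 points blocks A+.
    if letter == "A+" and worst < -10:
        letter = "A"
    return letter


if __name__ == "__main__":
    # Constructed sample scans, not real test results.
    samples = {
        "hardened":        ["supports_tls13", "hsts_long_duration", "tls_fallback_scsv"],
        "capped_a_plus":   ["supports_tls13", "hsts_long_duration", "cert_signature_not_sha2"],
        "legacy":          ["non_pci_cipher_suites_supported", "no_tls13", "no_ocsp_stapling"],
        "heartbleed_only": ["heartbleed"],
    }
    for label, findings in samples.items():
        print(f"{label:16} score={score(findings)[0]:4} grade={grade(findings)}")
    print(f"{'http_only':16} grade={grade([], https_open=False, http_open=True)}")
```

Because findings are just names mapped to weights, a scanner that detects the conditions in the table can feed its results straight into `grade()`; the cap and the port rules live in one place, so changing the reading of the A+ rule is a one-line edit.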