SSL/TLS Checker
Enter your domain to check which TLS protocol versions your server accepts (TLS 1.0–1.3), the negotiated cipher and whether it provides forward secrecy, certificate validity and HSTS — and get an A+ to F grade with a prioritised fix list.
Looking for DNS records, MX and blacklist checks?Domain & SSL Health Check →
Protocol versions
Cipher & key exchange
——Risk if not fixed If your server's private key is ever compromised, previously recorded encrypted traffic can be decrypted after the fact.
Certificate
HSTS
Prioritised fixes
Excellent — TLS is configured securely. Keep your certificate renewal automated and monitor for new TLS advisories.
Use — Guide
How to use this tool
- Enter your domain — for example, yourbusiness.com.au — and press "Check TLS".
- The check contacts your server to probe TLS protocol versions and negotiate a connection; this may take a few seconds.
- Read your TLS grade (A+ to F) and the description explaining what it means for your configuration.
- Review the Protocol versions table — TLS 1.3 and 1.2 should show Enabled — Secure; any older versions enabled are flagged Insecure.
- Check the Cipher and key exchange panel for forward secrecy, and the Certificate and HSTS sections for expiry and enforcement.
- Work through the prioritised fixes, or send your result to Peritus Digital for help hardening your TLS configuration.
FAQ — Questions
Frequently asked questions
01What is the difference between TLS 1.2 and TLS 1.3?
TLS 1.3 (2018) is significantly faster and more secure than TLS 1.2. It removes legacy cipher suites, reduces the handshake from two round trips to one, and mandates forward secrecy on every connection. Most modern browsers and servers support TLS 1.3 — there is almost no reason to keep TLS 1.2 as your only option, but it remains a safe fallback.
02Why are TLS 1.0 and TLS 1.1 flagged as insecure?
TLS 1.0 and 1.1 are vulnerable to known attacks including POODLE and BEAST, use deprecated cipher suites, and have been formally deprecated by the IETF (RFC 8996, March 2021). PCI DSS 3.2+ requires TLS 1.0 to be disabled. All major browsers removed support in 2020. If your server still accepts TLS 1.0 or 1.1, disable them in your web server configuration.
03What is forward secrecy and why does it matter?
Forward secrecy (or Perfect Forward Secrecy) means each TLS session uses a unique, ephemeral key. If an attacker records encrypted traffic today and later obtains your server's private key, they still cannot decrypt past sessions. Cipher suites using ECDHE or DHE key exchange provide forward secrecy. Without it, a future private-key compromise exposes all previously recorded sessions.
04How is this different from the Domain & SSL Health Check?
The Domain & SSL Health Check covers certificate basics (issuer, expiry, hostname match) alongside DNS records and mail blacklists — a broad domain health snapshot. This SSL/TLS Checker goes deeper on the TLS configuration itself: it enumerates which protocol versions your server accepts, reports the negotiated cipher and whether it provides forward secrecy, checks HSTS, and grades the overall TLS posture. Use both for a complete picture.
More — Keep exploring
Related free tools
Want hands-on help, not just a check? Explore ourCyber Security service.
Harden your TLS configuration
These gaps leave you exposed — let's close them.
Our Newcastle team reviews your web server's TLS settings, disables insecure protocols, configures modern cipher suites with forward secrecy, enables HSTS and sets up ongoing monitoring so your configuration doesn't drift. Send your result through and we'll come back with clear next steps.
Prefer to talk? Call 02 4081 9500.
