SSL/TLS Checker

Enter your domain to check which TLS protocol versions your server accepts (TLS 1.0–1.3), the negotiated cipher and whether it provides forward secrecy, certificate validity and HSTS — and get an A+ to F grade with a prioritised fix list.


Enter your domain — e.g. yourbusiness.com.au. No "https://", no "www", no path.


Use — Guide

How to use this tool

  1. Enter your domain — for example, yourbusiness.com.au — and press "Check TLS".
  2. The check contacts your server to probe TLS protocol versions and negotiate a connection; this may take a few seconds.
  3. Read your TLS grade (A+ to F) and the description explaining what it means for your configuration.
  4. Review the Protocol versions table — TLS 1.3 and 1.2 should show Enabled — Secure; any older versions enabled are flagged Insecure.
  5. Check the Cipher and key exchange panel for forward secrecy, and the Certificate and HSTS sections for expiry and enforcement.
  6. Work through the prioritised fixes, or send your result to Peritus Digital for help hardening your TLS configuration.

FAQ — Questions

Frequently asked questions

01What is the difference between TLS 1.2 and TLS 1.3?

TLS 1.3 (2018) is significantly faster and more secure than TLS 1.2. It removes legacy cipher suites, reduces the handshake from two round trips to one, and mandates forward secrecy on every connection. Most modern browsers and servers support TLS 1.3 — there is almost no reason to keep TLS 1.2 as your only option, but it remains a safe fallback.

02Why are TLS 1.0 and TLS 1.1 flagged as insecure?

TLS 1.0 and 1.1 are vulnerable to known attacks including POODLE and BEAST, use deprecated cipher suites, and have been formally deprecated by the IETF (RFC 8996, March 2021). PCI DSS 3.2+ requires TLS 1.0 to be disabled. All major browsers removed support in 2020. If your server still accepts TLS 1.0 or 1.1, disable them in your web server configuration.

03What is forward secrecy and why does it matter?

Forward secrecy (or Perfect Forward Secrecy) means each TLS session uses a unique, ephemeral key. If an attacker records encrypted traffic today and later obtains your server's private key, they still cannot decrypt past sessions. Cipher suites using ECDHE or DHE key exchange provide forward secrecy. Without it, a future private-key compromise exposes all previously recorded sessions.

04How is this different from the Domain & SSL Health Check?

The Domain & SSL Health Check covers certificate basics (issuer, expiry, hostname match) alongside DNS records and mail blacklists — a broad domain health snapshot. This SSL/TLS Checker goes deeper on the TLS configuration itself: it enumerates which protocol versions your server accepts, reports the negotiated cipher and whether it provides forward secrecy, checks HSTS, and grades the overall TLS posture. Use both for a complete picture.