AuditCore
Beyond cert expiry · 8 deeper checks

Free SSL / TLS security checker

Most SSL checkers tell you if your certificate is valid and when it expires. Ours goes deeper — protocol versions, cipher quality, Heartbleed, OCSP stapling, certificate transparency, HSTS preload status. The kind of issues that pass a casual check but fail real audits.

Free tool · No signup · No credit card · Results in 60 seconds

A valid cert is not a secure cert

Cert expiry monitoring is a solved problem — most providers email you 30 days before. The harder problems are the silent ones. A site can have a perfectly valid Let's Encrypt cert AND still accept TLS 1.0 connections, AND still negotiate RC4 ciphers with old clients, AND still leak its private key to clients that send a Heartbleed payload. We test for all of those.

12% of public-facing HTTPS endpoints in 2026 still accept TLS 1.0 or 1.1 — both deprecated and removed from major browsers.

60s to scan all protocol versions, cipher suites, and known TLS vulnerabilities. Live test, no caching.

A→F grade scale matching SSL Labs convention. Below B is a P1 ticket; below D is incident-response territory.

What our SSL/TLS checker tests

The tests below are a superset of what most free checkers run. We use the sslyze engine plus 5 custom probes.

Certificate validity & expiry

Trust chain to a known root CA, expiry within 90 days flagged as warning, expired or self-signed flagged as critical. We also detect cross-signed certificates that present older trust anchors.

critical

Deprecated protocol versions (TLS 1.0 / 1.1)

Both have been formally deprecated since 2020 and are blocked by all major browsers. Still accepting them lets attackers force-downgrade clients via MITM. We probe with explicit version handshakes.

high

Weak ciphers — RC4, 3DES, EXPORT, NULL

Even with TLS 1.2 enabled, accepting weak cipher suites lets attackers downgrade encryption. We enumerate all offered cipher suites and flag any in OWASP's deprecated list.

high

Heartbleed (CVE-2014-0160)

11 years old and still found in the wild on legacy systems. This is a live probe: it sends a heartbeat record and checks whether the server returns more memory than the heartbeat payload it was sent.

critical

POODLE, BEAST, CRIME, BREACH

Cipher-block-chaining and compression-related attacks. Most modern stacks are immune, but legacy load balancers and some F5 appliances are still vulnerable.

high

OCSP stapling

Without OCSP stapling, every browser visit triggers a separate OCSP query to the CA — leaking visit metadata and adding latency. We verify your server staples a recent OCSP response.

medium

Certificate Transparency (CT) logs

Modern browsers refuse certs that aren't logged in CT. We verify your cert appears in at least 2 CT logs with valid SCTs (Signed Certificate Timestamps).

medium

HSTS preload eligibility

If you advertise HSTS, are you also in the Chromium HSTS preload list? Sites not preloaded are vulnerable to first-visit downgrade attacks. We check the public preload list.

medium

Cipher suite ordering & forward secrecy

We verify the server prefers ECDHE/DHE suites (forward secrecy) and that AEAD ciphers (GCM, ChaCha20-Poly1305) are preferred over CBC.

low
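The weak-cipher and suite-ordering checks described above can be reproduced on any enumerated suite list. This added example (not AuditCore's code) classifies suite names in IANA or OpenSSL spelling and audits a list given in server preference order. The token table is an assumption covering the four weak families named on this page, and the sample list is constructed.

```python
import re

# Weak families named on the page, keyed by the name token that identifies them.
WEAK_TOKENS = {"RC4": "RC4", "3DES": "3DES", "CBC3": "3DES",
               "EXPORT": "EXPORT", "EXP": "EXPORT", "NULL": "NULL"}
FS_TOKENS = {"ECDHE", "DHE", "EDH"}              # ephemeral key exchange only
AEAD_TOKENS = {"GCM", "CCM", "CHACHA20", "POLY1305"}

def classify(suite):
    """Classify one cipher suite name (IANA or OpenSSL spelling)."""
    tokens = set(re.split(r"[_-]", suite.upper()))
    # TLS 1.3 names (TLS_AES_128_GCM_SHA256) carry no key exchange; a
    # certificate-based TLS 1.3 handshake always uses ephemeral (EC)DHE.
    tls13 = suite.upper().startswith("TLS_") and "WITH" not in tokens
    return {
        "suite": suite,
        "weak": sorted({WEAK_TOKENS[t] for t in tokens if t in WEAK_TOKENS}),
        "forward_secrecy": tls13 or bool(tokens & FS_TOKENS),
        "aead": bool(tokens & AEAD_TOKENS),
    }

def audit(preference_order):
    """Audit suites listed in the server's preference order, best first."""
    rows = [classify(s) for s in preference_order]
    findings = [f"weak suite offered: {r['suite']} ({', '.join(r['weak'])})"
                for r in rows if r["weak"]]
    findings += [f"no forward secrecy: {r['suite']}"
                 for r in rows if not r["forward_secrecy"] and not r["weak"]]
    # Ordering: every AEAD suite should rank above every non-AEAD suite.
    first_non_aead = None
    for r in rows:
        if not r["aead"]:
            first_non_aead = first_non_aead or r["suite"]
        elif first_non_aead:
            findings.append(f"{first_non_aead} is preferred over AEAD suite {r['suite']}")
    return findings

# Constructed sample: a TLS 1.2 suite list in server preference order.
SAMPLE = [
    "ECDHE-RSA-AES256-SHA384",          # CBC suite ranked first
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",                       # static RSA key exchange
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "EXP-RC4-MD5",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```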

ALPN advertisement

Modern HTTP/2 and HTTP/3 require correct ALPN advertising. Misconfigured ALPN forces clients back to HTTP/1.1, losing performance and some security properties.

low

Our methodology

We open a TCP connection to your server on port 443 and run the sslyze test suite — Mozilla's official open-source TLS probe. That gives us full enumeration of protocol versions and cipher suites without any assumption-based heuristics.

On top of sslyze, we run 5 custom probes: Heartbleed (live, with safe payload), CT log presence (via Google's CT search API), HSTS preload list lookup (against the latest Chromium snapshot), OCSP stapling timing (we measure the freshness of the stapled response), and certificate-chain consistency (some servers serve different chains to different clients).

Every probe is a real connection — we don't trust cached results. The total scan takes 30-60 seconds and tests roughly 200 cipher suite combinations. The full AuditCore audit pairs SSL/TLS results with header checks, sensitive-file detection and the rest of the 50+ scanner stack.

FAQ

Frequently asked questions

How is this different from SSL Labs?

SSL Labs is the gold standard for cipher and protocol grading — and we use compatible methodology. The difference: we plug SSL findings into a wider audit (headers, sensitive files, OWASP Top 10) and tie them to fix prompts. We also run faster (30-60s vs 2-3 min) because we don't run the full handshake-counting load test.

My cert is from Let's Encrypt — is that less secure?

No. Let's Encrypt issues the same X.509 RSA-2048 / ECDSA-256 certs as paid CAs, with the same trust roots in major browsers. Free vs paid affects only validation level (DV vs OV vs EV) and warranty, not encryption strength. We test the actual TLS configuration, not the brand of CA.

What does 'forward secrecy' actually protect me from?

Without forward secrecy, if your private key is later compromised (a single root-server breach years later), all past TLS sessions can be decrypted from captured traffic. With forward secrecy (ECDHE/DHE), each session uses a fresh ephemeral key — past traffic stays safe even if the long-term key leaks.

Should I disable TLS 1.2 in 2026?

Generally not yet — too many legacy clients still need it. Disable TLS 1.0 and 1.1 (yes), keep TLS 1.2 enabled with strong ciphers only, prefer TLS 1.3. Pure TLS 1.3-only is fine if you control your client base (e.g. internal API), risky for public sites.

Does this work for non-HTTPS ports? IMAP, SMTP, MySQL?

The free tool tests port 443 only. The full audit can target any port and supports STARTTLS for SMTP/IMAP/POP3.

How do I fix 'TLS 1.0 still accepted'?

Depends on your stack. nginx: `ssl_protocols TLSv1.2 TLSv1.3;`. Apache: `SSLProtocol -all +TLSv1.2 +TLSv1.3`. Cloudflare: dashboard → SSL/TLS → Edge Certificates → Minimum TLS Version. AWS ALB: change the listener security policy to ELBSecurityPolicy-TLS13-1-2-2021-06.
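To find where the old protocols are still enabled before applying those directives, the configuration files can be linted directly. This added example (not AuditCore's code) evaluates nginx `ssl_protocols` and Apache `SSLProtocol` lines, including Apache's `+`/`-` semantics, and reports deprecated versions left on. The expansion of Apache's `all` keyword is an assumption, and the sample config is constructed.

```python
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumption: Apache's "all" depends on the OpenSSL build; treated as every version.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
CANONICAL = {p.lower(): p for p in DEPRECATED | APACHE_ALL}

def nginx_protocols(args):
    """nginx: ssl_protocols lists exactly the enabled versions."""
    return {CANONICAL.get(a.lower(), a) for a in args}

def apache_protocols(args):
    """Apache: '+'/'-' adjust the running set, a bare name replaces it."""
    enabled = set()
    for arg in args:
        sign, name = (arg[0], arg[1:]) if arg[0] in "+-" else ("", arg)
        key = name.lower()
        group = APACHE_ALL if key == "all" else {CANONICAL.get(key, name)}
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:
            enabled = set(group)
    return enabled

def lint(config_text):
    """Return (line number, directive, deprecated versions still enabled)."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].strip().rstrip(";").split()
        key = parts[0].lower() if parts else ""
        if key == "ssl_protocols":
            enabled = nginx_protocols(parts[1:])
        elif key == "sslprotocol":
            enabled = apache_protocols(parts[1:])
        else:
            continue
        bad = sorted(enabled & DEPRECATED)
        if bad:
            findings.append((no, parts[0], bad))
    return findings

# Constructed sample: two nginx lines followed by two Apache lines.
SAMPLE = """\
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # legacy setting
ssl_protocols TLSv1.2 TLSv1.3;
SSLProtocol all -SSLv3
SSLProtocol -all +TLSv1.2 +TLSv1.3
"""
```

Calling `lint(SAMPLE)` flags lines 1 and 3, both with TLSv1 and TLSv1.1 still enabled.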

Can I run this on internal / staging servers?

Yes, as long as the server is reachable from the public internet. For private servers behind a VPN or firewall, the AuditCore self-hosted agent (Business tier) can run the same tests from inside your network.

Are my scan results stored?

We store the URL and a sanitized result summary so you can come back to the report. We don't store cipher details or certificate contents long-term. Stored data is deleted automatically after 30 days. Run the same URL signed in to keep history longer.

Run a complete audit, not just one check

The free tool above checks one dimension. Our full audit runs 50+ scanners across security, SEO and AI-readiness in one report. Free Trial gives you the full stack on your homepage — no credit card.