
Every HTTPS connection makes a promise: this conversation is private. SSL Labs tells you whether your server can keep that promise.

Qualys SSL Labs runs the industry-standard TLS configuration test. It examines your server's certificate, protocol support, cipher suites, and vulnerability exposure, then assigns a letter grade. That grade isn't a score—it's a verdict on whether your users' secrets are actually secret.

Running the Test

Visit https://www.ssllabs.com/ssltest/ and enter your hostname. The test takes a minute or two, probing your server's TLS configuration from multiple angles.

Results are publicly cached by default—anyone can see how your server is configured. Check "Do not show the results on the boards" for private testing, though hiding your configuration doesn't make it more secure.

What the Grades Mean

A+: Your server does everything right. Strong ciphers, modern protocols, perfect forward secrecy, complete certificate chain, and HSTS telling browsers to never connect over plain HTTP again. This is the target.

A: Strong configuration meeting current best practices. No critical vulnerabilities. Might lack HSTS or have minor issues that don't significantly impact security.

B: Notable weaknesses. Perhaps you still support TLS 1.0 or 1.1, or your cipher preference order puts weaker options first. Functional but not ideal.

C: Significant security concerns. Obsolete protocols, weak ciphers, or certificate problems. Users are at risk.

F: Critical failures. Expired certificates, support for known-vulnerable protocols like SSLv3, or configurations that actively endanger users. Fix immediately.

Certificate Analysis

SSL Labs examines your entire certificate chain:

  • Validity: Not expired, not future-dated
  • Trust: Issued by a recognized certificate authority
  • Chain completeness: All intermediate certificates present (missing intermediates cause trust failures in some browsers but not others—a frustrating debugging experience)
  • Name matching: Certificate covers the hostname you're testing
  • Signature strength: SHA-256 or better, not deprecated algorithms like SHA-1

The test also checks Certificate Transparency logs. This public logging system helps detect misissued certificates—if someone fraudulently obtains a certificate for your domain, CT logs make it visible.

Protocol Support

SSL and TLS have evolved through versions, each deprecating the last as vulnerabilities emerged:

  • SSLv2, SSLv3: Broken. Must not be supported. If your server accepts these, you fail.
  • TLS 1.0, 1.1: Deprecated. Should be disabled unless you have specific legacy requirements.
  • TLS 1.2: The current baseline. Widely supported, acceptably secure.
  • TLS 1.3: The modern standard. Faster handshakes, stronger security, no legacy baggage.

A secure configuration supports only TLS 1.2 and 1.3. Every older protocol you enable is an attack surface.

Cipher Suites

Cipher suites determine which encryption algorithms protect your connections. SSL Labs evaluates them on three dimensions:

Strength: AES-128 and AES-256 are strong. RC4 is broken. DES is too weak. Export-grade ciphers were intentionally weakened for 1990s regulations and should never appear on modern servers.

Forward Secrecy: Cipher suites using ECDHE or DHE key exchange provide perfect forward secrecy—even if someone steals your private key later, they can't decrypt traffic they recorded today. This matters. Prefer these.

Authentication: RSA and ECDSA authenticate your server. Anonymous cipher suites (ADH, AECDH) skip authentication entirely, enabling man-in-the-middle attacks. Never use them.

The test shows your cipher suites in server preference order. That order matters—your server should prefer strong modern ciphers, not offer them as fallbacks after weaker options.

Vulnerability Checks

SSL Labs tests for specific known attacks:

Heartbleed (2014): A catastrophic OpenSSL bug that leaked server memory, potentially including private keys. Servers must run patched versions. The fact that this still appears in some scans is remarkable.

POODLE: Exploits SSLv3. The fix is simple: don't support SSLv3.

BEAST: A TLS 1.0 attack, largely mitigated client-side now but still flagged for server configurations that make it easier.

Logjam: Exploits weak Diffie-Hellman parameters. Use 2048-bit or stronger.

FREAK: Exploits export-grade ciphers. Don't support export ciphers.

DROWN: Affects servers that support SSLv2, and also servers that don't but share a certificate or private key with one that does. SSLv2 must be disabled everywhere.

Any vulnerability flagged is a call to action. These aren't theoretical—they're attacks that have been used in the wild.

Handshake Simulation

The test simulates connections from dozens of clients—Chrome, Firefox, Safari, Internet Explorer, Android, iOS, curl, and more. This reveals:

  • Which clients can connect at all
  • Which protocol version each negotiates
  • Which cipher suite gets selected
  • Why certain clients fail

This is where theory meets reality. You might support TLS 1.3, but if your configuration makes clients fall back to 1.2, you'll see it here. You might need to support TLS 1.0 for that one legacy system your organization can't retire—the simulation shows exactly which clients require it.

HSTS: The Commitment

HTTP Strict Transport Security tells browsers: "Always use HTTPS with me. Never try HTTP. Not even once."

For an A+ grade, you need HSTS with:

  • max-age of at least six months (how long browsers remember the policy)
  • includeSubDomains recommended (applies to all subdomains)
  • preload optional (gets your domain hardcoded into browsers)

HSTS prevents downgrade attacks and protects users who accidentally type http:// or click old HTTP links. It's a promise that you're committed to encryption—and browsers hold you to it.
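The three requirements above can be checked mechanically before a deployment reaches the public test. The following is an added example, not code from this page or from Qualys: it parses a Strict-Transport-Security header value the way a browser would (directive names are case-insensitive, values may be quoted, a missing or non-numeric max-age voids the whole policy) and reports whether the header meets the A+ floor. The six-month figure is taken from the text; the sample header values are constructed.

```python
from typing import Dict, List, Optional

# Six months in seconds: the max-age floor the A+ grade expects.
SIX_MONTHS = 180 * 24 * 60 * 60   # 15552000


def parse_hsts(header: Optional[str]) -> Dict[str, Optional[str]]:
    """Split a Strict-Transport-Security value into {directive: value}.
    Directive names are case-insensitive and values may be quoted; a
    directive without '=' (includeSubDomains, preload) maps to None.
    Unknown directives are kept; the evaluator simply ignores them."""
    directives: Dict[str, Optional[str]] = {}
    if header is None:
        return directives
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, has_value, value = part.partition("=")
        name = name.strip().lower()
        if name not in directives:                       # first occurrence wins
            directives[name] = value.strip().strip('"') if has_value else None
    return directives


def evaluate_hsts(header: Optional[str]) -> Dict[str, object]:
    """Check a header against the A+ requirements listed above and return
    whether it qualifies plus the notes a reviewer would want."""
    d = parse_hsts(header)
    notes: List[str] = []
    eligible = False
    if not d:
        notes.append("no HSTS header: the grade is capped at A")
    else:
        raw = d.get("max-age")
        if raw is None or not raw.isdigit():
            notes.append("max-age missing or not a number: browsers ignore the whole policy")
        else:
            max_age = int(raw)
            if max_age == 0:
                notes.append("max-age=0 tells browsers to forget the policy")
            elif max_age < SIX_MONTHS:
                notes.append(f"max-age={max_age} is below the six-month floor ({SIX_MONTHS})")
            else:
                eligible = True
        if "includesubdomains" not in d:
            notes.append("includeSubDomains absent: subdomains stay reachable over HTTP")
        if "preload" not in d:
            notes.append("preload absent (optional): policy is only learned after a first HTTPS visit")
    return {"a_plus_eligible": eligible, "directives": d, "notes": notes}


if __name__ == "__main__":
    # Constructed sample headers: the rollout value from the text (short
    # max-age while testing) and the finished policy.
    for header in ("max-age=300", "max-age=31536000; includeSubDomains; preload", None):
        result = evaluate_hsts(header)
        print(header, "->", "A+ eligible" if result["a_plus_eligible"] else "not A+", result["notes"])
```

The rollout advice later on the page (start with a short max-age, then raise it) maps directly onto this check: a header with max-age=300 parses cleanly and protects returning visitors, but it will not be counted toward A+ until the value reaches the six-month floor.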

Acting on Results

Common fixes for lower grades:

Disable old protocols: Edit your nginx, Apache, or server configuration to remove SSLv2, SSLv3, TLS 1.0, and TLS 1.1. Test afterward to ensure nothing breaks.

Reorder cipher suites: Prefer ECDHE key exchange and AES-GCM encryption. Put forward-secrecy ciphers first. Remove RC4, DES, and export ciphers entirely.

Fix certificate chains: Ensure intermediate certificates are installed. Your CA provides these—they're not optional.

Add HSTS: One response header. Significant security improvement. Start with a short max-age while testing, then increase.

Update software: Old versions of OpenSSL, nginx, and Apache carry old vulnerabilities. Patch regularly.

After changes, clear SSL Labs' cache before retesting—otherwise you'll see stale results.
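The protocol and cipher-suite rules from the sections above, and the first two fixes in this list, can be expressed as a policy and audited locally before the scan runs. The following is an added example, not code from this page or from Qualys, and it assumes the server is a Python service built on the standard ssl module rather than nginx or Apache. It builds a hardened server context (TLS 1.2 and 1.3 only, ECDHE key exchange with AEAD ciphers, server-chosen suite order) beside a deliberately legacy one, then applies an audit that mirrors the page's criteria: minimum protocol, server preference order, weak or anonymous suites, and forward secrecy. The cipher string and the marker lists are assumptions about a reasonable policy, not the test's own rules.

```python
import ssl
from typing import List

# Hypothetical hardened policy: ECDHE key exchange (forward secrecy) with
# AEAD ciphers only; anonymous, NULL and MD5 suites are excluded explicitly.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5"

# Substrings that identify the suites the scan penalises: RC4, DES/3DES,
# export-grade (EXP), NULL encryption, anonymous DH/ECDH, MD5 MACs.
WEAK_MARKERS = ("RC4", "DES", "EXP", "NULL", "ADH", "AECDH", "MD5")

# Suites whose key exchange is ephemeral. TLS 1.3 suites (TLS_*) are
# always forward secret.
FS_PREFIXES = ("ECDHE-", "DHE-", "TLS_")


def build_hardened_context(certfile: str = None, keyfile: str = None) -> ssl.SSLContext:
    """Server context that satisfies the protocol and cipher rules above:
    TLS 1.2+ only, forward-secret AEAD suites, server-chosen suite order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # no SSLv3, TLS 1.0 or 1.1
    ctx.set_ciphers(HARDENED_CIPHERS)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE   # our order wins, not the client's
    if certfile:                                      # chain file: leaf plus intermediates
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def build_legacy_context() -> ssl.SSLContext:
    """The kind of configuration that earns a B or worse: TLS 1.0 still accepted,
    every suite OpenSSL knows enabled, client dictates the suite order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.set_ciphers("ALL:@SECLEVEL=0")                # static RSA, 3DES, anonymous suites
    ctx.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Apply the page's protocol and cipher-suite criteria to a context.
    Returns the list of findings; an empty list means nothing to fix."""
    findings: List[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol below TLS 1.2: SSLv3/TLS 1.0/TLS 1.1 may be negotiated")
    if not ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE:
        findings.append("server does not enforce its own cipher preference order")
    for suite in ctx.get_ciphers():                   # one dict per enabled suite
        name = suite["name"]
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append(f"weak or anonymous suite enabled: {name}")
        elif not name.startswith(FS_PREFIXES):
            findings.append(f"no forward secrecy: {name}")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", build_hardened_context()),
                       ("legacy", build_legacy_context())):
        findings = audit_context(ctx)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Running the audit against the legacy context shows why the B and C descriptions above list several causes at once: a single permissive cipher string turns on static-RSA suites (no forward secrecy), 3DES and anonymous suites together, and the protocol floor is a separate setting that the cipher string does not fix. The audit covers only what a context exposes locally; chain completeness, certificate validity and the named vulnerability checks still need the external scan.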

Limitations

SSL Labs tests TLS configuration thoroughly but tests nothing else. It won't find:

  • Application vulnerabilities
  • Weak passwords
  • Missing security headers beyond HSTS
  • Misconfigured firewalls
  • Insider threats

A+ means your encryption is configured correctly. It doesn't mean your application is secure. TLS protects data in transit—everything else requires different tools.

Ongoing Monitoring

SSL Labs provides point-in-time analysis. For production systems, consider:

  • Certificate expiration monitoring (expired certificates cause outages)
  • Configuration drift detection (changes that degrade security)
  • Automated periodic testing via the SSL Labs API

Some organizations integrate SSL Labs into CI/CD pipelines, failing deployments that would lower the grade.
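One way to build that gate, as an added example that is not code from this page or from Qualys: start an unpublished assessment through the documented v3 analyze endpoint, poll it to completion, and block the deployment if any endpoint behind the hostname grades below a threshold. The query parameters (publish=off, startNew=on, all=done) and the top-level status and endpoints fields are the API's own; the grade ladder, the gate policy and the sample report are assumptions, and the sample is constructed so the gate can be exercised without network access.

```python
import json
import time
import urllib.parse
import urllib.request
from typing import Dict, List

# Documented SSL Labs assessment API (v3). The gate policy and the shape
# of SAMPLE_REPORT below are assumptions about how a pipeline consumes it.
API_URL = "https://api.ssllabs.com/api/v3/analyze"

# Best to worst. "T" (trust problems) and "M" (name mismatch) are placed
# after "F" so that they never pass any threshold.
GRADE_ORDER = ["A+", "A", "A-", "B", "C", "D", "E", "F", "T", "M"]


def grade_rank(grade: str) -> int:
    """Lower is better; unknown grades rank worst of all."""
    return GRADE_ORDER.index(grade) if grade in GRADE_ORDER else len(GRADE_ORDER)


def gate(report: Dict, minimum: str = "A") -> List[str]:
    """Return the reasons a deployment should be blocked; empty means pass.
    Every endpoint (IP address) behind the hostname must meet the minimum,
    because a single weak endpoint is what users on that address get."""
    status = report.get("status")
    if status != "READY":
        return [f"assessment not usable: status={status}"]
    endpoints = report.get("endpoints") or []
    if not endpoints:
        return ["no endpoints were assessed"]
    problems: List[str] = []
    for ep in endpoints:
        ip = ep.get("ipAddress", "?")
        grade = ep.get("grade")
        if grade is None:
            problems.append(f"{ip}: no grade ({ep.get('statusMessage')})")
        elif grade_rank(grade) > grade_rank(minimum):
            problems.append(f"{ip}: grade {grade} is below the required {minimum}")
    return problems


def fetch_report(host: str, poll_seconds: int = 10, timeout: int = 900) -> Dict:
    """Start a fresh, unpublished assessment and poll until it finishes.
    startNew=on forces a new scan instead of a cached result (the API
    equivalent of clearing the cache before retesting) and must only be
    sent on the first call. Makes live network requests; not exercised here."""
    params = {"host": host, "publish": "off", "startNew": "on", "all": "done"}
    deadline = time.monotonic() + timeout
    while True:
        url = API_URL + "?" + urllib.parse.urlencode(params)
        with urllib.request.urlopen(url, timeout=30) as resp:
            report = json.load(resp)
        if report.get("status") in ("READY", "ERROR"):
            return report
        if time.monotonic() > deadline:
            raise TimeoutError(f"assessment of {host} did not finish in {timeout}s")
        params.pop("startNew", None)   # subsequent polls must not restart the scan
        time.sleep(poll_seconds)


# Constructed sample shaped like an analyze response (assumption): one
# hostname with two IP addresses, only one of which earned the target grade.
SAMPLE_REPORT = {
    "host": "example.com",
    "status": "READY",
    "endpoints": [
        {"ipAddress": "192.0.2.10", "grade": "A+", "statusMessage": "Ready"},
        {"ipAddress": "192.0.2.11", "grade": "B", "statusMessage": "Ready"},
    ],
}


if __name__ == "__main__":
    problems = gate(SAMPLE_REPORT, minimum="A")
    print("PASS" if not problems else "FAIL: " + "; ".join(problems))
```

In a pipeline, replace SAMPLE_REPORT with fetch_report(hostname) and fail the job when gate() returns anything. Checking every endpoint rather than the first one matters for hosts behind multiple addresses or a mix of old and new load balancers, which is exactly the configuration drift the monitoring list above is meant to catch.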
