How to Use the TLS Configuration Auditor
The TLS auditor connects to your server and tests which protocol versions and cipher suites it accepts, giving you a security grade and specific fix recommendations.
The TLS Configuration Auditor tests your server's SSL/TLS setup and grades it against current security standards. It detects deprecated protocols, weak cipher suites, and known vulnerabilities.
Accessing the Tool
Go to Tools → TLS Auditor.
Running an Audit
- Enter your domain name (e.g., example.com).
- Optionally specify a port (default is 443).
- Click Audit.
The auditor establishes connections using different protocol versions and cipher suites to test what your server accepts.
What Gets Tested
Protocol Versions
| Protocol | Status | Action |
|---|---|---|
| TLS 1.3 | Recommended | Enable if not already active |
| TLS 1.2 | Acceptable | Keep enabled for compatibility |
| TLS 1.1 | Deprecated | Disable immediately |
| TLS 1.0 | Critically deprecated | Disable immediately — PCI DSS violation |
| SSL 3.0 | Critically vulnerable | Disable — POODLE attack vector |
| SSL 2.0 | Critically vulnerable | Disable — DROWN attack vector |
Cipher Suites
The auditor tests which cipher suites your server accepts:
- Forward secrecy (ECDHE key exchange) — required for A rating
- AES-GCM — modern AEAD cipher, recommended
- ChaCha20-Poly1305 — good alternative to AES
- 3DES — deprecated, should be disabled
- RC4 — broken cipher, critical finding
- NULL ciphers — no encryption, critical finding
- Anonymous ciphers — no authentication, critical finding
Certificate
- Validity, expiry, chain validity
- Key size and signature algorithm
- CT log presence
Additional Checks
- HSTS header presence
- OCSP stapling support
- TLS renegotiation settings
Security Grades
| Grade | Meaning |
|---|---|
| A+ | TLS 1.3 only, HSTS preloaded, forward secrecy, strong ciphers |
| A | TLS 1.2+ with strong ciphers and HSTS |
| B | Minor issues (weak cipher available but not default) |
| C | Deprecated protocol enabled (TLS 1.0 or 1.1) |
| F | Critical vulnerability or SSL 3.0/TLS 1.0 in active use |
Common Fixes
Nginx — disable old protocols and weak ciphers:
```nginx
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
```
Cloudflare
In the SSL/TLS section of your Cloudflare dashboard, set Minimum TLS Version to TLS 1.2 or TLS 1.3 Only.