TLS Grader — Free SSL/TLS Test
The dnsverifier.com TLS Grader is a free, browser-based SSL/TLS test that grades any public HTTPS endpoint from A+ to F using the same methodology as Qualys SSL Labs. It probes every TLS protocol version, enumerates the 35 most common cipher suites, analyzes the full certificate chain (validity, SCTs, OCSP stapling, must-staple, pin SHA-256), audits HSTS and CAA, and runs raw-TCP active probes for Heartbleed, SSL 2.0/DROWN, and TLS-handshake intolerance.
Frequently asked questions
- How does the TLS Grader compute an A+ to F grade?
- It follows the Qualys SSL Labs 2009p Rating Guide. Each scan produces sub-grades for Protocol, Key Exchange, Cipher Strength, and Certificate; the overall grade is the lowest. Caps then apply (for example, accepting SSLv3 caps the grade at C). A+ requires HSTS ≥ 180 days plus a perfect base score.
- What is the difference between dnsverifier.com and SSL Labs?
- Both grade a host A+ to F using the same rubric. dnsverifier.com streams results live (you see findings in 2-3 seconds instead of waiting 90 seconds for a report), shows the negotiated key-exchange group per cipher (X25519, X25519MLKEM768, P-256), tags PQC hybrids, and runs in-browser without queueing. SSL Labs has a longer history and IP-block trust-score modelling we do not replicate.
- Does the TLS Grader actually test for Heartbleed?
- Yes — for Heartbleed, SSL 2.0, and TLS version/extension/SNI/long-handshake intolerance, the grader builds raw TCP records and observes the server's response. The other CVEs (BEAST, POODLE, ROBOT, FREAK, Logjam, DROWN, Sweet32, RC4 biases) are flagged when the server still negotiates the cipher or protocol that is the precondition for the attack.
- Is it safe to scan a production server?
- Yes. The grader only initiates regular TLS handshakes plus one extra TCP connection for each active probe (about 10 connections total). It never sends real exploit payloads. The Heartbleed probe sends a malformed Heartbeat request — modern OpenSSL discards it instantly with no impact.
- Why is my A+ grade now an A?
- Common reasons: HSTS max-age below 180 days, no preload directive, missing CAA record, an OCSP response that did not staple, or an intermediate cert that expires within 30 days. Open the 'Certificate' and 'Extras' panels in the report — every grade-affecting finding shows the precise field that caused it.
- Is the TLS Grader free? Do I need an account?
- Yes, completely free. No account, no sign-up, no API key. Tool inputs are not persisted server-side. The service is provided under the dnsverifier.com Acceptable Use Policy — only scan hosts you own or are authorized to test.
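The grading rules stated in the first answer (lowest sub-grade wins, SSLv3 caps at C, A+ needs HSTS of at least 180 days) can be checked locally against your own response headers. The following is an added example, not dnsverifier.com or SSL Labs code. It assumes plain A to F sub-grade letters, reads "perfect base score" as every sub-grade being A, and uses hypothetical function and key names; the sample headers are constructed.

```python
import re

DAY = 86400
ORDER = "ABCDEF"  # assumed letter scale, best to worst

def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797 directive syntax)."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if not name:
            continue                         # tolerate empty segments (";;")
        if name in seen:                     # a directive must not repeat
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        value = value.strip().strip('"')     # max-age may be a quoted string
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                raise ValueError("max-age must be a non-negative integer")
            out["max_age"] = int(value)
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    if out["max_age"] is None:
        raise ValueError("max-age is required")
    return out

def overall_grade(sub_grades, accepts_sslv3=False, hsts_header=None):
    """Apply only the rules the page states; other caps are not modelled."""
    grade = max(sub_grades.values(), key=ORDER.index)   # lowest sub-grade wins
    if accepts_sslv3 and ORDER.index(grade) < ORDER.index("C"):
        grade = "C"                                     # SSLv3 cap from the page
    if grade != "A" or hsts_header is None:
        return grade
    try:
        hsts = parse_hsts(hsts_header)
    except ValueError:
        return grade                                    # unusable HSTS: no A+
    return "A+" if hsts["max_age"] >= 180 * DAY else grade

if __name__ == "__main__":
    perfect = dict.fromkeys(["protocol", "key_exchange", "cipher", "certificate"], "A")
    for hdr in ("max-age=31536000; includeSubDomains; preload", "max-age=86400"):
        print(hdr, "->", overall_grade(perfect, hsts_header=hdr))  # constructed headers
```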