
ImmuniWeb® SSLScan


Free API

High-Tech Bridge provides you with a free API to test your SSL/TLS servers. To ensure speed of service and availability for everyone, the free API allows 20 requests in 3 minutes and 250 requests in total per 24 hours from one IP address.

To prevent abuse, the API refuses to test IPs that are not related to the tested domain name. Consequently, if a domain name resolves to several IPs, a second request is mandatory, specifying one of the IPs returned by the server along with the token it issued (examples are below). If the tested domain name resolves to only one IP address, it is tested immediately.


License notice: The API is provided for free for both private and commercial purposes. If you use the API for a publicly available service (commercial or not), a link to High-Tech Bridge's Free SSL Server Test is mandatory.

Unlimited API

High-Tech Bridge provides commercial access to the SSLScan API without restrictions. The restrictions of the free API can be partially or entirely removed to suit your needs. Prices start at 200 USD per month.


Non-profit, research and academic institutions may request unlimited API for free. Please send your API usage requirements to for additional information.

API Documentation and How-To

Full API Documentation

API Specifications

| Field Name | Value |
|---|---|
| Protocol | HTTPS |
| Request Type | POST |
| URL | https://www.htbridge.com/ssl/api/v1/check/[ustamp].html, where "ustamp" is an arbitrary UNIX time-stamp (must be an integer). This construction prevents caching on the client side. |

POST Data Specification

| Field Name | Value |
|---|---|
| api_key | Secret token which you submit alongside the request. |
| domain:port | Must be a valid domain name or IP address, followed by a port number. If no port is supplied, 443 is used by default. |
| show_test_results | "false" means that test results will be hidden, "true" means that test results will be displayed in statistics. |
| choosen_ip | IP address of the tested server (if the tested domain resolves to multiple addresses). |
| recheck | "false" will use results from cache if the server has been tested within the past 24 hours, "true" will perform a new test without looking at the cache. |
| verbosity | 1 means output will be detailed, 0 means output will be short. |
| token | Value of the token sent by the server if the tested domain resolves to several IP addresses. |

Example of Transaction Using CURL

# New test (not cached)
$ curl -XPOST -d 'domain=twitter.com:443&choosen_ip=any&show_test_results=true&recheck=false&verbosity=1' 'https://www.htbridge.com/ssl/api/v1/check/1451425590.html'

{"debug":true,"job_id":"2a9e1f1bc92dc0c7a4bde930dff488771eea6d36988208d34163c5496227b8dc","status":"test_started","status_id":1,"message":"Test has started"}

# You need to keep calling this until test is finished
$ curl -XPOST -d 'job_id=2a9e1f1bc92dc0c7a4bde930dff488771eea6d36988208d34163c5496227b8dc' 'https://www.htbridge.com/ssl/api/v1/get_result/1451425590.html'

{"job_id":"2a9e1f1bc92dc0c7a4bde930dff488771eea6d36988208d34163c5496227b8dc","status":"in_progress","status_id":2,"eta":2,"message":"Your test is in progress"}


# New test (cached)
$ curl -XPOST -d 'domain=twitter.com:443&choosen_ip=any&show_test_results=true&recheck=false&verbosity=1' 'https://www.htbridge.com/ssl/api/v1/check/1451425590.html'

{"test_id":"c84936eef26eeb8aaef5ffc43f38ddb91adfd90ac27fb416bd0b21fe2edb1004","status":"test_cached","status_id":3,"message":"Test is cached"}

$ curl -XPOST -d 'id=c84936eef26eeb8aaef5ffc43f38ddb91adfd90ac27fb416bd0b21fe2edb1004' 'https://www.htbridge.com/ssl/api/v1/get_result/1451425590.html'


# Example with token
$ curl -XPOST -d 'domain=twitter.com:443&show_test_results=true&recheck=false&verbosity=1' 'https://www.htbridge.com/ssl/api/v1/check/1451425590.html'

{"multiple_ips":["199.16.156.6","199.16.156.102","199.16.156.70","199.16.156.230"],"token":"68j3OCZLEomtjASxKoObjZXzX7p2M7L0"}

$ curl -XPOST -d 'domain=twitter.com:443&show_test_results=true&recheck=false&choosen_ip=199.16.156.230&verbosity=1&token=68j3OCZLEomtjASxKoObjZXzX7p2M7L0' 'https://www.htbridge.com/ssl/api/v1/check/1451425590.html'


# Example with error
$ curl -XPOST -d 'domain=0.0.0.0&show_test_results=true&recheck=false&verbosity=1' 'https://www.htbridge.com/ssl/api/v1/check/1451425590.html'

{"error":"The domain name cannot be resolved","error_id":7}
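
The flow in the transcript above (start, poll, cached result, multiple-IP token, error), as an added Python example that is not part of the original documentation: `next_step` decides the follow-up request for each JSON reply and refuses an IP the server did not offer. The names `endpoint`, `next_step`, `ApiError` and `pick_ip` are hypothetical, and treating any unrecognized reply as the finished result is an assumption.

```python
import time
from urllib.parse import urlencode

API_BASE = "https://www.htbridge.com/ssl/api/v1"  # from the page's examples


class ApiError(Exception):
    """Raised for {"error": ..., "error_id": ...} replies."""


def endpoint(kind, ustamp=None):
    """URL for 'check' or 'get_result'; ustamp must be an integer time-stamp."""
    if kind not in ("check", "get_result"):
        raise ValueError(kind)
    stamp = int(time.time()) if ustamp is None else int(ustamp)
    return f"{API_BASE}/{kind}/{stamp}.html"


def next_step(reply, sent, pick_ip=lambda ips: ips[0]):
    """Decide the follow-up for one decoded JSON reply.

    reply: dict decoded from the server's JSON; sent: POST fields of the
    original /check request. Returns (endpoint kind, POST body, eta), or
    None when the reply is assumed to be the final test result.
    """
    if "error" in reply:
        raise ApiError(f'{reply.get("error_id")}: {reply["error"]}')
    if "multiple_ips" in reply:
        ip = pick_ip(reply["multiple_ips"])
        if ip not in reply["multiple_ips"]:  # only server-offered IPs are testable
            raise ValueError("chosen IP was not offered by the server")
        fields = dict(sent, choosen_ip=ip, token=reply["token"])
        return "check", urlencode(fields), None
    status = reply.get("status")
    if status in ("test_started", "in_progress"):
        # eta is passed through as-is; the page does not state its unit
        return "get_result", urlencode({"job_id": reply["job_id"]}), reply.get("eta")
    if status == "test_cached":
        return "get_result", urlencode({"id": reply["test_id"]}), None
    return None  # assumption: any other reply is the finished result


if __name__ == "__main__":
    # Constructed replies modelled on the transcript above (ids shortened)
    sent = {"domain": "twitter.com:443", "recheck": "false", "verbosity": "1"}
    replies = [{"multiple_ips": ["199.16.156.6", "199.16.156.230"], "token": "tok"},
               {"job_id": "j1", "status": "in_progress", "status_id": 2, "eta": 2},
               {"test_id": "t1", "status": "test_cached", "status_id": 3}]
    for r in replies:
        print(next_step(r, sent))
```
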

System Messages

| Message Name | Response |
|---|---|
| multiple_mxes | Result is an associative array of hostnames with a list of IPs, e.g. {"multiple_mxes":{"ASPMX2.GOOGLEMAIL.COM":["64.233.164.26"],"alt2.aspmx.l.google.com":["74.125.68.27"],"ASPMX3.GOOGLEMAIL.COM":["74.125.68.26"]}, "token": "68j3OCZLEomtjASxKoObjZXzX7p2M7L0"} |
| multiple_ips | Result is a list of IPs, e.g. {"multiple_ips":["67.205.108.218","67.205.102.121"], "token": "68j3OCZLEomtjASxKoObjZXzX7p2M7L0"} |
| error | The domain name cannot be resolved |
| error | An error has occurred while checking DNS records of domain |
| error | Invalid IP address |
| error | Error with token. Our API has changed, please take look at documentation. |
| error | Sorry, your API key is invalid or has expired. Please double-check it or contact us |
| error | You have performed N tests in the last 3 minutes. The system is currently busy, please try again a bit later. |
| error | You have performed N tests in the last 24 hours. The system is currently busy, please try again a bit later. |
| error | Sorry, our systems are very busy now, we are working on the issue. Please try again in a few minutes. |
| error | You have reached the limit of N concurring running tests. Please wait until at least one of them is finished. |
| error | An error occured while testing server configuration, server become unreachable during the test. |

Example of Server Response

                      

About the Service

ImmuniWeb® SSLScan is a free product available online, provided and operated by High-Tech Bridge.

Aimed to enable anyone to assess how secure and reliable his or her SSL/TLS connection to a server (on any port) is, the service performs five distinct tests:

Scoring Methodology

- At the beginning of the test, server score is 100.
- Points are deducted when server configuration does not correspond to the PCI DSS requirements, HIPAA guidance or NIST guidelines.
- Points are deducted when server configuration contains exploitable vulnerabilities or weaknesses that are not yet covered by PCI DSS, HIPAA or NIST.
- Points are added for every extra best practice which is not mentioned in the PCI DSS requirements, HIPAA guidance or NIST guidelines.
- Server cannot get an A+ if a misconfiguration makes it lose more than 10 points.

| Grade | Score |
|---|---|
| A+ | Score greater than 99 |
| A | Score between 90 and 99 |
| A- | Score between 80 and 89 |
| B+ | Score between 70 and 79 |
| B | Score between 60 and 69 |
| B- | Score between 50 and 59 |
| C+ | Score between 35 and 49 |
| C | Score between 20 and 34 |
| F | Score lower than 20 |

Scoring

| Description | Score |
|---|---|
| Certificate is an Extended Validation (EV) certificate | +10 points |
| HTTP website redirects to HTTPS (Always-On SSL) | +10 points |
| Server prefers cipher suites providing strong Perfect Forward Secrecy (PFS) | +10 points |
| Server provides TLS_Fallback_SCSV extension | +10 points |
| Server implements HTTP Strict Transport Security (HSTS) with long duration | +10 points |
| Server X509 certificate is prior to version 3 | -5 points |
| Server certificate has been issued for a period of more than 3 years | -5 points |
| Server certificate has not been signed with the proper algorithm | -5 points |
| Server does not support OCSP stapling | -5 points |
| TLSv1.1 is not supported but TLSv1.2 is | -5 points |
| Server supports neither P-256 nor P-384 curves | -5 points |
| Server does not support some cipher suites required by NIST guidelines or HIPAA guidance | -5 points |
| TLS cipher suites that are not approved by NIST guidelines or HIPAA guidance are supported | -5 points |
| Server supports Elliptic Curves but does not support EC Point Format extension | -5 points |
| Certificate chain is not provided | -10 points |
| Neither TLSv1.1 nor TLSv1.2 is supported | -10 points |
| Website includes insecure (HTTP) content | -10 points |
| Server accepts client-initiated secure renegotiation | -10 points |
| Server does not provide information about support for secure renegotiation | -10 points |
| Certificate is untrusted or invalid | -20 points |
| Certificate signature is not SHA2 | -20 points |
| Certificate does not provide revocation information | -20 points |
| SSL is supported but TLSv1.1 or TLSv1.2 are preferred | -20 points |
| SSL/TLS cipher suites that are not approved by PCI DSS are supported | -20 points |
| Certificate key length or DH parameter are too small (< 2048 bits or 256 bits for EC) | -40 points |
| Server supports at least one elliptic curve whose size is below 224 bits | -40 points |
| SSL is supported while TLSv1.1 or TLSv1.2 are not | -40 points |
| SSL/TLS cipher suites that are not approved by PCI DSS are preferred | -40 points |
| Server supports TLS compression which may allow CRIME attack | -40 points |
| Server is vulnerable to CVE-2014-0224 (OpenSSL CCS flaw) | -60 points |
| Server is vulnerable to CVE-2016-2107 (OpenSSL padding-oracle flaw) | -60 points |
| Server is vulnerable to POODLE over TLS | -60 points |
| Server accepts client-initiated insecure renegotiation | -60 points |
| Server is vulnerable to ROBOT (Return Of Bleichenbacher's Oracle Threat) | -60 points |
| Server is vulnerable to Heartbleed | -70 points |

How-To

| URL | Description |
|---|---|
| Nginx | Blog post for strong TLS configuration on Nginx |
| Apache2 | Blog post for strong TLS configuration on Apache2 |
| Lighttpd | Blog post for strong TLS configuration on Lighttpd |
| IIS | Blog post for good cipher suites configuration on IIS |

SSL Certificate Analysis

Test For Compliance With PCI DSS Requirements

Reference: PCI DSS 3.2.1 - Requirements 2.3 and 4.1

Test For Compliance With NIST Guidelines

Reference: NIST Special Publication 800-52 Revision 1 - Section 3

Test For Industry Best-Practices

Third-Party Content Analysis

Email Server Security Hardening

SSL/TLS Security Publications

InfoSecurity Europe 2017: High-Tech Bridge releases application security trends report

Wednesday, June 6, 2017 | High-Tech Bridge Security Research

The latest trends and insights on mobile and IoT security, DevSecOps, Bug Bounties, OWASP Top Ten and encryption.




High-Tech Bridge releases a new version of its free SSL testing service

Tuesday, September 20, 2016 | High-Tech Bridge Security Research

The new version of the service enables companies to easily test any SSL/TLS-based services for compliance with PCI DSS, HIPAA and NIST, while the new API provides much more flexibility for software developers.




Global companies aren't quick to patch "high" severity flaw in OpenSSL

Friday, May 27, 2016 | High-Tech Bridge Security Research

Yet another Padding Oracle flaw (CVE-2016-2107), which allows decryption of TLS traffic in a MITM attack, remains exploitable on the most popular web and email servers.




90% of SSL VPNs use insecure or outdated encryption, putting your data at risk

Tuesday, February 23, 2016 | High-Tech Bridge Security Research

In December 2015, we conducted research on the SSL/TLS encryption of the largest public email service providers, which helped several large companies improve the quality and reliability of their email servers' SSL/TLS encryption.

Try other ImmuniWeb® Free Products

ImmuniWeb® Mobile App Scanner

Audit your iOS or Android apps for OWASP Mobile Top 10 and other vulnerabilities.

ImmuniWeb® Trademark Monitor

Discover typosquatted, cybersquatted or phishing websites abusing your brand.

ImmuniWeb® WebScan

Test your Content Security Policy (CSP) and HTTP Security Headers.
