TLS Studio

TLS protocol & cipher scanner

See exactly which TLS versions a host still offers — TLS 1.0 through 1.3 — the cipher it negotiates for each, and whether it has forward secrecy. Graded A–F.

Forces a handshake at each TLS version from our resolver network — a few seconds.

Why old TLS versions matter

TLS 1.0 and 1.1 are deprecated and carry known weaknesses; browsers and compliance regimes (PCI DSS, and most modern security baselines) require them to be disabled. A host that still negotiates TLS 1.0 is the clearest sign of an out-of-date configuration. The goal is TLS 1.2 and 1.3 only, with forward-secret cipher suites (ECDHE), so a compromised key cannot decrypt past traffic.

How the scan works

Rather than read a single negotiated version, this forces a separate handshake pinned to each TLS version in turn and records which succeed — so you see the full support matrix, not just what your browser happened to negotiate. The probe runs from our resolver network. For the certificate itself, use the certificate chain visualiser, and for the whole domain, the full report.