TLS Protocol Version Diagnostic Tool

Enter a domain name to check which TLS versions (1.0-1.3) it supports. Instantly see whether deprecated legacy versions are still enabled on your server, for free.

Tips

  • PCI DSS (the payment card industry security standard) has required disabling TLS 1.0/1.1 as "insufficiently secure protocols" since 2018. Sites handling payments should check this first.
  • Unlike an SSL certificate checker, which inspects the expiry date and issuer of a certificate, this tool diagnoses the protocol-level configuration itself — which versions the server is willing to negotiate. Using both together gives a fuller picture.
  • Leaving TLS 1.0/1.1 enabled won't break ordinary traffic immediately, but major browsers are increasingly moving toward rejecting them by default, so disabling them early reduces future compatibility risk.
  • Conversely, if both TLS 1.2 and 1.3 are disabled, that strongly suggests a misconfiguration, since modern browsers may be unable to connect at all — treat this as the highest-priority issue to fix.
  • If your site runs on shared hosting or behind a CDN, TLS version settings are usually controlled by the hosting provider, so report any issues found here to their support team.

Frequently asked questions

TLS 1.0, standardized in 1999, is an aging protocol affected by cryptographic weaknesses exploited by attacks such as BEAST and POODLE. PCI DSS mandated migrating away from TLS 1.0/1.1 by the end of June 2018, and major browsers have been phasing out support ever since.

Just enter your domain name into this tool. It attempts a real handshake for each of TLS 1.0 through 1.3 and shows you which ones succeed, with no need for command-line tools like openssl.

Very old operating systems and browsers (such as the default browser on Windows XP) may lose access, but every mainstream browser and OS in use today already supports TLS 1.2 or later, so the practical impact is usually minimal.

TLS 1.3, standardized in 2018, offers faster handshakes and a simplified, more secure cipher suite selection. TLS 1.2 has no known critical vulnerabilities either, so a common approach is to enable both — letting newer clients use 1.3 while older ones fall back to 1.2.

This tool only diagnoses protocol version support. To check certificate expiry, issuer, or SAN entries, use the SSL Certificate Checker in the same category.
ツールくん

Side Note — The evolution of TLS versions and their vulnerabilities

SSL, the predecessor of TLS, was developed by Netscape in the mid-1990s, but both SSL 2.0 and 3.0 had fundamental design flaws. TLS 1.0, standardized in 1999 as SSL 3.0's successor, still suffered from improper handling of initialization vectors in CBC-mode ciphers in some implementations — a weakness demonstrated by the BEAST attack in 2011.

In 2014, the POODLE attack exposed a design flaw in SSL 3.0 itself, and concern quickly spread to the architecturally similar TLS 1.0/1.1. PCI DSS, the payment card industry's security standard, announced a phased ban on TLS 1.0 in 2015 and set June 2018 as the deadline for a complete migration away from TLS 1.1 and below.

TLS 1.3, standardized in 2018, learned from these past vulnerabilities by removing cipher suites prone to weaknesses (such as RC4 and CBC-mode block ciphers) and cutting down the number of handshake round trips. Today, most major browsers and server software enable TLS 1.3 by default and have already dropped support for TLS 1.0/1.1.

Even so, servers that still depend on legacy systems exist worldwide, and it is not uncommon to find TLS 1.0/1.1 left enabled unnoticed. Making a server's configuration easy to see at a glance — something administrators can otherwise overlook — is exactly the value a diagnostic tool like this one provides.