TLS Version Check

Check which TLS versions (1.0–1.3) a server supports and grade safety.

TLS Version Check tests in real time which protocols a server allows for the handshake among TLS 1.0, 1.1, 1.2 and 1.3. It attempts an actual connection with each version, reports support exactly as observed, and grades the overall configuration as safe, caution, or danger.

TLS 1.0 and 1.1 are deprecated legacy protocols; leaving them enabled exposes you to downgrade attacks and weak cipher suites. Just enter a domain — the tool probes port 443, and results are briefly cached for speed.

Domaine.g. example.com (domain only, no protocol or path; port 443)

Why disable TLS 1.0 / 1.1

TLS 1.0 (1999) and TLS 1.1 (2006) were formally deprecated by the IETF in RFC 8996 (2021). They rely on weak hashes and cipher suites and carry known vulnerabilities like BEAST and POODLE, and standards such as PCI DSS require disabling them. If either is supported, this tool flags a caution.

TLS 1.2 / 1.3 recommended

TLS 1.2: the widely deployed, safe baseline. Pair it with AEAD cipher suites.
TLS 1.3: the modern version with a faster handshake and weak options removed. Enable it alongside 1.2 when possible.
The ideal configuration supports only TLS 1.2 + 1.3 with 1.0 and 1.1 fully disabled.

Reading the result

Supporting both 1.2 and 1.3 with legacy versions off is rated safe. If 1.0 or 1.1 is enabled it is a caution — disable those protocols in your server config. If neither 1.2 nor 1.3 is supported it is a danger, meaning a secure connection is not possible. To check the certificate's expiry and chain trust alongside the protocol, use the SSL Certificate Checker as well.

Frequently asked questions

Which port is tested?

The default HTTPS port 443. The tool attempts a real handshake with each TLS version and reports whether it succeeds.

Is it risky if TLS 1.0 is supported?

TLS 1.0 and 1.1 are deprecated legacy protocols exposed to downgrade and weak-cipher attacks. We recommend disabling them on the server for security.

What if neither 1.2 nor 1.3 is supported?

It is flagged as danger. Modern browsers and clients may fail to connect securely, so enable TLS 1.2 or higher immediately.

Can it test internal servers or private IPs?

No. For security, hosts resolving to private or internal IPs are blocked. Only publicly reachable domains can be checked.

Is the domain I enter stored?

Results are cached for only 60 seconds to reduce load, and the input is not otherwise retained.

Related tools

SSL Error Message Decoder

Explain browser SSL errors like ERR_CERT_COMMON_NAME_INVALID.

CAA Record Check

Check which CAs are allowed to issue certificates via CAA records.

SSL Certificate Checker

Check a domain's SSL certificate expiry, issuer, chain and TLS version live.

SSL Certificate Decoder

Paste a PEM certificate to decode subject, issuer, validity and SANs.

CSR Decoder

Paste a CSR to decode its subject and key information.

CIDR Calculator

Calculate IP range, subnet mask and host count from CIDR notation.