RevealTheme logo

SSL Grade Tester

Open a live TLS handshake to any HTTPS host on port 443 and read back the negotiated protocol, cipher, and certificate details, summarized as a quick grade.

How to use this tool

  1. 1

    Type a hostname or full URL into the input box (for example example.com or https://example.com) — the tool extracts the hostname and always connects on port 443.

  2. 2

    Click 'Grade SSL' to make the server open a TLS connection to that host.

  3. 3

    Read the big grade card (A+, A, or F) for the headline result.

  4. 4

    Scan the details table for the negotiated protocol, cipher, issuer, and certificate expiry date, plus any warning notes listed below it.

What does this SSL grade actually measure?

This tool opens a single live TLS handshake to the host you enter on port 443, using the hostname as the SNI server name, and then reports what the server and Node.js agreed on. The grade is a small heuristic, not the multi-dimensional score that Qualys SSL Labs produces. It works on exactly two signals: the negotiated protocol version and the negotiated cipher name. TLS 1.3 earns A+, TLS 1.2 earns A, and any older protocol (TLS 1.1, TLS 1.0, SSL 3.0) drops straight to F. Separately, if the cipher name contains the substring RC4 or DES, the grade is forced to F. There is no B, C, or D in practice. The certificate's expiry is read and shown, and a warning line appears when fewer than 30 days remain, but expiry does not change the letter grade. Crucially, the connection is made with certificate-chain verification disabled, so a self-signed, expired, or hostname-mismatched certificate still connects and still gets graded purely on its protocol and cipher. Treat the result as a fast sanity check on the single handshake your server happened to negotiate, not a full audit.

Common use cases

  • Confirm a freshly deployed site negotiates TLS 1.3 (A+) rather than silently falling back to TLS 1.2 or older.

  • Spot-check an internal or staging host that uses a self-signed certificate, since the tool connects even when the chain does not validate.

  • Quickly see a certificate's issuer and expiry date and whether it falls inside the 30-day warning window.

  • Catch a server still offering a legacy protocol or an RC4/DES cipher, which immediately scores F.

  • Sanity-check a vendor or partner endpoint before integrating, to see what protocol and cipher your client would actually get.

  • Demonstrate to a teammate, in seconds, why 'it has HTTPS' is not the same as 'it has a modern TLS configuration'.

Frequently asked questions

How is this different from Qualys SSL Labs?
SSL Labs enumerates every protocol and cipher the server supports and scores HSTS, OCSP stapling, key exchange, forward secrecy, and the full chain. This tool inspects only the single protocol and cipher that one handshake negotiated, so use it for a quick read and SSL Labs for a real audit.
Why does an expired or self-signed certificate still get a grade?
The connection is opened with chain verification turned off (rejectUnauthorized is false). That is deliberate so the tool can still report protocol and cipher for misconfigured or internal hosts, but it means the grade does not reflect whether the certificate is actually trusted. Check the issuer and expiry fields yourself.
Does the certificate expiry affect the grade?
No. Expiry is read and displayed, and a warning note appears when fewer than 30 days remain, but the letter grade is decided only by protocol version and cipher name. A long-expired certificate on TLS 1.3 will still show A+.
Can I test a host on a port other than 443?
No. Port 443 is hardcoded. If you enter a URL with a different port it is ignored; only the hostname is used and the connection always goes to 443.
Does the check run in my browser?
No. The handshake runs on this site's server, which makes the outbound TLS connection to the host you submit. The hostname you type is sent to our server, and your browser never connects to the target host directly.
What do A+, A, and F mean here?
A+ means the handshake negotiated TLS 1.3. A means TLS 1.2. F means either an older protocol (TLS 1.1, TLS 1.0, SSL 3.0) or a cipher whose name contains RC4 or DES. No other grades are produced.
Why did my test time out or error?
The tool waits up to 10 seconds for the TLS handshake. A timeout or error usually means the host is unreachable, not listening on 443, blocking the connection, or not speaking TLS on that port.

Related tools