TLS Quick Scan
Probe which TLS protocol versions a server accepts and show the cipher each negotiates.
Monitor this automatically
NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.
Start monitoring free → See all monitoring productsFrequently Asked Questions
What does TLS Quick Scan check?
It probes which TLS protocol versions your server accepts — TLS 1.0, 1.1, 1.2, and 1.3 — and shows the specific cipher suite negotiated for each version. This lets you quickly spot deprecated protocols (TLS 1.0/1.1 are insecure and disabled in modern browsers) and weak or export-grade ciphers.
Why should I disable TLS 1.0 and TLS 1.1?
TLS 1.0 and 1.1 are vulnerable to attacks like POODLE and BEAST, and have been deprecated by major browser vendors since 2020. Leaving them enabled can fail PCI-DSS and HIPAA compliance audits. Modern servers should support TLS 1.2 and TLS 1.3 only.
What is a cipher suite?
A cipher suite is a named combination of algorithms that secure a TLS connection: a key exchange algorithm (e.g. ECDHE), authentication (e.g. RSA), bulk encryption (e.g. AES-256-GCM), and a MAC. Weak ciphers using RC4, 3DES, or export-grade key lengths should be disabled on any production server.
How is this different from TLS Deep Scan?
TLS Quick Scan is a fast protocol/cipher probe — ideal for a quick health check. TLS Deep Scan goes further: full certificate chain validation, OCSP stapling, Signed Certificate Timestamps (SCTs), and a complete per-version cipher matrix. Use Quick Scan for speed, Deep Scan for a thorough audit.
Can I test a non-standard port?
Yes — append the port to the hostname: mail.example.com:465. This is useful for testing SMTPS (465), IMAPS (993), POP3S (995), or any HTTPS service on a non-standard port.