TLS Deep Scan
Full chain validation, OCSP stapling, SCT count, and per-TLS-version cipher matrix.
Rate-limited to 5 scans/min per IP. Results cached for 5 min per (host, port, SNI, options).
negotiated TLS 1.2 and refuses TLS 1.3. The cert chain itself can still be valid — this is a handshake-layer issue, not a verification one. Typical fingerprint: older Apache / IIS / Nginx with a modern Let's Encrypt cert grafted on, or a stale load-balancer config. Modern Chrome (124+) sends a TLS 1.3 ClientHello with a post-quantum key share (~1.5 KB); older servers often mishandle that and surface as ERR_SSL_PROTOCOL_ERROR. The fix is to upgrade the origin (or fronting LB) to support TLS 1.3.
Protocols & accepted ciphers
| Version | Supported | Ciphers |
|---|
Received chain
Certificates expire silently — and browsers block your site the moment they do.
Never check certificates manually again
- ✓Monitor every certificate
- ✓Email alerts at 30 / 14 / 7 days
- ✓SMS and Slack notifications
- ✓Historical expiry trends
- ✓Multi-domain support
- ✓Auto-renewal reminders
Frequently Asked Questions
What does TLS Deep Scan check beyond a quick scan?
TLS Deep Scan runs a full inspection powered by sslyze: certificate chain validation (trust anchors, expiry, hostname match), OCSP stapling status, Signed Certificate Timestamp (SCT) count for Certificate Transparency compliance, and a matrix of every cipher suite accepted per TLS version.
What is OCSP stapling and why does it matter?
OCSP stapling lets the server attach a cached, CA-signed proof that its certificate hasn't been revoked, delivered during the TLS handshake. Without stapling, browsers contact the CA's OCSP server on every connection — adding latency and leaking browsing history to the CA. Stapling improves both performance and privacy.
What are Signed Certificate Timestamps (SCTs)?
SCTs are receipts from Certificate Transparency logs proving a certificate was submitted for public auditing before issuance. Chrome requires at least 2 SCTs on certificates issued after April 2018 — without them the browser shows a certificate error. SCTs can be embedded in the certificate itself, delivered via OCSP, or included in the TLS handshake extension.
What does 'forward secrecy' mean in the cipher matrix?
Forward secrecy (PFS) means that compromise of the server's private key does not expose past session traffic. It's achieved by cipher suites using ephemeral Diffie-Hellman key exchange (ECDHE or DHE). Cipher suites using plain RSA key exchange lack forward secrecy and should be disabled on modern servers.
How long does a deep scan take?
Typically 15–45 seconds. The scan tries every TLS version and cipher combination against the server, which is thorough but slower than a quick probe. Complex servers or slow OCSP responders may take longer. Use TLS Quick Scan for a faster check.