Qualys’ SSL Labs is a free, in-depth tool for testing the SSL/TLS deployment on your server.
NB. You can run an SSL health check with Qualys SSL Labs directly within Really Simple SSL. This health check covers not only your SSL certificate but also server configuration that only your hosting provider can change.
What are the most important metrics?
The score is calculated from a mix of metrics, including the server configuration, your SSL certificate and how it is deployed. Below we explain the most important metrics: the ones that give you the opportunity to rank among the top 20% of websites tested with SSL Labs.
TLS protocol and Cipher suites
Grades will be capped to a lower tier when the server still supports TLS 1.1 or lower. Supporting protocols other than TLS (i.e. SSL 2.0 or SSL 3.0) sets your score to F by default. Within the modern protocols the cipher suites matter as well: move towards suites that use AES-256 in Galois/Counter Mode (GCM). A server with the wrong cipher order preference, or one that still offers 128-bit or RSA cipher suites without Galois/Counter Mode, will be capped.
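To show how these protocol and cipher rules translate into a concrete check, here is an added example (not code from Really Simple SSL or Qualys) that reads the `ssl_protocols`, `ssl_ciphers` and `ssl_prefer_server_ciphers` directives from an nginx-style configuration and reports the findings described above. The two configurations are constructed for the example, and the verdicts ("F", "capped", "ok") are a simplified model of the caps in the text, not SSL Labs' real scoring; ChaCha20-Poly1305 is treated as acceptable alongside GCM, which is an assumption of this check.

```python
"""Evaluate an nginx-style TLS configuration against the protocol and cipher-suite
rules described above (simplified model; not the real SSL Labs grader)."""
import re

# Constructed sample configurations (hypothetical; not taken from any real server).
WEAK_CONFIG = """
server {
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-SHA:AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
}
"""

MODERN_CONFIG = """
server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
}
"""


def parse_directive(config, name):
    """Return the whitespace-separated values of an nginx directive, or [] if absent."""
    m = re.search(rf"^\s*{name}\s+([^;]+);", config, re.MULTILINE)
    return m.group(1).split() if m else []


def check_protocols(protocols):
    """Non-TLS protocols fail outright; TLS 1.1 and lower cap the grade."""
    findings = []
    for p in protocols:
        if p.startswith("SSLv"):
            findings.append(("fail", f"{p}: non-TLS protocol enabled, score is F"))
        elif p in ("TLSv1", "TLSv1.1"):
            findings.append(("cap", f"{p}: TLS 1.1 or lower still supported"))
    return findings


def check_ciphers(ciphers, prefer_server_order):
    """Flag 128-bit suites, suites without an AEAD mode, and a missing server order preference."""
    findings = []
    for c in ciphers:
        if "AES128" in c:
            findings.append(("cap", f"{c}: 128-bit cipher"))
        # Assumption: ChaCha20-Poly1305 is accepted as an AEAD equivalent to GCM.
        if "GCM" not in c and "CHACHA20" not in c:
            findings.append(("cap", f"{c}: no Galois/Counter Mode (not an AEAD suite)"))
    if not prefer_server_order:
        findings.append(("cap", "server does not enforce its cipher order preference"))
    return findings


def evaluate(config):
    """Return (verdict, findings) where verdict is 'F', 'capped' or 'ok'."""
    protocols = parse_directive(config, "ssl_protocols")
    ciphers = [c for c in ":".join(parse_directive(config, "ssl_ciphers")).split(":") if c]
    # nginx defaults ssl_prefer_server_ciphers to off when the directive is absent.
    prefer = parse_directive(config, "ssl_prefer_server_ciphers") == ["on"]
    findings = check_protocols(protocols) + check_ciphers(ciphers, prefer)
    if any(sev == "fail" for sev, _ in findings):
        verdict = "F"
    elif findings:
        verdict = "capped"
    else:
        verdict = "ok"
    return verdict, findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("modern", MODERN_CONFIG)):
        verdict, findings = evaluate(cfg)
        print(f"{label}: {verdict}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

Run it on your own server block to get a first indication before submitting the host to SSL Labs; the real test also inspects what the server actually negotiates, which a configuration file alone cannot show.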
HSTS (HTTP Strict Transport Security)
HSTS stands for HTTP Strict Transport Security; it tells browsers to always load your site over HTTPS. Why do you need this when you have already redirected your site to SSL?
HSTS is meant for situations where users are not actually visiting your site but a site pretending to be yours, which therefore has no SSL certificate for your domain. That fake site won't redirect to SSL, whereas a browser that has seen your HSTS header will refuse to load your domain over plain HTTP at all.
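As an added example (not code from Really Simple SSL or the page's author), the following parses a `Strict-Transport-Security` response header and reports the things a practitioner checks before relying on it: that the header exists, that `max-age` is present and numeric, that it is not zero, and that `includeSubDomains` and `preload` are set. The sample responses are constructed; the one-year threshold is an assumption of this check (it is the value required for the browser preload list), not a number from the page.

```python
"""Parse and validate an HSTS header value (RFC 6797 syntax)."""

# Assumption for this check: one year, the minimum the browser preload list requires.
ONE_YEAR = 31536000

# Constructed sample responses (header names lower-cased as most HTTP clients return them).
GOOD_RESPONSE = {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"}
SHORT_RESPONSE = {"strict-transport-security": "max-age=86400"}
NO_HSTS_RESPONSE = {"content-type": "text/html"}


def parse_hsts(header):
    """Return a dict of lower-cased directive names to values from a raw header value."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        # RFC 6797: a directive must not appear more than once.
        if name in directives:
            raise ValueError(f"duplicate directive {name}")
        directives[name] = value
    return directives


def check_hsts(headers):
    """Check response headers for a usable HSTS policy. Returns (ok, warnings).

    Note that browsers only honour the header when it arrives over HTTPS, so the
    response being inspected must come from the https:// site, not the redirect."""
    raw = headers.get("strict-transport-security")
    if raw is None:
        return False, ["no Strict-Transport-Security header: browsers will keep accepting plain HTTP for this host"]
    try:
        directives = parse_hsts(raw)
    except ValueError as exc:
        return False, [str(exc)]
    if "max-age" not in directives or not directives["max-age"].isdigit():
        return False, ["max-age missing or not a number: browsers ignore the header"]
    warnings = []
    max_age = int(directives["max-age"])
    if max_age == 0:
        warnings.append("max-age=0 removes the HSTS policy for this host")
    elif max_age < ONE_YEAR:
        warnings.append(f"max-age {max_age} is shorter than one year")
    if "includesubdomains" not in directives:
        warnings.append("includeSubDomains missing: subdomains remain reachable over HTTP")
    if "preload" not in directives:
        warnings.append("preload missing: the very first visit stays unprotected until the header has been seen")
    return not warnings, warnings


if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("short", SHORT_RESPONSE), ("none", NO_HSTS_RESPONSE)):
        ok, warnings = check_hsts(resp)
        print(label, "ok" if ok else "problems:", "; ".join(warnings))
```

Feed it the headers of a real `https://` response (for example from `requests` or `curl -I`) to see the same directive breakdown that an SSL Labs report summarises.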
SSL certificate and chain
An SSL certificate should be signed by a trusted authority and renewed before it expires. Grades will be capped if there are any chain issues. A certificate chain is a list of SSL certificates, each issued by the authority of the previous certificate in the chain. If one of these certificates is not chained correctly, you'll see chain issues. This is mostly due to incorrect installation or configuration.
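The chain problems mentioned above (a missing intermediate, certificates sent in the wrong order, a chain ending in an untrusted self-signed certificate) can be illustrated on a reduced model of the certificates a server sends. The example below is added here and is not code from Really Simple SSL or SSL Labs; the certificates are constructed with hypothetical names and reduced to subject and issuer, and the trust store is a small set standing in for the client's. A real check would also verify each signature, validity period and name constraints.

```python
"""Order and check a server-sent certificate chain on a reduced (subject, issuer) model."""

# Constructed sample certificates (hypothetical names; only the fields needed for chain building).
LEAF = {"subject": "CN=www.example.com", "issuer": "CN=Example Intermediate CA"}
INTER = {"subject": "CN=Example Intermediate CA", "issuer": "CN=Example Root CA"}
ROOT = {"subject": "CN=Example Root CA", "issuer": "CN=Example Root CA"}
SELF_SIGNED = {"subject": "CN=selfsigned.example", "issuer": "CN=selfsigned.example"}

# Stands in for the client's trust store.
TRUSTED_ROOTS = {ROOT["subject"]}


def find_leaf(sent):
    """The end-entity certificate is the one that issued none of the others."""
    return [c for c in sent
            if not any(o is not c and o["issuer"] == c["subject"] for o in sent)]


def audit_chain(sent, trusted_roots=TRUSTED_ROOTS):
    """Check the certificates a server sent in the handshake.

    Returns (chain, problems): chain is the ordered list of subjects from the
    end-entity certificate up to the last certificate that could be reached."""
    problems = []
    leaves = find_leaf(sent)
    if len(leaves) != 1:
        return [], ["cannot identify a single end-entity certificate among the certificates sent"]
    leaf = leaves[0]
    by_subject = {c["subject"]: c for c in sent}
    chain = [leaf["subject"]]
    current = leaf
    while current["subject"] not in trusted_roots:
        if current["issuer"] == current["subject"]:
            problems.append(f"chain ends in untrusted self-signed certificate '{current['subject']}'")
            break
        nxt = by_subject.get(current["issuer"])
        if nxt is None:
            if current["issuer"] in trusted_roots:
                # The anchor is in the trust store; sending the root itself is optional.
                chain.append(current["issuer"])
            else:
                problems.append(f"incomplete chain: intermediate '{current['issuer']}' was not sent")
            break
        if nxt["subject"] in chain:
            problems.append("certificates form a loop")
            break
        chain.append(nxt["subject"])
        current = nxt
    # TLS requires the end-entity certificate first, each following certificate
    # certifying the one before it; anything else is reported as an ordering problem.
    expected_order = [s for s in chain if s in by_subject]
    actual_order = [c["subject"] for c in sent]
    if actual_order != expected_order:
        problems.append("certificates sent out of order or unrelated certificates included")
    return chain, problems


if __name__ == "__main__":
    for label, sent in (("complete", [LEAF, INTER]), ("missing intermediate", [LEAF]),
                        ("wrong order", [INTER, LEAF]), ("self-signed", [SELF_SIGNED])):
        chain, problems = audit_chain(sent)
        print(f"{label}: {' -> '.join(chain)}")
        for p in problems:
            print(f"  problem: {p}")
```

The "missing intermediate" case is the one most often behind a chain-issues cap: the site works in browsers that cache or fetch the intermediate, but fails for clients that rely solely on what the server sends.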
DNS CAA (Certification Authority Authorization) is a restriction in which the CAs (Certification Authorities, e.g. Let's Encrypt or Comodo) allowed to issue for your domain are listed in a DNS record; a CA must check it before issuing a certificate. It gives you more control over which CAs can issue for your domain. Certificate Transparency means a certificate issued by a Certification Authority is recorded in public logs; a certificate without it will break your SSL chain.
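To make the CAA rule concrete, here is an added example (not code from Really Simple SSL or any CA) of the decision a CA makes from CAA records: it climbs from the requested name towards the root until it finds a name with CAA records, applies `issuewild` to wildcard requests when present and `issue` otherwise, and treats an empty issuer (`;`) as "nobody may issue". The zone data and domain names are constructed for the example; the logic follows RFC 8659 as summarised here, without the critical flag or the `iodef` tag.

```python
"""Decide whether a CA may issue for a name, from CAA records (RFC 8659 logic, simplified)."""

# Constructed zone data: owner name -> list of (tag, value). Hypothetical domains.
ZONE = {
    "example.com.": [("issue", "letsencrypt.org"), ("issuewild", ";")],
    "child.example.com.": [],            # empty, so the search continues at the parent
    "locked.example.org.": [("issue", ";")],  # no CA at all may issue here
    "multi.example.net.": [("issue", "letsencrypt.org; validationmethods=dns-01"),
                           ("issue", "digicert.com")],
}


def find_caa_rrset(name, zone):
    """Climb toward the root until a name with a non-empty CAA RRset is found."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rrset = zone.get(candidate)
        if rrset:
            return candidate, rrset
    return None, []


def issuer_domain(value):
    """The issuer domain is the part of the value before any ';' parameters."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca_domain, name, zone=ZONE):
    """Return (allowed, reason) for CA ca_domain issuing for name ('*.' prefix = wildcard)."""
    wildcard = name.startswith("*.")
    lookup = name[2:] if wildcard else name
    found_at, rrset = find_caa_rrset(lookup, zone)
    if not rrset:
        return True, "no CAA records found: issuance is not restricted"
    tags = {tag for tag, _ in rrset}
    # issuewild governs wildcard requests only when present; otherwise issue applies.
    tag = "issuewild" if (wildcard and "issuewild" in tags) else "issue"
    relevant = [value for t, value in rrset if t == tag]
    if not relevant:
        return True, f"no {tag} records at {found_at}: issuance is not restricted by CAA"
    for value in relevant:
        domain = issuer_domain(value)
        # An empty issuer domain (';') authorizes nobody and can never match.
        if domain and domain == ca_domain.lower():
            return True, f"{tag} record at {found_at} names {ca_domain}"
    return False, f"{tag} records at {found_at} do not authorize {ca_domain}"


if __name__ == "__main__":
    for ca, name in (("letsencrypt.org", "www.example.com"), ("digicert.com", "www.example.com"),
                     ("letsencrypt.org", "*.example.com"), ("letsencrypt.org", "locked.example.org"),
                     ("digicert.com", "multi.example.net")):
        allowed, reason = may_issue(ca, name)
        print(f"{ca} -> {name}: {'allowed' if allowed else 'denied'} ({reason})")
```

Publishing an `issue` record for only the CA you actually use, plus `issuewild ";"` if you never request wildcard certificates, is the configuration that gives the control the text describes.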
How to get an A+?
A perfect score is only possible when your server configuration is truly modern, a trusted SSL certificate is deployed correctly and the security headers are present.