Loading…
Loading…
Paste any URL you're authorized to test. Scorifya attempts TLS handshakes across protocol versions and reports which ones your server accepts, including the deprecated TLS 1.0 and TLS 1.1.
Free tool
TLS 1.0 and TLS 1.1 were deprecated by RFC 8996 in 2021 and are disabled in all major browsers. But servers configured years ago often still accept them, especially when TLS terminates at a load balancer or CDN that was set up and never revisited. PCI DSS 4.0 (effective March 2025) explicitly requires both to be disabled, and HIPAA guidance and NIST SP 800-52r2 say the same.
Paste any public URL. Scorifya negotiates TLS handshakes across protocol versions and reports exactly which ones your server accepts. If TLS 1.0 or TLS 1.1 negotiate successfully, the scan flags them with the points they cost against the TLS category of the 0-100 score and shows where to disable them.
This page is written for people searching for TLS 1.0 checker, same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like. Paste your URL above for a live score on your site.
Example A, TLS 1.0 and 1.1 still accepted
The server negotiates all four TLS versions including the deprecated 1.0 and 1.1. PCI DSS 4.0 requires disabling both.
TLS 1.0 accepted
Disable TLS 1.0 at your TLS terminator. On Nginx: ssl_protocols TLSv1.2 TLSv1.3. On Apache: SSLProtocol -all +TLSv1.2 +TLSv1.3.
TLS 1.1 accepted
Disable alongside TLS 1.0. RFC 8996 deprecated both. No modern client requires either version.
Example B, TLS 1.2 and 1.3 only
Only TLS 1.2 and TLS 1.3 negotiate. Legacy protocol acceptance is not a finding. Remaining gap is in security headers.
Content-Security-Policy missing
TLS is no longer the bottleneck. CSP is the next highest-impact header to add.
Disable TLS 1.0 and 1.1 at your TLS terminator
The change is a one-line config at your CDN, load balancer, or web server. On Nginx: ssl_protocols TLSv1.2 TLSv1.3. On Apache: SSLProtocol -all +TLSv1.2 +TLSv1.3. On Cloudflare: set Minimum TLS Version to 1.2 in SSL/TLS settings.
Check every hostname independently
Different subdomains may terminate TLS at different layers. A CDN-fronted hostname and a direct-access hostname can have different protocol support even within the same stack.
Verify no clients still require TLS 1.0
Check your access logs for TLS version negotiated before disabling. Very old devices (pre-2016 Android, IE 10) may break, but they represent a negligible fraction of modern traffic.
Enable TLS 1.3 alongside 1.2
TLS 1.3 is faster (1-RTT handshake, 0-RTT resumption) and has a smaller attack surface. All major CDNs and load balancers support it. There is no reason to run 1.2 without also enabling 1.3.
Re-scan after every infrastructure change
CDN reconfigurations, load balancer updates, and certificate reissues can inadvertently re-enable legacy protocols. Run the TLS checker after any TLS-layer change.
For weights and penalties behind each category, see How Scorifya works.
By real browsers, no. All major browsers disabled TLS 1.0 in 2020-2021. But many servers still accept it, which creates a compliance gap and a theoretical attack surface for older clients and non-browser HTTP clients.
Yes. PCI DSS 4.0, effective March 31 2025, requires disabling all versions of SSL and early TLS (1.0 and 1.1). TLS 1.2 is the minimum acceptable version. TLS 1.3 is strongly recommended.
TLS 1.0 (1999) and 1.1 (2006) have known weaknesses including BEAST, POODLE, and weak cipher suites. TLS 1.2 (2008) is the current baseline. TLS 1.3 (2018) removed weak cipher suites entirely and reduced handshake round trips.
Set ssl_protocols TLSv1.2 TLSv1.3 in your nginx.conf server or http block. Reload Nginx and re-scan to confirm TLS 1.0 no longer negotiates.
In the Cloudflare dashboard, go to SSL/TLS > Edge Certificates > Minimum TLS Version and set it to TLS 1.2. This applies to all hostnames on the zone.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly, without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on config or deploying changes, you'll likely run multiple checks as you tighten things up. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.