Qualys SSL Labs is the technical gold standard for TLS audits. It's also a 400-line technical report written for engineers. Non-technical small business owners who see "Your server supports TLS 1.2 with AES_256_GCM_SHA384 cipher" have no idea if that's good or bad.
The SSL Grade tool rolls the same underlying signals into a letter grade. A / A+ means modern, B means acceptable but worth improving, C means you have one or two real gaps, D or F means fix this today.
What the grade is based on
- Protocol version — 40 points. TLS 1.3 is full credit. TLS 1.2 loses 10. Anything older loses 40.
- Cipher suite — 15 points. AEAD ciphers (AES-GCM, ChaCha20-Poly1305) get full credit. Non-AEAD loses 15.
- Certificate expiry — 50 points. Current certs (30+ days remaining) get full credit. Under 30 loses 5, under 14 loses 15, expired loses 50.
- Certificate chain validation — 20 points. A valid trust chain from your leaf cert to a browser-trusted root gets full credit. Broken chain loses 20.
- Certificate key strength — 30 points (context-aware). RSA must be 2048+, ECDSA must be 256+ (P-256), Ed25519 gets full credit. Weak keys lose 30.
- HSTS header — 10 points. Present with max-age ≥ 1 year gets full. Under 1 year loses 5. Missing loses 10.
- Post-quantum hybrid key exchange — info only (not scored). We note whether you support X25519MLKEM768 but don't deduct for classical-only. Most sites are classical-only in 2026; the PQC Analyzer goes deeper.
Grade bands
- A+ (95+) — modern, fully-deployed, HSTS preloaded.
- A (85-94) — modern with one minor gap.
- B (75-84) — acceptable but with two or three soft issues.
- C (65-74) — one real concern. Fix it.
- D (50-64) — multiple concerns. Fix soon.
- F (<50) — something is broken. Fix today.
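To make the scoring rules and the grade bands concrete, here is an added Python example (not the SSL Grade tool's own code) that turns the signals listed above into a letter grade. It assumes a 100-point base from which each listed deduction is subtracted; the post does not say how the tool combines its per-category weights, and HSTS preloading (mentioned in the A+ band) cannot be read off a server's headers, so it is not modelled. The `TlsSignals` fields and the `AEAD_MARKERS` name-matching are assumptions of this example.

```python
"""Letter-grade a TLS endpoint from the signals the post scores.

Added example, not the SSL Grade tool's own code. Assumed model: start at
100 points and subtract the deductions the post lists for each category.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ONE_YEAR = 31536000  # seconds; the post's HSTS max-age threshold
# Assumption: an AEAD suite is recognised by one of these tokens in its name.
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


@dataclass
class TlsSignals:
    protocol: str                # negotiated version, e.g. "TLSv1.3"
    cipher: str                  # negotiated suite, e.g. "TLS_AES_256_GCM_SHA384"
    days_to_expiry: int          # negative once the leaf cert has expired
    chain_valid: bool            # leaf chains to a browser-trusted root
    key_type: str                # "RSA", "EC" or "Ed25519"
    key_bits: int                # modulus / curve size; 0 for Ed25519
    hsts_max_age: Optional[int]  # seconds, or None when the header is absent
    hybrid_kex: bool = False     # X25519MLKEM768 offered; reported, never scored


def deductions(s: TlsSignals) -> Dict[str, int]:
    """Points lost per category, using the weights from the post."""
    d: Dict[str, int] = {}
    # Protocol version, up to 40 points.
    if s.protocol == "TLSv1.3":
        d["protocol"] = 0
    elif s.protocol == "TLSv1.2":
        d["protocol"] = 10
    else:
        d["protocol"] = 40
    # Cipher suite, up to 15 points: AEAD gets full credit.
    is_aead = any(m in s.cipher.upper() for m in AEAD_MARKERS)
    d["cipher"] = 0 if is_aead else 15
    # Certificate expiry, up to 50 points.
    if s.days_to_expiry < 0:
        d["expiry"] = 50
    elif s.days_to_expiry < 14:
        d["expiry"] = 15
    elif s.days_to_expiry < 30:
        d["expiry"] = 5
    else:
        d["expiry"] = 0
    # Chain validation, up to 20 points.
    d["chain"] = 0 if s.chain_valid else 20
    # Key strength, up to 30 points.
    strong_key = (
        (s.key_type == "RSA" and s.key_bits >= 2048)
        or (s.key_type == "EC" and s.key_bits >= 256)
        or s.key_type == "Ed25519"
    )
    d["key"] = 0 if strong_key else 30
    # HSTS, up to 10 points.
    if s.hsts_max_age is None:
        d["hsts"] = 10
    elif s.hsts_max_age < ONE_YEAR:
        d["hsts"] = 5
    else:
        d["hsts"] = 0
    return d


def score(s: TlsSignals) -> int:
    """Assumed model: 100 minus every deduction, floored at 0."""
    return max(0, 100 - sum(deductions(s).values()))


def letter(total: int) -> str:
    """Map a score onto the post's grade bands."""
    for floor, grade_letter in ((95, "A+"), (85, "A"), (75, "B"), (65, "C"), (50, "D")):
        if total >= floor:
            return grade_letter
    return "F"


def grade(s: TlsSignals) -> Tuple[str, int, Dict[str, int]]:
    """Letter, numeric score, and only the categories that actually lost points."""
    total = score(s)
    return letter(total), total, {k: v for k, v in deductions(s).items() if v}


if __name__ == "__main__":
    # Constructed sample: a self-hosted box on TLS 1.2 only, with no HSTS header.
    old_box = TlsSignals("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384", 60, True,
                         "RSA", 2048, None)
    print(grade(old_box))  # ('B', 80, {'protocol': 10, 'hsts': 10})
```

Under this model the "old nginx config" case from the failure modes lands in B, while a 1024-bit key on its own is enough to drop a TLS 1.2 site into D, which matches the post's ordering of what to fix first.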
The common failure modes
Cert expired last week and auto-renewal didn't fire. Browsers show a red warning page. Visitors bounce. First-time fix: run certbot renew on your server or check your hosting provider's cert dashboard. Ongoing fix: set up monitoring that alerts 14 days before expiry.
Cert key is 1024-bit RSA. Pre-2013 certs were often 1024-bit. CAs stopped issuing them in 2014. If your cert is still 1024-bit, it's either a very old installation or a self-signed cert. Reissue with 2048-bit RSA minimum, or an ECDSA P-256 key (smaller, faster, equally strong).
HSTS missing. The HSTS header tells browsers to always use HTTPS for your domain, even if a user types http://. Without it, the first request to your site can be downgraded by an attacker on a coffeeshop WiFi. Fix: add Strict-Transport-Security: max-age=31536000; includeSubDomains; preload to your server headers.
TLS 1.2 still active but 1.3 not yet on. TLS 1.3 has been standard since 2018. If you're on a managed host (Netlify, Vercel, Cloudflare, AWS CloudFront) you're on TLS 1.3 by default. If you're running your own nginx or Apache and showing TLS 1.2 only, you have an old config. Upgrade.
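The expiry monitoring recommended in the first failure mode and the HSTS check from the third can both be scripted with nothing but the Python standard library. The example below is added here and is not the SSL Grade tool's code; the 14-day alert threshold and the one-year max-age bar come from the post, and the hostname under `__main__` is a placeholder. The function names (`days_until_expiry`, `hsts_status`, `alerts`, `probe`) are this example's own.

```python
"""Certificate-expiry monitor and HSTS header check.

Added example, not the SSL Grade tool's code. Standard library only.
"""
import socket
import ssl
import time
from http.client import HTTPSConnection
from typing import Dict, List, Optional, Tuple

ALERT_DAYS = 14       # post: alert 14 days before expiry
ONE_YEAR = 31536000   # post: HSTS max-age should be at least a year


def days_until_expiry(not_after: str, now_ts: Optional[float] = None) -> int:
    """Whole days left on a cert, from the notAfter string that
    ssl.SSLSocket.getpeercert() returns (e.g. 'Jun  1 12:00:00 2026 GMT').
    Negative once the cert has expired."""
    expires_ts = ssl.cert_time_to_seconds(not_after)
    now_ts = time.time() if now_ts is None else now_ts
    return int((expires_ts - now_ts) // 86400)


def hsts_status(header: Optional[str]) -> Tuple[str, Optional[int]]:
    """Classify a Strict-Transport-Security value as 'missing', 'malformed',
    'short' (max-age under a year) or 'ok', with the parsed max-age."""
    if header is None:
        return "missing", None
    max_age = None
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return "malformed", None
    if max_age is None:
        return "malformed", None
    return ("short" if max_age < ONE_YEAR else "ok"), max_age


def alerts(days_left: int, hsts: Tuple[str, Optional[int]]) -> List[str]:
    """Turn the two signals into the messages a monitor would send."""
    out: List[str] = []
    if days_left < 0:
        out.append(f"certificate EXPIRED {-days_left} day(s) ago")
    elif days_left <= ALERT_DAYS:
        out.append(f"certificate expires in {days_left} day(s)")
    state, max_age = hsts
    if state == "missing":
        out.append("HSTS header missing")
    elif state == "malformed":
        out.append("HSTS header present but max-age unparseable")
    elif state == "short":
        out.append(f"HSTS max-age {max_age}s is under one year")
    return out


def probe(host: str, port: int = 443) -> Dict[str, object]:
    """Live check. The default context verifies chain, hostname and validity
    dates, so an expired leaf or a broken chain surfaces as a verification
    error rather than as a negative day count."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                version = tls.version()
                days_left = days_until_expiry(cert["notAfter"])
    except ssl.SSLCertVerificationError as e:
        return {"alerts": [f"certificate verification failed: {e.verify_message}"]}
    conn = HTTPSConnection(host, port, timeout=10, context=ctx)
    try:
        conn.request("HEAD", "/")
        hsts = hsts_status(conn.getresponse().getheader("Strict-Transport-Security"))
    finally:
        conn.close()
    return {"protocol": version, "days_left": days_left, "hsts": hsts,
            "alerts": alerts(days_left, hsts)}


if __name__ == "__main__":
    print(probe("example.com"))  # placeholder host; use your own domain
```

Run it from cron and page on a non-empty `alerts` list. Two things to know before copying the header from the fix above: the `preload` token does nothing until the domain is submitted to the browser preload list, and `includeSubDomains` commits every subdomain to HTTPS, so confirm each one actually serves it first.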
When to use SSL Grade vs. Qualys SSL Labs
Use SSL Grade when:
- You just want a quick letter-grade answer.
- You're checking several sites in a sitting.
- You want to see HSTS + PQC + cert chain in one report.
Use Qualys SSL Labs when:
- You need the full technical breakdown for a compliance audit.
- You suspect a specific cipher-suite misconfiguration.
- Your customer or insurer requires an SSL Labs report as documentation.
Related reading
- PQC Analyzer for post-quantum cryptography readiness
- Mega Security Analyzer for the multi-layer security scan
- Modern Security Headers for the headers that pair with TLS
- Server-side Audit Probes for how the TLS probe works
Fact-check notes and sources
- Qualys SSL Labs rating methodology (2025 edition).
- NIST SP 800-57 key-strength recommendations.
- IETF RFC 8996 on deprecating TLS 1.0 and 1.1.
- Mozilla TLS configuration guidelines (intermediate + modern).
This post is informational, not security-consulting advice. SSL Labs (Qualys) is the reference benchmark for this class of audit; mentions are nominative fair use. Letter grades are heuristic summaries; enterprise compliance contexts should use Qualys's full report.