SSL/TLS Grade methodology — v1.0
TL;DR
The A–F SSL/TLS Grade aggregates 6 weighted categories: certificate validity (10 pts), trust chain integrity (8 pts), expiry margin (6 pts), hostname match (5 pts), protocol version with TLS 1.3 / 1.2 boost (8 pts), and cipher strength + perfect-forward-secrecy (8 pts). Source of truth: src/ssl.php. A single fail in validity / trust chain caps the grade at C even if everything else passes — a broken chain is a real-user failure mode that ranking arithmetic should not paper over.
1. Certificate Validity — 10 pts
- 10 pts — cert is valid (signed by a trusted CA, not yet expired, not revoked via OCSP/CRL)
- 6 pts — expiring within 14 days but otherwise valid (warning state)
- 0 pts — expired, revoked, or self-signed in production context
Hard cap: any 0-pt result here cannot grade higher than D regardless of other categories.
2. Trust Chain Integrity — 8 pts
- 8 pts — complete chain: leaf → intermediate(s) → trusted root, all delivered by the server
- 4 pts — AIA fetching required to complete chain (legacy clients without AIA fail)
- 0 pts — broken chain or missing intermediates
3. Expiry Margin — 6 pts
- 6 pts — > 30 days remain
- 4 pts — 14–30 days remain
- 2 pts — 7–14 days remain (renewal urgency)
- 0 pts — < 7 days remain
Thresholds match Enterno.io monitor SSL warning defaults (ssl_warning_days=14, ssl_critical_days=3 in admin settings) so the grade aligns with what alerting fires on.
4. Hostname Match — 5 pts
- 5 pts — requested hostname appears in CN or SAN list
- 0 pts — mismatch (browsers throw NET::ERR_CERT_COMMON_NAME_INVALID)
5. Protocol Version — 8 pts
- 8 pts — TLS 1.3 negotiated (modern, mandatory PFS, no downgrade-prone ciphers)
- 5 pts — TLS 1.2 negotiated (acceptable per Mozilla Modern profile)
- 2 pts — TLS 1.1 (deprecated, browsers warn)
- 0 pts — TLS 1.0 / SSL v3 / SSL v2 (forbidden per RFC 8996)
6. Cipher Strength + PFS — 8 pts
- 4 pts — AEAD cipher (AES-GCM, ChaCha20-Poly1305) — no CBC, no RC4
- 4 pts — perfect forward secrecy via ECDHE or DHE key exchange
Grade letter mapping
| Score | Grade | Notes |
|---|---|---|
| 40–45 | A+ | TLS 1.3 + PFS + valid + healthy expiry |
| 35–39 | A | TLS 1.2+ ok, all categories pass |
| 28–34 | B | minor issue (expiring soon or imperfect chain) |
| 20–27 | C | capped here if §1 or §2 fails |
| 10–19 | D | multiple categories degraded |
| 0–9 | F | no HTTPS or actively dangerous configuration |
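Worked example of the scoring arithmetic above, added here as illustration and not taken from src/ssl.php: a small Python scorer over a constructed ScanResult input (hypothetical field names) that applies the six category tables, the C cap from the TL;DR and grade table for a 0-pt validity or chain result, and the letter bands.

```python
from dataclasses import dataclass

# Grade floors and the letter order used when applying the cap (from the grade letter table).
GRADE_BANDS = [(40, "A+"), (35, "A"), (28, "B"), (20, "C"), (10, "D"), (0, "F")]
GRADE_ORDER = ["F", "D", "C", "B", "A", "A+"]
PROTOCOL_POINTS = {"TLSv1.3": 8, "TLSv1.2": 5, "TLSv1.1": 2}  # TLS 1.0 / SSLv3 / SSLv2 -> 0


@dataclass
class ScanResult:
    """Constructed scanner observation for one host (hypothetical shape, not src/ssl.php's)."""
    cert_valid: bool        # trusted CA, not revoked, not self-signed
    chain_complete: bool    # leaf -> intermediate(s) -> root all sent by the server
    chain_needs_aia: bool   # chain only completes if the client fetches via AIA
    days_to_expiry: int     # negative means already expired
    hostname_matches: bool  # requested name present in CN or SAN
    protocol: str           # e.g. "TLSv1.3"
    aead_cipher: bool       # AES-GCM or ChaCha20-Poly1305
    pfs_key_exchange: bool  # ECDHE or DHE


def category_points(r: ScanResult) -> dict:
    """Score each of the six categories as the methodology tables define them."""
    if not r.cert_valid or r.days_to_expiry < 0:
        validity = 0
    else:
        validity = 6 if r.days_to_expiry <= 14 else 10
    chain = 8 if r.chain_complete else (4 if r.chain_needs_aia else 0)
    d = r.days_to_expiry
    expiry = 6 if d > 30 else 4 if d >= 14 else 2 if d >= 7 else 0
    return {
        "validity": validity,
        "chain": chain,
        "expiry": expiry,
        "hostname": 5 if r.hostname_matches else 0,
        "protocol": PROTOCOL_POINTS.get(r.protocol, 0),
        "cipher": (4 if r.aead_cipher else 0) + (4 if r.pfs_key_exchange else 0),
    }


def grade(r: ScanResult) -> tuple:
    """Return (total out of 45, letter). A 0-pt validity or chain result caps the
    letter at C after the arithmetic, so a high raw score cannot paper over it."""
    parts = category_points(r)
    total = sum(parts.values())
    letter = next(g for floor, g in GRADE_BANDS if total >= floor)
    if (parts["validity"] == 0 or parts["chain"] == 0) and GRADE_ORDER.index(letter) > GRADE_ORDER.index("C"):
        letter = "C"
    return total, letter


# Constructed sample hosts: a clean TLS 1.3 deployment, and the same host missing its intermediate.
HEALTHY = ScanResult(True, True, False, 80, True, "TLSv1.3", True, True)
BROKEN_CHAIN = ScanResult(True, False, False, 80, True, "TLSv1.3", True, True)
```

The second host scores 37 raw points (an A by the bands) but grades C because of the chain cap, which is the behaviour the TL;DR describes.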
References
- Mozilla Server-Side TLS Guidelines
- RFC 8446 — TLS 1.3
- RFC 8996 — Deprecating TLS 1.0 and TLS 1.1
- NIST SP 800-52 Rev. 2 — TLS Implementation Guidelines
- SSL Labs Rating Guide (reference for grading approach)
Versioning
v1.0 — published 2026-05-05. Mirrors src/ssl.php at HEAD on 2026-05-05. The category weights are author judgement based on browser-error blast radius (validity + trust chain rated highest because their failure produces a hard browser error; cipher strength rated alongside protocol because both can be silently weak without browsers warning the user). Future weight changes bump the version.