I just want to know what TLS version is used!
There are several reasons why this is difficult. Some of them are described in this FAQ: Why do you "score" TLS instead of giving a Yes or No answer? Just as there is no fool-proof Yes or No answer to "Does this address do TLS?", there often is not a definitive answer to "What versions of TLS does this address use?"
But difficult or not, people still want an answer to the version question. So we make it easy to get the (potentially wrong) answer. And unique to CheckTLS, we let you add intelligence and tune the question to make it as "less wrong" as you want.
Note that these instructions require a Corporate Subscription to CheckTLS ($25 to try for 30 days) and a few minutes of your time. It is easy, and we offer free, unlimited support so we are sure you will be satisfied.
TLS Version using Excel
Create a Batch
All email addresses to the same Domain (the part after the "@" in an email address) have the same security so you only need to list each Domain once. CheckTLS calls a list of email addresses a "Batch" and each unique Domain a "Target".
Batches are controlled by a Batch Input XML file, which can be complicated, so CheckTLS offers an Excel workbook to make the input easier. We encourage you to use the workbook as is for your first time through, then make changes and run it as often as you want. Common sources for your own Targets are your address book, a send log on an email server, an export from your CRM system, etc.
Create the Excel Workbook
Download this Excel workbook.
Enter your Targets (email address domains) one per row on the Targets tab of the Excel workbook. Our example uses:
Choose The Settings You Want To Extract
Fill in the Settings tab of the Excel workbook:
|BatchID||use "new" to create a batch, then put the batch number here when you want to update it|
|Description||type a description to remind you what the batch is|
|RunNow||use "Y" to run the batch right away, "N" to just save it for later|
|BatchTest-Attribute||leave this as "TestType="receiverquick""|
|Delivery-To||put your email address here (where you want the results sent)|
|Delivery-Format||leave this as "csv" (another option is "xml-detail")|
|Target-Attribute||leave this as "TimeOut="30""|
Here are the Settings from the example Excel workbook:
|Description||My First Extract Batch|
Upload the Excel Workbook
Browse to . Use the Excel File: choice to navigate to your saved Excel workbook. You can turn on Show XML if you want to see the underlying XML that your workbook creates. It is not necessary and can be confusing.
When you click the Update/Run button, your workbook is uploaded to our servers. It is checked for errors, and if all the Settings are good it creates (or updates) the Batch and optionally runs it:
Batch #1 Created | Batch #1 Queued (Estimated finish: 04-08 07:54)
Your results will be emailed to you in a few minutes. The entire Batch should take about 4 seconds per Target.
You can use the and/or buttons to monitor your Batch and see your results.
See the Results
If you put "csv" in the Delivery-Format row on the Settings tab, your results will look like:
"eMailAddress","ConfidenceQFactor","SSLVersion"
"CheckTLS.com","121","TLSv1_3"
"RefuseTLS.CheckTLS.com","0",
"NoDNS.CheckTLS.com","50",
"TLSv1.CheckTLS.com","71","TLSv1"
If you put "xml-detail" in the Delivery-Format row on the Settings tab, your results will look like:
<CheckTLS>
  <Results test="BatchTest_receiver" version="V03.19.02" format="xml-detail" id="1" description="My First Extract Batch">
    <Result origin="www11-do.CheckTLS.com">
      <eMailAddress>CheckTLS.com</eMailAddress>
      <ConfidenceQFactor>121</ConfidenceQFactor>
      <SSLVersion>TLSv1_3</SSLVersion>
    </Result>
    <Result origin="www11-do.CheckTLS.com">
      <eMailAddress>RefuseTLS.CheckTLS.com</eMailAddress>
      <ConfidenceQFactor>0</ConfidenceQFactor>
    </Result>
    <Result origin="www11-do.CheckTLS.com">
      <eMailAddress>NoDNS.CheckTLS.com</eMailAddress>
      <ConfidenceQFactor>50</ConfidenceQFactor>
    </Result>
    <Result origin="www11-do.CheckTLS.com">
      <eMailAddress>TLSv1.CheckTLS.com</eMailAddress>
      <ConfidenceQFactor>71</ConfidenceQFactor>
      <SSLVersion>TLSv1</SSLVersion>
    </Result>
  </Results>
</CheckTLS>
If you run this Batch:
You will get this result:
<Results test="BatchTest_receiverquick" version="V03.21.05" format="xml-detail" id="78" description="Sample XSLT 3 fields into xml">
If you change "-xml-" in the <BatchXSL> text to "-csv-" you will get this result:
Sample XSLT 3 fields into csv
A bit of explanation: the <BatchXSL> line in the Batch tells it to "transform" (XSLT) the XML_Detail output from
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
If you decide to use this XSL, you should copy it onto a webserver that you control. We may make changes to it in the future and we don't want to break someone's production systems.
Add Intelligence and Tune the Question
Back to why this is difficult. The tests above only do a Quick test, so they are just testing the first MX. You can change it to test multiple MXs, but then you have to decide which ones to test, and how to weigh the different MX preferences and number of hosts in each MX group, and the strength of the cipher(s) used, and the validity of the certificate(s) used, and so on.
You can add other fields besides the above eMailAddress, ConfidenceQFactor, and SSLVersion. Use the interactive ("TestReceiver") to see what other fields are available. These can be added to the Excel workbook. While the Excel front-end to Batch testing is not designed to pull out information from multiple MX hosts, the full XML Batch option can extract any and all information about an email system, so you can decide for yourself what the answer to "What version of TLS is this site using?" is.
We do have clients who, after understanding the question better, come back to using the CheckTLS (Confidence Factor℠) to decide the "TLS version". To allow only TLS 1.2 and above, we suggest requiring a Confidence Factor of 88 or above. While it’s not cast in stone (again see the other FAQ), the Confidence Factor falls into:
|TLS Version||Starting Score|
|no TLS (or even SSL)||0|
|unable to test||50 (exactly)|
These can go down a little bit if the cipher is weak or the name does not match. 88 is as low as TLSv1_2 can go, which is why we use it as the breakpoint for TLSv1_2.
These can go up based on things like cipher strength, MTA-STS, DANE. It’s hard to move up a whole level, almost impossible for TLSv1_1 to make it to TLSv1_2 (score 92) and impossible for TLSv1_2 to make it to TLSv1_3 (score 108).
We will always keep 50 as the untestable number and below 50 as no encryption. We will also try to keep 90 as the breakpoint for what we consider Yes/No. For example, if a site uses TLSv1_2 but has a bad cipher and the name does not match, is it still “good”? That shows the site either doesn’t know what they are doing or doesn’t care much about real security, and we think we need to show that.
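One way to apply these breakpoints to a delivered "csv" result file, as an added example that is not CheckTLS code: it treats exactly 50 as untestable, below 50 as no encryption, and 88 and above as TLS 1.2 or better, and it flags rows where the reported SSLVersion and the score fall in different bands. The verdict names and the functions `classify` and `triage` are hypothetical; the input is the sample output shown earlier on this page.

```python
import csv
import io

# Constructed input: the "csv" Delivery-Format sample shown on this page.
SAMPLE_CSV = '''"eMailAddress","ConfidenceQFactor","SSLVersion"
"CheckTLS.com","121","TLSv1_3"
"RefuseTLS.CheckTLS.com","0",
"NoDNS.CheckTLS.com","50",
"TLSv1.CheckTLS.com","71","TLSv1"
'''

UNTESTABLE = 50   # page: 50 is always the "unable to test" score
TLS12_FLOOR = 88  # page: 88 is as low as TLSv1_2 can go
MODERN = {"TLSv1_2", "TLSv1_3"}  # SSLVersion spellings as they appear in results


def classify(score, version):
    """Return (verdict, note) for one Target. Verdict names are hypothetical."""
    if score == UNTESTABLE:
        return "untestable", "no TLS verdict possible; retest before deciding"
    if score < UNTESTABLE:
        return "no-encryption", ""
    meets_floor = score >= TLS12_FLOOR
    verdict = "tls1.2+" if meets_floor else "legacy-tls"
    # Cross-check: the reported version should sit in the same band as the score.
    if version and (version in MODERN) != meets_floor:
        return verdict, f"score {score} and SSLVersion {version} disagree"
    return verdict, ""


def triage(csv_text):
    """Map each Target to (verdict, note, reported SSLVersion)."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        score = int(row["ConfidenceQFactor"])
        version = (row.get("SSLVersion") or "").strip()  # empty when no TLS
        results[row["eMailAddress"]] = classify(score, version) + (version,)
    return results


if __name__ == "__main__":
    for target, (verdict, note, version) in triage(SAMPLE_CSV).items():
        print(f"{target:26} {verdict:14} {version:8} {note}")
```

Keeping "untestable" separate from "no-encryption" matters when the verdict drives a mail policy: a score of exactly 50 says nothing about the Target's TLS support.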