New TLS guidelines landed in

December 9, 2019
As of today you can use to test if your website and mail are compliant with the latest 'IT Security Guidelines for TLS' from NCSC-NL. This also means that TLS 1.3 is now supported in the website and mail test.

TLS in

The test tool checks TLS configurations for websites under the test category 'HTTPS' and for mail servers under the test category 'STARTTLS and DANE'. The latest 'IT guidelines for TLS' from NCSC-NL are used as a baseline. If a 'good' or 'sufficient' setting is found, then will show a green check ('passed'). In case of a 'phase out' setting, like TLS 1.0 and 1.1, you will see an orange exclamation mark ('warning'), and an 'insufficient' configuration gets a red cross ('fail').

ICT guidelines for TLS

In April 2019 NCSC-NL published the 'IT Security Guidelines for Transport Layer Security (TLS) v2.0'. The advised settings are future proof; as expected TLS connections which are secured according to the new guidelines will not require any modifications in the near future. At the same time the guidelines also ensure that systems remain interoperable and prevent TLS settings to be incompatible.

'Phase out' TLS settings

'Phase out' settings are known to be fragile and are at risk of becoming insufficiently secure. Take the following into consideration when making a decision regarding these 'phase out' settings.

Browser makers have announced that they will stop supporting TLS 1.1 and 1.0 by Q1 2020. This will impact the reachability of websites that do not offer support for TLS 1.2 and/or 1.3.

Quite some mail servers only support older TLS versions. If the sending and receiving mail server both do not support the same TLS version, they will usually fall back to unencrypted mail transport. Because of that it could be advisable to keep supporting TLS versions with a 'phase out' status for a while. Make an informed decision based on log data on when to disable these 'phase out' TLS versions.


The test tool is an initiative of the Dutch Internet Standards Platform which is a collaboration of partners from the internet community and the Dutch government. The aim of the platform is to jointly increase the use of modern Internet standards to make the Internet more accessible, safer and more reliable for everyone. ECP provides for the administrative home of the platform. Open Netlabs / NLnet Labs is responsible for the technical realisation of

Release notes

  • Various UI/webdesign fixes/improvements
  • New:
    • Updated TLS tests to conform to the new v2 NCSC guidelines
    • TLS1.3 is supported in the TLS tests
    • Improved Hall of Fame which adds mail tests and champions
    • Widget for starting the website and email test from other websites
  • Bugfixes:
    • Connection test: DNSSEC no longer defaults to secure when the bogus url is not visited and none of the others tests could be performed. It falls back to not tested instead