T4
Scoring Strategy
As with IETF and NIST standards, TrustFour follows the convention used in other normative documents for the verbs “shall”, “shall not”, “should”, “should not” and “may”, which are a subset of the IETF Request for Comments (RFC) 2119 key words.
Server & Domain Rating
Rating | Score | Red Amber Green (RAG) Status |
A+ | 99 – 100 | Green |
A | 95 – 98 | Green |
A- | 90 – 94 | Green |
B | 80 – 89 | Amber |
C | 70 – 79 | Amber |
D | 60 – 69 | Amber |
E | 50 – 59 | Amber |
F | 0 – 49 | Red |
If critical vulnerabilities are detected, the score is downgraded to F.
Interpretation of the verbs is as below:
Verb | Implies | Score |
shall | must do | compliance → 1, non-compliance → 0 |
shall not | must not do | compliance → 1, non-compliance → 0 |
should | recommended | compliance → 1, non-compliance → 0 |
should not | not recommended | compliance → 1, non-compliance → 0 |
may | optional | compliance → no scoring, non-compliance → 0. If implemented and non-compliant, scored as 0. If not implemented, not included in the overall score. |
There are two categories: Server Certificate and TLS Handshake. The Server Certificate is common for all TLS Versions while TLS Handshake parameters will differ from one TLS Version to another.
Server Certificate Compliance
# | Server Certificate Param | Mandatory | Verb |
1 | Public Cert Auth Info | yes | Should |
2 | Public Cert Auth Key Identifier | yes | Should |
3 | Public Cert Expiry Date | yes | Should |
4 | Public Cert Extended Key Usage | yes | Should |
5 | Public Cert Issuer DN | yes | Should |
6 | Public Cert Issuer Signature Algorithm | yes | Shall |
7 | Public Cert Key Length | yes | Shall |
8 | Public Cert Key Usage | yes | Should |
9 | Public Cert SAN Entries | yes | Should |
10 | Public Cert Signature Algorithm | yes | Should |
11 | Public Cert Sub Key Identifier | yes | Should |
12 | Public Cert Subject DN | yes | Should |
13 | Public Cert Subject DN CN | yes | Shall |
14 | Public Cert Type | yes | Shall |
15 | Public Cert Version (X509 Version) | yes | Shall |
16 | ECDSA Public Key Curve | yes (only for ECDSA cert type) | Should |
TLS 1.3 Handshake Compliance
# | TLS Handshake Param | Mandatory | Verb |
1 | Supported Cipher Suites | yes | Shall |
2 | Server Name Indication Extension Support | yes | Shall |
3 | Signature Algorithms Extension Support | yes | Shall |
4 | Certificate Status Request Extension Support | yes | Shall |
5 | Supported Groups Extension Support | yes | Shall |
6 | Key Share Extension Support | yes | Shall |
7 | Supported Versions Extension Support | yes | Shall |
8 | Signed Certificate Timestamps Extension Support | yes | Should |
9 | Early Data Indication Extension Support | yes | Should Not |
10 | Cookie Extension Support | no | May (Scored if implemented) |
TLS 1.2
# | TLS Handshake Param | Mandatory | Verb |
1 | Renegotiation Indication Extension Support | yes | Shall |
2 | Supported Cipher Suites | yes | Shall |
3 | Server Name Indication Extension Support | yes | Shall |
4 | Extended Master Secret Extension Support | yes | Shall |
5 | Signature Algorithms Extension Support | yes | Shall |
6 | Certificate Status Request Extension Support | yes | Shall |
7 | Fallback Signaling Cipher Suite Value Support | yes | Shall |
8 | Supported Groups Extension Support | yes | Shall |
9 | Supported Point Formats Extension Support | yes | Shall |
10 | Encrypt-then-MAC Extension Support | yes | Shall |
11 | Signed Certificate Timestamps Extension Support | yes | Should |
TLS 1.1 & TLS 1.0
# | TLS Handshake Param | Mandatory | Verb |
1 | Renegotiation Indication Extension Support | yes | Shall |
2 | Server Name Indication Extension Support | yes | Shall |
3 | Extended Master Secret Extension Support | yes | Shall |
4 | Certificate Status Request Extension Support | yes | Shall |
5 | Fallback Signaling Cipher Suite Value Support | yes | Shall |
6 | Supported Groups Extension Support | yes | Shall |
7 | Supported Point Formats Extension Support | yes | Shall |
8 | Encrypt-then-MAC Extension Support | yes | Shall |
9 | Signed Certificate Timestamps Extension Support | yes | Should |
10 | Supported Cipher Suites | yes | Shall |
Calculation of Key Strength
Key exchange aspect | Score |
Weak key (Debian OpenSSL flaw) | 0% |
Anonymous key exchange (no authentication) | 0% |
Key or DH parameter strength < 512 bits | 20% |
Exportable key exchange (limited to 512 bits) | 40% |
Key or DH parameter strength < 1024 bits (e.g., 512) | 40% |
Key or DH parameter strength < 2048 bits (e.g., 1024) | 80% |
Key or DH parameter strength < 4096 bits (e.g., 2048) | 90% |
Key or DH parameter strength >= 4096 bits (e.g., 4096) | 100% |
Calculation of Cipher Strength
Cipher strength | Score |
0 bits (no encryption) | 0% |
< 128 bits (e.g., 40, 56) | 20% |
< 256 bits (e.g., 128, 168) | 80% |
>= 256 bits (e.g., 256) | 100% |
Scoring Notes
- If the server supports TLS 1.1, reduce the server's TLS Handshake score by 1 point.
- If the server supports TLS 1.0, reduce the server's TLS Handshake score by 1 point.
- If a cipher suite of the form TLS_AKE_WITH_* is encountered (e.g. TLS_AKE_WITH_AES_128_GCM_SHA256), analyze it as if it were TLS_AES_128_GCM_SHA256. Some implementations define these cipher suites with a non-standard naming convention.
Scoring Example
This example is a domain that has only one server supporting TLS 1.3 and TLS 1.2. The score is calculated for each TLS version and then averaged for an overall score.
TLS 1.3
Category | Score | Total Score | Score % |
TLS Handshake | 7 | 9 | 77.78 % |
Certificate | 13 | 15 | 86.67 % |
Cipher Strength | 90 % | | |
Key Strength | 90 % | | |
TLS 1.3 Score: average of all 4 scores = (77.78 + 86.67 + 90 + 90)/4 = 86.11 %
TLS 1.2
Category | Score | Total Score | Score % |
TLS Handshake | 9 | 11 | 81.81 % |
Certificate | 13 | 15 | 86.67 % |
Cipher Strength | 90 % | | |
Key Strength | 90 % | | |
TLS 1.2 Score: average of all 4 scores = (81.81 + 86.67 + 90 + 90)/4 = 87.12 %
For the overall domain score, we combine scores of all versions of TLS found. In this case only TLS 1.3 and TLS 1.2 were found.
Overall Domain Score
Category | Score |
TLS Handshake | 16/21 (76.19 %) |
Certificate | 26/30 (86.67 %) |
Cipher Strength | 90 % |
Key Strength | 90 % |
Overall score = average of the 4 sub-scores = (76.19 + 86.67 + 90 + 90)/4 = 85.71 %, Rating B