TLS Verifier Help



Issue a URL-encoded POST request to

Common ports include: 443 (HTTPS), 990 (FTPS), 465 (SMTP), 993 (IMAP), 995 (POP3)

This application will not work with protocols or services that do not start a TLS session immediately after connecting. This includes the common protocols below:
21 (FTP with AUTH TLS), 22 (SSH), 25 (SMTP with STARTTLS)


The answer is signed with an RSA key. You can use the signature to verify that the answer itself has not been modified. To protect against replay attacks, you can submit a value of your choice as a "challenge". If you do not supply a challenge, the server will use an increasing timestamp. The server includes this value in the signed message.

To verify the signature, take the "Challenge" value from the response and append the "Result" value to it. Verify the combined string using the "Signature" value. If the "Result" value gets changed in transport, you can supply serialize=1 (or any other value) to have the "Result" property converted to Base64. In that case you need to decode the property before attempting to verify the signature.

The "Pubkey" value should match the one on this page. If you use the API in your application, you should hardcode the key. You can find it at the bottom of the main page.

The API tries for up to two seconds to connect to the supplied destination. If you supply a DNS name that resolves to multiple addresses, each address is tried until one succeeds or all attempts have been made. The API stops as soon as a connection can be established. It does not verify whether all addresses supply the same certificate chain.

Properly verifying

Below are the steps necessary to properly verify the signature. Abort as soon as a condition is not satisfied.

  1. Check the HTTP status code of the API answer. It should be 200. Another common value is 400, which happens if you don't use HTTP POST or supply invalid values.
  2. Verify that the "Challenge" is the value you submitted to the API.
  3. Verify that the "SignatureAlgorithm" value is present and supported by your RSA library.
  4. Extract the signature and Base64-decode it.
  5. Convert the Result to a string. If you requested a serialized answer, do this by decoding the Base64 value; otherwise serialize the value as JSON without formatting and ensure you don't change the order of the values.
  6. Concatenate Challenge+Result.
  7. Verify the signature against our key. The key can be found on the main page, but we recommend hardcoding it. If you are affected by a certificate swap, the key shown on the page can be swapped too.
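
The seven steps above as an added Python example (not code from this service), using only the standard library. It assumes RSASSA-PKCS1-v1_5 with SHA-256 and a "SignatureAlgorithm" value of "SHA256withRSA", neither of which this page specifies; the key is a constructed demo key standing in for the hardcoded "Pubkey", and demo_answer is a constructed stand-in for the API.

```python
import base64, hashlib, hmac, json

# Constructed demo key (two Mersenne primes): NOT the service's key and not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
K = (N.bit_length() + 7) // 8              # signature length in bytes
ASSUMED_ALGORITHM = "SHA256withRSA"        # assumption: the page lists no values
# DER header of a SHA-256 DigestInfo (RFC 8017, section 9.2)
DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def encode(message: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), padded to K bytes."""
    t = DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def rsa_verify(message: bytes, signature: bytes) -> bool:
    """Re-encode the expected block and compare, instead of parsing the padding."""
    s = int.from_bytes(signature, "big")
    in_range = len(signature) == K and s < N
    return in_range and hmac.compare_digest(pow(s, E, N).to_bytes(K, "big"), encode(message))

def verify_answer(status, body, challenge, serialized=False):
    """Return the signed Result string, or None as soon as a step fails."""
    if status != 200:                                          # step 1
        return None
    try:
        answer = json.loads(body)
        if answer["Challenge"] != challenge:                   # step 2
            return None
        if answer["SignatureAlgorithm"] != ASSUMED_ALGORITHM:  # step 3
            return None
        signature = base64.b64decode(answer["Signature"], validate=True)  # step 4
        if serialized:                                         # step 5
            result = base64.b64decode(answer["Result"], validate=True).decode()
        else:  # compact JSON, key order as received (assumed server format)
            result = json.dumps(answer["Result"], separators=(",", ":"))
        signed = (challenge + result).encode()                 # step 6
    except (KeyError, TypeError, ValueError):
        return None
    return result if rsa_verify(signed, signature) else None   # step 7

def demo_answer(challenge, result):
    """Constructed stand-in for the API: signs Challenge+Result with the demo key."""
    text = json.dumps(result, separators=(",", ":"))
    d = pow(E, -1, (P - 1) * (Q - 1))
    sig = pow(int.from_bytes(encode((challenge + text).encode()), "big"), d, N)
    signature = base64.b64encode(sig.to_bytes(K, "big")).decode()
    return json.dumps({"Challenge": challenge, "Result": result,
                       "SignatureAlgorithm": ASSUMED_ALGORITHM, "Signature": signature})
```

With serialize=1 the signed bytes come straight from the Base64 value, so the check does not depend on reproducing the server's JSON serializer byte for byte.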


The format of the JSON object is as outlined below. This is the regular format. If you choose to serialize the answer, the Answer property will contain its data Base64-encoded.