PCI-DSS 4.0 vs SSL Labs: why our scores diverge
Run UnveilScan against a domain that earned an A+ on SSL Labs and you may see a B, a C, sometimes a D. Same server, same handshake, same cert. The yardstick is different.
This article explains exactly why and lets you decide which of the two scores you actually care about — because the answer depends on what question you're asking.
Two different questions
SSL Labs answers "is this server hardened against known TLS attacks?"
UnveilScan answers "would this server pass a strict compliance audit today?"
Those questions overlap heavily but not entirely. A server can be safe against every published TLS vulnerability and still fail PCI-DSS 4.0 because it offers TLS 1.0 to clients that ask for it. Conversely, a server can be PCI-compliant and still ship with weak ECDH curves that SSL Labs would penalise for cryptographic hygiene.
What SSL Labs weights heavily
- Cert chain validity, signature algorithm, key size
- Cipher suite cryptographic strength (penalises legacy 3DES, RC4, etc.)
- Vulnerability fingerprints — Heartbleed, POODLE, ROBOT, Logjam, BEAST
- Forward secrecy
- HSTS presence (small bonus)
Protocol versions enter the score, but lightly. A server with TLS 1.0/1.1/1.2/1.3 all enabled, with modern AEAD ciphers on 1.2/1.3, easily lands an A or A+. The grade is in some sense an aesthetic of "we're not actively bleeding".
What we weight heavily
We grade against the reference frameworks that auditors actually consult:
| Framework | What it forbids |
|---|---|
| PCI-DSS 4.0 § 4.2.1 | Strong cryptography only; TLS 1.0/1.1 not allowed for cardholder data channels |
| ANSSI Reco-TLS R1 | TLS 1.2 minimum, TLS 1.3 recommended, no exception |
| RFC 8996 (BCP) | "TLS 1.0 and TLS 1.1 MUST NOT be used" |
| NIST SP 800-52 Rev 2 | TLS 1.2 minimum; SHOULD use TLS 1.3 |
A server that still negotiates TLS 1.0 on its main listener fails all four. We mark it CRITICAL. SSL Labs marks it "minor" and proceeds to A+.
Concrete divergence: google.fr
We documented this case in detail. Two openssl probes show TLS 1.0 and 1.1 both active. Cert chain is perfect. Cipher suites on TLS 1.2/1.3 are best-in-class. SSL Labs rates A+. UnveilScan Basic rates D (63/100).
Both grades are correct. They just answer different questions.
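The probe-and-grade logic behind that verdict, written out as an added example (not UnveilScan's or SSL Labs' code): each handshake is pinned to exactly one protocol version via a Python `ssl` context, and the set of accepted versions is then mapped onto the rules from the framework table above. The severity labels, the `SECLEVEL=0` fallback for legacy versions, the default target name and the `probe_version`/`grade_strict`/`scan` helper names are assumptions made for this example.

```python
"""Protocol-version probe plus strict grading against PCI-DSS 4.0 4.2.1,
ANSSI Reco-TLS R1, RFC 8996 and NIST SP 800-52 Rev 2.
Added example; not UnveilScan's or SSL Labs' code. Severity labels and
the SECLEVEL fallback are assumptions."""
import socket
import ssl
import sys

# Version label -> ssl.TLSVersion value that each probe pins to (min == max).
PROBES = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# All four frameworks in the article's table reject TLS 1.0 and 1.1.
FORBIDDEN_BY = "PCI-DSS 4.0 4.2.1, ANSSI Reco-TLS R1, RFC 8996, NIST SP 800-52 Rev 2"


def probe_version(host, version, port=443, timeout=5.0):
    """Return True if the server completes a handshake pinned to exactly `version`.

    Chain verification is deliberately off: the question asked here is
    "is this protocol version offered?", not "is the certificate valid?".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level, which
        # would misreport a server that does offer them as "refused".
        # Assumption: the local OpenSSL still carries the legacy code paths.
        try:
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        except ssl.SSLError:
            pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def grade_strict(accepted):
    """Map {label: accepted?} onto the strict frameworks.

    Any TLS 1.0/1.1 acceptance is CRITICAL (the article's verdict for google.fr),
    as is having no TLS 1.2/1.3 listener at all. Missing TLS 1.3 is only a
    WARNING, since ANSSI and NIST recommend rather than require it.
    Returns (verdict, [(severity, message), ...]).
    """
    findings = []
    for legacy in ("TLSv1.0", "TLSv1.1"):
        if accepted.get(legacy):
            findings.append(("CRITICAL", f"{legacy} accepted: forbidden by {FORBIDDEN_BY}"))
    if not (accepted.get("TLSv1.2") or accepted.get("TLSv1.3")):
        findings.append(("CRITICAL", "neither TLS 1.2 nor TLS 1.3 accepted: below every framework's minimum"))
    if not accepted.get("TLSv1.3"):
        findings.append(("WARNING", "TLS 1.3 not accepted: recommended by ANSSI R1 and NIST SP 800-52 Rev 2"))
    rank = {"CRITICAL": 2, "WARNING": 1}
    verdict = max((sev for sev, _ in findings), key=rank.get, default="PASS")
    return verdict, findings


def scan(host, port=443):
    """Probe every version in PROBES and grade the result."""
    accepted = {label: probe_version(host, ver, port) for label, ver in PROBES.items()}
    verdict, findings = grade_strict(accepted)
    return accepted, verdict, findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder target
    accepted, verdict, findings = scan(target)
    for label, ok in accepted.items():
        print(f"{label}: {'accepted' if ok else 'refused'}")
    print(f"strict verdict: {verdict}")
    for severity, msg in findings:
        print(f"  [{severity}] {msg}")
```

Run it as `python3 probe.py host.example` (hypothetical file and host names). A server that answers all four probes, as described for google.fr above, comes back CRITICAL no matter how good its certificate chain or its TLS 1.2/1.3 cipher suites are, which is the whole point of the divergence: this grader never looks at ciphers, only at which versions the listener will still negotiate.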
Where SSL Labs is stricter than us
It's not one-way. SSL Labs catches things we currently don't, by design:
- Per-cipher cryptographic ranking. SSL Labs penalises moderately old ECDH curves and any RSA key shorter than 2048 bits in the chain. We always flag RSA < 2048 in the leaf certificate, but we don't currently rank ECDHE curves.
- Vulnerability fingerprints. SSL Labs runs Heartbleed/POODLE/ROBOT probes which are beautifully precise but slow (~2 min). We run them only on opt-in (the `include_ssllabs` flag).
- HSTS preload registry check. SSL Labs verifies the actual preload list. So do we, but only in Extended.
The `include_ssllabs: true` opt-in on UnveilScan delegates to the Qualys SSL Labs API and embeds the score alongside ours, so you get both views in one report.
Other scanners worth knowing
- Mozilla Observatory grades web headers (HSTS, CSP, X-Frame-Options, etc.) — closer in philosophy to us but doesn't probe TLS.
- Hardenize covers a similar surface, with strong focus on email auth (SPF/DMARC/MTA-STS).
- testssl.sh is the gold standard for offline TLS deep-dives. Use it when you want every cipher exhaustively probed; it is a command-line tool, not a SaaS.
Picking your reference
There is no "right" scanner. Pick whichever framework matches the regulator you actually answer to. If that regulator is PCI-DSS 4.0, ANSSI, NIST or any GDPR cybersecurity guideline, we're closer to the truth. If it's "I run a personal blog and want a green badge for my README", SSL Labs is the simpler tool.
Either way, run the scan and read the findings. The number on the front is just the index — the finding list is where the work is.
Curious how strict-mode scoring grades your domain?
Free Basic scan, results in 60 seconds, no signup needed.