⚠️ Caution: This is an early demo of our test updates for NCSC's 2025 TLS guidelines, to allow you to test against the new guidelines.

Some explanation text is still missing, out of date, or in rough draft state. Test evaluations may still change.
This URL is an active development environment and has limited availability - it may be down for hours or days.

Tests from this instance originate from different IPs than those used in production. If you use allowlisting on our production IPs, results may vary, particularly for email TLS. To include this instance, allowlist 62.204.66.0/26 and 2a00:d00:ff:162::/64.

Fully updated TLS test in new version of Internet.nl

21 April 2026
As of today you can test on Internet.nl whether the secure connection of your website or email complies with the latest TLS guidelines from NCSC-NL. This also means that websites and mail servers that previously passed the test may now have points for improvement.

What is TLS?

Why is securely configured TLS important?

Latest TLS guidelines from NCSC

Other improvements in this release

Roadmap for the next release

About Internet.nl

The test tool Internet.nl is an initiative of the Platform Internetstandaarden (Internet Standards Platform), a partnership of parties from the Internet community and the Dutch government. The platform's goal is to jointly increase the use of modern internet standards, making the internet more accessible, secure and reliable for everyone. The source code of Internet.nl is available online under an open source licence.


Release notes 1.11

TLS updates for NCSC 2025 guidelines

All tests were updated to match the 2025-05 version of the NCSC TLS guidelines. Most significant changes:

  • The lists of good/sufficient/phase out/insufficient TLS versions, TLS authentication, curves, hashes, key exchange algorithms, FFDHE groups, RSA key lengths, and bulk encryption algorithms were updated to match the new guidelines.
  • A test for Extended Master Secret (RFC 7627) was added.
  • Client-initiated renegotiation is now acceptable, if limited to fewer than 10 renegotiations.
  • All checks on certificates apply to all certificates sent by the server, except root certificates (according to our trust store). In previous versions, the certificate selection was different per test.

Other TLS updates

  • Certificates that do not have OCSP enabled, which means stapling is not possible, are now detected as such. Several issues with OCSP stapling reliability were also resolved.
  • Issues were fixed where the cipher order test failed to detect some bad scenarios, including some where servers preferred RSA over ECDHE, or CBC over POLY1305.
  • CCM_8 ciphers are now detected when enabled on a server.
  • OLD ciphers are no longer detected.
  • The cipher order test no longer separates between "the server cipher order preference is wrong" and "the server has no preference".

Significant internal changes

  • Upgraded to Django 5, Python 3.13, and Debian Trixie base image.
  • Switched TLS implementation to sslyze/nassl based reimplementation.
  • Switched to pyproject/uv.lock for project dependencies, replacing requirements files.
  • Added post-quantum hybrid ECDHE-MLKEM for TLS 1.3 in our web server.
  • Outgoing traffic now uses the configured public IPv4/IPv6 addresses.
  • Routinator can now be configured with an allowlist for shared instances.

Bug fixes

API changes

This release has API version 2.7.0.

The changes noted above are reflected in the API as well, e.g. which ciphers are considered bad, as listed in the API output, along with score impacts.

Additionally, the API structure changes are:

  • OCSP stapling has a new status not_in_cert (not_tested), for when a certificate does not have OCSP enabled, therefore stapling is neither required nor possible.
  • The cipher order status no longer returns not_prescribed or not_seclevel for new tests. The insufficient status is now bad (failed) for preferring phase out over good and/or sufficient, regardless of the reason (server not enforcing any preference or server enforcing wrong preference).
  • cert_signature_phase_out was added to the TLS details, listing certificate signature algorithms that are at phase-out level (warning). Analogous to the existing cert_signature_bad.
  • extended_master_secret was added to the TLS details, with values: supported (good), not_supported (failed), na_no_tls_1_2 (good), unknown (not_tested).
  • client_reneg in the TLS details was changed from a boolean to a string enum with values: not_allowed (good), allowed_with_low_limit (info), allowed_with_too_high_limit (failed).
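As an added example (not Internet.nl's own code), the following evaluator applies the 2.7.0 status mappings above to one TLS details record, including the boolean-to-enum change for client_reneg. The field names ocsp_stapling and cipher_order, and the sample record, are assumptions; the status values and verdicts are taken from the release notes.

```python
from typing import Any, Dict, List, Tuple

# Verdict per status value, as listed in the API 2.7.0 changes.
EMS_VERDICT = {"supported": "good", "not_supported": "failed",
               "na_no_tls_1_2": "good", "unknown": "not_tested"}
RENEG_VERDICT = {"not_allowed": "good", "allowed_with_low_limit": "info",
                 "allowed_with_too_high_limit": "failed"}
CIPHER_ORDER_VERDICT = {"good": "good", "bad": "failed"}  # "bad" now also covers "no preference"
SEVERITY = {"not_tested": 0, "good": 1, "info": 2, "warning": 3, "failed": 4}


def client_reneg_verdict(value: Any) -> str:
    """Map client_reneg to a verdict, also accepting the pre-2.7.0 boolean form."""
    if isinstance(value, bool):
        # Legacy output carried no renegotiation count, so "allowed" cannot be placed
        # below or above the limit of 10; treat it conservatively as failed (assumption).
        return "failed" if value else "good"
    if value not in RENEG_VERDICT:
        raise ValueError(f"unknown client_reneg value: {value!r}")
    return RENEG_VERDICT[value]


def evaluate_tls_details(details: Dict[str, Any]) -> List[Tuple[str, str, str]]:
    """Return (check, value, verdict) triples for one TLS details record."""
    findings = []
    ems = details.get("extended_master_secret", "unknown")
    findings.append(("extended_master_secret", ems, EMS_VERDICT.get(ems, "not_tested")))
    reneg = details.get("client_reneg", "not_allowed")
    findings.append(("client_reneg", str(reneg), client_reneg_verdict(reneg)))
    # Certificate signature algorithms: bad ones fail, phase-out ones only warn.
    for alg in details.get("cert_signature_bad", []):
        findings.append(("cert_signature_bad", alg, "failed"))
    for alg in details.get("cert_signature_phase_out", []):
        findings.append(("cert_signature_phase_out", alg, "warning"))
    # Assumed field names below: "ocsp_stapling" and "cipher_order".
    stapling = details.get("ocsp_stapling")
    if stapling == "not_in_cert":  # no OCSP in the certificate: stapling neither required nor possible
        findings.append(("ocsp_stapling", stapling, "not_tested"))
    order = details.get("cipher_order")
    if order is not None:
        findings.append(("cipher_order", order, CIPHER_ORDER_VERDICT.get(order, "not_tested")))
    return findings


def overall_verdict(findings: List[Tuple[str, str, str]]) -> str:
    """Worst verdict across findings; not_tested checks never lower the result."""
    return max((f[2] for f in findings), key=SEVERITY.__getitem__, default="not_tested")


# Constructed sample record, not real Internet.nl output.
SAMPLE = {"extended_master_secret": "na_no_tls_1_2", "client_reneg": "allowed_with_low_limit",
          "cert_signature_bad": [], "cert_signature_phase_out": ["example_phase_out_algorithm"],
          "ocsp_stapling": "not_in_cert", "cipher_order": "good"}
```

Running evaluate_tls_details(SAMPLE) yields one warning (the phase-out signature) and one info (renegotiation within the limit), so overall_verdict reports "warning".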