SSL Certificates with iOS application

Question

I am kind of new with SSL certificates and I would like to validate my understanding.

We are a startup and we have one particular domain name that we want to protect with a SSL certificate.

The domain is associated to a server, which has a webserver installed on it and another server application written in Java with its own protocol, we would like to protect the two services with SSL.

We are developing an OS X app and an iOS client app. Those are using Foundation's CFStreamCreatePairWithSocketToHost(...) to connect to the Java server through a CFReadStream(...) and a CFWriteStream(...).

I would like to validate my understanding:

(1) The sole advantage of having a OV certificate instead of a DV certificate would be that the name of our organization name would be listed in the certificate details.

(2) Only one Single SSL certificate is sufficient to protect the webserver and the custom Java server application, I would need to install it in Apache and provide to the Java Keystore file using the Oracle Keytool Utility.

(3) We are considering a Go Daddy EV or DV certificate and it would be trusted by default in iOS since "Go Daddy Class 2 Certification Authority" and "Go Daddy Root Certificate Authority - G2" are listed in the "List of available trusted root certificates in iOS 11".

(4) Once installed on the server, there is nothing particular to do in my OS X/iOS app but insert this before opening the streams (in Swift):

inputStream.setProperty(StreamSocketSecurityLevel.ssLv3, forKey: Stream.PropertyKey.socketSecurityLevelKey)
outputStream.setProperty(StreamSocketSecurityLevel.ssLv3, forKey: Stream.PropertyKey.socketSecurityLevelKey)

Thanks for your insights!

Answer 1

You should definitely not allow SSLv3. That protocol is highly insecure. TLSv1.2 is the absolute minimum version that you should allow, and assuming both your client OS version and the server support it, you should limit it to TLS v1.3 and above.