
I am kind of new with SSL certificates and I would like to validate my understanding.

We are a startup and we have one particular domain name that we want to protect with an SSL certificate.

The domain is associated with a server, which has a web server installed on it and another server application written in Java with its own protocol; we would like to protect the two services with SSL.

We are developing an OS X app and an iOS client app. These use Foundation's CFStreamCreatePairWithSocketToHost(...) to connect to the Java server through a CFReadStream(...) and a CFWriteStream(...).

I would like to validate my understanding:

(1) The sole advantage of having an OV certificate instead of a DV certificate would be that the name of our organization would be listed in the certificate details.

(2) Only one single SSL certificate is sufficient to protect the web server and the custom Java server application; I would need to install it in Apache and provide it to the Java keystore file using the Oracle keytool utility.

(3) We are considering a Go Daddy EV or DV certificate, and it would be trusted by default in iOS since "Go Daddy Class 2 Certification Authority" and "Go Daddy Root Certificate Authority - G2" are listed in the "List of available trusted root certificates in iOS 11".

(4) Once it is installed on the server, there is nothing in particular to do in my OS X/iOS app except insert this before opening the streams (in Swift):

inputStream.setProperty(StreamSocketSecurityLevel.ssLv3, forKey: Stream.PropertyKey.socketSecurityLevelKey)
outputStream.setProperty(StreamSocketSecurityLevel.ssLv3, forKey: Stream.PropertyKey.socketSecurityLevelKey)

Thanks for your insights!

  • 1) pretty much + it's harder for someone to fake being you and issue a new certificate + more expensive, takes longer to set up 2) one single certificate, yes. unsure about how to "install" it. 3) yes 4) yes, but you can consider using certificate pinning as well. Commented Oct 6, 2017 at 19:19
  • EV certificates add no additional security controls. They are a marketing gimmick, and a way for CAs to restore profit levels to the 1990s. The checks performed for EV certificates are the same checks CAs were supposed to be doing the entire time before the price of a certificate was driven down and the CAs stopped performing the checks. Commented Oct 7, 2017 at 16:14
  • OV certificates are dangerous. They allow an organization to mint certificates for domains other than the ones under their administrative control. CAs sell them by signing an organization's intermediate certificate (which allows signing an end-entity certificate) to organizations for big money. The organizations, in turn, can spoof any domain they wish. Commented Oct 7, 2017 at 16:17

1 Answer

You should definitely not allow SSLv3. That protocol is highly insecure. TLSv1.2 is the absolute minimum version that you should allow, and assuming both your client OS version and the server support it, you should limit it to TLS v1.3 and above.


4 Comments

With TLS 1.3, is there any difference in the choice of an SSL certificate or the stream pair implementation?
If I understand correctly, an SSL certificate is also a certificate for TLS, it's just a name. All I need to do to enable TLS is to replace StreamSocketSecurityLevel.ssLv3 with StreamSocketSecurityLevel.tlSv1?
Largely the same, yes. There are different crypto algorithms supported by different standards (for keys, signing, hashing, etc.), and certain algorithms are forbidden in the new standards because they're too weak, but no CAs should still support those old algorithms anyway (though some CAs are no longer trusted because they tried).
And NSStreamSocketSecurityLevelNegotiatedSSL is generally recommended, because it will allow you to keep your client code the same even if Apple later adds new levels and deprecates old ones. (Old, untrusted SSL levels are never negotiated by iOS unless you explicitly enable them, so you're more likely to weaken security by specifying a specific level than to strengthen it.)
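As an added illustration of the client-side setup discussed in the question's point (4) and in the comments above (this is example code written for this page, not code from the question, the answer, or Apple's documentation): it opens the stream pair to the Java server with the negotiated security level instead of a hard-coded SSLv3, tells the TLS layer which host name the certificate must match, and treats a failed handshake as a hard error. The host name, port, and the `TLSStreamClient` class name are placeholders.

```swift
import Foundation

// Added example (not from the question or answer). Host and port are
// placeholders; the server stands for the custom Java service from the question.
final class TLSStreamClient: NSObject, StreamDelegate {
    private var inputStream: InputStream?
    private var outputStream: OutputStream?

    func connect(host: String, port: Int) {
        var input: InputStream?
        var output: OutputStream?
        Stream.getStreamsToHost(withName: host, port: port,
                                inputStream: &input, outputStream: &output)
        guard let inputStream = input, let outputStream = output else { return }

        // Let the OS pick the highest protocol version both sides support
        // instead of hard-coding a single (and here obsolete) level such as
        // .ssLv3. Apple's TLS stack does not offer retired versions unless asked.
        inputStream.setProperty(StreamSocketSecurityLevel.negotiatedSSL,
                                forKey: .socketSecurityLevelKey)
        outputStream.setProperty(StreamSocketSecurityLevel.negotiatedSSL,
                                 forKey: .socketSecurityLevelKey)

        // Name the host the server certificate must be issued for. With the
        // default chain validation left on, a self-signed or mismatched
        // certificate from the Java server fails the handshake.
        let sslSettings: [String: Any] = [kCFStreamSSLPeerName as String: host]
        let settingsKey = Stream.PropertyKey(rawValue: kCFStreamPropertySSLSettings as String)
        inputStream.setProperty(sslSettings, forKey: settingsKey)
        outputStream.setProperty(sslSettings, forKey: settingsKey)

        inputStream.delegate = self
        outputStream.delegate = self
        inputStream.schedule(in: .main, forMode: .default)
        outputStream.schedule(in: .main, forMode: .default)
        inputStream.open()
        outputStream.open()
        self.inputStream = inputStream
        self.outputStream = outputStream
    }

    func stream(_ aStream: Stream, handle eventCode: Stream.Event) {
        switch eventCode {
        case .openCompleted:
            // Reached only after the TLS handshake, including certificate
            // validation against the system trust store, has succeeded.
            print("TLS session established")
        case .errorOccurred:
            // A rejected certificate (untrusted root, wrong name, expired)
            // surfaces here; treat it as a hard failure, not a retry prompt.
            print("stream error: \(String(describing: aStream.streamError))")
            close()
        case .endEncountered:
            close()
        default:
            break
        }
    }

    func close() {
        inputStream?.close()
        outputStream?.close()
        inputStream = nil
        outputStream = nil
    }
}

// Usage (placeholder host name and port):
// let client = TLSStreamClient()
// client.connect(host: "java.example.invalid", port: 8443)
```

The only change relative to the snippet in the question is the security level: `.negotiatedSSL` lets the OS choose the protocol version, so a client built this way keeps working as Apple retires old versions, whereas `.ssLv3` pins the connection to a protocol that is no longer acceptable. The peer name is set explicitly so that connecting by IP address or through an alias still validates against the DNS name the certificate was issued for.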
