In particular, if you aren’t concerned about supporting non-SSL traffic, then #3 is good enough. If you want to support non-SSL traffic or if you don’t want to install server certificates on the clients, you must use #2.
Is there any valid use case these days that absolutely requires no server certs or plaintext communications? If you own / control the host server, what would stop you from doing this? If you don’t have admin control, what 3rd party host are you using that doesn’t have SSL?!
And pedantically, isn’t everything TLS these days, not SSL? Does anyone care? Should do irrelevant factoids from “the careless pedant” on Twitter
