SSL 3.0 is implemented by devssl. It has been broken since the POODLE and BEAST attacks in 2014.
However: it's hard-coded in cpu(1), oexportfs(4), and import(4) via a call to pushssl(). I don't think it's possible to upgrade them and keep the protocol compatible. To use a working version of the TLS protocol, there's going to have to be a clean break. The SSL and TLS record formats seem incompatible, and there's no version negotiation in cpu.

9front already deprecated cpu/import, with rcpu and rimport as replacements, so this only affects 9legacy to 9front communication. It'd be nice to keep things interoperable without patching.

Is there a path forward that doesn't leave us dragging along a broken, obsolete SSL version forever?

------------------------------------------
9fans: 9fans
Permalink: https://9fans.topicbox.com/groups/9fans/T45587a22bb317243-Md4aba3c3b058795195e54f3d