Remove SSL 3.0 support unconditionally
SSL 3.0 is quite different from its later incarnations (TLS 1.0+), and requires a lot of protocol-specific code. That is a considerable additional attack vector that we could avoid on modern systems. For that reason we should completely remove that codebase.
The information we have about usage of SSL 3.0:
- On the public internet, SSL 3.0 seems to be completely eliminated. According to Wikimedia's site statistics, there are no SSL 3.0 connections to their websites.
- On the private internet, such as legacy and embedded systems, we can only speculate. SSL 3.0 is already disabled by default on systems like Fedora 23, and Debian already disables the SSL 3.0 code in OpenSSL.
Most likely we will be able to drop that code base on the next major update.