Quasselcore <0.10 usse a manual selection for the SSL protocol, and this defaulted to SSLv3.
In version 0.10, the selector was removed and auto negotiation was used.
However, a >=0.10 client is connected to a <0.10 core, you can't change that SSL protocol.
The first option is to upgrade the core to 0.10 or later.
You can also either use an old client (<0.10) to change the SSL protocol to TLSv1 for that connection (once you change it, you can go back to using whichever client version you want) or update the client to 0.12-rc1, which restores the SSL protocol selector for connections to old cores.
All recent versions of irssi seem to work. If DANE verification doesn't work, ensure it is enabled and compiled in. See also https://github.com/irssi/irssi/commit/d826896f74925f2e77536d69a3d1a4b86b0cec61
/connect -ssl -ssl_verify irc.darkfasel.net 6697
if the above command fails, you need to specify the cacert root certificate:
-ssl_cafile .irssi/ca_cacert.pem
/server add darkfasel irc.darkfasel.net/+6697 -ssl -autoconnect /set irc.server.darkfasel.ssl_verify on /connect darkfasel /save /j #lobby
Click here: ircs://irc.darkfasel.net
Click here for Hexchat.
Configure stunnel in the following way to connect unsupported clients to localhost:
[irc] client = yes accept = 127.0.0.1:6667 connect = irc.darkfasel.net:9999 CAfile = /etc/ssl/certs/cacert-root.pem verify = 2 checkHost = irc.darkfasel.net