> but I think this can go in before we get rid of
> devtls; cpu bypasses the handshake, so as long as
> we keep devtls it should keep working regardless of
> libsec.

getting rid of devtls o_O? i think you meant devssl.

also, while reviewing my diff more, i found 2 more flaws in it:

1. i shouldn't have scrapped the ssl2 handshake support. i learned that some old versions of java that have tls 1.0 still send the clienthello in the ssl2 format.

2. if the initial clienthello has 0x0300 as its record layer version, devtls will reject it with this diff. this is not good, clients may put the minimum version they support in the record layer version, for compatibility with old servers. fix this up.

3 more changes that are not related to the diff:

1. don't reject protocol versions that are higher than 0x03ff. this behavior is useless.

2. devtls shouldn't accept versions higher than 0x0303 in the fd and version commands.

3. in tlshand, use the minimum protocol version we support for the record layer version for compatibility until we manage to negotiate the version.
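The version handling rules discussed above, as an added example that is not devtls or libsec code: an SSLv2-format ClientHello is recognised, a record layer version of 0x0300 is accepted, a client_version above what we support is capped rather than rejected, and the fd/version ctl commands are limited to 0x0303. MINVERSION, MAXVERSION, the function names and the two sample hellos are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* assumed supported range, TLS 1.0 through TLS 1.2; devtls's real limits may differ */
#define MINVERSION 0x0301
#define MAXVERSION 0x0303

/* constructed sample hellos, not captured traffic */
static const uint8_t tlshello[] = {
	0x16, 0x03, 0x00, 0x00, 0x06,       /* handshake record, record layer version 0x0300 */
	0x01, 0x00, 0x00, 0x02, 0x03, 0x04  /* ClientHello, client_version 0x0304 */
};
static const uint8_t ssl2hello[] = {
	0x80, 0x06,                         /* SSLv2 record: 2-byte length with high bit set */
	0x01, 0x03, 0x01, 0x00, 0x00, 0x00  /* CLIENT-HELLO, version 0x0301 (rest truncated) */
};

/* is v acceptable for the fd and version ctl commands? */
int
versionok(int v)
{
	return v >= MINVERSION && v <= MAXVERSION;
}

/* Returns -1 to reject the hello, else the version to negotiate;
 * *ssl2 (if non-nil) tells whether it arrived in SSLv2 record format. */
int
negotiateversion(const uint8_t *p, size_t n, int *ssl2)
{
	int clientver, isssl2;
	if(n < 5)
		return -1;
	isssl2 = (p[0] & 0x80) != 0 && p[2] == 1;
	if(isssl2)
		clientver = p[3]<<8 | p[4];
	else{
		/* TLS record: type(1) version(2) length(2); handshake: type(1) length(3) client_version(2).
		 * Only a record layer major version below 3 is rejected, so 0x0300 gets through. */
		if(p[0] != 22 || p[1] < 3 || n < 11 || p[5] != 1)
			return -1;
		clientver = p[9]<<8 | p[10];
	}
	if(ssl2 != NULL)
		*ssl2 = isssl2;
	if(clientver < MINVERSION)
		return -1;
	/* versions above 0x03ff (or anything above what we support) are capped, not rejected */
	return clientver > MAXVERSION ? MAXVERSION : clientver;
}
```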