this should be considered a duplicate of Bug#871765. the patch is rather incomplete in the compat wrapper part. but my own patch does not touch it at all, and i think i'll leave it at that (introducing new features to the compat wrapper seems anti-thetical).
also, don't mix in the ssl2/3 removal into the same patch. i'll remove sslv2 separately in master (to be 1.3 soon). i know that debian disables sslv3 in openssl, but it seems odd to prune it from mbsync at this point.