diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 64ff3ce3d6a..d65704f6110 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -106,12 +106,11 @@ be_tls_init(bool isServerStart)
 * settings. If we fail partway through, we can avoid memory leakage by
 * freeing this context; we don't install it as active until the end.
 *
- * We use SSLv23_method() because it can negotiate use of the highest
+ * We use TLS_method() because it can negotiate use of the highest
 * mutually supported protocol version, while alternatives like
- * TLSv1_2_method() permit only one specific version. Note that we don't
- * actually allow SSL v2 or v3, only TLS protocols (see below).
+ * TLSv1_2_method() permit only one specific version.
 */
- context = SSL_CTX_new(SSLv23_method());
+ context = SSL_CTX_new(TLS_method());
 if (!context)
 {
 ereport(isServerStart ? FATAL : LOG,
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 78f9e84eb35..89669173412 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -767,7 +767,7 @@ initialize_SSL(PGconn *conn)
 * complicated if connections used different certificates. So now we
 * create a separate context for each connection, and accept the overhead.
 */
- SSL_context = SSL_CTX_new(SSLv23_method());
+ SSL_context = SSL_CTX_new(TLS_method());
 if (!SSL_context)
 {
 char *err = SSLerrmessage(ERR_get_error());
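Review bot: The rewritten comment in be_tls_init() drops the only sentence saying that SSL v2/v3 are refused, yet TLS_method() is itself version-flexible: per the OpenSSL documentation it negotiates among every protocol version the library build enables, which can include SSLv3. The protocol floor therefore still depends on code later in be_tls_init(), which lies outside this hunk, and a reader of the new comment can no longer tell that. I would keep a one-line pointer such as `* TLS_method() sets no minimum version by itself; the allowed range is restricted below.` The same applies to the initialize_SSL() hunk in fe-secure-openssl.c, where nothing near the call says where the client's minimum version is set.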
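Review bot: The call `SSL_CTX_new(TLS_method())` in initialize_SSL() has no fallback for libraries that lack TLS_method(), which OpenSSL provides only from 1.1.0 onward, where SSLv23_method() remains as a deprecated alias for it. If the client library is still expected to build against older OpenSSL releases, this line would stop compiling, and neither hunk shows a guard. Please confirm that the configure-time minimum OpenSSL version already excludes those releases, and state that requirement in the commit message. The body of initialize_SSL() continues outside the hunk, so any later version restriction cannot be checked from here.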