diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index 1af2703c81d..8d5c8b76607 100644
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -1005,8 +1005,6 @@ ssl_init(void)
 static int
 do_ssl_init(void)
 {
-    SSL_METHOD *method;
-
     if (!RAND_status()) {
         /* We occasionally see OpenSSL fail to seed its random number generator
          * in heavily loaded hypervisors. I suspect the following scenario:
@@ -1037,19 +1035,14 @@ do_ssl_init(void)
         RAND_seed(seed, sizeof seed);
     }
 
-    /* OpenSSL has a bunch of "connection methods": SSLv2_method(),
-     * SSLv3_method(), TLSv1_method(), SSLv23_method(), ... Most of these
-     * support exactly one version of SSL/TLS, e.g. TLSv1_method() supports
-     * TLSv1 only, not any earlier *or later* version. The only exception is
-     * SSLv23_method(), which in fact supports *any* version of SSL and TLS.
-     * We don't want SSLv2 or SSLv3 support, so we turn it off below with
-     * SSL_CTX_set_options().
+    /* Using version-flexible "connection method". Allowed versions will
+     * be restricted below.
      *
-     * The cast is needed to avoid a warning with newer versions of OpenSSL in
-     * which SSLv23_method() returns a "const" pointer. */
-    method = CONST_CAST(SSL_METHOD *, SSLv23_method());
+     * The context can be used for both client and server connections, so
+     * not using specific TLS_server_method() or TLS_client_method() here. */
+    const SSL_METHOD *method = TLS_method();
     if (method == NULL) {
-        VLOG_ERR("TLSv1_method: %s", ERR_error_string(ERR_get_error(), NULL));
+        VLOG_ERR("TLS_method: %s", ERR_error_string(ERR_get_error(), NULL));
         return ENOPROTOOPT;
     }
diff --git a/python/ovs/stream.py b/python/ovs/stream.py
index 5578b7a6b5d..ac582c3c526 100644
--- a/python/ovs/stream.py
+++ b/python/ovs/stream.py
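Review bot: The new comment in the second hunk says allowed versions "will be restricted below", but the restriction itself is outside the hunk, and nothing on the new side records that `TLS_method()` only exists in OpenSSL 1.1.0 and later, so a reader cannot tell from this function what the build now requires. I would extend the comment, e.g. `/* TLS_method() requires OpenSSL 1.1.0 or later; the minimum accepted protocol version is set on the context below. */`, and make sure the configure-time OpenSSL check (not visible here) enforces that floor rather than leaving it to a link error. If the version restriction below still uses `SSL_OP_NO_*` flags, consider `SSL_CTX_set_min_proto_version()`, which is available from the same OpenSSL release this change now depends on and expresses a floor instead of an enumerated deny-list that silently admits future versions. The body of do_ssl_init continues outside the hunk.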
@@ -790,9 +790,10 @@ def _open(suffix, dscp):
         if sock is None:
             return family, sock
 
-        # Create an SSL context
-        ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+        # Create an SSL context.
+        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
         ctx.verify_mode = ssl.CERT_REQUIRED
+        ctx.check_hostname = False
         ctx.options |= ssl.OP_NO_SSLv2
         ctx.options |= ssl.OP_NO_SSLv3
         ctx.options |= ssl.OP_NO_TLSv1
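Review bot: `ctx.check_hostname = False` is added without a comment, yet it is the one line in this hunk that weakens the defaults `PROTOCOL_TLS_CLIENT` brings in (hostname matching on by default), so it reads like an accident rather than a decision. Presumably the intent is to keep the pre-existing behaviour, where the peer is authenticated purely by a certificate chaining to the configured CA and the certificate is not matched against the address being dialled; if so, say it in place, e.g. `# Peers are authenticated by the CA-signed certificate alone, as in the C implementation; the certificate is not matched against the hostname.`. Note that `verify_mode` must be set before `check_hostname` is cleared, which the new order does satisfy. The `OP_NO_SSLv2`/`OP_NO_SSLv3` lines that remain are redundant with `PROTOCOL_TLS_CLIENT`, which already refuses SSLv2 and SSLv3; if the supported Python floor is 3.7 or newer, `ctx.minimum_version = ssl.TLSVersion.TLSv1_2` would express the floor more robustly than the chain of deny flags. The enclosing `_open` continues outside the hunk.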