Index: generic/tls.c
==================================================================
--- generic/tls.c
+++ generic/tls.c
@@ -1270,16 +1270,10 @@
     int proto = 0, level = -1;
     int verify = 0, require = 0, request = 1, post_handshake = 0;
 
     dprintf("Called");
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2) && defined(NO_SSL3) && defined(NO_TLS1) && defined(NO_TLS1_1) && defined(NO_TLS1_2) && defined(NO_TLS1_3)
-    ssl2 = 1;
-#endif
-#if !defined(OPENSSL_NO_SSL3) && !defined(NO_SSL3) && defined(NO_SSL2) && defined(NO_TLS1) && defined(NO_TLS1_1) && defined(NO_TLS1_2) && defined(NO_TLS1_3)
-    ssl3 = 1;
-#endif
 #if defined(NO_TLS1) || defined(OPENSSL_NO_TLS1)
     tls1 = 0;
 #endif
 #if defined(NO_TLS1_1) || defined(OPENSSL_NO_TLS1_1)
     tls1_1 = 0;
@@ -1756,10 +1750,15 @@
     if (ENABLED(proto, TLS_PROTO_TLS1_3)) {
 	Tcl_AppendResult(interp, "TLS 1.3 protocol not supported", NULL);
 	return NULL;
     }
 #endif
+    if (proto == 0) {
+	/* Use full range */
+	SSL_CTX_set_min_proto_version(ctx, 0);
+	SSL_CTX_set_max_proto_version(ctx, 0);
+    }
 
     switch (proto) {
 #if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(NO_SSL2) && !defined(OPENSSL_NO_SSL2)
     case TLS_PROTO_SSL2:
 	method = isServer ? SSLv2_server_method() : SSLv2_client_method();