--- lib/IO/Socket/SSL.pm

+++ lib/IO/Socket/SSL.pm

@@ -116,7 +116,7 @@ my $algo2digest = do {

 # global defaults

 my %DEFAULT_SSL_ARGS = (

     SSL_check_crl => 0,

-    SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken

+    SSL_version => '',

     SSL_verify_callback => undef,

     SSL_verifycn_scheme => undef,  # fallback cn verification

     SSL_verifycn_publicsuffix => undef,  # fallback default list verification

@@ -2279,7 +2279,7 @@ sub new {

     my $ssl_op = $DEFAULT_SSL_OP;

-    my $ver;

+    my $ver = '';

     for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {

 	m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[12])?))$}i

 	or croak("invalid SSL_version specified");

--- lib/IO/Socket/SSL.pod

+++ lib/IO/Socket/SSL.pod

@@ -993,11 +993,12 @@ protocol to the specified version.

 All values are case-insensitive.  Instead of 'TLSv1_1' and 'TLSv1_2' one can

 also use 'TLSv11' and 'TLSv12'.  Support for 'TLSv1_1' and 'TLSv1_2' requires

 recent versions of Net::SSLeay and openssl.

+The default SSL_version is defined by the underlying cryptographic library.

 Independent from the handshake format you can limit to set of accepted SSL

 versions by adding !version separated by ':'.

-The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the

+For example, 'SSLv23:!SSLv3:!SSLv2' means that the

 handshake format is compatible to SSL2.0 and higher, but that the successful

 handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because

 both of these versions have serious security issues and should not be used