diff --git a/src/backend/distributed/utils/enable_ssl.c b/src/backend/distributed/utils/enable_ssl.c
index 5151db26d..c30bee214 100644
--- a/src/backend/distributed/utils/enable_ssl.c
+++ b/src/backend/distributed/utils/enable_ssl.c
@@ -255,7 +255,7 @@ CreateCertificatesWhenNeeded()
 	SSL_library_init();
 #endif
 
-	sslContext = SSL_CTX_new(SSLv23_method());
+	sslContext = SSL_CTX_new(TLS_method());
 	if (!sslContext)
 	{
 		ereport(WARNING, (errmsg("unable to create ssl context, please verify ssl "
@@ -386,12 +386,12 @@ CreateCertificate(EVP_PKEY *privateKey)
 	 */
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
 
-	/* OpenSSL 1.1.0+ */
-	X509_gmtime_adj(X509_getm_notBefore(certificate), 0);
-	X509_gmtime_adj(X509_getm_notAfter(certificate), 0);
+	/* New mutable accessors (present in 1.1, 3.x). */
+    X509_gmtime_adj(X509_getm_notBefore(certificate), 0);
+    X509_gmtime_adj(X509_getm_notAfter(certificate), 0);
 #else
 
-	/* OpenSSL < 1.1.0 */
+	/* Legacy functions kept for 1.0.x compatibility. */
 	X509_gmtime_adj(X509_get_notBefore(certificate), 0);
 	X509_gmtime_adj(X509_get_notAfter(certificate), 0);
 #endif