Thanks Andrey. change to use TLS did the trick.
On 10/14/19, Andrey Semashev via Boost
I think your question is more about OpenSSL rather than Boost.ASIO. The function names for the TLS connection methods are misleading (for historical reasons).
Both SSLv2 and SSLv3 are long outdated and insecure and are actually removed from the recent OpenSSL versions. What SSLv23_method does is actually negotiate the TLS version between the server and the client, and the result will most certainly not be SSLv2 or SSLv3. In OpenSSL 1.1.0, IIRC, SSLv23_method was renamed to TLS_method, and SSLv23_method was left as an alias.
SSLv3_method, as well as other
_method functions, instruct OpenSSL to use this specific protocol version only. Since SSLv3 is removed, I imagine using it would give you the result you're seeing. In general, unless you have a serious reason to, you should not use specific versions of TLS protocols since this will prevent your application from using more secure protocol versions as they are released. I would recommend using TLS_method (and its client/server variants) to allow protocol version negotiation and use SSL_CTX_set_min/max_proto_version to control the negotiated protocol versions, if needed. I'm not sure how that maps onto Boost.ASIO API.
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_new.html
You're right, changing to use TLS did the trick. Thanks Andrey. - jh