diff --git a/CHANGES b/CHANGES
index 54e643f80f5728340b23863d96e74dbe19227a16..00ea5eecb2fd28d0a6ac734983bf3cf8c52ef86e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -881,6 +881,11 @@ Changes between 0.9.8l (?) and 0.9.8m (?) [xx XXX xxxx]
+ *) Handle TLS versions 2.0 and later properly and correctly use the
+ highest version of TLS/SSL supported. Although TLS >= 2.0 is some way
+ off ancient servers have a habit of sticking around for a while...
+ [Steve Henson]
+
 *) Modify compression code so it frees up structures without using the
 ex_data callbacks. This works around a problem where some applications
 call CRYPTO_free_all_ex_data() before application exit (e.g. when
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index 03efdf74c1b44d803b350765da252ce32b3bdf51..05e4e0b47b64d97ec05d96803a46da1105fbf7a5 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -323,7 +323,7 @@ int ssl23_get_client_hello(SSL *s)
 (p[1] == SSL3_VERSION_MAJOR) &&
 (p[5] == SSL3_MT_CLIENT_HELLO) &&
 ((p[3] == 0 && p[4] < 5 /* silly record length? */)
- || (p[9] == p[1])))
+ || (p[9] >= p[1])))
 {
 /*
 * SSLv3 or tls1 header
@@ -347,6 +347,13 @@ int ssl23_get_client_hello(SSL *s)
 v[1] = TLS1_VERSION_MINOR;
#endif
 }
+ /* if major version number > 3 set minor to a value
+ * which will use the highest version 3 we support.
+ * If TLS 2.0 ever appears we will need to revise
+ * this....
+ */
+ else if (p[9] > SSL3_VERSION_MAJOR)
+ v[1]=0xff;
 else v[1]=p[10]; /* minor version according to client_version */
 if (v[1] >= TLS1_VERSION_MINOR)
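Review bot: The relaxed test `(p[9] >= p[1])` in the first s23_srvr.c hunk carries no explanation of why the client_version major byte is now allowed to exceed the record-layer major, and the only rationale is in the CHANGES entry and the comment in the later hunk, which addresses the minor byte only; a reader of this condition alone will read `>=` as a typo for `==`. I would add a one-line comment on the changed line, e.g. `/* client_version major >= record major: accept a future TLS major here, minor is clamped below */`. It is also worth confirming, since the code that fills `v[0]` is outside both hunks, that a major byte well above 3 is clamped to a supported version before it reaches version selection rather than being carried through as the raw byte. The enclosing function ssl23_get_client_hello begins and ends outside the hunk.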