How can I support multiple versions of TLS on the client side?

Hey. I want to support multiple versions of TLS using the SSLv23 method on the client side. But I cannot connect; I get the error:

SSL23_GET_SERVER_HELLO: communication failure with sslv3

Can someone tell me how I can support multiple versions of TLS using OpenSSL?

Code snippet for SSLv23 (not working):

    cctx = SSL_CTX_new(SSLv23_client_method());
    if (cctx) {
        SSL_CTX_set_options(cctx, SSL_OP_NO_SSLv3);
    }

Only TLS v1 (working):

    cctx = SSL_CTX_new(TLSv1_client_method());
+5
1 answer

Based on your tags and comments, I assume that you only want TLS connections. Clients should only initiate TLS connections. If so, why do you insist on SSLv23_client_method? But in my test, a TLS 1.0 ClientHello was sent with:

    ctx = SSL_CTX_new(SSLv23_client_method());
    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);

To prevent a POODLE attack, it would be best to completely disable SSLv3 support on both the client and the servers. In your case, you mentioned that the servers only support TLS, so there is no need for backward compatibility with SSLv3 clients. If the server does talk SSLv3, then to prevent a POODLE attack the client and server must implement the TLS Fallback Signaling Cipher Suite Value (SCSV): https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-05

Client-side TLS configuration examples:

    /* Exclude SSLv2 and SSLv3 */
    ctx = SSL_CTX_new(TLSv1_client_method());
    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);

    /* Exclude SSLv2, SSLv3 and TLS 1.0 */
    ctx = SSL_CTX_new(TLSv1_1_client_method());
    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
    SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);

    /* Exclude SSLv2, SSLv3, TLS 1.0 and TLS 1.1 */
    ctx = SSL_CTX_new(TLSv1_2_client_method());
    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
    SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
    SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1);

You can also OR the options together and make a single SSL_CTX_set_options call.

+6
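As an added example (it is not part of the question or of the answer above), here is the same client-side version policy expressed through Python's ssl module, which is a thin binding over the OpenSSL SSL_CTX API the thread discusses: one version-flexible client context (PROTOCOL_TLS_CLIENT, i.e. SSLv23_client_method() / TLS_client_method()), a version floor instead of a single pinned version, the legacy SSL_OP_NO_* bits OR-ed into one options update, and a helper that lists what the ClientHello will actually offer. The function names make_client_context, offered_versions and negotiated_version are this example's own, and the connect step is only reached when a host is given on the command line.

```python
"""Client-side TLS version policy via Python's ssl module (an OpenSSL binding).

PROTOCOL_TLS_CLIENT is the version-flexible client method (OpenSSL's
SSLv23_client_method() before 1.1.0, TLS_client_method() from 1.1.0 on): the
client offers a version range and the server picks the best mutual one. The
version-specific methods (TLSv1_client_method() and friends) pin exactly one
protocol version, which is why they cannot "support multiple versions".
Example code written for this page; names below are this example's own.
"""
import socket
import ssl
import sys
import warnings
from typing import List, Optional

# Wire order of the versions, the legacy SSL_OP_NO_* bit that disables each
# one, and the HAS_* flag saying whether this OpenSSL build can speak it.
_VERSIONS = [
    (ssl.TLSVersion.SSLv3,   ssl.OP_NO_SSLv3,   ssl.HAS_SSLv3),
    (ssl.TLSVersion.TLSv1,   ssl.OP_NO_TLSv1,   ssl.HAS_TLSv1),
    (ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1, ssl.HAS_TLSv1_1),
    (ssl.TLSVersion.TLSv1_2, ssl.OP_NO_TLSv1_2, ssl.HAS_TLSv1_2),
    (ssl.TLSVersion.TLSv1_3, ssl.OP_NO_TLSv1_3, ssl.HAS_TLSv1_3),
]


def make_client_context(minimum: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2,
                        maximum: Optional[ssl.TLSVersion] = None) -> ssl.SSLContext:
    """Flexible client context offering every version in [minimum, maximum]."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

    # Chain verification and hostname checking stay on. A version mismatch
    # shows up as a handshake error; turning verification off never fixes
    # that, it only removes the authentication the handshake should provide.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()

    # Modern form (SSL_CTX_set_min_proto_version / set_max_proto_version in
    # OpenSSL >= 1.1.0): a floor and an optional ceiling.
    ctx.minimum_version = minimum
    if maximum is not None:
        ctx.maximum_version = maximum

    # Legacy form, kept in step with the floor: OR the SSL_OP_NO_* bits for
    # every version below the floor into a single options update (the single
    # SSL_CTX_set_options() call the answer mentions). Python deprecates these
    # bits in favour of minimum_version, hence the warning filter.
    no_bits = ssl.Options(0)
    for version, no_bit, _available in _VERSIONS:
        if version < minimum:
            no_bits |= no_bit
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= ssl.OP_NO_SSLv2 | no_bits
    return ctx


def offered_versions(ctx: ssl.SSLContext) -> List[ssl.TLSVersion]:
    """Versions this context will actually advertise in its ClientHello.

    Combines the min/max bounds, the OP_NO_* bits and the build's own
    capabilities: this is the set the server gets to choose from, so log it
    before connecting when a handshake fails with a version alert.
    """
    lo, hi = ctx.minimum_version, ctx.maximum_version
    offered = []
    for version, no_bit, available in _VERSIONS:
        if not available or ctx.options & no_bit:
            continue
        if lo != ssl.TLSVersion.MINIMUM_SUPPORTED and version < lo:
            continue
        if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED and version > hi:
            continue
        offered.append(version)
    return offered


def negotiated_version(host: str, port: int = 443,
                       ctx: Optional[ssl.SSLContext] = None) -> str:
    """Connect, finish the handshake and return the version the server chose.

    Network-dependent; only reached from __main__ when a host is supplied.
    """
    ctx = ctx or make_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    policy = make_client_context()
    print("offering:", [v.name for v in offered_versions(policy)])
    if len(sys.argv) > 1:  # e.g. python3 tls_policy.py example.org
        print("negotiated:", negotiated_version(sys.argv[1], ctx=policy))
```

With the default floor the context offers TLS 1.2 and TLS 1.3 and nothing older; pass minimum=ssl.TLSVersion.TLSv1 if a legacy server genuinely needs it, but keep SSLv3 out entirely, as the answer recommends.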
