diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 94a0c81904e..422cf569bb9 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -387,7 +387,7 @@ Certificate handling
      >>> time.ctime(ssl.cert_time_to_seconds("May  9 00:00:00 2007 GMT"))
      'Wed May  9 00:00:00 2007'
 
-.. function:: get_server_certificate(addr, ssl_version=PROTOCOL_SSLv3, ca_certs=None)
+.. function:: get_server_certificate(addr, ssl_version=PROTOCOL_SSLv23, ca_certs=None)
 
    Given the address ``addr`` of an SSL-protected server, as a (*hostname*,
    *port-number*) pair, fetches the server's certificate, and returns it as a
@@ -401,6 +401,10 @@ Certificate handling
    .. versionchanged:: 3.3
       This function is now IPv6-compatible.
 
+   .. versionchanged:: 3.5
+      The default *ssl_version* is changed from :data:`PROTOCOL_SSLv3` to
+      :data:`PROTOCOL_SSLv23` for maximum compatibility with modern servers.
+
 .. function:: DER_cert_to_PEM_cert(DER_cert_bytes)
 
    Given a certificate as a DER-encoded blob of bytes, returns a PEM-encoded
diff --git a/Lib/ssl.py b/Lib/ssl.py
index d3c18ed1b79..d2be3ce5acd 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -922,7 +922,7 @@ def PEM_cert_to_DER_cert(pem_cert_string):
     d = pem_cert_string.strip()[len(PEM_HEADER):-len(PEM_FOOTER)]
     return base64.decodebytes(d.encode('ASCII', 'strict'))
 
-def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv3, ca_certs=None):
+def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv23, ca_certs=None):
     """Retrieve the certificate from the server at the specified address,
     and return it as a PEM-encoded string.
     If 'ca_certs' is specified, validate the server cert against it.
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 2b3de1f477e..9f5bd09b99d 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -1371,14 +1371,12 @@ class NetworkedTests(unittest.TestCase):
     def test_get_server_certificate(self):
         def _test_get_server_certificate(host, port, cert=None):
             with support.transient_internet(host):
-                pem = ssl.get_server_certificate((host, port),
-                                                 ssl.PROTOCOL_SSLv23)
+                pem = ssl.get_server_certificate((host, port))
                 if not pem:
                     self.fail("No server certificate on %s:%s!" % (host, port))
 
                 try:
                     pem = ssl.get_server_certificate((host, port),
-                                                     ssl.PROTOCOL_SSLv23,
                                                      ca_certs=CERTFILE)
                 except ssl.SSLError as x:
                     #should fail
@@ -1388,7 +1386,6 @@ class NetworkedTests(unittest.TestCase):
                     self.fail("Got server certificate %s for %s:%s!" % (pem, host, port))
 
                 pem = ssl.get_server_certificate((host, port),
-                                                 ssl.PROTOCOL_SSLv23,
                                                  ca_certs=cert)
                 if not pem:
                     self.fail("No server certificate on %s:%s!" % (host, port))
diff --git a/Misc/NEWS b/Misc/NEWS
index 6d4a6e4eebc..2ebfe3f2ff4 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -50,6 +50,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #20896: ssl.get_server_certificate() now uses PROTOCOL_SSLv23, not
+  PROTOCOL_SSLv3, for maximum compatibility.
+
 - Issue #21239: patch.stopall() didn't work deterministically when the same
   name was patched more than once.