Preferring system crypto policy.

If we don't call SSL_CTX_set_cipher_list(), then it uses the
system's default.

Link: <https://fedoraproject.org/wiki/Changes/CryptoPolicy>
Link: <https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/>
Link: <https://www.redhat.com/en/blog/consistent-security-crypto-policies-red-hat-enterprise-linux-8>
Signed-off-by: Remi Collet <remi@remirepo.net>
Acked-by: Andrei Belov <defan@nginx.com>
[ alx: add changelog and tweak commit message ]
Signed-off-by: Alejandro Colomar <alx@nginx.com>

docs/changes.xml

@@ -37,6 +37,12 @@ removed $uri auto-append for "share" when loading configuration.
 </para>
 </change>
 
+<change type="change">
+<para>
+prefer system crypto policy, instead of hardcoding a default.
+</para>
+</change>
+
 <change type="feature">
 <para>
 compatibility with PHP 8.2.

src/nxt_openssl.c

@@ -295,7 +295,7 @@ nxt_openssl_server_init(nxt_task_t *task, nxt_mp_t *mp,
     nxt_tls_init_t *tls_init, nxt_bool_t last)
 {
     SSL_CTX                *ctx;
-    const char             *ciphers, *ca_certificate;
+    const char             *ca_certificate;
     nxt_tls_conf_t         *conf;
     STACK_OF(X509_NAME)    *list;
     nxt_tls_bundle_conf_t  *bundle;
@@ -361,13 +361,13 @@ nxt_openssl_server_init(nxt_task_t *task, nxt_mp_t *mp,
     }
 */
 
-    ciphers = (conf->ciphers != NULL) ? conf->ciphers : "HIGH:!aNULL:!MD5";
-
-    if (SSL_CTX_set_cipher_list(ctx, ciphers) == 0) {
-        nxt_openssl_log_error(task, NXT_LOG_ALERT,
+    if (conf->ciphers) {  /* else use system crypto policy */
+        if (SSL_CTX_set_cipher_list(ctx, conf->ciphers) == 0) {
+            nxt_openssl_log_error(task, NXT_LOG_ALERT,
                               "SSL_CTX_set_cipher_list(\"%s\") failed",
-                              ciphers);
-        goto fail;
+                              conf->ciphers);
+            goto fail;
+        }
     }
 
 #if (NXT_HAVE_OPENSSL_CONF_CMD)