Changelog note and documentation for #1401.

- Merge #1401: Add a new build-time option for system TLS.
  The --enable-system-tls flag enables the
  tls-use-system-policy-versions setting by default.

config.h.in

@@ -1136,6 +1136,9 @@
 #endif
 
 
+/* Define to 1 to prefer TLS crypto settings from the system. */
+#undef USE_SYSTEM_TLS
+
 /* Define this to enable server TCP Fast Open. */
 #undef USE_TCP_FASTOPEN
 

configure

@@ -669,6 +669,7 @@ SOURCEFILE
 SOURCEDETERMINE
 IPSET_OBJ
 IPSET_SRC
+SYSTEM_TLS_DEFAULT
 IPSECMOD_HEADER
 IPSECMOD_OBJ
 CACHEDB_OBJ
@@ -936,6 +937,7 @@ enable_dnscrypt
 with_libsodium
 enable_cachedb
 enable_ipsecmod
+enable_system_tls
 enable_ipset
 with_libmnl
 enable_explicit_port_randomisation
@@ -1641,6 +1643,8 @@ Optional Features:
                           storage
   --enable-ipsecmod       Enable ipsecmod module that facilitates
                           opportunistic IPsec
+  --enable-system-tls     Enable preference of system configured TLS socket
+                          options
   --enable-ipset          enable ipset module
   --disable-explicit-port-randomisation
                           disable explicit source port randomisation and rely
@@ -25102,6 +25106,26 @@ printf "%s\n" "#define USE_IPSECMOD 1" >>confdefs.h
 		;;
 esac
 
+# check for system TLS preference if requested
+# Check whether --enable-system-tls was given.
+if test ${enable_system_tls+y}
+then :
+  enableval=$enable_system_tls;
+fi
+
+case "$enable_system_tls" in
+	yes)
+
+printf "%s\n" "#define USE_SYSTEM_TLS 1" >>confdefs.h
+
+		SYSTEM_TLS_DEFAULT="yes"
+		;;
+	no|*)
+		SYSTEM_TLS_DEFAULT="no"
+		;;
+esac
+
+
 # check for ipset if requested
 # Check whether --enable-ipset was given.
 if test ${enable_ipset+y}

configure.ac

@@ -2085,11 +2085,13 @@ AC_ARG_ENABLE(system-tls, AS_HELP_STRING([--enable-system-tls],[Enable preferenc
 case "$enable_system_tls" in
 	yes)
 		AC_DEFINE([USE_SYSTEM_TLS], [1], [Define to 1 to prefer TLS crypto settings from the system.])
+		SYSTEM_TLS_DEFAULT="yes"
 		;;
 	no|*)
-		# nothing
+		SYSTEM_TLS_DEFAULT="no"
 		;;
 esac
+AC_SUBST([SYSTEM_TLS_DEFAULT])
 
 # check for ipset if requested
 AC_ARG_ENABLE(ipset, AS_HELP_STRING([--enable-ipset],[enable ipset module]))

doc/Changelog

@@ -1,3 +1,8 @@
+9 February 2026: Wouter
+	- Merge #1401: Add a new build-time option for system TLS.
+	  The --enable-system-tls flag enables the
+	  tls-use-system-policy-versions setting by default.
+
 6 February 2026: Yorgos
 	- Fix #1389: [FR] replacement with ECC-GOST12 according to RFC9558.
 	  Patch contributed by Igor V. Ruzanov, available in

doc/example.conf.in

@@ -971,8 +971,8 @@ server:
 	# Allow general-purpose version-flexible TLS server configuration that
 	# may be further restricted by the system's policy.
 	# Use only if you want to support legacy TLS client connections.
-	# Default is no and Unbound will only use the latest available TLS
-	# version.
+	# Default is a compilation choice.
+	# With 'no' Unbound will only use the latest available TLS version.
 	# Changing the value requires a reload.
 	# tls-use-system-policy-versions: no
 

doc/unbound.conf.rst

@@ -1178,19 +1178,22 @@ These options are part of the ``server:`` section.
 
 
 @@UAHL@unbound.conf@tls-use-system-policy-versions@@: *<yes or no>*
-    Enable or disable general-puspose version-flexible TLS server configuration
+    Enable or disable general-purpose version-flexible TLS server configuration
     when serving TLS.
     This will allow the whole list of available TLS versions provided by the
     crypto library, which may have been further restricted by the system's
     crypto policy.
 
-    By default Unbound only uses the latest available TLS version.
+    If disabled Unbound only uses the latest available TLS version.
+
+    The default depends on a compilation choice, it is set
+    at @SYSTEM_TLS_DEFAULT@ .
 
     .. caution:: Use only if you want to support legacy TLS client connections.
 
     .. note:: Changing the value requires a reload.
 
-    Default: no
+    Default: @SYSTEM_TLS_DEFAULT@
 
 
 @@UAHL@unbound.conf@pad-responses@@: *<yes or no>*