diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 4acca4b0446f..a6fed92a2e75 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -15,6 +15,9 @@ HOME			= .
 #oid_file		= $ENV::HOME/.oid
 oid_section		= new_oids
 
+# System default
+openssl_conf = default_conf
+
 # To use this configuration file with the "-extfile" option of the
 # "openssl x509" utility, name here the section containing the
 # X.509v3 extensions to use:
@@ -348,3 +351,12 @@ ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
 				# (optional, default: no)
 ess_cert_id_alg		= sha1	# algorithm to compute certificate
 				# identifier (optional, default: sha1)
+[default_conf]
+ssl_conf = ssl_sect
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+CipherSuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
+CipherString = DEFAULT@SECLEVEL=2