Change the default of tls-use-system-policy-versions at build-time

Allow simple switch to change default of that option. Use it on Red Hat
builds where we want crypto-policy to be a primary source of such
configuration. Of course keep ability to disable that or reconfigure
explicit TLS settings.

Resolves: RHEL-147790

unbound-1.25-tls-crypto-policy-default.patch

@@ -0,0 +1,61 @@
+From 87e5c3ccad91c72166ed72c7366d8681308d84a8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Mon, 9 Feb 2026 15:40:51 +0100
+Subject: [PATCH] Add a new build-time option for system TLS
+
+We want to use crypto-policy provided configuration always in our
+builds. Allow changing the default of tls-use-system-policy-versions at
+build time by a simple configure parameter.
+---
+ unbound-1.24.2/configure.ac       | 11 +++++++++++
+ unbound-1.24.2/util/config_file.c |  5 ++++-
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/unbound-1.24.2/configure.ac b/unbound-1.24.2/configure.ac
+index 6a43fd5..13c910f 100644
+--- a/unbound-1.24.2/configure.ac
++++ b/unbound-1.24.2/configure.ac
+@@ -2067,6 +2067,17 @@ case "$enable_ipsecmod" in
+ 		;;
+ esac
+ 
++# check for system TLS preference if requested
++AC_ARG_ENABLE(system-tls, AS_HELP_STRING([--enable-system-tls],[Enable preference of system configured TLS socket options]))
++case "$enable_system_tls" in
++	yes)
++		AC_DEFINE([USE_SYSTEM_TLS], [1], [Define to 1 to prefer TLS crypto settings from the system.])
++		;;
++	no|*)
++		# nothing
++		;;
++esac
++
+ # check for ipset if requested
+ AC_ARG_ENABLE(ipset, AS_HELP_STRING([--enable-ipset],[enable ipset module]))
+ case "$enable_ipset" in
+diff --git a/unbound-1.24.2/util/config_file.c b/unbound-1.24.2/util/config_file.c
+index 1565b05..8079ec9 100644
+--- a/unbound-1.24.2/util/config_file.c
++++ b/unbound-1.24.2/util/config_file.c
+@@ -71,6 +71,9 @@
+ #ifdef HAVE_PWD_H
+ #include <pwd.h>
+ #endif
++#ifndef USE_SYSTEM_TLS
++#define USE_SYSTEM_TLS 0
++#endif
+ 
+ /** from cfg username, after daemonize setup performed */
+ uid_t cfg_uid = (uid_t)-1;
+@@ -129,7 +132,7 @@ config_create(void)
+ 	cfg->tls_cert_bundle = NULL;
+ 	cfg->tls_win_cert = 0;
+ 	cfg->tls_use_sni = 1;
+-	cfg->tls_use_system_policy_versions = 0;
++	cfg->tls_use_system_policy_versions = USE_SYSTEM_TLS;
+ 	cfg->https_port = UNBOUND_DNS_OVER_HTTPS_PORT;
+ 	if(!(cfg->http_endpoint = strdup("/dns-query"))) goto error_exit;
+ 	cfg->http_max_streams = 100;
+-- 
+2.52.0
+

unbound.spec

@@ -69,6 +69,8 @@ Source30: tmpfiles-unbound-libs.conf
 Patch1:   unbound-fedora-config.patch
 # https://github.com/NLnetLabs/unbound/pull/1349
 Patch2:   %{forgeurl}/pull/1349.patch#/unbound-1.25-tls-crypto-policy.patch
+# https://github.com/NLnetLabs/unbound/pull/1401
+Patch3:   %{forgeurl}/pull/1401.patch#/unbound-1.25-tls-crypto-policy-default.patch
 
 BuildRequires: gcc, make
 BuildRequires: flex, openssl-devel
@@ -260,7 +262,7 @@ cp -a %{dir_primary} %{dir_secondary}
             --enable-sha2 --disable-gost --enable-ecdsa \\\
             --with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\
             --with-username=unbound \\\
-            --enable-linux-ip-local-port-range \\\
+            --enable-linux-ip-local-port-range --enable-system-tls \\\
 
 
 pushd %{dir_primary}