author Tomas Mraz <tmraz@fedoraproject.org> 2018-03-19 10:01:39 -0400
committer Rich Salz <rsalz@openssl.org> 2018-03-19 10:22:49 -0400
commit 8a5ed9dce8ee36b4bb05cb928fa7a01aba6d8e41 (patch)
tree 3b942fbfeb7c69a11ed45db6993cd39455ea7e0a /doc
parent 440bce8f813fa661437ce52378c3df38e2fd073b (diff)
Apply system_default configuration on SSL_CTX_new().

When SSL_CTX is created preinitialize it with system default configuration from system_default section.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4848)

Diffstat (limited to 'doc')
-rw-r--r-- doc/man3/SSL_read_early_data.pod 2
-rw-r--r-- doc/man5/config.pod 16
2 files changed, 17 insertions, 1 deletions
diff --git a/doc/man3/SSL_read_early_data.pod b/doc/man3/SSL_read_early_data.pod
index 1b14a73..cdfebc8 100644
--- a/doc/man3/SSL_read_early_data.pod
+++ b/doc/man3/SSL_read_early_data.pod
@@ -180,7 +180,7 @@ server application will either use both of SSL_read_early_data() and
SSL_CTX_set_max_early_data() (or SSL_set_max_early_data()), or neither of them,
since there is no practical benefit from using only one of them. If the maximum
early data setting for a server is non-zero then replay protection is
-automatically enabled (see L<REPLAY PROTECTION> below).
+automatically enabled (see L</REPLAY PROTECTION> below).
In the event that the current maximum early data setting for the server is
different to that originally specified in a session that a client is resuming
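Review bot: the change from L<REPLAY PROTECTION> to L</REPLAY PROTECTION> in SSL_read_early_data.pod is a POD cross-reference fix that has nothing to do with the system_default behaviour named in the commit message. Either mention the link fix in the commit message or move it to its own commit, so that someone later tracing the history of SSL_CTX_new() behaviour does not have to wonder why the early-data page was touched.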
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index 485ec08..7885d6a 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -247,6 +247,22 @@ For example:
ECDSA.Certificate = server-ecdsa.pem
Ciphers = ALL:!RC4
+The system default configuration with name B<system_default> if present will
+be applied during any creation of the B<SSL_CTX> structure.
+
+Example of a configuration with the system default:
+
+ ssl_conf = ssl_sect
+
+ [ssl_sect]
+
+ system_default = system_default_sect
+
+ [system_default_sect]
+
+ MinProtocol = TLSv1.2
+
+
=head1 NOTES
If a configuration file attempts to expand a variable that doesn't exist
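Review bot: the added paragraph in config.pod says the system_default section "will be applied during any creation of the SSL_CTX structure" but leaves out two things a reader of this page needs: how these values relate to settings the application makes on the SSL_CTX afterwards, and what happens to SSL_CTX creation when a command in the section cannot be applied. Because the example uses MinProtocol = TLSv1.2, an administrator will read it as a policy floor, so the text should say explicitly whether it is a default the application can change or a limit it cannot. A cross-reference from this paragraph to the SSL_CTX_new documentation would also help. Minor: the hunk adds two consecutive blank lines before =head1 NOTES where one is enough.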