diff --git a/nsd-4.3.7-crypto-policies.patch b/nsd-4.3.7-crypto-policies.patch
new file mode 100644
index 0000000..adfa462
--- /dev/null
+++ b/nsd-4.3.7-crypto-policies.patch
@@ -0,0 +1,20 @@
+diff --git a/server.c b/server.c
+index a813ea0a..46afb948 100644
+--- a/server.c
++++ b/server.c
+@@ -1995,9 +1995,12 @@ server_tls_ctx_setup(char* key, char* pem, char* verifypem)
+ }
+ #endif
+ #if defined(SHA256_DIGEST_LENGTH) && defined(SSL_TXT_CHACHA20)
+- /* if we have sha256, set the cipher list to have no known vulns */
+- if(!SSL_CTX_set_cipher_list(ctx, "ECDHE+AESGCM:ECDHE+CHACHA20"))
+- log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
++ /* if we detect system-wide crypto policies, use those */
++ if (access( "/etc/crypto-policies/config", F_OK ) != 0 ) {
++ /* if we have sha256, set the cipher list to have no known vulns */
++ if(!SSL_CTX_set_cipher_list(ctx, "ECDHE+AESGCM:ECDHE+CHACHA20"))
++ log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
++ }
+ #endif
+ if((SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) &
+ SSL_OP_CIPHER_SERVER_PREFERENCE) !=
diff --git a/nsd.spec b/nsd.spec
index efb71e0..6c3dcda 100644
--- a/nsd.spec
+++ b/nsd.spec
@@ -1,7 +1,8 @@
+%global _hardened_build 1
 Summary: Fast and lean authoritative DNS Name Server
 Name: nsd
 Version: 4.3.7
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/nsd/
 Source0: http://www.nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?prever}.tar.gz
@@ -20,10 +21,8 @@ BuildRequires: systemd-devel
 Requires(post): systemd-units
 Requires(preun): systemd-units
 Requires(postun): systemd-units
-#workaround for broken system detection, introduced in 4.1.24 :/
-#BuildRequires: autoconf automake
-%global _hardened_build 1
+Patch1: nsd-4.3.7-crypto-policies.patch
 %description
 NSD is a complete implementation of an authoritative DNS name server.
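Review bot: The new comment `/* if we detect system-wide crypto policies, use those */` in the nested server.c hunk overstates what the branch does: when `/etc/crypto-policies/config` exists the code merely skips `SSL_CTX_set_cipher_list`, so whatever cipher list OpenSSL was built or configured with applies, and a permissive or misconfigured system policy is then accepted without any trace in nsd's own output. I would reword it to `/* system crypto policy present: leave the cipher list to OpenSSL's configured default */` and, if the file's usual logging helper is reachable at this point, emit one informational log line in each branch so an operator can tell from the log which cipher list is in effect. A non-zero `access()` for any reason (a missing file, but also EACCES) falls back to the hard-coded `ECDHE+AESGCM:ECDHE+CHACHA20` list, which is the safe direction, but the call needs `<unistd.h>`, which this hunk assumes server.c already includes. server_tls_ctx_setup starts and ends outside the hunk; the spec hunks on this line (Release bump, Patch1 declaration, relocated `_hardened_build`) raise nothing.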
@@ -32,8 +31,7 @@ consult the REQUIREMENTS document which is a part of this distribution.
 %prep
 %setup -q -n %{name}-%{version}%{?prever}
-#workaround for broken system detection, introduced in 4.1.24 :/
-#autoreconf
+%patch1 -p1
 %build
 CFLAGS="%{optflags} -fPIE -pie"
@@ -139,6 +137,9 @@ fi
 %endif
 %changelog
+* Wed Aug 11 2021 Paul Wouters - 4.3.7-2
+- Resolves: rhbz#1992399 nsd: recently added TLS support should support system wide crypto policies
+
 * Tue Aug 10 2021 Paul Wouters - 4.3.7-1
 - Resolves: rhbz#1982585 nsd-4.3.7 is available
 - Clean out legacy sysvinit / trigger support