diff --git a/ChangeLog b/ChangeLog
index 81a129e..95726fd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,7 @@ unreleased changes
 - Fix lazy certificate check when connecting to TLS servers
 - Fix connect is aborted if first host in list has invalid certificate
 - Fix setstacksize for glibc 2.34 (#91)
+ - Fix system defaults/settings for TLS version not honored
 
 2021-05-28 1.9.0
 New features:
diff --git a/radsecproxy.conf-example b/radsecproxy.conf-example
index 1730e55..71b6c1e 100644
--- a/radsecproxy.conf-example
+++ b/radsecproxy.conf-example
@@ -105,6 +105,8 @@ tls default {
 # Optionally require that peer certs have one of the specified policyOIDs
 # policyoid 1.2.3 # this option can be used multiple times
 # policyoid 1.3.4
+ # Require at least TLS1.2, overriding system defaults
+ # TLSVersion TLS1_2:
 }
 
 # If you want one cert for all clients and another for all servers, use
diff --git a/radsecproxy.conf.5.in b/radsecproxy.conf.5.in
index 7d3027a..4440838 100644
--- a/radsecproxy.conf.5.in
+++ b/radsecproxy.conf.5.in
@@ -842,6 +842,7 @@ Specify the TLS/DTLS protocol \fIversion\fR to be used.
 Specify the range of allowed protocol versions between \fIminversion\fR and \fImaxversion\fR (inclusive). If either is left out, any version up to, or starting from this version is allowed. E.g. "TLS1_2:" will allow TLSv1.2 or later.
+If omitted, use the system defaults set in openssl.conf
 .br
 Currently supported values are
 .BR SSL3 , TLS1 , TLS1_1 , TLS1_2 , TLS1_3
diff --git a/tlscommon.c b/tlscommon.c
index d423aba..be82d82 100644
--- a/tlscommon.c
+++ b/tlscommon.c
@@ -390,8 +390,10 @@ static SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
 #if OPENSSL_VERSION_NUMBER >= 0x10100000
 /* TLS_method() was introduced in OpenSSL 1.1.0. */
 ctx = SSL_CTX_new(TLS_method());
- SSL_CTX_set_min_proto_version(ctx, conf->tlsminversion);
- SSL_CTX_set_max_proto_version(ctx, conf->tlsmaxversion);
+ if (conf->tlsminversion >= 0)
+ SSL_CTX_set_min_proto_version(ctx, conf->tlsminversion);
+ if (conf->tlsmaxversion >= 0)
+ SSL_CTX_set_max_proto_version(ctx, conf->tlsmaxversion);
 #else
 /* No TLS_method(), use SSLv23_method() and disable SSLv2 and SSLv3. */
 ctx = SSL_CTX_new(SSLv23_method());
@@ -408,8 +410,10 @@ static SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
 /* DTLS_method() seems to have been introduced in OpenSSL 1.0.2. */
 ctx = SSL_CTX_new(DTLS_method());
 #if OPENSSL_VERSION_NUMBER >= 0x10100000
- SSL_CTX_set_min_proto_version(ctx, conf->dtlsminversion);
- SSL_CTX_set_max_proto_version(ctx, conf->dtlsmaxversion);
+ if (conf->dtlsminversion >= 0)
+ SSL_CTX_set_min_proto_version(ctx, conf->dtlsminversion);
+ if (conf->dtlsmaxversion >= 0)
+ SSL_CTX_set_max_proto_version(ctx, conf->dtlsmaxversion);
 #endif
 #else
 ctx = SSL_CTX_new(DTLSv1_method());
@@ -905,7 +909,8 @@ int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *v
 conf->cacheexpiry = expiry;
 }
 #if OPENSSL_VERSION_NUMBER >= 0x10100000
- conf->tlsminversion = TLS1_1_VERSION;
+ /* use -1 as 'not set' value */
+ conf->tlsminversion = conf->tlsmaxversion = conf->dtlsminversion = conf->dtlsmaxversion = -1;
 if (tlsversion) {
 if(!conf_tls_version(tlsversion, &conf->tlsminversion, &conf->tlsmaxversion)) {
 debug(DBG_ERR, "error in block %s, invalid TlsVersion %s", val, tlsversion);
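Review bot: The added guards still discard the return value of SSL_CTX_set_min_proto_version and SSL_CTX_set_max_proto_version, so a configured version that the linked OpenSSL rejects (for instance a build without that protocol) silently leaves the context at its defaults while the configuration appears to be enforced; the DTLS pair in the following hunk has the same gap. Both setters return 0 on failure, so the guard can carry the check, e.g. `if (conf->tlsminversion >= 0 && !SSL_CTX_set_min_proto_version(ctx, conf->tlsminversion))` followed by a `debug(DBG_ERR, ...)` and the function's existing failure path. tlscreatectx starts before and continues after this hunk, so that failure path is not visible here and the exact cleanup label has to be taken from the rest of the function.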
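Review bot: The -1 sentinel on the new assignment in conftls_cb only works if the four version fields of struct tls are signed; if they are declared unsigned, -1 wraps and the `>= 0` guards in tlscreatectx always pass, handing OpenSSL a bogus version. The struct declaration is outside this hunk, so please confirm the field types, and widen the comment to record the behavioural change this makes: an omitted TlsVersion previously pinned the minimum to TLS1_1_VERSION, whereas it now defers entirely to the OpenSSL system configuration, which on a system that sets no MinProtocol may permit older protocols than before. Suggested wording: `/* -1 = not set: leave OpenSSL's system defaults in place; note this replaces the former TLS1_1 floor */`. conftls_cb continues outside the hunk, so the DTLS version parsing that presumably follows is not visible here.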