Type: Bug
Resolution: Unresolved
Affects: rhel-9.7
Severity: Moderate
Component: rhel-databases
What were you trying to do that didn't work?
PostgreSQL 16 (and probably all other releases we ship as well) does not honor the system-wide crypto policy. Feel free to create clones for all supported streams.
For example, when using DEFAULT, the allowed ciphers for SSL are:
# cat /etc/crypto-policies/back-ends/openssl.config
@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
e.g. CAMELLIA ciphers are excluded there, but PostgreSQL will offer them anyway:
# nmap --script=ssl-enum-ciphers -sV -p 5432 localhost
[...]
PORT     STATE SERVICE    VERSION
5432/tcp open  postgresql PostgreSQL DB 9.6.0 or later
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
[...]
|       TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - A
[...]
The reason for this is the configuration sets HIGH:MEDIUM:+3DES:!aNULL by default:
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
while it should instead set:
ssl_ciphers = 'PROFILE=SYSTEM'
What is the impact of this issue to you?
Compliance
Please provide the package NVR for which the bug is seen:
postgresql-server-16.11-1.module+el9.7.0+23784+0c5a3b34.x86_64
and probably all other streams and base packages
How reproducible is this bug?
Always
Steps to reproduce
- Start postgresql.service with default configuration file
- Query SSL ciphers using nmap
Expected results
Only the SSL ciphers permitted by the DEFAULT crypto policy are enabled.
Actual results
More ciphers are enabled.
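As an added example (not part of this report or of the PostgreSQL package), a POSIX shell check an administrator can run against postgresql.conf: it resolves the effective ssl_ciphers value (a commented-out line means the compiled-in default applies), flags anything other than PROFILE=SYSTEM, and, on a crypto-policies host with openssl installed, lists the suites the effective string offers beyond the system policy. The function names and the stock single-quoted "ssl_ciphers = '...'" syntax are assumptions.

```shell
# Constructed example: audit whether postgresql.conf delegates cipher
# selection to the system-wide crypto policy (PROFILE=SYSTEM).

# Print the effective ssl_ciphers value. The last uncommented assignment
# wins; with none present, PostgreSQL's compiled-in default applies.
effective_ssl_ciphers() {
    conf="$1"
    val=$(sed -n "s/^[[:space:]]*ssl_ciphers[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$conf" | tail -n 1)
    if [ -z "$val" ]; then
        echo "HIGH:MEDIUM:+3DES:!aNULL"   # compiled-in default, as shown in the report
    else
        echo "$val"
    fi
}

# Return 0 when the config honours the system crypto policy, 1 otherwise.
check_pg_ssl_ciphers() {
    case "$(effective_ssl_ciphers "$1")" in
        PROFILE=SYSTEM) return 0 ;;
        *) return 1 ;;
    esac
}

# On a crypto-policies host, list cipher suites that the effective string
# enables but PROFILE=SYSTEM would not. Skips quietly where openssl is
# missing or the host has no system profile (e.g. non-RHEL systems).
extra_ciphers_vs_system() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; return 0; }
    sys=$(openssl ciphers 'PROFILE=SYSTEM' 2>/dev/null) || { echo "no PROFILE=SYSTEM on this host, skipping" >&2; return 0; }
    pg_list="/tmp/pg_ciphers.$$"; sys_list="/tmp/sys_ciphers.$$"
    openssl ciphers "$(effective_ssl_ciphers "$1")" | tr ':' '\n' | sort > "$pg_list"
    echo "$sys" | tr ':' '\n' | sort > "$sys_list"
    comm -23 "$pg_list" "$sys_list"    # suites only PostgreSQL's string offers
    rm -f "$pg_list" "$sys_list"
}

# Usage: check_pg_ssl_ciphers /var/lib/pgsql/data/postgresql.conf || echo "not using PROFILE=SYSTEM"
#        extra_ciphers_vs_system /var/lib/pgsql/data/postgresql.conf
```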
Relates to: RHEL-145117 TLS1.3 ciphers cannot be configured (New)