Unfortunately, not all upstreams make good decisions. OpenSSL ships
with a set of default ciphers that is completely insecure. There is no
reason that every application using OpenSSL directly or indirectly[0]
should have to disable exportable ciphers, especially since almost
nobody uses them (nor wants to). HIGH:MEDIUM:!aNULL is a better
default.