diff --git a/openldap-nss-ciphers-use-nss-defaults.patch b/openldap-nss-ciphers-use-nss-defaults.patch
new file mode 100644
index 0000000..d1045fa
--- /dev/null
+++ b/openldap-nss-ciphers-use-nss-defaults.patch
@@ -0,0 +1,27 @@
+Use what NSS considers default for DEFAULT cipher string.
+
+Author: Matus Honek <mhonek@redhat.com>
+Resolves: #1387868
+Backports: #1245279 #1300701
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -645,7 +645,16 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+ 			}
+ 		} else if (!strcmp(cipher, "DEFAULT")) {
+ 			for (i=0; i<ciphernum; i++) {
+-				cipher_list[i] = ciphers_def[i].enabled == SSL_ALLOWED ? 1 : 0;
++				PRBool enabled;
++				if (SSL_CipherPrefGetDefault(ciphers_def[i].num, &enabled) == SECSuccess) {
++					if (!(ciphers_def[i].attr & SSL_eNULL)) {
++						cipher_list[i] = enabled == SSL_ALLOWED ? 1 : 0;
++					} else {
++						cipher_list[i] = -1;
++					}
++				} else {
++					cipher_list[i] = -1;
++				}
+ 			}
+ 		} else {
+ 			int mask = 0;
diff --git a/openldap.spec b/openldap.spec
index bec1ed4..106bb5d 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -5,7 +5,7 @@
 
 Name: openldap
 Version: 2.4.44
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: LDAP support libraries
 Group: System Environment/Daemons
 License: OpenLDAP
@@ -50,6 +50,7 @@ Patch22: openldap-nss-protocol-version-new-api.patch
 
 Patch50: openldap-nss-cipher-attributes.patch
 Patch51: openldap-nss-ciphers-parsing.patch
+Patch52: openldap-nss-ciphers-use-nss-defaults.patch
 
 # check-password module specific patches
 Patch90: check-password-makefile.patch
@@ -157,6 +158,7 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 
 %patch50 -p1
 %patch51 -p1
+%patch52 -p1
 
 # build smbk5pwd with other overlays
 ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
@@ -549,6 +551,9 @@ exit 0
 %{_mandir}/man3/*
 
 %changelog
+* Mon Jan 30 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-6
+- NSS: Use what NSS considers default for DEFAULT cipher string (#1387868)
+
 * Thu Jan 26 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-5
 - NSS: fix: incorrect multi-keyword parsing and support new ones (#1243517)