I was looking in Rust OpenSSL docs for the SslAcceptor type and saw the first sentence was:
OpenSSL's default configuration is highly insecure. This connector manages the OpenSSL structures, configuring cipher suites, session options, and more.
I then looked at the source and see they setting diffie-hellman parameters as well as the cipher suite per Mozilla's recommendations.
Why doesn't the original OpenSSL configuration use this config, and why is it left to individual libraries to set it correctly?
Why doesn't the original OpenSSL configuration use this config ...
Requirements for cryptographic algorithms change over time, i.e. there is no right config which is the best one forever. OpenSSL has settings like DEFAULT or HIGH which gets updates from time to time, usually with major releases. So the defaults used by an application with no specific settings actually, depend on the OpenSSL version used, the compile time options and sometimes on the system configuration.
... and why is it left to individual libraries to set it correctly?
If one wants to have a consistent behavior across setups independent from a specific library version and system setup, one need to provide the intended setting in the code instead of relying on external libs and settings.
I then looked at the source and see they setting diffie-hellman paramters as well as the cipher suite per Mozilla's recommendations.
That's only what is claimed in the code. And it might have been true a while ago. But the recommendations have moved on.
Specifically the code still enables 3DES as symmetric encryotion and SHA1 for HMAC. It also allows TLS 1.0 and TLS 1.1 while disabling TLS 1.3. All of this does not match the current description for intermediate in what they link to.
Insofar Rust faces the same problem as OpenSSL - a specific library version has hard coded security settings which were useful at some time but after a while get outdated.