libssl and applications using it take configuration parameters from configuration file set by environment variable OPENSSL_CONF or from default file /etc/ssl/openssl.cnf.

Openssl documentation is not the easiest one to read, but man 5ssl config and some googling got me what I wanted.

/etc/ssl/openssl.no-tls13.cnf:

# This definition stops the following lines choking if HOME isn't
# defined.
HOME                    = .

openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MaxProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=1

/etc/systemd/system/rsyslog.service.d/override-openssl-params.conf:

[Service]
Environment="OPENSSL_CONF=/etc/ssl/openssl.cnf.no-tls13"

And finally applying the new configuration:

systemd daemon-reload
systemd restart rsyslog