diff --git a/ChangeLog.d/remove_default_alllow_sha1.txt b/ChangeLog.d/remove_default_alllow_sha1.txt
index 633504bdf..9ec10cf6b 100644
--- a/ChangeLog.d/remove_default_alllow_sha1.txt
+++ b/ChangeLog.d/remove_default_alllow_sha1.txt
@@ -4,3 +4,7 @@ Removals
      signing. It was intended to facilitate the transition in environments
      with SHA-1 certificates. SHA-1 is considered a weak message digest and
      its use constitutes a security risk.
+
+Changes
+   * Set config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE to be
+     disabled by default.
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index a95ec0290..2c7bed206 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -3912,7 +3912,7 @@
  *            on it, and considering stronger message digests instead.
  *
  */
-#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
+//#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
 
 /**
  * Uncomment the macro to let mbed TLS use your alternate implementation of