From 7d13539d1b3562669d8dc6de98ed2255e0a84f24 Mon Sep 17 00:00:00 2001
From: Mateusz Starzyk <mateusz.starzyk@mobica.com>
Date: Fri, 27 Aug 2021 15:36:47 +0200
Subject: [PATCH] Disable MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE in
 default config.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
---
 ChangeLog.d/remove_default_alllow_sha1.txt | 4 ++++
 include/mbedtls/config.h                   | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/ChangeLog.d/remove_default_alllow_sha1.txt b/ChangeLog.d/remove_default_alllow_sha1.txt
index 633504bdf..9ec10cf6b 100644
--- a/ChangeLog.d/remove_default_alllow_sha1.txt
+++ b/ChangeLog.d/remove_default_alllow_sha1.txt
@@ -4,3 +4,7 @@ Removals
      signing. It was intended to facilitate the transition in environments
      with SHA-1 certificates. SHA-1 is considered a weak message digest and
      its use constitutes a security risk.
+
+Changes
+   * Set config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE to be
+     disabled by default.
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index a95ec0290..2c7bed206 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -3912,7 +3912,7 @@
  *            on it, and considering stronger message digests instead.
  *
  */
-#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
+//#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
 
 /**
  * Uncomment the macro to let mbed TLS use your alternate implementation of