diff --git a/ChangeLog b/ChangeLog
index cb543bd495..3befcade56 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,15 @@ mbed TLS ChangeLog (Sorted per branch, date)
 
 mbed TLS 2.x.x branch released xxxx-xx-xx
 
+Security
+
+   * SHA-1 deprecation: remove it from the default allowed hash
+     algorithms for certificate verification and TLS 1.2 handshake
+     signatures. It can be turned back on at compile time with
+     MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 or explicitly with ssl_conf functions.
+   * Removed RIPEMD-160 from the default hash algorithms for
+     certificate verification.
+
 Bugfix
    * Remove invalid use of size zero arrays in ECJPAKE test suite.
    * Fix insufficient support for signature-hash-algorithm extension,
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index f5df5c94c0..d52026e88b 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -2251,7 +2251,8 @@
  *          library/ssl_tls.c
  *          library/x509write_crt.c
  *
- * This module is required for SSL/TLS and SHA1-signed certificates.
+ * This module is required for SSL/TLS up to version 1.1, for TLS 1.2
+ * depending on the handshake parameters, and for SHA1-signed certificates.
  */
 #define MBEDTLS_SHA1_C
 
@@ -2636,6 +2637,15 @@
 //#define MBEDTLS_X509_MAX_INTERMEDIATE_CA   8   /**< Maximum number of intermediate CAs in a verification chain. */
 //#define MBEDTLS_X509_MAX_FILE_PATH_LEN     512 /**< Maximum length of a path/filename string in bytes including the null terminator character ('\0'). */
 
+/**
+ * Allow SHA-1 in the default TLS configuration for certificate signing and
+ * TLS 1.2 handshake signature. Without this build-time option, SHA-1
+ * support must be activated explicitly through mbedtls_ssl_conf_cert_profile
+ * and mbedtls_ssl_conf_sig_hashes. The use of SHA-1 in TLS <= 1.1 and in
+ * HMAC-SHA-1 for XXX_SHA ciphersuites is always allowed by default.
+ */
+// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1
+
 /* \} name SECTION: Customisation configuration options */
 
 /* Target and application specific configurations */
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index b67ed4a29a..d5510472dd 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7162,7 +7162,7 @@ static int ssl_preset_default_hashes[] = {
     MBEDTLS_MD_SHA256,
     MBEDTLS_MD_SHA224,
 #endif
-#if defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1)
     MBEDTLS_MD_SHA1,
 #endif
     MBEDTLS_MD_NONE
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 234f14563e..4de9e85d7e 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -85,9 +85,11 @@ static void mbedtls_zeroize( void *v, size_t n ) {
  */
 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
 {
-    /* Hashes from SHA-1 and above */
+#if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1)
+    /* Allow SHA-1 (weak, but still safe in controlled environments) */
     MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
-    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 ) |
+#endif
+    /* Only SHA-2 hashes */
     MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
     MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
     MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |