diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
index 8090828578df..3174bbae937e 100644
--- a/docs/root/version_history/current.rst
+++ b/docs/root/version_history/current.rst
@@ -9,6 +9,8 @@ Minor Behavior Changes
 ----------------------
 *Changes that may cause incompatibilities for some users, but should not for most*
 
+* tls: removed SHA-1 cipher suites from the server-side defaults.
+
 Bug Fixes
 ---------
 *Changes expected to improve the state of the world and are unlikely to have negative effects*
diff --git a/source/extensions/transport_sockets/tls/context_config_impl.cc b/source/extensions/transport_sockets/tls/context_config_impl.cc
index dcd87d3b9fb9..4500bb49e84e 100644
--- a/source/extensions/transport_sockets/tls/context_config_impl.cc
+++ b/source/extensions/transport_sockets/tls/context_config_impl.cc
@@ -369,16 +369,10 @@ const std::string ServerContextConfigImpl::DEFAULT_CIPHER_SUITES =
 "ECDHE-ECDSA-AES128-GCM-SHA256:"
 "ECDHE-RSA-AES128-GCM-SHA256:"
 #endif
- "ECDHE-ECDSA-AES128-SHA:"
- "ECDHE-RSA-AES128-SHA:"
 "AES128-GCM-SHA256:"
- "AES128-SHA:"
 "ECDHE-ECDSA-AES256-GCM-SHA384:"
 "ECDHE-RSA-AES256-GCM-SHA384:"
- "ECDHE-ECDSA-AES256-SHA:"
- "ECDHE-RSA-AES256-SHA:"
- "AES256-GCM-SHA384:"
- "AES256-SHA";
+ "AES256-GCM-SHA384:";
 
 const std::string ServerContextConfigImpl::DEFAULT_CURVES =
 #ifndef BORINGSSL_FIPS
diff --git a/test/extensions/transport_sockets/tls/ssl_socket_test.cc b/test/extensions/transport_sockets/tls/ssl_socket_test.cc
index 5244965da8f4..fc9c7cb08c0c 100644
--- a/test/extensions/transport_sockets/tls/ssl_socket_test.cc
+++ b/test/extensions/transport_sockets/tls/ssl_socket_test.cc
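Review bot: In context_config_impl.cc the new final element `"AES256-GCM-SHA384:";` ends DEFAULT_CIPHER_SUITES with a trailing `:`, where the removed final entry `"AES256-SHA";` had none. The separator looks carried over from the line's old position in the middle of the list; whether the cipher-list parser, and any code that splits this string on `:`, accepts an empty last element is not visible in this hunk, so I would write `"AES256-GCM-SHA384";`. The two static-RSA suites that remain (`AES128-GCM-SHA256`, `AES256-GCM-SHA384`) give no forward secrecy; if they are kept on purpose for older clients, a one-line comment above them saying so would record the decision. The definition starts outside the hunk.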
@@ -4487,6 +4487,12 @@ TEST_P(SslSocketTest, CipherSuites) {
 
 // Client connects with unsupported cipher suite, connection fails.
 client_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256");
+ client_params->add_cipher_suites("ECDHE-ECDSA-AES128-SHA");
+ client_params->add_cipher_suites("ECDHE-RSA-AES128-SHA");
+ client_params->add_cipher_suites("AES128-SHA");
+ client_params->add_cipher_suites("ECDHE-ECDSA-AES256-SHA");
+ client_params->add_cipher_suites("ECDHE-RSA-AES256-SHA");
+ client_params->add_cipher_suites("AES256-SHA");
 server_params->add_cipher_suites("ECDHE-RSA-CHACHA20-POLY1305");
 updateFilterChain(tls_context, *filter_chain);
 TestUtilOptionsV2 error_test_options(listener, client, false, GetParam());
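Review bot: The six SHA-1 suites added to the client list do not exercise the new server default, because this case gives the server an explicit suite with `server_params->add_cipher_suites("ECDHE-RSA-CHACHA20-POLY1305")`; as far as the hunk shows, the handshake fails the same way before and after the commit. A separate case that leaves the server's cipher_suites unset, offers only the SHA-1 suites from the client and expects the handshake to be rejected would pin the behaviour the changelog entry announces. A comment above the added lines such as `// SHA-1 suites were dropped from the server defaults; none of these may be selected.` would also explain why the client list grew. The test body starts and ends outside the hunk, so earlier setup of server_params is not visible here.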