diff --git a/ChangeLog b/ChangeLog
index 8fbdabf4e..b0900d2a0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -26,7 +26,8 @@ Changes
    * Remove test program o_p_test, the script compat.sh does more.
    * Remove test program ssl_test, superseded by ssl-opt.sh.
    * Remove helper script active-config.pl
-   * RC4 is now disabled by default in the SSL/TLS layer.
+   * RC4 is now blacklisted by default in the SSL/TLS layer, and excluded from the
+     default ciphersuite list returned by ssl_list_ciphersuites()
 
 = mbed TLS 1.3 branch
 
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 8b2a858e4..32a9ffff7 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -365,7 +365,7 @@
  *
  * Uncomment this macro to remove RC4 ciphersuites by default.
  */
-//#define POLARSSL_REMOVE_ARC4_CIPHERSUITES
+#define POLARSSL_REMOVE_ARC4_CIPHERSUITES
 
 /**
  * \def POLARSSL_ECP_XXXX_ENABLED