diff --git a/ChangeLog.txt b/ChangeLog.txt
index e4dc155b..9e1d91b2 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -70,6 +70,9 @@ Broker:
   Previously update intervals were aligned to the time the broker was started.
 - Add `log_dest android` for logging to the Android logd daemon.
 - Fix some retained topic memory not being cleared immediately after used.
+- TLS v1.1 now not enabled by default. It is still possible to explicitly
+  choose TLS v1.1, but this is not recommended and will be removed in a future
+  version.
 
 Plugins / plugin interface:
 - Add persist-sqlite plugin.
@@ -153,6 +156,9 @@ Client library:
 - `mosquitto_property_read_binary/string/string_pair` will now set the name/value parameter to NULL if the binary/string is empty. This aligns the behaviour with other property functions. Closes #2648.
+- TLS v1.1 now not enabled by default. It is still possible to explicitly
+  choose TLS v1.1, but this is not recommended and will be removed in a future
+  version.
 
 Clients:
 - Add `-W` timeout support to Windows.
diff --git a/lib/net_mosq.c b/lib/net_mosq.c
index 894d1d14..e3bdb8f8 100644
--- a/lib/net_mosq.c
+++ b/lib/net_mosq.c
@@ -697,7 +697,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 #endif
 
 	if(!mosq->tls_version){
-		SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
+		SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
 #ifdef SSL_OP_NO_TLSv1_3
 	}else if(!strcmp(mosq->tls_version, "tlsv1.3")){
 		SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
diff --git a/man/mosquitto.conf.5.xml b/man/mosquitto.conf.5.xml
index 9747f43a..dc89b1bb 100644
--- a/man/mosquitto.conf.5.xml
+++ b/man/mosquitto.conf.5.xml
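Review bot: The widened default mask in `net__init_ssl_ctx` carries no comment saying why the floor is now TLS 1.2, so a later reader cannot tell a deliberate policy from a stray copy of another branch; suggest `/* Default floor is TLS 1.2: TLS 1.0/1.1 are deprecated (RFC 8996) and are only negotiated when tls_version selects them explicitly. */` above `if(!mosq->tls_version){`, and the same comment on the matching hunk in `src/net.c` (`net__tls_server_ctx`). Expressing the floor as an `SSL_OP_NO_*` mask means every legacy version has to be enumerated and each future deprecation edits this list in two files; where the build targets OpenSSL 1.1.0 or later, `SSL_CTX_set_min_proto_version(mosq->ssl_ctx, TLS1_2_VERSION)` states the intent directly, though I cannot see from the hunk whether the file keeps a compatibility path for older OpenSSL, so it would need the existing `#ifdef` treatment. The explicit `tlsv1.1` branch the ChangeLog says remains selectable lies outside the hunk and is now the only path that still negotiates TLS 1.1, which is worth a pointer in the same comment. Both enclosing functions start before and end after their hunks.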
@@ -1670,7 +1670,7 @@ openssl dhparam -out dhparam.pem 2048
	tlsv1.3, tlsv1.2 and tlsv1.1. If left unset,
-	the default of allowing TLS v1.3 and v1.2.
+	the default is to allow TLS v1.3 and v1.2.
	In Mosquitto version 1.6.x and earlier, this option set the only TLS protocol version that was allowed, rather than the minimum.
diff --git a/src/net.c b/src/net.c
index f79b7ebc..cc66901a 100644
--- a/src/net.c
+++ b/src/net.c
@@ -377,7 +377,7 @@ int net__tls_server_ctx(struct mosquitto__listener *listener)
 #endif
 
 	if(listener->tls_version == NULL){
-		SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
+		SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
 #ifdef SSL_OP_NO_TLSv1_3
 	}else if(!strcmp(listener->tls_version, "tlsv1.3")){
 		SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);