diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index d885d213e..b38bd72e0 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -2943,8 +2943,9 @@ void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
  * \note           By default, all supported hashes whose length is at least
  *                 256 bits are allowed. This is the same set as the default
  *                 for certificate verification
- *                 (#mbedtls_x509_crt_profile_default). Larger hashes are
- *                 preferred.
+ *                 (#mbedtls_x509_crt_profile_default).
+ *                 The preference order is currently unspecified and may
+ *                 change in future versions.
  *
  * \param conf     SSL configuration
  * \param hashes   Ordered list of allowed signature hashes,
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 07569b240..3bbdcb086 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -6099,8 +6099,8 @@ void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )
 
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 /* The selection should be the same as mbedtls_x509_crt_profile_default in
- * x509_crt.c. Here, the order matters: larger hashes first, for consistency
- * with curves.
+ * x509_crt.c. Here, the order matters. Currently we favor stronger hashes,
+ * for no fundamental reason.
  * See the documentation of mbedtls_ssl_conf_curves() for what we promise
  * about this list. */
 static int ssl_preset_default_hashes[] = {