diff --git a/auth.go b/auth.go
index 8072e74..c6421ce 100644
--- a/auth.go
+++ b/auth.go
@@ -219,7 +219,7 @@ func signatureSchemesForCertificate(version uint16, cert *Certificate) []Signatu
 	}
 	// Filter out any unsupported signature algorithms, for example due to
-	// FIPS 140-3 policy, or any downstream changes to defaults.go.
+	// FIPS 140-3 policy, tlssha1=0, or any downstream changes to defaults.go.
 	supportedAlgs := supportedSignatureAlgorithms(version)
 	sigAlgs = slices.DeleteFunc(sigAlgs, func(sigAlg SignatureScheme) bool {
 		return !isSupportedSignatureAlgorithm(sigAlg, supportedAlgs)
@@ -239,7 +239,12 @@ func selectSignatureScheme(vers uint16, c *Certificate, peerAlgs []SignatureSche
 	if len(peerAlgs) == 0 && vers == VersionTLS12 {
 		// For TLS 1.2, if the client didn't send signature_algorithms then we
 		// can assume that it supports SHA1. See RFC 5246, Section 7.4.1.4.1.
-		peerAlgs = []SignatureScheme{PKCS1WithSHA1, ECDSAWithSHA1}
+		// RFC 9155 made signature_algorithms mandatory in TLS 1.2, and we gated
+		// it behind the tlssha1 GODEBUG setting.
+		// if tlssha1.Value() != "1" {
+		return 0, errors.New("tls: missing signature_algorithms from TLS 1.2 peer")
+		// }
+		// peerAlgs = []SignatureScheme{PKCS1WithSHA1, ECDSAWithSHA1}
 	}
 	// Pick signature scheme in the peer's preference order, as our
 	// preference order is not configurable.
diff --git a/defaults.go b/defaults.go
index 4a1230e..617235b 100644
--- a/defaults.go
+++ b/defaults.go
@@ -23,6 +23,8 @@ func defaultCurvePreferences() []CurveID {
 	return []CurveID{X25519MLKEM768, X25519, CurveP256, CurveP384, CurveP521}
 }
+//var tlssha1 = godebug.New("tlssha1")
+
 // defaultSupportedSignatureAlgorithms returns the signature and hash algorithms that
 // the code advertises and supports in a TLS 1.2+ ClientHello and in a TLS 1.2+
 // CertificateRequest. The two fields are merged to match with TLS 1.3.
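Review bot: In the selectSignatureScheme hunk the new comment says the SHA-1 fallback is "gated behind the tlssha1 GODEBUG setting", but the gate itself (`// if tlssha1.Value() != "1" {`) is commented out, so the `return 0, errors.New(...)` runs unconditionally and every TLS 1.2 peer that omits signature_algorithms is rejected; the retained RFC 5246 comment two lines above ("we can assume that it supports SHA1") now describes the opposite of what the code does. The same stale reference appears in the first hunk (`tlssha1=0` in the filter comment) and in the defaults.go hunk, where the `//var tlssha1 = godebug.New("tlssha1")` declaration is dead text rather than a setting — presumably because this package does not have internal/godebug available, though that is inferred. Suggest deleting the four commented-out lines and replacing both comment blocks with `// RFC 9155 made signature_algorithms mandatory in TLS 1.2; a peer that omits it is rejected rather than assumed to support SHA-1.`, and dropping `tlssha1=0,` from the filter comment unless a setting of that name actually exists in this tree. Since this is a deliberate hardening that breaks handshakes with legacy clients and there is no runtime opt-out, it is worth stating that in the package docs or release notes so operators can correlate the new "missing signature_algorithms" error with old clients. selectSignatureScheme and signatureSchemesForCertificate both start and end outside their hunks.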
@@ -39,8 +41,6 @@ func defaultSupportedSignatureAlgorithms() []SignatureScheme {
 		PKCS1WithSHA512,
 		ECDSAWithP384AndSHA384,
 		ECDSAWithP521AndSHA512,
-		PKCS1WithSHA1,
-		ECDSAWithSHA1,
 	}
 }