diff --git a/ChangeLog.d/remove-enable-weak-ciphersuites.txt b/ChangeLog.d/remove-enable-weak-ciphersuites.txt
new file mode 100644
index 0000000000..97f63ebb8a
--- /dev/null
+++ b/ChangeLog.d/remove-enable-weak-ciphersuites.txt
@@ -0,0 +1,2 @@
+Removals
+   * Remove MBEDTLS_ENABLE_WEAK_CIPHERSUITES configuration option. Fixes #4416.
diff --git a/docs/3.0-migration-guide.d/remove-enable-weak-ciphersuites.md b/docs/3.0-migration-guide.d/remove-enable-weak-ciphersuites.md
new file mode 100644
index 0000000000..c3c3306234
--- /dev/null
+++ b/docs/3.0-migration-guide.d/remove-enable-weak-ciphersuites.md
@@ -0,0 +1,12 @@
+Remove the configuration to enable weak ciphersuites in SSL / TLS
+-----------------------------------------------------------------
+
+This does not affect users who use the default `config.h`, as this option was
+already off by default.
+
+If you were using a weak cipher, please switch to any of the modern,
+recommended ciphersuites (based on AES-GCM, AES-CCM or ChachaPoly for example)
+and if your peer doesn't support any, encourage them to upgrade their software.
+
+If you were using a ciphersuite without encryption, you just have to
+enable MBEDTLS_CIPHER_NULL_CIPHER now.