14 changes: 14 additions & 0 deletions modules/ROOT/pages/changes-deprecations-removals.adoc
Expand Up @@ -650,3 +650,17 @@ The included *neo4j.count* metrics class replaces the deprecated *ids_in_use* me
+
For more information, see xref:monitoring/metrics/reference.adoc#db-data-count-metrics[Monitoring -> Metrics reference] and the tables _Database data count metrics_ and _Database data metrics_ respectively.


[[ssl-framework-changes]]
=== SSL framework

Neo4j 2025.10::

As of 2025.10, the Java 21 default cipher suites that use insecure CBC-based ciphers are removed from Neo4j:
Contributor


We need to say that the ciphers are removed by default. But if a user specifies a cipher config and explicitly references these ciphers then they can use them still.


* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
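
Review bot: The new "Neo4j 2025.10::" entry lists the four removed CBC suites but gives operators no pointer to where cipher suites are configured, so someone running with a pinned cipher list cannot tell from this page what to check after upgrading. Consider adding an xref to security/ssl-framework.adoc next to the "As of 2025.10, ..." sentence, and stating in that same sentence whether the removal applies to the default set only, as the inline comment on this hunk asks.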


14 changes: 12 additions & 2 deletions modules/ROOT/pages/security/ssl-framework.adoc
Expand Up @@ -1033,8 +1033,18 @@ One can set up a Neo4j configuration by specifying the list of cipher suites tha
Valid values depend on the current JRE and SSL provider.
For Oracle JRE here is the list of supported ones - https://docs.oracle.com/en/java/javase/21/docs/specs/security/standard-names.html#jsse-cipher-suite-names.

Note that CBC (cipher block chaining)-based ciphers (RFC 8447), used in TLS v1.2 network encryption, are not supported in 2025.01.
See xref:changes-deprecations-removals.adoc[] for more information.
Note that CBC (cipher block chaining)-based ciphers (RFC 8447), used in TLS v1.2 network encryption, are not supported since 2025.01.
See xref:changes-deprecations-removals.adoc#_ssl_framework[Changes, deprecations, and removals -> Breaking changes in SSL framework] for more information.

[CAUTION]
====
Starting from 2025.10, the Java 21 default cipher suites that use insecure CBC-based ciphers are removed from Neo4j:

* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
====

.Bolt
[source, properties]
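
Review bot: The fragment in the changed "See xref:changes-deprecations-removals.adoc#_ssl_framework[...]" line does not match the explicit anchor this PR adds in the other file, `[[ssl-framework-changes]]`, so the link may not resolve to the new section. Suggest `xref:changes-deprecations-removals.adoc#ssl-framework-changes[...]`, with link text that matches the target heading "SSL framework" rather than "Breaking changes in SSL framework". Separately, "not supported since 2025.01" sits directly above a CAUTION block saying the CBC suites are removed "Starting from 2025.10", which reads as two different cut-off versions; one sentence reconciling the two would help readers auditing their TLS configuration.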