Document removed insecure cipher suites (#2656)

NataliaIvakina · web-flow · commit ae816a189ce1 · 2025-10-20T12:44:21.000+02:00
diff --git a/modules/ROOT/pages/changes-deprecations-removals.adoc b/modules/ROOT/pages/changes-deprecations-removals.adoc
@@ -650,3 +650,18 @@ The included *neo4j.count* metrics class replaces the deprecated *ids_in_use* me
 +
 For more information, see xref:monitoring/metrics/reference.adoc#db-data-count-metrics[Monitoring -> Metrics reference] and the tables _Database data count metrics_ and _Database data metrics_ respectively.
 
+
+[[ssl-framework-changes]]
+=== SSL framework
+
+Neo4j 2025.10::
+
+As of 2025.10, the Java 21 default cipher suites that use insecure CBC-based ciphers are removed from Neo4j:
+
+* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
+* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
++
+However, you still can use them by explicitly specifying their configuration and referencing them in your setup.
+
diff --git a/modules/ROOT/pages/security/ssl-framework.adoc b/modules/ROOT/pages/security/ssl-framework.adoc
@@ -1033,8 +1033,20 @@ One can set up a Neo4j configuration by specifying the list of cipher suites tha
 Valid values depend on the current JRE and SSL provider.
 For Oracle JRE here is the list of supported ones - https://docs.oracle.com/en/java/javase/21/docs/specs/security/standard-names.html#jsse-cipher-suite-names.
 
-Note that CBC (cipher block chaining)-based ciphers (RFC 8447), used in TLS v1.2 network encryption, are not supported in 2025.01.
-See xref:changes-deprecations-removals.adoc[] for more information.
+Note that CBC (cipher block chaining)-based ciphers (RFC 8447), used in TLS v1.2 network encryption, are not supported since 2025.01.
+See xref:changes-deprecations-removals.adoc#_ssl_framework[Changes, deprecations, and removals -> Breaking changes in SSL framework] for more information.
+
+[CAUTION]
+====
+Starting from 2025.10, the Java 21 default cipher suites that use insecure CBC-based ciphers are removed from Neo4j:
+
+* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
+* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+
+However, you still can use them by explicitly specifying their configuration and referencing them in your setup.
+====
 
 .Bolt
 [source, properties]
