From 630a532ed251ade3070ac6c2f1a8ea8dc1864a0d Mon Sep 17 00:00:00 2001 From: Natalia Ivakina Date: Thu, 14 Nov 2024 14:03:09 +0100 Subject: [PATCH 1/2] Add deprecation note about CBC-based ciphers --- modules/ROOT/pages/security/ssl-framework.adoc | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/modules/ROOT/pages/security/ssl-framework.adoc b/modules/ROOT/pages/security/ssl-framework.adoc index 9d3f72b23..6bbe94b9e 100644 --- a/modules/ROOT/pages/security/ssl-framework.adoc +++ b/modules/ROOT/pages/security/ssl-framework.adoc @@ -1084,6 +1084,21 @@ One can set up a Neo4j configuration by specifying the list of cipher suites tha Valid values depend on the current JRE and SSL provider. For Oracle JRE here is the list of supported ones - https://docs.oracle.com/en/java/javase/17/docs/specs/security/standard-names.html#jsse-cipher-suite-names. +[IMPORTANT] +==== +label:deprecated[Deprecated in 5.26] + +CBC (cipher block chaining) ciphers, as used in TLS v1.2 network encryption, have several security vulnerabilities that make them less secure compared to the alternative methods. +The Internet Engineering Task Force (IETF) doesn't recommend using CBC-based ciphers (RFC 8447), and these ciphers were removed from the TLS standard with the development of TLS v1.3. + +Note that the use of the following CBC-based ciphers has been deprecated in Neo4j 5.26: + +* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 +* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 +* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 +* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +==== + .Bolt [source, properties] ---- From c35946ec88eb85a6944d0f0bad2c383ad50f2c8f Mon Sep 17 00:00:00 2001 From: NataliaIvakina <82437520+NataliaIvakina@users.noreply.github.com> Date: Thu, 14 Nov 2024 14:24:57 +0100 Subject: [PATCH 2/2] Update modules/ROOT/pages/security/ssl-framework.adoc --- modules/ROOT/pages/security/ssl-framework.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ROOT/pages/security/ssl-framework.adoc b/modules/ROOT/pages/security/ssl-framework.adoc index 6bbe94b9e..b0a01c25a 100644 --- a/modules/ROOT/pages/security/ssl-framework.adoc +++ b/modules/ROOT/pages/security/ssl-framework.adoc @@ -1088,7 +1088,7 @@ For Oracle JRE here is the list of supported ones - https://docs.oracle.com/en/j ==== label:deprecated[Deprecated in 5.26] -CBC (cipher block chaining) ciphers, as used in TLS v1.2 network encryption, have several security vulnerabilities that make them less secure compared to the alternative methods. +CBC (cipher block chaining) ciphers, as used in TLS v1.2 network encryption, have several security vulnerabilities that make them less secure than alternative methods. The Internet Engineering Task Force (IETF) doesn't recommend using CBC-based ciphers (RFC 8447), and these ciphers were removed from the TLS standard with the development of TLS v1.3. Note that the use of the following CBC-based ciphers has been deprecated in Neo4j 5.26: