neo4j · NataliaIvakina · Nov 14, 2024 · Nov 14, 2024 · Nov 14, 2024
diff --git a/modules/ROOT/pages/security/ssl-framework.adoc b/modules/ROOT/pages/security/ssl-framework.adoc
@@ -1084,6 +1084,21 @@ One can set up a Neo4j configuration by specifying the list of cipher suites tha
 Valid values depend on the current JRE and SSL provider.
 For Oracle JRE here is the list of supported ones - https://docs.oracle.com/en/java/javase/17/docs/specs/security/standard-names.html#jsse-cipher-suite-names.
 
+[IMPORTANT]
+====
+label:deprecated[Deprecated in 5.26]
+
+CBC (cipher block chaining) ciphers, as used in TLS v1.2 network encryption, have several security vulnerabilities that make them less secure compared to the alternative methods.
+The Internet Engineering Task Force (IETF) doesn't recommend using CBC-based ciphers (RFC 8447), and these ciphers were removed from the TLS standard with the development of TLS v1.3.
+
+Note that the use of the following CBC-based ciphers has been deprecated in Neo4j 5.26:
+
+* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
+* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+====
+
 .Bolt
 [source, properties]
 ----