From a60b7036ac92e8b557127f4035cdf3aa4dcc911d Mon Sep 17 00:00:00 2001 From: Natalia Ivakina Date: Tue, 14 Oct 2025 09:54:37 +0200 Subject: [PATCH 1/3] Document removed insecure cipher suites --- .../ROOT/pages/changes-deprecations-removals.adoc | 14 ++++++++++++++ modules/ROOT/pages/security/ssl-framework.adoc | 14 ++++++++++++-- 2 files changed, 26 insertions(+), 2 deletions(-) diff --git a/modules/ROOT/pages/changes-deprecations-removals.adoc b/modules/ROOT/pages/changes-deprecations-removals.adoc index 678d11996..14f1482d1 100644 --- a/modules/ROOT/pages/changes-deprecations-removals.adoc +++ b/modules/ROOT/pages/changes-deprecations-removals.adoc @@ -650,3 +650,17 @@ The included *neo4j.count* metrics class replaces the deprecated *ids_in_use* me + For more information, see xref:monitoring/metrics/reference.adoc#db-data-count-metrics[Monitoring -> Metrics reference] and the tables _Database data count metrics_ and _Database data metrics_ respectively. + +[[ssl-framework-changes]] +=== SSL framework + +Neo4j 2025.10:: + +As of 2025.10, the Java 21 default cipher suites that use insecure CBC-based ciphers are removed from Neo4j: + +* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 +* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 +* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 +* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 + + diff --git a/modules/ROOT/pages/security/ssl-framework.adoc b/modules/ROOT/pages/security/ssl-framework.adoc index a6c7dc65b..4ee75125a 100644 --- a/modules/ROOT/pages/security/ssl-framework.adoc +++ b/modules/ROOT/pages/security/ssl-framework.adoc 
@@ -1033,8 +1033,18 @@ One can set up a Neo4j configuration by specifying the list of cipher suites tha Valid values depend on the current JRE and SSL provider. For Oracle JRE here is the list of supported ones - https://docs.oracle.com/en/java/javase/21/docs/specs/security/standard-names.html#jsse-cipher-suite-names. -Note that CBC (cipher block chaining)-based ciphers (RFC 8447), used in TLS v1.2 network encryption, are not supported in 2025.01. -See xref:changes-deprecations-removals.adoc[] for more information. +Note that CBC (cipher block chaining)-based ciphers (RFC 8447), used in TLS v1.2 network encryption, are not supported since 2025.01. +See xref:changes-deprecations-removals.adoc#_ssl_framework[Changes, deprecations, and removals -> Breaking changes in SSL framework] for more information. + +[CAUTION] +==== +Starting from 2025.10, the Java 21 default cipher suites that use insecure CBC-based ciphers are removed from Neo4j: + +* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 +* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 +* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 +* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +==== .Bolt [source, properties] From cd618f413bae1d12c7be7d81d2604f4c8449f376 Mon Sep 17 00:00:00 2001 From: Natalia Ivakina <82437520+NataliaIvakina@users.noreply.github.com> Date: Wed, 15 Oct 2025 14:20:15 +0200 Subject: [PATCH 2/3] Apply suggestions from code review Clarify that ciphers remain available if you define them in the config --- modules/ROOT/pages/changes-deprecations-removals.adoc | 1 + modules/ROOT/pages/security/ssl-framework.adoc | 2 ++ 2 files changed, 3 insertions(+) diff --git a/modules/ROOT/pages/changes-deprecations-removals.adoc b/modules/ROOT/pages/changes-deprecations-removals.adoc index 14f1482d1..1b237e6a8 100644 --- a/modules/ROOT/pages/changes-deprecations-removals.adoc +++ b/modules/ROOT/pages/changes-deprecations-removals.adoc 
@@ -663,4 +663,5 @@ As of 2025.10, the Java 21 default cipher suites that use insecure CBC-based cip * TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 * TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +However, you still can use them by explicitly specifying their configuration and referencing them in your setup. diff --git a/modules/ROOT/pages/security/ssl-framework.adoc b/modules/ROOT/pages/security/ssl-framework.adoc index 4ee75125a..ffd78dddb 100644 --- a/modules/ROOT/pages/security/ssl-framework.adoc +++ b/modules/ROOT/pages/security/ssl-framework.adoc @@ -1044,6 +1044,8 @@ Starting from 2025.10, the Java 21 default cipher suites that use insecure CBC-b * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 * TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 * TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 + +However, you still can use them by explicitly specifying their configuration and referencing them in your setup. ==== .Bolt From f6ac0e445f7aa4d0ad59fa4bbd71f0c80aa960a2 Mon Sep 17 00:00:00 2001 From: Natalia Ivakina <82437520+NataliaIvakina@users.noreply.github.com> Date: Wed, 15 Oct 2025 14:27:14 +0200 Subject: [PATCH 3/3] syntax fix --- modules/ROOT/pages/changes-deprecations-removals.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ROOT/pages/changes-deprecations-removals.adoc b/modules/ROOT/pages/changes-deprecations-removals.adoc index 1b237e6a8..f494a6e0a 100644 --- a/modules/ROOT/pages/changes-deprecations-removals.adoc +++ b/modules/ROOT/pages/changes-deprecations-removals.adoc @@ -662,6 +662,6 @@ As of 2025.10, the Java 21 default cipher suites that use insecure CBC-based cip * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 * TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 * TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - ++ However, you still can use them by explicitly specifying their configuration and referencing them in your setup.
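Review bot: In the first hunk of changes-deprecations-removals.adoc (@@ -650,3 +650,17 @@, PATCH 1/3) the new section declares the explicit anchor `[[ssl-framework-changes]]`, but the xref added in ssl-framework.adoc in the same commit points at `#_ssl_framework`, the auto-generated id; use the explicit anchor in the xref (`xref:changes-deprecations-removals.adoc#ssl-framework-changes[...]`) so the link does not break if the heading text changes. The sentence "are removed from Neo4j" also overstates the change: PATCH 2/3 clarifies that the suites can still be enabled by explicit configuration, so "are removed from the default cipher suite list" describes what actually happens. Finally, the hunk ends with two blank lines before the next `diff --git`; one is enough and matches the rest of the file.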
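Review bot: The ssl-framework.adoc hunk in PATCH 1/3 (@@ -1033,8 +1033,18 @@) now reads as contradictory: the reworded line says CBC-based ciphers "are not supported since 2025.01", and the CAUTION block directly below says the CBC-based suites are "removed from Neo4j" only "Starting from 2025.10". State the relationship explicitly, for example that 2025.01 stopped supporting CBC suites by default and 2025.10 drops the four listed Java 21 default suites, and keep the verb consistent with the clarification in PATCH 2/3 (removed from the defaults, still configurable). The xref text "Changes, deprecations, and removals -> Breaking changes in SSL framework" does not match the heading the other file adds (`=== SSL framework`); align the link text with the heading, and target the explicit `ssl-framework-changes` anchor rather than `#_ssl_framework`.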
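Review bot: The sentence added in PATCH 2/3 to both files, "However, you still can use them by explicitly specifying their configuration and referencing them in your setup.", should read "you can still use them", and "specifying their configuration and referencing them in your setup" is vague: the surrounding context in ssl-framework.adoc ("specifying the list of cipher suites") names the mechanism, so say that the suites must be listed explicitly in the SSL policy's cipher suite setting. Since the same paragraph calls these suites insecure, it is worth adding one clause that listing them re-enables the weakness the removal addresses, so readers do not treat the opt-in as a no-cost compatibility switch.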
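Review bot: In PATCH 3/3 (@@ -662,6 +662,6 @@) the blank line before "However, ..." is replaced by a `+` list continuation, which attaches the paragraph to the immediately preceding bullet (`* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256`) rather than to the `Neo4j 2025.10::` entry, so it will render indented under the last cipher suite. Check the rendered page; if the paragraph is meant to belong to the `Neo4j 2025.10::` item, as the existing `+` before "For more information, see ..." at line 650 does for its entry, the continuation needs to be placed so that it attaches to the description-list item rather than to the nested bullet. Note also that the matching sentence in ssl-framework.adoc (PATCH 2/3) keeps a blank line before "However", so the two files now differ in structure for the same text.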