Commit 58bcb0e

apply suggestions from review
1 parent d4f682f commit 58bcb0e

2 files changed

+23
-16
lines changed

modules/ROOT/pages/backup-restore/online-backup.adoc

Lines changed: 5 additions & 4 deletions
@@ -309,8 +309,9 @@ For more information on how to configure SSL in Neo4j, see xref:security/ssl-fra
309309

310310
Configuration for the backup server should be added to the _neo4j.conf_ file and configuration for backup client to the _neo4j-admin.conf_ file.
311311
The easiest way to ensure compatibility is to use the same SSL policy configuration for both the server and the client.
312-
However, this approach is not recommended for production environments, where it is better to use Certificate Authorities (CAs) to sign the certificates used by both the server and the client.
313-
For details, see xref:security/ssl-framework.adoc[SSL framework].
312+
For production environments, it is recommended to use Certificate Authorities (CAs) to sign certificates rather than self-signed certificates.
313+
314+
314315

315316
The default backup port is 6362, configured with key `server.backup.listen_address`.
316317
The SSL configuration policy has the key of `dbms.ssl.policy.backup`.
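Review bot: the replacement at 312+ drops the cross-reference that the removed line 313- carried (xref:security/ssl-framework.adoc[SSL framework]); the new sentence still tells the reader to prefer CA-signed certificates but no longer points at the page that explains how to set that up, so consider keeping the link, e.g. `For details, see xref:security/ssl-framework.adoc[SSL framework].` Also, 313+ and 314+ both appear empty and are followed by the existing blank line at 315, which leaves three consecutive blank lines before the `The default backup port is 6362` paragraph; one blank line is enough in AsciiDoc.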
@@ -323,7 +324,7 @@ As an example, add the following content to your _neo4j.conf_ and _neo4j-admin.c
323324
dbms.ssl.policy.backup.enabled=true
324325
dbms.ssl.policy.backup.client_auth=REQUIRE
325326
dbms.ssl.policy.backup.tls_versions=TLSv1.2,TLSv1.3
326-
dbms.ssl.policy.backup.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
327+
dbms.ssl.policy.backup.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
327328
----
328329

329330
.Client configuration in _neo4j-admin.conf_
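Review bot: the rationale for dropping `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384` from the example at 327+ is not stated anywhere in this commit; a reader comparing old and new docs will not know whether the DHE suite is now unsupported, merely discouraged, or simply omitted for brevity. Consider adding one sentence near the example (or in the ssl-framework.adoc section this page links to) saying why only ECDHE suites are listed, and note that the server list here and the client list in the next hunk must stay identical or the handshake will not negotiate a common suite.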
@@ -332,7 +333,7 @@ dbms.ssl.policy.backup.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE
332333
dbms.ssl.policy.backup.enabled=true
333334
dbms.ssl.policy.backup.client_auth=REQUIRE
334335
dbms.ssl.policy.backup.tls_versions=TLSv1.2,TLSv1.3
335-
dbms.ssl.policy.backup.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
336+
dbms.ssl.policy.backup.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
336337
----
337338

338339
[TIP]

modules/ROOT/pages/security/ssl-framework.adoc

Lines changed: 18 additions & 12 deletions
@@ -846,15 +846,21 @@ However, if your backup communication uses a different port, you need to enable
846846
847847
When setting up SSL for backup communication, you can choose between two options for certificates:
848848
849-
* self-signed certificates -- This is typically the case where the system is fully internal (not internet-facing), you control both ends of the connection, and the distribution of certificates can be automated and secured.
850-
* certificates signed by a certificate authority (CA) -- This is typically the case where at least one end of the connection is internet-facing, and you want to use certificates signed by a trusted CA to avoid security flaws associated with self-signed certificates.
849+
* self-signed certificates -- This is typically the case where you control both ends of the connection, and the distribution of certificates can be automated and secured.
850+
However, self-signed certificates do not verify the identity of the server, so they cannot be trusted by clients and are vulnerable to man-in-the-middle attacks.
851+
* certificates signed by a certificate authority (CA) -- more secure option, because a known trusted authority verifies the identity of the server, ensuring authenticity and preventing impersonation.
851852
852-
There are three possible approaches to set up SSL for backup communication:
853853
854-
* Use the same self-signed certificates in the _trusted_dir_ on both the backup server and client.
855-
* Mirror the self-signed certificates if you want mutual TLS.
856-
This means, the server has the client's certificates in its _trusted_dir_, and the client has the server's certificates in its _trusted_dir_.
857-
* Use a certificate authority (CA) to signs both the client's and server's certificates.
854+
You can configure SSL for backup communication in one of the following ways:
855+
856+
* Use the same certificates in the _trusted_dir_ on both the backup server and client. +
857+
This approach is simpler to configure but less secure, as both ends share the same identity and trust the same certificate.
858+
859+
* Mirror the certificates on the backup server and client to achieve mutual authentication. +
860+
Add the server certificate to the client's _trusted_dir_ and the client certificate to the server's _trusted_dir_.
861+
This way, the server validates the client's certificate in addition to the typical normal TLS where only the client validates the server's certificate.
862+
863+
* Use a certificate authority (CA) to sign both the client's and server's certificates.
858864
In this case, the _trusted_dir_ must contain only the CA or intermediate certificates.
859865
860866
==== Set up SSL certificates for backup
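Review bot: the new sentence at 850+ ("self-signed certificates do not verify the identity of the server, so they cannot be trusted by clients and are vulnerable to man-in-the-middle attacks") contradicts the procedure that follows at 856+ and 859+, where the self-signed certificate is placed in the peer's _trusted_dir_ precisely so that the client (and, with mirroring, the server) does verify the peer's identity by pinning that exact certificate. The real weakness is the distribution step: if the certificate is not delivered to the _trusted_dir_ over a secure channel, or if a client is configured to accept any certificate, an attacker can present their own. Suggest rewording to something like `Self-signed certificates give no third-party assurance of identity; a peer can only be verified if its exact certificate has been securely distributed to the _trusted_dir_, so an insecure distribution step exposes the connection to man-in-the-middle attacks.` Minor wording at 861+: `the typical normal TLS` reads doubled; `standard TLS, where only the client validates the server's certificate` is clearer.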
@@ -1014,7 +1020,7 @@ dbms.ssl.policy.backup.private_key=private.key
10141020
dbms.ssl.policy.backup.public_certificate=public.crt
10151021
dbms.ssl.policy.backup.client_auth=REQUIRE
10161022
dbms.ssl.policy.backup.tls_versions=TLSv1.2,TLSv1.3
1017-
dbms.ssl.policy.backup.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
1023+
dbms.ssl.policy.backup.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
10181024
----
10191025
10201026
[[ssl-other-configs]]
@@ -1112,25 +1118,25 @@ However, you still can use them by explicitly specifying their configuration and
11121118
.Bolt
11131119
[source, properties]
11141120
----
1115-
dbms.ssl.policy.bolt.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
1121+
dbms.ssl.policy.bolt.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA3844
11161122
----
11171123
11181124
.HTTPS
11191125
[source, properties]
11201126
----
1121-
dbms.ssl.policy.https.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
1127+
dbms.ssl.policy.https.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA3844
11221128
----
11231129
11241130
.Intra-cluster encryption
11251131
[source, properties]
11261132
----
1127-
dbms.ssl.policy.cluster.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
1133+
dbms.ssl.policy.cluster.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA3844
11281134
----
11291135
11301136
.Backup
11311137
[source, properties]
11321138
----
1133-
dbms.ssl.policy.backup.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
1139+
dbms.ssl.policy.backup.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA3844
11341140
----
11351141
11361142
[[ssl-ocsp-config]]
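Review bot: all four replacement lines (1121+, 1127+, 1133+, 1139+) end in `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA3844`, with an extra `4`; the correct IANA suite name is `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, as used in the other hunks of this commit. A user copying these lines would get a cipher list containing an unknown suite name, and depending on how the unknown name is handled the policy could fail to load or silently drop that suite, leaving only the ECDSA suite usable for RSA-certificate deployments. Please fix the typo in all four blocks.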
