Configure SSL Policy for Bolt server and HTTPS server
This section describes how to configure the SSL policy for Bolt and HTTPS servers.
Neo4j 3.5 allows encrypted connections with the default configuration. Self-signed certificates are automatically generated if no certificate is installed before a server starts. However, from 4.0 onwards, the default encryption setting is off and Neo4j no longer generates certificates when none are provided. As a result, the Bolt server only allows plaintext connections, and the HTTPS server is not enabled by default.
| | 3.5 Neo4j Bolt Server | 4.0 Neo4j Bolt Server | 3.5 Neo4j HTTPS Server | 4.0 Neo4j HTTPS Server |
|---|---|---|---|---|
| Server Enabled | Yes | Yes | Yes | No |
| Encryption on client connections | Optional | Not allowed | Always | Always |
| Certificates | Auto-generated self-signed certificates if not provided. | None | Auto-generated self-signed certificates if not provided. | None |
| Default Certificates Path | | None | | None |
| Default Certificate Names | | | | |
To re-enable encryption in 4.x, you have to configure the SSL policy in the neo4j.conf file.

The following example assumes certificates named public.crt and private.key in the folder $neo4jHome/certificates/bolt for the Bolt server, and certificates with the same file names in the folder $neo4jHome/certificates/https for the HTTPS server. It shows how to turn encryption back on for the Bolt server and re-enable the HTTPS server.
```
dbms.connector.bolt.enabled=true
# OPTIONAL allows both encrypted and unencrypted driver connections
dbms.connector.bolt.tls_level=OPTIONAL
dbms.ssl.policy.bolt.enabled=true
dbms.ssl.policy.bolt.base_directory=certificates/bolt
#dbms.ssl.policy.bolt.private_key=private.key # Optional if the file name is the same as the default.
#dbms.ssl.policy.bolt.public_certificate=public.crt # Optional if the file name is the same as the default.

dbms.connector.https.enabled=true
dbms.ssl.policy.https.enabled=true
dbms.ssl.policy.https.base_directory=certificates/https
#dbms.ssl.policy.https.private_key=private.key # Optional if the file name is the same as the default.
#dbms.ssl.policy.https.public_certificate=public.crt # Optional if the file name is the same as the default.
```
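A pre-start check for the settings above, written as an added example (it is not Neo4j tooling and not part of the original page). It parses a neo4j.conf, confirms that each enabled connector has an enabled SSL policy whose key and certificate files exist under the Neo4j home, and flags a Bolt `tls_level` that still admits plaintext. The function names, the sample configuration and the `/var/lib/neo4j` home are assumptions of the example.

```python
from pathlib import Path

# Default key/certificate file names as given on the page.
DEFAULT_FILES = {"private_key": "private.key", "public_certificate": "public.crt"}
# 4.0 connector defaults from the page's table: Bolt enabled, HTTPS not.
CONNECTOR_DEFAULT = {"bolt": "true", "https": "false"}

def parse_conf(text):
    """Parse key=value lines; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            # Drop a trailing " # note" (a convenience of this checker only).
            conf[key.strip()] = value.split(" #", 1)[0].strip()
    return conf

def audit(conf, neo4j_home):
    """Return a list of findings for the bolt and https connectors."""
    findings = []
    for scope in ("bolt", "https"):
        policy = f"dbms.ssl.policy.{scope}"
        if conf.get(f"dbms.connector.{scope}.enabled", CONNECTOR_DEFAULT[scope]).lower() != "true":
            findings.append(f"{scope}: connector disabled")
            continue
        if conf.get(f"{policy}.enabled", "false").lower() != "true":
            findings.append(f"{scope}: connector enabled but {policy}.enabled is not true")
            continue
        base_dir = conf.get(f"{policy}.base_directory")
        if base_dir is None:
            findings.append(f"{scope}: {policy}.base_directory is not set")
            continue
        for setting, default in DEFAULT_FILES.items():
            path = Path(neo4j_home) / base_dir / conf.get(f"{policy}.{setting}", default)
            if not path.is_file():
                findings.append(f"{scope}: missing {setting} at {path}")
        # DISABLED and REQUIRED are the setting's other values in Neo4j 4.x.
        level = conf.get("dbms.connector.bolt.tls_level", "DISABLED").upper()
        if scope == "bolt" and level != "REQUIRED":
            findings.append(f"bolt: tls_level={level} allows unencrypted connections")
    return findings

if __name__ == "__main__":
    # Constructed sample: Bolt policy as in the page's example, HTTPS left at 4.0 defaults.
    sample = "dbms.ssl.policy.bolt.enabled=true\ndbms.ssl.policy.bolt.base_directory=certificates/bolt\n"
    for finding in audit(parse_conf(sample), "/var/lib/neo4j"):  # hypothetical $neo4jHome
        print(finding)
```

Run against the page's configuration, the check reports the `OPTIONAL` TLS level as a finding, since drivers that do not request encryption are still accepted at that level.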