Neo4j SSL framework

This section describes breaking changes for the Neo4j SSL framework.

v3.x Change v4.x

The configuration settings and are used to disallow properties.


The Cypher® DENY command replaces the blocking functionality. Note that the DENY command must be applied while Neo4j is running.

For details, see Cypher Manual 4.0 → Graph and sub-graph access control.


This setting is replaced by two new settings: and

In v3.x, dbms.connector.https.enabled is set to true by default.

In v4.x, this setting is no longer true by default.

To enable Neo4j to listen for incoming connections on the HTTPS port, you have to set dbms.connector.https.enabled to true.

In v3.x, the different communication channels are secured independently from each other, using the following configuration settings:

bolt.ssl_policy=<policy name>
https.ssl_policy=<policy name>
causal_clustering.ssl_policy=<policy name>
dbms.backup.ssl_policy=<policy name>

In v4.x, these settings have been replaced by the setting dbms.ssl.policy.<scope>.enabled=true, where <scope> stands for the communication channel (bolt, https, cluster, or backup).

SSL support for Bolt and HTTPS using the legacy SSL system.


It is recommended to use the standard SSL configuration.

The dbms.directories.certificates setting is used to explicitly configure the directory that stores the private key and certificate files.


It is recommended to use the standard SSL configuration.



Neo4j no longer automatically generates a self-signed certificate.

For further details on the SSL framework changes, see Operations Manual → SSL framework.
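
The following Python script is an added example, not part of the Neo4j documentation: it scans a neo4j.conf fragment for the v3.x settings named above and reports the v4.x change that applies to each, including the case where an HTTPS policy is configured but dbms.connector.https.enabled is not set to true. The function names and the sample configuration are constructed for illustration.

```python
# Added example: audit a 3.x-style neo4j.conf against the 4.x changes on this page.
LEGACY_POLICY_KEYS = {  # v3.x key -> v4.x <scope>, in the order the page lists them
    "bolt.ssl_policy": "bolt",
    "https.ssl_policy": "https",
    "causal_clustering.ssl_policy": "cluster",
    "dbms.backup.ssl_policy": "backup",
}

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments; the last value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def audit(text):
    """Return (key, finding) tuples for settings affected by the 4.x changes."""
    conf = parse_conf(text)
    findings = []
    for key, scope in LEGACY_POLICY_KEYS.items():
        if key in conf:
            findings.append((key, f"replaced by dbms.ssl.policy.{scope}.enabled=true"))
    if "dbms.directories.certificates" in conf:
        findings.append(("dbms.directories.certificates",
                         "the page recommends the standard SSL configuration instead"))
    # HTTPS is wanted if either the old or the new HTTPS policy setting is present.
    https_wanted = ("https.ssl_policy" in conf
                    or conf.get("dbms.ssl.policy.https.enabled", "").lower() == "true")
    if https_wanted and conf.get("dbms.connector.https.enabled", "").lower() != "true":
        findings.append(("dbms.connector.https.enabled",
                         "no longer true by default; set it to true to listen on HTTPS"))
    return findings

# Constructed sample configuration (not taken from a real deployment).
SAMPLE_CONF = """\
# constructed 3.x-style fragment
bolt.ssl_policy=default
https.ssl_policy=default
dbms.directories.certificates=certificates
"""

if __name__ == "__main__":
    for key, finding in audit(SAMPLE_CONF):
        print(f"{key}: {finding}")
```

Because Neo4j v4.x no longer generates a self-signed certificate automatically, an enabled policy also needs its key and certificate files provisioned; this script checks the configuration file only.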