I've got a bunch of java apps that run on a single server.

I'd like to disable TLSv1 and other insecure protocols by default for all apps on the server, but allow some apps to override this using a command line argument.

For example, I can use a line like so in my java.security file in the JVM to disable TLSv1 for all apps by default.

jdk.tls.disabledAlgorithms=TLSv1, SSLv3

I then tried to use the jdk.tls.client.protocols property to enable it for some apps, but it doesnt seem to override what was set in the JRE.

e.g. This doesn't use TLSv1 if I've disabled it in java.security

java -Djdk.tls.client.protocols=TLSv1 MyTestApp

Can this be done? Or do I need to take a different approach?

It appears I can use the following command line arg to do this. I thought I'd tried this recently and it didn't work, but I tried again today and it seems to ;-)

java -Djava.security.properties=disabled_tlsv1.properties MyTestApp

where disabled_tlsv1.properties is a file that contains the same line you would've put in your java.security file

disabled_tlsv1.properties

jdk.tls.disabledAlgorithms=TLSv1, SSLv3, RC4

I assume you meant the commandline option to be -D... (with hyphen); D... doesn't work.

Yes, the security properties take precedence. The only way to re-enable TLSv1 is to change the security property, and there is no standard option for that. correction: you're right, but I'll leave this as an alternate.

What you could do is write an agent which calls Security.setProperty() (at JVM startup) invoked by a -javaagent commandline option. Note this applies JVM-wide; different apps can be different only if/when they are in different JVM processes.