I've got a bunch of java apps that run on a single server.
I'd like to disable TLSv1 and other insecure protocols by default for all apps on the server, but allow some apps to override this using a command line argument.
For example, I can use a line like so in my java.security file in the JVM to disable TLSv1 for all apps by default.
jdk.tls.disabledAlgorithms=TLSv1, SSLv3
I then tried to use the jdk.tls.client.protocols property to enable it for some apps, but it doesn't seem to override what was set in the JRE.
e.g. This doesn't use TLSv1 if I've disabled it in java.security
java -Djdk.tls.client.protocols=TLSv1 MyTestApp
Can this be done? Or do I need to take a different approach?
It appears I can use the following command line arg to do this. I thought I'd tried this recently and it didn't work, but I tried again today and it seems to ;-)
java -Djava.security.properties=disabled_tlsv1.properties MyTestApp
where disabled_tlsv1.properties is a file that contains the same line you would've put in your java.security file.
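A quick way to confirm which configuration a given JVM invocation actually ends up with is to ask JSSE what it has enabled. The following check program is an added example, not code from the question or the answer above; the class name, the file name enable_tlsv1.properties and its contents are assumptions for illustration.

```java
// TlsProtocolCheck.java (added example, hypothetical name)
//
// Build and run (assumed file names):
//   javac TlsProtocolCheck.java
//   java TlsProtocolCheck                                            # uses the JDK's java.security as-is
//   java -Djava.security.properties=enable_tlsv1.properties TlsProtocolCheck
// where enable_tlsv1.properties (constructed for this example) contains one line:
//   jdk.tls.disabledAlgorithms=SSLv3
// i.e. the same key as in java.security, but with TLSv1 left out of the list.
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class TlsProtocolCheck {

    /** Returns true if the default SSLContext of this JVM will negotiate TLSv1. */
    static boolean tlsv1Enabled() throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true);
        return Arrays.asList(engine.getEnabledProtocols()).contains("TLSv1");
    }

    public static void main(String[] args) throws Exception {
        // What the JVM was started with (null when the flag was not given).
        System.out.println("java.security.properties   = "
                + System.getProperty("java.security.properties"));
        // The effective security property after java.security and any override file.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        // The system property from the question; it only chooses among protocols
        // that are not already disabled by the security property above.
        System.out.println("jdk.tls.client.protocols   = "
                + System.getProperty("jdk.tls.client.protocols"));

        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true);
        System.out.println("supported protocols        = "
                + Arrays.toString(engine.getSupportedProtocols()));
        System.out.println("enabled protocols          = "
                + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("TLSv1 enabled in this JVM  = " + tlsv1Enabled());
    }
}
```

Two things worth knowing when using this override: the value in the file given by -Djava.security.properties replaces the whole jdk.tls.disabledAlgorithms entry from java.security rather than merging with it, so every other algorithm you still want disabled (SSLv3, weak key sizes, etc.) has to be restated in that file; and the override file is only honoured while security.overridePropertiesFile=true in java.security, which is the JDK default.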
I assume you meant the commandline option to be -D... (with hyphen); D... doesn't work.

Yes, the security properties take precedence. The only way to re-enable TLSv1 is to change the security property, and there is no standard option for that.

Correction: you're right, but I'll leave this as an alternate.

What you could do is write an agent which calls Security.setProperty() (at JVM startup) invoked by a -javaagent commandline option. Note this applies JVM-wide; different apps can be different only if/when they are in different JVM processes.
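The agent alternative mentioned in the comments above, written out as an added example (not code from any commenter; the class name, jar name and manifest are assumptions). It strips the exact entry TLSv1 from jdk.tls.disabledAlgorithms while keeping everything else in the list, so SSLv3 and the other defaults stay disabled:

```java
// EnableTlsv1Agent.java (added example, hypothetical name)
//
// Build (assumed names):
//   javac EnableTlsv1Agent.java
//   printf 'Premain-Class: EnableTlsv1Agent\n' > manifest.txt
//   jar cfm enable-tlsv1-agent.jar manifest.txt EnableTlsv1Agent.class
// Run only the apps that need TLSv1 with:
//   java -javaagent:enable-tlsv1-agent.jar MyTestApp
import java.lang.instrument.Instrumentation;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

public class EnableTlsv1Agent {

    static final String KEY = "jdk.tls.disabledAlgorithms";

    /**
     * Rebuilds the comma-separated list without the entry "TLSv1".
     * Entries are compared whole, so "TLSv1.1" is not touched.
     * Returns null when the property is not set at all.
     */
    static String withoutTlsv1(String value) {
        if (value == null) {
            return null;
        }
        List<String> kept = new ArrayList<>();
        for (String entry : value.split(",")) {
            String e = entry.trim();
            if (!e.isEmpty() && !e.equals("TLSv1")) {
                kept.add(e);
            }
        }
        return String.join(", ", kept);
    }

    /** Runs before main(), i.e. before any TLS code in the app has initialised. */
    public static void premain(String agentArgs, Instrumentation inst) {
        String before = Security.getProperty(KEY);
        String after = withoutTlsv1(before);
        if (after != null && !after.equals(before)) {
            Security.setProperty(KEY, after);
        }
        System.err.println("[EnableTlsv1Agent] " + KEY + ": " + before + " -> " + after);
    }
}
```

JSSE reads this security property into static state the first time it is used, so the change must happen before the application touches SSLContext or any TLS socket; running it from premain guarantees that ordering, whereas calling Security.setProperty() later from inside the app does not.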