crypto-policies

Java disabledAlgorithms gotcha

When you want to set security properties for Java, you can do this through a properties file and include it in the Java options.
I'll show you how below. Normally these properties are loaded and used, but there are exceptions on some Linux distros,
especially when update-crypto-policies is used.

For example:

cat /etc/app/java.security
jdk.tls.disabledAlgorithms = SSLv2Hello, TLSv1, TLSv1.1, DES
app.custom.security.flag=THIS_PROPERTY_IS_LOADED

These settings are then loaded when you add the following to your java process: -Djava.security.properties=/etc/app/java.security
You can also log which properties are loaded by adding -Djava.security.debug=properties.

Now in the logs you can see the custom property app.custom.security.flag=THIS_PROPERTY_IS_LOADED,
but jdk.tls.disabledAlgorithms = SSLv2Hello, TLSv1, TLSv1.1, DES seems to be ignored.
This is because update-crypto-policies creates the file /etc/crypto-policies/back-ends/java.config, which takes precedence.

From the manpage: man update-crypto-policies

...Note that the system property java.security.properties is loaded with a lower preference than the crypto policies...
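
To spot this before deploying, you can compare the keys in your custom file with the keys the crypto-policies back-end sets. The script below is an added example, not part of the original page; the function names prop_keys, overridden_keys and demo are made up for illustration, and the demo files are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original page): report keys in a custom
# java.security file that the crypto-policies Java back-end also sets.
BACKEND_DEFAULT=/etc/crypto-policies/back-ends/java.config   # path from the page

# prop_keys FILE: print the property keys defined in FILE, one per line.
# Skips blank lines and #/! comments, accepts '=' or ':' separators, and
# treats lines following a trailing backslash as part of the previous value.
prop_keys() {
    awk '
        cont               { cont = ($0 ~ /\\$/); next }
        /^[ \t]*$/         { next }
        /^[ \t]*[#!]/      { next }
        {
            cont = ($0 ~ /\\$/)
            key = $0
            sub(/^[ \t]+/, "", key)
            sub(/[ \t]*[=:].*$/, "", key)
            if (key != "") print key
        }
    ' "$1" | LC_ALL=C sort -u
}

# overridden_keys CUSTOM [BACKEND]: print keys present in both files, i.e.
# settings in CUSTOM that the back-end file is expected to override.
overridden_keys() {
    tmp=$(mktemp -d) || return 1
    prop_keys "$1" > "$tmp/custom"
    prop_keys "${2:-$BACKEND_DEFAULT}" > "$tmp/backend"
    LC_ALL=C comm -12 "$tmp/custom" "$tmp/backend"
    rm -rf "$tmp"
}

# demo: run the check on constructed sample files (not real system files).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# custom overrides' \
        'jdk.tls.disabledAlgorithms = SSLv2Hello, TLSv1, TLSv1.1, DES' \
        'app.custom.security.flag=THIS_PROPERTY_IS_LOADED' > "$d/java.security"
    printf '%s\n' 'jdk.tls.disabledAlgorithms=SSLv3, RC4, \' \
        '    DES' 'jdk.certpath.disabledAlgorithms=MD2' > "$d/java.config"
    overridden_keys "$d/java.security" "$d/java.config"
    rm -rf "$d"
}

# With arguments, check real files; without, run the constructed demo.
if [ "$#" -ge 1 ]; then overridden_keys "$@"; else demo; fi
```

Run it as: sh check.sh /etc/app/java.security. Any key it prints is one to verify in the -Djava.security.debug=properties output.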