
Enabling CRL checking and other important security features in Java Runtime Environment

Previous versions of this article point out that enabling checking of OCSP and the CRL will help resolve CVE-2013-1493. This is incorrect. Apologies.

It’s possible that an exploit may use a previously valid certificate to bypass security settings in the JRE client. Today, on the Daily ISC StormCast it was mentioned that Oracle does not enable CRL (certificate revocation list) checking by default in JRE.

Enable CRL checking for your JRE clients:
Luckily, you can enable it easily using the same GPO-based strategy you should already be using to push a deployment.properties control policy to your clients.

The specific setting is deployment.security.validation.crl; it is covered in the Deployment Configuration File and Properties documentation.

Hardening the rest of the JRE:
While we’re at it, since Oracle won’t do it for us, we can push several other settings to our clients that will make them considerably more secure:

The following is a recommended config for the deployment.properties file:

# Security level applied to untrusted applets; VERY_HIGH is stricter still
deployment.security.level=HIGH
deployment.security.level.locked
# Prompt when a page requests an out-of-date JRE (values: NEVER, PROMPT, ALWAYS;
# do not quote the value, Java properties keep the quotes literally)
deployment.insecure.jres=PROMPT
deployment.insecure.jres.locked
# Warn when the HTTPS certificate does not match the host name
deployment.security.jsse.hostmismatch.warning=true
# Show the warning banner on windows opened by sandboxed code
deployment.security.sandbox.awtwarningwindow=true
deployment.security.sandbox.awtwarningwindow.locked
# Keep mixed signed/unsigned code protection enabled
deployment.security.mixcode=ENABLE
# Check certificate revocation via OCSP and CRLs; the .locked lines stop users overriding them
deployment.security.validation.ocsp=true
deployment.security.validation.ocsp.locked
deployment.security.validation.crl=true
deployment.security.validation.crl.locked

Note that you may have additional or different settings; you may have set deployment.security.level to VERY_HIGH, for instance. Some of the above are default settings, but it’s much better to make sure they’re configured explicitly than to let Oracle decide for you.
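As an added example (not from the original post), a small Python audit that parses a deployment.properties file and reports every key from the baseline above that is missing, mis-set or not locked, so you can verify what GPO actually delivered to a client. The sample file and the set of accepted values are assumptions.

```python
# Baseline from this article: key -> (accepted values, must also be .locked)
BASELINE = {
    "deployment.security.level": ({"HIGH", "VERY_HIGH"}, True),
    "deployment.insecure.jres": ({"PROMPT", "NEVER"}, True),
    "deployment.security.jsse.hostmismatch.warning": ({"true"}, False),
    "deployment.security.sandbox.awtwarningwindow": ({"true"}, True),
    "deployment.security.mixcode": ({"ENABLE"}, False),
    "deployment.security.validation.ocsp": ({"true"}, True),
    "deployment.security.validation.crl": ({"true"}, True),
}

def parse_properties(text):
    """Minimal .properties parser: '#'/'!' comments, '=' or ':' separators, bare keys."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()   # '<key>.locked' lines get an empty value
    return props

def audit(text):
    """Return one finding per baseline key that is absent, mis-set or unlocked."""
    props = parse_properties(text)
    findings = []
    for key, (allowed, must_lock) in BASELINE.items():
        if key not in props:
            findings.append(f"{key}: missing, Oracle default applies")
            continue
        if props[key] not in allowed:   # a quoted "PROMPT" is flagged: quotes are kept literally
            findings.append(f"{key}: value {props[key]!r} not in {sorted(allowed)}")
        if must_lock and f"{key}.locked" not in props:
            findings.append(f"{key}: not locked, users can override it")
    return findings

# Constructed sample with deliberate defects: quoted value, unlocked OCSP, no CRL line
SAMPLE = """\
deployment.security.level=HIGH
deployment.security.level.locked
deployment.insecure.jres="PROMPT"
deployment.insecure.jres.locked
deployment.security.validation.ocsp=true
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "deployment.properties meets the baseline")
```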

Conclusion:
It’s clear that Oracle is erring on the side of usability over security, judging by the default settings shipped with the JRE. This is the opposite of something like Internet Explorer, which doesn’t enable compatibility mode on all web pages (for instance). Yes, I just implied that IE has better security than the JRE.

I suppose they expect that 99% of their users will be able to deduce that they must change their settings to make sure they are running securely.

Optimal config:
I think it would be better to eliminate apps that you can’t re-sign with your own internal CA, or pin by adding their certificates to the local JRE certificate store. Again, this assumes you have the people and skills to do this. In lieu of that, Oracle should really enable CRL and OCSP checking by default.
