https://community.splunk.com/t5/Getting-Data-In/I-am-looking-for-clarification-on-SSL-compression-settings-in/m-p/126154#M25969 <P>I am also running into this concern with our use of Splunk in a Federal environment and CRIME vulnerabilities showing up. I read the same answer you linked, but there have been major changes since then. I haven't seen any official word on mitigating that risk. Even with SSL in general, even without browsers, the traffic can still be hijacked. </P> Wed, 30 Aug 2017 15:42:36 GMT PhilipDudley 2017-08-30T15:42:36Z https://community.splunk.com/t5/Getting-Data-In/I-am-looking-for-clarification-on-SSL-compression-settings-in/m-p/126153#M25968 <P>Security scans of my forwarders are alerting on "TLS CRIME". I have read the <A href="http://answers.splunk.com/answers/65218/splunk-shows-vulnerable-to-cve-2012-4929-in-my-nessus-vulnerability-scan-what-is-going-on.html">Splunk Answer</A> regarding this but I am a little bit unsatisfied with the answer. Basically they describe this as being a browser vulnerability, but everything I read seems to indicate that the remediation actions are to disable the use of SSL encryption. So I am unclear if SSL encryption is fundamentally flawed and is vulnerable regardless of whether it is web browser traffic.</P> <P>Splunk Answer: <A href="http://answers.splunk.com/answers/65218/splunk-shows-vulnerable-to-cve-2012-4929-in-my-nessus-vulnerability-scan-what-is-going-on.html">http://answers.splunk.com/answers/65218/splunk-shows-vulnerable-to-cve-2012-4929-in-my-nessus-vulnerability-scan-what-is-going-on.html</A></P> <P>I have been told by multiple people at this point that SSL encryption in Splunk is best left enabled for performance reasons, so I want to leave it enabled, but I would like to have a better understanding of which SSL settings in server.conf do what exactly. Which setting actually controls the encryption of the logs being forwarded? I've been told to shut-off port 8089 on the forwarders, will that disable the ability to use a deployment manager? Is there a way I can keep compression on the log traffic and disable it on 8089 in a way that will not show up as a false positive on security scans?</P> Thu, 02 Apr 2015 22:56:25 GMT https://community.splunk.com/t5/Getting-Data-In/I-am-looking-for-clarification-on-SSL-compression-settings-in/m-p/126153#M25968 fd26645 2015-04-02T22:56:25Z https://community.splunk.com/t5/Getting-Data-In/I-am-looking-for-clarification-on-SSL-compression-settings-in/m-p/126154#M25969 <P>I am also running into this concern with our use of Splunk in a Federal environment and CRIME vulnerabilities showing up. I read the same answer you linked, but there have been major changes since then. I haven't seen any official word on mitigating that risk. Even with SSL in general, even without browsers, the traffic can still be hijacked. </P> Wed, 30 Aug 2017 15:42:36 GMT https://community.splunk.com/t5/Getting-Data-In/I-am-looking-for-clarification-on-SSL-compression-settings-in/m-p/126154#M25969 PhilipDudley 2017-08-30T15:42:36Z https://community.splunk.com/t5/Getting-Data-In/I-am-looking-for-clarification-on-SSL-compression-settings-in/m-p/126155#M25970 <P>In the <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf">http://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf</A> , I would set the following options to false</P> <UL> <LI>useSSLCompression = false</LI> <LI>allowSslCompression = false</LI> </UL> <P>There'll be a few different stanzas depending on what you're disabling it on, but disabling Compression for each setting explicitly would probably help negate this since the options seem to change regularly. </P> Wed, 30 Aug 2017 15:50:10 GMT https://community.splunk.com/t5/Getting-Data-In/I-am-looking-for-clarification-on-SSL-compression-settings-in/m-p/126155#M25970 PhilipDudley 2017-08-30T15:50:10Z