Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

I am looking for clarification on SSL compression settings in relation to security.

fd26645
Path Finder
‎04-02-2015 03:56 PM

Security scans of my forwarders are alerting on "TLS CRIME". I have read the Splunk Answer regarding this but I am a little bit unsatisfied with the answer. Basically they describe this as being a browser vulnerability, but everything I read seems to indicate that the remediation actions are to disable the use of SSL encryption. So I am unclear if SSL encryption is fundamentally flawed and is vulnerable regardless of whether it is web browser traffic.

Splunk Answer: http://answers.splunk.com/answers/65218/splunk-shows-vulnerable-to-cve-2012-4929-in-my-nessus-vulner...

I have been told by multiple people at this point that SSL encryption in Splunk is best left enabled for performance reasons, so I want to leave it enabled, but I would like to have a better understanding of which SSL settings in server.conf do what exactly. Which setting actually controls the encryption of the logs being forwarded? I've been told to shut-off port 8089 on the forwarders, will that disable the ability to use a deployment manager? Is there a way I can keep compression on the log traffic and disable it on 8089 in a way that will not show up as a false positive on security scans?

Tags (3)
0 Karma
Reply

PhilipDudley
Engager
‎08-30-2017 08:50 AM

In the http://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf , I would set the following options to false

  • useSSLCompression = false
  • allowSslCompression = false

There'll be a few different stanzas depending on what you're disabling it on, but disabling Compression for each setting explicitly would probably help negate this since the options seem to change regularly.

0 Karma
Reply

PhilipDudley
Engager
‎08-30-2017 08:42 AM

I am also running into this concern with our use of Splunk in a Federal environment and CRIME vulnerabilities showing up. I read the same answer you linked, but there have been major changes since then. I haven't seen any official word on mitigating that risk. Even with SSL in general, even without browsers, the traffic can still be hijacked.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through: An introduction to the Splunk Threat ...