Security scans of my forwarders are alerting on "TLS CRIME". I have read the Splunk Answer regarding this but I am a little bit unsatisfied with the answer. Basically they describe this as being a browser vulnerability, but everything I read seems to indicate that the remediation actions are to disable the use of SSL encryption. So I am unclear if SSL encryption is fundamentally flawed and is vulnerable regardless of whether it is web browser traffic.
Splunk Answer: http://answers.splunk.com/answers/65218/splunk-shows-vulnerable-to-cve-2012-4929-in-my-nessus-vulner...
I have been told by multiple people at this point that SSL encryption in Splunk is best left enabled for performance reasons, so I want to leave it enabled, but I would like to have a better understanding of which SSL settings in server.conf do what exactly. Which setting actually controls the encryption of the logs being forwarded? I've been told to shut-off port 8089 on the forwarders, will that disable the ability to use a deployment manager? Is there a way I can keep compression on the log traffic and disable it on 8089 in a way that will not show up as a false positive on security scans?
In the http://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf , I would set the following options to false
There'll be a few different stanzas depending on what you're disabling it on, but disabling Compression for each setting explicitly would probably help negate this since the options seem to change regularly.
I am also running into this concern with our use of Splunk in a Federal environment and CRIME vulnerabilities showing up. I read the same answer you linked, but there have been major changes since then. I haven't seen any official word on mitigating that risk. Even with SSL in general, even without browsers, the traffic can still be hijacked.