@jbrodsky_splunk I think we're finally getting to the crux of the issue that some of us are having with the language and implications in the advisory. There should be a statement that clearly indicates that using the default root cert is not the default behavior of Splunk out of the box. Therefore as tested and proven, you may still have older forwarders existing in your deployment and the expiring root cert will not affect them.
The reason for this is as you mention outputs.conf requires the SSL parameters to be set explicitly to force SSL between forwarders and indexers, again not the default behavior as implied. The only other communication is splunkd on 8089 by default, which has its SSL parameters defined in server.conf. When you look at the server.conf specs, you could easily get confused that this advisory would affect your deployment, since enableSplunkdSSL is set to true by default.
You hit the nail on the head, however, with regard to the sslVerifyServerCert parameter: by default on a Splunk install this is false, so SSL communication is not forced for splunkd either. So we may surmise that there is in fact no SSL communication forced by Splunk by default; this is probably by design for just this scenario.
sslVerifyServerCert = true|false
* Used by distributed search: when making a search request to another
server in the search cluster.
* Used by distributed deployment clients: when polling a deployment
server.
* If this is set to true, you should make sure that the server that is
being connected to is a valid one (authenticated). Both the common
name and the alternate name of the server are then checked for a
match if they are specified in this configuration file. A
certificate is considered verified if either is matched.
* Default is false.
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf
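A way to check this on a forwarder rather than arguing from the spec: merge the layered outputs.conf and server.conf the way Splunk does (lower-precedence file first) and report whether TLS to the indexers is explicitly configured and what sslVerifyServerCert and enableSplunkdSSL resolve to, using the defaults quoted above. This is an added example, not code from the thread or from Splunk; the config fragments are constructed, the key names (sslCertPath / clientCert, sslRootCAPath, sslPassword, sslVerifyServerCert, enableSplunkdSSL) are taken from outputs.conf.spec and server.conf.spec and should be checked against the spec files of your own version, and the layering is simplified to an ordered list of files.

```python
import configparser

# Constructed sample fragments (not from the thread). Lowest precedence first:
# a stock system/default outputs.conf, then a system/local override.
DEFAULT_OUTPUTS = """\
[tcpout]
defaultGroup = primary_indexers
"""

LOCAL_OUTPUTS = """\
[tcpout:primary_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
"""

# Same group, but with TLS to the indexers configured explicitly.
LOCAL_OUTPUTS_TLS = """\
[tcpout:primary_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
sslCertPath = $SPLUNK_HOME/etc/auth/forwarder.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/myCA.pem
sslPassword = password
sslVerifyServerCert = true
"""

LOCAL_SERVER = """\
[sslConfig]
enableSplunkdSSL = true
"""

# Either key marks a tcpout group as using TLS; names assumed from outputs.conf.spec.
TLS_KEYS = ("sslCertPath", "clientCert")


def splunk_bool(value, default=False):
    """Interpret a Splunk boolean (true/false, 1/0, yes/no, on/off); None -> default."""
    if value is None:
        return default
    return value.strip().lower() in ("1", "true", "yes", "on", "t", "y")


def parse_conf(text):
    """Parse one Splunk .conf file into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep Splunk's camelCase key names intact
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def merge_layers(layers):
    """Merge parsed files in precedence order (lowest first): later keys win."""
    merged = {}
    for layer in layers:
        for stanza, kv in layer.items():
            merged.setdefault(stanza, {}).update(kv)
    return merged


def forwarding_tls_status(outputs):
    """Per tcpout group: is TLS explicitly configured, and is the indexer cert verified?
    Group stanzas inherit from the global [tcpout] stanza."""
    global_kv = outputs.get("tcpout", {})
    result = {}
    for stanza, kv in outputs.items():
        if not stanza.startswith("tcpout:"):
            continue
        effective = {**global_kv, **kv}
        result[stanza.split(":", 1)[1]] = {
            "tls": any(k in effective for k in TLS_KEYS),
            # Default false per the spec quoted above.
            "verify_server": splunk_bool(effective.get("sslVerifyServerCert"), False),
        }
    return result


def splunkd_tls_status(server):
    """Resolve the two server.conf [sslConfig] settings discussed in the thread."""
    ssl = server.get("sslConfig", {})
    return {
        "enableSplunkdSSL": splunk_bool(ssl.get("enableSplunkdSSL"), True),
        "sslVerifyServerCert": splunk_bool(ssl.get("sslVerifyServerCert"), False),
    }


if __name__ == "__main__":
    stock = merge_layers([parse_conf(DEFAULT_OUTPUTS), parse_conf(LOCAL_OUTPUTS)])
    hardened = merge_layers([parse_conf(DEFAULT_OUTPUTS), parse_conf(LOCAL_OUTPUTS_TLS)])
    print("stock forwarder:      ", forwarding_tls_status(stock))
    print("TLS forwarder:        ", forwarding_tls_status(hardened))
    print("splunkd (server.conf):", splunkd_tls_status(parse_conf(LOCAL_SERVER)))
```

On a real host, feed it the actual files in precedence order (system/default, then each app's default and local, then system/local), or compare against the output of `splunk btool outputs list --debug`, which shows the merged result and which file each key came from. The stock forwarder reports tls False and verify_server False, which is the point made above: nothing forces TLS to the indexers unless it was configured explicitly.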