GP-4330 facilitate specification of enabled TLS cipher suites for Ghidra

Server

Ghidra/Features/GhidraServer/src/main/java/ghidra/server/remote/GhidraServer.java

@@ -69,6 +69,7 @@ public class GhidraServer extends UnicastRemoteObject implements GhidraServerHan
 	private static final String SERIAL_FILTER_FILE = "serial.filter";
 
 	private static final String TLS_SERVER_PROTOCOLS_PROPERTY = "ghidra.tls.server.protocols";
+	private static final String TLS_ENABLED_CIPHERS_PROPERTY = "jdk.tls.server.cipherSuites";
 
 	private static SslRMIServerSocketFactory serverSocketFactory;
 	private static SslRMIClientSocketFactory clientSocketFactory;
@@ -796,7 +797,16 @@ public class GhidraServer extends UnicastRemoteObject implements GhidraServerHan
 			}
 			log.info(
 				"   Anonymous server access: " + (allowAnonymousAccess ? "enabled" : "disabled"));
-
+			
+			String enabledCiphers = System.getProperty(TLS_ENABLED_CIPHERS_PROPERTY);
+			if (enabledCiphers != null) {
+				String[] cipherList = enabledCiphers.split(",");
+				log.info("   Enabled cipher suites:");
+				for (String s : cipherList) {
+					log.info("       " + s);
+				}
+			}
+			
 			serverSocketFactory = new SslRMIServerSocketFactory(null, getEnabledTlsProtocols(),
 				authMode == PKI_LOGIN) {
 				@Override

Ghidra/Framework/FileSystem/src/main/java/ghidra/framework/client/ClientUtil.java

@@ -199,6 +199,9 @@ public class ClientUtil {
 			Msg.debug(ClientUtil.class, "Server not connected (" + operation + ")");
 			promptForReconnect(repository, operation, mustRetry, parent);
 		}
+		else if (exc instanceof RepositoryNotFoundException) {
+			Msg.showError(ClientUtil.class, parent, title, exc.getMessage());
+		}
 		else if (exc instanceof UserAccessException) {
 			Msg.showError(ClientUtil.class, parent, title,
 				"Access denied: " + repository + "\n" + exc.getMessage());

Ghidra/RuntimeScripts/Common/server/server.conf

@@ -40,29 +40,36 @@ wrapper.java.additional.5=-Djna.tmpdir=${wrapper_tmpdir}
 # NOTE: multiple protocols must be separated with a semi-colon (e.g., TLSv1.2;TLSv1.3).
 wrapper.java.additional.6=-Dghidra.tls.server.protocols=TLSv1.2;TLSv1.3
 
+# Restrict server to specific TLS cipher suites for all secure communications
+# NOTE: multiple ciphers must be separated using "\,".  The specified list includes both TLSv1.2 and TLSv1.3 supported ciphers.
+# TLSv1.3 info: https://www.packetmania.net/en/2023/08/21/TLS1-3-intro/
+# See Commercial National Security Algorithm (CNSA) Suite Profile for TLS and DTLS 1.2 and 1.3
+#   RFC 9151 https://datatracker.ietf.org/doc/rfc9151/
+wrapper.java.additional.7=-Djdk.tls.server.cipherSuites="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384\,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\,TLS_AES_256_GCM_SHA384"
+
 # A suitable cacerts file must be installed when using PKI authentication
-#wrapper.java.additional.7=-Dghidra.cacerts=./Ghidra/cacerts
+#wrapper.java.additional.8=-Dghidra.cacerts=./Ghidra/cacerts
 
 # If Ghidra clients must authenticate the server, the server will need to install
 # a server key/certificate in a secure location (e.g., /etc/pki/...) 
 # and specify the location and password via the properties below.
 # Be sure to properly set permissions on the Ghidra installation and this file
 # if using these settings.
-#wrapper.java.additional.8=-Dghidra.keystore=
-#wrapper.java.additional.9=-Dghidra.password=
+#wrapper.java.additional.9=-Dghidra.keystore=
+#wrapper.java.additional.10=-Dghidra.password=
 
 # Enable/Disable use of compression for DataBuffer serialization and Block Streams
-wrapper.java.additional.10=-Ddb.buffers.DataBuffer.compressedOutput=true
+wrapper.java.additional.11=-Ddb.buffers.DataBuffer.compressedOutput=true
 
 # Uncomment to enable remote debug support
 # The debug address will listen on all network interfaces, if desired the '*' may be
 # set to a specific interface IP address (e.g., 127.0.0.1) if you wish to restrict.
 # During debug it may be necessary to increase timeout values to prevent the wrapper
 # from restarting the server due to unresponsiveness.
-#wrapper.java.additional.11=-Xdebug
-#wrapper.java.additional.12=-Xnoagent
-#wrapper.java.additional.13=-Djava.compiler=NONE
-#wrapper.java.additional.14=-Xrunjdwp:transport=dt_socket\,server=y\,suspend=n\,address=*:18200
+#wrapper.java.additional.12=-Xdebug
+#wrapper.java.additional.13=-Xnoagent
+#wrapper.java.additional.14=-Djava.compiler=NONE
+#wrapper.java.additional.15=-Xrunjdwp:transport=dt_socket\,server=y\,suspend=n\,address=*:18200
 #wrapper.startup.timeout=0
 #wrapper.ping.timeout=0
 
@@ -73,10 +80,10 @@ wrapper.java.additional.10=-Ddb.buffers.DataBuffer.compressedOutput=true
 
 # Uncomment to enable remote use of jvisualvm for profiling
 # See JMX documentation for more information: http://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html
-#wrapper.java.additional.15=-Dcom.sun.management.jmxremote.port=9010
-#wrapper.java.additional.16=-Dcom.sun.management.jmxremote.local.only=false
-#wrapper.java.additional.17=-Dcom.sun.management.jmxremote.authenticate=false
-#wrapper.java.additional.18=-Dcom.sun.management.jmxremote.ssl=false
+#wrapper.java.additional.16=-Dcom.sun.management.jmxremote.port=9010
+#wrapper.java.additional.17=-Dcom.sun.management.jmxremote.local.only=false
+#wrapper.java.additional.18=-Dcom.sun.management.jmxremote.authenticate=false
+#wrapper.java.additional.19=-Dcom.sun.management.jmxremote.ssl=false
 
 # YAJSW will by default assume a POSIX spawn for Linux and Mac OS X systems, unfortunately it has 
 # not yet been implemented for Mac OS X.  The default process support within YAJSW for Mac OS X is