From 2c65b1f796c046acadce7f853b0f349e1e0dca13 Mon Sep 17 00:00:00 2001
From: ghidra1
Date: Thu, 15 Feb 2024 17:48:27 -0500
Subject: [PATCH] GP-4330 facilitate specification of enabled TLS cipher suites for Ghidra Server

---
 .../ghidra/server/remote/GhidraServer.java | 12 ++++++-
 .../ghidra/framework/client/ClientUtil.java | 3 ++
 .../RuntimeScripts/Common/server/server.conf | 31 ++++++++++++-------
 3 files changed, 33 insertions(+), 13 deletions(-)

diff --git a/Ghidra/Features/GhidraServer/src/main/java/ghidra/server/remote/GhidraServer.java b/Ghidra/Features/GhidraServer/src/main/java/ghidra/server/remote/GhidraServer.java
index bf61b2d010..744b3a9581 100644
--- a/Ghidra/Features/GhidraServer/src/main/java/ghidra/server/remote/GhidraServer.java
+++ b/Ghidra/Features/GhidraServer/src/main/java/ghidra/server/remote/GhidraServer.java
@@ -69,6 +69,7 @@ public class GhidraServer extends UnicastRemoteObject implements GhidraServerHan
 	private static final String SERIAL_FILTER_FILE = "serial.filter";
 	private static final String TLS_SERVER_PROTOCOLS_PROPERTY = "ghidra.tls.server.protocols";
+	private static final String TLS_ENABLED_CIPHERS_PROPERTY = "jdk.tls.server.cipherSuites";
 	private static SslRMIServerSocketFactory serverSocketFactory;
 	private static SslRMIClientSocketFactory clientSocketFactory;
@@ -796,7 +797,16 @@ public class GhidraServer extends UnicastRemoteObject implements GhidraServerHan
 		}
 		log.info(
 			" Anonymous server access: " + (allowAnonymousAccess ? "enabled" : "disabled"));
-
+
+		String enabledCiphers = System.getProperty(TLS_ENABLED_CIPHERS_PROPERTY);
+		if (enabledCiphers != null) {
+			String[] cipherList = enabledCiphers.split(",");
+			log.info(" Enabled cipher suites:");
+			for (String s : cipherList) {
+				log.info(" " + s);
+			}
+		}
+
 		serverSocketFactory = new SslRMIServerSocketFactory(null, getEnabledTlsProtocols(), authMode == PKI_LOGIN) {
 			@Override
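Review bot: The loop added after the anonymous-access log line prints the raw `jdk.tls.server.cipherSuites` value under the heading `Enabled cipher suites:`, but that is the operator's request rather than what JSSE actually enabled; if I recall the JSSE reference correctly, names that are misspelled or unsupported by the provider are dropped silently and a list with no usable entry falls back to the JDK defaults, so this log can report a restriction that is not in force. Logging the effective server list instead, e.g. `for (String s : ((SSLServerSocketFactory) SSLServerSocketFactory.getDefault()).getDefaultCipherSuites()) { log.info("      " + s); }` (needs `javax.net.ssl.SSLServerSocketFactory`, whose import is outside this hunk), should reflect the property after JSSE has filtered it; if the raw value is kept, label it `Configured cipher suites:` so nobody reads it as verified. Entries are also not trimmed before logging, so a value written with spaces after the commas prints padded names — `log.info("      " + s.trim())` keeps the output unambiguous. The enclosing method starts and ends outside this hunk.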
diff --git a/Ghidra/Framework/FileSystem/src/main/java/ghidra/framework/client/ClientUtil.java b/Ghidra/Framework/FileSystem/src/main/java/ghidra/framework/client/ClientUtil.java
index c9dc6d8976..e7a423b44c 100644
--- a/Ghidra/Framework/FileSystem/src/main/java/ghidra/framework/client/ClientUtil.java
+++ b/Ghidra/Framework/FileSystem/src/main/java/ghidra/framework/client/ClientUtil.java
@@ -199,6 +199,9 @@ public class ClientUtil {
 			Msg.debug(ClientUtil.class, "Server not connected (" + operation + ")");
 			promptForReconnect(repository, operation, mustRetry, parent);
 		}
+		else if (exc instanceof RepositoryNotFoundException) {
+			Msg.showError(ClientUtil.class, parent, title, exc.getMessage());
+		}
 		else if (exc instanceof UserAccessException) {
 			Msg.showError(ClientUtil.class, parent, title,
 				"Access denied: " + repository + "\n" + exc.getMessage());
diff --git a/Ghidra/RuntimeScripts/Common/server/server.conf b/Ghidra/RuntimeScripts/Common/server/server.conf
index 40007f2e93..5b13f6ef2c 100644
--- a/Ghidra/RuntimeScripts/Common/server/server.conf
+++ b/Ghidra/RuntimeScripts/Common/server/server.conf
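Review bot: The new `RepositoryNotFoundException` branch shows `exc.getMessage()` on its own, whereas the sibling `UserAccessException` branch just below prefixes the repository name; a user with several servers configured gets a dialog that does not say which repository was missing unless the server happened to include it in the message. Matching the sibling with `Msg.showError(ClientUtil.class, parent, title, "Repository not found: " + repository + "\n" + exc.getMessage());` keeps the dialogs consistent. This branch is unrelated to the cipher-suite work named in the commit title and would be easier to trace in its own commit. The enclosing method starts and ends outside this hunk.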
@@ -40,29 +40,36 @@ wrapper.java.additional.5=-Djna.tmpdir=${wrapper_tmpdir}
 # NOTE: multiple protocols must be separated with a semi-colon (e.g., TLSv1.2;TLSv1.3).
 wrapper.java.additional.6=-Dghidra.tls.server.protocols=TLSv1.2;TLSv1.3
+# Restrict server to specific TLS cipher suites for all secure communications
+# NOTE: multiple ciphers must be separated using "\,". The specified list includes both TLSv1.2 and TLSv1.3 supported ciphers.
+# TLSv1.3 info: https://www.packetmania.net/en/2023/08/21/TLS1-3-intro/
+# See Commercial National Security Algorithm (CNSA) Suite Profile for TLS and DTLS 1.2 and 1.3
+# RFC 9151 https://datatracker.ietf.org/doc/rfc9151/
+wrapper.java.additional.7=-Djdk.tls.server.cipherSuites="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384\,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\,TLS_AES_256_GCM_SHA384"
+
 # A suitable cacerts file must be installed when using PKI authentication
-#wrapper.java.additional.7=-Dghidra.cacerts=./Ghidra/cacerts
+#wrapper.java.additional.8=-Dghidra.cacerts=./Ghidra/cacerts
 # If Ghidra clients must authenticate the server, the server will need to install
 # a server key/certificate in a secure location (e.g., /etc/pki/...)
 # and specify the location and password via the properties below.
 # Be sure to properly set permissions on the Ghidra installation and this file
 # if using these settings.
-#wrapper.java.additional.8=-Dghidra.keystore=
-#wrapper.java.additional.9=-Dghidra.password=
+#wrapper.java.additional.9=-Dghidra.keystore=
+#wrapper.java.additional.10=-Dghidra.password=
 # Enable/Disable use of compression for DataBuffer serialization and Block Streams
-wrapper.java.additional.10=-Ddb.buffers.DataBuffer.compressedOutput=true
+wrapper.java.additional.11=-Ddb.buffers.DataBuffer.compressedOutput=true
 # Uncomment to enable remote debug support
 # The debug address will listen on all network interfaces, if desired the '*' may be
 # set to a specific interface IP address (e.g., 127.0.0.1) if you wish to restrict.
 # During debug it may be necessary to increase timeout values to prevent the wrapper
 # from restarting the server due to unresponsiveness.
-#wrapper.java.additional.11=-Xdebug
-#wrapper.java.additional.12=-Xnoagent
-#wrapper.java.additional.13=-Djava.compiler=NONE
-#wrapper.java.additional.14=-Xrunjdwp:transport=dt_socket\,server=y\,suspend=n\,address=*:18200
+#wrapper.java.additional.12=-Xdebug
+#wrapper.java.additional.13=-Xnoagent
+#wrapper.java.additional.14=-Djava.compiler=NONE
+#wrapper.java.additional.15=-Xrunjdwp:transport=dt_socket\,server=y\,suspend=n\,address=*:18200
 #wrapper.startup.timeout=0
 #wrapper.ping.timeout=0
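Review bot: The value on the new `wrapper.java.additional.7` line is wrapped in double quotes, unlike every other property in this file (`-Dghidra.tls.server.protocols=TLSv1.2;TLSv1.3`, the `-Xrunjdwp:` line); if the wrapper passes those quotes through to the JVM, JSSE sees a first entry of `"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384` and a last entry ending in `"`, which it would drop as unknown, silently narrowing the effective list — I would remove the quotes and confirm via the cipher-suite lines the server now prints at startup. Citing RFC 9151 also overstates what this line achieves: a cipher-suite list does not pin the key-exchange group or the signature scheme, and the JDK defaults (X25519/P-256 first, 2048-bit DHE) are outside the CNSA profile, so a CNSA deployment additionally needs something like `-Djdk.tls.namedGroups=secp384r1,ffdhe3072` plus a matching signature-scheme restriction; either add those or soften the comment to say the suites are drawn from the CNSA list. Unlike its commented-out neighbours this entry is active, so every existing deployment tightens on upgrade; a sentence such as `# Comment out this line to fall back to the JDK default cipher suites` would tell operators how to diagnose a client that can no longer negotiate.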
@@ -73,10 +80,10 @@ wrapper.java.additional.10=-Ddb.buffers.DataBuffer.compressedOutput=true
 # Uncomment to enable remote use of jvisualvm for profiling
 # See JMX documentation for more information: http://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html
-#wrapper.java.additional.15=-Dcom.sun.management.jmxremote.port=9010
-#wrapper.java.additional.16=-Dcom.sun.management.jmxremote.local.only=false
-#wrapper.java.additional.17=-Dcom.sun.management.jmxremote.authenticate=false
-#wrapper.java.additional.18=-Dcom.sun.management.jmxremote.ssl=false
+#wrapper.java.additional.16=-Dcom.sun.management.jmxremote.port=9010
+#wrapper.java.additional.17=-Dcom.sun.management.jmxremote.local.only=false
+#wrapper.java.additional.18=-Dcom.sun.management.jmxremote.authenticate=false
+#wrapper.java.additional.19=-Dcom.sun.management.jmxremote.ssl=false
 # YAJSW will by default assume a POSIX spawn for Linux and Mac OS X systems, unfortunately it has
 # not yet been implemented for Mac OS X. The default process support within YAJSW for Mac OS X is