GP-4330 facilitate specification of enabled TLS cipher suites for Ghidra

Server

Ghidra/RuntimeScripts/Common/server/server.conf

@@ -40,29 +40,36 @@ wrapper.java.additional.5=-Djna.tmpdir=${wrapper_tmpdir}
 # NOTE: multiple protocols must be separated with a semi-colon (e.g., TLSv1.2;TLSv1.3).
 wrapper.java.additional.6=-Dghidra.tls.server.protocols=TLSv1.2;TLSv1.3
 
+# Restrict server to specific TLS cipher suites for all secure communications
+# NOTE: multiple ciphers must be separated using "\,".  The specified list includes both TLSv1.2 and TLSv1.3 supported ciphers.
+# TLSv1.3 info: https://www.packetmania.net/en/2023/08/21/TLS1-3-intro/
+# See Commercial National Security Algorithm (CNSA) Suite Profile for TLS and DTLS 1.2 and 1.3
+#   RFC 9151 https://datatracker.ietf.org/doc/rfc9151/
+wrapper.java.additional.7=-Djdk.tls.server.cipherSuites="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384\,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\,TLS_AES_256_GCM_SHA384"
+
 # A suitable cacerts file must be installed when using PKI authentication
-#wrapper.java.additional.7=-Dghidra.cacerts=./Ghidra/cacerts
+#wrapper.java.additional.8=-Dghidra.cacerts=./Ghidra/cacerts
 
 # If Ghidra clients must authenticate the server, the server will need to install
 # a server key/certificate in a secure location (e.g., /etc/pki/...) 
 # and specify the location and password via the properties below.
 # Be sure to properly set permissions on the Ghidra installation and this file
 # if using these settings.
-#wrapper.java.additional.8=-Dghidra.keystore=
-#wrapper.java.additional.9=-Dghidra.password=
+#wrapper.java.additional.9=-Dghidra.keystore=
+#wrapper.java.additional.10=-Dghidra.password=
 
 # Enable/Disable use of compression for DataBuffer serialization and Block Streams
-wrapper.java.additional.10=-Ddb.buffers.DataBuffer.compressedOutput=true
+wrapper.java.additional.11=-Ddb.buffers.DataBuffer.compressedOutput=true
 
 # Uncomment to enable remote debug support
 # The debug address will listen on all network interfaces, if desired the '*' may be
 # set to a specific interface IP address (e.g., 127.0.0.1) if you wish to restrict.
 # During debug it may be necessary to increase timeout values to prevent the wrapper
 # from restarting the server due to unresponsiveness.
-#wrapper.java.additional.11=-Xdebug
-#wrapper.java.additional.12=-Xnoagent
-#wrapper.java.additional.13=-Djava.compiler=NONE
-#wrapper.java.additional.14=-Xrunjdwp:transport=dt_socket\,server=y\,suspend=n\,address=*:18200
+#wrapper.java.additional.12=-Xdebug
+#wrapper.java.additional.13=-Xnoagent
+#wrapper.java.additional.14=-Djava.compiler=NONE
+#wrapper.java.additional.15=-Xrunjdwp:transport=dt_socket\,server=y\,suspend=n\,address=*:18200
 #wrapper.startup.timeout=0
 #wrapper.ping.timeout=0
 
@@ -73,10 +80,10 @@ wrapper.java.additional.10=-Ddb.buffers.DataBuffer.compressedOutput=true
 
 # Uncomment to enable remote use of jvisualvm for profiling
 # See JMX documentation for more information: http://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html
-#wrapper.java.additional.15=-Dcom.sun.management.jmxremote.port=9010
-#wrapper.java.additional.16=-Dcom.sun.management.jmxremote.local.only=false
-#wrapper.java.additional.17=-Dcom.sun.management.jmxremote.authenticate=false
-#wrapper.java.additional.18=-Dcom.sun.management.jmxremote.ssl=false
+#wrapper.java.additional.16=-Dcom.sun.management.jmxremote.port=9010
+#wrapper.java.additional.17=-Dcom.sun.management.jmxremote.local.only=false
+#wrapper.java.additional.18=-Dcom.sun.management.jmxremote.authenticate=false
+#wrapper.java.additional.19=-Dcom.sun.management.jmxremote.ssl=false
 
 # YAJSW will by default assume a POSIX spawn for Linux and Mac OS X systems, unfortunately it has 
 # not yet been implemented for Mac OS X.  The default process support within YAJSW for Mac OS X is