GP-6811 Added -ipAlt Ghidra Server option

2026-05-20 23:08:31 +08:00 · 2026-05-11 14:45:13 -04:00
parent cac61167fe
commit 7f2fbc9353
4 changed files with 46 additions and 7 deletions
@@ -132,6 +132,7 @@
 * _Logging_. Fixed a bug that prevented GhidraScript output from being directed to either the default or user-specified `script.log` file. (GP-6532)
 * _Memory_. Corrected various issues related to improper use of Addresses from one program in another program's AddressMap. (GP-6150)
 * _Multi-User_. Corrected potential security concern with Ghidra Server PKI Authentication.  If using PKI Authentication mode (`-a2`) for the server install, the user should upgrade the server.  See reported Ghidra GitHub Pull Request #9109 for more details. (GP-6678, Issue #9109)
+* _Multi-User_. Added Ghidra Server `-ipAlt` option to address self-signed certificate issues affecting docker container deployments where an formal certificate was not used (see `server.conf` and `svrREADME.md`. (GP-6811)
 * _Processors_. Fixed ARM `ldrsh.w` and `ldrsb.w` instruction semantics. (GP-4651, Issue #6564)
 * _Processors_. Reworded Tricore processor description. (GP-5243, Issue #7170)
 * _Processors_. Corrected AVR32 `ICALL` instruction behavior when `rd0` is the `LR` register. (GP-5306, Issue #5718)
@@ -78,7 +78,8 @@ public class GhidraServer extends UnicastRemoteObject implements GhidraServerHan

 	private static String HELP_FILE = "ServerHelp.txt";
 	private static String USAGE_ARGS =
-		"[-ip <hostname>] [-i #.#.#.#] [-p#] [-n] [-a#] [-d<ad_domain>] [-e<days>] [-jaas <config_file>] [-u] [-autoProvision] [-anonymous] [-ssh] <repository_path>";
+		"[-ip <hostname>] [-ipAlt <hostname>[,...]] [-i #.#.#.#] [-p#] [-n] [-a#] [-d<ad_domain>]" +
+			" [-e<days>] [-jaas <config_file>] [-u] [-autoProvision] [-anonymous] [-ssh] <repository_path>";

 	private static final String RMI_SERVER_PROPERTY = "java.rmi.server.hostname";

@@ -539,6 +540,7 @@ public class GhidraServer extends UnicastRemoteObject implements GhidraServerHan
 		int defaultPasswordExpiration = -1;
 		boolean autoProvision = false;
 		File jaasConfigFile = null;
+		Set<String> altNames = new TreeSet<>();

 		// Network name resolution disabled by default
 		InetNameLookup.setLookupEnabled(false);
@@ -588,6 +590,23 @@ public class GhidraServer extends UnicastRemoteObject implements GhidraServerHan
 					System.exit(-1);
 				}
 			}
+			else if (s.startsWith("-ipAlt")) { // self-signed cert alt subject names
+				int nextArgIndex = i + 1;
+				String hostname;
+				if (s.length() == 6 && nextArgIndex < args.length) {
+					hostname = args[++i];
+				}
+				else {
+					hostname = s.substring(6);
+				}
+				for (String h : hostname.trim().split(";")) {
+					if (hostname.length() == 0 || hostname.startsWith("-")) {
+						displayUsage("Missing -ipAlt altName");
+						System.exit(-1);
+					}
+					altNames.add(h);
+				}
+			}
 			else if (s.startsWith("-ip")) { // setting server remote access hostname
 				int nextArgIndex = i + 1;
 				String hostname;
@@ -793,7 +812,6 @@ public class GhidraServer extends UnicastRemoteObject implements GhidraServerHan
 				DefaultKeyManagerFactory.addSubjectAlternativeName(hostname);

 				// Collect alternate hostnames for inclusion in certificate
-				Set<String> altNames = new TreeSet<>();
 				Enumeration<NetworkInterface> nets = NetworkInterface.getNetworkInterfaces();
 				while (nets.hasMoreElements()) {
 					NetworkInterface netint = nets.nextElement();
@@ -134,12 +134,23 @@ ghidra.repositories.dir=./repositories
 # Ghidra server startup parameters.  
 #
 # Command line parameters: (Add command line parameters as needed and renumber each starting from .1)
-#						[-ip <hostname>] [-i #.#.#.#] [-p#] [-n]
-#						[-a#] [-d<ad_domain>] [-e<days>] [-jaas <config_file>] [-u] [-autoProvision] [-anonymous] [-ssh]
+#						[-ip <hostname>] [-ipAlt <altName>[;...]] [-i #.#.#.#] [-p#] [-n]
+#						[-a#] [-d<ad_domain>] [-e<days>] [-jaas <config_file>] [-u] [-autoProvision] 
+#                       [-anonymous] [-ssh]
 #						<repository_path>
 #
 #   -ip <hostname> : identifies the remote access IPv4 address or hostname (FQDN) which should be 
-#   	                used by remote clients to access the server.
+#   	             used by remote clients to access the server.  This option is frequently required
+#                    when deploying a Ghidra Server within a docker container.  When this option
+#                    specifies a hostname, and the -Dghidra.keystore JVM property has not been specified, 
+#                    it is generally required that the -ipAlt option be included to specify the IP 
+#                    Address which corresponds to the hostname.
+#
+#   -ipAlt <altName1>[;<altName2>,...] : identifies additional addresses and hostnames (FQDN) that
+#                    should be included as subject alternative names when generating a self-signed 
+#                    server certificate.  Currently, a temporary self-signed server certificate is 
+#                    generated whenever the -Dghidra.keystore option JVM property has not been specified.
+#                    NOTE: ';' must be used as separator for more than one altName. 
 #   	                 
 #   -i #.#.#.# : server interface IPv4 address to listen on (default will listen on all interfaces).
 #	
@@ -265,8 +265,17 @@ Identifies the remote access hostname (FQDN) or IPv4 address which should be  us
 to access the server.  By default the host name reported by the operating system is resolved to an 
 IPv4 address, if this fails the local loopback address is used.  The server log will indicate the 
 remote access hostname at startup.  This option may be required when a server has multiple IP 
-interfaces, relies on a dynamic DNS or other network address translation for incoming connections. 
-This option establishes the property value for _java.rmi.server.hostname_.
+interfaces, running within a docker container, or relies on a dynamic DNS or other network address 
+translation for incoming connections.  This option establishes the property value for 
+_java.rmi.server.hostname_.  When this option specifies a hostname, and the _-Dghidra.keystore_ JVM 
+property has not been specified, it is generally required that the _-ipAlt_ option be included to 
+specify the IP Address which corresponds to the hostname.
+
+#### `-ipAlt <altName1>[;<altName2>,...]`
+Identifies additional addresses and hostnames (FQDN) that should be included as subject alternative 
+names when generating a self-signed server certificate.  Currently, a temporary self-signed server 
+certificate is generated whenever the _-Dghidra.keystore_ JVM property has not been specified.  
+NOTE: ';' must be used as separator for more than one altName.
 			
 #### `-i <#.#.#.#>`
 Forces the server to be bound to a specific IPv4 interface on the server. If specified and the `-ip`