From b096e47f57a66fdfc32b6ff86604c901c279c62f Mon Sep 17 00:00:00 2001
From: James Muehlner
Date: Tue, 13 Sep 2022 21:39:38 +0000
Subject: [PATCH] GUACAMOLE-1669: Include ext-info-c in preferred KEX algorithms to ensure RSA key upgrades can happen.
---
 src/common-ssh/ssh.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/common-ssh/ssh.c b/src/common-ssh/ssh.c
index 5ceba57b..1cbd4834 100644
--- a/src/common-ssh/ssh.c
+++ b/src/common-ssh/ssh.c
@@ -49,9 +49,12 @@ GCRY_THREAD_OPTION_PTHREAD_IMPL;
 
 /**
  * A list of all key exchange algorithms that are both FIPS-compliant, and
- * OpenSSL-supported.
+ * OpenSSL-supported. Note that "ext-info-c" is also included. While not a key
+ * exchange algorithm per se, it must be in the list to ensure that the server
+ * will send a SSH_MSG_EXT_INFO response, which is required to perform RSA key
+ * upgrades.
  */
-#define FIPS_COMPLIANT_KEX_ALGORITHMS "diffie-hellman-group-exchange-sha256"
+#define FIPS_COMPLIANT_KEX_ALGORITHMS "diffie-hellman-group-exchange-sha256,ext-info-c"
 
 /**
  * A list of ciphers that are both FIPS-compliant, and OpenSSL-supported.
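Review bot: The new `#define` puts `ext-info-c` inside `FIPS_COMPLIANT_KEX_ALGORITHMS`, so a macro whose name reads as an allow-list of FIPS-approved key exchanges now carries an RFC 8308 extension indicator that is not an algorithm; the comment explains this, but a later audit or edit of the list could easily misread or drop it. Consider keeping the two apart and joining them by literal concatenation, e.g. `#define SSH_KEX_EXT_INFO_INDICATOR "ext-info-c"` and `#define FIPS_COMPLIANT_KEX_ALGORITHMS "diffie-hellman-group-exchange-sha256," SSH_KEX_EXT_INFO_INDICATOR`. The comment could also say what the "RSA key upgrade" is (presumably moving RSA public-key authentication from SHA-1 `ssh-rsa` signatures to `rsa-sha2-256`/`rsa-sha2-512` once the server advertises `server-sig-algs`), since that is the security reason for the change. The code that passes this string to the SSH library is outside the hunk, so it is worth confirming that the call's return value is checked and that a library version which does not recognise the token still ends up restricted to the FIPS key exchange rather than falling back to its defaults.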