tomaswolf commented on code in PR #449:
URL: https://github.com/apache/mina-sshd/pull/449#discussion_r1442186669
##########
sshd-core/src/main/java/org/apache/sshd/common/session/helpers/AbstractSession.java:
##########
@@ -2520,8 +2614,34 @@ protected String resolveSessionKexProposal(String
hostKeyTypes) throws IOExcepti
}
}
+ protected Map<KexProposalOption, String>
doStrictKexProposal(Map<KexProposalOption, String> proposal) {
+ String value = proposal.get(KexProposalOption.ALGORITHMS);
+ String askForStrictKex = isServerSession()
+ ? KexExtensions.STRICT_KEX_SERVER_EXTENSION
+ : KexExtensions.STRICT_KEX_CLIENT_EXTENSION;
+ if (!initialKexDone) {
+ // On the initial KEX, include the strict KEX flag
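Review bot: doStrictKexProposal is a new protected method on AbstractSession with no Javadoc. Since subclasses can override it, it should say whether the passed proposal map is modified in place or a new map is returned, and that the strict KEX flag is only included while initialKexDone is false. The visible lines also read value from proposal.get(KexProposalOption.ALGORITHMS) without a null or empty check; if the flag is appended to that string further down, that case should be guarded.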
Review Comment:
There is nothing in the SSH protocol that says the client had to send its
proposal first. Apache MINA sshd even has a config flag to delay sending the
client's KEX_INIT until the server's has been received. Apparently that is
needed to get it to work with some servers out there (don't know what SSH
implementation).

A peer that doesn't know about this extension will just treat it as a kex
algorithm, but since its own proposal will not have it, it'll never end up
being negotiated as a kex algorithm and thus be ignored by that peer.
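The negotiation behaviour described in the review comment, as an added example (not code from the PR or from Apache MINA sshd). It assumes the marker names OpenSSH published for strict KEX, uses constructed proposals, and simplifies RFC 4253 section 7.1 to "first client name the server also lists"; the class and method names are hypothetical.

```java
import java.util.Arrays;
import java.util.List;

public class StrictKexMarkerDemo {
    // Marker names published by OpenSSH for the strict KEX extension (assumed here).
    static final String CLIENT_MARKER = "kex-strict-c-v00@openssh.com";
    static final String SERVER_MARKER = "kex-strict-s-v00@openssh.com";

    // Simplified RFC 4253 section 7.1 rule: the first name on the client's list
    // that also appears on the server's list wins.
    static String negotiate(String clientList, String serverList) {
        List<String> server = Arrays.asList(serverList.split(","));
        for (String name : clientList.split(",")) {
            if (server.contains(name)) {
                return name;
            }
        }
        throw new IllegalStateException("no common KEX algorithm");
    }

    static boolean offers(String list, String marker) {
        return Arrays.asList(list.split(",")).contains(marker);
    }

    // Strict KEX is only in effect when each side found the other's marker in the
    // peer's initial proposal. This is a lookup in the received list, so it does
    // not depend on which side sent its KEX_INIT first.
    static boolean strictKex(String clientList, String serverList) {
        return offers(clientList, CLIENT_MARKER) && offers(serverList, SERVER_MARKER);
    }

    public static void main(String[] args) {
        // Constructed proposals for illustration.
        String client = "curve25519-sha256,diffie-hellman-group14-sha256," + CLIENT_MARKER;
        String legacyServer = "diffie-hellman-group14-sha256,curve25519-sha256";
        String strictServer = legacyServer + "," + SERVER_MARKER;

        for (String server : new String[] {legacyServer, strictServer}) {
            // The marker is never selected as the KEX algorithm: a legacy peer does
            // not list it, and the client and server markers have different names.
            System.out.println("kex=" + negotiate(client, server)
                    + " strict=" + strictKex(client, server));
        }
    }
}
```

Both runs select curve25519-sha256 as the KEX algorithm; only the second reports strict KEX as active.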