Skip to content
Dev0 Docs

C25519 Is Not Allowed In Fips Mode

Issue

kex_gen_client: Key exchange type c25519 is not allowed in FIPS mode

Solution

  1. Check the server for accepted KEX
    Terminal window
    ssh -Q kex contoso.com -p 22
    diffie-hellman-group1-sha1
    diffie-hellman-group14-sha1
    diffie-hellman-group14-sha256
    diffie-hellman-group16-sha512
    diffie-hellman-group18-sha512
    diffie-hellman-group-exchange-sha1
    diffie-hellman-group-exchange-sha256
    ecdh-sha2-nistp256
    ecdh-sha2-nistp384
    ecdh-sha2-nistp521
    curve25519-sha256
    curve25519-sha256@libssh.org
    sntrup761x25519-sha512@openssh.com
  2. Omit the issue KEX, since you have working ones that can be used
    Terminal window
    ssh -o KexAlgorithms=-curve25519-sha256 contoso.com
  3. If this works /etc/crypto-policies/back-ends/openssh.config and remove the offending KEX entries that are most likely the first 2:
curve25519-sha256,curve25519-sha256@libssh.org