connectbot · kruton · Jun 9, 2026 · Jun 9, 2026
diff --git a/src/main/java/com/trilead/ssh2/transport/KexManager.java b/src/main/java/com/trilead/ssh2/transport/KexManager.java
@@ -897,7 +897,15 @@ public synchronized void handleMessage(byte[] msg, int msglen) throws IOExceptio
 		throw new IllegalStateException("Unkown KEX method! (" + kxs.np.kex_algo + ")");
 	}
 
+	/**
+	 * Returns whether strict key exchange has been negotiated for the current exchange.
+	 *
+	 * @return {@code true} if strict key exchange has been negotiated, or {@code false}
+	 *         if negotiation has not completed or strict key exchange is not enabled
+	 */
 	public boolean isStrictKex() {
-		return kxs.np.isStrictKex;
+		KexState currentKex = kxs;
+		NegotiatedParameters negotiatedParameters = currentKex == null ? null : currentKex.np;
+		return negotiatedParameters != null && negotiatedParameters.isStrictKex;
 	}
 }
diff --git a/src/test/java/com/trilead/ssh2/transport/KexManagerTest.java b/src/test/java/com/trilead/ssh2/transport/KexManagerTest.java
@@ -18,6 +18,7 @@
 import java.io.IOException;
 import java.security.SecureRandom;
 
+import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import static org.hamcrest.MatcherAssert.assertThat;
@@ -76,6 +77,13 @@ public void twoKEXCalls_OneOutputPacket() throws Exception {
 		verify(tm, times(1)).sendKexMessage(any());
 	}
 
+	@Test
+	public void strictKexBeforeNegotiation_ReturnsFalse() throws Exception {
+		kexManager.initiateKEX(new CryptoWishList(), new DHGexParameters());
+
+		assertFalse(kexManager.isStrictKex());
+	}
+
 	@Test
 	public void handlePacket_BeforeKex_NotKexInit_ThrowsException() throws Exception {
 		assertThrows(IOException.class, () -> {