NIAP: View Technical Decision Details
Archived TD0447:  NIT Technical Decision for Using 'diffie-hellman-group-exchange-sha256' in FCS_SSHC/S_EXT.1.7

Publication Date
2019.09.16

Protection Profiles
CPP_FW_V2.0E, CPP_ND_V2.0E, CPP_ND_V2.1

Other References
FCS_SSHC_EXT.1.7, FCS_SSHS_EXT.1.7

Issue Description

The NIT has issued a technical decision on using 'diffie-hellman-group-exchange-sha256' in FCS_SSHC/S_EXT.1.7.

Resolution

The NIT understands that when an open key exchange group is used and then restricted to a specific cipher, the TOE would behave like a TOE in which a specific key exchange group is implemented. That restriction to acceptable key exchange groups, however, depends on proper configuration of the TOE. From the NIT’s perspective, the correct configuration would need to be tested to avoid the use of weak key exchange groups due to misconfiguration. The related Supporting Documents (i.e. ND SD V2.0e and ND SD V2.1) do not foresee such testing. Since NDcPP requires exact conformance and the ND SD does not provide sufficient evaluation activities for the proposed approach, the NIT is of the opinion that the proposed approach is not suitable to fulfill the requirements in FCS_SSHC_EXT.1.7/FCS_SSHS_EXT.1.7.

For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI201901.pdf
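The following Python example is added here for illustration and is not part of the NIT decision or of any Supporting Document. It shows why the outcome of a group exchange depends on configuration: the server chooses the group at run time and sends it in SSH_MSG_KEX_DH_GEX_GROUP (message 31, RFC 4419), so an observer has to inspect the modulus actually offered. The 2048-bit floor, the function names and the sample moduli are assumptions made for this example.

```python
import struct

SSH_MSG_KEX_DH_GEX_GROUP = 31   # message number from RFC 4419
MIN_MODULUS_BITS = 2048         # assumed policy floor, not taken from the TD

def read_mpint(buf, off):
    """Decode an RFC 4251 mpint at buf[off:]; return (value, next_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated mpint length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated mpint body")
    raw = buf[off:off + n]
    if n and raw[0] & 0x80:
        raise ValueError("negative mpint")
    return int.from_bytes(raw, "big"), off + n

def check_gex_group(payload, min_bits=MIN_MODULUS_BITS):
    """Return (modulus_bits, generator, acceptable) for a GEX_GROUP payload."""
    if not payload or payload[0] != SSH_MSG_KEX_DH_GEX_GROUP:
        raise ValueError("not SSH_MSG_KEX_DH_GEX_GROUP")
    p, off = read_mpint(payload, 1)
    g, off = read_mpint(payload, off)
    if off != len(payload):
        raise ValueError("trailing bytes after generator")
    bits = p.bit_length()
    # Size and basic sanity only; this does not prove p is a safe prime.
    acceptable = bits >= min_bits and p % 2 == 1 and 1 < g < p - 1
    return bits, g, acceptable

def encode_mpint(v):
    """Encode a non-negative integer as an mpint (used for the samples)."""
    raw = v.to_bytes((v.bit_length() + 8) // 8, "big") if v else b""
    return struct.pack(">I", len(raw)) + raw

def build_gex_group(p, g):
    """Build a constructed SSH_MSG_KEX_DH_GEX_GROUP payload."""
    return bytes([SSH_MSG_KEX_DH_GEX_GROUP]) + encode_mpint(p) + encode_mpint(g)

# Constructed sample moduli: correct bit lengths, not real DH primes.
WEAK_GROUP = build_gex_group((1 << 1023) | 1, 2)
STRONG_GROUP = build_gex_group((1 << 2047) | 1, 2)

if __name__ == "__main__":
    for name, msg in (("weak", WEAK_GROUP), ("strong", STRONG_GROUP)):
        print(name, check_gex_group(msg))
```
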

Justification

See issue description.