NIAP: View Technical Decision Details
NIAP/CCEVS
TD0794:  Correction to FCS_SSH_EXT.1.7 Test 2

Publication Date
2023.10.03

Protection Profiles
PP_ESM_AC_V2.1, PP_ESM_ICM_V2.1, PP_ESM_PM_V2.1

Other References
FCS_SSH_EXT.1.7

Issue Description

There is a conflict between the security requirement FCS_SSH_EXT.1.7 and the test activity (Test 2) specified in TD0574 for TOEs acting as an SSH client.

FCS_SSH_EXT.1.7 requires the TOE to ensure that the selected algorithms are the only allowed key exchange methods for SSH. Test 2 of the test activity specified in TD0574 instructs the evaluator to configure the SSH client to allow only diffie-hellman-group1-sha1 and the SSH server to allow all the methods selected in the SFR, and to verify that the connection fails. If the TOE acts as the SSH client, the test instruction requires configuring the TOE to allow only a key exchange method that is not among the selected algorithms, which conflicts with the SFR.

Resolution

FCS_SSH_EXT.1.7 Test 2, as specified in TD0574, is updated as follows, with deletions shown as [-text-] and additions shown as {+text+}:

Test 2: The evaluator shall attempt to establish an SSH connection, using the TSF, where the [-SSH client-] {+peer+} only allows the diffie-hellman-group1-sha1 key exchange and the [-SSH server-] {+TOE+} is configured according to the algorithms allowed in the SFR. The evaluator shall observe that the attempt fails.

Justification

See issue description.
