From b16a48f6137e08f43fc38b4d96d16d49b3392ed7 Mon Sep 17 00:00:00 2001
From: Antoine Martin <antoine@xpra.org>
Date: Wed, 28 Aug 2024 16:30:42 +0700
Subject: [PATCH] encryption may still be enabled when sending the challenge
 response

---
 xpra/client/base/client.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/xpra/client/base/client.py b/xpra/client/base/client.py
index 227f14f097..489a36f2ca 100644
--- a/xpra/client/base/client.py
+++ b/xpra/client/base/client.py
@@ -913,7 +913,9 @@ def validate_challenge_packet(self, packet) -> bool:
         digest = str(packet[3]).split(":", 1)[0]
         # don't send XORed password unencrypted:
         if digest in ("xor", "des"):
-            encrypted = p.is_sending_encrypted()
+            # verify that the connection is already encrypted,
+            # or that it will be configured for encryption in `send_challenge_reply`:
+            encrypted = p.is_sending_encrypted() or self.get_encryption()
             local = self.display_desc.get("local", False)
             authlog(f"{digest} challenge, encrypted={encrypted}, local={local}")
             if local and ALLOW_LOCALHOST_PASSWORDS: