Is SSL_CTX_set_tmp_rsa_callback() only for small keys?

Thomas Dwyer III tomiii at tomiii.com
Mon Mar 15 23:53:54 UTC 2021


I'm porting some very old code from 1.0.2 to 3.0 (but it still has to
compile for both) and I'm trying to understand its use of
SSL_CTX_set_tmp_rsa_callback(). It looks like this was removed in 1.1.0 but
it's not obvious to me why it was necessary in the first place. My read of
the 1.0.2 man page suggests that the callback is only invoked for very
small key sizes in order to comply with US export restrictions from decades
ago, but I'm having trouble confirming this via code inspection. Is my
understanding correct and, given that this code will never see RSA keys
smaller than 2048 bits, I can just delete the callback rather than add a
bunch of:

#if OPENSSL_VERSION_NUMBER < 0x10100000L
...
#endif

Or is there some fundamental difference between the way key exchange works
in 1.0.2 compared to later versions that makes the callback in 1.0.2 still
necessary?


Thanks,
Tom.III
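The version guard quoted in the question compares OPENSSL_VERSION_NUMBER against 0x10100000L, and getting that constant right is what decides whether the 1.0.2-only code is compiled at all. The following added example (not code from the post or from OpenSSL) decodes the packed MNNFFPPS layout of that constant so the boundary can be checked, and it shows the one layout change that matters when the same source must also build against 3.0: in 3.x the "fix" byte is always zero and the "patch" byte is a plain number rather than a letter. The struct and function names are assumptions, and the code deliberately does not include OpenSSL headers so it compiles on its own.

```c
#include <stdio.h>
#include <string.h>

/* Fields of an OPENSSL_VERSION_NUMBER value (hypothetical helper, not part of OpenSSL).
 * 1.x layout is 0xMNNFFPPS: major, minor, fix, patch letter, status.
 * 3.x layout reuses the same bit positions but FF is 0 and PP is a numeric patch. */
struct ossl_version {
    unsigned major, minor, fix, patch, status;
};

struct ossl_version ossl_decode(unsigned long v) {
    struct ossl_version r;
    r.major  = (v >> 28) & 0xf;
    r.minor  = (v >> 20) & 0xff;
    r.fix    = (v >> 12) & 0xff;
    r.patch  = (v >>  4) & 0xff;
    r.status =  v        & 0xf;   /* 0xf = release; 0 = dev/pre-release; 1..0xe = beta (1.x) */
    return r;
}

/* Render the value as the familiar version string. Uses a static buffer
 * (not thread-safe) so callers can compare the result directly. */
const char *ossl_version_cstr(unsigned long v) {
    static char buf[32];
    struct ossl_version r = ossl_decode(v);
    if (r.major >= 3) {
        /* 3.x: MAJOR.MINOR.PATCH, status 0xf means a release build */
        snprintf(buf, sizeof buf, "%u.%u.%u%s", r.major, r.minor, r.patch,
                 r.status == 0xf ? "" : "-pre");
    } else {
        /* 1.x: MAJOR.MINOR.FIX plus a patch letter where 1 = 'a' */
        char letter[2] = {0, 0};
        if (r.patch >= 1 && r.patch <= 26)
            letter[0] = (char)('a' + r.patch - 1);
        snprintf(buf, sizeof buf, "%u.%u.%u%s%s", r.major, r.minor, r.fix, letter,
                 r.status == 0xf ? "" : (r.status == 0 ? "-dev" : "-beta"));
    }
    return buf;
}

/* The guard from the post: SSL_CTX_set_tmp_rsa_callback() is only available
 * when the compile-time version is below 1.1.0 (0x10100000L is 1.1.0-dev,
 * i.e. the lowest 1.1.0 value, which is why it is the right lower bound). */
int ossl_has_tmp_rsa_callback(unsigned long v) {
    return v < 0x10100000L;
}

int main(void) {
    const unsigned long samples[] = {0x1000214fL, 0x10100000L, 0x1010000fL, 0x3000002fL};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%08lx -> %s (tmp RSA callback: %s)\n", samples[i],
               ossl_version_cstr(samples[i]),
               ossl_has_tmp_rsa_callback(samples[i]) ? "yes" : "no");
    return 0;
}
```

A practical consequence: 0x10100000L has a status nibble of 0, so it names 1.1.0-dev rather than the 1.1.0 release (0x1010000fL); that is what makes `< 0x10100000L` exclude every 1.1.0 build, pre-release or not, and it is also why the same guard is correct for 3.0, whose values all start at 0x30000000L.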