Is SSL_CTX_set_tmp_rsa_callback() only for small keys?
Matt Caswell
matt at openssl.org
Tue Mar 16 00:15:49 UTC 2021
On 15/03/2021 23:53, Thomas Dwyer III wrote:
> I'm porting some very old code from 1.0.2 to 3.0 (but it still has to
> compile for both) and I'm trying to understand its use of
> SSL_CTX_set_tmp_rsa_callback(). It looks like this was removed in 1.1.0
> but it's not obvious to me why it was necessary in the first place. My
> read of the 1.0.2 man page suggests that the callback is only invoked
> for very small key sizes in order to comply with US export restrictions
> from decades ago, but I'm having trouble confirming this via code
> inspection. Is my understanding correct and, given that this code will
> never see RSA keys smaller than 2048 bits, I can just delete the
> callback rather than add a bunch of:
>
> #if OPENSSL_VERSION_NUMBER < 0x10100000L
> ...
> #endif
>
> Or is there some fundamental difference between the way key exchange
> works in 1.0.2 compared to later versions that makes the callback in
> 1.0.2 still necessary?
You are correct. Just delete the code.
Matt
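The guard in the question compares OPENSSL_VERSION_NUMBER against 0x10100000L, which is the packed encoding of 1.1.0, the release that removed SSL_CTX_set_tmp_rsa_callback(). The following C program is an added example (not code from the thread or from OpenSSL) that decodes that packed layout so a porter can read such constants, and that reports whether a given version still has the callback. The field layout (MNNFFPPS for 1.x; major/minor/patch/pre-release for 3.x) is OpenSSL's documented format; the three sample version numbers are constructed here and the function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* OPENSSL_VERSION_NUMBER layout for 1.x (MNNFFPPS): one hex digit major,
 * two digits minor, two digits fix, two digits patch letter (a=1, b=2, ...),
 * one digit status (0 = dev, 1..e = pre-release, f = release).
 * 3.x keeps the same field widths but stores MAJOR, MINOR and a numeric
 * PATCH (in the PP field) plus the pre-release digit; the FF field is 0. */
struct ossl_version {
    unsigned major, minor, fix, patch, status;
};

/* Split a packed version number into its fields. */
struct ossl_version ossl_decode(unsigned long v) {
    struct ossl_version r;
    r.major  = (v >> 28) & 0xf;
    r.minor  = (v >> 20) & 0xff;
    r.fix    = (v >> 12) & 0xff;
    r.patch  = (v >> 4)  & 0xff;
    r.status = v & 0xf;
    return r;
}

/* SSL_CTX_set_tmp_rsa_callback() exists only before 1.1.0, i.e. for any
 * OPENSSL_VERSION_NUMBER below 0x10100000L, the value the #if guard in the
 * question tests against. */
int ossl_has_tmp_rsa_callback(unsigned long v) {
    return v < 0x10100000UL;
}

/* Render the version the way `openssl version` prints it (1.0.2k, 3.0.0).
 * Returns the number of characters written, as snprintf does. */
int ossl_format(unsigned long v, char *buf, size_t len) {
    struct ossl_version d = ossl_decode(v);
    if (d.major >= 3)                   /* 3.x: MAJOR.MINOR.PATCH */
        return snprintf(buf, len, "%u.%u.%u", d.major, d.minor, d.patch);
    if (d.patch == 0)                   /* 1.x without a patch letter */
        return snprintf(buf, len, "%u.%u.%u", d.major, d.minor, d.fix);
    return snprintf(buf, len, "%u.%u.%u%c", d.major, d.minor, d.fix,
                    (char)('a' + d.patch - 1));
}

int main(void) {
    /* Constructed samples: 1.0.2k release, the 1.1.0 guard constant, 3.0.0 release. */
    unsigned long samples[] = { 0x100020bfUL, 0x10100000UL, 0x3000000fUL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[32];
        ossl_format(samples[i], buf, sizeof buf);
        printf("0x%08lx -> %s, SSL_CTX_set_tmp_rsa_callback %s\n", samples[i], buf,
               ossl_has_tmp_rsa_callback(samples[i]) ? "available" : "removed");
    }
    return 0;
}
```

Running it shows that anything at or above 0x10100000 (1.1.0 and all 3.x builds) reports the callback as removed, which is why, for code that will never negotiate export-grade RSA, deleting the registration is simpler than guarding it.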