Is SSL_CTX_set_tmp_rsa_callback() only for small keys?

Matt Caswell matt at
Tue Mar 16 00:15:49 UTC 2021

On 15/03/2021 23:53, Thomas Dwyer III wrote:
> I'm porting some very old code from 1.0.2 to 3.0 (but it still has to 
> compile for both) and I'm trying to understand it's use of 
> SSL_CTX_set_tmp_rsa_callback(). It looks like this was removed in 1.1.0 
> but it's not obvious to me why it was necessary in the first place. My 
> read of the 1.0.2 man page suggests that the callback is only invoked 
> for very small key sizes in order to comply with US export restrictions 
> from decades ago, but I'm having trouble confirming this via code 
> inspection. Is my understanding correct and, given that this code will 
> never see RSA keys smaller than 2048 bits, I can just delete the 
> callback rather than add a bunch of:
> #if OPENSSL_VERSION_NUMBER < 0x10100000L
> ...
> #endif
> Or is there some fundamental difference between the way key exchange 
> works in 1.0.2 compared to later versions that makes the callback in 
> 1.0.2 still necessary?

You are correct. Just delete the code.


More information about the openssl-users mailing list