Is SSL_CTX_set_tmp_rsa_callback() only for small keys?


Is SSL_CTX_set_tmp_rsa_callback() only for small keys?

Thomas Dwyer III
I'm porting some very old code from 1.0.2 to 3.0 (but it still has to compile for both) and I'm trying to understand its use of SSL_CTX_set_tmp_rsa_callback(). It looks like this was removed in 1.1.0 but it's not obvious to me why it was necessary in the first place. My read of the 1.0.2 man page suggests that the callback is only invoked for very small key sizes in order to comply with US export restrictions from decades ago, but I'm having trouble confirming this via code inspection. Is my understanding correct and, given that this code will never see RSA keys smaller than 2048 bits, can I just delete the callback rather than add a bunch of:

#if OPENSSL_VERSION_NUMBER < 0x10100000L
...
#endif

Or is there some fundamental difference between the way key exchange works in 1.0.2 compared to later versions that makes the callback in 1.0.2 still necessary?


Thanks,
Tom.III
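The guard in the question compares OPENSSL_VERSION_NUMBER against 0x10100000L, the value for 1.1.0. The following is an added example (not code from this thread or from OpenSSL) that decodes such a version number using the 0xMNNFFPPS layout documented in OpenSSL's opensslv.h, and reports whether a given library version predates the removal of SSL_CTX_set_tmp_rsa_callback() described above. It needs no OpenSSL headers; the threshold constant and the sample version values are assumptions written into the code.

```c
#include <stdio.h>

/* Layout of OPENSSL_VERSION_NUMBER as documented in opensslv.h: 0xMNNFFPPS
 * M = major (4 bits), NN = minor, FF = fix, PP = patch, S = status (0xf = release). */
struct ossl_version {
    unsigned major, minor, fix, patch, status;
};

/* First release without SSL_CTX_set_tmp_rsa_callback(), per the thread (1.1.0).
 * Same value the question's #if guard uses. */
#define OSSL_TMP_RSA_CB_REMOVED 0x10100000UL

struct ossl_version ossl_decode_version(unsigned long v)
{
    struct ossl_version r;
    r.major  = (unsigned)((v >> 28) & 0xf);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = (unsigned)((v >> 4)  & 0xff);
    r.status = (unsigned)(v & 0xf);
    return r;
}

/* Returns 1 if a build against version v still exposes the temporary RSA
 * callback API, 0 if it was removed (i.e. the #if in the question would be false). */
int ossl_has_tmp_rsa_callback(unsigned long v)
{
    return v < OSSL_TMP_RSA_CB_REMOVED;
}

/* Formats the decoded version as "M.NN.FF" plus a letter for patch level,
 * mirroring how OpenSSL 1.x named releases (e.g. 1.0.2a). Returns chars written. */
int ossl_format_version(unsigned long v, char *buf, size_t len)
{
    struct ossl_version d = ossl_decode_version(v);
    if (d.patch == 0)
        return snprintf(buf, len, "%u.%u.%u", d.major, d.minor, d.fix);
    return snprintf(buf, len, "%u.%u.%u%c", d.major, d.minor, d.fix, 'a' + d.patch - 1);
}

int main(void)
{
    /* Constructed sample values: 1.0.2 release, 1.1.0 release, 3.0.0 release. */
    const unsigned long samples[] = { 0x1000200fUL, 0x1010000fUL, 0x3000000fUL };
    char buf[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        ossl_format_version(samples[i], buf, sizeof buf);
        printf("OpenSSL %-8s (0x%08lx): tmp RSA callback API %s\n",
               buf, samples[i],
               ossl_has_tmp_rsa_callback(samples[i]) ? "present" : "removed");
    }
    return 0;
}
```

Run as-is it prints one line per sample version; the point is that a single compile-time comparison against 0x10100000L is all the question's guard does, which is why, once the callback body is gone, nothing version-specific remains to guard.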


Re: Is SSL_CTX_set_tmp_rsa_callback() only for small keys?

Matt Caswell-2


On 15/03/2021 23:53, Thomas Dwyer III wrote:

> I'm porting some very old code from 1.0.2 to 3.0 (but it still has to
> compile for both) and I'm trying to understand its use of
> SSL_CTX_set_tmp_rsa_callback(). It looks like this was removed in 1.1.0
> but it's not obvious to me why it was necessary in the first place. My
> read of the 1.0.2 man page suggests that the callback is only invoked
> for very small key sizes in order to comply with US export restrictions
> from decades ago, but I'm having trouble confirming this via code
> inspection. Is my understanding correct and, given that this code will
> never see RSA keys smaller than 2048 bits, can I just delete the
> callback rather than add a bunch of:
>
> #if OPENSSL_VERSION_NUMBER < 0x10100000L
> ...
> #endif
>
> Or is there some fundamental difference between the way key exchange
> works in 1.0.2 compared to later versions that makes the callback in
> 1.0.2 still necessary?

You are correct. Just delete the code.

Matt