diff --git a/src/rdkafka.h b/src/rdkafka.h
index 2065e72533..b24a9917f9 100644
--- a/src/rdkafka.h
+++ b/src/rdkafka.h
@@ -8736,7 +8736,7 @@ typedef struct rd_kafka_UserScramCredentialAlteration_s
 /**
  * @brief Allocates a new UserScramCredentialUpsertion given its fields.
  *        If salt isn't given a 64 B salt is generated using OpenSSL
- *        RAND_bytes, if available.
+ *        RAND_priv_bytes, if available.
  *
  * @param username The username (not empty).
  * @param mechanism SASL/SCRAM mechanism.
@@ -8746,6 +8746,9 @@ typedef struct rd_kafka_UserScramCredentialAlteration_s
  * @param salt Salt bytes (optional).
  * @param salt_size Size of \p salt (optional).
  *
+ * @remark A random salt is generated, when NULL, only if OpenSSL >= 1.1.1.
+ *         Otherwise it's a required param.
+ *
  * @return A newly created instance of rd_kafka_UserScramCredentialAlteration_t.
  *         Ownership belongs to the caller, use
  *         rd_kafka_UserScramCredentialAlteration_destroy to destroy.
diff --git a/src/rdkafka_admin.c b/src/rdkafka_admin.c
index dfa38e55d0..8628dd14c3 100644
--- a/src/rdkafka_admin.c
+++ b/src/rdkafka_admin.c
@@ -5426,7 +5426,7 @@ rd_kafka_UserScramCredentialUpsertion_new(const char *username,
                 alteration->alteration.upsertion.salt =
                     rd_kafkap_bytes_new(salt, salt_size);
         } else {
-#if WITH_SSL
+#if WITH_SSL && OPENSSL_VERSION_NUMBER >= 0x10101000L
                 unsigned char random_salt[64];
                 if (RAND_priv_bytes(random_salt, sizeof(random_salt)) == 1) {
                         alteration->alteration.upsertion.salt =