On 9/15/2019 8:29 AM, Kyle Hamilton wrote: > OpenSSL is a toolkit, not a full implementation. More importantly, it > is a library, so anyone who can link against it can perform all > operations that the library can support, and the library has no > concept of role separation built in.
Still more importantly, almost everything OpenSSL does is just math and file manipulation. S_client and s_server add basic network operations. There's probably some low-level goop for hardware acceleration, but that's just acceleration. You can write a program to do those things without needing to involve OpenSSL, so restrictions on OpenSSL per se aren't very interesting. The way to restrict PKI operations (in a simple configuration) is through file and directory permissions on the data involved. -- Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris