<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 9/15/2019 8:29 AM, Kyle Hamilton
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAPMEXDbjV0Q+5husNPoF6WW41oxVZfEM5GMPdSSs4LsKPHKEyA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="auto">OpenSSL is a toolkit, not a full implementation.
More importantly, it is a library, so anyone who can link
against it can perform all operations that the library can
support, and the library has no concept of role separation built
in.</div>
</blockquote>
<br>
Still more importantly, almost everything OpenSSL does is just math
and file manipulation. S_client and s_server add basic network
operations. There's probably some low-level goop for hardware
acceleration, but that's just acceleration.<br>
<br>
You can write a program to do those things without needing to
involve OpenSSL, so restrictions on OpenSSL per se aren't very
interesting.<br>
<br>
The way to restrict PKI operations (in a simple configuration) is
through file and directory permissions on the data involved.<br>
<pre class="moz-signature" cols="72">--
Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris</pre>
</body>
</html>