Role Separation

Jordan Brown openssl at
Mon Sep 16 18:59:30 UTC 2019

On 9/15/2019 8:29 AM, Kyle Hamilton wrote:
> OpenSSL is a toolkit, not a full implementation.  More importantly, it
> is a library, so anyone who can link against it can perform all
> operations that the library can support, and the library has no
> concept of role separation built in.

Still more importantly, almost everything OpenSSL does is just math and
file manipulation.  S_client and s_server add basic network operations. 
There's probably some low-level goop for hardware acceleration, but
that's just acceleration.

You can write a program to do those things without needing to involve
OpenSSL, so restrictions on OpenSSL per se aren't very interesting.

The way to restrict PKI operations (in a simple configuration) is
through file and directory permissions on the data involved.

Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list