On Sun Dec 03 07:13:14 2017, each@isc.org wrote:
> I think if we're going to support PKCS#11, native is the better way to
> go. If I recall correctly, the only reason we kept OpenSSL PKCS#11 was
> that you couldn't run native PKCS#11 with the AEP Keyper. (And that may
> not even be true anymore.)

=> I confirm the last statement. In fact any HSM which can be supported
by a PKCS#11 OpenSSL engine ("a" means our and others) should work
with native PKCS#11 code.