AWS s2n: Open-source TLS Implementation in Less than 6,000 Lines

| by Sergio De Simone Follow 18 Followers on Jul 01, 2015. Estimated reading time: 1 minute |

Amazon Web Services has recently introduced s2n, short for “signal to noise”, an open-source implementation of the TLS/SSL protocols that aims to be “simple, small, fast, and with security as a priority”.

According to Amazon, part of the challenge with the TLS protocol is its complexity, which has brought OpenSSL’s TLS implementation, its “de facto reference implementation”, to have at least 70,000 lines of code out of 500,000. Such a size presents “challenges for code audits, security reviews, performance, and efficiency”.

On the other hand, by not implementing less common options and extensions or features that have a record of vulnerabilities, such as session renegotiation or DTLS, s2n, has managed to keep its size to little more than 6,000 lines of C99 code. According to Amazon, this makes it easier to review s2n, which has already undergone three external security evaluations and penetration tests. Additionally, s2n relies on several mechanisms to improve safety:

  • Erase on read: decrypted data buffers are erased as soon as they are read by the application.
  • Compartmentalized random number generation: s2n uses two different random generators, one for public data that may appear in the clear, and one for private data.
  • Modular encryption: different encryption libraries may be used with s2n, such as OpenSSL, LibreSSL, and others.
  • C safety: s2n uses techniques to reduce liabilities coming from C99 and its standard library, such as enforcing boundary checks on all access to memory, string, and serialization.

Currently, s2n implements all the funcionality that is required for integration with AWS services – including Elastic Load Balancing, Amazon CloudFront, Amazon S3, etc – and its rollout will begin “over the coming months”. More importantly, thanks to TLS being a standardized protocol, this should not require changes in external applications.

As to its API, s2n is designed following POSIX I/O APIs. This should make its use intuitive for all developers familiar with the latter. Interestingly, s2n does not use any locks or mutexes.

According to Amazon, s2n can be seen as a analogue for OpenSSL’s libssl. It is released under the Apache Software License 2.0.

Rate this Article

Adoption Stage

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread


Login to InfoQ to interact with what matters most to you.

Recover your password...


Follow your favorite topics and editors

Quick overview of most important highlights in the industry and on the site.


More signal, less noise

Build your own feed by choosing topics you want to read about and editors you want to hear from.


Stay up-to-date

Set up your notifications and don't miss out on content that matters to you