s2n: TLS from Amazon

security_comps2n (signal to noise) is a new TLS security protocol implementation announced by Amazon yesterday. It’s home-grown by Amazon as an alternative to OpenSSL’s TLS implementation. Amazon Web Services is a product with high security requirements and the recent series of vulnerability discoveries in OpenSSL was the driving factor behind developing s2n. After 3 external security audits and penetration tests on s2n, the company has released the source under Apache 2.0 license as open source.

Amazon plans to introduce s2n to its AWS services in the next months. However, this will not require any changes on the client services as the TLS protocol is a standard one  and s2n implements it by the specs.

s2n is written in C. It implements SSLv3, TLS1.0, TLS1.1, and TLS1.2 and supports 128-bit and 256-bit AES, in the CBC and GCM modes, 3DES, and RC4 encryption algorithms. For forward secrecy, s2n supports both DHE and ECDHE. s2n also supports the Server Name Indicator (SNI), Application-Layer Protocol Negotiation (ALPN) and the Online Certificate Status Protocol (OCSP) TLS extensions. s2n supports blocking, non-blocking, and full-duplex I/O. Additionally there are no locks or mutexes within s2n.

SSLv3, RC4, and DHE are disabled by default for security related reasons. And by the time you are read this article, SSLv3 is deprecated as well. Note that s2n does not implement cryptographic algorithms of libcrypto. It is compatible with libcrypto.

Safety mechanisms

  • Small and auditable code base (just over 6000 lines of code at the time of writing)
  • Static analysis, fuzz-testing and penetration testing
  • Unit tests and end-to-end testing
  • Erase plaintext on read
  • Built-in memory protection
  • Minimalist feature adoption
  • Compartmentalized random number generation
  • Modularized encryption
  • Table based state-machines
  • C safety


To use the s2n library (libs2n.so) you need to compile it from source. On Ubuntu, run:

$ sudo apt-get install
$ git clone https://github.com/awslabs/s2n
$ cd s2n
$ make libs

Once the compilation is over, you’ll find libs2nso under the s2n/lib directory in the project tree.


It’s easy to use s2n n your code for testing. Sample API usage:

# include <api/s2n.h>

/* Use the latest s2n "default" set of ciphersuite and protocol preferences */
s2n_config_set_cipher_preferences(config, "default");
// OR
/* Use a specific set of preferences, update when you're ready */
// s2n_config_set_cipher_preferences(config, "20150306")

/* Create a server mode connection handle */
struct s2n_connection *conn = s2n_connection_new(S2N_SERVER);
if (conn == NULL) {
... error ...

/* Associate a connection with a file descriptor */
if (s2n_connection_set_fd(conn, fd) < 0) {
... error ...

/* Negotiate the TLS handshake */
int more;
if (s2n_negotiate(conn, &more) < 0) {
... error ...

/* Write data to the connection */
int bytes_written;
bytes_written = s2n_send(conn, "Hello World", sizeof("Hello World"), &more);

/* Shutdown the connection when you are done */
s2n_shutdown(conn, &more);

/* Free connection */

Note that you need to link to libs2n.so using -ls2n to compile your code.

Leave a Reply

Your email address will not be published. Required fields are marked *