Introducing s2n, a New Open Source TLS Implementation
At Amazon Web Services, strong encryption is one of our standard features, and an integral aspect of that is the TLS (previously called SSL) encryption protocol. TLS is used with every AWS API and is also available directly to customers of many AWS services including Elastic Load Balancing (ELB), AWS Elastic Beanstalk, Amazon CloudFront, Amazon S3, Amazon RDS, and Amazon SES.
The last 18 months or so has been an eventful time for the TLS protocol. Impressive cryptography analysis highlighted flaws in several TLS algorithms that are more serious than previously thought, and security research revealed issues in several software implementations of TLS. Overall, these developments are positive and improve security, but for many they have also led to time-consuming operational events, such as software upgrades and certificate rotations.
Part of the challenge is that the TLS protocol, including all of its optional extensions, has become very complex. OpenSSL, the de facto reference implementation, contains more than 500,000 lines of code with at least 70,000 of those involved in processing TLS. Naturally, with each line of code there is a risk of error, but this large size also presents challenges for code audits, security reviews, performance, and efficiency.
In order to simplify our TLS implementation and as part of our support for strong encryption for everyone, we are pleased to announce the availability of a new Open Source implementation of the TLS protocol: s2n. s2n is a library that has been designed to be small, fast, with simplicity as a priority. s2n avoids implementing rarely used options and extensions, and today is just more than 6,000 lines of code. As a result of this, we’ve found that it is easier to review s2n; we have already completed three external security evaluations and penetration tests on s2n, a practice we will be continuing.
Over the coming months, we will begin integrating s2n into several AWS services. TLS is a standardized protocol and s2n already implements the functionality that we use, so this won’t require any changes in your own applications and everything will remain interoperable.
If you are interested in using or contributing to s2n, the source code, documentation, commits and enhancements are all publically available under the terms of the Apache Software License 2.0 from the s2n GitHub repository.
s2n isn’t intended as a replacement for OpenSSL, which we remain committed to supporting through our involvement in the Linux Foundation’s Core Infrastructure Initiative. OpenSSL provides two main libraries: “libssl”, which implements TLS, and “libcrypto,” which is a general-purpose cryptography library. Think of s2n as an analogue of “libssl,” but not “libcrypto.”
Oh and the name? s2n is short for “signal to noise” and is a nod to the almost magical act of encryption—disguising meaningful signals, like your critical data, as seemingly random noise.