Amazon announced today a new library called “s2n”, an open source implementation of TLS/SSL, the cryptographic security protocols behind HTTPS, SSH, SFTP, secure SMTP, and many others. Weighing in at about 6k lines of code, it’s just a little more than 1% the size of OpenSSL, which is really good news in terms of security auditing and testing. OpenSSL isn’t going away, and Amazon has made clear that they will continue to support it. Notably, s2n does not provide all the additional cryptographic functions that OpenSSL provides in libcrypto; it only provides the SSL/TLS functions. Furthermore, it implements a relatively small subset of SSL/TLS features compared to OpenSSL.
For most uses, this is a good thing. The more features that are supported, the more chances for bugs to be introduced into the code, and the more opportunities there are for protocol-level vulnerabilities, of which we’ve seen many in SSL and TLS. For certain applications, especially legacy applications, these missing features may be a showstopper, which is when you can fall back on OpenSSL. But for most common use cases (e.g., setting up a secure web server), the limited feature set of s2n will be more than sufficient.
Time will tell how the security of s2n holds up in real world use, and whether or not anyone is actually interested in adopting s2n. For now, it’s exciting to see a major player taking a serious stand for security, and against feature bloat!