{"id":13480313,"url":"https://github.com/aws/s2n-tls","last_synced_at":"2025-05-12T05:30:10.337Z","repository":{"id":18175063,"uuid":"21287076","full_name":"aws/s2n-tls","owner":"aws","description":"An implementation of the TLS/SSL protocols","archived":false,"fork":false,"pushed_at":"2025-05-12T00:13:27.000Z","size":36740,"stargazers_count":4588,"open_issues_count":334,"forks_count":722,"subscribers_count":171,"default_branch":"main","last_synced_at":"2025-05-12T02:44:59.615Z","etag":null,"topics":["c","c99","crypto","cryptography","encryption","s2n","ssl","tls"],"latest_commit_sha":null,"homepage":"https://aws.github.io/s2n-tls/usage-guide/","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aws.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2014-06-27T19:37:59.000Z","updated_at":"2025-05-11T09:14:24.000Z","dependencies_parsed_at":"2024-03-08T20:32:53.687Z","dependency_job_id":"8b48bbd4-fcbe-4c8f-b7fb-931a38daa5cc","html_url":"https://github.com/aws/s2n-tls","commit_stats":{"total_commits":4022,"total_committers":245,"mean_commits":"16.416326530612245","dds":0.8928393833913476,"last_synced_commit":"3c9a802d63d137b51bbcdc4489012a5fe21b311a"},"previous_names":["awslabs/s2n"],"tags_count":149,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aws%2Fs2n-tls","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aws%2Fs2n-tls/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposito
ries/aws%2Fs2n-tls/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aws%2Fs2n-tls/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aws","download_url":"https://codeload.github.com/aws/s2n-tls/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253672731,"owners_count":21945482,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["c","c99","crypto","cryptography","encryption","s2n","ssl","tls"],"created_at":"2024-07-31T17:00:37.274Z","updated_at":"2025-05-12T05:30:10.304Z","avatar_url":"https://github.com/aws.png","language":"C","readme":"\u003cimg src=\"docs/images/s2n_logo_github.png\" alt=\"s2n\"\u003e\n\ns2n-tls is a C99 implementation of the TLS/SSL protocols that is designed to be simple, small, fast, and with security as a priority. 
It is released and licensed under the Apache License 2.0.\n\n\u003e s2n-tls is short for \"signal to noise\" and is a nod to the almost magical act of encryption — disguising meaningful signals, like your critical data, as seemingly random noise.\n\u003e\n\u003e -- [s2n-tls announcement](https://aws.amazon.com/blogs/security/introducing-s2n-a-new-open-source-tls-implementation/)\n\n[![Build Status](https://codebuild.us-west-2.amazonaws.com/badges?uuid=eyJlbmNyeXB0ZWREYXRhIjoiMndlTzJNbHVxWEo3Nm82alp4eGdGNm4rTWdxZDVYU2VTbitIR0ZLbHVtcFFGOW5majk5QnhqaUp3ZEkydG1ueWg0NGlhRE43a1ZnUzZaQTVnSm91TzFFPSIsIml2UGFyYW1ldGVyU3BlYyI6IlJLbW42NENlYXhJNy80QnYiLCJtYXRlcmlhbFNldFNlcmlhbCI6MX0%3D\u0026branch=main)](https://github.com/aws/s2n-tls/)\n[![Apache 2 License](https://img.shields.io/github/license/aws/s2n-tls.svg)](http://aws.amazon.com/apache-2-0/)\n[![C99](https://img.shields.io/badge/language-C99-blue.svg)](http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1256.pdf)\n[![Github forks](https://img.shields.io/github/forks/aws/s2n-tls.svg)](https://github.com/aws/s2n-tls/network)\n[![Github stars](https://img.shields.io/github/stars/aws/s2n-tls.svg)](https://github.com/aws/s2n-tls/stargazers)\n\n## Quickstart for Ubuntu\n\n```bash\n# clone s2n-tls\ngit clone https://github.com/aws/s2n-tls.git\ncd s2n-tls\n\n# install build dependencies\nsudo apt update\nsudo apt install cmake\n\n# install a libcrypto\nsudo apt install libssl-dev\n\n# build s2n-tls\ncmake . 
-Bbuild \\\n    -DCMAKE_BUILD_TYPE=Release \\\n    -DCMAKE_INSTALL_PREFIX=./s2n-tls-install\ncmake --build build -j $(nproc)\nCTEST_PARALLEL_LEVEL=$(nproc) ctest --test-dir build\ncmake --install build\n```\n\nSee the [s2n-tls build documentation](docs/BUILD.md) for further guidance on building s2n-tls for your platform.\n\n## Have a Question?\nIf you think you might have found a security impacting issue, please follow our [Security Notification Process.](#security-issue-notifications)\n\nIf you have any questions about submitting PRs, s2n-tls API usage, or something similar, please open an issue.\n\n## Documentation\n\ns2n-tls uses [Doxygen](https://doxygen.nl/index.html) to document its public API. The latest s2n-tls documentation can be found on [GitHub pages](https://aws.github.io/s2n-tls/doxygen/). The [Usage Guide](https://aws.github.io/s2n-tls/usage-guide/) explains how different TLS features can be configured and used. s2n-tls Rust bindings docs can be found [here](https://docs.rs/s2n-tls/latest/s2n_tls/).\n\nDocumentation for older versions or branches of s2n-tls can be generated locally. To generate the documentation, install doxygen and run `doxygen docs/doxygen/Doxyfile`. The doxygen documentation can now be found at `docs/doxygen/output/html/index.html`.\n\nDoxygen installation instructions are available at the [Doxygen](https://doxygen.nl/download.html) webpage.\n\n## Platform Support\n\nWe’ve listed the distributions and platforms under two tiers: Tier 1 platforms are guaranteed to build, run, and pass tests in CI. Tier 2 platforms are guaranteed to build and we'll address issues opened against them, but they aren't currently running in our CI and are not actively reviewed with every commit. If you use a platform not listed below and would like to request (or help!) 
add it to our CI, please open an issue for discussion.\n\n### Tier 1\n\n|Distribution in CI                                     |Platforms        |\n|-------------------------------------------------------|-----------------|\n|Ubuntu18, Ubuntu24**                                   | x86_64          |\n|Ubuntu22                                               | x86_64, i686    |\n|AL2, AL2023**                                          | x86_64, aarch64 |\n|NixOS                                                  | x86_64, aarch64 |\n|OpenBSD [7.4](https://github.com/cross-platform-actions/action/blob/master/readme.md#supported-platforms)| x86_64 |\n|FreeBSD [latest](https://github.com/vmactions/freebsd-vm/blob/v1/conf/default.release.conf)| x86_64  |\n|OSX [latest](https://github.com/actions/runner-images?tab=readme-ov-file#available-images) | aarch64 |\n\n**Work in Progress\n\n### Tier 2\n\n|Distribution not in CI |Platforms|\n|-----------------------|---------|\n| Fedora Core 34-36     | x86_64, aarch64 |\n| Ubuntu14/16/20        | x86_64, aarch64 |\n| Ubuntu18/22/24        | aarch64         |\n| [OSX](https://github.com/actions/runner-images/tree/main/images/macos) 12-14 |x86_64|\n\nThese distribution lists are not exhaustive and missing tooling or a missing supported libcrypto library could prevent a successful build.\n\n## Using s2n-tls\n\nThe s2n-tls I/O APIs are designed to be intuitive to developers familiar with the widely-used POSIX I/O APIs, and s2n-tls supports blocking, non-blocking, and full-duplex I/O. Additionally there are no locks or mutexes within s2n-tls.\n\n```c\n/* Create a server mode connection handle */\nstruct s2n_connection *conn = s2n_connection_new(S2N_SERVER);\nif (conn == NULL) {\n    ... error ...\n}\n\n/* Associate a connection with a file descriptor */\nif (s2n_connection_set_fd(conn, fd) \u003c 0) {\n    ... 
error ...\n}\n\n/* Negotiate the TLS handshake */\ns2n_blocked_status blocked;\nif (s2n_negotiate(conn, \u0026blocked) \u003c 0) {\n    ... error ...\n}\n\n/* Write data to the connection */\nint bytes_written;\nbytes_written = s2n_send(conn, \"Hello World\", sizeof(\"Hello World\"), \u0026blocked);\n```\n\nFor details on building the s2n-tls library and how to use s2n-tls in an application you are developing, see the [Usage Guide](https://aws.github.io/s2n-tls/usage-guide).\n\n## s2n-tls features\n\ns2n-tls implements SSLv3, TLS1.0, TLS1.1, TLS1.2, and TLS1.3. For encryption, s2n-tls supports 128-bit and 256-bit AES in the CBC and GCM modes, ChaCha20, 3DES, and RC4. For forward secrecy, s2n-tls supports both DHE and ECDHE. s2n-tls also supports the Server Name Indicator (SNI), Application-Layer Protocol Negotiation (ALPN), and Online Certificate Status Protocol (OCSP) TLS extensions. SSLv3, RC4, 3DES, and DHE are each disabled by default for security reasons.\n\nAs it can be difficult to keep track of which encryption algorithms and protocols are best to use, s2n-tls features a simple API to use the latest \"default\" set of preferences. If you prefer to remain on a specific version for backwards compatibility, that is also supported.\n\n```c\n/* Use the latest s2n-tls \"default\" set of ciphersuite and protocol preferences */\ns2n_config_set_cipher_preferences(config, \"default\");\n\n/* Use a specific set of preferences, update when you're ready */\ns2n_config_set_cipher_preferences(config, \"20150306\");\n```\n\n## s2n-tls safety mechanisms\n\nInternally s2n-tls takes a systematic approach to data protection and includes several mechanisms designed to improve safety.\n\n##### Auditable code base\ns2n-tls's code is structured and written with a focus on reviewability. 
All s2n-tls code is subject to code review, and we plan to complete security evaluations of s2n-tls on an annual basis.\n\nTo date there have been two external code-level reviews of s2n-tls, including one by a commercial security vendor. s2n-tls has also been shared with some trusted members of the broader cryptography, security, and Open Source communities. Any issues discovered are always recorded in the s2n-tls issue tracker.\n\n##### Static analysis, fuzz-testing and penetration testing\n\nIn addition to code reviews, s2n-tls is subject to regular static analysis, fuzz-testing, and penetration testing. Several penetration tests have occurred, including two by commercial vendors.\n\n##### Unit tests and end-to-end testing\n\ns2n-tls includes positive and negative unit tests and end-to-end test cases.\n\nUnit test coverage can be viewed [here](https://dx1inn44oyl7n.cloudfront.net/main/index.html). Note that this represents unit coverage for a particular build. Since that build won't necessarily support all s2n-tls features, test coverage may be artificially lowered.\n\n##### Erase on read\ns2n-tls encrypts or erases plaintext data as quickly as possible. For example, decrypted data buffers are erased as they are read by the application.\n\n##### Built-in memory protection\ns2n-tls uses operating system features to protect data from being swapped to disk or appearing in core dumps.\n\n##### Minimalist feature adoption\ns2n-tls avoids implementing rarely used options and extensions, as well as features with a history of triggering protocol-level vulnerabilities. For example, there is no support for DTLS.\n\n##### Compartmentalized random number generation\nThe security of TLS and its associated encryption algorithms depends upon secure random number generation. s2n-tls provides every thread with two separate random number generators. One for \"public\" randomly generated data that may appear in the clear, and one for \"private\" data that should remain secret. 
This approach lessens the risk of potential predictability weaknesses in random number generation algorithms from leaking information across contexts.\n\n##### Modularized encryption\ns2n-tls has been structured so that different encryption libraries may be used. Today s2n-tls supports AWS-LC, OpenSSL (versions 1.0.2, 1.1.1 and 3.0.x), LibreSSL, and BoringSSL to perform the underlying cryptographic operations. Check the [libcrypto build documentation](docs/BUILD.md#building-with-a-specific-libcrypto) for a list of libcrypto-specific features.\n\n##### Timing blinding\ns2n-tls includes structured support for blinding time-based side-channels that may leak sensitive data. For example, if s2n-tls fails to parse a TLS record or handshake message, s2n-tls will add a randomized delay of between 10 and 30 seconds, granular to nanoseconds, before responding. This raises the complexity of real-world timing side-channel attacks by a factor of at least tens of trillions.\n\n##### Table based state-machines\ns2n-tls uses simple tables to drive the TLS/SSL state machines, making it difficult for invalid out-of-order states to arise.\n\n##### C safety\ns2n-tls is written in C, but makes light use of standard C library functions and wraps all memory handling, string handling, and serialization in systematic boundary-enforcing checks.\n\n## Security issue notifications\nIf you discover a potential security issue in s2n-tls we ask that you notify\nAWS Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue.\n\nIf you package or distribute s2n-tls, or use s2n-tls as part of a large multi-user service, you may be eligible for pre-notification of future s2n-tls releases. 
Please contact s2n-pre-notification@amazon.com.\n\n## Contributing to s2n-tls\nIf you are interested in contributing to s2n-tls, please see our [development guide](https://github.com/aws/s2n-tls/blob/main/docs/DEVELOPMENT-GUIDE.md).\n\n## Language Bindings for s2n-tls\nSee our [language bindings list](https://github.com/aws/s2n-tls/blob/main/docs/BINDINGS.md) for language bindings for s2n-tls that we're aware of.\n","funding_links":[],"categories":["C"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faws%2Fs2n-tls","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faws%2Fs2n-tls","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faws%2Fs2n-tls/lists"}