s2n-tls
An implementation of the TLS/SSL protocols
s2n-tls is an open-source C library from AWS that implements TLS and SSL, the protocols that encrypt traffic between a client and a server. When you visit a website over HTTPS, TLS is what protects the connection. s2n-tls provides that same capability as a library that developers can build into their own applications. The name is short for "signal to noise", referring to encryption disguising meaningful data as what looks like random noise.
The design priorities are simplicity, small code size, and security. The codebase is deliberately kept compact so it can be audited: AWS commissions external security reviews on an annual basis and has had two full code-level reviews by outside vendors. The library also goes through regular static analysis, fuzz testing, and penetration testing. There are no locks or mutexes inside the library, which avoids a class of concurrency bugs.
On the technical side, s2n-tls supports TLS versions from 1.0 through 1.3 as well as the older SSLv3. It supports a range of encryption algorithms including AES-128, AES-256, and ChaCha20. Several older protocol versions and algorithms (SSLv3, RC4, 3DES, DHE) are disabled by default for security reasons, but can be re-enabled if backward compatibility with legacy peers is required. The API for choosing which cipher suites and protocol versions to support is designed to be simple: you either pick the current recommended defaults, which move forward as the library is updated, or pin to a specific versioned preference set so that a library upgrade cannot silently change what your application negotiates.
The I/O interface is modeled after the POSIX socket API, so developers familiar with standard network programming will find it straightforward. It supports blocking, non-blocking, and full-duplex modes.
s2n-tls is tested across a range of Linux distributions (Ubuntu, Amazon Linux, NixOS), BSD systems (OpenBSD, FreeBSD), and macOS. Rust bindings are also available. It is released under the Apache 2.0 license and is the TLS library used inside several AWS services.