
Introducing s2n, a New Open-Source TLS Implementation - ukj
http://blogs.aws.amazon.com/security/post/TxCKZM94ST1S6Y/Introducing-s2n-a-New-Open-Source-TLS-Implementation
======
edwintorok
If I counted right:

    OCaml TLS: ~4400 LoC
    OCaml X509: ~1550 LoC
    OCaml ASN1: ~1400 LoC
    OCaml nocrypto: ~5250 LoC

Total ~12600 LoC but you get a fully self-contained implementation, having
only some crypto code in C and the rest as pure OCaml:

[https://mirage.io/blog/why-ocaml-tls](https://mirage.io/blog/why-ocaml-tls)
[https://mirage.io/blog/announcing-mirage-25-release](https://mirage.io/blog/announcing-mirage-25-release)

~~~
wbond
Also note that s2n links with OpenSSL (or LibreSSL, BoringSSL) for the ciphers
and ASN.1 functionality.

At first I was really surprised/impressed/worried that they managed to pull
off an ASN.1 parser in C along with TLS in just 6,000 lines of code. Alas,
they did not.

So, when they mention the 500,000 lines of OpenSSL, they are probably actually
using a good 20,000+ of it for ASN.1 and all of the ciphers.

Yay marketing!

~~~
gsnedders
Still using it for ASN.1 is quite sad, given ASN.1 is where a fair few
security bugs have been. If I'm not mistaken, this includes CVE-2015-0286,
CVE-2015-0287, CVE-2012-2110, CVE-2009-0590, CVE-2009-0789, and CVE-2006-2937
from the last decade (and more if you go further back). The ciphers are pretty
damned solid — the ASN.1 code… not so much. I'd argue that the ASN.1 parsing
and the like is one of the areas that sorely needs replacing in OpenSSL,
precisely because it has had so many vulnerabilities found in it over the
years.

~~~
userbinator
Incidentally, Fabrice Bellard has written a small ASN.1 compiler:

[http://bellard.org/ffasn1/](http://bellard.org/ffasn1/)

However, he does not want to give it away.

ASN.1 is a rather hairy standard overall, but AFAIK only a part of it is
needed for TLS.

------
richm44
Note that this library is currently only providing server functionality, and
doesn't do certificate validation (in fact it appears to not do any of the
X.509 parts of SSL/TLS). It's certainly interesting, but one of the reasons
it's so small is that it's missing critical functionality for many use cases.

~~~
cperciva
I think that's kind of the point. If your web server's TLS stack is trying to
validate client certificates, you're doing it wrong.

~~~
richm44
There's nothing wrong with client certs (other than insane complexity).
However ultimately s2n is likely to need to support operation as a client too
at which point things like certificate validation etc. will be needed and the
amount of code will increase.

~~~
cperciva
Insane complexity is exactly why supporting client certs is a bad idea.

~~~
marcosdumay
No, sorry. The insane complexity is on the requirements. If you need client
certs, anything you do to satisfy the need will be at least as complex.

~~~
cperciva
Yes, but 99.999% of web servers don't need client certs.

~~~
Tepix
Source?

~~~
aaronbrethorst
I think cperciva's opinion is a sufficiently valid source on this sort of
issue, which is probably why you're being downvoted.

~~~
cperciva
Thank you for the vote of confidence, but you're wrong. The question of "real
world usage of TLS" is one where I would immediately defer to tptacek without
question... and you've been around long enough to know that's something I
don't do very often.

------
userbinator
I wonder if this could motivate others to try making even simpler
implementations of TLS - essentially, an effort toward the bare minimum
necessary to be secure.

The fact that they are focusing on the TLS protocol itself and not the actual
encryption implementation is a good way to start; the "extraneous complexity"
is not really in algorithms like RSA/ECDSA/AES since those are specified
mathematically, but in the handling of the protocol messages and states. That
is also where most of the bugs tend to be.

It reminds me of this Hoare quote: "There are two ways of constructing a
software design: One way is to make it so simple that there are obviously no
deficiencies and the other way is to make it so complicated that there are no
obvious deficiencies."

------
agazso
Can you use this library without having to use its IO capabilities?

My biggest issue with OpenSSL is that it also tries to do IO, but does it in a
not too well-performing and non cross-platform way.

~~~
bodyfour
At least with OpenSSL you can implement your own BIO objects and do the I/O
yourself if you want/need to. It's not the cleanest or best-documented
interface in the world, but it's certainly usable.

~~~
harshaw
It is usable. But I think you would be hard pressed to find a more widely used
piece of software that has absolutely terrible documentation. The only real way
to figure it out is to read the code or read the examples.

------
geertj
Unfortunately this still uses libcrypto from OpenSSL. This isn't a fully
self-contained implementation of TLS.

~~~
tyho
Nobody is particularly worried about libcrypto. There would be little point in
reimplementing its functionality.

~~~
alricb
libcrypto includes the OpenSSL ASN.1 code, which is worrying as all hell,
e.g.:
[https://git.openssl.org/?p=openssl.git;a=blob;f=crypto/asn1/...](https://git.openssl.org/?p=openssl.git;a=blob;f=crypto/asn1/tasn_dec.c;h=7a6414ad04761b5b355869c4fd8d095ce5ddbe6c;hb=HEAD)

Or any file in that directory.

~~~
imaginenore
Oh man, that code is just horrible. No comments on some of the functions, no
comments on the input parameters and return values pretty much throughout.

I really thought OpenSSL was in a much better shape.

~~~
jerf
Code that implements standards should be read with the standard open next to
it. This code:
[https://git.openssl.org/?p=openssl.git;a=blob;f=crypto/md5/m...](https://git.openssl.org/?p=openssl.git;a=blob;f=crypto/md5/md5_dgst.c;h=335126c76d8fdc7f59dd68b2bbe134216c68ae26;hb=HEAD)
looks like awful garbage, until you compare it to
[https://www.ietf.org/rfc/rfc1321.txt](https://www.ietf.org/rfc/rfc1321.txt) ,
and then you realize you don't really _want_ comments or anything else
cluttering up the implementation.

------
VeejayRampay
Glad to see that some of the big players are starting to get into the habit of
giving back to the communities building the bricks their success was built
upon. Facebook, Google, Apple, Amazon, Twitter, all of them have contributed
major pieces of the web fabric in the past few years. The power and money they
can divert to such operations is a key factor in producing mature tools which
will help foster the web ecosystem in the end.

------
xvilka
I wonder why they implement SSLv3 in the new product, while others are already
deprecating and removing it?

~~~
andruby
Amazon uses this library on all their AWS APIs. They probably still need to
support SSLv3.

~~~
scosman
Amazon disabled SSLv3 on S3 very recently (May 20th), prob as part of moving
to S2N.

------
yellowapple
> As a result of this, we’ve found that it is easier to review s2n; we have
> already completed three external security evaluations and penetration tests
> on s2n, a practice we will be continuing.

"Our pill has been clinically tested."

What were the _results_?

------
borplk
Very impressive, thanks Amazon!

------
nailer
> s2n is short for “signal to noise”

Anyone else think this was a contraction of the a11y, i18n, a16z or f6s
variety?

~~~
DanWaterworth
Here are your options:

sawn scan seen sewn shin shun sign skin soon sown span spin spun stun swan

"Yeh, we're not vulnerable, because we've been using the swan library"

~~~
jnky
> "Yeh, we're not vulnerable, because we've been using the swan library"

Yeah, who would name a crypto implementation something stupid like "swan". Oh
wait...
[https://en.wikipedia.org/wiki/Openswan](https://en.wikipedia.org/wiki/Openswan)

------
mattbillenstein
I think another implementation is not necessarily a bad thing, but it's a
shame that this effort couldn't be combined with LibreSSL and BoringSSL or
even OpenSSL under a single project. Having more eyes on one thing would be
better it would seem.

~~~
cwp
No! Let's have many implementations all with completely separate code bases.
Then when the next security bug is found it won't affect the whole internet.

~~~
mattbillenstein
I can see that side of it, but when N >> M I don't really see how that helps
things significantly.

N = number of https sites

M = number of tls implementations

~~~
cwp
You don't think N(M-1)/M sites not being affected by the next heartbleed
wouldn't be significant?

------
s2m
Is it me, or is Amazon s2n (signal to noise) logo very similar to our company
(signal2meaning) logo?

[https://signal2meaning.com/](https://signal2meaning.com/)

------
mback2k
Sounds great. I hope that Windows support without an additional crypto library
dependency is added soon, e.g. using Windows CryptoAPI or Windows Cryptography
API: Next Generation (CNG).

------
zymhan
I wonder if they will include it in Amazon Linux at some point.

------
kvb
How does this compare to miTLS[1]?

[1] - [http://www.mitls.org/wsgi/home](http://www.mitls.org/wsgi/home)

------
devy
So I bet there will be a rust implementation before long :)

~~~
kibwen
There are some Mozilla security folks feeling out the waters as we speak.

------
mwcampbell
I hope libcurl supports this soon.

~~~
cbr
s2n is server-only

~~~
mback2k
I don't think that this is true. See
[https://github.com/awslabs/s2n/blob/master/bin/s2nc.c](https://github.com/awslabs/s2n/blob/master/bin/s2nc.c)

