Setting up s2n on Linux

Amazon has released a compact implementation of the TLS protocol called s2n, for "signal to noise". You can get it on GitHub: https://github.com/awslabs/s2n

The smaller code base, compared to other SSL implementations, should make s2n easier to review, and thus better verified and potentially more robust than its competitors. In this post I focus on installing s2n and trying it out on your Linux machine. I use Ubuntu 14.04 for this, but the instructions apply to other Linux distributions as well.


A good way to start with s2n is to build it as described in the Github s2n Usage Guide.


Building s2n with OpenSSL

s2n reuses some cryptographic primitives from classical SSL implementations, which is why another SSL library is needed to build it. We take OpenSSL for this purpose. Essentially the following commands build s2n against OpenSSL.

# clone s2n
git clone https://github.com/awslabs/s2n.git
cd s2n

# Get OpenSSL
cd libcrypto-build
curl -LO https://www.openssl.org/source/openssl-1.0.2-latest.tar.gz
tar -xzvf openssl-1.0.2-latest.tar.gz
# Build it (the extracted directory name depends on the current 1.0.2 release;
# at the time of writing it was openssl-1.0.2d, check with "ls" after extracting)
cd openssl-1.0.2d

./config -fPIC no-shared no-libunbound no-gmp no-jpake no-krb5 \
no-md2 no-rc5 no-rfc3779 no-sctp no-ssl-trace no-store no-zlib \
no-hw no-mdc2 no-seed no-idea enable-ec-nist_64_gcc_128 no-camellia \
no-bf no-ripemd no-dsa no-ssl2 no-ssl3 no-capieng \
-DSSL_FORBID_ENULL -DOPENSSL_NO_DTLS1 -DOPENSSL_NO_HEARTBEATS \
--prefix=`pwd`/../../libcrypto-root/

make depend
make
make install

# Build s2n
cd ../../
make

After Building s2n

Here we deal mainly with the question of how to try s2n out and start developing with it. For this purpose, as the manual recommends, it is good to have a look at the code of the example project in the bin folder: https://github.com/awslabs/s2n/tree/master/bin

There is a simple server and a simple client which can securely pass text messages to each other. They are built along with s2n. The next step is running them.

To run the server and the client you need two separate consoles. In the first one we run the server.

cd s2n/bin
./s2nd localhost 2000

and in the second one we run the client

cd s2n/bin
./s2nc localhost 2000

In this example 2000 is just an example port number; you can use any other free port on your machine. Once both programs are running, type any characters into the server or the client console. They should securely pass the message to each other and echo it.

Troubleshooting

You might run into the following problems when executing the samples.

1. The "dynamic library not found" problem.

You can get this error message when running the examples.

./s2nd: error while loading shared libraries: libs2n.so: cannot open shared object file: No such file or directory

To fix it, tell the dynamic loader where the s2n shared library lies. From the bin folder execute:

export LD_LIBRARY_PATH=`readlink -f ../lib/`

This has to be done in both consoles. Note that this overwrites the dynamic library path for the current console session only. Refer to the manual of your system to find out how to permanently add the directory containing libs2n.so to the dynamic library search path.

2. The client does not send the Alert

If your server sample terminates with this message:

Failed to negotiate: 'No Alert present' -1

and the client terminates as well afterwards:

Error getting new connection: 'client connections not allowed'

then you have to set an environment variable in the client console to fix it. In the client console execute:

export S2N_ENABLE_CLIENT_MODE=1

and start over. It should work just fine.
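As an added example (not code from the s2n project or from this post), here is a small POSIX shell helper that applies both troubleshooting fixes above in one place before starting a sample. It assumes the checkout layout used in this post, i.e. the binaries in <root>/bin and libs2n.so in <root>/lib, and it prepends the s2n lib directory to an existing LD_LIBRARY_PATH instead of replacing it.

```shell
#!/bin/sh
# s2n-env.sh (added example): prepare one console for the s2nd/s2nc samples.
# Assumes <root>/bin/s2nd, <root>/bin/s2nc and <root>/lib/libs2n.so exist.

# Print the absolute directory that holds libs2n.so under <root>/lib.
# Returns 1 (prints nothing) when the library has not been built yet.
s2n_lib_dir() {
    if [ ! -f "$1/lib/libs2n.so" ]; then
        echo "libs2n.so not found under $1/lib: run make in $1 first" >&2
        return 1
    fi
    readlink -f "$1/lib"
}

# Export the environment the samples need in this console:
#  - LD_LIBRARY_PATH so the dynamic loader finds libs2n.so (problem 1 above)
#  - S2N_ENABLE_CLIENT_MODE=1 so s2nc may open client connections (problem 2 above)
s2n_env_setup() {
    dir=$(s2n_lib_dir "$1") || return 1
    if [ -n "$LD_LIBRARY_PATH" ]; then
        LD_LIBRARY_PATH="$dir:$LD_LIBRARY_PATH"
    else
        LD_LIBRARY_PATH="$dir"
    fi
    export LD_LIBRARY_PATH
    export S2N_ENABLE_CLIENT_MODE=1
}

# Accept only a decimal port number in the range 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# s2n_run_sample <root> <port> server|client
# Sets up the environment and starts the chosen sample against localhost.
s2n_run_sample() {
    valid_port "$2" || { echo "bad port: $2" >&2; return 1; }
    s2n_env_setup "$1" || return 1
    case "$3" in
        server) "$1/bin/s2nd" localhost "$2" ;;
        client) "$1/bin/s2nc" localhost "$2" ;;
        *) echo "usage: s2n_run_sample <s2n-root> <port> server|client" >&2; return 1 ;;
    esac
}
```

Source the file in each console (`. ./s2n-env.sh`), then call `s2n_run_sample ~/s2n 2000 server` in the first one and `s2n_run_sample ~/s2n 2000 client` in the second.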

Where to go next?

Once you have the sample client and server running, you can proceed by investigating the POSIX-like interface of s2n, which the examples use to a good extent. The documentation of s2n is available online and might help you proceed once the code alone is not enough :)

Have fun implementing secure communication using s2n!



Thanks for reading my blog!
Created: 03/21/2015
Last edited on: 10/21/2015