OpenSSL Support Roadmap

[jmayclin]

Problem:

We need a clear statement around our intended compatibility with OpenSSL.

• Is there a ceiling?
• Is there a timeline with which we intended to drop OpenSSL support?

Solution:

There are two main consumers of s2n-tls with OpenSSL.

AWS Common Runtime: The common runtime is used in various SDK's. It uses AWS-LC by default, but my understanding is that customers can configure different libcryptos. The path to removing OpenSSL support would involve a "fork" on the CRT side where attempting to build s2n-tls with a different libcrypto would just fall back to an interned copy of AWS-LC.

aws-sdk-cpp: This is the official AWS SDK for C++. My understanding is that this always builds with OpenSSL, because it has a libcurl dependency, and AWS-LC is not compatible with curl Edit: AWS-LC is compatible with Curl. The path to removing OpenSSL support would then entail always interning AWS-LC.

The main downside of interning AWS-LC is increased artifact size. The exact increase is currently unclear. My understanding is that AWS-LC artifact size varies significantly based on Debug Info and Assembly inclusion. To determine the path forward, we should determine

• what is the size increase with a naive implementation, and how many customers can't use that?
• is there a path to keeping our artifact size the same for very restricted customers? Can we make the libs2n artifact smaller to "make room" for the AWS-LC artifact?

[cpu]

My understanding is that this always builds with OpenSSL, because it has a libcurl dependency, and AWS-LC is not compatible with curl.

Unless there's a detail I'm missing I think curl does support AWS-LC. The curl documentation on OpenSSL forks lists compatibility with AWS-LC, and it's also listed in the FAQ (emphasis mine):

curl can be built to use one of the following SSL alternatives: OpenSSL, LibreSSL, BoringSSL, AWS-LC, GnuTLS, wolfSSL, mbedTLS, Schannel (native Windows) or Rustls.

[jmayclin]

Oops, thanks for the correction! Although that raises other questions 🤔

[samuel40791765]

AWS-LC does support curl, but that support was only added years after AWS-LC initially integrated with aws-sdk-cpp. My hunch is that there simply hasn't been a compelling reason to migrate entirely, unless there are other unknown unknowns.

[bjosv]

OpenSSL 4 is scheduled for release in April 2026, but should I read this as there is no interest in supporting this release?
Would that mean that a PR with required changes to support OpenSSL 4 would not be accepted?