Home/aws/s2n-tls/Changelog

aws/s2n-tls

An implementation of the TLS/SSL protocols

30 Releases

Latest: 1w ago

Release v1.7.4v1.7.4Latest

CarolYeh910·1w ago·June 9, 2026

GitHub

📦 Release Summary

adds new security policies with post-quantum key exchange support

📋 What's Changed

test: add integration tests for serialization by @jmayclin in https://github.com/aws/s2n-tls/pull/5861
ci: fix OpenSSL 1.0.2u download in Rust bindings CI by @WesleyRosenblum in https://github.com/aws/s2n-tls/pull/5868
refactor: reset d2i pointer before private key type-hint fallback by @WesleyRosenblum in https://github.com/aws/s2n-tls/pull/5844
ci: update to CBMC 6.9.0 by @WesleyRosenblum in https://github.com/aws/s2n-tls/pull/5867
refactor(metrics-subscriber): key handshake counters by IANA id by @kaukabrizvi in https://github.com/aws/s2n-tls/pull/5858
test: document io behaviors by @jmayclin in https://github.com/aws/s2n-tls/pull/5864
chore: update fxhash dependency by @jmayclin in https://github.com/aws/s2n-tls/pull/5869
refactor(metrics-subscriber): serialize FrozenCounter as a list by @kaukabrizvi in https://github.com/aws/s2n-tls/pull/5870
+ 34 more

✨ New Contributors

@skmcgrail made their first contribution in https://github.com/aws/s2n-tls/pull/5875
@fabit0v made their first contribution in https://github.com/aws/s2n-tls/pull/5899
Full Changelog: https://github.com/aws/s2n-tls/compare/v1.7.3...v1.7.4

Release v1.7.3v1.7.3

jmayclin·1mo ago·May 6, 2026

GitHub

📦 Release Summary

Add pure MLKEM1024 to AWS-CRT-SDK PQ policies

📋 What's Changed

chore: use s2n_add_overflow for arithmetics in s2n_server_key_exchange.c by @boquan-fang in https://github.com/aws/s2n-tls/pull/5809
fix: explicit size checks in s2n_connection_set_session by @boquan-fang in https://github.com/aws/s2n-tls/pull/5812
chore: bindings release 0.3.36 by @jouho in https://github.com/aws/s2n-tls/pull/5814
fix: add non-negative length check in s2n_utf8_string_from_extension_data by @jouho in https://github.com/aws/s2n-tls/pull/5816
fix: zero the blob in s2n_free_without_wipe before invoking callback by @boquan-fang in https://github.com/aws/s2n-tls/pull/5811
fix: add NULL check for X509_STORE_new() in s2n_x509_trust_store_add_pem by @jouho in https://github.com/aws/s2n-tls/pull/5817
fix: validate ML-DSA key type by @CarolYeh910 in https://github.com/aws/s2n-tls/pull/5772
fix: use uint32_t for partial_client_hello_size to prevent truncation by @mizunoyuuki in https://github.com/aws/s2n-tls/pull/5808
+ 23 more

✨ New Contributors

@mizunoyuuki made their first contribution in https://github.com/aws/s2n-tls/pull/5808
@mvanhorn made their first contribution in https://github.com/aws/s2n-tls/pull/5791
@xnox made their first contribution in https://github.com/aws/s2n-tls/pull/5840
Full Changelog: https://github.com/aws/s2n-tls/compare/v1.7.2...v1.7.3

Release: v1.7.2v1.7.2

jouho·2mo ago·April 1, 2026

GitHub

📦 Release summary

Removed s2n's internal DRBG and delegates randomness generation to libcrypto when supported.
Added the strict CNSA 2.0 TLS policy and a transitional policy from CNSA 1.0 to 2.0
mTLS TLS1.3 handshakes are ~4% faster

📋 What's Changed

chore(s2n-tls): v0.3.35 release by @boquan-fang in https://github.com/aws/s2n-tls/pull/5765
fix: update memory snapshots by @jmayclin in https://github.com/aws/s2n-tls/pull/5771
fix: make get_alert idempotent by @jmayclin in https://github.com/aws/s2n-tls/pull/5767
chore: fix crate name by @jmayclin in https://github.com/aws/s2n-tls/pull/5769
chore: delete unused s2n_stuffer_alloc_ro functions by @firedog1234 in https://github.com/aws/s2n-tls/pull/5757
fix: add required metadata for subscriber by @jmayclin in https://github.com/aws/s2n-tls/pull/5776
docs: add comments about sslv3 weaknesses by @WesleyRosenblum in https://github.com/aws/s2n-tls/pull/5777
fix(bindings): replace bare as usize casts in Tokio I/O callbacks by @WesleyRosenblum in https://github.com/aws/s2n-tls/pull/5780
+ 16 more

✨ New Contributors

@firedog1234 made their first contribution in https://github.com/aws/s2n-tls/pull/5757
Full Changelog: https://github.com/aws/s2n-tls/compare/1.7.1...v1.7.2

v1.7.11.7.1

kaukabrizvi·3mo ago·March 2, 2026

GitHub

📦 Release Summary:

Delete all code that references Kyber.
Fix the alignment used in the Rust bindings custom allocator to match the C malloc alignment contract.
s2n-tls now errors if a peer sent an ECDSA signature with a mislabeled curve.
each connection now uses 57 less bytes.
We would like to thank Joshua Rogers (https://joshua.hu/) of AISLE Research Team (https://aisle.com/) for reporting the following issues:
fix(bindings): use max_align_t for allocator alignment in https://github.com/aws/s2n-tls/pull/5745
fix(quic support): Wipe buffers after reading post-handshake message in https://github.com/aws/s2n-tls/pull/5750
fix(bindings): tie ClientHello lifetime to Fingerprint in https://github.com/aws/s2n-tls/pull/5747
+ 2 more

📋 What's Changed

fix: restrict mldsa signatures based on certificate by @jmayclin in https://github.com/aws/s2n-tls/pull/5713
feat(bindings): expose signature scheme API by @jmayclin in https://github.com/aws/s2n-tls/pull/5708
build(deps): update crabgrind requirement from 0.1 to 0.2 in /tests/regression in the all-cargo-updates group across 1 directory by @dependabot[bot] in https://github.com/aws/s2n-tls/pull/5716
ci: fix typo in readme by @CarolYeh910 in https://github.com/aws/s2n-tls/pull/5718
feat(bindings): add support for metric aggregation by @jmayclin in https://github.com/aws/s2n-tls/pull/5709
fix: correct calculation of extensions bitfield size by @WesleyRosenblum in https://github.com/aws/s2n-tls/pull/5719
build(deps): bump aws-actions/configure-aws-credentials from 5.1.1 to 6.0.0 in /.github/workflows in the all-gha-updates group by @dependabot[bot] in https://github.com/aws/s2n-tls/pull/5722
nix: Use rustup toolchain over nix packages rustc in devshell by @kaukabrizvi in https://github.com/aws/s2n-tls/pull/5712
+ 31 more

✨ New Contributors

@patel-parth7 made their first contribution in https://github.com/aws/s2n-tls/pull/5724
Full Changelog: https://github.com/aws/s2n-tls/compare/v1.7.0...1.7.1

v1.7.0

dougch·4mo ago·January 31, 2026

GitHub

📦 Release summary

Kyber removal means we're bumping the the MINOR version to v1.7.0.

📋 What's Changed

(chore): Rust bindings bump 0.3.33 by @jouho in https://github.com/aws/s2n-tls/pull/5694
build(deps): update reqwest requirement from 0.12.7 to 0.13.1 in /tests/pcap in the all-cargo-updates group across 1 directory by @dependabot[bot] in https://github.com/aws/s2n-tls/pull/5690
chore: bump to nixpkgs 2025.05 by @dougch in https://github.com/aws/s2n-tls/pull/5489
chore: bump standard MSRV to 1.83 by @jmayclin in https://github.com/aws/s2n-tls/pull/5700
chore: Mark Kyber as unsupported on all LibCrypto variants by @alexw91 in https://github.com/aws/s2n-tls/pull/5701
chore: update s2n-tls-hyper crates version to 0.1.0 by @boquan-fang in https://github.com/aws/s2n-tls/pull/5702
chore: move s2n-tls-bench to Codebuild by @boquan-fang in https://github.com/aws/s2n-tls/pull/5693
test(integration): add rust test for session resumption by @kaukabrizvi in https://github.com/aws/s2n-tls/pull/5683
+ 5 more

Release v1.6.4v1.6.4

jouho·5mo ago·January 6, 2026

GitHub

📦 Release Summary:

Enables certificate intent validation by default. This also adds a config API `s2n_config_disable_x509_intent_verification()` to disable it if necessary
Fixed an issue where `selected_key_exchange_group` for a resumed TLS 1.2 connection would incorrectly report `secp256r1`.

📋 What's Changed

build(deps): bump ytanikin/pr-conventional-commits from 1.4.2 to 1.5.1 in /.github/workflows in the all-gha-updates group by @dependabot[bot] in https://github.com/aws/s2n-tls/pull/5656
ci: add typo check to ci by @brimonk in https://github.com/aws/s2n-tls/pull/5491
Import Cloudfront PQ TLS Policies by @alexw91 in https://github.com/aws/s2n-tls/pull/5539
feat(build): Improve OpenSSL libcrypto discovery by @goatgoose in https://github.com/aws/s2n-tls/pull/5572
test: update CRL certs to comply with intent validation by @CarolYeh910 in https://github.com/aws/s2n-tls/pull/5651
(chore): Rust bindings bump 0.3.32 by @maddeleine in https://github.com/aws/s2n-tls/pull/5662
ci: update clang format version by @CarolYeh910 in https://github.com/aws/s2n-tls/pull/5661
(chore): Revert "feat(build): Improve OpenSSL libcrypto discovery (#5572)" by @maddeleine in https://github.com/aws/s2n-tls/pull/5664
+ 14 more

✨ New Contributors

@brimonk made their first contribution in https://github.com/aws/s2n-tls/pull/5491
@ravindran-dev made their first contribution in https://github.com/aws/s2n-tls/pull/5660
@VIM4L-M made their first contribution in https://github.com/aws/s2n-tls/pull/5682
@thulasiramk-2310 made their first contribution in https://github.com/aws/s2n-tls/pull/5686
Full Changelog: https://github.com/aws/s2n-tls/compare/v1.6.3...v1.6.4

Release v1.6.3v1.6.3

maddeleine·6mo ago·December 10, 2025

GitHub

📦 Release Summary

Weekly release for Dec 15, 2025

📦 Release Summary:

The TLS handshake now succeeds when the async cert callback is configured and peers sent multiple TLS handshake messages per record.

📋 What's Changed

tests(integration): cases for TLS 1.3 group selection by @jmayclin in https://github.com/aws/s2n-tls/pull/5652
fix: refactor negotiate loop to fix issue with async callback by @maddeleine in https://github.com/aws/s2n-tls/pull/5641
Full Changelog: https://github.com/aws/s2n-tls/compare/v1.6.2...v1.6.3

Release v1.6.2v1.6.2

boquan-fang·6mo ago·December 4, 2025

GitHub

📦 Release Summary

Add a new public API, s2n_client_hello_get_random(), and move client_random storage from the connection to the s2n_client_hello struct so applications can retrieve the client random from a parsed ClientHello.
Allow multiple application contexts to be set on a s2n-tls connection.
Warning level TLS alerts may now be non-fatal prior to version negotiation
Added support for Security Policies to have "strongly preferred" SupportedGroups.

📋 What's Changed

feat: add client hello random getter by @kaukabrizvi in https://github.com/aws/s2n-tls/pull/5620
chore: Rust bindings release 0.3.30 by @dougch in https://github.com/aws/s2n-tls/pull/5633
chore: s2n-tls-hyper version bump by @jouho in https://github.com/aws/s2n-tls/pull/5636
build(deps): bump the all-gha-updates group across 1 directory with 2 updates by @dependabot[bot] in https://github.com/aws/s2n-tls/pull/5640
feat: add rfc9151 compat policies by @jouho in https://github.com/aws/s2n-tls/pull/5615
feat: improve performance of getting validated cert chain from libcrypto by @CarolYeh910 in https://github.com/aws/s2n-tls/pull/5622
feat: additional rfc9151 compat policy without sha1 hmac by @jouho in https://github.com/aws/s2n-tls/pull/5645
test: add test certs for cert intent validation by @CarolYeh910 in https://github.com/aws/s2n-tls/pull/5630
+ 8 more

Release v1.6.1v1.6.1

dougch·7mo ago·November 20, 2025

GitHub

📦 Release Summary:

Adds pure ML-KEM-1024 support: `s2n_pure_mlkem_1024` KEM group is now negotiable.

📋 What's Changed

test: add memory profiler test by @jmayclin in https://github.com/aws/s2n-tls/pull/5329
docs: comments for blob, stuffer methods by @jmayclin in https://github.com/aws/s2n-tls/pull/5326
refactor: remove unused s2n_socket_set_read_size method by @lrstewart in https://github.com/aws/s2n-tls/pull/5594
chore: Rust bindings release 0.3.29 by @maddeleine in https://github.com/aws/s2n-tls/pull/5595
feat(integration): enable CodeBuild and Nix for rust integration tests by @kaukabrizvi in https://github.com/aws/s2n-tls/pull/5578
fix: update action user name by @jmayclin in https://github.com/aws/s2n-tls/pull/5600
docs: update pull request template by @jmayclin in https://github.com/aws/s2n-tls/pull/5591
fix: update memory usage test assertions by @jmayclin in https://github.com/aws/s2n-tls/pull/5592
+ 18 more

Release: v1.6.0v1.6.0

crypto-transport-libs-ci-bot·7mo ago·October 30, 2025

GitHub

📋 Changes

Multiple changes to the s2n-tls default policy:
Changes to the RFC9151 policy: Removes RSA key exchange and DHE cipher suites. Use the numbered version of this policy instead (20250429) to maintain the current preferences.
Adds support for PQ only policies, which should not include classical ECC curves. This feature only works on libcryptos that support TLS 1.3 and PQ kem groups.
Fixed a validation issue in [s2n_connection_deserialize()](https://github.com/aws/s2n-tls/blob/30f40f2345a89570ed3c4cee2274942f1ebf85fa/tls/s2n_connection_serialize.c#L151) where malformed protocol version bytes could result in invalid connection state and inconsistent TLS behavior.
Add a synchronous rust binding API for `s2n_cert_validation_callback`
Upgrades MSRV for extended crates (s2n-tls-sys, s2n-tls, s2n-tls-tokio) from [1.63](https://blog.rust-lang.org/2022/08/11/Rust-1.63.0/) to [1.72](https://blog.rust-lang.org/2023/08/24/Rust-1.72.0/)

📋 What's Changed

docs: Small doc changes for KTLS by @maddeleine in https://github.com/aws/s2n-tls/pull/5521
ci: install missing rust component for gitthub action workflows by @jouho in https://github.com/aws/s2n-tls/pull/5528
refactor(aws-kms-tls-auth): add hmac based psk derivation by @jmayclin in https://github.com/aws/s2n-tls/pull/5519
chore: bindings release 0.3.27 by @jouho in https://github.com/aws/s2n-tls/pull/5526
fix(usage-guide): Update book.toml for mdbook 0.5 release by @goatgoose in https://github.com/aws/s2n-tls/pull/5535
bindings(rust): bump extended crates MSRV to 1.72.0 by @jouho in https://github.com/aws/s2n-tls/pull/5534
feat(bindings): expose cert validation callback by @CarolYeh910 in https://github.com/aws/s2n-tls/pull/5357
chore: bindings release 0.3.28 by @goatgoose in https://github.com/aws/s2n-tls/pull/5540
+ 24 more

✨ New Contributors

@AdnaneKhan made their first contribution in https://github.com/aws/s2n-tls/pull/5570
Full Changelog: https://github.com/aws/s2n-tls/compare/v1.5.27...v1.6.0

Release: v1.5.27v1.5.27

crypto-transport-libs-ci-bot·8mo ago·September 25, 2025

GitHub

📦 Release Summary:

Our kTLS feature can now perform key updates, meaning that kTLS is now safe to turn on in TLS1.3 when using the newest version of the linux kernel (6.14+).

📋 What's Changed

docs(usage guide): description connection serialization by @jmayclin in https://github.com/aws/s2n-tls/pull/5504
test(integv2): trim bloated cases by @jmayclin in https://github.com/aws/s2n-tls/pull/5453
test: Adds test for serializing a previously-serialized connection by @maddeleine in https://github.com/aws/s2n-tls/pull/5495
chore: bindings release 0.3.26 by @CarolYeh910 in https://github.com/aws/s2n-tls/pull/5509
build(deps): bump the all-gha-updates group in /.github/workflows with 4 updates by @dependabot[bot] in https://github.com/aws/s2n-tls/pull/5497
ci: fix clippy by @CarolYeh910 in https://github.com/aws/s2n-tls/pull/5516
chore(ci): Update older integ job to prep for deprecation by @dougch in https://github.com/aws/s2n-tls/pull/5501
chore: delete files in preparation for refactor by @jmayclin in https://github.com/aws/s2n-tls/pull/5517
+ 6 more

v1.5.26

jmayclin·9mo ago·September 15, 2025

GitHub

📦 Release Summary

Adds async public key support: `s2n_pkey_verify()` can be performed asynchronously through the async offloading callback.
Add new `s2n_connection_get_signature_scheme` method to retrieve the IANA description of the server signature scheme

📋 What's Changed

chore(nix): Move nix integ jobs to ec2 fleets by @dougch in https://github.com/aws/s2n-tls/pull/5461
chore: Adds build file to get new codebuild project running in CI by @maddeleine in https://github.com/aws/s2n-tls/pull/5476
build(deps): bump the all-gha-updates group across 1 directory with 3 updates by @dependabot[bot] in https://github.com/aws/s2n-tls/pull/5479
chore(nix): switch to nixpkgs libressl by @dougch in https://github.com/aws/s2n-tls/pull/5467
chore(release): release s2n-tls v0.3.25 by @boquan-fang in https://github.com/aws/s2n-tls/pull/5486
ci: tweak ruff ci failure message by @lrstewart in https://github.com/aws/s2n-tls/pull/5485
refactor: signature scheme name adjustment by @lrstewart in https://github.com/aws/s2n-tls/pull/5472
feat: add method to get signature scheme name by @lrstewart in https://github.com/aws/s2n-tls/pull/5471
+ 14 more

✨ New Contributors

@sertonix made their first contribution in https://github.com/aws/s2n-tls/pull/5478
Full Changelog: https://github.com/aws/s2n-tls/compare/v1.5.25...v1.5.26

Release: v1.5.25v1.5.25

crypto-transport-libs-ci-bot·9mo ago·August 25, 2025

GitHub

📦 Release Summary

Add a copy of the rfc9151 policy (20250429) which pins all of the policy parts to the current version.
Adds new TLSv1.3-enabled security policies for CloudFront's outbound ("upstream") connections to origin servers. We also add similar policies with PQ enabled.

📋 What's Changed

chore: bindings release 0.3.24 by @johubertj in https://github.com/aws/s2n-tls/pull/5455
chore: apply clippy fixes by @johubertj in https://github.com/aws/s2n-tls/pull/5459
Add fixed version of the rfc9151 policy by @Mark-Simulacrum in https://github.com/aws/s2n-tls/pull/5277
test(integration): add record padding test by @jmayclin in https://github.com/aws/s2n-tls/pull/5451
refactor(stuffer): Rename s2n_stuffer_has_pem_encapsulated_block by @alice-aws in https://github.com/aws/s2n-tls/pull/5465
ci: don't include tls/extensions in SAW build by @lrstewart in https://github.com/aws/s2n-tls/pull/5466
ci: fix wikipedia network test + better error message by @lrstewart in https://github.com/aws/s2n-tls/pull/5470
refactor: setup replacement default policies by @lrstewart in https://github.com/aws/s2n-tls/pull/5464
+ 1 more

✨ New Contributors

@alice-aws made their first contribution in https://github.com/aws/s2n-tls/pull/5465
Full Changelog: https://github.com/aws/s2n-tls/compare/v1.5.24...v1.5.25

Release: v1.5.24v1.5.24

crypto-transport-libs-ci-bot·10mo ago·August 4, 2025

GitHub

📦 Release Summary

Adds new PQ security policies with ML-KEM for the CRT.

📋 What's Changed

refactor(bench): unify IO methods by @jmayclin in https://github.com/aws/s2n-tls/pull/5434
test(bench): add api for mutual auth handshake by @jmayclin in https://github.com/aws/s2n-tls/pull/5437
chore: bindings release 0.3.23 by @CarolYeh910 in https://github.com/aws/s2n-tls/pull/5439
ci: document how to manually run the codebuild jobs by @lrstewart in https://github.com/aws/s2n-tls/pull/5441
chore: add Awslc fips next to CI by @dougch in https://github.com/aws/s2n-tls/pull/5349
feat: add integration test for secp384r1_mlkem_1024 by @johubertj in https://github.com/aws/s2n-tls/pull/5438
fix(typo): fix a typo in codebuild.yml by @boquan-fang in https://github.com/aws/s2n-tls/pull/5445
build(deps): update criterion requirement from 0.6 to 0.7 in /bindings/rust/standard by @dependabot[bot] in https://github.com/aws/s2n-tls/pull/5442
+ 5 more

Release: v1.5.23v1.5.23

crypto-transport-libs-ci-bot·11mo ago·July 24, 2025

GitHub

📦 Release Summary

The `aws-kms-tls-auth` crate is now available, which provides utilities to do TLS-PSK based authentication using IAM and KMS.
Created a new hybrid KEM group `s2n_secp384r1_mlkem_1024`.
Updated the `default_pq` security policy to include the `secp384r1_mlkem_1024` hybrid KEM group.

📋 What's Changed

fix(ci): adding set -e to prevent nix develop to hide failing tests by @boquan-fang in https://github.com/aws/s2n-tls/pull/5393
chore: release 0.3.22 by @boquan-fang in https://github.com/aws/s2n-tls/pull/5397
docs: note that s2n_shutdown may keep reading by @lrstewart in https://github.com/aws/s2n-tls/pull/5370
feat(aws-kms-tls-auth): add codec and parsing by @jmayclin in https://github.com/aws/s2n-tls/pull/5398
ci: start codebuild jobs from github actions by @lrstewart in https://github.com/aws/s2n-tls/pull/5383
ci: Migrate Duvet GitHub Action to duvet-action repo by @johubertj in https://github.com/aws/s2n-tls/pull/5400
feat(aws-kms-tls-auth): add psk identity by @jmayclin in https://github.com/aws/s2n-tls/pull/5402
feat: add ML-KEM-1024 kem definition by @johubertj in https://github.com/aws/s2n-tls/pull/5367
+ 12 more

Release: v1.5.22v1.5.22

crypto-transport-libs-ci-bot·11mo ago·July 7, 2025

GitHub

📦 Release Summary

Add a new security policy for CRT that supports FIPS and TLS1.2.
The `fmt::Debug` message for application errors in the Rust bindings now use the application error's `fmt::Debug` implementation, rather than a generic message.

📋 What's Changed

chore(ci): add a cargo timing buildspec by @dougch in https://github.com/aws/s2n-tls/pull/5176
build(deps): update pprof requirement from 0.14 to 0.15 in /bindings/rust/standard by @dependabot in https://github.com/aws/s2n-tls/pull/5334
refactor(examples): remove connection pool by @jmayclin in https://github.com/aws/s2n-tls/pull/5353
ci: Fix the sslyze test for nix by @dougch in https://github.com/aws/s2n-tls/pull/5283
Include application message in Debug impl by @Mark-Simulacrum in https://github.com/aws/s2n-tls/pull/5359
build: prevent needless rebuild with S2N_INTERN_LIBCRYPTO=ON and Ninja by @kou in https://github.com/aws/s2n-tls/pull/5356
build(deps): bump baptiste0928/cargo-install from 3.3.0 to 3.3.1 in /.github/workflows in the all-gha-updates group by @dependabot in https://github.com/aws/s2n-tls/pull/5361
tests(integv2): fix flaky session resumption test by @lrstewart in https://github.com/aws/s2n-tls/pull/5362
+ 7 more

Release: v1.5.21v1.5.21

crypto-transport-libs-ci-bot·1y ago·June 4, 2025

GitHub

📦 Release Summary

Fixed bug preventing use of ML-DSA with mainline AWSLC built in FIPS mode

📋 What's Changed

feat(bindings): expose custom critical extension API by @CarolYeh910 in https://github.com/aws/s2n-tls/pull/5337
tests(integ): fix nondeterministic ocsp test shutdown behavior by @lrstewart in https://github.com/aws/s2n-tls/pull/5340
chore: Bindings release 0.3.21 by @dougch in https://github.com/aws/s2n-tls/pull/5344
ci: workaround for nix + gnutls + ubuntu24 issue by @lrstewart in https://github.com/aws/s2n-tls/pull/5345
fix: do not use "digest and sign" for ML-DSA in FIPS mode by @lrstewart in https://github.com/aws/s2n-tls/pull/5348
Full Changelog: https://github.com/aws/s2n-tls/compare/v1.5.20...v1.5.21

Release: v1.5.20v1.5.20

crypto-transport-libs-ci-bot·1y ago·May 30, 2025

GitHub

📦 Release Summary:

Add a new CertificateRequest callback to allow clients to select a certificate chain during the handshake.
Add support for custom critical certificate extensions. Users MUST validate their custom extensions in the cert validation callback or after the handshake.

📋 What's Changed

feat(examples): add key log example by @jmayclin in https://github.com/aws/s2n-tls/pull/5314
build(deps): bump the all-gha-updates group across 1 directory with 3 updates by @dependabot in https://github.com/aws/s2n-tls/pull/5315
Add CertificateRequest certificate selection callback by @Mark-Simulacrum in https://github.com/aws/s2n-tls/pull/5318
CertificateRequest Rust bindings by @Mark-Simulacrum in https://github.com/aws/s2n-tls/pull/5331
chore: bindings release 0.3.20 by @goatgoose in https://github.com/aws/s2n-tls/pull/5332
fix(benches): reuse config for handshakes by @jmayclin in https://github.com/aws/s2n-tls/pull/5319
feat: add custom critical extension support by @CarolYeh910 in https://github.com/aws/s2n-tls/pull/5321
ci: Use official libcrypto verification model repository by @goatgoose in https://github.com/aws/s2n-tls/pull/5336
+ 2 more

Release: v1.5.19v1.5.19

jmayclin·1y ago·May 22, 2025

GitHub

📦 Release Summary:

Adds support for post-quantum ML-DSA certificates

📋 What's Changed

ci: handle 429 from yahoo.com network integ test by @lrstewart in https://github.com/aws/s2n-tls/pull/5280
ci: fix expectations when using system default libcrypto by @lrstewart in https://github.com/aws/s2n-tls/pull/5279
chore: bindings release 0.3.18 by @johubertj in https://github.com/aws/s2n-tls/pull/5284
build(deps): bump astral-sh/setup-uv from 5 to 6 in /.github/workflows in the all-gha-updates group by @dependabot in https://github.com/aws/s2n-tls/pull/5273
tests: improve coverage for s2n_stream_cipher_null by @wafuwafu13 in https://github.com/aws/s2n-tls/pull/5268
chore: Add comments to track dependency requirements by @johubertj in https://github.com/aws/s2n-tls/pull/5287
chore: bump standard MSRV to 1.82.0 by @johubertj in https://github.com/aws/s2n-tls/pull/5295
tests: fix flaky test_serialization by @lrstewart in https://github.com/aws/s2n-tls/pull/5288
+ 20 more

✨ New Contributors

@wafuwafu13 made their first contribution in https://github.com/aws/s2n-tls/pull/5268
Full Changelog: https://github.com/aws/s2n-tls/compare/v1.5.18...v1.5.19

v1.5.18

johubertj·1y ago·May 1, 2025

GitHub

📦 Release summary:

Adds a new security policy (20250414), which fixes a gap in compatibility in 20250211 by extending the allowed signatures to include those on P-256.

📋 What's Changed

chore(ci): revert nix installer pin by @dougch in https://github.com/aws/s2n-tls/pull/5251
ci: add awslcfips to nix jobs by @dougch in https://github.com/aws/s2n-tls/pull/5205
chore: add new team member by @anupamym in https://github.com/aws/s2n-tls/pull/5259
chore: bindings release 0.3.17 by @anupamym in https://github.com/aws/s2n-tls/pull/5260
refactor: cleanup hash to better support multiple implementations by @lrstewart in https://github.com/aws/s2n-tls/pull/5258
tests: add ml-dsa test certs from RFC by @lrstewart in https://github.com/aws/s2n-tls/pull/5261
feature: add support for configuring (but not yet using) ml-dsa certs by @lrstewart in https://github.com/aws/s2n-tls/pull/5263
Add 20250414 security policy by @Mark-Simulacrum in https://github.com/aws/s2n-tls/pull/5253
+ 3 more

✨ New Contributors

@anupamym made their first contribution in https://github.com/aws/s2n-tls/pull/5259
Full Changelog: https://github.com/aws/s2n-tls/compare/v1.5.17...v1.5.18

Release: v1.5.17v1.5.17

crypto-transport-libs-ci-bot·1y ago·April 17, 2025

GitHub

📋 What's Changed

ci: pin nix installer to older version by @dougch in https://github.com/aws/s2n-tls/pull/5245
chore: Fix new clippy warning by @goatgoose in https://github.com/aws/s2n-tls/pull/5243
ci: rebalance integV2 testcases by @johubertj in https://github.com/aws/s2n-tls/pull/5232
fix: tainted handshake.io and add large client hello test by @boquan-fang in https://github.com/aws/s2n-tls/pull/5208
chore: bindings release 0.3.16 by @goatgoose in https://github.com/aws/s2n-tls/pull/5242
refactor: remove legacy pkey impls by @lrstewart in https://github.com/aws/s2n-tls/pull/5241
Revert "ci: exclude new setuptools (#5215)" by @jmayclin in https://github.com/aws/s2n-tls/pull/5226
fix: make -fPIC flag private by @jmayclin in https://github.com/aws/s2n-tls/pull/5227
+ 5 more

Release: v1.5.16v1.5.16

crypto-transport-libs-ci-bot·1y ago·April 3, 2025

GitHub

📋 Changes

This change is considered a behavior change, though we don’t expect it to have impact. The potential impact shows up as a minor decrease in the amount of session tickets sent to clients in TLS1.2 connections, which may translate to a decrease in the amount of resumed handshakes. Look for handshakes in your logs of type “NEGOTIATED:WITH_SESSION_TICKET” to determine the precise number of handshakes that will no longer be sending session tickets. https://github.com/aws/s2n-tls/pull/5217
Adds s2n_connection_get_key_exchange_group for getting the negotiated named group. https://github.com/aws/s2n-tls/pull/5209
Deprecate experimental TLS 1.2 PQ security policies. This does not affect ML-KEM or any use of standard TLS1.3 PQ. https://github.com/aws/s2n-tls/pull/5194
Fix handshake message length integer overflow in s2n_handshake_finish_header. https://github.com/aws/s2n-tls/pull/5206

📋 What's Changed

ci: add libcrypto openssl-3.0-fips to integ tests by @lrstewart in https://github.com/aws/s2n-tls/pull/5202
ci: add openssl-3.0-fips to asan build properly by @lrstewart in https://github.com/aws/s2n-tls/pull/5204
fix: handshake message length integer overflow in s2n_handshake_finish_header by @boquan-fang in https://github.com/aws/s2n-tls/pull/5206
chore: deprecate s2n_set by @jmayclin in https://github.com/aws/s2n-tls/pull/5155
chore: binding release 0.3.14 by @maddeleine in https://github.com/aws/s2n-tls/pull/5210
Remove PQ TLS 1.2 from all Security Policies by @alexw91 in https://github.com/aws/s2n-tls/pull/5194
ci: exclude new setuptools by @jmayclin in https://github.com/aws/s2n-tls/pull/5215
fix: Update README.md to include Rust bindings docs by @maddeleine in https://github.com/aws/s2n-tls/pull/5212
+ 13 more

Release: v1.5.15v1.5.15

crypto-transport-libs-ci-bot·1y ago·March 20, 2025

GitHub

📋 Changes

Added support for FIPS mode when built with FIPS-validated Openssl-3.0

📋 What's Changed

chore(ci): pin symbolic-common by @lrstewart in https://github.com/aws/s2n-tls/pull/5166
chore: binding release 0.3.13 by @lrstewart in https://github.com/aws/s2n-tls/pull/5167
refactor: add libcrypto PRF impl for openssl-3.0-fips by @lrstewart in https://github.com/aws/s2n-tls/pull/5158
build(deps): bump nixbuild/nix-quick-install-action from 29 to 30 in /.github/workflows in the all-gha-updates group by @dependabot in https://github.com/aws/s2n-tls/pull/5153
style: fix redundant return by @jmayclin in https://github.com/aws/s2n-tls/pull/5150
chore: update git blame ignore commit ID by @johubertj in https://github.com/aws/s2n-tls/pull/5164
tests: fix flaky ja4 test by @lrstewart in https://github.com/aws/s2n-tls/pull/5169
fix: mark chachapoly as unavailable with openssl-3.0-fips by @lrstewart in https://github.com/aws/s2n-tls/pull/5168
+ 20 more

Release: v1.5.14v1.5.14

crypto-transport-libs-ci-bot·1y ago·March 5, 2025

GitHub

📦 Release Summary

Customers can now associate an arbitrary context with application owned certificate chains in the rust bindings.
A small memory leak related to session resumption was resolved. Long lived applications with session resumption enabled will see a reduction in the memory footprint of s2n_config.

📋 What's Changed

tests: use sig schemes as source of truth for valid hash+sig algs by @lrstewart in https://github.com/aws/s2n-tls/pull/5129
build(deps): update rtshark requirement from 2.9.0 to 3.1.0 in /tests/pcap in the all-cargo-updates group across 1 directory by @dependabot in https://github.com/aws/s2n-tls/pull/5087
test(integv2): fixes to allow test_record_padding to partially run by @johubertj in https://github.com/aws/s2n-tls/pull/5099
chore(nix): Add aws-lc-fips 2022/4 by @dougch in https://github.com/aws/s2n-tls/pull/5109
chore(ruff): apply formatting and integrate into CI by @johubertj in https://github.com/aws/s2n-tls/pull/5138
feat(bindings): expose context on cert chain by @jmayclin in https://github.com/aws/s2n-tls/pull/5132
refactor: cleanup prf header by @lrstewart in https://github.com/aws/s2n-tls/pull/5144
refactor: add alternative EVP signing method by @lrstewart in https://github.com/aws/s2n-tls/pull/5141
+ 7 more

Release: v1.5.13v1.5.13

crypto-transport-libs-ci-bot·1y ago·February 22, 2025

GitHub

📦 Release Summary

Add bindings for the External PSK functionality.
Adds `20250211`, a TLS 1.3-exclusive security policy intended for RFC 9151 migration.
A breaking change was made to the renegotiation callback interface. This only affects Rust customers using the unstable-renegotiate
feature.
Adds an option to prevent s2n-tls from overriding the libcrypto RAND engine.
Adds async support to `s2n_cert_validation_callback`.
Reduced connection memory usage by an estimated 4 to 5 percent.
A successful cert validation callback should return only `S2N_SUCCESS`. Previously, both 0 and any positive return value were considered successful.

📋 What's Changed

test: add minimal openssl-3.0-fips test by @lrstewart in https://github.com/aws/s2n-tls/pull/5081
feat(bindings): add external psk apis by @jmayclin in https://github.com/aws/s2n-tls/pull/5061
Fixed formatting for debugging statements by @johubertj in https://github.com/aws/s2n-tls/pull/5094
chore: ktls buildspec by @dougch in https://github.com/aws/s2n-tls/pull/5083
chore: bindings release 0.3.11 by @goatgoose in https://github.com/aws/s2n-tls/pull/5098
fix(integrationv2): Skip unsupported client auth tests by @goatgoose in https://github.com/aws/s2n-tls/pull/5096
build(deps): bump aws-actions/configure-aws-credentials from 4.0.2 to 4.1.0 in /.github/workflows in the all-gha-updates group across 1 directory by @dependabot in https://github.com/aws/s2n-tls/pull/5107
refactor: remove s2n_hmac_is_available by @lrstewart in https://github.com/aws/s2n-tls/pull/5104
+ 22 more

Release: v1.5.12v1.5.12

crypto-transport-libs-ci-bot·1y ago·February 10, 2025

GitHub

📦 Release summary

Fix the improper calculation of session ticket lifetime.
Adds support for consuming s2n-tls from [CMake FetchContent](https://cmake.org/cmake/help/latest/module/FetchContent.html) with interning enabled.
Adds a new Security Policy deprecation mechanism, and deprecate the SIKE PQ Security Policies.

📋 What's Changed

fix(bindings): Specify correct minimum versions by @goatgoose in https://github.com/aws/s2n-tls/pull/5028
ci: add timeout for cbmc proof by @boquan-fang in https://github.com/aws/s2n-tls/pull/5038
test: add sslv2 client hello test w/ jvm by @jmayclin in https://github.com/aws/s2n-tls/pull/5019
docs: add C / s2n-tls-sys doc references to s2n-tls docs by @lrstewart in https://github.com/aws/s2n-tls/pull/5012
Add Security Policy Deprecation API by @alexw91 in https://github.com/aws/s2n-tls/pull/5034
ci: add openssl-3.0-fips builds by @lrstewart in https://github.com/aws/s2n-tls/pull/5037
fix: initial config should not influence sslv2 by @jmayclin in https://github.com/aws/s2n-tls/pull/4987
chore: bindings release for 0.3.10 by @boquan-fang in https://github.com/aws/s2n-tls/pull/5046
+ 21 more

✨ New Contributors

@kou made their first contribution in https://github.com/aws/s2n-tls/pull/5076
Full Changelog: https://github.com/aws/s2n-tls/compare/v1.5.11...v1.5.12

Release: v1.5.11v1.5.11

crypto-transport-libs-ci-bot·1y ago·January 17, 2025

GitHub

📦 Release Summary:

Remove support for enabling fips mode with openssl-1.0.2-fips

📋 What's Changed

refactor(s2n-tls-hyper): Add HttpsConnector builder by @goatgoose in https://github.com/aws/s2n-tls/pull/4976
refactor(bindings/bench): make harness own IO by @jmayclin in https://github.com/aws/s2n-tls/pull/4847
chore(binding): release 0.3.9 by @boquan-fang in https://github.com/aws/s2n-tls/pull/4982
feat(s2n-tls-hyper): Allow plain HTTP connections by @goatgoose in https://github.com/aws/s2n-tls/pull/4978
chore: remove toidiu from teams.yml by @boquan-fang in https://github.com/aws/s2n-tls/pull/4985
chore: move hyper to a newer MSRV by @dougch in https://github.com/aws/s2n-tls/pull/4983
ci: run fuzz tests in parallel and generate coverage report by @jouho in https://github.com/aws/s2n-tls/pull/4960
ci: fix regression test paths by @lrstewart in https://github.com/aws/s2n-tls/pull/4996
+ 23 more

✨ New Contributors

@johubertj made their first contribution in https://github.com/aws/s2n-tls/pull/5006
Full Changelog: https://github.com/aws/s2n-tls/compare/v1.5.10...v1.5.11

Release: v1.5.10v1.5.10

crypto-transport-libs-ci-bot·1y ago·December 16, 2024

GitHub

📦 Release Summary:

Updated CMake version from 3.0 to 3.9.
Added TLS1.2 support for RSA-PSS certificates. Previously, RSA-PSS certificates could only be used with TLS1.3.
Customers can now use application owned certs from the rust bindings. This allows rust consumers of s2n-tls to load certificates for many domains on a single config, and also allows certificates to be shared across a config.
Fixed a bug in certificate pem parsing. We now correctly reject certificate chains where the last certificate is unexpectedly significantly truncated (for example, missing the final "-- END CERTIFICATE --" marker).

📋 What's Changed

ci: add open fds valgrind check by @boquan-fang in https://github.com/aws/s2n-tls/pull/4851
chore: add a cargo audit action by @dougch in https://github.com/aws/s2n-tls/pull/4862
chore: bindings release 0.3.7 by @lrstewart in https://github.com/aws/s2n-tls/pull/4894
test: add rust well-known-endpoint tests by @jmayclin in https://github.com/aws/s2n-tls/pull/4884
test(s2n-tls-hyper): Add localhost http tests by @goatgoose in https://github.com/aws/s2n-tls/pull/4838
ci: fixes for cargo audit by @dougch in https://github.com/aws/s2n-tls/pull/4895
ci: grant dependabot status update permissions by @dougch in https://github.com/aws/s2n-tls/pull/4898
doc: add information about s2n-tls software architecture by @boquan-fang in https://github.com/aws/s2n-tls/pull/4868
+ 48 more

✨ New Contributors

@dependabot made their first contribution in https://github.com/aws/s2n-tls/pull/4889
@CarolYeh910 made their first contribution in https://github.com/aws/s2n-tls/pull/4939
Full Changelog: https://github.com/aws/s2n-tls/compare/v1.5.9...v1.5.10

Release: v1.5.9v1.5.9

crypto-transport-libs-ci-bot·1y ago·November 13, 2024

GitHub

📦 Summary

Disables use of the atexit handler to cleanup global state. See https://github.com/aws/s2n-tls/security/advisories/GHSA-rp9h-rf7g-hwgr.

📋 What's Changed

chore: configure dependabot by @dougch in https://github.com/aws/s2n-tls/pull/4861
chore: broaden use of flaky mark by @dougch in https://github.com/aws/s2n-tls/pull/4865
feat: Reworking cleanup behavior by @maddeleine in https://github.com/aws/s2n-tls/pull/4871
Full Changelog: https://github.com/aws/s2n-tls/compare/v1.5.8...v1.5.9

Release: v1.5.8v1.5.8

crypto-transport-libs-ci-bot·1y ago·November 13, 2024

GitHub

📋 What's Changed

fix: typo in comment of s2n_self_talk_tls13_test by @boquan-fang in https://github.com/aws/s2n-tls/pull/4864
doc: fix incorrect README references by @jouho in https://github.com/aws/s2n-tls/pull/4863
chore: bindings release 0.3.6 by @goatgoose in https://github.com/aws/s2n-tls/pull/4867
build: add s2n_prelude.h to consolidate defines by @camshaft in https://github.com/aws/s2n-tls/pull/4465
fix: move prelude inclusion as PRIVATE by @camshaft in https://github.com/aws/s2n-tls/pull/4876
ci: remove www.mozilla.com from well-known to unblock CI by @toidiu in https://github.com/aws/s2n-tls/pull/4880
ci: Clean dup source tree for CRT by @dougch in https://github.com/aws/s2n-tls/pull/4882
chore: remove unused benchmarks by @jmayclin in https://github.com/aws/s2n-tls/pull/4869
+ 4 more

View all releases on GitHub

← Back to s2n-tls wiki