Slashdot Mirror


Amazon's New SSL/TLS Implementation In 6,000 Lines of Code

bmearns writes: Amazon has announced a new library called "s2n," an open source implementation of SSL/TLS, the cryptographic security protocols behind HTTPS, SSH, SFTP, secure SMTP, and many others. Weighing in at about 6k lines of code, it's just a little more than 1% the size of OpenSSL, which is really good news in terms of security auditing and testing. OpenSSL isn't going away, and Amazon has made clear that they will continue to support it. Notably, s2n does not provide all the additional cryptographic functions that OpenSSL provides in libcrypto; it only provides the SSL/TLS functions. Furthermore, it implements a relatively small subset of SSL/TLS features compared to OpenSSL.

3 of 107 comments

  1. Compile errors by Aethedor · Score: 3, Insightful

    ... which is really good news in terms of security auditing and testing.

    Good, then start debugging. Because I got compile errors on both Linux and MacOS X.

    --
    It doesn't have to be like this. All we need to do is make sure we keep talking.
  2. This isn't as good as it sounds by jonwil · Score: 4, Insightful

    Ok, so firstly it still uses large chunks of OpenSSL (all the crypto stuff) and is still vulnerable to any security holes in that stuff. So it's no good on that score.
    Also, it disables DHE (which is supposed to be good for ensuring forward secrecy), claiming it's a "security risk" (to be fair, maybe there is some security flaw with DHE that I haven't read about yet and that is why it's turned off).
    Oh, and it still supports horridly broken things like RC4, 3DES, SSLv3 and TLS 1.0 (all of which contain known unfixable security flaws making them unsuitable going forward).

  3. Apples and oranges by QuietLagoon · Score: 4, Insightful

    ... it's just a little more than 1% the size of OpenSSL...Notably, s2n does not provide all the additional cryptographic functions that OpenSSL provides in libcrypto, it only provides the SSL/TLS functions....

    So then, aren't size comparisons between OpenSSL and s2n at best useless, and at worst intentionally misleading?