Associates a public certificate chain with a s2n_cert_chain_and_key object. It does NOT set a private key, so the connection will need to be configured to offload private key operations.

s2n_cert_chain_and_key_new^⚠

Creates a new s2n_cert_chain_and_key object. This object can be associated with many config objects. It is used to represent a certificate and key pair.

s2n_cert_chain_and_key_set_ctx^⚠

Adds a context to the s2n_cert_chain_and_key object.

s2n_cert_chain_and_key_set_ocsp_data^⚠

Set the raw OCSP stapling data for a certificate chain.

s2n_cert_chain_and_key_set_sct_list^⚠

Set the signed certificate timestamp (SCT) for a certificate chain. This is used for Certificate Transparency.

s2n_cert_chain_get_cert^⚠

Returns the certificate out_cert present at the index cert_idx of the certificate chain chain_and_key.

s2n_cert_chain_get_length^⚠

@param chain_and_key A pointer to the s2n_cert_chain_and_key object being read. @param cert_length This return value represents the length of the s2n certificate chain chain_and_key. @returns the length of the s2n certificate chain chain_and_key.

s2n_cert_get_der^⚠

Returns the s2n certificate in DER format along with its length.

s2n_cert_get_utf8_string_from_extension_data^⚠

Returns the UTF8 String representation of the DER encoded ASN.1 X.509 certificate extension data.

s2n_cert_get_utf8_string_from_extension_data_length^⚠

Returns the UTF8 String length of the ASN.1 X.509 certificate extension data.

s2n_cert_get_x509_extension_value^⚠

Returns the DER encoding of an ASN.1 X.509 certificate extension value, it’s length and a boolean critical.

s2n_cert_get_x509_extension_value_length^⚠

Returns the length of the DER encoded extension value of the ASN.1 X.509 certificate extension.

s2n_cleanup^⚠

Cleans up any internal resources used by s2n-tls. This function should be called from each thread or process that is created subsequent to calling s2n_init when that thread or process is done calling other s2n-tls functions.

s2n_client_hello_cb_done^⚠

Marks the non-blocking callback as complete. Can be invoked from within the callback when operating in non-blocking mode to continue the handshake.

s2n_client_hello_get_cipher_suites^⚠

Copies into the out buffer max_length bytes of the cipher_suites on the ClientHello.

s2n_client_hello_get_cipher_suites_length^⚠

Function to determine the size of the Client Hello cipher suites. This can be used to allocate the out buffer for s2n_client_hello_get_cipher_suites().

s2n_client_hello_get_extension_by_id^⚠

Copies into the out buffer max_length bytes of a given extension type on the ClientHello

s2n_client_hello_get_extension_length^⚠

Query the ClientHello message received by the server. Use this function to allocate the out buffer for other client hello extension functions.

s2n_client_hello_get_extensions^⚠

Copies into the out buffer max_length bytes of the extensions in the ClientHello.

s2n_client_hello_get_extensions_length^⚠

Function to determine the size of the Client Hello extensions. This can be used to allocate the out buffer for s2n_client_hello_get_extensions().

s2n_client_hello_get_raw_message^⚠

Copies max_length bytes of the ClientHello message into the out buffer. The ClientHello instrumented using this function will have the Random bytes zero-ed out. For SSLv2 ClientHello messages, the raw message contains only the cipher_specs, session_id and members portions of the hello message (see RFC5246). To access other members, you may use s2n_connection_get_client_hello_version(), s2n_connection_get_client_protocol_version() and s2n_connection_get_session_id_length() accessors functions.

s2n_client_hello_get_raw_message_length^⚠

Function to determine the size of the raw Client Hello buffer.

s2n_client_hello_get_session_id^⚠

Copies up to max_length bytes of the ClientHello session_id into the out buffer and stores the number of copied bytes in out_length.

s2n_client_hello_get_session_id_length^⚠

Get the the ClientHello session id length in bytes

s2n_client_hello_has_extension^⚠

Used to check if a particular extension exists in the client hello.

s2n_config_accept_max_fragment_length^⚠

Allows the server to opt-in to accept client’s TLS maximum fragment length extension requests. If this API is not called, and client requests the extension, server will ignore the request and continue TLS handshake with default maximum fragment length of 8k bytes

s2n_config_add_cert_chain_and_key^⚠

Associates a certificate chain and private key with an s2n_config object. Using this API, only one cert chain of each type (like ECDSA or RSA) may be associated with a config. cert_chain_pem should be a PEM encoded certificate chain, with the first certificate in the chain being your server’s certificate. private_key_pem should be a PEM encoded private key corresponding to the server certificate.

s2n_config_add_cert_chain_and_key_to_store^⚠

The preferred method of associating a certificate chain and private key pair with an s2n_config object. This method may be called multiple times to support multiple key types(RSA, ECDSA) and multiple domains. On the server side, the certificate selected will be based on the incoming SNI value and the client’s capabilities(supported ciphers).

s2n_config_add_dhparams^⚠

Associates a set of Diffie-Hellman parameters with an s2n_config object. @note dhparams_pem should be PEM encoded DH parameters.

s2n_config_add_pem_to_trust_store^⚠

Adds a PEM to the trust store. This will allocate memory, and load PEM into the Trust Store. Note that the trust store will be initialized with the common locations for the host operating system by default. To completely override those locations, call s2n_config_wipe_trust_store before calling this function.

s2n_config_add_ticket_crypto_key^⚠

Adds session ticket key on the server side. It would be ideal to add new keys after every (encrypt_decrypt_key_lifetime_in_nanos/2) nanos because this will allow for gradual and linear transition of a key from encrypt-decrypt state to decrypt-only state.

s2n_config_append_protocol_preference^⚠

Appends the provided application protocol to the preference list

s2n_config_disable_x509_verification^⚠

Turns off all X.509 validation during the negotiation phase of the connection. This should only be used for testing or debugging purposes.

s2n_config_enable_cert_req_dss_legacy_compat^⚠

s2n_config_enable_cert_req_dss_legacy_compat adds a dss cert type in the server certificate request when being called. It only sends the dss cert type in the cert request but does not succeed the handshake if a dss cert is received. Please DO NOT call this api unless you know you actually need legacy DSS certificate type compatibility @param config Config to enable legacy DSS certificates for

s2n_config_free^⚠

Frees the memory associated with an s2n_config object.

s2n_config_free_cert_chain_and_key^⚠

Frees the certificate chain and key associated with an s2n_config object.

s2n_config_free_dhparams^⚠

Frees the DH params associated with an s2n_config object.

s2n_config_get_client_auth_type^⚠

Gets Client Certificate authentication method the s2n_config object is using.

s2n_config_get_ctx^⚠

Gets the user defined context from the s2n_config object. The context is set by calling s2n_config_set_ctx()

s2n_config_new^⚠

Create a new s2n_config object. This object can (and should) be associated with many connection objects.

s2n_config_send_max_fragment_length^⚠

Allows the caller to set a TLS Maximum Fragment Length extension that will be used to fragment outgoing messages. s2n-tls currently does not reject fragments larger than the configured maximum when in server mode. The TLS negotiated maximum fragment length overrides the preference set by the s2n_connection_prefer_throughput and s2n_connection_prefer_low_latency.

s2n_config_set_alert_behavior^⚠

Sets the config’s alert behavior based on the s2n_alert_behavior enum.

s2n_config_set_async_pkey_callback^⚠

Sets up the callback to invoke when private key operations occur.

s2n_config_set_async_pkey_validation_mode^⚠

Configures whether or not s2n-tls will perform potentially expensive validation of the results of a private key operation.

s2n_config_set_cache_delete_callback^⚠

Allows the caller to set a callback function that will be used to delete SSL session data from a cache.

s2n_config_set_cache_retrieve_callback^⚠

Allows the caller to set a callback function that will be used to retrieve SSL session data from a cache.

s2n_config_set_cache_store_callback^⚠

Allows the caller to set a callback function that will be used to store SSL session data in a cache.

s2n_config_set_cert_chain_and_key_defaults^⚠

Explicitly sets certificate chain and private key pairs to be used as defaults for each auth method (key type). A “default” certificate is used when there is not an SNI match with any other configured certificate.

s2n_config_set_cert_tiebreak_callback^⚠

Sets the s2n_cert_tiebreak_callback for resolving domain name conflicts. If no callback is set, the first certificate added for a domain name will always be preferred.

s2n_config_set_check_stapled_ocsp_response^⚠

Toggles whether or not to validate stapled OCSP responses.

s2n_config_set_cipher_preferences^⚠

Sets the security policy that includes the cipher/kem/signature/ecc preferences and protocol version.

s2n_config_set_client_auth_type^⚠

Sets whether or not a Client Certificate should be required to complete the TLS Connection.

s2n_config_set_client_hello_cb^⚠

Allows the caller to set a callback function that will be called after ClientHello was parsed.

s2n_config_set_client_hello_cb_mode^⚠

Sets the callback execution mode.

s2n_config_set_ct_support_level^⚠

Set the Certificate Transparency Support level.

s2n_config_set_ctx^⚠

Sets user defined context on the s2n_config object.

s2n_config_set_early_data_cb^⚠

Set a callback to accept or reject early data.

s2n_config_set_extension_data^⚠

Sets the extension data in the s2n_config object for the specified extension. This method will clear any existing data that is set. If the data and length parameters are set to NULL, no new data is set in the s2n_config object, effectively clearing existing data.

s2n_config_set_initial_ticket_count^⚠

Sets the initial number of session tickets to send after a >=TLS1.3 handshake. The default value is one ticket.

s2n_config_set_key_log_cb^⚠

Sets a key logging callback on the provided config

s2n_config_set_max_cert_chain_depth^⚠

Sets the maximum allowed depth of a cert chain used for X509 validation. The default value is 7. If this limit is exceeded, validation will fail if s2n_config_disable_x509_verification() has not been called. 0 is an illegal value and will return an error. 1 means only a root certificate will be used.

s2n_config_set_monotonic_clock^⚠

Allows the caller to set a callback function that will be used to get monotonic time. The monotonic time is the time since an arbitrary, unspecified point. Unlike wall clock time, it MUST never move backwards.

s2n_config_set_protocol_preferences^⚠

Sets the application protocol preferences on an s2n_config object. protocols is a list in order of preference, with most preferred protocol first, and of length protocol_count.

s2n_config_set_psk_mode^⚠

Sets the PSK mode on the s2n config object. The supported PSK modes are listed in the enum s2n_psk_mode above.

s2n_config_set_psk_selection_callback^⚠

Sets the callback to select the matching PSK. If this callback is not set s2n-tls uses a default PSK selection logic that selects the first matching server PSK.

s2n_config_set_send_buffer_size^⚠

Set a custom send buffer size.

s2n_config_set_server_max_early_data_size^⚠

Sets the maximum bytes of early data the server will accept.

s2n_config_set_session_cache_onoff^⚠

Enable or disable session caching.

s2n_config_set_session_state_lifetime^⚠

Sets the lifetime of the cached session state. The default value is 15 hours.

s2n_config_set_session_ticket_cb^⚠

Sets a session ticket callback to be called when a client receives a new session ticket.

s2n_config_set_session_tickets_onoff^⚠

Enable or disable session resumption using session ticket.

s2n_config_set_status_request_type^⚠

Sets up an S2N_CLIENT to request the server certificate status during an SSL handshake. If set to S2N_STATUS_REQUEST_NONE, no status request is made.

s2n_config_set_ticket_decrypt_key_lifetime^⚠

Sets how long a session ticket key will be in a state where it can used just for decryption of already assigned tickets on the server side. Once decrypted, the session will resume and the server will issue a new session ticket encrypted using a key in encrypt-decrypt state.

s2n_config_set_ticket_encrypt_decrypt_key_lifetime^⚠

Sets how long a session ticket key will be in a state where it can be used for both encryption and decryption of tickets on the server side.

s2n_config_set_verification_ca_location^⚠

Adds to the trust store from a CA file or directory containing trusted certificates. To completely override those locations, call s2n_config_wipe_trust_store() before calling this function.

s2n_config_set_verify_after_sign^⚠

Toggle whether generated signatures are verified before being sent.

s2n_config_set_verify_host_callback^⚠

Sets the callback to use for verifying that a hostname from an X.509 certificate is trusted.

s2n_config_set_wall_clock^⚠

Allows the caller to set a callback function that will be used to get the system time. The time returned should be the number of nanoseconds since the Unix epoch (Midnight, January 1st, 1970).

s2n_config_wipe_trust_store^⚠

Clear the trust store.

s2n_connection_add_new_tickets_to_send^⚠

Increases the number of session tickets to send after a >=TLS1.3 handshake.

s2n_connection_append_protocol_preference^⚠

Appends the provided application protocol to the preference list

s2n_connection_append_psk^⚠

Appends a PSK object to the list of PSKs supported by the s2n connection. If a PSK with a duplicate identity is found, an error is returned and the PSK is not added to the list. Note that a copy of psk is stored on the connection. The user is still responsible for freeing the memory associated with psk.

s2n_connection_client_cert_used^⚠

Check if Client Auth was used for a connection.

s2n_connection_free^⚠

Frees the memory associated with an s2n_connection handle. The handle is considered invalid after s2n_connection_free is used. s2n_connection_wipe() does not need to be called prior to this function. s2n_connection_free performs its own wipe of sensitive data.

s2n_connection_free_handshake^⚠

Wipes and releases buffers and memory allocated during the TLS handshake.

s2n_connection_get_actual_protocol_version^⚠

Access the protocol version selected for the connection.

s2n_connection_get_alert^⚠

Function to get the alert that caused a connection to close. s2n-tls considers all TLS alerts fatal and shuts down a connection whenever one is received.

s2n_connection_get_cipher^⚠

A function that provides a human readable string of the cipher suite that was chosen for a connection.

s2n_connection_get_cipher_iana_value^⚠

Returns the IANA value for the connection’s negotiated cipher suite.

s2n_connection_get_client_auth_type^⚠

Gets Client Certificate authentication method the s2n_connection object is using.

s2n_connection_get_client_cert_chain^⚠

Gets the client certificate chain and places it in the der_cert_chain_out buffer. cert_chain_len is updated to match the size the chain buffer.

s2n_connection_get_client_hello^⚠

Get the Client Hello from a s2n_connection.

s2n_connection_get_client_hello_version^⚠

Access the client hello protocol version for the connection.

s2n_connection_get_client_protocol_version^⚠

Access the protocol version supported by the client.

s2n_connection_get_ctx^⚠

Gets user defined context from a s2n_connection object.

s2n_connection_get_curve^⚠

Function to get the human readable elliptic curve name for the connection.

s2n_connection_get_delay^⚠

Query the connection object for the configured blinding delay. @param conn The connection object being updated @returns the number of nanoseconds an application using self-service blinding should pause before calling close() or shutdown().

s2n_connection_get_early_data_status^⚠

Reports the current state of early data for a connection.

s2n_connection_get_handshake_type_name^⚠

Function to return the last TLS handshake type that was processed. The returned format is a human readable string.

s2n_connection_get_kem_group_name^⚠

Function to get the human readable KEM group name for the connection.

s2n_connection_get_kem_name^⚠

Function to get the human readable KEM name for the connection.

s2n_connection_get_last_message_name^⚠

Function to return the last TLS message that was processed. The returned format is a human readable string. @param conn A pointer to the s2n connection @returns The last message name in the TLS state machine, e.g. “SERVER_HELLO”, “APPLICATION_DATA”.

s2n_connection_get_max_early_data_size^⚠

Reports the maximum size of the early data allowed by a connection.

s2n_connection_get_negotiated_psk_identity^⚠

Gets the negotiated PSK identity from the s2n connection object. If the negotiated PSK does not exist, the PSK identity will not be obtained and no error will be returned. Prior to this API call, use s2n_connection_get_negotiated_psk_identity_length to determine if a negotiated PSK exists or not.

s2n_connection_get_negotiated_psk_identity_length^⚠

Gets the negotiated PSK identity length from the s2n connection object. The negotiated PSK refers to the chosen PSK by the server to be used for the connection.

s2n_connection_get_ocsp_response^⚠

Query the connection for a buffer containing the OCSP response.

s2n_connection_get_peer_cert_chain^⚠

Returns the validated peer certificate chain as a s2n_cert_chain_and_key opaque object.

s2n_connection_get_read_fd^⚠

Gets the assigned file descriptor for the read channel of an s2n connection.

s2n_connection_get_remaining_early_data_size^⚠

Reports the remaining size of the early data allowed by a connection.

s2n_connection_get_sct_list^⚠

Query the connection for a buffer containing the Certificate Transparency response.

s2n_connection_get_selected_cert^⚠

Get the certificate used during the TLS handshake

s2n_connection_get_selected_client_cert_digest_algorithm^⚠

Get the client certificate’s digest algorithm.

s2n_connection_get_selected_client_cert_signature_algorithm^⚠

Get the client certificate’s signature algorithm.

s2n_connection_get_selected_digest_algorithm^⚠

Get the connection’s selected digest algorithm.

s2n_connection_get_selected_signature_algorithm^⚠

Get the connection’s selected signature algorithm.

s2n_connection_get_server_protocol_version^⚠

Access the protocol version supported by the server.

s2n_connection_get_session^⚠

Serializes the session state from connection and copies into the session buffer and returns the number of copied bytes

s2n_connection_get_session_id^⚠

Gets the latest session id from the connection, copies it into the session_id buffer, and returns the number of copied bytes.

s2n_connection_get_session_id_length^⚠

Gets the latest session id’s length from the connection.

s2n_connection_get_session_length^⚠

Use this to query the serialized session state size before copying it into a buffer.

s2n_connection_get_session_ticket_lifetime_hint^⚠

Retrieves a hint from the server indicating how long this ticket’s lifetime is.

s2n_connection_get_tickets_sent^⚠

Returns the number of session tickets issued by the server.

s2n_connection_get_wire_bytes_in^⚠

Get the number of bytes the connection has received.

s2n_connection_get_wire_bytes_out^⚠

Get the number of bytes the connection has transmitted out.

s2n_connection_get_write_fd^⚠

Gets the assigned file descriptor for the write channel of an s2n connection.

s2n_connection_is_ocsp_stapled^⚠

Check is the connection is OCSP stapled.

s2n_connection_is_session_resumed^⚠

Check if the connection was resumed from an earlier handshake.

s2n_connection_is_valid_for_cipher_preferences^⚠

Function to check if the cipher used by current connection is supported by the current cipher preferences. @param conn A pointer to the s2n connection @param version A string representing the security policy to check against. @returns 1 if the connection satisfies the cipher suite. 0 if the connection does not satisfy the cipher suite. -1 if there is an error.

s2n_connection_new^⚠

Creates a new connection object. Each s2n-tls SSL/TLS connection uses one of these objects. These connection objects can be operated on by up to two threads at a time, one sender and one receiver, but neither sending nor receiving are atomic, so if these objects are being called by multiple sender or receiver threads, you must perform your own locking to ensure that only one sender or receiver is active at a time.

s2n_connection_prefer_low_latency^⚠

Change the behavior of s2n-tls when sending data to prefer low latency.

s2n_connection_prefer_throughput^⚠

Change the behavior of s2n-tls when sending data to prefer high throughput.

s2n_connection_release_buffers^⚠

Wipes and free the in and out buffers associated with a connection.

s2n_connection_server_name_extension_used^⚠

Must be invoked if any of the connection properties were changed on the basis of the server_name extension. This must be invoked before marking the Client Hello callback done.

s2n_connection_set_blinding^⚠

Used to configure s2n-tls to either use built-in blinding (set blinding to S2N_BUILT_IN_BLINDING) or self-service blinding (set blinding to S2N_SELF_SERVICE_BLINDING).

s2n_connection_set_cipher_preferences^⚠

Sets the cipher preference override for the s2n_connection. Calling this function is not necessary unless you want to set the cipher preferences on the connection to something different than what is in the s2n_config.

s2n_connection_set_client_auth_type^⚠

Sets whether or not a Client Certificate should be required to complete the TLS Connection.

s2n_connection_set_config^⚠

Associates a configuration object with a connection.

s2n_connection_set_ctx^⚠

Sets user defined context in s2n_connection object.

s2n_connection_set_dynamic_buffers^⚠

Configure the connection to free IO buffers when they are not currently in use.

s2n_connection_set_dynamic_record_threshold^⚠

Changes the behavior of s2n-tls when sending data to initially prefer records small enough to fit in single ethernet frames.

s2n_connection_set_fd^⚠

Sets the file descriptor for a s2n connection.

s2n_connection_set_protocol_preferences^⚠

Sets the protocol preference override for the s2n_connection. Calling this function is not necessary unless you want to set the protocol preferences on the connection to something different than what is in the s2n_config.

s2n_connection_set_psk_mode^⚠

Sets the PSK mode on the s2n connection object. The supported PSK modes are listed in the enum s2n_psk_mode above. This API overrides the PSK mode set on config for this connection.

s2n_connection_set_read_fd^⚠

Sets the file descriptor for the read channel of an s2n connection.

s2n_connection_set_recv_cb^⚠

Configure a connection to use a recv callback to receive data.

s2n_connection_set_recv_ctx^⚠

Set a context containing anything needed in the recv callback function (for example, a file descriptor), the buffer holding data to be sent or received, and the length of the buffer.

s2n_connection_set_send_cb^⚠

Configure a connection to use a send callback to send data.

s2n_connection_set_send_ctx^⚠

Set a context containing anything needed in the send callback function (for example, a file descriptor), the buffer holding data to be sent or received, and the length of the buffer.

s2n_connection_set_server_early_data_context^⚠

Sets the user context associated with early data on a server.

s2n_connection_set_server_keying_material_lifetime^⚠

Sets the keying material lifetime for >=TLS1.3 session tickets so that one session doesn’t get re-used ad infinitum. The default value is one week.

s2n_connection_set_server_max_early_data_size^⚠

Sets the maximum bytes of early data the server will accept.

s2n_connection_set_session^⚠

De-serializes the session state and updates the connection accordingly.

s2n_connection_set_verify_host_callback^⚠

Sets the callback to use for verifying that a hostname from an X.509 certificate is trusted.

s2n_connection_set_write_fd^⚠

Sets the assigned file descriptor for the write channel of an s2n connection.

s2n_connection_use_corked_io^⚠

Indicates to s2n that the connection is using corked IO.

s2n_connection_wipe^⚠

Wipes an existing connection and allows it to be reused. Erases all data associated with a connection including pending reads.

s2n_crypto_disable_init^⚠

Prevents S2N from calling OPENSSL_init_crypto/OPENSSL_cleanup/EVP_cleanup on OpenSSL versions prior to 1.1.x. This allows applications or languages that also init OpenSSL to interoperate with S2N.

s2n_disable_atexit^⚠

Prevents S2N from installing an atexit handler, which allows safe shutdown of S2N from within a re-entrant shared library

s2n_errno_location^⚠

This function can be used instead of trying to resolve s2n_errno directly in runtimes where thread-local variables may not be easily accessible.

s2n_error_get_type^⚠

Gets the category of error from an error.

s2n_external_psk_new^⚠

Creates a new s2n external pre-shared key (PSK) object with S2N_PSK_HMAC_SHA256 as the default PSK hash algorithm. An external PSK is a key established outside of TLS using a secure mutually agreed upon mechanism.

s2n_free_stacktrace^⚠

Clean up the memory used to contain the stack trace.

s2n_get_application_protocol^⚠

Query the connection for the selected application protocol.

s2n_get_openssl_version^⚠

Fetches the OpenSSL version s2n-tls was compiled with. This can be used by applications to validate at runtime that the versions of s2n-tls and Openssl that they have loaded are correct.

s2n_get_server_name^⚠

Query the connection for the selected server name.

s2n_get_stacktrace^⚠

Export the s2n_stacktrace.

s2n_init^⚠

Initializes the s2n-tls library and should be called once in your application, before any other s2n-tls functions are called. Failure to call s2n_init() will result in errors from other s2n-tls functions.

s2n_mem_set_callbacks^⚠

Allows the caller to override s2n-tls’s internal memory handling functions.

s2n_negotiate^⚠

Performs the initial “handshake” phase of a TLS connection and must be called before any s2n_recv() or s2n_send() calls.

s2n_offered_early_data_accept^⚠

Accept early data offered by the client.

s2n_offered_early_data_get_context^⚠

Get the early data context set by the user.

s2n_offered_early_data_get_context_length^⚠

Get the length of the early data context set by the user.

s2n_offered_early_data_reject^⚠

Reject early data offered by the client.

s2n_offered_psk_free^⚠

Frees the memory associated with the s2n_offered_psk object.

s2n_offered_psk_get_identity^⚠

Gets the PSK identity and PSK identity length for a given offered PSK object.

s2n_offered_psk_list_choose_psk^⚠

Chooses a PSK from the offered PSK list to be used for the connection. This API matches the PSK identity received from the client against the server’s known PSK identities list, in order to choose the PSK to be used for the connection. If the PSK identity sent from the client is NULL, no PSK is chosen for the connection. If the client offered PSK identity has no matching PSK identity with the server, an error will be returned. Use this API along with the s2n_psk_selection_callback callback to select a PSK identity.

s2n_offered_psk_list_has_next^⚠

Checks whether the offered PSK list has an offered psk object next in line in the list. An offered PSK list contains all the PSKs offered by the client for the server to select.

s2n_offered_psk_list_next^⚠

Obtains the next offered PSK object from the list of offered PSKs. Use s2n_offered_psk_list_has_next prior to this API call to ensure we have not reached the end of the list.

s2n_offered_psk_list_reread^⚠

Returns the offered PSK list to its original read state.

s2n_offered_psk_new^⚠

Creates a new s2n offered PSK object. An offered PSK object represents a single PSK sent by the client.

s2n_peek^⚠

Allows users of s2n-tls to peek inside the data buffer of an s2n-tls connection to see if there more data to be read without actually reading it.

s2n_print_stacktrace^⚠

Prints the s2n stack trace to a file. The file descriptor is expected to be open and ready for writing.

s2n_psk_configure_early_data^⚠

Configures a particular pre-shared key to allow early data.

s2n_psk_free^⚠

Frees the memory associated with the external PSK object.

s2n_psk_set_application_protocol^⚠

Sets the optional application_protocol associated with the given pre-shared key.

s2n_psk_set_early_data_context^⚠

Sets the optional user early data context associated with the given pre-shared key.

s2n_psk_set_hmac^⚠

Sets the hash algorithm for a given external PSK object. The supported PSK hash algorithms are as listed in the enum s2n_psk_hmac above.

s2n_psk_set_identity^⚠

Sets the identity for a given external PSK object. The identity is a unique identifier for the pre-shared secret. It is a non-secret value represented by raw bytes.

s2n_psk_set_secret^⚠

Sets the out-of-band/externally provisioned secret for a given external PSK object.

s2n_rand_set_callbacks^⚠

Allows the caller to override s2n-tls’s entropy functions.

s2n_recv^⚠

Decrypts and reads *size to buf data from the associated connection.

s2n_recv_early_data^⚠

Called by the server to begin negotiation and accept any early data the client sends.

s2n_send^⚠

Writes and encrypts size of buf data to the associated connection. s2n_send() will return the number of bytes written, and may indicate a partial write.

s2n_send_early_data^⚠

Called by the client to begin negotiation and send early data.

s2n_sendv^⚠

Works in the same way as s2n_sendv_with_offset() except that the latter’s offs parameter is implicitly assumed to be 0. Therefore in the partial write case, the caller would have to make sure that bufs and count fields are modified in a way that takes the partial writes into account.

s2n_sendv_with_offset^⚠

Works in the same way as s2n_send() except that it accepts vectorized buffers. Will return the number of bytes written, and may indicate a partial write. Partial writes are possible not just for non-blocking I/O, but also for connections aborted while active.

s2n_session_ticket_get_data^⚠

Gets the session ticket data from a session ticket object.

s2n_session_ticket_get_data_len^⚠

Gets the length of the session ticket from a session ticket object.

s2n_session_ticket_get_lifetime^⚠

Gets the lifetime in seconds of the session ticket from a session ticket object.

s2n_set_server_name^⚠

Sets the server name for the connection.

s2n_shutdown^⚠

Attempts a closure at the TLS layer. Does not close the underlying transport. This call may block in either direction.

s2n_stack_traces_enabled^⚠

Checks if s2n stack trace captures are enabled.

s2n_stack_traces_enabled_set^⚠

Configures the s2n stack trace captures option.

s2n_strerror^⚠

Translates an s2n_error code to a human readable string explaining the error.

s2n_strerror_debug^⚠

Translates an s2n_error code to a human readable string containing internal debug information, including file name and line number. This function is useful when reporting issues to the s2n-tls development team.

s2n_strerror_name^⚠

Translates an s2n_error code to a human readable string.

Type Definitions

s2n_async_pkey_fn

Callback function for handling private key operations

s2n_cache_delete_callback

Cache callback function that allows the caller to set a callback function that will be used to delete SSL session data from a cache.

s2n_cache_retrieve_callback

Cache callback function that allows the caller to retrieve SSL session data from a cache.

s2n_cache_store_callback

Cache callback function that allows the caller to store SSL session data in a cache.

s2n_cert_private_key

Opaque private key type.

s2n_cert_public_key

Opaque public key type.

s2n_cert_tiebreak_callback

A callback function that is invoked if s2n-tls cannot resolve a conflict between two certificates with the same domain name. This function is invoked while certificates are added to an s2n_config.

s2n_client_hello_fn

The callback function takes a s2n-tls connection as input, which receives the ClientHello and the context previously provided in s2n_config_set_client_hello_cb. The callback can access any ClientHello information from the connection and use the s2n_connection_set_config call to change the config of the connection.

s2n_clock_time_nanoseconds

Callback function type used to get the system time.

s2n_early_data_cb

A callback which can be implemented to accept or reject early data.

s2n_key_log_fn

Callback function for handling key log events

s2n_mem_cleanup_callback

Will be called when s2n_cleanup is executed.

s2n_mem_free_callback

Frees memory allocated by s2n_mem_malloc_callback.

s2n_mem_init_callback

Called when s2n_init is executed.

s2n_mem_malloc_callback

A function that can allocate at least requested bytes of memory.

s2n_psk_selection_callback

Callback function to select a PSK from a list of offered PSKs. Use this callback to implement custom PSK selection logic. The s2n-tls default PSK selection logic chooses the first matching PSK from the list of offered PSKs sent by the client.

s2n_rand_cleanup_callback

A callback function that will be called when s2n_cleanup is executed.

s2n_rand_init_callback

A callback function that will be called when s2n-tls is initialized.

s2n_rand_mix_callback

A callback function that will be used to mix in entropy every time the RNG is invoked.

s2n_rand_seed_callback

A callback function that will be used to provide entropy to the s2n-tls random number generators.

s2n_recv_fn

Function pointer for a user provided send callback.

s2n_send_fn

Function pointer for a user provided send callback.