Cryptography and SSL should have fewer configuration options and be hard to misuse. As mentioned earlier, AWS-LC has cut down on the available knobs in crypto/ssl and made certain optimizations the default. Most configuration flags that OpenSSL has historically made available have been changed to no-ops in AWS-LC. No-op flags fall into two types:
- The behavior the flag enables is already provided by default in AWS-LC.
- The flag selects a configuration or historic workaround in OpenSSL that we do not support (see SSL_OP_ALL).
There are also a few configurations that OpenSSL has "OFF" by default but that AWS-LC turns "ON" by default. This section outlines all known no-op configuration flags and default configuration differences.
The following tables contain only the configuration options on which AWS-LC and OpenSSL differ.
- The two tables under libssl and libcrypto cover only flags that exist within AWS-LC. Other flags supported only by OpenSSL are not listed here; the missing flags we are aware of are documented under Intentionally Omitted Configuration Flags. If you have a valid use case for an undocumented flag that does not exist in AWS-LC, feel free to cut an issue to us.
- Flags that are no-ops in both AWS-LC and OpenSSL have been omitted from the tables.
- A flag listed as NO-OP in the Configurability column cannot configure the listed behavior in AWS-LC; it is provided only for easier source compatibility.
When integrating with AWS-LC, note whether your application depends on any of the flags outlined in the following tables. Your application should have tests for the expected behavior, and you should understand the customer impact of each behavioral change before migrating to AWS-LC.
- Anything labeled "ON" in "AWS-LC Default" is a behavioral difference between AWS-LC and OpenSSL (with the exception of SSL_MODE_AUTO_RETRY, which is "ON" by default in both). Developers should treat a migration to AWS-LC as equivalent to turning these flags "ON" by default in OpenSSL.
- Aside from SSL_MODE_NO_AUTO_CHAIN, there is no way to clear any flag that is "ON" by default in AWS-LC.
- Anything labeled "OFF" in "AWS-LC Default" is also a "NO-OP". These flags exist only for compatibility, and the state of AWS-LC does not change when an application attempts to set them. If your application relies on any of these flags, the behavioral difference will surface at run time rather than at compile time.
To determine whether your consuming application is impacted, search your codebase for each "Context Flags Setting Function" listed below. If a function is used, check the flags passed to it against the relevant "Context Flags" entries. More context on what each flag configures can be found in our documentation by following the corresponding link.
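The search described above, as an added example that is not part of the AWS-LC documentation or source: a POSIX shell script that scans a C/C++ tree for calls to the setter functions named in the tables, extracts the flag arguments so they can be looked up, and separates calls that pass literal flag constants from calls that pass a variable and need a manual look. Including the per-connection SSL_set_* and the *_clear_* variants in the setter list is this script's own assumption (they take the same SSL_MODE_*/SSL_OP_* values as the SSL_CTX setters). The tree it scans is a constructed sample embedded in the script; the flag constants in that sample are ordinary OpenSSL identifiers used as input and say nothing about how AWS-LC treats them.

```shell
#!/bin/sh
# Added audit helper (not part of AWS-LC or OpenSSL): find every call to a
# "Context Flags Setting Function" in a C/C++ tree and list the flags passed,
# so each one can be checked against the tables on this page.

# Setter functions named in the tables, plus the per-connection SSL_set_* and
# the *_clear_* variants. Including those variants is an assumption of this
# script: they take the same SSL_MODE_* / SSL_OP_* values as the CTX setters.
SETTERS='SSL_CTX_set_mode|SSL_set_mode|SSL_CTX_clear_mode|SSL_CTX_set_options|SSL_set_options|SSL_CTX_clear_options|SSL_set_hostflags|X509_check_host|BN_set_flags|ASN1_aux_cb'

# Prefixes of the flag constants the tables talk about.
FLAG_PREFIXES='SSL_OP|SSL_MODE|X509_CHECK_FLAG|BN_FLG|PKCS7|ASN1_OP'

# Print "file:line:function:arguments" for each call found under $1.
# Lines that are entirely a // or /* comment are skipped.
audit_flag_setters() {
  find "$1" -type f \( -name '*.c' -o -name '*.h' -o -name '*.cc' -o -name '*.cpp' \) \
      -exec grep -nHE "($SETTERS)[[:space:]]*\(" {} + \
    | grep -vE '^[^:]+:[0-9]+:[[:space:]]*(//|/\*)' \
    | sed -E "s/^([^:]+):([0-9]+):.*($SETTERS)[[:space:]]*\(([^;]*)\).*\$/\1:\2:\3:\4/"
}

# Number of flag-setting calls found under $1.
count_setter_calls() {
  audit_flag_setters "$1" | wc -l | tr -d ' '
}

# Distinct flag constants passed as literals, one per line, sorted.
flags_used() {
  audit_flag_setters "$1" | cut -d: -f4- \
    | tr -cs 'A-Za-z0-9_\n' '\n' \
    | grep -E "^($FLAG_PREFIXES)_" | LC_ALL=C sort -u
}

# Calls whose argument list contains no recognised flag constant: the flag
# value is computed elsewhere, so the call needs a manual look.
unresolved_calls() {
  audit_flag_setters "$1" | awk -F: -v pat="($FLAG_PREFIXES)_" '
    NF >= 4 {
      args = ""
      for (i = 4; i <= NF; i++) args = args ":" $i
      if (args !~ pat) print
    }'
}

# Constructed sample tree used for the demonstration below (illustrative
# source only; the flag names are plain OpenSSL identifiers used as input).
make_sample_tree() {
  dir=$(mktemp -d)
  cat > "$dir/tls.c" <<'EOF'
SSL_CTX *ctx = SSL_CTX_new(TLS_method());
SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_COMPRESSION);
SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_clear_mode(ctx, SSL_MODE_NO_AUTO_CHAIN);
/* SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);  old call, commented out */
EOF
  cat > "$dir/verify.c" <<'EOF'
X509_check_host(cert, host, 0, X509_CHECK_FLAG_NO_WILDCARDS, NULL);
BN_set_flags(n, bn_flags);  /* flag value decided at run time */
EOF
  printf '%s\n' "$dir"
}

dir=$(make_sample_tree)
echo "== flag-setting calls (file:line:function:arguments) =="
audit_flag_setters "$dir"
echo "== flag constants to look up in the tables =="
flags_used "$dir"
echo "== calls with a non-literal flag argument (review by hand) =="
unresolved_calls "$dir"
rm -rf "$dir"
```

Run it against a real tree with `audit_flag_setters /path/to/src`; every constant that `flags_used` prints should then be matched against the tables below, and every call that `unresolved_calls` prints should be traced back to where its flag value is assembled, since a flag hidden behind a variable is exactly the kind that silently becomes a no-op after the migration.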
The following table contains the differences in the libssl configuration options that AWS-LC and OpenSSL provide. These flags are relevant to all TLS connections unless specified otherwise.
- Aside from [flag] and SSL_MODE_AUTO_RETRY, which are "ON" by default in OpenSSL, everything in this table is "OFF" by default in OpenSSL.
- Each "Context Flag" has a link that provides more details on the flag's functionality and our decision behind it (WIP).
| Context Flags Setting Function | Context Flags | AWS-LC Default | Configurability |
|---|---|---|---|
| SSL_CTX_set_mode | | ON | Configurable |
| | | ON | NO-OP |
| | | ON | NO-OP |
| | | OFF | NO-OP |
| | | ON | NO-OP |
| SSL_CTX_set_options | | OFF | NO-OP |
| | | OFF | NO-OP |
| | | OFF | NO-OP |
| | | ON | NO-OP |
| | | OFF | NO-OP |
| | | ON | NO-OP |
| | | ON | NO-OP |
| | | ON | NO-OP |
| | | ON | NO-OP |
| | | ON | NO-OP |
| | | ON | NO-OP |
| | | OFF | NO-OP |
| | | OFF | NO-OP |
| SSL_set_hostflags | | ON | NO-OP |
| | | OFF | NO-OP |
The following table contains the differences in the libcrypto configuration options that AWS-LC and OpenSSL provide.
- In OpenSSL, every flag in this table is "OFF" by default and configurable.
- Each "Context Flag" has a link that provides more details on the flag's functionality (WIP).
| Context Flags Setting Function | Context Flags | AWS-LC Default | Configurability |
|---|---|---|---|
| X509_check_host | | OFF | Configurable |
| | | OFF | Configurable |
| | | OFF | NO-OP |
| | | ON | NO-OP |
| | | OFF | NO-OP |
| | | OFF | NO-OP |
| | | OFF | Configurable |
| | | Partially Supported | Must be used along with PKCS7_DETACHED. Other combinations are not supported. |
| | | OFF | NO-OP |
| | | OFF | NO-OP |
| | | OFF | NO-OP |
| | | OFF | NO-OP |
| | | Not Supported | NO-OP |
| | | Not Supported | NO-OP |
| | | Not Supported | NO-OP |
| | | Not Supported | NO-OP |
The following table lists configuration flags that AWS-LC has intentionally omitted. If your application uses any of these flags, it will fail to compile against AWS-LC, because the identifier does not exist.
- Each "Context Flag" has a link that provides more details on the flag's functionality (WIP).
- If you feel that there is a valid use case for any of these flags, feel free to cut an issue to us.
| Context Flags Setting Function | Context Flags | AWS-LC Default |
|---|---|---|
| BN_set_flags | | Not Implemented |
| ASN1_aux_cb | ASN1_OP_I2D_PRE | Not Implemented |
| | ASN1_OP_I2D_POST | Not Implemented |