TLS Connections

Users will need to create a s2n_connection struct to store all of the state necessary for a TLS connection. Call s2n_connection_new() to create a new server or client connection. Call s2n_connection_free() to free the memory allocated for this struct when no longer needed.

Connection Memory

The connection struct is roughly 4KB with some variation depending on how it is configured. Maintainers of the s2n-tls library carefully consider increases to the size of the connection struct as they are aware some users are memory-constrained.

A connection struct has memory allocated specifically for the TLS handshake. Memory-constrained users can free that memory by calling s2n_connection_free_handshake() after the handshake is successfully negotiated. Note that the handshake memory can be reused for another connection if s2n_connection_wipe() is called, so freeing it may result in more memory allocations later. Additionally some functions that print information about the handshake may not produce meaningful results after the handshake memory is freed.

The input and output buffers consume the most memory on the connection after the handshake. It may not be necessary to keep these buffers allocated when a connection is in a keep-alive or idle state. Call s2n_connection_release_buffers() to wipe and free the in and out buffers associated with a connection to reduce memory overhead of long-lived connections.

s2n_connection_get_actual_protocol_version(): The actual TLS protocol version negotiated during the handshake. This is the primary value referred to as "protocol_version", and the most commonly used.
s2n_connection_get_server_protocol_version(): The highest TLS protocol version the server supports.
s2n_connection_get_client_protocol_version(): The highest TLS protocol version the client advertised.

TLS Connections

Connection Memory

Connection Reuse

Connection Info

Protocol Version