diff --git a/.github/workflows/integrations.yml b/.github/workflows/integrations.yml
index c514cbeeb5..63d0ca0b0c 100644
--- a/.github/workflows/integrations.yml
+++ b/.github/workflows/integrations.yml
@@ -257,3 +257,32 @@ jobs:
- name: Run accp build
run: |
./tests/ci/integration/run_accp_integration.sh
+ netty-tcnative:
+ if: github.repository_owner == 'aws'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Install OS Dependencies
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y --no-install-recommends \
+ build-essential \
+ libapr1-dev \
+ libtool-bin \
+ pkg-config \
+ cmake \
+ gcc \
+ ninja-build \
+ golang
+ - uses: actions/checkout@v4
+ - name: Setup Java JDK
+ uses: actions/setup-java@v4.5.0
+ with:
+ distribution: corretto
+ java-version: 8
+ - name: Build netty-tcnative latest
+ run: |
+ ./tests/ci/integration/run_netty_tcnative_integration.sh
+ - name: Build netty-tcnative 2.0.62.Final
+ run: |
+ ./tests/ci/integration/run_netty_tcnative_integration.sh netty-tcnative-parent-2.0.62.Final
+
diff --git a/tests/ci/integration/netty_tcnative_patch/latest.patch b/tests/ci/integration/netty_tcnative_patch/latest.patch
new file mode 100644
index 0000000000..383217b3f3
--- /dev/null
+++ b/tests/ci/integration/netty_tcnative_patch/latest.patch
@@ -0,0 +1,1303 @@
+diff --git a/openssl-dynamic/src/main/c/cert_compress.c b/openssl-dynamic/src/main/c/cert_compress.c
+index 833889e..f6b9d06 100644
+--- a/openssl-dynamic/src/main/c/cert_compress.c
++++ b/openssl-dynamic/src/main/c/cert_compress.c
+@@ -16,7 +16,7 @@
+
+ #include "tcn.h"
+ #include "ssl_private.h"
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ #include "cert_compress.h"
+
+ static int compress(jobject compression_algorithm, jmethodID compress_method, SSL* ssl, CBB* out,
+@@ -168,4 +168,4 @@ int zstd_decompress_java(SSL* ssl, CRYPTO_BUFFER** out, size_t uncompressed_len,
+ ssl, out, uncompressed_len, in, in_len);
+ }
+
+-#endif // OPENSSL_IS_BORINGSSL
+\ No newline at end of file
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+\ No newline at end of file
+diff --git a/openssl-dynamic/src/main/c/cert_compress.h b/openssl-dynamic/src/main/c/cert_compress.h
+index bc0669e..d6807b9 100644
+--- a/openssl-dynamic/src/main/c/cert_compress.h
++++ b/openssl-dynamic/src/main/c/cert_compress.h
+@@ -17,7 +17,7 @@
+ #ifndef NETTY_TCNATIVE_CERT_COMPRESS_H_
+ #define NETTY_TCNATIVE_CERT_COMPRESS_H_
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ int zlib_decompress_java(SSL* ssl, CRYPTO_BUFFER** out, size_t uncompressed_len, const uint8_t* in, size_t in_len);
+ int zlib_compress_java(SSL* ssl, CBB* out, const uint8_t* in, size_t in_len);
+@@ -28,6 +28,6 @@ int brotli_compress_java(SSL* ssl, CBB* out, const uint8_t* in, size_t in_len);
+ int zstd_decompress_java(SSL* ssl, CRYPTO_BUFFER** out, size_t uncompressed_len, const uint8_t* in, size_t in_len);
+ int zstd_compress_java(SSL* ssl, CBB* out, const uint8_t* in, size_t in_len);
+
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ #endif /* NETTY_TCNATIVE_CERT_COMPRESS_H_ */
+\ No newline at end of file
+diff --git a/openssl-dynamic/src/main/c/native_constants.c b/openssl-dynamic/src/main/c/native_constants.c
+index b3884e9..55f80b4 100644
+--- a/openssl-dynamic/src/main/c/native_constants.c
++++ b/openssl-dynamic/src/main/c/native_constants.c
+@@ -572,7 +572,7 @@ TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslSignRsaPkcs1Md
+ }
+
+ TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateNever)(TCN_STDARGS) {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ return (jint) ssl_renegotiate_never;
+ #else
+ return 0;
+@@ -580,7 +580,7 @@ TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateNev
+ }
+
+ TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateOnce)(TCN_STDARGS) {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ return (jint) ssl_renegotiate_once;
+ #else
+ return 0;
+@@ -588,7 +588,7 @@ TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateOnc
+ }
+
+ TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateFreely)(TCN_STDARGS) {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ return (jint) ssl_renegotiate_freely;
+ #else
+ return 0;
+@@ -597,7 +597,7 @@ TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateFre
+
+
+ TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateIgnore)(TCN_STDARGS) {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ return (jint) ssl_renegotiate_ignore;
+ #else
+ return 0;
+@@ -605,7 +605,7 @@ TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateIgn
+ }
+
+ TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateExplicit)(TCN_STDARGS) {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ return (jint) ssl_renegotiate_explicit;
+ #else
+ return 0;
+diff --git a/openssl-dynamic/src/main/c/ssl.c b/openssl-dynamic/src/main/c/ssl.c
+index eec69a0..3a00376 100644
+--- a/openssl-dynamic/src/main/c/ssl.c
++++ b/openssl-dynamic/src/main/c/ssl.c
+@@ -114,7 +114,7 @@ struct TCN_bio_bytebuffer {
+ R |= SSL_TMP_KEY_INIT_DH(2048); \
+ R |= SSL_TMP_KEY_INIT_DH(4096)
+
+-#if !defined(OPENSSL_IS_BORINGSSL)
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ // This is the maximum overhead when encrypting plaintext as defined by
+ // rfc5264,
+ // rfc5289 and openssl implementation itself.
+@@ -133,7 +133,7 @@ struct TCN_bio_bytebuffer {
+ // See SSL#getMaxWrapOverhead for the overhead based upon the SSL*
+ // TODO(scott): this may be an over estimate because we don't account for short headers.
+ #define TCN_MAX_SEAL_OVERHEAD_LENGTH (TCN_MAX_ENCRYPTED_PACKET_LENGTH + SSL3_RT_HEADER_LENGTH)
+-#endif /*!defined(OPENSSL_IS_BORINGSSL)*/
++#endif /*!defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) */
+
+ static jint tcn_flush_sslbuffer_to_bytebuffer(struct TCN_bio_bytebuffer* bioUserData) {
+ jint writeAmount = TCN_MIN(bioUserData->bufferLength, bioUserData->nonApplicationBufferLength) * sizeof(char);
+@@ -499,7 +499,7 @@ static apr_status_t ssl_init_cleanup(void *data)
+ /*
+ * Try to kill the internals of the SSL library.
+ */
+-#if OPENSSL_VERSION_NUMBER >= 0x00907001 && !defined(OPENSSL_IS_BORINGSSL)
++#if OPENSSL_VERSION_NUMBER >= 0x00907001 && !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ /* Corresponds to OPENSSL_load_builtin_modules():
+ * XXX: borrowed from apps.h, but why not CONF_modules_free()
+ * which also invokes CONF_modules_finish()?
+@@ -537,10 +537,10 @@ static apr_status_t ssl_init_cleanup(void *data)
+ }
+
+ // In case we loaded any engine we should also call cleanup. This is especialy important in openssl < 1.1.
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ // This is deprecated since openssl 1.1 but does not exist at all in BoringSSL.
+ ENGINE_cleanup();
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // !defined(OPENSSL_IS_BORINGSSL) || !defined(OPENSSL_IS_AWSLC)
+ #endif // OPENSSL_NO_ENGINE
+
+ /* Don't call ERR_free_strings here; ERR_load_*_strings only
+@@ -1249,7 +1249,7 @@ TCN_IMPLEMENT_CALL(jstring, SSL, getAlpnSelected)(TCN_STDARGS,
+ jlong ssl /* SSL * */) {
+ // Use weak linking with GCC as this will alow us to run the same packaged version with multiple
+ // version of openssl.
+- #if !defined(OPENSSL_IS_BORINGSSL) && (defined(__GNUC__) || defined(__GNUG__))
++ #if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) && (defined(__GNUC__) || defined(__GNUG__))
+ if (!SSL_get0_alpn_selected) {
+ return NULL;
+ }
+@@ -1273,7 +1273,7 @@ TCN_IMPLEMENT_CALL(jstring, SSL, getAlpnSelected)(TCN_STDARGS,
+ TCN_IMPLEMENT_CALL(jobjectArray, SSL, getPeerCertChain)(TCN_STDARGS,
+ jlong ssl /* SSL * */)
+ {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ const STACK_OF(CRYPTO_BUFFER) *chain = NULL;
+ const CRYPTO_BUFFER * cert = NULL;
+ const tcn_ssl_ctxt_t* c = NULL;
+@@ -1281,7 +1281,7 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSL, getPeerCertChain)(TCN_STDARGS,
+ STACK_OF(X509) *chain = NULL;
+ X509 *cert = NULL;
+ unsigned char *buf = NULL;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ int len;
+ int i;
+ int length;
+@@ -1295,7 +1295,7 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSL, getPeerCertChain)(TCN_STDARGS,
+ TCN_CHECK_NULL(ssl_, ssl, NULL);
+
+ // Get a stack of all certs in the chain.
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ TCN_GET_SSL_CTX(ssl_, c);
+
+ TCN_ASSERT(c != NULL);
+@@ -1313,7 +1313,7 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSL, getPeerCertChain)(TCN_STDARGS,
+ chain = SSL_get_peer_cert_chain(ssl_);
+ len = sk_X509_num(chain);
+ offset = 0;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ len -= offset;
+ if (len <= 0) {
+@@ -1329,7 +1329,7 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSL, getPeerCertChain)(TCN_STDARGS,
+
+ for(i = 0; i < len; i++) {
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ cert = sk_CRYPTO_BUFFER_value(chain, i + offset);
+ length = CRYPTO_BUFFER_len(cert);
+ #else
+@@ -1341,11 +1341,11 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSL, getPeerCertChain)(TCN_STDARGS,
+ // In case of error just return an empty byte[][]
+ return (*e)->NewObjectArray(e, 0, byteArrayClass, NULL);
+ }
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ bArray = (*e)->NewByteArray(e, length);
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ if (bArray == NULL) {
+ return NULL;
+ }
+@@ -1360,7 +1360,7 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSL, getPeerCertChain)(TCN_STDARGS,
+ OPENSSL_free(buf);
+ buf = NULL;
+
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ (*e)->SetObjectArrayElement(e, array, i, bArray);
+
+ // Delete the local reference as we not know how long the chain is and local references are otherwise
+@@ -1373,13 +1373,13 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSL, getPeerCertChain)(TCN_STDARGS,
+ TCN_IMPLEMENT_CALL(jbyteArray, SSL, getPeerCertificate)(TCN_STDARGS,
+ jlong ssl /* SSL * */)
+ {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ const STACK_OF(CRYPTO_BUFFER) *certs = NULL;
+ const CRYPTO_BUFFER *leafCert = NULL;
+ #else
+ X509 *cert = NULL;
+ unsigned char *buf = NULL;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ jbyteArray bArray = NULL;
+ int length;
+@@ -1388,7 +1388,7 @@ TCN_IMPLEMENT_CALL(jbyteArray, SSL, getPeerCertificate)(TCN_STDARGS,
+
+ TCN_CHECK_NULL(ssl_, ssl, NULL);
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ // Get a stack of all certs in the chain, the first is the leaf.
+ certs = SSL_get0_peer_certificates(ssl_);
+ if (certs == NULL || sk_CRYPTO_BUFFER_num(certs) <= 0) {
+@@ -1403,10 +1403,10 @@ TCN_IMPLEMENT_CALL(jbyteArray, SSL, getPeerCertificate)(TCN_STDARGS,
+ }
+
+ length = i2d_X509(cert, &buf);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ if ((bArray = (*e)->NewByteArray(e, length)) != NULL) {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ (*e)->SetByteArrayRegion(e, bArray, 0, length, (jbyte*) CRYPTO_BUFFER_data(leafCert));
+ }
+ #else
+@@ -1419,7 +1419,7 @@ TCN_IMPLEMENT_CALL(jbyteArray, SSL, getPeerCertificate)(TCN_STDARGS,
+ X509_free(cert);
+
+ OPENSSL_free(buf);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ return bArray;
+ }
+
+@@ -1522,13 +1522,13 @@ TCN_IMPLEMENT_CALL(void, SSL, setVerify)(TCN_STDARGS, jlong ssl, jint level, jin
+ TCN_ASSERT(state != NULL);
+ TCN_ASSERT(state->ctx != NULL);
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ SSL_set_custom_verify(ssl_, tcn_set_verify_config(&state->verify_config, level, depth), tcn_SSL_cert_custom_verify);
+ #else
+ // No need to specify a callback for SSL_set_verify because we override the default certificate verification via SSL_CTX_set_cert_verify_callback.
+ SSL_set_verify(ssl_, tcn_set_verify_config(&state->verify_config, level, depth), NULL);
+ SSL_set_verify_depth(ssl_, state->verify_config.verify_depth);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ TCN_IMPLEMENT_CALL(void, SSL, setOptions)(TCN_STDARGS, jlong ssl,
+@@ -1585,7 +1585,7 @@ TCN_IMPLEMENT_CALL(jint, SSL, getMaxWrapOverhead)(TCN_STDARGS, jlong ssl)
+ TCN_CHECK_NULL(ssl_, ssl, 0);
+
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ return (jint) SSL_max_seal_overhead(ssl_);
+ #else
+ // TODO(scott): When OpenSSL supports something like SSL_max_seal_overhead ... use it!
+@@ -1664,12 +1664,12 @@ TCN_IMPLEMENT_CALL(jboolean, SSL, setCipherSuites)(TCN_STDARGS, jlong ssl,
+ rv = SSL_set_cipher_list(ssl_, J2S(ciphers)) == 0 ? JNI_FALSE : JNI_TRUE;
+ #else
+ if (tlsv13 == JNI_TRUE) {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ // BoringSSL does not support setting TLSv1.3 cipher suites explicit for now.
+ rv = JNI_TRUE;
+ #else
+ rv = SSL_set_ciphersuites(ssl_, J2S(ciphers)) == 0 ? JNI_FALSE : JNI_TRUE;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ } else {
+ rv = SSL_set_cipher_list(ssl_, J2S(ciphers)) == 0 ? JNI_FALSE : JNI_TRUE;
+ }
+@@ -1896,7 +1896,7 @@ TCN_IMPLEMENT_CALL(void, SSL, setHostNameValidation)(TCN_STDARGS, jlong ssl, jin
+
+ TCN_CHECK_NULL(ssl_, ssl, /* void */);
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ if (flags != 0) {
+ tcn_ThrowException(e, "flags must be 0");
+ }
+@@ -1936,7 +1936,7 @@ TCN_IMPLEMENT_CALL(void, SSL, setHostNameValidation)(TCN_STDARGS, jlong ssl, jin
+ tcn_ThrowException(e, "hostname verification requires OpenSSL 1.0.2+");
+ #endif // (OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)) || LIBRESSL_VERSION_NUMBER >= 0x2060000fL || defined(__GNUC__) || defined(__GNUG__)
+
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ TCN_IMPLEMENT_CALL(jobjectArray, SSL, authenticationMethods)(TCN_STDARGS, jlong ssl) {
+@@ -1970,7 +1970,7 @@ TCN_IMPLEMENT_CALL(void, SSL, setCertificateBio)(TCN_STDARGS, jlong ssl,
+ jlong cert, jlong key,
+ jstring password)
+ {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ tcn_Throw(e, "Not supported using BoringSSL");
+ #else
+ SSL *ssl_ = J2P(ssl, SSL *);
+@@ -2032,7 +2032,7 @@ cleanup:
+ TCN_FREE_CSTRING(password);
+ EVP_PKEY_free(pkey); // this function is safe to call with NULL
+ X509_free(xcert); // this function is safe to call with NULL
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ TCN_IMPLEMENT_CALL(void, SSL, setCertificateChainBio)(TCN_STDARGS, jlong ssl,
+@@ -2047,7 +2047,7 @@ TCN_IMPLEMENT_CALL(void, SSL, setCertificateChainBio)(TCN_STDARGS, jlong ssl,
+
+ // This call is only used to detect if we support KeyManager or not in netty. As we know that we support it in
+ // BoringSSL we can just ignore this call. In the future we should remove the method all together.
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ char err[ERR_LEN];
+
+ if (tcn_SSL_use_certificate_chain_bio(ssl_, b, skipfirst) < 0) {
+@@ -2055,7 +2055,7 @@ TCN_IMPLEMENT_CALL(void, SSL, setCertificateChainBio)(TCN_STDARGS, jlong ssl,
+ ERR_clear_error();
+ tcn_Throw(e, "Error setting certificate chain (%s)", err);
+ }
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ TCN_IMPLEMENT_CALL(jlong, SSL, loadPrivateKeyFromEngine)(TCN_STDARGS, jstring keyId, jstring password)
+@@ -2119,7 +2119,7 @@ TCN_IMPLEMENT_CALL(jlong, SSL, parseX509Chain)(TCN_STDARGS, jlong x509ChainBio)
+ {
+ BIO *cert_bio = J2P(x509ChainBio, BIO *);
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ STACK_OF(CRYPTO_BUFFER) *chain = sk_CRYPTO_BUFFER_new_null();
+ CRYPTO_BUFFER *buffer = NULL;
+ char *name = NULL;
+@@ -2129,14 +2129,14 @@ TCN_IMPLEMENT_CALL(jlong, SSL, parseX509Chain)(TCN_STDARGS, jlong x509ChainBio)
+ #else
+ X509* cert = NULL;
+ STACK_OF(X509) *chain = NULL;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ char err[ERR_LEN];
+ unsigned long error;
+
+ TCN_CHECK_NULL(cert_bio, x509ChainBio, 0);
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ while (PEM_read_bio(cert_bio, &name, &header, &data, &data_len)) {
+
+ OPENSSL_free(name);
+@@ -2154,15 +2154,15 @@ TCN_IMPLEMENT_CALL(jlong, SSL, parseX509Chain)(TCN_STDARGS, jlong x509ChainBio)
+ chain = sk_X509_new_null();
+ while ((cert = PEM_read_bio_X509(cert_bio, NULL, NULL, NULL)) != NULL) {
+ if (sk_X509_push(chain, cert) <= 0) {
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ tcn_Throw(e, "No Certificate specified or invalid format");
+ goto cleanup;
+ }
+
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ cert = NULL;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ // ensure that if we have an error its just for EOL.
+@@ -2182,25 +2182,25 @@ TCN_IMPLEMENT_CALL(jlong, SSL, parseX509Chain)(TCN_STDARGS, jlong x509ChainBio)
+ cleanup:
+ ERR_clear_error();
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ sk_CRYPTO_BUFFER_pop_free(chain, CRYPTO_BUFFER_free);
+ #else
+ sk_X509_pop_free(chain, X509_free);
+ X509_free(cert);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ return 0;
+ }
+
+ TCN_IMPLEMENT_CALL(void, SSL, freeX509Chain)(TCN_STDARGS, jlong x509Chain)
+ {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ STACK_OF(CRYPTO_BUFFER) *chain = J2P(x509Chain, STACK_OF(CRYPTO_BUFFER) *);
+ sk_CRYPTO_BUFFER_pop_free(chain, CRYPTO_BUFFER_free);
+ #else
+ STACK_OF(X509) *chain = J2P(x509Chain, STACK_OF(X509) *);
+ sk_X509_pop_free(chain, X509_free);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ TCN_IMPLEMENT_CALL(void, SSL, setKeyMaterial)(TCN_STDARGS, jlong ssl, jlong chain, jlong key)
+@@ -2214,14 +2214,14 @@ TCN_IMPLEMENT_CALL(void, SSL, setKeyMaterial)(TCN_STDARGS, jlong ssl, jlong chai
+
+ EVP_PKEY* pkey = J2P(key, EVP_PKEY *);
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ STACK_OF(CRYPTO_BUFFER) *cchain = J2P(chain, STACK_OF(CRYPTO_BUFFER) *);
+ int numCerts = sk_CRYPTO_BUFFER_num(cchain);
+ CRYPTO_BUFFER** certs = NULL;
+ #else
+ STACK_OF(X509) *cchain = J2P(chain, STACK_OF(X509) *);
+ int numCerts = sk_X509_num(cchain);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ char err[ERR_LEN];
+ int i;
+@@ -2230,7 +2230,7 @@ TCN_IMPLEMENT_CALL(void, SSL, setKeyMaterial)(TCN_STDARGS, jlong ssl, jlong chai
+
+ TCN_CHECK_NULL(cchain, chain, /* void */);
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ if ((certs = OPENSSL_malloc(sizeof(CRYPTO_BUFFER*) * numCerts)) == NULL) {
+ tcn_Throw(e, "OPENSSL_malloc returned NULL");
+ return;
+@@ -2244,14 +2244,14 @@ TCN_IMPLEMENT_CALL(void, SSL, setKeyMaterial)(TCN_STDARGS, jlong ssl, jlong chai
+ #else
+ // SSL_use_certificate will increment the reference count of the cert.
+ if (numCerts <= 0 || SSL_use_certificate(ssl_, sk_X509_value(cchain, 0)) <= 0) {
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ ERR_error_string_n(ERR_get_error(), err, ERR_LEN);
+ ERR_clear_error();
+ tcn_Throw(e, "Error setting certificate (%s)", err);
+ }
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ OPENSSL_free(certs);
+ #else
+ if (pkey != NULL) {
+@@ -2283,7 +2283,7 @@ TCN_IMPLEMENT_CALL(void, SSL, setKeyMaterial)(TCN_STDARGS, jlong ssl, jlong chai
+ return;
+ }
+ }
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ #endif
+ }
+@@ -2294,6 +2294,8 @@ TCN_IMPLEMENT_CALL(void, SSL, setKeyMaterialClientSide)(TCN_STDARGS, jlong ssl,
+ tcn_Throw(e, "Not supported with LibreSSL");
+ #elif defined(OPENSSL_IS_BORINGSSL)
+ tcn_Throw(e, "Not supported with BoringSSL");
++#elif defined(OPENSSL_IS_AWSLC)
++ tcn_Throw(e, "Not supported with AWS-LC");
+ #else
+ SSL *ssl_ = J2P(ssl, SSL *);
+
+@@ -2374,7 +2376,7 @@ TCN_IMPLEMENT_CALL(void, SSL, enableOcsp)(TCN_STDARGS, jlong ssl) {
+ #elif defined(TCN_OCSP_NOT_SUPPORTED)
+ tcn_ThrowException(e, "OCSP stapling is not supported");
+
+-#elif defined(OPENSSL_IS_BORINGSSL)
++#elif defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ SSL_enable_ocsp_stapling(ssl_);
+
+ #else
+@@ -2404,7 +2406,7 @@ TCN_IMPLEMENT_CALL(void, SSL, setOcspResponse)(TCN_STDARGS, jlong ssl, jbyteArra
+ #elif defined(TCN_OCSP_NOT_SUPPORTED)
+ tcn_ThrowException(e, "OCSP stapling is not supported");
+
+-#elif defined(OPENSSL_IS_BORINGSSL)
++#elif defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ uint8_t *value = OPENSSL_malloc(sizeof(uint8_t) * length);
+ if (value == NULL) {
+ tcn_ThrowException(e, "OPENSSL_malloc() returned null");
+@@ -2455,7 +2457,7 @@ TCN_IMPLEMENT_CALL(jbyteArray, SSL, getOcspResponse)(TCN_STDARGS, jlong ssl) {
+ #elif defined(TCN_OCSP_NOT_SUPPORTED)
+ tcn_ThrowException(e, "OCSP stapling is not supported");
+
+-#elif defined(OPENSSL_IS_BORINGSSL)
++#elif defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ const uint8_t *response = NULL;
+ size_t length = 0;
+
+@@ -2532,7 +2534,7 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSL, getSigAlgs)(TCN_STDARGS, jlong ssl) {
+ // Not supported in LibreSSL
+ #if defined(LIBRESSL_VERSION_NUMBER)
+ return NULL;
+-#elif defined(OPENSSL_IS_BORINGSSL)
++#elif defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ // Using a different API in BoringSSL
+ // https://boringssl.googlesource.com/boringssl/+/ba16a1e405c617f4179bd780ad15522fb25b0a65%5E%21/
+ int i;
+@@ -2619,14 +2621,14 @@ complete:
+ }
+ return array;
+ #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L || defined(__GNUC__) || defined(__GNUG__)
+-#endif // defined(OPENSSL_IS_BORINGSSL) || defined(LIBRESSL_VERSION_NUMBER)
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) || defined(LIBRESSL_VERSION_NUMBER)
+ }
+
+ TCN_IMPLEMENT_CALL(void, SSL, setRenegotiateMode)(TCN_STDARGS, jlong ssl, jint mode) {
+ SSL *ssl_ = J2P(ssl, SSL *);
+
+ TCN_CHECK_NULL(ssl_, ssl, /* void */);
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ tcn_Throw(e, "Not supported");
+ #else
+ SSL_set_renegotiate_mode(ssl_, (enum ssl_renegotiate_mode_t) mode);
+diff --git a/openssl-dynamic/src/main/c/ssl_private.h b/openssl-dynamic/src/main/c/ssl_private.h
+index 786b440..bc5454c 100644
+--- a/openssl-dynamic/src/main/c/ssl_private.h
++++ b/openssl-dynamic/src/main/c/ssl_private.h
+@@ -189,7 +189,7 @@ extern void *SSL_temp_keys[SSL_TMP_KEY_MAX];
+ #endif /*X509_V_ERR_UNSPECIFIED*/
+
+ // BoringSSL compat
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ #ifndef SSL_ERROR_WANT_PRIVATE_KEY_OPERATION
+ #define SSL_ERROR_WANT_PRIVATE_KEY_OPERATION -1
+ #endif // SSL_ERROR_WANT_PRIVATE_KEY_OPERATION
+@@ -251,7 +251,7 @@ extern void *SSL_temp_keys[SSL_TMP_KEY_MAX];
+ #define SSL_SIGN_RSA_PKCS1_MD5_SHA1 0xff01
+ #endif // SSL_SIGN_RSA_PKCS1_MD5_SHA1
+
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+
+ // OCSP stapling should be present in OpenSSL as of version 1.0.0 but
+ // we've only tested 1.0.2 and we need to support 1.0.1 because the
+@@ -306,9 +306,9 @@ typedef struct {
+ int verify_mode;
+ } tcn_ssl_verify_config_t;
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ extern const SSL_PRIVATE_KEY_METHOD private_key_method;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ struct tcn_ssl_ctxt_t {
+ apr_pool_t* pool;
+@@ -341,7 +341,7 @@ struct tcn_ssl_ctxt_t {
+ jmethodID ssl_session_cache_creation_method;
+ jmethodID ssl_session_cache_get_method;
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ jobject ssl_private_key_method;
+ jmethodID ssl_private_key_sign_method;
+ jmethodID ssl_private_key_decrypt_method;
+@@ -360,7 +360,7 @@ struct tcn_ssl_ctxt_t {
+
+ jobject keylog_callback;
+ jmethodID keylog_callback_method;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ tcn_ssl_verify_config_t verify_config;
+
+@@ -446,10 +446,10 @@ int tcn_SSL_CTX_use_certificate_chain(SSL_CTX *, const char *, bool);
+ int tcn_SSL_CTX_use_certificate_chain_bio(SSL_CTX *, BIO *, bool);
+ int tcn_SSL_CTX_use_client_CA_bio(SSL_CTX *, BIO *);
+
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ X509 *tcn_load_pem_cert_bio(const char *, const BIO *);
+ int tcn_SSL_use_certificate_chain_bio(SSL *, BIO *, bool);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+
+ EVP_PKEY *tcn_load_pem_key_bio(const char *, const BIO *);
+ int tcn_set_verify_config(tcn_ssl_verify_config_t* c, jint tcn_mode, jint depth);
+@@ -460,16 +460,16 @@ int tcn_SSL_callback_select_next_proto(SSL *, unsigned char **, unsigned
+ int tcn_SSL_callback_alpn_select_proto(SSL *, const unsigned char **, unsigned char *, const unsigned char *, unsigned int, void *);
+ const char *tcn_SSL_cipher_authentication_method(const SSL_CIPHER *);
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ enum ssl_verify_result_t tcn_SSL_cert_custom_verify(SSL* ssl, uint8_t *out_alert);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ #if (OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)) || LIBRESSL_VERSION_NUMBER >= 0x2090200fL
+
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ #define tcn_SSL_add1_chain_cert(ssl, x509) SSL_add1_chain_cert(ssl, x509)
+ #define tcn_SSL_add0_chain_cert(ssl, x509) SSL_add0_chain_cert(ssl, x509)
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+
+ #define tcn_SSL_get0_certificate_types(ssl, clist) SSL_get0_certificate_types(ssl, clist)
+ #else
+@@ -481,7 +481,7 @@ enum ssl_verify_result_t tcn_SSL_cert_custom_verify(SSL* ssl, uint8_t *out_alert
+
+ #if defined(__GNUC__) || defined(__GNUG__)
+ // only supported with GCC, this will be used to support different openssl versions at the same time.
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ extern int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
+ unsigned protos_len) __attribute__((weak));
+ extern void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, int (*cb) (SSL *ssl, const unsigned char **out,
+@@ -496,18 +496,18 @@ enum ssl_verify_result_t tcn_SSL_cert_custom_verify(SSL* ssl, uint8_t *out_alert
+ extern int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, const char *name, size_t namelen) __attribute__((weak));
+ extern int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets) __attribute__((weak));
+ extern int SSL_SESSION_up_ref(SSL_SESSION *session) __attribute__((weak));
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+
+ extern int SSL_get_sigalgs(SSL *s, int idx, int *psign, int *phash, int *psignhash, unsigned char *rsig, unsigned char *rhash) __attribute__((weak));
+ #endif
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ #define tcn_SSL_CTX_set1_curves_list(ctx, s) SSL_CTX_set1_curves_list(ctx, s)
+ #else
+ #ifndef SSL_CTRL_SET_GROUPS_LIST
+ #define SSL_CTRL_SET_GROUPS_LIST 92
+ #endif // SSL_CTRL_SET_GROUPS_LIST
+ #define tcn_SSL_CTX_set1_curves_list(ctx, s) SSL_CTX_ctrl(ctx, SSL_CTRL_SET_GROUPS_LIST, 0, (char *)(s))
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ #endif /* SSL_PRIVATE_H */
+diff --git a/openssl-dynamic/src/main/c/sslcontext.c b/openssl-dynamic/src/main/c/sslcontext.c
+index c31b797..e35a16e 100644
+--- a/openssl-dynamic/src/main/c/sslcontext.c
++++ b/openssl-dynamic/src/main/c/sslcontext.c
+@@ -75,7 +75,7 @@ static apr_status_t ssl_context_cleanup(void *data)
+
+ tcn_get_java_env(&e);
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ if (c->ssl_private_key_method != NULL) {
+ if (e != NULL) {
+ (*e)->DeleteGlobalRef(e, c->ssl_private_key_method);
+@@ -107,7 +107,7 @@ static apr_status_t ssl_context_cleanup(void *data)
+ c->keylog_callback = NULL;
+ }
+ c->keylog_callback_method = NULL;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ if (c->ssl_session_cache != NULL) {
+ if (e != NULL) {
+@@ -186,7 +186,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jint protocol, jint mod
+ tcn_ssl_ctxt_t *c = NULL;
+ SSL_CTX *ctx = NULL;
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ // When using BoringSSL we want to use CRYPTO_BUFFER to reduce memory usage and minimize overhead as we do not need
+ // X509* at all and just need the raw bytes of the certificates to construct our Java X509Certificate.
+ //
+@@ -340,7 +340,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jint protocol, jint mod
+ tcn_Throw(e, "Unsupported SSL protocol (%d)", protocol);
+ goto cleanup;
+ }
+-#endif /* OPENSSL_IS_BORINGSSL */
++#endif /* defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) */
+
+ if (ctx == NULL) {
+ char err[ERR_LEN];
+@@ -443,7 +443,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jint protocol, jint mod
+ SSL_CTX_set_default_passwd_cb(c->ctx, (pem_password_cb *) tcn_SSL_password_callback);
+ SSL_CTX_set_default_passwd_cb_userdata(c->ctx, (void *) c->password);
+
+-#if defined(OPENSSL_IS_BORINGSSL)
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ if (mode != SSL_MODE_SERVER) {
+ // Set this to make the behaviour consistent with openssl / libressl
+ SSL_CTX_set_allow_unknown_alpn_protos(ctx, 1);
+@@ -553,12 +553,12 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCipherSuite)(TCN_STDARGS, jlong ctx,
+ #else
+
+ if (tlsv13 == JNI_TRUE) {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ // BoringSSL does not support setting TLSv1.3 cipher suites explicit for now.
+ rv = JNI_TRUE;
+ #else
+ rv = SSL_CTX_set_ciphersuites(c->ctx, J2S(ciphers)) == 0 ? JNI_FALSE : JNI_TRUE;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ } else {
+ rv = SSL_CTX_set_cipher_list(c->ctx, J2S(ciphers)) == 0 ? JNI_FALSE : JNI_TRUE;
+@@ -577,7 +577,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificateChainFile)(TCN_STDARGS, j
+ jstring file,
+ jboolean skipfirst)
+ {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ tcn_Throw(e, "Not supported using BoringSSL");
+ return JNI_FALSE;
+ #else
+@@ -597,14 +597,14 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificateChainFile)(TCN_STDARGS, j
+ }
+ TCN_FREE_CSTRING(file);
+ return rv;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificateChainBio)(TCN_STDARGS, jlong ctx,
+ jlong chain,
+ jboolean skipfirst)
+ {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ tcn_Throw(e, "Not supported using BoringSSL");
+ return JNI_FALSE;
+ #else
+@@ -620,7 +620,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificateChainBio)(TCN_STDARGS, jl
+ return JNI_TRUE;
+ }
+ return JNI_FALSE;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCACertificateBio)(TCN_STDARGS, jlong ctx, jlong certs)
+@@ -641,7 +641,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setNumTickets)(TCN_STDARGS, jlong ctx,
+
+ TCN_CHECK_NULL(c, ctx, JNI_FALSE);
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ // Not supported by BoringSSL
+ return JNI_FALSE;
+ #else
+@@ -688,7 +688,7 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setTmpDHLength)(TCN_STDARGS, jlong ctx, jin
+ #endif // OPENSSL_VERSION_NUMBER < 0x30000000L
+ }
+
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ static EVP_PKEY *load_pem_key(tcn_ssl_ctxt_t *c, const char *file)
+ {
+ BIO *bio = NULL;
+@@ -791,13 +791,13 @@ static void free_and_reset_pass(tcn_ssl_ctxt_t *c, char* old_password, const jbo
+ }
+ }
+
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificate)(TCN_STDARGS, jlong ctx,
+ jstring cert, jstring key,
+ jstring password)
+ {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ tcn_Throw(e, "Not supported using BoringSSL");
+ return JNI_FALSE;
+ #else
+@@ -887,14 +887,14 @@ cleanup:
+ X509_free(xcert); // this function is safe to call with NULL
+ free_and_reset_pass(c, old_password, rv);
+ return rv;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificateBio)(TCN_STDARGS, jlong ctx,
+ jlong cert, jlong key,
+ jstring password)
+ {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ tcn_Throw(e, "Not supported using BoringSSL");
+ return JNI_FALSE;
+ #else
+@@ -975,7 +975,7 @@ cleanup:
+ X509_free(xcert); // this function is safe to call with NULL
+ free_and_reset_pass(c, old_password, rv);
+ return rv;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ TCN_IMPLEMENT_CALL(void, SSLContext, setNpnProtos0)(TCN_STDARGS, jlong ctx, jbyteArray next_protos,
+@@ -1006,7 +1006,7 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setAlpnProtos0)(TCN_STDARGS, jlong ctx, jby
+ jint selectorFailureBehavior)
+ {
+ // Only supported with GCC
+- #if !defined(OPENSSL_IS_BORINGSSL) && (defined(__GNUC__) || defined(__GNUG__))
++ #if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) && (defined(__GNUC__) || defined(__GNUG__))
+ if (!SSL_CTX_set_alpn_protos || !SSL_CTX_set_alpn_select_cb) {
+ return;
+ }
+@@ -1462,7 +1462,7 @@ static STACK_OF(X509)* X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx) {
+ }
+ #endif
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ static jbyteArray get_certs(JNIEnv *e, SSL* ssl, const STACK_OF(CRYPTO_BUFFER)* chain) {
+ CRYPTO_BUFFER *cert = NULL;
+ const int totalQueuedLength = sk_CRYPTO_BUFFER_num(chain);
+@@ -1471,7 +1471,7 @@ static jbyteArray get_certs(JNIEnv *e, SSL* ssl, STACK_OF(X509)* chain) {
+ X509 *cert = NULL;
+ unsigned char *buf = NULL;
+ const int totalQueuedLength = sk_X509_num(chain);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ tcn_ssl_state_t* state = tcn_SSL_get_app_state(ssl);
+ TCN_ASSERT(state != NULL);
+@@ -1496,13 +1496,13 @@ static jbyteArray get_certs(JNIEnv *e, SSL* ssl, STACK_OF(X509)* chain) {
+
+ for(i = 0; i < len; i++) {
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ cert = sk_CRYPTO_BUFFER_value(chain, i);
+ length = CRYPTO_BUFFER_len(cert);
+ #else
+ cert = sk_X509_value(chain, i);
+ length = i2d_X509(cert, &buf);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ if (length <= 0 || (bArray = (*e)->NewByteArray(e, length)) == NULL) {
+ NETTY_JNI_UTIL_DELETE_LOCAL(e, array);
+@@ -1510,14 +1510,14 @@ static jbyteArray get_certs(JNIEnv *e, SSL* ssl, STACK_OF(X509)* chain) {
+ goto complete;
+ }
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ (*e)->SetByteArrayRegion(e, bArray, 0, length, (jbyte*) CRYPTO_BUFFER_data(cert));
+ #else
+ (*e)->SetByteArrayRegion(e, bArray, 0, length, (jbyte*) buf);
+
+ OPENSSL_free(buf);
+ buf = NULL;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ (*e)->SetObjectArrayElement(e, array, i, bArray);
+
+ // Delete the local reference as we not know how long the chain is and local references are otherwise
+@@ -1528,10 +1528,10 @@ static jbyteArray get_certs(JNIEnv *e, SSL* ssl, STACK_OF(X509)* chain) {
+
+ complete:
+
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ // We need to delete the local references so we not leak memory as this method is called via callback.
+ OPENSSL_free(buf);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ // Delete the local reference as we not know how long the chain is and local references are otherwise
+ // only freed once jni method returns.
+@@ -1539,7 +1539,7 @@ complete:
+ return array;
+ }
+
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ // See https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_cert_verify_callback.html for return values.
+ static int SSL_cert_verify(X509_STORE_CTX *ctx, void *arg) {
+ /* Get Apache context back through OpenSSL context */
+@@ -1623,7 +1623,7 @@ complete:
+ ret = result == X509_V_OK ? 1 : 0;
+ return ret;
+ }
+-#else // OPENSSL_IS_BORINGSSL
++#else // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ enum ssl_verify_result_t tcn_SSL_cert_custom_verify(SSL* ssl, uint8_t *out_alert) {
+ enum ssl_verify_result_t ret = ssl_verify_invalid;
+@@ -1742,7 +1742,7 @@ complete:
+ }
+ return ret;
+ }
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+
+ TCN_IMPLEMENT_CALL(void, SSLContext, setVerify)(TCN_STDARGS, jlong ctx, jint level, jint depth)
+@@ -1752,7 +1752,7 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setVerify)(TCN_STDARGS, jlong ctx, jint lev
+ TCN_CHECK_NULL(c, ctx, /* void */);
+
+ int mode = tcn_set_verify_config(&c->verify_config, level, depth);
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ if (c->verifier != NULL) {
+ SSL_CTX_set_custom_verify(c->ctx, mode, tcn_SSL_cert_custom_verify);
+ }
+@@ -1760,7 +1760,7 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setVerify)(TCN_STDARGS, jlong ctx, jint lev
+ // No need to set the callback for SSL_CTX_set_verify because we override the default certificate verification via SSL_CTX_set_cert_verify_callback.
+ SSL_CTX_set_verify(c->ctx, mode, NULL);
+ SSL_CTX_set_verify_depth(c->ctx, c->verify_config.verify_depth);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ TCN_IMPLEMENT_CALL(void, SSLContext, setCertVerifyCallback)(TCN_STDARGS, jlong ctx, jobject verifier)
+@@ -1773,11 +1773,11 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setCertVerifyCallback)(TCN_STDARGS, jlong c
+ if (verifier == NULL) {
+ c->verifier = NULL;
+ c->verifier_method = NULL;
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ SSL_CTX_set_custom_verify(c->ctx, SSL_VERIFY_NONE, NULL);
+ #else
+ SSL_CTX_set_cert_verify_callback(c->ctx, NULL, NULL);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ } else {
+ jclass verifier_class = (*e)->GetObjectClass(e, verifier);
+ jmethodID method = (*e)->GetMethodID(e, verifier_class, "verify", "(J[[BLjava/lang/String;)I");
+@@ -1795,12 +1795,12 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setCertVerifyCallback)(TCN_STDARGS, jlong c
+ c->verifier = v;
+ c->verifier_method = method;
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ SSL_CTX_set_custom_verify(c->ctx, tcn_set_verify_config(&c->verify_config, c->verify_config.verify_mode,
+ c->verify_config.verify_depth), tcn_SSL_cert_custom_verify);
+ #else
+ SSL_CTX_set_cert_verify_callback(c->ctx, SSL_cert_verify, NULL);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ // Delete the reference to the previous specified verifier if needed.
+ if (oldVerifier != NULL) {
+@@ -1831,14 +1831,14 @@ static jbyteArray keyTypes(JNIEnv* e, SSL* ssl) {
+ * Partly based on code from conscrypt:
+ * https://android.googlesource.com/platform/external/conscrypt/+/master/src/main/native/org_conscrypt_NativeCrypto.cpp
+ */
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ static jobjectArray principalBytes(JNIEnv* e, const STACK_OF(CRYPTO_BUFFER)* names) {
+ CRYPTO_BUFFER* principal = NULL;
+ #else
+ static jobjectArray principalBytes(JNIEnv* e, const STACK_OF(X509_NAME)* names) {
+ unsigned char *buf = NULL;
+ X509_NAME* principal = NULL;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ jobjectArray array = NULL;
+ jbyteArray bArray = NULL;;
+ int i;
+@@ -1851,11 +1851,11 @@ static jobjectArray principalBytes(JNIEnv* e, const STACK_OF(X509_NAME)* names)
+ return NULL;
+ }
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ count = sk_CRYPTO_BUFFER_num(names);
+ #else
+ count = sk_X509_NAME_num(names);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ if (count <= 0) {
+ return NULL;
+@@ -1866,7 +1866,7 @@ static jobjectArray principalBytes(JNIEnv* e, const STACK_OF(X509_NAME)* names)
+ }
+
+ for (i = 0; i < count; i++) {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ principal = sk_CRYPTO_BUFFER_value(names, i);
+ length = CRYPTO_BUFFER_len(principal);
+ #else
+@@ -1880,11 +1880,11 @@ static jobjectArray principalBytes(JNIEnv* e, const STACK_OF(X509_NAME)* names)
+ // In case of error just return an empty byte[][]
+ return (*e)->NewObjectArray(e, 0, byteArrayClass, NULL);
+ }
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ bArray = (*e)->NewByteArray(e, length);
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ if (bArray == NULL) {
+ return NULL;
+ }
+@@ -1897,7 +1897,7 @@ static jobjectArray principalBytes(JNIEnv* e, const STACK_OF(X509_NAME)* names)
+ (*e)->SetByteArrayRegion(e, bArray, 0, length, (jbyte*) buf);
+ OPENSSL_free(buf);
+ buf = NULL;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ (*e)->SetObjectArrayElement(e, array, i, bArray);
+
+@@ -1910,7 +1910,7 @@ static jobjectArray principalBytes(JNIEnv* e, const STACK_OF(X509_NAME)* names)
+ }
+ #endif // LIBRESSL_VERSION_NUMBER
+
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ static int cert_requested(SSL* ssl, X509** x509Out, EVP_PKEY** pkeyOut) {
+ #if defined(LIBRESSL_VERSION_NUMBER)
+ // Not supported with LibreSSL
+@@ -1949,7 +1949,7 @@ static int cert_requested(SSL* ssl, X509** x509Out, EVP_PKEY** pkeyOut) {
+ return 1;
+ #endif /* defined(LIBRESSL_VERSION_NUMBER) */
+ }
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ TCN_IMPLEMENT_CALL(void, SSLContext, setCertRequestedCallback)(TCN_STDARGS, jlong ctx, jobject callback)
+ {
+@@ -1957,7 +1957,7 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setCertRequestedCallback)(TCN_STDARGS, jlon
+
+ TCN_CHECK_NULL(c, ctx, /* void */);
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ tcn_Throw(e, "Not supported using BoringSSL");
+ #else
+ jobject oldCallback = c->cert_requested_callback;
+@@ -2037,11 +2037,11 @@ static int certificate_cb(SSL* ssl, void* arg) {
+ } else {
+ types = keyTypes(e, ssl);
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ issuers = principalBytes(e, SSL_get0_server_requested_CAs(ssl));
+ #else
+ issuers = principalBytes(e, SSL_get_client_CA_list(ssl));
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ int ret = 0;
+@@ -2086,7 +2086,7 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setCertificateCallback)(TCN_STDARGS, jlong
+
+ // Use weak linking with GCC as this will alow us to run the same packaged version with multiple
+ // version of openssl.
+-#if !defined(OPENSSL_IS_BORINGSSL) && (defined(__GNUC__) || defined(__GNUG__))
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) && (defined(__GNUC__) || defined(__GNUG__))
+ if (!SSL_CTX_set_cert_cb) {
+ tcn_ThrowException(e, "Requires OpenSSL 1.0.2+");
+ return;
+@@ -2136,7 +2136,7 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setCertificateCallback)(TCN_STDARGS, jlong
+ }
+
+ // Support for SSL_PRIVATE_KEY_METHOD.
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ static enum ssl_private_key_result_t tcn_private_key_sign_java(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, uint16_t signature_algorithm, const uint8_t *in, size_t in_len) {
+ enum ssl_private_key_result_t ret = ssl_private_key_failure;
+@@ -2333,14 +2333,14 @@ const SSL_PRIVATE_KEY_METHOD private_key_method = {
+ &tcn_private_key_decrypt_java,
+ &tcn_private_key_complete_java
+ };
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+
+ TCN_IMPLEMENT_CALL(void, SSLContext, setPrivateKeyMethod0)(TCN_STDARGS, jlong ctx, jobject method) {
+ tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
+
+ TCN_CHECK_NULL(c, ctx, /* void */);
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ char* name = NULL;
+ char* combinedName = NULL;
+
+@@ -2398,7 +2398,7 @@ error:
+ free(combinedName);
+ #else
+ tcn_ThrowException(e, "Requires BoringSSL");
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ static int tcn_new_session_cb(SSL *ssl, SSL_SESSION *session) {
+@@ -2590,7 +2590,7 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setSniHostnameMatcher)(TCN_STDARGS, jlong c
+ }
+ }
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ static void keylog_cb(const SSL* ssl, const char *line) {
+ if (line == NULL) {
+ return;
+@@ -2625,7 +2625,7 @@ static void keylog_cb(const SSL* ssl, const char *line) {
+ (*e)->CallVoidMethod(e, state->ctx->keylog_callback, state->ctx->keylog_callback_method,
+ P2J(ssl), outputLine);
+ }
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setKeyLogCallback)(TCN_STDARGS, jlong ctx, jobject callback)
+ {
+@@ -2633,7 +2633,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setKeyLogCallback)(TCN_STDARGS, jlong c
+
+ TCN_CHECK_NULL(c, ctx, JNI_FALSE);
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ jobject oldCallback = c->keylog_callback;
+ if (callback == NULL) {
+ c->keylog_callback = NULL;
+@@ -2667,7 +2667,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setKeyLogCallback)(TCN_STDARGS, jlong c
+ return JNI_TRUE;
+ #else
+ return JNI_FALSE;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setSessionIdContext)(TCN_STDARGS, jlong ctx, jbyteArray sidCtx)
+@@ -2840,7 +2840,7 @@ TCN_IMPLEMENT_CALL(jint, SSLContext, addCertificateCompressionAlgorithm0)(TCN_ST
+ return 0;
+ }
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ jclass algorithmClass = (*e)->GetObjectClass(e, algorithm);
+ if (algorithmClass == NULL) {
+@@ -2920,7 +2920,7 @@ TCN_IMPLEMENT_CALL(jint, SSLContext, addCertificateCompressionAlgorithm0)(TCN_ST
+ #else
+ tcn_Throw(e, "TLS Cert Compression only supported by BoringSSL");
+ return 0;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ // JNI Method Registration Table Begin
+diff --git a/openssl-dynamic/src/main/c/sslsession.c b/openssl-dynamic/src/main/c/sslsession.c
+index 709eed4..1118aae 100644
+--- a/openssl-dynamic/src/main/c/sslsession.c
++++ b/openssl-dynamic/src/main/c/sslsession.c
+@@ -74,7 +74,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLSession, upRef)(TCN_STDARGS, jlong session) {
+ TCN_CHECK_NULL(session_, session, JNI_FALSE);
+
+ // Only supported with GCC
+- #if !defined(OPENSSL_IS_BORINGSSL) && (defined(__GNUC__) || defined(__GNUG__))
++ #if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) && (defined(__GNUC__) || defined(__GNUG__))
+ if (!SSL_SESSION_up_ref) {
+ return JNI_FALSE;
+ }
+@@ -98,13 +98,13 @@ TCN_IMPLEMENT_CALL(void, SSLSession, free)(TCN_STDARGS, jlong session) {
+
+ TCN_IMPLEMENT_CALL(jboolean, SSLSession, shouldBeSingleUse)(TCN_STDARGS, jlong session) {
+ // Only supported by BoringSSL atm
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ SSL_SESSION *session_ = J2P(session, SSL_SESSION *);
+ TCN_CHECK_NULL(session_, session, JNI_FALSE);
+ return SSL_SESSION_should_be_single_use(session_) == 0 ? JNI_FALSE : JNI_TRUE;
+ #else
+ return JNI_FALSE;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ // JNI Method Registration Table Begin
+diff --git a/openssl-dynamic/src/main/c/sslutils.c b/openssl-dynamic/src/main/c/sslutils.c
+index 29a72e4..b0ea628 100644
+--- a/openssl-dynamic/src/main/c/sslutils.c
++++ b/openssl-dynamic/src/main/c/sslutils.c
+@@ -78,7 +78,7 @@ const char* TCN_UNKNOWN_AUTH_METHOD = "UNKNOWN";
+ * https://android.googlesource.com/platform/external/openssl/+/master/patches/0003-jsse.patch
+ */
+ const char* tcn_SSL_cipher_authentication_method(const SSL_CIPHER* cipher){
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ return SSL_CIPHER_get_kx_name(cipher);
+ #elif OPENSSL_VERSION_NUMBER >= 0x10100000L && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x2070000fL)
+ switch (SSL_CIPHER_get_kx_nid(cipher)) {
+@@ -462,12 +462,12 @@ int tcn_SSL_CTX_use_certificate_chain(SSL_CTX *ctx, const char *file, bool skipf
+ // TODO: in the future we may want to add a function which does not need X509 at all for this.
+ static int SSL_CTX_setup_certs(SSL_CTX *ctx, BIO *bio, bool skipfirst, bool ca)
+ {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ STACK_OF(CRYPTO_BUFFER) *names = sk_CRYPTO_BUFFER_new_null();
+ CRYPTO_BUFFER *buffer = NULL;
+ uint8_t *outp = NULL;
+ int len;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ X509 *x509 = NULL;
+ unsigned long err;
+@@ -483,7 +483,7 @@ static int SSL_CTX_setup_certs(SSL_CTX *ctx, BIO *bio, bool skipfirst, bool ca)
+
+ if (ca) {
+ while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ len = i2d_X509_NAME(X509_get_subject_name(x509), &outp);
+ if (len < 0) {
+ sk_CRYPTO_BUFFER_pop_free(names, CRYPTO_BUFFER_free);
+@@ -508,19 +508,19 @@ static int SSL_CTX_setup_certs(SSL_CTX *ctx, BIO *bio, bool skipfirst, bool ca)
+ // SSL_CTX_add_client_CA does not take ownership of the x509. It just calls X509_get_subject_name
+ // and make a duplicate of this value. So we should always free the x509 after this call.
+ // See https://github.com/netty/netty/issues/6249.
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ X509_free(x509);
+ n++;
+ }
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ SSL_CTX_set0_client_CAs(ctx, names);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ } else {
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ return -1;
+ #else
+ /* free a perhaps already configured extra chain */
+@@ -535,7 +535,7 @@ static int SSL_CTX_setup_certs(SSL_CTX *ctx, BIO *bio, bool skipfirst, bool ca)
+ }
+ n++;
+ }
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ }
+ /* Make sure that only the error is just an EOF */
+@@ -559,7 +559,7 @@ int tcn_SSL_CTX_use_client_CA_bio(SSL_CTX *ctx, BIO *bio)
+ return SSL_CTX_setup_certs(ctx, bio, false, true);
+ }
+
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ int tcn_SSL_use_certificate_chain_bio(SSL *ssl, BIO *bio, bool skipfirst)
+ {
+ #if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= 0x2090200fL
+@@ -613,7 +613,7 @@ X509 *tcn_load_pem_cert_bio(const char *password, const BIO *bio)
+ }
+ return cert;
+ }
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ EVP_PKEY *tcn_load_pem_key_bio(const char *password, const BIO *bio)
+ {
+@@ -626,7 +626,7 @@ EVP_PKEY *tcn_load_pem_key_bio(const char *password, const BIO *bio)
+ }
+
+ int tcn_EVP_PKEY_up_ref(EVP_PKEY* pkey) {
+-#if !defined(OPENSSL_IS_BORINGSSL) && (OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL))
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) && (OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL))
+ return CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
+ #else
+ return EVP_PKEY_up_ref(pkey);
+@@ -634,7 +634,7 @@ int tcn_EVP_PKEY_up_ref(EVP_PKEY* pkey) {
+ }
+
+ int tcn_X509_up_ref(X509* cert) {
+-#if !defined(OPENSSL_IS_BORINGSSL) && (OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2060000fL))
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) && (OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2060000fL))
+ return CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
+ #else
+ return X509_up_ref(cert);
diff --git a/tests/ci/integration/netty_tcnative_patch/netty-tcnative-parent-2.0.62.Final.patch b/tests/ci/integration/netty_tcnative_patch/netty-tcnative-parent-2.0.62.Final.patch
new file mode 100644
index 0000000000..5b24504e63
--- /dev/null
+++ b/tests/ci/integration/netty_tcnative_patch/netty-tcnative-parent-2.0.62.Final.patch
@@ -0,0 +1,1276 @@
+diff --git a/openssl-dynamic/src/main/c/cert_compress.c b/openssl-dynamic/src/main/c/cert_compress.c
+index e14fe97..3cb59a0 100644
+--- a/openssl-dynamic/src/main/c/cert_compress.c
++++ b/openssl-dynamic/src/main/c/cert_compress.c
+@@ -16,7 +16,7 @@
+
+ #include "tcn.h"
+ #include "ssl_private.h"
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ #include "cert_compress.h"
+
+ static int compress(jobject compression_algorithm, jmethodID compress_method, SSL* ssl, CBB* out,
+@@ -162,4 +162,4 @@ int zstd_decompress_java(SSL* ssl, CRYPTO_BUFFER** out, size_t uncompressed_len,
+ ssl, out, uncompressed_len, in, in_len);
+ }
+
+-#endif // OPENSSL_IS_BORINGSSL
+\ No newline at end of file
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+\ No newline at end of file
+diff --git a/openssl-dynamic/src/main/c/cert_compress.h b/openssl-dynamic/src/main/c/cert_compress.h
+index bc0669e..d6807b9 100644
+--- a/openssl-dynamic/src/main/c/cert_compress.h
++++ b/openssl-dynamic/src/main/c/cert_compress.h
+@@ -17,7 +17,7 @@
+ #ifndef NETTY_TCNATIVE_CERT_COMPRESS_H_
+ #define NETTY_TCNATIVE_CERT_COMPRESS_H_
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ int zlib_decompress_java(SSL* ssl, CRYPTO_BUFFER** out, size_t uncompressed_len, const uint8_t* in, size_t in_len);
+ int zlib_compress_java(SSL* ssl, CBB* out, const uint8_t* in, size_t in_len);
+@@ -28,6 +28,6 @@ int brotli_compress_java(SSL* ssl, CBB* out, const uint8_t* in, size_t in_len);
+ int zstd_decompress_java(SSL* ssl, CRYPTO_BUFFER** out, size_t uncompressed_len, const uint8_t* in, size_t in_len);
+ int zstd_compress_java(SSL* ssl, CBB* out, const uint8_t* in, size_t in_len);
+
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ #endif /* NETTY_TCNATIVE_CERT_COMPRESS_H_ */
+\ No newline at end of file
+diff --git a/openssl-dynamic/src/main/c/native_constants.c b/openssl-dynamic/src/main/c/native_constants.c
+index b3884e9..55f80b4 100644
+--- a/openssl-dynamic/src/main/c/native_constants.c
++++ b/openssl-dynamic/src/main/c/native_constants.c
+@@ -572,7 +572,7 @@ TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslSignRsaPkcs1Md
+ }
+
+ TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateNever)(TCN_STDARGS) {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ return (jint) ssl_renegotiate_never;
+ #else
+ return 0;
+@@ -580,7 +580,7 @@ TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateNev
+ }
+
+ TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateOnce)(TCN_STDARGS) {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ return (jint) ssl_renegotiate_once;
+ #else
+ return 0;
+@@ -588,7 +588,7 @@ TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateOnc
+ }
+
+ TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateFreely)(TCN_STDARGS) {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ return (jint) ssl_renegotiate_freely;
+ #else
+ return 0;
+@@ -597,7 +597,7 @@ TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateFre
+
+
+ TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateIgnore)(TCN_STDARGS) {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ return (jint) ssl_renegotiate_ignore;
+ #else
+ return 0;
+@@ -605,7 +605,7 @@ TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateIgn
+ }
+
+ TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateExplicit)(TCN_STDARGS) {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ return (jint) ssl_renegotiate_explicit;
+ #else
+ return 0;
+diff --git a/openssl-dynamic/src/main/c/ssl.c b/openssl-dynamic/src/main/c/ssl.c
+index 9745d96..2110b8e 100644
+--- a/openssl-dynamic/src/main/c/ssl.c
++++ b/openssl-dynamic/src/main/c/ssl.c
+@@ -108,7 +108,7 @@ struct TCN_bio_bytebuffer {
+ R |= SSL_TMP_KEY_INIT_DH(2048); \
+ R |= SSL_TMP_KEY_INIT_DH(4096)
+
+-#if !defined(OPENSSL_IS_BORINGSSL)
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ // This is the maximum overhead when encrypting plaintext as defined by
+ // rfc5264,
+ // rfc5289 and openssl implementation itself.
+@@ -127,7 +127,7 @@ struct TCN_bio_bytebuffer {
+ // See SSL#getMaxWrapOverhead for the overhead based upon the SSL*
+ // TODO(scott): this may be an over estimate because we don't account for short headers.
+ #define TCN_MAX_SEAL_OVERHEAD_LENGTH (TCN_MAX_ENCRYPTED_PACKET_LENGTH + SSL3_RT_HEADER_LENGTH)
+-#endif /*!defined(OPENSSL_IS_BORINGSSL)*/
++#endif /*!defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) */
+
+ static jint tcn_flush_sslbuffer_to_bytebuffer(struct TCN_bio_bytebuffer* bioUserData) {
+ jint writeAmount = TCN_MIN(bioUserData->bufferLength, bioUserData->nonApplicationBufferLength) * sizeof(char);
+@@ -345,7 +345,7 @@ static long bio_java_bytebuffer_ctrl(BIO* bio, int cmd, long num, void* ptr) {
+ case BIO_CTRL_FLUSH:
+ return 1;
+ case BIO_C_SET_FD:
+-#if defined(OPENSSL_IS_BORINGSSL) || defined(LIBRESSL_VERSION_NUMBER)
++#if defined(OPENSSL_IS_BORINGSSL) || defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_AWSLC)
+ bio->num = *((int *)ptr);
+ #endif
+ return 1;
+@@ -500,7 +500,7 @@ static apr_status_t ssl_init_cleanup(void *data)
+ /*
+ * Try to kill the internals of the SSL library.
+ */
+-#if OPENSSL_VERSION_NUMBER >= 0x00907001 && !defined(OPENSSL_IS_BORINGSSL)
++#if OPENSSL_VERSION_NUMBER >= 0x00907001 && !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ /* Corresponds to OPENSSL_load_builtin_modules():
+ * XXX: borrowed from apps.h, but why not CONF_modules_free()
+ * which also invokes CONF_modules_finish()?
+@@ -538,10 +538,10 @@ static apr_status_t ssl_init_cleanup(void *data)
+ }
+
+ // In case we loaded any engine we should also call cleanup. This is especialy important in openssl < 1.1.
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ // This is deprecated since openssl 1.1 but does not exist at all in BoringSSL.
+ ENGINE_cleanup();
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // !defined(OPENSSL_IS_BORINGSSL) || !defined(OPENSSL_IS_AWSLC)
+ #endif // OPENSSL_NO_ENGINE
+
+ /* Don't call ERR_free_strings here; ERR_load_*_strings only
+@@ -1257,7 +1257,7 @@ TCN_IMPLEMENT_CALL(jstring, SSL, getAlpnSelected)(TCN_STDARGS,
+ jlong ssl /* SSL * */) {
+ // Use weak linking with GCC as this will alow us to run the same packaged version with multiple
+ // version of openssl.
+- #if !defined(OPENSSL_IS_BORINGSSL) && (defined(__GNUC__) || defined(__GNUG__))
++ #if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) && (defined(__GNUC__) || defined(__GNUG__))
+ if (!SSL_get0_alpn_selected) {
+ return NULL;
+ }
+@@ -1281,7 +1281,7 @@ TCN_IMPLEMENT_CALL(jstring, SSL, getAlpnSelected)(TCN_STDARGS,
+ TCN_IMPLEMENT_CALL(jobjectArray, SSL, getPeerCertChain)(TCN_STDARGS,
+ jlong ssl /* SSL * */)
+ {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ const STACK_OF(CRYPTO_BUFFER) *chain = NULL;
+ const CRYPTO_BUFFER * cert = NULL;
+ const tcn_ssl_ctxt_t* c = NULL;
+@@ -1289,7 +1289,7 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSL, getPeerCertChain)(TCN_STDARGS,
+ STACK_OF(X509) *chain = NULL;
+ X509 *cert = NULL;
+ unsigned char *buf = NULL;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ int len;
+ int i;
+ int length;
+@@ -1303,7 +1303,7 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSL, getPeerCertChain)(TCN_STDARGS,
+ TCN_CHECK_NULL(ssl_, ssl, NULL);
+
+ // Get a stack of all certs in the chain.
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ TCN_GET_SSL_CTX(ssl_, c);
+
+ TCN_ASSERT(c != NULL);
+@@ -1321,7 +1321,7 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSL, getPeerCertChain)(TCN_STDARGS,
+ chain = SSL_get_peer_cert_chain(ssl_);
+ len = sk_X509_num(chain);
+ offset = 0;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ len -= offset;
+ if (len <= 0) {
+@@ -1337,7 +1337,7 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSL, getPeerCertChain)(TCN_STDARGS,
+
+ for(i = 0; i < len; i++) {
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ cert = sk_CRYPTO_BUFFER_value(chain, i + offset);
+ length = CRYPTO_BUFFER_len(cert);
+ #else
+@@ -1349,11 +1349,11 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSL, getPeerCertChain)(TCN_STDARGS,
+ // In case of error just return an empty byte[][]
+ return (*e)->NewObjectArray(e, 0, byteArrayClass, NULL);
+ }
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ bArray = (*e)->NewByteArray(e, length);
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ if (bArray == NULL) {
+ return NULL;
+ }
+@@ -1368,7 +1368,7 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSL, getPeerCertChain)(TCN_STDARGS,
+ OPENSSL_free(buf);
+ buf = NULL;
+
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ (*e)->SetObjectArrayElement(e, array, i, bArray);
+
+ // Delete the local reference as we not know how long the chain is and local references are otherwise
+@@ -1381,13 +1381,13 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSL, getPeerCertChain)(TCN_STDARGS,
+ TCN_IMPLEMENT_CALL(jbyteArray, SSL, getPeerCertificate)(TCN_STDARGS,
+ jlong ssl /* SSL * */)
+ {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ const STACK_OF(CRYPTO_BUFFER) *certs = NULL;
+ const CRYPTO_BUFFER *leafCert = NULL;
+ #else
+ X509 *cert = NULL;
+ unsigned char *buf = NULL;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ jbyteArray bArray = NULL;
+ int length;
+@@ -1396,7 +1396,7 @@ TCN_IMPLEMENT_CALL(jbyteArray, SSL, getPeerCertificate)(TCN_STDARGS,
+
+ TCN_CHECK_NULL(ssl_, ssl, NULL);
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ // Get a stack of all certs in the chain, the first is the leaf.
+ certs = SSL_get0_peer_certificates(ssl_);
+ if (certs == NULL || sk_CRYPTO_BUFFER_num(certs) <= 0) {
+@@ -1411,10 +1411,10 @@ TCN_IMPLEMENT_CALL(jbyteArray, SSL, getPeerCertificate)(TCN_STDARGS,
+ }
+
+ length = i2d_X509(cert, &buf);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ if ((bArray = (*e)->NewByteArray(e, length)) != NULL) {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ (*e)->SetByteArrayRegion(e, bArray, 0, length, (jbyte*) CRYPTO_BUFFER_data(leafCert));
+ }
+ #else
+@@ -1427,7 +1427,7 @@ TCN_IMPLEMENT_CALL(jbyteArray, SSL, getPeerCertificate)(TCN_STDARGS,
+ X509_free(cert);
+
+ OPENSSL_free(buf);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ return bArray;
+ }
+
+@@ -1541,13 +1541,13 @@ TCN_IMPLEMENT_CALL(void, SSL, setVerify)(TCN_STDARGS, jlong ssl, jint level, jin
+ state->verify_config->verify_depth = state->ctx->verify_config.verify_depth;
+ }
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ SSL_set_custom_verify(ssl_, tcn_set_verify_config(state->verify_config, level, depth), tcn_SSL_cert_custom_verify);
+ #else
+ // No need to specify a callback for SSL_set_verify because we override the default certificate verification via SSL_CTX_set_cert_verify_callback.
+ SSL_set_verify(ssl_, tcn_set_verify_config(state->verify_config, level, depth), NULL);
+ SSL_set_verify_depth(ssl_, state->verify_config->verify_depth);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ TCN_IMPLEMENT_CALL(void, SSL, setOptions)(TCN_STDARGS, jlong ssl,
+@@ -1604,7 +1604,7 @@ TCN_IMPLEMENT_CALL(jint, SSL, getMaxWrapOverhead)(TCN_STDARGS, jlong ssl)
+ TCN_CHECK_NULL(ssl_, ssl, 0);
+
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ return (jint) SSL_max_seal_overhead(ssl_);
+ #else
+ // TODO(scott): When OpenSSL supports something like SSL_max_seal_overhead ... use it!
+@@ -1683,12 +1683,12 @@ TCN_IMPLEMENT_CALL(jboolean, SSL, setCipherSuites)(TCN_STDARGS, jlong ssl,
+ rv = SSL_set_cipher_list(ssl_, J2S(ciphers)) == 0 ? JNI_FALSE : JNI_TRUE;
+ #else
+ if (tlsv13 == JNI_TRUE) {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ // BoringSSL does not support setting TLSv1.3 cipher suites explicit for now.
+ rv = JNI_TRUE;
+ #else
+ rv = SSL_set_ciphersuites(ssl_, J2S(ciphers)) == 0 ? JNI_FALSE : JNI_TRUE;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ } else {
+ rv = SSL_set_cipher_list(ssl_, J2S(ciphers)) == 0 ? JNI_FALSE : JNI_TRUE;
+ }
+@@ -1916,7 +1916,7 @@ TCN_IMPLEMENT_CALL(void, SSL, setHostNameValidation)(TCN_STDARGS, jlong ssl, jin
+
+ TCN_CHECK_NULL(ssl_, ssl, /* void */);
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ if (flags != 0) {
+ tcn_ThrowException(e, "flags must be 0");
+ }
+@@ -1956,7 +1956,7 @@ TCN_IMPLEMENT_CALL(void, SSL, setHostNameValidation)(TCN_STDARGS, jlong ssl, jin
+ tcn_ThrowException(e, "hostname verification requires OpenSSL 1.0.2+");
+ #endif // (OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)) || LIBRESSL_VERSION_NUMBER >= 0x2060000fL || defined(__GNUC__) || defined(__GNUG__)
+
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ TCN_IMPLEMENT_CALL(jobjectArray, SSL, authenticationMethods)(TCN_STDARGS, jlong ssl) {
+@@ -1990,7 +1990,7 @@ TCN_IMPLEMENT_CALL(void, SSL, setCertificateBio)(TCN_STDARGS, jlong ssl,
+ jlong cert, jlong key,
+ jstring password)
+ {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ tcn_Throw(e, "Not supported using BoringSSL");
+ #else
+ SSL *ssl_ = J2P(ssl, SSL *);
+@@ -2052,7 +2052,7 @@ cleanup:
+ TCN_FREE_CSTRING(password);
+ EVP_PKEY_free(pkey); // this function is safe to call with NULL
+ X509_free(xcert); // this function is safe to call with NULL
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ TCN_IMPLEMENT_CALL(void, SSL, setCertificateChainBio)(TCN_STDARGS, jlong ssl,
+@@ -2067,7 +2067,7 @@ TCN_IMPLEMENT_CALL(void, SSL, setCertificateChainBio)(TCN_STDARGS, jlong ssl,
+
+ // This call is only used to detect if we support KeyManager or not in netty. As we know that we support it in
+ // BoringSSL we can just ignore this call. In the future we should remove the method all together.
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ char err[ERR_LEN];
+
+ if (tcn_SSL_use_certificate_chain_bio(ssl_, b, skipfirst) < 0) {
+@@ -2075,7 +2075,7 @@ TCN_IMPLEMENT_CALL(void, SSL, setCertificateChainBio)(TCN_STDARGS, jlong ssl,
+ ERR_clear_error();
+ tcn_Throw(e, "Error setting certificate chain (%s)", err);
+ }
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ TCN_IMPLEMENT_CALL(jlong, SSL, loadPrivateKeyFromEngine)(TCN_STDARGS, jstring keyId, jstring password)
+@@ -2139,7 +2139,7 @@ TCN_IMPLEMENT_CALL(jlong, SSL, parseX509Chain)(TCN_STDARGS, jlong x509ChainBio)
+ {
+ BIO *cert_bio = J2P(x509ChainBio, BIO *);
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ STACK_OF(CRYPTO_BUFFER) *chain = sk_CRYPTO_BUFFER_new_null();
+ CRYPTO_BUFFER *buffer = NULL;
+ char *name = NULL;
+@@ -2149,14 +2149,14 @@ TCN_IMPLEMENT_CALL(jlong, SSL, parseX509Chain)(TCN_STDARGS, jlong x509ChainBio)
+ #else
+ X509* cert = NULL;
+ STACK_OF(X509) *chain = NULL;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ char err[ERR_LEN];
+ unsigned long error;
+
+ TCN_CHECK_NULL(cert_bio, x509ChainBio, 0);
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ while (PEM_read_bio(cert_bio, &name, &header, &data, &data_len)) {
+
+ OPENSSL_free(name);
+@@ -2174,15 +2174,15 @@ TCN_IMPLEMENT_CALL(jlong, SSL, parseX509Chain)(TCN_STDARGS, jlong x509ChainBio)
+ chain = sk_X509_new_null();
+ while ((cert = PEM_read_bio_X509(cert_bio, NULL, NULL, NULL)) != NULL) {
+ if (sk_X509_push(chain, cert) <= 0) {
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ tcn_Throw(e, "No Certificate specified or invalid format");
+ goto cleanup;
+ }
+
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ cert = NULL;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ // ensure that if we have an error its just for EOL.
+@@ -2202,25 +2202,25 @@ TCN_IMPLEMENT_CALL(jlong, SSL, parseX509Chain)(TCN_STDARGS, jlong x509ChainBio)
+ cleanup:
+ ERR_clear_error();
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ sk_CRYPTO_BUFFER_pop_free(chain, CRYPTO_BUFFER_free);
+ #else
+ sk_X509_pop_free(chain, X509_free);
+ X509_free(cert);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ return 0;
+ }
+
+ TCN_IMPLEMENT_CALL(void, SSL, freeX509Chain)(TCN_STDARGS, jlong x509Chain)
+ {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ STACK_OF(CRYPTO_BUFFER) *chain = J2P(x509Chain, STACK_OF(CRYPTO_BUFFER) *);
+ sk_CRYPTO_BUFFER_pop_free(chain, CRYPTO_BUFFER_free);
+ #else
+ STACK_OF(X509) *chain = J2P(x509Chain, STACK_OF(X509) *);
+ sk_X509_pop_free(chain, X509_free);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ TCN_IMPLEMENT_CALL(void, SSL, setKeyMaterial)(TCN_STDARGS, jlong ssl, jlong chain, jlong key)
+@@ -2234,14 +2234,14 @@ TCN_IMPLEMENT_CALL(void, SSL, setKeyMaterial)(TCN_STDARGS, jlong ssl, jlong chai
+
+ EVP_PKEY* pkey = J2P(key, EVP_PKEY *);
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ STACK_OF(CRYPTO_BUFFER) *cchain = J2P(chain, STACK_OF(CRYPTO_BUFFER) *);
+ int numCerts = sk_CRYPTO_BUFFER_num(cchain);
+ CRYPTO_BUFFER** certs = NULL;
+ #else
+ STACK_OF(X509) *cchain = J2P(chain, STACK_OF(X509) *);
+ int numCerts = sk_X509_num(cchain);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ char err[ERR_LEN];
+ int i;
+@@ -2250,7 +2250,7 @@ TCN_IMPLEMENT_CALL(void, SSL, setKeyMaterial)(TCN_STDARGS, jlong ssl, jlong chai
+
+ TCN_CHECK_NULL(cchain, chain, /* void */);
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ if ((certs = OPENSSL_malloc(sizeof(CRYPTO_BUFFER*) * numCerts)) == NULL) {
+ tcn_Throw(e, "OPENSSL_malloc returned NULL");
+ return;
+@@ -2264,14 +2264,14 @@ TCN_IMPLEMENT_CALL(void, SSL, setKeyMaterial)(TCN_STDARGS, jlong ssl, jlong chai
+ #else
+ // SSL_use_certificate will increment the reference count of the cert.
+ if (numCerts <= 0 || SSL_use_certificate(ssl_, sk_X509_value(cchain, 0)) <= 0) {
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ ERR_error_string_n(ERR_get_error(), err, ERR_LEN);
+ ERR_clear_error();
+ tcn_Throw(e, "Error setting certificate (%s)", err);
+ }
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ OPENSSL_free(certs);
+ #else
+ if (pkey != NULL) {
+@@ -2303,7 +2303,7 @@ TCN_IMPLEMENT_CALL(void, SSL, setKeyMaterial)(TCN_STDARGS, jlong ssl, jlong chai
+ return;
+ }
+ }
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ #endif
+ }
+@@ -2314,6 +2314,8 @@ TCN_IMPLEMENT_CALL(void, SSL, setKeyMaterialClientSide)(TCN_STDARGS, jlong ssl,
+ tcn_Throw(e, "Not supported with LibreSSL");
+ #elif defined(OPENSSL_IS_BORINGSSL)
+ tcn_Throw(e, "Not supported with BoringSSL");
++#elif defined(OPENSSL_IS_AWSLC)
++ tcn_Throw(e, "Not supported with AWS-LC");
+ #else
+ SSL *ssl_ = J2P(ssl, SSL *);
+
+@@ -2394,7 +2396,7 @@ TCN_IMPLEMENT_CALL(void, SSL, enableOcsp)(TCN_STDARGS, jlong ssl) {
+ #elif defined(TCN_OCSP_NOT_SUPPORTED)
+ tcn_ThrowException(e, "OCSP stapling is not supported");
+
+-#elif defined(OPENSSL_IS_BORINGSSL)
++#elif defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ SSL_enable_ocsp_stapling(ssl_);
+
+ #else
+@@ -2424,7 +2426,7 @@ TCN_IMPLEMENT_CALL(void, SSL, setOcspResponse)(TCN_STDARGS, jlong ssl, jbyteArra
+ #elif defined(TCN_OCSP_NOT_SUPPORTED)
+ tcn_ThrowException(e, "OCSP stapling is not supported");
+
+-#elif defined(OPENSSL_IS_BORINGSSL)
++#elif defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ uint8_t *value = OPENSSL_malloc(sizeof(uint8_t) * length);
+ if (value == NULL) {
+ tcn_ThrowException(e, "OPENSSL_malloc() returned null");
+@@ -2475,7 +2477,7 @@ TCN_IMPLEMENT_CALL(jbyteArray, SSL, getOcspResponse)(TCN_STDARGS, jlong ssl) {
+ #elif defined(TCN_OCSP_NOT_SUPPORTED)
+ tcn_ThrowException(e, "OCSP stapling is not supported");
+
+-#elif defined(OPENSSL_IS_BORINGSSL)
++#elif defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ const uint8_t *response = NULL;
+ size_t length = 0;
+
+@@ -2552,7 +2554,7 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSL, getSigAlgs)(TCN_STDARGS, jlong ssl) {
+ // Not supported in LibreSSL
+ #if defined(LIBRESSL_VERSION_NUMBER)
+ return NULL;
+-#elif defined(OPENSSL_IS_BORINGSSL)
++#elif defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ // Using a different API in BoringSSL
+ // https://boringssl.googlesource.com/boringssl/+/ba16a1e405c617f4179bd780ad15522fb25b0a65%5E%21/
+ int i;
+@@ -2639,14 +2641,14 @@ complete:
+ }
+ return array;
+ #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L || defined(__GNUC__) || defined(__GNUG__)
+-#endif // defined(OPENSSL_IS_BORINGSSL) || defined(LIBRESSL_VERSION_NUMBER)
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) || defined(LIBRESSL_VERSION_NUMBER)
+ }
+
+ TCN_IMPLEMENT_CALL(void, SSL, setRenegotiateMode)(TCN_STDARGS, jlong ssl, jint mode) {
+ SSL *ssl_ = J2P(ssl, SSL *);
+
+ TCN_CHECK_NULL(ssl_, ssl, /* void */);
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ tcn_Throw(e, "Not supported");
+ #else
+ SSL_set_renegotiate_mode(ssl_, (enum ssl_renegotiate_mode_t) mode);
+diff --git a/openssl-dynamic/src/main/c/ssl_private.h b/openssl-dynamic/src/main/c/ssl_private.h
+index f8f75a6..d6b9fef 100644
+--- a/openssl-dynamic/src/main/c/ssl_private.h
++++ b/openssl-dynamic/src/main/c/ssl_private.h
+@@ -186,7 +186,7 @@ extern void *SSL_temp_keys[SSL_TMP_KEY_MAX];
+ #endif /*X509_V_ERR_UNSPECIFIED*/
+
+ // BoringSSL compat
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ #ifndef SSL_ERROR_WANT_PRIVATE_KEY_OPERATION
+ #define SSL_ERROR_WANT_PRIVATE_KEY_OPERATION -1
+ #endif // SSL_ERROR_WANT_PRIVATE_KEY_OPERATION
+@@ -248,7 +248,7 @@ extern void *SSL_temp_keys[SSL_TMP_KEY_MAX];
+ #define SSL_SIGN_RSA_PKCS1_MD5_SHA1 0xff01
+ #endif // SSL_SIGN_RSA_PKCS1_MD5_SHA1
+
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+
+ // OCSP stapling should be present in OpenSSL as of version 1.0.0 but
+ // we've only tested 1.0.2 and we need to support 1.0.1 because the
+@@ -299,9 +299,9 @@ typedef struct {
+ int verify_mode;
+ } tcn_ssl_verify_config_t;
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ extern const SSL_PRIVATE_KEY_METHOD private_key_method;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ struct tcn_ssl_ctxt_t {
+ apr_pool_t* pool;
+@@ -334,7 +334,7 @@ struct tcn_ssl_ctxt_t {
+ jmethodID ssl_session_cache_creation_method;
+ jmethodID ssl_session_cache_get_method;
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ jobject ssl_private_key_method;
+ jmethodID ssl_private_key_sign_method;
+ jmethodID ssl_private_key_decrypt_method;
+@@ -350,7 +350,7 @@ struct tcn_ssl_ctxt_t {
+ jobject ssl_cert_compression_zstd_algorithm;
+ jmethodID ssl_cert_compression_zstd_compress_method;
+ jmethodID ssl_cert_compression_zstd_decompress_method;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ tcn_ssl_verify_config_t verify_config;
+
+@@ -434,10 +434,10 @@ int tcn_SSL_CTX_use_certificate_chain(SSL_CTX *, const char *, bool);
+ int tcn_SSL_CTX_use_certificate_chain_bio(SSL_CTX *, BIO *, bool);
+ int tcn_SSL_CTX_use_client_CA_bio(SSL_CTX *, BIO *);
+
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ X509 *tcn_load_pem_cert_bio(const char *, const BIO *);
+ int tcn_SSL_use_certificate_chain_bio(SSL *, BIO *, bool);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+
+ EVP_PKEY *tcn_load_pem_key_bio(const char *, const BIO *);
+ int tcn_set_verify_config(tcn_ssl_verify_config_t* c, jint tcn_mode, jint depth);
+@@ -448,16 +448,16 @@ int tcn_SSL_callback_select_next_proto(SSL *, unsigned char **, unsigned
+ int tcn_SSL_callback_alpn_select_proto(SSL *, const unsigned char **, unsigned char *, const unsigned char *, unsigned int, void *);
+ const char *tcn_SSL_cipher_authentication_method(const SSL_CIPHER *);
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ enum ssl_verify_result_t tcn_SSL_cert_custom_verify(SSL* ssl, uint8_t *out_alert);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ #if (OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)) || LIBRESSL_VERSION_NUMBER >= 0x2090200fL
+
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ #define tcn_SSL_add1_chain_cert(ssl, x509) SSL_add1_chain_cert(ssl, x509)
+ #define tcn_SSL_add0_chain_cert(ssl, x509) SSL_add0_chain_cert(ssl, x509)
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+
+ #define tcn_SSL_get0_certificate_types(ssl, clist) SSL_get0_certificate_types(ssl, clist)
+ #else
+@@ -469,7 +469,7 @@ enum ssl_verify_result_t tcn_SSL_cert_custom_verify(SSL* ssl, uint8_t *out_alert
+
+ #if defined(__GNUC__) || defined(__GNUG__)
+ // only supported with GCC, this will be used to support different openssl versions at the same time.
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ extern int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
+ unsigned protos_len) __attribute__((weak));
+ extern void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, int (*cb) (SSL *ssl, const unsigned char **out,
+@@ -484,18 +484,18 @@ enum ssl_verify_result_t tcn_SSL_cert_custom_verify(SSL* ssl, uint8_t *out_alert
+ extern int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, const char *name, size_t namelen) __attribute__((weak));
+ extern int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets) __attribute__((weak));
+ extern int SSL_SESSION_up_ref(SSL_SESSION *session) __attribute__((weak));
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+
+ extern int SSL_get_sigalgs(SSL *s, int idx, int *psign, int *phash, int *psignhash, unsigned char *rsig, unsigned char *rhash) __attribute__((weak));
+ #endif
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ #define tcn_SSL_CTX_set1_curves_list(ctx, s) SSL_CTX_set1_curves_list(ctx, s)
+ #else
+ #ifndef SSL_CTRL_SET_GROUPS_LIST
+ #define SSL_CTRL_SET_GROUPS_LIST 92
+ #endif // SSL_CTRL_SET_GROUPS_LIST
+ #define tcn_SSL_CTX_set1_curves_list(ctx, s) SSL_CTX_ctrl(ctx, SSL_CTRL_SET_GROUPS_LIST, 0, (char *)(s))
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ #endif /* SSL_PRIVATE_H */
+diff --git a/openssl-dynamic/src/main/c/sslcontext.c b/openssl-dynamic/src/main/c/sslcontext.c
+index 1d45ca7..89ca4a0 100644
+--- a/openssl-dynamic/src/main/c/sslcontext.c
++++ b/openssl-dynamic/src/main/c/sslcontext.c
+@@ -75,7 +75,7 @@ static apr_status_t ssl_context_cleanup(void *data)
+
+ tcn_get_java_env(&e);
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ if (c->ssl_private_key_method != NULL) {
+ if (e != NULL) {
+ (*e)->DeleteGlobalRef(e, c->ssl_private_key_method);
+@@ -100,7 +100,7 @@ static apr_status_t ssl_context_cleanup(void *data)
+ }
+ c->ssl_cert_compression_zstd_algorithm = NULL;
+ }
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ if (c->ssl_session_cache != NULL) {
+ if (e != NULL) {
+@@ -179,7 +179,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jint protocol, jint mod
+ tcn_ssl_ctxt_t *c = NULL;
+ SSL_CTX *ctx = NULL;
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ // When using BoringSSL we want to use CRYPTO_BUFFER to reduce memory usage and minimize overhead as we do not need
+ // X509* at all and just need the raw bytes of the certificates to construct our Java X509Certificate.
+ //
+@@ -328,7 +328,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jint protocol, jint mod
+ tcn_Throw(e, "Unsupported SSL protocol (%d)", protocol);
+ goto cleanup;
+ }
+-#endif /* OPENSSL_IS_BORINGSSL */
++#endif /* defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) */
+
+ if (ctx == NULL) {
+ char err[ERR_LEN];
+@@ -427,7 +427,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jint protocol, jint mod
+ SSL_CTX_set_default_passwd_cb(c->ctx, (pem_password_cb *) tcn_SSL_password_callback);
+ SSL_CTX_set_default_passwd_cb_userdata(c->ctx, (void *) c->password);
+
+-#if defined(OPENSSL_IS_BORINGSSL)
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ if (mode != SSL_MODE_SERVER) {
+ // Set this to make the behaviour consistent with openssl / libressl
+ SSL_CTX_set_allow_unknown_alpn_protos(ctx, 1);
+@@ -537,12 +537,12 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCipherSuite)(TCN_STDARGS, jlong ctx,
+ #else
+
+ if (tlsv13 == JNI_TRUE) {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ // BoringSSL does not support setting TLSv1.3 cipher suites explicit for now.
+ rv = JNI_TRUE;
+ #else
+ rv = SSL_CTX_set_ciphersuites(c->ctx, J2S(ciphers)) == 0 ? JNI_FALSE : JNI_TRUE;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ } else {
+ rv = SSL_CTX_set_cipher_list(c->ctx, J2S(ciphers)) == 0 ? JNI_FALSE : JNI_TRUE;
+@@ -561,7 +561,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificateChainFile)(TCN_STDARGS, j
+ jstring file,
+ jboolean skipfirst)
+ {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ tcn_Throw(e, "Not supported using BoringSSL");
+ return JNI_FALSE;
+ #else
+@@ -581,14 +581,14 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificateChainFile)(TCN_STDARGS, j
+ }
+ TCN_FREE_CSTRING(file);
+ return rv;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificateChainBio)(TCN_STDARGS, jlong ctx,
+ jlong chain,
+ jboolean skipfirst)
+ {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ tcn_Throw(e, "Not supported using BoringSSL");
+ return JNI_FALSE;
+ #else
+@@ -604,7 +604,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificateChainBio)(TCN_STDARGS, jl
+ return JNI_TRUE;
+ }
+ return JNI_FALSE;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCACertificateBio)(TCN_STDARGS, jlong ctx, jlong certs)
+@@ -625,7 +625,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setNumTickets)(TCN_STDARGS, jlong ctx,
+
+ TCN_CHECK_NULL(c, ctx, JNI_FALSE);
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ // Not supported by BoringSSL
+ return JNI_FALSE;
+ #else
+@@ -670,7 +670,7 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setTmpDHLength)(TCN_STDARGS, jlong ctx, jin
+ }
+ }
+
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ static EVP_PKEY *load_pem_key(tcn_ssl_ctxt_t *c, const char *file)
+ {
+ BIO *bio = NULL;
+@@ -773,13 +773,13 @@ static void free_and_reset_pass(tcn_ssl_ctxt_t *c, char* old_password, const jbo
+ }
+ }
+
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificate)(TCN_STDARGS, jlong ctx,
+ jstring cert, jstring key,
+ jstring password)
+ {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ tcn_Throw(e, "Not supported using BoringSSL");
+ return JNI_FALSE;
+ #else
+@@ -869,14 +869,14 @@ cleanup:
+ X509_free(xcert); // this function is safe to call with NULL
+ free_and_reset_pass(c, old_password, rv);
+ return rv;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificateBio)(TCN_STDARGS, jlong ctx,
+ jlong cert, jlong key,
+ jstring password)
+ {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ tcn_Throw(e, "Not supported using BoringSSL");
+ return JNI_FALSE;
+ #else
+@@ -957,7 +957,7 @@ cleanup:
+ X509_free(xcert); // this function is safe to call with NULL
+ free_and_reset_pass(c, old_password, rv);
+ return rv;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ TCN_IMPLEMENT_CALL(void, SSLContext, setNpnProtos0)(TCN_STDARGS, jlong ctx, jbyteArray next_protos,
+@@ -988,7 +988,7 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setAlpnProtos0)(TCN_STDARGS, jlong ctx, jby
+ jint selectorFailureBehavior)
+ {
+ // Only supported with GCC
+- #if !defined(OPENSSL_IS_BORINGSSL) && (defined(__GNUC__) || defined(__GNUG__))
++ #if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) && (defined(__GNUC__) || defined(__GNUG__))
+ if (!SSL_CTX_set_alpn_protos || !SSL_CTX_set_alpn_select_cb) {
+ return;
+ }
+@@ -1413,7 +1413,7 @@ static STACK_OF(X509)* X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx) {
+ }
+ #endif
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ static jbyteArray get_certs(JNIEnv *e, SSL* ssl, const STACK_OF(CRYPTO_BUFFER)* chain) {
+ CRYPTO_BUFFER *cert = NULL;
+ const int totalQueuedLength = sk_CRYPTO_BUFFER_num(chain);
+@@ -1422,7 +1422,7 @@ static jbyteArray get_certs(JNIEnv *e, SSL* ssl, STACK_OF(X509)* chain) {
+ X509 *cert = NULL;
+ unsigned char *buf = NULL;
+ const int totalQueuedLength = sk_X509_num(chain);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ tcn_ssl_state_t* state = tcn_SSL_get_app_state(ssl);
+ TCN_ASSERT(state != NULL);
+@@ -1448,13 +1448,13 @@ static jbyteArray get_certs(JNIEnv *e, SSL* ssl, STACK_OF(X509)* chain) {
+
+ for(i = 0; i < len; i++) {
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ cert = sk_CRYPTO_BUFFER_value(chain, i);
+ length = CRYPTO_BUFFER_len(cert);
+ #else
+ cert = sk_X509_value(chain, i);
+ length = i2d_X509(cert, &buf);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ if (length <= 0 || (bArray = (*e)->NewByteArray(e, length)) == NULL ) {
+ NETTY_JNI_UTIL_DELETE_LOCAL(e, array);
+@@ -1462,14 +1462,14 @@ static jbyteArray get_certs(JNIEnv *e, SSL* ssl, STACK_OF(X509)* chain) {
+ goto complete;
+ }
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ (*e)->SetByteArrayRegion(e, bArray, 0, length, (jbyte*) CRYPTO_BUFFER_data(cert));
+ #else
+ (*e)->SetByteArrayRegion(e, bArray, 0, length, (jbyte*) buf);
+
+ OPENSSL_free(buf);
+ buf = NULL;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ (*e)->SetObjectArrayElement(e, array, i, bArray);
+
+ // Delete the local reference as we not know how long the chain is and local references are otherwise
+@@ -1480,10 +1480,10 @@ static jbyteArray get_certs(JNIEnv *e, SSL* ssl, STACK_OF(X509)* chain) {
+
+ complete:
+
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ // We need to delete the local references so we not leak memory as this method is called via callback.
+ OPENSSL_free(buf);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ // Delete the local reference as we not know how long the chain is and local references are otherwise
+ // only freed once jni method returns.
+@@ -1491,7 +1491,7 @@ complete:
+ return array;
+ }
+
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ // See https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_cert_verify_callback.html for return values.
+ static int SSL_cert_verify(X509_STORE_CTX *ctx, void *arg) {
+ /* Get Apache context back through OpenSSL context */
+@@ -1575,7 +1575,7 @@ complete:
+ ret = result == X509_V_OK ? 1 : 0;
+ return ret;
+ }
+-#else // OPENSSL_IS_BORINGSSL
++#else // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ enum ssl_verify_result_t tcn_SSL_cert_custom_verify(SSL* ssl, uint8_t *out_alert) {
+ enum ssl_verify_result_t ret = ssl_verify_invalid;
+@@ -1694,7 +1694,7 @@ complete:
+ }
+ return ret;
+ }
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+
+ TCN_IMPLEMENT_CALL(void, SSLContext, setVerify)(TCN_STDARGS, jlong ctx, jint level, jint depth)
+@@ -1704,7 +1704,7 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setVerify)(TCN_STDARGS, jlong ctx, jint lev
+ TCN_CHECK_NULL(c, ctx, /* void */);
+
+ int mode = tcn_set_verify_config(&c->verify_config, level, depth);
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ if (c->verifier != NULL) {
+ SSL_CTX_set_custom_verify(c->ctx, mode, tcn_SSL_cert_custom_verify);
+ }
+@@ -1712,7 +1712,7 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setVerify)(TCN_STDARGS, jlong ctx, jint lev
+ // No need to set the callback for SSL_CTX_set_verify because we override the default certificate verification via SSL_CTX_set_cert_verify_callback.
+ SSL_CTX_set_verify(c->ctx, mode, NULL);
+ SSL_CTX_set_verify_depth(c->ctx, c->verify_config.verify_depth);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ TCN_IMPLEMENT_CALL(void, SSLContext, setCertVerifyCallback)(TCN_STDARGS, jlong ctx, jobject verifier)
+@@ -1725,11 +1725,11 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setCertVerifyCallback)(TCN_STDARGS, jlong c
+ if (verifier == NULL) {
+ c->verifier = NULL;
+ c->verifier_method = NULL;
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ SSL_CTX_set_custom_verify(c->ctx, SSL_VERIFY_NONE, NULL);
+ #else
+ SSL_CTX_set_cert_verify_callback(c->ctx, NULL, NULL);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ } else {
+ jclass verifier_class = (*e)->GetObjectClass(e, verifier);
+ jmethodID method = (*e)->GetMethodID(e, verifier_class, "verify", "(J[[BLjava/lang/String;)I");
+@@ -1747,12 +1747,12 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setCertVerifyCallback)(TCN_STDARGS, jlong c
+ c->verifier = v;
+ c->verifier_method = method;
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ SSL_CTX_set_custom_verify(c->ctx, tcn_set_verify_config(&c->verify_config, c->verify_config.verify_mode,
+ c->verify_config.verify_depth), tcn_SSL_cert_custom_verify);
+ #else
+ SSL_CTX_set_cert_verify_callback(c->ctx, SSL_cert_verify, NULL);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ // Delete the reference to the previous specified verifier if needed.
+ if (oldVerifier != NULL) {
+@@ -1783,14 +1783,14 @@ static jbyteArray keyTypes(JNIEnv* e, SSL* ssl) {
+ * Partly based on code from conscrypt:
+ * https://android.googlesource.com/platform/external/conscrypt/+/master/src/main/native/org_conscrypt_NativeCrypto.cpp
+ */
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ static jobjectArray principalBytes(JNIEnv* e, const STACK_OF(CRYPTO_BUFFER)* names) {
+ CRYPTO_BUFFER* principal = NULL;
+ #else
+ static jobjectArray principalBytes(JNIEnv* e, const STACK_OF(X509_NAME)* names) {
+ unsigned char *buf = NULL;
+ X509_NAME* principal = NULL;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ jobjectArray array = NULL;
+ jbyteArray bArray = NULL;;
+ int i;
+@@ -1803,11 +1803,11 @@ static jobjectArray principalBytes(JNIEnv* e, const STACK_OF(X509_NAME)* names)
+ return NULL;
+ }
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ count = sk_CRYPTO_BUFFER_num(names);
+ #else
+ count = sk_X509_NAME_num(names);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ if (count <= 0) {
+ return NULL;
+@@ -1818,7 +1818,7 @@ static jobjectArray principalBytes(JNIEnv* e, const STACK_OF(X509_NAME)* names)
+ }
+
+ for (i = 0; i < count; i++) {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ principal = sk_CRYPTO_BUFFER_value(names, i);
+ length = CRYPTO_BUFFER_len(principal);
+ #else
+@@ -1832,11 +1832,11 @@ static jobjectArray principalBytes(JNIEnv* e, const STACK_OF(X509_NAME)* names)
+ // In case of error just return an empty byte[][]
+ return (*e)->NewObjectArray(e, 0, byteArrayClass, NULL);
+ }
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ bArray = (*e)->NewByteArray(e, length);
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ if (bArray == NULL) {
+ return NULL;
+ }
+@@ -1849,7 +1849,7 @@ static jobjectArray principalBytes(JNIEnv* e, const STACK_OF(X509_NAME)* names)
+ (*e)->SetByteArrayRegion(e, bArray, 0, length, (jbyte*) buf);
+ OPENSSL_free(buf);
+ buf = NULL;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ (*e)->SetObjectArrayElement(e, array, i, bArray);
+
+@@ -1862,7 +1862,7 @@ static jobjectArray principalBytes(JNIEnv* e, const STACK_OF(X509_NAME)* names)
+ }
+ #endif // LIBRESSL_VERSION_NUMBER
+
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ static int cert_requested(SSL* ssl, X509** x509Out, EVP_PKEY** pkeyOut) {
+ #if defined(LIBRESSL_VERSION_NUMBER)
+ // Not supported with LibreSSL
+@@ -1901,7 +1901,7 @@ static int cert_requested(SSL* ssl, X509** x509Out, EVP_PKEY** pkeyOut) {
+ return 1;
+ #endif /* defined(LIBRESSL_VERSION_NUMBER) */
+ }
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ TCN_IMPLEMENT_CALL(void, SSLContext, setCertRequestedCallback)(TCN_STDARGS, jlong ctx, jobject callback)
+ {
+@@ -1909,7 +1909,7 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setCertRequestedCallback)(TCN_STDARGS, jlon
+
+ TCN_CHECK_NULL(c, ctx, /* void */);
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ tcn_Throw(e, "Not supported using BoringSSL");
+ #else
+ jobject oldCallback = c->cert_requested_callback;
+@@ -1989,11 +1989,11 @@ static int certificate_cb(SSL* ssl, void* arg) {
+ } else {
+ types = keyTypes(e, ssl);
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ issuers = principalBytes(e, SSL_get0_server_requested_CAs(ssl));
+ #else
+ issuers = principalBytes(e, SSL_get_client_CA_list(ssl));
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ int ret = 0;
+@@ -2038,7 +2038,7 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setCertificateCallback)(TCN_STDARGS, jlong
+
+ // Use weak linking with GCC as this will alow us to run the same packaged version with multiple
+ // version of openssl.
+-#if !defined(OPENSSL_IS_BORINGSSL) && (defined(__GNUC__) || defined(__GNUG__))
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) && (defined(__GNUC__) || defined(__GNUG__))
+ if (!SSL_CTX_set_cert_cb) {
+ tcn_ThrowException(e, "Requires OpenSSL 1.0.2+");
+ return;
+@@ -2088,7 +2088,7 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setCertificateCallback)(TCN_STDARGS, jlong
+ }
+
+ // Support for SSL_PRIVATE_KEY_METHOD.
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ static enum ssl_private_key_result_t tcn_private_key_sign_java(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, uint16_t signature_algorithm, const uint8_t *in, size_t in_len) {
+ enum ssl_private_key_result_t ret = ssl_private_key_failure;
+@@ -2275,14 +2275,14 @@ const SSL_PRIVATE_KEY_METHOD private_key_method = {
+ &tcn_private_key_decrypt_java,
+ &tcn_private_key_complete_java
+ };
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+
+ TCN_IMPLEMENT_CALL(void, SSLContext, setPrivateKeyMethod0)(TCN_STDARGS, jlong ctx, jobject method) {
+ tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
+
+ TCN_CHECK_NULL(c, ctx, /* void */);
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ char* name = NULL;
+ char* combinedName = NULL;
+
+@@ -2340,7 +2340,7 @@ error:
+ free(combinedName);
+ #else
+ tcn_ThrowException(e, "Requires BoringSSL");
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ static int tcn_new_session_cb(SSL *ssl, SSL_SESSION *session) {
+@@ -2702,7 +2702,7 @@ TCN_IMPLEMENT_CALL(jint, SSLContext, addCertificateCompressionAlgorithm0)(TCN_ST
+ return 0;
+ }
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ jclass algorithmClass = (*e)->GetObjectClass(e, algorithm);
+ if (algorithmClass == NULL) {
+@@ -2782,7 +2782,7 @@ TCN_IMPLEMENT_CALL(jint, SSLContext, addCertificateCompressionAlgorithm0)(TCN_ST
+ #else
+ tcn_Throw(e, "TLS Cert Compression only supported by BoringSSL");
+ return 0;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ // JNI Method Registration Table Begin
+diff --git a/openssl-dynamic/src/main/c/sslsession.c b/openssl-dynamic/src/main/c/sslsession.c
+index 709eed4..1118aae 100644
+--- a/openssl-dynamic/src/main/c/sslsession.c
++++ b/openssl-dynamic/src/main/c/sslsession.c
+@@ -74,7 +74,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLSession, upRef)(TCN_STDARGS, jlong session) {
+ TCN_CHECK_NULL(session_, session, JNI_FALSE);
+
+ // Only supported with GCC
+- #if !defined(OPENSSL_IS_BORINGSSL) && (defined(__GNUC__) || defined(__GNUG__))
++ #if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) && (defined(__GNUC__) || defined(__GNUG__))
+ if (!SSL_SESSION_up_ref) {
+ return JNI_FALSE;
+ }
+@@ -98,13 +98,13 @@ TCN_IMPLEMENT_CALL(void, SSLSession, free)(TCN_STDARGS, jlong session) {
+
+ TCN_IMPLEMENT_CALL(jboolean, SSLSession, shouldBeSingleUse)(TCN_STDARGS, jlong session) {
+ // Only supported by BoringSSL atm
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ SSL_SESSION *session_ = J2P(session, SSL_SESSION *);
+ TCN_CHECK_NULL(session_, session, JNI_FALSE);
+ return SSL_SESSION_should_be_single_use(session_) == 0 ? JNI_FALSE : JNI_TRUE;
+ #else
+ return JNI_FALSE;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ }
+
+ // JNI Method Registration Table Begin
+diff --git a/openssl-dynamic/src/main/c/sslutils.c b/openssl-dynamic/src/main/c/sslutils.c
+index 74c9726..508a549 100644
+--- a/openssl-dynamic/src/main/c/sslutils.c
++++ b/openssl-dynamic/src/main/c/sslutils.c
+@@ -78,7 +78,7 @@ const char* TCN_UNKNOWN_AUTH_METHOD = "UNKNOWN";
+ * https://android.googlesource.com/platform/external/openssl/+/master/patches/0003-jsse.patch
+ */
+ const char* tcn_SSL_cipher_authentication_method(const SSL_CIPHER* cipher){
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ return SSL_CIPHER_get_kx_name(cipher);
+ #elif OPENSSL_VERSION_NUMBER >= 0x10100000L && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x2070000fL)
+ switch (SSL_CIPHER_get_kx_nid(cipher)) {
+@@ -460,12 +460,12 @@ int tcn_SSL_CTX_use_certificate_chain(SSL_CTX *ctx, const char *file, bool skipf
+ // TODO: in the future we may want to add a function which does not need X509 at all for this.
+ static int SSL_CTX_setup_certs(SSL_CTX *ctx, BIO *bio, bool skipfirst, bool ca)
+ {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ STACK_OF(CRYPTO_BUFFER) *names = sk_CRYPTO_BUFFER_new_null();
+ CRYPTO_BUFFER *buffer = NULL;
+ uint8_t *outp = NULL;
+ int len;
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ X509 *x509 = NULL;
+ unsigned long err;
+@@ -481,7 +481,7 @@ static int SSL_CTX_setup_certs(SSL_CTX *ctx, BIO *bio, bool skipfirst, bool ca)
+
+ if (ca) {
+ while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ len = i2d_X509_NAME(X509_get_subject_name(x509), &outp);
+ if (len < 0) {
+ sk_CRYPTO_BUFFER_pop_free(names, CRYPTO_BUFFER_free);
+@@ -506,19 +506,19 @@ static int SSL_CTX_setup_certs(SSL_CTX *ctx, BIO *bio, bool skipfirst, bool ca)
+ // SSL_CTX_add_client_CA does not take ownership of the x509. It just calls X509_get_subject_name
+ // and make a duplicate of this value. So we should always free the x509 after this call.
+ // See https://github.com/netty/netty/issues/6249.
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ X509_free(x509);
+ n++;
+ }
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ SSL_CTX_set0_client_CAs(ctx, names);
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ } else {
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ return -1;
+ #else
+ /* free a perhaps already configured extra chain */
+@@ -533,7 +533,7 @@ static int SSL_CTX_setup_certs(SSL_CTX *ctx, BIO *bio, bool skipfirst, bool ca)
+ }
+ n++;
+ }
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ }
+ /* Make sure that only the error is just an EOF */
+@@ -557,7 +557,7 @@ int tcn_SSL_CTX_use_client_CA_bio(SSL_CTX *ctx, BIO *bio)
+ return SSL_CTX_setup_certs(ctx, bio, false, true);
+ }
+
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ int tcn_SSL_use_certificate_chain_bio(SSL *ssl, BIO *bio, bool skipfirst)
+ {
+ #if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= 0x2090200fL
+@@ -611,7 +611,7 @@ X509 *tcn_load_pem_cert_bio(const char *password, const BIO *bio)
+ }
+ return cert;
+ }
+-#endif // OPENSSL_IS_BORINGSSL
++#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ EVP_PKEY *tcn_load_pem_key_bio(const char *password, const BIO *bio)
+ {
+@@ -624,7 +624,7 @@ EVP_PKEY *tcn_load_pem_key_bio(const char *password, const BIO *bio)
+ }
+
+ int tcn_EVP_PKEY_up_ref(EVP_PKEY* pkey) {
+-#if !defined(OPENSSL_IS_BORINGSSL) && (OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL))
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) && (OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL))
+ return CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
+ #else
+ return EVP_PKEY_up_ref(pkey);
+@@ -632,7 +632,7 @@ int tcn_EVP_PKEY_up_ref(EVP_PKEY* pkey) {
+ }
+
+ int tcn_X509_up_ref(X509* cert) {
+-#if !defined(OPENSSL_IS_BORINGSSL) && (OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2060000fL))
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) && (OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2060000fL))
+ return CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
+ #else
+ return X509_up_ref(cert);
diff --git a/tests/ci/integration/run_netty_tcnative_integration.sh b/tests/ci/integration/run_netty_tcnative_integration.sh
new file mode 100755
index 0000000000..a46941cf46
--- /dev/null
+++ b/tests/ci/integration/run_netty_tcnative_integration.sh
@@ -0,0 +1,124 @@
+#!/usr/bin/env bash
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+set -euxo pipefail
+
+source tests/ci/common_posix_setup.sh
+
+# Set up environment.
+
+# SRC_ROOT(aws-lc)
+# - SCRATCH_FOLDER
+# - NETTY_TCNATIVE_SRC
+# - AWS_LC_BUILD_FOLDER
+# - AWS_LC_INSTALL_FOLDER
+
+# Assumes script is executed from the root of aws-lc directory
+SCRATCH_FOLDER=${SRC_ROOT}/"scratch"
+AWS_LC_BUILD_FOLDER="${SCRATCH_FOLDER}/aws-lc-build"
+AWS_LC_INSTALL_FOLDER="${SCRATCH_FOLDER}/aws-lc-install"
+NETTY_TCNATIVE_SRC="${SCRATCH_FOLDER}/netty-tcnative"
+NETTY_TCNATIVE_GIT_URL="https://github.com/netty/netty-tcnative.git"
+NETTY_TCNATIVE_REFSPEC="${1:-main}"
+NETTY_TCNATIVE_PATCH_FOLDER="${SRC_ROOT}/tests/ci/integration/netty_tcnative_patch"
+
+function build_netty_tcnative() {
+ pushd "${NETTY_TCNATIVE_SRC}"
+
+ local PKG_CONFIG_PATH
+ PKG_CONFIG_PATH="$(find "${AWS_LC_INSTALL_FOLDER}" -type d -name pkgconfig)"
+ export PKG_CONFIG_PATH
+
+ local NETTY_LD_LIBRARY_PATH
+ NETTY_LD_LIBRARY_PATH="$(pkg-config --variable=libdir libcrypto)"
+
+ local NETTY_LDFLAGS
+ NETTY_LDFLAGS="$(pkg-config --libs libssl libcrypto)"
+ NETTY_LDFLAGS+="${LDFLAGS:-}"
+
+ local NETTY_CFLAGS
+ NETTY_CFLAGS="$(pkg-config --cflags libssl libcrypto)"
+ NETTY_CFLAGS+="${CFLAGS:-}"
+
+ env LD_LIBRARY_PATH="${NETTY_LD_LIBRARY_PATH}" LDFLAGS="${NETTY_LDFLAGS}" CFLAGS="${NETTY_CFLAGS}" ./mvnw "$@"
+
+ unset PKG_CONFIG_PATH
+ popd # "${NETTY_TCNATIVE_SRC}"
+}
+
+
+function clone_and_patch_netty_tcnative() {
+ git clone "${NETTY_TCNATIVE_GIT_URL}" "${NETTY_TCNATIVE_SRC}"
+ pushd "${NETTY_TCNATIVE_SRC}"
+ git fetch origin "${NETTY_TCNATIVE_REFSPEC}"
+ git checkout -b aws-lc "${NETTY_TCNATIVE_REFSPEC}"
+ if [[ -e "${NETTY_TCNATIVE_PATCH_FOLDER}/${NETTY_TCNATIVE_REFSPEC}.patch" ]]; then
+ patch -p1 -i "${NETTY_TCNATIVE_PATCH_FOLDER}/${NETTY_TCNATIVE_REFSPEC}.patch"
+ else
+ patch -p1 --no-backup-if-mismatch -i "${NETTY_TCNATIVE_PATCH_FOLDER}/latest.patch"
+ fi
+ popd # "${NETTY_TCNATIVE_SRC}"
+}
+
+function wrapper_aws_lc_build() {
+ rm -rf "${AWS_LC_INSTALL_FOLDER:?}"/*
+ rm -rf "${AWS_LC_BUILD_FOLDER:?}"/*
+ aws_lc_build "${SRC_ROOT}" "${AWS_LC_BUILD_FOLDER}" "${AWS_LC_INSTALL_FOLDER}" -DBUILD_TESTING=OFF -DBUILD_TOOL=OFF -DCMAKE_BUILD_TYPE=RelWithDebInfo "$@"
+}
+
+function verify_static_netty_build() {
+ local UNAME_P
+ local UNAME_S
+ local TARGET_DIR
+ local TARGET_JAR
+ local INTERROGATE_DIR
+
+ UNAME_P="$(uname -p)"
+ UNAME_S="$(uname -s | tr '[:upper:]' '[:lower:]')"
+ TARGET_DIR="${NETTY_TCNATIVE_SRC}/${1:?}/target"
+ TARGET_JAR=$(find "${TARGET_DIR}" -name "*-${UNAME_S}-${UNAME_P}.jar")
+ INTERROGATE_DIR="${SCRATCH_FOLDER}/inspect_jar"
+
+ mkdir -p "${INTERROGATE_DIR}"
+ pushd "${INTERROGATE_DIR}"
+ unzip "${TARGET_JAR}"
+ nm "META-INF/native/libnetty_tcnative_${UNAME_S}_${UNAME_P}.so" | grep awslc_api_version_num
+ popd # "${INTERROGATE_DIR}"
+
+ rm -rf "${INTERROGATE_DIR}"
+}
+
+# Make script execution idempotent.
+mkdir -p "${SCRATCH_FOLDER}"
+rm -rf "${SCRATCH_FOLDER:?}"/*
+pushd "${SCRATCH_FOLDER}"
+
+clone_and_patch_netty_tcnative
+
+mkdir -p "${AWS_LC_BUILD_FOLDER}" "${AWS_LC_INSTALL_FOLDER}"
+
+# Shared Build
+wrapper_aws_lc_build "-DBUILD_SHARED_LIBS=1"
+
+build_netty_tcnative -am -pl openssl-dynamic clean verify
+
+# Shared FIPS Build
+wrapper_aws_lc_build "-DBUILD_SHARED_LIBS=1" "-DFIPS=1"
+
+build_netty_tcnative -am -pl openssl-dynamic clean verify
+
+# Static Build
+wrapper_aws_lc_build "-DBUILD_SHARED_LIBS=0"
+
+build_netty_tcnative -am -pl openssl-static "-DopensslHome=${AWS_LC_INSTALL_FOLDER}" clean verify
+verify_static_netty_build "openssl-static"
+
+# Static FIPS Build
+wrapper_aws_lc_build "-DBUILD_SHARED_LIBS=0" "-DFIPS=1"
+
+build_netty_tcnative -am -pl openssl-static "-DopensslHome=${AWS_LC_INSTALL_FOLDER}" clean verify
+verify_static_netty_build "openssl-static"
+
+popd # "${SCRATCH_FOLDER}"
+rm -rf "${SCRATCH_FOLDER:?}"