diff --git a/lib/secure-streams/system/auth-sigv4/sign.c b/lib/secure-streams/system/auth-sigv4/sign.c
index a5b59ce63..4f5492f7a 100644
--- a/lib/secure-streams/system/auth-sigv4/sign.c
+++ b/lib/secure-streams/system/auth-sigv4/sign.c
@@ -147,27 +147,6 @@ bin2hex(uint8_t *in, size_t len, char *out)
 	*out = '\0';
 }
-static int
-sha256hash(uint8_t *data, size_t len, char *out)
-{
-	struct lws_genhash_ctx hash_ctx;
-	uint8_t hash_bin[32];
-
-	if (lws_genhash_init(&hash_ctx, LWS_GENHASH_TYPE_SHA256) ||
-	    lws_genhash_update(&hash_ctx, (void *)data, len) ||
-	    lws_genhash_destroy(&hash_ctx, hash_bin))
-	{
-
-		lws_genhash_destroy(&hash_ctx, NULL);
-		lwsl_err("%s lws_genhash error \n", __func__);
-		return -1;
-	}
-
-	bin2hex(hash_bin, sizeof(hash_bin), out);
-
-	return 0;
-}
-
 static int
 hmacsha256(const uint8_t *key, size_t keylen, const uint8_t *txt,
 	   size_t txtlen, uint8_t *digest)
@@ -192,43 +171,85 @@ hmacsha256(const uint8_t *key, size_t keylen, const uint8_t *txt,
 	return 0;
 }
+/* cut the last byte of the str */
+static inline int hash_update_bite_str(struct lws_genhash_ctx *ctx, const char * str)
+{
+	int ret = 0;
+	if ((ret = lws_genhash_update(ctx, (void *)str, strlen(str)-1))) {
+		lws_genhash_destroy(ctx, NULL);
+		lwsl_err("%s err %d line \n", __func__, ret);
+	}
+	return ret;
+}
+
+static inline int hash_update_str(struct lws_genhash_ctx *ctx, const char * str)
+{
+	int ret = 0;
+	if ((ret = lws_genhash_update(ctx, (void *)str, strlen(str)))) {
+		lws_genhash_destroy(ctx, NULL);
+		lwsl_err("%s err %d \n", __func__, ret);
+	}
+	return ret;
+}
+
 static int
 build_sign_string(struct lws *wsi, char *buf, size_t bufsz,
 		  struct lws_ss_handle *h, struct sigv4 *s)
 {
 	char hash[65], *end = &buf[bufsz - 1], *start;
-	int i;
+	struct lws_genhash_ctx hash_ctx;
+	uint8_t hash_bin[32];
+	int i, ret = 0;
 	start = buf;
+	if ((ret = lws_genhash_init(&hash_ctx, LWS_GENHASH_TYPE_SHA256))) {
+		lws_genhash_destroy(&hash_ctx, NULL);
+		lwsl_err("%s genhash init err %d \n", __func__, ret);
+		return -1;
+	}
 	/*
-	 * build canonical_request and hash it
+	 * hash canonical_request
 	 */
-	buf += lws_snprintf(buf, lws_ptr_diff_size_t(end, buf), "%s\n%s\n",
-			h->policy->u.http.method,
-			lws_hdr_simple_ptr(wsi, _WSI_TOKEN_CLIENT_URI));
+
+	if (hash_update_str(&hash_ctx, h->policy->u.http.method) ||
+			hash_update_str(&hash_ctx, "\n"))
+		return -1;
+	if (hash_update_str(&hash_ctx, lws_hdr_simple_ptr(wsi, _WSI_TOKEN_CLIENT_URI)) ||
+			hash_update_str(&hash_ctx, "\n"))
+		return -1;
+
 	/* TODO, append query string */
-	buf += lws_snprintf(buf, lws_ptr_diff_size_t(end, buf), "\n");
+	if (hash_update_str(&hash_ctx, "\n"))
+		return -1;
+
 	for (i = 0; i < s->hnum; i++) {
-		buf += lws_snprintf(buf, lws_ptr_diff_size_t(end, buf), "%s%s\n",
-				s->headers[i].name, s->headers[i].value);
+		if (hash_update_str(&hash_ctx, s->headers[i].name) ||
+				hash_update_str(&hash_ctx, s->headers[i].value) ||
+				hash_update_str(&hash_ctx, "\n"))
+			return -1;
+	}
-	buf += lws_snprintf(buf, lws_ptr_diff_size_t(end, buf), "\n");
-	for (i = 0; i < s->hnum; i++) {
-		buf += lws_snprintf(buf, lws_ptr_diff_size_t(end, buf), "%s",
-				s->headers[i].name);
-		buf--; /* remove ':' */
-		*buf++ = ';';
+	if (hash_update_str(&hash_ctx, "\n"))
+		return -1;
+
+	for (i = 0; i < s->hnum-1; i++) {
+		if (hash_update_bite_str(&hash_ctx, s->headers[i].name) ||
+				hash_update_str(&hash_ctx, ";"))
+			return -1;
 	}
-	buf--; /* remove the trailing ';' */
-	buf += lws_snprintf(buf, lws_ptr_diff_size_t(end, buf), "\n%s",
-			s->payload_hash);
-	*buf++ = '\0';
+	if (hash_update_bite_str(&hash_ctx, s->headers[i].name) ||
+			hash_update_str(&hash_ctx, "\n") ||
+			hash_update_str(&hash_ctx, s->payload_hash))
+		return -1;
-	assert(buf <= start + bufsz);
-
-	sha256hash((uint8_t *)start, strlen(start), hash);
+	if ((ret = lws_genhash_destroy(&hash_ctx, hash_bin))) {
+		lws_genhash_destroy(&hash_ctx, NULL);
+		lwsl_err("%s lws_genhash error \n", __func__);
+		return -1;
+	}
+	bin2hex(hash_bin, sizeof(hash_bin), hash);
 	/*
 	 * build sign string like the following
 	 *
diff --git a/minimal-examples/secure-streams/minimal-secure-streams-sigv4/ss-s3-main.c b/minimal-examples/secure-streams/minimal-secure-streams-sigv4/ss-s3-main.c
index 3d88dc45d..d80bacc99 100644
--- a/minimal-examples/secure-streams/minimal-secure-streams-sigv4/ss-s3-main.c
+++ b/minimal-examples/secure-streams/minimal-secure-streams-sigv4/ss-s3-main.c
@@ -75,7 +75,7 @@ static const char * const default_ss_policy =
 		"],"
 		"\"auth\": [" /* named cert chains */
 			"{"
-				"\"name\": \"sigv4_brahms\","
+				"\"name\": \"sigv4_br\","
 				"\"type\": \"sigv4\","
 				"\"blob\": 0"
 			"}"
@@ -93,7 +93,7 @@ static const char * const default_ss_policy =
 			"\"tls_trust_store\":"	"\"s3-root-cert\","
 			"\"opportunistic\":"	"true,"
 			"\"retry\":"		"\"default\","
-			"\"use_auth\":"		"\"sigv4_brahms\","
+			"\"use_auth\":"		"\"sigv4_br\","
 			"\"aws_region\":"	"\"region\","
 			"\"aws_service\":"	"\"service\","
 			"\"metadata\": ["
diff --git a/minimal-examples/secure-streams/minimal-secure-streams-sigv4/ss-s3-ss.c b/minimal-examples/secure-streams/minimal-secure-streams-sigv4/ss-s3-ss.c
index e941c6df7..c1f4692e4 100644
--- a/minimal-examples/secure-streams/minimal-secure-streams-sigv4/ss-s3-ss.c
+++ b/minimal-examples/secure-streams/minimal-secure-streams-sigv4/ss-s3-ss.c
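Review bot: `hash_update_bite_str` computes `strlen(str)-1` with no check for an empty string, so a zero-length header name underflows the `size_t` and `lws_genhash_update` is asked to read SIZE_MAX bytes from `str`; guard it with `size_t len = strlen(str); if (!len) { lws_genhash_destroy(ctx, NULL); return -1; }` before the update. The signed-headers part of `build_sign_string` has a related edge: when `s->hnum` is 0 the `i < s->hnum-1` loop never runs and the trailing `hash_update_bite_str(&hash_ctx, s->headers[i].name)` still reads `headers[0]` (and if `hnum` is an unsigned type the comparison wraps instead), so an early `if (s->hnum < 1) { lws_genhash_destroy(&hash_ctx, NULL); return -1; }` after the init check is cheap insurance. `hash_update_str` now calls `strlen` directly on `lws_hdr_simple_ptr(wsi, _WSI_TOKEN_CLIENT_URI)`, where the old `lws_snprintf` path at least did not dereference a NULL result; if that helper can return NULL, check it before hashing. The failure branch of the final `lws_genhash_destroy(&hash_ctx, hash_bin)` calls `lws_genhash_destroy(&hash_ctx, NULL)` on a context that was just destroyed, a pattern inherited from the removed sha256hash that is only safe if the backend tolerates a second destroy. build_sign_string continues past the end of the hunk.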
@@ -65,7 +65,12 @@ ss_s3_tx(void *userobj, lws_ss_tx_ordinal_t ord, uint8_t *buf, size_t *len,
 	static const char *awsService = "s3",
 			  *awsRegion = "us-west-2",
 			  *s3bucketName = "sstest2020",
-			  *s3ObjName = "SSs3upload2.txt";
+#if 1
+			  *s3ObjName = "SSs3upload2.txt";
+#else
+			  /* test huge string sigv4 hashing works */
+			  *s3ObjName = "SSs3uploadaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa2.txt";
+#endif
 	static char timestamp[32], payload_hash[65];
 	static uint8_t jpl[1 * 1024];
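Review bot: The `#else` branch parks a roughly 1 KiB dead object-name literal in the example behind `#if 1`, which the compiler never sees and which will rot silently; the comment says what it is for, but nothing selects it. If the long-name case is worth keeping, replace the bare `#if 1` with a named guard (a constructed example: `#if !defined(SS_S3_TEST_LONG_OBJNAME)`) so the fixture can be enabled from the build line, or move the long string into a dedicated test rather than the sample program. The enclosing ss_s3_tx starts before the hunk.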