After Heartbleed: 4 OpenSSL alternatives that work

In the wake of Heartbleed, it's high time we take a closer look at SSL alternatives from Mozilla and others

Nobody needs to be reminded of the severity of the Heartbleed OpenSSL bug. Rather, people are looking for solutions: how to fix it now and how to prevent a similar event in the future. To that end, it's worth looking beyond OpenSSL and bearing in mind it's one of several competing software projects that satisfy many of the same needs.

First candidate: Mozilla's Network Security Services (NSS) library family, available under multiple license arrangements and with a fairly regular cycle of releases, the last debuting in mid-March 2014. Predictably, Mozilla's own applications -- Firefox, Mozilla Suite, Thunderbird -- all use it, but so do a slew of well-known third-party applications: AOL Instant Messenger and many third-party clients for the service; 2.0; and numerous Red Hat server products such as Red Hat Directory Server and mod_nss for the Apache httpd Web server.

NSS is especially attractive in mod_nss, since the latter includes support for certificate revocation lists -- one of a number of key mechanisms for better protecting the validity of certificate. It also works hand-in-hand with another Apache module, mod_revocator, which makes it possible for revocation lists to be processed automatically without restarting httpd.

Another possibility: GnuTLS, which has broad support for many different protocols and standards and is available under a relatively liberal licensing scheme (LGPL 2.0) that allows it to be used in closed source applications. It too is updated quite regularly; the last stable release was version 3.3.0, which came out on April 10, 2014. GnuTLS was actually created in response to OpenSSL's GPL-incompatible Apache and BSD licensing schemes.

Yet other implementations abound: Polar SSL, available in both open source and commercially licensed versions, and MatrixSSL, also multilicensed and built for embedded applications.

Servers aren't the only reason to think hard about substitutes for OpenSSL; after all, they aren't hard to keep patched. SSL alternatives may be needed in other items, such as home routers or cable boxes, which are infrequently updated (if at all) and must be based on code that's audited as rigorously as possible.

Not all substitutes would work as drop-in replacements, and some might be less useful in certain circles due to licensing concerns. But it's worth looking into what those projects have to offer. In the long run, it might be more worthwhile to switch rather than patch.

This article, "After Heartbleed: 4 OpenSSL alternatives that work," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow on Twitter.

Copyright © 2014 IDG Communications, Inc.

How to choose a low-code development platform