After Heartbleed: 4 OpenSSL alternatives that work

Nobody needs to be reminded of the severity of the Heartbleed OpenSSL bug. Rather, people are looking for solutions: how to fix it now and how to prevent a similar event in the future. To that end, it's worth looking beyond OpenSSL and bearing in mind it's one of several competing software projects that satisfy many of the same needs.

First candidate: Mozilla's Network Security Services (NSS) library family, available under multiple license arrangements and with a fairly regular cycle of releases, the last debuting in mid-March 2014. Predictably, Mozilla's own applications -- Firefox, Mozilla Suite, Thunderbird -- all use it, but so do a slew of well-known third-party applications: AOL Instant Messenger and many third-party clients for the service; OpenOffice.org 2.0; and numerous Red Hat server products such as Red Hat Directory Server and mod_nss for the Apache httpd Web server.

NSS is especially attractive in mod_nss, since the latter includes support for certificate revocation lists -- one of a number of key mechanisms for better protecting the validity of certificates. It also works hand-in-hand with another Apache module, mod_revocator, which makes it possible for revocation lists to be processed automatically without restarting httpd.

Another possibility: GnuTLS, which has broad support for many different protocols and standards and is available under a relatively liberal licensing scheme (LGPL 2.0) that allows it to be used in closed source applications. It too is updated quite regularly; the last stable release was version 3.3.0, which came out on April 10, 2014. GnuTLS was actually created in response to OpenSSL's GPL-incompatible Apache and BSD licensing schemes.

Yet other implementations abound: PolarSSL, available in both open source and commercially licensed versions, and MatrixSSL, also multilicensed and built for embedded applications.

Servers aren't the only reason to think hard about substitutes for OpenSSL; after all, they aren't hard to keep patched. SSL alternatives may be needed in other items, such as home routers or cable boxes, which are infrequently updated (if at all) and must be based on code that's audited as rigorously as possible.

Not all substitutes would work as drop-in replacements, and some might be less useful in certain circles due to licensing concerns. But it's worth looking into what those projects have to offer. In the long run, it might be more worthwhile to switch rather than patch.

This story, "After Heartbleed: 4 OpenSSL alternatives that work" was originally published by InfoWorld.
