Nobody needs to be reminded of the severity of the Heartbleed OpenSSL bug. Rather, people are looking for solutions: how to fix it now and how to prevent a similar event in the future. To that end, it’s worth looking beyond OpenSSL and bearing in mind it’s one of several competing software projects that satisfy many of the same needs.
First candidate: Mozilla’s Network Security Services (NSS) library family, available under multiple license arrangements and with a fairly regular cycle of releases, the last debuting in mid-March 2014. Predictably, Mozilla’s own applications — Firefox, Mozilla Suite, Thunderbird — all use it, but so do a slew of well-known third-party applications: AOL Instant Messenger and many third-party clients for the service; OpenOffice.org 2.0; and numerous Red Hat server products such as Red Hat Directory Server and mod_nss for the Apache httpd Web server.
NSS is especially attractive in mod_nss, since the latter includes support for certificate revocation lists — one of a number of key mechanisms for better protecting the validity of certificates. It also works hand-in-hand with another Apache module, mod_revocator, which makes it possible for revocation lists to be processed automatically without restarting httpd.
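As an added illustration of that point (example code, not anything from mod_nss or mod_revocator), the following Python models what a server-side revocation check has to get right: it refuses a CRL that is not yet valid or already expired, refuses rollback to an older list, treats a missing or expired CRL as "unknown" rather than "good", and swaps a fresh CRL into place without a restart. The issuer name, serial numbers and dates are constructed.

```python
"""Added example (not mod_nss or mod_revocator code): a minimal model of a TLS
server consuming a certificate revocation list (CRL) and refreshing it in place,
the job the article attributes to mod_revocator. All values are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime                 # a CRL past this time must not be trusted
    revoked_serials: frozenset = field(default_factory=frozenset)

class RevocationChecker:
    """Holds the current CRL per issuer and swaps new ones in without a restart."""
    def __init__(self):
        self._crls = {}

    def load(self, crl, now):
        """Install a CRL if it is valid now and not older than the one held.
        Returns False (keeping the old CRL) for a stale or rolled-back list."""
        if not (crl.this_update <= now < crl.next_update):
            return False
        current = self._crls.get(crl.issuer)
        if current is not None and crl.this_update < current.this_update:
            return False                  # refuse rollback to an older list
        self._crls[crl.issuer] = crl      # one assignment: no httpd restart needed
        return True

    def status(self, issuer, serial, now):
        """'good', 'revoked' or 'unknown' (no usable CRL; never treat as success)."""
        crl = self._crls.get(issuer)
        if crl is None or now >= crl.next_update:
            return "unknown"              # fail closed: an expired CRL proves nothing
        return "revoked" if serial in crl.revoked_serials else "good"

# Constructed sample data: one issuer, two CRL generations.
T0 = datetime(2014, 4, 10, tzinfo=timezone.utc)
CRL_V1 = Crl("CN=Example CA", T0, T0 + timedelta(days=7), frozenset({0x1001}))
CRL_V2 = Crl("CN=Example CA", T0 + timedelta(days=6), T0 + timedelta(days=13),
             frozenset({0x1001, 0x1002}))

def demo():
    checker = RevocationChecker()
    checker.load(CRL_V1, now=T0 + timedelta(days=1))
    before = checker.status("CN=Example CA", 0x1002, now=T0 + timedelta(days=1))
    checker.load(CRL_V2, now=T0 + timedelta(days=6, hours=1))    # hot refresh
    after = checker.status("CN=Example CA", 0x1002, now=T0 + timedelta(days=6, hours=1))
    stale = checker.status("CN=Example CA", 0x1003, now=T0 + timedelta(days=30))
    return before, after, stale   # ('good', 'revoked', 'unknown')
```

The "unknown" result is the case an automatic refresher exists to avoid: a server that lets its CRL expire either blocks valid clients or, worse, silently stops catching revoked certificates.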
Servers aren’t the only reason to think hard about substitutes for OpenSSL; after all, they aren’t hard to keep patched. SSL alternatives may be needed in other items, such as home routers or cable boxes, which are infrequently updated (if at all) and must be based on code that’s audited as rigorously as possible.
Not all substitutes would work as drop-in replacements, and some might be less useful in certain circles due to licensing concerns. But it’s worth looking into what those projects have to offer. In the long run, it might be more worthwhile to switch rather than patch.