This was actually something I was wondering about for the last several days. I haven’t developed using OpenSSL or anything related to security or networks in the past. But is there no real alternative to OpenSSL? I would be genuinely surprised in this case given that almost every other library has multiple competing implementations.
GnuTLS is the other open-source TLS implementation. It has its own set of security holes.
A quick note: OpenSSL has a BSD license. GnuTLS is LGPL. You’re correct, I’m just noting the license differences.
NSS is also open source (Mozilla/GPL/LGPL licenses).
I was going to mention the license differences, but I’m not sure how much of a role that plays in deciding to use one or the other. Most software depending on a TLS implementation dynamically links to the shared library, so LGPL shouldn’t be an issue.