This is a weird question, since there's almost nothing that uses RSA's library as their TLS library. Every mainstream OS BSAFE is available for already provides a TLS library.
This is a little like asking whether it's safer to use PHP or DTLS.
PolarSSL said it wasn't affected by Heartbleed. There's quite a few non-OpenSSL libraries out there to use which might or might not be affected by any given bug in OpenSSL. I just remember PolarSSL because I stumbled on that claim while reading on users of Frama-C tool for finding bugs. They use it apparently.
The LibreSSL people showed one commit at a time that OpenSSL was just poor coding through and through. I'd expect any implementation that paid more attention to code quality to do better. That's just one part of getting a crypto library done right, though.
You say those OpenSSL alternatives can be dangerous. Yet, you also never recommend against OpenSSL despite it proving itself to be quite dangerous in more ways than just cryptographic. Strange double standard.
Anyway, Fox IT [1] recently used PolarSSL in their OpenVPN respin. It's been immune to a number of issues that hit OpenSSL while their mailing list indicates steady work at finding and fixing its own problems. Improved the cryptographic defaults, too. The effort is open source. If you see non-OpenSSL crypto problems, feel free to publish them and suggest improvements so people in or outside those projects can make the systems better. So far, you mainly just blanket recommend against while pushing dangerous stuff (OpenSSL) on readers.
Note: At least you endorsed two alternatives to OpenSSL in this one. A first.
That's straightforward and means we agree on an alternative (LibreSSL). You haven't mentioned the converse issue though: only vague warnings with a broad word (cryptographic). I'm not even disagreeing with you on PolarSSL, necessarily. The problem is you quickly dismiss them without details while you don't do the same for OpenSSL despite known, horrific details available justifying avoiding it. So, I guess the dispute boils down to those issues:
1. What's the specific reason those libraries suck worse than OpenSSL (which SUCKS) and where did you publish that for peer review/improvement?
2. Why don't you treat OpenSSL the same for all its problems and recommend what you believe is a decent alternative (eg LibreSSL)? (Double standards always bother me in this field.)
That's the consistent trend in these threads: deny several for vague reasons; fine with a known bad one despite non-vague reasons against.
My first question was serious--If there is a secure and reliable commercial ssl library out there, I know people would pay for it. No one wants to deal with these reoccurring OpenSSL issues while they work to clean up their code.
If they're really any good, I'll at least say that hardly anyone will pay for a secure alternative. It's hard to sell more secure anything to businesses. Much less a protocol library that they have to integrate into everything. Especially at the prices they're sold at by the companies that might be competent enough to make a good library. They want to get back their engineering investment while users want the product for next to nothing.
There's also the problem of integrating it into GPL software. Many companies are using such software. Companies specializing in software I.P. don't want their stuff released as GPL because it was used in a GPL app. There's ways to skirt around this but they add complexity. Stuff like this is why I recommend BSD-style licenses so that good, proprietary stuff can be integrated with it.
I agree most small time companies would not spend an extra price for a library. Even though doing so would make sense based on the financial risk you take by utilizing a free option.
With that said, major vendors who sell very expensive gear that use open source libraries like OpenSSL could afford to pay a license fee per device, and then pass that price on to their enterprise customers. An enterprise customer would gladly pay an extra 500-1000 dollars for a stable SSL/TLS library if it meant they wouldn't have to upgrade their devices every ~8 weeks due to OpenSSL bugs. Its cheaper to pay for a more stable/secure library (if one exists) than to upgrade mission critical devices so often (or worse, get hacked).
One thing you can say is that a bank has a lot to lose--they'll invest in whatever it takes to secure their networks and devices.
They could and that is one of the models. It's a very niche, tiny group that would. I mostly saw developments in high-end smartcards, premium guards in defense, custom work for government/commercial by contractors in high assurance... that's pretty much it. There's so little work in high security field that I straight up left it and now mainly do R&D on various problems. Even NSA uses HAIPE and SCIP internally for Type 1 (their best) stuff. They clearly didn't trust SSL/TLS, even default IPsec, from the get go. Most just use whatever is cheapest with majority of those buying "certified" products doing it for extra government sales and false due diligence (C.Y.A.).
That includes banks. They get breached all the time in various ways while trying to hide it or obscure what exactly happened. I've seen this myself. One said the industry goal is to keep their losses at about 6% or less of risky revenues. They have just enough security (and incompetent enemies) to achieve this. The other trick is "investing in" politicians to keep liability laws in their favor to block most lawsuit risk. Past these two, most banks are focused on just cranking out more profit. Just like everyone else.
Post-Snowden, we've seen increase demand for real security. Yet, it requires you to ditch a fully-featured OS, most Internet functionality, a bit of performance, and a significant chunk of the wallet. Further, the widespread use of IT and security that are shit makes most people not know what a strong offering would even look like. These combine to make the sales process for high security an uphill battle. Not likely to change: even I tell new people interested to treat it as a hobby and do mainstream INFOSEC practices to ensure job security. We embed our style invisibly where we can, though. ;)
