<div dir="ltr">Hi Martin,<div>I would keep ikev1and ikev2 , but how can i disable .</div><div><span style="font-family:arial,sans-serif;font-size:13px"> * updown: if you don't need leftfirewall/leftupdown options</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px"> * attr: if you don't set IKE attributes in strongswan.conf</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px"> * x509: openssl has its own (but simpler) certificate support</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px"> * constraints: if you don't need advanced x509 constraints</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px"> checking</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px"> * revocation: if you don't need CRL/OCSP checking</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px"> * reslove: if you don't receive DNS configuration from an IKE</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px"> server</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px"> * pubkey: usually not needed</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px"> * random: OpenSSL provides an RNG (for lower qualities) itself</span><br></div><div><span style="font-family:arial,sans-serif;font-size:13px">Are these above compiled by default and is there a configuration option to disable the same.</span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">Thanks</span></div><div><span style="font-family:arial,sans-serif;font-size:13px">Naveen</span></div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Sep 13, 2013 at 1:20 AM, Martin Willi <span dir="ltr"><<a href="mailto:martin@strongswan.org" target="_blank">martin@strongswan.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<div class="im"><br>
> Is there a way to reduce the size of charon and strongswan<br>
<br>
</div>> #./configure CPPFLAGS=-Os<br>
<br>
Passing -Os as preprocessor flag does not work (and makes no sense),<br>
because strongSwan has default CFLAGS with -O2. Set -Os in CFLAGS<br>
instead.<br>
<br>
> --enable-monolithic<br>
<br>
A monolithic build can reduce the size slightly, so you should keep that.<br>
<div class="im"><br>
> -rw-r--r-- 1 root users 10998220 Sep 12 16:16 libcharon.a<br>
> -rwxr-xr-x 1 root users 974 Sep 12 16:16 <a href="http://libcharon.la" target="_blank">libcharon.la</a><br>
> lrwxrwxrwx 1 root users 18 Sep 12 16:16 libcharon.so -> libcharon.so.0.0.0<br>
> lrwxrwxrwx 1 root users 18 Sep 12 16:16 libcharon.so.0 -> libcharon.so.0.0.0<br>
> -rwxr-xr-x 1 root users 4687143 Sep 12 16:16 libcharon.so.0.0.0<br>
<br>
</div>After make install, you can remove the *.a and *.la files, that should<br>
save a few kbytes. Also you should really strip shared libraries and<br>
binaries after installation with a "strip" tool of your choice.<br>
<br>
It also seems that LLVM can produce slightly smaller binaries than gcc,<br>
so if it is an option you can try to set CC=clang.<br>
<br>
Regarding plugins, you might consider disabling the following:<br>
* updown: if you don't need leftfirewall/leftupdown options<br>
* attr: if you don't set IKE attributes in strongswan.conf<br>
* x509: openssl has its own (but simpler) certificate support<br>
* constraints: if you don't need advanced x509 constraints<br>
checking<br>
* revocation: if you don't need CRL/OCSP checking<br>
* reslove: if you don't receive DNS configuration from an IKE<br>
server<br>
* pubkey: usually not needed<br>
* random: OpenSSL provides an RNG (for lower qualities) itself<br>
Disabling these plugins does not have a huge impact, though.<br>
<br>
OpenSSL by itself is huge, btw. If you have no other users for it, you<br>
should consider removing it and use our own crypto plugins instead.<br>
<br>
If you don't need IKEv1/IKEv2, you should disable these protocols<br>
accordingly.<br>
<br>
Following all these tips, it should be possible to reduce the overall<br>
strongSwan footprint to under 1MB.<br>
<br>
Regards<br>
<span class="HOEnZb"><font color="#888888">Martin<br>
<br>
</font></span></blockquote></div><br></div>