[strongSwan] reduce size
martin at strongswan.org
Fri Sep 13 10:20:53 CEST 2013
> Is there a way to reduce the size of charon and strongswan
> #./configure CPPFLAGS=-Os
Passing -Os as preprocessor flag does not work (and makes no sense),
because strongSwan has default CFLAGS with -O2. Set -Os in CFLAGS
A monolithic build can reduce the size slightly, so you should keep that.
> -rw-r--r-- 1 root users 10998220 Sep 12 16:16 libcharon.a
> -rwxr-xr-x 1 root users 974 Sep 12 16:16 libcharon.la
> lrwxrwxrwx 1 root users 18 Sep 12 16:16 libcharon.so -> libcharon.so.0.0.0
> lrwxrwxrwx 1 root users 18 Sep 12 16:16 libcharon.so.0 -> libcharon.so.0.0.0
> -rwxr-xr-x 1 root users 4687143 Sep 12 16:16 libcharon.so.0.0.0
After make install, you can remove the *.a and *.la files, that should
save a few kbytes. Also you should really strip shared libraries and
binaries after installation with a "strip" tool of your choice.
It also seems that LLVM can produce slightly smaller binaries than gcc,
so if it is an option you can try to set CC=clang.
Regarding plugins, you might consider disabling the following:
* updown: if you don't need leftfirewall/leftupdown options
* attr: if you don't set IKE attributes in strongswan.conf
* x509: openssl has its own (but simpler) certificate support
* constraints: if you don't need advanced x509 constraints
* revocation: if you don't need CRL/OCSP checking
* reslove: if you don't receive DNS configuration from an IKE
* pubkey: usually not needed
* random: OpenSSL provides an RNG (for lower qualities) itself
Disabling these plugins does not have a huge impact, though.
OpenSSL by itself is huge, btw. If you have no other users for it, you
should consider removing it and use our own crypto plugins instead.
If you don't need IKEv1/IKEv2, you should disable these protocols
Following all these tips, it should be possible to reduce the overall
strongSwan footprint to under 1MB.
More information about the Users