[strongSwan] reduce size

Naveen Neelakanta nbnopenswan at gmail.com
Fri Sep 13 17:23:42 CEST 2013


Hi Martin,
I would keep ikev1 and ikev2, but how can I disable:
      * updown: if you don't need leftfirewall/leftupdown options
      * attr: if you don't set IKE attributes in strongswan.conf
      * x509: openssl has its own (but simpler) certificate support
      * constraints: if you don't need advanced x509 constraints
        checking
      * revocation: if you don't need CRL/OCSP checking
      * resolve: if you don't receive DNS configuration from an IKE
        server
      * pubkey: usually not needed
      * random: OpenSSL provides an RNG (for lower qualities) itself
Are these above compiled by default, and is there a configuration option to
disable the same?

Thanks
Naveen


On Fri, Sep 13, 2013 at 1:20 AM, Martin Willi <martin at strongswan.org> wrote:

> Hi,
>
> > Is there a way to reduce the size of charon and strongswan
>
> > #./configure CPPFLAGS=-Os
>
> Passing -Os as preprocessor flag does not work (and makes no sense),
> because strongSwan has default CFLAGS with -O2. Set -Os in CFLAGS
> instead.
>
> > --enable-monolithic
>
> A monolithic build can reduce the size slightly, so you should keep that.
>
> > -rw-r--r-- 1 root users 10998220 Sep 12 16:16 libcharon.a
> > -rwxr-xr-x 1 root users      974 Sep 12 16:16 libcharon.la
> > lrwxrwxrwx 1 root users       18 Sep 12 16:16 libcharon.so -> libcharon.so.0.0.0
> > lrwxrwxrwx 1 root users       18 Sep 12 16:16 libcharon.so.0 -> libcharon.so.0.0.0
> > -rwxr-xr-x 1 root users  4687143 Sep 12 16:16 libcharon.so.0.0.0
>
> After make install, you can remove the *.a and *.la files, that should
> save a few kbytes. Also you should really strip shared libraries and
> binaries after installation with a "strip" tool of your choice.
>
> It also seems that LLVM can produce slightly smaller binaries than gcc,
> so if it is an option you can try to set CC=clang.
>
> Regarding plugins, you might consider disabling the following:
>       * updown: if you don't need leftfirewall/leftupdown options
>       * attr: if you don't set IKE attributes in strongswan.conf
>       * x509: openssl has its own (but simpler) certificate support
>       * constraints: if you don't need advanced x509 constraints
>         checking
>       * revocation: if you don't need CRL/OCSP checking
>       * resolve: if you don't receive DNS configuration from an IKE
>         server
>       * pubkey: usually not needed
>       * random: OpenSSL provides an RNG (for lower qualities) itself
> Disabling these plugins does not have a huge impact, though.
>
> OpenSSL by itself is huge, btw. If you have no other users for it, you
> should consider removing it and use our own crypto plugins instead.
>
> If you don't need IKEv1/IKEv2, you should disable these protocols
> accordingly.
>
> Following all these tips, it should be possible to reduce the overall
> strongSwan footprint to under 1MB.
>
> Regards
> Martin
>
>
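
The size-reduction steps from this thread collected into one script, as an added example that is not part of either message or of strongSwan itself. It assumes strongSwan's `--disable-<plugin>` configure switches, an OpenSSL-backed build (`--enable-openssl`) and a GNU-compatible `strip`; it keeps `revocation` enabled so CRL/OCSP checking stays on.

```shell
#!/bin/sh
# Added example, not from the thread: a reduced-footprint strongSwan build.
# Assumption: the plugins named in the thread are switched off with
# --disable-<plugin>, and OpenSSL stays in use (--enable-openssl).

# Plugins from the thread's list. "revocation" is deliberately left out
# here so that CRL/OCSP checking remains available (assumed requirement).
DROP_PLUGINS="updown attr x509 constraints resolve pubkey random"

# Print the ./configure arguments: -Os goes in CFLAGS, not CPPFLAGS.
configure_args() {
    printf '%s' "CFLAGS=-Os --enable-monolithic --enable-openssl"
    for p in $DROP_PLUGINS; do
        printf ' --disable-%s' "$p"
    done
    printf '\n'
}

# Post-install cleanup under install prefix $1:
#   1. delete static archives (*.a) and libtool files (*.la)
#   2. strip shared libraries and executables that really are ELF files
# Prints the number of files deleted in step 1.
slim_install() {
    prefix=$1
    [ -d "$prefix" ] || { echo "no such directory: $prefix" >&2; return 1; }

    removed=$(find "$prefix" -type f \( -name '*.a' -o -name '*.la' \) | wc -l)
    find "$prefix" -type f \( -name '*.a' -o -name '*.la' \) -exec rm -f {} +

    if command -v strip >/dev/null 2>&1; then
        # -type f skips the libcharon.so -> libcharon.so.0.0.0 symlinks.
        find "$prefix" -type f \( -name '*.so*' -o -perm -100 \) |
        while IFS= read -r f; do
            # Check the 4-byte ELF magic so scripts and data are untouched.
            magic=$(head -c 4 "$f" | od -An -c | tr -d ' \n')
            if [ "$magic" = '177ELF' ]; then
                strip --strip-unneeded "$f" || echo "strip failed: $f" >&2
            fi
        done
    fi
    echo $((removed))
}

# Typical sequence (the prefix is a placeholder):
#   ./configure $(configure_args) && make && make install
#   slim_install /path/to/prefix
configure_args
```
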