Hi Martin, I would keep ikev1and ikev2 , but how can i disable . * updown: if you don't need leftfirewall/leftupdown options * attr: if you don't set IKE attributes in strongswan.conf * x509: openssl has its own (but simpler) certificate support * constraints: if you don't need advanced x509 constraints checking * revocation: if you don't need CRL/OCSP checking * reslove: if you don't receive DNS configuration from an IKE server * pubkey: usually not needed * random: OpenSSL provides an RNG (for lower qualities) itself Are these above compiled by default and is there a configuration option to disable the same.
Thanks Naveen On Fri, Sep 13, 2013 at 1:20 AM, Martin Willi <mar...@strongswan.org> wrote: > Hi, > > > Is there a way to reduce the size of charon and strongswan > > > #./configure CPPFLAGS=-Os > > Passing -Os as preprocessor flag does not work (and makes no sense), > because strongSwan has default CFLAGS with -O2. Set -Os in CFLAGS > instead. > > > --enable-monolithic > > A monolithic build can reduce the size slightly, so you should keep that. > > > -rw-r--r-- 1 root users 10998220 Sep 12 16:16 libcharon.a > > -rwxr-xr-x 1 root users 974 Sep 12 16:16 libcharon.la > > lrwxrwxrwx 1 root users 18 Sep 12 16:16 libcharon.so -> > libcharon.so.0.0.0 > > lrwxrwxrwx 1 root users 18 Sep 12 16:16 libcharon.so.0 -> > libcharon.so.0.0.0 > > -rwxr-xr-x 1 root users 4687143 Sep 12 16:16 libcharon.so.0.0.0 > > After make install, you can remove the *.a and *.la files, that should > save a few kbytes. Also you should really strip shared libraries and > binaries after installation with a "strip" tool of your choice. > > It also seems that LLVM can produce slightly smaller binaries than gcc, > so if it is an option you can try to set CC=clang. > > Regarding plugins, you might consider disabling the following: > * updown: if you don't need leftfirewall/leftupdown options > * attr: if you don't set IKE attributes in strongswan.conf > * x509: openssl has its own (but simpler) certificate support > * constraints: if you don't need advanced x509 constraints > checking > * revocation: if you don't need CRL/OCSP checking > * reslove: if you don't receive DNS configuration from an IKE > server > * pubkey: usually not needed > * random: OpenSSL provides an RNG (for lower qualities) itself > Disabling these plugins does not have a huge impact, though. > > OpenSSL by itself is huge, btw. If you have no other users for it, you > should consider removing it and use our own crypto plugins instead. > > If you don't need IKEv1/IKEv2, you should disable these protocols > accordingly. > > Following all these tips, it should be possible to reduce the overall > strongSwan footprint to under 1MB. > > Regards > Martin > >
_______________________________________________ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users