8

I have used pre-built static libs of OpenSSL 1.0, but it makes my binary too big (increasing its size by about 800Kb in release mode).

I do not need most of the features of OpenSSL, such as BIO; I use my own sockets, so in the code I am only using a couple of SSL_XXXXXXXXX calls (SSL_accept(3) or SSL_connect(3), SSL_read(3) and SSL_write(3)).

My only requirement is support for SSLv2/v3 with Winsock on Windows, and sockets on Linux, for both client and server side (for C++).

Is there any way to make OpenSSL much smaller (maybe by compiling it myself) or, as a last resort, any other good but more lightweight SSL library that meets my requirements? The lib must be linked statically.

Thank you

JP.
  • Is there a reason 800Kb is a deal breaker? In the end if you want to start trimming down the OpenSSL libs, you'll have to start going through and weeding out functions that you do not need (which can get a bit hairy if you don't understand the entire inner workings). – Suroot Mar 24 '11 at 02:16
  • 1
    Current binary size is about 700Kb, and it's already big for our deployment; adding 800Kb seems small, but makes the whole thing twice as big. Unfortunately 1.5Mb is just not an option :( – JP. Mar 24 '11 at 03:43

3 Answers

6

I think you want this page, particularly the section on code size:

https://en.wikipedia.org/w/index.php?title=Comparison_of_TLS_implementations&oldid=585386367#Code_size_and_dependencies

(dated December 2013)

update: Alas no longer a part of the updated page.

Steve-o
  • Thanks, seems like CyaSSL could be an option, but I will wait to see if someone has an idea on how to cut down OpenSSL size. – JP. Mar 24 '11 at 03:45
  • Seems like CyaSSL is perfect for me, and it only takes 100-125Kb, and has an OpenSSL compatibility layer. Thanks – JP. Mar 25 '11 at 01:07
  • 1
    As of 2019, this link no longer answers the question, because the Wikipedia page no longer has a "section on code size." – Edward Apr 25 '19 at 18:57
4

You can try compiling it yourself with -ffunction-sections and -fdata-sections, which tell gcc to put each function and global data variable in a separate section inside the object.

(When using static libraries, the linker copies the entire object which contains the needed function from the archive to the application.)

fwhacking
2

OpenSSL does have a large number of compile-time options to control what features are built. I believe that the SSL functions use BIOs underneath, so you'll still need those, but there's a lot of other functionality you can probably go without (like ciphers you won't use, envelope encryption, S/MIME support...).

I'm not sure how much it will reduce the binary size by, but it's worth a try.

caf
  • Here are the options I found so far; unfortunately they are not documented anywhere except inside a mk1mf.pl file (no ref in the Readme). I am still looking at this. – JP. Mar 24 '11 at 15:31
  • Sorry, looks like all the options are too big to post here, but the option "just-ssl" looks promising, though it might not bring the size down enough. – JP. Mar 24 '11 at 15:33
  • 2
    So, here are the results: I added a big bunch of no-includes: no-asm no-ssl2 no-zlib no-rc2 no-idea no-des no-bf no-cast no-md2 no-mdc2 no-dh no-err no-ripemd no-rc5 no-camellia no-seed no-krb5. The end result is that the size is down by 200Kb. Original size = 650Kb, with full OpenSSL = 1416Kb, with the exclusions 1257. I am now looking at other implementations. – JP. Mar 24 '11 at 17:19