7
votes

I have used pre-built static libs of OpenSSL 1.0, but they make my binary too big (increasing its size by about 800Kb in release mode).

I do not need most of the features of OpenSSL, such as BIO; I use my own sockets. Therefore, in the code I am only using a couple of SSL_XXXXXXXXX calls (SSL_accept(3) or SSL_connect(3), SSL_read(3) and SSL_write(3)).

My only requirement is support for SSLv2/v3 with Winsock on Windows and sockets on Linux, for both client and server side (for C++).

Is there any way to make OpenSSL much smaller (maybe by compiling it myself) or, as a last resort, any other good but more lightweight SSL library that meets my requirements? The lib must be linked statically.

Thank you

3
Is there a reason 800Kb is a deal breaker? In the end if you want to start trimming down the OpenSSL libs, you'll have to start going through and weeding out functions that you do not need (which can get a bit hairy if you don't understand the entire inner workings). Suroot
Current binary size is about 700Kb, and it's already big for our deployment; adding 800Kb seems small, but makes the whole thing twice as big. Unfortunately 1.5Mb is just not an option :( JP.

3 Answers

6
votes

I think you want this page, particularly the section on code size:

https://en.wikipedia.org/w/index.php?title=Comparison_of_TLS_implementations&oldid=585386367#Code_size_and_dependencies

(dated December 2013)

update: Alas no longer a part of the updated page.

4
votes

You can try compiling it yourself with -ffunction-sections and -fdata-sections, which tell gcc to put each function and global data variable in a separate section inside the object.

(When using static libraries, the linker copies the entire object which contains the needed function from the archive to the application.)

2
votes

OpenSSL does have a large number of compile-time options to control what features are built. I believe that the SSL functions use BIOs underneath, so you'll still need those, but there's a lot of other functionality you can probably go without (like ciphers you won't use, envelope encryption, S/MIME support...).

I'm not sure how much it will reduce the binary size by, but it's worth a try.