TLS code size on OpenWRT 10.03

Simon Josefsson simon at
Wed Feb 9 20:57:24 CET 2011


For curiousity I built all TLS implementations that OpenWRT 10.03
supports, for the mips/brcm-2.4 platform (the default) like this:

svn co svn://
mv backfire/ openwrt-10.03
cd openwrt-10.03/
make package/symlinks
make menuconfig
# go to Libraries=>SSL and enable them all

The installed (stripped) object size is as follows:

jas at latte:~/src/openwrt-10.03$ ls -laR build_dir/target-mipsel_uClibc-*/ipkg-brcm-2.4|egrep -e '(libaxtls|libcyassl|libgnutls|libmatrixssl|libssl|libpolarssl)\.so' | grep -v -e ' -> ' -e \\.la
-rwxr-xr-x 1 jas jas 74970  9 feb 20.06
-rwxr-xr-x 1 jas jas 144407  9 feb 20.04
-rwxr-xr-x 1 jas jas 548215  9 feb 20.10
-rwxr-xr-x 1 jas jas 82311  9 feb 20.10
-rw-r--r-- 1 jas jas  249115  9 feb 20.13
-rwxr-xr-x 1 jas jas 211210  9 feb 20.10
jas at latte:~/src/openwrt-10.03$ 

Of course, that isn't the complete picture since dependencies aren't
included.  I believe these dependencies are involved:

-rwxr-xr-x 1 jas jas 66018  9 feb 20.06
-rwxr-xr-x 1 jas jas 326403  9 feb 20.07
-rwxr-xr-x 1 jas jas 11162  9 feb 20.06
-rw-r--r-- 1 jas jas 75618  9 feb 20.02
-rw-r--r-- 1 jas jas 1077339  9 feb 20.13

Thus the results would be:

AXTLS: 75kb no dependencies?
CyaSSL: 144kb no dependencies?
GnuTLS: 548kb zlib 66kb libgcrypt 326kb libgpg-error 11kb => 951kb
MatrixSSL: 82kb (+pthread 76kb) => 82/158kb
OpenSSL: 249kb libcrypto 1077kb => 1326kb
PolarSSL: 211kb no dependencies?

Libpthread is part of base-files, so I'm not sure it is fair to include
it as a dependency of MatrixSSL but none of the other libraries depended
on libpthread so it should be mentioned.

Note that GnuTLS's zlib support could be disabled (which is done by at
least OpenSSL and CyaSSL) to save the 66kb from zlib and likely a few
kb's in GnuTLS too, resulting in a ~880kb size for GnuTLS.

And finally note that the abilities of the libraries are very different.
For example, both OpenSSL and GnuTLS are large projects that contains
many things that are useful but not strictly necessary by a TLS
implementation.  The supported features of some projects are mentioned
on this page

however the builds in OpenWRT disable some of the features.  I'm curious
how small you could get GnuTLS if you really tried...


More information about the Gnutls-devel mailing list