Hi Alexander, Thanks for your reply and yes, I expect you are right about some clients not supporting large certificates. Thanks for your help! Regards, Brian Smith Ph. 602-436-6691 Honeywell -----Original Message----- From: freeradius-users-bounces+brian.smith=honeywell.com@lists.freeradius.org [mailto:freeradius-users-bounces+brian.smith=honeywell.com@lists.freerad ius.org] On Behalf Of Alexander Clouter Sent: Friday, February 20, 2009 12:52 PM To: freeradius-users@lists.freeradius.org Subject: Re: Free Radius problem with sending large certificate chains,using EAP-TLS Hi, * Smith, Brian (ESEA IS&A) <brian.smith@honeywell.com> [Fri, 20 Feb 2009 11:15:01 -0700]:
We are running freeradius, version 1.1.7, on Fedora. We are testing WPA2/EAP-TLS authentication, with large certificate chains (just under 64K in PEM format). Some individual cert sizes in the chain approach 10K in DER format. If the chain is small enough to fit in a single
TLS
message, authentication works fine. But is the chain is greater than 16,384 bytes, eap-tls fails. Looking at a packet trace, freeradius does not send a message above 16.438 bytes. Instead of breaking it up into different records, it attempts to send it in one TLS record, with fragments that are too large.
Overlooking the possible FreeRADIUS bug, I'm pretty sure I remember chatting to Tom Rixom (of SecureW2 fame) and he was grumbling that some supplicants[1] would not accept standalone certificates above 4kB in size (it was something like that); as that's all the memory set aside in a buffer internally. You might find there are supplicants out there that are going to sulk when forced to accept such whopping payloads :) Cheers [1] in this case the grumble was pointed at Microsoft Windows CE -- Alexander Clouter .sigmonster says: Encyclopedia for sale by father. Son knows everything. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html