Pedro Ribeiro <pribeiro-bulk@net.ipl.pt> wrote:
The "Radiator" people are talking about problems with SSL empty fragments handing in Windows Vista ... I've tried to compile FreeRADIUS with SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS but the final result is the same, clients can't connect!
i.e. the patch below MAY help. There is still an issue in the FreeRADIUS state machine where it MAY send an empty ACK once the SSL tunnel is set up. Most clients seem to be OK with this, but maybe Vista isn't. A solution, I *think* would be to have FreeRADIUS send an EAP Identity request inside of the tunneled session for PEAP, as soon as the session is established. This should work with third-party supplicants, and may allow Vista to work, too. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog Index: src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c =================================================================== RCS file: /source/radiusd/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c,v retrieving revision 1.21.4.11 diff -u -r1.21.4.11 rlm_eap_tls.c --- src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c 26 Oct 2006 17:13:04 -0000 1.21.4.11 +++ src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c 28 Nov 2006 22:04:44 -0000 @@ -368,7 +368,7 @@ * time needed during negotiation, but it is not very * large. */ - ctx_options |= SSL_OP_SINGLE_DH_USE; + ctx_options |= SSL_OP_SINGLE_DH_USE | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; SSL_CTX_set_options(ctx, ctx_options); /*