Stefan Winter wrote:
The RADIUS/TLS wrapper around those datagrams is not size-limited at all
The TLS protocol sends data in packets with headers. Those packets can be up to 64K in length. The TLS code in FreeRADIUS was originally based on the EAP-TLS code. The EAP-TLS packets run over ethernet, which means that the encoded RADIUS + EAP + TLS packets must fit within an ethernet frame. i.e. about 1K. The TLS code in FreeRADIUS still has that limitation.
My guess is that main/tls.c "thinks" it operates within a EAP context and tries to warn of too big data chunks, while there is actually nothing to warn about.
Yeah. The warning is just that the code doesn't handle more than 1K of TLS data at a time. It's easy enough to fix, though. Alan DeKok.