Hi, * Smith, Brian (ESEA IS&A) <brian.smith@honeywell.com> [Fri, 20 Feb 2009 11:15:01 -0700]:
We are running freeradius, version 1.1.7, on Fedora. We are testing WPA2/EAP-TLS authentication, with large certificate chains (just under 64K in PEM format). Some individual cert sizes in the chain approach 10K in DER format. If the chain is small enough to fit in a single TLS message, authentication works fine. But is the chain is greater than 16,384 bytes, eap-tls fails. Looking at a packet trace, freeradius does not send a message above 16.438 bytes. Instead of breaking it up into different records, it attempts to send it in one TLS record, with fragments that are too large.
Overlooking the possible FreeRADIUS bug, I'm pretty sure I remember chatting to Tom Rixom (of SecureW2 fame) and he was grumbling that some supplicants[1] would not accept standalone certificates above 4kB in size (it was something like that); as that's all the memory set aside in a buffer internally. You might find there are supplicants out there that are going to sulk when forced to accept such whopping payloads :) Cheers [1] in this case the grumble was pointed at Microsoft Windows CE -- Alexander Clouter .sigmonster says: Encyclopedia for sale by father. Son knows everything.