Automatic report from sources (radiusd) between 19.11.2007 - 20.11.2007 GMT

Jouni Malinen j at
Wed Nov 21 06:04:57 CET 2007

On Wed, Nov 21, 2007 at 03:56:09AM +0100, Alan DeKok wrote:

>   The code should now get a little farther in doing PEAP/EAP-TLS, but it
> still doesn't work.  I'm no OpenSSL expert, but at least the FreeRADIUS
> side looks a little better now.

Something odd is happening with the EAP-PEAP fragmentation.. If I set
fragment_size=1300 in FreeRADIUS configuration, the first Phase 2
message from FreeRADIUS has TLS Message Length of 1333. The first
fragment includes 1300 bytes, so I would expect to see the remaining 33
bytes on the next fragment. However, that fragment is 37 bytes, i.e.,
extra 4 bytes.

If I change fragment_size to 1200, the TLS Message Length become 1237.
This does not sound correct, since the total data length should be more
or less the same here regardless of the fragment size (well, up to a
certain limit since making this very small could add more fragmentation
overhead to phase 2). However, with this fragment_size, the second
message is 37 bytes and that matches with the TLS Message Length. The
reassembled data is not a valid SSL record, though..

It looks like there are at least two issues. The TLS Message Length is
set to about fragment_size regardless of the real phase 2 length, i.e.,
the phase 2 gets truncated, not fragmented in full. In addition, the
phase 1 fragmentation seems to end up reporting incorrect total length
for the fragments (i.e., TLS Message Length can be smaller than the sum
of the lengths of all fragments).

Jouni Malinen                                            PGP id EFC895FA

More information about the Freeradius-Devel mailing list