Free Radius problem with sending large certificate chains, using EAP-TLS

Alexander Clouter alex at
Fri Feb 20 20:51:31 CET 2009


* Smith, Brian (ESEA IS&A) <brian.smith at> [Fri, 20 Feb 2009 11:15:01 -0700]:
> We are running freeradius, version 1.1.7, on Fedora.  We are testing
> WPA2/EAP-TLS authentication, with large certificate chains (just under
> 64K in PEM format).  Some individual cert sizes in the chain approach
> 10K in DER format.  If the chain is small enough to fit in a single TLS
> message, authentication works fine.  But is the chain is greater than
> 16,384 bytes, eap-tls fails.  Looking at a packet trace, freeradius does
> not send a message above 16.438 bytes.  Instead of breaking it up into
> different records, it attempts to send it in one TLS record, with
> fragments that are too large.
Overlooking the possible FreeRADIUS bug, I'm pretty sure I remember 
chatting to Tom Rixom (of SecureW2 fame) and he was grumbling that some 
supplicants[1] would not accept standalone certificates above 4kB in 
size (it was something like that); as that's all the memory set aside in 
a buffer internally.

You might find there are supplicants out there that are going to sulk 
when forced to accept such whopping payloads :)


[1] in this case the grumble was pointed at Microsoft Windows CE

Alexander Clouter
.sigmonster says: Encyclopedia for sale by father.  Son knows everything.

More information about the Freeradius-Users mailing list