Free Radius problem with sending large certificate chains, using EAP-TLS
alex at digriz.org.uk
Fri Feb 20 20:51:31 CET 2009
* Smith, Brian (ESEA IS&A) <brian.smith at honeywell.com> [Fri, 20 Feb 2009 11:15:01 -0700]:
> We are running freeradius, version 1.1.7, on Fedora. We are testing
> WPA2/EAP-TLS authentication, with large certificate chains (just under
> 64K in PEM format). Some individual cert sizes in the chain approach
> 10K in DER format. If the chain is small enough to fit in a single TLS
> message, authentication works fine. But is the chain is greater than
> 16,384 bytes, eap-tls fails. Looking at a packet trace, freeradius does
> not send a message above 16.438 bytes. Instead of breaking it up into
> different records, it attempts to send it in one TLS record, with
> fragments that are too large.
Overlooking the possible FreeRADIUS bug, I'm pretty sure I remember
chatting to Tom Rixom (of SecureW2 fame) and he was grumbling that some
supplicants would not accept standalone certificates above 4kB in
size (it was something like that); as that's all the memory set aside in
a buffer internally.
You might find there are supplicants out there that are going to sulk
when forced to accept such whopping payloads :)
 in this case the grumble was pointed at Microsoft Windows CE
.sigmonster says: Encyclopedia for sale by father. Son knows everything.
More information about the Freeradius-Users