Free Radius problem with sending large certificate chains, using EAP-TLS

Alan DeKok aland at
Sat Feb 21 09:37:09 CET 2009

Smith, Brian (ESEA IS&A) wrote:
> We are running freeradius, version 1.1.7, on Fedora.  We are testing
> WPA2/EAP-TLS authentication, with large certificate chains (just under
> 64K in PEM format). 

  Ouch... that's big.

> Some individual cert sizes in the chain approach
> 10K in DER format.  If the chain is small enough to fit in a single TLS
> message, authentication works fine.  But if the chain is greater than
> 16,384 bytes, eap-tls fails.  Looking at a packet trace, freeradius does
> not send a message above 16.438 bytes.  Instead of breaking it up into
> different records, it attempts to send it in one TLS record, with
> fragments that are too large. 

  Hmm... OK.

> Per RFCs 2716 and 5216, it seems freeradius should break a single TLS
> message (larger than one 16,384 byte record can support) into multiple
> TLS records. 

  It's supposed to.  It doesn't, however.

> We could not find anything on this problem in the FAQ or user lists.
> Can someone tell us what we are doing wrong, or is this a bug which
> hasn't been reported, since this large cert chain is rare?  We will
> update to the latest freeradius release.

  I think that this is the first time someone ran into this problem.

  The other issue is that 64k certificate chains may cause other
problems.  Both supplicants && access points have EAP packet counters.
After 30-50 packets in one EAP session, they simply drop the session as
"taking too long".

  i.e. You might get FreeRADIUS to support 64K certificate chains, and
then discover that none of the access points or PCs can support it.

  I don't think it's too hard to fix this, it just requires some
additional code to deal with messages greater than 16K.  Right now, all
of the internal code assumes that the maximum message size is one TLS

  Alan DeKok.
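As an added illustration of the two layers the thread talks about (this is example code written for this page, not FreeRADIUS source), the block below shows, in Python, the record splitting a server has to do when one TLS handshake message is larger than the 2^14-byte record limit, and the EAP-TLS fragmentation on top of it with the L and M flags and the TLS Message Length field from RFC 2716 / RFC 5216. It also keeps the unsplit single-record form described in the report beside the correct one so a checker can show why a peer rejects it. The 40,000-byte handshake message is a constructed stand-in for a large Certificate message; the 1024-byte EAP MTU and the helper names are assumptions.

```python
import struct

TLS_MAX_FRAGMENT = 16384       # 2**14: plaintext limit of one TLS record (RFC 2246 section 6.2.1)
TLS_CONTENT_HANDSHAKE = 22
TLS_VERSION = (3, 1)           # record-layer version for TLS 1.0, as used by RFC 2716
EAP_CODE_REQUEST = 1
EAP_TYPE_TLS = 13
# EAP-TLS flag bits (RFC 2716 / RFC 5216, section 3.1)
FLAG_L = 0x80   # a 4-byte TLS Message Length follows the flags
FLAG_M = 0x40   # more fragments follow

def split_into_tls_records(handshake):
    """Wrap one handshake message in as many records as needed, each carrying at
    most 2^14 bytes of fragment. This is the split the thread says the server must do."""
    records = []
    for off in range(0, len(handshake), TLS_MAX_FRAGMENT):
        frag = handshake[off:off + TLS_MAX_FRAGMENT]
        records.append(struct.pack("!BBBH", TLS_CONTENT_HANDSHAKE, *TLS_VERSION, len(frag)) + frag)
    return b"".join(records)

def one_unsplit_record(handshake):
    """The behaviour the report describes: the whole message in one record, so the
    fragment length exceeds 2^14 once the chain is large. Kept only for comparison."""
    return struct.pack("!BBBH", TLS_CONTENT_HANDSHAKE, *TLS_VERSION, len(handshake)) + handshake

def check_tls_records(stream):
    """Walk a record stream and return each record's fragment length. A fragment
    over 2^14 bytes raises ValueError, which is how a compliant peer treats it."""
    lengths, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated TLS record header")
        _ctype, _major, _minor, flen = struct.unpack("!BBBH", stream[pos:pos + 5])
        if flen > TLS_MAX_FRAGMENT:
            raise ValueError("TLS record fragment of %d bytes exceeds 2^14" % flen)
        if len(stream) - pos - 5 < flen:
            raise ValueError("truncated TLS record body")
        lengths.append(flen)
        pos += 5 + flen
    return lengths

def handshake_from_records(stream):
    """Concatenate the fragments of a checked record stream back into handshake bytes."""
    out, pos = bytearray(), 0
    for flen in check_tls_records(stream):
        out += stream[pos + 5:pos + 5 + flen]
        pos += 5 + flen
    return bytes(out)

def eap_tls_fragments(tls_stream, mtu, first_id=1):
    """Server side: cut a record stream into EAP-Request/EAP-TLS packets of at most
    `mtu` bytes. Overhead is 6 bytes (EAP header, type, flags) plus 4 bytes of
    TLS Message Length on the first fragment only (L bit set)."""
    packets, pos, ident, total = [], 0, first_id, len(tls_stream)
    while True:
        first = pos == 0
        payload = tls_stream[pos:pos + mtu - (10 if first else 6)]
        pos += len(payload)
        flags = (FLAG_L if first else 0) | (FLAG_M if pos < total else 0)
        body = bytes([EAP_TYPE_TLS, flags]) + (struct.pack("!I", total) if first else b"") + payload
        packets.append(struct.pack("!BBH", EAP_CODE_REQUEST, ident & 0xFF, 4 + len(body)) + body)
        ident += 1
        if pos >= total:
            return packets

def reassemble_eap_tls(packets):
    """Peer side: reassemble fragments, holding the sender to the length it declared."""
    buf, declared = bytearray(), None
    for i, pkt in enumerate(packets):
        _code, _ident, length = struct.unpack("!BBH", pkt[:4])
        if length != len(pkt) or pkt[4] != EAP_TYPE_TLS:
            raise ValueError("malformed EAP-TLS packet")
        flags, pos = pkt[5], 6
        if flags & FLAG_L:
            (seen,) = struct.unpack("!I", pkt[6:10])
            if declared is not None and seen != declared:
                raise ValueError("TLS Message Length changed between fragments")
            declared, pos = seen, 10
        elif declared is None:
            raise ValueError("first fragment must carry the L bit")
        buf += pkt[pos:]
        if len(buf) > declared:
            raise ValueError("fragments exceed the declared TLS Message Length")
        if not flags & FLAG_M and i != len(packets) - 1:
            raise ValueError("M bit clear before the last fragment")
    if len(buf) != declared:
        raise ValueError("reassembled %d bytes, %s declared" % (len(buf), declared))
    return bytes(buf)

# Constructed stand-in for a 40,000-byte Certificate message (no real certificates inside).
SAMPLE_HANDSHAKE = (bytes(range(256)) * 157)[:40000]

def round_trip(handshake=SAMPLE_HANDSHAKE, mtu=1024):
    """Records -> EAP fragments -> reassembly -> record check -> handshake bytes.
    Returns (number of EAP packets, per-record fragment lengths, round trip intact)."""
    stream = split_into_tls_records(handshake)
    packets = eap_tls_fragments(stream, mtu)
    recovered = handshake_from_records(reassemble_eap_tls(packets))
    return len(packets), check_tls_records(stream), recovered == handshake
```

With the constructed 40,000-byte message the correct path yields three records (16384, 16384 and 7232 bytes) carried in 40 EAP packets at a 1024-byte MTU, which is exactly the packet-count range Alan warns supplicants and access points may give up on; `check_tls_records(one_unsplit_record(SAMPLE_HANDSHAKE))` raises on the single oversized record.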
