Free Radius problem with sending large certificate chains, using EAP-TLS

Smith, Brian (ESEA IS&A) brian.smith at
Mon Feb 23 19:34:46 CET 2009

Hi Alexander,
Thanks for your reply and yes, I expect you are right about some clients
not supporting large certificates.  Thanks for your help!

Brian Smith
Ph. 602-436-6691

-----Original Message-----
From: at
[ at lists.freerad] On Behalf Of Alexander Clouter
Sent: Friday, February 20, 2009 12:52 PM
To: freeradius-users at
Subject: Re: Free Radius problem with sending large certificate chains, using EAP-TLS


* Smith, Brian (ESEA IS&A) <brian.smith at> [Fri, 20 Feb 2009
11:15:01 -0700]:
> We are running freeradius, version 1.1.7, on Fedora.  We are testing
> WPA2/EAP-TLS authentication, with large certificate chains (just under
> 64K in PEM format).  Some individual cert sizes in the chain approach
> 10K in DER format.  If the chain is small enough to fit in a single
> message, authentication works fine.  But if the chain is greater than
> 16,384 bytes, eap-tls fails.  Looking at a packet trace, freeradius
> does not send a message above 16.438 bytes.  Instead of breaking it up into
> different records, it attempts to send it in one TLS record, with
> fragments that are too large.
Overlooking the possible FreeRADIUS bug, I'm pretty sure I remember 
chatting to Tom Rixom (of SecureW2 fame) and he was grumbling that some 
supplicants[1] would not accept standalone certificates above 4kB in 
size (it was something like that); as that's all the memory set aside in 
a buffer internally.

You might find there are supplicants out there that are going to sulk 
when forced to accept such whopping payloads :)


[1] in this case the grumble was pointed at Microsoft Windows CE

Alexander Clouter
.sigmonster says: Encyclopedia for sale by father.  Son knows
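The two size limits this thread runs into are separate layers: a TLS record carries at most 16384 bytes of plaintext, and the EAP-TLS method (RFC 5216) then chops the TLS stream into EAP-sized fragments using the L (length included), M (more fragments) and S (start) flag bits, with a 4-byte TLS Message Length in the first fragment so the peer can size its reassembly buffer. The following is an added illustration, not code from FreeRADIUS or from anyone in this thread: a minimal EAP-TLS fragmenter and a reassembler that enforces the declared length against a fixed buffer, which is exactly the kind of bound a memory-constrained supplicant applies. The `fragment_size` value, the `max_total` buffer bound and the sample payload are constructed for the example.

```python
"""EAP-TLS (RFC 5216, section 3.1) fragmentation and bounded reassembly.

Added example for illustration; not FreeRADIUS code.
"""
import math

FLAG_L = 0x80  # Length included: a 4-byte TLS Message Length follows the flags
FLAG_M = 0x40  # More fragments follow
FLAG_S = 0x20  # EAP-TLS Start (sent by the server to open the conversation)
TLS_MAX_RECORD = 16384  # maximum plaintext bytes in one TLS record (2^14)


def tls_records_needed(handshake_len: int) -> int:
    """How many TLS records a handshake message of this size must span."""
    return max(1, math.ceil(handshake_len / TLS_MAX_RECORD))


def fragment_eap_tls(tls_data: bytes, fragment_size: int) -> list:
    """Split TLS data into EAP-TLS Data fields (flags + optional length + payload).

    fragment_size is the maximum size of each Data field, i.e. the room left in
    the EAP packet after the EAP and EAP-TLS Type headers (assumed value here).
    """
    total = len(tls_data)
    if fragment_size < 6:
        raise ValueError("fragment_size too small for a header plus payload")
    # Small enough for one packet: no length field is required.
    if total + 1 <= fragment_size:
        return [bytes([0]) + tls_data]
    frags = []
    # First fragment: L and M set, followed by the total TLS message length.
    first_payload = fragment_size - 5
    frags.append(bytes([FLAG_L | FLAG_M]) + total.to_bytes(4, "big") + tls_data[:first_payload])
    offset = first_payload
    while offset < total:
        chunk = tls_data[offset:offset + fragment_size - 1]
        offset += len(chunk)
        flags = FLAG_M if offset < total else 0
        frags.append(bytes([flags]) + chunk)
    return frags


class EapTlsReassembler:
    """Reassembles fragments into one TLS message, refusing anything over max_total."""

    def __init__(self, max_total: int = 65536):
        self.max_total = max_total  # constructed buffer bound for the example
        self.expected = None
        self.buf = bytearray()

    def feed(self, frag: bytes):
        """Consume one fragment; return the full TLS data when complete, else None."""
        if not frag:
            raise ValueError("empty fragment")
        flags, body = frag[0], frag[1:]
        if flags & FLAG_L:
            if len(body) < 4:
                raise ValueError("L flag set but no TLS Message Length present")
            self.expected = int.from_bytes(body[:4], "big")
            body = body[4:]
            self.buf = bytearray()  # a new length field starts a new message
            if self.expected > self.max_total:
                raise ValueError("declared length %d exceeds buffer of %d bytes"
                                 % (self.expected, self.max_total))
        elif self.expected is None and flags & FLAG_M:
            raise ValueError("fragmented message without a leading length field")
        self.buf += body
        if self.expected is not None and len(self.buf) > self.expected:
            raise ValueError("received more data than the declared length")
        if flags & FLAG_M:
            return None
        if self.expected is not None and len(self.buf) != self.expected:
            raise ValueError("final fragment arrived before the declared length was met")
        data = bytes(self.buf)
        self.buf, self.expected = bytearray(), None
        return data


def reassemble(frags: list) -> bytes:
    """Feed a fragment list through one reassembler and return the TLS data."""
    r = EapTlsReassembler()
    result = None
    for f in frags:
        result = r.feed(f)
    if result is None:
        raise ValueError("fragment list ended with M still set")
    return result


if __name__ == "__main__":
    # Constructed stand-in for a ~25 KB Certificate handshake message.
    chain = bytes(range(256)) * 100
    pieces = fragment_eap_tls(chain, 1024)
    print(len(chain), "bytes ->", len(pieces), "EAP-TLS fragments,",
          tls_records_needed(len(chain)), "TLS records")
    assert reassemble(pieces) == chain
```

The reassembler's `max_total` check is the point of interest for the supplicant side of the thread: a peer with a small fixed buffer rejects the message as soon as it sees the declared length, before any certificate bytes arrive, which looks from the server like an EAP-TLS failure partway through the handshake.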
