Free Radius problem with sending large certificate chains, using EAP-TLS
Smith, Brian (ESEA IS&A)
brian.smith at honeywell.com
Mon Feb 23 19:34:46 CET 2009
Hi Alexander,
Thanks for your reply and yes, I expect you are right about some clients
not supporting large certificates. Thanks for your help!
Regards,
Brian Smith
Ph. 602-436-6691
Honeywell
-----Original Message-----
From: freeradius-users-bounces+brian.smith=honeywell.com at lists.freeradius.org
[mailto:freeradius-users-bounces+brian.smith=honeywell.com at lists.freeradius.org] On Behalf Of Alexander Clouter
Sent: Friday, February 20, 2009 12:52 PM
To: freeradius-users at lists.freeradius.org
Subject: Re: Free Radius problem with sending large certificate chains, using EAP-TLS
Hi,
* Smith, Brian (ESEA IS&A) <brian.smith at honeywell.com> [Fri, 20 Feb 2009 11:15:01 -0700]:
>
> We are running freeradius, version 1.1.7, on Fedora. We are testing
> WPA2/EAP-TLS authentication, with large certificate chains (just under
> 64K in PEM format). Some individual cert sizes in the chain approach
> 10K in DER format. If the chain is small enough to fit in a single TLS
> message, authentication works fine. But if the chain is greater than
> 16,384 bytes, eap-tls fails. Looking at a packet trace, freeradius does
> not send a message above 16.438 bytes. Instead of breaking it up into
> different records, it attempts to send it in one TLS record, with
> fragments that are too large.
>
Overlooking the possible FreeRADIUS bug, I'm pretty sure I remember
chatting to Tom Rixom (of SecureW2 fame) and he was grumbling that some
supplicants[1] would not accept standalone certificates above 4kB in
size (it was something like that); as that's all the memory set aside in
a buffer internally.
You might find there are supplicants out there that are going to sulk
when forced to accept such whopping payloads :)
Cheers
[1] in this case the grumble was pointed at Microsoft Windows CE
--
Alexander Clouter
.sigmonster says: Encyclopedia for sale by father. Son knows
everything.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
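The two size limits the thread touches on, the 2^14-byte TLS record ceiling that Brian's trace runs into and the per-certificate supplicant buffer Alexander recalls, can be seen end to end in the following added example. It is not code from the thread, from FreeRADIUS or from any supplicant: it builds a TLS 1.2-style Certificate handshake message from constructed filler blobs (not real X.509 DER), splits it into TLS records of at most 16384 bytes as RFC 5246 section 6.2.1 requires, shows that a receiver rejects the single oversized record the thread describes, then carries the record stream in EAP-TLS fragments with the L and M flags from RFC 5216 and reassembles it. The 1014-byte EAP fragment size and the 4096-byte per-certificate limit are assumptions chosen for illustration, the latter standing in for the "about 4kB" Alexander mentions.

```python
"""Added example: TLS record fragmentation and EAP-TLS fragmentation of a
large Certificate message. Not FreeRADIUS code; all inputs are constructed."""
import struct

TLS_MAX_PLAINTEXT = 16384     # 2^14 byte record limit, RFC 5246 section 6.2.1
TLS_HANDSHAKE = 22            # ContentType handshake
HS_CERTIFICATE = 11           # HandshakeType certificate
EAP_TLS_FLAG_L = 0x80         # Length included (RFC 5216 section 3.1)
EAP_TLS_FLAG_M = 0x40         # More fragments follow

# Constructed stand-ins for DER certificates (filler bytes, not real X.509);
# sizes mirror the thread's "individual certs approaching 10K".
SAMPLE_CERTS = [b"\xaa" * 9000, b"\xbb" * 9500, b"\xcc" * 8000, b"\xdd" * 9900]


def build_certificate_message(certs):
    """Certificate handshake message: 1-byte type, 3-byte length, then a
    certificate_list whose entries each carry a 3-byte length prefix."""
    cert_list = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(cert_list).to_bytes(3, "big") + cert_list
    return bytes([HS_CERTIFICATE]) + len(body).to_bytes(3, "big") + body


def to_tls_records(handshake_bytes, max_plaintext=TLS_MAX_PLAINTEXT):
    """Split one handshake message across TLS records of at most max_plaintext
    bytes each (a handshake message may span records). Passing a larger
    max_plaintext reproduces the oversized single record seen in the trace."""
    records = []
    for off in range(0, len(handshake_bytes), max_plaintext):
        frag = handshake_bytes[off:off + max_plaintext]
        records.append(bytes([TLS_HANDSHAKE]) + b"\x03\x03"
                       + struct.pack("!H", len(frag)) + frag)
    return records


def parse_tls_records(stream, max_plaintext=TLS_MAX_PLAINTEXT):
    """Parse concatenated records back into handshake bytes, refusing any
    record whose length exceeds max_plaintext, as a conforming peer does."""
    out, i = [], 0
    while i < len(stream):
        _ctype, _ver, length = struct.unpack("!BHH", stream[i:i + 5])
        if length > max_plaintext:
            raise ValueError(f"TLS record of {length} bytes exceeds {max_plaintext}")
        out.append(stream[i + 5:i + 5 + length])
        i += 5 + length
    return b"".join(out)


def to_eap_tls_fragments(tls_data, fragment_size):
    """EAP-TLS data field per fragment: flags byte, a 4-byte TLS Message Length
    on the first fragment (L set), M set on every fragment but the last."""
    frags = []
    for off in range(0, len(tls_data), fragment_size):
        chunk = tls_data[off:off + fragment_size]
        last = off + fragment_size >= len(tls_data)
        flags, hdr = 0, b""
        if off == 0 and not last:
            flags |= EAP_TLS_FLAG_L
            hdr = struct.pack("!I", len(tls_data))
        if not last:
            flags |= EAP_TLS_FLAG_M
        frags.append(bytes([flags]) + hdr + chunk)
    return frags


def reassemble_eap_tls(frags):
    """Receiver side: honour L and M, check the announced total length."""
    buf, expected = b"", None
    for i, f in enumerate(frags):
        flags, body = f[0], f[1:]
        if flags & EAP_TLS_FLAG_L:
            expected = struct.unpack("!I", body[:4])[0]
            body = body[4:]
        if bool(flags & EAP_TLS_FLAG_M) != (i < len(frags) - 1):
            raise ValueError("M flag inconsistent with fragment position")
        buf += body
    if expected is not None and len(buf) != expected:
        raise ValueError(f"reassembled {len(buf)} bytes, expected {expected}")
    return buf


def oversized_certs(certs, limit=4096):
    """Indices of certificates larger than `limit` bytes; 4096 is an assumed
    per-certificate supplicant buffer, not a documented figure."""
    return [i for i, c in enumerate(certs) if len(c) > limit]


if __name__ == "__main__":
    msg = build_certificate_message(SAMPLE_CERTS)
    recs = to_tls_records(msg)
    print(f"Certificate message {len(msg)} bytes -> {len(recs)} TLS records")
    try:
        parse_tls_records(b"".join(to_tls_records(msg, max_plaintext=len(msg))))
    except ValueError as e:
        print("single oversized record rejected:", e)
    stream = b"".join(recs)
    frags = to_eap_tls_fragments(stream, 1014)
    print(f"{len(frags)} EAP-TLS fragments; reassembled ok:",
          reassemble_eap_tls(frags) == stream)
    print("certs over 4 kB:", oversized_certs(SAMPLE_CERTS))
```

The two layers are independent: a server may fragment correctly at the EAP layer (1014-byte chunks with L/M flags) and still fail if the TLS layer underneath emitted one record longer than 2^14 bytes, which is exactly the shape of the failure Brian describes, while Alexander's point is a third, per-certificate limit that no amount of correct fragmentation on the server can work around.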