Free Radius problem with sending large certificate chains, usingEAP-TLS

Jouni Malinen jkmalinen at
Tue Feb 24 09:20:28 CET 2009

On Tue, Feb 24, 2009 at 9:20 AM, Alan DeKok <aland at> wrote:
>  No... they *do* support multiple round trips.  But they have an upper
> limit on "too many" round trips.  For example, WPA supplicant (the most
> widely used one) has a default limit of 50.  This means it's *highly*
> unlikely that it will work with 64K certificate chains.

The main (well, more or less, the only) reason for that limit on
number of round trips is to work around issues where the EAP peer and
server ended up in an infinite loop ACKing their messages. I would
prefer to change that to be based on whether any real progress has
been made during the last round trip or two, i.e., to remove the hard
limit and allow as many round trips as it takes to get through the
authentication (or whatever else one adds into EAP, e.g., TNC). It
would be nicer to support the whatever maximum length is described for
EAP-TLS or TNC, but not at the cost of bringing back interop issues
that may result in infinite authentication loops.

Anyway, the only case I remember of someone discussing the round trip
limit as a too strict limit was for TNC, not for certificate sizes. If
someone is really using huge certificates (or well, long enough chain
to make the total size of the TLS message long) in real world, I would
like to make sure it can be done. I just haven't come up with a real
use case so far.

- Jouni

More information about the Freeradius-Users mailing list