Free Radius problem with sending large certificate chains, using EAP-TLS

Smith, Brian (ESEA IS&A) brian.smith at honeywell.com
Tue Feb 24 17:37:08 CET 2009


Hi Jouni,
Thanks for your reply.  I understand your concern on wasting time when in a failure condition.  I agree it would be ideal for the code to continue transfers, based on progress.  We will try to validate the use case before taking this further.

Regards,
 
Brian Smith
Ph. 602-436-6691
Honeywell

-----Original Message-----
From: freeradius-users-bounces+brian.smith=honeywell.com at lists.freeradius.org [mailto:freeradius-users-bounces+brian.smith=honeywell.com at lists.freeradius.org] On Behalf Of Jouni Malinen
Sent: Tuesday, February 24, 2009 1:20 AM
To: FreeRadius users mailing list
Subject: Re: Free Radius problem with sending large certificate chains, using EAP-TLS

On Tue, Feb 24, 2009 at 9:20 AM, Alan DeKok <aland at deployingradius.com> wrote:
>  No... they *do* support multiple round trips.  But they have an upper
> limit on "too many" round trips.  For example, WPA supplicant (the most
> widely used one) has a default limit of 50.  This means it's *highly*
> unlikely that it will work with 64K certificate chains.

The main (well, more or less, the only) reason for that limit on
number of round trips is to work around issues where the EAP peer and
server ended up in an infinite loop ACKing their messages. I would
prefer to change that to be based on whether any real progress has
been made during the last round trip or two, i.e., to remove the hard
limit and allow as many round trips as it takes to get through the
authentication (or whatever else one adds into EAP, e.g., TNC). It
would be nicer to support the whatever maximum length is described for
EAP-TLS or TNC, but not at the cost of bringing back interop issues
that may result in infinite authentication loops.

Anyway, the only case I remember of someone discussing the round trip
limit as a too strict limit was for TNC, not for certificate sizes. If
someone is really using huge certificates (or well, long enough chain
to make the total size of the TLS message long) in real world, I would
like to make sure it can be done. I just haven't come up with a real
use case so far.

- Jouni
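The two round-trip policies discussed above, simulated as an added example (this is constructed illustration, not wpa_supplicant or FreeRADIUS code): a hard cap of 50 round trips versus aborting only when no TLS bytes arrived in the last two round trips, run against a large certificate chain and against the infinite ACK loop the hard cap was meant to stop. The 1024-byte fragment size and the 64 KiB chain are assumed values; each server fragment is taken to cost one round trip (fragment plus ACK).

```python
import itertools
from dataclasses import dataclass

HARD_LIMIT = 50          # default wpa_supplicant round-trip limit cited in the thread
STALL_LIMIT = 2          # Jouni's "last round trip or two" with no progress
FRAG_SIZE = 1024         # assumed EAP-TLS fragment size in bytes (not stated in the thread)
CHAIN_SIZE = 64 * 1024   # assumed size of the large certificate chain in bytes

@dataclass
class Outcome:
    ok: bool
    round_trips: int
    reason: str

def fragments_for(total_len: int, frag_size: int = FRAG_SIZE) -> list:
    """Bytes carried by each server fragment; every fragment costs one round trip (fragment + ACK)."""
    full, rest = divmod(total_len, frag_size)
    return [frag_size] * full + ([rest] if rest else [])

def ack_loop():
    """A misbehaving peer/server pair ACKing each other forever: endless round trips with no TLS data."""
    return itertools.repeat(0)

def run_hard_limit(frags, total_len: int, limit: int = HARD_LIMIT) -> Outcome:
    """Abort once the fixed round-trip budget is spent, even if data is still flowing."""
    received, n = 0, 0
    for n, size in enumerate(frags, start=1):
        if n > limit:
            return Outcome(False, n - 1, "hard round-trip limit reached")
        received += size
        if received >= total_len:
            return Outcome(True, n, "handshake data complete")
    return Outcome(False, n, "fragment stream ended early")

def run_progress_based(frags, total_len: int, stall: int = STALL_LIMIT) -> Outcome:
    """Allow any number of round trips while bytes keep arriving; abort only on a stall."""
    received, stalled, n = 0, 0, 0
    for n, size in enumerate(frags, start=1):
        stalled = 0 if size > 0 else stalled + 1
        received += size
        if received >= total_len:
            return Outcome(True, n, "handshake data complete")
        if stalled >= stall:
            return Outcome(False, n, f"no progress in last {stall} round trips")
    return Outcome(False, n, "fragment stream ended early")

if __name__ == "__main__":
    for name, policy in (("hard limit", run_hard_limit), ("progress-based", run_progress_based)):
        print(name, policy(fragments_for(CHAIN_SIZE), CHAIN_SIZE), policy(ack_loop(), CHAIN_SIZE))
```

With these assumptions the 64-fragment chain fails under the hard cap at round trip 50 but completes under the progress-based rule, while the ACK loop is cut off after 2 round trips instead of 50.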
