Hi,

* Smith, Brian (ESEA IS&A) <[email protected]> [Fri, 20 Feb 2009 11:15:01 -0700]:
>
> We are running freeradius, version 1.1.7, on Fedora. We are testing
> WPA2/EAP-TLS authentication, with large certificate chains (just under
> 64K in PEM format). Some individual cert sizes in the chain approach
> 10K in DER format. If the chain is small enough to fit in a single TLS
> message, authentication works fine. But if the chain is greater than
> 16,384 bytes, eap-tls fails. Looking at a packet trace, freeradius does
> not send a message above 16.438 bytes. Instead of breaking it up into
> different records, it attempts to send it in one TLS record, with
> fragments that are too large.
>
Overlooking the possible FreeRADIUS bug, I'm pretty sure I remember chatting to Tom Rixom (of SecureW2 fame) and he was grumbling that some supplicants[1] would not accept standalone certificates above 4kB in size (it was something like that), as that's all the memory set aside in a buffer internally.

You might find there are supplicants out there that are going to sulk when forced to accept such whopping payloads :)

Cheers

[1] in this case the grumble was pointed at Microsoft Windows CE

-- 
Alexander Clouter
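To make the record-size point in the report concrete, here is an added example (written for this page, not code from the thread or from FreeRADIUS) that contrasts sending a large handshake payload as one TLS record with splitting it across records of at most 16,384 bytes, and walks a record stream the way you would read a packet trace to spot oversized records. The 40,000-byte "chain" is a constructed placeholder, not real certificate bytes.

```python
import struct

TLS_MAX_FRAGMENT = 16384  # 2**14: maximum plaintext bytes per TLS record (RFC 5246, 6.2.1)
CONTENT_HANDSHAKE = 0x16
RECORD_VERSION = (3, 1)   # record-layer version bytes for TLS 1.0

def single_record(payload: bytes, content_type: int = CONTENT_HANDSHAKE) -> bytes:
    """The failing behaviour described in the thread: one record header in front of
    the whole payload, however large (the 16-bit length field allows up to 65535)."""
    return struct.pack("!BBBH", content_type, *RECORD_VERSION, len(payload)) + payload

def fragment_into_records(payload: bytes, content_type: int = CONTENT_HANDSHAKE,
                          max_fragment: int = TLS_MAX_FRAGMENT) -> bytes:
    """Correct record-layer behaviour: split the payload into records carrying at
    most max_fragment bytes each and return the concatenated record stream."""
    out = bytearray()
    for off in range(0, len(payload), max_fragment):
        chunk = payload[off:off + max_fragment]
        out += struct.pack("!BBBH", content_type, *RECORD_VERSION, len(chunk)) + chunk
    return bytes(out)

def record_lengths(stream: bytes) -> list:
    """Walk a record stream (as seen in a packet trace) and return each record's
    fragment length; the trace in the report would show one entry above the limit."""
    lengths, off = [], 0
    while off + 5 <= len(stream):
        _ctype, _major, _minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        lengths.append(length)
        off += 5 + length
    return lengths

def oversized_records(stream: bytes, max_fragment: int = TLS_MAX_FRAGMENT) -> list:
    """Indices of records whose fragment exceeds the limit; a peer may reject these."""
    return [i for i, n in enumerate(record_lengths(stream)) if n > max_fragment]

def reassemble(stream: bytes) -> bytes:
    """Concatenate the fragments back into the original handshake payload."""
    body, off = bytearray(), 0
    for n in record_lengths(stream):
        body += stream[off + 5:off + 5 + n]
        off += 5 + n
    return bytes(body)

# Constructed stand-in for a ~40 KB DER certificate chain (not real certificate bytes).
CHAIN = bytes(i % 251 for i in range(40000))

if __name__ == "__main__":
    print("single record oversized:", oversized_records(single_record(CHAIN)))
    print("fragmented lengths:", record_lengths(fragment_into_records(CHAIN)))
```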

