Hi Alexander,

Thanks for your reply and yes, I expect you are right about some clients not supporting large certificates.

Thanks for your help!

Regards,
Brian Smith
Ph. 602-436-6691
Honeywell

-----Original Message-----
From: freeradius-users-bounces+brian.smith=honeywell....@lists.freeradius.org [mailto:[email protected] ius.org] On Behalf Of Alexander Clouter
Sent: Friday, February 20, 2009 12:52 PM
To: [email protected]
Subject: Re: Free Radius problem with sending large certificate chains, using EAP-TLS

Hi,

* Smith, Brian (ESEA IS&A) <[email protected]> [Fri, 20 Feb 2009 11:15:01 -0700]:
>
> We are running freeradius, version 1.1.7, on Fedora. We are testing
> WPA2/EAP-TLS authentication, with large certificate chains (just under
> 64K in PEM format). Some individual cert sizes in the chain approach
> 10K in DER format. If the chain is small enough to fit in a single TLS
> message, authentication works fine. But if the chain is greater than
> 16,384 bytes, eap-tls fails. Looking at a packet trace, freeradius does
> not send a message above 16.438 bytes. Instead of breaking it up into
> different records, it attempts to send it in one TLS record, with
> fragments that are too large.
>

Overlooking the possible FreeRADIUS bug, I'm pretty sure I remember chatting to Tom Rixom (of SecureW2 fame) and he was grumbling that some supplicants[1] would not accept standalone certificates above 4kB in size (it was something like that); as that's all the memory set aside in a buffer internally.

You might find there are supplicants out there that are going to sulk when forced to accept such whopping payloads :)

Cheers

[1] in this case the grumble was pointed at Microsoft Windows CE

--
Alexander Clouter
.sigmonster says: Encyclopedia for sale by father. Son knows everything.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
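As an added illustration, not code from the thread or from FreeRADIUS, the framing rule the packet trace above violates: a TLS record carries at most 2^14 bytes of plaintext, so a Certificate handshake message larger than that has to be spread over several records before EAP-TLS fragments the stream. The Certificate message below is constructed filler standing in for a ~40 KB chain; the record parser flags any record over the limit, which is what you would look for in a trace.

```python
import struct

TLS_MAX_PLAINTEXT = 2 ** 14   # RFC 5246: TLSPlaintext.length must not exceed 2^14 bytes
HANDSHAKE = 22                # ContentType handshake
TLS1_0 = b"\x03\x01"          # record-layer version a TLS 1.0/1.1 stack would emit

def split_into_records(data: bytes, max_fragment: int = TLS_MAX_PLAINTEXT) -> bytes:
    """Correct framing: wrap a handshake message into records of <= max_fragment bytes."""
    if not 0 < max_fragment <= TLS_MAX_PLAINTEXT:
        raise ValueError("fragment size must stay within the TLS record limit")
    out = bytearray()
    for off in range(0, len(data), max_fragment):
        chunk = data[off:off + max_fragment]
        out += struct.pack("!B2sH", HANDSHAKE, TLS1_0, len(chunk)) + chunk
    return bytes(out)

def oversized_single_record(data: bytes) -> bytes:
    """Naive framing: the whole message in one record, as the trace in the thread shows."""
    if len(data) > 0xFFFF:
        raise ValueError("record length field is only 16 bits")
    return struct.pack("!B2sH", HANDSHAKE, TLS1_0, len(data)) + data

def audit_records(stream: bytes) -> list:
    """Walk a record stream; return (offset, length, within_limit) for each record.
    A False entry is the oversized-record symptom described in the thread."""
    report, off = [], 0
    while off + 5 <= len(stream):
        _ctype, _ver, length = struct.unpack("!B2sH", stream[off:off + 5])
        report.append((off, length, length <= TLS_MAX_PLAINTEXT))
        off += 5 + length
    if off != len(stream):
        raise ValueError("truncated record at offset %d" % off)
    return report

def fake_certificate_message(chain_len: int) -> bytes:
    """Constructed Certificate handshake message: type 11, 3-byte length, filler body
    (a stand-in for a DER certificate chain of chain_len bytes, not a real chain)."""
    body = bytes([0xAA]) * chain_len
    return bytes([11]) + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    msg = fake_certificate_message(40000)
    print("correct framing:", audit_records(split_into_records(msg)))
    print("single record:  ", audit_records(oversized_single_record(msg)))
```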

