On Tue, Feb 24, 2009 at 9:20 AM, Alan DeKok <[email protected]> wrote:
> No... they *do* support multiple round trips. But they have an upper
> limit on "too many" round trips. For example, WPA supplicant (the most
> widely used one) has a default limit of 50. This means it's *highly*
> unlikely that it will work with 64K certificate chains.

The main (well, more or less, the only) reason for that limit on the number of round trips is to work around issues where the EAP peer and server ended up in an infinite loop ACKing each other's messages. I would prefer to change that to be based on whether any real progress has been made during the last round trip or two, i.e., to remove the hard limit and allow as many round trips as it takes to get through the authentication (or whatever else one adds into EAP, e.g., TNC). It would be nicer to support whatever maximum length is described for EAP-TLS or TNC, but not at the cost of bringing back interop issues that may result in infinite authentication loops.

Anyway, the only case I remember of someone discussing the round trip limit as too strict a limit was for TNC, not for certificate sizes. If someone is really using huge certificates (or, well, a long enough chain to make the total size of the TLS message long) in the real world, I would like to make sure it can be done. I just haven't come up with a real use case so far.

- Jouni

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
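The trade-off discussed in the message above, a fixed round-trip cap versus a progress-based one, can be seen in a small simulation. The following Python is an added illustration, not code from wpa_supplicant, FreeRADIUS or the list thread. It models an EAP-TLS server delivering a large TLS message in fixed-size fragments, each costing one round trip, and a broken peer that only ever answers with empty ACKs. The fragment size (1000 bytes), the 64K message length and the "two idle round trips" threshold are assumptions chosen for the demonstration; the hard limit of 50 is the figure quoted in the thread.

```python
"""Simulated EAP-TLS fragment exchange: hard round-trip limit vs. progress-based limit.

Added example with assumed parameters; not wpa_supplicant's or FreeRADIUS's code.
"""
from dataclasses import dataclass

FRAGMENT_SIZE = 1000  # assumed payload budget per EAP packet, in bytes


@dataclass
class Session:
    total_len: int            # length of the TLS message being delivered
    delivered: int = 0        # bytes the peer has acknowledged so far
    round_trips: int = 0      # EAP request/response pairs used
    idle_round_trips: int = 0  # consecutive round trips that moved no new bytes


def next_fragment_len(session: Session) -> int:
    """Bytes the server would place in the next fragment (0 when nothing is left)."""
    remaining = session.total_len - session.delivered
    return min(FRAGMENT_SIZE, remaining)


def run(total_len: int, policy: str, limit: int, peer_stuck: bool = False):
    """Drive the exchange until the message is delivered or the policy aborts.

    policy == "hard":     abort once round_trips exceeds `limit`
                          (the fixed cap the thread describes).
    policy == "progress": abort once `limit` consecutive round trips carried
                          no new TLS bytes, i.e. an ACK/ACK loop, with no
                          upper bound on useful round trips.
    peer_stuck: model a broken peer that keeps ACKing without ever consuming
                data, the failure mode the hard limit was introduced for.
    Returns ("success" | "abort", round_trips_used).
    """
    s = Session(total_len=total_len)
    while s.delivered < s.total_len:
        frag = next_fragment_len(s)
        s.round_trips += 1
        if peer_stuck:
            frag = 0  # peer's response is a bare ACK; nothing was consumed
        if frag > 0:
            s.delivered += frag
            s.idle_round_trips = 0
        else:
            s.idle_round_trips += 1
        if policy == "hard" and s.round_trips > limit:
            return ("abort", s.round_trips)
        if policy == "progress" and s.idle_round_trips >= limit:
            return ("abort", s.round_trips)
    return ("success", s.round_trips)


if __name__ == "__main__":
    big_chain = 64 * 1024  # assumed 64K certificate chain
    print("64K chain, hard limit 50:      ", run(big_chain, "hard", 50))
    print("64K chain, progress limit 2:   ", run(big_chain, "progress", 2))
    print("stuck peer, hard limit 50:     ", run(big_chain, "hard", 50, peer_stuck=True))
    print("stuck peer, progress limit 2:  ", run(big_chain, "progress", 2, peer_stuck=True))
```

With these numbers the 64K message needs 66 fragments, so the hard cap of 50 aborts a legitimate authentication on the 51st round trip, while the progress rule lets all 66 through. Against the looping peer both policies terminate, but the progress rule does so after two idle round trips instead of fifty, which is the interop protection the message says must be preserved.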

