Hi Alan,

Thanks for the great reply. It makes perfect sense to me. Just to be clear, FreeRADIUS will support a certificate/chain length up to the TLS record limit of 16384 bytes (minus some overhead). And you don't know of anyone that has ever tried to test beyond this, which tells me that in practice it's not done. Also, you point out that very likely APs and STAs might not support multiple records, though the RFC says they should. That also tells me this is not normally done.
Two quick questions for you.

- What do you think the market penetration of FreeRADIUS (or commercial clones) for authenticating wireless WPA2 clients is, versus commercial products?
- Do you know of any other RADIUS server that does support multiple TLS records for a single message?
- What is the largest certificate chain you have seen used with FreeRADIUS?

Thanks again!

Brian Smith
Ph. 602-436-6691
Honeywell

-----Original Message-----
From: freeradius-users-bounces+brian.smith=honeywell....@lists.freeradius.org [mailto:freeradius-users-bounces+brian.smith=honeywell....@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Saturday, February 21, 2009 1:37 AM
To: FreeRadius users mailing list
Subject: Re: Free Radius problem with sending large certificate chains, using EAP-TLS

Smith, Brian (ESEA IS&A) wrote:
> We are running freeradius, version 1.1.7, on Fedora. We are testing
> WPA2/EAP-TLS authentication, with large certificate chains (just under
> 64K in PEM format).

  Ouch... that's big.

> Some individual cert sizes in the chain approach
> 10K in DER format. If the chain is small enough to fit in a single TLS
> message, authentication works fine. But if the chain is greater than
> 16,384 bytes, EAP-TLS fails. Looking at a packet trace, freeradius does
> not send a message above 16,438 bytes. Instead of breaking it up into
> different records, it attempts to send it in one TLS record, with
> fragments that are too large.

  Hmm... OK.

> Per RFCs 2716 and 5216, it seems freeradius should break a single TLS
> message (larger than one 16,384 byte record can support) into multiple
> TLS records.

  It's supposed to. It doesn't, however.

> We could not find anything on this problem in the FAQ or user lists.
> Can someone tell us what we are doing wrong, or is this a bug which
> hasn't been reported, since this large cert chain is rare? We will
> update to the latest freeradius release.

  I think that this is the first time someone ran into this problem.

  The other issue is that 64K certificate chains may cause other problems. Both supplicants && access points have EAP packet counters. After 30-50 packets in one EAP session, they simply drop the session as "taking too long". i.e. You might get FreeRADIUS to support 64K certificate chains, and then discover that none of the access points or PCs can support it.

  I don't think it's too hard to fix this, it just requires some additional code to deal with messages greater than 16K. Right now, all of the internal code assumes that the maximum message size is one TLS fragment.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
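The two layers the thread talks past each other on are worth seeing side by side: the TLS record layer (RFC 5246 section 6.2.1) caps one record at 2^14 = 16384 bytes of plaintext but lets a single handshake message, such as the Certificate message carrying the chain, span as many records as it needs; EAP-TLS (RFC 5216 section 3.1) then chops the concatenated records into EAP fragments of a negotiated size, with the L flag and 4-byte TLS Message Length on the first fragment and the M flag on every fragment but the last. The Python below is an added illustration written for this page, not FreeRADIUS code or anything from the list. The certificate chain is constructed filler of the sizes Brian describes (several ~10 KB DER certificates), the fragment size of 1024 is an assumed value, and the parser on the receiving side rejects exactly the oversized record that the 1.1.7 trace showed. Running the ~48 KB case also shows why Alan's packet-counter warning matters: it comes out at 47 EAP round trips.

```python
"""Added example (not FreeRADIUS code): a >16384-byte TLS handshake message
carried as several TLS records and then as EAP-TLS fragments, per RFC 5246
(record layer) and RFC 5216 (EAP-TLS). The certificate chain is constructed
filler; the fragment size is an assumed value, not a negotiated one."""
import math
import struct

TLS_MAX_PLAINTEXT = 16384          # 2^14, RFC 5246 section 6.2.1
CT_HANDSHAKE = 0x16
HS_CERTIFICATE = 11
TLS_VERSION = b"\x03\x01"          # TLS 1.0 record version (assumed, 2009-era EAP-TLS)
EAP_CODE_REQUEST, EAP_TYPE_TLS = 1, 13
FLAG_L, FLAG_M = 0x80, 0x40        # Length-included, More-fragments (RFC 5216 section 3.1)


def certificate_message(der_certs):
    """Build a TLS Certificate handshake message: type(1) len(3) chain_len(3) entries."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in der_certs)
    body = len(entries).to_bytes(3, "big") + entries
    return bytes([HS_CERTIFICATE]) + len(body).to_bytes(3, "big") + body


def to_records(handshake_bytes, max_plaintext=TLS_MAX_PLAINTEXT):
    """Split one handshake message across as many TLS records as it needs.
    This is the step the 1.1.7 trace shows missing: one record with a declared
    length above the record limit instead of several records."""
    records = []
    for off in range(0, len(handshake_bytes), max_plaintext):
        frag = handshake_bytes[off:off + max_plaintext]
        records.append(bytes([CT_HANDSHAKE]) + TLS_VERSION + struct.pack("!H", len(frag)) + frag)
    return records


def eap_tls_fragment(tls_data, fragment_size, first_id=1):
    """Fragment the concatenated TLS records into EAP-TLS Request packets.
    Only the first fragment carries L plus the 4-byte TLS Message Length;
    every fragment except the last carries M."""
    packets, n = [], math.ceil(len(tls_data) / fragment_size)
    for i in range(n):
        chunk = tls_data[i * fragment_size:(i + 1) * fragment_size]
        flags = (FLAG_L if i == 0 else 0) | (FLAG_M if i < n - 1 else 0)
        payload = bytes([EAP_TYPE_TLS, flags])
        if flags & FLAG_L:
            payload += struct.pack("!I", len(tls_data))
        payload += chunk
        hdr = struct.pack("!BBH", EAP_CODE_REQUEST, (first_id + i) & 0xFF, 4 + len(payload))
        packets.append(hdr + payload)
    return packets


def eap_tls_reassemble(packets):
    """Peer side: strip EAP and EAP-TLS headers, honour L/M, verify the total length."""
    out, expected = bytearray(), None
    for i, pkt in enumerate(packets):
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        if length != len(pkt) or pkt[4] != EAP_TYPE_TLS:
            raise ValueError("malformed EAP-TLS packet")
        flags, pos = pkt[5], 6
        if flags & FLAG_L:
            expected, pos = struct.unpack("!I", pkt[6:10])[0], 10
        out += pkt[pos:]
        if not flags & FLAG_M and i != len(packets) - 1:
            raise ValueError("M flag clear before the last fragment")
    if expected is not None and expected != len(out):
        raise ValueError(f"TLS Message Length {expected} != {len(out)} received")
    return bytes(out)


def parse_records(data):
    """Walk the TLS records, rejecting any record longer than the 2^14 limit,
    and return the reassembled handshake bytes."""
    hs, pos = bytearray(), 0
    while pos < len(data):
        ctype, length = data[pos], struct.unpack("!H", data[pos + 3:pos + 5])[0]
        if ctype != CT_HANDSHAKE or length > TLS_MAX_PLAINTEXT:
            raise ValueError("bad or oversized TLS record")
        hs += data[pos + 5:pos + 5 + length]
        pos += 5 + length
    return bytes(hs)


def round_trip(chain_sizes, fragment_size=1024):
    """Constructed chain -> TLS records -> EAP fragments -> reassembled.
    Returns (record_count, eap_packet_count, handshake_round_trips_ok)."""
    chain = [bytes([i & 0xFF]) * n for i, n in enumerate(chain_sizes)]
    hs = certificate_message(chain)
    records = to_records(hs)
    packets = eap_tls_fragment(b"".join(records), fragment_size)
    ok = parse_records(eap_tls_reassemble(packets)) == hs
    return len(records), len(packets), ok


if __name__ == "__main__":
    # Roughly the thread's case: five ~10 KB DER certificates, about 48 KB of chain.
    print(round_trip([10000, 10000, 10000, 10000, 8000]))
```

With the 48 KB constructed chain the Certificate message needs three TLS records and, at a 1024-byte EAP fragment size, 47 EAP-TLS request/response round trips; a 1000-byte chain fits in one record and one fragment. The reassembler checks the L-flag length against what actually arrived, which is the check a supplicant needs so that a truncated or oversized fragment stream fails cleanly instead of feeding a short buffer to the TLS library.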