how to tell client to use ssf=256 instead of ssf=128

[Tobias Hachmer <lists@kokelnet.de>]

Hello,

I'm using openldap 2.4.28 on ubuntu server and configured TLS.
I want to allow write operations only when ssf=256 is used. (security 
update_ssf=256)
Certificates were set up with openssl CA.pl.

When I connect via
# ldapadd -Y EXTERNAL -ZZ -f /src/test.ldif

I get this:
SASL/EXTERNAL authentication started
SASL username: cn=ldapadmin,.............
SASL SSF: 0
adding new entry "dc=example,dc=com"
ldap_add: Confidentiality required (13)
	additional info: stronger confidentiality required for update

the log says:
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 fd=13 ACCEPT from 
IP=127.0.0.1:56698 (IP=0.0.0.0:389)
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 op=0 EXT 
oid=1.3.6.1.4.1.1466.20037
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 op=0 STARTTLS
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 op=0 RESULT oid= err=0 
text=
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 fd=13 TLS established 
tls_ssf=128 ssf=128
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 op=1 BIND dn="" method=163
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 op=1 BIND 
authcid="cn=ldapadmin,........." authzid="cn=ldapadmin,........"
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 op=1 BIND 
dn="cn=ldapadmin,......." mech=EXTERNAL sasl_ssf=0 ssf=128
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 op=1 RESULT tag=97 err=0 
text=
Oct  8 19:38:14 ldap slapd[2205]: connection_input: conn=1003 deferring 
operation: binding
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 op=2 ADD 
dn="dc=example,dc=com"
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 op=2 RESULT tag=105 err=13 
text=stronger confidentiality required for update
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 op=3 UNBIND
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 fd=13 closed

1. Why is the client connecting with ssf=128?
2. Can I influence the ssf used by client, if yes, how?
3. Maybe a certificate issue?

Thanks in advance,
Tobias Hachmer