
TLS negotiation failure



Hello

I experience a weird problem with OpenLDAP and TLS connections. slapd
will randomly reject connections, with "TLS negotiation failure" error
message.

That happens with various clients (MacOS, NetBSD, Linux), and it happens
on multiple machines that run slapd. The current setup is below:
OpenLDAP 2.4.16
OpenSSL 0.9.9-dev 09 May 2008
NetBSD 5.0.1

But the problem also existed before upgrades with NetBSD 4.0 and
OpenLDAP 2.4.14. It seems to become worse over time.

Here is a trace obtained with a breakpoint set on the error message in
slapd. 

conn=0 fd=19 ACCEPT from IP=193.54.82.248:59782 (IP=193.54.82.23:636)
TLS: can't accept: (null).

Breakpoint 1, connection_read (s=19, cri=0xa63ff8ac) at
connection.c:1326
1326 connection_closing( c, "TLS negotiation failure" );
(gdb) bt
#0 connection_read (s=19, cri=0xa63ff8ac) at connection.c:1326
#1 0x08078bf9 in connection_read_thread (ctx=0xa63ff900, argv=0x13) at
connection.c:1216
#2 0xbbbaad3a in ldap_int_thread_pool_wrapper (xpool=0xbb540080) at
tpool.c:663
#3 0xbb85e9df in pthread_create () from /usr/lib/libpthread.so.0
#4 0xbb7aa640 in swapcontext () from /usr/lib/libc.so.12
(gdb) c
Continuing.
conn=1 fd=20 ACCEPT from IP=193.54.82.248:59783 (IP=193.54.82.23:636)
conn=0 fd=19 closed (TLS negotiation failure)

So connection_read() reports an error from ldap_pvt_tls_accept(), which
is caused by tls_imp->ti_session_accept(). For OpenSSL, that is
tlso_session_accept(), which just calls SSL_accept().

Does that ring a bell to anyone? Any suggestion for a workaround?

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org
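One way to quantify the "random" failures described above before hunting for the cause: pair each slapd ACCEPT line with its closed line and compute, per client IP, how many connections ended in "TLS negotiation failure". This is an added example, not code from the original post or from OpenLDAP; the log excerpt it parses is constructed to match the format quoted above (IPs and counts are made up), and the regexes and function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample slapd log excerpt in the format quoted in the post
# (ACCEPT and closed lines); the IPs and counts are made up.
SAMPLE_LOG = """\
conn=0 fd=19 ACCEPT from IP=193.54.82.248:59782 (IP=193.54.82.23:636)
conn=0 fd=19 closed (TLS negotiation failure)
conn=1 fd=20 ACCEPT from IP=193.54.82.248:59783 (IP=193.54.82.23:636)
conn=1 fd=20 closed
conn=2 fd=21 ACCEPT from IP=10.0.0.7:40001 (IP=193.54.82.23:636)
conn=2 fd=21 closed (TLS negotiation failure)
conn=3 fd=22 ACCEPT from IP=10.0.0.7:40002 (IP=193.54.82.23:636)
conn=3 fd=22 closed (TLS negotiation failure)
conn=4 fd=23 ACCEPT from IP=10.0.0.7:40003 (IP=193.54.82.23:636)
conn=4 fd=23 closed
"""

# Client address is either a bracketed IPv6 literal or a plain IPv4 address.
ACCEPT_RE = re.compile(
    r"^conn=(?P<conn>\d+) fd=\d+ ACCEPT from IP=(?P<ip>\[[^\]]+\]|[^:\s]+):\d+"
)
# The close reason in parentheses is absent for a clean close.
CLOSED_RE = re.compile(
    r"^conn=(?P<conn>\d+) fd=\d+ closed(?: \((?P<reason>[^)]*)\))?\s*$"
)


def parse_connections(log_text):
    """Pair each ACCEPT with its closed line, keyed by conn id.

    Returns a list of (conn_id, client_ip, close_reason); close_reason is
    None for a clean close.  Connections still open at the end of the
    excerpt are reported with reason 'open'.
    """
    open_conns = {}
    finished = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            # conn ids restart after a slapd restart; a later ACCEPT with the
            # same id simply replaces the stale entry.
            open_conns[m.group("conn")] = m.group("ip")
            continue
        m = CLOSED_RE.match(line)
        if m and m.group("conn") in open_conns:
            ip = open_conns.pop(m.group("conn"))
            finished.append((m.group("conn"), ip, m.group("reason")))
    for conn, ip in open_conns.items():
        finished.append((conn, ip, "open"))
    return finished


def tls_failure_rates(log_text):
    """Per-client counts of accepted connections and TLS negotiation failures.

    Returns {ip: (accepted, tls_failures, failure_ratio)}.  The ratio shows
    whether the failures are spread evenly or concentrated on one client,
    which is the first thing to know before blaming the server-side library.
    """
    stats = defaultdict(lambda: [0, 0])
    for _conn, ip, reason in parse_connections(log_text):
        stats[ip][0] += 1
        if reason == "TLS negotiation failure":
            stats[ip][1] += 1
    return {
        ip: (acc, fail, round(fail / acc, 3)) for ip, (acc, fail) in stats.items()
    }


if __name__ == "__main__":
    for ip, (acc, fail, ratio) in sorted(tls_failure_rates(SAMPLE_LOG).items()):
        print(f"{ip:20} accepted={acc} tls_failures={fail} ratio={ratio}")
```

Run it against a real slapd log (loglevel conns or stats) instead of SAMPLE_LOG; if one client or one client OS dominates the failures, the negotiation problem is on that side rather than in slapd's SSL_accept() call, and if the ratio climbs over a day's log it matches the "worse over time" observation.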