
seg fault with TLS syncrepl?



My N-WAY replication works properly with
"bindmethod=simple".

However, I don't like keeping a password in cleartext in
a configuration file, so I tried this:

On server "ldap-master1.example.fr":

TLSVerifyClient allow

syncrepl rid=101
    provider=ldap://ldap-master2.example.fr:389
    searchbase="dc=example,dc=fr"
    schemachecking=on
    type=refreshOnly
    interval=00:00:01:00
    retry="10 +"
    bindmethod=sasl
    saslmech=EXTERNAL
    starttls=critical
    tls_cert=/etc/openldap/cacerts/master1/server.crt
    tls_key=/etc/openldap/cacerts/master1/server.key
    tls_cacert=/etc/openldap/cacerts/CA.crt
    tls_reqcert=demand

On server "ldap-master2.example.fr":

TLSVerifyClient allow

syncrepl rid=201
    provider=ldap://ldap-master1.example.fr:389
    searchbase="dc=example,dc=fr"
    schemachecking=on
    type=refreshOnly
    interval=00:00:01:00
    retry="10 +"
    bindmethod=sasl
    saslmech=EXTERNAL
    starttls=critical
    tls_cert=/etc/openldap/cacerts/master2/server.crt
    tls_key=/etc/openldap/cacerts/master2/server.key
    tls_cacert=/etc/openldap/cacerts/CA.crt

I get a segmentation fault:

ldap-master1 #$ /usr/sbin/slapd -h  ldap:/// -u ldap -d256

@(#) $OpenLDAP: slapd 2.4.23 (Apr 12 2011 19:26:36) $
	mockbuild@x86-001.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
<= bdb_inequality_candidates: (entryCSN) not indexed
slapd starting
slap_client_connect: URI=ldap://ldap-master2.example.fr:389 Error,
ldap_start_tls failed (-1)
do_syncrepl: rid=101 rc -1 retrying
conn=1000 fd=12 ACCEPT from IP=10.1.92.25:47353 (IP=0.0.0.0:389)
conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=1000 op=0 STARTTLS
conn=1000 op=0 RESULT oid= err=0 text=
conn=1000 fd=12 TLS established tls_ssf=256 ssf=256
conn=1000 op=1 BIND dn="" method=163
conn=1000 op=1 BIND
authcid="email=max@example.fr,cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr"
authzid="email=max@example.fr,cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr"
conn=1000 op=1 BIND
dn="email=max@example.fr,cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr"
mech=EXTERNAL sasl_ssf=0 ssf=256
conn=1000 op=1 RESULT tag=97 err=0 text=
conn=1000 op=2 SRCH base="dc=example,dc=fr" scope=2 deref=0
filter="(objectClass=*)"
conn=1000 op=2 SRCH attr=* +
conn=1000 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=1000 op=3 UNBIND
conn=1000 fd=12 closed
Segmentation fault

The segfault happened when the second server tried to sync with the first one :

[root@ldap-master2 cacerts]# /usr/sbin/slapd -h  ldap:/// -u ldap -d256
@(#) $OpenLDAP: slapd 2.4.23 (Apr 12 2011 19:26:36) $
	mockbuild@x86-001.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
slapd starting
conn=1000 fd=12 ACCEPT from IP=10.1.92.24:55208 (IP=0.0.0.0:389)
conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=1000 op=0 STARTTLS
conn=1000 op=0 RESULT oid= err=0 text=
TLS: error: accept - force handshake failure: errno 2 - moznss error -5938
TLS: can't accept: TLS error -5938:Encountered end of file.
conn=1000 fd=12 closed (TLS negotiation failure)
^C
daemon: shutdown requested and initiated.
slapd shutdown: waiting for 0 operations/tasks to finish
slapd stopped.

Any idea?

NOTE: if I start the daemon on ldap-master2, it's ldap-master2 that
produces the segfault.

---
Olivier