I've just tested this scenario using the back-meta sources (and slap.h, sl_malloc.c) from HEAD. I also tried to add "tls start" to the back-meta configuration.
Unfortunately, the problem still persists. (But the workaround, setting LDAPTLS_..., still works.)
When I look at the debug outputs (at debug level 1), the first difference is in the SSL_connect messages. Only my workaround method is sending the "write certificate verify" to authenticate with the certificate, whereas it doesn't send this message without the workaround.
The output from the "good" request (with workaround) is:
-----------------------------------------------------------------------------------------
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server key exchange A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write certificate verify A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_int_sasl_open: host=localhost
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
-----------------------------------------------------------------------------------------
The output from the request without the workaround:
-----------------------------------------------------------------------------------------
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server key exchange A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_int_sasl_open: host=localhost
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 15
TLS trace: SSL3 alert write:warning:close notify
ldap_free_connection: actually freed
-----------------------------------------------------------------------------------------
Regards, Manuel
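
The difference described in the message above can be checked mechanically. The following is an added example, not part of the original message or of OpenLDAP: it parses the client-side handshake trace lines and reports whether the client answered the server's certificate request with a CertificateVerify, the message that proves possession of the private key. The function names and status labels are hypothetical; the trace lines are the ones quoted above.

```python
import re

# OpenSSL state-trace lines as libldap prints them at debug level 1.
TRACE_RE = re.compile(r"TLS trace: SSL_connect:SSLv3 (read|write) (.+?)(?: [A-Z])?$")

# Client-side traces copied from the two requests quoted in the message above.
WITH_WORKAROUND = """\
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write certificate verify A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
"""
WITHOUT_WORKAROUND = WITH_WORKAROUND.replace(
    "TLS trace: SSL_connect:SSLv3 write certificate verify A\n", "")


def handshake_steps(log_text):
    """Return (direction, message) pairs for every handshake trace line."""
    steps = []
    for line in log_text.splitlines():
        m = TRACE_RE.search(line.strip())
        if m:
            steps.append((m.group(1), m.group(2)))
    return steps


def client_cert_status(log_text):
    """Classify client-certificate authentication in one handshake trace."""
    steps = handshake_steps(log_text)
    if ("read", "server certificate request") not in steps:
        return "not-requested"
    if ("write", "certificate verify") in steps:
        # CertificateVerify is the signature proving possession of the key.
        return "authenticated"
    if ("write", "client certificate") in steps:
        # Certificate message without CertificateVerify: key never proven.
        return "certificate-not-proven"
    return "no-certificate-message"


if __name__ == "__main__":
    for name, trace in (("with workaround", WITH_WORKAROUND),
                        ("without workaround", WITHOUT_WORKAROUND)):
        print(f"{name}: {client_cert_status(trace)}")
```

A "certificate-not-proven" result on a connection that is expected to use certificate authentication is the condition to alert on when reviewing proxy-to-backend TLS logs.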