Full_Name: Mike Jackson
Version: 2.4.45
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (194.157.185.162)
Push replication via TLS fails to remote servers where the TCP/IP round-trip time is greater than 100ms. When the return packets finally arrive, the initiating server will close the connection with RST RST RST, which results in TLS NEGOTIATION FAILURE. If TLS is not used, then the high-latency connection will function normally and replication will occur.
The 100ms time limit comes from here:
servers/slapd/back-ldap/back-ldap.h: #define LDAP_BACK_RESULT_UTIMEOUT (100000)
Reference commit 112be0118e43c161d44de6e852cca9f517bb653d from 2005.
HYC: "Ando ported timeout code from back-meta into back-ldap but he never ported the config keyword that sets the timeout number of retries"
In addition, the back_ldap man page is not up to date.
My temporary workaround was to set LDAP_BACK_RESULT_UTIMEOUT (900000) (900ms) and recompile. Problem immediately went away, but this is not a correct approach and the retry counter should be runtime configurable.
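To make the failure mode concrete, here is an added stand-alone model (not OpenLDAP code) of a single result poll bounded by LDAP_BACK_RESULT_UTIMEOUT against a peer whose reply takes one RTT: the 100ms value gives up and resets the connection, while the 900ms workaround value lets the reply through. The loopback peer, the 300ms delay and the b"bind" payload are constructed for the demo; the real back-ldap loop re-polls a fixed number of times, which this model does not attempt to reproduce.

```python
import select
import socket
import struct
import threading


def _slow_peer(listener, delay_s):
    """Constructed peer: answers only after delay_s, modelling a high-RTT link."""
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(2)
        try:
            data = conn.recv(64)
            threading.Event().wait(delay_s)   # the round trip takes this long
            conn.sendall(data)
        except OSError:
            pass  # the initiator already gave up and reset the connection


def result_arrives_in_time(result_utimeout_us, rtt_ms):
    """Model one ldap_result()-style poll with timeout result_utimeout_us.

    Returns True if the peer's reply is readable before the poll timeout,
    False if the initiator would give up and RST the connection instead.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    peer = threading.Thread(target=_slow_peer, args=(listener, rtt_ms / 1000.0))
    peer.start()
    client = socket.create_connection(listener.getsockname())
    try:
        client.sendall(b"bind")
        readable, _, _ = select.select([client], [], [], result_utimeout_us / 1e6)
        if readable:
            return client.recv(64) == b"bind"
        # Timed out: SO_LINGER with zero timeout makes close() send RST,
        # matching the "RST RST RST" the report sees on the wire.
        client.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        return False
    finally:
        client.close()
        peer.join(timeout=3)
        listener.close()


if __name__ == "__main__":
    for utimeout in (100000, 900000):   # compiled-in value vs. the workaround
        print(utimeout, "us ->", result_arrives_in_time(utimeout, 300))
```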