I've just uploaded:

ftp://ftp.openldap.org/incoming/rhafer-Use-non-blocking-IO-during-SSL-Handshake-ITS-7428.dif

which tries to address the issue. If LDAP_OPT_NETWORK_TIMEOUT is set ldap_int_tls_start will switch to non-blocking IO and call ldap_int_tls_connect as often as needed unless it times out inbetween. Currently I have only tested this with openssl but AFAICS this should also work with the NSS and gnutls backends

Please review and comment.

Ralf