Steve, I agree:
This error gets printed with "-1" under too many conditions. Just look at: libraries/libldap/tls2.c::ldap_pvt_tls_set_option()
RC Return Code -1 could happen in about a dozen places.
I think we need to take a two step approach to fixing this:
1) Long term, implement OpenSSL's err(3) 2) Short term, in servers/slapd/main.c:
Debug( LDAP_DEBUG_ANY, "main: TLS init def ctx failed: %d\n", rc, 0, 0 );
We should change / append to this to clarify:
if (rc < 0) Debug( LDAP_DEBUG_ANY, "main: something has gone terribly wrong in creation of the SSL data structure. Check filesystem permissions, ownership bits, ACLs, configuration file paths. Resort to strace(1)/ktrace(1) debugging.\n",rc,0,0);
if (rc > 0) Debug( LDAP_DEBUG_ANY, "main: something has gone wrong in creation of the SSL socket data structure. Please check the OpenSSL error code above against: /usr/include/openssl/ssl until we err(3) support\n",rc,0,0);
I will submit a patch.
~BAS