My N-WAY replication works properly with a "bindmethod=simple".
However, I don't like keeping a password in the clear in a configuration file, so I tried this:
On server "ldap-master1.example.fr":

    TLSVerifyClient allow
    syncrepl rid=101
        provider=ldap://ldap-master2.example.fr:389
        searchbase="dc=example,dc=fr"
        schemachecking=on
        type=refreshOnly
        interval=00:00:01:00
        retry="10 +"
        bindmethod=sasl
        saslmech=EXTERNAL
        starttls=critical
        tls_cert=/etc/openldap/cacerts/master1/server.crt
        tls_key=/etc/openldap/cacerts/master1/server.key
        tls_cacert=/etc/openldap/cacerts/CA.crt
        tls_reqcert=demand
On server "ldap-master2.example.fr":

    TLSVerifyClient allow
    syncrepl rid=201
        provider=ldap://ldap-master1.example.fr:389
        searchbase="dc=example,dc=fr"
        schemachecking=on
        type=refreshOnly
        interval=00:00:01:00
        retry="10 +"
        bindmethod=sasl
        saslmech=EXTERNAL
        starttls=critical
        tls_cert=/etc/openldap/cacerts/master2/server.crt
        tls_key=/etc/openldap/cacerts/master2/server.key
        tls_cacert=/etc/openldap/cacerts/CA.crt
I get a segmentation fault:

    ldap-master1 #$ /usr/sbin/slapd -h ldap:/// -u ldap -d256
    @(#) $OpenLDAP: slapd 2.4.23 (Apr 12 2011 19:26:36) $
            mockbuild@x86-001.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
    bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
    <= bdb_inequality_candidates: (entryCSN) not indexed
    slapd starting
    slap_client_connect: URI=ldap://ldap-master2.example.fr:389 Error, ldap_start_tls failed (-1)
    do_syncrepl: rid=101 rc -1 retrying
    conn=1000 fd=12 ACCEPT from IP=10.1.92.25:47353 (IP=0.0.0.0:389)
    conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
    conn=1000 op=0 STARTTLS
    conn=1000 op=0 RESULT oid= err=0 text=
    conn=1000 fd=12 TLS established tls_ssf=256 ssf=256
    conn=1000 op=1 BIND dn="" method=163
    conn=1000 op=1 BIND authcid="email=max@example.fr,cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr" authzid="email=max@example.fr,cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr"
    conn=1000 op=1 BIND dn="email=max@example.fr,cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr" mech=EXTERNAL sasl_ssf=0 ssf=256
    conn=1000 op=1 RESULT tag=97 err=0 text=
    conn=1000 op=2 SRCH base="dc=example,dc=fr" scope=2 deref=0 filter="(objectClass=*)"
    conn=1000 op=2 SRCH attr=* +
    conn=1000 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
    conn=1000 op=3 UNBIND
    conn=1000 fd=12 closed
    Erreur de segmentation
The segfault happened when the second server tried to sync with the first one:

    [root@ldap-master2 cacerts]# /usr/sbin/slapd -h ldap:/// -u ldap -d256
    @(#) $OpenLDAP: slapd 2.4.23 (Apr 12 2011 19:26:36) $
            mockbuild@x86-001.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
    bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
    slapd starting
    conn=1000 fd=12 ACCEPT from IP=10.1.92.24:55208 (IP=0.0.0.0:389)
    conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
    conn=1000 op=0 STARTTLS
    conn=1000 op=0 RESULT oid= err=0 text=
    TLS: error: accept - force handshake failure: errno 2 - moznss error -5938
    TLS: can't accept: TLS error -5938:Encountered end of file.
    conn=1000 fd=12 closed (TLS negotiation failure)
    ^C
    daemon: shutdown requested and initiated.
    slapd shutdown: waiting for 0 operations/tasks to finish
    slapd stopped.
Any idea?
NOTE: if I start the daemon on ldap-master2, it is ldap-master2 that produces the segfault.
--- Olivier
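Added example, not part of Olivier's post and not OpenLDAP project code: a small Python parser for the `slapd -d256` stats output quoted above. It groups the log by connection and reports, for each inbound connection, whether StartTLS completed, which SASL mechanism and identity the peer bound with, and how the connection ended; it also picks out the consumer-side `slap_client_connect` errors. Run over the two logs it makes the asymmetry visible without reading the raw lines: master1's inbound connection completes a SASL EXTERNAL bind over TLS and closes normally (the segfault itself is not a log line and is not something this parser can explain), while master2's inbound connection never gets past the TLS handshake. The sample inputs are shortened excerpts of the logs in the post; the regexes assume the default 2.4 stats log format.

```python
"""Summarise slapd -d256 (stats) output per connection.

Added example; not from the original post or from OpenLDAP.  It reads the
kind of log shown above and reports, per inbound connection, the peer,
StartTLS state, SASL bind mechanism/identity and close reason, plus any
consumer-side syncrepl/StartTLS errors.  Needs Python 3.8+ (walrus operator).
"""
import re
from dataclasses import dataclass, field

# Line shapes of the 2.4 stats log (assumed from the post's output).
CONN_RE = re.compile(r'^conn=(?P<conn>\d+) (?P<rest>.*)$')
ACCEPT_RE = re.compile(r'ACCEPT from IP=(?P<ip>[\d.]+):\d+')
BIND_RE = re.compile(r'op=\d+ BIND dn="(?P<dn>[^"]*)" mech=(?P<mech>\S+)')
AUTHC_RE = re.compile(r'op=\d+ BIND authcid="(?P<authcid>[^"]*)"')
CLOSED_RE = re.compile(r'fd=\d+ closed(?: \((?P<reason>[^)]*)\))?')
CLIENT_ERR_RE = re.compile(r'^slap_client_connect: URI=(?P<uri>\S+) Error, (?P<err>.*)$')


@dataclass
class Conn:
    conn_id: int
    peer: str = ""
    starttls: bool = False          # client sent the StartTLS extended op
    tls_established: bool = False   # server logged "TLS established"
    mech: str = ""                  # SASL mechanism of a completed bind
    authcid: str = ""               # identity taken from the client cert
    bind_dn: str = ""
    close_reason: str = "open"
    tls_errors: list = field(default_factory=list)


def parse_slapd_log(text):
    """Return ({conn_id: Conn}, [(uri, error), ...])."""
    conns, client_errors, last_conn = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if (m := CLIENT_ERR_RE.match(line)):
            client_errors.append((m['uri'], m['err']))
            continue
        # "TLS: ..." lines carry no conn id; attach them to the last connection seen.
        if line.startswith('TLS:') and last_conn is not None:
            last_conn.tls_errors.append(line)
            continue
        if not (m := CONN_RE.match(line)):
            continue
        rest = m['rest']
        c = conns.setdefault(int(m['conn']), Conn(int(m['conn'])))
        last_conn = c
        if (a := ACCEPT_RE.search(rest)):
            c.peer = a['ip']
        elif 'STARTTLS' in rest:
            c.starttls = True
        elif 'TLS established' in rest:
            c.tls_established = True
        elif (b := BIND_RE.search(rest)):
            c.mech, c.bind_dn = b['mech'], b['dn']
        elif (b := AUTHC_RE.search(rest)):
            c.authcid = b['authcid']
        elif (cl := CLOSED_RE.search(rest)):
            c.close_reason = cl['reason'] or 'normal'
    return conns, client_errors


def classify(c):
    """Short verdict for one connection."""
    if c.close_reason == 'TLS negotiation failure' or c.tls_errors:
        return 'starttls-failed'
    if c.mech == 'EXTERNAL' and c.tls_established:
        return 'sasl-external-ok'
    if c.mech:
        return 'bound-' + c.mech.lower()
    return 'no-bind'


def summarize(text):
    """Map conn_id -> verdict for every connection in the log."""
    conns, _ = parse_slapd_log(text)
    return {cid: classify(c) for cid, c in conns.items()}


# Shortened excerpts of the two logs quoted in the post.
MASTER1_LOG = """
slapd starting
slap_client_connect: URI=ldap://ldap-master2.example.fr:389 Error, ldap_start_tls failed (-1)
do_syncrepl: rid=101 rc -1 retrying
conn=1000 fd=12 ACCEPT from IP=10.1.92.25:47353 (IP=0.0.0.0:389)
conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=1000 op=0 STARTTLS
conn=1000 op=0 RESULT oid= err=0 text=
conn=1000 fd=12 TLS established tls_ssf=256 ssf=256
conn=1000 op=1 BIND dn="" method=163
conn=1000 op=1 BIND authcid="email=max@example.fr,cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr" authzid="email=max@example.fr,cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr"
conn=1000 op=1 BIND dn="email=max@example.fr,cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr" mech=EXTERNAL sasl_ssf=0 ssf=256
conn=1000 op=1 RESULT tag=97 err=0 text=
conn=1000 op=3 UNBIND
conn=1000 fd=12 closed
"""

MASTER2_LOG = """
slapd starting
conn=1000 fd=12 ACCEPT from IP=10.1.92.24:55208 (IP=0.0.0.0:389)
conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=1000 op=0 STARTTLS
conn=1000 op=0 RESULT oid= err=0 text=
TLS: error: accept - force handshake failure: errno 2 - moznss error -5938
TLS: can't accept: TLS error -5938:Encountered end of file.
conn=1000 fd=12 closed (TLS negotiation failure)
"""

if __name__ == '__main__':
    for name, log in (('ldap-master1', MASTER1_LOG), ('ldap-master2', MASTER2_LOG)):
        conns, errs = parse_slapd_log(log)
        print(name, 'consumer errors:', errs)
        for cid, c in conns.items():
            print(f'  conn={cid} peer={c.peer} tls={c.tls_established} '
                  f'mech={c.mech or "-"} authcid={c.authcid or "-"} '
                  f'closed={c.close_reason} -> {classify(c)}')
```

The parser is deliberately conservative: a `TLS:` line only becomes evidence against the most recently seen connection, and a connection is only called `sasl-external-ok` when both a `TLS established` line and a `mech=EXTERNAL` bind were logged for it, so a bind attempted without TLS would not be mistaken for a working certificate-based bind.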