Okay... netscape's client works fine against slapd (ldaps://ldap.openldap.org). Tests of ldapsearch -x -H ldaps://host/ against openssl s_server -accept 636 -cert foo.pem -key foo.pem failed, leading me to believe ldapsearch -H ldaps://host/ is actually initiating an SSL_connect(). The StartTLS problems are apparently different. I'd appreciate help from OpenSSL-aware programmers!