Ambiguous SSL/TLS error messages from slapd
- To: openldap-software@openldap.org
- Subject: Ambiguous SSL/TLS error messages from slapd
- From: Steve Polyack <korvus@comcast.net>
- Date: Wed, 10 Feb 2010 11:28:37 -0500
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.7) Gecko/20100111 Lightning/1.0b1 Thunderbird/3.0.1
I've noticed that some of the error messages presented by slapd can be
quite ambiguous in nature. For example, if TLSCertificateKeyFile is
specified in slapd.conf, yet is not readable by the user slapd runs as,
the following error is observed:
2010 Feb 5 10:52:34 -08:00 host [slapd][6261] [local4] [debug]
slapd[6261]: @(#) $OpenLDAP: slapd 2.3.43 (Feb 5 2010 10:47:47) $
root@host:/usr/obj/usr/ports/net/openldap23-server/work/openldap-2.3.43/servers/slapd
2010 Feb 5 10:52:34 -08:00 host [slapd][6261] [local4] [debug]
slapd[6261]: main: TLS init def ctx failed: -1
2010 Feb 5 10:52:34 -08:00 host [slapd][6261] [local4] [debug]
slapd[6261]: slapd stopped.
2010 Feb 5 10:52:34 -08:00 host [slapd][6261] [local4] [debug]
slapd[6261]: connections_destroy: nothing to destroy.
For reference, this is on FreeBSD 7.2-RELEASE, base OpenSSL v0.9.8e.
Looking briefly at the code, this error message is returned when
ldap_pvt_init_def_ctx() fails. I'm not sure which OpenSSL SSL_*
function call fails within this function, however I do notice that the
only call made to an OpenSSL library's ERR_* function is if the initial
SSL_CTX_new() method fails.
Am I looking at this wrong altogether, or is it simply a question of my
slapd loglevel not being high enough or not including TLS errors? It will
indeed typically list TLS negotiation failures.
Thanks
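The failure described in the post (a TLSCertificateKeyFile that the slapd user cannot read, reported only as "TLS init def ctx failed: -1") can be caught before slapd is started. The following preflight script is an added example for this page; it is not from the post or from the OpenLDAP project. It reads the TLS* file directives out of a slapd.conf and tests that each named file is readable, optionally as the slapd service user via sudo(8) (an assumption: substitute `su -m user -c` on a FreeBSD host without sudo). The script name and function names are hypothetical.

```shell
#!/bin/sh
# slapd_tls_preflight.sh (hypothetical name): report which TLS file slapd
# would fail on, instead of the bare "TLS init def ctx failed: -1".
#
# Usage: slapd_tls_preflight /path/to/slapd.conf [service-user]
# Run it WITH the service user argument when you are root: root can read
# everything, so a plain test -r as root proves nothing about slapd's access.

tls_directive_value() {
    # Print the value of directive $2 from config $1. Directives are
    # case-insensitive and the last occurrence wins, as in slapd; surrounding
    # double quotes are stripped from the value.
    awk -v n="$2" '
        tolower($1) == tolower(n) { v = $2 }
        END { gsub(/^"|"$/, "", v); if (v != "") print v }
    ' "$1"
}

check_readable() {
    # $1 = file, $2 = optional user to test as. Assumes sudo(8) is present
    # and permits the caller to run test(1) as that user.
    if [ -n "$2" ]; then
        sudo -u "$2" test -r "$1"
    else
        test -r "$1"
    fi
}

slapd_tls_preflight() {
    # Returns 0 if every configured TLS file is readable, 1 otherwise.
    pf_conf=$1; pf_user=$2; pf_rc=0
    for pf_d in TLSCACertificateFile TLSCertificateFile TLSCertificateKeyFile; do
        pf_v=$(tls_directive_value "$pf_conf" "$pf_d")
        if [ -z "$pf_v" ]; then
            continue          # directive not set; slapd skips it too
        fi
        if check_readable "$pf_v" "$pf_user"; then
            echo "ok:   $pf_d $pf_v"
        else
            echo "FAIL: $pf_d $pf_v is not readable${pf_user:+ by $pf_user}" >&2
            pf_rc=1
        fi
    done
    return $pf_rc
}

slapd_tls_pem_check() {
    # Optional second step, needs openssl(1): confirm the certificate and key
    # parse as PEM and belong together. Assumes an RSA key (the common case on
    # OpenSSL 0.9.8); this is a separate cause of the same -1 return.
    pc_cert=$(tls_directive_value "$1" TLSCertificateFile)
    pc_key=$(tls_directive_value "$1" TLSCertificateKeyFile)
    openssl x509 -noout -in "$pc_cert" || return 1
    openssl rsa -noout -check -in "$pc_key" >/dev/null || return 1
    [ "$(openssl x509 -noout -modulus -in "$pc_cert")" = \
      "$(openssl rsa -noout -modulus -in "$pc_key")" ]
}

# Invoke only when called as a script with arguments.
if [ -n "${1:-}" ]; then
    slapd_tls_preflight "$@"
fi
```

Run it as `sh slapd_tls_preflight.sh /usr/local/etc/openldap/slapd.conf ldap` before restarting slapd; a non-zero exit names the offending directive and path. The readability test is deliberately done with the service user's credentials rather than by inspecting mode bits, so ACLs and parent-directory permissions are covered as well.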