Hi Mark,
I can confirm removing it from adm.conf prevents it working. Adding it back, it works
again.
Possibly there's another means that normally ensures the correct range is set for the
config DS connection?
The function returning the error that shows up in the log with the debug build is this
'ssl3_CheckRangeValidAndConstrainByPolicy' in 'nss/lib/ssl/sslsock.c'.
Following the call stack, ADMSSL_Init calls initNSS which in turn calls
SSL_VersionRangeSetDefault (again in 'nss/lib/ssl/sslsock.c'). This takes an
initial range as input and checks and constrains it (calling
ssl3_CheckRangeValidAndConstrainByPolicy which generates the error).
That initial range passed to SSL_VersionRangeSetDefault comes from the following in
initNSS:
range.min = admldapGetSSLMin(info);
range.max = admldapGetSSLMax(info);
Tracing back, that info was the AdmldapInfo constructed for the config connection which
came from adm.conf. So that was what led me to attempt adding the entries to adm.conf
which seemed to do the trick.
Hope that helps.
David