Comment 6 for bug 1103353

Jouko Orava (joorava) wrote:

Correct. The workaround to avoid the crash is to use a strictly valid GnuTLS cipher suite string, for example "NORMAL" or "SECURE128" or "SECURE192" or "SECURE256".

In those rare cases where those existing defaults are not acceptable (due to security concerns, for example), the minimal "search.c" program I attached to #4 can be used to try to find a valid cipher suite string, connecting to an LDAP server (using ldap:// URI, and StartTLS). It also reports the cipher, mac, and kx achieved when the StartTLS is successful.

I'll see if I can report this upstream to openldap.org, too.