> If I run ldapsearch from another machine which has another version of > openldap that is not 2.3.11 nor 2.3.10, then it works.
So this is against your 2.3.11 slapd, 2.3.11 ldapsearch -ZZ fails while <2.3.10 connects OK (2.3.11 server held constant)? Do you have identical ldap.conf and/or .ldaprc on the 2.3.11 machines, and of course identical file contents referenced? Also, your logs are from slapd -d -1 (which is a good debugging step), but you might want to try a ldapsearch -d -1 too so we can see the other side of the equation. The "telnet" seems to me a bad example, I'm pretty sure that will get "TLS: can't accept" in all situations. (Unless you know how to perform a TLS handshake by hand.)
