TLS SSF does not imply a transport_ssf.

servers/slapd/syncrepl.c

@@ -312,15 +312,17 @@ do_syncrep1(
 	/* Set SSF to strongest of TLS, SASL SSFs */
 	op->o_sasl_ssf = 0;
 	op->o_tls_ssf = 0;
+	op->o_transport_ssf = 0;
 #ifdef HAVE_TLS
-	if ( ldap_get_option( si->si_ld, LDAP_OPT_X_TLS_SSL_CTX, &ssl ) == LDAP_SUCCESS &&
+	if ( ldap_get_option( si->si_ld, LDAP_OPT_X_TLS_SSL_CTX, &ssl )
-	     ssl != NULL ) {
+		== LDAP_SUCCESS && ssl != NULL )
+	{
 		op->o_tls_ssf = ldap_pvt_tls_get_strength( ssl );
 	}
 #endif /* HAVE_TLS */
 	ldap_get_option( si->si_ld, LDAP_OPT_X_SASL_SSF, &op->o_sasl_ssf );
-	op->o_transport_ssf = op->o_ssf = ( op->o_sasl_ssf > op->o_tls_ssf ) ?
+	op->o_ssf = ( op->o_sasl_ssf > op->o_tls_ssf )
-		op->o_sasl_ssf : op->o_tls_ssf;
+		?  op->o_sasl_ssf : op->o_tls_ssf;
 
 	/* get syncrepl cookie of shadow replica from subentry */
 	assert( si->si_rid < 1000 );