1. Assume that the replication server does not have a valid certificate.
2. Set up replication with ads-replUseTls=true and ads-replStrictCertValidation=true.
I think in that case the connection should always fail!
The first connect to that server will really fail with InvalidConnectionException, but the next time ReplicationConsumerImpl reconnects, it will ignore startTLS and it will successfully connect over TCP!
The problem is caused by the ReplicationConsumerImpl implementation:
The first time, the startTls() method fails, but on reconnect it's not called because connection is not null.
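
The fail-open reconnect pattern described in this report, next to a fail-closed variant, as an added example that is not part of the original report and is not ApacheDS code. `Conn`, `connectFailOpen` and `connectFailClosed` are hypothetical names, and the model assumes the peer's certificate never validates.

```java
// Added illustration: hypothetical model of the reported pattern, not ApacheDS source.
public class ReconnectTlsDemo {
    /** Stand-in for an LDAP connection; the peer's certificate is assumed invalid. */
    static class Conn {
        boolean tcpOpen, tls;
        void open() { tcpOpen = true; }
        void close() { tcpOpen = false; tls = false; }
        void startTls() { throw new IllegalStateException("certificate validation failed"); }
    }

    static Conn conn; // survives a failed attempt, like a field on the consumer

    /** Reported pattern: StartTLS runs only when the connection object is first created. */
    static boolean connectFailOpen() {
        if (conn == null) {
            conn = new Conn();
            conn.open();
            conn.startTls(); // throws on attempt 1, but conn stays non-null
        } else if (!conn.tcpOpen) {
            conn.open();
        }
        return conn.tls; // whether the session is actually protected
    }

    /** Fail-closed: each attempt completes StartTLS or leaves no usable connection. */
    static boolean connectFailClosed() {
        Conn c = new Conn();
        c.open();
        try {
            c.startTls();
        } catch (RuntimeException e) {
            c.close();   // drop the plaintext channel
            conn = null; // force a full handshake on the next attempt
            throw e;
        }
        conn = c;
        return true;
    }

    public static void main(String[] args) {
        try { connectFailOpen(); } catch (RuntimeException e) { System.out.println("attempt 1: " + e.getMessage()); }
        System.out.println("attempt 2: tcpOpen=" + conn.tcpOpen + " tls=" + connectFailOpen());
        conn = null;
        for (int i = 1; i <= 2; i++) {
            try { connectFailClosed(); } catch (RuntimeException e) { System.out.println("fail-closed attempt " + i + ": " + e.getMessage()); }
        }
        System.out.println("usable connection after fail-closed attempts: " + (conn != null));
    }
}
```

In the fail-open path the second attempt reports `tcpOpen=true tls=false`, which is the plaintext session the report describes; the fail-closed path raises on every attempt and leaves `conn` null.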