Automated Testing

Build an automated testing process to enable continuous integration of your hybrid cloud applications including z/OS

  • 1.  Connection via FTPS (TLS/SSL) fails

    Posted Tue March 25, 2014 01:40 PM

    We were trying to set up a connection to our RDT via FTPS (FTP with TLS/SSL), but the client fails to connect. In the z console log we get a handshake failure with the message

    BPXF024I (FTPD) ..   ftps 50397270 : FR0601 authClient: 38init failed with rc = 402 (No SSL cipher specifications)

    We checked the cipher suites specified in FTP.DATA, and there should definitely be a match with the cipher suites available on the client.

    So we switched on the trace log in the SSL server GSKSRVR using GSK_TRACE=0x0F - after that we found the following message in the trace log:

    03/21/2014-10:56:36 Thd-0   EDC5205S DLL module not found. 

    But it does not say which DLL is missing?!?

    The trace log continues with 

    03/21/2014-10:56:36 Thd-0 INFO crypto_init(): SHA-1 crypto assist is available
    03/21/2014-10:56:36 Thd-0 INFO crypto_init(): SHA-224 crypto assist is available
    03/21/2014-10:56:36 Thd-0 INFO crypto_init(): SHA-256 crypto assist is available
    03/21/2014-10:56:36 Thd-0 INFO crypto_init(): SHA-384 crypto assist is available
    03/21/2014-10:56:36 Thd-0 INFO crypto_init(): SHA-512 crypto assist is available
    03/21/2014-10:56:36 Thd-0 INFO crypto_init(): DES crypto assist is available
    03/21/2014-10:56:36 Thd-0 INFO crypto_init(): DES3 crypto assist is available
    03/21/2014-10:56:36 Thd-0 INFO crypto_init(): AES 128-bit crypto assist is available
    03/21/2014-10:56:36 Thd-0 INFO crypto_init(): AES 256-bit crypto assist is not available
    03/21/2014-10:56:36 Thd-0 INFO crypto_init(): ICSF services are not available

    It is unclear to me if the crypto algorithms are available now or not? We assume that our cipher suites require a crypto service that is unavailable on our system. If we use cipher suites with no encryption, the handshake succeeds, and we can connect without problems. So our IP and FTPS setup seems to be generally okay.

    How can we get (any) encryption to work? What is missing?

     

     

    unsavvy


  • 2.  Re: Connection via FTPS (TLS/SSL) fails

    Posted Tue March 25, 2014 02:23 PM

    Your problem is that the code is looking for the TLS 3 DLL and it can't find it on the host. TLS 3 crypto support is export restricted and thus is not included in the RD&T deliverable. We are exploring ways to make this code available.

     

    RDzJohn



  • 3.  Re: Connection via FTPS (TLS/SSL) fails

    Posted Tue March 25, 2014 03:29 PM

    Thank you for the quick response!

    I already had an idea that something like that might be the problem. So I tried to enable some weak encryption by configuring the SSL server to start in non-FIPS mode. Although this is documented to be the default, I did not get the expected log message until I had explicitly set

    GSK_FIPS_STATE=GSK_FIPS_STATE_OFF

    in /etc/gskssl/server/envar

    However, the problem during the handshake remained the same. :-(

    How can I achieve that FTPS uses any available encryption, however weak it may be? I really do not care, as it is just for a proof of concept!

     

    unsavvy
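
The trace quoted in the first post is hard to read because the crypto_init() records run together. As an added example (not code from the thread or from IBM), this Python script splits such a trace back into records and lists which entries it reports as available or not; the function name `summarize_trace` and the sample string, built from lines quoted in that post, are assumptions.

```python
import re

# Constructed sample: records quoted in the first post, run together the way
# the forum rendered them (a subset, to keep the example short).
SAMPLE_TRACE = (
    "03/21/2014-10:56:36 Thd-0   EDC5205S DLL module not found. "
    "03/21/2014-10:56:36 Thd-0 INFO crypto_init(): SHA-1 crypto assist is available"
    "03/21/2014-10:56:36 Thd-0 INFO crypto_init(): DES3 crypto assist is available"
    "03/21/2014-10:56:36 Thd-0 INFO crypto_init(): AES 128-bit crypto assist is available"
    "03/21/2014-10:56:36 Thd-0 INFO crypto_init(): AES 256-bit crypto assist is not available"
    "03/21/2014-10:56:36 Thd-0 INFO crypto_init(): ICSF services are not available "
)

# Every record starts with "MM/DD/YYYY-HH:MM:SS Thd-N"; split just before each.
RECORD_START = re.compile(r"(?=\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2} Thd-\d+)")
# "<name> crypto assist is [not] available" or "<name> services are [not] available"
ASSIST = re.compile(
    r"crypto_init\(\): (.+?) (?:crypto assist is|services are) (not available|available)$"
)
# Message ids shaped like EDC5205S: letters, digits, one trailing letter.
MESSAGE = re.compile(r"\b([A-Z]{3,4}\d{3,5}[A-Z])\s+(.*)$")


def summarize_trace(text):
    """Return available/unavailable crypto_init() entries and message ids."""
    summary = {"available": [], "unavailable": [], "messages": []}
    for record in RECORD_START.split(text):
        record = record.strip()
        if not record:
            continue
        assist = ASSIST.search(record)
        if assist:
            key = "available" if assist.group(2) == "available" else "unavailable"
            summary[key].append(assist.group(1))
            continue
        message = MESSAGE.search(record)
        if message:
            summary["messages"].append((message.group(1), message.group(2)))
    return summary


if __name__ == "__main__":
    result = summarize_trace(SAMPLE_TRACE)
    for key in ("messages", "unavailable", "available"):
        print(f"{key}: {result[key]}")
```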