SSL initialization and handshake

This topic describes the interactions between the Telnet server, Telnet SSL clients, and SSL at server startup, when the server certificate changes, and when a client connects.

Understanding what happens during SSL processing can help you determine at which stage a problem occurred.

What happens during SSL initialization?

The Telnet server attempts to initialize SSL every time the server is started. During initialization, the Telnet server checks the certificate information in the QIBM_QTV_TELNET_SERVER application. You can tell that SSL initialization succeeded when more than one active QTVTELNET job appears in the QSYSWRK subsystem. If the Number of server jobs to start field on the General page of the Telnet properties is set to 1, you see only one active QTVTELNET job whether or not SSL initialized; in that case check the QTVTELNET job log instead of relying on the job count.

The Telnet server does not initialize SSL when the telnet-ssl port is restricted. In that case the Telnet server sends message TCP2550, Access to port 992 is restricted, to the QTVTELNET job log and to the QSYSOPR message queue.

When the certificate is incorrect, initialization fails and the Telnet server sends message CPDBC nn (where nn varies with the specific error) to the QTVTELNET job log.

If no certificate, or only an expired certificate, is assigned to the QIBM_QTV_TELNET_SERVER application, the Telnet server can still initialize SSL successfully. The problem then shows up later: the SSL handshake fails when a client tries to connect, and the Telnet server sends message CPDBC nn to the QTVTELNET job log. In either case the job log is where the cause is recorded.

What happens during SSL reinitialization?

When the certificate assigned to the QIBM_QTV_TELNET_SERVER application is changed in Digital Certificate Manager (DCM), the Telnet server reinitializes SSL. This means that you can replace an expired certificate, or add or remove user certificates, and Telnet picks up the change automatically without a restart. The process is the same as SSL initialization. New Telnet SSL client sessions use the new certificate; Telnet SSL client sessions that are already established continue to use the original certificate until they end. After the Telnet server is ended and started again, all Telnet SSL client sessions use the new certificate.

If SSL reinitialization fails, established SSL sessions continue to use the original certificate that was initialized when the server started, and new sessions are blocked from connecting. The next time you start the Telnet server, SSL initialization fails; there is still an active SSL listener on port 992, but no new SSL connection succeeds until a change in DCM forces the Telnet server to reinitialize successfully. A listening port 992 therefore does not by itself prove that SSL is usable; only a completed handshake does.

What happens during SSL handshake?

An SSL handshake occurs when a Telnet SSL client connects to TCP port 992 and negotiates SSL with the server. While the client is connecting, it displays status numbers or messages in the status bar of its window.

If the SSL handshake fails, the Telnet session is not established; for example, no sign-on screen appears in the Telnet SSL client window. Consult the user guide or online help for your Telnet SSL client for the meaning of specific status numbers or messages. On the server side, the Telnet server sends message CPDBC nn to the QTVTELNET job log.
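The following script is an added example for this topic; it is not part of the IBM i documentation, the Telnet server, or any IBM i client. It checks from a workstation the two stages described above, for both the initialization and the handshake sections: the TCP connect to port 992 (is there an SSL listener at all?) and the SSL/TLS handshake (does the server present a usable, unexpired certificate?). It uses only the Python standard library. The host name ibmi.example.com is a placeholder, and the failure labels it reports (no-listener, unreachable, handshake, cert-problem) are this example's own, not IBM message identifiers. It does not read the QTVTELNET job log; use it alongside the job log, not instead of it.

```python
"""Probe an IBM i Telnet SSL listener (TCP port 992) from a client workstation.

Added example, not part of the IBM i documentation or the Telnet server itself.
Uses only the Python standard library. Host names here are placeholders.
"""
import json
import socket
import ssl
import sys
import time

TELNET_SSL_PORT = 992


def classify_failure(exc):
    """Map an exception raised during probe() to the stage where it occurred.

    Labels are this example's own, not IBM message identifiers:
      cert-problem  handshake reached the server certificate but the client
                    rejected it (expired, not yet valid, untrusted issuer)
      handshake     any other TLS failure, for example the server dropped the
                    connection because it has no usable certificate
      no-listener   TCP connect refused: nothing is listening on the port
                    (SSL never initialized, or the port is restricted)
      unreachable   connect timed out or the host could not be reached
    """
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert-problem"
    if isinstance(exc, ssl.SSLError):
        return "handshake"
    if isinstance(exc, ConnectionRefusedError):
        return "no-listener"
    if isinstance(exc, OSError):  # includes socket.timeout / TimeoutError
        return "unreachable"
    return "unknown"


def certificate_status(cert, now=None):
    """Return ('expired' or 'valid', whole days until notAfter) for a cert dict
    as returned by SSLSocket.getpeercert(). Its dates look like
    'May  9 00:00:00 2007 GMT', which ssl.cert_time_to_seconds() parses."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days = int((not_after - now) / 86400)
    return ("expired" if not_after < now else "valid", days)


def probe(host, port=TELNET_SSL_PORT, timeout=5, verify=True):
    """Two-stage check mirroring the topic: TCP connect (is there a listener?),
    then the TLS handshake (does the server present a usable certificate?)."""
    result = {"host": host, "port": port, "stage": "connect", "ok": False}
    ctx = ssl.create_default_context()
    if not verify:
        # Accept any certificate: shows whether the server completes the
        # handshake at all, but getpeercert() then returns no dates.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result.update(failure=classify_failure(exc), error=str(exc))
        return result
    result["stage"] = "handshake"
    try:
        # wrap_socket() on an already connected socket performs the handshake now.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            result.update(stage="ok", ok=True,
                          protocol=tls.version(), cipher=tls.cipher())
            cert = tls.getpeercert()
            if cert:
                status, days = certificate_status(cert)
                result.update(certificate=status, days_until_expiry=days,
                              not_after=cert["notAfter"])
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        result.update(failure=classify_failure(exc), error=str(exc))
    finally:
        raw.close()
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "ibmi.example.com"  # placeholder
    print(json.dumps(probe(target), indent=2, default=str))
```

Run it as python3 probe_telnet_ssl.py yourhost. A result with stage "connect" and failure "no-listener" matches the initialization failures above (SSL never started, or the port is restricted); stage "handshake" with a cert-problem or handshake failure matches a listener that is up but cannot complete the negotiation, which is exactly the state the topic describes after a failed reinitialization. If the server certificate was issued by an internal CA that your workstation does not trust, the default context reports cert-problem even when the certificate is valid; pass verify=False to see whether the server completes the handshake at all, accepting that the certificate dates are then not reported.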

Related tasks
Configure SSL on the Telnet server
Check the Telnet job log