ct-lib-based clients enabling extended password encryption (CS_SEC_EXTENDED_ENCRYPTION=CS_TRUE) must set CS_SEC_NON_ENCRYPTION_RETRY = CS_TRUE to connect to ECDAs. The initial connection attempt using the encrypted password fails, but after you set CS_SEC_NON_ENCRYPTION_RETRY = CS_TRUE, ct-lib automatically resends the password as plain text.
