Just for the archives: I did define a lifetime for the encryption suites some time ago for a former configuration that once worked. Deleting these lifetimes and thus using the defaults now works. So, no actually wrong config but rather too much config ;)
Thanks for the personal replies!

-- tobias