I presume you were only sending the signals to the main process. Right?
So it sends RST 0.01ms after it received the final ACK of the TCP
handshake. My theory is that it is caused by the listening socket
being momentarily closed in the middle of the TCP handshake, i.e.,
before the kernel informs the userspace (stunnel in this case) about
the newly established TCP connection.

The solution would require identifying the listening sockets defined
both in the old and the new configuration file (i.e. before and after
the reload), and caching the file descriptors instead of reopening
them. This would introduce a relatively complex (and thus
error-prone) piece of code just to enable accepting new connections
during the configuration file reload.

I might only consider implementing this for a paying customer.
According to my theory this is because the userspace never gets
notified about this half-established connection.

Best regards,
Mike

Correct.
I think you are right.

I thought the tcp connection was established during the call to accept().
Because of this I concentrated my research around that call and I simply
could not understand why none of the traces put around it were triggered.

Well, that's because the situation is happening when the program loops
somewhere else, most likely in daemon_loop. For instance, after receiving a
signal or after accepting one connection. Because the socket is still
listening, the OS lets a new tcp connection come in. If a sighup signal is
about to be pulled from signal_pipe, it is entirely possible the socket
gets closed right after the new tcp connection is established and before it
can be accept()ed by the program. The socket is closed without checking if
there are pending connections. And so there can't be any indication of that
in the log.

Note I am not making any claim that situation could or should be detected.
I was mostly interested in understanding .

Thanks for your input!

This is not how BSD sockets work. The interface between applications
and the kernel resembles function calls, but kernel is nothing like a
library. When you call listen(2), the TCP state machine in the kernel
starts accepting new connections. The kernel keeps an internal
backlog queue of the *successfully established connections*. The size
of this queue is specified as the second parameter of listen(2). A
file descriptor of a newly established connection can then be read
from the backlog queue with accept(2). The simplest way to wait for a
new connection is to execute a blocking accept(2). This is however
*not* the way stunnel does it. Instead, stunnel awaits incoming
connections on multiple accepting sockets using poll(2), and only then
it retrieves the file descriptors of the newly established connections.

Normally, accepting a new connection works as follows:
(initial connection state: closed)
- The kernel receives a SYN packet.
- The kernel sends the SYN+ACK reply.
(new connection state: half-open)
- The kernel receives the final ACK packet.
(new connection state: open)
- The kernel signals that a new connection is available on the
listening socket.
- stunnel function poll(2) returns indicating a new open connection.
- stunnel retrieves the file descriptor with accept(2).

In your case:
(initial connection state: closed)
- The kernel receives a SYN packet.
- The kernel sends the SYN+ACK reply.
(new connection state: half-open)
- stunnel closes the listening socket, invalidating any half-open
connections.
(new connection state: closed)
- The kernel receives the final ACK packet.
- The kernel sends back RST, because the ACK packet does not match
any connection known to the kernel's TCP state machine.

I guess the part that confused you is that the server's TCP handshake
is only complete after *receiving* the final ACK, while the client's
TCP handshake is complete after *sending* the final ACK.
Consequently, while your client reports the connection as opened and
quickly reset, the server's connection is never opened (the server's
handshake is never completed).

Best regards,
Mike