Ian Pilcher wrote:

... and the (non-working) server-side stunnel configuration:

cert = /etc/stunnel/rsyncs_cert.pem
key = /etc/stunnel/private/rsyncs_key.pem
client = no
pid = /var/run/stunnel.pid
RNDfile = /var/run/stunnel/random_seed
foreground = yes
debug = debug
output = /var/run/stunnel/stunnel.log

exec = /usr/bin/rsync
execargs = rsync --daemon

Amazing how sending off the question gets the old brain cells working (or maybe it was the second cup of coffee).

The problem was "foreground = yes". Since xinet.d redirects stderr back over the network connection, the stunnel startup messages were going back to the client. For some reason, the client didn't think that was a proper SSL handshake. ;-)