Has anyone tested this scenario with a number of stunnel clients and servers chained in a row with failover capability? The problem is that Stunnel in server mode accepts a connection and performs the SSL handshake before it checks if the connect endpoint is reachable.
This causes the downlink client peer to wrongly assume that the link is up, and therefore it would not try the alternative failover endpoint.
You will only observe this problem if you cascade several nodes in a row, e.g.:
Dummy TCP Client <-> Stunnel1 (client) <-> Stunnel2 (server) <-> Stunnel3 (client) <-> Dummy SSL Server
In this scenario, the dummy client connects to S1, S1 connects to S2 (SSL), and S2 tries to connect to S3, but since the Dummy SSL Server is down, S3 rejects. This rejection is not bouncing back to the Dummy Client because S2 has done the downlink handshake and therefore S1 assumes everything is OK.
So, the ultimate question is: how can we tell Stunnel to first try to connect to endpoints and then send a SYN-ACK back to the downlink TCP connection request? This way, a client sends a SYN to Stunnel, Stunnel holds the 3-way handshake, tries to connect to the uplink and completes the downlink handshake only if the uplink connection is OK.
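
The behaviour described in the post can be reproduced with plain TCP sockets. The following is an added example, not part of the original post and not stunnel code: a hypothetical one-shot relay stands in for S2 (no TLS), and all function names, ports and payloads are constructed for the illustration.

```python
import socket
import threading

def listen():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))   # loopback, OS-chosen port
    s.listen(1)
    return s

def relay_once(listener, upstream_addr):
    # Stand-in for S2: accept() returns only after the kernel has already
    # completed the downlink handshake; the uplink is tried afterwards.
    conn, _ = listener.accept()
    try:
        with socket.create_connection(upstream_addr, timeout=2) as up:
            conn.sendall(up.recv(64))
    except OSError:
        pass                   # uplink down: nothing left to do but close
    finally:
        conn.close()

def upstream_once(listener):
    conn, _ = listener.accept()
    conn.sendall(b"hello")     # constructed payload
    conn.close()

def probe(upstream_alive):
    """Return (connect_succeeded, first_read) as seen by the downlink client."""
    up = listen()
    up_addr = up.getsockname()
    if upstream_alive:
        threading.Thread(target=upstream_once, args=(up,), daemon=True).start()
    else:
        up.close()             # port now refuses connections
    relay = listen()
    t = threading.Thread(target=relay_once, args=(relay, up_addr), daemon=True)
    t.start()
    try:
        client = socket.create_connection(relay.getsockname(), timeout=2)
    except OSError:
        return (False, None)
    with client:
        first = client.recv(64)   # b"" means the relay closed without data
    t.join()
    relay.close()
    return (True, first)

if __name__ == "__main__":
    print(probe(False), probe(True))
```

In both cases the client's connect succeeds; the dead uplink only shows up as an immediate end-of-stream on the first read, which is why a failover decision based on connection success alone never triggers.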