I hope it is OK to send this to both the hunchentoot and cl+ssl lists. I think it is relevant to both.
I've appended a test case in which I think I may have found the source of hunchentoot's problems with ssl and concurrency.
Code containing good and bad toy servers is attached at end of email.
Apologies in advance if this is way out in left field.
Here's my explanation - the comments in the code explain it in greater detail.
It appears that if you run a main listener thread and turn a client connection into an SSL socket using cl+ssl:make-ssl-server-stream within the main listener, and pass this ssl-socket to a child thread, then things work.
However, if you pass the raw socket to the child thread, and the child thread itself runs cl+ssl:make-ssl-server-stream, then SSL can fail and crash lisp if there are concurrent connections.
It seems that hunchentoot passes the job of running cl+ssl:make-ssl-server-stream to child threads, as described in the comments to the code.
I'd be interested if people agree with the diagnosis. I'm not really clear on what the broader repercussions of moving the initialization are, so I haven't patched hunchentoot. (plus I might not have more time for a while).
John