Hi, I was looking at this in a similar situation in IO::Socket::SSL GTk2 server and multiple clients, and I'll mention it just to help shed light on WHY the error may be happening. As the expert noxxi pointed out in the comments, the ssh_context $ctx is useful when having multiple clients. In my testing, I would get your same error about "needing a read first" when the ssh handshake failed, as when trying to connect with a non-ssl enabled client. Look at my code there. Applying an individual context to your forks may narrow down why the handshake fails, or whatever happens. Hope it helps, and this code is pretty much what the examples of IO::Socket::SSL do.

 my $server = IO::Socket::SSL->can_ipv6 ->new(
    Listen => 5,
    LocalAddr => $address,
    Reuse => 1,
    timeout => .1
) or die "failed to create SSL server at $address : $!";

my $ctx = IO::Socket::SSL::SSL_Context->new(
    SSL_server => 1,              
    SSL_cert_file => './host.crt',
    SSL_key_file  => './host.key',
    SSL_verify_mode => 0x00,  #SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO
+_PEER_CERT
    ) or die "cannot create context: $SSL_ERROR";

# in your forked child start the ssl with the $ctx context
 # test for SSL connection, if not close client
     IO::Socket::SSL->start_SSL($client, SSL_server => 1, SSL_reuse_ct
+x => $ctx) or do {
         warn "ssl handshake failed: $SSL_ERROR\n";
         my $peerAddress = $client->peerhost();
         my $peerPort = $client->peerport();
         warn "bad incoming from $peerAddress $peerPort\n";
[download]