ok, finaly fed up with that shut down thingabob. this _instantly_ closes our server sockets so no more new sessions can be established in first place.
I had the symptom figured: netcat an ssl port (without saying a word into it) and no shutdown would finish.
when the first warning message about "we're not shutting down but we want to" arives, walk all client contexts, and close their fd's.
we probably still would have issues with pop3 aggregators or RSS-clients hanging, we don't have a way to access their FD's so far, right?