This patch should fix the spurious connection drops that fail jobs
as reported in bug #888.
Apply it to version 2.0.3 (possibly earlier versions of 2.0) with:

  cd <bacula-source>
  patch -p0 <2.0.3-tls-disconnect.patch
  make
  ...
  make install

Index: src/lib/tls.c
===================================================================
--- src/lib/tls.c	(revision 4668)
+++ src/lib/tls.c	(working copy)
@@ -540,14 +540,6 @@
     * The first time to initiate the shutdown handshake, and the second to
     * receive the peer's reply.
     *
-    * However, it is valid to close the SSL connection after the initial
-    * shutdown notification is sent to the peer, without waiting for the
-    * peer's reply, as long as you do not plan to re-use that particular
-    * SSL connection object.
-    *
-    * Because we do not re-use SSL connection objects, I do not bother
-    * calling SSL_shutdown a second time.
-    *
     * In addition, if the underlying socket is blocking, SSL_shutdown()
     * will not return until the current stage of the shutdown process has
     * completed or an error has occured. By setting the socket blocking
@@ -560,6 +552,10 @@
    flags = bnet_set_blocking(bsock);
 
    err = SSL_shutdown(bsock->tls->openssl);
+   if (err == 0) {
+      /* Finish up the closing */
+      err = SSL_shutdown(bsock->tls->openssl);
+   }
 
    switch (SSL_get_error(bsock->tls->openssl, err)) {
       case SSL_ERROR_NONE:
@@ -574,8 +570,6 @@
          break;
    }
 
-   /* Restore saved flags */
-   bnet_restore_blocking(bsock, flags);
 }
 
 /* Does all the manual labor for tls_bsock_readn() and tls_bsock_writen() */