Re: [Pgi-wg] Sec: Agreement on attribute transport mechanisms for AttrAuthZ

On Friday 27 March 2009 15:53, you wrote:
Hi,
(B)
I use an OpenSSL proxy to establish an OpenSSL-based proxy TLS connection (which included C) each hop creates new proxy-pair
TLS connection by itself can't create *new* proxy. One needs some additional way to do that.
Of course, so you do:
(1) Create a new proxy using OpenSSL
(2) using this proxy to create the TLS connection
Is that wrong?
That depends if TLS connection in next hop is going to be established using identity impersonation.
If yes, then step (1) can't be performed because previous step did not provide delegated credentials. (Or did it? Delegation is very tightly coupled here.)
If no, then credentials of service (or whatever is available) are used and step (1) is not necessary.

A.K.
participants (1)
-
Aleksandr Konstantinov