Invention Grant
- Patent Title: Authentication of tunneled connections
- Patent Title (中): 隧道连接认证
- Application No.: US11050102
- Application Date: 2005-02-03
- Publication No.: US07661131B1
- Publication Date: 2010-02-09
- Inventor: Andrew Shaw, Michael Thomas McEwen, Karl Richard Burgess
- Applicant: Andrew Shaw, Michael Thomas McEwen, Karl Richard Burgess
- Applicant Address: US CA Santa Clara
- Assignee: Sun Microsystems, Inc.
- Current Assignee: Sun Microsystems, Inc.
- Current Assignee Address: US CA Santa Clara
- Agency: Osha • Liang LLP
- Main IPC: G06F9/00
- IPC: G06F9/00; G06F15/16; G06F17/00; G06F15/177; G06F15/17

Abstract:
Systems and methods are described for authentication of tunneled connections. A method includes establishing a first connection (CIO) from an inner agent to an outer agent including making a first TCP connection from the inner agent to the outer agent, negotiating a first SSL/TLS session (SSLSessionIO) between the inner agent and the outer agent over the first TCP connection and applying the first SSL/TLS session (SSLSessionIO) between the inner agent and the outer agent over the first TCP connection; establishing a second connection (CCO) from a client to the outer agent including making a second TCP connection from the client to the outer agent, negotiating a second SSL/TLS session (SSLSessionCO) between the client and the outer agent over the second TCP connection and applying the second SSL/TLS session (SSLSessionCO) between the client and the outer agent over the second TCP connection; and then negotiating a third SSL/TLS session (SSLSessionCI) between the client and the inner agent via both the first SSL/TLS session (SSLSessionIO) and the second SSL/TLS session (SSLSessionCO) and applying the third SSL/TLS session (SSLSessionCI) between the client and the inner agent layered over both the first SSL/TLS session (SSLSessionIO) and the second SSL/TLS session (SSLSessionCO), wherein negotiating the second SSL/TLS session (SSLSessionCO) includes verifying at the outer agent that the client possesses a certificate signed with a certificate associated with the inner agent.