xor

Reputation: 629

Is TLS over TLS possible?

Would it be possible to establish a TLS connection over TLS with OpenSSL or some other tool?

If possible, would the certificates for each level need to be different?

Upvotes: 7

Views: 3993

Answers (4)

Rage John

Reputation: 1

TLS over TLS is OK in theory, and some specially designed protocols have already made TLS over TLS a reality. The TLS algorithm does not care what you really want to encrypt; it sees any data stream equally and handles them all the same way, so it works.

Upvotes: 0

zhenyu li

Reputation: 181

The TLS RFC has confirmed this situation, and the answer is yes; please refer to this: https://www.rfc-editor.org/rfc/rfc5246. I couldn't find which part mentions this, but I remember having read it.

Upvotes: 0

Luke

Reputation: 3872

This should work just fine in theory, though I cannot say for sure whether OpenSSL or something would support it easily. You can technically use the same certificate for multiple TLS connections, even if one is nested inside another.

However, I want to point out that one common reason to nest TLS connections might be to tunnel data over a multi-layered encrypted connection, making some subset of the data available at each stop in the tunnel (i.e. peeling back a layer of the encryption). Using the same certificate doesn't really support that use case. Perhaps you've got another use case in mind.

Furthermore, it is cryptographically sound to encrypt encrypted data. That is, more encryption cannot make data less secure. Lastly, encrypting encrypted data alone will not make it more secure. That is, AES(AES(x,key1),key2) where key1 != key2 is not more (or less) secure than AES(x, key1). Just in case that was your motivation.

Upvotes: 9

James M

Reputation: 16718

TLS doesn't care what data you're sending and receiving, so it could well be another TLS session (though I've no idea why you'd want to do that).

Since it's another, independent session, there's no reason you wouldn't be able to use the same certificate.

Upvotes: 5
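None of the answers actually stacks the two layers, so here is an added example (mine, not code from the question or from any of the answers) that does it with Go's crypto/tls, which nests without any special support because a *tls.Conn is itself a net.Conn. It assumes an in-memory connection and two self-signed "localhost" certificates generated in-process; the names bufConn, tap, layer, mustLayer and nested are my own. It demonstrates James M's point that the inner session is independent and can reuse the same certificate (call nested(l, l, ...)), and Luke's point about peeling back one layer: what a hop that terminates only the outer session gets to hand upward is another TLS handshake followed by ciphertext, never the application data.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// bufConn is a minimal in-memory net.Conn with buffered writes, so the two TLS
// endpoints never block on each other (a synchronous net.Pipe would). Only Read
// and Write are real; the embedded nil net.Conn supplies the rest of the
// interface, which nothing in this example calls.
type bufConn struct {
	net.Conn
	rx, tx  chan []byte
	pending []byte
}

func (c *bufConn) Read(p []byte) (int, error) {
	for len(c.pending) == 0 {
		c.pending = <-c.rx
	}
	n := copy(p, c.pending)
	c.pending = c.pending[n:]
	return n, nil
}

func (c *bufConn) Write(p []byte) (int, error) {
	c.tx <- append([]byte(nil), p...)
	return len(p), nil
}

// tap records everything read through a net.Conn: what an observer at that layer sees.
type tap struct {
	net.Conn
	seen bytes.Buffer
}

func (t *tap) Read(p []byte) (int, error) {
	n, err := t.Conn.Read(p)
	t.seen.Write(p[:n])
	return n, err
}

// layer is a certificate plus the pool that trusts it; pass the same layer twice
// to reuse one certificate at both TLS levels.
type layer struct {
	cert tls.Certificate
	pool *x509.CertPool
}

// mustLayer generates a self-signed "localhost" certificate in memory (constructed
// test material); its only failure mode is a broken system RNG, hence the panic.
func mustLayer() layer {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER produced one line up; cannot fail to parse
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return layer{tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool}
}
func (l layer) server() *tls.Config { return &tls.Config{Certificates: []tls.Certificate{l.cert}} }
func (l layer) client() *tls.Config { return &tls.Config{RootCAs: l.pool, ServerName: "localhost"} }

// nested runs a TLS session inside another TLS session between two in-memory
// endpoints, echoes msg through both layers, and returns the reply together with
// the bytes a hop that terminates only the outer layer would see.
func nested(outer, inner layer, msg string) (reply string, hop []byte, err error) {
	a, b := make(chan []byte, 1024), make(chan []byte, 1024)
	hopTap := &tap{Conn: tls.Server(&bufConn{rx: a, tx: b}, outer.server())}
	innerSrv := tls.Server(hopTap, inner.server()) // a *tls.Conn is a net.Conn, so it nests
	errc := make(chan error, 1)
	go func() { // server side: the first Read drives both handshakes, then echo once
		buf := make([]byte, 512)
		n, err := innerSrv.Read(buf)
		if err == nil {
			_, err = innerSrv.Write(append([]byte("echo: "), buf[:n]...))
		}
		errc <- err
	}()
	innerCli := tls.Client(tls.Client(&bufConn{rx: b, tx: a}, outer.client()), inner.client())
	if _, err = innerCli.Write([]byte(msg)); err != nil { // Write drives both client handshakes
		return "", nil, err
	}
	buf := make([]byte, 512)
	n, err := innerCli.Read(buf)
	if err == nil {
		err = <-errc // also orders the server's reads before hopTap is inspected
	}
	if err != nil {
		return "", nil, err
	}
	return string(buf[:n]), hopTap.seen.Bytes(), nil
}

func main() {
	reply, hop, err := nested(mustLayer(), mustLayer(), "hello through two TLS layers")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%q; the outer hop saw %d bytes, first record type %#x\n", reply, len(hop), hop[0])
}
```

The hop's first byte is 0x16, a TLS handshake record: the outer server decrypts its own layer and finds the inner ClientHello, and everything after that is the inner session's ciphertext. The same holds in the other direction for whoever terminates the inner layer only. Go needs nothing special here because its TLS transport is just a net.Conn; a library that ties a TLS session directly to a file descriptor instead has to drive the inner session through an in-memory interface (OpenSSL's memory BIOs or a BIO pair), which is where "does OpenSSL support it easily" turns into real work.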
