Rainer, There is a commercial apache-based reverse proxy in Switzerland (with substantial market share) which is able to use / create a client certificate _per_ session.
So the client connects to the RP, performs authentication. When creating the session serverside, the RP creates a client cert and fills it with information received from the client and binds this cert to the session. Then it connects to the backend and uses this dynamic client cert in the handshake. I realise this is way beyond what Apache is capable of doing. But when looking into the limitations of SSLProxy..., one might consider an architecture, that would allow this. Maybe not immediately, but sometime down the road. Best, Christian -- Seek simplicity, and distrust it. -- Alfred North Whitehead