In HTTP tunnelling using CONNECT method, when client and proxy communicates over plain HTTP (no TLS), the setup works at TCP layer. Client sends TCP segments to Proxy and Proxy forwards it to final server. As TCP segments are being blindly forwarded, proxy just acts as a hop between client and server providing just anonymisation by replacing client Ip with its own as source IP. Also, client can establish a secure with destination server using TLS (as TLS handshake packets will be forwarded by proxy to final server without interpretation).
However, what happens when connection between client and Proxy is itself encrypted using TLS i.e. the initial CONNECT method was sent on a secure channel. How will client do TLS handshake(client hello, server hello etc.) with the destination server. As I understand it, TLS is used to to encrypt application layer data. Does client prepare the client hello message and pass it as application layer payload to proxy over the TLS channel established with Proxy. Proxy then decrypts this client hello (as application layer payload) and forward it as TCP segment it to server i.e. proxy is relaying application layer data that it received from client as TCP segments to server?
Thank!!
