by rsync 2030 days ago
"double encrypted SSL"

Not sure if serious ...

2 comments

Certain BYOD email suites use https encapsulation of another protocol (also using TLS) to ensure that the data can go through firewalls that do MITM attacks on clients for security reasons. Bluecoat do this for example.

I believe they also certificate pin the tunneled protocol.

I think they mean that AWS acts as a proxy and only terminates the outer layer.

Wouldn't it be pretty easy to fingerprint a TLS session that always starts with another TLS handshake?

Well, not easily, because once the outer TLS has been set up, you can't see the contents of the second TLS handshake. You could maybe deduce it via packet sizes and timings, but certainly not pretty easily.
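The point made in the last two comments, as an added example that is not part of the original thread: a parser for the TLS record layer showing what an on-path observer can read once the inner handshake travels inside the outer session. The byte stream is constructed, `protect()` is a hypothetical stand-in that emits random bytes instead of real AEAD output, and the 17-byte overhead assumes a TLS 1.3 AEAD suite with no padding (1 inner content-type byte plus a 16-byte tag).

```python
import os
import struct

# TLS record content types (RFC 8446, section 5.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def record(content_type, payload, version=0x0303):
    """Build one TLS record: 1-byte type, 2-byte version, 2-byte length, payload."""
    return struct.pack("!BHH", content_type, version, len(payload)) + payload

def observer_view(stream):
    """Return (type, length) per record: all an observer without keys can read."""
    view, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header")
        ctype, _version, length = struct.unpack_from("!BHH", stream, offset)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype}")
        if offset + 5 + length > len(stream):
            raise ValueError("truncated record body")
        view.append((CONTENT_TYPES[ctype], length))
        offset += 5 + length
    return view

def protect(inner_bytes, overhead=17):
    """Hypothetical stand-in for outer record protection (not real encryption):
    random bytes of the plaintext length plus the assumed AEAD overhead."""
    return record(23, os.urandom(len(inner_bytes) + overhead))

def build_sample_stream():
    """Constructed client-to-server bytes: outer ClientHello, then the inner
    ClientHello carried as protected application data of the outer session."""
    outer_hello = record(22, os.urandom(200))   # cleartext outer handshake
    inner_hello = record(22, os.urandom(180))   # 5-byte header + 180 = 185 bytes
    return outer_hello + protect(inner_hello)

if __name__ == "__main__":
    for name, length in observer_view(build_sample_stream()):
        print(f"{name:<18} {length} bytes")
```

The inner handshake's content type (22) never appears on the wire; only the outer record's type 23 and a length that tracks the inner record's size are visible, which is the size signal the comment refers to.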