diff --git a/CHANGES b/CHANGES
index 307584c..05dca31 100755
--- a/CHANGES
+++ b/CHANGES
@@ -12,6 +12,7 @@ Changes to proxytunnel version 1.8.0svn -- Sat Jan 19 04:42:11 CET 2008
 - Added remote proxy authentication (-R/--remproxyauth) (Dag Wieers)
 - Use REMPROXYUSER and REMPROXYPASS environment variables (Dag Wieers)
 - Pick up proxy settings from HTTP_PROXY env var (Mark)
+- Remote Proxy SSL (-X --encrypt-remproxy)
 
 Changes to proxytunnel version 1.8.0 -- Mon Dec 31 16:46:52 CET 2007
 
diff --git a/cmdline.c b/cmdline.c
index cc0bad1..22f9919 100644
--- a/cmdline.c
+++ b/cmdline.c
@@ -58,6 +58,7 @@ void cmdline_parser_print_help (void) {
 #ifdef USE_SSL
 " -e, --encrypt SSL encrypt data between local proxy and destination\n"
 " -E, --encrypt-proxy SSL encrypt data between client and local proxy\n"
+" -X, --encrypt-remproxy Encrypt between 1st and 2nd proxy using SSL\n"
 #endif
 "\n"
 "Additional options for specific features:\n"
@@ -129,6 +130,7 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 args_info->domain_given = 0;
 args_info->encrypt_given = 0;
 args_info->encryptproxy_given = 0;
+ args_info->encryptremproxy_given = 0;
 args_info->proctitle_given = 0;
 
 /* No... we can't make this a function... -- Maniac */
@@ -153,6 +155,7 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 args_info->standalone_arg = 0; \
 args_info->encrypt_flag = 0; \
 args_info->encryptproxy_flag = 0; \
+ args_info->encryptremproxy_flag = 0; \
 args_info->proctitle_arg = NULL; \
 }
 
@@ -194,12 +197,13 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 { "quiet", 0, NULL, 'q' },
 { "encrypt", 0, NULL, 'e' },
 { "encrypt-proxy", 0, NULL, 'E' },
+ { "encrypt-remproxy",0,NULL, 'X' },
 { NULL, 0, NULL, 0 }
 };
 
- c = getopt_long (argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEq", long_options, &option_index);
+ c = getopt_long (argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEXq", long_options, &option_index);
 #else
- c = getopt( argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEq" );
+ c = getopt( argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEXq" );
 #endif
 
 if (c == -1)
@@ -360,6 +364,13 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 args_info->remproxyauth_arg = gengetopt_strdup (optarg);
 break;
 
+ case 'X': /* Turn on local to remote proxy SSL encryption */
+ args_info->encryptremproxy_flag = !(args_info->encryptremproxy_flag);
+ if( args_info->verbose_flag )
+ message("SSL local to remote proxy enabled\n");
+ break;
+
+
 case 'd': /* Destination host to built the tunnel to. */
 if (args_info->dest_given) {
 fprintf (stderr, "%s: `--dest' (`-d') option given more than once\n", PACKAGE);
diff --git a/cmdline.h b/cmdline.h
index 36a747d..2eccab7 100644
--- a/cmdline.h
+++ b/cmdline.h
@@ -46,6 +46,7 @@ struct gengetopt_args_info {
 int standalone_arg; /* Turn on stdalone (-a) on port */
 int encrypt_flag; /* Turn on SSL encryption (default=off). */
 int encryptproxy_flag; /* Turn on client to proxy SSL encryption (def=off).*/
+ int encryptremproxy_flag; /* Turn on local to remote proxy SSL encryption (def=off).*/
 char *proctitle_arg; /* Override process title (default=off). */
 int help_given; /* Whether help was given. */
 int version_given; /* Whether version was given. */
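Review bot: The new `case 'X'` in cmdline_parser is compiled even when USE_SSL is undefined, while its help line (hunk -58) and the only code that acts on the flag (the http.c hunk) are both under `#ifdef USE_SSL`, so a non-SSL build accepts -X, reports "SSL local to remote proxy enabled" and then runs the proxy-to-proxy leg in cleartext; the same holds for the `X` added to both getopt strings in the preceding hunk. Unless -e/-E are deliberately handled the same way (their cases are outside this hunk), this case should refuse the option in non-SSL builds, e.g. `#ifndef USE_SSL` / `fprintf(stderr, "%s: --encrypt-remproxy requires SSL support\n", PACKAGE); exit(1);` / `#endif` at the top of the case. Because the flag is toggled rather than set, the verbose message is also misleading when -X is given twice; `if( args_info->verbose_flag && args_info->encryptremproxy_flag )` prints it only when the flag ends up on. `encryptremproxy_given` is zeroed in hunk -129 but never set to 1 here, unlike `dest_given` in the following case. cmdline_parser begins and ends outside this hunk.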
@@ -68,6 +69,7 @@ struct gengetopt_args_info {
 int header_given; /* Whether extra headers are given */
 int encrypt_given; /* Whether encrypt was given */
 int encryptproxy_given; /* Whether encrypt was given */
+ int encryptremproxy_given; /* Whether encrypt was given */
 int proctitle_given; /* Whether to override process title */
 };
 
diff --git a/http.c b/http.c
index 44574f3..f2f307d 100644
--- a/http.c
+++ b/http.c
@@ -157,6 +157,12 @@ void proxy_protocol(PTSTREAM *pts) {
 while ( strcmp( buf, "\r\n" ) != 0 )
 readline(pts);
 
+/* If --encrypt-remproxy is specified, connect to the remote proxy using SSL */
+#ifdef USE_SSL
+ if ( args_info.encryptremproxy_flag )
+ stream_enable_ssl(stunnel);
+#endif
+
 if( args_info.verbose_flag )
 message( "\nTunneling to %s (destination)\n", args_info.dest_arg );
 sprintf( buf, "CONNECT %s HTTP/1.0\r\n", args_info.dest_arg);
diff --git a/proxytunnel.c b/proxytunnel.c
index f840b23..a33ed91 100644
--- a/proxytunnel.c
+++ b/proxytunnel.c
@@ -359,10 +359,12 @@ int main( int argc, char *argv[] ) {
 }
 }
 
- /* Only one of -E (SSL encrypt client to proxy connection) or
- * -e (SSL encrypt tunnel data) can be specified. */
- if (args_info.encryptproxy_flag && args_info.encrypt_flag) {
- message("Error: only one of --encrypt-proxy and --encrypt can be specified for a tunnel\n");
+ /* Only one of -E/-e/-R can be specified. */
+ if ((args_info.encrypt_flag ? 1 : 0)
+ + (args_info.encryptproxy_flag ? 1 : 0)
+ + (args_info.encryptremproxy_flag ? 1 : 0) > 1)
+ {
+ message("Error: only one of --encrypt-proxy, --encrypt-remproxy and --encrypt can be specified for a tunnel\n");
 exit( 1 );
 }
 
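Review bot: The comment on the new `encryptremproxy_given` field was copied from the line above and names the wrong option; `int encryptremproxy_given; /* Whether encrypt-remproxy was given */` says what it actually tracks. Hunk -46 documents `encryptremproxy_flag` correctly, so only this line needs the change.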
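Review bot: `stream_enable_ssl(stunnel)` switches the global `stunnel` stream to SSL, while every other call visible in proxy_protocol goes through the `pts` parameter (`readline(pts)`), so if proxy_protocol is ever invoked on a stream other than `stunnel` the wrong connection gets wrapped; `stream_enable_ssl(pts)` keeps the function self-contained, assuming the two refer to the same stream here (not visible in the hunk). The result of stream_enable_ssl is also discarded: if that call can fail, the CONNECT for the destination that follows would go to the remote proxy in cleartext although the user asked for SSL, so its return value (if it reports one) should be checked and the tunnel aborted on failure rather than continuing. proxy_protocol begins and ends outside this hunk.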
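Review bot: The rewritten comment `/* Only one of -E/-e/-R can be specified. */` names -R, which the CHANGES hunk documents as --remproxyauth; the third flag in the new condition is -X (--encrypt-remproxy), so it should read `/* Only one of -E, -e and -X can be specified. */`. The error message below already lists the correct long option names. Since -E and -X encrypt different legs of the tunnel, a short note on why they are mutually exclusive would also help, as the old comment at least said what each flag meant. main continues before and after this hunk.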