Use case for me is Cloudflare's "Authenticated Origin Pulls", in which Cloudflare authenticates itself to the origin server using client certificates. Thus the origin server can ensure that it only accepts traffic through Cloudflare, without resorting to IP whitelists.

We'll need to update the configure script to check for OpenSSL and conditionally build this. Ekam users will need to add -DKJ_HAS_OPENSSL to their CXXFLAGS if they've arranged to link against the correct libs.