Slightly ironic that SSH has features like reverse port forwarding and the built-in SOCKS proxy that allow easy circumvention of other network security schemes.
And doing the x509 fake-CA MITM type bullshit is harder with SSH than with SSL. (I've never actually seen an ssh proxy deployed in the wild; I've seen "you must log in via a bastion host on which we log/analyze/filter everything" used instead.)