diff --git a/httpclient/src/main/java/org/apache/http/client/protocol/RequestAddCookies.java b/httpclient/src/main/java/org/apache/http/client/protocol/RequestAddCookies.java
index 96a386c26..38dd0097a 100644
--- a/httpclient/src/main/java/org/apache/http/client/protocol/RequestAddCookies.java
+++ b/httpclient/src/main/java/org/apache/http/client/protocol/RequestAddCookies.java
@@ -47,7 +47,8 @@ import org.apache.http.ProtocolException;
 import org.apache.http.client.CookieStore;
 import org.apache.http.client.methods.HttpUriRequest;
 import org.apache.http.client.params.HttpClientParams;
-import org.apache.http.conn.ManagedClientConnection;
+import org.apache.http.conn.HttpRoutedConnection;
+import org.apache.http.conn.routing.HttpRoute;
 import org.apache.http.cookie.Cookie;
 import org.apache.http.cookie.CookieOrigin;
 import org.apache.http.cookie.CookieSpec;
@@ -118,7 +119,7 @@ public class RequestAddCookies implements HttpRequestInterceptor {
         }
 
         // Obtain the client connection (required)
-        ManagedClientConnection conn = (ManagedClientConnection) context.getAttribute(
+        HttpRoutedConnection conn = (HttpRoutedConnection) context.getAttribute(
                 ExecutionContext.HTTP_CONNECTION);
         if (conn == null) {
             throw new IllegalStateException("Client connection not specified in HTTP context");
@@ -144,7 +145,21 @@ public class RequestAddCookies implements HttpRequestInterceptor {
         String hostName = targetHost.getHostName();
         int port = targetHost.getPort();
         if (port < 0) {
-            port = conn.getRemotePort();
+            HttpRoute route = conn.getRoute();
+            if (route.getHopCount() == 1) {
+                port = conn.getRemotePort();
+            } else {
+                // Target port will be selected by the proxy.
+                // Use conventional ports for known schemes
+                String scheme = targetHost.getSchemeName();
+                if (scheme.equalsIgnoreCase("http")) {
+                    port = 80;
+                } else if (scheme.equalsIgnoreCase("https")) {
+                    port = 443;
+                } else {
+                    port = 0;
+                }
+            }
         }
 
         CookieOrigin cookieOrigin = new CookieOrigin(
diff --git a/httpclient/src/main/java/org/apache/http/client/protocol/RequestClientConnControl.java b/httpclient/src/main/java/org/apache/http/client/protocol/RequestClientConnControl.java
index 1e48c2396..d6dfc3cbf 100644
--- a/httpclient/src/main/java/org/apache/http/client/protocol/RequestClientConnControl.java
+++ b/httpclient/src/main/java/org/apache/http/client/protocol/RequestClientConnControl.java
@@ -34,7 +34,7 @@ import org.apache.http.annotation.Immutable;
 import org.apache.http.HttpException;
 import org.apache.http.HttpRequest;
 import org.apache.http.HttpRequestInterceptor;
-import org.apache.http.conn.ManagedClientConnection;
+import org.apache.http.conn.HttpRoutedConnection;
 import org.apache.http.conn.routing.HttpRoute;
 import org.apache.http.protocol.ExecutionContext;
 import org.apache.http.protocol.HTTP;
@@ -69,7 +69,7 @@ public class RequestClientConnControl implements HttpRequestInterceptor {
         }
 
         // Obtain the client connection (required)
-        ManagedClientConnection conn = (ManagedClientConnection) context.getAttribute(
+        HttpRoutedConnection conn = (HttpRoutedConnection) context.getAttribute(
                 ExecutionContext.HTTP_CONNECTION);
         if (conn == null) {
             throw new IllegalStateException("Client connection not specified in HTTP context");
diff --git a/httpclient/src/main/java/org/apache/http/conn/HttpRoutedConnection.java b/httpclient/src/main/java/org/apache/http/conn/HttpRoutedConnection.java
new file mode 100644
index 000000000..c778ca1a5
--- /dev/null
+++ b/httpclient/src/main/java/org/apache/http/conn/HttpRoutedConnection.java
@@ -0,0 +1,78 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.http.conn;
+
+import javax.net.ssl.SSLSession;
+
+import org.apache.http.HttpInetConnection;
+import org.apache.http.conn.routing.HttpRoute;
+
+/**
+ * Interface to access routing information of a client side connection.
+ *
+ * @since 4.1
+ */
+public interface HttpRoutedConnection extends HttpInetConnection {
+
+    /**
+     * Indicates whether this connection is secure.
+     * The return value is well-defined only while the connection is open.
+     * It may change even while the connection is open.
+     *
+     * @return  <code>true</code> if this connection is secure,
+     *          <code>false</code> otherwise
+     */
+    boolean isSecure();
+
+    /**
+     * Obtains the current route of this connection.
+     *
+     * @return  the route established so far, or
+     *          <code>null</code> if not connected
+     */
+    HttpRoute getRoute();
+
+    /**
+     * Obtains the SSL session of the underlying connection, if any.
+     * If this connection is open, and the underlying socket is an
+     * {@link javax.net.ssl.SSLSocket SSLSocket}, the SSL session of
+     * that socket is obtained. This is a potentially blocking operation.
+     * <br/>
+     * <b>Note:</b> Whether the underlying socket is an SSL socket
+     * can not necessarily be determined via {@link #isSecure}.
+     * Plain sockets may be considered secure, for example if they are
+     * connected to a known host in the same network segment.
+     * On the other hand, SSL sockets may be considered insecure,
+     * for example depending on the chosen cipher suite.
+     *
+     * @return  the underlying SSL session if available,
+     *          <code>null</code> otherwise
+     */
+    SSLSession getSSLSession();
+
+}
diff --git a/httpclient/src/main/java/org/apache/http/conn/ManagedClientConnection.java b/httpclient/src/main/java/org/apache/http/conn/ManagedClientConnection.java
index 92c805b1d..358465c6b 100644
--- a/httpclient/src/main/java/org/apache/http/conn/ManagedClientConnection.java
+++ b/httpclient/src/main/java/org/apache/http/conn/ManagedClientConnection.java
@@ -33,7 +33,6 @@ import java.util.concurrent.TimeUnit;
 import javax.net.ssl.SSLSession;
 
 import org.apache.http.HttpClientConnection;
-import org.apache.http.HttpInetConnection;
 import org.apache.http.HttpHost;
 import org.apache.http.params.HttpParams;
 import org.apache.http.protocol.HttpContext;
@@ -47,7 +46,7 @@ import org.apache.http.conn.routing.HttpRoute;
  * @since 4.0
  */
 public interface ManagedClientConnection extends
-    HttpClientConnection, HttpInetConnection, ConnectionReleaseTrigger {
+    HttpClientConnection, HttpRoutedConnection, ConnectionReleaseTrigger {
 
     /**
      * Indicates whether this connection is secure.
diff --git a/httpclient/src/main/java/org/apache/http/impl/client/DefaultUserTokenHandler.java b/httpclient/src/main/java/org/apache/http/impl/client/DefaultUserTokenHandler.java
index eece087b1..6acdfe152 100644
--- a/httpclient/src/main/java/org/apache/http/impl/client/DefaultUserTokenHandler.java
+++ b/httpclient/src/main/java/org/apache/http/impl/client/DefaultUserTokenHandler.java
@@ -37,7 +37,7 @@ import org.apache.http.auth.AuthState;
 import org.apache.http.auth.Credentials;
 import org.apache.http.client.UserTokenHandler;
 import org.apache.http.client.protocol.ClientContext;
-import org.apache.http.conn.ManagedClientConnection;
+import org.apache.http.conn.HttpRoutedConnection;
 import org.apache.http.protocol.ExecutionContext;
 import org.apache.http.protocol.HttpContext;
 
@@ -74,7 +74,7 @@ public class DefaultUserTokenHandler implements UserTokenHandler {
         }
 
         if (userPrincipal == null) {
-            ManagedClientConnection conn = (ManagedClientConnection) context.getAttribute(
+            HttpRoutedConnection conn = (HttpRoutedConnection) context.getAttribute(
                     ExecutionContext.HTTP_CONNECTION);
             if (conn.isOpen()) {
                 SSLSession sslsession = conn.getSSLSession();