Feature or enhancement

A newssl.OP_ENABLE_KTLS option for enabling the use of the kernel TLS.

Pitch

Kernel Transport Layer Security (kTLS) can improve performance of programs using TLS by reducing the number of switches between the user space and the kernel space. kTLS allows using thesendfile system call for sending data using TLS. Also, it may offload TLS to network interface controllers.

kTLS is not enabled by default for various reasons which you can find inopenssl/openssl#13794. Even if a system supports the feature and OpenSSL was compiled with support for it, Python still has to set an OpenSSL's optionSSL_OP_ENABLE_KTLS to use it.

In theory, it is possible to enable the kernel TLS in any Python compiled against OpenSSL 3 using this following code. If all other requirements are met, Python should start writing to and reading from a secure socket using the kernel TLS.

importsslcontext=ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)context.options|=8# SSL_OP_ENABLE_KTLS

Since Python'sssl module defines a few constants similar toSSL_OP_ENABLE_KTLS, it should provide anssl.OP_ENABLE_KTLS option.

Previous discussion

I createdhttps://discuss.python.org/t/sslsocket-sendfile-and-kernel-tls/18886 previously to discuss benefiting from the OpenSSL'sSSL_sendfile function. An option for enabling kTLS is a base for the work.