There is no real need for RSA/ECDSA keys to reside in the same process as the user-application, or for that matter for the ephemeral keys used to encrypt data. TLS permits at least three process model;

• Process 1: Use RSA/ECDSA keys to sign/decrypt when needed
• Process 2: Use AES/3DES/RC4 keys to encrypt/decrypt the actual data on the wire
• Process 3: The calling application

While good for security, this kind of model might be tough to make performant; especially to privsep the 2nd process. Can we use vmsplice() to help here? are Unix pipes the way to go? or some kind of lockless ring structure using shared memory? is the additional complexity worth it?