Add an ssl.OP_ENABLE_KTLS option for enabling the use of the kernel TLS #96828
Feature or enhancement
A new ssl.OP_ENABLE_KTLS option for enabling the use of the kernel TLS.
Pitch
Kernel Transport Layer Security (kTLS) can improve performance of programs using TLS by reducing the number of switches between the user space and the kernel space. kTLS allows using the sendfile system call for sending data using TLS. Also, it may offload TLS to network interface controllers.
kTLS is not enabled by default for various reasons which you can find in openssl/openssl#13794. Even if a system supports the feature and OpenSSL was compiled with support for it, Python still has to set an OpenSSL option, SSL_OP_ENABLE_KTLS, to use it.
In theory, it is possible to enable the kernel TLS in any Python compiled against OpenSSL 3 using the following code. If all other requirements are met, Python should start writing to and reading from a secure socket using the kernel TLS.
Since Python's ssl module defines a few constants similar to SSL_OP_ENABLE_KTLS, it should provide an ssl.OP_ENABLE_KTLS option.
Previous discussion
I created https://discuss.python.org/t/sslsocket-sendfile-and-kernel-tls/18886 previously to discuss benefiting from OpenSSL's SSL_sendfile function. An option for enabling kTLS is a base for the work.
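
An added example, not code from the issue or from CPython: one way to request kTLS on an SSLContext and check the prerequisites the pitch mentions. It assumes SSL_OP_ENABLE_KTLS has the value 1 << 3 as in the OpenSSL 3 headers, and that the Linux sysctl /proc/sys/net/ipv4/tcp_available_ulp lists tls when the kernel module is loaded; the function names are hypothetical.

```python
import ssl

# Numeric value of SSL_OP_ENABLE_KTLS (SSL_OP_BIT(3)) in the OpenSSL 3 headers;
# assumed here as the fallback when the ssl module has no named constant.
_RAW_SSL_OP_ENABLE_KTLS = 1 << 3
KTLS_FLAG = getattr(ssl, "OP_ENABLE_KTLS", _RAW_SSL_OP_ENABLE_KTLS)

# Linux sysctl listing the TCP upper-layer protocols the running kernel offers.
ULP_SYSCTL = "/proc/sys/net/ipv4/tcp_available_ulp"


def kernel_tls_ulp_available(path=ULP_SYSCTL):
    """Return True if the kernel advertises the "tls" ULP (tls module loaded)."""
    try:
        with open(path, encoding="ascii") as fh:
            return "tls" in fh.read().split()
    except OSError:
        return False  # not Linux, or procfs not readable


def enable_ktls(context):
    """Request kTLS on an SSLContext; return True if the option bit is set.

    Setting the bit is necessary, not sufficient: the OpenSSL build and the
    kernel must also support kTLS for the offload to be used.
    """
    if ssl.OPENSSL_VERSION_INFO < (3, 0, 0):
        return False  # the option does not exist before OpenSSL 3
    context.options |= KTLS_FLAG
    return bool(context.options & KTLS_FLAG)


def ktls_report(context, ulp_path=ULP_SYSCTL):
    """Summarise the prerequisites that can be checked from Python."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "named_constant": hasattr(ssl, "OP_ENABLE_KTLS"),
        "option_set": enable_ktls(context),
        "kernel_tls_ulp": kernel_tls_ulp_available(ulp_path),
    }


if __name__ == "__main__":
    ctx = ssl.create_default_context()  # keeps certificate and hostname checks
    print(ktls_report(ctx))
```

The report only shows that kTLS was requested and that the kernel advertises the ULP; it does not prove that a given connection is actually offloaded.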