From 9dc08361bef67a331d1609c8629314c0ca5a79d5 Mon Sep 17 00:00:00 2001
From: Illia Volochii
Date: Thu, 24 Nov 2022 04:24:09 +0200
Subject: [PATCH] gh-96828: Add an `ssl.OP_ENABLE_KTLS` option (GH-96830)
Expose the constant when OpenSSL defines it.
---
 Doc/library/ssl.rst | 16 ++++++++++++++++
 ...2022-09-14-21-56-15.gh-issue-96828.ZoOY5G.rst | 2 ++
 Modules/_ssl.c | 3 +++
 3 files changed, 21 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Library/2022-09-14-21-56-15.gh-issue-96828.ZoOY5G.rst
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 4e6d06dc38d..08824feeb39 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -807,6 +807,22 @@ Constants
 .. versionadded:: 3.10
+.. data:: OP_ENABLE_KTLS
+
+ Enable the use of the kernel TLS. To benefit from the feature, OpenSSL must
+ have been compiled with support for it, and the negotiated cipher suites and
+ extensions must be supported by it (a list of supported ones may vary by
+ platform and kernel version).
+
+ Note that with enabled kernel TLS some cryptographic operations are
+ performed by the kernel directly and not via any available OpenSSL
+ Providers. This might be undesirable if, for example, the application
+ requires all cryptographic operations to be performed by the FIPS provider.
+
+ This option is only available with OpenSSL 3.0.0 and later.
+
+ .. versionadded:: 3.12
+
 .. data:: HAS_ALPN
 Whether the OpenSSL library has built-in support for the *Application-Layer
diff --git a/Misc/NEWS.d/next/Library/2022-09-14-21-56-15.gh-issue-96828.ZoOY5G.rst b/Misc/NEWS.d/next/Library/2022-09-14-21-56-15.gh-issue-96828.ZoOY5G.rst
new file mode 100644
index 00000000000..d8a448851f4
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2022-09-14-21-56-15.gh-issue-96828.ZoOY5G.rst
@@ -0,0 +1,2 @@
+Add an :data:`~ssl.OP_ENABLE_KTLS` option for enabling the use of the kernel
+TLS (kTLS). Patch by Illia Volochii.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 2826d159375..2885774295b 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -5864,6 +5864,9 @@ sslmodule_init_constants(PyObject *m)
 PyModule_AddIntConstant(m, "OP_IGNORE_UNEXPECTED_EOF",
 SSL_OP_IGNORE_UNEXPECTED_EOF);
 #endif
+#ifdef SSL_OP_ENABLE_KTLS
+ PyModule_AddIntConstant(m, "OP_ENABLE_KTLS", SSL_OP_ENABLE_KTLS);
+#endif
 #ifdef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
 PyModule_AddIntConstant(m, "HOSTFLAG_ALWAYS_CHECK_SUBJECT",