The kernel TLS patches were merged to net-next today, which puts them on track for v4.13: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/commit... So far only outgoing encryption is handled in the kernel. The handshake must still be handled by userspace code. Since ELL's tls implementation can be used separately from TCP (as iwd does), ELL can't rely on kernel TLS entirely. However, using kernel TLS for TCP sockets would eliminate the extra system calls to handle encryption using AF_ALG. I think it's early to build support in to ELL, but we should keep this on our radar. -- Mat Martineau Intel OTC