No TLS handshake in kernel
Posted Apr 14, 2017 9:50 UTC (Fri) by mokki (subscriber, #33200)Parent article: New approaches to network fast paths
1) TLS handshake is done normally in user space
2) user space uploads the encryption and/or decryption keys to kernel
3) kernel does the encryption/decryption in place
4) socket is now essentially TCP for both kernel and userspace uses
FreeBSD supports the above for now only for sendfile, where there are obvious performance benefits compared to user space reading the file, encrypting it and sending it over the socket.
The kernel already has the required code to do the encryption/decryption, while the TLS handshakes, certificates and other policies are better handled in user space. The kernel also has better HW crypto accelerator support and the possibility to do zero-copy operations.
I can also envision a system-wide TLS handshake daemon that could be enabled with a socket option. Much easier than the current distro work to patch TLS libraries written for multiple languages to honour a system-wide configuration. It would also be much easier to update a single handshake daemon to support the next TLS version or fix bugs.
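Steps 2 to 4 of the comment, as an added example (not part of the comment or of the FreeBSD code it refers to): the Linux kTLS socket API, which takes exactly this shape, is used to hand the kernel the AES-GCM keys a user-space handshake derived. The key, salt and IV values are whatever the TLS library produced; the only subtlety is the record sequence number, which must continue where user space stopped (after a TLS 1.2 handshake the encrypted Finished record used sequence 0, so the first application record is typically 1), otherwise nonces repeat or the peer rejects records. Constants guarded with `#ifndef` are the kernel UAPI values for libcs whose headers predate them.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <sys/socket.h>
#include <linux/tls.h>

#ifndef TCP_ULP
#define TCP_ULP 31      /* kernel UAPI value; older libc headers lack it */
#endif
#ifndef SOL_TLS
#define SOL_TLS 282     /* socket level for TLS_TX/TLS_RX options */
#endif

/* Step 2: pack the handshake output into the struct the kernel expects.
 * Sizes are fixed by the UAPI: 16-byte key, 4-byte salt, 8-byte explicit IV.
 * next_seq is the record sequence number user space would have used next;
 * the kernel stores it big-endian and increments it per record. */
static int build_aes_gcm_128_info(struct tls12_crypto_info_aes_gcm_128 *ci,
                                  const unsigned char key[16],
                                  const unsigned char salt[4],
                                  const unsigned char iv[8],
                                  uint64_t next_seq)
{
    if (!ci || !key || !salt || !iv)
        return -1;
    memset(ci, 0, sizeof(*ci));
    ci->info.version = TLS_1_2_VERSION;
    ci->info.cipher_type = TLS_CIPHER_AES_GCM_128;
    memcpy(ci->key, key, TLS_CIPHER_AES_GCM_128_KEY_SIZE);
    memcpy(ci->salt, salt, TLS_CIPHER_AES_GCM_128_SALT_SIZE);
    memcpy(ci->iv, iv, TLS_CIPHER_AES_GCM_128_IV_SIZE);
    for (int i = TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE - 1; i >= 0; i--) {
        ci->rec_seq[i] = (unsigned char)(next_seq & 0xff);
        next_seq >>= 8;
    }
    return 0;
}

/* Steps 3 and 4: attach the "tls" upper-layer protocol to a connected TCP
 * socket and install the TX keys. Afterwards plain write()/sendfile() on fd
 * produce TLS records and the socket behaves like TCP to the application.
 * Returns 0 or -errno (ENOENT: tls module not loaded; ENOTCONN: unconnected). */
static int ktls_attach_tx(int fd, const struct tls12_crypto_info_aes_gcm_128 *ci)
{
    if (setsockopt(fd, IPPROTO_TCP, TCP_ULP, "tls", sizeof("tls")) < 0)
        return -errno;
    if (setsockopt(fd, SOL_TLS, TLS_TX, ci, sizeof(*ci)) < 0)
        return -errno;
    return 0;
}
```

The same struct installed with TLS_RX (where the kernel supports it) covers the decryption direction; a TLS 1.3 session or a different cipher uses the matching tls12/tls13 crypto_info struct with the same flow.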