diff --git a/gnutls-3.7.6-ktls-disable-by-default.patch b/gnutls-3.7.6-ktls-disable-by-default.patch
new file mode 100644
index 0000000..2a88eb3
--- /dev/null
+++ b/gnutls-3.7.6-ktls-disable-by-default.patch
@@ -0,0 +1,124 @@
+From f41151c8a218f255af08362b74cd6ee0dfd45c00 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Franti=C5=A1ek=20Kren=C5=BEelok?=
+ <krenzelok.frantisek@gmail.com>
+Date: Tue, 14 Jun 2022 16:16:11 +0200
+Subject: [PATCH] KTLS: disable by default enable by config
+
+KTLS will be disabled by default when build with `--enable-ktls` to
+enable it, use config file option `ktls = true` in [global] section.
+
+Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
+---
+ doc/cha-config.texi | 18 ++++++++----------
+ lib/gnutls_int.h    |  2 +-
+ lib/handshake.c     |  2 +-
+ lib/priority.c      | 12 ++++++------
+ 4 files changed, 16 insertions(+), 18 deletions(-)
+
+diff --git a/doc/cha-config.texi b/doc/cha-config.texi
+index e550f2e4b1..eaab7fd799 100644
+--- a/doc/cha-config.texi
++++ b/doc/cha-config.texi
+@@ -26,7 +26,7 @@ used can be queried using @funcref{gnutls_get_system_config_file}.
+ * Querying for disabled algorithms and protocols::
+ * Overriding the parameter verification profile::
+ * Overriding the default priority string::
+-* Disabling system/acceleration protocols::
++* Enabling/Disabling system/acceleration protocols::
+ @end menu
+ 
+ @node Application-specific priority strings
+@@ -253,16 +253,14 @@ default-priority-string = SECURE128:-VERS-TLS-ALL:+VERS-TLS1.3
+ @end example
+ 
+ 
+-@node Disabling system/acceleration protocols
+-@section Disabling system/acceleration protocols
+-When system/acceleration protocol is enabled during build, it is usually
+-enabled by default. The following options can overwrite this behavior
+-system-wide.
++@node Enabling/Disabling system/acceleration protocols
++@section Enabling/Disabling system/acceleration protocols
++The following options can overwrite default behavior of protocols system-wide.
+ @example
+ [global]
+-ktls = false
++ktls = true
+ 
+ @end example
+-@subsection Disabling KTLS
+-When GnuTLS is build with -–enable-ktls configuration, it uses KTLS by default.
+-This can be overwritten by setting @code{ktls = false} in @code{[global]} section.
++@subsection Enabling KTLS
++When GnuTLS is build with -–enable-ktls configuration, KTLS is disabled by default.
++This can be enabled by setting @code{ktls = true} in @code{[global]} section.
+diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
+index 872188696b..8c7bdaa1db 100644
+--- a/lib/gnutls_int.h
++++ b/lib/gnutls_int.h
+@@ -1649,6 +1649,6 @@ get_certificate_type(gnutls_session_t session,
+ 
+ extern unsigned int _gnutls_global_version;
+ 
+-bool _gnutls_config_is_ktls_disabled(void);
++bool _gnutls_config_is_ktls_enabled(void);
+ 
+ #endif /* GNUTLS_LIB_GNUTLS_INT_H */
+diff --git a/lib/handshake.c b/lib/handshake.c
+index f3edbbdacb..4dd457bf22 100644
+--- a/lib/handshake.c
++++ b/lib/handshake.c
+@@ -2815,7 +2815,7 @@ int gnutls_handshake(gnutls_session_t session)
+ 
+ 	session->internals.ktls_enabled = 0;
+ #ifdef ENABLE_KTLS
+-	if (_gnutls_config_is_ktls_disabled() == false)
++	if (_gnutls_config_is_ktls_enabled() == true)
+ 		_gnutls_ktls_enable(session);
+ #endif
+ 
+diff --git a/lib/priority.c b/lib/priority.c
+index 7279c03c88..d163d8169f 100644
+--- a/lib/priority.c
++++ b/lib/priority.c
+@@ -1027,7 +1027,7 @@ static void dummy_func(gnutls_priority_t c)
+ 
+ struct cfg {
+ 	bool allowlisting;
+-	bool ktls_disabled;
++	bool ktls_enabled;
+ 
+ 	name_val_array_t priority_strings;
+ 	char *priority_string;
+@@ -1140,7 +1140,7 @@ cfg_steal(struct cfg *dst, struct cfg *src)
+ 	src->default_priority_string = NULL;
+ 
+ 	dst->allowlisting = src->allowlisting;
+-	dst->ktls_disabled = src->ktls_disabled;
++	dst->ktls_enabled = src->ktls_enabled;
+ 	memcpy(dst->ciphers, src->ciphers, sizeof(src->ciphers));
+ 	memcpy(dst->macs, src->macs, sizeof(src->macs));
+ 	memcpy(dst->groups, src->groups, sizeof(src->groups));
+@@ -1268,8 +1268,8 @@ static int global_ini_handler(void *ctx, const char *section, const char *name,
+ 			}
+ 		} else if (c_strcasecmp(name, "ktls") == 0) {
+ 			p = clear_spaces(value, str);
+-			if (c_strcasecmp(p, "false") == 0) {
+-				cfg->ktls_disabled = true;
++			if (c_strcasecmp(p, "true") == 0) {
++				cfg->ktls_enabled = true;
+ 			} else {
+ 				_gnutls_debug_log("cfg: unknown ktls mode %s\n",
+ 					p);
+@@ -3490,6 +3490,6 @@ gnutls_priority_string_list(unsigned iter, unsigned int flags)
+ 	return NULL;
+ }
+ 
+-bool _gnutls_config_is_ktls_disabled(void){
+-	return system_wide_config.ktls_disabled;
++bool _gnutls_config_is_ktls_enabled(void){
++	return system_wide_config.ktls_enabled;
+ }
+-- 
+2.36.1
+
diff --git a/gnutls-3.7.6-ktls-fixes.patch b/gnutls-3.7.6-ktls-fixes.patch
new file mode 100644
index 0000000..9aa3271
--- /dev/null
+++ b/gnutls-3.7.6-ktls-fixes.patch
@@ -0,0 +1,230 @@
+From 7b700dbcd5907944a7dd2f74cd26ad8586cd4bac Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Tue, 28 Jun 2022 09:37:22 +0900
+Subject: [PATCH 1/3] tests: enable KTLS config while running gnutls_ktls test
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ tests/Makefile.am   |  9 +++++----
+ tests/gnutls_ktls.c |  4 ++--
+ tests/ktls.sh       | 46 +++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 53 insertions(+), 6 deletions(-)
+ create mode 100755 tests/ktls.sh
+
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 4deeb6462b..cba67e8db8 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -441,10 +441,6 @@ ctests += x509self x509dn anonself pskself pskself2 dhepskself	\
+ 	resume-with-record-size-limit
+ endif
+ 
+-if ENABLE_KTLS
+-ctests += gnutls_ktls
+-endif
+-
+ ctests += record-sendfile
+ 
+ gc_CPPFLAGS = $(AM_CPPFLAGS) \
+@@ -500,6 +496,11 @@ if ENABLE_TPM2
+ dist_check_SCRIPTS += tpm2.sh
+ endif
+ 
++if ENABLE_KTLS
++indirect_tests += gnutls_ktls
++dist_check_SCRIPTS += ktls.sh
++endif
++
+ if !WINDOWS
+ 
+ #
+diff --git a/tests/gnutls_ktls.c b/tests/gnutls_ktls.c
+index 3966e2b10a..8f9c5fa36e 100644
+--- a/tests/gnutls_ktls.c
++++ b/tests/gnutls_ktls.c
+@@ -84,7 +84,7 @@ static void client(int fd, const char *prio)
+ 
+ 	ret = gnutls_transport_is_ktls_enabled(session);
+ 	if (!(ret & GNUTLS_KTLS_RECV)){
+-		fail("client: KTLS was not properly inicialized\n");
++		fail("client: KTLS was not properly initialized\n");
+ 		goto end;
+ 	}
+ 
+@@ -208,7 +208,7 @@ static void server(int fd, const char *prio)
+ 
+ 	ret = gnutls_transport_is_ktls_enabled(session);
+ 	if (!(ret & GNUTLS_KTLS_SEND)){
+-		fail("server: KTLS was not properly inicialized\n");
++		fail("server: KTLS was not properly initialized\n");
+ 		goto end;
+ 	}
+ 	do {
+diff --git a/tests/ktls.sh b/tests/ktls.sh
+new file mode 100755
+index 0000000000..ba52bd5775
+--- /dev/null
++++ b/tests/ktls.sh
+@@ -0,0 +1,46 @@
++#!/bin/sh
++
++# Copyright (C) 2022 Red Hat, Inc.
++#
++# Author: Daiki Ueno
++#
++# This file is part of GnuTLS.
++#
++# GnuTLS is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 3 of the License, or (at
++# your option) any later version.
++#
++# GnuTLS is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++# General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with GnuTLS; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
++
++: ${builddir=.}
++
++. "$srcdir/scripts/common.sh"
++
++if ! grep '^tls ' /proc/modules 2>1 >& /dev/null; then
++    exit 77
++fi
++
++testdir=`create_testdir ktls`
++
++cfg="$testdir/config"
++
++cat <<EOF > "$cfg"
++[global]
++ktls = true
++EOF
++
++GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 \
++GNUTLS_SYSTEM_PRIORITY_FILE="$cfg" \
++"$builddir/gnutls_ktls" "$@"
++rc=$?
++
++rm -rf "$testdir"
++exit $rc
+-- 
+2.36.1
+
+
+From 4a492462535a7f3a831685d3cf420b50ef219511 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Tue, 28 Jun 2022 10:23:33 +0900
+Subject: [PATCH 2/3] handshake: do not reset KTLS enablement in
+ gnutls_handshake
+
+As gnutls_handshake can be repeatedly called upon non-blocking setup,
+we shouldn't try to call setsockopt for KTLS upon every call.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/handshake.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/lib/handshake.c b/lib/handshake.c
+index 4dd457bf22..3886306eb4 100644
+--- a/lib/handshake.c
++++ b/lib/handshake.c
+@@ -2813,12 +2813,6 @@ int gnutls_handshake(gnutls_session_t session)
+ 	const version_entry_st *vers = get_version(session);
+ 	int ret;
+ 
+-	session->internals.ktls_enabled = 0;
+-#ifdef ENABLE_KTLS
+-	if (_gnutls_config_is_ktls_enabled() == true)
+-		_gnutls_ktls_enable(session);
+-#endif
+-
+ 	if (unlikely(session->internals.initial_negotiation_completed)) {
+ 		if (vers->tls13_sem) {
+ 			if (session->security_parameters.entity == GNUTLS_CLIENT) {
+@@ -2864,6 +2858,12 @@ int gnutls_handshake(gnutls_session_t session)
+ 			end->tv_nsec =
+ 				(start->tv_nsec + tmo_ms * 1000000LL) % 1000000000LL;
+ 		}
++
++#ifdef ENABLE_KTLS
++		if (_gnutls_config_is_ktls_enabled()) {
++			_gnutls_ktls_enable(session);
++		}
++#endif
+ 	}
+ 
+ 	if (session->internals.recv_state == RECV_STATE_FALSE_START) {
+-- 
+2.36.1
+
+
+From ce13208e13b5dec73993c583d4c64ab7714e4a7a Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Tue, 28 Jun 2022 10:53:55 +0900
+Subject: [PATCH 3/3] ktls: _gnutls_ktls_enable: fix GNUTLS_KTLS_SEND
+ calculation
+
+Previously, if the first setsockopt for GNUTLS_KTLS_RECV fails and the
+same socket is used for both sending and receiving, GNUTLS_KTLS_SEND
+was unconditionally set.  This fixes the conditions and also adds more
+logging.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/system/ktls.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/lib/system/ktls.c b/lib/system/ktls.c
+index b9f7a73fb5..ddf27fac76 100644
+--- a/lib/system/ktls.c
++++ b/lib/system/ktls.c
+@@ -47,7 +47,7 @@
+ gnutls_transport_ktls_enable_flags_t
+ gnutls_transport_is_ktls_enabled(gnutls_session_t session){
+ 	if (unlikely(!session->internals.initial_negotiation_completed)){
+-		_gnutls_debug_log("Initial negotiation is not yet complete");
++		_gnutls_debug_log("Initial negotiation is not yet complete\n");
+ 		return 0;
+ 	}
+ 
+@@ -57,16 +57,27 @@ gnutls_transport_is_ktls_enabled(gnutls_session_t session){
+ void _gnutls_ktls_enable(gnutls_session_t session)
+ {
+ 	int sockin, sockout;
++
+ 	gnutls_transport_get_int2(session, &sockin, &sockout);
+ 
+-	if (setsockopt(sockin, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0)
++	if (setsockopt(sockin, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0) {
+ 		session->internals.ktls_enabled |= GNUTLS_KTLS_RECV;
++		if (sockin == sockout) {
++			session->internals.ktls_enabled |= GNUTLS_KTLS_SEND;
++		}
++	} else {
++		_gnutls_record_log("Unable to set TCP_ULP for read socket: %d\n",
++				   errno);
++	}
+ 
+ 	if (sockin != sockout) {
+-		if (setsockopt(sockout, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0)
++		if (setsockopt(sockout, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0) {
+ 			session->internals.ktls_enabled |= GNUTLS_KTLS_SEND;
+-	} else
+-		session->internals.ktls_enabled |= GNUTLS_KTLS_SEND;
++		} else {
++			_gnutls_record_log("Unable to set TCP_ULP for write socket: %d\n",
++					   errno);
++		}
++	}
+ }
+ 
+ int _gnutls_ktls_set_keys(gnutls_session_t session)
+-- 
+2.36.1
+
diff --git a/gnutls.spec b/gnutls.spec
index 0808d03..5e3c82a 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -13,7 +13,7 @@ print(string.sub(hash, 0, 16))
 }
 
 Version: 3.7.6
-Release: 1%{?dist}
+Release: 2%{?dist}
 # not upstreamed
 Patch: gnutls-3.6.7-no-now-guile.patch
 Patch: gnutls-3.2.7-rpath.patch
@@ -22,6 +22,8 @@ Patch: gnutls-3.7.2-no-explicit-init.patch
 
 # upstreamed
 Patch: gnutls-3.7.6-fips-run-selftests.patch
+Patch: gnutls-3.7.6-ktls-disable-by-default.patch
+Patch: gnutls-3.7.6-ktls-fixes.patch
 
 # not upstreamed
 Patch: gnutls-3.7.3-disable-config-reload.patch
@@ -241,6 +243,7 @@ export FIPS_MODULE_NAME="$OS_NAME ${OS_VERSION_ID%%.*} %name"
 %else
            --without-tpm2 \
 %endif
+           --enable-ktls \
            --htmldir=%{_docdir}/manual \
 %if %{with guile}
            --enable-guile \
@@ -356,6 +359,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
 %endif
 
 %changelog
+* Tue Jul 19 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-2
+- Allow enabling KTLS with config file (#2042009)
+
 * Fri Jul  1 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-1
 - Update to gnutls 3.7.6 (#2097327)