On Sun, Feb 02, 2020 at 05:28:19PM +0000, Salz, Rich via openssl-users wrote:

> TLS/TLS will take your data and wrap it inside its own record
> structure. It has to, that’s the nature of the protocol. Thinking
> that a single writev() is “encrypt buffers and then do analogous
> syscall” is wrong.

Right, the encryption is not in place, the user's data is copied for encryption, by which point there's no incentive for a writev between OpenSSL and the socket.

What could be useful to the OP is some equivalent to "cork" and "uncork", that tell OpenSSL to not send anything until it has accumulated a maximal size TLS record or the user "uncorks" first. This could allow the OP to do multiple SSL_write calls from his iovec, that would be buffered internally in OpenSSL, removing the need for the user to copy the data before OpenSSL copies it again.

If the OP is actually looking for in-place encryption, that's not generally possible with every block cipher mode. OCB can do in-place encryption, but OpenSSL presents a general-purpose API. And one should, it seems, avoid OCB2:

https://en.wikipedia.org/wiki/OCB_mode#Attacks

--
    Viktor.