diff --git a/.github/workflows/alpinelinux.yaml b/.github/workflows/alpinelinux.yaml
index b143c398b34..a1c049b9b31 100644
--- a/.github/workflows/alpinelinux.yaml
+++ b/.github/workflows/alpinelinux.yaml
@@ -54,6 +54,7 @@ jobs:
       run: |
         cmake -B build -G Ninja            \
          -DCMAKE_BUILD_TYPE=RelWithDebInfo \
+         -DSeastar_USE_OPENSSL=yes         \
          -DSeastar_DOCS=OFF
 
     - name: Build Seastar
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 69aa186a70f..e69a953faa6 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -33,6 +33,11 @@ on:
         type: string
         default: ''
         required: false
+      crypto_provider:
+        description: 'cryptographic provider to use'
+        type: string
+        default: 'GnuTLS'
+        required: false
 
 jobs:
   test:
@@ -81,14 +86,15 @@ jobs:
           if ${{ inputs.enable-ccache }}; then
             MAYBE_CCACHE_OPT="--ccache"
           fi
-          ./configure.py                          \
-            --c++-standard ${{ inputs.standard }} \
-            --compiler ${{ inputs.compiler }}     \
-            --c-compiler $CC                      \
-            --mode ${{ inputs.mode }}             \
-            $MAYBE_CCACHE_OPT                     \
-            ${{ inputs.options }}                 \
-            ${{ inputs.enables }}
+          ./configure.py                                     \
+            --c++-standard ${{ inputs.standard }}            \
+            --compiler ${{ inputs.compiler }}                \
+            --c-compiler $CC                                 \
+            --mode ${{ inputs.mode }}                        \
+            $MAYBE_CCACHE_OPT                                \
+            ${{ inputs.options }}                            \
+            ${{ inputs.enables }}                            \
+            --crypto-provider ${{ inputs.crypto_provider }}
 
       - name: Build
         run: cmake --build build/${{inputs.mode}}
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 91e23d8e3c9..eb91eb0d501 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -11,7 +11,7 @@ concurrency:
 
 jobs:
   regular_test:
-    name: "Test (${{ matrix.compiler }}, C++${{ matrix.standard}}, ${{ matrix.mode }})"
+    name: "Test (${{ matrix.compiler }}, C++${{ matrix.standard}}, ${{ matrix.mode }}, ${{ matrix.crypto_provider }})"
     uses: ./.github/workflows/test.yaml
     strategy:
       fail-fast: false
@@ -19,12 +19,14 @@ jobs:
         compiler: [clang++, g++]
         standard: [20, 23]
         mode: [dev, debug, release]
+        crypto_provider: [GnuTLS, OpenSSL]
     with:
       compiler: ${{ matrix.compiler }}
       standard: ${{ matrix.standard }}
       mode: ${{ matrix.mode }}
       enables: ${{ matrix.enables }}
       options: ${{ matrix.options }}
+      crypto_provider: ${{ matrix.crypto_provider }}
   build_with_dpdk:
     name: "Test with DPDK enabled"
     uses: ./.github/workflows/test.yaml
@@ -36,8 +38,8 @@ jobs:
       mode: release
       enables: --enable-dpdk
       options: --cook dpdk
-  build_with_cxx_modules:
-    name: "Test with C++20 modules enabled"
+  build_with_cxx_modules_gnutls:
+    name: "Test with C++20 modules enabled (GnuTLS)"
     uses: ./.github/workflows/test.yaml
     strategy:
       fail-fast: false
@@ -47,3 +49,22 @@ jobs:
       mode: debug
       enables: --enable-cxx-modules
       enable-ccache: false
+      crypto_provider: GnuTLS
+    # disable modules build as we aren't using module and it is quite
+    # broken at the moment
+    if: false
+  build_with_cxx_modules_openssl:
+    name: "Test with C++20 modules enabled (OpenSSL)"
+    uses: ./.github/workflows/test.yaml
+    strategy:
+      fail-fast: false
+    with:
+      compiler: clang++
+      standard: 23
+      mode: debug
+      enables: --enable-cxx-modules
+      enable-ccache: false
+      crypto_provider: OpenSSL
+    # disable modules build as we aren't using module and it is quite
+    # broken at the moment
+    if: false
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 982a9ba6a69..97cb3b2647e 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -89,6 +89,16 @@ if (NOT Seastar_SCHEDULING_GROUPS_COUNT MATCHES "^[1-9][0-9]*")
   message(FATAL_ERROR "Seastar_SCHEDULING_GROUPS_COUNT must be a positive number (${Seastar_SCHEDULING_GROUPS_COUNT})")
 endif ()
 
+option (Seastar_USE_OPENSSL
+  "Use OpenSSL rather than GnuTLS for cryptographic operations, including TLS"
+  OFF)
+
+if (Seastar_USE_OPENSSL)
+  set (Seastar_USE_GNUTLS OFF)
+else ()
+  set (Seastar_USE_GNUTLS ON)
+endif ()
+
 #
 # Add a dev build type.
 #
@@ -677,6 +687,7 @@ add_library (seastar
   src/core/reactor_backend.cc
   src/core/thread_pool.cc
   src/core/app-template.cc
+  src/core/cpu_profiler.cc
   src/core/disk_params.cc
   src/core/dpdk_rte.cc
   src/core/exception_hacks.cc
@@ -709,6 +720,7 @@ add_library (seastar
   src/core/io_queue.cc
   src/core/semaphore.cc
   src/core/condition-variable.cc
+  src/core/signal_mutex.cc
   src/http/api_docs.cc
   src/http/common.cc
   src/http/file_handler.cc
@@ -736,13 +748,16 @@ add_library (seastar
   src/net/native-stack-impl.hh
   src/net/native-stack.cc
   src/net/net.cc
+  $<$<BOOL:${Seastar_USE_OPENSSL}>:src/net/ossl.cc>
   src/net/packet.cc
   src/net/posix-stack.cc
   src/net/proxy.cc
   src/net/socket_address.cc
   src/net/stack.cc
   src/net/tcp.cc
-  src/net/tls.cc
+  $<$<BOOL:${Seastar_USE_GNUTLS}>:src/net/tls.cc>
+  src/net/tls-impl.cc
+  src/net/tls-impl.hh
   src/net/udp.cc
   src/net/unix_address.cc
   src/net/virtio.cc
@@ -840,7 +855,9 @@ target_link_libraries (seastar
     SourceLocation::source_location
   PRIVATE
     ${CMAKE_DL_LIBS}
-    GnuTLS::gnutls
+    $<$<BOOL:${Seastar_USE_GNUTLS}>:GnuTLS::gnutls>
+    $<$<BOOL:${Seastar_USE_OPENSSL}>:OpenSSL::SSL>
+    $<$<BOOL:${Seastar_USE_OPENSSL}>:OpenSSL::Crypto>
     StdAtomic::atomic
     lksctp-tools::lksctp-tools
     protobuf::libprotobuf
@@ -892,6 +909,8 @@ include (CTest)
 target_compile_definitions(seastar
   PUBLIC
   SEASTAR_API_LEVEL=${Seastar_API_LEVEL}
+  $<$<BOOL:${Seastar_USE_OPENSSL}>:SEASTAR_USE_OPENSSL>
+  $<$<BOOL:${Seastar_USE_GNUTLS}>:SEASTAR_USE_GNUTLS>
   $<$<BOOL:${BUILD_SHARED_LIBS}>:SEASTAR_BUILD_SHARED_LIBS>)
 
 target_compile_features(seastar
diff --git a/cmake/SeastarDependencies.cmake b/cmake/SeastarDependencies.cmake
index 2335a12d234..8731f306935 100644
--- a/cmake/SeastarDependencies.cmake
+++ b/cmake/SeastarDependencies.cmake
@@ -88,7 +88,12 @@ macro (seastar_find_dependencies)
   endif()
   seastar_find_dep (fmt 8.1.1 REQUIRED)
   seastar_find_dep (lz4 1.7.3 REQUIRED)
-  seastar_find_dep (GnuTLS 3.3.26 REQUIRED)
+  if (Seastar_USE_GNUTLS)
+    seastar_find_dep (GnuTLS 3.3.26 REQUIRED)
+  endif()
+  if (Seastar_USE_OPENSSL)
+    seastar_find_dep (OpenSSL 3.0.0 REQUIRED)
+  endif()
   if (Seastar_IO_URING)
     seastar_find_dep (LibUring 2.0 REQUIRED)
   endif()
diff --git a/configure.py b/configure.py
index c0b284bc170..68ccdebfa1e 100755
--- a/configure.py
+++ b/configure.py
@@ -89,6 +89,9 @@ def standard_supported(standard, compiler='g++'):
 arg_parser.add_argument('--verbose', dest='verbose', action='store_true', help='Make configure output more verbose.')
 arg_parser.add_argument('--scheduling-groups-count', action='store', dest='scheduling_groups_count', default='16',
                         help='Number of available scheduling groups in the reactor')
+arg_parser.add_argument('--crypto-provider', dest='crypto_provider', choices=seastar_cmake.SUPPORTED_CRYPTO_PROVIDERS,
+                        default='GnuTLS', help='The cryptographic provider ot use')
+arg_parser.add_argument('--openssl-root-dir', dest='openssl_root_dir', help="Root directory for OpenSSL library")
 
 add_tristate(
     arg_parser,
@@ -191,6 +194,7 @@ def configure_mode(mode):
         '-DBUILD_SHARED_LIBS={}'.format('yes' if mode in ('debug', 'dev') else 'no'),
         '-DSeastar_API_LEVEL={}'.format(args.api_level),
         '-DSeastar_SCHEDULING_GROUPS_COUNT={}'.format(args.scheduling_groups_count),
+        '-DSeastar_USE_OPENSSL={}'.format('yes' if args.crypto_provider == 'OpenSSL' else 'no'),
         tr(args.exclude_tests, 'EXCLUDE_TESTS_FROM_ALL'),
         tr(args.exclude_apps, 'EXCLUDE_APPS_FROM_ALL'),
         tr(args.exclude_demos, 'EXCLUDE_DEMOS_FROM_ALL'),
@@ -211,6 +215,9 @@ def configure_mode(mode):
         tr(args.debug_shared_ptr, 'DEBUG_SHARED_PTR', value_when_none='default'),
     ]
 
+    if args.openssl_root_dir is not None:
+        TRANSLATED_ARGS.appen(f'-DOPENSSL_ROOT_DIR={args.openssl_root_dir}')
+
     ingredients_to_cook = set(args.cook)
 
     if args.dpdk:
diff --git a/demos/tls_echo_server.hh b/demos/tls_echo_server.hh
index e7185dac95e..4c633b1c520 100644
--- a/demos/tls_echo_server.hh
+++ b/demos/tls_echo_server.hh
@@ -46,70 +46,86 @@ class echoserver {
     seastar::gate _gate;
     bool _stopped = false;
     bool _verbose = false;
+
+    future<stop_iteration> run_once() {
+        if (_stopped) {
+            return make_ready_future<stop_iteration>(stop_iteration::yes);
+        }
+        return with_gate(_gate, [this] {
+            return _socket.accept().then([this](accept_result ar) {
+                ::connected_socket s = std::move(ar.connection);
+                    socket_address a = std::move(ar.remote_address);
+                    if (_verbose) {
+                        std::cout << "Got connection from "<< a << std::endl;
+                    }
+                    auto strms = make_lw_shared<streams>(std::move(s));
+                    return repeat([strms, this]() {
+                        return strms->in.read().then([this, strms](temporary_buffer<char> buf) {
+                            if (buf.empty()) {
+                                if (_verbose) {
+                                    std::cout << "EOM" << std::endl;
+                                }
+                                return make_ready_future<stop_iteration>(stop_iteration::yes);
+                            }
+                            sstring tmp(buf.begin(), buf.end());
+                            if (_verbose) {
+                                std::cout << "Read " << tmp.size() << "B" << std::endl;
+                            }
+                            return strms->out.write(tmp).then([strms]() {
+                                return strms->out.flush();
+                            }).then([] {
+                                return make_ready_future<stop_iteration>(stop_iteration::no);
+                            });
+                        });
+                    }).then([strms]{
+                        return strms->out.close();
+                    }).handle_exception([](auto ep) {
+                        std::cout << "Exception: " << ep << std::endl;
+                    }).finally([this, strms]{
+                        if (_verbose) {
+                            std::cout << "Ending session" << std::endl;
+                        }
+                        return strms->in.close();
+                    });
+            }).handle_exception([this](auto ep) {
+                if (!_stopped) {
+                    std::cerr << "Error: " << ep << std::endl;
+                }
+            }).then([this] {
+                return make_ready_future<stop_iteration>(_stopped ? stop_iteration::yes : stop_iteration::no);
+            });
+        });
+    }
 public:
     echoserver(bool verbose = false)
             : _certs(make_shared<tls::server_credentials>(make_shared<tls::dh_params>()))
             , _verbose(verbose)
     {}
 
-    future<> listen(socket_address addr, sstring crtfile, sstring keyfile, tls::client_auth ca = tls::client_auth::NONE) {
-        _certs->set_client_auth(ca);
-        return _certs->set_x509_key_file(crtfile, keyfile, tls::x509_crt_format::PEM).then([this, addr] {
-            ::listen_options opts;
-            opts.reuse_address = true;
+    future<> listen(socket_address addr, sstring crtfile, sstring keyfile, sstring cafile) {
+        _certs->set_dn_verification_callback([](seastar::tls::session_type, sstring subject, sstring issuer){
+            std::cout << "DN Verification callback, subject: " << subject << " issuer: " << issuer << std::endl;
+        });
+        auto f = make_ready_future();
+        auto cauth = tls::client_auth::NONE;
+        if (cafile != "") {
+            cauth = tls::client_auth::REQUIRE;
+            f = _certs->set_x509_trust_file(cafile, tls::x509_crt_format::PEM);
+        }
+        _certs->set_client_auth(cauth);
+        return f.then([this, addr, crtfile, keyfile] {
+            return _certs->set_x509_key_file(crtfile, keyfile, tls::x509_crt_format::PEM).then([this, addr] {
+                ::listen_options opts;
+                    opts.reuse_address = true;
 
-            _socket = tls::listen(_certs, addr, opts);
+                    _socket = tls::listen(_certs, addr, opts);
 
-            // Listen in background.
-            (void)repeat([this] {
-                if (_stopped) {
-                    return make_ready_future<stop_iteration>(stop_iteration::yes);
-                }
-                return with_gate(_gate, [this] {
-                    return _socket.accept().then([this](accept_result ar) {
-                        ::connected_socket s = std::move(ar.connection);
-                        socket_address a = std::move(ar.remote_address);
-                        if (_verbose) {
-                            std::cout << "Got connection from "<< a << std::endl;
-                        }
-                        auto strms = make_lw_shared<streams>(std::move(s));
-                        return repeat([strms, this]() {
-                            return strms->in.read().then([this, strms](temporary_buffer<char> buf) {
-                                if (buf.empty()) {
-                                    if (_verbose) {
-                                        std::cout << "EOM" << std::endl;
-                                    }
-                                    return make_ready_future<stop_iteration>(stop_iteration::yes);
-                                }
-                                sstring tmp(buf.begin(), buf.end());
-                                if (_verbose) {
-                                    std::cout << "Read " << tmp.size() << "B" << std::endl;
-                                }
-                                return strms->out.write(tmp).then([strms]() {
-                                    return strms->out.flush();
-                                }).then([] {
-                                    return make_ready_future<stop_iteration>(stop_iteration::no);
-                                });
-                            });
-                        }).then([strms]{
-                            return strms->out.close();
-                        }).handle_exception([](auto ep) {
-                        }).finally([this, strms]{
-                            if (_verbose) {
-                                std::cout << "Ending session" << std::endl;
-                            }
-                            return strms->in.close();
-                        });
-                    }).handle_exception([this](auto ep) {
-                        if (!_stopped) {
-                            std::cerr << "Error: " << ep << std::endl;
-                        }
-                    }).then([this] {
-                        return make_ready_future<stop_iteration>(_stopped ? stop_iteration::yes : stop_iteration::no);
+                    // Listen in background.
+                    (void)repeat([this] {
+                        return run_once();
                     });
-                });
+                    return make_ready_future();
             });
-            return make_ready_future();
         });
     }
 
diff --git a/demos/tls_echo_server_demo.cc b/demos/tls_echo_server_demo.cc
index 4c445fea973..9611f5e8b06 100644
--- a/demos/tls_echo_server_demo.cc
+++ b/demos/tls_echo_server_demo.cc
@@ -37,6 +37,7 @@ int main(int ac, char** av) {
     app.add_options()
                     ("port", bpo::value<uint16_t>()->default_value(10000), "Server port")
                     ("address", bpo::value<std::string>()->default_value("127.0.0.1"), "Server address")
+                    ("ca,a", bpo::value<std::string>()->default_value(""), "Server CA chain file")
                     ("cert,c", bpo::value<std::string>()->required(), "Server certificate file")
                     ("key,k", bpo::value<std::string>()->required(), "Certificate key")
                     ("verbose,v", bpo::value<bool>()->default_value(false)->implicit_value(true), "Verbose")
@@ -46,6 +47,7 @@ int main(int ac, char** av) {
             seastar_apps_lib::stop_signal stop_signal;
             auto&& config = app.configuration();
             uint16_t port = config["port"].as<uint16_t>();
+            auto ca = config["ca"].as<std::string>();
             auto crt = config["cert"].as<std::string>();
             auto key = config["key"].as<std::string>();
             auto addr = config["address"].as<std::string>();
@@ -61,7 +63,7 @@ int main(int ac, char** av) {
             auto stop_server = deferred_stop(server);
 
             try {
-                server.invoke_on_all(&echoserver::listen, socket_address(ia), sstring(crt), sstring(key), tls::client_auth::NONE).get();
+                server.invoke_on_all(&echoserver::listen, socket_address(ia), sstring(crt), sstring(key),sstring(ca)).get();
             } catch (...) {
                 std::cerr << "Error: " << std::current_exception() << std::endl;
                 return 1;
diff --git a/demos/tls_simple_client_demo.cc b/demos/tls_simple_client_demo.cc
index 0f93ec6e606..5a425271776 100644
--- a/demos/tls_simple_client_demo.cc
+++ b/demos/tls_simple_client_demo.cc
@@ -39,6 +39,8 @@ int main(int ac, char** av) {
                     ("port", bpo::value<uint16_t>()->default_value(10000), "Remote port")
                     ("address", bpo::value<std::string>()->default_value("127.0.0.1"), "Remote address")
                     ("trust,t", bpo::value<std::string>(), "Trust store")
+                    ("certificate", bpo::value<std::string>(), "Certficiate")
+                    ("key,k", bpo::value<std::string>(), "Private Keyfile")
                     ("msg,m", bpo::value<std::string>(), "Message to send")
                     ("bytes,b", bpo::value<size_t>()->default_value(512), "Use random bytes of length as message")
                     ("iterations,i", bpo::value<size_t>()->default_value(1), "Repeat X times")
@@ -68,6 +70,15 @@ int main(int ac, char** av) {
             f = certs->set_x509_trust_file(config["trust"].as<std::string>(), tls::x509_crt_format::PEM);
         }
 
+        if (config.count("certificate") && config.count("key")) {
+            f = f.then([certs,
+                        cert = config["certificate"].as<std::string>(),
+                        key = config["key"].as<std::string>()]{
+                return certs->set_x509_key_file(cert, key, tls::x509_crt_format::PEM);
+            });
+        }
+
+
         seastar::shared_ptr<sstring> msg;
 
         if (config.count("msg")) {
diff --git a/include/seastar/core/circular_buffer_fixed_capacity.hh b/include/seastar/core/circular_buffer_fixed_capacity.hh
index 6c8871e66a7..2671a7feb35 100644
--- a/include/seastar/core/circular_buffer_fixed_capacity.hh
+++ b/include/seastar/core/circular_buffer_fixed_capacity.hh
@@ -30,6 +30,7 @@
 
 #ifndef SEASTAR_MODULE
 #include <type_traits>
+#include <algorithm>
 #include <cstddef>
 #include <iterator>
 #include <utility>
diff --git a/include/seastar/core/deleter.hh b/include/seastar/core/deleter.hh
index 8957c578cda..5a7945d67d1 100644
--- a/include/seastar/core/deleter.hh
+++ b/include/seastar/core/deleter.hh
@@ -22,6 +22,7 @@
 #pragma once
 
 #ifndef SEASTAR_MODULE
+#include <atomic>
 #include <cassert>
 #include <cstdint>
 #include <cstdlib>
@@ -30,7 +31,15 @@
 #include <seastar/util/modules.hh>
 #endif
 
+// The forward declarations of classes below are used for 
+// friending by the deleter.
+struct test_deleter_append_does_not_free_shared_object;
+struct test_deleter_append_same_shared_object_twice;
+
 namespace seastar {
+namespace net {
+    class packet;
+};
 
 /// \addtogroup memory-module
 /// @{
@@ -86,11 +95,19 @@ public:
         this->~deleter();
         new (this) deleter(i);
     }
+private:
     /// \endcond
     /// Appends another deleter to this deleter.  When this deleter is
     /// destroyed, both encapsulated actions will be carried out.
+    ///
+    /// This operation is not thread-safe and therefore not made public
+    /// except for a few manually verified uses that are marked as freinds
+    /// below.
     void append(deleter d);
-private:
+    friend class ::seastar::net::packet;
+    friend struct ::test_deleter_append_does_not_free_shared_object;
+    friend struct ::test_deleter_append_same_shared_object_twice;
+
     static bool is_raw_object(impl* i) noexcept {
         auto x = reinterpret_cast<uintptr_t>(i);
         return x & 1;
@@ -113,7 +130,9 @@ private:
 
 /// \cond internal
 struct deleter::impl {
-    unsigned refs = 1;
+    // The memory ordering on operations to this counter is similar to
+    // std::shared_ptr.
+    std::atomic<unsigned int> refs = 1;
     deleter next;
     impl(deleter next) : next(std::move(next)) {}
     virtual ~impl() {}
@@ -126,7 +145,7 @@ deleter::~deleter() {
         std::free(to_raw_object());
         return;
     }
-    if (_impl && --_impl->refs == 0) {
+    if (_impl && _impl->refs.fetch_sub(1, std::memory_order_acq_rel) == 1) {
         delete _impl;
     }
 }
@@ -209,7 +228,7 @@ deleter::share() {
     if (is_raw_object()) {
         _impl = new free_deleter_impl(to_raw_object());
     }
-    ++_impl->refs;
+    _impl->refs.fetch_add(1, std::memory_order_relaxed);
     return deleter(_impl);
 }
 
diff --git a/include/seastar/core/disk_params.hh b/include/seastar/core/disk_params.hh
index dfbf5aaef0c..e3f2b8d01dc 100644
--- a/include/seastar/core/disk_params.hh
+++ b/include/seastar/core/disk_params.hh
@@ -47,6 +47,7 @@ struct disk_params {
     uint64_t write_saturation_length = std::numeric_limits<uint64_t>::max();
     bool duplex = false;
     float rate_factor = 1.0;
+    bool max_cost_function = true;
 };
 
 SEASTAR_MODULE_EXPORT
diff --git a/include/seastar/core/internal/cpu_profiler.hh b/include/seastar/core/internal/cpu_profiler.hh
new file mode 100644
index 00000000000..7fb369cb1f6
--- /dev/null
+++ b/include/seastar/core/internal/cpu_profiler.hh
@@ -0,0 +1,182 @@
+/*
+ * This file is open source software, licensed to you under the terms
+ * of the Apache License, Version 2.0 (the "License").  See the NOTICE file
+ * distributed with this work for additional information regarding copyright
+ * ownership.  You may not use this file except in compliance with the License.
+ *
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+/*
+ * Copyright (C) 2023 ScyllaDB
+ */
+
+#pragma once
+
+#include <seastar/util/backtrace.hh>
+#include <seastar/core/circular_buffer_fixed_capacity.hh>
+#include <seastar/core/internal/signal_mutex.hh>
+#include <seastar/core/internal/timers.hh>
+#include <seastar/core/scheduling.hh>
+
+#include <boost/container/static_vector.hpp>
+
+#include <chrono>
+#include <csignal>
+#include <cstdint>
+#include <ctime>
+#include <atomic>
+#include <optional>
+
+namespace seastar {
+
+class reactor;
+
+struct cpu_profiler_trace {
+    using kernel_trace_vec = boost::container::static_vector<uintptr_t, 64>;
+    simple_backtrace user_backtrace;
+    kernel_trace_vec kernel_backtrace;
+    // The scheduling group active at the time the same was taken. Note that
+    // non-task reactor work (such as polling) ends up the in the default
+    // scheduling group (with name "main").
+    scheduling_group sg;
+};
+
+constexpr size_t max_number_of_traces = 128;
+
+namespace internal {
+
+// Temporarily enable/disable the CPU profiler from taking stacktraces on this thread,
+// but don't disable the profiler completely. This can be used disable the profiler
+// for cases when taking a backtrace isn't valid (IE JIT generated code).
+void profiler_drop_stacktraces(bool) noexcept;
+
+// A small RAII object to disable profiling temporarily
+//
+// This is not reentrant.
+class scoped_disable_profile_temporarily {
+public:
+    scoped_disable_profile_temporarily() noexcept {
+        profiler_drop_stacktraces(true);
+    }
+    ~scoped_disable_profile_temporarily() noexcept {
+        profiler_drop_stacktraces(false);
+    }
+};
+
+struct cpu_profiler_config {
+    bool enabled;
+    std::chrono::nanoseconds period;
+};
+
+struct cpu_profiler_stats {
+    unsigned dropped_samples_from_manual_disablement{0};
+    unsigned dropped_samples_from_exceptions{0};
+    unsigned dropped_samples_from_buffer_full{0};
+    unsigned dropped_samples_from_mutex_contention{0};
+
+    void clear_dropped() {
+        dropped_samples_from_manual_disablement = 0;
+        dropped_samples_from_exceptions = 0;
+        dropped_samples_from_buffer_full = 0;
+        dropped_samples_from_mutex_contention = 0;
+    }
+
+    unsigned sum_dropped() const {
+        return dropped_samples_from_manual_disablement
+            + dropped_samples_from_buffer_full
+            + dropped_samples_from_exceptions
+            + dropped_samples_from_mutex_contention;
+    }
+};
+
+class cpu_profiler {
+private:
+    circular_buffer_fixed_capacity<cpu_profiler_trace, max_number_of_traces> _traces;
+    // The operations in `_traces` are not reentrant. Therefore mutex is used to ensure
+    // that an interrupt cannot access `_traces` if the interrupted thread was already
+    // accessing it.
+    signal_mutex _traces_mutex;
+    cpu_profiler_config _cfg;
+    std::chrono::nanoseconds _last_set_timeout;
+    cpu_profiler_stats _stats;
+    bool _is_stopped{true};
+
+
+    bool is_enabled() const;
+    std::chrono::nanoseconds period() const;
+    std::chrono::nanoseconds get_next_timeout();
+
+protected:
+    friend reactor;
+
+public:
+    static int signal_number() { return SIGRTMIN + 2; }
+
+    cpu_profiler(cpu_profiler_config cfg) : _cfg(cfg) {}
+
+    // Allows for the sampling period of the profiler to be adjusted
+    // and the profiler to be enabled and disabled.
+    void update_config(cpu_profiler_config cfg);
+    // Stops the profiler if running and prevents it from starting until
+    // `start()` is explicitly called.
+    void stop();
+    // Allows to profiler to run when it's enabled via the `cpu_profiler_config`.
+    void start();
+    void on_signal();
+    size_t results(std::vector<cpu_profiler_trace>& results_buffer);
+
+    virtual ~cpu_profiler() = default;
+    virtual void arm_timer(std::chrono::nanoseconds) = 0;
+    virtual void disarm_timer() = 0;
+    virtual bool is_spurious_signal() { return false; }
+    virtual std::optional<linux_perf_event::kernel_backtrace>
+    try_get_kernel_backtrace() { return std::nullopt; }
+};
+
+class cpu_profiler_posix_timer : public cpu_profiler {
+    posix_timer _timer;
+public:
+    cpu_profiler_posix_timer(cpu_profiler_config cfg)
+            : cpu_profiler(cfg)
+            // CLOCK_MONOTONIC is used here in place of CLOCK_THREAD_CPUTIME_ID.
+            // This is since for intervals of ~5ms or less CLOCK_THREAD_CPUTIME_ID
+            // fires 200-600% after it's configured time. Therefore it is not granular
+            // enough for cases where the reactor is configured to sleep when idle and
+            // is only active for short intervals. CLOCK_MONOTONIC doesn't suffer from
+            // this issue.
+            , _timer({signal_number()}, CLOCK_MONOTONIC) {}
+
+    virtual ~cpu_profiler_posix_timer() override = default;
+    virtual void arm_timer(std::chrono::nanoseconds) override;
+    virtual void disarm_timer() override;
+};
+
+class cpu_profiler_linux_perf_event : public cpu_profiler {
+    linux_perf_event _perf_event;
+public:
+    static std::unique_ptr<cpu_profiler_linux_perf_event> try_make(cpu_profiler_config);
+    cpu_profiler_linux_perf_event(linux_perf_event perf_event, cpu_profiler_config cfg)
+            : cpu_profiler(cfg)
+            , _perf_event(std::move(perf_event)) {}
+
+    virtual ~cpu_profiler_linux_perf_event() override = default;
+    virtual void arm_timer(std::chrono::nanoseconds) override;
+    virtual void disarm_timer() override;
+    virtual bool is_spurious_signal() override;
+    virtual std::optional<linux_perf_event::kernel_backtrace>
+    try_get_kernel_backtrace() override;
+};
+
+std::unique_ptr<cpu_profiler> make_cpu_profiler(cpu_profiler_config cfg = {false, std::chrono::milliseconds(100)});
+
+}
+}
diff --git a/include/seastar/core/internal/signal_mutex.hh b/include/seastar/core/internal/signal_mutex.hh
new file mode 100644
index 00000000000..e48841cc772
--- /dev/null
+++ b/include/seastar/core/internal/signal_mutex.hh
@@ -0,0 +1,52 @@
+/*
+ * This file is open source software, licensed to you under the terms
+ * of the Apache License, Version 2.0 (the "License").  See the NOTICE file
+ * distributed with this work for additional information regarding copyright
+ * ownership.  You may not use this file except in compliance with the License.
+ *
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+/*
+ * Copyright (C) 2025 ScyllaDB
+ */
+
+#pragma once
+
+#include <atomic>
+#include <optional>
+
+namespace seastar::internal {
+
+/// A lightweight mutex designed to work with interrupts
+/// utilizing only compiler barriers.
+class signal_mutex {
+public:
+    class guard {
+    private:
+        signal_mutex* _mutex;
+        guard(signal_mutex* m) : _mutex(m) {}
+        friend class signal_mutex;
+    public:
+        guard(guard&& o) : _mutex(o._mutex) { o._mutex = nullptr; }
+        ~guard();
+    };
+
+    // Returns a `guard` if the lock was acquired.
+    // Otherwise returns a nullopt.
+    std::optional<guard> try_lock();
+
+private:
+    friend class guard;
+    std::atomic_bool _mutex;
+};
+
+} // namespace seastar::internal
diff --git a/include/seastar/core/internal/stall_detector.hh b/include/seastar/core/internal/stall_detector.hh
index 9505e7cddea..8e167e60a53 100644
--- a/include/seastar/core/internal/stall_detector.hh
+++ b/include/seastar/core/internal/stall_detector.hh
@@ -34,6 +34,7 @@
 #include <seastar/core/posix.hh>
 #include <seastar/core/metrics_registration.hh>
 #include <seastar/core/scheduling.hh>
+#include <seastar/core/internal/timers.hh>
 #include <seastar/util/modules.hh>
 
 namespace seastar {
@@ -97,85 +98,25 @@ public:
 };
 
 class cpu_stall_detector_posix_timer : public cpu_stall_detector {
-    timer_t _timer;
+    posix_timer _timer;
 public:
     explicit cpu_stall_detector_posix_timer(cpu_stall_detector_config cfg = {});
-    virtual ~cpu_stall_detector_posix_timer() override;
+    virtual ~cpu_stall_detector_posix_timer() override = default;
 private:
     virtual void arm_timer() override;
     virtual void start_sleep() override;
 };
 
 class cpu_stall_detector_linux_perf_event : public cpu_stall_detector {
-    file_desc _fd;
-    bool _enabled = false;
-    uint64_t _current_period = 0;
-    struct ::perf_event_mmap_page* _mmap;
-    char* _data_area;
-    size_t _data_area_mask;
-    // after the detector has been armed (i.e., _enabled is true), this
-    // is the moment at or after which the next signal is expected to occur
-    // and can be used for detecting spurious signals
-    sched_clock::time_point _next_signal_time{};
-private:
-    class data_area_reader {
-        cpu_stall_detector_linux_perf_event& _p;
-        const char* _data_area;
-        size_t _data_area_mask;
-        uint64_t _head;
-        uint64_t _tail;
-    public:
-        explicit data_area_reader(cpu_stall_detector_linux_perf_event& p)
-                : _p(p)
-                , _data_area(p._data_area)
-                , _data_area_mask(p._data_area_mask) {
-            _head = _p._mmap->data_head;
-            _tail = _p._mmap->data_tail;
-            std::atomic_thread_fence(std::memory_order_acquire); // required after reading data_head
-        }
-        ~data_area_reader() {
-            std::atomic_thread_fence(std::memory_order_release); // not documented, but probably required before writing data_tail
-            _p._mmap->data_tail = _tail;
-        }
-        uint64_t read_u64() {
-            uint64_t ret;
-            // We cannot wrap around if the 8-byte unit is aligned
-            std::copy_n(_data_area + (_tail & _data_area_mask), 8, reinterpret_cast<char*>(&ret));
-            _tail += 8;
-            return ret;
-        }
-        template <typename S>
-        S read_struct() {
-            static_assert(sizeof(S) % 8 == 0);
-            S ret;
-            char* p = reinterpret_cast<char*>(&ret);
-            for (size_t i = 0; i != sizeof(S); i += 8) {
-                uint64_t w = read_u64();
-                std::copy_n(reinterpret_cast<const char*>(&w), 8, p + i);
-            }
-            return ret;
-        }
-        void skip(uint64_t bytes_to_skip) {
-            _tail += bytes_to_skip;
-        }
-        // skip all the remaining data in the buffer, as-if calling read until
-        // have_data returns false (but much faster)
-        void skip_all() {
-            _tail = _head;
-        }
-        bool have_data() const {
-            return _head != _tail;
-        }
-    };
-
-    virtual void maybe_report_kernel_trace(backtrace_buffer& buf) override;
+    linux_perf_event _perf_event;
 public:
     static std::unique_ptr<cpu_stall_detector_linux_perf_event> try_make(cpu_stall_detector_config cfg = {});
-    explicit cpu_stall_detector_linux_perf_event(file_desc fd, cpu_stall_detector_config cfg = {});
-    ~cpu_stall_detector_linux_perf_event();
+    explicit cpu_stall_detector_linux_perf_event(linux_perf_event perf_event, cpu_stall_detector_config cfg = {});
+    virtual ~cpu_stall_detector_linux_perf_event() override = default;
     virtual void arm_timer() override;
     virtual void start_sleep() override;
     virtual bool is_spurious_signal() override;
+    virtual void maybe_report_kernel_trace(backtrace_buffer& buf) override;
 };
 
 std::unique_ptr<cpu_stall_detector> make_cpu_stall_detector(cpu_stall_detector_config cfg = {});
diff --git a/include/seastar/core/internal/timers.hh b/include/seastar/core/internal/timers.hh
new file mode 100644
index 00000000000..1aeb04d4c36
--- /dev/null
+++ b/include/seastar/core/internal/timers.hh
@@ -0,0 +1,147 @@
+/*
+ * This file is open source software, licensed to you under the terms
+ * of the Apache License, Version 2.0 (the "License").  See the NOTICE file
+ * distributed with this work for additional information regarding copyright
+ * ownership.  You may not use this file except in compliance with the License.
+ *
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+/*
+ * Copyright (C) 2023 ScyllaDB
+ */
+
+#pragma once
+
+#ifndef SEASTAR_MODULE
+#include <atomic>
+#include <chrono>
+#include <cstdint>
+#include <optional>
+#include <functional>
+
+#include <linux/perf_event.h>
+#endif
+
+#include <seastar/core/posix.hh>
+#include <seastar/core/scheduling.hh>
+#include <seastar/util/modules.hh>
+
+namespace seastar {
+namespace internal {
+
+struct timer_cfg {
+    int signal_number;
+};
+
+class posix_timer {
+    timer_t _timer;
+public:
+    explicit posix_timer(timer_cfg cfg, clockid_t clock_id = CLOCK_THREAD_CPUTIME_ID);
+    virtual ~posix_timer();
+    void arm_timer(std::chrono::nanoseconds);
+    void disarm_timer();
+};
+
+class linux_perf_event {
+    file_desc _fd;
+    bool _enabled = false;
+    uint64_t _current_period = 0;
+    struct ::perf_event_mmap_page* _mmap;
+    char* _data_area;
+    size_t _data_area_mask;
+    // after the detector has been armed (i.e., _enabled is true), this
+    // is the moment at or after which the next signal is expected to occur
+    // and can be used for detecting spurious signals
+    sched_clock::time_point _next_signal_time{};
+private:
+    class data_area_reader {
+        std::reference_wrapper<linux_perf_event> _p;
+        const char* _data_area;
+        size_t _data_area_mask;
+        uint64_t _head;
+        uint64_t _tail;
+    public:
+        explicit data_area_reader(linux_perf_event& p)
+                : _p(p)
+                , _data_area(p._data_area)
+                , _data_area_mask(p._data_area_mask) {
+            _head = _p.get()._mmap->data_head;
+            _tail = _p.get()._mmap->data_tail;
+            std::atomic_thread_fence(std::memory_order_acquire); // required after reading data_head
+        }
+        data_area_reader(data_area_reader&& o) 
+                : _p(o._p)
+                , _data_area(o._data_area)
+                , _data_area_mask(o._data_area_mask)
+                , _head(o._head)
+                , _tail(o._tail) {
+            o._data_area = nullptr;
+        }
+        ~data_area_reader() {
+            if(_data_area != nullptr) {
+                std::atomic_thread_fence(std::memory_order_release); // not documented, but probably required before writing data_tail
+                _p.get()._mmap->data_tail = _tail;
+            }
+        }
+        uint64_t read_u64() {
+
+            uint64_t ret;
+            // We cannot wrap around if the 8-byte unit is aligned
+            std::copy_n(_data_area + (_tail & _data_area_mask), 8, reinterpret_cast<char*>(&ret));
+            _tail += 8;
+            return ret;
+        }
+        template <typename S>
+        S read_struct() {
+            static_assert(sizeof(S) % 8 == 0);
+            S ret;
+            char* p = reinterpret_cast<char*>(&ret);
+            for (size_t i = 0; i != sizeof(S); i += 8) {
+                uint64_t w = read_u64();
+                std::copy_n(reinterpret_cast<const char*>(&w), 8, p + i);
+            }
+            return ret;
+        }
+        void skip(uint64_t bytes_to_skip) {
+            _tail += bytes_to_skip;
+        }
+        // skip all the remaining data in the buffer, as-if calling read until
+        // have_data returns false (but much faster)
+        void skip_all() {
+            _tail = _head;
+        }
+        bool have_data() const {
+            return _head != _tail;
+        }
+    };
+
+    explicit linux_perf_event(file_desc fd);
+public:
+
+    class kernel_backtrace {
+        data_area_reader _reader;
+    public:
+        kernel_backtrace(data_area_reader reader) : _reader(std::move(reader)) {}
+        void read_backtrace(std::function<void(uintptr_t)>);
+    };
+
+    linux_perf_event(linux_perf_event&&);
+    static linux_perf_event try_make(timer_cfg cfg);
+    ~linux_perf_event();
+    void arm_timer(std::chrono::nanoseconds);
+    void disarm_timer();
+    bool is_spurious_signal();
+    std::optional<kernel_backtrace> try_get_kernel_backtrace();
+};
+
+}
+}
diff --git a/include/seastar/core/io_queue.hh b/include/seastar/core/io_queue.hh
index f8466f3496b..c9e6f8591b4 100644
--- a/include/seastar/core/io_queue.hh
+++ b/include/seastar/core/io_queue.hh
@@ -24,6 +24,7 @@
 #ifndef SEASTAR_MODULE
 #include <boost/container/static_vector.hpp>
 #include <chrono>
+#include <limits>
 #include <memory>
 #include <vector>
 #include <sys/uio.h>
@@ -196,6 +197,13 @@ public:
         double flow_ratio_backpressure_threshold = 1.1;
         std::chrono::milliseconds stall_threshold = std::chrono::milliseconds(100);
         std::chrono::microseconds tau = std::chrono::milliseconds(5);
+
+        // Original values of io-properties (if available)
+        size_t read_bytes_rate = std::numeric_limits<size_t>::max();
+        size_t write_bytes_rate = std::numeric_limits<size_t>::max();
+        size_t read_req_rate = std::numeric_limits<size_t>::max();
+        size_t write_req_rate = std::numeric_limits<size_t>::max();
+        bool max_cost_function = true;
     };
 
     io_queue(io_group_ptr group, internal::io_sink& sink);
diff --git a/include/seastar/core/metrics.hh b/include/seastar/core/metrics.hh
index 73bc293a046..ebc8cee3a91 100644
--- a/include/seastar/core/metrics.hh
+++ b/include/seastar/core/metrics.hh
@@ -405,6 +405,7 @@ public:
     virtual metric_groups_def& add_metric(group_name_type name, const metric_definition& md) = 0;
     virtual metric_groups_def& add_group(group_name_type name, const std::initializer_list<metric_definition>& l) = 0;
     virtual metric_groups_def& add_group(group_name_type name, const std::vector<metric_definition>& l) = 0;
+    virtual int get_handle() const = 0;
 };
 
 instance_id_type shard();
@@ -679,6 +680,13 @@ impl::metric_definition_impl make_total_operations(metric_name_type name,
     return make_counter(name, std::forward<T>(val), d, labels).set_type("total_operations");
 }
 
+/*!
+ * \brief Update the aggregation labels of a metric family
+ */
+void update_aggregate_labels(const group_name_type& group_name,
+                             const metric_name_type& metric_name,
+                             const std::vector<label>& aggregate_labels);
+
 /*! @} */
 }
 }
diff --git a/include/seastar/core/metrics_api.hh b/include/seastar/core/metrics_api.hh
index 6c9ae7fdff5..d073852dc7f 100644
--- a/include/seastar/core/metrics_api.hh
+++ b/include/seastar/core/metrics_api.hh
@@ -45,6 +45,9 @@ namespace impl {
 using labels_type = std::map<sstring, sstring>;
 using internalized_labels_ref = lw_shared_ptr<const labels_type>;
 
+
+int default_handle();
+
 }
 }
 }
@@ -237,6 +240,8 @@ inline bool operator<(const internalized_holder& lhs, const internalized_holder&
 
 
 class impl;
+using metric_implementations = std::unordered_map<int, ::seastar::shared_ptr<impl>>;
+metric_implementations& get_metric_implementations();
 
 class registered_metric final {
     metric_info _info;
@@ -257,6 +262,11 @@ public:
     void set_skip_when_empty(skip_when_empty skip) noexcept {
         _info.should_skip_when_empty = skip;
     }
+
+    skip_when_empty get_skip_when_empty() const {
+        return _info.should_skip_when_empty;
+    }
+
     const metric_id& get_id() const {
         return _info.id;
     }
@@ -277,16 +287,18 @@ using metric_instances = std::map<internalized_holder, register_ref, std::less<>
 using metrics_registration = std::vector<register_ref>;
 
 class metric_groups_impl : public metric_groups_def {
+    int _handle;
     metrics_registration _registration;
     shared_ptr<impl> _impl; // keep impl alive while metrics are registered
 public:
-    metric_groups_impl();
+    explicit metric_groups_impl(int handle = default_handle());
     ~metric_groups_impl();
     metric_groups_impl(const metric_groups_impl&) = delete;
     metric_groups_impl(metric_groups_impl&&) = default;
     metric_groups_impl& add_metric(group_name_type name, const metric_definition& md);
     metric_groups_impl& add_group(group_name_type name, const std::initializer_list<metric_definition>& l);
     metric_groups_impl& add_group(group_name_type name, const std::vector<metric_definition>& l);
+    int get_handle() const;
 };
 
 class metric_family {
@@ -458,6 +470,7 @@ class impl {
     std::vector<relabel_config> _relabel_configs;
     std::vector<metric_family_config> _metric_family_configs;
     internalized_set _internalized_labels;
+    std::unordered_multimap<seastar::sstring, int> _metric_families_to_replicate;
 public:
     value_map& get_value_map() {
         return _value_map;
@@ -469,6 +482,7 @@ public:
 
     register_ref add_registration(const metric_id& id, const metric_type& type, metric_function f, const description& d, bool enabled, skip_when_empty skip, const std::vector<std::string>& aggregate_labels);
     internalized_labels_ref internalize_labels(labels_type labels);
+    void update_aggregate_labels(const metric_id& id, const std::vector<label>& aggregate_labels);
     void remove_registration(const metric_id& id);
     future<> stop() {
         return make_ready_future<>();
@@ -499,6 +513,7 @@ public:
     const std::vector<relabel_config>& get_relabel_configs() const noexcept {
         return _relabel_configs;
     }
+
     const std::vector<metric_family_config>& get_metric_family_configs() const noexcept {
         return _metric_family_configs;
     }
@@ -507,19 +522,49 @@ public:
 
     void update_aggregate(metric_family_info& mf) const noexcept;
 
+    // Set the metrics families to be replicated from this metrics::impl.
+    // All metrics families that match one of the keys of
+    // the 'metric_families_to_replicate' argument will be replicated
+    // on the metrics::impl identified by the corresponding value.
+    //
+    // If this function was called previously, any previously
+    // replicated metrics will be removed before the provided ones are
+    // replicated.
+    //
+    // Metric replication spans the full life cycle of this class.
+    // Newly registered metrics that belong to a replicated family
+    // be replicated too and unregistering a replicated metric will
+    // unregister the replica.
+    void set_metric_families_to_replicate(
+            std::unordered_multimap<seastar::sstring, int> metric_families_to_replicate);
+
 private:
     void gc_internalized_labels();
     bool apply_relabeling(const relabel_config& rc, metric_info& info);
+    void replicate_metric_family(const seastar::sstring& name,
+                                 int destination_handle) const;
+    void replicate_metric_if_required(const shared_ptr<registered_metric>& metric) const;
+    void replicate_metric(const shared_ptr<registered_metric>& metric,
+                          const metric_family& family,
+                          const shared_ptr<impl>& destination,
+                          int destination_handle) const;
+
+    void remove_metric_replica_family(const seastar::sstring& name,
+                                      int destination_handle) const;
+    void remove_metric_replica(const metric_id& id,
+                               const shared_ptr<impl>& destination) const;
+    void remove_metric_replica_if_required(const metric_id& id) const;
 };
 
-const value_map& get_value_map();
+const value_map& get_value_map(int handle = default_handle());
 using values_reference = shared_ptr<values_copy>;
 
-foreign_ptr<values_reference> get_values();
+foreign_ptr<values_reference> get_values(int handle = default_handle());
+
+shared_ptr<impl> get_local_impl(int handle = default_handle());
 
-shared_ptr<impl> get_local_impl();
 
-void unregister_metric(const metric_id & id);
+void unregister_metric(const metric_id & id, int handle = default_handle());
 
 /*!
  * \brief initialize metric group
@@ -527,7 +572,7 @@ void unregister_metric(const metric_id & id);
  * Create a metric_group_def.
  * No need to use it directly.
  */
-std::unique_ptr<metric_groups_def> create_metric_groups();
+std::unique_ptr<metric_groups_def> create_metric_groups(int handle = default_handle());
 
 }
 
@@ -544,7 +589,7 @@ struct options : public program_options::option_group {
 /*!
  * \brief set the metrics configuration
  */
-future<> configure(const options& opts);
+future<> configure(const options& opts, int handle = default_handle());
 
 /*!
  * \brief Perform relabeling and operation on metrics dynamically.
@@ -622,5 +667,12 @@ void set_metric_family_configs(const std::vector<metric_family_config>& metrics_
  * This function returns a vector of the current metrics family config
  */
 const std::vector<metric_family_config>& get_metric_family_configs();
+
+/*!
+ * \brief replicate metric families accross internal metrics implementations
+ */
+future<>
+replicate_metric_families(int source_handle, std::unordered_multimap<seastar::sstring, int> metric_families_to_replicate);
+
 }
 }
diff --git a/include/seastar/core/metrics_registration.hh b/include/seastar/core/metrics_registration.hh
index 341903089be..4eb64b2735a 100644
--- a/include/seastar/core/metrics_registration.hh
+++ b/include/seastar/core/metrics_registration.hh
@@ -54,6 +54,7 @@ namespace seastar {
 namespace metrics {
 
 namespace impl {
+int default_handle();
 class metric_groups_def;
 struct metric_definition_impl;
 class metric_groups_impl;
@@ -61,7 +62,10 @@ class metric_groups_impl;
 
 SEASTAR_MODULE_EXPORT_BEGIN
 
+int default_handle();
+
 using group_name_type = sstring; /*!< A group of logically related metrics */
+using metric_name_type = sstring; /*!< A single metric name */
 class metric_groups;
 
 class metric_definition {
@@ -94,7 +98,7 @@ public:
 class metric_groups {
     std::unique_ptr<impl::metric_groups_def> _impl;
 public:
-    metric_groups() noexcept;
+    explicit metric_groups(int handle = default_handle()) noexcept;
     metric_groups(metric_groups&&) = default;
     virtual ~metric_groups();
     metric_groups& operator=(metric_groups&&) = default;
@@ -103,7 +107,7 @@ public:
      *
      * combine the constructor with the add_group functionality.
      */
-    metric_groups(std::initializer_list<metric_group_definition> mg);
+    metric_groups(std::initializer_list<metric_group_definition> mg, int handle = default_handle());
 
     /*!
      * \brief Add metrics belonging to the same group.
@@ -159,7 +163,7 @@ public:
  */
 class metric_group : public metric_groups {
 public:
-    metric_group() noexcept;
+    explicit metric_group(int handle = default_handle()) noexcept;
     metric_group(const metric_group&) = delete;
     metric_group(metric_group&&) = default;
     virtual ~metric_group();
@@ -170,7 +174,7 @@ public:
      *
      *
      */
-    metric_group(const group_name_type& name, std::initializer_list<metric_definition> l);
+    metric_group(const group_name_type& name, std::initializer_list<metric_definition> l, int handle = default_handle());
 };
 
 SEASTAR_MODULE_EXPORT_END
diff --git a/include/seastar/core/prometheus.hh b/include/seastar/core/prometheus.hh
index 25058280515..db6686912f5 100644
--- a/include/seastar/core/prometheus.hh
+++ b/include/seastar/core/prometheus.hh
@@ -44,12 +44,15 @@ struct config {
     std::optional<metrics::label_instance> label; //!< A label that will be added to all metrics, we advice not to use it and set it on the prometheus server
     sstring prefix = "seastar"; //!< a prefix that will be added to metric names
     bool allow_protobuf = false; // protobuf support is experimental and off by default
+    int handle = metrics::default_handle(); //!< Handle that specifies which metric implementation to query
+    sstring route = "/metrics"; //!< Name of the route on which to expose the metrics
 };
 
 future<> start(httpd::http_server_control& http_server, config ctx);
 
-/// \defgroup add_prometheus_routes adds a /metrics endpoint that returns prometheus metrics
-///    both in txt format and in protobuf according to the prometheus spec
+/// \defgroup add_prometheus_routes adds a specified endpoint (defaults to /metrics) that returns prometheus metrics
+///    in txt format format and in protobuf according to the prometheus spec
+
 /// @{
 future<> add_prometheus_routes(distributed<httpd::http_server>& server, config ctx);
 future<> add_prometheus_routes(httpd::http_server& server, config ctx);
diff --git a/include/seastar/core/reactor.hh b/include/seastar/core/reactor.hh
index 07745d528ab..33a562452e6 100644
--- a/include/seastar/core/reactor.hh
+++ b/include/seastar/core/reactor.hh
@@ -115,11 +115,13 @@ class reactor_backend_selector;
 
 class reactor_backend;
 struct pollfn;
+struct cpu_profiler_trace;
 
 namespace internal {
 
 class reactor_stall_sampler;
 class cpu_stall_detector;
+class cpu_profiler;
 class buffer_allocator;
 class priority_class;
 class poller;
@@ -253,6 +255,7 @@ private:
     uint64_t _polls = 0;
     metrics::internal::time_estimated_histogram _stalls_histogram;
     std::unique_ptr<internal::cpu_stall_detector> _cpu_stall_detector;
+    std::unique_ptr<internal::cpu_profiler> _cpu_profiler;
 
     timer<>::set_t _timers;
     timer<>::set_t::timer_list_t _expired_timers;
@@ -744,6 +747,21 @@ public:
     void update_blocked_reactor_notify_ms(std::chrono::milliseconds ms);
     std::chrono::milliseconds get_blocked_reactor_notify_ms() const;
 
+    bool get_cpu_profiler_enabled();
+    void set_cpu_profiler_enabled(bool);
+    std::chrono::nanoseconds get_cpu_profiler_period();
+    void set_cpu_profiler_period(std::chrono::nanoseconds);
+    /// Copies all profiler samples that were collected since the function
+    /// was last called into `results_buffer`.
+    ///
+    /// Returns the number of samples that had to be dropped since the function
+    /// was last called due to a full internal buffer.
+    ///
+    /// Note: All existing data in `results_buffer` will be overriden. And if
+    /// `results_buffer` does not have enough capacity to hold all samples it's
+    /// capacity will be increased internally. The capacity is never shrunk though.
+    size_t profiler_results(std::vector<cpu_profiler_trace>& results_buffer);
+
     class test {
     public:
         static void with_allow_abandoned_failed_futures(unsigned count, noncopyable_function<void ()> func);
diff --git a/include/seastar/core/reactor_config.hh b/include/seastar/core/reactor_config.hh
index b37c04e9aec..ec8e7d85e31 100644
--- a/include/seastar/core/reactor_config.hh
+++ b/include/seastar/core/reactor_config.hh
@@ -110,6 +110,14 @@ struct reactor_options : public program_options::option_group {
     ///
     /// Default: \p true.
     program_options::value<bool> blocked_reactor_report_format_oneline;
+    /// \brief The sample rate for the reactor profiler.
+    ///
+    /// Default 100.
+    program_options::value<unsigned> profiler_sample_period_ms;
+    /// \brief Optionally enable the profiler.
+    ///
+    /// Default false.
+    program_options::value<bool> profiler_enabled;
     /// \brief Allow using buffered I/O if DMA is not available (reduces performance).
     program_options::value<> relaxed_dma;
     /// \brief Use the Linux NOWAIT AIO feature, which reduces reactor stalls due
diff --git a/include/seastar/core/scheduling.hh b/include/seastar/core/scheduling.hh
index 2478d0f7905..2d530eefd1f 100644
--- a/include/seastar/core/scheduling.hh
+++ b/include/seastar/core/scheduling.hh
@@ -426,6 +426,13 @@ public:
     friend unsigned internal::scheduling_group_index(scheduling_group sg) noexcept;
     friend scheduling_group internal::scheduling_group_from_index(unsigned index) noexcept;
 
+    struct stats {
+        sched_clock::duration runtime;
+        sched_clock::duration waittime;
+        sched_clock::duration starvetime;
+    };
+    stats get_stats() const noexcept;
+
     template<typename SpecificValType, typename Mapper, typename Reducer, typename Initial>
     requires requires(SpecificValType specific_val, Mapper mapper, Reducer reducer, Initial initial) {
         {reducer(initial, mapper(specific_val))} -> std::convertible_to<Initial>;
diff --git a/include/seastar/core/scollectd.hh b/include/seastar/core/scollectd.hh
index 83ff82aacea..9c9191cd081 100644
--- a/include/seastar/core/scollectd.hh
+++ b/include/seastar/core/scollectd.hh
@@ -374,7 +374,7 @@ struct options : public program_options::option_group {
     /// \endcond
 };
 
-void configure(const options&);
+void configure(const options&, int handle = seastar::metrics::default_handle());
 void remove_polled_metric(const type_instance_id &);
 
 class plugin_instance_metrics;
@@ -393,8 +393,8 @@ class plugin_instance_metrics;
  */
 struct registration {
     registration() = default;
-    registration(const type_instance_id& id);
-    registration(type_instance_id&& id);
+    registration(const type_instance_id& id, int handle = seastar::metrics::default_handle());
+    registration(type_instance_id&& id, int handle = seastar::metrics::default_handle());
     registration(const registration&) = delete;
     registration(registration&&) = default;
     ~registration();
@@ -782,8 +782,8 @@ seastar::metrics::impl::metric_id to_metrics_id(const type_instance_id & id);
  */
 template<typename Arg>
 [[deprecated("Use the metrics layer")]] static type_instance_id add_polled_metric(const type_instance_id & id, description d,
-        Arg&& arg, bool enabled = true) {
-    seastar::metrics::impl::get_local_impl()->add_registration(to_metrics_id(id), arg.type, seastar::metrics::impl::make_function(arg.value, arg.type), d, enabled);
+        Arg&& arg, bool enabled = true, int handle = seastar::metrics::default_handle()) {
+    seastar::metrics::impl::get_local_impl(handle)->add_registration(to_metrics_id(id), arg.type, seastar::metrics::impl::make_function(arg.value, arg.type), d, enabled);
     return id;
 }
 /*!
diff --git a/include/seastar/core/sstring.hh b/include/seastar/core/sstring.hh
index 51ed5a2673f..ff62c3d9550 100644
--- a/include/seastar/core/sstring.hh
+++ b/include/seastar/core/sstring.hh
@@ -842,7 +842,7 @@ namespace std {
 
 SEASTAR_MODULE_EXPORT
 template <typename T>
-[[deprecated("Use {fmt} instead")]]
+// [[deprecated("Use {fmt} instead")]]
 inline
 std::ostream& operator<<(std::ostream& os, const std::vector<T>& v) {
     bool first = true;
@@ -861,7 +861,7 @@ std::ostream& operator<<(std::ostream& os, const std::vector<T>& v) {
 
 SEASTAR_MODULE_EXPORT
 template <typename Key, typename T, typename Hash, typename KeyEqual, typename Allocator>
-[[deprecated("Use {fmt} instead")]]
+// [[deprecated("Use {fmt} instead")]]
 std::ostream& operator<<(std::ostream& os, const std::unordered_map<Key, T, Hash, KeyEqual, Allocator>& v) {
     bool first = true;
     os << "{";
diff --git a/include/seastar/core/temporary_buffer.hh b/include/seastar/core/temporary_buffer.hh
index 2a57ed3fbc3..eef62f21332 100644
--- a/include/seastar/core/temporary_buffer.hh
+++ b/include/seastar/core/temporary_buffer.hh
@@ -27,14 +27,54 @@
 #include <cstring>
 #include <string_view>
 #include <malloc.h>
+#include <memory>
 #endif
 #include <seastar/core/deleter.hh>
 #include <seastar/util/eclipse.hh>
 #include <seastar/util/std-compat.hh>
 #include <seastar/util/modules.hh>
 
+class hdr_hist; // Class from Redpanda
+
 namespace seastar {
 
+/*
+ * The custom-deleter constructor of temporary_buffer has been made private to
+ * better ensure the safety of cross-shard sharing the temporary_buffer.
+ *
+ * The forward declarations here are to allow for some manually verified, pre-existing,
+ * code to still access the newly-private constructor.
+ */
+
+namespace net {
+class packet;
+class packet_data_source;
+
+template <typename Protocol>
+class native_connected_socket_impl;
+}
+
+
+template <typename PtrType>
+requires (!std::is_pointer_v<PtrType>)
+class foreign_ptr;
+
+namespace rpc {
+template<typename T> T make_shard_local_buffer_copy(foreign_ptr<std::unique_ptr<T>> org);
+}
+
+class file_data_source_impl;
+class file;
+
+template <typename CharType>
+class temporary_buffer;
+
+template <typename CharType>
+temporary_buffer<CharType> make_temporary_buffer(std::pmr::polymorphic_allocator<CharType>* allocator, std::size_t size);
+
+template <typename char_type, typename Size, Size max_size, bool NulTerminate>
+class basic_sstring;
+
 /// \addtogroup memory-module
 /// @{
 
@@ -95,6 +135,7 @@ public:
         x._size = 0;
     }
 
+private:
     /// Creates a \c temporary_buffer with a specific deleter.
     ///
     /// \param buf beginning of the buffer held by this \c temporary_buffer
@@ -103,6 +144,26 @@ public:
     ///          will be destroyed when there are no longer any users for the buffer.
     temporary_buffer(CharType* buf, size_t size, deleter d) noexcept
         : _buffer(buf), _size(size), _deleter(std::move(d)) {}
+
+    friend class ::seastar::net::packet;
+    friend class ::seastar::file_data_source_impl;
+    friend class ::seastar::net::packet_data_source;
+    friend class ::seastar::file;
+    friend class ::hdr_hist;
+
+    template<typename T> 
+    friend T rpc::make_shard_local_buffer_copy(foreign_ptr<std::unique_ptr<T>> org);
+
+    template <typename T>
+    friend temporary_buffer<T> make_temporary_buffer(std::pmr::polymorphic_allocator<T>* allocator, std::size_t size);
+
+    template <typename T>
+    friend class ::seastar::net::native_connected_socket_impl;
+
+    template <typename char_type, typename Size, Size max_size, bool NulTerminate>
+    friend class ::seastar::basic_sstring;
+
+public:
     /// Creates a `temporary_buffer` containing a copy of the provided data
     ///
     /// \param src  data buffer to be copied
diff --git a/include/seastar/http/exception.hh b/include/seastar/http/exception.hh
index 5b43284c82b..c770f79de9a 100644
--- a/include/seastar/http/exception.hh
+++ b/include/seastar/http/exception.hh
@@ -43,6 +43,16 @@ public:
             : _msg(msg), _status(status) {
     }
 
+    /**
+     * A base_exception with a content_type is specifying a full response body, whereas
+     * a base_exception with only a _status is specifying a string that may be wrapped
+     * in e.g. a json_exception.
+     */
+    base_exception(const std::string& msg, http::reply::status_type status, const std::string &content_type)
+            : _msg(msg), _status(status), _content_type(content_type) {
+    }
+
+
     virtual const char* what() const noexcept {
         return _msg.c_str();
     }
@@ -54,9 +64,14 @@ public:
     virtual const std::string& str() const {
         return _msg;
     }
+
+    virtual const std::string& content_type() const {
+        return _content_type;
+    }
 private:
     std::string _msg;
     http::reply::status_type _status;
+    std::string _content_type;
 
 };
 
@@ -65,10 +80,22 @@ private:
  */
 class redirect_exception : public base_exception {
 public:
-    redirect_exception(const std::string& url, http::reply::status_type status = http::reply::status_type::moved_permanently)
-            : base_exception("", status), url(url) {
+    redirect_exception(const std::string& url, http::reply::status_type status = http::reply::status_type::moved_permanently, const std::optional<int>& retry_after = std::nullopt)
+            : base_exception("", status), url(url), retry_after(retry_after) {
+    }
+
+    http::reply to_reply() const {
+        http::reply reply{};
+        reply.add_header("Location", url);
+        if (retry_after.has_value()) {
+            reply.add_header("Retry-After", std::to_string(retry_after.value()));
+        }
+        reply.set_status(status());
+        return reply;
     }
+
     std::string url;
+    std::optional<int> retry_after;
 };
 
 /**
@@ -127,7 +154,7 @@ public:
     explicit response_parsing_exception(const std::string& msg) : server_error_exception(msg) {}
 };
 
-class [[deprecated("Use base_exception or any of its inheritants instead")]] json_exception : public json::json_base {
+class /* [[deprecated("Use base_exception or any of its inheritants instead")]] */json_exception : public json::json_base {
 public:
     json::json_element<std::string> _msg;
     json::json_element<int> _code;
diff --git a/include/seastar/http/httpd.hh b/include/seastar/http/httpd.hh
index 543a8085662..70eeca92fe2 100644
--- a/include/seastar/http/httpd.hh
+++ b/include/seastar/http/httpd.hh
@@ -79,29 +79,32 @@ class connection : public boost::intrusive::list_base_hook<> {
     queue<std::unique_ptr<http::reply>> _replies { 10 };
     bool _done = false;
     const bool _tls;
+    int _listener_idx;
 public:
-    [[deprecated("use connection(http_server&, connected_socket&&, bool tls)")]]
-    connection(http_server& server, connected_socket&& fd, socket_address, bool tls)
-            : connection(server, std::move(fd), tls) {}
-    connection(http_server& server, connected_socket&& fd, bool tls)
+    [[deprecated("use connection(http_server&, connected_socket&&, bool tls, int listener_idx)")]]
+    connection(http_server& server, connected_socket&& fd, socket_address, bool tls, int listener_idx)
+            : connection(server, std::move(fd), tls, listener_idx) {}
+    connection(http_server& server, connected_socket&& fd, bool tls, int listener_idx)
             : _server(server)
             , _fd(std::move(fd))
             , _read_buf(_fd.input())
             , _write_buf(_fd.output())
             , _client_addr(_fd.remote_address())
             , _server_addr(_fd.local_address())
-            , _tls(tls) {
+            , _tls(tls)
+            , _listener_idx(listener_idx) {
         on_new_connection();
     }
     connection(http_server& server, connected_socket&& fd,
-            socket_address client_addr, socket_address server_addr, bool tls)
+            socket_address client_addr, socket_address server_addr, bool tls, int listener_idx)
             : _server(server)
             , _fd(std::move(fd))
             , _read_buf(_fd.input())
             , _write_buf(_fd.output())
             , _client_addr(std::move(client_addr))
-            , _server_addr(std::move(server_addr))
-            , _tls(tls) {
+            , _server_addr(std::move(server_addr)) 
+            , _tls(tls)
+            , _listener_idx(listener_idx) {
         on_new_connection();
     }
     ~connection();
@@ -119,7 +122,7 @@ public:
     future<> start_response();
 
     future<bool> generate_reply(std::unique_ptr<http::request> req);
-    void generate_error_reply_and_close(std::unique_ptr<http::request> req, http::reply::status_type status, const sstring& msg);
+    void generate_error_reply_and_close(std::unique_ptr<http::request> req, http::reply::status_type status, const sstring& msg, const sstring &content_type={});
 
     future<> write_body();
 
diff --git a/include/seastar/http/request.hh b/include/seastar/http/request.hh
index d27604b6a06..67d2a71768a 100644
--- a/include/seastar/http/request.hh
+++ b/include/seastar/http/request.hh
@@ -77,6 +77,7 @@ struct request {
     std::unordered_map<sstring, sstring> chunk_extensions;
     sstring protocol_name = "http";
     noncopyable_function<future<>(output_stream<char>&&)> body_writer; // for client
+    int listener_idx;
 
     /**
      * Get the address of the client that generated the request
@@ -152,6 +153,13 @@ struct request {
     bool is_form_post() const {
         return content_type_class == ctclass::app_x_www_urlencoded;
     }
+    /**
+     * Get index of listener which accepted connection receiving this request
+     * @return position of listener in server _listeners vector
+     */
+    int get_listener_idx() const {
+        return listener_idx;
+    }
 
     bool should_keep_alive() const {
         if (_version == "0.9") {
diff --git a/include/seastar/net/api.hh b/include/seastar/net/api.hh
index 0209aaffa0f..455cbfd043c 100644
--- a/include/seastar/net/api.hh
+++ b/include/seastar/net/api.hh
@@ -25,6 +25,7 @@
 #include <chrono>
 #include <memory>
 #include <vector>
+#include <cstddef>
 #include <cstring>
 #include <sys/types.h>
 #endif
@@ -176,6 +177,12 @@ struct session_dn {
     sstring issuer;
 };
 
+  /// Information about a certificate
+struct cert_info {
+    std::vector<std::byte> serial;
+    time_t expiry;
+};
+
 /// A TCP (or other stream-based protocol) connection.
 ///
 /// A \c connected_socket represents a full-duplex stream between
diff --git a/include/seastar/net/tcp.hh b/include/seastar/net/tcp.hh
index 74e98c7e555..7f37158ea14 100644
--- a/include/seastar/net/tcp.hh
+++ b/include/seastar/net/tcp.hh
@@ -30,8 +30,12 @@
 #include <random>
 #include <stdexcept>
 #include <system_error>
+#ifdef SEASTAR_USE_OPENSSL
+#include <openssl/evp.h>
+#else
 #include <gnutls/crypto.h>
 #endif
+#endif
 #include <seastar/core/shared_ptr.hh>
 #include <seastar/core/queue.hh>
 #include <seastar/core/semaphore.hh>
@@ -43,6 +47,7 @@
 #include <seastar/net/const.hh>
 #include <seastar/net/packet-util.hh>
 #include <seastar/util/assert.hh>
+#include <seastar/util/defer.hh>
 #include <seastar/util/std-compat.hh>
 
 namespace seastar {
@@ -2085,6 +2090,36 @@ tcp_seq tcp<InetTraits>::tcb::get_isn() {
     //   ISN = M + F(localip, localport, remoteip, remoteport, secretkey)
     //   M is the 4 microsecond timer
     using namespace std::chrono;
+#ifdef SEASTAR_USE_OPENSSL
+    uint32_t hash[8];
+    hash[0] = _local_ip.ip;
+    hash[1] = _foreign_ip.ip;
+    hash[2] = (_local_port << 16) + _foreign_port;
+    unsigned int hash_size = sizeof(hash);
+
+    // Why SHA-256 for OpenSSL vs MD5?
+    // MD5 may be disabled if OpenSSL is in FIPS mode, also some bench testing
+    // has shown that the SHA-256 performance is equivalent or better than MD5
+    // as SHA256 is hardware accelerated on most modern CPU architectures
+    auto md_ptr = EVP_MD_fetch(nullptr, "SHA256", nullptr);
+    SEASTAR_ASSERT(md_ptr);
+    auto free_md_ptr = defer([&]() noexcept { EVP_MD_free(md_ptr); });
+    SEASTAR_ASSERT(hash_size == static_cast<unsigned int>(EVP_MD_get_size(md_ptr)));
+    auto md_ctx = EVP_MD_CTX_new();
+    SEASTAR_ASSERT(md_ctx);
+    auto free_md_ctx = defer([&]() noexcept { EVP_MD_CTX_free(md_ctx); });
+    auto res = EVP_DigestInit(md_ctx, md_ptr);
+    SEASTAR_ASSERT(1 == res);
+    res = EVP_DigestUpdate(
+        md_ctx, hash, 3 * sizeof(hash[0]));
+    SEASTAR_ASSERT(1 == res);
+    res = EVP_DigestUpdate(
+        md_ctx, _isn_secret.key, sizeof(_isn_secret.key));
+    SEASTAR_ASSERT(1 == res);
+    res = EVP_DigestFinal_ex(
+        md_ctx, reinterpret_cast<unsigned char *>(hash), &hash_size);
+    SEASTAR_ASSERT(1 == res);
+#else
     uint32_t hash[4];
     hash[0] = _local_ip.ip;
     hash[1] = _foreign_ip.ip;
@@ -2097,6 +2132,7 @@ tcp_seq tcp<InetTraits>::tcb::get_isn() {
     // reuse "hash" for the output of digest
     SEASTAR_ASSERT(sizeof(hash) == gnutls_hash_get_len(GNUTLS_DIG_MD5));
     gnutls_hash_deinit(md5_hash_handle, hash);
+#endif
     auto seq = hash[0];
     auto m = duration_cast<microseconds>(clock_type::now().time_since_epoch());
     seq += m.count() / 4;
diff --git a/include/seastar/net/tls.hh b/include/seastar/net/tls.hh
index e7d5239cac3..8ed41b38bb1 100644
--- a/include/seastar/net/tls.hh
+++ b/include/seastar/net/tls.hh
@@ -25,6 +25,7 @@
 #include <unordered_set>
 #include <map>
 #include <any>
+#include <span>
 #include <fmt/format.h>
 #endif
 
@@ -115,6 +116,16 @@ namespace tls {
         shared_ptr<impl> _impl;
     };
 
+    enum class tls_version {
+        tlsv1_0,
+        tlsv1_1,
+        tlsv1_2,
+        tlsv1_3
+    };
+
+    std::string_view format_as(tls_version);
+    std::ostream& operator<<(std::ostream&, const tls_version&);
+
     class abstract_credentials {
     protected:
         abstract_credentials() = default;
@@ -157,6 +168,18 @@ namespace tls {
      */
     using dn_callback = noncopyable_function<void(session_type type, sstring subject, sstring issuer)>;
 
+    enum class client_auth {
+        NONE, REQUEST, REQUIRE
+    };
+
+    /**
+     * Session resumption support.
+     * We only support TLS1.3 session tickets.
+     */
+    enum class session_resume_mode {
+        NONE, TLS13_SESSION_TICKET
+    };
+
     /**
      * Holds certificates and keys.
      *
@@ -190,6 +213,7 @@ namespace tls {
 
         // TODO add methods for certificate verification
 
+#ifdef SEASTAR_USE_GNUTLS
         /**
          * TLS handshake priority string. See gnutls docs and syntax at
          * https://gnutls.org/manual/html_node/Priority-Strings.html
@@ -197,6 +221,49 @@ namespace tls {
          * Allows specifying order and allowance for handshake alg.
          */
         void set_priority_string(const sstring&);
+#endif
+
+#ifdef SEASTAR_USE_OPENSSL
+        /**
+         * Used to set the cipher string for TLS versions 1.2 and below
+         *
+         * See https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_cipher_list.html
+         * for documentation on the format of the cipher list string
+         */
+        void set_cipher_string(const sstring&);
+
+        /**
+         * Used to set the cipher suites to use for TLSv1.3
+         *
+         * See https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html
+         * for documentation on the format of the ciphersuites string.
+         */
+        void set_ciphersuites(const sstring&);
+
+        /**
+         * Call this when you want to enable server precedence when
+         * negotitating the TLS handshake.  Client precedence is on
+         * by default.
+         */
+        void enable_server_precedence();
+        /**
+         * @brief Set the minimum tls version for this connection
+         *
+         * If unset, will default to the minimum of the underlying
+         * implementation
+         */
+        void set_minimum_tls_version(tls_version);
+        /**
+         * @brief Set the maximum tls version for this connection
+         *
+         * If unset, will default to the maximum of the underly implementation
+         */
+        void set_maximum_tls_version(tls_version);
+        /**
+         * @brief Permits TLS renegotiation on TLSv1.2 and below
+         */
+        void enable_tls_renegotiation();
+#endif
 
         /**
          * Register a callback for receiving Distinguished Name (DN) information
@@ -226,6 +293,24 @@ namespace tls {
          */
         void set_enable_certificate_verification(bool enable);
 
+        /**
+         * Retrieve information about loaded certificates.
+         *
+         * Returns a std::vector of cert_info, each extracted from a loaded
+         * certificate, std::nullopt if the impl does not exist or we detect
+         * an error during extraction.
+         */
+        std::optional<std::vector<cert_info>> get_cert_info() const noexcept;
+
+        /**
+         * Retrieve information about the loaded current trust list.
+         *
+         * Returns a std::vector of cert_info, each extracted from a CA in the
+         * trust list, std::nullopt if the impl does not exist or we detect
+         * an error during extraction.
+         */
+        std::optional<std::vector<cert_info>> get_trust_list_info() const noexcept;
+
     private:
         class impl;
         friend class session;
@@ -235,6 +320,13 @@ namespace tls {
         template<typename Base>
         friend class reloadable_credentials;
         shared_ptr<impl> _impl;
+
+        // The following methods are provided so classes that inherit from
+        // certificate_credentials can access the underly implementation
+        void enable_load_system_trust();
+        void set_client_auth(client_auth);
+        void set_session_resume_mode(session_resume_mode, std::span<const uint8_t> key = {});
+        void set_alpn_protocols(const std::vector<sstring> & protocols);
     };
 
     /** Exception thrown on certificate validation error */
@@ -243,18 +335,6 @@ namespace tls {
         using runtime_error::runtime_error;
     };
 
-    enum class client_auth {
-        NONE, REQUEST, REQUIRE
-    };
-
-    /**
-     * Session resumption support.
-     * We only support TLS1.3 session tickets.
-    */
-    enum class session_resume_mode {
-        NONE, TLS13_SESSION_TICKET
-    };
-
     /**
      * Extending certificates and keys for server usage.
      * More probably goes in here...
@@ -293,6 +373,7 @@ namespace tls {
 
     using reload_callback = std::function<void(const std::unordered_set<sstring>&, std::exception_ptr)>;
     using reload_callback_ex = std::function<future<>(const credentials_builder&, const std::unordered_set<sstring>&, std::exception_ptr)>;
+    using reload_callback_with_creds = std::function<void(const std::unordered_set<sstring> &, const certificate_credentials &, std::exception_ptr, std::optional<blob>)>;
 
     /**
      * Intentionally "primitive", and more importantly, copyable
@@ -320,7 +401,6 @@ namespace tls {
 
         future<> set_system_trust();
         void set_client_auth(client_auth);
-        void set_priority_string(const sstring&);
         /**
          * Sets session resume mode to be applied to all created server credential sets
          * Note: setting this will generate a session key that will be reused across all
@@ -336,6 +416,19 @@ namespace tls {
          */
         void set_alpn_protocols(const std::vector<sstring>& protocols);
 
+#ifdef SEASTAR_USE_GNUTLS
+        void set_priority_string(const sstring&);
+#endif
+
+#ifdef SEASTAR_USE_OPENSSL
+        void set_cipher_string(const sstring&);
+        void set_ciphersuites(const sstring&);
+        void enable_server_precedence();
+        void set_minimum_tls_version(tls_version);
+        void set_maximum_tls_version(tls_version);
+        void enable_tls_renegotiation();
+#endif
+
         void apply_to(certificate_credentials&) const;
 
         shared_ptr<certificate_credentials> build_certificate_credentials() const;
@@ -351,6 +444,11 @@ namespace tls {
 
         future<shared_ptr<certificate_credentials>> build_reloadable_certificate_credentials(reload_callback, std::optional<std::chrono::milliseconds> tolerance = {}) const;
         future<shared_ptr<server_credentials>> build_reloadable_server_credentials(reload_callback, std::optional<std::chrono::milliseconds> tolerance = {}) const;
+
+        future<shared_ptr<certificate_credentials>> build_reloadable_certificate_credentials(reload_callback_with_creds, std::optional<std::chrono::milliseconds> tolerance = {}) const;
+        future<shared_ptr<server_credentials>> build_reloadable_server_credentials(reload_callback_with_creds, std::optional<std::chrono::milliseconds> tolerance = {}) const;
+
+        std::optional<blob> get_trust_file_blob() const;
     private:
         friend class reloadable_credentials_base;
 
@@ -360,6 +458,12 @@ namespace tls {
         sstring _priority;
         std::vector<uint8_t> _session_resume_key;
         std::vector<sstring> _alpn_protocols;
+        sstring _cipher_string;
+        sstring _ciphersuites;
+        bool _enable_server_precedence = false;
+        bool _enable_tls_renegotiation = false;
+        std::optional<tls_version> _min_tls_version;
+        std::optional<tls_version> _max_tls_version;
     };
 
     using session_data = std::vector<uint8_t>;
@@ -475,6 +579,11 @@ namespace tls {
     server_socket listen(shared_ptr<server_credentials>, server_socket);
     /// @}
 
+    enum class dn_format {
+        legacy, // legacy format
+        rfc2253
+    };
+
     /**
      * Get distinguished name from the leaf certificate in the certificate chain that
      * the connected peer is using.
@@ -485,7 +594,7 @@ namespace tls {
      * during the handshake the function returns nullopt. If the socket is not connected the
      * system_error exception will be thrown.
      */
-    future<std::optional<session_dn>> get_dn_information(connected_socket& socket);
+    future<std::optional<session_dn>> get_dn_information(connected_socket& socket, dn_format format = dn_format::legacy);
 
     /**
      * Subject alt name types.
@@ -629,13 +738,19 @@ namespace tls {
     extern const int ERROR_NO_CIPHER_SUITES;
     extern const int ERROR_DECRYPTION_FAILED;
     extern const int ERROR_MAC_VERIFY_FAILED;
+#ifdef SEASTAR_USE_OPENSSL
+    // OpenSSL specific errors
+    extern const int ERROR_WRONG_VERSION_NUMBER;
+    extern const int ERROR_HTTP_REQUEST;
+    extern const int ERROR_HTTPS_PROXY_REQUEST;
+#endif
 }
 }
 
 template <> struct fmt::formatter<seastar::tls::subject_alt_name_type> : fmt::formatter<string_view> {
     template <typename FormatContext>
     auto format(seastar::tls::subject_alt_name_type type, FormatContext& ctx) const {
-        return formatter<string_view>::format(format_as(type), ctx);
+        return fmt::format_to(ctx.out(), "{}", format_as(type));
     }
 };
 
@@ -654,3 +769,10 @@ template <> struct fmt::formatter<seastar::tls::subject_alt_name> : fmt::formatt
         return fmt::format_to(ctx.out(), "{}={}", name.type, name.value);
     }
 };
+
+template <> struct fmt::formatter<seastar::tls::tls_version> : fmt::formatter<string_view> {
+    template<typename FormatContext>
+    auto format(seastar::tls::tls_version version, FormatContext& ctx) const {
+        return fmt::format_to(ctx.out(), "{}", format_as(version));
+    }
+};
diff --git a/include/seastar/rpc/rpc_impl.hh b/include/seastar/rpc/rpc_impl.hh
index bcb0d8f3878..15b1db6d729 100644
--- a/include/seastar/rpc/rpc_impl.hh
+++ b/include/seastar/rpc/rpc_impl.hh
@@ -679,12 +679,12 @@ auto recv_helper(signature<Ret (InArgs...)> sig, Func&& func, WantClientInfo, Wa
                                                            gate::holder guard) mutable {
         auto memory_consumed = client->estimate_request_size(data.size);
         if (memory_consumed > client->max_request_size()) {
-            auto err = format("request size {:d} large than memory limit {:d}", memory_consumed, client->max_request_size());
+            auto err = ::seastar::format("request size {:d} large than memory limit {:d}", memory_consumed, client->max_request_size());
             client->get_logger()(client->peer_address(), err);
             // FIXME: future is discarded
             (void)try_with_gate(client->get_server().reply_gate(), [client, timeout, msg_id, err = std::move(err)] {
                 return reply<Serializer>(wait_style(), futurize<Ret>::make_exception_future(std::runtime_error(err.c_str())), msg_id, client, timeout, std::nullopt).handle_exception([client, msg_id] (std::exception_ptr eptr) {
-                    client->get_logger()(client->info(), msg_id, seastar::format("got exception while processing an oversized message: {}", eptr));
+                    client->get_logger()(client->info(), msg_id, ::seastar::format("got exception while processing an oversized message: {}", eptr));
                 });
             }).handle_exception_type([] (gate_closed_exception&) {/* ignore */});
             return make_ready_future();
@@ -698,11 +698,11 @@ auto recv_helper(signature<Ret (InArgs...)> sig, Func&& func, WantClientInfo, Wa
                         auto start = rpc_clock_type::now();
                         return apply(func, client->info(), timeout, WantClientInfo(), WantTimePoint(), signature(), std::move(args)).then_wrapped([client, timeout, msg_id, permit = std::move(permit), start] (futurize_t<Ret> ret) mutable {
                             return reply<Serializer>(wait_style(), std::move(ret), msg_id, client, timeout, rpc_clock_type::now() - start).handle_exception([permit = std::move(permit), client, msg_id] (std::exception_ptr eptr) {
-                                client->get_logger()(client->info(), msg_id, seastar::format("got exception while processing a message: {}", eptr));
+                                client->get_logger()(client->info(), msg_id, ::seastar::format("got exception while processing a message: {}", eptr));
                             });
                         });
                     } catch (...) {
-                        client->get_logger()(client->info(), msg_id, seastar::format("caught exception while processing a message: {}", std::current_exception()));
+                        client->get_logger()(client->info(), msg_id, ::seastar::format("caught exception while processing a message: {}", std::current_exception()));
                         return make_ready_future();
                     }
                 }).handle_exception_type([g = std::move(g)] (gate_closed_exception&) {/* ignore */});
diff --git a/include/seastar/util/backtrace.hh b/include/seastar/util/backtrace.hh
index 3f6ab1bdf95..70909a2b70e 100644
--- a/include/seastar/util/backtrace.hh
+++ b/include/seastar/util/backtrace.hh
@@ -25,6 +25,7 @@
 #include <seastar/core/sstring.hh>
 #include <seastar/core/scheduling.hh>
 #include <seastar/core/shared_ptr.hh>
+#include <seastar/core/internal/signal_mutex.hh>
 #include <seastar/util/assert.hh>
 #include <seastar/util/modules.hh>
 
@@ -60,6 +61,17 @@ bool operator==(const frame& a, const frame& b) noexcept;
 // will be considered as part of the executable.
 frame decorate(uintptr_t addr) noexcept;
 
+
+// Wrapper for ::backtrace which takes a signal-safe thread-local mutex before
+// calling ::backtrace, to avoid concurrent backtrace calls on the same thread,
+// which is known to crash. If the lock cannot be obtained, no backtrace is taken
+// and this method returns 0.
+#ifdef HAVE_EXECINFO
+int guarded_backtrace(void **array, int size) noexcept;
+#endif
+
+
+
 // Invokes func for each frame passing it as argument.
 // incremental=false is the default mode and simply calls ::backtrace once
 // and then calls func for each frame. If the ::backtrace call crashes,
@@ -78,7 +90,7 @@ void backtrace(Func&& func, bool incremental = false) noexcept(noexcept(func(fra
 
     if (incremental) {
         for (size_t last_frame = 1; last_frame <= max_backtrace; ++last_frame) {
-            int n = ::backtrace(buffer, last_frame);
+            int n = guarded_backtrace(buffer, last_frame);
             if (n < static_cast<int>(last_frame)) {
                 return;
             }
@@ -86,7 +98,7 @@ void backtrace(Func&& func, bool incremental = false) noexcept(noexcept(func(fra
             func(decorate(ip - 1));
         }
     } else {
-        int n = ::backtrace(buffer, max_backtrace);
+        int n = guarded_backtrace(buffer, max_backtrace);
         for (int i = 0; i < n; ++i) {
             auto ip = reinterpret_cast<uintptr_t>(buffer[i]);
             func(decorate(ip - 1));
@@ -127,6 +139,10 @@ public:
     bool operator!=(const simple_backtrace& o) const noexcept {
         return !(*this == o);
     }
+
+    bool is_empty() const noexcept {
+        return _frames.empty();
+    }
 };
 
 using shared_backtrace = seastar::lw_shared_ptr<simple_backtrace>;
diff --git a/include/seastar/util/log.hh b/include/seastar/util/log.hh
index 90e3a516e20..866c114249a 100644
--- a/include/seastar/util/log.hh
+++ b/include/seastar/util/log.hh
@@ -328,6 +328,25 @@ public:
         }
     }
 
+    /// \cond internal
+    /// logs to desired level if enabled, otherwise we ignore the log line
+    ///
+    /// \param writer a function which writes directly to the underlying log buffer
+    /// \param fmt - optional logger::format_info passed down the call chain.
+    ///
+    /// This is a low level method for use cases where it is very important to
+    /// avoid any allocations. The \arg writer will be passed a
+    /// internal::log_buf::inserter_iterator that allows it to write into the log
+    /// buffer directly, avoiding the use of any intermediary buffers.
+    void log(log_level level, log_writer& writer, format_info_t<> fmt = {}) noexcept {
+        if (is_enabled(level)) {
+            try {
+                do_log(level, writer);
+            } catch (...) {
+                failed_to_log(std::current_exception(), "", fmt.loc);
+            }
+        }
+    }
     /// logs to desired level if enabled, otherwise we ignore the log line
     ///
     /// \param writer a function which writes directly to the underlying log buffer
diff --git a/install-dependencies.sh b/install-dependencies.sh
index 3c913f81524..92ecdd050f6 100755
--- a/install-dependencies.sh
+++ b/install-dependencies.sh
@@ -44,6 +44,7 @@ debian_packages=(
     libpciaccess-dev
     libprotobuf-dev
     libsctp-dev
+    libssl-dev
     libtool
     liburing-dev
     libxml2-dev
@@ -96,6 +97,7 @@ redhat_packages=(
     meson
     numactl-devel
     openssl
+    openssl-devel
     protobuf-compiler
     protobuf-devel
     python3
@@ -227,6 +229,7 @@ opensuse_packages=(
     meson
     ninja
     openssl
+    openssl-devel
     protobuf-devel
     python3-PyYAML
     ragel
diff --git a/seastar_cmake.py b/seastar_cmake.py
index 105c01c50c0..e9718fc6dbf 100644
--- a/seastar_cmake.py
+++ b/seastar_cmake.py
@@ -25,6 +25,8 @@
 
 COOKING_BASIC_ARGS = ['./cooking.sh']
 
+SUPPORTED_CRYPTO_PROVIDERS = ['GnuTLS', 'OpenSSL']
+
 def build_path(mode, build_root):
     """Return the absolute path to the build directory for the given mode,
     i.e., seastar_dir/<build_root>/<mode>"""
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index a0163905861..5bdc1d3ff81 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -67,7 +67,9 @@ target_sources (seastar-module
     net/packet.cc
     net/inet_address.cc
     net/socket_address.cc
-    net/tls.cc
+    $<$<BOOL:${Seastar_USE_GNUTLS}>:net/tls.cc>
+    $<$<BOOL:${Seastar_USE_OPENSSL}>:net/ossl.cc>
+    net/tls-impl.cc
     net/virtio.cc
     http/client.cc
     http/common.cc
@@ -96,6 +98,8 @@ target_compile_definitions (seastar-module
     $<$<BOOL:${Seastar_SSTRING}>:SEASTAR_SSTRING>
     SEASTAR_API_LEVEL=${Seastar_API_LEVEL}
     SEASTAR_SCHEDULING_GROUPS_COUNT=${Seastar_SCHEDULING_GROUPS_COUNT}
+    $<$<BOOL:${Seastar_USE_OPENSSL}>:SEASTAR_USE_OPENSSL>
+    $<$<BOOL:${Seastar_USE_GNUTLS}>:SEASTAR_USE_GNUTLS>
   PRIVATE
     SEASTAR_MODULE
     ${Seastar_PRIVATE_COMPILE_DEFINITIONS})
@@ -121,7 +125,9 @@ target_link_libraries (seastar-module
     SourceLocation::source_location
   PRIVATE
     ${CMAKE_DL_LIBS}
-    GnuTLS::gnutls
+    $<$<BOOL:${Seastar_USE_GNUTLS}>:GnuTLS::gnutls>
+    $<$<BOOL:${Seastar_USE_OPENSSL}>:OpenSSL::SSL>
+    $<$<BOOL:${Seastar_USE_OPENSSL}>:OpenSSL::Crypto>
     StdAtomic::atomic
     lksctp-tools::lksctp-tools
     rt::rt
diff --git a/src/core/cpu_profiler.cc b/src/core/cpu_profiler.cc
new file mode 100644
index 00000000000..b920cf846f8
--- /dev/null
+++ b/src/core/cpu_profiler.cc
@@ -0,0 +1,247 @@
+/*
+ * This file is open source software, licensed to you under the terms
+ * of the Apache License, Version 2.0 (the "License").  See the NOTICE file
+ * distributed with this work for additional information regarding copyright
+ * ownership.  You may not use this file except in compliance with the License.
+ *
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+/*
+ * Copyright (C) 2023 ScyllaDB
+ */
+
+#include <chrono>
+#include <optional>
+#include <random>
+
+#include <seastar/core/internal/cpu_profiler.hh>
+#include <seastar/core/scheduling.hh>
+#include <seastar/util/log.hh>
+
+namespace seastar {
+seastar::logger cpu_profiler_logger("cpu_profiler");
+
+namespace internal {
+
+using namespace std::chrono_literals;
+
+namespace {
+thread_local bool force_drop_stacktraces = false;
+}
+
+void profiler_drop_stacktraces(bool should_drop) noexcept {
+    force_drop_stacktraces = should_drop;
+}
+
+/**
+ * The profiler breaks sample periods into windows of size _cfg.period.
+ * I.e, [1ns, _cfg.period), [_cfg.period, 2*_cfg.period)... etc. And it
+ * will ensure that a sample is taken exactly once per window. The goal
+ * of this function is to randomly select a point in the window to sample.
+ * This avoids potential bias from sampling at the same point in time every
+ * window.
+ */
+std::chrono::nanoseconds cpu_profiler::get_next_timeout() {
+    using ns_rep = std::chrono::nanoseconds::rep;
+    static thread_local std::mt19937_64 gen = std::mt19937_64(std::default_random_engine()());
+
+    auto remaining_time_for_last_profiler_period = _cfg.period - _last_set_timeout;
+
+    std::uniform_int_distribution<ns_rep> profiler_dist{0, _cfg.period / 1ns};
+    auto rwait = profiler_dist(gen);
+    _last_set_timeout = std::chrono::nanoseconds(rwait);
+
+    // The interrupt needs to be at least 1ns for perf_event
+    auto wait = std::max(_last_set_timeout + remaining_time_for_last_profiler_period, 1ns);
+    return wait;
+}
+
+bool cpu_profiler::is_enabled() const {
+    return _cfg.enabled;
+}
+
+std::chrono::nanoseconds cpu_profiler::period() const {
+    return _cfg.period;
+}
+
+void cpu_profiler::update_config(cpu_profiler_config cfg) {
+    auto is_stopped = _is_stopped;
+    stop();
+    _cfg = cfg;
+    // Don't start the profiler if it's been explicitly
+    // stopped elsewhere.
+    if (!is_stopped) {
+        start();
+    }
+}
+
+void cpu_profiler::stop() {
+    if (_is_stopped) {
+        return;
+    }
+    if (_cfg.enabled) {
+        disarm_timer();
+    }
+    _is_stopped = true;
+}
+
+void cpu_profiler::start() {
+    _is_stopped = false;
+    if (_cfg.enabled) {
+        _last_set_timeout = _cfg.period;
+        auto next = get_next_timeout();
+        arm_timer(next);
+    }
+}
+
+void cpu_profiler::on_signal() {
+    if (is_spurious_signal()) {
+        return;
+    }
+
+    // During exception handling in libgcc there is a critical section
+    // where the stack is being modified so execution can be returned to
+    // a handler for the exception. This modification isn't capture by
+    // the eh_frames for the program though. So when libgcc's backtrace
+    // enters the partially modified stack it will follow invalid addresses
+    // and cause a segfault. To avoid this we check if any exception
+    // is currently being unwound and avoid taking a profiling sample if so.
+    //
+    // Note: this only protects against C++ exceptions, therefore foreign
+    // exceptions or long jumps could still cause segfaults within the profiler.
+    const bool no_uncaught_exceptions = std::uncaught_exceptions() == 0;
+
+    if (force_drop_stacktraces) {
+        _stats.dropped_samples_from_manual_disablement++;
+    } else if (!no_uncaught_exceptions) {
+        _stats.dropped_samples_from_exceptions++;
+    } else if (auto guard_opt = _traces_mutex.try_lock(); guard_opt.has_value()) {
+        // Skip the sample if the main thread is currently reading
+        // _traces. This case shouldn't happen often though.
+
+        // The oldest trace will be overridden if the circular
+        // buffer is full so update the bookkeeping to indicate
+        // this.
+        if (_traces.size() == _traces.capacity()) {
+            _traces.pop_front();
+            _stats.dropped_samples_from_buffer_full++;
+        }
+        _traces.emplace_back();
+        _traces.back().user_backtrace = current_backtrace_tasklocal();
+        _traces.back().sg = current_scheduling_group();
+
+        if (_traces.back().user_backtrace.is_empty()) {
+            // An empty backtrace implies that there was some issue collecting
+            // the backtrace. Currently the most likely reason is that another
+            // backtrace was being collected when the profiler interrupted the
+            // process.
+            _stats.dropped_samples_from_mutex_contention++;
+        }
+
+        auto kernel_bt = try_get_kernel_backtrace();
+        if (kernel_bt) {
+            auto& kernel_vec = _traces.back().kernel_backtrace;
+
+            kernel_bt->read_backtrace([&] (uintptr_t addr) {
+                if((kernel_vec.size() + 1) <= kernel_vec.max_size()) {
+                    kernel_vec.push_back(addr);
+                }
+            });
+        }
+    } else {
+        _stats.dropped_samples_from_mutex_contention++;
+    }
+
+    auto next = get_next_timeout();
+    arm_timer(next);
+}
+
+size_t cpu_profiler::results(std::vector<cpu_profiler_trace>& results_buffer) {
+    // Since is this not called in the interrupt it should always succeed
+    // in acquiring the lock.
+    auto guard_opt = _traces_mutex.try_lock();
+    if (!guard_opt.has_value()) {
+        results_buffer.clear();
+        return 0;
+    }
+
+    results_buffer.assign(_traces.cbegin(), _traces.cend());
+    _traces.clear();
+
+    auto dropped_samples = _stats.sum_dropped();
+    _stats.clear_dropped();
+
+    return dropped_samples;
+}
+
+void cpu_profiler_posix_timer::arm_timer(std::chrono::nanoseconds ns) {
+    return _timer.arm_timer(ns);
+}
+
+void cpu_profiler_posix_timer::disarm_timer() {
+    return _timer.disarm_timer();
+}
+
+bool cpu_profiler_linux_perf_event::is_spurious_signal() {
+    return _perf_event.is_spurious_signal();
+}
+
+std::optional<linux_perf_event::kernel_backtrace>
+cpu_profiler_linux_perf_event::try_get_kernel_backtrace() {
+    return _perf_event.try_get_kernel_backtrace();
+}
+
+void cpu_profiler_linux_perf_event::arm_timer(std::chrono::nanoseconds ns) {
+    _perf_event.arm_timer(ns);
+}
+
+void cpu_profiler_linux_perf_event::disarm_timer() {
+    _perf_event.disarm_timer();
+}
+
+std::unique_ptr<cpu_profiler_linux_perf_event>
+cpu_profiler_linux_perf_event::try_make(cpu_profiler_config cfg) {
+    return std::make_unique<cpu_profiler_linux_perf_event>(
+            linux_perf_event::try_make({signal_number()}), std::move(cfg));
+}
+
+std::unique_ptr<cpu_profiler> make_cpu_profiler(cpu_profiler_config cfg) {
+    std::unique_ptr<cpu_profiler> profiler;
+
+    try {
+        profiler = cpu_profiler_linux_perf_event::try_make(cfg);
+
+    } catch (std::system_error& e) {
+        // This failure occurs when /proc/sys/kernel/perf_event_paranoid is set
+        // to 2 or higher, and is expected since most distributions set it to that
+        // way as of 2023. In this case we log a different message and only at INFO
+        // level on shard 0.
+        if (e.code() == std::error_code(EACCES, std::system_category())) {
+            cpu_profiler_logger.info0("Perf-based cpu profiler creation failed (EACCESS), "
+                    "try setting /proc/sys/kernel/perf_event_paranoid to 1 or less to "
+                    "enable kernel backtraces: falling back to posix timer.");
+        } else {
+            cpu_profiler_logger.warn("Creation of perf_event based cpu profiler failed: falling back to posix timer: {}", e.what());
+        }
+    } catch (...) {
+        cpu_profiler_logger.warn("Creation of perf_event based cpu profiler failed: falling back to posix timer: {}", std::current_exception());
+    }
+
+    if (!profiler) {
+        profiler = std::make_unique<cpu_profiler_posix_timer>(cfg);
+    }
+
+    return profiler;
+}
+
+} // namespace internal
+} // namespace seastar
diff --git a/src/core/disk_params.cc b/src/core/disk_params.cc
index 71da56a2ca5..5f84b6d714a 100644
--- a/src/core/disk_params.cc
+++ b/src/core/disk_params.cc
@@ -71,7 +71,9 @@ struct convert<seastar::internal::disk_params> {
         if (node["rate_factor"]) {
             mp.rate_factor = node["rate_factor"].as<float>();
         }
-        return true;
+        if (node["max_cost_function"]) {
+            mp.max_cost_function = node["max_cost_function"].as<bool>();
+        }        return true;
     }
 };
 }
@@ -202,6 +204,12 @@ struct io_queue::config disk_config_params::generate_config(const disk_params& p
     cfg.block_count_limit_min = (64 << 10) >> io_queue::block_size_shift;
     cfg.stall_threshold = stall_threshold();
 
+    cfg.read_bytes_rate = p.read_bytes_rate;
+    cfg.write_bytes_rate = p.write_bytes_rate;
+    cfg.read_req_rate = p.read_req_rate;
+    cfg.write_req_rate = p.write_req_rate;
+    cfg.max_cost_function = p.max_cost_function;
+
     return cfg;
 }
 
diff --git a/src/core/exception_hacks.cc b/src/core/exception_hacks.cc
index a67bcdd2c05..9c7f4caaa3f 100644
--- a/src/core/exception_hacks.cc
+++ b/src/core/exception_hacks.cc
@@ -168,7 +168,10 @@ int dl_iterate_phdr(int (*callback) (struct dl_phdr_info *info, size_t size, voi
     return r;
 }
 
-#ifndef NO_EXCEPTION_INTERCEPT
+// We disable interception of _Unwind_RaiseException when ASAN is enabled
+// since it can produce a large number of stack-related false positives when
+// it is enabled and exceptions are thrown.
+#if !defined(NO_EXCEPTION_INTERCEPT) && !defined(SEASTAR_ASAN_ENABLED)
 extern "C"
 [[gnu::visibility("default")]]
 [[gnu::used]]
diff --git a/src/core/io_queue.cc b/src/core/io_queue.cc
index 1b43035abed..be89262b9a0 100644
--- a/src/core/io_queue.cc
+++ b/src/core/io_queue.cc
@@ -42,6 +42,7 @@ module seastar;
 #include <seastar/core/io_queue.hh>
 #include <seastar/core/io_intent.hh>
 #include <seastar/core/reactor.hh>
+#include <seastar/core/smp.hh>
 #include <seastar/core/when_all.hh>
 #include <seastar/core/metrics.hh>
 #include <seastar/core/internal/io_desc.hh>
@@ -822,7 +823,7 @@ void io_queue::register_stats(sstring name, priority_class_data& pc) {
     }
 
     new_metrics.add_group("io_queue", std::move(metrics));
-    pc.metric_groups = std::exchange(new_metrics, {});
+    pc.metric_groups = std::exchange(new_metrics, sm::metric_groups{});
 }
 
 io_queue::priority_class_data& io_queue::find_or_create_class(internal::priority_class pc) {
@@ -895,7 +896,14 @@ double internal::request_tokens(io_direction_and_length dnl, const io_queue::con
 
     const auto& m = mult[dnl.rw_idx()];
 
-    return double(m.weight) / cfg.req_count_rate + double(m.size) * (dnl.length() >> io_queue::block_size_shift) / cfg.blocks_count_rate;
+    // See https://redpandadata.atlassian.net/wiki/x/CgAIGw#io-queue-cost-function
+    double iops_cost = double(m.weight) / cfg.req_count_rate;
+    double tp_cost = double(m.size) * (dnl.length() >> io_queue::block_size_shift) / cfg.blocks_count_rate;
+    if (cfg.max_cost_function) {
+        return std::max(iops_cost, tp_cost);
+    } else {
+        return iops_cost + tp_cost;
+    }
 }
 
 fair_queue_entry::capacity_t io_queue::request_capacity(io_direction_and_length dnl) const noexcept {
diff --git a/src/core/metrics.cc b/src/core/metrics.cc
index d6ddadeb0a5..3e0ca8a5b2e 100644
--- a/src/core/metrics.cc
+++ b/src/core/metrics.cc
@@ -46,16 +46,21 @@ namespace seastar {
 extern seastar::logger seastar_logger;
 namespace metrics {
 
+int default_handle() {
+    return impl::default_handle();
+};
+
 double_registration::double_registration(std::string what): std::runtime_error(what) {}
 
-metric_groups::metric_groups() noexcept : _impl(impl::create_metric_groups()) {
+metric_groups::metric_groups(int handle) noexcept : _impl(impl::create_metric_groups(handle)) {
 }
 
 void metric_groups::clear() {
-    _impl = impl::create_metric_groups();
+    const auto current_handle = _impl->get_handle();
+    _impl = impl::create_metric_groups(current_handle);
 }
 
-metric_groups::metric_groups(std::initializer_list<metric_group_definition> mg) : _impl(impl::create_metric_groups()) {
+metric_groups::metric_groups(std::initializer_list<metric_group_definition> mg, int handle) : _impl(impl::create_metric_groups(handle)) {
     for (auto&& i : mg) {
         add_group(i.name, i.metrics);
     }
@@ -68,10 +73,9 @@ metric_groups& metric_groups::add_group(const group_name_type& name, const std::
     _impl->add_group(name, l);
     return *this;
 }
-metric_group::metric_group() noexcept = default;
+metric_group::metric_group(int handle) noexcept : metric_groups(handle) {}
 metric_group::~metric_group() = default;
-metric_group::metric_group(const group_name_type& name, std::initializer_list<metric_definition> l) {
-    add_group(name, l);
+metric_group::metric_group(const group_name_type& name, std::initializer_list<metric_definition> l, int handle) : metric_groups({metric_group_definition(name, l)}, handle) {
 }
 
 metric_group_definition::metric_group_definition(const group_name_type& name, std::initializer_list<metric_definition> l) : name(name), metrics(l) {
@@ -117,11 +121,11 @@ options::options(program_options::option_group* parent_group)
 {
 }
 
-future<> configure(const options& opts) {
+future<> configure(const options& opts, int handle) {
     impl::config c;
     c.hostname = opts.metrics_hostname.get_value();
-    return smp::invoke_on_all([c] {
-        impl::get_local_impl()->set_config(c);
+    return smp::invoke_on_all([c, handle] {
+        impl::get_local_impl(handle)->set_config(c);
     });
 }
 
@@ -204,6 +208,17 @@ bool impl::impl::apply_relabeling(const relabel_config& rc, metric_info& info) {
     return true;
 }
 
+future<>
+replicate_metric_families(
+        int source_handle,
+        std::unordered_multimap<seastar::sstring, int> metric_families_to_replicate) {
+    return smp::invoke_on_all([source_handle, metric_families_to_replicate] {
+        auto source_impl = impl::get_local_impl(source_handle);
+        source_impl->set_metric_families_to_replicate(
+                std::move(metric_families_to_replicate));
+    });
+}
+
 bool label_instance::operator!=(const label_instance& id2) const {
     auto& id1 = *this;
     return !(id1 == id2);
@@ -296,15 +311,15 @@ metric_definition_impl& metric_definition_impl::set_skip_when_empty(bool skip) n
     return *this;
 }
 
-std::unique_ptr<metric_groups_def> create_metric_groups() {
-    return  std::make_unique<metric_groups_impl>();
+std::unique_ptr<metric_groups_def> create_metric_groups(int handle) {
+    return  std::make_unique<metric_groups_impl>(handle);
 }
 
-metric_groups_impl::metric_groups_impl() {}
+metric_groups_impl::metric_groups_impl(int handle) : _handle(handle) {}
 
 metric_groups_impl::~metric_groups_impl() {
     for (const auto& i : _registration) {
-        unregister_metric(i->info().id);
+        unregister_metric(i->info().id, _handle);
     }
 }
 
@@ -322,14 +337,15 @@ metric_groups_impl& metric_groups_impl::add_metric(group_name_type name, const m
     // than where the actual metrics are added.
     // Hence, the shared_ptr owning shard check would fail so we do it only here.
     if (_impl == nullptr) {
-        _impl = get_local_impl();
+        _impl = get_local_impl(_handle);
     }
 
-    auto internalized_labels = get_local_impl()->internalize_labels(md._impl->labels);
+    auto internalized_labels = get_local_impl(_handle)->internalize_labels(md._impl->labels);
 
     metric_id id(name, md._impl->name, internalized_labels);
 
-    auto reg = get_local_impl()->add_registration(id, md._impl->type, md._impl->f, md._impl->d, md._impl->enabled, md._impl->_skip_when_empty, md._impl->aggregate_labels);
+    auto reg = get_local_impl(_handle)->add_registration(
+            id, md._impl->type, md._impl->f, md._impl->d, md._impl->enabled, md._impl->_skip_when_empty, md._impl->aggregate_labels);
 
     _registration.push_back(std::move(reg));
     return *this;
@@ -349,6 +365,10 @@ metric_groups_impl& metric_groups_impl::add_group(group_name_type name, const st
     return *this;
 }
 
+int metric_groups_impl::get_handle() const {
+    return _handle;
+}
+
 bool metric_id::operator<(
         const metric_id& id2) const {
     return as_tuple() < id2.as_tuple();
@@ -369,14 +389,20 @@ bool metric_id::operator==(
     return as_tuple() == id2.as_tuple();
 }
 
-// Unfortunately, metrics_impl can not be shared because it
-// need to be available before the first users (reactor) will call it
+shared_ptr<impl> get_local_impl(int handle) {
+    auto& impls = get_metric_implementations();
+    auto [it, inserted] = impls.try_emplace(handle);
+
+    if (inserted) {
+        it->second = ::seastar::make_shared<impl>();
+    }
 
-shared_ptr<impl>  get_local_impl() {
-    static thread_local auto the_impl = ::seastar::make_shared<impl>();
-    return the_impl;
+    return it->second;
 }
+
 void impl::remove_registration(const metric_id& id) {
+    remove_metric_replica_if_required(id);
+
     auto i = get_value_map().find(id.full_name());
     if (i != get_value_map().end()) {
         auto j = i->second.find(id.labels());
@@ -391,20 +417,51 @@ void impl::remove_registration(const metric_id& id) {
     }
 }
 
-void unregister_metric(const metric_id & id) {
-    get_local_impl()->remove_registration(id);
+void impl::remove_metric_replica_family(const seastar::sstring& name,
+                                        int destination_handle) const {
+    auto entry = _value_map.find(name);
+
+    if (entry == _value_map.end()) {
+        return;
+    }
+
+    auto destination = get_local_impl(destination_handle);
+    for (const auto& metric_instance: entry->second) {
+        const auto& registered_metric = metric_instance.second;
+        remove_metric_replica(registered_metric->get_id(),
+                              destination);
+    }
+}
+
+void impl::remove_metric_replica(const metric_id& id,
+                                 const shared_ptr<impl>& destination) const {
+    destination->remove_registration(id);
+}
+
+void impl::remove_metric_replica_if_required(const metric_id& id) const {
+    auto [begin, end] = _metric_families_to_replicate.equal_range(id.full_name());
+
+    for (; begin != end; ++begin) {
+        auto destination = get_local_impl(begin->second);
+        remove_metric_replica(id, destination);
+    }
 }
 
-const value_map& get_value_map() {
-    return get_local_impl()->get_value_map();
+void unregister_metric(const metric_id & id, int handle) {
+    get_local_impl(handle)->remove_registration(id);
 }
 
-foreign_ptr<values_reference> get_values() {
+const value_map& get_value_map(int handle) {
+    return get_local_impl(handle)->get_value_map();
+}
+
+foreign_ptr<values_reference> get_values(int handle) {
     shared_ptr<values_copy> res_ref = ::seastar::make_shared<values_copy>();
     auto& res = *(res_ref.get());
     auto& mv = res.values;
-    res.metadata = get_local_impl()->metadata();
-    auto & functions = get_local_impl()->functions();
+    auto impl = get_local_impl(handle);
+    res.metadata = impl->metadata();
+    auto & functions = impl->functions();
     for (auto&& i : functions) {
         value_vector values;
         for (auto&& v : i) {
@@ -430,6 +487,67 @@ void impl::gc_internalized_labels() {
     }
 }
 
+void
+impl::set_metric_families_to_replicate(
+        std::unordered_multimap<seastar::sstring, int> metric_families_to_replicate) {
+    // Remove all previous metric replica families
+    for (const auto& [name, destination]: _metric_families_to_replicate) {
+        remove_metric_replica_family(name, destination);
+    }
+
+    // Replicate the specified metric families.
+    for (const auto& [name, destination]: metric_families_to_replicate) {
+        replicate_metric_family(name, destination);
+    }
+
+    _metric_families_to_replicate = std::move(metric_families_to_replicate);
+}
+
+void impl::replicate_metric_family(const seastar::sstring& name,
+                                   int destination_handle) const {
+    const auto& entry = _value_map.find(name);
+
+    if (entry == _value_map.end()) {
+        return;
+    }
+
+    const auto& metric_family = entry->second;
+    auto destination = get_local_impl(destination_handle);
+    for (const auto& [labels, metric_ptr]: metric_family) {
+        replicate_metric(metric_ptr, metric_family, destination, destination_handle);
+    }
+}
+
+void impl::replicate_metric_if_required(const shared_ptr<registered_metric>& metric) const {
+    auto full_name = metric->get_id().full_name();
+    auto [begin, end]= _metric_families_to_replicate.equal_range(full_name);
+
+    for (; begin != end; ++begin) {
+        const auto& [name, destination_handle] = *begin;
+        const auto& metric_family = _value_map.at(name);
+
+        auto destination = get_local_impl(destination_handle);
+        replicate_metric(metric, metric_family, destination, destination_handle);
+    }
+}
+
+void impl::replicate_metric(const shared_ptr<registered_metric>& metric,
+                            const metric_family& family,
+                            const shared_ptr<impl>& destination,
+                            int destination_handle) const {
+    const auto& family_info = family.info();
+    metric_type type = { .base_type = family_info.type,
+                         .type_name = family_info.inherit_type };
+
+    destination->add_registration(metric->get_id(),
+                                  type,
+                                  metric->get_function(),
+                                  family_info.d,
+                                  metric->is_enabled(),
+                                  metric->get_skip_when_empty(),
+                                  family_info.aggregate_labels);
+}
+
 void impl::update_metrics_if_needed() {
     if (_dirty) {
         // Forcing the metadata to an empty initialization
@@ -506,9 +624,24 @@ register_ref impl::add_registration(const metric_id& id, const metric_type& type
     }
     dirty();
 
+    replicate_metric_if_required(rm);
+
     return rm;
 }
 
+void impl::update_aggregate_labels(const metric_id& id,
+                                   const std::vector<label>& aggregate_labels) {
+    auto iter = _value_map.find(id.full_name());
+    if (iter != _value_map.end()) {
+        iter->second.info().aggregate_labels.clear();
+        std::transform(aggregate_labels.begin(), aggregate_labels.end(),
+            std::back_inserter(iter->second.info().aggregate_labels),
+            [] (const label& l) { return l.name(); });
+
+        dirty();
+    }
+}
+
 future<metric_relabeling_result> impl::set_relabel_configs(const std::vector<relabel_config>& relabel_configs) {
     _relabel_configs = relabel_configs;
     metric_relabeling_result conflicts{0};
@@ -582,6 +715,11 @@ void impl::set_metric_family_configs(const std::vector<metric_family_config>& fa
         }
     }
 }
+
+int default_handle() {
+    return 0;
+}
+
 }
 
 const bool metric_disabled = false;
@@ -634,5 +772,11 @@ histogram histogram::operator+(histogram&& c) const {
     return std::move(c);
 }
 
+void update_aggregate_labels(const group_name_type& group_name,
+                             const metric_name_type& metric_name,
+                             const std::vector<label>& aggregate_labels) {
+    impl::metric_id id(group_name, metric_name, {});
+    impl::get_local_impl()->update_aggregate_labels(id, aggregate_labels);
+}
 }
 }
diff --git a/src/core/prometheus.cc b/src/core/prometheus.cc
index 53bf093f593..d4c3eaaac0c 100644
--- a/src/core/prometheus.cc
+++ b/src/core/prometheus.cc
@@ -401,11 +401,11 @@ class metrics_families_per_shard {
     /** @} */
 };
 
-static future<> get_map_value(metrics_families_per_shard& vec) {
+static future<> get_map_value(metrics_families_per_shard& vec, int handle) {
     vec.resize(smp::count);
-    return parallel_for_each(std::views::iota(0u, smp::count), [&vec] (auto cpu) {
-        return smp::submit_to(cpu, [] {
-            return mi::get_values();
+    return parallel_for_each(std::views::iota(0u, smp::count), [handle, &vec] (auto cpu) {
+        return smp::submit_to(cpu, [handle] {
+            return mi::get_values(handle);
         }).then([&vec, cpu] (auto res) {
             vec[cpu] = std::move(res);
         });
@@ -930,7 +930,7 @@ class metrics_handler : public httpd::handler_base  {
         rep->write_body(is_protobuf_format ? "proto" : "txt", [this, is_protobuf_format, metric_family_name, prefix, show_help, enable_aggregation, filter] (output_stream<char>&& s) {
             return do_with(metrics_families_per_shard(), output_stream<char>(std::move(s)),
                     [this, is_protobuf_format, prefix, &metric_family_name, show_help, enable_aggregation, filter] (metrics_families_per_shard& families, output_stream<char>& s) mutable {
-                return get_map_value(families).then([&s, &families, this, is_protobuf_format, prefix, &metric_family_name, show_help, enable_aggregation, filter]() mutable {
+                return get_map_value(families, _ctx.handle).then([&s, &families, this, is_protobuf_format, prefix, &metric_family_name, show_help, enable_aggregation, filter]() mutable {
                     return do_with(get_range(families, metric_family_name, prefix),
                             [&s, this, is_protobuf_format, show_help, enable_aggregation, filter](metric_family_range& m) {
                         return (is_protobuf_format) ?  write_protobuf_representation(s, _ctx, m, enable_aggregation, filter) :
@@ -950,7 +950,7 @@ std::function<bool(const mi::labels_type&)> metrics_handler::_true_function = []
 };
 
 future<> add_prometheus_routes(httpd::http_server& server, config ctx) {
-    server._routes.put(httpd::GET, "/metrics", new metrics_handler(ctx));
+    server._routes.put(httpd::GET, ctx.route, new metrics_handler(ctx));
     return make_ready_future<>();
 }
 
diff --git a/src/core/reactor.cc b/src/core/reactor.cc
index 37d0629b045..9940b6a8dda 100644
--- a/src/core/reactor.cc
+++ b/src/core/reactor.cc
@@ -131,6 +131,7 @@ module seastar;
 #include <seastar/core/make_task.hh>
 #include <seastar/core/memory.hh>
 #include <seastar/core/metrics.hh>
+#include <seastar/core/metrics_api.hh>
 #include <seastar/core/posix.hh>
 #include <seastar/core/prefetch.hh>
 #include <seastar/core/print.hh>
@@ -152,10 +153,12 @@ module seastar;
 #include <seastar/core/with_scheduling_group.hh>
 #include <seastar/core/internal/buffer_allocator.hh>
 #include <seastar/core/disk_params.hh>
+#include <seastar/core/internal/cpu_profiler.hh>
 #include <seastar/core/internal/io_desc.hh>
 #include <seastar/core/internal/uname.hh>
 #include <seastar/core/internal/stall_detector.hh>
 #include <seastar/core/internal/run_in_background.hh>
+#include <seastar/core/internal/timers.hh>
 #include <seastar/coroutine/all.hh>
 #include <seastar/net/native-stack.hh>
 #include <seastar/net/packet.hh>
@@ -176,6 +179,7 @@ module seastar;
 #include "core/reactor_backend.hh"
 #include "core/syscall_result.hh"
 #include "core/thread_pool.hh"
+#include "core/scollectd-impl.hh"
 #include "syscall_work_queue.hh"
 #include "cgroup.hh"
 #ifdef SEASTAR_HAVE_DPDK
@@ -968,7 +972,7 @@ reactor::task_queue::register_stats() {
 
     register_net_metrics_for_scheduling_group(new_metrics, _id, group_label);
 
-    _metrics = std::exchange(new_metrics, {});
+    _metrics = std::exchange(new_metrics, sm::metric_groups{});
 }
 
 void
@@ -1027,6 +1031,7 @@ reactor::reactor(std::shared_ptr<seastar::smp> smp, alien::instance& alien, unsi
     , _task_quota_timer(file_desc::timerfd_create(CLOCK_MONOTONIC, TFD_CLOEXEC))
     , _id(id)
     , _cpu_stall_detector(internal::make_cpu_stall_detector())
+    , _cpu_profiler(internal::make_cpu_profiler())
     , _cpu_sched(nullptr, 0)
     , _thread_pool(std::make_unique<thread_pool>(seastar::format("syscall-{}", id), _notify_eventfd)) {
     /*
@@ -1046,6 +1051,7 @@ reactor::reactor(std::shared_ptr<seastar::smp> smp, alien::instance& alien, unsi
     sigset_t mask;
     sigemptyset(&mask);
     sigaddset(&mask, internal::cpu_stall_detector::signal_number());
+    sigaddset(&mask, internal::cpu_profiler::signal_number());
     auto r = ::pthread_sigmask(SIG_UNBLOCK, &mask, NULL);
     SEASTAR_ASSERT(r == 0);
     memory::set_reclaim_hook([this] (std::function<void ()> reclaim_fn) {
@@ -1059,6 +1065,7 @@ reactor::~reactor() {
     sigset_t mask;
     sigemptyset(&mask);
     sigaddset(&mask, internal::cpu_stall_detector::signal_number());
+    sigaddset(&mask, internal::cpu_profiler::signal_number());
     auto r = ::pthread_sigmask(SIG_BLOCK, &mask, NULL);
     SEASTAR_ASSERT(r == 0);
 
@@ -1129,6 +1136,189 @@ void reactor::start_handling_signal() {
 
 namespace internal {
 
+posix_timer::posix_timer(timer_cfg cfg, clockid_t clock_id) {
+    struct sigevent sev = {};
+    sev.sigev_notify = SIGEV_THREAD_ID;
+    sev.sigev_signo = cfg.signal_number;
+#ifndef sigev_notify_thread_id
+#define sigev_notify_thread_id _sigev_un._tid
+#endif
+    sev.sigev_notify_thread_id = syscall(SYS_gettid);
+    int err = timer_create(clock_id, &sev, &_timer);
+    if (err) {
+        throw std::system_error(std::error_code(err, std::system_category()));
+    }
+}
+
+posix_timer::~posix_timer() {
+    timer_delete(_timer);
+}
+
+void posix_timer::arm_timer(std::chrono::nanoseconds duration) {
+    auto its = posix::to_relative_itimerspec(duration, 0s);
+    timer_settime(_timer, 0, &its, nullptr);
+}
+
+void posix_timer::disarm_timer() {
+    auto its = posix::to_relative_itimerspec(0s,  0s);
+    timer_settime(_timer, 0, &its, nullptr);
+}
+
+static long
+perf_event_open(struct perf_event_attr* hw_event, pid_t pid, int cpu, int group_fd, unsigned long flags) {
+    return syscall(__NR_perf_event_open, hw_event, pid, cpu, group_fd, flags);
+}
+
+linux_perf_event linux_perf_event::try_make(timer_cfg cfg) {
+    ::perf_event_attr pea = {
+        .type = PERF_TYPE_SOFTWARE,
+        .size = sizeof(pea),
+        .config = PERF_COUNT_SW_TASK_CLOCK, // more likely to work on virtual machines than hardware events
+        .sample_period = 1'000'000'000, // Needs non-zero value or PERF_IOC_PERIOD gets confused
+        .sample_type = PERF_SAMPLE_CALLCHAIN,
+        .disabled = 1,
+        .exclude_callchain_user = 1,  // we're using backtrace() to capture the user callchain
+        .wakeup_events = 1,
+    };
+    unsigned long flags = 0;
+    if (internal::kernel_uname().whitelisted({"3.14"})) {
+        flags |= PERF_FLAG_FD_CLOEXEC;
+    }
+    int fd = perf_event_open(&pea, 0, -1, -1, flags);
+    if (fd == -1) {
+        throw std::system_error(errno, std::system_category(), "perf_event_open() failed");
+    }
+    auto desc = file_desc::from_fd(fd);
+    struct f_owner_ex sig_owner = {
+        .type = F_OWNER_TID,
+        .pid = static_cast<pid_t>(syscall(SYS_gettid)),
+    };
+    auto ret1 = ::fcntl(fd, F_SETOWN_EX, &sig_owner);
+    if (ret1 == -1) {
+        abort();
+    }
+    auto ret2 = ::fcntl(fd, F_SETSIG, cfg.signal_number);
+    if (ret2 == -1) {
+        abort();
+    }
+    auto fd_flags = ::fcntl(fd, F_GETFL);
+    if (fd_flags == -1) {
+        abort();
+    }
+    auto ret3 = ::fcntl(fd, F_SETFL, fd_flags | O_ASYNC);
+    if (ret3 == -1) {
+        abort();
+    }
+
+    return linux_perf_event(std::move(desc));
+}
+
+linux_perf_event::linux_perf_event(file_desc fd) : _fd(std::move(fd)) {
+    void* ret = ::mmap(nullptr, 2*getpagesize(), PROT_READ|PROT_WRITE, MAP_SHARED, _fd.get(), 0);
+    if (ret == MAP_FAILED) {
+        abort();
+    }
+    _mmap = static_cast<struct ::perf_event_mmap_page*>(ret);
+    _data_area = reinterpret_cast<char*>(_mmap) + getpagesize();
+    _data_area_mask = getpagesize() - 1;
+}
+
+linux_perf_event::linux_perf_event(linux_perf_event&& o)
+      : _fd(std::move(o._fd))
+      , _enabled(o._enabled)
+      , _current_period(o._current_period)
+      , _mmap(o._mmap)
+      , _data_area(o._data_area)
+      , _data_area_mask(o._data_area_mask)
+      , _next_signal_time(o._next_signal_time) {
+    o._mmap = nullptr;
+}
+
+linux_perf_event::~linux_perf_event() {
+    if (_mmap != nullptr) {
+        ::munmap(_mmap, 2*getpagesize());
+    }
+}
+
+void linux_perf_event::arm_timer(std::chrono::nanoseconds period) {
+    uint64_t ns =  period / 1ns;
+    _next_signal_time = reactor::now() + period;
+    
+    // clear out any existing records in the ring buffer, so when we get interrupted next time
+    // we have only the stack associated with that interrupt, and so we don't overflow.
+    data_area_reader(*this).skip_all();
+    if (__builtin_expect(_enabled && _current_period == ns, 1)) {
+        // Common case - we're re-arming with the same period, the counter
+        // is already enabled.
+
+        // We want to set the next interrupt to ns from now, and somewhat oddly the
+        // way to do this is PERF_EVENT_IOC_PERIOD, even with the same period as
+        // already configured, see the code at:
+        //
+        // https://elixir.bootlin.com/linux/v5.15.86/source/kernel/events/core.c#L5636
+        //
+        // Ths change is intentional: kernel commit bad7192b842c83e580747ca57104dd51fe08c223
+        // so we can resumably rely on it.
+        _fd.ioctl(PERF_EVENT_IOC_PERIOD, ns);
+
+    } else {
+        // Uncommon case - we're moving from disabled to enabled, or changing
+        // the period. Issue more calls and be careful.
+        _fd.ioctl(PERF_EVENT_IOC_DISABLE, 0); // avoid false alarms while we modify stuff
+        _fd.ioctl(PERF_EVENT_IOC_PERIOD, ns);
+        _fd.ioctl(PERF_EVENT_IOC_RESET, 0);
+        _fd.ioctl(PERF_EVENT_IOC_ENABLE, 0);
+        _enabled = true;
+        _current_period = ns;
+    }
+}
+
+void linux_perf_event::disarm_timer() {
+    _fd.ioctl(PERF_EVENT_IOC_DISABLE, 0);
+    _enabled = false;
+}
+
+bool linux_perf_event::is_spurious_signal() {
+    // If the current time is before the expected signal time, it is
+    // probably a spurious signal. One reason this could occur is that
+    // PERF_EVENT_IOC_PERIOD does not reset the current overflow point
+    // on kernels prior to 3.14 (or 3.7 on Arm).
+    return reactor::now() < _next_signal_time;
+}
+
+void linux_perf_event::kernel_backtrace::read_backtrace(std::function<void (uintptr_t)> fn) {
+    if (_reader.have_data()) {
+        auto nr = _reader.read_u64();
+        for (uint64_t i = 0; i < nr; ++i) {
+            // TODO: the first u64 here will be a non-address token
+            // used by perf to indicate which type of callchain this is.
+            // Should we check that it is PERF_CONTEXT_KERNEL and skip 
+            // outputting that value as it's not an address?
+            // See: https://github.com/torvalds/linux/commit/f9188e023c248d73f
+            fn(uintptr_t(_reader.read_u64()));
+        }
+    }
+}
+
+std::optional<linux_perf_event::kernel_backtrace> linux_perf_event::try_get_kernel_backtrace() {
+    data_area_reader reader(*this);
+    auto current_record = [&] () -> ::perf_event_header {
+        return reader.read_struct<perf_event_header>();
+    };
+
+    while (reader.have_data()) {
+        auto record = current_record();
+
+        if (record.type != PERF_RECORD_SAMPLE) {
+            reader.skip(record.size - sizeof(record));
+        } else {
+            return {kernel_backtrace{std::move(reader)}};
+        }
+    }
+
+    return std::nullopt;
+}
+
 cpu_stall_detector::cpu_stall_detector(cpu_stall_detector_config cfg)
         : _shard_id(this_shard_id()) {
     // glib's backtrace() calls dlopen("libgcc_s.so.1") once to resolve unwind related symbols.
@@ -1146,23 +1336,8 @@ cpu_stall_detector::cpu_stall_detector(cpu_stall_detector_config cfg)
     // note: if something is added here that can, it should take care to destroy _timer.
 }
 
-cpu_stall_detector_posix_timer::cpu_stall_detector_posix_timer(cpu_stall_detector_config cfg) : cpu_stall_detector(cfg) {
-    struct sigevent sev = {};
-    sev.sigev_notify = SIGEV_THREAD_ID;
-    sev.sigev_signo = signal_number();
-#ifndef sigev_notify_thread_id
-#define sigev_notify_thread_id _sigev_un._tid
-#endif
-    sev.sigev_notify_thread_id = syscall(SYS_gettid);
-    int err = timer_create(CLOCK_THREAD_CPUTIME_ID, &sev, &_timer);
-    if (err) {
-        throw std::system_error(std::error_code(err, std::system_category()));
-    }
-}
-
-cpu_stall_detector_posix_timer::~cpu_stall_detector_posix_timer() {
-    timer_delete(_timer);
-}
+cpu_stall_detector_posix_timer::cpu_stall_detector_posix_timer(cpu_stall_detector_config cfg)
+    : cpu_stall_detector(cfg), _timer({signal_number()}) { }
 
 cpu_stall_detector_config
 cpu_stall_detector::get_config() const {
@@ -1231,8 +1406,8 @@ cpu_stall_detector::reset_suppression_state(sched_clock::time_point now) {
 }
 
 void cpu_stall_detector_posix_timer::arm_timer() {
-    auto its = posix::to_relative_itimerspec(_threshold * _report_at + _slack, 0s);
-    timer_settime(_timer, 0, &its, nullptr);
+    std::chrono::nanoseconds dur = _threshold * _report_at + _slack;
+    _timer.arm_timer(dur);
 }
 
 void cpu_stall_detector::start_task_run(sched_clock::time_point now) {
@@ -1253,153 +1428,52 @@ void cpu_stall_detector::end_task_run(sched_clock::time_point now) {
 }
 
 void cpu_stall_detector_posix_timer::start_sleep() {
-    auto its = posix::to_relative_itimerspec(0s,  0s);
-    timer_settime(_timer, 0, &its, nullptr);
+    _timer.disarm_timer();
     _rearm_timer_at = reactor::now();
 }
 
 void cpu_stall_detector::end_sleep() {
 }
 
-static long
-perf_event_open(struct perf_event_attr* hw_event, pid_t pid, int cpu, int group_fd, unsigned long flags) {
-    return syscall(__NR_perf_event_open, hw_event, pid, cpu, group_fd, flags);
-}
-
-cpu_stall_detector_linux_perf_event::cpu_stall_detector_linux_perf_event(file_desc fd, cpu_stall_detector_config cfg)
-        : cpu_stall_detector(cfg), _fd(std::move(fd)) {
-    void* ret = ::mmap(nullptr, 2*getpagesize(), PROT_READ|PROT_WRITE, MAP_SHARED, _fd.get(), 0);
-    if (ret == MAP_FAILED) {
-        abort();
-    }
-    _mmap = static_cast<struct ::perf_event_mmap_page*>(ret);
-    _data_area = reinterpret_cast<char*>(_mmap) + getpagesize();
-    _data_area_mask = getpagesize() - 1;
-}
-
-cpu_stall_detector_linux_perf_event::~cpu_stall_detector_linux_perf_event() {
-    ::munmap(_mmap, 2*getpagesize());
+cpu_stall_detector_linux_perf_event::cpu_stall_detector_linux_perf_event(linux_perf_event perf_event, cpu_stall_detector_config cfg)
+        : cpu_stall_detector(cfg), _perf_event(std::move(perf_event)) {
 }
 
 void
 cpu_stall_detector_linux_perf_event::arm_timer() {
     auto period = _threshold * _report_at + _slack;
-    uint64_t ns =  period / 1ns;
-    _next_signal_time = reactor::now() + period;
-
-    // clear out any existing records in the ring buffer, so when we get interrupted next time
-    // we have only the stack associated with that interrupt, and so we don't overflow.
-    data_area_reader(*this).skip_all();
-    if (__builtin_expect(_enabled && _current_period == ns, 1)) {
-        // Common case - we're re-arming with the same period, the counter
-        // is already enabled.
-
-        // We want to set the next interrupt to ns from now, and somewhat oddly the
-        // way to do this is PERF_EVENT_IOC_PERIOD, even with the same period as
-        // already configured, see the code at:
-        //
-        // https://elixir.bootlin.com/linux/v5.15.86/source/kernel/events/core.c#L5636
-        //
-        // Ths change is intentional: kernel commit bad7192b842c83e580747ca57104dd51fe08c223
-        // so we can resumably rely on it.
-        _fd.ioctl(PERF_EVENT_IOC_PERIOD, ns);
-
-    } else {
-        // Uncommon case - we're moving from disabled to enabled, or changing
-        // the period. Issue more calls and be careful.
-        _fd.ioctl(PERF_EVENT_IOC_DISABLE, 0); // avoid false alarms while we modify stuff
-        _fd.ioctl(PERF_EVENT_IOC_PERIOD, ns);
-        _fd.ioctl(PERF_EVENT_IOC_RESET, 0);
-        _fd.ioctl(PERF_EVENT_IOC_ENABLE, 0);
-        _enabled = true;
-        _current_period = ns;
-    }
+    _perf_event.arm_timer(period);
 }
 
 void
 cpu_stall_detector_linux_perf_event::start_sleep() {
-    _fd.ioctl(PERF_EVENT_IOC_DISABLE, 0);
-    _enabled = false;
+    _perf_event.disarm_timer();
 }
 
 bool
 cpu_stall_detector_linux_perf_event::is_spurious_signal() {
-    // If the current time is before the expected signal time, it is
-    // probably a spurious signal. One reason this could occur is that
-    // PERF_EVENT_IOC_PERIOD does not reset the current overflow point
-    // on kernels prior to 3.14 (or 3.7 on Arm).
-    return reactor::now() < _next_signal_time;
+    return _perf_event.is_spurious_signal();
 }
 
 void
 cpu_stall_detector_linux_perf_event::maybe_report_kernel_trace(backtrace_buffer& buf) {
-    data_area_reader reader(*this);
-    auto current_record = [&] () -> ::perf_event_header {
-        return reader.read_struct<perf_event_header>();
-    };
-
-    while (reader.have_data()) {
-        auto record = current_record();
-
-        if (record.type != PERF_RECORD_SAMPLE) {
-            reader.skip(record.size - sizeof(record));
-            continue;
-        }
+    auto kernel_bt = _perf_event.try_get_kernel_backtrace();
+    if(kernel_bt) {
+        backtrace_buffer buf;
+        buf.append("kernel callstack:");
+
+        kernel_bt->read_backtrace([&] (uintptr_t addr) {
+            buf.append(" 0x");
+            buf.append_hex(addr);
+        });
 
-        auto nr = reader.read_u64();
-        if (nr > 0) {
-            buf.append("kernel callstack:");
-            for (uint64_t i = 0; i < nr; ++i) {
-                buf.append(" 0x");
-                buf.append_hex(uintptr_t(reader.read_u64()));
-            }
-            buf.append("\n");
-        }
-    };
+        buf.append("\n");
+    }
 }
 
 std::unique_ptr<cpu_stall_detector_linux_perf_event>
 cpu_stall_detector_linux_perf_event::try_make(cpu_stall_detector_config cfg) {
-    ::perf_event_attr pea = {
-        .type = PERF_TYPE_SOFTWARE,
-        .size = sizeof(pea),
-        .config = PERF_COUNT_SW_TASK_CLOCK, // more likely to work on virtual machines than hardware events
-        .sample_period = 1'000'000'000, // Needs non-zero value or PERF_IOC_PERIOD gets confused
-        .sample_type = PERF_SAMPLE_CALLCHAIN,
-        .disabled = 1,
-        .exclude_callchain_user = 1,  // we're using backtrace() to capture the user callchain
-        .wakeup_events = 1,
-    };
-    unsigned long flags = 0;
-    if (internal::kernel_uname().whitelisted({"3.14"})) {
-        flags |= PERF_FLAG_FD_CLOEXEC;
-    }
-    int fd = perf_event_open(&pea, 0, -1, -1, flags);
-    if (fd == -1) {
-        throw std::system_error(errno, std::system_category(), "perf_event_open() failed");
-    }
-    auto desc = file_desc::from_fd(fd);
-    struct f_owner_ex sig_owner = {
-        .type = F_OWNER_TID,
-        .pid = static_cast<pid_t>(syscall(SYS_gettid)),
-    };
-    auto ret1 = ::fcntl(fd, F_SETOWN_EX, &sig_owner);
-    if (ret1 == -1) {
-        abort();
-    }
-    auto ret2 = ::fcntl(fd, F_SETSIG, signal_number());
-    if (ret2 == -1) {
-        abort();
-    }
-    auto fd_flags = ::fcntl(fd, F_GETFL);
-    if (fd_flags == -1) {
-        abort();
-    }
-    auto ret3 = ::fcntl(fd, F_SETFL, fd_flags | O_ASYNC);
-    if (ret3 == -1) {
-        abort();
-    }
-    return std::make_unique<cpu_stall_detector_linux_perf_event>(std::move(desc), std::move(cfg));
+    return std::make_unique<cpu_stall_detector_linux_perf_event>(linux_perf_event::try_make({signal_number()}), std::move(cfg));
 }
 
 
@@ -1485,9 +1559,33 @@ bool reactor::test::linux_aio_nowait() {
     return engine()._cfg.aio_nowait_works;
 }
 
+bool reactor::get_cpu_profiler_enabled() {
+    return _cpu_profiler->is_enabled();
+}
+
+void reactor::set_cpu_profiler_enabled(bool b) {
+    _cpu_profiler->update_config({b, _cpu_profiler->period()});
+}
+
+std::chrono::nanoseconds reactor::get_cpu_profiler_period() {
+    return _cpu_profiler->period();
+}
+
+void reactor::set_cpu_profiler_period(std::chrono::nanoseconds ns) {
+    _cpu_profiler->update_config({_cpu_profiler->is_enabled(), ns});
+}
+
+size_t reactor::profiler_results(std::vector<cpu_profiler_trace>& results_buffer) {
+    return _cpu_profiler->results(results_buffer);
+}
+
 void
-reactor::block_notifier(int) {
-    engine()._cpu_stall_detector->on_signal();
+reactor::block_notifier(int signal) {
+    if(signal == internal::cpu_stall_detector::signal_number()) {
+        engine()._cpu_stall_detector->on_signal();
+    } else {
+        engine()._cpu_profiler->on_signal();
+    }
 }
 
 class network_stack_factory {
@@ -1509,6 +1607,11 @@ void reactor::configure(const reactor_options& opts) {
     csdc.oneline = opts.blocked_reactor_report_format_oneline.get_value();
     _cpu_stall_detector->update_config(csdc);
 
+    internal::cpu_profiler_config prof_cfg;
+    prof_cfg.enabled = opts.profiler_enabled.get_value();
+    prof_cfg.period = std::chrono::milliseconds(opts.profiler_sample_period_ms.get_value());
+    _cpu_profiler->update_config(prof_cfg);
+
     if (_cfg.no_poll_aio) {
         _aio_eventfd = pollable_fd(file_desc::eventfd(0, 0));
     }
@@ -2951,8 +3054,7 @@ reactor::wakeup() {
     _sleeping.store(false, std::memory_order_relaxed);
 
     uint64_t one = 1;
-    auto res = ::write(_notify_eventfd.get(), &one, sizeof(one));
-    SEASTAR_ASSERT(res == sizeof(one) && "write(2) failed on _reactor._notify_eventfd");
+    (void)::write(_notify_eventfd.get(), &one, sizeof(one));
 }
 
 void reactor::start_aio_eventfd_loop() {
@@ -2962,7 +3064,7 @@ void reactor::start_aio_eventfd_loop() {
     future<> loop_done = repeat([this] {
         return _aio_eventfd->readable().then([this] {
             char garbage[8];
-            std::ignore = ::read(_aio_eventfd->get_fd(), garbage, 8); // totally uninteresting
+            (void)::read(_aio_eventfd->get_fd(), garbage, 8); // totally uninteresting
             return _stopping ? stop_iteration::yes : stop_iteration::no;
         });
     });
@@ -2977,8 +3079,7 @@ void reactor::stop_aio_eventfd_loop() {
         return;
     }
     uint64_t one = 1;
-    auto res = ::write(_aio_eventfd->get_fd(), &one, 8);
-    SEASTAR_ASSERT(res == 8 && "write(2) failed on _reactor._aio_eventfd");
+    (void)::write(_aio_eventfd->get_fd(), &one, 8);
 }
 
 inline
@@ -3259,11 +3360,25 @@ int reactor::do_run() {
     _task_quota_timer.timerfd_settime(0, its);
     auto& task_quote_itimerspec = its;
 
+    // Ensure that the same signal isn't being used more than once.
+    auto set_signal = [](sigset_t* mask, int s) {
+        SEASTAR_ASSERT(!sigismember(mask, s));
+        sigaddset(mask, s);
+    };
+
+    sigset_t block_mask;
+    sigemptyset(&block_mask);
+    set_signal(&block_mask, internal::cpu_stall_detector::signal_number());
+    set_signal(&block_mask, internal::cpu_profiler::signal_number());
+
     struct sigaction sa_block_notifier = {};
     sa_block_notifier.sa_handler = &reactor::block_notifier;
     sa_block_notifier.sa_flags = SA_RESTART;
+    sa_block_notifier.sa_mask = block_mask;
     auto r = sigaction(internal::cpu_stall_detector::signal_number(), &sa_block_notifier, nullptr);
     SEASTAR_ASSERT(r == 0);
+    r = sigaction(internal::cpu_profiler::signal_number(), &sa_block_notifier, nullptr);
+    SEASTAR_ASSERT(r == 0);
 
     bool idle = false;
 
@@ -3273,6 +3388,7 @@ int reactor::do_run() {
     const noncopyable_function<bool()> pure_check_for_work = [this] () {
         return pure_poll_once() || have_more_tasks();
     };
+    _cpu_profiler->start();
     while (true) {
         _cpu_sched.run_some_tasks();
         if (_stopped) {
@@ -3325,10 +3441,12 @@ int reactor::do_run() {
                         struct itimerspec zero_itimerspec = {};
                         _task_quota_timer.timerfd_settime(0, zero_itimerspec);
                         _cpu_stall_detector->start_sleep();
+                        _cpu_profiler->stop();
 
                         wait_and_process_events();
                         pollers_exit_interrupt_mode();
 
+                        _cpu_profiler->start();
                         _cpu_stall_detector->end_sleep();
                         // We may have slept for a while, so freshen idle_end
                         idle_end = now();
@@ -3342,6 +3460,7 @@ int reactor::do_run() {
             }
         }
     }
+    _cpu_profiler->stop();
     // To prevent ordering issues from rising, destroy the I/O queue explicitly at this point.
     // This is needed because the reactor is destroyed from the thread_local destructors. If
     // the I/O queue happens to use any other infrastructure that is also kept this way (for
@@ -3864,6 +3983,8 @@ reactor_options::reactor_options(program_options::option_group* parent_group)
     , blocked_reactor_notify_ms(*this, "blocked-reactor-notify-ms", 25, "threshold in miliseconds over which the reactor is considered blocked if no progress is made")
     , blocked_reactor_reports_per_minute(*this, "blocked-reactor-reports-per-minute", 5, "Maximum number of backtraces reported by stall detector per minute")
     , blocked_reactor_report_format_oneline(*this, "blocked-reactor-report-format-oneline", true, "Print a simplified backtrace on a single line")
+    , profiler_sample_period_ms(*this, "profiler-sample-period-ms", 100, "Profiler sample rate")
+    , profiler_enabled(*this, "profiler-enabled", false, "Enable the profiler")
     , relaxed_dma(*this, "relaxed-dma", "allow using buffered I/O if DMA is not available (reduces performance)")
     , linux_aio_nowait(*this, "linux-aio-nowait", internal::kernel_uname().whitelisted({"4.13"}), // base version where this works
                 "use the Linux NOWAIT AIO feature, which reduces reactor stalls due to aio (autodetected)")
@@ -3930,6 +4051,12 @@ smp_options::smp_options(program_options::option_group* parent_group)
 {
 }
 
+thread_local metrics::impl::metric_implementations metric_impls;
+
+metrics::impl::metric_implementations& metrics::impl::get_metric_implementations() {
+    return metric_impls;
+}
+
 struct reactor_deleter {
     void operator()(reactor* p) {
         p->~reactor();
@@ -5123,6 +5250,16 @@ future<> destroy_scheduling_supergroup(scheduling_supergroup sg) noexcept {
     });
 }
 
+scheduling_group::stats
+scheduling_group::get_stats() const noexcept {
+    const auto * const tq = engine()._task_queues[_id].get();
+    return {
+        .runtime = tq->_runtime,
+        .waittime = tq->_waittime,
+        .starvetime = tq->_starvetime
+    };
+}
+
 future<scheduling_group>
 create_scheduling_group(sstring name, sstring shortname, float shares, scheduling_supergroup parent) noexcept {
     auto aid = allocate_scheduling_group_id();
diff --git a/src/core/reactor_backend.cc b/src/core/reactor_backend.cc
index 196c67220f3..42c5d994ff8 100644
--- a/src/core/reactor_backend.cc
+++ b/src/core/reactor_backend.cc
@@ -1932,15 +1932,15 @@ reactor_backend_selector reactor_backend_selector::default_backend() {
 
 std::vector<reactor_backend_selector> reactor_backend_selector::available() {
     std::vector<reactor_backend_selector> ret;
+    if (has_enough_aio_nr() && detect_aio_poll()) {
+        ret.push_back(reactor_backend_selector("linux-aio"));
+    }
+    ret.push_back(reactor_backend_selector("epoll"));
 #ifdef SEASTAR_HAVE_URING
     if (detect_io_uring()) {
         ret.push_back(reactor_backend_selector("io_uring"));
     }
 #endif
-    if (has_enough_aio_nr() && detect_aio_poll()) {
-        ret.push_back(reactor_backend_selector("linux-aio"));
-    }
-    ret.push_back(reactor_backend_selector("epoll"));
     return ret;
 }
 
diff --git a/src/core/scollectd.cc b/src/core/scollectd.cc
index a6075ddc3d9..cc6482a56d8 100644
--- a/src/core/scollectd.cc
+++ b/src/core/scollectd.cc
@@ -89,12 +89,12 @@ registration::~registration() {
     unregister();
 }
 
-registration::registration(const type_instance_id& id)
-: _id(id), _impl(seastar::metrics::impl::get_local_impl()) {
+registration::registration(const type_instance_id& id, int handle)
+: _id(id), _impl(seastar::metrics::impl::get_local_impl(handle)) {
 }
 
-registration::registration(type_instance_id&& id)
-: _id(std::move(id)), _impl(seastar::metrics::impl::get_local_impl()) {
+registration::registration(type_instance_id&& id, int handle)
+: _id(std::move(id)), _impl(seastar::metrics::impl::get_local_impl(handle)) {
 }
 
 seastar::metrics::impl::metric_id to_metrics_id(const type_instance_id & id) {
@@ -544,7 +544,7 @@ future<> send_metric(const type_instance_id & id,
     return get_impl().send_metric(id, values);
 }
 
-void configure(const options& opts) {
+void configure(const options& opts, int handle) {
     bool enable = opts.collectd.get_value();
     if (!enable) {
         return;
@@ -553,7 +553,7 @@ void configure(const options& opts) {
     auto period = std::chrono::milliseconds(opts.collectd_poll_period.get_value());
 
     auto host = (opts.collectd_hostname.get_value() == "")
-            ? seastar::metrics::impl::get_local_impl()->get_config().hostname
+            ? seastar::metrics::impl::get_local_impl(handle)->get_config().hostname
             : sstring(opts.collectd_hostname.get_value());
 
     // Now create send loops on each cpu
diff --git a/src/core/signal_mutex.cc b/src/core/signal_mutex.cc
new file mode 100644
index 00000000000..308ef0897f1
--- /dev/null
+++ b/src/core/signal_mutex.cc
@@ -0,0 +1,50 @@
+/*
+ * This file is open source software, licensed to you under the terms
+ * of the Apache License, Version 2.0 (the "License").  See the NOTICE file
+ * distributed with this work for additional information regarding copyright
+ * ownership.  You may not use this file except in compliance with the License.
+ *
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+/*
+ * Copyright (C) 2025 ScyllaDB
+ */
+
+#include <seastar/core/internal/signal_mutex.hh>
+
+namespace seastar::internal {
+
+signal_mutex::guard::~guard() {
+    if (_mutex == nullptr) {
+        return;
+    }
+    // Ensure the subsequent store isn't hoisted by the the
+    // compiler into the critical section it's intended to
+    // protect.
+    std::atomic_signal_fence(std::memory_order_release);
+    _mutex->_mutex.store(false, std::memory_order_relaxed);
+}
+
+std::optional<signal_mutex::guard> signal_mutex::try_lock() {
+    if (!_mutex.load(std::memory_order_relaxed)) {
+        _mutex.store(true, std::memory_order_relaxed);
+        // Ensure that this read-modify-update operation isn't
+        // mixed into the critical section it's intended to protect
+        // by the compiler.
+        std::atomic_signal_fence(std::memory_order_acq_rel);
+        return {guard(this)};
+    }
+
+    return std::nullopt;
+}
+
+} // namespace seastar::internal
diff --git a/src/core/thread_pool.cc b/src/core/thread_pool.cc
index 818cab826ee..8b1084f9bdf 100644
--- a/src/core/thread_pool.cc
+++ b/src/core/thread_pool.cc
@@ -69,8 +69,7 @@ void thread_pool::work(sstring name) {
             std::atomic_thread_fence(std::memory_order_seq_cst);
             if (_main_thread_idle.load(std::memory_order_relaxed)) {
                 uint64_t one = 1;
-                auto res = ::write(_notify_eventfd.get(), &one, 8);
-                SEASTAR_ASSERT(res == 8 && "write(2) failed on _reactor._notify_eventfd");
+                (void)::write(_notify_eventfd.get(), &one, 8);
             }
         }
     }
diff --git a/src/http/client.cc b/src/http/client.cc
index 40088407b5d..1f6b34ee6bd 100644
--- a/src/http/client.cc
+++ b/src/http/client.cc
@@ -24,7 +24,6 @@ module;
 #endif
 
 #include <concepts>
-#include <gnutls/gnutls.h>
 #include <memory>
 #include <optional>
 #include <stdexcept>
@@ -46,7 +45,7 @@ module seastar;
 #endif
 
 namespace seastar {
-logger http_log("http");
+logger http_log("seastar_http_client");
 namespace http {
 namespace internal {
 
@@ -326,7 +325,7 @@ static bool is_retryable_exception(std::exception_ptr ex) {
             std::rethrow_exception(ex);
         } catch (const std::system_error& sys_err) {
             auto code = sys_err.code().value();
-            if (code == EPIPE || code == ECONNABORTED || code == ECONNRESET || code == GNUTLS_E_PREMATURE_TERMINATION) {
+            if (code == EPIPE || code == ECONNABORTED || code == ECONNRESET) {
                 return true;
             }
             try {
diff --git a/src/http/httpd.cc b/src/http/httpd.cc
index ffb67ae4cb0..b6daf3fc043 100644
--- a/src/http/httpd.cc
+++ b/src/http/httpd.cc
@@ -203,11 +203,14 @@ set_request_content(std::unique_ptr<http::request> req, input_stream<char>* cont
     }
 }
 
-void connection::generate_error_reply_and_close(std::unique_ptr<http::request> req, http::reply::status_type status, const sstring& msg) {
+void connection::generate_error_reply_and_close(std::unique_ptr<http::request> req, http::reply::status_type status, const sstring& msg, const sstring &content_type) {
     auto resp = std::make_unique<http::reply>();
     // TODO: Handle HTTP/2.0 when it releases
     resp->set_version(req->_version);
     resp->set_status(status, msg);
+    if (!content_type.empty()) {
+        resp->set_content_type(content_type);
+    }
     resp->done();
     _done = true;
     _replies.push(std::move(resp));
@@ -225,6 +228,7 @@ future<> connection::read_one() {
 
         req->_server_address = this->_server_addr;
         req->_client_address = this->_client_addr;
+        req->listener_idx = _listener_idx;
 
         if (_tls) {
             req->protocol_name = "https";
@@ -293,7 +297,7 @@ future<> connection::read_one() {
                     // before passing the request to handler - when we were parsing chunks
                     auto err_req = std::make_unique<http::request>();
                     err_req->_version = version;
-                    generate_error_reply_and_close(std::move(err_req), e.status(), e.str());
+                    generate_error_reply_and_close(std::move(err_req), e.status(), e.str(), e.content_type());
                 });
             });
         });
@@ -448,10 +452,10 @@ future<> http_server::do_accepts(int which){
 }
 
 future<> http_server::do_accept_one(int which, bool tls) {
-    return _listeners[which].accept().then([this, tls] (accept_result ar) mutable {
+    return _listeners[which].accept().then([this, tls, which] (accept_result ar) mutable {
         auto local_address = ar.connection.local_address();
         auto conn = std::make_unique<connection>(*this, std::move(ar.connection),
-                std::move(ar.remote_address), std::move(local_address), tls);
+                std::move(ar.remote_address), std::move(local_address), tls, which);
         (void)try_with_gate(_task_gate, [conn = std::move(conn)]() mutable {
             return conn->process().handle_exception([conn = std::move(conn)] (std::exception_ptr ex) {
                 hlogger.error("request error: {}", ex);
diff --git a/src/http/routes.cc b/src/http/routes.cc
index 0b3b72a8be3..cb4d44f9ff7 100644
--- a/src/http/routes.cc
+++ b/src/http/routes.cc
@@ -80,10 +80,14 @@ std::unique_ptr<http::reply> routes::exception_reply(std::exception_ptr eptr) {
         }
         std::rethrow_exception(eptr);
     } catch (const redirect_exception& _e) {
-       rep.reset(new http::reply());
-       rep->add_header("Location", _e.url).set_status(_e.status());
+       *rep = _e.to_reply();
     } catch (const base_exception& e) {
-        rep->set_status(e.status(), internal::json_exception(e).to_json());
+        if (e.content_type().size()) {
+            rep->set_status(e.status(), e.str());
+            rep->set_content_type(e.content_type());
+        } else {
+            rep->set_status(e.status(), internal::json_exception(e).to_json());
+        }
     } catch (...) {
         rep->set_status(http::reply::status_type::internal_server_error,
                 internal::json_exception(std::current_exception()).to_json());
@@ -101,6 +105,9 @@ future<std::unique_ptr<http::reply> > routes::handle(const sstring& path, std::u
             handler->verify_mandatory_params(*req);
             auto r =  handler->handle(path, std::move(req), std::move(rep));
             return r.handle_exception(_general_handler);
+        } catch (const redirect_exception& _e) {
+            *rep = _e.to_reply();
+            rep->done("json");
         } catch (...) {
             rep = exception_reply(std::current_exception());
         }
diff --git a/src/net/dns.cc b/src/net/dns.cc
index 5ee7829f309..ccab74a12d9 100644
--- a/src/net/dns.cc
+++ b/src/net/dns.cc
@@ -1086,7 +1086,7 @@ dns_resolver::impl::do_sendv(ares_socket_t fd, const iovec * vec, int len) {
 
         for (;;) {
             // check if we're already writing.
-            if (e.typ == type::tcp && !(e.avail & POLLOUT)) {
+            if (!(e.avail & POLLOUT)) {
                 dns_log.trace("Send already pending {}", fd);
                 errno = EWOULDBLOCK;
                 return -1;
diff --git a/src/net/ossl.cc b/src/net/ossl.cc
new file mode 100644
index 00000000000..e95d1cec087
--- /dev/null
+++ b/src/net/ossl.cc
@@ -0,0 +1,2489 @@
+/*
+ * This file is open source software, licensed to you under the terms
+ * of the Apache License, Version 2.0 (the "License").  See the NOTICE file
+ * distributed with this work for additional information regarding copyright
+ * ownership.  You may not use this file except in compliance with the License.
+ *
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+/*
+ * Copyright 2015 Cloudius Systems
+ * Copyright 2024 Redpanda Data
+ */
+
+// The data flow in the openssl-based seastar tls implementation looks like the following. The session's put/get()
+// methods delegate to openssl functions, which perform the openssl handshake, encryption and decryption, and then they
+// write the raw data into a custom BIO object. This custom BIO object is implemented in this file, it is specific to
+// seastar and it delegates the write/read methods to the seastar::tls::session's data_sink/data_source (which are the
+// interfaces around the underlying seastar connected socket).
+//
+//        +----------------------------+      +-------------------------------------+     +-------------+    +----------------------------+   +------+
+//        |                            |      |                                     |     |             |    |                            |   |      |
+// ------->    seastar::tls::session   +------> SSL_{do_handshake|write_ex|read_ex} +-----> custom BIO  +---->    data_sink/data_source   +--->  OS  |
+//        |                            |      |                                     |     |             |    |      (seastar socket)      |   |      |
+//        +----------------------------+      +-------------------------------------+     +-------------+    +----------------------------+   +------+
+
+#ifdef SEASTAR_MODULE
+module;
+#endif
+
+#include <boost/algorithm/string/trim.hpp>
+#include <fmt/ostream.h>
+#include <fmt/ranges.h>
+#include <openssl/bio.h>
+#include <openssl/core_names.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/pem.h>
+#include <openssl/pkcs12.h>
+#include <openssl/provider.h>
+#include <openssl/rand.h>
+#include <openssl/safestack.h>
+#include <openssl/ssl.h>
+#include <openssl/sslerr.h>
+#include <openssl/x509.h>
+#include <openssl/x509_vfy.h>
+#include <openssl/x509v3.h>
+
+#include <cassert>
+#include <chrono>
+#include <functional>
+#include <span>
+#include <system_error>
+#include <unordered_set>
+#include <utility>
+
+#include <seastar/util/assert.hh>
+
+#include <netinet/in.h>
+
+#ifdef SEASTAR_MODULE
+module seastar;
+#else
+#include <seastar/core/gate.hh>
+#include <seastar/core/sstring.hh>
+#include <seastar/core/with_timeout.hh>
+#include <seastar/net/stack.hh>
+#include <seastar/net/tls.hh>
+#include <seastar/util/defer.hh>
+#include <seastar/util/later.hh>
+#include <seastar/util/log.hh>
+
+#include "net/tls-impl.hh"
+#endif
+
+template <> struct fmt::formatter<seastar::tls::session> : public fmt::formatter<string_view> {
+    auto format(const seastar::tls::session& s, fmt::format_context& ctx) const -> decltype(ctx.out());
+};
+
+namespace seastar {
+
+enum class ossl_errc : int{};
+
+}
+
+namespace std {
+
+template<>
+struct is_error_code_enum<seastar::ossl_errc> : true_type {};
+
+}
+
+template<>
+struct fmt::formatter<seastar::ossl_errc> :
+  public fmt::formatter<std::string_view> {
+  /**
+   * Some OpenSSL errors are hard to parse.  This method can be used to provide
+   * an alternative, more readable, error message.
+   */
+  static std::optional<seastar::sstring>
+  alternate_message(seastar::ossl_errc error);
+
+  auto format(seastar::ossl_errc error, fmt::format_context& ctx) const -> decltype(ctx.out());
+};
+
+namespace seastar {
+
+int tls_version_to_ossl(tls::tls_version version) {
+    switch(version) {
+    case tls::tls_version::tlsv1_0:
+        return TLS1_VERSION;
+    case tls::tls_version::tlsv1_1:
+        return TLS1_1_VERSION;
+    case tls::tls_version::tlsv1_2:
+        return TLS1_2_VERSION;
+    case tls::tls_version::tlsv1_3:
+        return TLS1_3_VERSION;
+    }
+
+    __builtin_unreachable();
+}
+
+class ossl_error_category : public std::error_category {
+public:
+    constexpr ossl_error_category() noexcept : std::error_category{} {}
+    const char* name() const noexcept override {
+        return "OpenSSL";
+    }
+    std::string message(int error) const override {
+        return fmt::format("{}", static_cast<ossl_errc>(error));
+    }
+};
+
+const std::error_category& tls::error_category() {
+    static const ossl_error_category ec;
+    return ec;
+}
+
+std::error_code make_error_code(ossl_errc e) {
+    return std::error_code(static_cast<int>(e), tls::error_category());
+}
+
+std::vector<ossl_errc> get_all_ossl_errors() {
+    std::vector<ossl_errc> error_codes;
+    for (auto code = ERR_get_error(); code != 0; code = ERR_get_error()) {
+        error_codes.push_back(static_cast<ossl_errc>(code));
+    }
+
+    return error_codes;
+}
+
+std::system_error make_ossl_error(const std::string & msg, std::vector<ossl_errc> error_codes) {
+    if (error_codes.empty()) {
+        return std::system_error{
+            static_cast<int>(ERR_PACK(ERR_LIB_USER, 0, ERR_R_OPERATION_FAIL)),
+            tls::error_category(),
+            msg};
+    }
+    auto err_code = static_cast<unsigned long>(error_codes.front());
+    if (ERR_LIB_SYS == ERR_GET_LIB(err_code)) {
+        // If the error code belongs to ERR_LIB_SYS, then the error is a system error
+        // Extract the errno using ERR_GET_REASON and throw a std::generic_category
+        return std::system_error(
+            ERR_GET_REASON(err_code),
+            std::generic_category(),
+            fmt::format("{}: {}", msg, error_codes));
+    }
+    return std::system_error(
+        static_cast<int>(err_code),
+        tls::error_category(),
+        fmt::format("{}: {}", msg, error_codes));
+}
+
+std::system_error make_ossl_error(const std::string & msg) {
+    return make_ossl_error(msg, get_all_ossl_errors());
+}
+
+bool contains_ossl_error(const std::vector<ossl_errc> & error_codes, int lib, int reason) {
+    return std::any_of(error_codes.cbegin(), error_codes.cend(), [lib, reason](const ossl_errc & code) {
+        return ERR_GET_LIB(static_cast<unsigned long>(code)) == lib &&
+               ERR_GET_REASON(static_cast<unsigned long>(code)) == reason;
+    });
+}
+
+template<typename T>
+sstring asn1_str_to_str(T* asn1) {
+    const auto len = ASN1_STRING_length(asn1);
+    return sstring(reinterpret_cast<const char*>(ASN1_STRING_get0_data(asn1)), len);
+};
+
+static std::vector<std::byte> extract_x509_serial(X509* cert) {
+    constexpr size_t serial_max = 160;
+    const ASN1_INTEGER *serial_no = X509_get_serialNumber(cert);
+    const size_t serial_size = std::min(serial_max, (size_t)serial_no->length);
+    std::vector<std::byte> serial(
+        reinterpret_cast<std::byte*>(serial_no->data),
+        reinterpret_cast<std::byte*>(serial_no->data + serial_size));
+    return serial;
+}
+
+static time_t extract_x509_expiry(X509* cert) {
+    const ASN1_TIME *not_after = X509_get0_notAfter(cert);
+    if (not_after != nullptr) {
+        tm tm_struct{};
+        ASN1_TIME_to_tm(not_after, &tm_struct);
+        return mktime(&tm_struct);
+    }
+    return -1;
+}
+
+static tls::certificate_data get_der_certificate_data(X509* cert) {
+    tls::certificate_data result;
+    int len = i2d_X509(cert, NULL);
+    if (len > 0) {
+        tls::certificate_data der_encoded_cert(len);
+        auto ptr = der_encoded_cert.data();
+        i2d_X509(cert, &ptr);
+        
+        std::move(der_encoded_cert.begin(), der_encoded_cert.end(),
+                  std::back_inserter(result));
+    }
+    return result;
+}
+
+std::vector<unsigned char> make_ossl_alpn_proto_data(const std::vector<sstring>& protocols) {
+    std::vector<unsigned char> alpn_data;
+    for(const sstring& proto : protocols) {
+        if(proto.empty() || proto.size() > 255) {
+            throw std::invalid_argument(fmt::format("ALPN protocol '{}' is invalid", proto));
+        }
+        alpn_data.push_back(static_cast<unsigned char>(proto.size()));
+        std::copy(proto.begin(), proto.end(),
+                    std::back_inserter(alpn_data));
+    }
+    return alpn_data;
+}
+
+template<typename T, auto fn>
+struct ssl_deleter {
+    void operator()(T* ptr) { fn(ptr); }
+};
+
+// Must define this method as sk_X509_pop_free is a macro
+void X509_pop_free(STACK_OF(X509)* ca) {
+    sk_X509_pop_free(ca, X509_free);
+}
+
+void X509_INFO_pop_free(STACK_OF(X509_INFO)* infos) {
+    sk_X509_INFO_pop_free(infos, X509_INFO_free);
+}
+
+void GENERAL_NAME_pop_free(GENERAL_NAMES* gns) {
+    sk_GENERAL_NAME_pop_free(gns, GENERAL_NAME_free);
+}
+
+template<typename T, auto fn>
+using ssl_handle = std::unique_ptr<T, ssl_deleter<T, fn>>;
+
+using bio_method_ptr = ssl_handle<BIO_METHOD, BIO_meth_free>;
+using bio_ptr = ssl_handle<BIO, BIO_free>;
+using evp_pkey_ptr = ssl_handle<EVP_PKEY, EVP_PKEY_free>;
+using x509_ptr = ssl_handle<X509, X509_free>;
+using x509_crl_ptr = ssl_handle<X509_CRL, X509_CRL_free>;
+using x509_store_ptr = ssl_handle<X509_STORE, X509_STORE_free>;
+using x509_store_ctx_ptr = ssl_handle<X509_STORE_CTX, X509_STORE_CTX_free>;
+using x509_chain_ptr = ssl_handle<STACK_OF(X509), X509_pop_free>;
+using x509_infos_ptr = ssl_handle<STACK_OF(X509_INFO), X509_INFO_pop_free>;
+using general_names_ptr = ssl_handle<GENERAL_NAMES, GENERAL_NAME_pop_free>;
+using pkcs12 = ssl_handle<PKCS12, PKCS12_free>;
+using ssl_ctx_ptr = ssl_handle<SSL_CTX, SSL_CTX_free>;
+using ssl_ptr = ssl_handle<SSL, SSL_free>;
+using x509_verify_param_ptr = ssl_handle<X509_VERIFY_PARAM, X509_VERIFY_PARAM_free>;
+using ssl_session_ptr = ssl_handle<SSL_SESSION, SSL_SESSION_free>;
+
+/**
+ * The purpose of this structure is to hold the AES and HMAC keys used to encrypt/decrypt TLS 1.3
+ * session tickets given to and presented by, the TLS client.
+ */
+struct session_ticket_keys {
+    std::array<uint8_t, 16> key_name;
+    std::array<uint8_t, 32> aes_key;
+    std::array<uint8_t, 32> hmac_key;
+
+    session_ticket_keys() = default;
+    session_ticket_keys(const session_ticket_keys&) = default;
+    session_ticket_keys(session_ticket_keys&&) = default;
+    session_ticket_keys& operator=(const session_ticket_keys&) = default;
+    session_ticket_keys& operator=(session_ticket_keys&&) = default;
+
+    explicit session_ticket_keys(std::span<const uint8_t> key) {
+        SEASTAR_ASSERT(key.size() == key_name.size() + aes_key.size() + hmac_key.size());
+        std::copy_n(key.begin(), key_name.size(), key_name.begin());
+        std::copy_n(key.begin() + key_name.size(), aes_key.size(), aes_key.begin());
+        std::copy_n(key.begin() + key_name.size() + aes_key.size(), hmac_key.size(), hmac_key.begin());
+    }
+
+    void generate_keys() {
+        generate_key(key_name);
+        generate_key(aes_key);
+        generate_key(hmac_key);
+    }
+
+    ~session_ticket_keys() {
+        clear_key(aes_key);
+        clear_key(hmac_key);
+    }
+
+    std::vector<uint8_t> operator()() const {
+        std::vector<uint8_t> res;
+        res.reserve(key_name.size() + aes_key.size() + hmac_key.size());
+        res.insert(res.end(), key_name.begin(), key_name.end());
+        res.insert(res.end(), aes_key.begin(), aes_key.end());
+        res.insert(res.end(), hmac_key.begin(), hmac_key.end());
+        return res;
+    }
+
+private:
+    /**
+     * This will zeroize the key contents by writing 0xff, then 0x00,
+     * and finally 0xff over the memory that held the key
+     * @tparam N Size of the array
+     * @param key The key to clear
+     */
+    template<std::size_t N>
+    static void clear_key(std::array<uint8_t, N>& key) {
+        // Zeroize sensitive key data
+        OPENSSL_cleanse(key.data(), N);
+    }
+
+    /**
+     * Generates a key
+     * @tparam N The size of the key
+     * @param key The key to generate
+     * @throws ossl_error if unable to generate random data
+     */
+    template<std::size_t N>
+    static void generate_key(std::array<uint8_t, N>& key) {
+        if (RAND_priv_bytes(key.data(), N) <= 0) {
+            throw make_ossl_error("Failed to generate key");
+        }
+    }
+};
+
+// sufficiently large enough to avoid collision with OpenSSL BIO controls
+#define BIO_C_SET_POINTER 1000
+// Index into ex data for SSL structure to fetch a pointer to session
+#define SSL_EX_DATA_SESSION 0
+
+BIO_METHOD* get_method();
+
+void tls::credentials_builder::set_cipher_string(const sstring& cipher_string) {
+    _cipher_string = cipher_string;
+}
+
+void tls::credentials_builder::set_ciphersuites(const sstring& ciphersuites) {
+    _ciphersuites = ciphersuites;
+}
+
+void tls::credentials_builder::enable_server_precedence() {
+    _enable_server_precedence = true;
+}
+
+void tls::credentials_builder::enable_tls_renegotiation() {
+    _enable_tls_renegotiation = true;
+}
+
+void tls::credentials_builder::set_minimum_tls_version(tls_version version) {
+    _min_tls_version.emplace(version);
+}
+
+void tls::credentials_builder::set_maximum_tls_version(tls_version version) {
+    _max_tls_version.emplace(version);
+}
+
+/// TODO: Implement the DH params impl struct
+///
+class tls::dh_params::impl {
+public:
+    explicit impl(level) {}
+    impl(const blob&, x509_crt_format){}
+
+    const EVP_PKEY* get() const { return _pkey.get(); }
+
+    explicit operator const EVP_PKEY*() const { return _pkey.get(); }
+
+private:
+    evp_pkey_ptr _pkey;
+};
+
+tls::dh_params::dh_params(level lvl) : _impl(std::make_unique<impl>(lvl))
+{}
+
+tls::dh_params::dh_params(const blob& b, x509_crt_format fmt)
+        : _impl(std::make_unique<impl>(b, fmt)) {
+}
+
+// TODO(rob) some small amount of code duplication here
+tls::dh_params::~dh_params() = default;
+
+tls::dh_params::dh_params(dh_params&&) noexcept = default;
+tls::dh_params& tls::dh_params::operator=(dh_params&&) noexcept = default;
+
+class tls::certificate_credentials::impl {
+    struct certkey_pair {
+        x509_ptr cert;
+        evp_pkey_ptr key;
+        explicit operator bool() const noexcept {
+            return cert != nullptr && key != nullptr;
+        }
+    };
+
+    static const int credential_store_idx = 0;
+
+public:
+    // This callback is designed to intercept the verification process and to implement an additional
+    // check, returning 0 or -1 will force verification to fail.
+    //
+    // However it has been implemented in this case soley to cache the last observed certificate so
+    // that it may be inspected during the session::verify() method, if desired.
+    //
+    static int verify_callback(int preverify_ok, X509_STORE_CTX* store_ctx) {
+        // Grab the 'this' pointer from the stores generic data cache, it should always exist
+        auto store = X509_STORE_CTX_get0_store(store_ctx);
+        auto credential_impl = static_cast<impl*>(X509_STORE_get_ex_data(store, credential_store_idx));
+        SEASTAR_ASSERT(credential_impl != nullptr);
+        // Store a pointer to the current connection certificate within the impl instance
+        auto cert = X509_STORE_CTX_get_current_cert(store_ctx);
+        X509_up_ref(cert);
+        credential_impl->_last_cert = x509_ptr(cert);
+        return preverify_ok;
+    }
+
+    impl() : _creds([] {
+        auto store = X509_STORE_new();
+        if (store == nullptr) {
+            throw std::bad_alloc();
+        }
+        X509_STORE_set_verify_cb(store, verify_callback);
+        return store;
+    }()) {
+        // The static verify_callback above will use the stored pointer to 'this' to store the last
+        // observed x509 certificate
+        [[maybe_unused]] auto res =
+            X509_STORE_set_ex_data(_creds.get(), credential_store_idx, this);
+        SEASTAR_ASSERT(res == 1);
+    }
+
+
+    // Parses a PEM certificate file that may contain more then one entry, calls the callback provided
+    // passing the associated X509_INFO* argument. The parameter is not retained so the caller must retain
+    // the item before the end of the function call.
+    template<typename LoadFunc>
+    static void iterate_pem_certs(const bio_ptr& cert_bio, LoadFunc fn) {
+        auto infos = x509_infos_ptr(PEM_X509_INFO_read_bio(cert_bio.get(), nullptr, nullptr, nullptr));
+        auto num_elements = sk_X509_INFO_num(infos.get());
+        if (num_elements <= 0) {
+            throw make_ossl_error("Failed to parse PEM cert");
+        }
+        for (auto i=0; i < num_elements; i++) {
+            auto object = sk_X509_INFO_value(infos.get(), i);
+            fn(object);
+        }
+    }
+
+    static x509_ptr parse_x509_cert(const blob& b, x509_crt_format fmt) {
+        bio_ptr cert_bio(BIO_new_mem_buf(b.data(), b.size()));
+        x509_ptr cert;
+        switch(fmt) {
+        case tls::x509_crt_format::PEM:
+            cert = x509_ptr(PEM_read_bio_X509(cert_bio.get(), nullptr, nullptr, nullptr));
+            break;
+        case tls::x509_crt_format::DER:
+            cert = x509_ptr(d2i_X509_bio(cert_bio.get(), nullptr));
+            break;
+        }
+        if (!cert) {
+            throw make_ossl_error("Failed to parse x509 certificate");
+        }
+        return cert;
+    }
+
+    void set_x509_trust(const blob& b, x509_crt_format fmt) {
+        bio_ptr cert_bio(BIO_new_mem_buf(b.data(), b.size()));
+        x509_ptr cert;
+        switch(fmt) {
+        case tls::x509_crt_format::PEM:
+            iterate_pem_certs(cert_bio, [this](X509_INFO* info){
+                if (!info->x509) {
+                    throw make_ossl_error("Failed to parse x509 cert");
+                }
+                X509_STORE_add_cert(*this, info->x509);
+            });
+            break;
+        case tls::x509_crt_format::DER:
+            cert = x509_ptr(d2i_X509_bio(cert_bio.get(), nullptr));
+            if (!cert) {
+                throw make_ossl_error("Failed to parse x509 certificate");
+            }
+            X509_STORE_add_cert(*this, cert.get());
+            break;
+        }
+    }
+
+    void set_x509_crl(const blob& b, x509_crt_format fmt) {
+        bio_ptr cert_bio(BIO_new_mem_buf(b.data(), b.size()));
+        x509_crl_ptr crl;
+        switch(fmt) {
+        case x509_crt_format::PEM:
+            iterate_pem_certs(cert_bio, [this](X509_INFO* info) {
+                if (!info->crl) {
+                    throw make_ossl_error("Failed to parse CRL");
+                }
+                X509_STORE_add_crl(*this, info->crl);
+            });
+            break;
+        case x509_crt_format::DER:
+            crl = x509_crl_ptr(d2i_X509_CRL_bio(cert_bio.get(), nullptr));
+            if (!crl) {
+                throw make_ossl_error("Failed to parse x509 crl");
+            }
+            X509_STORE_add_crl(*this, crl.get());
+            break;
+        }
+
+        enable_crl_checking();
+    }
+
+    void set_x509_key(const blob& cert, const blob& key, x509_crt_format fmt) {
+        x509_ptr x509_cert{nullptr};
+        bio_ptr key_bio(BIO_new_mem_buf(key.data(), key.size()));
+        evp_pkey_ptr pkey;
+        switch(fmt) {
+        case x509_crt_format::PEM:
+            pkey = evp_pkey_ptr(PEM_read_bio_PrivateKey(key_bio.get(), nullptr, nullptr, nullptr));
+            // The provided `cert` blob may contain more than one cert.  We need to be prepared
+            // for this situation.  So we will parse through the blob using `iterate_pem_certs`.
+            // The first cert encountered will be assigned to x509_cert and all subsequent certs
+            // will be added to the X509_STORE's trusted certificates
+            iterate_pem_certs(bio_ptr{BIO_new_mem_buf(cert.data(), cert.size())}, [this, &x509_cert](X509_INFO* info) {
+                if (!info->x509) {
+                    throw make_ossl_error("Failed to parse X.509 certificate in loading key/cert chain");
+                }
+                if (!x509_cert) {
+                    x509_cert = x509_ptr{info->x509};
+                    // By setting x509 to nullptr, the sk_X509_INFO_pop_free function will not
+                    // call X509_free on it.  We have 'transfered' ownership above to the
+                    // x509_cert X509 ptr
+                    info->x509 = nullptr;
+                } else {
+                    X509_STORE_add_cert(*this, info->x509);
+                }
+            });
+            break;
+        case x509_crt_format::DER:
+            pkey = evp_pkey_ptr(d2i_PrivateKey_bio(key_bio.get(), nullptr));
+            // We don't handle a chain of certs when encoded in DER
+            x509_cert = parse_x509_cert(cert, fmt);
+            break;
+        default:
+            __builtin_unreachable();
+        }
+        if (!pkey) {
+            throw make_ossl_error("Error attempting to parse private key");
+        }
+        if (!X509_check_private_key(x509_cert.get(), pkey.get())) {
+            throw make_ossl_error("Failed to verify cert/key pair");
+        }
+        _cert_and_key = certkey_pair{.cert = std::move(x509_cert), .key = std::move(pkey)};
+    }
+
+    void set_simple_pkcs12(const blob& b, x509_crt_format, const sstring& password) {
+        // Load the PKCS12 file
+        bio_ptr bio(BIO_new_mem_buf(b.data(), b.size()));
+        if (auto p12 = pkcs12(d2i_PKCS12_bio(bio.get(), nullptr))) {
+            // Extract the certificate and private key from PKCS12, using provided password
+            EVP_PKEY *pkey = nullptr;
+            X509 *cert = nullptr;
+            STACK_OF(X509) *ca = nullptr;
+            if (!PKCS12_parse(p12.get(), password.c_str(), &pkey, &cert, &ca)) {
+                throw make_ossl_error("Failed to extract cert key pair from pkcs12 file");
+            }
+            // Ensure signature validation checks pass before continuing
+            if (!X509_check_private_key(cert, pkey)) {
+                X509_free(cert);
+                EVP_PKEY_free(pkey);
+                throw make_ossl_error("Failed to verify cert/key pair");
+            }
+            _cert_and_key = certkey_pair{.cert = x509_ptr(cert), .key = evp_pkey_ptr(pkey)};
+
+            // Iterate through all elements in the certificate chain, adding them to the store
+            auto ca_ptr = x509_chain_ptr(ca);
+            if (ca_ptr) {
+                auto num_elements = sk_X509_num(ca_ptr.get());
+                while (num_elements > 0) {
+                    auto e = sk_X509_pop(ca_ptr.get());
+                    X509_STORE_add_cert(*this, e);
+                    // store retains certificate
+                    X509_free(e);
+                    num_elements -= 1;
+                }
+            }
+        } else {
+            throw make_ossl_error("Failed to parse pkcs12 file");
+        }
+    }
+
+    void enable_crl_checking() {
+        if (!std::exchange(_crl_check_flag_set, true)) {
+            x509_verify_param_ptr x509_vfy(X509_VERIFY_PARAM_new());
+
+            if (1 != X509_VERIFY_PARAM_set_flags(
+                    x509_vfy.get(), X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL)) {
+                throw make_ossl_error(
+                    "Failed to set X509_V_FLAG_CRL_CHECK flag");
+            }
+
+            if (1 != X509_STORE_set1_param(*this, x509_vfy.get())) {
+                throw make_ossl_error(
+                    "Failed to set verification parameters on X509 store");
+            }
+        }
+    }
+
+    void dh_params(const tls::dh_params&) {}
+
+    std::vector<cert_info> get_x509_info() const {
+        if (_cert_and_key.cert) {
+            return {
+                cert_info{
+                    .serial = extract_x509_serial(_cert_and_key.cert.get()),
+                    .expiry = extract_x509_expiry(_cert_and_key.cert.get())}
+            };
+        }
+        return {};
+    }
+
+    std::vector<cert_info> get_x509_trust_list_info() const {
+        std::vector<cert_info> cert_infos;
+        STACK_OF(X509_OBJECT) *chain = X509_STORE_get0_objects(_creds.get());
+        auto num_elements = sk_X509_OBJECT_num(chain);
+        for (auto i=0; i < num_elements; i++) {
+            auto object = sk_X509_OBJECT_value(chain, i);
+            auto type = X509_OBJECT_get_type(object);
+            if (type == X509_LU_X509) {
+                auto cert = X509_OBJECT_get0_X509(object);
+                cert_infos.push_back(cert_info{
+                        .serial = extract_x509_serial(cert),
+                        .expiry = extract_x509_expiry(cert)});
+            }
+        }
+        return cert_infos;
+    }
+
+    void set_client_auth(client_auth ca) {
+        _client_auth = ca;
+    }
+    client_auth get_client_auth() const {
+        return _client_auth;
+    }
+    void set_session_resume_mode(session_resume_mode m, std::span<const uint8_t> key = {}) {
+        _session_resume_mode = m;
+        if (m != session_resume_mode::NONE) {
+            _session_ticket_keys = {};
+            if (key.empty()) {
+                _session_ticket_keys.generate_keys();
+            } else {
+                _session_ticket_keys = session_ticket_keys(key);
+            }
+            
+        }
+    }
+
+    session_resume_mode get_session_resume_mode() {
+        return _session_resume_mode;
+    }
+
+    const session_ticket_keys & get_session_ticket_keys() const {
+        return _session_ticket_keys;
+    }
+
+    void set_dn_verification_callback(dn_callback cb) {
+        _dn_callback = std::move(cb);
+    }
+
+    void set_enable_certificate_verification(bool enable) {
+        _enable_certificate_verification = enable;
+    }
+
+    void set_cipher_string(const sstring& cipher_string) {
+        _cipher_string = cipher_string;
+    }
+
+    void set_ciphersuites(const sstring& ciphersuites) {
+        _ciphersuites = ciphersuites;
+    }
+
+    void enable_server_precedence() {
+        _enable_server_precedence = true;
+    }
+
+    void enable_tls_renegotiation() {
+        _enable_tls_renegotiation = true;
+    }
+
+    void set_minimum_tls_version(tls_version version) {
+        _min_tls_version.emplace(version);
+    }
+
+    void set_maximum_tls_version(tls_version version) {
+        _max_tls_version.emplace(version);
+    }
+
+    const sstring& get_cipher_string() const noexcept {
+        return _cipher_string;
+    }
+
+    const sstring& get_ciphersuites() const noexcept {
+        return _ciphersuites;
+    }
+
+    bool is_server_precedence_enabled() {
+        return _enable_server_precedence;
+    }
+
+    bool is_tls_renegotiation_enabled() {
+        return _enable_tls_renegotiation;
+    }
+
+    const std::optional<tls_version>& minimum_tls_version() const noexcept {
+        return _min_tls_version;
+    }
+
+    const std::optional<tls_version>& maximum_tls_version() const noexcept {
+        return _max_tls_version;
+    }
+
+    // Returns the certificate of last attempted verification attempt, if there was no attempt,
+    // this will not be updated and will remain stale
+    x509_ptr get_last_cert() const {
+        if (_last_cert != nullptr) {
+            auto cert = _last_cert.get();
+            X509_up_ref(cert);
+            return x509_ptr{cert};
+        }
+        return nullptr;
+    }
+
+    operator X509_STORE*() const { return _creds.get(); }
+
+    const certkey_pair& get_certkey_pair() const {
+        return _cert_and_key;
+    }
+
+    void set_alpn_protocols(const std::vector<sstring>& protocols) {
+        _alpn_protocols = protocols;
+    }
+
+private:
+    friend class certificate_credentials;
+    friend class credentials_builder;
+    friend class session;
+
+    void set_load_system_trust(bool trust) {
+        _load_system_trust = trust;
+    }
+
+    bool need_load_system_trust() const {
+        return _load_system_trust;
+    }
+
+    certkey_pair _cert_and_key;
+    session_ticket_keys _session_ticket_keys;
+    x509_ptr _last_cert;
+    x509_store_ptr _creds;
+    dn_callback _dn_callback;
+    std::optional<tls_version> _min_tls_version;
+    std::optional<tls_version> _max_tls_version;
+    sstring _cipher_string;
+    sstring _ciphersuites;
+
+    client_auth _client_auth = client_auth::NONE;
+    session_resume_mode _session_resume_mode = session_resume_mode::NONE;
+    bool _load_system_trust = false;
+    bool _enable_server_precedence = false;
+    bool _enable_tls_renegotiation = false;
+    bool _crl_check_flag_set = false;
+    bool _enable_certificate_verification = true;
+    std::vector<sstring> _alpn_protocols;
+};
+
+tls::certificate_credentials::certificate_credentials()
+        : _impl(make_shared<impl>()) {
+}
+
+tls::certificate_credentials::~certificate_credentials() {
+}
+
+tls::certificate_credentials::certificate_credentials(
+        certificate_credentials&&) noexcept = default;
+tls::certificate_credentials& tls::certificate_credentials::operator=(
+        certificate_credentials&&) noexcept = default;
+
+void tls::certificate_credentials::set_x509_trust(const blob& b,
+        x509_crt_format fmt) {
+    _impl->set_x509_trust(b, fmt);
+}
+
+void tls::certificate_credentials::set_x509_crl(const blob& b,
+        x509_crt_format fmt) {
+    _impl->set_x509_crl(b, fmt);
+
+}
+void tls::certificate_credentials::set_x509_key(const blob& cert,
+        const blob& key, x509_crt_format fmt) {
+    _impl->set_x509_key(cert, key, fmt);
+}
+
+void tls::certificate_credentials::set_simple_pkcs12(const blob& b,
+        x509_crt_format fmt, const sstring& password) {
+    _impl->set_simple_pkcs12(b, fmt, password);
+}
+
+future<> tls::certificate_credentials::set_system_trust() {
+    _impl->_load_system_trust = true;
+    return make_ready_future<>();
+}
+
+void tls::certificate_credentials::set_cipher_string(const sstring& cipher_string) {
+    _impl->set_cipher_string(cipher_string);
+}
+
+void tls::certificate_credentials::set_ciphersuites(const sstring& ciphersuites) {
+    _impl->set_ciphersuites(ciphersuites);
+}
+
+void tls::certificate_credentials::enable_server_precedence() {
+    _impl->enable_server_precedence();
+}
+
+void tls::certificate_credentials::enable_tls_renegotiation() {
+    _impl->enable_tls_renegotiation();
+}
+
+void tls::certificate_credentials::set_minimum_tls_version(tls_version version) {
+    _impl->set_minimum_tls_version(version);
+}
+
+void tls::certificate_credentials::set_maximum_tls_version(tls_version version) {
+    _impl->set_maximum_tls_version(version);
+}
+
+void tls::certificate_credentials::set_dn_verification_callback(dn_callback cb) {
+    _impl->set_dn_verification_callback(std::move(cb));
+}
+
+void tls::certificate_credentials::set_enable_certificate_verification(bool enable) {
+    _impl->set_enable_certificate_verification(enable);
+}
+
+std::optional<std::vector<cert_info>> tls::certificate_credentials::get_cert_info() const noexcept {
+    if (_impl == nullptr) {
+        return std::nullopt;
+    }
+
+    try {
+        auto result = _impl->get_x509_info();
+        return result;
+    } catch (...) {
+        return std::nullopt;
+    }
+}
+
+std::optional<std::vector<cert_info>> tls::certificate_credentials::get_trust_list_info() const noexcept {
+    if (_impl == nullptr) {
+        return std::nullopt;
+    }
+
+    try {
+        auto result = _impl->get_x509_trust_list_info();
+        return result;
+    } catch (...) {
+        return std::nullopt;
+    }
+}
+
+void tls::certificate_credentials::enable_load_system_trust() {
+    _impl->_load_system_trust = true;
+}
+
+void tls::certificate_credentials::set_client_auth(client_auth ca) {
+    _impl->set_client_auth(ca);
+}
+
+void tls::certificate_credentials::set_session_resume_mode(session_resume_mode m, std::span<const uint8_t> key) {
+    _impl->set_session_resume_mode(m, key);
+}
+
+void tls::certificate_credentials::set_alpn_protocols(const std::vector<sstring>& protocols) {
+    _impl->set_alpn_protocols(protocols);
+}
+
+tls::server_credentials::server_credentials()
+    : server_credentials(dh_params{})
+{}
+
+tls::server_credentials::server_credentials(shared_ptr<dh_params> dh)
+    : server_credentials(*dh)
+{}
+
+tls::server_credentials::server_credentials(const dh_params& dh) {
+    _impl->dh_params(dh);
+}
+
+tls::server_credentials::server_credentials(server_credentials&&) noexcept = default;
+tls::server_credentials& tls::server_credentials::operator=(
+        server_credentials&&) noexcept = default;
+
+void tls::server_credentials::set_client_auth(client_auth ca) {
+    _impl->set_client_auth(ca);
+}
+
+void tls::server_credentials::set_session_resume_mode(session_resume_mode m) {
+    _impl->set_session_resume_mode(m);
+}
+
+void tls::server_credentials::set_alpn_protocols(const std::vector<sstring>& protocols) {
+    _impl->set_alpn_protocols(protocols);
+}
+
+namespace tls {
+
+std::vector<uint8_t> generate_session_ticket_key() {
+    session_ticket_keys keys;
+    keys.generate_keys();
+    return keys();
+}
+
+int session_ticket_cb(SSL * s, unsigned char key_name[16],
+                      unsigned char iv[EVP_MAX_IV_LENGTH],
+                      EVP_CIPHER_CTX * ctx, EVP_MAC_CTX *hctx, int enc);
+
+/**
+ * Session wraps an OpenSSL SSL session and context,
+ * and is the actual conduit for an TLS/SSL data flow.
+ *
+ * We use a connected_socket and its sink/source
+ * for IO. Note that we need to keep ownership
+ * of these, since we handle handshake etc.
+ *
+ * The implmentation below relies on OpenSSL, for the gnutls implementation
+ * see tls.cc and the CMake option 'Seastar_USE_OPENSSL'
+ */
+class session : public enable_shared_from_this<session>, public session_impl {
+public:
+    using buf_type = temporary_buffer<char>;
+    using frag_iter = net::fragment*;
+
+    static int select_alpn_protocol(SSL *ssl, const unsigned char **out,
+                        unsigned char *outlen, const unsigned char *client_protos,
+                        unsigned int client_proto_len, void* configured_protocols) {
+        const std::vector<unsigned char>& server_protos = *reinterpret_cast<std::vector<unsigned char>*>(configured_protocols);
+
+        auto result =  SSL_select_next_proto(const_cast<unsigned char **>(out), 
+            outlen, server_protos.data(), server_protos.size(), 
+            client_protos, client_proto_len);
+        if(result == OPENSSL_NPN_NEGOTIATED) {
+            return SSL_TLSEXT_ERR_OK;
+        } else if(result == OPENSSL_NPN_NO_OVERLAP) {
+            *outlen = 0;
+            *out = nullptr;
+            return SSL_TLSEXT_ERR_ALERT_FATAL;
+        } else {
+            *outlen = 0;
+            *out = nullptr;
+            return SSL_TLSEXT_ERR_NOACK;
+        }
+    }
+
+    session(session_type t, shared_ptr<tls::certificate_credentials> creds,
+            std::unique_ptr<net::connected_socket_impl> sock, tls_options options = {})
+      : _sock(std::move(sock))
+      , _local_address(fmt::to_string(_sock->local_address()))
+      , _remote_address(fmt::to_string(_sock->remote_address()))
+      , _creds(creds->_impl)
+      , _in(_sock->source())
+      , _out(_sock->sink())
+      , _in_sem(1)
+      , _out_sem(1)
+      , _options(std::move(options))
+      , _output_pending(make_ready_future<>())
+      , _ctx(make_ssl_context(t))
+      , _ssl([this]() {
+          auto ssl = SSL_new(_ctx.get());
+          if (!ssl) {
+              throw make_ossl_error("Failed to create SSL session");
+          }
+          return ssl;
+      }())
+      , _type(t) {
+        if (1 != SSL_set_ex_data(_ssl.get(), SSL_EX_DATA_SESSION, this)) {
+            throw make_ossl_error("Failed to set EX data for SSL session");
+        }
+        bio_ptr in_bio(BIO_new(get_method()));
+        bio_ptr out_bio(BIO_new(get_method()));
+        if (!in_bio || !out_bio) {
+            throw std::runtime_error("Failed to create BIOs");
+        }
+        if (1 != BIO_ctrl(in_bio.get(), BIO_C_SET_POINTER, 0, this)) {
+            throw make_ossl_error("Failed to set bio ptr to in bio");
+        }
+        if (1 != BIO_ctrl(out_bio.get(), BIO_C_SET_POINTER, 0, this)) {
+            throw make_ossl_error("Failed to set bio ptr to out bio");
+        }
+        // SSL_set_bio transfers ownership of the read and write bios to the SSL
+        // instance
+        SSL_set_bio(_ssl.get(), in_bio.release(), out_bio.release());
+
+        if (_type == session_type::SERVER) {
+            SSL_set_accept_state(_ssl.get());
+        } else {
+            if (!_options.server_name.empty()) {
+                SSL_set_tlsext_host_name(
+                  _ssl.get(), _options.server_name.c_str());
+            }
+            SSL_set_connect_state(_ssl.get());
+        }
+
+        if (_type == session_type::CLIENT && !_options.session_resume_data.empty()) {
+            auto data_ptr = std::as_const(_options.session_resume_data).data();
+            long data_size = _options.session_resume_data.size();
+            auto sess = ssl_session_ptr(d2i_SSL_SESSION(nullptr, &data_ptr, data_size));
+            if (!sess) {
+                throw make_ossl_error("Failed to decode SSL_SESSION data for session resumption");
+            }
+            if (1 != SSL_set_session(_ssl.get(), sess.get())) {
+                throw make_ossl_error("Failed to set SSL_SESSION on SSL for session resumption");
+            }
+        }
+        _options.session_resume_data.clear();
+    }
+
+    session(session_type t, shared_ptr<certificate_credentials> creds,
+            connected_socket sock,
+            tls_options options = {})
+            : session(t, std::move(creds), net::get_impl::get(std::move(sock)), options) {}
+
+    ~session() {
+        SEASTAR_ASSERT(_output_pending.available());
+    }
+
+    const char * get_type_string() const {
+        return _type == session_type::CLIENT ? "Client": "Server";
+    }
+
+    // This function waits for the _output_pending future to resolve
+    // If an error occurs, it is saved off into _error and returned
+    future<> wait_for_output() {
+        tls_log.trace("{} wait_for_output", *this);
+        return std::exchange(_output_pending, make_ready_future())
+          .handle_exception([this](auto ep) {
+              tls_log.debug("{} wait_for_output error: {}", *this, ep);
+              _error = ep;
+              return make_exception_future(ep);
+          });
+    }
+
+    template<std::derived_from<std::exception> T>
+    future<>
+    handle_output_error(T err) {
+        _error = std::make_exception_ptr(err);
+        return wait_for_output().then_wrapped([this, err](auto f) {
+            try {
+                f.get();
+                // output was ok/done, just generate error exception
+                return make_exception_future(_error);
+            } catch(...) {
+                std::throw_with_nested(err);
+            }
+        });
+    }
+
+    // Helper function for handling the SSL errors in do_put
+    future<stop_iteration> handle_do_put_ssl_err(const int ssl_err) {
+        switch(ssl_err) {
+        case SSL_ERROR_ZERO_RETURN:
+            // Indicates a hang up somewhere
+            // Mark _eof, ensure any output pending items complete,
+            // and stop iteration
+            _eof = true;
+            return wait_for_output().then([] {
+                return stop_iteration::yes;
+            });
+        case SSL_ERROR_WANT_READ:
+            // Wait for any outstanding writes to complete and then
+            // wait for input data to be available
+            return wait_for_output().then([this] {
+                return wait_for_input().then([] {
+                    return stop_iteration::no;
+                });
+            });
+        case SSL_ERROR_NONE:
+            // Should not have been reached in this situation
+            // Continue iteration
+            // Fallthrough as NONE and WANT_WRITE are handled the same
+            [[fallthrough]];
+        case SSL_ERROR_WANT_WRITE:
+            return wait_for_output().then([] {
+                return stop_iteration::no;
+            });
+        case SSL_ERROR_SYSCALL:
+        {
+            auto err = make_ossl_error("System error encountered during SSL write");
+            return handle_output_error(std::move(err)).then([] {
+                return stop_iteration::yes;
+            });
+        }
+        case SSL_ERROR_SSL: {
+            auto error_codes = get_all_ossl_errors();
+            if (contains_ossl_error(error_codes, ERR_LIB_SSL, SSL_R_UNEXPECTED_EOF_WHILE_READING)) {
+                // Probably shouldn't happen during a write, but
+                // let's handle this gracefully
+                _eof = true;
+                return make_ready_future<stop_iteration>(stop_iteration::yes);
+            }
+            auto err = make_ossl_error(
+                "Error occurred during SSL write", std::move(error_codes));
+            return handle_output_error(std::move(err)).then([] {
+                return stop_iteration::yes;
+            });
+        }
+        default:
+        {
+            // Some other unhandled situation
+            auto err = std::runtime_error(
+                "Unknown error encountered during SSL write");
+            return handle_output_error(std::move(err)).then([] {
+                return stop_iteration::yes;
+            });
+        }
+        }
+    }
+
+    // Called post locking of the _out_sem
+    // This function takes and holds the sempahore units for _out_sem and
+    // will attempt to send the provided packet.  If a renegotiation is needed
+    // any unprocessed part of the packet is returned.
+    future<> do_put(net::packet p) {
+        tls_log.trace("{} do_put", *this);
+        SEASTAR_ASSERT(_output_pending.available());
+        return do_with(std::move(p),
+            [this](net::packet& p) {
+                // This do_until runs until either a renegotiation occurs or the packet is empty
+                return do_until(
+                    [this, &p] { return eof() || p.len() == 0;},
+                    [this, &p]() mutable {
+                        std::string_view frag_view =
+                            {p.fragments().begin()->base, p.fragments().begin()->size};
+                        return repeat([this, frag_view, &p]() mutable {
+                            if (frag_view.empty()) {
+                                return make_ready_future<stop_iteration>(stop_iteration::yes);
+                            }
+                            size_t bytes_written = 0;
+                            auto write_rc = SSL_write_ex(
+                                _ssl.get(), frag_view.data(), frag_view.size(), &bytes_written);
+                            tls_log.trace("{} do_put: SSL_write_ex: {}", *this, write_rc);
+                            if (write_rc != 1) {
+                                const auto ssl_err = SSL_get_error(_ssl.get(), write_rc);
+                                tls_log.trace("{} do_put: SSL_get_error: {}", *this, ssl_err);
+                                return handle_do_put_ssl_err(ssl_err);
+                            } else {
+                                tls_log.trace("{} do_put: bytes_written: {}", *this, bytes_written);
+                                frag_view.remove_prefix(bytes_written);
+                                p.trim_front(bytes_written);
+                                return wait_for_output().then([] {
+                                    return stop_iteration::no;
+                                });
+                            }
+                        });
+                    }
+                );
+            }
+        );
+    }
+
+    // Used to push unencrypted data through OpenSSL, which will
+    // encrypt it and then place it into the output bio.
+    future<> put(net::packet p) override {
+        tls_log.trace("{} put", *this);
+        constexpr size_t openssl_max_record_size = 16 * 1024;
+        if (_error) {
+            return make_exception_future(_error);
+        }
+        if (_shutdown) {
+            return make_exception_future<>(
+              std::system_error(EPIPE, std::system_category()));
+        }
+        if (!connected()) {
+            tls_log.trace("{} put: not connected, performing handshake", *this);
+            return handshake().then(
+              [this, p = std::move(p)]() mutable { return put(std::move(p)); });
+        }
+
+        // We want to make sure that we write to the underlying bio with as large
+        // packets as possible. This is because eventually this translates to a
+        // sendmsg syscall. Further it results in larger TLS records which makes
+        // encryption/decryption faster. Hence to avoid cases where we would do
+        // an extra syscall for something like a 100 bytes header we linearize the
+        // packet if it's below the max TLS record size.
+        if (p.nr_frags() > 1 && p.len() <= openssl_max_record_size) {
+            p.linearize();
+        }
+        return with_semaphore(_out_sem, 1, [this, p = std::move(p)]() mutable {
+            return do_put(std::move(p));
+        });
+    }
+
+    // Called after locking the _in_sem and _out_sem semaphores.
+    // This function will walk through the handshake with a remote peer
+    // If EOF is encountered, ENOTCONN is thrown
+    future<> do_handshake() {
+        tls_log.trace("{} do_handshake", *this);
+        if (eof()) {
+            tls_log.trace("{} do_handshake: eof encountered", *this);
+            // if we have experienced and eof, set the error and return
+            // GnuTLS will probably return GNUTLS_E_PREMATURE_TERMINATION
+            // from gnutls_handshake in this situation.
+            _error = std::make_exception_ptr(std::system_error(
+              ENOTCONN,
+              std::system_category(),
+              "EOF encountered during handshake"));
+            return make_exception_future(_error);
+        } else if (connected()) {
+            tls_log.trace("{} do_handshake: already connected", *this);
+            return make_ready_future<>();
+        }
+        return do_until(
+            [this] { return connected() || eof(); },
+            [this] {
+                try {
+                    auto n = SSL_do_handshake(_ssl.get());
+                    tls_log.trace("{} do_handshake: SSL_do_handshake: {}", *this, n);
+                    if (n <= 0) {
+                        auto ssl_error = SSL_get_error(_ssl.get(), n);
+                        tls_log.trace("{} do_handshake: SSL_get_error: {}", *this, ssl_error);
+                        switch(ssl_error) {
+                        case SSL_ERROR_NONE:
+                        // probably shouldn't have gotten here
+                            break;
+                        case SSL_ERROR_ZERO_RETURN:
+                            // peer has closed
+                            _eof = true;
+                            break;
+                        case SSL_ERROR_WANT_WRITE:
+                            return wait_for_output();
+                        case SSL_ERROR_WANT_READ:
+                            return wait_for_output().then([this] {
+                                return wait_for_input();
+                            });
+                        case SSL_ERROR_SYSCALL:
+                        {
+                            auto err = make_ossl_error("System error during handshake");
+                            return handle_output_error(std::move(err));
+                        }
+                        case SSL_ERROR_SSL:
+                        {
+                            auto error_codes = get_all_ossl_errors();
+                            tls_log.debug("{} do_handshake: errors: {}", *this, error_codes);
+                            if (contains_ossl_error(error_codes, ERR_LIB_SSL, SSL_R_UNEXPECTED_EOF_WHILE_READING)) {
+                                // peer has closed
+                                _eof = true;
+                                return make_ready_future<>();
+                            }
+
+                            if (contains_ossl_error(error_codes, ERR_LIB_SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE) ||
+                                contains_ossl_error(error_codes, ERR_LIB_SSL, SSL_R_CERTIFICATE_VERIFY_FAILED) ||
+                                contains_ossl_error(error_codes, ERR_LIB_SSL, SSL_R_NO_CERTIFICATES_RETURNED)) {
+                                verify();
+                                // Verify may throw, but if not fall through and make a generic error
+                            }
+                            auto err = make_ossl_error("Failed to establish SSL handshake", std::move(error_codes));
+                            return handle_output_error(std::move(err));
+                        }
+                        default:
+                            auto err = std::runtime_error(
+                            "Unknown error encountered during handshake");
+                            return handle_output_error(std::move(err));
+                        }
+                    } else {
+                        if (_type == session_type::CLIENT
+                            || _creds->get_client_auth() != client_auth::NONE) {
+                            verify();
+                        }
+                        return wait_for_output();
+                    }
+                } catch(...) {
+                    return make_exception_future<>(std::current_exception());
+                }
+                return make_ready_future<>();
+            }
+        );
+    }
+
+    // This function will attempt to pull data off of the _in stream
+    // if there isn't already data needing to be processed first.
+    future<> wait_for_input() {
+        tls_log.trace("{} wait_for_input", *this);
+        // If we already have data, then it needs to be processed
+        if (!_input.empty()) {
+            tls_log.trace("{} wait_for_input: input not empty", *this);
+            return make_ready_future();
+        }
+        return _in.get()
+          .then([this](buf_type buf) {
+              // Set EOF if it's empty
+              tls_log.debug("{} wait_for_input: buffer is {}empty", *this, buf.empty() ? "": "not ");
+              _eof |= buf.empty();
+              _input = std::move(buf);
+          })
+          .handle_exception([this](auto ep) {
+              tls_log.debug("{} wait_for_input: exception: {}", *this, ep);
+              _error = ep;
+              return make_exception_future(ep);
+          });
+    }
+
+    // Called after locking the _in_sem semaphore
+    // This function attempts to pull unencrypted data off of the
+    // SSL session using SSL_read.  If ther eis no data, then
+    // we will call perform_pull and wait for data to arrive.
+    future<buf_type> do_get() {
+        tls_log.trace("{} do_get", *this);
+        // Data is available to be pulled of the SSL session if there is pending
+        // data on the SSL session or there is data in the in_bio() which SSL reads
+        // from
+        auto data_to_pull = (BIO_ctrl_pending(in_bio()) + SSL_pending(_ssl.get())) > 0;
+        auto f = make_ready_future<>();
+        if (!data_to_pull) {
+            tls_log.trace("{} do_get: no data to pull, waiting for input", *this);
+            // If nothing is in the SSL buffers then we may have to wait for
+            // data to come in
+            f = wait_for_input();
+        }
+        return f.then([this] {
+            if (eof()) {
+                return make_ready_future<buf_type>();
+            }
+            auto avail = BIO_ctrl_pending(in_bio()) + SSL_pending(_ssl.get());
+            tls_log.trace("{} do_get: available: {}", *this, avail);
+            buf_type buf(avail);
+            size_t bytes_read = 0;
+            auto read_result = SSL_read_ex(
+              _ssl.get(), buf.get_write(), avail, &bytes_read);
+            tls_log.trace("{} do_get: SSL_read_ex: {}", *this, read_result);
+            tls_log.trace("{} do_get: SSL_read_ex bytes_ready: {}", *this, bytes_read);
+            if (read_result != 1) {
+                const auto ssl_err = SSL_get_error(_ssl.get(), read_result);
+                tls_log.trace("{} do_get: SSL_get_error: {}", *this, ssl_err);
+                switch (ssl_err) {
+                case SSL_ERROR_ZERO_RETURN:
+                    // Remote end has closed
+                    _eof = true;
+                    [[fallthrough]];
+                case SSL_ERROR_NONE:
+                    // well we shouldn't be here at all
+                    return make_ready_future<buf_type>();
+                case SSL_ERROR_WANT_WRITE:
+                    // OpenSSL needs to send data over the wire before it can read
+                    return wait_for_output().then([this] { return do_get(); });
+                case SSL_ERROR_WANT_READ:
+                    // OpenSSL needs to read data off of the write to process
+                    // SSL_read.  Send any data waiting to go out and then wait for input
+                    return wait_for_output().then([this] {
+                        return wait_for_input().then([this] {
+                            return do_get();
+                        });
+                    });
+                case SSL_ERROR_SYSCALL:
+                    if (ERR_peek_error() == 0) {
+                        // SSL_get_error
+                        // (https://www.openssl.org/docs/man3.0/man3/SSL_get_error.html)
+                        // states that on OpenSSL versions prior to 3.0, an
+                        // SSL_ERROR_SYSCALL with nothing on the stack and errno
+                        // == 0 indicates EOF but future versions should report
+                        // SSL_ERROR_SSL with SSL_R_UNEXPECTED_EOF_WHILE_READING
+                        // on the stack.  However we are seeing situations on
+                        // OpenSSL versions 3.0.9 and 3.0.14 where SSL_ERROR_SYSCALL
+                        // is returned and errno == 0 and the stack is empty.
+                        // We will treat this as EOF
+                        _eof = true;
+                        return make_ready_future<buf_type>();
+                    }
+                    _error = std::make_exception_ptr(
+                        make_ossl_error("System error during SSL read"));
+                    return make_exception_future<buf_type>(_error);
+                case SSL_ERROR_SSL:
+                    {
+                        auto error_codes = get_all_ossl_errors();
+                        if (contains_ossl_error(error_codes, ERR_LIB_SSL, SSL_R_UNEXPECTED_EOF_WHILE_READING)) {
+                            // in this situation, the remote end hung up
+                            _eof = true;
+                            return make_ready_future<buf_type>();
+                        }
+                        _error = std::make_exception_ptr(
+                          make_ossl_error(
+                            "Failure during processing SSL read", std::move(error_codes)));
+                        return make_exception_future<buf_type>(_error);
+                    }
+                default:
+                    _error = std::make_exception_ptr(std::runtime_error(
+                      "Unexpected error condition during SSL read"));
+                    return make_exception_future<buf_type>(_error);
+                }
+            } else {
+                buf.trim(bytes_read);
+                return make_ready_future<buf_type>(std::move(buf));
+            }
+        });
+    }
+
+    // Called by user applications to pull data off of the TLS session
+    future<buf_type> get() override {
+        tls_log.trace("{} get", *this);
+        if (_error) {
+            return make_exception_future<buf_type>(_error);
+        }
+        if (_shutdown || eof()) {
+            return make_ready_future<buf_type>(buf_type());
+        }
+        if (!connected()) {
+            tls_log.trace("{} get: not connected, performing handshake", *this);
+            return handshake().then([this] { return get(); });
+        }
+        return with_semaphore(_in_sem, 1, [this] {
+            return do_get();
+        });
+    }
+
+    // Performs shutdown
+    future<> do_shutdown() {
+        tls_log.trace("{} do_shutdown", *this);
+        if (_error || !connected()) {
+            tls_log.trace("{} do_shutdown: error exists or not connected", *this);
+            return make_ready_future();
+        }
+
+        auto res = SSL_shutdown(_ssl.get());
+        tls_log.trace("{} do_shutdown: SSL_shutdown: {}", *this, res);
+        if (res == 1) {
+            return wait_for_output();
+        } else if (res == 0) {
+            return yield().then([this] { return do_shutdown(); });
+        } else {
+            auto ssl_err = SSL_get_error(_ssl.get(), res);
+            tls_log.trace("{} do_shutdown: SSL_get_error: {}", *this, ssl_err);
+            switch (ssl_err) {
+            case SSL_ERROR_NONE:
+                // this is weird, yield and try again
+                return yield().then([this] { return do_shutdown(); });
+            case SSL_ERROR_ZERO_RETURN:
+                // Looks like the other end is done, so let's just assume we're
+                // done as well
+                return wait_for_output();
+            case SSL_ERROR_WANT_READ:
+            case SSL_ERROR_WANT_WRITE:
+                return wait_for_output().then([this, ssl_err] {
+                    // In neither case do we actually want to pull data off of the socket (yet)
+                    // If we initiate the shutdown, then we just send the shutdown alert and wait
+                    // for EOF (outside of this function)
+                    if (ssl_err == SSL_ERROR_WANT_READ) {
+                        return make_ready_future();
+                    } else {
+                        return do_shutdown();
+                    }
+                });
+            case SSL_ERROR_SYSCALL:
+            {
+                auto err = make_ossl_error("System error during shutdown");
+                return handle_output_error(std::move(err));
+            }
+            case SSL_ERROR_SSL:
+            {
+                auto error_codes = get_all_ossl_errors();
+                if (contains_ossl_error(error_codes, ERR_LIB_SSL, SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY)) {
+                    // This may have resulted in a race condition where we receive a packet immediately after
+                    // sending out the close notify alert.  In this situation, retry shutdown silently
+                    return yield().then([this] { return do_shutdown(); });
+                }
+                auto err = make_ossl_error(
+                    "Error occurred during SSL shutdown", std::move(error_codes));
+                return handle_output_error(std::move(err));
+            }
+            default:
+            {
+                auto err = std::runtime_error(
+                  "Unknown error occurred during SSL shutdown");
+                return handle_output_error(std::move(err));
+            }
+            }
+        }
+    }
+
+    void verify() {
+        tls_log.trace("{} verify", *this);
+        if (!_creds->_enable_certificate_verification) {
+            tls_log.debug("{} verify: certificate verification disabled, skipping", *this);
+            return;
+        }
+        // A success return code (0) does not signify if a cert was presented or not, that
+        // must be explicitly queried via SSL_get_peer_certificate
+        auto res = SSL_get_verify_result(_ssl.get());
+        tls_log.trace("{} verify: SSL_get_verify_result: {}", *this, res);
+        if (res != X509_V_OK) {
+            auto stat_cstr(X509_verify_cert_error_string(res));
+            auto dn = extract_dn_information(is_verification_error::yes);
+            if (dn) {
+                sstring stat_str{stat_cstr};
+                boost::algorithm::trim(stat_str);
+                throw verification_error(fmt::format(
+                    R"|({} (Issuer=["{}"], Subject=["{}"]))|",
+                    stat_str,
+                    dn->issuer,
+                    dn->subject));
+            }
+            throw verification_error(stat_cstr);
+        } else if (SSL_get0_peer_certificate(_ssl.get()) == nullptr) {
+            tls_log.trace("{} verify: No peer certificate", *this);
+            // If a peer certificate was not presented,
+            // SSL_get_verify_result will return X509_V_OK:
+            // https://www.openssl.org/docs/man3.0/man3/SSL_get_verify_result.html
+            if (
+              _type == session_type::SERVER
+              && _creds->get_client_auth() == client_auth::REQUIRE) {
+                throw verification_error("no certificate presented by peer");
+            }
+            return;
+        }
+
+        if (_creds->_dn_callback) {
+            auto dn = extract_dn_information();
+            SEASTAR_ASSERT(dn.has_value());
+            _creds->_dn_callback(
+              _type, std::move(dn->subject), std::move(dn->issuer));
+        }
+    }
+
+    bool eof() const {
+        return _eof;
+    }
+
+    bool connected() const {
+        return SSL_is_init_finished(_ssl.get());
+    }
+
+    // This function waits for eof() to occur on the input stream
+    // Unless wait_for_eof_on_shutdown is false
+    future<> wait_for_eof() {
+        tls_log.trace("{} wait_for_eof", *this);
+        if (!_options.wait_for_eof_on_shutdown) {
+            // Seastar option to allow users to just bypass EOF waiting
+            return make_ready_future();
+        }
+        return with_semaphore(_in_sem, 1, [this] {
+            if (_error || !connected()) {
+                return make_ready_future();
+            }
+            return do_until(
+                [this] { return eof(); },
+                [this] { return do_get().discard_result(); });
+        }).finally([this] {
+            tls_log.trace("{} wait_for_eof: complete", *this);
+        });
+    }
+
+    // This function is called to kick off the handshake.  It will obtain
+    // locks on the _in_sem and _out_sem semaphores and start the handshake.
+    future<> handshake() {
+        tls_log.trace("{} handshake", *this);
+        if (_creds->need_load_system_trust()) {
+            if (!SSL_CTX_set_default_verify_paths(_ctx.get())) {
+                throw make_ossl_error(
+                  "Could not load system trust");
+            }
+            _creds->set_load_system_trust(false);
+        }
+
+        return with_semaphore(_in_sem, 1, [this] {
+            return with_semaphore(_out_sem, 1, [this] {
+                return do_handshake().handle_exception([this](auto ep) {
+                    if (!_error) {
+                        _error = ep;
+                    }
+                    return make_exception_future<>(_error);
+                });
+            });
+        });
+    }
+
+    future<> shutdown() {
+        tls_log.trace("{} shutdown", *this);
+        // first, make sure any pending write is done.
+        // bye handshake is a flush operation, but this
+        // allows us to not pay extra attention to output state
+        //
+        // we only send a simple "bye" alert packet. Then we
+        // read from input until we see EOF. Any other reader
+        // before us will get it instead of us, and mark _eof = true
+        // in which case we will be no-op. This is performed all
+        // within do_shutdown
+        return with_semaphore(_out_sem, 1, [this] {
+                                return do_shutdown();
+                              }).then([this] {
+                                return wait_for_eof();
+                              }).finally([me = shared_from_this()]{});
+        // note moved finally clause above. It is theorethically possible
+        // that we could complete do_shutdown just before the close calls
+        // below, get pre-empted, have "close()" finish, get freed, and
+        // then call wait_for_eof on stale pointer.
+    }
+
+    void close() noexcept override {
+        tls_log.trace("{} close", *this);
+        // only do once.
+        if (!std::exchange(_shutdown, true)) {
+            tls_log.trace("{} close: performing shutdown", *this);
+            // running in background. try to bye-handshake us nicely, but after 10s we forcefully close.
+            engine().run_in_background(with_timeout(
+              timer<>::clock::now() + std::chrono::seconds(10), shutdown())
+              .finally([this] {
+                  _eof = true;
+                  return _in.close();
+              }).finally([this] {
+                  return _out.close();
+              }).finally([this] {
+                  // make sure to wait for handshake attempt to leave semaphores. Must be in same order as
+                  // handshake aqcuire, because in worst case, we get here while a reader is attempting
+                  // re-handshake.
+                  return with_semaphore(_in_sem, 1, [this] {
+                      return with_semaphore(_out_sem, 1, [] { });
+                  });
+              }).handle_exception([me = shared_from_this()](std::exception_ptr){
+              }).discard_result());
+        }
+    }
+    // helper for sink
+    future<> flush() noexcept override {
+        return with_semaphore(_out_sem, 1, [this] { return _out.flush(); });
+    }
+
+    seastar::net::connected_socket_impl& socket() const override {
+        return *_sock;
+    }
+
+    future<std::optional<session_dn>> get_distinguished_name(dn_format format) override {
+        using result_t = std::optional<session_dn>;
+        if (_error) {
+            return make_exception_future<result_t>(_error);
+        }
+        if (_shutdown) {
+            return make_exception_future<result_t>(
+              std::system_error(ENOTCONN, std::system_category()));
+        }
+        if (!connected()) {
+            return handshake().then(
+              [this, format]() mutable { return get_distinguished_name(format); });
+        }
+        result_t dn = extract_dn_information(is_verification_error::no, format);
+        return make_ready_future<result_t>(std::move(dn));
+    }
+
+    future<std::vector<subject_alt_name>> get_alt_name_information(
+      std::unordered_set<subject_alt_name_type> types) override {
+        using result_t = std::vector<subject_alt_name>;
+
+        if (_error) {
+            return make_exception_future<result_t>(_error);
+        }
+        if (_shutdown) {
+            return make_exception_future<result_t>(
+              std::system_error(ENOTCONN, std::system_category()));
+        }
+        if (!connected()) {
+            return handshake().then([this, types = std::move(types)]() mutable {
+                return get_alt_name_information(std::move(types));
+            });
+        }
+
+        const auto peer_cert = get_peer_certificate();
+        if (!peer_cert) {
+            return make_ready_future<result_t>();
+        }
+        return make_ready_future<result_t>(
+          do_get_alt_name_information(peer_cert, types));
+    }
+
+    template<typename Func, typename... Args>
+    auto state_checked_access(Func&& f, Args&& ...args) {
+        using future_type = typename futurize<std::invoke_result_t<Func, Args...>>::type;
+        using result_t = typename future_type::value_type;
+        if (_error) {
+            return make_exception_future<result_t>(_error);
+        }
+        if (_shutdown) {
+            return make_exception_future<result_t>(std::system_error(ENOTCONN, std::system_category()));
+        }
+        if (!connected()) {
+            return handshake().then([this, f = std::move(f), ...args = std::forward<Args>(args)]() mutable {
+                return session::state_checked_access(std::move(f), std::forward<Args>(args)...);
+            });
+        }
+        return futurize_invoke(f, std::forward<Args>(args)...);
+    }
+
+    future<sstring> get_cipher_suite() override {
+        return state_checked_access([this] {
+            const SSL_CIPHER* cipher = SSL_get_current_cipher(_ssl.get());
+            const char* iana_name = SSL_CIPHER_standard_name(cipher);
+            return sstring{iana_name ? iana_name : SSL_CIPHER_get_name(cipher)};
+        });
+    }
+
+    future<sstring> get_protocol_version() override {
+        return state_checked_access([this] {
+            int ver = SSL_version(_ssl.get());
+            switch (ver) {
+                case TLS1_3_VERSION: return sstring{"TLS1.3"};
+                case TLS1_2_VERSION: return sstring{"TLS1.2"};
+                case TLS1_1_VERSION: return sstring{"TLS1.1"};
+                case TLS1_VERSION:   return sstring{"TLS1.0"};
+                case SSL3_VERSION:   return sstring{"SSL3.0"};
+                default: return sstring{SSL_get_version(_ssl.get())};
+            }
+        });
+    }
+
+    future<bool> is_resumed() override {
+        return state_checked_access([this] {
+            return SSL_session_reused(_ssl.get()) == 1;
+        });
+    }
+
+    future<session_data> get_session_resume_data() override {
+        return state_checked_access([this] {
+            // get0 does not increment reference counter so no clean up necessary
+            auto sess = SSL_get0_session(_ssl.get());
+            if (!sess || 0 == SSL_SESSION_is_resumable(sess)) {
+                return session_data{};
+            }
+            auto len = i2d_SSL_SESSION(sess, nullptr);
+            if (len == 0) {
+                return session_data{};
+            }
+            session_data data(len);
+            auto data_ptr = data.data();
+            i2d_SSL_SESSION(sess, &data_ptr);
+            return data;
+        });
+    }
+
+    const sstring& local_address() const noexcept {
+        return _local_address;
+    }
+
+    const sstring& remote_address() const noexcept {
+        return _remote_address;
+    }
+
+private:
+    std::vector<subject_alt_name> do_get_alt_name_information(const x509_ptr &peer_cert,
+                                                              const std::unordered_set<subject_alt_name_type> &types) const {
+        int ext_idx = X509_get_ext_by_NID(
+          peer_cert.get(), NID_subject_alt_name, -1);
+        if (ext_idx < 0) {
+            return {};
+        }
+        auto ext = X509_get_ext(peer_cert.get(), ext_idx);
+        if (!ext) {
+            return {};
+        }
+        auto names = general_names_ptr(static_cast<GENERAL_NAMES*>(X509V3_EXT_d2i(ext)));
+        if (!names) {
+            return {};
+        }
+        int num_names = sk_GENERAL_NAME_num(names.get());
+        std::vector<subject_alt_name> alt_names;
+        alt_names.reserve(num_names);
+
+        for (auto i = 0; i < num_names; i++) {
+            GENERAL_NAME* name = sk_GENERAL_NAME_value(names.get(), i);
+            if (auto known_t = field_to_san_type(name)) {
+                if (types.empty() || types.count(known_t->type)) {
+                    alt_names.push_back(std::move(*known_t));
+                }
+            }
+        }
+        return alt_names;
+    }
+
+    std::optional<subject_alt_name> field_to_san_type(GENERAL_NAME* name) const {
+        subject_alt_name san;
+        switch(name->type) {
+            case GEN_IPADD:
+            {
+                san.type = subject_alt_name_type::ipaddress;
+                const auto* data = ASN1_STRING_get0_data(name->d.iPAddress);
+                const auto size = ASN1_STRING_length(name->d.iPAddress);
+                if (size == sizeof(::in_addr)) {
+                    ::in_addr addr;
+                    memcpy(&addr, data, size);
+                    san.value = net::inet_address(addr);
+                } else if (size == sizeof(::in6_addr)) {
+                    ::in6_addr addr;
+                    memcpy(&addr, data, size);
+                    san.value = net::inet_address(addr);
+                } else {
+                    throw std::runtime_error(fmt::format("Unexpected size: {} for ipaddress alt name value", size));
+                }
+                break;
+            }
+            case GEN_EMAIL:
+            {
+                san.type = subject_alt_name_type::rfc822name;
+                san.value = asn1_str_to_str(name->d.rfc822Name);
+                break;
+            }
+            case GEN_URI:
+            {
+                san.type = subject_alt_name_type::uri;
+                san.value = asn1_str_to_str(name->d.uniformResourceIdentifier);
+                break;
+            }
+            case GEN_DNS:
+            {
+                san.type = subject_alt_name_type::dnsname;
+                san.value = asn1_str_to_str(name->d.dNSName);
+                break;
+            }
+            case GEN_OTHERNAME:
+            {
+                san.type = subject_alt_name_type::othername;
+                san.value = asn1_str_to_str(name->d.dNSName);
+                break;
+            }
+            case GEN_DIRNAME:
+            {
+                san.type = subject_alt_name_type::dn;
+                auto dirname = get_dn_string(name->d.directoryName);
+                if (!dirname) {
+                    throw std::runtime_error("Expected non null value for SAN dirname");
+                }
+                san.value = std::move(*dirname);
+                break;
+            }
+            default:
+                return std::nullopt;
+        }
+        return san;
+    }
+
+    x509_ptr get_peer_certificate() const {
+        return x509_ptr{SSL_get1_peer_certificate(_ssl.get())};
+    }
+
+    future<std::vector<certificate_data>> get_peer_certificate_chain() override {
+        return state_checked_access([this] {
+            std::vector<certificate_data> res;
+            if(_type == session_type::SERVER) {
+                // obtain peer certificate if the method is called on the server side
+                auto peer_cert = get_peer_certificate();
+                if (peer_cert) {
+                    auto data = get_der_certificate_data(peer_cert.get());
+                    if(!data.empty()) {
+                        res.emplace_back(std::move(data));
+                    }
+                }
+            }
+            auto chain = SSL_get_peer_cert_chain(_ssl.get());
+            if (chain == nullptr) {
+                return res;
+            }
+            for (int i = 0; i < sk_X509_num(chain); ++i) {
+                X509 *cert = sk_X509_value(chain, i);
+                auto data = get_der_certificate_data(cert);
+                if(!data.empty()) {
+                    res.emplace_back(std::move(data));
+                }
+            }
+            return res;
+        });
+    }
+
+    future<std::optional<sstring>> get_selected_alpn_protocol() override {
+        return state_checked_access([this]() -> std::optional<sstring> {
+            const unsigned char *data = nullptr;
+            unsigned int len = 0;
+            SSL_get0_alpn_selected(_ssl.get(), &data, &len);
+            if(len > 0) {
+                return std::make_optional<sstring>(reinterpret_cast<const char*>(data), len);
+            }
+            return std::nullopt;
+        });
+    }
+
+    using is_verification_error = bool_class<struct is_verification_error_tag>;
+
+    std::optional<session_dn> extract_dn_information(is_verification_error verification_error = is_verification_error::no, dn_format format = dn_format::legacy) const {
+        const auto peer_cert = [this, verification_error]{
+            if (verification_error) {
+                // If we are attempting to get a DN from a cert that failed verification, then
+                // SSL_get1_peer_certificate will not return any certificate.  Instead we will
+                // rely on the verification callback to track certs and it should be looking at
+                // the cert that failed verification
+                return _creds->get_last_cert();
+            } else {
+                return get_peer_certificate();
+            }
+        }();
+        if (!peer_cert) {
+            return std::nullopt;
+        }
+        auto subject = get_dn_string(X509_get_subject_name(peer_cert.get()), format);
+        auto issuer = get_dn_string(X509_get_issuer_name(peer_cert.get()), format);
+        if (!subject || !issuer) {
+            throw make_ossl_error(
+              "error while extracting certificate DN strings");
+        }
+        return session_dn{
+          .subject = std::move(*subject), .issuer = std::move(*issuer)};
+    }
+
+    ssl_ctx_ptr make_ssl_context(session_type type) {
+        auto ssl_ctx = ssl_ctx_ptr(SSL_CTX_new(TLS_method()));
+        if (!ssl_ctx) {
+            throw make_ossl_error(
+              "Failed to initialize SSL context");
+        }
+        const auto& ck_pair = _creds->get_certkey_pair();
+        if (type == session_type::SERVER) {
+            if (!ck_pair) {
+                throw make_ossl_error(
+                  "Cannot start session without cert/key pair for server");
+            }
+            switch (_creds->get_client_auth()) {
+            case client_auth::NONE:
+            default:
+                SSL_CTX_set_verify(ssl_ctx.get(), SSL_VERIFY_NONE, nullptr);
+                break;
+            case client_auth::REQUEST:
+                SSL_CTX_set_verify(ssl_ctx.get(), SSL_VERIFY_PEER, nullptr);
+                break;
+            case client_auth::REQUIRE:
+                SSL_CTX_set_verify(
+                  ssl_ctx.get(),
+                  SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+                  nullptr);
+                break;
+            }
+
+            auto options = SSL_OP_ALL;
+            if (_creds->is_server_precedence_enabled()) {
+                options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+            }
+
+            if (_creds->is_tls_renegotiation_enabled()) {
+                options |= SSL_OP_ALLOW_CLIENT_RENEGOTIATION;
+            }
+
+            SSL_CTX_set_options(ssl_ctx.get(), options);
+
+            switch(_creds->get_session_resume_mode()) {
+                case session_resume_mode::NONE:
+                    SSL_CTX_set_session_cache_mode(ssl_ctx.get(), SSL_SESS_CACHE_OFF);
+                    break;
+                case session_resume_mode::TLS13_SESSION_TICKET:
+                    // By default, SSL contexts have server size cache enabled
+                    if (1 != SSL_CTX_set_tlsext_ticket_key_evp_cb(ssl_ctx.get(), &session_ticket_cb)) {
+                        throw make_ossl_error("Failed to set session ticket callback function");
+                    }
+                    break;
+            }
+        } else {
+            if (_creds->is_server_precedence_enabled()) {
+                SSL_CTX_set_options(ssl_ctx.get(), SSL_OP_CIPHER_SERVER_PREFERENCE);
+            }
+        }
+
+        auto& min_tls_version = _creds->minimum_tls_version();
+        auto& max_tls_version = _creds->maximum_tls_version();
+
+        if (min_tls_version.has_value()) {
+            if (!SSL_CTX_set_min_proto_version(ssl_ctx.get(),
+                tls_version_to_ossl(*min_tls_version))) {
+                throw make_ossl_error(
+                    fmt::format("Failed to set minimum TLS version to {}",
+                        *min_tls_version));
+            }
+        }
+
+        if (max_tls_version.has_value()) {
+            if (!SSL_CTX_set_max_proto_version(ssl_ctx.get(),
+                tls_version_to_ossl(*max_tls_version))) {
+                    throw make_ossl_error(
+                        fmt::format("Failed to set maximum TLS version to {}",
+                            *max_tls_version));
+            }
+        }
+
+        auto get_security_level = [&ssl_ctx]() {
+            // If 3.0.0 <= OpenSSL Version < 3.1.0 then:
+            // TLS1.0 is disabled at level 3 and TLS1.1 is disabled at level4
+            // If 3.1.0 <= OpenSSL Version, then TLS1.0 and 1.2 are disabled at level 1
+            #if OPENSSL_VERSION_NUMBER >= 0x30000000 && OPENSSL_VERSION_NUMBER < 0x30100000
+            // To get around the unused capture error
+            (void)ssl_ctx;
+            // Going above level 1 prevents the use of 1k RSA keys.
+            // To maintain key compatability between OpenSSL versions,
+            // only return 1 when using OpenSSL version 3.0
+            return 1;
+            #elif OPENSSL_VERSION_NUMBER >= 0x30100000
+            auto min_version = SSL_CTX_get_min_proto_version(ssl_ctx.get());
+            switch(min_version) {
+                case SSL3_VERSION:
+                case TLS1_VERSION:
+                case TLS1_1_VERSION:
+                case DTLS1_VERSION:
+                    return 0;
+                default:
+                    return 1;
+            }
+            #else
+            #error "Unsupported OpenSSL Version"
+            #endif
+        };
+
+        SSL_CTX_set_security_level(ssl_ctx.get(), get_security_level());
+
+        // Servers must supply both certificate and key, clients may
+        // optionally use these
+        if (ck_pair) {
+            if (!SSL_CTX_use_cert_and_key(
+                  ssl_ctx.get(),
+                  ck_pair.cert.get(),
+                  ck_pair.key.get(),
+                  nullptr,
+                  1)) {
+                throw make_ossl_error(
+                  "Failed to load cert/key pair");
+            }
+        }
+        // Increments the reference count of *_creds, now should have a
+        // total ref count of two, will be deallocated when both OpenSSL and
+        // the certificate_manager call X509_STORE_free
+        SSL_CTX_set1_cert_store(ssl_ctx.get(), *_creds);
+
+        if (!_creds->get_cipher_string().empty()) {
+            if (SSL_CTX_set_cipher_list(ssl_ctx.get(),
+                    _creds->get_cipher_string().c_str()) != 1) {
+                throw make_ossl_error(
+                    fmt::format(
+                        "Failed to set cipher string '{}'", _creds->get_cipher_string()));
+            }
+        }
+
+        if (!_creds->get_ciphersuites().empty()) {
+            if (SSL_CTX_set_ciphersuites(ssl_ctx.get(), _creds->get_ciphersuites().c_str()) != 1) {
+                throw make_ossl_error(
+                    fmt::format(
+                        "Failed to set ciphersuites '{}'", _creds->get_ciphersuites()));
+            }
+        }
+        const auto& alpn_protocols = type == session_type::CLIENT ? _options.alpn_protocols : _creds->_alpn_protocols;
+        // ALPN setup
+        if(!alpn_protocols.empty()) {
+            // Build the ALPN protocol data in the format expected by OpenSSL
+            // The format is a sequence of length-prefixed strings
+            _alpn_protocols = make_ossl_alpn_proto_data(alpn_protocols);
+            if(type == session_type::CLIENT) {
+                auto err = SSL_CTX_set_alpn_protos(ssl_ctx.get(),
+                    _alpn_protocols.data(), _alpn_protocols.size());
+                if (err != 0) {
+                    throw make_ossl_error(fmt::format("Failed to set ALPN protocols - error: {}", err));
+                }
+            } else {
+                SSL_CTX_set_alpn_select_cb(ssl_ctx.get(), select_alpn_protocol, &_alpn_protocols);
+            }
+        }
+
+
+        return ssl_ctx;
+    }
+
+    static std::optional<sstring> get_dn_string(X509_NAME* name, dn_format format = dn_format::legacy) {
+        auto out = bio_ptr(BIO_new(BIO_s_mem()));
+        unsigned long flags = [](dn_format format) {
+            switch(format) {
+            case dn_format::rfc2253:
+                return XN_FLAG_RFC2253;
+            case dn_format::legacy:
+                return ASN1_STRFLGS_RFC2253 | XN_FLAG_SEP_COMMA_PLUS | XN_FLAG_FN_SN | XN_FLAG_DUMP_UNKNOWN_FIELDS;
+            }
+            __builtin_unreachable();
+        }(format);
+        if (-1 == X509_NAME_print_ex(out.get(), name, 0, flags)) {
+            return std::nullopt;
+        }
+        char* bio_ptr = nullptr;
+        auto len = BIO_get_mem_data(out.get(), &bio_ptr);
+        if (len < 0) {
+            throw make_ossl_error("Failed to allocate DN string");
+        }
+        return sstring(bio_ptr, len);
+    }
+
+    size_t in_avail() const { return _input.size(); }
+
+    BIO* in_bio() { return SSL_get_rbio(_ssl.get()); }
+    BIO* out_bio() { return SSL_get_wbio(_ssl.get()); }
+
+private:
+    std::unique_ptr<net::connected_socket_impl> _sock;
+    sstring _local_address;
+    sstring _remote_address;
+    shared_ptr<tls::certificate_credentials::impl> _creds;
+    data_source _in;
+    data_sink _out;
+    std::exception_ptr _error;
+
+    semaphore _in_sem;
+    semaphore _out_sem;
+    tls_options _options;
+
+    future<> _output_pending;
+    buf_type _input;
+    // ALPN protocols in OPENSSL format
+    // This is a sequence of length-prefixed strings, where the first byte is the length
+    // of the first string, followed by the string data, then the length of the second string,
+    // followed by the second string data, and so on.
+    std::vector<unsigned char> _alpn_protocols;
+    ssl_ctx_ptr _ctx;
+    ssl_ptr _ssl;
+    session_type _type;
+    bool _eof = false;
+    bool _shutdown = false;
+
+    friend int bio_write_ex(BIO* b, const char * data, size_t dlen, size_t * written);
+    friend int bio_read_ex(BIO* b, char * data, size_t dlen, size_t *readbytes);
+    friend long bio_ctrl(BIO * b, int ctrl, long num, void * data);
+    friend int session_ticket_cb(SSL*, unsigned char[16], unsigned char[EVP_MAX_IV_LENGTH],
+                                 EVP_CIPHER_CTX*, EVP_MAC_CTX*, int);
+};
+
+// The following callback function is used whenever session tickets are generated or received by
+// the TLS server.  If TLS session resumption is enabled, then an AES and HMAC key are
+// generated and stored within the certificate_credentials (which is stored within the TLS session).
+// The call back uses these keys to initialize the encryption and MAC operations for both encryption (enc = 1)
+// and decryption (enc = 0).  Because the key lives with the certificate_credentials which is passed
+// to every instance of an SSL session, the same key can be used over and over again to encrypt/decrypt
+// session tickets across multiple instances of server sessions.  For more information see:
+// https://docs.openssl.org/3.0/man3/SSL_CTX_set_tlsext_ticket_key_cb/
+int session_ticket_cb(SSL * s, unsigned char key_name[16],
+                      unsigned char iv[EVP_MAX_IV_LENGTH],
+                      EVP_CIPHER_CTX * ctx, EVP_MAC_CTX *hctx, int enc) {
+    auto * sess = static_cast<const session *>(SSL_get_ex_data(s, SSL_EX_DATA_SESSION));
+    std::span<unsigned char, 16> key_name_span(key_name, 16);
+    const auto & gen_key_name = sess->_creds->get_session_ticket_keys().key_name;
+    const auto & aes_key = sess->_creds->get_session_ticket_keys().aes_key;
+    auto hmac_key_ptr = sess->_creds->get_session_ticket_keys().hmac_key.data();
+    auto hmac_key_size = sess->_creds->get_session_ticket_keys().hmac_key.size();
+    OSSL_PARAM params[3];
+    params[0] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
+                                                  const_cast<unsigned char *>(hmac_key_ptr),
+                                                  hmac_key_size);
+    params[1] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
+                                                 const_cast<char *>("sha256"), 0);
+    params[2] = OSSL_PARAM_construct_end();
+
+    if (enc) {
+        if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0) {
+            return -1;
+        }
+
+        std::copy(gen_key_name.begin(), gen_key_name.end(), key_name_span.begin());
+
+        if (EVP_EncryptInit_ex2(ctx, EVP_aes_256_cbc(), aes_key.data(), iv, nullptr) == 0) {
+            return -1;
+        }
+
+        if (EVP_MAC_CTX_set_params(hctx, params) == 0) {
+            return -1;
+        }
+
+        return 1;
+    } else {
+        if (!std::equal(key_name_span.begin(), key_name_span.end(), gen_key_name.begin())) {
+            return 0;
+        }
+        if (EVP_MAC_CTX_set_params(hctx, params) == 0) {
+            return -1;
+        }
+
+        if (EVP_DecryptInit_ex2(ctx, EVP_aes_256_cbc(), aes_key.data(), iv, nullptr) == 0) {
+            return -1;
+        }
+        return 1;
+    }
+}
+
+
+tls::session* unwrap_bio_ptr(void * ptr) {
+    return static_cast<tls::session*>(ptr);
+}
+
+tls::session* unwrap_bio_ptr(BIO * b) {
+    return unwrap_bio_ptr(BIO_get_data(b));
+}
+
+/// The 'ioctl' for BIO
+long bio_ctrl(BIO * b, int ctrl, long num, void * data) {
+    if (BIO_get_init(b) <= 0 && ctrl != BIO_C_SET_POINTER) {
+        return 0;
+    }
+
+    auto session = unwrap_bio_ptr(b);
+
+    switch(ctrl) {
+    case BIO_C_SET_POINTER:
+        if (BIO_get_init(b) <= 0) {
+            BIO_set_data(b, data);
+            BIO_set_init(b, 1);
+            return 1;
+        } else {
+            return 0;
+        }
+    case BIO_CTRL_GET_CLOSE:
+        return BIO_get_shutdown(b);
+    case BIO_CTRL_SET_CLOSE:
+        BIO_set_shutdown(b, static_cast<int>(num));
+        break;
+
+    case BIO_CTRL_DUP:
+    case BIO_CTRL_FLUSH:
+        return 1;
+    case BIO_CTRL_EOF:
+        return BIO_test_flags(b, BIO_FLAGS_IN_EOF) != 0;
+    case BIO_CTRL_PENDING:
+        return static_cast<long>(session->_input.size());
+    case BIO_CTRL_WPENDING:
+        return session->_output_pending.available() ? 0 : 1;
+    default:
+        return 0;
+    }
+
+    return 0;
+}
+
+/// This is called when the BIO is created
+///
+/// It is important for this to be set, even if it doesn't do anything
+/// because the BIO init flag won't get automatically set to '1'.
+int bio_create(BIO*) {
+    return 1;
+}
+
+/// Handles writes to the BIO
+///
+/// This function will attempt to call _out.put() and store the future in
+/// _output_pending.  If _output_pending has not yet resolved, return '0'
+/// and set the retry write flag.
+int bio_write_ex(BIO* b, const char * data, size_t dlen, size_t * written) {
+    auto session = unwrap_bio_ptr(b);
+    tls_log.trace("{} bio_write_ex: dlen {}", *session, dlen);
+    BIO_clear_retry_flags(b);
+
+    if (!session->_output_pending.available()) {
+        tls_log.trace("{} bio_write_ex: nothing pending in output", *session);
+        BIO_set_retry_write(b);
+        return 0;
+    }
+
+    try {
+        size_t n;
+
+        if (!session->_output_pending.failed()) {
+            scattered_message<char> msg;
+            msg.append(std::string_view(data, dlen));
+            n = msg.size();
+            session->_output_pending = session->_out.put(std::move(msg).release());
+            tls_log.trace("{} bio_write_ex: Appended {} bytes to output pending", *session, n);
+        }
+
+        if (session->_output_pending.failed()) {
+            tls_log.debug("{} bio_write_ex: output pending has error", *session);
+            std::rethrow_exception(session->_output_pending.get_exception());
+        }
+
+        if (written != nullptr) {
+            *written = n;
+        }
+
+        return 1;
+    } catch(const std::system_error & e) {
+        tls_log.debug("{} bio_write_ex: system error occurred: {}", *session, e.what());
+        ERR_raise_data(ERR_LIB_SYS, e.code().value(), e.what());
+        session->_output_pending = make_exception_future<>(std::current_exception());
+    } catch(...) {
+        tls_log.debug("{} bio_write_ex: unknown error occurred", *session);
+        ERR_raise(ERR_LIB_SYS, EIO);
+        session->_output_pending = make_exception_future<>(std::current_exception());
+    }
+
+    return 0;
+}
+
+/// Handles reading data from the BIO
+///
+/// This will check to see if EOF has been reached and set the EOF
+/// flag if EOF has been reached.  It will set the retry read flag
+/// if no data is available, otherwise it will copy data off of
+/// the _input buffer and return it to the caller.
+int bio_read_ex(BIO* b, char * data, size_t dlen, size_t *readbytes) {
+    auto session = unwrap_bio_ptr(b);
+    tls_log.trace("{} bio_read_ex: dlen: {}", *session, dlen);
+    BIO_clear_retry_flags(b);
+    if (session->eof()) {
+        tls_log.trace("{} bio_read_ex: eof", *session);
+        BIO_set_flags(b, BIO_FLAGS_IN_EOF);
+        return 0;
+    }
+
+    if (session->_input.empty()) {
+        tls_log.trace("{} bio_read_ex: input empty", *session);
+        BIO_set_retry_read(b);
+        return 0;
+    }
+
+    auto n = std::min(dlen, session->_input.size());
+    memcpy(data, session->_input.get(), n);
+    session->_input.trim_front(n);
+    if (readbytes != nullptr) {
+        *readbytes = n;
+    }
+
+    tls_log.trace("{} bio_read_ex: read {} bytes from input", *session, n);
+    return 1;
+}
+
+/// This function creates the custom BIO method
+bio_method_ptr create_bio_method() {
+    auto new_index = BIO_get_new_index();
+    if (new_index == -1) {
+        throw make_ossl_error("Failed to obtain new BIO index");
+    }
+    bio_method_ptr meth(BIO_meth_new(new_index, "SS-OSSL"));
+    if (!meth) {
+        throw make_ossl_error("Failed to create new BIO method");
+    }
+
+    if (1 != BIO_meth_set_create(meth.get(), bio_create)) {
+        throw make_ossl_error("Failed to set the BIO creation method");
+    }
+
+    if (1 != BIO_meth_set_ctrl(meth.get(), bio_ctrl)) {
+        throw make_ossl_error("Failed to set BIO control method");
+    }
+
+    if (1 != BIO_meth_set_write_ex(meth.get(), bio_write_ex)) {
+        throw make_ossl_error("Failed to set BIO write_ex method");
+    }
+
+    if (1 != BIO_meth_set_read_ex(meth.get(), bio_read_ex)) {
+        throw make_ossl_error("Failed to set BIO read_ex method");
+    }
+
+    return meth;
+}
+
+} // namespace tls
+
+BIO_METHOD* get_method() {
+    static thread_local bio_method_ptr method_ptr = [] {
+        return tls::create_bio_method();
+    }();
+
+    return method_ptr.get();
+}
+
+future<connected_socket> tls::wrap_client(shared_ptr<certificate_credentials> cred, connected_socket&& s, sstring name) {
+    tls_options options{.server_name = std::move(name)};
+    return wrap_client(std::move(cred), std::move(s), std::move(options));
+}
+
+future<connected_socket> tls::wrap_client(shared_ptr<certificate_credentials> cred, connected_socket&& s, tls_options options) {
+    session_ref sess(seastar::make_shared<session>(session_type::CLIENT, std::move(cred), std::move(s),  options));
+    connected_socket sock(std::make_unique<tls_connected_socket_impl>(std::move(sess)));
+    return make_ready_future<connected_socket>(std::move(sock));
+}
+
+future<connected_socket> tls::wrap_server(shared_ptr<server_credentials> cred, connected_socket&& s) {
+    session_ref sess(seastar::make_shared<session>(session_type::SERVER, std::move(cred), std::move(s)));
+    connected_socket sock(std::make_unique<tls_connected_socket_impl>(std::move(sess)));
+    return make_ready_future<connected_socket>(std::move(sock));
+}
+
+} // namespace seastar
+
+auto fmt::formatter<seastar::tls::session>::format(
+    const seastar::tls::session& s, fmt::format_context& ctx) const -> decltype(ctx.out()) {
+
+    return fmt::format_to(ctx.out(), "{}:{}:{} -",
+        s.get_type_string(), s.local_address(), s.remote_address());
+}
+
+const int seastar::tls::ERROR_UNKNOWN_COMPRESSION_ALGORITHM = ERR_PACK(
+  ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
+const int seastar::tls::ERROR_UNKNOWN_CIPHER_TYPE = ERR_PACK(
+  ERR_LIB_SSL, 0, SSL_R_UNKNOWN_CIPHER_TYPE);
+const int seastar::tls::ERROR_INVALID_SESSION = ERR_PACK(
+  ERR_LIB_SSL, 0, SSL_R_INVALID_SESSION_ID);
+const int seastar::tls::ERROR_UNEXPECTED_HANDSHAKE_PACKET = ERR_PACK(
+  ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD);
+const int seastar::tls::ERROR_UNKNOWN_CIPHER_SUITE = ERR_PACK(
+  ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_PROTOCOL);
+const int seastar::tls::ERROR_UNKNOWN_ALGORITHM = ERR_PACK(
+  ERR_LIB_RSA, 0, RSA_R_UNKNOWN_ALGORITHM_TYPE);
+const int seastar::tls::ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM = ERR_PACK(
+  ERR_LIB_SSL, 0, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
+const int seastar::tls::ERROR_SAFE_RENEGOTIATION_FAILED = ERR_PACK(
+  ERR_LIB_SSL, 0, SSL_R_RENEGOTIATION_MISMATCH);
+const int seastar::tls::ERROR_UNSAFE_RENEGOTIATION_DENIED = ERR_PACK(
+  ERR_LIB_SSL, 0, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+const int seastar::tls::ERROR_UNKNOWN_SRP_USERNAME = ERR_PACK(
+  ERR_LIB_SSL, 0, SSL_R_INVALID_SRP_USERNAME);
+const int seastar::tls::ERROR_PREMATURE_TERMINATION = ERR_PACK(
+  ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_EOF_WHILE_READING);
+// System errors are not ERR_PACK'ed like other errors but instead
+// are OR'ed with ((unsigned int)INT_MAX + 1)
+const int seastar::tls::ERROR_PUSH = int(ERR_SYSTEM_FLAG | EPIPE);
+const int seastar::tls::ERROR_PULL = ERR_PACK(
+  ERR_LIB_SSL, 0, SSL_R_READ_BIO_NOT_SET);
+const int seastar::tls::ERROR_UNEXPECTED_PACKET = ERR_PACK(
+  ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE);
+const int seastar::tls::ERROR_UNSUPPORTED_VERSION = ERR_PACK(
+  ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_SSL_VERSION);
+const int seastar::tls::ERROR_NO_CIPHER_SUITES = ERR_PACK(
+  ERR_LIB_SSL, 0, SSL_R_NO_CIPHERS_AVAILABLE);
+const int seastar::tls::ERROR_DECRYPTION_FAILED = ERR_PACK(
+  ERR_LIB_SSL, 0, SSL_R_DECRYPTION_FAILED);
+const int seastar::tls::ERROR_MAC_VERIFY_FAILED = ERR_PACK(
+  ERR_LIB_SSL, 0, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
+const int seastar::tls::ERROR_WRONG_VERSION_NUMBER = ERR_PACK(
+  ERR_LIB_SSL, 0, SSL_R_WRONG_VERSION_NUMBER);
+const int seastar::tls::ERROR_HTTP_REQUEST = ERR_PACK(
+  ERR_LIB_SSL, 0, SSL_R_HTTP_REQUEST);
+const int seastar::tls::ERROR_HTTPS_PROXY_REQUEST = ERR_PACK(
+  ERR_LIB_SSL, 0, SSL_R_HTTPS_PROXY_REQUEST);
+
+std::optional<seastar::sstring> fmt::formatter<seastar::ossl_errc>::alternate_message(seastar::ossl_errc error) {
+    switch(static_cast<int>(error)) {
+    case seastar::tls::ERROR_WRONG_VERSION_NUMBER:
+        return "Wrong SSL Version number: ensure client is configured to use TLS";
+    case seastar::tls::ERROR_HTTP_REQUEST:
+        return "Received HTTP request on HTTPS server";
+    case seastar::tls::ERROR_HTTPS_PROXY_REQUEST:
+        return "Received HTTPS proxy request";
+    }
+
+    return std::nullopt;
+}
+
+auto fmt::formatter<seastar::ossl_errc>::format(seastar::ossl_errc error, fmt::format_context& ctx) const -> decltype(ctx.out()) {
+    if (auto alternate = alternate_message(error); alternate.has_value()) {
+        return fmt::format_to(ctx.out(), "{}", alternate.value());
+    }
+    constexpr size_t error_buf_size = 256;
+    // Buffer passed to ERR_error_string must be at least 256 bytes large
+    // https://www.openssl.org/docs/man3.0/man3/ERR_error_string_n.html
+    std::array<char, error_buf_size> buf{};
+    ERR_error_string_n(
+        static_cast<unsigned long>(error), buf.data(), buf.size());
+    // ERR_error_string_n does include the terminating null character
+    return fmt::format_to(ctx.out(), "{}", buf.data());
+}
diff --git a/src/net/posix-stack.cc b/src/net/posix-stack.cc
index 97ed9497e19..c41665c0974 100644
--- a/src/net/posix-stack.cc
+++ b/src/net/posix-stack.cc
@@ -230,7 +230,7 @@ static void shutdown_socket_fd(pollable_fd& fd, int how) noexcept {
         // EBADF (invalid file descriptor) -- irretrievable
         fd.shutdown(how);
     } catch (...) {
-        on_internal_error(seastar_logger, seastar::format("socket shutdown({}, {}) failed: {}", fd.get_file_desc().fdinfo(), how, std::current_exception()));
+        on_internal_error(seastar_logger, ::seastar::format("socket shutdown({}, {}) failed: {}", fd.get_file_desc().fdinfo(), how, std::current_exception()));
     }
 }
 
@@ -946,7 +946,7 @@ class posix_datagram : public datagram_impl {
     virtual socket_address get_dst() override { return _dst; }
     virtual uint16_t get_dst_port() override {
         if (_dst.family() != AF_INET && _dst.family() != AF_INET6) {
-            throw std::runtime_error(format("get_dst_port() called on non-IP address: {}", _dst));
+            throw std::runtime_error(::seastar::format("get_dst_port() called on non-IP address: {}", _dst));
         }
         return _dst.port();
     }
diff --git a/src/net/tls-impl.cc b/src/net/tls-impl.cc
new file mode 100644
index 00000000000..1f09f0ffcca
--- /dev/null
+++ b/src/net/tls-impl.cc
@@ -0,0 +1,831 @@
+/*
+ * This file is open source software, licensed to you under the terms
+ * of the Apache License, Version 2.0 (the "License").  See the NOTICE file
+ * distributed with this work for additional information regarding copyright
+ * ownership.  You may not use this file except in compliance with the License.
+ *
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+/*
+ * Copyright 2015 Cloudius Systems
+ */
+
+#ifdef SEASTAR_MODULE
+module;
+#endif
+
+#include <chrono>
+#include <filesystem>
+#include <unordered_set>
+
+#include <sys/stat.h>
+
+#ifdef SEASTAR_USE_GNUTLS
+#include <gnutls/gnutls.h>
+#endif
+
+#include <any>
+#include <boost/range/iterator_range.hpp>
+#include <boost/range/adaptor/map.hpp>
+
+#include <fmt/core.h>
+#include <fmt/ostream.h>
+
+#ifdef SEASTAR_MODULE
+module seastar;
+#else
+#include <seastar/net/tls.hh>
+#include <seastar/core/file.hh>
+#include <seastar/core/future.hh>
+#include <seastar/core/fsnotify.hh>
+#include <seastar/core/thread.hh>
+#include <seastar/core/reactor.hh>
+
+#include "net/tls-impl.hh"
+#endif
+
+namespace seastar {
+
+namespace {
+
+tls::reload_callback_ex wrap_reload_callback(tls::reload_callback_with_creds cb) {
+    return [cb{std::move(cb)}](const tls::credentials_builder& builder,
+                               const std::unordered_set<sstring> &files,
+                               std::exception_ptr ep) {
+         auto creds = builder.build_certificate_credentials();
+         return futurize_invoke(cb, files, *creds, ep, builder.get_trust_file_blob());
+    };
+}
+
+}
+
+logger tls::tls_log("seastar-tls");
+
+std::unique_ptr<net::connected_socket_impl> net::get_impl::get(connected_socket s) {
+    return std::move(s._csi);
+}
+
+net::connected_socket_impl* net::get_impl::maybe_get_ptr(connected_socket& s) {
+    if (s._csi) {
+        return s._csi.get();
+    }
+    return nullptr;
+}
+
+tls::session_ref::~session_ref() {
+    // This is not super pretty. But we take some care to only own sessions
+    // through session_ref, and we need to initiate shutdown on "last owner",
+    // since we cannot revive the session in destructor.
+    if (_session && _session.use_count() == 1) {
+        _session->close();
+    }
+}
+
+// Helper
+struct file_info {
+    sstring filename;
+    std::chrono::system_clock::time_point modified;
+};
+
+struct file_result {
+    temporary_buffer<char> buf;
+    file_info file;
+    operator temporary_buffer<char>&&() && {
+        return std::move(buf);
+    }
+};
+
+static future<file_result> read_fully(const sstring& name, const sstring& what) {
+    return open_file_dma(name, open_flags::ro).then([name = name](file f) mutable {
+        return do_with(std::move(f), [name = std::move(name)](file& f) mutable {
+            return f.stat().then([&f, name = std::move(name)](struct stat s) mutable {
+                return f.dma_read_bulk<char>(0, s.st_size).then([s, name = std::move(name)](temporary_buffer<char> buf) mutable {
+                    return file_result{ std::move(buf), file_info{
+                        std::move(name), std::chrono::system_clock::from_time_t(s.st_mtim.tv_sec) +
+                            std::chrono::duration_cast<std::chrono::system_clock::duration>(std::chrono::nanoseconds(s.st_mtim.tv_nsec))
+                    } };
+                });
+            }).finally([&f]() {
+                return f.close();
+            });
+        });
+    }).handle_exception([name = name, what = what](std::exception_ptr ep) -> future<file_result> {
+       try {
+           std::rethrow_exception(std::move(ep));
+       } catch (...) {
+           std::throw_with_nested(std::runtime_error(sstring("Could not read ") + what + " " + name));
+       }
+    });
+}
+
+future<tls::dh_params> tls::dh_params::from_file(
+        const sstring& filename, x509_crt_format fmt) {
+    return read_fully(filename, "dh parameters").then([fmt](temporary_buffer<char> buf) {
+        return make_ready_future<dh_params>(dh_params(blob(buf.get()), fmt));
+    });
+}
+
+future<> tls::abstract_credentials::set_x509_trust_file(
+        const sstring& cafile, x509_crt_format fmt) {
+    return read_fully(cafile, "trust file").then([this, fmt](temporary_buffer<char> buf) {
+        set_x509_trust(blob(buf.get(), buf.size()), fmt);
+    });
+}
+
+future<> tls::abstract_credentials::set_x509_crl_file(
+        const sstring& crlfile, x509_crt_format fmt) {
+    return read_fully(crlfile, "crl file").then([this, fmt](temporary_buffer<char> buf) {
+        set_x509_crl(blob(buf.get(), buf.size()), fmt);
+    });
+}
+
+future<> tls::abstract_credentials::set_x509_key_file(
+        const sstring& cf, const sstring& kf, x509_crt_format fmt) {
+    return read_fully(cf, "certificate file").then([this, fmt, kf = kf](temporary_buffer<char> buf) {
+        return read_fully(kf, "key file").then([this, fmt, buf = std::move(buf)](temporary_buffer<char> buf2) {
+                    set_x509_key(blob(buf.get(), buf.size()), blob(buf2.get(), buf2.size()), fmt);
+                });
+    });
+}
+
+future<> tls::abstract_credentials::set_simple_pkcs12_file(
+        const sstring& pkcs12file, x509_crt_format fmt,
+        const sstring& password) {
+    return read_fully(pkcs12file, "pkcs12 file").then([this, fmt, password = password](temporary_buffer<char> buf) {
+        set_simple_pkcs12(blob(buf.get(), buf.size()), fmt, password);
+    });
+}
+
+static const sstring dh_level_key = "dh_level";
+static const sstring x509_trust_key = "x509_trust";
+static const sstring x509_crl_key = "x509_crl";
+static const sstring x509_key_key = "x509_key";
+static const sstring pkcs12_key = "pkcs12";
+static const sstring system_trust = "system_trust";
+
+using buffer_type = std::basic_string<tls::blob::value_type, tls::blob::traits_type, std::allocator<tls::blob::value_type>>;
+
+struct x509_simple {
+    buffer_type data;
+    tls::x509_crt_format format;
+    file_info file;
+};
+
+struct x509_key {
+    buffer_type cert;
+    buffer_type key;
+    tls::x509_crt_format format;
+    file_info cert_file;
+    file_info key_file;
+};
+
+struct pkcs12_simple {
+    buffer_type data;
+    tls::x509_crt_format format;
+    sstring password;
+    file_info file;
+};
+
+void tls::credentials_builder::set_dh_level(dh_params::level level) {
+    _blobs.emplace(dh_level_key, level);
+}
+
+void tls::credentials_builder::set_x509_trust(const blob& b, x509_crt_format fmt) {
+    _blobs.emplace(x509_trust_key, x509_simple{ std::string(b), fmt });
+}
+
+void tls::credentials_builder::set_x509_crl(const blob& b, x509_crt_format fmt) {
+    _blobs.emplace(x509_crl_key, x509_simple{ std::string(b), fmt });
+}
+
+void tls::credentials_builder::set_x509_key(const blob& cert, const blob& key, x509_crt_format fmt) {
+    _blobs.emplace(x509_key_key, x509_key { std::string(cert), std::string(key), fmt });
+}
+
+void tls::credentials_builder::set_simple_pkcs12(const blob& b, x509_crt_format fmt, const sstring& password) {
+    _blobs.emplace(pkcs12_key, pkcs12_simple{std::string(b), fmt, password });
+}
+
+static buffer_type to_buffer(const temporary_buffer<char>& buf) {
+    return buffer_type(buf.get(), buf.get() + buf.size());
+}
+
+future<> tls::credentials_builder::set_x509_trust_file(const sstring& cafile, x509_crt_format fmt) {
+    return read_fully(cafile, "trust file").then([this, fmt](file_result f) {
+        _blobs.emplace(x509_trust_key, x509_simple{ to_buffer(f.buf), fmt, std::move(f.file) });
+    });
+}
+
+future<> tls::credentials_builder::set_x509_crl_file(const sstring& crlfile, x509_crt_format fmt) {
+    return read_fully(crlfile, "crl file").then([this, fmt](file_result f) {
+        _blobs.emplace(x509_crl_key, x509_simple{ to_buffer(f.buf), fmt, std::move(f.file) });
+    });
+}
+
+future<> tls::credentials_builder::set_x509_key_file(const sstring& cf, const sstring& kf, x509_crt_format fmt) {
+    return read_fully(cf, "certificate file").then([this, fmt, kf = kf](file_result cf) {
+        return read_fully(kf, "key file").then([this, fmt, cf = std::move(cf)](file_result kf) {
+            _blobs.emplace(x509_key_key, x509_key{ to_buffer(cf.buf), to_buffer(kf.buf), fmt, std::move(cf.file), std::move(kf.file) });
+        });
+    });
+}
+
+future<> tls::credentials_builder::set_simple_pkcs12_file(const sstring& pkcs12file, x509_crt_format fmt, const sstring& password) {
+    return read_fully(pkcs12file, "pkcs12 file").then([this, fmt, password = password](file_result f) {
+        _blobs.emplace(pkcs12_key, pkcs12_simple{ to_buffer(f.buf), fmt, password, std::move(f.file) });
+    });
+}
+
+future<> tls::credentials_builder::set_system_trust() {
+    // TODO / Caveat:
+    // We cannot actually issue a loading of system trust here,
+    // because we have no actual tls context.
+    // And we probably _don't want to get into the guessing game
+    // of where the system trust cert chains are, since this is
+    // super distro dependent, and usually compiled into the library.
+    // Pretent it is raining, and just set a flag.
+    // Leave the function returning future, so if we change our
+    // minds and want to do explicit loading, we can...
+    _blobs.emplace(system_trust, true);
+    return make_ready_future();
+}
+
+void tls::credentials_builder::set_client_auth(client_auth auth) {
+    _client_auth = auth;
+}
+
+void tls::credentials_builder::set_session_resume_mode(session_resume_mode m) {
+    _session_resume_mode = m;
+    if (m != session_resume_mode::NONE) {
+        _session_resume_key = generate_session_ticket_key();
+    }
+}
+
+template<typename Blobs, typename Visitor>
+static void visit_blobs(Blobs& blobs, Visitor&& visitor) {
+    auto visit = [&](const sstring& key, auto* vt) {
+        auto tr = blobs.equal_range(key);
+        for (auto& p : boost::make_iterator_range(tr.first, tr.second)) {
+            auto* v = std::any_cast<std::decay_t<decltype(*vt)>>(&p.second);
+            visitor(key, *v);
+        }
+    };
+    visit(x509_trust_key, static_cast<x509_simple*>(nullptr));
+    visit(x509_crl_key, static_cast<x509_simple*>(nullptr));
+    visit(x509_key_key, static_cast<x509_key*>(nullptr));
+    visit(pkcs12_key, static_cast<pkcs12_simple*>(nullptr));
+}
+
+void tls::credentials_builder::apply_to(certificate_credentials& creds) const {
+    // Could potentially be templated down, but why bother...
+    visit_blobs(_blobs, make_visitor(
+        [&](const sstring& key, const x509_simple& info) {
+            if (key == x509_trust_key) {
+                creds.set_x509_trust(info.data, info.format);
+            } else if (key == x509_crl_key) {
+                creds.set_x509_crl(info.data, info.format);
+            }
+        },
+        [&](const sstring&, const x509_key& info) {
+            creds.set_x509_key(info.cert, info.key, info.format);
+        },
+        [&](const sstring&, const pkcs12_simple& info) {
+            creds.set_simple_pkcs12(info.data, info.format, info.password);
+        }
+    ));
+
+    // TODO / Caveat:
+    // We cannot do this immediately, because we are not a continuation, and
+    // potentially blocking calls are a no-no.
+    // Doing this detached would be indeterministic, so set a flag in
+    // credentials, and do actual loading in first handshake (see session)
+    if (_blobs.count(system_trust)) {
+        creds.enable_load_system_trust();
+    }
+
+#ifdef SEASTAR_USE_GNUTLS
+    if (!_priority.empty()) {
+        creds.set_priority_string(_priority);
+    }
+#endif
+
+#ifdef SEASTAR_USE_OPENSSL
+    if (!_cipher_string.empty()) {
+        creds.set_cipher_string(_cipher_string);
+    }
+
+    if (!_ciphersuites.empty()) {
+        creds.set_ciphersuites(_ciphersuites);
+    }
+
+    if (_enable_server_precedence) {
+        creds.enable_server_precedence();
+    }
+
+    if (_enable_tls_renegotiation) {
+        creds.enable_tls_renegotiation();
+    }
+
+    if (_min_tls_version.has_value()) {
+        creds.set_minimum_tls_version(*_min_tls_version);
+    }
+
+    if (_max_tls_version.has_value()) {
+        creds.set_maximum_tls_version(*_max_tls_version);
+    }
+#endif
+
+    creds.set_client_auth(_client_auth);
+    creds.set_session_resume_mode(_session_resume_mode, std::span{_session_resume_key.begin(), _session_resume_key.end()});
+
+    if (!_alpn_protocols.empty()) {
+        creds.set_alpn_protocols(_alpn_protocols);
+    }
+}
+
+shared_ptr<tls::certificate_credentials> tls::credentials_builder::build_certificate_credentials() const {
+    auto creds = make_shared<certificate_credentials>();
+    apply_to(*creds);
+    return creds;
+}
+
+shared_ptr<tls::server_credentials> tls::credentials_builder::build_server_credentials() const {
+    auto i = _blobs.find(dh_level_key);
+    if (i == _blobs.end()) {
+#if GNUTLS_VERSION_NUMBER < 0x030600 && SEASTAR_USE_GNUTLS
+        throw std::invalid_argument("No DH level set");
+#else
+        auto creds = make_shared<server_credentials>();
+        apply_to(*creds);
+        return creds;
+#endif
+    }
+    auto creds = make_shared<server_credentials>(dh_params(std::any_cast<dh_params::level>(i->second)));
+    apply_to(*creds);
+    return creds;
+}
+
+using namespace std::chrono_literals;
+
+class tls::reloadable_credentials_base {
+public:
+    using delay_type = std::chrono::milliseconds;
+    static inline constexpr delay_type default_tolerance = 500ms;
+
+    class reloading_builder
+        : public credentials_builder
+        , public enable_shared_from_this<reloading_builder>
+    {
+    public:
+        using time_point = std::chrono::system_clock::time_point;
+
+        reloading_builder(credentials_builder b, reload_callback_ex cb, reloadable_credentials_base* creds, delay_type delay)
+            : credentials_builder(std::move(b))
+            , _cb(std::move(cb))
+            , _creds(creds)
+            , _delay(delay)
+        {}
+        future<> init() {
+            std::vector<future<>> futures;
+            visit_blobs(_blobs, make_visitor(
+                [&](const sstring&, const x509_simple& info) {
+                    _all_files.emplace(info.file.filename);
+                },
+                [&](const sstring&, const x509_key& info) {
+                    _all_files.emplace(info.cert_file.filename);
+                    _all_files.emplace(info.key_file.filename);
+                },
+                [&](const sstring&, const pkcs12_simple& info) {
+                    _all_files.emplace(info.file.filename);
+                }
+            ));
+            return parallel_for_each(_all_files, [this](auto& f) {
+                if (!f.empty()) {
+                    return add_watch(f).discard_result();
+                }
+                return make_ready_future<>();
+            }).finally([me = shared_from_this()] {});
+        }
+        void start() {
+            // run the loop in a thread. makes code almost readable.
+            (void)async(std::bind(&reloading_builder::run, this)).finally([me = shared_from_this()] {});
+        }
+        void run() {
+            while (_creds) {
+                try {
+                    auto events = _fsn.wait().get();
+                    if (events.empty() && _creds == nullptr) {
+                        return;
+                    }
+                    rebuild(events);
+                    _timer.cancel();
+                } catch (...) {
+                    if (!_timer.armed()) {
+                        _timer.set_callback([this, ep = std::current_exception()]() mutable {
+                            do_callback(std::move(ep));
+                        });
+                        _timer.arm(_delay);
+                    }
+                }
+            }
+        }
+        void detach() {
+            _creds = nullptr;
+            _cb = {};
+            _fsn.shutdown();
+            _timer.cancel();
+        }
+
+    private:
+        using fsnotifier = experimental::fsnotifier;
+
+        // called from seastar::thread
+        void rebuild(const std::vector<fsnotifier::event>& events) {
+            for (auto& e : events) {
+                // don't use at. We could be getting two events for
+                // same watch (mod + delete), but we only need to care
+                // about one...
+                auto i = _watches.find(e.id);
+                if (i != _watches.end()) {
+                    auto& filename = i->second.second;
+                    // only add actual file watches to
+                    // query set. If this was a directory
+                    // watch, the file should already be
+                    // in there.
+                    if (_all_files.count(filename)) {
+                        _files[filename] = e.mask;
+                    }
+                    _watches.erase(i);
+                }
+            }
+            auto num_changed = 0;
+
+            auto maybe_reload = [&](const sstring& filename, buffer_type& dst) {
+                if (filename.empty() || !_files.count(filename)) {
+                    return;
+                }
+                // #756
+                // first, add a watch to nearest parent dir we
+                // can find. If user deleted folders, we could end
+                // up looking at modifications to root.
+                // The idea is that should adding a watch to actual file
+                // fail (deleted file/folder), we wait for changes to closest
+                // parent. When this happens, we will retry all files
+                // that have not been successfully replaced (and maybe more),
+                // repeating the process. At some point, we hopefully
+                // get new, current data.
+                add_dir_watch(filename);
+                // #756 add watch _first_. File could change while we are
+                // reading this.
+                try {
+                    add_watch(filename).get();
+                } catch (...) {
+                    // let's just assume if this happens, it's because the file or folder was deleted.
+                    // just ignore for now, and hope the dir watch will tell us when it is back...
+                    return;
+                }
+                temporary_buffer<char> buf = read_fully(filename, "reloading").get();
+                dst = to_buffer(buf);
+                ++num_changed;
+            };
+            visit_blobs(_blobs, make_visitor(
+                [&](const sstring&, x509_simple& info) {
+                    maybe_reload(info.file.filename, info.data);
+                },
+                [&](const sstring&, x509_key& info) {
+                    maybe_reload(info.cert_file.filename, info.cert);
+                    maybe_reload(info.key_file.filename, info.key);
+                },
+                [&](const sstring&, pkcs12_simple& info) {
+                    maybe_reload(info.file.filename, info.data);
+                }
+            ));
+            // only try this if anything was in fact successfully loaded.
+            // if files were missing, or pairs incomplete, we can just skip.
+            if (num_changed == 0) {
+                return;
+            }
+            try {
+                // force rebuilding session resume mode key if
+                // enabled. should not reuse sessions across certificate
+                // change (should not work anyway)
+                set_session_resume_mode(_session_resume_mode);
+                if (_creds) {
+                    _creds->rebuild(*this);
+                }
+            } catch (...) {
+                if (std::any_of(_files.begin(), _files.end(), [](auto& p) { return p.second == fsnotifier::flags::ignored; })) {
+                    // if any file in the reload set was deleted - i.e. we have not seen a "closed" yet - assume
+                    // this is a spurious reload and we'd better wait for next event - hopefully a "closed" -
+                    // and try again
+                    return;
+                }
+                throw;
+            }
+            // if we got here, all files loaded, all watches were created,
+            // and gnutls was ok with the content. success.
+            do_callback();
+            on_success();
+        }
+        void on_success() {
+            _files.clear();
+            // remove all directory watches, since we've successfully
+            // reloaded -> the file watches themselves should suffice now
+            auto i = _watches.begin();
+            auto e = _watches.end();
+            while (i != e) {
+                if (!_all_files.count(i->second.second)) {
+                    i = _watches.erase(i);
+                    continue;
+                }
+                ++i;
+            }
+        }
+        void do_callback(std::exception_ptr ep = {}) {
+            if (_cb && !_files.empty() && _creds) {
+                _cb(*this, boost::copy_range<std::unordered_set<sstring>>(_files | boost::adaptors::map_keys), std::move(ep)).get();
+            }
+        }
+        // called from seastar::thread
+        fsnotifier::watch_token add_dir_watch(const sstring& filename) {
+            auto dir = std::filesystem::path(filename).parent_path();
+            for (;;) {
+                try {
+                    return add_watch(dir.native(), fsnotifier::flags::create_child | fsnotifier::flags::move).get();
+                } catch (...) {
+                    auto parent = dir.parent_path();
+                    if (parent.empty() || dir == parent) {
+                        throw;
+                    }
+                    dir = std::move(parent);
+                    continue;
+                }
+            }
+        }
+        future<fsnotifier::watch_token> add_watch(const sstring& filename, fsnotifier::flags flags = fsnotifier::flags::close_write|fsnotifier::flags::delete_self) {
+            return _fsn.create_watch(filename, flags).then([this, filename = filename](fsnotifier::watch w) {
+                auto t = w.token();
+                // we might create multiple watches for same token in case of dirs, avoid deleting previously
+                // created one
+                if (_watches.count(t)) {
+                    w.release();
+                } else {
+                    _watches.emplace(t, std::make_pair(std::move(w), filename));
+                }
+                return t;
+            });
+        }
+
+        reload_callback_ex _cb;
+        reloadable_credentials_base* _creds;
+        fsnotifier _fsn;
+        std::unordered_map<fsnotifier::watch_token, std::pair<fsnotifier::watch, sstring>> _watches;
+        std::unordered_map<sstring, fsnotifier::flags> _files;
+        std::unordered_set<sstring> _all_files;
+        timer<> _timer;
+        delay_type _delay;
+    };
+    reloadable_credentials_base(credentials_builder builder, reload_callback_ex cb, delay_type delay = default_tolerance)
+        : _builder(seastar::make_shared<reloading_builder>(std::move(builder), std::move(cb), this, delay))
+    {
+        _builder->start();
+    }
+    future<> init() {
+        return _builder->init();
+    }
+    virtual ~reloadable_credentials_base() {
+        _builder->detach();
+    }
+    virtual void rebuild(const credentials_builder&) = 0;
+private:
+    shared_ptr<reloading_builder> _builder;
+};
+
+template<typename Base>
+class tls::reloadable_credentials : public Base, public tls::reloadable_credentials_base {
+public:
+    reloadable_credentials(credentials_builder builder, reload_callback_ex cb, Base b, delay_type delay = default_tolerance)
+        : Base(std::move(b))
+        , tls::reloadable_credentials_base(std::move(builder), std::move(cb), delay)
+    {}
+    void rebuild(const credentials_builder&) override;
+};
+
+template<>
+void tls::reloadable_credentials<tls::certificate_credentials>::rebuild(const credentials_builder& builder) {
+    builder.rebuild(*this);
+}
+
+template<>
+void tls::reloadable_credentials<tls::server_credentials>::rebuild(const credentials_builder& builder) {
+    builder.rebuild(*this);
+}
+
+void tls::credentials_builder::rebuild(certificate_credentials& creds) const {
+    auto tmp = build_certificate_credentials();
+    creds._impl = std::move(tmp->_impl);
+}
+
+void tls::credentials_builder::rebuild(server_credentials& creds) const {
+    auto tmp = build_server_credentials();
+    creds._impl = std::move(tmp->_impl);
+}
+
+future<shared_ptr<tls::certificate_credentials>> tls::credentials_builder::build_reloadable_certificate_credentials(reload_callback_ex cb, std::optional<std::chrono::milliseconds> tolerance) const {
+    auto creds = seastar::make_shared<reloadable_credentials<tls::certificate_credentials>>(*this, std::move(cb), std::move(*build_certificate_credentials()), tolerance.value_or(reloadable_credentials_base::default_tolerance));
+    return creds->init().then([creds] {
+        return make_ready_future<shared_ptr<tls::certificate_credentials>>(creds);
+    });
+}
+
+
+future<shared_ptr<tls::server_credentials>> tls::credentials_builder::build_reloadable_server_credentials(reload_callback_ex cb, std::optional<std::chrono::milliseconds> tolerance) const {
+    auto creds = seastar::make_shared<reloadable_credentials<tls::server_credentials>>(*this, std::move(cb), std::move(*build_server_credentials()), tolerance.value_or(reloadable_credentials_base::default_tolerance));
+    return creds->init().then([creds] {
+        return make_ready_future<shared_ptr<tls::server_credentials>>(creds);
+    });
+}
+
+future<shared_ptr<tls::certificate_credentials>> tls::credentials_builder::build_reloadable_certificate_credentials(reload_callback cb, std::optional<std::chrono::milliseconds> tolerance) const {
+    return build_reloadable_certificate_credentials([cb = std::move(cb)](const credentials_builder&, const std::unordered_set<sstring>& files, std::exception_ptr p) {
+        cb(files, p);
+        return make_ready_future<>();
+    }, tolerance);
+}
+future<shared_ptr<tls::server_credentials>> tls::credentials_builder::build_reloadable_server_credentials(reload_callback cb, std::optional<std::chrono::milliseconds> tolerance) const {
+    return build_reloadable_server_credentials([cb = std::move(cb)](const credentials_builder&, const std::unordered_set<sstring>& files, std::exception_ptr p) {
+        cb(files, p);
+        return make_ready_future<>();
+    }, tolerance);
+}
+future<shared_ptr<tls::certificate_credentials>> tls::credentials_builder::build_reloadable_certificate_credentials(reload_callback_with_creds cb, std::optional<std::chrono::milliseconds> tolerance) const {
+    return build_reloadable_certificate_credentials(wrap_reload_callback(std::move(cb)), tolerance);
+}
+
+future<shared_ptr<tls::server_credentials>> tls::credentials_builder::build_reloadable_server_credentials(reload_callback_with_creds cb, std::optional<std::chrono::milliseconds> tolerance) const {
+    return build_reloadable_server_credentials(wrap_reload_callback(std::move(cb)), tolerance);
+}
+
+std::optional<tls::blob> tls::credentials_builder::get_trust_file_blob() const {
+    if (auto i = _blobs.find(x509_trust_key); i != _blobs.end()) {
+        return std::make_optional<tls::blob>(std::any_cast<const x509_simple&>(i->second).data);
+    }
+    return std::nullopt;
+}
+
+data_source tls::tls_connected_socket_impl::source() {
+    return data_source(std::make_unique<source_impl>(_session));
+}
+
+data_sink tls::tls_connected_socket_impl::sink() {
+    return data_sink(std::make_unique<sink_impl>(_session));
+}
+
+future<connected_socket> tls::connect(shared_ptr<certificate_credentials> cred, socket_address sa, sstring name) {
+    tls_options options{.server_name = std::move(name)};
+    return connect(std::move(cred), std::move(sa), std::move(options));
+}
+
+future<connected_socket> tls::connect(shared_ptr<certificate_credentials> cred, socket_address sa, socket_address local, sstring name) {
+    tls_options options{.server_name = std::move(name)};
+    return connect(std::move(cred), std::move(sa), std::move(local), std::move(options));
+}
+
+future<connected_socket> tls::connect(shared_ptr<certificate_credentials> cred, socket_address sa, tls_options options) {
+    return engine().connect(sa).then([cred = std::move(cred), options = std::move(options)](connected_socket s) mutable {
+        return wrap_client(std::move(cred), std::move(s), std::move(options));
+    });
+}
+
+future<connected_socket> tls::connect(shared_ptr<certificate_credentials> cred, socket_address sa, socket_address local, tls_options options) {
+    return engine().connect(sa, local).then([cred = std::move(cred), options = std::move(options)](connected_socket s) mutable {
+        return wrap_client(std::move(cred), std::move(s), std::move(options));
+    });
+}
+
+socket tls::socket(shared_ptr<certificate_credentials> cred, sstring name) {
+    tls_options options{.server_name = std::move(name)};
+    return tls::socket(std::move(cred), std::move(options));
+}
+
+socket tls::socket(shared_ptr<certificate_credentials> cred, tls_options options) {
+    return ::seastar::socket(std::make_unique<tls_socket_impl>(std::move(cred), std::move(options)));
+}
+
+server_socket tls::listen(shared_ptr<server_credentials> creds, socket_address sa, listen_options opts) {
+    return listen(std::move(creds), seastar::listen(sa, opts));
+}
+
+server_socket tls::listen(shared_ptr<server_credentials> creds, server_socket ss) {
+    server_socket ssls(std::make_unique<server_session>(creds, std::move(ss)));
+    return server_socket(std::move(ssls));
+}
+
+static tls::tls_connected_socket_impl* get_tls_socket(connected_socket& socket) {
+    auto impl = net::get_impl::maybe_get_ptr(socket);
+    if (impl == nullptr) {
+        // the socket is not yet created or moved from
+        throw std::system_error(ENOTCONN, std::system_category());
+    }
+    auto tls_impl = dynamic_cast<tls::tls_connected_socket_impl*>(impl);
+    if (!tls_impl) {
+        // bad cast here means that we're dealing with wrong socket type
+        throw std::invalid_argument("Not a TLS socket");
+    }
+    return tls_impl;
+}
+
+future<std::optional<session_dn>> tls::get_dn_information(connected_socket& socket, dn_format format) {
+    return get_tls_socket(socket)->get_distinguished_name(format);
+}
+
+future<std::vector<tls::subject_alt_name>> tls::get_alt_name_information(connected_socket& socket, std::unordered_set<subject_alt_name_type> types) {
+    return get_tls_socket(socket)->get_alt_name_information(std::move(types));
+}
+
+future<std::vector<tls::certificate_data>> tls::get_peer_certificate_chain(connected_socket& socket) {
+    return get_tls_socket(socket)->get_peer_certificate_chain();
+}
+
+future<bool> tls::check_session_is_resumed(connected_socket& socket) {
+    return get_tls_socket(socket)->check_session_is_resumed();
+}
+
+future<tls::session_data> tls::get_session_resume_data(connected_socket& socket) {
+    return get_tls_socket(socket)->get_session_resume_data();
+}
+
+future<std::optional<sstring>> tls::get_selected_alpn_protocol(connected_socket& socket) {
+    return get_tls_socket(socket)->get_selected_alpn_protocol();
+}
+
+future<sstring> tls::get_cipher_suite(connected_socket& socket) {
+    return get_tls_socket(socket)->get_cipher_suite();
+}
+
+future<sstring> tls::get_protocol_version(connected_socket& socket) {
+    return get_tls_socket(socket)->get_protocol_version();
+}
+
+std::string_view tls::format_as(subject_alt_name_type type) {
+    switch (type) {
+        case subject_alt_name_type::dnsname:
+            return "DNS";
+        case subject_alt_name_type::rfc822name:
+            return "EMAIL";
+        case subject_alt_name_type::uri:
+            return "URI";
+        case subject_alt_name_type::ipaddress:
+            return "IP";
+        case subject_alt_name_type::othername:
+            return "OTHERNAME";
+        case subject_alt_name_type::dn:
+            return "DIRNAME";
+        default:
+            return "UNKNOWN";
+    }
+}
+
+std::string_view tls::format_as(tls_version version) {
+    switch(version) {
+    case tls::tls_version::tlsv1_0:
+        return "TLSv1.0";
+    case tls::tls_version::tlsv1_1:
+        return "TLSv1.1";
+    case tls::tls_version::tlsv1_2:
+        return "TLSv1.2";
+    case tls::tls_version::tlsv1_3:
+        return "TLSv1.3";
+    }
+
+    __builtin_unreachable();
+}
+
+std::ostream& tls::operator<<(std::ostream& os, const tls_version & version) {
+    return os << format_as(version);
+}
+
+std::ostream& tls::operator<<(std::ostream& os, subject_alt_name_type type) {
+    return os << format_as(type);
+}
+
+std::ostream& tls::operator<<(std::ostream& os, const subject_alt_name::value_type& v) {
+    fmt::print(os, "{}", v);
+    return os;
+}
+
+std::ostream& tls::operator<<(std::ostream& os, const subject_alt_name& a) {
+    fmt::print(os, "{}", a);
+    return os;
+}
+
+}
diff --git a/src/net/tls-impl.hh b/src/net/tls-impl.hh
new file mode 100644
index 00000000000..fb1d30c4136
--- /dev/null
+++ b/src/net/tls-impl.hh
@@ -0,0 +1,242 @@
+/*
+ * This file is open source software, licensed to you under the terms
+ * of the Apache License, Version 2.0 (the "License").  See the NOTICE file
+ * distributed with this work for additional information regarding copyright
+ * ownership.  You may not use this file except in compliance with the License.
+ *
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+/*
+ * Copyright 2015 Cloudius Systems
+ */
+#pragma once
+
+#include <seastar/core/sstring.hh>
+#include <seastar/core/file.hh>
+#include <seastar/net/tls.hh>
+#include <seastar/net/stack.hh>
+#include <seastar/core/reactor.hh>
+namespace seastar {
+
+class net::get_impl {
+public:
+    static std::unique_ptr<connected_socket_impl> get(connected_socket s);
+
+    static connected_socket_impl* maybe_get_ptr(connected_socket& s);
+};
+
+namespace tls {
+
+extern logger tls_log;
+
+std::vector<uint8_t> generate_session_ticket_key();
+
+class session_impl {
+public:
+    virtual future<> put(net::packet) = 0;
+    virtual future<> flush() noexcept = 0;
+    virtual future<temporary_buffer<char>> get() = 0;
+    virtual void close() = 0;
+    virtual future<std::optional<session_dn>> get_distinguished_name(dn_format) = 0;
+    virtual seastar::net::connected_socket_impl & socket() const = 0;
+    virtual future<std::vector<subject_alt_name>> get_alt_name_information(std::unordered_set<subject_alt_name_type>) = 0;
+    virtual future<bool> is_resumed() = 0;
+    virtual future<session_data> get_session_resume_data() = 0;
+    virtual future<std::vector<certificate_data>> get_peer_certificate_chain() = 0;
+    virtual future<std::optional<sstring>> get_selected_alpn_protocol() = 0;
+    virtual future<sstring> get_cipher_suite() = 0;
+    virtual future<sstring> get_protocol_version() = 0;
+};
+
+struct session_ref {
+    session_ref() = default;
+    session_ref(shared_ptr<session_impl> session)
+                    : _session(std::move(session)) {
+    }
+    session_ref(session_ref&&) = default;
+    session_ref(const session_ref&) = default;
+    ~session_ref();
+
+    session_ref& operator=(session_ref&&) = default;
+    session_ref& operator=(const session_ref&) = default;
+
+    shared_ptr<session_impl> _session;
+};
+
+class tls_connected_socket_impl : public net::connected_socket_impl, public session_ref {
+public:
+    tls_connected_socket_impl(session_ref&& sess)
+        : session_ref(std::move(sess))
+    {}
+
+    class source_impl;
+    class sink_impl;
+
+    using net::connected_socket_impl::source;
+    data_source source() override;
+    data_sink sink() override;
+
+    void shutdown_input() override {
+        _session->close();
+    }
+    void shutdown_output() override {
+        _session->close();
+    }
+    void set_nodelay(bool nodelay) override {
+        _session->socket().set_nodelay(nodelay);
+    }
+    bool get_nodelay() const override {
+        return _session->socket().get_nodelay();
+    }
+    void set_keepalive(bool keepalive) override {
+        _session->socket().set_keepalive(keepalive);
+    }
+    bool get_keepalive() const override {
+        return _session->socket().get_keepalive();
+    }
+    void set_keepalive_parameters(const net::keepalive_params& p) override {
+        _session->socket().set_keepalive_parameters(p);
+    }
+    net::keepalive_params get_keepalive_parameters() const override {
+        return _session->socket().get_keepalive_parameters();
+    }
+    void set_sockopt(int level, int optname, const void* data, size_t len) override {
+        _session->socket().set_sockopt(level, optname, data, len);
+    }
+    int get_sockopt(int level, int optname, void* data, size_t len) const override {
+        return _session->socket().get_sockopt(level, optname, data, len);
+    }
+    socket_address local_address() const noexcept override {
+        return _session->socket().local_address();
+    }
+    socket_address remote_address() const noexcept override {
+        return _session->socket().remote_address();
+    }
+    future<std::optional<session_dn>> get_distinguished_name(dn_format format) {
+        return _session->get_distinguished_name(format);
+    }
+    future<std::vector<subject_alt_name>> get_alt_name_information(std::unordered_set<subject_alt_name_type> types) {
+        return _session->get_alt_name_information(std::move(types));
+    }
+    future<std::vector<certificate_data>> get_peer_certificate_chain() {
+        return _session->get_peer_certificate_chain();
+    }
+    future<> wait_input_shutdown() override {
+        return _session->socket().wait_input_shutdown();
+    }
+    future<bool> check_session_is_resumed() {
+        return _session->is_resumed();
+    }
+    future<session_data> get_session_resume_data() {
+        return _session->get_session_resume_data();
+    }
+    future<std::optional<sstring>> get_selected_alpn_protocol() {
+        return _session->get_selected_alpn_protocol();
+    }
+    future<sstring> get_cipher_suite() const {
+        return _session->get_cipher_suite();
+    }
+    future<sstring> get_protocol_version() const {
+        return _session->get_protocol_version();
+    }
+};
+
+
+class tls_connected_socket_impl::source_impl: public data_source_impl, public session_ref {
+public:
+    using session_ref::session_ref;
+private:
+    future<temporary_buffer<char>> get() override {
+        return _session->get();
+    }
+    future<> close() override {
+        _session->close();
+        return make_ready_future<>();
+    }
+};
+
+// Note: source/sink, and by extension, the in/out streams
+// produced, cannot exist outside the direct life span of
+// the connected_socket itself. This is consistent with
+// other sockets in seastar, though I am than less fond of it...
+class tls_connected_socket_impl::sink_impl: public data_sink_impl, public session_ref {
+public:
+    using session_ref::session_ref;
+private:
+    future<> flush() override {
+        return _session->flush();
+    }
+    using data_sink_impl::put;
+    future<> put(net::packet p) override {
+        return _session->put(std::move(p));
+    }
+    future<> close() override {
+        _session->close();
+        return make_ready_future<>();
+    }
+};
+
+class server_session : public net::server_socket_impl {
+public:
+    server_session(shared_ptr<server_credentials> creds, server_socket sock)
+            : _creds(std::move(creds)), _sock(std::move(sock)) {
+    }
+    future<accept_result> accept() override {
+        // We're not actually doing anything very SSL until we get
+        // an actual connection. Then we create a "server" session
+        // and wrap it up after handshaking.
+        return _sock.accept().then([this](accept_result ar) {
+            return wrap_server(_creds, std::move(ar.connection)).then([addr = std::move(ar.remote_address)](connected_socket s) {
+                return make_ready_future<accept_result>(accept_result{std::move(s), addr});
+            });
+        });
+    }
+    void abort_accept() override  {
+        _sock.abort_accept();
+    }
+    socket_address local_address() const override {
+        return _sock.local_address();
+    }
+private:
+
+    shared_ptr<server_credentials> _creds;
+    server_socket _sock;
+};
+
+class tls_socket_impl : public net::socket_impl {
+    shared_ptr<certificate_credentials> _cred;
+    tls_options _options;
+    ::seastar::socket _socket;
+public:
+    tls_socket_impl(shared_ptr<certificate_credentials> cred, tls_options options)
+            : _cred(cred), _options(std::move(options)), _socket(make_socket()) {
+    }
+    virtual future<connected_socket> connect(socket_address sa, socket_address local, transport proto = transport::TCP) override {
+        return _socket.connect(sa, local, proto).then([cred = std::move(_cred), options = std::move(_options)](connected_socket s) mutable {
+            return wrap_client(cred, std::move(s), std::move(options));
+        });
+    }
+    void set_reuseaddr(bool reuseaddr) override {
+      _socket.set_reuseaddr(reuseaddr);
+    }
+    bool get_reuseaddr() const override {
+      return _socket.get_reuseaddr();
+    }
+    virtual void shutdown() override {
+        _socket.shutdown();
+    }
+};
+
+} // namespace tls
+
+
+}
diff --git a/src/net/tls.cc b/src/net/tls.cc
index 06c8636e36f..a04df561a84 100644
--- a/src/net/tls.cc
+++ b/src/net/tls.cc
@@ -45,6 +45,7 @@ module;
 
 #include <fmt/core.h>
 #include <fmt/ostream.h>
+#include <seastar/util/defer.hh>
 
 #ifdef SEASTAR_MODULE
 module seastar;
@@ -61,27 +62,15 @@ module seastar;
 #include <seastar/core/with_timeout.hh>
 #include <seastar/net/tls.hh>
 #include <seastar/net/stack.hh>
+#include <seastar/util/defer.hh>
 #include <seastar/util/std-compat.hh>
 #include <seastar/util/variant_utils.hh>
 #include <seastar/core/fsnotify.hh>
+#include "net/tls-impl.hh"
 #endif
 
 namespace seastar {
 
-class net::get_impl {
-public:
-    static std::unique_ptr<connected_socket_impl> get(connected_socket s) {
-        return std::move(s._csi);
-    }
-
-    static connected_socket_impl* maybe_get_ptr(connected_socket& s) {
-        if (s._csi) {
-            return s._csi.get();
-        }
-        return nullptr;
-    }
-};
-
 class blob_wrapper: public gnutls_datum_t {
 public:
     blob_wrapper(const tls::blob& in)
@@ -113,43 +102,6 @@ class gnutlsobj {
     }
 };
 
-// Helper
-struct file_info {
-    sstring filename;
-    std::chrono::system_clock::time_point modified;
-};
-
-struct file_result {
-    temporary_buffer<char> buf;
-    file_info file;
-    operator temporary_buffer<char>&&() && {
-        return std::move(buf);
-    }
-};
-
-static future<file_result> read_fully(const sstring& name, const sstring& what) {
-    return open_file_dma(name, open_flags::ro).then([name = name](file f) mutable {
-        return do_with(std::move(f), [name = std::move(name)](file& f) mutable {
-            return f.stat().then([&f, name = std::move(name)](struct stat s) mutable {
-                return f.dma_read_bulk<char>(0, s.st_size).then([s, name = std::move(name)](temporary_buffer<char> buf) mutable {
-                    return file_result{ std::move(buf), file_info{
-                        std::move(name), std::chrono::system_clock::from_time_t(s.st_mtim.tv_sec) +
-                            std::chrono::duration_cast<std::chrono::system_clock::duration>(std::chrono::nanoseconds(s.st_mtim.tv_nsec))
-                    } };
-                });
-            }).finally([&f]() {
-                return f.close();
-            });
-        });
-    }).handle_exception([name = name, what = what](std::exception_ptr ep) -> future<file_result> {
-       try {
-           std::rethrow_exception(std::move(ep));
-       } catch (...) {
-           std::throw_with_nested(std::runtime_error(sstring("Could not read ") + what + " " + name));
-       }
-    });
-}
-
 // Note: we are not using gnutls++ interfaces, mainly because we
 // want to keep _our_ interface reasonably non-gnutls (well...)
 // and once we get to this level, their abstractions don't help
@@ -178,6 +130,15 @@ static void gtls_chk(int res) {
     }
 }
 
+static std::vector<std::byte> extract_x509_serial(gnutls_x509_crt_t cert) {
+    constexpr size_t serial_max = 128;
+    size_t serial_size{serial_max};
+    std::vector<std::byte> serial(serial_size);
+    gtls_chk(gnutls_x509_crt_get_serial(cert, serial.data(), &serial_size));
+    serial.resize(serial_size);
+    return serial;
+}
+
 namespace {
 
 // helper for gnutls-functions for receiving a string
@@ -203,6 +164,10 @@ static auto get_gtls_string = [](auto func, auto... args) noexcept {
 
 }
 
+void tls::credentials_builder::set_priority_string(const sstring& prio) {
+    _priority = prio;
+}
+
 class tls::dh_params::impl : gnutlsobj {
     static gnutls_sec_param_t to_gnutls_level(level l) {
         switch (l) {
@@ -287,13 +252,6 @@ tls::dh_params::~dh_params() {
 tls::dh_params::dh_params(dh_params&&) noexcept = default;
 tls::dh_params& tls::dh_params::operator=(dh_params&&) noexcept = default;
 
-future<tls::dh_params> tls::dh_params::from_file(
-        const sstring& filename, x509_crt_format fmt) {
-    return read_fully(filename, "dh parameters").then([fmt](temporary_buffer<char> buf) {
-        return make_ready_future<dh_params>(dh_params(blob(buf.get()), fmt));
-    });
-}
-
 class tls::x509_cert::impl : gnutlsobj {
 public:
     impl()
@@ -330,13 +288,6 @@ tls::x509_cert::x509_cert(const blob& b, x509_crt_format fmt)
         : x509_cert(::seastar::make_shared<impl>(b, fmt)) {
 }
 
-future<tls::x509_cert> tls::x509_cert::from_file(
-        const sstring& filename, x509_crt_format fmt) {
-    return read_fully(filename, "x509 certificate").then([fmt](temporary_buffer<char> buf) {
-        return make_ready_future<x509_cert>(x509_cert(blob(buf.get()), fmt));
-    });
-}
-
 // wrapper for gnutls_datum, with raii free
 struct gnutls_datum : public gnutls_datum_t {
     gnutls_datum(size_t s) {
@@ -419,6 +370,49 @@ class tls::certificate_credentials::impl: public gnutlsobj {
                 gnutls_certificate_set_x509_simple_pkcs12_mem(_creds, &w,
                         gnutls_x509_crt_fmt_t(fmt), password.c_str()));
     }
+    std::vector<cert_info> get_x509_info() const {
+        gnutls_x509_crt_t *crt_list{};
+        unsigned int crt_list_size{};
+        gtls_chk(gnutls_certificate_get_x509_crt(*this, 0, &crt_list, &crt_list_size));
+        auto cleanup = defer([&crt_list, crt_list_size]() noexcept {
+            for (unsigned int i = 0; i < crt_list_size; ++i) {
+                gnutls_x509_crt_deinit(crt_list[i]);
+            }
+            gnutls_free(crt_list);
+        });
+
+        std::vector<cert_info> result;
+        result.reserve(crt_list_size);
+
+        for (unsigned int i = 0; i < crt_list_size; ++i) {
+            cert_info info = {
+                .serial = extract_x509_serial(crt_list[i]),
+                .expiry = gnutls_x509_crt_get_expiration_time(crt_list[i]),
+            };
+            result.emplace_back(std::move(info));
+        }
+        return result;
+    }
+    std::vector<cert_info> get_x509_trust_list_info() const {
+        gnutls_x509_trust_list_t tlist{};
+        gnutls_certificate_get_trust_list(*this, &tlist);
+        gnutls_x509_trust_list_iter_t iter{};
+        gnutls_x509_crt_t cert{};
+
+        // Size not known up front
+        std::vector<cert_info> result;
+        while (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE !=
+               gnutls_x509_trust_list_iter_get_ca(tlist, &iter, &cert)) {
+            cert_info info = {
+                .serial = extract_x509_serial(cert),
+                .expiry = gnutls_x509_crt_get_expiration_time(cert),
+            };
+            result.emplace_back(std::move(info));
+            gnutls_x509_crt_deinit(cert);
+        }
+
+        return result;
+    }
     void dh_params(const tls::dh_params& dh) {
 #if GNUTLS_VERSION_NUMBER >= 0x030506
         auto sec_param = dh._impl->sec_param();
@@ -489,7 +483,7 @@ class tls::certificate_credentials::impl: public gnutlsobj {
     }
 
 private:
-    friend class credentials_builder;
+    friend class certificate_credentials;
     friend class session;
 
     bool need_load_system_trust() const {
@@ -549,37 +543,6 @@ void tls::certificate_credentials::set_simple_pkcs12(const blob& b,
     _impl->set_simple_pkcs12(b, fmt, password);
 }
 
-future<> tls::abstract_credentials::set_x509_trust_file(
-        const sstring& cafile, x509_crt_format fmt) {
-    return read_fully(cafile, "trust file").then([this, fmt](temporary_buffer<char> buf) {
-        set_x509_trust(blob(buf.get(), buf.size()), fmt);
-    });
-}
-
-future<> tls::abstract_credentials::set_x509_crl_file(
-        const sstring& crlfile, x509_crt_format fmt) {
-    return read_fully(crlfile, "crl file").then([this, fmt](temporary_buffer<char> buf) {
-        set_x509_crl(blob(buf.get(), buf.size()), fmt);
-    });
-}
-
-future<> tls::abstract_credentials::set_x509_key_file(
-        const sstring& cf, const sstring& kf, x509_crt_format fmt) {
-    return read_fully(cf, "certificate file").then([this, fmt, kf = kf](temporary_buffer<char> buf) {
-        return read_fully(kf, "key file").then([this, fmt, buf = std::move(buf)](temporary_buffer<char> buf2) {
-                    set_x509_key(blob(buf.get(), buf.size()), blob(buf2.get(), buf2.size()), fmt);
-                });
-    });
-}
-
-future<> tls::abstract_credentials::set_simple_pkcs12_file(
-        const sstring& pkcs12file, x509_crt_format fmt,
-        const sstring& password) {
-    return read_fully(pkcs12file, "pkcs12 file").then([this, fmt, password = password](temporary_buffer<char> buf) {
-        set_simple_pkcs12(blob(buf.get(), buf.size()), fmt, password);
-    });
-}
-
 future<> tls::certificate_credentials::set_system_trust() {
     return _impl->set_system_trust();
 }
@@ -596,523 +559,86 @@ void tls::certificate_credentials::set_enable_certificate_verification(bool enab
     _impl->set_enable_certificate_verification(enable);
 }
 
-tls::server_credentials::server_credentials()
-#if GNUTLS_VERSION_NUMBER < 0x030600
-    : server_credentials(dh_params{})
-#endif
-{}
-
-tls::server_credentials::server_credentials(shared_ptr<dh_params> dh)
-    : server_credentials(*dh)
-{}
-
-tls::server_credentials::server_credentials(const dh_params& dh) {
-    _impl->dh_params(dh);
+void tls::certificate_credentials::enable_load_system_trust() {
+    _impl->_load_system_trust = true;
 }
 
-tls::server_credentials::server_credentials(server_credentials&&) noexcept = default;
-tls::server_credentials& tls::server_credentials::operator=(
-        server_credentials&&) noexcept = default;
-
-void tls::server_credentials::set_client_auth(client_auth ca) {
+void tls::certificate_credentials::set_client_auth(client_auth ca) {
     _impl->set_client_auth(ca);
 }
 
-void tls::server_credentials::set_session_resume_mode(session_resume_mode m) {
-    _impl->set_session_resume_mode(m);
+void tls::certificate_credentials::set_session_resume_mode(session_resume_mode m, std::span<const uint8_t> key) {
+    _impl->set_session_resume_mode(m, key);
 }
 
-void tls::server_credentials::set_alpn_protocols(const std::vector<sstring>& protocols) {
+void tls::certificate_credentials::set_alpn_protocols(const std::vector<sstring> & protocols) {
     _impl->set_alpn_protocols(protocols);
 }
 
-static const sstring dh_level_key = "dh_level";
-static const sstring x509_trust_key = "x509_trust";
-static const sstring x509_crl_key = "x509_crl";
-static const sstring x509_key_key = "x509_key";
-static const sstring pkcs12_key = "pkcs12";
-static const sstring system_trust = "system_trust";
-
-using buffer_type = std::basic_string<tls::blob::value_type, tls::blob::traits_type, std::allocator<tls::blob::value_type>>;
-
-struct x509_simple {
-    buffer_type data;
-    tls::x509_crt_format format;
-    file_info file;
-};
-
-struct x509_key {
-    buffer_type cert;
-    buffer_type key;
-    tls::x509_crt_format format;
-    file_info cert_file;
-    file_info key_file;
-};
-
-struct pkcs12_simple {
-    buffer_type data;
-    tls::x509_crt_format format;
-    sstring password;
-    file_info file;
-};
-
-void tls::credentials_builder::set_dh_level(dh_params::level level) {
-    _blobs.emplace(dh_level_key, level);
-}
-
-void tls::credentials_builder::set_x509_trust(const blob& b, x509_crt_format fmt) {
-    _blobs.emplace(x509_trust_key, x509_simple{ std::string(b), fmt });
-}
-
-void tls::credentials_builder::set_x509_crl(const blob& b, x509_crt_format fmt) {
-    _blobs.emplace(x509_crl_key, x509_simple{ std::string(b), fmt });
-}
-
-void tls::credentials_builder::set_x509_key(const blob& cert, const blob& key, x509_crt_format fmt) {
-    _blobs.emplace(x509_key_key, x509_key { std::string(cert), std::string(key), fmt });
-}
-
-void tls::credentials_builder::set_simple_pkcs12(const blob& b, x509_crt_format fmt, const sstring& password) {
-    _blobs.emplace(pkcs12_key, pkcs12_simple{std::string(b), fmt, password });
-}
-
-static buffer_type to_buffer(const temporary_buffer<char>& buf) {
-    return buffer_type(buf.get(), buf.get() + buf.size());
-}
-
-future<> tls::credentials_builder::set_x509_trust_file(const sstring& cafile, x509_crt_format fmt) {
-    return read_fully(cafile, "trust file").then([this, fmt](file_result f) {
-        _blobs.emplace(x509_trust_key, x509_simple{ to_buffer(f.buf), fmt, std::move(f.file) });
-    });
-}
-
-future<> tls::credentials_builder::set_x509_crl_file(const sstring& crlfile, x509_crt_format fmt) {
-    return read_fully(crlfile, "crl file").then([this, fmt](file_result f) {
-        _blobs.emplace(x509_crl_key, x509_simple{ to_buffer(f.buf), fmt, std::move(f.file) });
-    });
-}
-
-future<> tls::credentials_builder::set_x509_key_file(const sstring& cf, const sstring& kf, x509_crt_format fmt) {
-    return read_fully(cf, "certificate file").then([this, fmt, kf = kf](file_result cf) {
-        return read_fully(kf, "key file").then([this, fmt, cf = std::move(cf)](file_result kf) {
-            _blobs.emplace(x509_key_key, x509_key{ to_buffer(cf.buf), to_buffer(kf.buf), fmt, std::move(cf.file), std::move(kf.file) });
-        });
-    });
-}
-
-future<> tls::credentials_builder::set_simple_pkcs12_file(const sstring& pkcs12file, x509_crt_format fmt, const sstring& password) {
-    return read_fully(pkcs12file, "pkcs12 file").then([this, fmt, password = password](file_result f) {
-        _blobs.emplace(pkcs12_key, pkcs12_simple{ to_buffer(f.buf), fmt, password, std::move(f.file) });
-    });
-}
-
-future<> tls::credentials_builder::set_system_trust() {
-    // TODO / Caveat:
-    // We cannot actually issue a loading of system trust here,
-    // because we have no actual tls context.
-    // And we probably _don't want to get into the guessing game
-    // of where the system trust cert chains are, since this is
-    // super distro dependent, and usually compiled into the library.
-    // Pretent it is raining, and just set a flag.
-    // Leave the function returning future, so if we change our
-    // minds and want to do explicit loading, we can...
-    _blobs.emplace(system_trust, true);
-    return make_ready_future();
-}
-
-void tls::credentials_builder::set_client_auth(client_auth auth) {
-    _client_auth = auth;
-}
-
-void tls::credentials_builder::set_priority_string(const sstring& prio) {
-    _priority = prio;
-}
-
-void tls::credentials_builder::set_session_resume_mode(session_resume_mode m) {
-    _session_resume_mode = m;
-    if (m != session_resume_mode::NONE) {
-        gnutls_datum key;
-        gtls_chk(gnutls_session_ticket_key_generate(&key));
-        _session_resume_key.assign(key.data, key.data + key.size);
+std::optional<std::vector<cert_info>> tls::certificate_credentials::get_cert_info() const noexcept {
+    if (_impl == nullptr) {
+        return std::nullopt;
     }
-}
-
-void tls::credentials_builder::set_alpn_protocols(const std::vector<sstring>& protocols) {
-    _alpn_protocols = protocols;
-}
-
-template<typename Blobs, typename Visitor>
-static void visit_blobs(Blobs& blobs, Visitor&& visitor) {
-    auto visit = [&](const sstring& key, auto* vt) {
-        auto tr = blobs.equal_range(key);
-        for (auto& p : boost::make_iterator_range(tr.first, tr.second)) {
-            auto* v = std::any_cast<std::decay_t<decltype(*vt)>>(&p.second);
-            visitor(key, *v);
-        }
-    };
-    visit(x509_trust_key, static_cast<x509_simple*>(nullptr));
-    visit(x509_crl_key, static_cast<x509_simple*>(nullptr));
-    visit(x509_key_key, static_cast<x509_key*>(nullptr));
-    visit(pkcs12_key, static_cast<pkcs12_simple*>(nullptr));
-}
 
-void tls::credentials_builder::apply_to(certificate_credentials& creds) const {
-    // Could potentially be templated down, but why bother...
-    visit_blobs(_blobs, make_visitor(
-        [&](const sstring& key, const x509_simple& info) {
-            if (key == x509_trust_key) {
-                creds.set_x509_trust(info.data, info.format);
-            } else if (key == x509_crl_key) {
-                creds.set_x509_crl(info.data, info.format);
-            }
-        },
-        [&](const sstring&, const x509_key& info) {
-            creds.set_x509_key(info.cert, info.key, info.format);
-        },
-        [&](const sstring&, const pkcs12_simple& info) {
-            creds.set_simple_pkcs12(info.data, info.format, info.password);
-        }
-    ));
-
-    // TODO / Caveat:
-    // We cannot do this immediately, because we are not a continuation, and
-    // potentially blocking calls are a no-no.
-    // Doing this detached would be indeterministic, so set a flag in
-    // credentials, and do actual loading in first handshake (see session)
-    if (_blobs.count(system_trust)) {
-        creds._impl->_load_system_trust = true;
+    try {
+        auto result = _impl->get_x509_info();
+        return result;
+    } catch (...) {
+        return std::nullopt;
     }
+}
 
-    if (!_priority.empty()) {
-        creds.set_priority_string(_priority);
+std::optional<std::vector<cert_info>> tls::certificate_credentials::get_trust_list_info() const noexcept {
+    if (_impl == nullptr) {
+        return std::nullopt;
     }
 
-    creds._impl->set_client_auth(_client_auth);
-    // Note: this causes server session key rotation on cert reload
-    creds._impl->set_session_resume_mode(_session_resume_mode, std::span{_session_resume_key.begin(), _session_resume_key.end()});
-
-    if (!_alpn_protocols.empty()) {
-        creds._impl->set_alpn_protocols(_alpn_protocols);
+    try {
+        auto result = _impl->get_x509_trust_list_info();
+        return result;
+    } catch (...) {
+        return std::nullopt;
     }
 }
 
-shared_ptr<tls::certificate_credentials> tls::credentials_builder::build_certificate_credentials() const {
-    auto creds = make_shared<certificate_credentials>();
-    apply_to(*creds);
-    return creds;
-}
-
-shared_ptr<tls::server_credentials> tls::credentials_builder::build_server_credentials() const {
-    auto i = _blobs.find(dh_level_key);
-    if (i == _blobs.end()) {
+tls::server_credentials::server_credentials()
 #if GNUTLS_VERSION_NUMBER < 0x030600
-        throw std::invalid_argument("No DH level set");
-#else
-        auto creds = make_shared<server_credentials>();
-        apply_to(*creds);
-        return creds;
+    : server_credentials(dh_params{})
 #endif
-    }
-    auto creds = make_shared<server_credentials>(dh_params(std::any_cast<dh_params::level>(i->second)));
-    apply_to(*creds);
-    return creds;
-}
-
-using namespace std::chrono_literals;
-
-class tls::reloadable_credentials_base {
-public:
-    using delay_type = std::chrono::milliseconds;
-    static inline constexpr delay_type default_tolerance = 500ms;
-
-    class reloading_builder
-        : public credentials_builder
-        , public enable_shared_from_this<reloading_builder>
-    {
-    public:
-        using time_point = std::chrono::system_clock::time_point;
-
-        reloading_builder(credentials_builder b, reload_callback_ex cb, reloadable_credentials_base* creds, delay_type delay)
-            : credentials_builder(std::move(b))
-            , _cb(std::move(cb))
-            , _creds(creds)
-            , _delay(delay)
-        {}
-        future<> init() {
-            std::vector<future<>> futures;
-            visit_blobs(_blobs, make_visitor(
-                [&](const sstring&, const x509_simple& info) {
-                    _all_files.emplace(info.file.filename);
-                },
-                [&](const sstring&, const x509_key& info) {
-                    _all_files.emplace(info.cert_file.filename);
-                    _all_files.emplace(info.key_file.filename);
-                },
-                [&](const sstring&, const pkcs12_simple& info) {
-                    _all_files.emplace(info.file.filename);
-                }
-            ));
-            return parallel_for_each(_all_files, [this](auto& f) {
-                if (!f.empty()) {
-                    return add_watch(f).discard_result();
-                }
-                return make_ready_future<>();
-            }).finally([me = shared_from_this()] {});
-        }
-        void start() {
-            // run the loop in a thread. makes code almost readable.
-            (void)async(std::bind(&reloading_builder::run, this)).finally([me = shared_from_this()] {});
-        }
-        void run() {
-            while (_creds) {
-                try {
-                    auto events = _fsn.wait().get();
-                    if (events.empty() && _creds == nullptr) {
-                        return;
-                    }
-                    rebuild(events);
-                    _timer.cancel();
-                } catch (...) {
-                    if (!_timer.armed()) {
-                        _timer.set_callback([this, ep = std::current_exception()]() mutable {
-                            do_callback(std::move(ep));
-                        });
-                        _timer.arm(_delay);
-                    }
-                }
-            }
-        }
-        void detach() {
-            _creds = nullptr;
-            _cb = {};
-            _fsn.shutdown();
-            _timer.cancel();
-        }
-    private:
-        using fsnotifier = experimental::fsnotifier;
-
-        // called from seastar::thread
-        void rebuild(const std::vector<fsnotifier::event>& events) {
-            for (auto& e : events) {
-                // don't use at. We could be getting two events for
-                // same watch (mod + delete), but we only need to care
-                // about one...
-                auto i = _watches.find(e.id);
-                if (i != _watches.end()) {
-                    auto& filename = i->second.second;
-                    // only add actual file watches to
-                    // query set. If this was a directory
-                    // watch, the file should already be
-                    // in there.
-                    if (_all_files.count(filename)) {
-                        _files[filename] = e.mask;
-                    }
-                    _watches.erase(i);
-                }
-            }
-            auto num_changed = 0;
-
-            auto maybe_reload = [&](const sstring& filename, buffer_type& dst) {
-                if (filename.empty() || !_files.count(filename)) {
-                    return;
-                }
-                // #756
-                // first, add a watch to nearest parent dir we
-                // can find. If user deleted folders, we could end
-                // up looking at modifications to root.
-                // The idea is that should adding a watch to actual file
-                // fail (deleted file/folder), we wait for changes to closest
-                // parent. When this happens, we will retry all files
-                // that have not been successfully replaced (and maybe more),
-                // repeating the process. At some point, we hopefully
-                // get new, current data.
-                add_dir_watch(filename);
-                // #756 add watch _first_. File could change while we are
-                // reading this.
-                try {
-                    add_watch(filename).get();
-                } catch (...) {
-                    // let's just assume if this happens, it's because the file or folder was deleted.
-                    // just ignore for now, and hope the dir watch will tell us when it is back...
-                    return;
-                }
-                temporary_buffer<char> buf = read_fully(filename, "reloading").get();
-                dst = to_buffer(buf);
-                ++num_changed;
-            };
-            visit_blobs(_blobs, make_visitor(
-                [&](const sstring&, x509_simple& info) {
-                    maybe_reload(info.file.filename, info.data);
-                },
-                [&](const sstring&, x509_key& info) {
-                    maybe_reload(info.cert_file.filename, info.cert);
-                    maybe_reload(info.key_file.filename, info.key);
-                },
-                [&](const sstring&, pkcs12_simple& info) {
-                    maybe_reload(info.file.filename, info.data);
-                }
-            ));
-            // only try this if anything was in fact successfully loaded.
-            // if files were missing, or pairs incomplete, we can just skip.
-            if (num_changed == 0) {
-                return;
-            }
-            try {
-                // force rebuilding session resume mode key if
-                // enabled. should not reuse sessions across certificate
-                // change (should not work anyway)
-                set_session_resume_mode(_session_resume_mode);
-                if (_creds) {
-                    _creds->rebuild(*this);
-                }
-            } catch (...) {
-                if (std::any_of(_files.begin(), _files.end(), [](auto& p) { return p.second == fsnotifier::flags::ignored; })) {
-                    // if any file in the reload set was deleted - i.e. we have not seen a "closed" yet - assume
-                    // this is a spurious reload and we'd better wait for next event - hopefully a "closed" -
-                    // and try again
-                    return;
-                }
-                throw;
-            }
-            // if we got here, all files loaded, all watches were created,
-            // and gnutls was ok with the content. success.
-            do_callback();
-            on_success();
-        }
-        void on_success() {
-            _files.clear();
-            // remove all directory watches, since we've successfully
-            // reloaded -> the file watches themselves should suffice now
-            auto i = _watches.begin();
-            auto e = _watches.end();
-            while (i != e) {
-                if (!_all_files.count(i->second.second)) {
-                    i = _watches.erase(i);
-                    continue;
-                }
-                ++i;
-            }
-        }
-        void do_callback(std::exception_ptr ep = {}) {
-            if (_cb && !_files.empty()) {
-                _cb(*this, boost::copy_range<std::unordered_set<sstring>>(_files | boost::adaptors::map_keys), std::move(ep)).get();
-            }
-        }
-        // called from seastar::thread
-        fsnotifier::watch_token add_dir_watch(const sstring& filename) {
-            auto dir = std::filesystem::path(filename).parent_path();
-            for (;;) {
-                try {
-                    return add_watch(dir.native(), fsnotifier::flags::create_child | fsnotifier::flags::move).get();
-                } catch (...) {
-                    auto parent = dir.parent_path();
-                    if (parent.empty() || dir == parent) {
-                        throw;
-                    }
-                    dir = std::move(parent);
-                    continue;
-                }
-            }
-        }
-        future<fsnotifier::watch_token> add_watch(const sstring& filename, fsnotifier::flags flags = fsnotifier::flags::close_write|fsnotifier::flags::delete_self) {
-            return _fsn.create_watch(filename, flags).then([this, filename = filename](fsnotifier::watch w) {
-                auto t = w.token();
-                // we might create multiple watches for same token in case of dirs, avoid deleting previously
-                // created one
-                if (_watches.count(t)) {
-                    w.release();
-                } else {
-                    _watches.emplace(t, std::make_pair(std::move(w), filename));
-                }
-                return t;
-            });
-        }
-
-        reload_callback_ex _cb;
-        reloadable_credentials_base* _creds;
-        fsnotifier _fsn;
-        std::unordered_map<fsnotifier::watch_token, std::pair<fsnotifier::watch, sstring>> _watches;
-        std::unordered_map<sstring, fsnotifier::flags> _files;
-        std::unordered_set<sstring> _all_files;
-        timer<> _timer;
-        delay_type _delay;
-    };
-    reloadable_credentials_base(credentials_builder builder, reload_callback_ex cb, delay_type delay = default_tolerance)
-        : _builder(seastar::make_shared<reloading_builder>(std::move(builder), std::move(cb), this, delay))
-    {
-        _builder->start();
-    }
-    future<> init() {
-        return _builder->init();
-    }
-    virtual ~reloadable_credentials_base() {
-        _builder->detach();
-    }
-    virtual void rebuild(const credentials_builder&) = 0;
-private:
-    shared_ptr<reloading_builder> _builder;
-};
-
-template<typename Base>
-class tls::reloadable_credentials : public Base, public tls::reloadable_credentials_base {
-public:
-    reloadable_credentials(credentials_builder builder, reload_callback_ex cb, Base b, delay_type delay = default_tolerance)
-        : Base(std::move(b))
-        , tls::reloadable_credentials_base(std::move(builder), std::move(cb), delay)
-    {}
-    void rebuild(const credentials_builder&) override;
-};
+{}
 
-template<>
-void tls::reloadable_credentials<tls::certificate_credentials>::rebuild(const credentials_builder& builder) {
-    builder.rebuild(*this);
-}
+tls::server_credentials::server_credentials(shared_ptr<dh_params> dh)
+    : server_credentials(*dh)
+{}
 
-template<>
-void tls::reloadable_credentials<tls::server_credentials>::rebuild(const credentials_builder& builder) {
-    builder.rebuild(*this);
+tls::server_credentials::server_credentials(const dh_params& dh) {
+    _impl->dh_params(dh);
 }
 
-void tls::credentials_builder::rebuild(certificate_credentials& creds) const {
-    auto tmp = build_certificate_credentials();
-    creds._impl = std::move(tmp->_impl);
-}
+tls::server_credentials::server_credentials(server_credentials&&) noexcept = default;
+tls::server_credentials& tls::server_credentials::operator=(
+        server_credentials&&) noexcept = default;
 
-void tls::credentials_builder::rebuild(server_credentials& creds) const {
-    auto tmp = build_server_credentials();
-    creds._impl = std::move(tmp->_impl);
+void tls::server_credentials::set_client_auth(client_auth ca) {
+    _impl->set_client_auth(ca);
 }
 
-future<shared_ptr<tls::certificate_credentials>> tls::credentials_builder::build_reloadable_certificate_credentials(reload_callback_ex cb, std::optional<std::chrono::milliseconds> tolerance) const {
-    auto creds = seastar::make_shared<reloadable_credentials<tls::certificate_credentials>>(*this, std::move(cb), std::move(*build_certificate_credentials()), tolerance.value_or(reloadable_credentials_base::default_tolerance));
-    return creds->init().then([creds] {
-        return make_ready_future<shared_ptr<tls::certificate_credentials>>(creds);
-    });
+void tls::server_credentials::set_session_resume_mode(session_resume_mode m) {
+    _impl->set_session_resume_mode(m);
 }
 
-future<shared_ptr<tls::server_credentials>> tls::credentials_builder::build_reloadable_server_credentials(reload_callback_ex cb, std::optional<std::chrono::milliseconds> tolerance) const {
-    auto creds = seastar::make_shared<reloadable_credentials<tls::server_credentials>>(*this, std::move(cb), std::move(*build_server_credentials()), tolerance.value_or(reloadable_credentials_base::default_tolerance));
-    return creds->init().then([creds] {
-        return make_ready_future<shared_ptr<tls::server_credentials>>(creds);
-    });
+void tls::server_credentials::set_alpn_protocols(const std::vector<sstring>& protocols) {
+    _impl->set_alpn_protocols(protocols);
 }
 
-future<shared_ptr<tls::certificate_credentials>> tls::credentials_builder::build_reloadable_certificate_credentials(reload_callback cb, std::optional<std::chrono::milliseconds> tolerance) const {
-    return build_reloadable_certificate_credentials([cb = std::move(cb)](const credentials_builder&, const std::unordered_set<sstring>& files, std::exception_ptr p) {
-        cb(files, p);
-        return make_ready_future<>();
-    }, tolerance);
-}
+namespace tls {
 
-future<shared_ptr<tls::server_credentials>> tls::credentials_builder::build_reloadable_server_credentials(reload_callback cb, std::optional<std::chrono::milliseconds> tolerance) const {
-    return build_reloadable_server_credentials([cb = std::move(cb)](const credentials_builder&, const std::unordered_set<sstring>& files, std::exception_ptr p) {
-        cb(files, p);
-        return make_ready_future<>();
-    }, tolerance);
+std::vector<uint8_t> generate_session_ticket_key() {
+    gnutls_datum key;
+    gtls_chk(gnutls_session_ticket_key_generate(&key));
+    return {key.data, key.data + key.size};
 }
 
-namespace tls {
-
 /**
  * Session wraps gnutls session, and is the
  * actual conduit for an TLS/SSL data flow.
@@ -1122,7 +648,7 @@ namespace tls {
  * of these, since we handle handshake etc.
  *
  */
-class session : public enable_lw_shared_from_this<session> {
+class session : public enable_shared_from_this<session>, public session_impl {
 public:
     enum class type
         : uint32_t {
@@ -1212,6 +738,10 @@ class session : public enable_lw_shared_from_this<session> {
         SEASTAR_ASSERT(_output_pending.available());
     }
 
+    const char * get_type_string() const {
+        return _type == type::CLIENT ? "Client": "Server";
+    }
+
     typedef temporary_buffer<char> buf_type;
 
     sstring cert_status_to_string(gnutls_certificate_type_t type, unsigned int status) {
@@ -1424,7 +954,7 @@ class session : public enable_lw_shared_from_this<session> {
         }
     }
 
-    future<temporary_buffer<char>> get() {
+    future<temporary_buffer<char>> get() override {
         if (_error) {
             return make_exception_future<temporary_buffer<char>>(_error);
         }
@@ -1516,7 +1046,7 @@ class session : public enable_lw_shared_from_this<session> {
             });
         });
     }
-    future<> put(net::packet p) {
+    future<> put(net::packet p) override {
         if (_error) {
             return make_exception_future<>(_error);
         }
@@ -1678,7 +1208,7 @@ class session : public enable_lw_shared_from_this<session> {
         // below, get pre-empted, have "close()" finish, get freed, and
         // then call wait_for_eof on stale pointer.
     }
-    void close() noexcept {
+    void close() noexcept override {
         // only do once.
         if (!std::exchange(_shutdown, true)) {
             auto me = shared_from_this();
@@ -1705,13 +1235,13 @@ class session : public enable_lw_shared_from_this<session> {
         }
     }
     // helper for sink
-    future<> flush() noexcept {
+    future<> flush() noexcept override {
         return with_semaphore(_out_sem, 1, [this] {
             return _out.flush();
         });
     }
 
-    seastar::net::connected_socket_impl& socket() const {
+    seastar::net::connected_socket_impl& socket() const override {
         return *_sock;
     }
 
@@ -1736,12 +1266,12 @@ class session : public enable_lw_shared_from_this<session> {
         return futurize_invoke(f, std::forward<Args>(args)...);
     }
 
-    future<bool> is_resumed() {
+    future<bool> is_resumed() override {
         return state_checked_access([this] {
             return gnutls_session_is_resumed(*this) != 0;
         });
     }
-    future<session_data> get_session_resume_data() {
+    future<session_data> get_session_resume_data() override {
         return state_checked_access([this] {
             /**
              * Session ticket data is not available just because handshake
@@ -1762,12 +1292,13 @@ class session : public enable_lw_shared_from_this<session> {
             return session_data(tmp.data, tmp.data + tmp.size);
         });
     }
-    future<std::optional<session_dn>> get_distinguished_name() {
+    future<std::optional<session_dn>> get_distinguished_name(dn_format) override {
+        // Ignoring parameter as GnuTLS does not provide a mechanism to change the format
         return state_checked_access([this] {
             return extract_dn_information();
         });
     }
-    future<std::vector<subject_alt_name>> get_alt_name_information(std::unordered_set<subject_alt_name_type> types) {
+    future<std::vector<subject_alt_name>> get_alt_name_information(std::unordered_set<subject_alt_name_type> types) override {
         return state_checked_access([this](std::unordered_set<subject_alt_name_type> types) {
             std::vector<subject_alt_name> res;
 
@@ -1844,7 +1375,7 @@ class session : public enable_lw_shared_from_this<session> {
         }, std::move(types));
     }
 
-    future<std::vector<certificate_data>> get_peer_certificate_chain() {
+    future<std::vector<certificate_data>> get_peer_certificate_chain() override {
         return state_checked_access([this] {
             unsigned int list_size = 0;
             const gnutls_datum_t* client_cert_list = gnutls_certificate_get_peers(*this, &list_size);
@@ -1860,7 +1391,7 @@ class session : public enable_lw_shared_from_this<session> {
         });
     }
 
-    future<std::optional<sstring>> get_selected_alpn_protocol() {
+    future<std::optional<sstring>> get_selected_alpn_protocol() override {
         return state_checked_access([this]() -> std::optional<sstring> {
             gnutls_datum_t selected_proto_datum = { nullptr, 0 };
             int rv = gnutls_alpn_get_selected_protocol(*this, &selected_proto_datum);
@@ -1873,13 +1404,13 @@ class session : public enable_lw_shared_from_this<session> {
 
     struct session_ref;
 
-    future<sstring> get_cipher_suite() {
+    future<sstring> get_cipher_suite() override {
         return state_checked_access([this] {
             return sstring(gnutls_ciphersuite_get(*this));
         });
     }
 
-    future<sstring> get_protocol_version() {
+    future<sstring> get_protocol_version() override {
         return state_checked_access([this]() {
             return sstring(gnutls_protocol_get_name(gnutls_protocol_get_version(*this)));
         });
@@ -1939,236 +1470,6 @@ class session : public enable_lw_shared_from_this<session> {
     std::unique_ptr<std::remove_pointer_t<gnutls_session_t>, void(*)(gnutls_session_t)> _session;
 };
 
-struct session::session_ref {
-    session_ref() = default;
-    session_ref(lw_shared_ptr<session> session)
-                    : _session(std::move(session)) {
-    }
-    session_ref(session_ref&&) = default;
-    session_ref(const session_ref&) = default;
-    ~session_ref() {
-        // This is not super pretty. But we take some care to only own sessions
-        // through session_ref, and we need to initiate shutdown on "last owner",
-        // since we cannot revive the session in destructor.
-        if (_session && _session.use_count() == 1) {
-            _session->close();
-        }
-    }
-
-    session_ref& operator=(session_ref&&) = default;
-    session_ref& operator=(const session_ref&) = default;
-
-    lw_shared_ptr<session> _session;
-};
-
-class tls_connected_socket_impl : public net::connected_socket_impl, public session::session_ref {
-public:
-    tls_connected_socket_impl(session_ref&& sess)
-        : session_ref(std::move(sess))
-    {}
-
-    class source_impl;
-    class sink_impl;
-
-    using net::connected_socket_impl::source;
-    data_source source() override;
-    data_sink sink() override;
-
-    void shutdown_input() override {
-        _session->close();
-    }
-    void shutdown_output() override {
-        _session->close();
-    }
-    void set_nodelay(bool nodelay) override {
-        _session->socket().set_nodelay(nodelay);
-    }
-    bool get_nodelay() const override {
-        return _session->socket().get_nodelay();
-    }
-    void set_keepalive(bool keepalive) override {
-        _session->socket().set_keepalive(keepalive);
-    }
-    bool get_keepalive() const override {
-        return _session->socket().get_keepalive();
-    }
-    void set_keepalive_parameters(const net::keepalive_params& p) override {
-        _session->socket().set_keepalive_parameters(p);
-    }
-    net::keepalive_params get_keepalive_parameters() const override {
-        return _session->socket().get_keepalive_parameters();
-    }
-    void set_sockopt(int level, int optname, const void* data, size_t len) override {
-        _session->socket().set_sockopt(level, optname, data, len);
-    }
-    int get_sockopt(int level, int optname, void* data, size_t len) const override {
-        return _session->socket().get_sockopt(level, optname, data, len);
-    }
-    socket_address local_address() const noexcept override {
-        return _session->socket().local_address();
-    }
-    socket_address remote_address() const noexcept override {
-        return _session->socket().remote_address();
-    }
-    future<std::optional<session_dn>> get_distinguished_name() {
-        return _session->get_distinguished_name();
-    }
-    future<std::vector<subject_alt_name>> get_alt_name_information(std::unordered_set<subject_alt_name_type> types) {
-        return _session->get_alt_name_information(std::move(types));
-    }
-    future<std::vector<certificate_data>> get_peer_certificate_chain() {
-        return _session->get_peer_certificate_chain();
-    }
-    future<> wait_input_shutdown() override {
-        return _session->socket().wait_input_shutdown();
-    }
-    future<bool> check_session_is_resumed() {
-        return _session->is_resumed();
-    }
-    future<session_data> get_session_resume_data() {
-        return _session->get_session_resume_data();
-    }
-    future<std::optional<sstring>> get_selected_alpn_protocol() {
-        return _session->get_selected_alpn_protocol();
-    }
-    future<sstring> get_cipher_suite() const {
-        return _session->get_cipher_suite();
-    }
-    future<sstring> get_protocol_version() const {
-        return _session->get_protocol_version();
-    }
-};
-
-
-class tls_connected_socket_impl::source_impl: public data_source_impl, public session::session_ref {
-public:
-    using session_ref::session_ref;
-private:
-    future<temporary_buffer<char>> get() override {
-        return _session->get();
-    }
-    future<> close() override {
-        _session->close();
-        return make_ready_future<>();
-    }
-};
-
-// Note: source/sink, and by extension, the in/out streams
-// produced, cannot exist outside the direct life span of
-// the connected_socket itself. This is consistent with
-// other sockets in seastar, though I am than less fond of it...
-class tls_connected_socket_impl::sink_impl: public data_sink_impl, public session::session_ref {
-public:
-    using session_ref::session_ref;
-private:
-    future<> flush() override {
-        return _session->flush();
-    }
-    using data_sink_impl::put;
-    future<> put(net::packet p) override {
-        return _session->put(std::move(p));
-    }
-    future<> close() override {
-        _session->close();
-        return make_ready_future<>();
-    }
-    bool can_batch_flushes() const noexcept override { return true; }
-    void on_batch_flush_error() noexcept override {
-        _session->close();
-    }
-};
-
-class server_session : public net::server_socket_impl {
-public:
-    server_session(shared_ptr<server_credentials> creds, server_socket sock)
-            : _creds(std::move(creds)), _sock(std::move(sock)) {
-    }
-    future<accept_result> accept() override {
-        // We're not actually doing anything very SSL until we get
-        // an actual connection. Then we create a "server" session
-        // and wrap it up after handshaking.
-        return _sock.accept().then([this](accept_result ar) {
-            return wrap_server(_creds, std::move(ar.connection)).then([addr = std::move(ar.remote_address)](connected_socket s) {
-                return make_ready_future<accept_result>(accept_result{std::move(s), addr});
-            });
-        });
-    }
-    void abort_accept() override  {
-        _sock.abort_accept();
-    }
-    socket_address local_address() const override {
-        return _sock.local_address();
-    }
-private:
-
-    shared_ptr<server_credentials> _creds;
-    server_socket _sock;
-};
-
-class tls_socket_impl : public net::socket_impl {
-    shared_ptr<certificate_credentials> _cred;
-    tls_options _options;
-    ::seastar::socket _socket;
-public:
-    tls_socket_impl(shared_ptr<certificate_credentials> cred, tls_options options)
-            : _cred(cred), _options(std::move(options)), _socket(make_socket()) {
-    }
-    virtual future<connected_socket> connect(socket_address sa, socket_address local, transport proto = transport::TCP) override {
-        return _socket.connect(sa, local, proto).then([cred = std::move(_cred), options = std::move(_options)](connected_socket s) mutable {
-            return wrap_client(cred, std::move(s), std::move(options));
-        });
-    }
-    void set_reuseaddr(bool reuseaddr) override {
-      _socket.set_reuseaddr(reuseaddr);
-    }
-    bool get_reuseaddr() const override {
-      return _socket.get_reuseaddr();
-    }
-    virtual void shutdown() override {
-        _socket.shutdown();
-    }
-};
-
-}
-
-data_source tls::tls_connected_socket_impl::source() {
-    return data_source(std::make_unique<source_impl>(_session));
-}
-
-data_sink tls::tls_connected_socket_impl::sink() {
-    return data_sink(std::make_unique<sink_impl>(_session));
-}
-
-
-future<connected_socket> tls::connect(shared_ptr<certificate_credentials> cred, socket_address sa, sstring name) {
-    tls_options options{.server_name = std::move(name)};
-    return connect(std::move(cred), std::move(sa), std::move(options));
-}
-
-future<connected_socket> tls::connect(shared_ptr<certificate_credentials> cred, socket_address sa, socket_address local, sstring name) {
-    tls_options options{.server_name = std::move(name)};
-    return connect(std::move(cred), std::move(sa), std::move(local), std::move(options));
-}
-
-future<connected_socket> tls::connect(shared_ptr<certificate_credentials> cred, socket_address sa, tls_options options) {
-    return engine().connect(sa).then([cred = std::move(cred), options = std::move(options)](connected_socket s) mutable {
-        return wrap_client(std::move(cred), std::move(s), std::move(options));
-    });
-}
-
-future<connected_socket> tls::connect(shared_ptr<certificate_credentials> cred, socket_address sa, socket_address local, tls_options options) {
-    return engine().connect(sa, local).then([cred = std::move(cred), options = std::move(options)](connected_socket s) mutable {
-        return wrap_client(std::move(cred), std::move(s), std::move(options));
-    });
-}
-
-socket tls::socket(shared_ptr<certificate_credentials> cred, sstring name) {
-    tls_options options{.server_name = std::move(name)};
-    return tls::socket(std::move(cred), std::move(options));
-}
-
-socket tls::socket(shared_ptr<certificate_credentials> cred, tls_options options) {
-    return ::seastar::socket(std::make_unique<tls_socket_impl>(std::move(cred), std::move(options)));
 }
 
 future<connected_socket> tls::wrap_client(shared_ptr<certificate_credentials> cred, connected_socket&& s, sstring name) {
@@ -2177,106 +1478,17 @@ future<connected_socket> tls::wrap_client(shared_ptr<certificate_credentials> cr
 }
 
 future<connected_socket> tls::wrap_client(shared_ptr<certificate_credentials> cred, connected_socket&& s, tls_options options) {
-    session::session_ref sess(make_lw_shared<session>(session::type::CLIENT, std::move(cred), std::move(s),  options));
+    session_ref sess(seastar::make_shared<session>(session::type::CLIENT, std::move(cred), std::move(s),  options));
     connected_socket sock(std::make_unique<tls_connected_socket_impl>(std::move(sess)));
     return make_ready_future<connected_socket>(std::move(sock));
 }
 
 future<connected_socket> tls::wrap_server(shared_ptr<server_credentials> cred, connected_socket&& s) {
-    session::session_ref sess(make_lw_shared<session>(session::type::SERVER, std::move(cred), std::move(s)));
+    session_ref sess(seastar::make_shared<session>(session::type::SERVER, std::move(cred), std::move(s)));
     connected_socket sock(std::make_unique<tls_connected_socket_impl>(std::move(sess)));
     return make_ready_future<connected_socket>(std::move(sock));
 }
 
-server_socket tls::listen(shared_ptr<server_credentials> creds, socket_address sa, listen_options opts) {
-    return listen(std::move(creds), seastar::listen(sa, opts));
-}
-
-server_socket tls::listen(shared_ptr<server_credentials> creds, server_socket ss) {
-    server_socket ssls(std::make_unique<server_session>(creds, std::move(ss)));
-    return server_socket(std::move(ssls));
-}
-
-static tls::tls_connected_socket_impl* get_tls_socket(connected_socket& socket) {
-    auto impl = net::get_impl::maybe_get_ptr(socket);
-    if (impl == nullptr) {
-        // the socket is not yet created or moved from
-        throw std::system_error(ENOTCONN, std::system_category());
-    }
-    auto tls_impl = dynamic_cast<tls::tls_connected_socket_impl*>(impl);
-    if (!tls_impl) {
-        // bad cast here means that we're dealing with wrong socket type
-        throw std::invalid_argument("Not a TLS socket");
-    }
-    return tls_impl;
-}
-
-future<std::optional<session_dn>> tls::get_dn_information(connected_socket& socket) {
-    return get_tls_socket(socket)->get_distinguished_name();
-}
-
-future<std::vector<tls::subject_alt_name>> tls::get_alt_name_information(connected_socket& socket, std::unordered_set<subject_alt_name_type> types) {
-    return get_tls_socket(socket)->get_alt_name_information(std::move(types));
-}
-
-future<std::vector<tls::certificate_data>> tls::get_peer_certificate_chain(connected_socket& socket) {
-    return get_tls_socket(socket)->get_peer_certificate_chain();
-}
-
-future<bool> tls::check_session_is_resumed(connected_socket& socket) {
-    return get_tls_socket(socket)->check_session_is_resumed();
-}
-
-future<tls::session_data> tls::get_session_resume_data(connected_socket& socket) {
-    return get_tls_socket(socket)->get_session_resume_data();
-}
-
-future<std::optional<sstring>> tls::get_selected_alpn_protocol(connected_socket& socket) {
-    return get_tls_socket(socket)->get_selected_alpn_protocol();
-}
-
-future<sstring> tls::get_cipher_suite(connected_socket& socket) {
-    return get_tls_socket(socket)->get_cipher_suite();
-}
-
-future<sstring> tls::get_protocol_version(connected_socket& socket) {
-    return get_tls_socket(socket)->get_protocol_version();
-}
-
-std::string_view tls::format_as(subject_alt_name_type type) {
-    switch (type) {
-        case subject_alt_name_type::dnsname:
-            return "DNS";
-        case subject_alt_name_type::rfc822name:
-            return "EMAIL";
-        case subject_alt_name_type::uri:
-            return "URI";
-        case subject_alt_name_type::ipaddress:
-            return "IP";
-        case subject_alt_name_type::othername:
-            return "OTHERNAME";
-        case subject_alt_name_type::dn:
-            return "DIRNAME";
-        default:
-            return "UNKNOWN";
-    }
-}
-
-std::ostream& tls::operator<<(std::ostream& os, subject_alt_name_type type) {
-    return os << format_as(type);
-}
-
-std::ostream& tls::operator<<(std::ostream& os, const subject_alt_name::value_type& v) {
-    fmt::print(os, "{}", v);
-    return os;
-}
-
-std::ostream& tls::operator<<(std::ostream& os, const subject_alt_name& a) {
-    fmt::print(os, "{}", a);
-    return os;
-}
-
-
 }
 
 const int seastar::tls::ERROR_UNKNOWN_COMPRESSION_ALGORITHM = GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
diff --git a/src/rpc/rpc.cc b/src/rpc/rpc.cc
index 194f22885e1..ef404219a78 100644
--- a/src/rpc/rpc.cc
+++ b/src/rpc/rpc.cc
@@ -91,7 +91,7 @@ T make_shard_local_buffer_copy(foreign_ptr<std::unique_ptr<T>> org) {
         newbufs.reserve(orgbufs.size());
         deleter d = make_object_deleter(std::move(org));
         for (auto&& b : orgbufs) {
-            newbufs.emplace_back(b.get_write(), b.size(), d.share());
+            newbufs.push_back(temporary_buffer<char>(b.get_write(), b.size(), d.share()));
         }
         buf.bufs = std::move(newbufs);
     }
diff --git a/src/seastar.cc b/src/seastar.cc
index c4b1f0c7d52..51dafc838f6 100644
--- a/src/seastar.cc
+++ b/src/seastar.cc
@@ -121,7 +121,11 @@ module;
 #include <fmt/ostream.h>
 #include <fmt/ranges.h>
 #include <fmt/printf.h>
+#ifdef SEASTAR_USE_OPENSSL
+#include <openssl/evp.h>
+#else
 #include <gnutls/crypto.h>
+#endif
 #ifdef SEASTAR_HAVE_HWLOC
 #include <hwloc.h>
 #endif
@@ -345,6 +349,7 @@ module : private;
 #include <seastar/net/virtio.hh>
 
 #include "net/native-stack-impl.hh"
+#include "net/tls-impl.hh"
 
 #include <seastar/http/url.hh>
 #include <seastar/http/internal/content_source.hh>
diff --git a/src/util/backtrace.cc b/src/util/backtrace.cc
index d561c344646..0765384685e 100644
--- a/src/util/backtrace.cc
+++ b/src/util/backtrace.cc
@@ -94,6 +94,18 @@ frame decorate(uintptr_t addr) noexcept {
     return {&so, addr - so.begin};
 }
 
+#ifndef SEASTAR_BACKTRACE_UNIMPLEMENTED
+int guarded_backtrace(void **array, int size) noexcept {
+    static thread_local internal::signal_mutex mux{};
+    // ::backtrace isn't re-entrant so avoid calling it concurrently from the same thread.
+    if (auto guard_opt = mux.try_lock(); guard_opt.has_value()) {
+        return ::backtrace(array, size);
+    }
+
+    return 0;
+}
+#endif
+
 simple_backtrace current_backtrace_tasklocal() noexcept {
     simple_backtrace::vector_type v;
     backtrace([&] (frame f) {
diff --git a/src/websocket/common.cc b/src/websocket/common.cc
index c1d56f3852a..4203ade68c7 100644
--- a/src/websocket/common.cc
+++ b/src/websocket/common.cc
@@ -24,8 +24,15 @@
 #include <seastar/core/when_all.hh>
 #include <seastar/util/assert.hh>
 #include <seastar/util/defer.hh>
+
+#ifdef SEASTAR_USE_OPENSSL
+#include <openssl/evp.h>
+#elif defined(SEASTAR_USE_GNUTLS)
 #include <gnutls/crypto.h>
 #include <gnutls/gnutls.h>
+#else
+#error "Unknown cryptographic provider"
+#endif
 
 namespace seastar::experimental::websocket {
 
@@ -130,15 +137,42 @@ future<> connection::read_one() {
 
 std::string sha1_base64(std::string_view source) {
     unsigned char hash[20];
+#ifdef SEASTAR_USE_OPENSSL
+    unsigned int hash_size = sizeof(hash);
+    auto md_ptr = EVP_MD_fetch(nullptr, "SHA1", nullptr);
+    if (!md_ptr) {
+        throw websocket::exception("Failed to fetch SHA-1 algorithm from OpenSSL");
+    }
+
+    auto free_evp_md_ptr =
+        defer([&]() noexcept  { EVP_MD_free(md_ptr); });
+
+    SEASTAR_ASSERT(hash_size == static_cast<unsigned int>(EVP_MD_get_size(md_ptr)));
+
+    if (1 != EVP_Digest(source.data(), source.size(), hash, &hash_size, md_ptr, nullptr)) {
+        throw websocket::exception("Failed to perform SHA-1 digest in OpenSSL");
+    }
+#elif defined(SEASTAR_USE_GNUTLS)
     SEASTAR_ASSERT(sizeof(hash) == gnutls_hash_get_len(GNUTLS_DIG_SHA1));
     if (int ret = gnutls_hash_fast(GNUTLS_DIG_SHA1, source.data(), source.size(), hash);
         ret != GNUTLS_E_SUCCESS) {
         throw websocket::exception(fmt::format("gnutls_hash_fast: {}", gnutls_strerror(ret)));
     }
+#else
+#error "Unknown cryptographic provider"
+#endif
     return encode_base64(std::string_view(reinterpret_cast<const char*>(hash), sizeof(hash)));
 }
 
 std::string encode_base64(std::string_view source) {
+#ifdef SEASTAR_USE_OPENSSL
+    const auto encode_capacity = [](size_t input_size) {
+        return (((4 * input_size) / 3) + 3) & ~0x3U;
+    };
+    auto base64_encoded = uninitialized_string<std::string>(encode_capacity(source.size()));
+    EVP_EncodeBlock(reinterpret_cast<unsigned char *>(base64_encoded.data()), reinterpret_cast<const unsigned char *>(source.data()), source.size());
+    return base64_encoded;
+#elif defined(SEASTAR_USE_GNUTLS)
     gnutls_datum_t src_data{
         .data = reinterpret_cast<uint8_t*>(const_cast<char*>(source.data())),
         .size = static_cast<unsigned>(source.size())
@@ -150,6 +184,9 @@ std::string encode_base64(std::string_view source) {
     auto free_encoded_data = defer([&] () noexcept { gnutls_free(encoded_data.data); });
     // base64_encoded.data is "unsigned char *"
     return std::string(reinterpret_cast<const char*>(encoded_data.data), encoded_data.size);
+#else
+#error "Unknown cryptographic provider"
+#endif
 }
 
 }
diff --git a/tests/perf/linux_perf_event.cc b/tests/perf/linux_perf_event.cc
index b4c76c0014e..54c38aa64c4 100644
--- a/tests/perf/linux_perf_event.cc
+++ b/tests/perf/linux_perf_event.cc
@@ -62,8 +62,7 @@ linux_perf_event::read() {
         return 0;
     }
     uint64_t ret;
-    auto res = ::read(_fd, &ret, sizeof(ret));
-    SEASTAR_ASSERT(res == sizeof(ret) && "read(2) failed on perf_event fd");
+    (void)::read(_fd, &ret, sizeof(ret));
     return ret;
 }
 
diff --git a/tests/unit/CMakeLists.txt b/tests/unit/CMakeLists.txt
index 2ecd66ec28f..6aa1585cde2 100644
--- a/tests/unit/CMakeLists.txt
+++ b/tests/unit/CMakeLists.txt
@@ -370,6 +370,9 @@ seastar_add_test (lowres_clock
 seastar_add_test (metrics
   SOURCES metrics_test.cc)
 
+seastar_add_test (metrics_family_replication
+  SOURCES metric_family_replication_test.cc)
+
 seastar_add_test (net_config
   KIND BOOST
   SOURCES net_config_test.cc)
@@ -378,6 +381,10 @@ seastar_add_test (noncopyable_function
   KIND BOOST
   SOURCES noncopyable_function_test.cc)
 
+seastar_add_test (cpu_profiler_alloc
+  KIND BOOST
+  SOURCES cpu_profiler_alloc_test.cc)
+
 seastar_add_test (output_stream
   SOURCES output_stream_test.cc)
 
@@ -438,6 +445,9 @@ seastar_add_test (sstring
 seastar_add_test (stall_detector
   SOURCES stall_detector_test.cc)
 
+seastar_add_test (cpu_profiler
+  SOURCES cpu_profiler_test.cc)
+
 seastar_add_test (stream_reader
   SOURCES stream_reader_test.cc)
 
@@ -468,10 +478,6 @@ seastar_add_test (source_location
 seastar_add_test (shared_token_bucket
   SOURCES shared_token_bucket_test.cc)
 
-seastar_add_test (prometheus_http
-  SOURCES
-    prometheus_http_test.cc)
-
 function(seastar_add_certgen name)
   cmake_parse_arguments(CERT
     ""
@@ -571,12 +577,11 @@ function(seastar_add_certgen name)
     WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
   )
   add_custom_command(OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/${CERT_CAROOT}"
-    COMMAND ${OPENSSL} req -x509 -new -nodes -key ${CERT_CAPRIVKEY} -days ${CERT_DAYS} -config ${CERT_NAME}.cfg -out ${CERT_CAROOT}
+    COMMAND ${OPENSSL} req -x509 -new -nodes -key ${CERT_CAPRIVKEY} -days ${CERT_DAYS} -config ${CERT_NAME}.cfg -out ${CERT_CAROOT} -extensions v3_ca
     DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/${CERT_CAPRIVKEY}" "${CMAKE_CURRENT_BINARY_DIR}/${CERT_NAME}.cfg"
     WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
   )
 
-
   add_custom_command(OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/${CERT_CERT}"
     COMMAND ${OPENSSL} x509 -req -in ${CERT_REQ} -CA ${CERT_CAROOT} -CAkey ${CERT_CAPRIVKEY} -CAcreateserial -out ${CERT_CERT} -days ${CERT_DAYS} -extensions req_ext -extfile ${CERT_NAME}.cfg
     DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/${CERT_REQ}"  "${CMAKE_CURRENT_BINARY_DIR}/${CERT_CAROOT}" "${CMAKE_CURRENT_BINARY_DIR}/${CERT_NAME}.cfg"
@@ -665,7 +670,7 @@ function(seastar_gen_mtls_certs)
   seastar_sign_cert("mtls_server"
     CA ${cert_ca}
     SERIAL_NUM 1
-    COMMON_NAME "redpanda.com")
+    COMMON_NAME "server.org")
   # client1 certificates
   seastar_sign_cert("mtls_client1"
     CA ${cert_ca}
diff --git a/tests/unit/cpu_profiler_alloc_test.cc b/tests/unit/cpu_profiler_alloc_test.cc
new file mode 100644
index 00000000000..2e601ac5cfd
--- /dev/null
+++ b/tests/unit/cpu_profiler_alloc_test.cc
@@ -0,0 +1,66 @@
+/* This file is open source software, licensed to you under the terms
+ * of the Apache License, Version 2.0 (the "License").  See the NOTICE file
+ * distributed with this work for additional information regarding copyright
+ * ownership.  You may not use this file except in compliance with the License.
+ *
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+/*
+ * Copyright (C) 2023 ScyllaDB Ltd.
+ */
+
+#include <chrono>
+#define BOOST_TEST_MODULE core
+
+#include <boost/test/unit_test.hpp>
+
+#include <string_view>
+#include <concepts>
+#include <seastar/core/internal/cpu_profiler.hh>
+#include <seastar/core/memory.hh>
+#include <seastar/core/smp.hh>
+
+template <typename Func>
+requires (std::is_invocable_v<Func>)
+void check_function_allocation(const char *name, size_t expected_allocs, Func f) {
+  auto before = seastar::memory::stats();
+  f();
+  auto after = seastar::memory::stats();
+
+  BOOST_TEST_INFO("After function: " << name);
+  BOOST_REQUIRE_EQUAL(expected_allocs, after.mallocs() - before.mallocs());
+}
+
+class cpu_profiler_test : public seastar::internal::cpu_profiler {
+public:
+  cpu_profiler_test(seastar::internal::cpu_profiler_config cfg)
+      : seastar::internal::cpu_profiler(cfg) {}
+
+  virtual ~cpu_profiler_test() override = default;
+  virtual void arm_timer(std::chrono::nanoseconds) override {
+    // noop
+  }
+  virtual void disarm_timer() override {
+    // noop
+  }
+};
+
+BOOST_AUTO_TEST_CASE(signal_handler_doesnt_alloc) {
+  cpu_profiler_test profiler(seastar::internal::cpu_profiler_config{
+      true, std::chrono::milliseconds(1)});
+  profiler.start();
+  check_function_allocation("cpu_profiler_on_signal", 0, [&profiler] {
+    for (int i = 0; i < 1'000'000; i++) {
+      profiler.on_signal();
+    }
+  });
+}
diff --git a/tests/unit/cpu_profiler_test.cc b/tests/unit/cpu_profiler_test.cc
new file mode 100644
index 00000000000..92734977d8d
--- /dev/null
+++ b/tests/unit/cpu_profiler_test.cc
@@ -0,0 +1,391 @@
+/*
+ * This file is open source software, licensed to you under the terms
+ * of the Apache License, Version 2.0 (the "License").  See the NOTICE file
+ * distributed with this work for additional information regarding copyright
+ * ownership.  You may not use this file except in compliance with the License.
+ *
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+/*
+ * Copyright (C) 2023 ScyllaDB Ltd.
+ */
+
+#include <atomic>
+#include <chrono>
+#include <cstddef>
+
+#include <seastar/core/internal/cpu_profiler.hh>
+#include <seastar/core/internal/stall_detector.hh>
+#include <seastar/core/loop.hh>
+#include <seastar/core/reactor.hh>
+#include <seastar/core/scheduling.hh>
+#include <seastar/core/thread_cputime_clock.hh>
+#include <seastar/core/with_scheduling_group.hh>
+#include <seastar/testing/test_case.hh>
+#include <seastar/testing/thread_test_case.hh>
+#include <seastar/util/backtrace.hh>
+#include <seastar/util/defer.hh>
+#include <seastar/util/later.hh>
+
+#include "stall_detector_test_utilities.hh"
+
+#include <sys/mman.h>
+
+#include <boost/test/tools/old/interface.hpp>
+
+#ifdef SEASTAR_BACKTRACE_UNIMPLEMENTED
+
+// If backtrace is not implemented, we cannot test the profiler.
+// empty test case to satisfy the requirement that there is at least one test case
+SEASTAR_THREAD_TEST_CASE(simple_case) {
+}
+
+#else
+
+namespace {
+
+// If true, the acceptable thresholds are greatly increased "close enough"
+// checks, which can reduce the flakiness on heavily loaded or otherwise
+// unpredictable systems. If false, the thresholds are much stricter and
+// should be used for more deterministic systems.
+// We default to true to avoid flakes in CI, but when running locally you
+// can consider setting this to false to get a more accurate picture of
+// the profiler's behavior.
+constexpr bool use_loose_thresholds = true;
+
+struct temporary_profiler_settings {
+    std::chrono::nanoseconds prev_ns;
+    bool prev_enabled;
+
+    temporary_profiler_settings(bool enable, std::chrono::nanoseconds ns) {
+        prev_ns = engine().get_cpu_profiler_period();
+        prev_enabled = engine().get_cpu_profiler_enabled();
+
+        engine().set_cpu_profiler_period(ns);
+        engine().set_cpu_profiler_enabled(enable);
+    }
+
+    ~temporary_profiler_settings() {
+        engine().set_cpu_profiler_period(prev_ns);
+        engine().set_cpu_profiler_enabled(prev_enabled);
+    }
+};
+
+// If we set a timer to fire in N ms we can expect it to fire between N and (N + E) ms from
+// when it was set. Where E is some fixed error that arises from how granular a given timer
+// is. Therefore over a given period of time, M, if the timer is continously reset every
+// time it fires we can expect the timer to fire between M/N and M/(N+E) times.
+//
+// The function below takes this error into account and allows the actual samples taken
+// to be slightly less than the expect number of samples if there was no error.
+bool close_to_expected(size_t actual_size, size_t expected_size) {
+
+    constexpr double allowed_dev = 0.15;
+
+    size_t lower_bound, upper_bound;
+
+    if (use_loose_thresholds) {
+        // widen the thresholds a lot
+        lower_bound = round(pow(1 - allowed_dev, 4)) * expected_size;
+        upper_bound = round(pow(1 + allowed_dev, 4)) * expected_size;
+    } else {
+        lower_bound = round((1 - allowed_dev) * expected_size);
+        upper_bound = round((1 + allowed_dev) * expected_size);
+    }
+
+    BOOST_TEST_INFO("actual_size: " << actual_size << ", lower_bound " << lower_bound << ", upper_bound " << upper_bound);
+
+    return actual_size <= upper_bound && actual_size >= lower_bound;
+}
+
+// If loose thresholds are enabled, this call maps to close_to_exepected, otherwise
+// it does an exact equality check.
+void maybe_exact(size_t actual, size_t expected, auto message) {
+    BOOST_TEST_INFO(message);
+    if (use_loose_thresholds) {
+        close_to_expected(actual, expected);
+    } else {
+        BOOST_REQUIRE_EQUAL(actual, expected);
+    }
+}
+
+/*
+ * Get the current profile results and dropped count. If sg_in_main is true, also validates that
+ * the sg associated with the profile is always main, as we expect unless some SG have been
+ * created explicitly.
+ */
+std::pair<std::vector<cpu_profiler_trace>, size_t> get_profile_and_dropped(bool sg_is_main = true) {
+    std::vector<cpu_profiler_trace> results;
+    auto dropped = engine().profiler_results(results);
+
+    for (auto& result: results) {
+        BOOST_CHECK(result.sg == default_scheduling_group());
+    }
+
+    return {results, dropped};
+}
+
+
+// get profile and validate results
+std::vector<cpu_profiler_trace> get_profile() {
+    return get_profile_and_dropped().first;
+}
+
+}
+
+
+
+SEASTAR_THREAD_TEST_CASE(config_case) {
+    // Ensure that repeatedly configuring the profiler results
+    // in expected behavior.
+    {
+        temporary_profiler_settings cp_0{true, 10ms};
+        temporary_profiler_settings cp_1{true, 20ms};
+        temporary_profiler_settings cp_2{false, 30ms};
+        temporary_profiler_settings cp_3{true, 10ms};
+        temporary_profiler_settings cp_4{true, 100ms};
+
+        spin_some_cooperatively(120*10ms);
+
+        auto results = get_profile();
+        BOOST_REQUIRE(close_to_expected(results.size(), 12));
+    }
+
+    spin_some_cooperatively(128*10ms);
+    auto results = get_profile();
+    BOOST_REQUIRE_EQUAL(results.size(), 0);
+}
+
+SEASTAR_THREAD_TEST_CASE(simple_case) {
+    temporary_profiler_settings cp{true, 100ms};
+
+    spin_some_cooperatively(120*10ms);
+
+    auto [results, dropped_samples] = get_profile_and_dropped();
+    BOOST_REQUIRE(close_to_expected(results.size(), 12));
+    BOOST_REQUIRE_EQUAL(dropped_samples, 0);
+}
+
+SEASTAR_THREAD_TEST_CASE(overwrite_case) {
+    // Ensure that older samples are being overridden in
+    // the cases where we can't collect results fast enough.
+    temporary_profiler_settings cp{true, 10ms};
+
+    spin_some_cooperatively(256*10ms);
+
+    auto [results, dropped_samples] = get_profile_and_dropped();
+    // 128 is the maximum number of samples the profiler can
+    // retain.
+    BOOST_REQUIRE_EQUAL(results.size(), 128);
+    BOOST_REQUIRE(dropped_samples > 0);
+}
+
+SEASTAR_THREAD_TEST_CASE(mixed_case) {
+    // Ensure that the profiler and cpu_stall_detector don't effect
+    // the functioning of the other.
+    std::atomic<unsigned> reports{};
+    temporary_stall_detector_settings tsds(10ms, [&] { ++reports; });
+    temporary_profiler_settings cp{true, 100ms};
+
+    unsigned nr = 10;
+    for (unsigned i = 0; i < nr; ++i) {
+        spin_some_cooperatively(100ms);
+        spin(20ms);
+    }
+
+    maybe_exact(reports, 5, "reports");
+    auto results = get_profile();
+    BOOST_REQUIRE(close_to_expected(results.size(), 12));
+}
+
+SEASTAR_THREAD_TEST_CASE(spin_in_kernel) {
+    // Check that we are correctly sampling the kernel stack.
+    temporary_profiler_settings cp{true, 10ms};
+
+    spin_some_cooperatively(100ms, [] { mmap_populate(128 * 1024); });
+
+    auto results = get_profile();
+    int count = 0;
+    for(auto& result : results) {
+        if(result.kernel_backtrace.size() > 0){
+            count++;
+        }
+    }
+
+    // There is no way to ensure every result has a kernel callstack.
+    // And if we're using the posix timer then no callstacks will be
+    // sampled. So we can't have an assertion here.
+    testlog.info("sampled {} kernel callstacks", count);
+
+    BOOST_REQUIRE(results.size() > 0);
+}
+
+SEASTAR_THREAD_TEST_CASE(signal_mutex_basic) {
+    // A very basic test that ensures the signal_mutex
+    // can't be re-locked after it's already been acquired.
+    internal::signal_mutex mutex;
+
+    {
+        auto guard_opt_1 = mutex.try_lock();
+        BOOST_REQUIRE(guard_opt_1.has_value());
+
+        auto guard_opt_2 = mutex.try_lock();
+        BOOST_REQUIRE(!guard_opt_2.has_value());
+    }
+
+    auto guard_opt_3 = mutex.try_lock();
+    BOOST_REQUIRE(guard_opt_3.has_value());
+}
+
+namespace {
+void random_exception_catcher(int p, int a);
+
+[[gnu::noinline]] void
+random_exception_thrower(int a) {
+  static thread_local std::random_device rd;
+  static thread_local std::mt19937 gen(rd());
+  std::uniform_int_distribution<> d(1, 100);
+
+  a -= 1;
+
+  if (a <= 0) {
+    throw std::invalid_argument("noop");
+  }
+
+  random_exception_catcher(d(gen), a);
+}
+
+[[gnu::noinline]] void random_exception_catcher(int p, int a) {
+  static thread_local std::random_device rd;
+  static thread_local std::mt19937 gen(rd());
+  std::uniform_int_distribution<> d(1, 100);
+
+  try {
+    random_exception_thrower(a);
+  } catch (...) {
+    int r = d(gen);
+    if (r > p) {
+      throw;
+    }
+  }
+}
+
+} // namespace
+
+SEASTAR_THREAD_TEST_CASE(exception_handler_case) {
+
+  // disable for now, CORE-9144
+  return;
+  // Ensure that exception unwinding doesn't cause any issues
+  // while profiling.
+  temporary_profiler_settings cp{true, 1us};
+
+  std::random_device rd;
+  std::mt19937 gen(rd());
+  std::uniform_int_distribution<> d(1, 100);
+  for (int a = 0; a < 10000; a++) {
+    random_exception_catcher(100, d(gen));
+  }
+
+  auto [results, dropped_samples] = get_profile_and_dropped();
+  BOOST_REQUIRE_EQUAL(results.size(), 128);
+  BOOST_REQUIRE(dropped_samples > 0);
+}
+
+SEASTAR_THREAD_TEST_CASE(manually_disable) {
+  // Ensure that manually disabling the profile backtracing works
+  seastar::internal::scoped_disable_profile_temporarily profiling_disabled;
+  temporary_profiler_settings cp{true, 10us};
+
+  spin_some_cooperatively(100ms);
+
+  auto [_, dropped_samples] = get_profile_and_dropped();
+  BOOST_REQUIRE(dropped_samples > 0);
+}
+
+SEASTAR_THREAD_TEST_CASE(config_thrashing) {
+
+  // disable for now, CORE-9144
+  return;
+  // Ensure that fast config changes leave the profiler in a valid
+  // state.
+  temporary_profiler_settings cp{true, 1us};
+
+  std::random_device rd;
+  std::mt19937 gen(rd());
+  std::uniform_int_distribution<> d(1, 100);
+
+  for (int a = 0; a < 100; a++) {
+    int r = d(gen);
+    temporary_profiler_settings cp_0{r % 2 == 0, std::chrono::microseconds(r)};
+    spin_some_cooperatively(1us);
+  }
+
+  auto results = get_profile();
+  BOOST_REQUIRE(results.size() > 0);
+}
+
+SEASTAR_THREAD_TEST_CASE(scheduling_group_test) {
+
+    [[maybe_unused]] auto sg_a = create_scheduling_group("sg_a", 200).get();
+    [[maybe_unused]] auto sg_b = create_scheduling_group("sg_b", 200).get();
+
+    auto destoy_groups = defer([&]() noexcept {
+        destroy_scheduling_group(sg_b).get();
+        destroy_scheduling_group(sg_a).get();
+    });
+
+    temporary_profiler_settings cp{true, 100ms};
+
+    auto fut_a = with_scheduling_group(sg_a, [] {
+        return spin_some_cooperatively_coro(2100ms);
+    });
+
+    with_scheduling_group(sg_b, [] {
+        return spin_some_cooperatively_coro(2100ms);
+    }).get();
+
+    std::move(fut_a).get();
+
+    std::vector<cpu_profiler_trace> results;
+    auto dropped_samples = engine().profiler_results(results);
+
+    size_t count_a = 0, count_b = 0, count_main = 0;
+    for (auto& r : results) {
+        if (r.sg == sg_a) {
+            ++count_a;
+        } else if (r.sg == sg_b) {
+            ++count_b;
+        } else if (r.sg == default_scheduling_group()) {
+            // this happens when the profiler triggers during non-task
+            // work, such as in the reactor pollers
+            ++count_main;
+        } else {
+            BOOST_TEST_FAIL("unexpected SG: " << r.sg.name());
+        }
+    }
+
+    // We expect a and b to be a 1:1 ratio, though we accept large
+    // variance since this is random sampling of two "randomly" scheduled
+    // groups so we don't really have the same guarantees we do in the
+    // single group case where we expect sort of +/- 1 due to the way we
+    // calculate the sampling intervals.
+    // Nominally the split is 10/10/0 for a/b/main, but we just look for
+    // at least 1 event in each to avoid flakiness.
+    BOOST_CHECK_GT(count_a + count_b, 10);
+    BOOST_CHECK_GT(count_a, 0);
+    BOOST_CHECK_GT(count_b, 0);
+    BOOST_CHECK_LT(count_main, 10);
+    BOOST_CHECK_LT(dropped_samples, 10);
+}
+
+#endif
diff --git a/tests/unit/metric_family_replication_test.cc b/tests/unit/metric_family_replication_test.cc
new file mode 100644
index 00000000000..2e105c1ae82
--- /dev/null
+++ b/tests/unit/metric_family_replication_test.cc
@@ -0,0 +1,96 @@
+#include <seastar/core/metrics.hh>
+#include <seastar/core/metrics_api.hh>
+#include <seastar/core/metrics_registration.hh>
+#include <seastar/testing/test_case.hh>
+#include <seastar/testing/test_runner.hh>
+#include <seastar/testing/thread_test_case.hh>
+
+namespace sm = seastar::metrics;
+namespace smi = seastar::metrics::impl;
+
+bool metric_family_exists(int handle, const seastar::sstring& name) {
+    return smi::get_value_map(handle).contains(name);
+}
+
+void assert_metric_families_equivalent(int source, int destination,
+                                       const seastar::sstring& name) {
+    const auto& source_value_map = smi::get_value_map(source);
+    const auto& destination_value_map = smi::get_value_map(destination);
+
+    BOOST_REQUIRE(source_value_map.contains(name));
+    BOOST_REQUIRE(destination_value_map.contains(name));
+
+    const auto& source_family = source_value_map.at(name);
+    const auto& destination_family = destination_value_map.at(name);
+    for (const auto& [labels, source_metric]: source_family) {
+        auto replica_iter = destination_family.find(labels.labels());
+        BOOST_REQUIRE(replica_iter != destination_family.end());
+        
+        const auto& replica_metric = replica_iter->second;
+        BOOST_REQUIRE(source_metric->get_id() == replica_metric->get_id());
+
+        auto source_current_value = source_metric->get_function()().i();
+        auto replica_current_value = replica_metric->get_function()().i();
+        BOOST_REQUIRE(source_current_value == replica_current_value);
+    }
+}
+
+SEASTAR_THREAD_TEST_CASE(replicate_metrics_test) {
+    int foo_handle = sm::default_handle();
+    sm::metric_groups foo(foo_handle);
+    foo.add_group("a", {
+        sm::make_gauge(
+            "gauge",
+            [] { return 0; })});
+
+    int bar_handle = sm::default_handle() + 1;
+    int baz_handle = sm::default_handle() + 2;
+    sm::replicate_metric_families(foo_handle, {
+            {"a_gauge", bar_handle},
+            {"a_gauge", baz_handle}
+    }).get();
+
+    assert_metric_families_equivalent(foo_handle, bar_handle, "a_gauge");
+    assert_metric_families_equivalent(foo_handle, baz_handle, "a_gauge");
+}
+
+SEASTAR_THREAD_TEST_CASE(replicate_same_metric_test) {
+    int foo_handle = sm::default_handle();
+
+    sm::metric_groups foo(foo_handle);
+    foo.add_group("a", {
+        sm::make_gauge(
+            "x",
+            [] { return 0; },
+            sm::description("a_x_description"),
+            {sm::label("id")("1")}),
+        sm::make_gauge(
+            "x",
+            [] { return 0; },
+            sm::description("a_x_description"),
+            {sm::label("id")("2")}),
+        sm::make_gauge(
+            "y",
+            [] { return 0; },
+            sm::description("a_y_description"),
+            {sm::label("id")("1")}),
+    });
+
+    int bar_handle = sm::default_handle() + 1;
+    sm::metric_groups bar(bar_handle);
+
+    // Test that subsequent attempts to replicate the same metric
+    // family are ignored.
+    sm::replicate_metric_families(foo_handle, {{"a_x", bar_handle}}).get();
+    assert_metric_families_equivalent(foo_handle, bar_handle, "a_x");
+    sm::replicate_metric_families(foo_handle, {{"a_x", bar_handle}}).get();
+    assert_metric_families_equivalent(foo_handle, bar_handle, "a_x");
+
+
+    // Ensure that when the set of replicated metric families is changed
+    // the replicas that are not in the new set are removed.
+    sm::replicate_metric_families(foo_handle, {{"a_y", bar_handle}}).get();
+    assert_metric_families_equivalent(foo_handle, bar_handle, "a_y");
+
+    BOOST_REQUIRE(metric_family_exists(bar_handle, "a_y"));
+}
diff --git a/tests/unit/stall_detector_test.cc b/tests/unit/stall_detector_test.cc
index f28a41ca3cb..8ba07f1c924 100644
--- a/tests/unit/stall_detector_test.cc
+++ b/tests/unit/stall_detector_test.cc
@@ -35,59 +35,7 @@
 #include <sys/mman.h>
 
 #ifndef SEASTAR_DEBUG
-
-using namespace seastar;
-using namespace std::chrono_literals;
-
-static seastar::logger testlog("testlog");
-
-class temporary_stall_detector_settings {
-    std::chrono::milliseconds _old_threshold;
-    std::function<void ()> _old_report;
-public:
-    /**
-     * Temporarily (until destructor) overload the stall detector threshold and reporting function.
-     *
-     * Also resets the reported stalls counter to zero, so the next backtraces will not be supressed.
-     */
-    temporary_stall_detector_settings(std::chrono::duration<double> threshold, std::function<void ()> report = {})
-            : _old_threshold(engine().get_blocked_reactor_notify_ms())
-            , _old_report(reactor::test::get_stall_detector_report_function()) {
-        engine().update_blocked_reactor_notify_ms(std::chrono::duration_cast<std::chrono::milliseconds>(threshold));
-        reactor::test::set_stall_detector_report_function(std::move(report));
-    }
-
-    ~temporary_stall_detector_settings() {
-        engine().update_blocked_reactor_notify_ms(_old_threshold);
-        reactor::test::set_stall_detector_report_function(std::move(_old_report));
-    }
-};
-
-using void_fn = std::function<void()>;
-
-void spin(std::chrono::duration<double> how_much, void_fn body = []{}) {
-    auto end = internal::cpu_stall_detector::clock_type::now() + how_much;
-    while (internal::cpu_stall_detector::clock_type::now() < end) {
-        body(); // spin!
-    }
-}
-
-static void spin_user_hires(std::chrono::duration<double> how_much) {
-    auto end = std::chrono::high_resolution_clock::now() + how_much;
-    while (std::chrono::high_resolution_clock::now() < end) {
-
-    }
-}
-
-void spin_some_cooperatively(std::chrono::duration<double> how_much, void_fn body = []{}) {
-    auto end = std::chrono::steady_clock::now() + how_much;
-    while (std::chrono::steady_clock::now() < end) {
-        spin(200us, body);
-        if (need_preempt()) {
-            thread::yield();
-        }
-    }
-}
+#include "stall_detector_test_utilities.hh"
 
 SEASTAR_THREAD_TEST_CASE(normal_case) {
     std::atomic<unsigned> reports{};
@@ -131,46 +79,11 @@ SEASTAR_THREAD_TEST_CASE(no_poll_no_stall) {
     BOOST_REQUIRE_EQUAL(reports, 0);
 }
 
-// Triggers stalls by spinning with a specify "body" function
-// which takes most of the spin time.
-static void test_spin_with_body(const char* what, void_fn body) {
-    // The !count_stacks mode outputs stall notification to stderr as usual
-    // and do not assert anything, but are intended for diagnosing
-    // stall problems by inspecting the output. We expect the userspace
-    // spin test to show no kernel callstack, and the kernel test to
-    // show kernel backtraces in the mmap or munmap path, but this is
-    // not exact since neither test spends 100% of its time in the
-    // selected mode (of course, kernel stacks only appear if the
-    // perf-based stall detected could be enabled).
-    //
-    // Then the count_stacks mode tests that the right number of stacks
-    // were output.
-    for (auto count_stacks : {false, true}) {
-        testlog.info("Starting spin test: {}", what);
-        std::atomic<unsigned> reports{};
-        std::function<void()> reporter = count_stacks ? std::function<void()>{[&]{ ++reports; }} : nullptr;
-        temporary_stall_detector_settings tsds(10ms, std::move(reporter));
-        constexpr unsigned nr = 5;
-        for (unsigned i = 0; i < nr; ++i) {
-            spin_some_cooperatively(100ms, body);
-            spin(20ms, body);
-        }
-        testlog.info("Ending spin test: {}", what);
-        BOOST_CHECK_EQUAL(reports, count_stacks ? 5 : 0);
-    }
-}
-
 SEASTAR_THREAD_TEST_CASE(spin_in_userspace) {
     // a body which spends almost all of its time in userspace
     test_spin_with_body("userspace", [] { spin_user_hires(1ms); });
 }
 
-static void mmap_populate(size_t len) {
-    void *p = mmap(nullptr, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_POPULATE, 0, 0);
-    BOOST_REQUIRE(p != MAP_FAILED);
-    BOOST_REQUIRE(munmap(p, len) == 0);
-}
-
 SEASTAR_THREAD_TEST_CASE(spin_in_kernel) {
     // a body which spends almost all of its time in the kernel
     // doing 128K mmaps
diff --git a/tests/unit/stall_detector_test_utilities.hh b/tests/unit/stall_detector_test_utilities.hh
new file mode 100644
index 00000000000..48fa5055f4a
--- /dev/null
+++ b/tests/unit/stall_detector_test_utilities.hh
@@ -0,0 +1,140 @@
+/*
+ * This file is open source software, licensed to you under the terms
+ * of the Apache License, Version 2.0 (the "License").  See the NOTICE file
+ * distributed with this work for additional information regarding copyright
+ * ownership.  You may not use this file except in compliance with the License.
+ *
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+/*
+ * Copyright (C) 2023 ScyllaDB Ltd.
+ */
+
+#pragma once
+
+#include <cstddef>
+#include <seastar/core/internal/stall_detector.hh>
+#include <seastar/core/reactor.hh>
+#include "seastar/core/scheduling.hh"
+#include "seastar/core/thread.hh"
+#include "seastar/coroutine/maybe_yield.hh"
+#include <seastar/core/thread_cputime_clock.hh>
+#include <seastar/core/loop.hh>
+#include <seastar/util/later.hh>
+#include <atomic>
+#include <chrono>
+#include <sys/mman.h>
+#include <boost/test/tools/old/interface.hpp>
+
+namespace {
+
+using namespace seastar;
+using namespace std::chrono_literals;
+
+static seastar::logger testlog("testlog");
+
+class temporary_stall_detector_settings {
+    std::chrono::milliseconds _old_threshold;
+    std::function<void ()> _old_report;
+public:
+    /**
+     * Temporarily (until destructor) overload the stall detector threshold and reporting function.
+     *
+     * Also resets the reported stalls counter to zero, so the next backtraces will not be supressed.
+     */
+    temporary_stall_detector_settings(std::chrono::duration<double> threshold, std::function<void ()> report = {})
+            : _old_threshold(engine().get_blocked_reactor_notify_ms())
+            , _old_report(reactor::test::get_stall_detector_report_function()) {
+        engine().update_blocked_reactor_notify_ms(std::chrono::duration_cast<std::chrono::milliseconds>(threshold));
+        reactor::test::set_stall_detector_report_function(std::move(report));
+    }
+
+    ~temporary_stall_detector_settings() {
+        engine().update_blocked_reactor_notify_ms(_old_threshold);
+        reactor::test::set_stall_detector_report_function(std::move(_old_report));
+    }
+};
+
+using void_fn = std::function<void()>;
+
+void spin(std::chrono::duration<double> how_much, void_fn body = []{}) {
+    auto end = internal::cpu_stall_detector::clock_type::now() + how_much;
+    while (internal::cpu_stall_detector::clock_type::now() < end) {
+        body(); // spin!
+    }
+}
+
+// Function unused in debug mode
+[[maybe_unused]] void spin_user_hires(std::chrono::duration<double> how_much) {
+    auto end = std::chrono::high_resolution_clock::now() + how_much;
+    while (std::chrono::high_resolution_clock::now() < end) {
+
+    }
+}
+
+void spin_some_cooperatively(std::chrono::duration<double> how_much, void_fn body = []{}) {
+    auto end = std::chrono::steady_clock::now() + how_much;
+    while (std::chrono::steady_clock::now() < end) {
+        spin(200us, body);
+        if (need_preempt()) {
+            thread::yield();
+        }
+    }
+}
+
+[[maybe_unused]]
+future<> spin_some_cooperatively_coro(std::chrono::duration<double> how_much, void_fn body = []{}) {
+    auto end = std::chrono::steady_clock::now() + how_much;
+    while (std::chrono::steady_clock::now() < end) {
+        // fmt::print("GC: {}\n", current_scheduling_group().name());
+        spin(200us, body);
+        co_await coroutine::maybe_yield();
+    }
+}
+
+
+// Triggers stalls by spinning with a specify "body" function
+// which takes most of the spin time.
+inline void test_spin_with_body(const char* what, void_fn body) {
+    // The !count_stacks mode outputs stall notification to stderr as usual
+    // and do not assert anything, but are intended for diagnosing
+    // stall problems by inspecting the output. We expect the userspace
+    // spin test to show no kernel callstack, and the kernel test to
+    // show kernel backtraces in the mmap or munmap path, but this is
+    // not exact since neither test spends 100% of its time in the
+    // selected mode (of course, kernel stacks only appear if the
+    // perf-based stall detected could be enabled).
+    //
+    // Then the count_stacks mode tests that the right number of stacks
+    // were output.
+    for (auto count_stacks : {false, true}) {
+        testlog.info("Starting spin test: {}", what);
+        std::atomic<unsigned> reports{};
+        std::function<void()> reporter = count_stacks ? std::function<void()>{[&]{ ++reports; }} : nullptr;
+        temporary_stall_detector_settings tsds(10ms, std::move(reporter));
+        constexpr unsigned nr = 5;
+        for (unsigned i = 0; i < nr; ++i) {
+            spin_some_cooperatively(100ms, body);
+            spin(20ms, body);
+        }
+        testlog.info("Ending spin test: {}", what);
+        BOOST_CHECK_EQUAL(reports, count_stacks ? 5 : 0);
+    }
+}
+
+inline void mmap_populate(size_t len) {
+    void *p = mmap(nullptr, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_POPULATE, 0, 0);
+    BOOST_REQUIRE(p != MAP_FAILED);
+    BOOST_REQUIRE(munmap(p, len) == 0);
+}
+
+} // namespace
diff --git a/tests/unit/tls_test.cc b/tests/unit/tls_test.cc
index 911def2ca6d..6082e062e9d 100644
--- a/tests/unit/tls_test.cc
+++ b/tests/unit/tls_test.cc
@@ -48,7 +48,9 @@
 #include "loopback_socket.hh"
 #include "tmpdir.hh"
 
+#ifdef SEASTAR_USE_GNUTLS
 #include <gnutls/gnutls.h>
+#endif
 
 #if 0
 
@@ -170,6 +172,16 @@ SEASTAR_TEST_CASE(test_x509_client_with_builder_system_trust_multiple,
 
 SEASTAR_TEST_CASE(test_x509_client_with_system_trust_and_priority_strings,
                   *enable_if_with_networking()) {
+#ifdef SEASTAR_USE_OPENSSL
+    static std::vector<sstring> prios( {
+        "PSK-CHACHA20-POLY1305",
+        "DHE-PSK-AES128-GCM-SHA256",
+        "ECDHE-RSA-AES128-GCM-SHA256",
+        "RSA-PSK-AES128-CBC-SHA",
+        "ECDHE-ECDSA-AES256-GCM-SHA384",
+        "AES128-GCM-SHA256"
+    });
+#elif defined(SEASTAR_USE_GNUTLS)
     static std::vector<sstring> prios( {
         "NORMAL:+ARCFOUR-128", // means normal ciphers plus ARCFOUR-128.
         "SECURE128:-VERS-SSL3.0:+COMP-DEFLATE", // means that only secure ciphers are enabled, SSL3.0 is disabled, and libz compression enabled.
@@ -181,23 +193,49 @@ SEASTAR_TEST_CASE(test_x509_client_with_system_trust_and_priority_strings,
         "SECURE128:-VERS-TLS1.0:+COMP-DEFLATE",
         "SECURE128:+SECURE192:-VERS-TLS-ALL:+VERS-TLS1.2"
     });
+#else
+#error "Unknown cryptographic provider"
+#endif
     return do_for_each(prios, [](const sstring & prio) {
         tls::credentials_builder b;
         (void)b.set_system_trust();
+#ifdef SEASTAR_USE_OPENSSL
+        b.set_cipher_string(prio);
+#elif defined(SEASTAR_USE_GNUTLS)
         b.set_priority_string(prio);
+#else
+#error "Unknown cryptographic provider"
+#endif
         return connect_to_ssl_google(b.build_certificate_credentials());
     });
 }
 
 SEASTAR_TEST_CASE(test_x509_client_with_system_trust_and_priority_strings_fail,
                   *enable_if_with_networking()) {
+#ifdef SEASTAR_USE_OPENSSL
+    static std::vector<sstring> prios( {
+        "RSA-MD5-AES256-CBC-SHA"
+    });
+#elif defined(SEASTAR_USE_GNUTLS)
     static std::vector<sstring> prios( { "NONE",
         "NONE:+CURVE-SECP256R1"
     });
+#else
+#error "Unknown cryptographic provider"
+#endif
     return do_for_each(prios, [](const sstring & prio) {
         tls::credentials_builder b;
         (void)b.set_system_trust();
+
+#ifdef SEASTAR_USE_OPENSSL
+        b.set_cipher_string(prio);
+        b.set_minimum_tls_version(tls::tls_version::tlsv1_0);
+        b.set_maximum_tls_version(tls::tls_version::tlsv1_1);
+#elif defined(SEASTAR_USE_GNUTLS)
         b.set_priority_string(prio);
+#else
+#error "Unknown cryptographic provider"
+#endif
         try {
             return connect_to_ssl_google(b.build_certificate_credentials()).then([] {
                 BOOST_FAIL("Expected exception");
@@ -357,6 +395,16 @@ SEASTAR_THREAD_TEST_CASE(test_x509_client_with_builder_multiple) {
 }
 
 SEASTAR_THREAD_TEST_CASE(test_x509_client_with_priority_strings) {
+#ifdef SEASTAR_USE_OPENSSL
+    static std::vector<sstring> prios( {
+        "PSK-CHACHA20-POLY1305",
+        "DHE-PSK-AES128-GCM-SHA256",
+        "ECDHE-RSA-AES128-GCM-SHA256",
+        "RSA-PSK-AES128-CBC-SHA",
+        "ECDHE-ECDSA-AES256-GCM-SHA384",
+        "AES128-GCM-SHA256"
+    });
+#elif defined(SEASTAR_USE_GNUTLS)
     static std::vector<sstring> prios( {
         "NORMAL:+ARCFOUR-128", // means normal ciphers plus ARCFOUR-128.
         "SECURE128:-VERS-SSL3.0:+COMP-DEFLATE", // means that only secure ciphers are enabled, SSL3.0 is disabled, and libz compression enabled.
@@ -368,26 +416,126 @@ SEASTAR_THREAD_TEST_CASE(test_x509_client_with_priority_strings) {
         "SECURE128:-VERS-TLS1.0:+COMP-DEFLATE",
         "SECURE128:+SECURE192:-VERS-TLS-ALL:+VERS-TLS1.2"
     });
+#else
+#error "Unknown cryptographic provider"
+#endif
     tls::credentials_builder b;
     https_server server;
     b.set_x509_trust_file(server.cert(), tls::x509_crt_format::PEM).get();
     auto addr = server.addr();
     do_for_each(prios, [&b, addr](const sstring& prio) {
+#ifdef SEASTAR_USE_OPENSSL
+        b.set_cipher_string(prio);
+#elif defined(SEASTAR_USE_GNUTLS)
         b.set_priority_string(prio);
+#else
+#error "Unknown cryptographic provider"
+#endif
         return connect_to_ssl_addr(b.build_certificate_credentials(), addr);
     }).get();
 }
 
 SEASTAR_THREAD_TEST_CASE(test_x509_client_with_priority_strings_fail) {
+#ifdef SEASTAR_USE_OPENSSL
+    static std::vector<sstring> prios( {
+        "RSA-MD5-AES256-CBC-SHA"
+    });
+#elif defined(SEASTAR_USE_GNUTLS)
     static std::vector<sstring> prios( { "NONE",
         "NONE:+CURVE-SECP256R1"
     });
+#else
+#error "Unknown cryptographic provider"
+#endif
+    tls::credentials_builder b;
+    https_server server;
+    b.set_x509_trust_file(server.cert(), tls::x509_crt_format::PEM).get();
+    auto addr = server.addr();
+    do_for_each(prios, [&b, addr](const sstring& prio) {
+#ifdef SEASTAR_USE_OPENSSL
+        b.set_cipher_string(prio);
+        b.set_minimum_tls_version(tls::tls_version::tlsv1_0);
+        b.set_maximum_tls_version(tls::tls_version::tlsv1_1);
+#elif defined(SEASTAR_USE_GNUTLS)
+        b.set_priority_string(prio);
+#else
+#error "Unknown cryptographic provider"
+#endif
+        try {
+            return connect_to_ssl_addr(b.build_certificate_credentials(), addr).then([] {
+                BOOST_FAIL("Expected exception");
+            }).handle_exception([](auto ep) {
+                // ok.
+            });
+        } catch (...) {
+            // also ok
+        }
+        return make_ready_future<>();
+    }).get();
+}
+
+SEASTAR_THREAD_TEST_CASE(test_x509_client_tls13) {
+#ifdef SEASTAR_USE_OPENSSL
+    static std::vector<sstring> prios({
+        "TLS_AES_128_GCM_SHA256",
+        "TLS_AES_256_GCM_SHA384",
+        "TLS_CHACHA20_POLY1305_SHA256",
+    });
+#elif defined(SEASTAR_USE_GNUTLS)
+    static std::vector<sstring> prios({
+        "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM",
+        "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM",
+        "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+CHACHA20-POLY1305"
+    });
+#else
+#error "Unknown cryptographic provider"
+#endif
+    tls::credentials_builder b;
+    https_server server;
+    b.set_x509_trust_file(server.cert(), tls::x509_crt_format::PEM).get();
+    auto addr = server.addr();
+    do_for_each(prios, [&b, addr](const sstring& prio) {
+        BOOST_TEST_CHECKPOINT("Checking priority string " << prio);
+#ifdef SEASTAR_USE_OPENSSL
+        b.set_ciphersuites(prio);
+        b.set_minimum_tls_version(tls::tls_version::tlsv1_3);
+        b.set_maximum_tls_version(tls::tls_version::tlsv1_3);
+#elif defined(SEASTAR_USE_GNUTLS)
+        b.set_priority_string(prio);
+#else
+#error "Unknown cryptographic provider"
+#endif
+        return connect_to_ssl_addr(b.build_certificate_credentials(), addr);
+    }).get();
+}
+
+SEASTAR_THREAD_TEST_CASE(test_x509_client_tls13_fail) {
+#ifdef SEASTAR_USE_OPENSSL
+    static std::vector<sstring> prios({
+        "TLS_AES_128_CCM_8_SHA256"
+    });
+#elif defined(SEASTAR_USE_GNUTLS)
+    static std::vector<sstring> prios({
+        "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-CCM-8"
+    });
+#else
+#error "Unknown cryptographic provider"
+#endif
     tls::credentials_builder b;
     https_server server;
     b.set_x509_trust_file(server.cert(), tls::x509_crt_format::PEM).get();
     auto addr = server.addr();
     do_for_each(prios, [&b, addr](const sstring& prio) {
+        BOOST_TEST_CHECKPOINT("Checking priority string " << prio);
+#ifdef SEASTAR_USE_OPENSSL
+        b.set_ciphersuites(prio);
+        b.set_minimum_tls_version(tls::tls_version::tlsv1_3);
+        b.set_maximum_tls_version(tls::tls_version::tlsv1_3);
+#elif defined(SEASTAR_USE_GNUTLS)
         b.set_priority_string(prio);
+#else
+#error "Unknown cryptographic provider"
+#endif
         try {
             return connect_to_ssl_addr(b.build_certificate_credentials(), addr).then([] {
                 BOOST_FAIL("Expected exception");
@@ -712,7 +860,7 @@ SEASTAR_TEST_CASE(test_simple_x509_client_server_again) {
     return run_echo_test(message, 20, certfile("catest.pem"), "test.scylladb.org");
 }
 
-#if GNUTLS_VERSION_NUMBER >= 0x030600
+#if GNUTLS_VERSION_NUMBER >= 0x030600 || SEASTAR_USE_OPENSSL
 // Test #769 - do not set dh_params in server certs - let gnutls negotiate.
 SEASTAR_TEST_CASE(test_simple_server_default_dhparams) {
     return run_echo_test(message, 20, certfile("catest.pem"), "test.scylladb.org",
@@ -978,8 +1126,12 @@ SEASTAR_THREAD_TEST_CASE(test_reload_certificates) {
             }
 
             try {
-                f2.get();
-                BOOST_FAIL("should not reach");
+                auto res = f2.get();
+                // If the server completes sending data to the client
+                // during the handshake before the client has fully
+                // closed its connection, then the get() call will
+                // succeed by return an empty buffer indicating EOF
+                BOOST_REQUIRE(res.size() == 0);
             } catch (...) {
                 // ok
             }
@@ -1022,6 +1174,71 @@ SEASTAR_THREAD_TEST_CASE(test_reload_certificates) {
     }
 }
 
+SEASTAR_THREAD_TEST_CASE(test_reload_certificates_with_creds) {
+    tmpdir tmp;
+
+    namespace fs = std::filesystem;
+
+    // copy the wrong certs. We don't trust these
+    // blocking calls, but this is a test and seastar does not have a copy
+    // util and I am lazy...
+    fs::copy_file(certfile("other.crt"), tmp.path() / "test.crt");
+    fs::copy_file(certfile("other.key"), tmp.path() / "test.key");
+
+    auto cert = (tmp.path() / "test.crt").native();
+    auto key = (tmp.path() / "test.key").native();
+    std::unordered_set<sstring> changed;
+    promise<> p;
+
+    tls::credentials_builder b;
+    b.set_x509_key_file(cert, key, tls::x509_crt_format::PEM).get();
+    b.set_dh_level();
+
+    auto certs = b.build_reloadable_server_credentials([&](const std::unordered_set<sstring> &files,
+                                                           const tls::certificate_credentials &creds,
+                                                           std::exception_ptr ep,
+                                                           std::optional<tls::blob> trust_file_contents) {
+        if (ep) {
+            return;
+        }
+
+        changed.insert(files.begin(), files.end());
+        if (changed.count(cert) && changed.count(key)) {
+            p.set_value();
+        }
+
+        auto certs_info = creds.get_cert_info();
+        auto trust_list_info = creds.get_trust_list_info();
+
+        BOOST_CHECK(certs_info.has_value() && !certs_info.value().empty());
+        BOOST_CHECK(trust_list_info.has_value() && trust_list_info.value().empty());
+        BOOST_CHECK(!trust_file_contents.has_value());
+
+    }).get();
+
+    BOOST_CHECK(certs != nullptr);
+
+    auto certs_info = certs->get_cert_info();
+    auto trust_list_info = certs->get_trust_list_info();
+
+    BOOST_CHECK(certs_info.has_value() && !certs_info.value().empty());
+    BOOST_CHECK(trust_list_info.has_value());
+    BOOST_CHECK(!b.get_trust_file_blob().has_value());
+
+    // copy the right (trusted) certs over the old ones.
+    fs::copy_file(certfile("test.crt"), tmp.path() / "test0.crt");
+    fs::copy_file(certfile("test.key"), tmp.path() / "test0.key");
+
+    rename_file((tmp.path() / "test0.crt").native(), (tmp.path() / "test.crt").native()).get();
+    rename_file((tmp.path() / "test0.key").native(), (tmp.path() / "test.key").native()).get();
+
+    p.get_future().get();
+
+    // confirm that we did indeed reload some credentials
+    BOOST_CHECK(!changed.empty());
+
+}
+
 SEASTAR_THREAD_TEST_CASE(test_reload_broken_certificates) {
     tmpdir tmp;
 
@@ -1406,6 +1623,17 @@ SEASTAR_THREAD_TEST_CASE(test_dn_name_handling) {
         fout.get();
 
         auto dn = fdn.get();
+        BOOST_REQUIRE(dn.has_value());
+        BOOST_REQUIRE_EQUAL(dn->subject, fmt::format("C=GB,ST=London,L=London,O=Redpanda Data,OU=Core,CN={}", id));
+        BOOST_REQUIRE_EQUAL(dn->issuer, "C=GB,ST=London,L=London,O=Redpanda Data,OU=Core,CN=redpanda.com");
+
+#ifdef SEASTAR_USE_OPENSSL
+        dn = tls::get_dn_information(s.connection, tls::dn_format::rfc2253).get();
+        BOOST_REQUIRE(dn.has_value());
+        BOOST_REQUIRE_EQUAL(dn->subject, fmt::format("CN={},OU=Core,O=Redpanda Data,L=London,ST=London,C=GB", id));
+        BOOST_REQUIRE_EQUAL(dn->issuer, "CN=redpanda.com,OU=Core,O=Redpanda Data,L=London,ST=London,C=GB");
+#endif
+
         auto client_id = fin.get();
 
         in.close().get();
@@ -1547,8 +1775,11 @@ SEASTAR_THREAD_TEST_CASE(test_peer_certificate_chain_handling) {
 
         auto ders = {read_file(certfile("test.crt.der"))};
 
-        BOOST_REQUIRE(std::ranges::equal(scrts, ders));
-        BOOST_REQUIRE(std::ranges::equal(ccrts, ders));
+        // We need to take the first certificate from the chain as there is a 
+        // difference between the OpensSSL and GnuTLS, OpenSSL cert chain always 
+        // contains the server certifacate.
+        BOOST_REQUIRE(std::ranges::equal(std::views::take(ccrts,1), ders));
+        BOOST_REQUIRE(std::ranges::equal(std::views::take(scrts,1), ders));
     }
 }
 
@@ -1614,7 +1845,11 @@ static void do_test_tls13_session_tickets(bool reset_server) {
     b.set_x509_key_file(certfile("test.crt"), certfile("test.key"), tls::x509_crt_format::PEM).get();
     b.set_x509_trust_file(certfile("catest.pem"), tls::x509_crt_format::PEM).get();
     b.set_session_resume_mode(tls::session_resume_mode::TLS13_SESSION_TICKET);
+#ifdef SEASTAR_USE_OPENSSL
+    b.set_minimum_tls_version(tls::tls_version::tlsv1_3);
+#else
     b.set_priority_string("SECURE128:+SECURE192:-VERS-TLS-ALL:+VERS-TLS1.3");
+#endif
 
     auto creds = b.build_certificate_credentials();
     auto serv = b.build_server_credentials();
@@ -1747,7 +1982,13 @@ SEASTAR_THREAD_TEST_CASE(test_tls13_session_tickets_invalidated_by_reload) {
     b.set_x509_key_file(cert, key, tls::x509_crt_format::PEM).get();
     b.set_x509_trust_file(certfile("catest.pem"), tls::x509_crt_format::PEM).get();
     b.set_session_resume_mode(tls::session_resume_mode::TLS13_SESSION_TICKET);
+#ifdef SEASTAR_USE_OPENSSL
+    b.set_minimum_tls_version(tls::tls_version::tlsv1_3);
+#elif defined(SEASTAR_USE_GNUTLS)
     b.set_priority_string("SECURE128:+SECURE192:-VERS-TLS-ALL:+VERS-TLS1.3");
+#else
+#error "Unknowing cryptographic provider"
+#endif
 
     auto creds = b.build_certificate_credentials();
     auto serv = b.build_reloadable_server_credentials([&p](const std::unordered_set<sstring>&, std::exception_ptr) {
@@ -1931,8 +2172,12 @@ SEASTAR_THREAD_TEST_CASE(test_reload_certificates_with_only_shard0_notify) {
             }
 
             try {
-                f2.get();
-                BOOST_FAIL("should not reach");
+                auto res = f2.get();
+                // If the server completes sending data to the client
+                // during the handshake before the client has fully
+                // closed its connection, then the get() call will
+                // succeed by return an empty buffer indicating EOF
+                BOOST_REQUIRE(res.size() == 0);
             } catch (...) {
                 // ok
             }