diff --git a/gnutls/PKGBUILD b/gnutls/PKGBUILD index 880f781166..aa1264fc34 100644 --- a/gnutls/PKGBUILD +++ b/gnutls/PKGBUILD @@ -4,7 +4,7 @@ pkgname=gnutls pkgver=3.8.1 -pkgrel=1 +pkgrel=2 pkgdesc="A library which provides a secure layer over a reliable transport layer" arch=(x86_64 powerpc64le powerpc64 powerpc riscv64) license=('GPL3' 'LGPL2.1') @@ -15,9 +15,13 @@ depends=('glibc' 'gcc-libs' 'gmp' 'libtasn1' 'readline' 'zlib' 'nettle' makedepends=('tpm2-tss') checkdepends=('net-tools' 'tpm2-tools') optdepends=('tpm2-tss: support for TPM2 wrapped keys') -source=(https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/${pkgname}-${pkgver}.tar.xz{,.sig}) +backup=(etc/gnutls/config + etc/modules-load.d/gnutls.conf) +source=(https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/${pkgname}-${pkgver}.tar.xz{,.sig} + config) sha256sums=('ba8b9e15ae20aba88f44661978f5b5863494316fe7e722ede9d069fe6294829c' - 'SKIP') + 'SKIP' + '22e614510fe52defe8c233ce3e5ead2205739fd967657ce3176ca121f3c562b5') validpgpkeys=('462225C3B46F34879FC8496CD605848ED7E69871') # "Daiki Ueno " #validpgpkeys=('5D46CB0F763405A7053556F47A75A648B3F9220C') # "Zoltan Fridrich " @@ -30,8 +34,8 @@ build() { --with-zstd \ --with-tpm2 \ --enable-openssl-compatibility \ - --with-default-trust-store-pkcs11="pkcs11:" -# --enable-ktls \ # breaks testsuite + --with-default-trust-store-pkcs11="pkcs11:" \ + --enable-ktls sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool make } 
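Review bot: `backup=(etc/gnutls/config ...)` only protects a file once the package owns it, so a host that already has a hand-written /etc/gnutls/config (the path GnuTLS reads for system-wide settings) would, as far as I can tell, hit a file conflict on this upgrade. Forcing the overwrite would replace any local settings with the shipped `ktls = false` file. I would record that next to the array, e.g. `# /etc/gnutls/config may already exist untracked; merge local settings before upgrading`, or announce it from an install scriptlet. The new `config` source is pinned by its sha256 and the tarball is still covered by the `.sig` plus `validpgpkeys`, which looks right.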
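Review bot: The line this hunk removes said `--enable-ktls` "breaks testsuite", and the new code drops that remark without saying why it no longer holds. check() is outside the hunk, so whether the tests still run and pass with kTLS compiled in cannot be confirmed from here. Because the option now ends a backslash-continued configure call that starts outside this hunk, I would put a comment above that call, such as `# kTLS is compiled in but switched off at runtime by /etc/gnutls/config (ktls = false)`. If the testsuite does still fail with this flag, that should be stated in the PKGBUILD rather than silently dropped.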
@@ -48,6 +52,14 @@ package() { cd ${pkgname}-${pkgver} make DESTDIR="${pkgdir}" install + # prepare to load tls module required for ktls + install -dm755 "$pkgdir"/etc/modules-load.d + echo "#tls" > "$pkgdir"/etc/modules-load.d/gnutls.conf + + # disable ktls by default for now + install -dm755 "$pkgdir"/etc/gnutls + install -Dm644 "${srcdir}"/config "$pkgdir"/etc/gnutls/config + # lots of .png files are put into infodir and are gzipped by makepkg! this needs to be fixed by using !zipman # gzip -9 all files in infodir and manpages manually find "$pkgdir/usr/share/info" -name '*.info*' -exec gzip -n -9 {} \; diff --git a/gnutls/config b/gnutls/config new file mode 100644 index 0000000000..69c29a3bea --- /dev/null +++ b/gnutls/config @@ -0,0 +1,9 @@ +# https://gnutls.org/manual/html_node/Enabling_002fDisabling-system_002facceleration-protocols.html#Enabling-KTLS +# +# GnuTLS is built with -–enable-ktls configuration, KTLS is disabled by default. +# This can be enabled by setting ktls = true in [global] section. +# + +[global] +ktls = false +#ktls = true
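Review bot: The comment `# prepare to load tls module required for ktls` overstates what the next two lines do: the file written contains only `#tls`, so nothing is loaded until an administrator uncomments it. Something like `# ship a commented-out "tls" entry; uncomment it to load the kernel TLS module at boot` would match the behaviour. Separately, `install -dm755 "$pkgdir"/etc/gnutls` is redundant because the following `install -Dm644` already creates missing parent directories. The new lines also mix `"$pkgdir"` with the `"${pkgdir}"` form used just above. package() continues outside the hunk.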
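Review bot: The header comment in gnutls/config writes the configure flag as `-–enable-ktls` (a hyphen followed by an en dash), which does not match the real `--enable-ktls` option if someone copies or searches for it. The comment also mentions only `ktls = true`, while the package ships /etc/modules-load.d/gnutls.conf with the `tls` entry commented out. I would add a line such as `# The tls kernel module must also be loaded, see /etc/modules-load.d/gnutls.conf`. Without that hint an administrator may flip the setting and assume kernel offload is active; how GnuTLS behaves when the module is absent is not visible from this page.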