Instrumenting Rust TLS with eBPF

via Dev.to DevOps (Coroot)

eBPF collects telemetry directly from applications and infrastructure. One of the things it does is capture L7 traffic from TLS connections without any code changes, by hooking into TLS libraries and syscalls. Works great for OpenSSL. Works for Go. Then rustls enters the picture and everything stops being obvious.

With OpenSSL, everything is nicely wrapped:

    SSL_write(ssl, plaintext)
    └─ write(fd, encrypted)

    SSL_read(ssl, plaintext)
    └─ read(fd, encrypted)

From eBPF's point of view this is perfect:

    - hook SSL_write and stash the plaintext
    - write() fires immediately, on the same thread, so you know the FD
    - same idea for reads

Everything happens inside one call. Correlation is trivial.

Rustls does things differently

Rustls doesn't own the socket and never calls read or write itself. It works on buffers, and the application (or runtime) is responsible for actually moving bytes over the network. The API reflects that separation pretty clearly:

    // application writes plaintext into rustls
    writer.write(plaintex
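The per-thread stash-and-match correlation described above, modelled in user space as an added example (this is not code from the Coroot article or its eBPF probes). The event stream is constructed: the OpenSSL sequence has every SSL_write immediately followed by write() on the same thread; the rustls sequence assumes the application pushes two records into rustls' buffer before the runtime flushes them with a single write(), and that an async runtime may issue a later write() from a different worker thread. Both rustls behaviours are assumptions made for the example, not claims from the page.

```rust
use std::collections::HashMap;

/// Events a TLS probe would see, in hook order. Constructed for this
/// example; tids, fds and payloads are not from a real trace.
#[derive(Debug, Clone, PartialEq)]
pub enum Event {
    /// uprobe on the library's plaintext write entry (SSL_write for OpenSSL).
    TlsWrite { tid: u32, plaintext: Vec<u8> },
    /// tracepoint sys_enter_write: bytes are ciphertext now, but the fd is known.
    SysWrite { tid: u32, fd: i32 },
}

#[derive(Debug, Clone, PartialEq)]
pub struct Correlated {
    pub tid: u32,
    pub fd: i32,
    pub plaintext: Vec<u8>,
}

/// One slot per thread: the user-space shape of a BPF hash map keyed by tid.
#[derive(Default)]
pub struct Correlator {
    pending: HashMap<u32, Vec<u8>>,
    /// Stashed plaintext overwritten by a second TlsWrite before any write().
    pub overwritten: usize,
}

impl Correlator {
    pub fn feed(&mut self, ev: Event) -> Option<Correlated> {
        match ev {
            Event::TlsWrite { tid, plaintext } => {
                if self.pending.insert(tid, plaintext).is_some() {
                    self.overwritten += 1;
                }
                None
            }
            // Consume the stash for this thread and attach the fd to it.
            Event::SysWrite { tid, fd } => self
                .pending
                .remove(&tid)
                .map(|plaintext| Correlated { tid, fd, plaintext }),
        }
    }

    /// Stashes never matched to a write(): entries left behind in the map.
    pub fn leaked(&self) -> usize {
        self.pending.len()
    }
}

pub fn run(events: Vec<Event>) -> (Vec<Correlated>, Correlator) {
    let mut c = Correlator::default();
    let out: Vec<Correlated> = events.into_iter().filter_map(|e| c.feed(e)).collect();
    (out, c)
}

/// OpenSSL shape: SSL_write is followed at once by write() on the same thread.
pub fn openssl_trace() -> Vec<Event> {
    vec![
        Event::TlsWrite { tid: 7, plaintext: b"GET /a HTTP/1.1\r\n".to_vec() },
        Event::SysWrite { tid: 7, fd: 5 },
        Event::TlsWrite { tid: 7, plaintext: b"GET /b HTTP/1.1\r\n".to_vec() },
        Event::SysWrite { tid: 7, fd: 5 },
    ]
}

/// rustls shape (assumed): two records buffered before one write(), then a
/// record whose write() is issued from another runtime worker thread.
pub fn rustls_trace() -> Vec<Event> {
    vec![
        Event::TlsWrite { tid: 7, plaintext: b"GET /a HTTP/1.1\r\n".to_vec() },
        Event::TlsWrite { tid: 7, plaintext: b"GET /b HTTP/1.1\r\n".to_vec() },
        Event::SysWrite { tid: 7, fd: 5 },
        Event::TlsWrite { tid: 7, plaintext: b"GET /c HTTP/1.1\r\n".to_vec() },
        Event::SysWrite { tid: 8, fd: 5 },
    ]
}

fn main() {
    for (name, trace) in [("openssl", openssl_trace()), ("rustls", rustls_trace())] {
        let (matched, c) = run(trace);
        println!("{name}: matched={} overwritten={} leaked={}", matched.len(), c.overwritten, c.leaked());
        for m in &matched {
            println!("  tid {} fd {} -> {:?}", m.tid, m.fd, String::from_utf8_lossy(&m.plaintext));
        }
    }
}
```

With the OpenSSL trace every request is paired with fd 5 and nothing is left in the map. With the assumed rustls trace the same correlator recovers only "GET /b": "GET /a" is overwritten in the single slot before any write() arrives, and "GET /c" stays in the map forever because its write() comes from tid 8. That is the concrete sense in which the per-thread trick stops being obvious once the library no longer owns the socket.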

Continue reading on Dev.to DevOps

