My understanding is that typically a TLS library provides a socket interface for the application to write() to, which can be intercepted by an eBPF program.