@@ -74,10 +74,12 @@
 #define TLS_PROTO_TLS1_1 0x08
 #define TLS_PROTO_TLS1_2 0x10
 #define TLS_PROTO_TLS1_3 0x20
 #define ENABLED(flag, mask) (((flag) & (mask)) == (mask))
+#define SSLKEYLOGFILE "SSLKEYLOGFILE"
+
 /*
 * Static data structures
 */
 #ifndef OPENSSL_NO_DH
@@ -402,10 +404,20 @@
 Tcl_DecrRefCount(cmdPtr);
 Tcl_Release((ClientData) statePtr);
 Tcl_Release((ClientData) statePtr->interp);
 }
+
+void KeyLogCallback(const SSL *ssl, const char *line) {
+ char *str = getenv(SSLKEYLOGFILE);
+ FILE *fd;
+ if (str) {
+ fd = fopen(str, "a");
+ fprintf(fd, "%s\n",line);
+ fclose(fd);
+ }
+}
 /*
 *-------------------------------------------------------------------
 *
 * PasswordCallback --
@@ -1201,10 +1213,14 @@
 ctx = SSL_CTX_new (method);
 if (!ctx) {
 return(NULL);
 }
+
+ if (getenv(SSLKEYLOGFILE)) {
+ SSL_CTX_set_keylog_callback(ctx, KeyLogCallback);
+ }
 #if !defined(NO_TLS1_3)
 if (proto == TLS_PROTO_TLS1_3) {
 SSL_CTX_set_min_proto_version (ctx, TLS1_3_VERSION);
 SSL_CTX_set_max_proto_version (ctx, TLS1_3_VERSION);
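Review bot: The `fopen(str, "a")` result in KeyLogCallback is never checked, so an unwritable or nonexistent SSLKEYLOGFILE path makes `fprintf(fd, ...)` dereference NULL in the middle of a TLS handshake and takes the whole interpreter down; the minimal fix is `if (fd == NULL) return;` before the fprintf. Because every line written here is a TLS session secret, the file should also be created owner-only rather than with whatever the process umask allows, which means opening it with `open(path, O_WRONLY | O_APPEND | O_CREAT, 0600)` and wrapping the descriptor with `fdopen` (needs `<fcntl.h>` and `<unistd.h>`; on Windows the mode argument is only partially honoured, so that branch may need its own handling). The function is only referenced from this file, so it can be `static`, and the unused `ssl` parameter should be silenced with `(void) ssl;` to keep `-Wextra` builds clean; naming the `FILE *` `fd` invites confusion with the descriptor it is not. The rewritten body is below; the whole function is contained in this hunk.
```c
static void KeyLogCallback(const SSL *ssl, const char *line) {
    const char *path = getenv(SSLKEYLOGFILE);
    (void) ssl;
    if (path == NULL) {
        return;
    }
    /* Session secrets: create owner-only; an existing file keeps its mode. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0600);
    if (fd < 0) {
        return;
    }
    FILE *fp = fdopen(fd, "a");
    if (fp == NULL) {
        close(fd);
        return;
    }
    fprintf(fp, "%s\n", line);
    fclose(fp);
}
```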
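Review bot: `SSL_CTX_set_keylog_callback` is called unconditionally after the `if (!ctx)` check, but that API only exists from OpenSSL 1.1.1 onward, and the `#if !defined(NO_TLS1_3)` guard a few lines below suggests this file is still built against older libraries; if so, the registration should sit inside `#if OPENSSL_VERSION_NUMBER >= 0x10101000L` (or an equivalent feature macro) so those builds keep compiling. The environment-only switch is also undocumented in the code: a reader of this function, which begins and ends outside the hunk, has no hint that setting one variable makes the library append every session's secrets to a file, so please add a comment such as `/* SSLKEYLOGFILE: when set, export TLS session secrets to that path for debugging (NSS key-log format); leave unset in production. */` above the `if (getenv(SSLKEYLOGFILE))` line and mention the variable in the package documentation. Consider whether the export should additionally require a build-time or Tcl-level opt-in, since the environment is often inherited from the parent process rather than set deliberately.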