diff --git a/src/session_mbedtls.c b/src/session_mbedtls.c
index e0947b8f..560d85f3 100644
--- a/src/session_mbedtls.c
+++ b/src/session_mbedtls.c
@@ -22,6 +22,7 @@
 #include <ctype.h>
 #include <errno.h>
 #include <poll.h>
+#include <pthread.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -1923,3 +1924,91 @@ nc_tls_get_cert_exp_time_wrap(void *cert)
 
     return timegm(&t);
 }
+
+/**
+ * @brief Convert the MbedTLS key export type to a label for the keylog file.
+ *
+ * @param[in] type MbedTLS key export type.
+ * @return Label for the keylog file or NULL if the type is not supported.
+ */
+static const char *
+nc_tls_keylog_type2label(mbedtls_ssl_key_export_type type)
+{
+    switch (type) {
+    case MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET:
+        return "CLIENT_RANDOM";
+#ifdef MBEDTLS_SSL_PROTO_TLS1_3
+    case MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_HANDSHAKE_TRAFFIC_SECRET:
+        return "CLIENT_HANDSHAKE_TRAFFIC_SECRET";
+    case MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_HANDSHAKE_TRAFFIC_SECRET:
+        return "SERVER_HANDSHAKE_TRAFFIC_SECRET";
+    case MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_APPLICATION_TRAFFIC_SECRET:
+        return "CLIENT_TRAFFIC_SECRET_0";
+    case MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_APPLICATION_TRAFFIC_SECRET:
+        return "SERVER_TRAFFIC_SECRET_0";
+#endif
+    default:
+        return NULL;
+    }
+}
+
+/**
+ * @brief Callback for writing a line in the keylog file.
+ */
+static void
+nc_tls_keylog_write_line(void *UNUSED(p_expkey), mbedtls_ssl_key_export_type type, const unsigned char *secret,
+        size_t secret_len, const unsigned char client_random[32],
+        const unsigned char UNUSED(server_random[32]), mbedtls_tls_prf_types UNUSED(tls_prf_type))
+{
+    size_t linelen, len = 0, i, client_random_len;
+    char buf[256];
+    const char *label;
+
+    if (!server_opts.tls_keylog_file) {
+        return;
+    }
+
+    label = nc_tls_keylog_type2label(type);
+    if (!label) {
+        /* type not supported */
+        return;
+    }
+
+    /* <Label> <space> 0x<ClientRandom> <space> 0x<Secret> */
+    linelen = strlen(label) + 1 + 2 * 32 + 1 + 2 * secret_len + 1;
+    if (linelen > sizeof(buf)) {
+        /* sanity check, should not happen since the max len should be 196 bytes */
+        return;
+    }
+
+    /* write the label */
+    len += sprintf(buf + len, "%s ", label);
+
+    /* write the client random */
+    client_random_len = 32;
+    for (i = 0; i < client_random_len; i++) {
+        len += sprintf(buf + len, "%02x", client_random[i]);
+    }
+    len += sprintf(buf + len, " ");
+
+    /* write the secret */
+    for (i = 0; i < secret_len; i++) {
+        len += sprintf(buf + len, "%02x", secret[i]);
+    }
+
+    len += sprintf(buf + len, "\n");
+    buf[len] = '\0';
+
+    if (len != linelen) {
+        return;
+    }
+
+    fputs(buf, server_opts.tls_keylog_file);
+    fflush(server_opts.tls_keylog_file);
+}
+
+void
+nc_tls_keylog_session_wrap(void *session)
+{
+    mbedtls_ssl_set_export_keys_cb(session, nc_tls_keylog_write_line, NULL);
+}
diff --git a/src/session_openssl.c b/src/session_openssl.c
index c3cb178d..6093a786 100644
--- a/src/session_openssl.c
+++ b/src/session_openssl.c
@@ -21,6 +21,7 @@
 
 #include <ctype.h>
 #include <poll.h>
+#include <pthread.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -1449,3 +1450,45 @@ nc_tls_get_cert_exp_time_wrap(void *cert)
 
     return timegm(&t);
 }
+
+/**
+ * @brief Callback for writing a line in the keylog file.
+ */
+static void
+nc_tls_keylog_write_line(const SSL *UNUSED(ssl), const char *line)
+{
+    size_t linelen;
+    char buf[256];
+
+    if (!server_opts.tls_keylog_file || !line) {
+        return;
+    }
+
+    /* linelen should not exceed 196 bytes, so 256 should be enough */
+    linelen = strlen(line);
+    if (!linelen || (linelen > sizeof(buf) - 2)) {
+        return;
+    }
+
+    memcpy(buf, line, linelen);
+    if (line[linelen - 1] != '\n') {
+        buf[linelen++] = '\n';
+    }
+    buf[linelen] = '\0';
+
+    fputs(buf, server_opts.tls_keylog_file);
+    fflush(server_opts.tls_keylog_file);
+}
+
+void
+nc_tls_keylog_session_wrap(void *session)
+{
+    SSL_CTX *ctx;
+
+    ctx = SSL_get_SSL_CTX(session);
+    if (!ctx) {
+        return;
+    }
+
+    SSL_CTX_set_keylog_callback(ctx, nc_tls_keylog_write_line);
+}
diff --git a/src/session_p.h b/src/session_p.h
index f1101592..c69ff89d 100644
--- a/src/session_p.h
+++ b/src/session_p.h
@@ -625,6 +625,8 @@ struct nc_server_opts {
         } *intervals;
         int interval_count;                 /**< Number of intervals. */
     } cert_exp_notif;
+
+    FILE *tls_keylog_file;                      /**< File to log TLS secrets to. */
 #endif
 };
 
@@ -685,6 +687,11 @@ struct nc_server_opts {
  */
 #define NC_CLIENT_MONITORING_LOCK_TIMEOUT 500
 
+/**
+ * TLS key log file environment variable name.
+ */
+#define NC_TLS_KEYLOGFILE_ENV "SSLKEYLOGFILE"
+
 /**
  * @brief Type of the session
  */
diff --git a/src/session_server.c b/src/session_server.c
index 38aad599..f9c8501f 100644
--- a/src/session_server.c
+++ b/src/session_server.c
@@ -795,6 +795,29 @@ nc_server_init_cb_ctx(const struct ly_ctx *ctx)
     }
 }
 
+#ifdef NC_ENABLED_SSH_TLS
+
+/**
+ * @brief Open the keylog file for writing TLS secrets.
+ */
+static void
+nc_server_keylog_file_open(void)
+{
+    char *keylog_file_name;
+
+    keylog_file_name = getenv(NC_TLS_KEYLOGFILE_ENV);
+    if (!keylog_file_name) {
+        return;
+    }
+
+    server_opts.tls_keylog_file = fopen(keylog_file_name, "a");
+    if (!server_opts.tls_keylog_file) {
+        WRN(NULL, "Failed to open keylog file \"%s\".", keylog_file_name);
+    }
+}
+
+#endif
+
 API int
 nc_server_init(void)
 {
@@ -858,6 +881,9 @@ nc_server_init(void)
         ERR(NULL, "%s: failed to init certificate expiration notification thread condition(%s).", __func__, strerror(r));
         goto error;
     }
+
+    /* try to open the keylog file for writing TLS secrets */
+    nc_server_keylog_file_open();
 #endif
 
     return 0;
@@ -917,6 +943,11 @@ nc_server_destroy(void)
     nc_server_config_ts_truststore(NULL, NC_OP_DELETE);
     curl_global_cleanup();
     ssh_finalize();
+
+    /* close the TLS keylog file */
+    if (server_opts.tls_keylog_file) {
+        fclose(server_opts.tls_keylog_file);
+    }
 #endif /* NC_ENABLED_SSH_TLS */
 }
 
diff --git a/src/session_server_tls.c b/src/session_server_tls.c
index dcbba7e8..0e170314 100644
--- a/src/session_server_tls.c
+++ b/src/session_server_tls.c
@@ -16,6 +16,7 @@
 
 #define _GNU_SOURCE
 
+#include <errno.h>
 #include <poll.h>
 #include <stdint.h>
 #include <stdio.h>
@@ -32,7 +33,6 @@
 #include "session_p.h"
 #include "session_wrapper.h"
 
-struct nc_server_tls_opts tls_ch_opts;
 extern struct nc_server_opts server_opts;
 
 static int
@@ -899,6 +899,11 @@ nc_accept_tls_session(struct nc_session *session, struct nc_server_tls_opts *opt
         goto fail;
     }
 
+    /* if keylog file is set, log the tls secrets there */
+    if (server_opts.tls_keylog_file) {
+        nc_tls_keylog_session_wrap(session->ti.tls.session);
+    }
+
     /* set session fd */
     nc_tls_set_fd_wrap(session->ti.tls.session, sock, &session->ti.tls.ctx);
 
diff --git a/src/session_wrapper.h b/src/session_wrapper.h
index 729a17ac..b19a2301 100644
--- a/src/session_wrapper.h
+++ b/src/session_wrapper.h
@@ -69,6 +69,8 @@ struct nc_tls_verify_cb_data {
     void *chain;                        /**< Certificate chain used to verify the client cert. */
 };
 
+extern struct nc_server_opts server_opts;
+
 /**
  * @brief Creates a new TLS session from the given configuration.
  *
@@ -732,4 +734,11 @@ void nc_server_tls_set_cipher_suites_wrap(void *tls_cfg, void *cipher_suites);
  */
 time_t nc_tls_get_cert_exp_time_wrap(void *cert);
 
+/**
+ * @brief Set the session to log TLS secrets for.
+ *
+ * @param[in] session Session to log secrets for.
+ */
+void nc_tls_keylog_session_wrap(void *session);
+
 #endif