diff --git a/tlsconf/tlsconf.go b/tlsconf/tlsconf.go
index 6547518..ffe6094 100644
--- a/tlsconf/tlsconf.go
+++ b/tlsconf/tlsconf.go
@@ -4,8 +4,11 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"errors"
+	"fmt"
+	"io"
 	"io/ioutil"
 	"net"
+	"os"
 	"time"
 )
 
@@ -42,6 +45,7 @@ func NewClientAuthListener(
 		ClientCAs: ca,
 		ClientAuth: tls.RequireAndVerifyClientCert,
 		PreferServerCipherSuites: true,
+		KeyLogWriter: keylogFromEnv(),
 	}
 	l = tls.NewListener(l, &tlsConf)
 	return &ClientAuthListener{
@@ -106,7 +110,21 @@ func ClientAuthClient(serverName string, rootCA *x509.CertPool, clientCert tls.C
 		Certificates: []tls.Certificate{clientCert},
 		RootCAs: rootCA,
 		ServerName: serverName,
+		KeyLogWriter: keylogFromEnv(),
 	}
 	tlsConfig.BuildNameToCertificate()
 	return tlsConfig, nil
 }
+
+func keylogFromEnv() io.Writer {
+	var keyLog io.Writer = nil
+	if outfile := os.Getenv("ZREPL_KEYLOG_FILE"); outfile != "" {
+		fmt.Fprintf(os.Stderr, "writing to key log %s\n", outfile)
+		var err error
+		keyLog, err = os.OpenFile(outfile, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)
+		if err != nil {
+			panic(err)
+		}
+	}
+	return keyLog
+}
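Review bot: keylogFromEnv opens ZREPL_KEYLOG_FILE with O_TRUNC on every call, and because both new call sites (the KeyLogWriter fields added in NewClientAuthListener and ClientAuthClient) invoke it, every listener or client constructed after the first truncates the session secrets already logged and leaks the previous *os.File, which is never closed. Opening the file once behind a sync.Once (adding "sync" to the import block) and handing the same writer to every tls.Config fixes both; the rewritten function is below. The 0600 passed to os.OpenFile only takes effect when the file is created, so a pre-existing key log keeps whatever mode it had — worth a comment such as `// 0600 applies only on creation; an existing file keeps its mode`. The stderr notice would also be clearer with `%q` so an unusual path is shown exactly as given.
```go
var (
	keyLogOnce sync.Once
	keyLogW    io.Writer
)

// keylogFromEnv returns the writer for TLS session secrets selected by
// ZREPL_KEYLOG_FILE, or nil when the variable is unset. The file is opened
// once per process so that repeated listener/client construction neither
// truncates earlier entries nor leaks a descriptor.
func keylogFromEnv() io.Writer {
	keyLogOnce.Do(func() {
		outfile := os.Getenv("ZREPL_KEYLOG_FILE")
		if outfile == "" {
			return
		}
		fmt.Fprintf(os.Stderr, "writing to key log %q\n", outfile)
		// 0600 applies only on creation; an existing file keeps its mode.
		f, err := os.OpenFile(outfile, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)
		if err != nil {
			panic(err)
		}
		keyLogW = f
	})
	return keyLogW
}
```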