diff --git a/src/messages_server.c b/src/messages_server.c
index 168bb023..84442032 100644
--- a/src/messages_server.c
+++ b/src/messages_server.c
@@ -30,8 +30,6 @@
 #include "messages_server.h"
 #include "netconf.h"
 
-extern struct nc_server_opts server_opts;
-
 API struct nc_server_reply *
 nc_server_reply_ok(void)
 {
diff --git a/src/server_config.c b/src/server_config.c
index 8bce71f3..158d84d7 100644
--- a/src/server_config.c
+++ b/src/server_config.c
@@ -33,8 +33,6 @@
 #include "server_config_p.h"
 #include "session_p.h"
 
-extern struct nc_server_opts server_opts;
-
 /* returns a parent node of 'node' that matches the name 'name' */
 static const struct lyd_node *
 nc_server_config_get_parent(const struct lyd_node *node, const char *name)
diff --git a/src/server_config_ks.c b/src/server_config_ks.c
index b12e2f39..0194c70b 100644
--- a/src/server_config_ks.c
+++ b/src/server_config_ks.c
@@ -27,8 +27,6 @@
 #include "server_config_p.h"
 #include "session_p.h"
 
-extern struct nc_server_opts server_opts;
-
 /**
  * @brief Get the pointer to an asymmetric key structure based on node's location in the YANG data.
  *
diff --git a/src/server_config_ts.c b/src/server_config_ts.c
index b76feef1..62528d75 100644
--- a/src/server_config_ts.c
+++ b/src/server_config_ts.c
@@ -27,8 +27,6 @@
 #include "server_config_p.h"
 #include "session_p.h"
 
-extern struct nc_server_opts server_opts;
-
 /**
  * @brief Get the pointer to a certificate bag structure based on node's location in the YANG data.
  *
diff --git a/src/session.c b/src/session.c
index 155aafca..4b7cfd69 100644
--- a/src/session.c
+++ b/src/session.c
@@ -50,8 +50,6 @@
 /* in milliseconds */
 #define NC_CLOSE_REPLY_TIMEOUT 200
 
-extern struct nc_server_opts server_opts;
-
 void
 nc_timeouttime_get(struct timespec *ts, uint32_t add_ms)
 {
diff --git a/src/session_mbedtls.c b/src/session_mbedtls.c
index e0947b8f..560d85f3 100644
--- a/src/session_mbedtls.c
+++ b/src/session_mbedtls.c
@@ -22,6 +22,7 @@
 #include <ctype.h>
 #include <errno.h>
 #include <poll.h>
+#include <pthread.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -1923,3 +1924,91 @@ nc_tls_get_cert_exp_time_wrap(void *cert)
 
     return timegm(&t);
 }
+
+/**
+ * @brief Convert the MbedTLS key export type to a label for the keylog file.
+ *
+ * @param[in] type MbedTLS key export type.
+ * @return Label for the keylog file or NULL if the type is not supported.
+ */
+static const char *
+nc_tls_keylog_type2label(mbedtls_ssl_key_export_type type)
+{
+    switch (type) {
+    case MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET:
+        return "CLIENT_RANDOM";
+#ifdef MBEDTLS_SSL_PROTO_TLS1_3
+    case MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_HANDSHAKE_TRAFFIC_SECRET:
+        return "CLIENT_HANDSHAKE_TRAFFIC_SECRET";
+    case MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_HANDSHAKE_TRAFFIC_SECRET:
+        return "SERVER_HANDSHAKE_TRAFFIC_SECRET";
+    case MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_APPLICATION_TRAFFIC_SECRET:
+        return "CLIENT_TRAFFIC_SECRET_0";
+    case MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_APPLICATION_TRAFFIC_SECRET:
+        return "SERVER_TRAFFIC_SECRET_0";
+#endif
+    default:
+        return NULL;
+    }
+}
+
+/**
+ * @brief Callback for writing a line in the keylog file.
+ */
+static void
+nc_tls_keylog_write_line(void *UNUSED(p_expkey), mbedtls_ssl_key_export_type type, const unsigned char *secret,
+        size_t secret_len, const unsigned char client_random[32],
+        const unsigned char UNUSED(server_random[32]), mbedtls_tls_prf_types UNUSED(tls_prf_type))
+{
+    size_t linelen, len = 0, i, client_random_len;
+    char buf[256];
+    const char *label;
+
+    if (!server_opts.tls_keylog_file) {
+        return;
+    }
+
+    label = nc_tls_keylog_type2label(type);
+    if (!label) {
+        /* type not supported */
+        return;
+    }
+
+    /* <Label> <space> 0x<ClientRandom> <space> 0x<Secret> */
+    linelen = strlen(label) + 1 + 2 * 32 + 1 + 2 * secret_len + 1;
+    if (linelen > sizeof(buf)) {
+        /* sanity check, should not happen since the max len should be 196 bytes */
+        return;
+    }
+
+    /* write the label */
+    len += sprintf(buf + len, "%s ", label);
+
+    /* write the client random */
+    client_random_len = 32;
+    for (i = 0; i < client_random_len; i++) {
+        len += sprintf(buf + len, "%02x", client_random[i]);
+    }
+    len += sprintf(buf + len, " ");
+
+    /* write the secret */
+    for (i = 0; i < secret_len; i++) {
+        len += sprintf(buf + len, "%02x", secret[i]);
+    }
+
+    len += sprintf(buf + len, "\n");
+    buf[len] = '\0';
+
+    if (len != linelen) {
+        return;
+    }
+
+    fputs(buf, server_opts.tls_keylog_file);
+    fflush(server_opts.tls_keylog_file);
+}
+
+void
+nc_tls_keylog_session_wrap(void *session)
+{
+    mbedtls_ssl_set_export_keys_cb(session, nc_tls_keylog_write_line, NULL);
+}
diff --git a/src/session_openssl.c b/src/session_openssl.c
index c3cb178d..6093a786 100644
--- a/src/session_openssl.c
+++ b/src/session_openssl.c
@@ -21,6 +21,7 @@
 
 #include <ctype.h>
 #include <poll.h>
+#include <pthread.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -1449,3 +1450,45 @@ nc_tls_get_cert_exp_time_wrap(void *cert)
 
     return timegm(&t);
 }
+
+/**
+ * @brief Callback for writing a line in the keylog file.
+ */
+static void
+nc_tls_keylog_write_line(const SSL *UNUSED(ssl), const char *line)
+{
+    size_t linelen;
+    char buf[256];
+
+    if (!server_opts.tls_keylog_file || !line) {
+        return;
+    }
+
+    /* linelen should not exceed 196 bytes, so 256 should be enough */
+    linelen = strlen(line);
+    if (!linelen || (linelen > sizeof(buf) - 2)) {
+        return;
+    }
+
+    memcpy(buf, line, linelen);
+    if (line[linelen - 1] != '\n') {
+        buf[linelen++] = '\n';
+    }
+    buf[linelen] = '\0';
+
+    fputs(buf, server_opts.tls_keylog_file);
+    fflush(server_opts.tls_keylog_file);
+}
+
+void
+nc_tls_keylog_session_wrap(void *session)
+{
+    SSL_CTX *ctx;
+
+    ctx = SSL_get_SSL_CTX(session);
+    if (!ctx) {
+        return;
+    }
+
+    SSL_CTX_set_keylog_callback(ctx, nc_tls_keylog_write_line);
+}
diff --git a/src/session_p.h b/src/session_p.h
index f1101592..e86eb0fc 100644
--- a/src/session_p.h
+++ b/src/session_p.h
@@ -32,6 +32,8 @@
 #include "session_server_ch.h"
 #include "session_wrapper.h"
 
+extern struct nc_server_opts server_opts;
+
 /**
  * Enumeration of diff operation types.
  */
@@ -625,6 +627,8 @@ struct nc_server_opts {
         } *intervals;
         int interval_count;                 /**< Number of intervals. */
     } cert_exp_notif;
+
+    FILE *tls_keylog_file;                      /**< File to log TLS secrets to. */
 #endif
 };
 
@@ -685,6 +689,11 @@ struct nc_server_opts {
  */
 #define NC_CLIENT_MONITORING_LOCK_TIMEOUT 500
 
+/**
+ * TLS key log file environment variable name.
+ */
+#define NC_TLS_KEYLOGFILE_ENV "SSLKEYLOGFILE"
+
 /**
  * @brief Type of the session
  */
diff --git a/src/session_server.c b/src/session_server.c
index 38aad599..f9c8501f 100644
--- a/src/session_server.c
+++ b/src/session_server.c
@@ -795,6 +795,29 @@ nc_server_init_cb_ctx(const struct ly_ctx *ctx)
     }
 }
 
+#ifdef NC_ENABLED_SSH_TLS
+
+/**
+ * @brief Open the keylog file for writing TLS secrets.
+ */
+static void
+nc_server_keylog_file_open(void)
+{
+    char *keylog_file_name;
+
+    keylog_file_name = getenv(NC_TLS_KEYLOGFILE_ENV);
+    if (!keylog_file_name) {
+        return;
+    }
+
+    server_opts.tls_keylog_file = fopen(keylog_file_name, "a");
+    if (!server_opts.tls_keylog_file) {
+        WRN(NULL, "Failed to open keylog file \"%s\".", keylog_file_name);
+    }
+}
+
+#endif
+
 API int
 nc_server_init(void)
 {
@@ -858,6 +881,9 @@ nc_server_init(void)
         ERR(NULL, "%s: failed to init certificate expiration notification thread condition(%s).", __func__, strerror(r));
         goto error;
     }
+
+    /* try to open the keylog file for writing TLS secrets */
+    nc_server_keylog_file_open();
 #endif
 
     return 0;
@@ -917,6 +943,11 @@ nc_server_destroy(void)
     nc_server_config_ts_truststore(NULL, NC_OP_DELETE);
     curl_global_cleanup();
     ssh_finalize();
+
+    /* close the TLS keylog file */
+    if (server_opts.tls_keylog_file) {
+        fclose(server_opts.tls_keylog_file);
+    }
 #endif /* NC_ENABLED_SSH_TLS */
 }
 
diff --git a/src/session_server_ssh.c b/src/session_server_ssh.c
index 153e083a..7214ac36 100644
--- a/src/session_server_ssh.c
+++ b/src/session_server_ssh.c
@@ -47,8 +47,6 @@
 #include "session_p.h"
 #include "session_wrapper.h"
 
-extern struct nc_server_opts server_opts;
-
 /**
  * @brief Stores the private key data as a temporary file.
  *
diff --git a/src/session_server_tls.c b/src/session_server_tls.c
index dcbba7e8..ead84ad3 100644
--- a/src/session_server_tls.c
+++ b/src/session_server_tls.c
@@ -16,6 +16,7 @@
 
 #define _GNU_SOURCE
 
+#include <errno.h>
 #include <poll.h>
 #include <stdint.h>
 #include <stdio.h>
@@ -32,9 +33,6 @@
 #include "session_p.h"
 #include "session_wrapper.h"
 
-struct nc_server_tls_opts tls_ch_opts;
-extern struct nc_server_opts server_opts;
-
 static int
 nc_server_tls_ks_ref_get_cert_key(const char *referenced_key_name, const char *referenced_cert_name,
         char **privkey_data, enum nc_privkey_format *privkey_type, char **cert_data)
@@ -899,6 +897,11 @@ nc_accept_tls_session(struct nc_session *session, struct nc_server_tls_opts *opt
         goto fail;
     }
 
+    /* if keylog file is set, log the tls secrets there */
+    if (server_opts.tls_keylog_file) {
+        nc_tls_keylog_session_wrap(session->ti.tls.session);
+    }
+
     /* set session fd */
     nc_tls_set_fd_wrap(session->ti.tls.session, sock, &session->ti.tls.ctx);
 
diff --git a/src/session_wrapper.h b/src/session_wrapper.h
index 729a17ac..107bb679 100644
--- a/src/session_wrapper.h
+++ b/src/session_wrapper.h
@@ -732,4 +732,11 @@ void nc_server_tls_set_cipher_suites_wrap(void *tls_cfg, void *cipher_suites);
  */
 time_t nc_tls_get_cert_exp_time_wrap(void *cert);
 
+/**
+ * @brief Set the session to log TLS secrets for.
+ *
+ * @param[in] session Session to log secrets for.
+ */
+void nc_tls_keylog_session_wrap(void *session);
+
 #endif
diff --git a/tests/test_tls.c b/tests/test_tls.c
index 7fbd354e..98c2bcdb 100644
--- a/tests/test_tls.c
+++ b/tests/test_tls.c
@@ -25,6 +25,8 @@
 
 #include "ln2_test.h"
 
+#define KEYLOG_FILENAME "ln2_test_tls_keylog.txt"
+
 int TEST_PORT = 10050;
 const char *TEST_PORT_STR = "10050";
 
@@ -99,6 +101,64 @@ test_nc_tls_ec_key(void **state)
     }
 }
 
+static void
+check_keylog_file(const char *filename)
+{
+    char buf[256];
+    FILE *f;
+    int cli_random, cli_hs, cli_traffic, srv_hs, srv_traffic;
+
+    cli_random = cli_hs = cli_traffic = srv_hs = srv_traffic = 0;
+
+    f = fopen(filename, "r");
+    assert_non_null(f);
+
+    while (fgets(buf, sizeof(buf), f)) {
+        if (!strncmp(buf, "CLIENT_RANDOM", 13)) {
+            cli_random++;
+        } else if (!strncmp(buf, "CLIENT_HANDSHAKE_TRAFFIC_SECRET", 31)) {
+            cli_hs++;
+        } else if (!strncmp(buf, "CLIENT_TRAFFIC_SECRET_0", 23)) {
+            cli_traffic++;
+        } else if (!strncmp(buf, "SERVER_HANDSHAKE_TRAFFIC_SECRET", 31)) {
+            srv_hs++;
+        } else if (!strncmp(buf, "SERVER_TRAFFIC_SECRET_0", 23)) {
+            srv_traffic++;
+        }
+    }
+
+    fclose(f);
+
+    if (cli_random) {
+        /* tls 1.2 */
+        assert_int_equal(cli_random, 1);
+        assert_int_equal(cli_hs + cli_traffic + srv_hs + srv_traffic, 0);
+    } else {
+        /* tls 1.3 */
+        assert_int_equal(cli_hs + cli_traffic + srv_hs + srv_traffic, 4);
+    }
+}
+
+static void
+test_nc_tls_keylog(void **state)
+{
+    int ret, i;
+    pthread_t tids[2];
+
+    assert_non_null(state);
+
+    ret = pthread_create(&tids[0], NULL, client_thread, *state);
+    assert_int_equal(ret, 0);
+    ret = pthread_create(&tids[1], NULL, ln2_glob_test_server_thread, *state);
+    assert_int_equal(ret, 0);
+
+    for (i = 0; i < 2; i++) {
+        pthread_join(tids[i], NULL);
+    }
+
+    check_keylog_file(KEYLOG_FILENAME);
+}
+
 static void
 test_nc_tls_free_test_data(void *test_data)
 {
@@ -149,12 +209,22 @@ setup_f(void **state)
     return 0;
 }
 
+static int
+keylog_setup_f(void **state)
+{
+    unlink(KEYLOG_FILENAME);
+    setenv("SSLKEYLOGFILE", KEYLOG_FILENAME, 1);
+
+    return setup_f(state);
+}
+
 int
 main(void)
 {
     const struct CMUnitTest tests[] = {
         cmocka_unit_test_setup_teardown(test_nc_tls, setup_f, ln2_glob_test_teardown),
-        cmocka_unit_test_setup_teardown(test_nc_tls_ec_key, setup_f, ln2_glob_test_teardown)
+        cmocka_unit_test_setup_teardown(test_nc_tls_ec_key, setup_f, ln2_glob_test_teardown),
+        cmocka_unit_test_setup_teardown(test_nc_tls_keylog, keylog_setup_f, ln2_glob_test_teardown)
     };
 
     /* try to get ports from the environment, otherwise use the default */