From b342f2b12944ff1b1e99133150071cc6bb879f71 Mon Sep 17 00:00:00 2001 From: Robsdedude Date: Wed, 3 Jun 2026 17:27:32 +0200 Subject: [PATCH 1/2] Make driver's default SSL context respect SSLKEYLOGFILE env var This aligns the driver with Python's `ssl.create_default_context()` behavior: > When `keylog_filename` is supported and the environment variable > `SSLKEYLOGFILE` is set, `create_default_context()` enables key logging. > > -- https://docs.python.org/3/library/ssl.html#ssl.create_default_context The same behavior could previously be achieved by passing a custom SSLContext. However, this is much more work. Supporting the env var `SSLKEYLOGFILE` is a common practice for software using SSL.
---
 src/neo4j/_async/config.py | 8 ++++++++
 src/neo4j/_sync/config.py | 8 ++++++++
 2 files changed, 16 insertions(+)
diff --git a/src/neo4j/_async/config.py b/src/neo4j/_async/config.py
index d738c6f6f..ed5812006 100644
--- a/src/neo4j/_async/config.py
+++ b/src/neo4j/_async/config.py
@@ -16,6 +16,8 @@ from __future__ import annotations +import os + from .. import _typing as t from .._async_compat.concurrency import AsyncLock from .._conf import (
@@ -154,6 +156,12 @@ async def get_ssl_context(self) -> ssl.SSLContext | None: # https://docs.python.org/3.10/library/ssl.html#protocol-versions ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2 + # Follow Python's `create_default_context` and respect the + # `SSLKEYLOGFILE` environment variable for key logging if present. + ssl_keylog_file = os.getenv("SSLKEYLOGFILE") + if ssl_keylog_file: + ssl_context.keylog_filename = ssl_keylog_file + if isinstance(self.trusted_certificates, TrustAll): # trust any certificate ssl_context.check_hostname = False
diff --git a/src/neo4j/_sync/config.py b/src/neo4j/_sync/config.py
index 48951a7db..1e9c47503 100644
--- a/src/neo4j/_sync/config.py
+++ b/src/neo4j/_sync/config.py 
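Review bot: The new `SSLKEYLOGFILE` handling in `get_ssl_context` (second hunk of src/neo4j/_async/config.py, and the identical hunk in src/neo4j/_sync/config.py) is looser than the stdlib behaviour the comment cites: `ssl.create_default_context()` only assigns `keylog_filename` when `hasattr(context, "keylog_filename")` is true (the attribute is absent on interpreter builds whose OpenSSL lacks key-log support, which the Python docs describe as "when keylog_filename is supported") and when `sys.flags.ignore_environment` is false, so a process started with `python -E` or `-I` does not have TLS session secrets written to a path inherited from its environment. As written, an inherited `SSLKEYLOGFILE` still turns on key export in isolated mode, and on an unsupported build the assignment would at best be a silent no-op rather than the intended feature. Suggest changing the guard to `if ssl_keylog_file and not sys.flags.ignore_environment and hasattr(ssl_context, "keylog_filename"):` with an `import sys` next to the new `import os`, and, if the module already has a logger, a debug-level line such as `log.debug("SSLKEYLOGFILE set; TLS key logging enabled")` so operators can see in driver logs that secrets are being exported. `get_ssl_context` starts and ends outside this hunk.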
@@ -16,6 +16,8 @@ from __future__ import annotations +import os + from .. import _typing as t from .._async_compat.concurrency import Lock from .._conf import (
@@ -154,6 +156,12 @@ def get_ssl_context(self) -> ssl.SSLContext | None: # https://docs.python.org/3.10/library/ssl.html#protocol-versions ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2 + # Follow Python's `create_default_context` and respect the + # `SSLKEYLOGFILE` environment variable for key logging if present. + ssl_keylog_file = os.getenv("SSLKEYLOGFILE") + if ssl_keylog_file: + ssl_context.keylog_filename = ssl_keylog_file + if isinstance(self.trusted_certificates, TrustAll): # trust any certificate ssl_context.check_hostname = False
From 197d6be7196084ecaff7cfc68ba45e8106b473a9 Mon Sep 17 00:00:00 2001 From: Robsdedude Date: Thu, 4 Jun 2026 09:56:37 +0200 Subject: [PATCH 2/2] Add documentation
---
 docs/source/api.rst | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/docs/source/api.rst b/docs/source/api.rst
index 1286d7293..3daf7c1a8 100644
--- a/docs/source/api.rst
+++ b/docs/source/api.rst
@@ -845,6 +845,10 @@ There are different *mutually exclusive* ways of configuring TLS/SSL encryption * or set :ref:`ssl-context-ref` to gain full control (and responsibility) over the TLS configuration. * or set ``encrypted=False`` (default) to disable TLS. +All options except for configuring a custom :ref:`ssl-context-ref` will check the +environment variable ``SSLKEYLOGFILE``. +If the variable is set, it's value will be assinged to +:attr:`ssl.SSLContext.keylog_filename` to enable keyfile logging. Driver Object Lifetime