neo4j · robsdedude · Jun 3, 2026 · Jun 4, 2026
diff --git a/docs/source/api.rst b/docs/source/api.rst
@@ -845,6 +845,10 @@ There are different *mutually exclusive* ways of configuring TLS/SSL encryption
   * or set :ref:`ssl-context-ref` to gain full control (and responsibility) over the TLS configuration.
   * or set ``encrypted=False`` (default) to disable TLS.
 
+All options except for configuring a custom :ref:`ssl-context-ref` will check the
+environment variable ``SSLKEYLOGFILE``.
+If the variable is set, it's value will be assinged to
+:attr:`ssl.SSLContext.keylog_filename` to enable keyfile logging.
 
 
 Driver Object Lifetime

diff --git a/src/neo4j/_async/config.py b/src/neo4j/_async/config.py
@@ -16,6 +16,8 @@
 
 from __future__ import annotations
 
+import os
+
 from .. import _typing as t
 from .._async_compat.concurrency import AsyncLock
 from .._conf import (
@@ -154,6 +156,12 @@ async def get_ssl_context(self) -> ssl.SSLContext | None:
             # https://docs.python.org/3.10/library/ssl.html#protocol-versions
             ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2
 
+            # Follow Python's `create_default_context` and respect the
+            # `SSLKEYLOGFILE` environment variable for key logging if present.
+            ssl_keylog_file = os.getenv("SSLKEYLOGFILE")
+            if ssl_keylog_file:
+                ssl_context.keylog_filename = ssl_keylog_file
+
             if isinstance(self.trusted_certificates, TrustAll):
                 # trust any certificate
                 ssl_context.check_hostname = False

diff --git a/src/neo4j/_sync/config.py b/src/neo4j/_sync/config.py