From fc861dbb38dbdfe41f329f1a32f6ea76718f13c0 Mon Sep 17 00:00:00 2001 From: Niclas Klugmann Date: Wed, 29 Apr 2026 01:36:21 +0200 Subject: [PATCH 1/3] allow option for enabling the SSLKEYLOGFILE environment variable --- sqlx-core/src/net/tls/mod.rs | 1 + sqlx-core/src/net/tls/tls_rustls.rs | 7 +++++-- sqlx-mysql/src/connection/tls.rs | 1 + sqlx-mysql/src/options/mod.rs | 10 ++++++++++ sqlx-postgres/src/connection/tls.rs | 1 + sqlx-postgres/src/options/mod.rs | 10 ++++++++++ 6 files changed, 28 insertions(+), 2 deletions(-) diff --git a/sqlx-core/src/net/tls/mod.rs b/sqlx-core/src/net/tls/mod.rs index 7bb1744189..4750bdfe72 100644 --- a/sqlx-core/src/net/tls/mod.rs +++ b/sqlx-core/src/net/tls/mod.rs @@ -60,6 +60,7 @@ impl std::fmt::Display for CertificateInput { pub struct TlsConfig<'a> { pub accept_invalid_certs: bool, pub accept_invalid_hostnames: bool, + pub enable_keylog: bool, pub hostname: &'a str, pub root_cert_path: Option<&'a CertificateInput>, pub client_cert_path: Option<&'a CertificateInput>, diff --git a/sqlx-core/src/net/tls/tls_rustls.rs b/sqlx-core/src/net/tls/tls_rustls.rs index 1ecbbad519..354b50750c 100644 --- a/sqlx-core/src/net/tls/tls_rustls.rs +++ b/sqlx-core/src/net/tls/tls_rustls.rs @@ -13,7 +13,7 @@ use rustls::{ pem::{self, PemObject}, CertificateDer, PrivateKeyDer, ServerName, UnixTime, }, - CertificateError, ClientConfig, ClientConnection, Error as TlsError, RootCertStore, + CertificateError, ClientConfig, ClientConnection, Error as TlsError, KeyLogFile, RootCertStore, }; use crate::error::Error; @@ -123,7 +123,7 @@ where } }; - let config = if tls_config.accept_invalid_certs { + let mut config = if tls_config.accept_invalid_certs { if let Some(user_auth) = user_auth { config .dangerous() @@ -179,6 +179,9 @@ where .with_no_client_auth() } }; + if tls_config.enable_keylog { + config.key_log = Arc::new(KeyLogFile::new()); + } let host = ServerName::try_from(tls_config.hostname.to_owned()).map_err(Error::tls)?; 
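Review bot: The new `pub enable_keylog: bool` field on `TlsConfig` has no doc comment, although it is the one field in this struct that causes secret key material to be written to disk. I would add `/// Export TLS session secrets to the file named by the SSLKEYLOGFILE environment variable (rustls backend only); the file allows decryption of captured traffic, so this is a debugging aid.` above it. Judging by the file list of this patch only `tls_rustls.rs` reads the field, so other TLS backends presumably ignore it without any diagnostic, which the comment should also state. The struct body continues outside the hunk.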
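Review bot: Nothing is logged when the added `if tls_config.enable_keylog` block turns key export on, and `KeyLogFile::new()` is constructed for every handshake, so each new connection inspects `SSLKEYLOGFILE` and opens the file again. Anyone who can read that file can decrypt recorded sessions of these connections, including whatever credentials and query data follow the TLS upgrade, so a flag left enabled in a deployment where the variable happens to be set should at least be visible in the logs. I would emit a warning through the crate's existing logging when the flag is set and share a single logger, e.g. `static KEYLOG: OnceLock<Arc<KeyLogFile>> = OnceLock::new();` followed by `config.key_log = KEYLOG.get_or_init(|| Arc::new(KeyLogFile::new())).clone();`. The enclosing function starts and ends outside the hunk.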
diff --git a/sqlx-mysql/src/connection/tls.rs b/sqlx-mysql/src/connection/tls.rs index 9034fbd63a..07792d5e9b 100644 --- a/sqlx-mysql/src/connection/tls.rs +++ b/sqlx-mysql/src/connection/tls.rs @@ -63,6 +63,7 @@ pub(super) async fn maybe_upgrade( root_cert_path: options.ssl_ca.as_ref(), client_cert_path: options.ssl_client_cert.as_ref(), client_key_path: options.ssl_client_key.as_ref(), + enable_keylog: options.ssl_enable_keylog, }; // Request TLS upgrade diff --git a/sqlx-mysql/src/options/mod.rs b/sqlx-mysql/src/options/mod.rs index 421bfb700e..83fc10c990 100644 --- a/sqlx-mysql/src/options/mod.rs +++ b/sqlx-mysql/src/options/mod.rs @@ -71,6 +71,7 @@ pub struct MySqlConnectOptions { pub(crate) ssl_ca: Option, pub(crate) ssl_client_cert: Option, pub(crate) ssl_client_key: Option, + pub(crate) ssl_enable_keylog: bool, pub(crate) statement_cache_capacity: usize, pub(crate) charset: String, pub(crate) collation: Option, @@ -104,6 +105,7 @@ impl MySqlConnectOptions { ssl_ca: None, ssl_client_cert: None, ssl_client_key: None, + ssl_enable_keylog: false, statement_cache_capacity: 100, log_settings: Default::default(), pipes_as_concat: true, @@ -176,6 +178,14 @@ impl MySqlConnectOptions { self } + /// Enables the use of the `SSLKEYLOGFILE`` environment variable to export SSL session keys. + /// + /// Only works with the `rustls` SSL backend + pub fn ssl_enable_keylog(mut self, enable: bool) -> Self { + self.ssl_enable_keylog = enable; + self + } + /// Sets the name of a file containing a list of trusted SSL Certificate Authorities. /// /// # Example diff --git a/sqlx-postgres/src/connection/tls.rs b/sqlx-postgres/src/connection/tls.rs index a49c9caa8c..0ce21926fb 100644 --- a/sqlx-postgres/src/connection/tls.rs +++ b/sqlx-postgres/src/connection/tls.rs 
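Review bot: The doc comment added to `MySqlConnectOptions::ssl_enable_keylog` closes `SSLKEYLOGFILE` with two backticks, which breaks the rustdoc code span, and it does not say what enabling the option exposes. The same text is added to `PgConnectOptions::ssl_enable_keylog` in sqlx-postgres/src/options/mod.rs, and the two follow-up patches only touch whitespace on the blank `///` line. The comment should state that the option defaults to `false`, that when it is enabled and the variable is set the TLS backend appends per-session secrets to that file, that read access to the file is enough to decrypt captured traffic for those sessions, and that it is intended for debugging only. The last line would read better as `/// Has no effect unless the rustls TLS backend is in use.`, since the option is accepted on every backend.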
@@ -58,6 +58,7 @@ async fn maybe_upgrade( root_cert_path: options.ssl_root_cert.as_ref(), client_cert_path: options.ssl_client_cert.as_ref(), client_key_path: options.ssl_client_key.as_ref(), + enable_keylog: options.ssl_enable_keylog, }; tls::handshake(socket, config, SocketIntoBox).await diff --git a/sqlx-postgres/src/options/mod.rs b/sqlx-postgres/src/options/mod.rs index 21e6628cae..863073a409 100644 --- a/sqlx-postgres/src/options/mod.rs +++ b/sqlx-postgres/src/options/mod.rs @@ -25,6 +25,7 @@ pub struct PgConnectOptions { pub(crate) ssl_root_cert: Option, pub(crate) ssl_client_cert: Option, pub(crate) ssl_client_key: Option, + pub(crate) ssl_enable_keylog: bool, pub(crate) statement_cache_capacity: usize, pub(crate) application_name: Option, pub(crate) log_settings: LogSettings, @@ -92,6 +93,7 @@ impl PgConnectOptions { .ok() .and_then(|v| v.parse().ok()) .unwrap_or_default(), + ssl_enable_keylog: false, statement_cache_capacity: 100, application_name: var("PGAPPNAME").ok(), extra_float_digits: Some("2".into()), @@ -225,6 +227,14 @@ impl PgConnectOptions { self } + /// Enables the use of the `SSLKEYLOGFILE`` environment variable to export SSL session keys. + /// + /// Only works with the `rustls` SSL backend + pub fn ssl_enable_keylog(mut self, enable: bool) -> Self { + self.ssl_enable_keylog = enable; + self + } + /// Sets the name of a file containing SSL certificate authority (CA) certificate(s). /// If the file exists, the server's certificate will be verified to be signed by /// one of these authorities. From 04a09b22231d36d9827dc44511a1efa298c99347 Mon Sep 17 00:00:00 2001 From: Niclas Klugmann Date: Wed, 29 Apr 2026 01:57:36 +0200 Subject: [PATCH 2/3] formatting --- sqlx-mysql/src/options/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sqlx-mysql/src/options/mod.rs b/sqlx-mysql/src/options/mod.rs index 83fc10c990..6eac7f8d40 100644 --- a/sqlx-mysql/src/options/mod.rs +++ b/sqlx-mysql/src/options/mod.rs 
@@ -179,7 +179,7 @@ impl MySqlConnectOptions { } /// Enables the use of the `SSLKEYLOGFILE`` environment variable to export SSL session keys. - /// + /// /// Only works with the `rustls` SSL backend pub fn ssl_enable_keylog(mut self, enable: bool) -> Self { self.ssl_enable_keylog = enable; From 19cdf10ca1fc92d59b0fbcf99bc2abf381012b6f Mon Sep 17 00:00:00 2001 From: Niclas Klugmann Date: Wed, 29 Apr 2026 01:58:37 +0200 Subject: [PATCH 3/3] remove sneaky space --- sqlx-postgres/src/options/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sqlx-postgres/src/options/mod.rs b/sqlx-postgres/src/options/mod.rs index 863073a409..b89a9b34c0 100644 --- a/sqlx-postgres/src/options/mod.rs +++ b/sqlx-postgres/src/options/mod.rs @@ -228,7 +228,7 @@ impl PgConnectOptions { } /// Enables the use of the `SSLKEYLOGFILE`` environment variable to export SSL session keys. - /// + /// /// Only works with the `rustls` SSL backend pub fn ssl_enable_keylog(mut self, enable: bool) -> Self { self.ssl_enable_keylog = enable;