From 1155ccb3e80a95d4294866919c327564cbc1c4e0 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Wed, 21 May 2025 01:30:24 +0200
Subject: [PATCH] support SSLKEYLOGFILE
Signed-off-by: Jens Langhammer
---
 internal/outpost/radius/eap/protocol/tls/payload.go | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/internal/outpost/radius/eap/protocol/tls/payload.go b/internal/outpost/radius/eap/protocol/tls/payload.go
index b26e02ea81..ddc6b5747a 100644
--- a/internal/outpost/radius/eap/protocol/tls/payload.go
+++ b/internal/outpost/radius/eap/protocol/tls/payload.go
@@ -5,6 +5,7 @@ import (
 	"crypto/tls"
 	"encoding/binary"
 	"errors"
+	"os"
 	"slices"
 	"time"
@@ -156,6 +157,15 @@ func (p *Payload) tlsInit(ctx protocol.Context) {
 	p.st.Context, p.st.ContextCancel = context.WithTimeout(context.Background(), staleConnectionTimeout*time.Second)
 	p.st.Conn = NewBuffConn(p.Data, p.st.Context)
 	cfg := ctx.ProtocolSettings().(Settings).Config.Clone()
+
+	if klp, ok := os.LookupEnv("SSLKEYLOGFILE"); ok {
+		kl, err := os.OpenFile(klp, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0600)
+		if err != nil {
+			panic(err)
+		}
+		cfg.KeyLogWriter = kl
+	}
+
 	cfg.GetConfigForClient = func(chi *tls.ClientHelloInfo) (*tls.Config, error) {
 		ctx.Log().Debugf("TLS: ClientHello: %+v\n", chi)
 		p.st.ClientHello = chi
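Review bot: In the tlsInit hunk the key log file is opened with os.OpenFile on every call and never closed, so each EAP-TLS session leaks one descriptor for as long as the outpost runs, and an unwritable path turns into `panic(err)`, taking the whole RADIUS outpost down rather than just disabling key logging. Open the file once per process (a sync.Once-guarded package helper is enough, since crypto/tls serialises its own key-log writes and a single shared io.Writer is all KeyLogWriter needs) and on failure log and continue with key logging off. It is also worth a comment on the env check such as `// SSLKEYLOGFILE dumps the TLS secrets of every client session in clear text; debugging only, never set in production`, because operators will otherwise not realise this applies to all authenticating supplicants at once. tlsInit's body continues past the end of the hunk; the sketch below replaces only the added block and needs `io` and `sync` added to the import hunk (the Warnf call assumes the logger behind ctx.Log() offers it alongside the Debugf already used).
```go
// sslKeyLog is opened once per process and shared by every EAP-TLS session;
// SSLKEYLOGFILE dumps per-session TLS secrets in clear text - debugging only.
var (
	sslKeyLogOnce sync.Once
	sslKeyLog     io.Writer
	sslKeyLogErr  error
)

// sslKeyLogWriter returns the shared key log writer, or (nil, nil) when
// SSLKEYLOGFILE is unset, or the open error when it could not be created.
func sslKeyLogWriter() (io.Writer, error) {
	sslKeyLogOnce.Do(func() {
		klp, ok := os.LookupEnv("SSLKEYLOGFILE")
		if !ok {
			return
		}
		f, err := os.OpenFile(klp, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0600)
		if err != nil {
			sslKeyLogErr = err
			return
		}
		sslKeyLog = f
	})
	return sslKeyLog, sslKeyLogErr
}

// … in tlsInit, replacing the added if-block after cfg := ... Clone() …
	if kl, err := sslKeyLogWriter(); err != nil {
		ctx.Log().Warnf("TLS: not writing SSLKEYLOGFILE: %v", err)
	} else if kl != nil {
		cfg.KeyLogWriter = kl
	}
	// … unchanged: cfg.GetConfigForClient and the rest of tlsInit …
```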