diff --git a/src/lib/libssl/man/Makefile b/src/lib/libssl/man/Makefile index 1dbe53751f1..c524a224930 100644 --- a/src/lib/libssl/man/Makefile +++ b/src/lib/libssl/man/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.73 2021/09/14 14:30:57 schwarze Exp $ +# $OpenBSD: Makefile,v 1.74 2021/10/23 11:41:52 beck Exp $ .include @@ -32,6 +32,7 @@ MAN = BIO_f_ssl.3 \ SSL_CTX_set_default_passwd_cb.3 \ SSL_CTX_set_generate_session_id.3 \ SSL_CTX_set_info_callback.3 \ + SSL_CTX_set_keylog_callback.3 \ SSL_CTX_set_max_cert_list.3 \ SSL_CTX_set_min_proto_version.3 \ SSL_CTX_set_mode.3 \ diff --git a/src/lib/libssl/man/SSL_CTX_set_keylog_callback.3 b/src/lib/libssl/man/SSL_CTX_set_keylog_callback.3 new file mode 100644 index 00000000000..023643d8ee2 --- /dev/null +++ b/src/lib/libssl/man/SSL_CTX_set_keylog_callback.3 
@@ -0,0 +1,44 @@
+.\" $OpenBSD: SSL_CTX_set_keylog_callback.3,v 1.1 2021/10/23 11:41:52 beck Exp $
+.\" Copyright (c) 2021, Bob Beck
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: October 23 2021 $
+.Dt SSL_CTX_SET_KEYLOG_CALLBACK 3
+.Os
+.Sh NAME
+.Nm SSL_CTX_set_keylog_callback ,
+.Nm SSL_CTX_get_keylog_callback
+.Nd set and get the unused key logging callback
+.Sh SYNOPSIS
+.In openssl/ssl.h
+.Bd -literal
+typedef void (*SSL_CTX_keylog_cb_func)(const SSL *ssl, const char *line)
+.Ed
+.Ft void
+.Fn SSL_CTX_set_keylog_callback "SSL_CTX *ctx" "SSL_CTX_keylog_cb_func cb"
+.Ft SSL_CTX_keylog_cb_func
+.Fn SSL_CTX_get_keylog_callback "const SSL_CTX *ctx"
+.Sh DESCRIPTION
+.Fn SSL_CTX_set_keylog_callback
+sets the TLS key logging callback.
+This callback is never called in LibreSSL.
+.Pp
+.Fn SSL_CTX_set_keylog_callback
+retrieves the previously set TLS key logging callback.
+.Pp
+These functions are provided only for compatibility with OpenSSL.
+.Sh RETURN VALUES
+.Fn SSL_CTX_get_keylog_callback
+returns the previously set TLS key logging callback, or NULL
+if no callback has been set.
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 2a55cf0efb0..09d68beb0b9 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.210 2021/10/15 16:48:46 jsing Exp $ */ +/* $OpenBSD: ssl.h,v 1.211 2021/10/23 11:41:51 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -505,6 +505,11 @@ void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)); #define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg)) #define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg)) +typedef void (*SSL_CTX_keylog_cb_func)(const SSL *ssl, const char *line); +#if defined(LIBRESSL_NEW_API) +void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb); +SSL_CTX_keylog_cb_func SSL_CTX_get_keylog_callback(const SSL_CTX *ctx); +#endif #ifndef LIBRESSL_INTERNAL struct ssl_aead_ctx_st; diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 0f86238d5e2..cb8c02844c9 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.268 2021/09/10 08:59:56 tb Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.269 2021/10/23 11:41:52 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -770,6 +770,18 @@ int return (s->internal->verify_callback); } +void +SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb) +{ + ctx->internal->keylog_callback = cb; +} + +SSL_CTX_keylog_cb_func +SSL_CTX_get_keylog_callback(const SSL_CTX *ctx) +{ + return (ctx->internal->keylog_callback); +} + int SSL_CTX_get_verify_mode(const SSL_CTX *ctx) { diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 62f874061e7..b41a5d803f2 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h 
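Review bot: The typedef and the two prototypes added in the ssl.h `@@ -505,6 +505,11 @@` hunk carry no comment saying the callback is stored but never invoked, so a caller reading only the public header would expect key-log lines to be delivered. A comment above the typedef such as `/* OpenSSL compatibility only: the callback is stored but never called, so no TLS key material is logged. */` would match the note already placed on the `keylog_callback` field in ssl_locl.h. The typedef also sits outside the `#if defined(LIBRESSL_NEW_API)` guard while the prototypes are inside it; if that split is deliberate, it deserves a word in the same comment.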
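Review bot: `SSL_CTX_set_keylog_callback()` and `SSL_CTX_get_keylog_callback()` are defined unconditionally in the ssl_lib.c `@@ -770,6 +770,18 @@` hunk, but their prototypes in ssl.h sit under `#if defined(LIBRESSL_NEW_API)`. If the library is ever built without that macro (not visible in this diff), the definitions compile with no prior prototype and the compiler cannot check them against the header; wrapping them in the same guard, or confirming the build always defines it, would close that gap. The getter's documented NULL result for an unset callback presumably relies on the internal struct being zero-allocated, which the diff does not show. The new man page's DESCRIPTION also names `SSL_CTX_set_keylog_callback` as the retrieving function, where the getter defined here is `SSL_CTX_get_keylog_callback`.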
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.361 2021/10/23 08:34:36 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.362 2021/10/23 11:41:52 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -843,6 +843,7 @@ typedef struct ssl_ctx_internal_st { uint8_t *tlsext_ecpointformatlist; /* our list */ size_t tlsext_supportedgroups_length; uint16_t *tlsext_supportedgroups; /* our list */ + SSL_CTX_keylog_cb_func keylog_callback; /* Unused. For OpenSSL compatibility. */ } SSL_CTX_INTERNAL; struct ssl_ctx_st {