urllib3 · sethmlarson · Oct 4, 2020 · Oct 4, 2020
diff --git a/src/urllib3/util/ssl_.py b/src/urllib3/util/ssl_.py
@@ -314,9 +314,11 @@ def create_urllib3_context(
         context.check_hostname = False
 
     # Enable logging of TLS session keys via defacto standard environment variable
-    # 'SSLKEYLOGFILE', if the feature is available (Python 3.8+).
+    # 'SSLKEYLOGFILE', if the feature is available (Python 3.8+). Skip empty values.
     if hasattr(context, "keylog_filename"):
-        context.keylog_filename = os.environ.get("SSLKEYLOGFILE")
+        sslkeylogfile = os.environ.get("SSLKEYLOGFILE")
+        if sslkeylogfile:
+            context.keylog_filename = sslkeylogfile
 
     return context
 

diff --git a/test/with_dummyserver/test_https.py b/test/with_dummyserver/test_https.py
@@ -719,6 +719,18 @@ def test_sslkeylogfile(self, tmpdir, monkeypatch):
                 keylog_file
             )
 
+    @pytest.mark.parametrize("sslkeylogfile", [None, ""])
+    def test_sslkeylogfile_empty(self, monkeypatch, sslkeylogfile):
+        # Assert that an HTTPS connection doesn't error out when given
+        # no SSLKEYLOGFILE or an empty value (ie 'SSLKEYLOGFILE=')
+        if sslkeylogfile is not None:
+            monkeypatch.setenv("SSLKEYLOGFILE", sslkeylogfile)
+        else:
+            monkeypatch.delenv("SSLKEYLOGFILE", raising=False)
+        with HTTPSConnectionPool(self.host, self.port, ca_certs=DEFAULT_CA) as pool:
+            r = pool.request("GET", "/")
+            assert r.status == 200, r.data
+
     def test_alpn_default(self):
         """Default ALPN protocols are sent by default."""
         if not has_alpn() or not has_alpn(ssl.SSLContext):