+static void
+post_handshake_debug(exim_gnutls_state_st * state)
+{
+debug_printf("gnutls_handshake was successful\n");
+#ifdef SUPPORT_GNUTLS_SESS_DESC
+debug_printf("%s\n", gnutls_session_get_desc(state->session));
+#endif
+#ifdef SUPPORT_GNUTLS_KEYLOG
+if (gnutls_protocol_get_version(state->session) < GNUTLS_TLS1_3)
+ {
+ gnutls_datum_t c, s;
+ gstring * gc, * gs;
+ /* we only want the client random and the master secret */
+ gnutls_session_get_random(state->session, &c, &s);
+ gnutls_session_get_master_secret(state->session, &s);
+ gc = ddump(&c);
+ gs = ddump(&s);
+ debug_printf("CLIENT_RANDOM %.*s %.*s\n", (int)gc->ptr, gc->s, (int)gs->ptr, gs->s);
+ }
+else
+ debug_printf("To get keying info for TLS1.3 is hard:\n"
+ " set environment variable SSLKEYLOGFILE to a filename writable by uid exim\n"
+ " add SSLKEYLOGFILE to keep_environment in the exim config\n"
+ " run exim as root\n"
+ " if using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers\n");
+#endif
+}
+