NSS Key Log Format
key logging is enabled by setting the environment variable sslkeylogfile to point to a file.
... note: starting with nss 3.24 (used by firefox 48 and 49 only), the sslkeylogfile approach is disabled by default for optimized builds using the makefile (those using gyp via build.sh are not affected).
... distributors can re-enable it at compile time though (using the nss_allow_sslkeylogfile=1 make variable) which is done for the official firefox binaries.

NSS 3.24 release notes
disable (by default) nss support in optimized builds for logging ssl/tls key material to a logfile if the sslkeylogfile environment variable is set.
... to enable the functionality in optimized builds, you must define the symbol nss_allow_sslkeylogfile when building nss.

NSS environment variables
3.11 sslkeylogfile string (file name) key log file.
... before 3.0 nss_allow_sslkeylogfile boolean (1 to enable) enable nss support in optimized builds for logging ssl/tls key material to a logfile if the sslkeylogfile environment variable.

Index
349 sslkey.html no summary!

NSS 3.12.6 release notes
sslkeylogfile key log file.

NSS 3.34 release notes
sslkeylogfile is now supported with tls 1.3, see bug 1287711 for details.

NSS 3.44.1 release notes
many new fips test cases (note: this has increased the source archive by approximately 50 megabytes for this release.) bugs fixed in nss 3.44.1 1554336 - optimize away unneeded loop in mpi.c 1515342 - more thorough input checking (cve-2019-11729) 1540541 - don't unnecessarily strip leading 0's from key material during pkcs11 import (cve-2019-11719) 1515236 - add a sslkeylogfile enable/disable flag at build.sh 1473806 - fix seckey_converttopublickey handling of non-rsa keys 1546477 - updates to testing for fips validation 1552208 - prohibit use of rsassa-pkcs1-v1_5 algorithms in tls 1.3 (cve-2019-11727) 1551041 - unbreak build on gcc < 4.3 big-endian compatibility nss 3.44.1 shared libraries are backward compatible with all older nss 3...