diff --git a/cmd/grpcurl/grpcurl.go b/cmd/grpcurl/grpcurl.go
index b0e69a9..5f690b9 100644
--- a/cmd/grpcurl/grpcurl.go
+++ b/cmd/grpcurl/grpcurl.go
@@ -408,12 +408,22 @@ func main() {
 }
 var creds credentials.TransportCredentials
 if !*plaintext {
- var err error
- creds, err = grpcurl.ClientTransportCredentials(*insecure, *cacert, *cert, *key)
+ tlsConf, err := grpcurl.ClientTLSConfig(*insecure, *cacert, *cert, *key)
 if err != nil {
- fail(err, "Failed to configure transport credentials")
+ fail(err, "Failed to create TLS config")
 }
+ sslKeylogFile := os.Getenv("SSLKEYLOGFILE")
+ if sslKeylogFile != "" {
+ w, err := os.OpenFile(sslKeylogFile, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0600)
+ if err != nil {
+ fail(err, "Could not open SSLKEYLOGFILE %s", sslKeylogFile)
+ }
+ tlsConf.KeyLogWriter = w
+ }
+
+ creds := credentials.NewTLS(tlsConf)
+
 // can use either -servername or -authority; but not both
 if *serverName != "" && *authority != "" {
 if *serverName == *authority {
diff --git a/grpcurl.go b/grpcurl.go
index e627988..8f09aa3 100644
--- a/grpcurl.go
+++ b/grpcurl.go
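Review bot: `creds := credentials.NewTLS(tlsConf)` declares a new `creds` scoped to the `if !*plaintext` block instead of assigning the `var creds credentials.TransportCredentials` declared just above it, which the removed line set with `=`. main continues outside the hunk, so the dial call is not visible here, but any code after this block that reads the outer `creds` would see nil, and a run without -plaintext could then proceed without the TLS configuration built here; change the line to `creds = credentials.NewTLS(tlsConf)`. Separately, honouring SSLKEYLOGFILE makes the process write TLS session secrets to disk with no visible notice, and the 0600 mode applies only when the file is newly created, so a stderr warning when the variable is set would help an operator notice a leftover environment variable.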
@@ -508,11 +508,25 @@ func makeTemplate(md *desc.MessageDescriptor, path []*desc.MessageDescriptor) pr
 return dm
 }
-// ClientTransportCredentials builds transport credentials for a gRPC client using the
+// ClientTransportCredentials is a helper function that constructs a TLS config with
+// the given properties (see ClientTLSConfig) and then constructs and returns gRPC
+// transport credentials using that config.
+//
+// Deprecated: Use grpcurl.ClientTLSConfig and credentials.NewTLS instead.
+func ClientTransportCredentials(insecureSkipVerify bool, cacertFile, clientCertFile, clientKeyFile string) (credentials.TransportCredentials, error) {
+ tlsConf, err := ClientTLSConfig(insecureSkipVerify, cacertFile, clientCertFile, clientKeyFile)
+ if err != nil {
+ return nil, err
+ }
+
+ return credentials.NewTLS(tlsConf), nil
+}
+
+// ClientTLSConfig builds transport-layer config for a gRPC client using the
 // given properties. If cacertFile is blank, only standard trusted certs are used to
 // verify the server certs. If clientCertFile is blank, the client will not use a client
 // certificate. If clientCertFile is not blank then clientKeyFile must not be blank.
-func ClientTransportCredentials(insecureSkipVerify bool, cacertFile, clientCertFile, clientKeyFile string) (credentials.TransportCredentials, error) {
+func ClientTLSConfig(insecureSkipVerify bool, cacertFile, clientCertFile, clientKeyFile string) (*tls.Config, error) {
 var tlsConf tls.Config
 if clientCertFile != "" {
@@ -542,7 +556,7 @@ func ClientTransportCredentials(insecureSkipVerify bool, cacertFile, clientCertF
 tlsConf.RootCAs = certPool
 }
- return credentials.NewTLS(&tlsConf), nil
+ return &tlsConf, nil
 }
 // ServerTransportCredentials builds transport credentials for a gRPC server using the
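Review bot: The doc comment on the new exported `ClientTLSConfig` (first hunk of grpcurl.go) explains cacertFile, clientCertFile and clientKeyFile but says nothing about `insecureSkipVerify`, the one parameter that weakens the connection. Its handling sits in the part of the body outside this hunk, so this is inferred from the name, but if it maps to `tls.Config.InsecureSkipVerify` I would add `// If insecureSkipVerify is true, the server's certificate chain and host name are not verified; use only for testing.` Because the function now hands back a mutable `*tls.Config`, the comment could also state that callers may adjust the result (for example `KeyLogWriter`) before passing it to `credentials.NewTLS`.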