updating docs to reflect security risks for SSLKEYLOGFILE

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Hugo Landau <hlandau@devever.net>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25297)

INSTALL.md

@@ -1083,7 +1083,10 @@ See manual pages OSSL_trace_set_channel(3) and OSSL_trace_enabled(3) for details
 Build with support for the SSLKEYLOGFILE environment variable
 
 When enabled, setting SSLKEYLOGFILE to a file path records the keys exchanged
-during a TLS handshake for use in analysis tools like wireshark.
+during a TLS handshake for use in analysis tools like wireshark.  Note that the
+use of this mechanism allows for decryption of application payloads found in
+captured packets using keys from the key log file.  See Section 3 of 
+[the draft standard for SSLKEYLOGFILE](https://datatracker.ietf.org/doc/draft-thomson-tls-keylogfile/)
 
 ### no-ts
 

doc/man7/openssl-env.pod

@@ -194,7 +194,11 @@ Used to produce the standard format output file for SSL key logging.  Optionally
 set this variable to a filename to log all secrets produced by SSL connections.
 Note, use of the environment variable is predicated on configuring OpenSSL at
 build time with the enable-sslkeylog feature.  The file format standard can be
-found at L<https://datatracker.ietf.org/doc/draft-ietf-tls-keylogfile/>
+found at L<https://datatracker.ietf.org/doc/draft-ietf-tls-keylogfile/>.
+Note: the use of B<SSLKEYLOGFILE> poses an explicit security risk.  By recording
+the exchanged keys during an SSL session, it allows any available party with
+read access to the file to decrypt application traffic sent over that session.
+Use of this feature should be restricted to test and debug environments only.
 
 =back