diff --git a/CMakeLists.txt b/CMakeLists.txt
index cf418e907..36dc770d0 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -164,6 +164,10 @@ option(LWS_WITH_BORINGSSL "Use BoringSSL replacement for OpenSSL" OFF)
 option(LWS_WITH_CYASSL "Use CyaSSL replacement for OpenSSL. When setting this, you also need to specify LWS_CYASSL_LIBRARIES and LWS_CYASSL_INCLUDE_DIRS" OFF)
 option(LWS_WITH_WOLFSSL "Use wolfSSL replacement for OpenSSL. When setting this, you also need to specify LWS_WOLFSSL_LIBRARIES and LWS_WOLFSSL_INCLUDE_DIRS" OFF)
 option(LWS_SSL_CLIENT_USE_OS_CA_CERTS "SSL support should make use of the OS-installed CA root certs" ON)
+option(LWS_TLS_LOG_PLAINTEXT_RX "For debugging log the received plaintext as soon as decrypted" OFF)
+option(LWS_TLS_LOG_PLAINTEXT_TX "For debugging log the transmitted plaintext just before encryption" OFF)
+
+
 #
 # Event library options (may select multiple, or none for default poll()
 #
diff --git a/cmake/lws_config.h.in b/cmake/lws_config.h.in
index 329218cae..3225afcc4 100644
--- a/cmake/lws_config.h.in
+++ b/cmake/lws_config.h.in
@@ -115,6 +115,8 @@
 #cmakedefine LWS_SHA1_USE_OPENSSL_NAME
 #cmakedefine LWS_SSL_CLIENT_USE_OS_CA_CERTS
 #cmakedefine LWS_SSL_SERVER_WITH_ECDH_CERT
+#cmakedefine LWS_TLS_LOG_PLAINTEXT_RX
+#cmakedefine LWS_TLS_LOG_PLAINTEXT_TX
 #cmakedefine LWS_WITH_ABSTRACT
 #cmakedefine LWS_WITH_ACCESS_LOG
 #cmakedefine LWS_WITH_ACME
diff --git a/lib/tls/mbedtls/mbedtls-ssl.c b/lib/tls/mbedtls/mbedtls-ssl.c
index daf515255..16fe2261f 100644
--- a/lib/tls/mbedtls/mbedtls-ssl.c
+++ b/lib/tls/mbedtls/mbedtls-ssl.c
@@ -106,7 +106,7 @@ lws_ssl_capable_read(struct lws *wsi, unsigned char *buf, size_t len)
 return LWS_SSL_CAPABLE_ERROR;
 }
-#if 0
+#if defined(LWS_TLS_LOG_PLAINTEXT_RX)
 /*
 * If using mbedtls type tls library, this is the earliest point for all
 * paths to dump what was received as decrypted data from the tls tunnel
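Review bot: The help strings for `LWS_TLS_LOG_PLAINTEXT_RX` and `LWS_TLS_LOG_PLAINTEXT_TX` say "For debugging" but do not state that enabling them writes decrypted application data (credentials, cookies, tokens) into the log output, and nothing at configure time tells the builder that this is active. I would make the text explicit, e.g. `"DEBUG ONLY: log received plaintext as soon as decrypted; never enable in production builds"`, and add a configure-time notice after the options: `if (LWS_TLS_LOG_PLAINTEXT_RX OR LWS_TLS_LOG_PLAINTEXT_TX)`, `message(WARNING "TLS plaintext logging is enabled: decrypted traffic will be written to the logs")`, `endif()`. The two added blank lines before the event-library comment could also be reduced to one.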
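Review bot: The code behind the new `#if defined(LWS_TLS_LOG_PLAINTEXT_RX)` guard in lws_ssl_capable_read() was previously under `#if 0`, so it has presumably not been compiled for some time and now becomes reachable from a build flag; its body lies outside this hunk, so the log level it uses and the length it dumps cannot be checked from here. The same applies to the TX guard in lws_ssl_capable_write() in this file and to both guards in lib/tls/openssl/openssl-ssl.c. I would build each TLS backend once with both options ON, confirm the dump is bounded by the byte count actually read or written rather than by `len`, and add a line to the comment under each guard such as ` * The dump contains decrypted application data: debug builds only`.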
@@ -172,7 +172,7 @@ lws_ssl_capable_write(struct lws *wsi, unsigned char *buf, size_t len)
 {
 int n, m;
-#if 0
+#if defined(LWS_TLS_LOG_PLAINTEXT_TX)
 /*
 * If using mbedtls type tls library, this is the last point for all
 * paths before sending data into the tls tunnel, where you can dump it
diff --git a/lib/tls/openssl/openssl-ssl.c b/lib/tls/openssl/openssl-ssl.c
index 68c4c6bcd..a593d8768 100644
--- a/lib/tls/openssl/openssl-ssl.c
+++ b/lib/tls/openssl/openssl-ssl.c
@@ -288,7 +288,7 @@ lws_ssl_capable_read(struct lws *wsi, unsigned char *buf, size_t len)
 /* keep on trucking it seems */
 }
-#if 0
+#if defined(LWS_TLS_LOG_PLAINTEXT_RX)
 /*
 * If using openssl type tls library, this is the earliest point for all
 * paths to dump what was received as decrypted data from the tls tunnel
@@ -356,7 +356,8 @@ lws_ssl_capable_write(struct lws *wsi, unsigned char *buf, size_t len)
 {
 int n, m;
-#if 0
+
+#if defined(LWS_TLS_LOG_PLAINTEXT_TX)
 /*
 * If using OpenSSL type tls library, this is the last point for all
 * paths before sending data into the tls tunnel, where you can dump it