I tried setting the CPPFLAGS environment variable to -DENABLE_SSLKEYLOGFILE=1 before compiling curl but that doesn't seem to have done it. I reinstalled curl and php via homebrew and then ran my command, but nothing got written to the $SSLKEYLOGFILE path

ENABLE_SSLKEYLOGFILE should work for OpenSSL and derivatives BoringSSL and LibreSSL. We only tested it with OpenSSL though. It should be enough to add -DENABLE_SSLKEYLOGFILE. What is your curl -V?

I'm using TLS

curl 7.57.0 (x86_64-apple-darwin17.3.0) libcurl/7.57.0 OpenSSL/1.0.2n zlib/1.2.11 nghttp2/1.29.0
Release-Date: 2017-11-29
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy

I can't reproduce this. I did CPPFLAGS=-DENABLE_SSLKEYLOGFILE ../configure ...
Either make V=1 and check for ENABLE_SSLKEYLOGFILE or in openssl.c put #error in #ifdef SSLKEYLOGFILE section to see if it's actually added, or add some printfs to debug

Looks like homebrew isn't actually building it, and when I build via homebrew it still doesn't take. Is there an ETA to just have it enabled by default in a version coming out soon? I don't need it that bad that it's worth fighting it if it'll be the default soon.

Looks like homebrew isn't actually building it, and when I build via homebrew it still doesn't take. Is there an ETA to just have it enabled by default in a version coming out soon?

No I think I backed away from making it the default because I was concerned about security, or something like that. I would try to find out why it doesn't take when you build curl in homebrew, but that's something you'll have to ask them about.

Enabling SSLKEYLOGFILE support by default should not be a security problem. Browsers already do this.