diff --git a/common.go b/common.go
index 46bc2aa..28b3d4c 100644
--- a/common.go
+++ b/common.go
@@ -643,10 +643,16 @@ func (c *Config) writeKeyLog(clientRandom, masterSecret []byte) error {
 	if c.KeyLogWriter == nil {
 		return nil
 	}
+	writerMutex.Lock()
 	_, err := fmt.Fprintf(c.KeyLogWriter, "CLIENT_RANDOM %x %x\n", clientRandom, masterSecret)
+	writerMutex.Unlock()
 	return err
 }
 
+// writerMutex protects all KeyLogWriters globally. It is rarely enabled,
+// and is only for debugging, so a global mutex saves space.
+var writerMutex sync.Mutex
+
 // A Certificate is a chain of one or more certificates, leaf first.
 type Certificate struct {
 	Certificate [][]byte