https://docs.zeek.org/en/current/frameworks/tls-decryption.html
As mentioned in the above document:
In principle, it is possible to decrypt live traffic using this approach. When you want to do this, you have to supply the secrets to Zeek as the connections are happening. Note that there are timing constraints here - the secrets should arrive at the Zeek instance that will decrypt the traffic before encrypted application data is exchanged.
I think it is impossible to guarantee that the sslkeylog will arrive in the zeek memory in advance. Instead, we should consider how to delay packet parsing, that is, when decrypting tls packets, we should first determine whether the corresponding sslkeylog exists. If it does not exist, we should delay processing for n seconds
Is there such a design in Zeek now?