diff --git a/CHANGES b/CHANGES
index 3ba0f1e11c..3ad689b361 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,10 @@
+4.1.0-dev.137 | 2021-01-21 17:29:40 -0800
+
+ * Update SSL consts (Johanna Amann)
+
+ There have been a bunch of mostly TLS 1.3 related changes.
+
 4.1.0-dev.135 | 2021-01-21 16:57:01 -0800
 * GH-1352: Added flag to stop processing SMTP headers in attached messages (Jon Oakley)
diff --git a/VERSION b/VERSION
index 02b59fd4c1..7792e8cf8e 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-4.1.0-dev.135
+4.1.0-dev.137
diff --git a/scripts/base/protocols/ssl/consts.zeek b/scripts/base/protocols/ssl/consts.zeek
index 0b642ecdd7..fb11ca22b5 100644
--- a/scripts/base/protocols/ssl/consts.zeek
+++ b/scripts/base/protocols/ssl/consts.zeek
@@ -167,7 +167,7 @@ export {
 const SSL_EXTENSION_TOKEN_BINDING = 24;
 const SSL_EXTENSION_CACHED_INFO = 25;
 const SSL_EXTENSION_SESSIONTICKET_TLS = 35;
- const SSL_EXTENSION_KEY_SHARE = 40;
+ const SSL_EXTENSION_KEY_SHARE_OLD = 40;
 const SSL_EXTENSION_PRE_SHARED_KEY = 41;
 const SSL_EXTENSION_EARLY_DATA = 42;
 const SSL_EXTENSION_SUPPORTED_VERSIONS = 43;
@@ -176,6 +176,14 @@ export {
 const SSL_EXTENSION_TICKETEARLYDATAINFO = 46;
 const SSL_EXTENSION_CERTIFICATE_AUTHORITIES = 47;
 const SSL_EXTENSION_OID_FILTERS = 48;
+ const SSL_EXTENSION_POST_HANDSHAKE_AUTH = 49;
+ const SSL_EXTENSION_SIGNATURE_ALGORITHMS_CERT = 50;
+ const SSL_EXTENSION_KEY_SHARE = 51;
+ const SSL_EXTENSION_TRANSPARENCY_INFO = 52;
+ const SSL_EXTENSION_CONNECTION_ID = 53;
+ const SSL_EXTENSION_EXTERNAL_ID_HASH = 55;
+ const SSL_EXTENSION_EXTERNAL_SESSION_ID = 56;
+ const SSL_EXTENSION_QUIC_TRANSPORT_PARAMETERS = 57;
 const SSL_EXTENSION_NEXT_PROTOCOL_NEGOTIATION = 13172;
 const SSL_EXTENSION_ORIGIN_BOUND_CERTIFICATES = 13175;
 const SSL_EXTENSION_ENCRYPTED_CLIENT_CERTIFICATES = 13180;
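Review bot: `SSL_EXTENSION_KEY_SHARE` keeps its name but changes value from 40 to 51 across this hunk and the next one, so any script that compares an extension code against the constant still loads and silently starts matching a different codepoint. Policy or detection logic written against draft-era TLS 1.3 traffic would need `SSL_EXTENSION_KEY_SHARE_OLD` instead, and the CHANGES entry does not mention the renumbering. I would call it out there and mark the old constant where it is defined, e.g. `const SSL_EXTENSION_KEY_SHARE_OLD = 40; # TLS 1.3 draft codepoint; RFC 8446 key_share is 51`. The `export` block starts and ends outside both hunks.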
@@ -216,15 +224,23 @@ export {
 [24] = "token_binding", # temporary till 2017-03-06 - draft-ietf-tokbind-negotiation
 [25] = "cached_info",
 [35] = "SessionTicket TLS",
- [40] = "key_share", # new for TLS 1.3; was used for extended_random before. State as of TLS 1.3 draft 16
- [41] = "pre_shared_key", # new for 1.3, state of draft-16
- [42] = "early_data", # new for 1.3, state of draft-16
- [43] = "supported_versions", # new for 1.3, state of draft-16
- [44] = "cookie", # new for 1.3, state of draft-16
- [45] = "psk_key_exchange_modes", # new for 1.3, state of draft-18
- [46] = "TicketEarlyDataInfo", # new for 1.3, state of draft-16
- [47] = "certificate_authorities", # new for 1.3, state of draft-18
- [48] = "oid_filters", # new for 1.3, state of draft-18
+ [40] = "key_share_old", # new for TLS 1.3, used in some of the drafts. Did not make it into the RFC. Was used for extended_random before.
+ [41] = "pre_shared_key", # new for 1.3, see RFC 8446
+ [42] = "early_data", # new for 1.3, see RFC 8446
+ [43] = "supported_versions", # new for 1.3, see RFC 8446
+ [44] = "cookie", # new for 1.3, see RFC 8446
+ [45] = "psk_key_exchange_modes", # new for 1.3, see RFC 8446
+ [46] = "TicketEarlyDataInfo", # new for 1.3 drafts, e.g. draft-16. Did not make it into the final RFC
+ [47] = "certificate_authorities", # new for 1.3, see RFC 8446
+ [48] = "oid_filters", # new for 1.3, see RFC 8446
+ [49] = "post_handshake_auth", # new for 1.3, see RFC 8446
+ [50] = "signature_algorithms_cert", # new for 1.3, see RFC 8446
+ [51] = "key_share", # new for 1.3, see RFC 8446
+ [52] = "transparency_info", # temporary - draft-ietf-trans-rfc6962-bis-34
+ [53] = "connection_id", # temporary -d draft-ietf-tls-dtls-connection-id
+ [55] = "external_id_hash", # temporary - RFC-ietf-mmusic-sdp-uks-07
+ [56] = "external_session_id", # temporary - RFC-ietf-mmusic-sdp-uks-07
+ [57] = "quic_transport_parameters", # temporary - draft-ietf-quic-tls-32
 [13172] = "next_protocol_negotiation",
 [13175] = "origin_bound_certificates",
 [13180] = "encrypted_client_certificates",
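Review bot: The `[40]` entry now renders as "key_share_old" and `[51]` takes over "key_share", so anything keyed on these names downstream (log searches, fingerprint rules) sees a different string for the same wire value. The table's consumers are not visible in this hunk, so this deserves a line in the release notes rather than an assumption that nothing depends on it. Separately, the `[53]` comment has a stray `-d` and should read `[53] = "connection_id", # temporary - draft-ietf-tls-dtls-connection-id`. The new "temporary" entries also carry no expiry date, unlike `[24]` (`temporary till 2017-03-06`), which makes stale assignments harder to spot later.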