diff --git a/ci/test.sh b/ci/test.sh index cd429fdb1f..c5304b4512 100755 --- a/ci/test.sh +++ b/ci/test.sh @@ -4,9 +4,6 @@ # The parallelism level when running tests locally is $1 if provided, else # the value of `nproc` if available, otherwise just a single core. -# just for testing, report success -exit 0 - result=0 BTEST=$(pwd)/auxil/btest/btest diff --git a/cmake_templates/zeek-config.h.in b/cmake_templates/zeek-config.h.in index 67ab0a5b8e..9130ecc66e 100644 --- a/cmake_templates/zeek-config.h.in +++ b/cmake_templates/zeek-config.h.in @@ -244,6 +244,9 @@ /* Enable/disable ZAM profiling capability */ #cmakedefine ENABLE_ZAM_PROFILE +/* Enable/disable the Spicy SSL analyzer */ +#cmakedefine ENABLE_SPICY_SSL + /* String with host architecture (e.g., "linux-x86_64") */ #define HOST_ARCHITECTURE "@HOST_ARCHITECTURE@" diff --git a/configure b/configure index 40f052a220..3130214e08 100755 --- a/configure +++ b/configure @@ -69,6 +69,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]... --enable-static-broker build Broker statically (ignored if --with-broker is specified) --enable-werror build with -Werror --enable-ZAM-profiling build with ZAM profiling enabled (--enable-debug implies this) + --enable-spicy-ssl build with spicy SSL/TLS analyzer (conflicts with --disable-spicy) --disable-af-packet don't include native AF_PACKET support (Linux only) --disable-auxtools don't build or install auxiliary tools --disable-broker-tests don't try to build Broker unit tests @@ -310,6 +311,9 @@ while [ $# -ne 0 ]; do --enable-ZAM-profiling) append_cache_entry ENABLE_ZAM_PROFILE BOOL true ;; + --enable-spicy-ssl) + append_cache_entry ENABLE_SPICY_SSL BOOL true + ;; --disable-af-packet) append_cache_entry DISABLE_AF_PACKET BOOL true ;; diff --git a/src/analyzer/protocol/ssl/CMakeLists.txt b/src/analyzer/protocol/ssl/CMakeLists.txt index a6688a123a..9783784569 100644 --- a/src/analyzer/protocol/ssl/CMakeLists.txt +++ b/src/analyzer/protocol/ssl/CMakeLists.txt 
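Review bot: The `--enable-spicy-ssl` case in configure only appends `ENABLE_SPICY_SSL`, so the conflict with `--disable-spicy` that the new help line documents is not enforced anywhere in the visible changes. The same gap is in the src/analyzer/protocol/ssl/CMakeLists.txt hunk, where the `else ()` branch calls `add_subdirectory(spicy)` and drops SSL.cc/DTLS.cc without checking that Spicy is being built. If both options are given, the build presumably either fails late or produces a Zeek with no SSL/DTLS analyzer at all, which for a network monitor means silently losing TLS visibility. I would fail fast in that CMake branch, e.g. `message(FATAL_ERROR "ENABLE_SPICY_SSL requires Spicy support; do not combine with --disable-spicy")`, guarded by whatever cache variable `--disable-spicy` sets (not visible here).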
@@ -1,37 +1,39 @@
-add_subdirectory(spicy)
-
-zeek_add_plugin(
- Zeek
- SSL
- SOURCES
- # SSL.cc
- # DTLS.cc
- Plugin.cc
- BIFS
- # types.bif
- # events.bif
- functions.bif
- # consts.bif
- # PAC
- # tls-handshake.pac
- # tls-handshake-protocol.pac
- # tls-handshake-analyzer.pac
- # ssl-defs.pac
- # proc-certificate.pac
- # tls-handshake-signed_certificate_timestamp.pac
- # PAC
- # ssl.pac
- # ssl-dtls-analyzer.pac
- # ssl-analyzer.pac
- # ssl-dtls-protocol.pac
- # ssl-protocol.pac
- # ssl-defs.pac
- # proc-certificate.pac
- # PAC
- # dtls.pac
- # ssl-dtls-analyzer.pac
- # dtls-analyzer.pac
- # ssl-dtls-protocol.pac
- # dtls-protocol.pac
- # ssl-defs.pac)
-)
+if (NOT ENABLE_SPICY_SSL)
+ zeek_add_plugin(
+ Zeek
+ SSL
+ SOURCES
+ SSL.cc
+ DTLS.cc
+ Plugin.cc
+ BIFS
+ types.bif
+ events.bif
+ functions.bif
+ consts.bif
+ PAC
+ tls-handshake.pac
+ tls-handshake-protocol.pac
+ tls-handshake-analyzer.pac
+ ssl-defs.pac
+ proc-certificate.pac
+ tls-handshake-signed_certificate_timestamp.pac
+ PAC
+ ssl.pac
+ ssl-dtls-analyzer.pac
+ ssl-analyzer.pac
+ ssl-dtls-protocol.pac
+ ssl-protocol.pac
+ ssl-defs.pac
+ proc-certificate.pac
+ PAC
+ dtls.pac
+ ssl-dtls-analyzer.pac
+ dtls-analyzer.pac
+ ssl-dtls-protocol.pac
+ dtls-protocol.pac
+ ssl-defs.pac)
+else ()
+ add_subdirectory(spicy)
+ zeek_add_plugin(Zeek SSL SOURCES Plugin.cc BIFS functions.bif)
+endif ()
diff --git a/src/analyzer/protocol/ssl/Plugin.cc b/src/analyzer/protocol/ssl/Plugin.cc
index ac35da2299..a807089e3c 100644
--- a/src/analyzer/protocol/ssl/Plugin.cc
+++ b/src/analyzer/protocol/ssl/Plugin.cc
@@ -2,17 +2,23 @@ #include "zeek/plugin/Plugin.h" -// #include "zeek/analyzer/Component.h" -// #include "zeek/analyzer/protocol/ssl/DTLS.h" -// #include "zeek/analyzer/protocol/ssl/SSL.h" +#include "zeek/zeek-config.h" + +#ifndef ENABLE_SPICY_SSL +#include "zeek/analyzer/Component.h" +#include "zeek/analyzer/protocol/ssl/DTLS.h" +#include "zeek/analyzer/protocol/ssl/SSL.h" +#endif namespace zeek::plugin::detail::Zeek_SSL { class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - // AddComponent(new zeek::analyzer::Component("SSL", zeek::analyzer::ssl::SSL_Analyzer::Instantiate)); - // AddComponent(new zeek::analyzer::Component("DTLS", zeek::analyzer::dtls::DTLS_Analyzer::Instantiate)); +#ifndef ENABLE_SPICY_SSL + AddComponent(new zeek::analyzer::Component("SSL", zeek::analyzer::ssl::SSL_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("DTLS", zeek::analyzer::dtls::DTLS_Analyzer::Instantiate)); +#endif zeek::plugin::Configuration config; config.name = "Zeek::SSL"; diff --git a/src/analyzer/protocol/ssl/functions.bif b/src/analyzer/protocol/ssl/functions.bif index a3b1697ea7..79b47b9634 100644 --- a/src/analyzer/protocol/ssl/functions.bif +++ b/src/analyzer/protocol/ssl/functions.bif 
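Review bot: Inside `Configure()`, the `#ifndef ENABLE_SPICY_SSL` block leaves the plugin registering no component at all in a Spicy build, and nothing there says where the SSL and DTLS analyzers come from in that case. Judging by the CMakeLists.txt change, they are then built from the `spicy/` subdirectory and this plugin remains only for the BIFs, so a reader of Plugin.cc alone could take the empty registration for a bug. I would add a comment above the guard such as `// With ENABLE_SPICY_SSL the SSL/DTLS analyzers are provided by the spicy/ subdirectory; this plugin only carries the BIFs.` and close it with `#endif // ENABLE_SPICY_SSL`. The body of `Configure()` continues past the end of the hunk, so any description string set there is not visible and may need the same qualification.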
@@ -1,70 +1,83 @@ %%{ #include -// #include "zeek/analyzer/protocol/ssl/SSL.h" #include "zeek/Reporter.h" +#include "zeek/zeek-config.h" + +#ifndef ENABLE_SPICY_SSL +#include "zeek/analyzer/protocol/ssl/SSL.h" +#endif %%} -# ## Sets if the SSL analyzer should consider the connection established (handshake -# ## finished successfully). -# ## -# ## c: The SSL connection. -# ## -# ## Returns: T on success, F on failure. -# function set_ssl_established%(c: connection%): bool -# %{ -# zeek::analyzer::Analyzer* sa = c->FindAnalyzer("SSL"); -# -# if ( sa ) -# { -# static_cast(sa)->StartEncryption(); -# return zeek::val_mgr->True(); -# } -# -# return zeek::val_mgr->False(); -# %} -# -# ## Set the secret that should be used to derive keys for the connection. -# ## (For TLS 1.2 this is the pre-master secret). -# ## -# ## c: The affected connection -# ## -# ## secret: secret to set -# ## -# ## Returns: T on success, F on failure. -# function set_secret%(c: connection, secret: string%): bool -# %{ -# analyzer::Analyzer* sa = c->FindAnalyzer("SSL"); -# -# if ( sa ) -# { -# static_cast(sa)->SetSecret(*secret); -# return zeek::val_mgr->True(); -# } -# -# return zeek::val_mgr->False(); -# %} -# -# ## Set the decryption keys that should be used to decrypt -# ## TLS application data in the connection. -# ## -# ## c: The affected connection -# ## -# ## keys: The key buffer as derived via TLS PRF. -# ## -# ## Returns: T on success, F on failure. -# function set_keys%(c: connection, keys: string%): bool -# %{ -# analyzer::Analyzer* sa = c->FindAnalyzer("SSL"); -# -# if ( sa ) -# { -# static_cast(sa)->SetKeys(*keys); -# return zeek::val_mgr->True(); -# } -# -# return zeek::val_mgr->False(); -# %} +## Sets if the SSL analyzer should consider the connection established (handshake +## finished successfully). +## +## c: The SSL connection. +## +## Returns: T on success, F on failure. 
+function set_ssl_established%(c: connection%): bool + %{ +#ifndef ENABLE_SPICY_SSL +/* not implemented for spicy ssl */ + zeek::analyzer::Analyzer* sa = c->FindAnalyzer("SSL"); + + if ( sa ) + { + static_cast(sa)->StartEncryption(); + return zeek::val_mgr->True(); + } +#endif + + return zeek::val_mgr->False(); + %} + +## Set the secret that should be used to derive keys for the connection. +## (For TLS 1.2 this is the pre-master secret). +## +## c: The affected connection +## +## secret: secret to set +## +## Returns: T on success, F on failure. +function set_secret%(c: connection, secret: string%): bool + %{ +#ifndef ENABLE_SPICY_SSL +/* not implemented for spicy ssl */ + analyzer::Analyzer* sa = c->FindAnalyzer("SSL"); + + if ( sa ) + { + static_cast(sa)->SetSecret(*secret); + return zeek::val_mgr->True(); + } +#endif + + return zeek::val_mgr->False(); + %} + +## Set the decryption keys that should be used to decrypt +## TLS application data in the connection. +## +## c: The affected connection +## +## keys: The key buffer as derived via TLS PRF. +## +## Returns: T on success, F on failure. +function set_keys%(c: connection, keys: string%): bool + %{ +#ifndef ENABLE_SPICY_SSL +/* not implemented for spicy ssl */ + analyzer::Analyzer* sa = c->FindAnalyzer("SSL"); + + if ( sa ) + { + static_cast(sa)->SetKeys(*keys); + return zeek::val_mgr->True(); + } +#endif + + return zeek::val_mgr->False(); + %} ## Decodes a DER-encoded distinguished name into an ASCII string, ## using the RFC2253 representation
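Review bot: When `ENABLE_SPICY_SSL` is defined, `set_ssl_established`, `set_secret` and `set_keys` compile down to a bare `return zeek::val_mgr->False();`, so a script that feeds TLS secrets or keys for decryption fails silently and the operator gets no sign that decrypted-payload analysis is not happening. The `/* not implemented for spicy ssl */` comment also sits inside the `#ifndef` branch, where it reads as describing the legacy code rather than the missing Spicy path. I would move it into an `#else` branch and report the condition there, e.g. `zeek::reporter->Warning("set_secret is not supported by the Spicy SSL analyzer");` (Reporter.h is already included; rate-limit or emit it once if per-connection noise is a concern). Each docstring should say so as well, for instance `## Returns: T on success, F on failure or when Zeek was built with the Spicy SSL analyzer.`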