diff --git a/CHANGES b/CHANGES
index fabb5ce27b..826a3033d0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
+3.1.0-dev.460 | 2020-01-29 11:16:15 -0800
+
+ * Skip file analysis for zero-length SSL/TLS data (Jon Siwek, Corelight)
+
 3.1.0-dev.458 | 2020-01-29 12:53:32 +0000
 * Add a new supervisor framework that enables Zeek to operate
diff --git a/VERSION b/VERSION
index 143387c9b2..e7666dd4e6 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-3.1.0-dev.458
+3.1.0-dev.460
diff --git a/src/analyzer/protocol/ssl/proc-certificate.pac b/src/analyzer/protocol/ssl/proc-certificate.pac
index 7c57f31744..d7b2802d0a 100644
--- a/src/analyzer/protocol/ssl/proc-certificate.pac
+++ b/src/analyzer/protocol/ssl/proc-certificate.pac
@@ -16,6 +16,12 @@
 {
 const bytestring& cert = (*certificates)[i];
+ if ( cert.length() <= 0 )
+ {
+ reporter->Weird(bro_analyzer()->Conn(), "zero_length_certificate");
+ continue;
+ }
+
 ODesc file_handle;
 file_handle.Add(common.Description());
 file_handle.Add(i);
diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
index 5e8e31e0b2..583ae33f30 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
@@ -303,7 +303,7 @@ refine connection Handshake_Conn += {
 common.AddRaw("F");
 bro_analyzer()->Conn()->IDString(&common);
- if ( status_type == 1 ) // ocsp
+ if ( status_type == 1 && response.length() > 0 ) // ocsp
 {
 ODesc file_handle;
 file_handle.Add(common.Description());
@@ -323,6 +323,10 @@ refine connection Handshake_Conn += {
 file_mgr->EndOfFile(file_id);
 }
+ else if ( response.length() == 0 )
+ {
+ reporter->Weird(bro_analyzer()->Conn(), "SSL_zero_length_stapled_OCSP_message");
+ }
 return true;
 %}
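Review bot: In the proc-certificate.pac hunk the new weird is named `zero_length_certificate`, while the one added in tls-handshake-analyzer.pac is `SSL_zero_length_stapled_OCSP_message`. Weird names are what operators filter and alert on, so the two should follow one convention, for example `"SSL_zero_length_certificate"`. The guard would also benefit from a comment such as `// Empty chain entry: nothing to hand to file analysis; skipping keeps index i of the remaining certificates unchanged.` The comparison is `<= 0` here but `> 0` / `== 0` in the OCSP hunks, and one form should be used throughout. The enclosing loop starts and ends outside the hunk.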
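Review bot: In the second tls-handshake-analyzer.pac hunk, `else if ( response.length() == 0 )` is reached for every `status_type`, not only the value 1 that the first hunk's condition marks as ocsp. An empty response of any other status type is therefore reported as `SSL_zero_length_stapled_OCSP_message`. If the weird is meant for OCSP only, the branch should read `else if ( status_type == 1 && response.length() == 0 )`. As far as these hunks show, a non-empty response with another status type still takes neither branch and raises no weird. The function body starts outside both hunks.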