diff --git a/scripts/base/protocols/ssl/dpd.sig b/scripts/base/protocols/ssl/dpd.sig
index 2603441d9a..d1cfb85423 100644
--- a/scripts/base/protocols/ssl/dpd.sig
+++ b/scripts/base/protocols/ssl/dpd.sig
@@ -3,7 +3,7 @@ signature dpd_tls_server {
   # SSL3 / TLS Server hello.
   payload /^(\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...((\x03[\x00\x01\x02\x03\x04])|(\x7F[\x00-\x50])).*/
   tcp-state responder
-  enable "ssl"
+  enable "tls"
 }
 
 signature dpd_tls_client {
@@ -11,12 +11,12 @@ signature dpd_tls_client {
   # SSL3 / TLS Client hello.
   payload /^\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03].*/
   tcp-state originator
-  enable "ssl"
+  enable "tls"
 }
 
-signature dpd_dtls_client {
-  ip-proto == udp
-	# Client hello.
-	payload /^\x16\xfe[\xff\xfd]\x00\x00\x00\x00\x00\x00\x00...\x01...........\xfe[\xff\xfd].*/
-	enable "dtls"
-}
+# signature dpd_dtls_client {
+#   ip-proto == udp
+# 	# Client hello.
+# 	payload /^\x16\xfe[\xff\xfd]\x00\x00\x00\x00\x00\x00\x00...\x01...........\xfe[\xff\xfd].*/
+# 	enable "dtls"
+# }
diff --git a/src/analyzer/protocol/tls/CMakeLists.txt b/src/analyzer/protocol/tls/CMakeLists.txt
index aeb55469af..f897f8cb40 100644
--- a/src/analyzer/protocol/tls/CMakeLists.txt
+++ b/src/analyzer/protocol/tls/CMakeLists.txt
@@ -4,5 +4,4 @@ spicy_add_analyzer(
   SOURCES
 		TLS.spicy
 		TLS.evt
-		zeek_TLS.spicy
 )
diff --git a/src/analyzer/protocol/tls/TLS.evt b/src/analyzer/protocol/tls/TLS.evt
index 37e3f18a27..a0012006a2 100644
--- a/src/analyzer/protocol/tls/TLS.evt
+++ b/src/analyzer/protocol/tls/TLS.evt
@@ -2,72 +2,74 @@ protocol analyzer TLS over TCP:
 	parse with TLS::Message,
 	port 443/tcp;
 
-import Zeek_TLS;
+import TLS;
+import zeek;
+import spicy;
 
 on TLS::ClientHello -> event ssl_client_hello($conn, self.client_version, msg.record_version, cast<time>(self.random.gmt_unix_time), self.random.random_bytes, self.session_id, self.cipher_suites, self.compression_methods);
 
 on TLS::ServerHello -> event ssl_server_hello($conn, self.server_version, msg.record_version, cast<time>(self.random.gmt_unix_time), self.random.random_bytes, self.session_id, self.cipher_suite, self.compression_method);
 
-# on TLS::EllipticCurveList -> event ssl_extension_elliptic_curves($conn, $is_orig, self.elliptic_curve_list);
-# 
-# on TLS::EcPointsFormat_extension -> event ssl_extension_ec_point_formats($conn, $is_orig, self.ec_point_format_list);
-# 
-# on TLS::ServerNameList -> event ssl_extension_server_name($conn, $is_orig, Zeek_TLS::convert_server_names(self));
-# 
-# on TLS::NewSessionTicket -> event ssl_session_ticket_handshake($conn, self.ticket_lifetime_hint, self.ticket);
-# 
-# on TLS::RecordFragment::ccs -> event ssl_change_cipher_spec($conn, $is_orig);
-# 
-# on TLS::RecordFragment::ccs if ( msg.context().ccs_seen == 2 ) -> event ssl_established($conn);
-# 
-# on TLS::Handshake_message -> event ssl_handshake_message($conn, $is_orig, self.msg_type, self.length);
-# 
-# on TLS::SignatureAlgorithms -> event ssl_extension_signature_algorithm($conn, $is_orig, Zeek_TLS::convert_signature_algorithms(self));
-# 
-# on TLS::ServerHelloKeyShare -> event ssl_extension_key_share($conn, $is_orig, vector<uint16>(self.keyshare.namedgroup,));
-# 
-# on TLS::HelloRetryRequestKeyShare -> event ssl_extension_key_share($conn, $is_orig, vector<uint16>(self.namedgroup,));
-# 
-# on TLS::ClientHelloKeyShare -> event ssl_extension_key_share($conn, $is_orig, Zeek_TLS::convert_clienthellokeyshare(self));
-# 
-# on TLS::OfferedPsks -> event ssl_extension_pre_shared_key_client_hello($conn, $is_orig, Zeek_TLS::convert_identities(self.identities), Zeek_TLS::convert_binders(self.binders));
-# 
-# on TLS::SelectedPreSharedKeyIdentity -> event ssl_extension_pre_shared_key_server_hello($conn, $is_orig, self.selected_identity);
-# 
-# on TLS::ServerECDHParamsAndSignature -> event ssl_ecdh_server_params($conn, self.curve, self.point);
-# 
-# on TLS::DheServerKeyExchange -> event ssl_dh_server_params($conn, self.dh_p, self.dh_g, self.dh_Ys);
-# 
-# on TLS::DhAnonServerKeyExchange -> event ssl_dh_server_params($conn, self.dh_p, self.dh_g, self.dh_Ys);
-# 
-# on TLS::ServerKeyExchangeSignature if ( self?.algorithm ) -> event ssl_server_signature($conn, tuple(self.algorithm.hash, self.algorithm.signature), self.signature);
-# 
-# # just use nonsense values for no algorithm. Same as in the old analyzer
-# on TLS::ServerKeyExchangeSignature if ( ! self?.algorithm ) -> event ssl_server_signature($conn, tuple(256, 256), self.signature);
-# 
-# on TLS::EcdhClientKeyExchange -> event ssl_ecdh_client_params($conn, self.point);
-# 
-# on TLS::DhClientKeyExchange -> event ssl_dh_client_params($conn, self.dh_Yc);
-# 
-# on TLS::RsaClientKeyExchange -> event ssl_rsa_client_pms($conn, self.rsa_pms);
-# 
-# on TLS::ProtocolNameList -> event ssl_extension_application_layer_protocol_negotiation($conn, $is_orig, Zeek_TLS::convert_protocol_name_list(self));
-# 
-# on TLS::SignedCertificateTimestamp -> event ssl_extension_signed_certificate_timestamp($conn, $is_orig, self.version, self.logid, self.timestamp, tuple(self.digitally_signed_algorithms.hash, self.digitally_signed_algorithms.signature), self.digitally_signed_signature);
-# 
-# on TLS::SupportedVersions -> event ssl_extension_supported_versions($conn, $is_orig, self.versions);
-# 
-# on TLS::OneSupportedVersion -> event ssl_extension_supported_versions($conn, $is_orig, vector<uint16>(self.version,));
-# 
-# on TLS::PSKKeyExchangeModes -> event ssl_extension_psk_key_exchange_modes($conn, $is_orig, self.modes);
-# 
-# on TLS::Alert_message -> event ssl_alert($conn, $is_orig, self.level, self.description);
-# 
-# on TLS::Heartbeat -> event ssl_heartbeat($conn, $is_orig, length, self.tpe, self.payload_length, self.data);
-# 
-# on TLS::RecordFragment::appdata if ( msg.encrypted == False ) -> event ssl_plaintext_data($conn, $is_orig, self.version, self.content_type, self.length);
-# 
-# on TLS::RecordFragment::appdata if ( msg.encrypted == True ) -> event ssl_encrypted_data($conn, $is_orig, self.version, self.content_type, self.length);
-# 
-# on TLS::CertificateStatus -> event ssl_stapled_ocsp($conn, $is_orig, self.response);
-# 
+on TLS::EllipticCurveList -> event ssl_extension_elliptic_curves($conn, $is_orig, self.elliptic_curve_list);
+
+on TLS::EcPointsFormat_extension -> event ssl_extension_ec_point_formats($conn, $is_orig, self.ec_point_format_list);
+
+on TLS::ServerNameList -> event ssl_extension_server_name($conn, $is_orig, TLS::convert_server_names(self));
+
+on TLS::NewSessionTicket -> event ssl_session_ticket_handshake($conn, self.ticket_lifetime_hint, self.ticket);
+
+on TLS::RecordFragment::ccs -> event ssl_change_cipher_spec($conn, $is_orig);
+
+on TLS::RecordFragment::ccs if ( msg.context().ccs_seen == 2 ) -> event ssl_established($conn);
+
+on TLS::Handshake_message -> event ssl_handshake_message($conn, $is_orig, self.msg_type, self.length);
+
+on TLS::SignatureAlgorithms -> event ssl_extension_signature_algorithm($conn, $is_orig, TLS::convert_signature_algorithms(self));
+
+on TLS::ServerHelloKeyShare -> event ssl_extension_key_share($conn, $is_orig, vector<uint16>(self.keyshare.namedgroup,));
+
+on TLS::HelloRetryRequestKeyShare -> event ssl_extension_key_share($conn, $is_orig, vector<uint16>(self.namedgroup,));
+
+on TLS::ClientHelloKeyShare -> event ssl_extension_key_share($conn, $is_orig, TLS::convert_clienthellokeyshare(self));
+
+on TLS::OfferedPsks -> event ssl_extension_pre_shared_key_client_hello($conn, $is_orig, TLS::convert_identities(self.identities), TLS::convert_binders(self.binders));
+
+on TLS::SelectedPreSharedKeyIdentity -> event ssl_extension_pre_shared_key_server_hello($conn, $is_orig, self.selected_identity);
+
+on TLS::ServerECDHParamsAndSignature -> event ssl_ecdh_server_params($conn, self.curve, self.point);
+
+on TLS::DheServerKeyExchange -> event ssl_dh_server_params($conn, self.dh_p, self.dh_g, self.dh_Ys);
+
+on TLS::DhAnonServerKeyExchange -> event ssl_dh_server_params($conn, self.dh_p, self.dh_g, self.dh_Ys);
+
+on TLS::ServerKeyExchangeSignature if ( self?.algorithm ) -> event ssl_server_signature($conn, tuple(self.algorithm.hash, self.algorithm.signature), self.signature);
+
+# just use nonsense values for no algorithm. Same as in the old analyzer
+on TLS::ServerKeyExchangeSignature if ( ! self?.algorithm ) -> event ssl_server_signature($conn, tuple(256, 256), self.signature);
+
+on TLS::EcdhClientKeyExchange -> event ssl_ecdh_client_params($conn, self.point);
+
+on TLS::DhClientKeyExchange -> event ssl_dh_client_params($conn, self.dh_Yc);
+
+on TLS::RsaClientKeyExchange -> event ssl_rsa_client_pms($conn, self.rsa_pms);
+
+on TLS::ProtocolNameList -> event ssl_extension_application_layer_protocol_negotiation($conn, $is_orig, TLS::convert_protocol_name_list(self));
+
+on TLS::SignedCertificateTimestamp -> event ssl_extension_signed_certificate_timestamp($conn, $is_orig, self.version, self.logid, self.timestamp, tuple(self.digitally_signed_algorithms.hash, self.digitally_signed_algorithms.signature), self.digitally_signed_signature);
+
+on TLS::SupportedVersions -> event ssl_extension_supported_versions($conn, $is_orig, self.versions);
+
+on TLS::OneSupportedVersion -> event ssl_extension_supported_versions($conn, $is_orig, vector<uint16>(self.version,));
+
+on TLS::PSKKeyExchangeModes -> event ssl_extension_psk_key_exchange_modes($conn, $is_orig, self.modes);
+
+on TLS::Alert_message -> event ssl_alert($conn, $is_orig, self.level, self.description);
+
+on TLS::Heartbeat -> event ssl_heartbeat($conn, $is_orig, length, self.tpe, self.payload_length, self.data);
+
+on TLS::RecordFragment::appdata if ( msg.encrypted == False ) -> event ssl_plaintext_data($conn, $is_orig, self.version, self.content_type, self.length);
+
+on TLS::RecordFragment::appdata if ( msg.encrypted == True ) -> event ssl_encrypted_data($conn, $is_orig, self.version, self.content_type, self.length);
+
+on TLS::CertificateStatus -> event ssl_stapled_ocsp($conn, $is_orig, self.response);
+
diff --git a/src/analyzer/protocol/tls/TLS.spicy b/src/analyzer/protocol/tls/TLS.spicy
index e031bf32d3..7a645dbc6f 100644
--- a/src/analyzer/protocol/tls/TLS.spicy
+++ b/src/analyzer/protocol/tls/TLS.spicy
@@ -14,6 +14,7 @@ type HandshakeType = enum {
   hello_request = 0,
   client_hello = 1,
   server_hello = 2,
+  hello_verify_request = 3, #DTLS
   NewSessionTicket = 4,
   certificate = 11,
   server_key_exchange = 12,
@@ -22,7 +23,8 @@ type HandshakeType = enum {
   certificate_verify = 15,
   client_key_exchange = 16,
   finished = 20,
-  certificate_status = 22
+  certificate_url = 21, # RFC 3546
+  certificate_status = 22 # RFC 3546
 };
 
 type Extensions = enum {
@@ -515,9 +517,22 @@ type TLSCiphers = enum {
   TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 = 0xC0AE,
   TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 = 0xC0AF,
   # draft-agl-tls-chacha20poly1305-02
-  TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC13,
-  TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC14,
-  TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC15
+  TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD = 0xCC13,
+  TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD = 0xCC14,
+  TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD = 0xCC15,
+  # RFC 7905
+  TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCCA8,
+  TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCCA9,
+  TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAA,
+  TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAB,
+  TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAC,
+  TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAD,
+  TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAE,
+  # draft-ietf-tls-ecdhe-psk-aead-05
+  TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 = 0xD001,
+  TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 = 0xD002,
+  TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 = 0xD003,
+  TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 = 0xD004
 };
 
 type Share = unit {
@@ -555,6 +570,7 @@ type RecordFragment = unit(handshakesink: sink, alertsink: sink, inout msg: Mess
     ContentType::application_data -> appdata : bytes &size=self.length;
     ContentType::change_cipher_spec -> ccs : bytes &size=self.length;
     ContentType::heartbeat -> hn: Heartbeat(self.length);
+    ContentType::alert -> :bytes &size=self.length -> alertsink;
     * -> unhandled : bytes &size=self.length;
   };
 
@@ -612,9 +628,10 @@ type Handshake_message = unit(inout msg: Message) {
     HandshakeType::client_hello -> client_hello: ClientHello(self.length, msg);
     HandshakeType::server_hello_done,
     HandshakeType::hello_request -> : bytes &size=self.length; # Fixme: alert if length != 0
+    HandshakeType::hello_verify_request -> hello_verify_request: HelloVerifyRequest;
     HandshakeType::server_hello -> server_hello: ServerHello(self.length, msg);
     HandshakeType::certificate -> certificate: Certificate;
-    # HandshakeType::certificate_request -> certificate_request: CertificateRequest(version);
+    HandshakeType::certificate_request -> certificate_request: CertificateRequest(msg);
     HandshakeType::certificate_verify -> : bytes &size=self.length; # opaque encrypted data
     HandshakeType::client_key_exchange -> client_key_exchange: ClientKeyExchange(msg, self.length);
     HandshakeType::server_key_exchange -> server_key_exchange: ServerKeyExchange(msg, self.length);
@@ -634,6 +651,28 @@ type Handshake_message = unit(inout msg: Message) {
   }
 };
 
+type CertificateRequest = unit(msg: Message) {
+  certificate_types_len: uint8;
+  certificate_types: uint8[self.certificate_types_len];
+  switch ( uses_signature_and_hashalgorithm(msg) ) {
+    True -> supported_signature_algorithms: SignatureAlgorithms;
+    False -> : bytes &size=0;
+  };
+  certificate_authorities_len: uint16;
+  certificate_authorities: CertificateAuthority[] &size=self.certificate_authorities_len;
+};
+
+type CertificateAuthority = unit {
+  certificate_authority_len: uint16;
+  certificate_authority: bytes &size=self.certificate_authority_len;
+};
+
+type HelloVerifyRequest = unit {
+  version: uint16;
+  cookie_length: uint8;
+  cookie: bytes &size=self.cookie_length;
+};
+
 type CertificateStatus = unit {
   status_type: uint8;
   length: bytes &size=3 &convert=$$.to_uint(spicy::ByteOrder::Network);
@@ -940,8 +979,14 @@ type ServerKeyExchange = unit(msg: Message, len: uint64) {
     TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
     TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
     TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
+    TLSCiphers::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD,
+    TLSCiphers::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD,
     TLSCiphers::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-    TLSCiphers::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+    TLSCiphers::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+    TLSCiphers::TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256,
+    TLSCiphers::TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384,
+    TLSCiphers::TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256,
+    TLSCiphers::TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256
       -> ecdhe_server_key_exchange : EcdheServerKeyExchange(len, msg);
 
     # ECDH-anon suites
@@ -1029,7 +1074,9 @@ type ServerKeyExchange = unit(msg: Message, len: uint64) {
     TLSCiphers::TLS_DHE_PSK_WITH_AES_256_CCM,
     TLSCiphers::TLS_PSK_DHE_WITH_AES_128_CCM_8,
     TLSCiphers::TLS_PSK_DHE_WITH_AES_256_CCM_8,
-    TLSCiphers::TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+    TLSCiphers::TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD,
+    TLSCiphers::TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+    TLSCiphers::TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256
       -> dhe_server_key_exchange : DheServerKeyExchange(msg);
 
     # DH-anon suites
@@ -1203,47 +1250,24 @@ type ClientKeyExchange = unit(msg: Message, len: uint64) {
       -> rsa_client_key_exchange: RsaClientKeyExchange(len);
 
     #ECHDE
-    TLSCiphers::TLS_ECDH_ECDSA_WITH_NULL_SHA,
-    TLSCiphers::TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
-    TLSCiphers::TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
-    TLSCiphers::TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
-    TLSCiphers::TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
     TLSCiphers::TLS_ECDHE_ECDSA_WITH_NULL_SHA,
     TLSCiphers::TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
     TLSCiphers::TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
     TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
     TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-    TLSCiphers::TLS_ECDH_RSA_WITH_NULL_SHA,
-    TLSCiphers::TLS_ECDH_RSA_WITH_RC4_128_SHA,
-    TLSCiphers::TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
-    TLSCiphers::TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
-    TLSCiphers::TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
     TLSCiphers::TLS_ECDHE_RSA_WITH_NULL_SHA,
     TLSCiphers::TLS_ECDHE_RSA_WITH_RC4_128_SHA,
     TLSCiphers::TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
     TLSCiphers::TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
     TLSCiphers::TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-    TLSCiphers::TLS_ECDH_ANON_WITH_NULL_SHA,
-    TLSCiphers::TLS_ECDH_ANON_WITH_RC4_128_SHA,
-    TLSCiphers::TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA,
-    TLSCiphers::TLS_ECDH_ANON_WITH_AES_128_CBC_SHA,
-    TLSCiphers::TLS_ECDH_ANON_WITH_AES_256_CBC_SHA,
     TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
     TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
-    TLSCiphers::TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
-    TLSCiphers::TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
     TLSCiphers::TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
     TLSCiphers::TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
-    TLSCiphers::TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
-    TLSCiphers::TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
     TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
     TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-    TLSCiphers::TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
-    TLSCiphers::TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
     TLSCiphers::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
     TLSCiphers::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-    TLSCiphers::TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
-    TLSCiphers::TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
     TLSCiphers::TLS_ECDHE_PSK_WITH_RC4_128_SHA,
     TLSCiphers::TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
     TLSCiphers::TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,
@@ -1255,46 +1279,36 @@ type ClientKeyExchange = unit(msg: Message, len: uint64) {
     TLSCiphers::TLS_ECDHE_PSK_WITH_NULL_SHA384,
     TLSCiphers::TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,
     TLSCiphers::TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,
-    TLSCiphers::TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256,
-    TLSCiphers::TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384,
     TLSCiphers::TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,
     TLSCiphers::TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,
-    TLSCiphers::TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256,
-    TLSCiphers::TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384,
     TLSCiphers::TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
     TLSCiphers::TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
-    TLSCiphers::TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256,
-    TLSCiphers::TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384,
     TLSCiphers::TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
     TLSCiphers::TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
-    TLSCiphers::TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256,
-    TLSCiphers::TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384,
     TLSCiphers::TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,
     TLSCiphers::TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,
     TLSCiphers::TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
     TLSCiphers::TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
-    TLSCiphers::TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
-    TLSCiphers::TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
     TLSCiphers::TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
     TLSCiphers::TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
-    TLSCiphers::TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
-    TLSCiphers::TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384,
     TLSCiphers::TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
     TLSCiphers::TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
-    TLSCiphers::TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
-    TLSCiphers::TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
     TLSCiphers::TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
     TLSCiphers::TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
-    TLSCiphers::TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256,
-    TLSCiphers::TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384,
     TLSCiphers::TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
     TLSCiphers::TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
     TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
     TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
     TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
     TLSCiphers::TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
+    TLSCiphers::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD,
+    TLSCiphers::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD,
     TLSCiphers::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-    TLSCiphers::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+    TLSCiphers::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+    TLSCiphers::TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256,
+    TLSCiphers::TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384,
+    TLSCiphers::TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256,
+    TLSCiphers::TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256
       -> ecdh_client_key_exchange : EcdhClientKeyExchange(len);
 
     # DHE suites
@@ -1373,7 +1387,9 @@ type ClientKeyExchange = unit(msg: Message, len: uint64) {
     TLSCiphers::TLS_DHE_PSK_WITH_AES_256_CCM,
     TLSCiphers::TLS_PSK_DHE_WITH_AES_128_CCM_8,
     TLSCiphers::TLS_PSK_DHE_WITH_AES_256_CCM_8,
+    TLSCiphers::TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD,
     TLSCiphers::TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+    TLSCiphers::TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
     # DH-anon suites
     TLSCiphers::TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5,
     TLSCiphers::TLS_DH_ANON_WITH_RC4_128_MD5,
@@ -1432,3 +1448,89 @@ type SingleCertificate = unit {
   length: bytes &size=3 &convert=$$.to_uint(spicy::ByteOrder::Network);
   cert: bytes &size=self.length; # certificates, forward to whatever
 };
+
+
+# Conversion and Zeek related functions
+
+import zeek;
+
+public function convert_server_names(snl: TLS::ServerNameList) : vector<bytes> {
+  local out: vector<bytes>;
+
+  for ( i in snl.server_name_list )
+    out.push_back(i.host_name);
+
+  return out;
+}
+
+public function convert_signature_algorithms(sa: TLS::SignatureAlgorithms) : vector<tuple<HashAlgorithm: uint8, SignatureAlgorithm: uint8>> {
+  local out: vector<tuple<uint8, uint8>>;
+  for ( i in sa.supported_signature_algorithms )
+    out.push_back(tuple(i.hash, i.signature));
+
+  return out;
+}
+
+public function convert_clienthellokeyshare(ks: TLS::ClientHelloKeyShare) : vector<uint16> {
+  local out: vector<uint16>;
+
+  for ( i in ks.keyshares )
+    out.push_back(i.namedgroup);
+
+  return out;
+}
+
+public function convert_binders(bi: TLS::PSKBindersList) : vector<bytes> {
+  local out: vector<bytes>;
+
+  for ( i in bi.binders )
+    out.push_back(i.binder);
+
+  return out;
+}
+
+public function convert_identities(id: TLS::PSKIdentitiesList) : vector<tuple<identity: bytes, obfuscated_ticket_age: uint32>> {
+  local out: vector<tuple<bytes, uint32>>;
+  for ( i in id.identities )
+    out.push_back(tuple(i.identity, i.obfuscated_ticket_age));
+  return out;
+}
+
+public function convert_protocol_name_list(pns: TLS::ProtocolNameList) : vector<bytes> {
+  local out: vector<bytes>;
+  for ( i in pns.protocol_name_list )
+    out.push_back(i.name);
+  return out;
+}
+
+on TLS::ClientHello::%done {
+  spicy::accept_input();
+}
+
+on TLS::ClientHello::%error {
+  spicy::decline_input("error while parsing TLS client hello");
+}
+
+on TLS::ServerHello::%done {
+  spicy::accept_input();
+}
+
+on TLS::ServerHello::%error {
+  spicy::decline_input("error while parsing TLS server hello");
+}
+
+on TLS::Certificate::%done {
+  local first: bool = True;
+  for ( i in self.certificate_list )
+    {
+    if ( first )
+			zeek::file_begin("application/x-x509-user-cert");
+		else
+			zeek::file_begin("application/x-x509-ca-cert");
+		zeek::file_data_in(i.cert);
+    zeek::file_end();
+    first = False;
+    }
+}
+
+
diff --git a/src/analyzer/protocol/tls/zeek_TLS.spicy b/src/analyzer/protocol/tls/zeek_TLS.spicy
deleted file mode 100644
index 0ef1e0576f..0000000000
--- a/src/analyzer/protocol/tls/zeek_TLS.spicy
+++ /dev/null
@@ -1,83 +0,0 @@
-module Zeek_TLS;
-
-import TLS;
-import zeek;
-
-public function convert_server_names(snl: TLS::ServerNameList) : vector<bytes> {
-  local out: vector<bytes>;
-
-  for ( i in snl.server_name_list )
-    out.push_back(i.host_name);
-
-  return out;
-}
-
-public function convert_signature_algorithms(sa: TLS::SignatureAlgorithms) : vector<tuple<HashAlgorithm: uint8, SignatureAlgorithm: uint8>> {
-  local out: vector<tuple<uint8, uint8>>;
-  for ( i in sa.supported_signature_algorithms )
-    out.push_back(tuple(i.hash, i.signature));
-
-  return out;
-}
-
-public function convert_clienthellokeyshare(ks: TLS::ClientHelloKeyShare) : vector<uint16> {
-  local out: vector<uint16>;
-
-  for ( i in ks.keyshares )
-    out.push_back(i.namedgroup);
-
-  return out;
-}
-
-public function convert_binders(bi: TLS::PSKBindersList) : vector<bytes> {
-  local out: vector<bytes>;
-
-  for ( i in bi.binders )
-    out.push_back(i.binder);
-
-  return out;
-}
-
-public function convert_identities(id: TLS::PSKIdentitiesList) : vector<tuple<identity: bytes, obfuscated_ticket_age: uint32>> {
-  local out: vector<tuple<bytes, uint32>>;
-  for ( i in id.identities )
-    out.push_back(tuple(i.identity, i.obfuscated_ticket_age));
-  return out;
-}
-
-public function convert_protocol_name_list(pns: TLS::ProtocolNameList) : vector<bytes> {
-  local out: vector<bytes>;
-  for ( i in pns.protocol_name_list )
-    out.push_back(i.name);
-  return out;
-}
-
-on TLS::ClientHello::%done {
-  zeek::confirm_protocol();
-}
-
-# on TLS::ClientHello::%error {
-#   zeek::reject_protocol("error while parsing TLS client hello");
-# }
-# 
-# on TLS::ServerHello::%done {
-#   zeek::confirm_protocol();
-# }
-# 
-# on TLS::ServerHello::%error {
-#   zeek::reject_protocol("error while parsing TLS server hello");
-# }
-# 
-# on TLS::Certificate::%done {
-#   local first: bool = True;
-#   for ( i in self.certificate_list )
-#     {
-#     if ( first )
-# 			zeek::file_begin("application/x-x509-user-cert");
-# 		else
-# 			zeek::file_begin("application/x-x509-ca-cert");
-# 		zeek::file_data_in(i.cert);
-#     zeek::file_end();
-#     first = False;
-#     }
-# }