diff --git a/scripts/site/local.bro b/scripts/site/local.bro
index bb2cc73a53..afe1d9d4f2 100644
--- a/scripts/site/local.bro
+++ b/scripts/site/local.bro
@@ -81,5 +81,6 @@
 # Detect SHA1 sums in Team Cymru's Malware Hash Registry.
 @load frameworks/files/detect-MHR
-# Load heartbleed detection. Only superficially tested, might contain bugs.
-@load policy/protocols/ssl/heartbleed
+# Uncomment the following line to enable detection of the heartbleed attack. Enabling
+# this might impact performance a bit.
+# @load policy/protocols/ssl/heartbleed
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 5106552740..f32649403b 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -214,6 +214,8 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count,
 ##
 ## c: The connection.
 ##
+## is_orig: True if event is raised for originator side of the connection.
+##
 ## length: length of the entire heartbeat message.
 ##
 ## heartbeat_type: type of the heartbeat message. Per RFC, 1 = request, 2 = response
@@ -236,9 +238,21 @@ event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type
 ##
 ## c: The connection.
 ##
+## is_orig: True if event is raised for originator side of the connection.
+##
 ## length: length of the entire heartbeat message.
 ##
 ## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ## ssl_alert ssl_heartbeat
 event ssl_encrypted_heartbeat%(c: connection, is_orig: bool, length: count%);
+## This event contains the OCSP response contained in a Certificate Status Request
+## message, when the client requested OCSP stapling and the server supports it. See
+## description in :rfc:`6066`
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## response: OCSP data.
+event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string%);
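Review bot: The ssl_stapled_ocsp description in the second events.bif hunk names a "Certificate Status Request message", but in RFC 6066 status_request is the ClientHello extension and the stapled response is carried in the CertificateStatus handshake message; the first sentence should say so. The doc also omits that the event is raised only when status_type is 1 (OCSP) — the ssl-analyzer.pac change in this commit drops every other type without an event — and, unlike the neighbouring events, it has no `.. bro:see::` cross-reference. Suggested opening: `## This event is raised for the OCSP response carried in a CertificateStatus handshake message, which the server sends when the client asked for stapling via the status_request extension; only status_type 1 (OCSP) is reported. See :rfc:` followed by the 6066 reference in the file's usual role syntax.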
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 66224bf45a..e9d29675c3 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -389,6 +389,17 @@ refine connection SSL_Conn += {
 return true;
 %}
+ function proc_certificate_status(rec : SSLRecord, status_type: uint8, response: bytestring) : bool
+ %{
+ if ( status_type == 1 ) // ocsp
+ {
+ BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(),
+ bro_analyzer()->Conn(), ${rec.is_orig},
+ new StringVal(response.length(), (const char*) response.data()));
+ }
+
+ return true;
+ %}
 };
 refine typeattr Alert += &let {
@@ -473,3 +484,7 @@ refine typeattr ApplicationLayerProtocolNegotiationExtension += &let {
 refine typeattr ServerNameExt += &let {
 proc : bool = $context.connection.proc_server_name(rec, server_names);
 };
+
+refine typeattr CertificateStatus += &let {
+ proc : bool = $context.connection.proc_certificate_status(rec, status_type, response);
+};
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index 857bd01f26..a8b9975eb5 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -341,6 +341,7 @@ type Certificate(rec: SSLRecord) = record {
 type CertificateStatus(rec: SSLRecord) = record {
 status_type: uint8; # 1 = ocsp, everything else is undefined
+ length : uint24;
 response: bytestring &restofdata;
 };
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-stapling/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-stapling/.stdout
new file mode 100644
index 0000000000..a8735f6d41
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-stapling/.stdout
@@ -0,0 +1 @@
+F, 1995
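Review bot: In proc_certificate_status a CertificateStatus message whose status_type is not 1 is dropped silently — no event, no diagnostic — so a script cannot distinguish an unknown or malformed status type from a connection that never stapled at all. At minimum the function should say so where the check is made, e.g. `// Only status_type 1 (OCSP, RFC 6066) is reported; any other type is ignored without an event.`; if the analyzer's weird reporting is available here, recording the unexpected type through it would be more useful to detection scripts. The enclosing `refine connection SSL_Conn += {` block begins before this hunk, and the `length` field added to the record in ssl-protocol.pac is not forwarded by the refine in the second hunk, so the function has no way to validate the payload size itself.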
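Review bot: The new `length : uint24;` field in CertificateStatus is parsed but never used: `response` still takes `&restofdata`, so the declared length is never checked against the bytes actually present and a truncated or padded message reaches ssl_stapled_ocsp as if it were well-formed. Binding the field, `response: bytestring &length=length;`, lets binpac enforce the declared size instead of handing whatever follows to the script. RFC 6066 section 8 defines the OCSPResponse vector as `<1..2^24-1>`, so a zero length is malformed as well and is worth rejecting before the event is generated.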
diff --git a/testing/btest/Traces/tls/ocsp-stapling.trace b/testing/btest/Traces/tls/ocsp-stapling.trace
new file mode 100644
index 0000000000..8b66f7288d
Binary files /dev/null and b/testing/btest/Traces/tls/ocsp-stapling.trace differ
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
new file mode 100644
index 0000000000..b50f04a92e
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
@@ -0,0 +1,7 @@
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string)
+ {
+ print is_orig, |response|;
+ }