diff --git a/CHANGES b/CHANGES
index c280264ec4..279ae4a95d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,14 @@
+8.0.0-dev.551 | 2025-06-26 20:21:31 +0100
+
+  * Spicy SSL analyzer: make record layer version parsing more strict (Johanna Amann, Corelight)
+
+    The Spicy based SSL analyzer was, so far, more permissive with the
+    record layer versions that it would accept.
+
+    This change brings the parsing of record layer versions in line with the
+    binpac based analyzer. This behavioral difference was discovered due to
+    a test that changed with the recent dpd log changes.
+
 8.0.0-dev.548 | 2025-06-26 18:49:31 +0200
 
   * extend script coverage profiling to track whether conditionals evaluate to true/false (Vern Paxson, Corelight)
diff --git a/VERSION b/VERSION
index bbbc048ffb..440b18636d 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-8.0.0-dev.548
+8.0.0-dev.551
diff --git a/src/analyzer/protocol/ssl/spicy/SSL.spicy b/src/analyzer/protocol/ssl/spicy/SSL.spicy
index ee50442cb3..f89b81b191 100644
--- a/src/analyzer/protocol/ssl/spicy/SSL.spicy
+++ b/src/analyzer/protocol/ssl/spicy/SSL.spicy
@@ -740,7 +740,7 @@ type SSL2ClientMasterKey = unit(length: uint16, inout sh: Share) {
 # For TLS-y protocols - determine how to continue
 type TLSRecordFragmentChoice = unit(content_type: uint8, handshakesink: sink&, alertsink: sink&, inout msg: Message, inout sh: Share) {
     # content_type: uint8; # &convert=ContentType($$);
-    version: uint16;
+    version: uint16 &requires=($$ == SSLv3 || $$ == TLSv10 || $$ == TLSv11 || $$ == TLSv12 : "Invalid version in record layer. Version: %s" % $$);
 
     switch (is_dtls_version(self.version)) {
         True -> dtlsfragment: DTLSRecordFragment(content_type, handshakesink, alertsink, msg, sh);
diff --git a/testing/btest/core/pppoe-over-qinq.zeek b/testing/btest/core/pppoe-over-qinq.zeek
index a0a12e490b..26f3cc61b3 100644
--- a/testing/btest/core/pppoe-over-qinq.zeek
+++ b/testing/btest/core/pppoe-over-qinq.zeek
@@ -1,5 +1,2 @@
-# Disable test temporarily - see GH-4547
-# @TEST-REQUIRES: ! have-spicy-ssl
-
 # @TEST-EXEC: zeek -r $TRACES/pppoe-over-qinq.pcap
 # @TEST-EXEC: btest-diff conn.log