diff --git a/policy/protocols/ssl/new-base.bro b/policy/protocols/ssl/new-base.bro
new file mode 100644
index 0000000000..5aaa8499b9
--- /dev/null
+++ b/policy/protocols/ssl/new-base.bro
@@ -0,0 +1,73 @@
+
+
+module SSL;
+
+export {
+
+ ## This is the root CA bundle. By default it is Mozilla's full trusted
+ ## root CA list.
+ # TODO: move the mozilla_root_certs setting into the mozilla file.
+ #print mozilla_root_certs;
+ const root_certs: table[string] of string = {} &redef;
+ #const root_certs: table[string] of string = {} &redef;
+
+
+ ## This is where you can define root certificates that you want to validate
+ ## against servers. For example, you may have a policy that states that
+ ## all local certificates must be signed by a specific signing authority.
+ ## If you specify your local networks with only the specific authority
+ ## or authorities your policy stipulates here, certificates signed by any
+ ## other key will not validate. By default, all servers are validated
+ ## against the full ``root_certs`` bundle.
+ #const server_validation: table[subnet] of table[string] of string =
+ # { [0.0.0.0/0] = root_certs } &redef;
+
+ ## This is where you can define root certificates that you want to validate
+ ## against clients. This is still doing validation against the server
+ ## certificate chain, but this allows you to define a restricted
+ ## list of signing certificate that clients should be seen connecting to.
+ ## For example, you may have a tightly controlled network
+ ## that you **never** want to establish SSL sessions using anything other
+ ## than certificates signed by a very select list of certificate
+ ## authorities. You can define the networks in this variable along with
+ ## key signing certificates with which they should be allowed to establish
+ ## SSL connections. By default, all client connections are validated
+ ## against the full ``root_certs`` bundle.
+ #const client_validation: table[subnet] of table[string] of string =
+ # { [0.0.0.0/0] = root_certs } &redef;
+}
+
+@load mozilla-root-certs
+
+
+redef capture_filters += {
+ ["ssl"] = "tcp port 443",
+ ["nntps"] = "tcp port 563",
+ ["imap4-ssl"] = "tcp port 585",
+ ["sshell"] = "tcp port 614",
+ ["ldaps"] = "tcp port 636",
+ ["ftps-data"] = "tcp port 989",
+ ["ftps"] = "tcp port 990",
+ ["telnets"] = "tcp port 992",
+ ["imaps"] = "tcp port 993",
+ ["ircs"] = "tcp port 994",
+ ["pop3s"] = "tcp port 995"
+};
+
+global ssl_ports = {
+ 443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp,
+ 989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp,
+} &redef;
+
+redef dpd_config += {
+ [[ANALYZER_SSL]] = [$ports = ssl_ports]
+};
+
+
+#redef SSL::client_validation += table(
+# [128.146.0.0/16] = table(
+# ["LOCAL_DER_CERT"] = "ADFADFWEAFASDFASDFA",
+# ["LOCAL_DER_CERT2"] = "ADFADFWEAFASDFASDFA" )
+# #["DER_CERT_1"] = SSL::root_certs["DER_CERT_1"],
+# #["LOCAL_DER_CERT"] = "ADFADFWEAFASDFASDFA"},
+#);
diff --git a/policy/protocols/ssl-ciphers.bro b/policy/protocols/ssl/ssl-ciphers.bro
similarity index 100%
rename from policy/protocols/ssl-ciphers.bro
rename to policy/protocols/ssl/ssl-ciphers.bro
diff --git a/policy/protocols/ssl-errors.bro b/policy/protocols/ssl/ssl-errors.bro
similarity index 100%
rename from policy/protocols/ssl-errors.bro
rename to policy/protocols/ssl/ssl-errors.bro
diff --git a/policy/protocols/ssl.bro b/policy/protocols/ssl/ssl.bro
similarity index 100%
rename from policy/protocols/ssl.bro
rename to policy/protocols/ssl/ssl.bro
diff --git a/policy/protocols/ssl/validate.bro b/policy/protocols/ssl/validate.bro
new file mode 100644
index 0000000000..0c5161b326
--- /dev/null
+++ b/policy/protocols/ssl/validate.bro
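Review bot: `ssl_ports` omits 994/tcp although `capture_filters` registers `["ircs"] = "tcp port 994"`, so the `dpd_config` entry built from `ssl_ports` never attaches the SSL analyzer to IRCS traffic that the filter deliberately captures; the second line of the set should read `989/tcp, 990/tcp, 992/tcp, 993/tcp, 994/tcp, 995/tcp,`. The doc comment on `root_certs` says the default is Mozilla's full trusted root list, but the declaration's default is `{}` and `@load mozilla-root-certs` only follows the export block, so the docstring describes whatever that file redefs rather than this declaration — the TODO already notes the intended move, and until then the comment should say `## Empty until mozilla-root-certs is loaded and redefs it; see TODO below.` The `##` documentation for `server_validation` and `client_validation` describes a per-subnet trust restriction that the commented-out declarations do not implement, so generated docs would advertise a control that does nothing; either drop the `##` markers until the consts exist or state in them that the feature is not yet implemented.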
@@ -0,0 +1,40 @@ +SL; + +# To grab and format a PEM (ascii armored) certificate.... +# curl "http://www.icsi.berkeley.edu/certs/icsicert.crt" | openssl x509 -outform DER | hexdump -e '2/1 "%02X"' | sed -E 's/(..)/\\x\1/g' + +redef SSL::root_certs += { + ["ICSI CA"] = "\x30\x82\x04\xF6\x30\x82\x03\xDE\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x30\x81\xB2\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x49\x43\x53\x49\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x31\x30\x2F\x06\x03\x55\x04\x0A\x13\x28\x49\x6E\x74\x65\x72\x6E\x61\x74\x69\x6F\x6E\x61\x6C\x20\x43\x6F\x6D\x70\x75\x74\x65\x72\x20\x53\x63\x69\x65\x6E\x63\x65\x20\x49\x6E\x73\x74\x69\x74\x75\x74\x65\x31\x13\x30\x11\x06\x03\x55\x04\x08\x13\x0A\x43\x61\x6C\x69\x66\x6F\x72\x6E\x69\x61\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x13\x08\x42\x65\x72\x6B\x65\x6C\x65\x79\x31\x23\x30\x21\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x14\x63\x61\x40\x49\x43\x53\x49\x2E\x42\x65\x72\x6B\x65\x6C\x65\x79\x2E\x45\x44\x55\x30\x1E\x17\x0D\x30\x34\x30\x37\x32\x38\x30\x31\x35\x32\x34\x35\x5A\x17\x0D\x31\x32\x31\x30\x31\x34\x30\x31\x35\x32\x34\x35\x5A\x30\x81\xB2\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x49\x43\x53\x49\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x31\x30\x2F\x06\x03\x55\x04\x0A\x13\x28\x49\x6E\x74\x65\x72\x6E\x61\x74\x69\x6F\x6E\x61\x6C\x20\x43\x6F\x6D\x70\x75\x74\x65\x72\x20\x53\x63\x69\x65\x6E\x63\x65\x20\x49\x6E\x73\x74\x69\x74\x75\x74\x65\x31\x13\x30\x11\x06\x03\x55\x04\x08\x13\x0A\x43\x61\x6C\x69\x66\x6F\x72\x6E\x69\x61\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x13\x08\x42\x65\x72\x6B\x65\x6C\x65\x79\x31\x23\x30\x21\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x14\x63\x61\x40\x49\x43\x53\x49\x2E\x42\x65\x72\x6B\x65\x6C\x65\x79\x2E\x45\x44\x55\x30\x82\x01\x22\x30\x0D\x06\x0
9\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xEA\xD1\xD9\x7C\x49\xF3\xE6\xB8\x7E\xC9\xF0\xB2\x36\xB2\x77\xFF\x9B\x0B\x49\x4B\x0A\xAA\xF2\xA5\xFE\xE1\xFA\x68\x1C\x89\x9B\x58\x7B\x32\x6C\x7E\x85\x2B\x91\x7C\xBA\xCD\x73\x65\xD2\xA9\xA2\xCB\xAD\xAA\x3B\x21\x1C\x7B\xBE\x65\xA5\x0B\x8F\x23\xA8\x98\x7E\xB5\x8D\x09\xC7\x65\x54\x8F\x35\x4D\x5B\xF9\x61\x62\x05\xCE\x36\x6F\xC2\xDB\xAF\x77\x49\xED\xA6\xD3\x1E\xA7\x59\x89\xEA\xA6\xAF\xA2\x7E\xCD\x9C\x66\xAD\xCF\xD3\xFA\x53\xE9\x52\x44\xBB\x53\x82\x1E\x86\x11\xA5\xF8\x85\x0B\xEB\xCE\xBA\x46\x7B\x09\xDD\x93\x0D\x52\x58\x82\xD3\xE0\x75\x8F\x7D\x4B\x4C\x5D\xD3\xE4\xAD\xB9\x32\x70\xAC\xE3\x24\xB1\xFC\xE2\x6E\x4D\xB4\x93\xFF\x67\xE9\xB1\xFC\x2C\x09\x8F\x09\x89\x4B\x52\x65\x3C\x45\xBA\x3F\x12\xC4\x3F\x7F\x58\xA4\xC7\x06\x0C\x03\x9D\x6D\x18\x17\x0C\x47\x2B\xFC\xEE\x48\x46\x82\x93\xBB\x20\x10\x23\xFF\x9D\x5F\x83\x15\x8B\x79\x64\xF9\x65\x8E\x45\x14\xCC\xC8\x40\xBE\x23\x35\x98\xBF\x7C\x2A\x02\x11\x85\xAF\x6B\xD2\xC5\x6C\x31\xF0\xC0\xE1\xBA\x8B\xE8\x0C\x9F\xB2\x43\x9D\x8F\xFC\xC5\xB7\xE5\x9C\xF0\x23\x37\x8B\x06\xA0\x99\x39\x97\x02\x03\x01\x00\x01\xA3\x82\x01\x13\x30\x82\x01\x0F\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB5\xF1\x90\xC7\x7D\xE4\x3E\xCB\x2D\x32\x62\x88\x9A\xD6\xAB\x52\xBE\xA0\xC5\x7B\x30\x81\xDF\x06\x03\x55\x1D\x23\x04\x81\xD7\x30\x81\xD4\x80\x14\xB5\xF1\x90\xC7\x7D\xE4\x3E\xCB\x2D\x32\x62\x88\x9A\xD6\xAB\x52\xBE\xA0\xC5\x7B\xA1\x81\xB8\xA4\x81\xB5\x30\x81\xB2\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x49\x43\x53\x49\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x31\x30\x2F\x06\x03\x55\x04\x0A\x13\x28\x49\x6E\x74\x65\x72\x6E\x61\x74\x69\x6F\x6E\x61\x6C\x20\x43\x6F\x6D\x70\x75\x74\x65\x72\x20\x53\x63\x69\x65\x6E\x63\x65\x20\x49\x6E\x73\x74\x69\x74\x75\x74\x65\x31\x13\x30\x11\x06\x03\x55\x04\x08\x13\x0A\x43\x61\x6C\x69\x66\x6F\x72\x6E\x69\x61\x31\x0B\x30\x09\x06\x03\x5
5\x04\x06\x13\x02\x55\x53\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x13\x08\x42\x65\x72\x6B\x65\x6C\x65\x79\x31\x23\x30\x21\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x14\x63\x61\x40\x49\x43\x53\x49\x2E\x42\x65\x72\x6B\x65\x6C\x65\x79\x2E\x45\x44\x55\x82\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x03\x82\x01\x01\x00\x2D\xAB\xD8\x86\x41\x6C\xB0\xEF\xE4\x33\x15\xFF\x4C\xC9\x6B\x59\x58\xF7\xF9\x36\xBB\x22\x4A\xC7\x24\x40\x85\xAD\x85\xED\xA1\xF3\x62\x70\xDD\xDA\x79\x2F\x79\x57\xB0\x28\xC7\x2A\x1F\x0E\xD1\x92\xE3\x6E\xE4\xFD\xEB\x1F\xCA\x84\xEE\xFC\xA9\x49\x80\x84\x9B\x04\x9C\xE5\x31\x50\xE1\x31\xC2\x82\xE7\xCC\xF6\xE1\xC1\xAF\x53\x8C\xE3\x73\xF2\xE1\x22\xC7\x3B\x33\xEC\x60\xBE\x61\x00\xA0\x02\xFE\xF1\x66\x4D\x82\xE5\xD0\x79\x2F\xDD\xB3\xF0\xCF\x2C\x7C\x75\x8F\x84\xC6\xE6\x05\xBC\xA2\xDA\x1B\xFB\xD2\x6E\x74\xFB\x3F\xDA\xEA\x6C\xA6\xFA\x58\xF1\x81\xDA\x00\xCD\xBF\x1D\x62\xEF\xF1\x11\x45\xC5\xA1\x2D\x0F\x7F\x62\xFC\xBC\x8C\xCB\x12\x67\xC1\x3D\x14\x3D\xA6\xC6\x9E\x7A\x98\x86\x90\x4B\x86\x04\x96\xA3\x42\xAE\xC5\x9F\x3B\x2C\xC2\xF1\x68\xC0\x5F\x52\x1E\x0D\xA5\x43\x18\xF3\x26\x9E\xEA\x5E\xBB\xF3\x50\xDF\x03\x0C\x7A\xD1\xE0\x10\x29\x70\x91\x55\x6F\x24\x12\x22\x79\x0F\xB6\x59\xBA\x15\x4C\x5F\x62\xDB\x8B\xD0\x62\xDC\xEF\x69\xCC\x60\xD2\x29\x67\x97\xDD\xA4\x0A\xC1\xDC\xE6\x7A\xF1\x29\xB5\x6F\x9E\x9F\x91\xF3\x60\x32\x0C\xAD\x99\x77\xB2" +}; + +redef record connection += { + cert: string &optional; + cert_chain: vector of string &default=vector(); +}; + +event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) + { + print "=================="; + print cert; + print fmt("chain index: %d", chain_idx); + print fmt("chain length: %d", chain_len); + + if ( chain_idx == 0 ) + { + print "saving primary cert"; + c$cert = der_cert; + } + else + { + print "adding cert to chain"; + c$cert_chain[|c$cert_chain|] = der_cert; + } + + if ( chain_idx == chain_len-1 || chain_len == 1 ) + { + local result = 
x509_err2str(x509_verify(c$cert, c$cert_chain, root_certs));
+ print fmt("verifying cert... %s", result);
+ }
+ }
+
+
diff --git a/policy/utils.bro b/policy/utils.bro
deleted file mode 100644
index dbd13e98b5..0000000000
--- a/policy/utils.bro
+++ /dev/null
@@ -1,2 +0,0 @@
-@load utils/pattern
-@load utils/numbers
\ No newline at end of file
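Review bot: `x509_verify(c$cert, c$cert_chain, root_certs)` at the end of the `x509_certificate` handler reads the `&optional` `cert` field without checking it was set, so a chain whose first observed certificate has a nonzero `chain_idx` (or a connection where the `chain_idx == 0` event was missed) hits a runtime error on the unset field instead of being reported; guard it with `if ( ! c?$cert ) return;` before the `local result =` line. Nothing resets `cert` or `cert_chain`, so a second certificate exchange on the same connection appends the new chain to the old one and verifies them together — clearing the vector when the primary cert arrives, `c$cert_chain = vector();` next to `c$cert = der_cert;`, keeps each chain separate. The verification result is only `print`ed, alongside the per-certificate debug output at the top of the handler, so a notice or log entry would be needed for the outcome to be usable beyond the console. The `root_certs` redef bakes an institution-specific CA into the generic validate script, and the DER encodes a validity window of 040728015245Z to 121014015245Z; a site-specific trust anchor belongs in a site-local redef rather than in the shipped script where every deployment picks it up. The hunk's first line renders here as `+SL;`, presumably a truncated `module SSL;`; the unqualified `root_certs` reference in the handler depends on that module line being intact.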