diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro
index 3958a90fa2..b8a5fdd275 100644
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@@ -58,6 +58,14 @@ export {
 ## to each connection. It is not used for logging since it's a
 ## meaningless arbitrary number.
 analyzer_id: count &optional;
+
+ ## Flag to indicate if this ssl session has been established
+ ## succesfully, or if it was aborted during the handshake.
+ established: bool &log &default=F;
+
+ ## Flag to indicate if this record already has been logged, to
+ ## prevent duplicates.
+ logged: bool &default=F;
 };
 
 ## The default root CA bundle. By default, the mozilla-ca-list.bro
@@ -127,9 +135,13 @@ function undelay_log(info: Info, token: string)
 
 function log_record(info: Info)
 {
+ if ( info$logged )
+ return;
+
 if ( ! info?$delay_tokens || |info$delay_tokens| == 0 )
 {
 Log::write(SSL::LOG, info);
+ info$logged = T;
 }
 else
 {
@@ -151,6 +163,7 @@ function finish(c: connection)
 log_record(c$ssl);
 if ( disable_analyzer_after_detection && c?$ssl && c$ssl?$analyzer_id )
 disable_analyzer(c$id, c$ssl$analyzer_id);
+ delete c$ssl$analyzer_id;
 }
 
 event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5
@@ -231,6 +244,7 @@ event ssl_alert(c: connection, is_orig: bool, level: count, desc: count) &priori
 event ssl_established(c: connection) &priority=5
 {
 set_session(c);
+ c$ssl$established = T;
 }
 
 event ssl_established(c: connection) &priority=-5 
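Review bot: The doc comment on the new `established` field misspells "successfully" as "succesfully"; these `##` comments are the field's reference documentation, so it should read `## successfully, or if it was aborted during the handshake.`. The `logged` comment would also be clearer if it said why the field is deliberately not `&log`, e.g. `## Internal bookkeeping, not logged: set once the record has been written so a later finish() does not emit it again.`. The `Info` record this hunk extends begins before the hunk.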
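Review bot: `info$logged = T` is set only on the immediate `Log::write` path of `log_record`; the `else` branch that handles delayed records continues past the end of this hunk, and if any path in it calls `Log::write(SSL::LOG, info)` directly (for instance on a delay timeout) instead of re-entering `log_record`, `logged` stays F and a later `finish()` from `connection_state_remove` will write the same record a second time. Setting `info$logged = T;` immediately after every `Log::write` of `info` closes that gap regardless of which path writes. I cannot see the `else` branch here, so please confirm how the delayed path writes.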
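Review bot: The new `delete c$ssl$analyzer_id;` in `finish` runs unconditionally after the guarded `disable_analyzer` call and its purpose is not visible from the line itself: since `finish()` is now also invoked from `connection_state_remove`, a connection already finished at `ssl_established` would otherwise call `disable_analyzer` a second time. A comment such as `# Drop the id so a later finish() from connection_state_remove does not disable the analyzer again` would make that explicit. The line also dereferences `c$ssl` outside the `c?$ssl` test on the preceding line, which is consistent with `log_record(c$ssl)` above but leaves that `c?$ssl` test with nothing to protect; the start of `finish` lies outside this hunk.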
@@ -238,11 +252,20 @@ event ssl_established(c: connection) &priority=-5
 finish(c);
 }
 
+event connection_state_remove(c: connection) &priority=-5
+ {
+ if ( c?$ssl )
+ # called in case a SSL connection that has not been established terminates
+ finish(c);
+ }
+
 event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=5
 {
- # Check by checking for existence of c$ssl record.
- if ( c?$ssl && atype == Analyzer::ANALYZER_SSL )
+ if ( atype == Analyzer::ANALYZER_SSL )
+ {
+ set_session(c);
 c$ssl$analyzer_id = aid;
+ }
 }
 
 event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 280f3a2d32..a877514127 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -160,6 +160,8 @@ refine connection SSL_Conn += {
 %{
 if ( ! version_ok(version) )
 bro_analyzer()->ProtocolViolation(fmt("unsupported client SSL version 0x%04x", version));
+ else
+ bro_analyzer()->ProtocolConfirmation();
 
 if ( ssl_client_hello )
 {
@@ -198,8 +200,6 @@ refine connection SSL_Conn += {
 %{
 if ( ! version_ok(version) )
 bro_analyzer()->ProtocolViolation(fmt("unsupported server SSL version 0x%04x", version));
- else
- bro_analyzer()->ProtocolConfirmation();
 
 if ( ssl_server_hello )
 {
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log
new file mode 100644
index 0000000000..92d7e3a1ab
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log
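Review bot: In `connection_state_remove` the comment is placed between `if ( c?$ssl )` and its single-statement body `finish(c);`, which reads as though the comment were the body; move it above the `if` and tidy the wording: `# Also finish connections whose SSL handshake never completed so they get logged.`. This handler now calls `finish()` for every connection with a `c$ssl` record, including those already finished at `ssl_established`, so its correctness rests entirely on the `logged` flag in `log_record` and on `finish()` deleting `analyzer_id`; a one-line comment naming that dependency would help whoever next touches either function. In `protocol_confirmation`, `set_session(c)` now creates the `c$ssl` record on confirmation alone, which is what makes handshake-failure logging possible but also means every confirmed SSL connection ends up in ssl.log even if no further SSL event ever fires.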
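Review bot: `ProtocolConfirmation()` is now raised on the ClientHello alone, with the ServerHello-side confirmation removed in the following hunk, so for connections where the SSL analyzer is attached up front (well-known ports) a single originator message that passes `version_ok` confirms the protocol with no participation by the responder. Together with `protocol_confirmation` creating `c$ssl` in main.bro, one-sided or scanner traffic will then produce ssl.log rows with `established=F` and no alert, which changes what a row in that log means and is cheap for a remote party to inflate; if that is accepted it deserves a comment next to the call, e.g. `// Confirm on the ClientHello so aborted handshakes (server alert, RST) are still logged; note this also confirms one-sided traffic.`. An alternative that keeps the handshake-failure case is to confirm on the ServerHello as before and additionally when a server-originated alert is parsed. The `%{ ... %}` block and its enclosing `refine` begin outside this hunk.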
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ssl
+#open 2014-03-04-21-57-58
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher server_name session_id subject issuer_subject not_valid_before not_valid_after last_alert client_subject client_issuer_subject established
+#types time string addr port addr port string string string string string string time time string string string bool
+1393957586.786031 CXWv6p3arKYeMETxOg 192.168.4.149 53525 74.125.239.37 443 - - - - - - - - handshake_failure - - F
+#close 2014-03-04-21-57-58
diff --git a/testing/btest/Traces/tls-1.2-handshake-failure.trace b/testing/btest/Traces/tls-1.2-handshake-failure.trace
new file mode 100644
index 0000000000..aecda8cb9b
Binary files /dev/null and b/testing/btest/Traces/tls-1.2-handshake-failure.trace differ
diff --git a/testing/btest/scripts/base/protocols/ssl/tls-1.2-handshake-failure.test b/testing/btest/scripts/base/protocols/ssl/tls-1.2-handshake-failure.test
new file mode 100644
index 0000000000..9cceca70b1
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/tls-1.2-handshake-failure.test
@@ -0,0 +1,2 @@
+# @TEST-EXEC: bro -r $TRACES/tls-1.2-handshake-failure.trace %INPUT
+# @TEST-EXEC: btest-diff ssl.log
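Review bot: The new test exercises only the aborted-handshake path; nothing in this commit covers the duplicate suppression it also adds (`logged` in `log_record`, `delete c$ssl$analyzer_id` in `finish`), which is what keeps a normally established connection from being logged twice now that `connection_state_remove` calls `finish()` as well. Unless an existing baseline already checks a successful TLS trace for exactly one row with `established=T`, adding such a check, either as a separate test or as a second `@TEST-EXEC` over an established-session trace here, would pin that behaviour. The baseline row also shows `version` and `cipher` unset for the failure case although the ClientHello's version passed `version_ok`; if that is intended, a sentence in the test header saying so would stop a later reader from treating it as a regression.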