diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro
index dbe5f2bccd..54ac8548ba 100644
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@@ -103,6 +103,9 @@ export {
 	## Event that can be handled to access the SSL
 	## record as it is sent on to the logging framework.
 	global log_ssl: event(rec: Info);
+
+	# do everything you want to do right before logging here
+	global ssl_finishing: hook(c: connection);
 	}
 
 redef record connection += {
@@ -294,11 +297,22 @@ event ssl_established(c: connection) &priority=7
 	c$ssl$established = T;
 	}
 
+event ssl_established(c: connection) &priority=20
+	{
+	hook ssl_finishing(c);
+	}
+
 event ssl_established(c: connection) &priority=-5
 	{
 	finish(c, T);
 	}
 
+event connection_state_remove(c: connection) &priority=20
+	{
+	if ( c?$ssl && ! c$ssl$logged )
+		hook ssl_finishing(c);
+	}
+
 event connection_state_remove(c: connection) &priority=-5
 	{
 	if ( c?$ssl )
diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro
index c50da10380..c2f4e569a2 100644
--- a/scripts/policy/protocols/ssl/validate-certs.bro
+++ b/scripts/policy/protocols/ssl/validate-certs.bro
@@ -136,17 +136,8 @@ function cache_validate(chain: vector of opaque of x509): X509::Result
 	return result;
 	}
 
-# The server issues CCS only after sending the certificates. This should
-# be more robust than using SSL_established, on the off chance that we don't
-# get that event.
-#
-# This is not TLSv1.3 compatible - but we will not have certificates in
-# that case in any way, so it even saves us a few cycles.
-event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=3
+hook ssl_finishing(c: connection) &priority=20
 	{
-	if ( is_orig )
-		return;
-
 	# If there aren't any certs we can't very well do certificate validation.
 	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
 	     ! c$ssl$cert_chain[0]?$x509 )
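Review bot: The new exported hook `ssl_finishing` is documented with a single `#` line, unlike the neighbouring `log_ssl` which uses `##` doc comments, so the hook will not appear in the generated script documentation and its contract (when it fires, what state is available) is left to readers of main.bro. I would replace the comment with a `##` block stating that the hook runs once per connection right before the SSL record is written to the log, from `ssl_established` for completed handshakes and from `connection_state_remove` for connections that are never established, and that handlers that want to act on the certificate chain should use it rather than `ssl_change_cipher_spec`. Something like `## Hook that can be handled to do work on the SSL record right before it is logged, e.g. certificate validation.` plus the two-case timing sentence would suffice.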
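Review bot: The new `ssl_established` handler at `&priority=20` runs before the existing `&priority=7` handler that sets `c$ssl$established = T`, so every `ssl_finishing` handler reached through this path observes `established == F` — the same value they see on the `connection_state_remove` path for a handshake that never completed — and cannot distinguish the two cases. Unless that is intended, lowering the event priority so the hook still precedes `finish(c, T)` at `-5` but follows the state update fixes it: `event ssl_established(c: connection) &priority=5`. The `connection_state_remove` guard relies on `c$ssl$logged` being set by `finish()` to avoid invoking the hook a second time; that assignment is outside this hunk, so a short comment on the guard (`# finish() marks the record logged; skip connections already handled via ssl_established`) would make the single-invocation contract explicit.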
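Review bot: The removed comment explained why validation was triggered on the server's ChangeCipherSpec (it is sent only after the certificates, and was considered more robust than `ssl_established`); the new `hook ssl_finishing` handler carries no comment at all, and the trade-off has changed: for a connection whose handshake aborts before `ssl_established`, validation now runs only from `connection_state_remove`, i.e. possibly after the connection timeout rather than as soon as the chain is on the wire, which delays any notice about a bad certificate presented during an aborted handshake. I would add a comment above the handler such as `# Runs right before the SSL record is logged (on ssl_established, or on connection_state_remove if the handshake never completed). Validation is therefore deferred until then, not when the chain is received.` and, if the delayed-notice case matters operationally, keep that rationale visible. The handler body continues past the end of this hunk.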
diff --git a/scripts/policy/protocols/ssl/validate-sct.bro b/scripts/policy/protocols/ssl/validate-sct.bro
index 385621afde..bf7d8745bb 100644
--- a/scripts/policy/protocols/ssl/validate-sct.bro
+++ b/scripts/policy/protocols/ssl/validate-sct.bro
@@ -84,12 +84,9 @@ event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, log
 	c$ssl$ct_proofs[|c$ssl$ct_proofs|] = SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_algorithm, $hash_alg=hash_algorithm, $signature=signature, $source=src);
 	}
 
-# Priority = 2 will be handled after validation is done
-event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=2
+# Priority = 19 will be handled after validation is done
+hook ssl_finishing(c: connection) &priority=19
 	{
-	if ( is_orig )
-		return;
-
 	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
 	     ! c$ssl$cert_chain[0]?$x509 )
 		return;
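Review bot: The comment `# Priority = 19 will be handled after validation is done` encodes an ordering dependency on another file's handler without naming it: it presumably relies on validate-certs.bro registering its `ssl_finishing` handler at priority 20, and nothing here fails loudly if that priority changes or the script is not loaded. I would make the dependency explicit, e.g. `# Priority 19: runs after validate-certs' ssl_finishing handler (priority 20), so certificate validation has already happened.`; note also that, per Zeek hook semantics, a higher-priority handler that executes `break` would skip this one entirely, which is a new failure mode compared with the old independent `ssl_change_cipher_spec` event handler. The handler body continues past the end of this hunk.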