diff --git a/COPYING b/COPYING
new file mode 100644
index 0000000..ae96ceb
--- /dev/null
+++ b/COPYING
@@ -0,0 +1,73 @@ +Copyright (c) 2012-2019, International Computer Science Institute + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +(1) Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + +(2) Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +(3) Neither the name of the International Computer Science Institute, + nor the names of contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE +LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. + +Note that some files in the distribution may carry their own copyright +notices. + + +============================================================================== + +Some trace-files and test-scripts are taken from the Zeek distribution. 
+Zeek distribution copyright notice: + +============================================================================== + +Copyright (c) 1995-2018, The Regents of the University of California +through the Lawrence Berkeley National Laboratory and the +International Computer Science Institute. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +(1) Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + +(2) Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +(3) Neither the name of the University of California, Lawrence Berkeley + National Laboratory, U.S. Dept. of Energy, International Computer + Science Institute, nor the names of contributors may be used to endorse + or promote products derived from this software without specific prior + written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE +LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. + +Note that some files in the distribution may carry their own copyright +notices. 
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..ac6058f
--- /dev/null
+++ b/README.md
@@ -0,0 +1,22 @@ +# TLS Log Alternative + +This package provides a log alternative to the traditional ```ssl.log```, which is provided by Zeek by default. If you load this package, you will get one (or optionally two) additional log files that provide a lot more information about the TLS handshake. + +Loading this script by default will create a new ```tls.log``` file. This file contains a lot of low-level details of the handshake. For more details, please see ```tls.zeek``` in ```scripts```, which has documentation for every field. Example log output: + +``` +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p server_version client_version cipher client_ciphers sni ssl_client_exts ssl_server_exts ticket_lifetime_hint server_certs client_certs ssl_established dh_param_size point_formats client_curves curve orig_alpn resp_alpn alert client_supported_versions server_supported_version psk_key_exchange_modes client_key_share_groups server_key_share_group client_comp_methods sigalgs hashalgs +#types time string addr port addr port count count count vector[count] vector[string] vector[count] vector[count] count vector[string]vector[string] bool count vector[count] vector[count] count vector[string] vector[string] vector[count] vector[count] count vector[count] vector[count] count vector[count] vector[count] vector[count] +1491407508.244862 C59DC42iW3polXuIef 192.168.6.240 65503 139.162.123.134 13443 32531 771 4866 49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,4866,4867,4865,61,60,53,47,255 - 11,10,35,13,22,23,43,45,40 40 - -- F - 0,1,2 29,23,25,24 - - - - 32531,771,770,769 - 1,0 29 29 0 3,3,3,4,5,6,1,1,1,3,1,2,2,2,2 4,5,6,8,8,8,4,5,6,2,2,2,4,5,6 +1491407512.852869 C3tAYa2eYDO4qZFDie 192.168.6.240 65504 139.162.123.134 13443 32531 771 4866 49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,4866,4867,4865,61,60,53,47,255 - 
11,10,35,13,22,23,43,45,40,42,41 40,41-- - F - 0,1,2 29,23,25,24 - - - - 32531,771,770,769 - 1,0 29 29 0 3,3,3,4,5,6,1,1,1,3,1,2,2,2,2 4,5,6,8,8,8,4,5,6,2,2,2,4,5,6
+```
+
+If you re-define the option ```TLSLog::log_certificates``` to true, you also get a second log file called ```tls_certificates.log```, which contains a base64-encoded version of all certificates that are sent over the wire.
+
+By default, certificate hashes are provided as sha256. If you want to use a different hash algorithm, you can redef ```TLSLog::hash_function``` to a different hash function, e.g. to ```sha1_hash```.
+
+The easiest way to install this pacjage is by using the package manager; just do
+
+```
+zkg install 0xxon/tls-log-alternative
+```
diff --git a/scripts/__load__.zeek b/scripts/__load__.zeek
new file mode 100644
index 0000000..7d96069
--- /dev/null
+++ b/scripts/__load__.zeek
@@ -0,0 +1 @@
+@load ./tls
diff --git a/scripts/tls.zeek b/scripts/tls.zeek
new file mode 100644
index 0000000..3848cb0
--- /dev/null
+++ b/scripts/tls.zeek
@@ -0,0 +1,379 @@
+## This script generates a file called tls.log. The difference from ssl.log is that this
+## is much more focused on logging all kinds of protocol features. This can be interesting
+## for academic purposes - or if one is just interested in more information about specific
+## features used in local TLS traffic.
+
+module TLSLog;
+
+export {
+ ## Log identifier for certificate log, as well as for the connection information log
+ redef enum Log::ID += {
+ TLS_CERTIFICATE_LOG,
+ TLS_LOG,
+ };
+
+ ## The hash function used for certificate hashes. By default this is sha256; you can use
+ ## any other hash function and the hashes in both log files will change
+ option hash_function: function(cert: string): string = sha256_hash;
+
+ ## If set to true, a log-file containing all certificates will be greated.
+ option log_certificates: bool = F;
+
+ type CertificateInfo: record {
+ ## Timestamp when this certificate was encountered.
+ ts: time &log;
+ ## Fingerprint of the certificate - uses chosen algorithm.
+ fp: string &log;
+ ## Base64 endoded X.509 certificate.
+ cert: string &log;
+ ## Server hosting the certificate.
+ host: addr &log;
+ ## Port on the server hosting the certificate
+ host_p: count &log;
+ ## Indicates if this certificate was a end-host certificate, or sent as part of a chain
+ host_cert: bool &log &default=F;
+ ## Indicates if this certificate was sent from the client
+ client_cert: bool &log &default=F;
+ };
+
+ type TLSInfo: record {
+ ## Timestamp when the conenction began.
+ ts: time &log;
+ ## Connection uid
+ uid: string &log;
+ ## Connection 4-tup;e
+ id: conn_id &log;
+ ## Numeric version of the server in the server hello
+ server_version: count &log &optional;
+ ## Numeric version of the client in the client hello
+ client_version: count &log &optional;
+ ## Cipher that was chosen for the connection
+ cipher: count &log &optional;
+ ## Ciphers that were offered by the client for the connection
+ client_ciphers: vector of count &log &optional;
+ ## SNI that was sent by the client
+ sni: vector of string &log &optional;
+ ## SSL Client extensions
+ ssl_client_exts: vector of count &log &optional;
+ ## SSL server extensions
+ ssl_server_exts: vector of count &log &optional;
+ ## Suggested ticket lifetime sent in the session ticket handshake
+ ## by the server.
+ ticket_lifetime_hint: count &log &optional;
+ ## Hashes of the full certificate chain sent by the server
+ server_certs: vector of string &log &optional;
+ ## Hashes of the full certificate chain sent by the server
+ client_certs: vector of string &log &optional;
+ ## Set to true if the ssl_established event was seen.
+ ssl_established: bool &log &default=F;
+ ## The diffie helman parameter size, when using DH.
+ dh_param_size: count &log &optional;
+ ## supported elliptic curve point formats
+ point_formats: vector of count &log &optional;
+ ## The curves supported by the client.
+ client_curves: vector of count &log &optional;
+ ## The curve the server chose when using ECDH.
+ curve: count &log &optional;
+ ## Application layer protocol negotiation extension sent by the client.
+ orig_alpn: vector of string &log &optional;
+ ## Application layer protocol negotiation extension sent by the server.
+ resp_alpn: vector of string &log &optional;
+ ## Alert. If the connection was closed with an TLS alers before being
+ ## completely established, this field contains the alert level and description
+ ## numbers that were transfered
+ alert: vector of count &log &optional;
+ ## TLS 1.3 supported versions
+ client_supported_versions: vector of count &log &optional;
+ ## TLS 1.3 supported versions
+ server_supported_version: count &log &optional;
+ ## TLS 1.3 Pre-shared key exchange modes
+ psk_key_exchange_modes: vector of count &log &optional;
+ ## Key share groups from client hello
+ client_key_share_groups: vector of count &log &optional;
+ ## Selected key share group from server hello
+ server_key_share_group: count &log &optional;
+ ## Client supported compression methods
+ client_comp_methods: vector of count &log &optional;
+ ## Server chosen compression method
+ comp_method: count;
+ ## Client supported signature algorithms
+ sigalgs: vector of count &log &optional;
+ ## Client supported hash algorithms
+ hashalgs: vector of count &log &optional;
+ };
+
+ ## Event from a manager to workers when encountering a new, cert
+ global tls_cert_add: event(sha: string);
+
+ ## Event from workers to the manager when a new intermediate cert
+ ## is to be added.
+ global tls_new_cert: event(sha: string);
+}
+
+redef record connection += {
+ tls_conns: TLSInfo &optional;
+};
+
+# We store the hashes of certs here for a short period to prevent relogging.
+global cert_cache: set[string] &create_expire=1hr;
+
+@if ( Cluster::is_enabled() )
+event bro_init()
+ {
+ Broker::auto_publish(Cluster::worker_topic, TLSLog::tls_cert_add);
+ Broker::auto_publish(Cluster::manager_topic, TLSLog::tls_new_cert);
+ }
+@endif
+
+@if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER )
+event TLSLog::tls_cert_add(sha: string)
+ {
+ add cert_cache[sha];
+ }
+@endif
+
+@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER )
+event TLSLog::tls_new_cert(sha: string)
+ {
+ if ( sha in cert_cache )
+ return;
+
+ add cert_cache[sha];
+ event TLSLog::tls_cert_add(sha);
+ }
+@endif
+
+event zeek_init() &priority=5
+ {
+ Log::create_stream(TLSLog::TLS_CERTIFICATE_LOG, [$columns=CertificateInfo, $path="tls_certificates"]);
+ Log::create_stream(TLSLog::TLS_LOG, [$columns=TLSInfo, $path="tls"]);
+ }
+
+function set_session(c: connection)
+ {
+ if ( ! c?$tls_conns )
+ {
+ local t: TLSInfo;
+ t$ts=network_time();
+ t$uid=c$uid;
+ t$id=c$id;
+ t$ssl_client_exts=vector();
+ t$ssl_server_exts=vector();
+ c$tls_conns = t;
+ }
+ }
+
+event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
+ {
+ set_session(c);
+ c$tls_conns$client_ciphers = ciphers;
+ c$tls_conns$client_version = version;
+ c$tls_conns$client_comp_methods = comp_methods;
+ }
+
+event ssl_server_hello(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)
+ {
+ set_session(c);
+ c$tls_conns$server_version = version;
+ c$tls_conns$cipher = cipher;
+ c$tls_conns$comp_method = comp_method;
+ }
+
+event ssl_session_ticket_handshake(c: connection, ticket_lifetime_hint: count, ticket: string)
+ {
+ set_session(c);
+ c$tls_conns$ticket_lifetime_hint = ticket_lifetime_hint;
+ }
+
+event ssl_extension(c: connection, is_orig: bool, code: count, val: string)
+ {
+ set_session(c);
+
+ if ( is_orig )
+ c$tls_conns$ssl_client_exts[|c$tls_conns$ssl_client_exts|] = code;
+ else
+ c$tls_conns$ssl_server_exts[|c$tls_conns$ssl_server_exts|] = code;
+ }
+
+event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec)
+ {
+ set_session(c);
+ if ( !is_orig )
+ return;
+
+ c$tls_conns$sni = names;
+ }
+
+event ssl_extension_ec_point_formats(c: connection, is_orig: bool, point_formats: index_vec)
+ {
+ set_session(c);
+ if ( !is_orig )
+ return;
+
+ c$tls_conns$point_formats = point_formats;
+ }
+
+event ssl_extension_elliptic_curves(c: connection, is_orig: bool, curves: index_vec)
+ {
+ set_session(c);
+ if ( !is_orig )
+ return;
+
+ c$tls_conns$client_curves = curves;
+ }
+
+event ssl_ecdh_server_params(c: connection, curve: count, point: string)
+ {
+ set_session(c);
+
+ c$tls_conns$curve = curve;
+ }
+
+event ssl_extension_application_layer_protocol_negotiation(c: connection, is_orig: bool, names: string_vec)
+ {
+ set_session(c);
+
+ if ( is_orig )
+ c$tls_conns$orig_alpn = names;
+ else
+ c$tls_conns$resp_alpn = names;
+ }
+
+event ssl_alert(c: connection, is_orig: bool, level: count, desc: count)
+ {
+ set_session(c);
+
+ local out: index_vec;
+
+ if ( is_orig )
+ out[0] = 1;
+ else
+ out[0] = 0;
+
+ out[1] = level;
+ out[2] = desc;
+
+ c$tls_conns$alert = out;
+ }
+
+event ssl_established(c: connection)
+ {
+ set_session(c);
+
+ c$tls_conns$ssl_established = T;
+ }
+
+event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string)
+ {
+ set_session(c);
+
+ local key_length = |Ys| * 8; # key length in bits
+ c$tls_conns$dh_param_size = key_length;
+ }
+
+event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec)
+ {
+ set_session(c);
+ if ( is_orig )
+ c$tls_conns$client_supported_versions = versions;
+ else
+ c$tls_conns$server_supported_version = versions[0];
+ }
+
+event ssl_extension_psk_key_exchange_modes(c: connection, is_orig: bool, modes: index_vec)
+ {
+ if ( ! is_orig )
+ return;
+
+ set_session(c);
+
+ c$tls_conns$psk_key_exchange_modes = modes;
+ }
+
+event ssl_extension_key_share(c: connection, is_orig: bool, curves: index_vec)
+ {
+ set_session(c);
+
+ if ( is_orig )
+ c$tls_conns$client_key_share_groups = curves;
+ else
+ c$tls_conns$server_key_share_group = curves[0];
+ }
+
+event ssl_extension_signature_algorithm(c: connection, is_orig: bool, signature_algorithms: signature_and_hashalgorithm_vec)
+ {
+ if ( ! is_orig )
+ return;
+
+ set_session(c);
+
+ local sigalgs: index_vec = vector();
+ local hashalgs: index_vec = vector();
+
+ for ( i in signature_algorithms )
+ {
+ local rec = signature_algorithms[i];
+ sigalgs[|sigalgs|] = rec$SignatureAlgorithm;
+ hashalgs[|hashalgs|] = rec$HashAlgorithm;
+ }
+
+ c$tls_conns$sigalgs = sigalgs;
+ c$tls_conns$hashalgs = hashalgs;
+ }
+
+function log_cert_chain(c: connection, chain: vector of Files::Info, client: bool): vector of string
+ {
+ local out: vector of string = vector();
+ for ( certI in chain )
+ {
+ # Apparently we might have "holes" in some chains (aka certs that OpenSSL cannot parse).
+ # That is kind of a problem, because we cannot really do much in that case.
+ # This was not a problem in older Zeek versions, because we then could still get access
+ # to the actual raw data. But with the new versions, that information is lost when we arrive here.
+ if ( ! chain[certI]?$x509 || ! chain[certI]$x509?$handle )
+ {
+ next;
+ }
+
+ local cert_opaque = chain[certI]$x509$handle;
+ local der_cert = x509_get_certificate_string(cert_opaque);
+ local fp = hash_function(der_cert);
+ out[certI] = fp;
+
+ # Only do the cert tracking if we haven't seen this cert recently.
+ if ( log_certificates && fp !in cert_cache )
+ {
+ local cert_val: CertificateInfo;
+ cert_val$ts = network_time();
+ cert_val$fp = fp;
+ cert_val$cert = encode_base64(der_cert);
+ cert_val$host = c$id$resp_h;
+ cert_val$host_p = port_to_count(c$id$resp_p);
+ cert_val$client_cert = client;
+
+ if ( certI == 0 )
+ cert_val$host_cert = T;
+
+ add cert_cache[cert_val$fp];
+@if ( Cluster::is_enabled() )
+ event TLSLog::tls_new_cert(cert_val$fp);
+@endif
+ Log::write(TLSLog::TLS_CERTIFICATE_LOG, cert_val);
+ }
+ }
+ return out;
+ }
+
+hook SSL::ssl_finishing(c: connection)
+ {
+ if ( ! c?$tls_conns )
+ return;
+
+ if ( c$ssl?$cert_chain )
+ c$tls_conns$server_certs = log_cert_chain(c, c$ssl$cert_chain, F);
+ if ( c$ssl?$client_cert_chain )
+ c$tls_conns$client_certs = log_cert_chain(c, c$ssl$client_cert_chain, T);
+
+ Log::write(TLSLog::TLS_LOG, c$tls_conns);
+ }
+
diff --git a/tests/Baseline/scripts.certificate/tls_certificates.log b/tests/Baseline/scripts.certificate/tls_certificates.log
new file mode 100644
index 0000000..b098f8c
--- /dev/null
+++ b/tests/Baseline/scripts.certificate/tls_certificates.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path tls_certificates
+#open 2019-10-08-19-49-25
+#fields ts fp cert host host_p host_cert client_cert
+#types time string string addr count bool bool
+1398529018.743952 e2fb0771ee6fc0d0e324bc863c02b57921257c86 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 74.125.239.97 443 T F
+1398529018.743952 d83c1a7f4d0446bb2081b81a1670f8183451ca24 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 74.125.239.97 443 T F
+1398529018.743952 7359755c6df9a0abc3060bce369564c8ec4542a3 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 74.125.239.97 443 T F
+#close 2019-10-08-19-49-25
diff --git a/tests/Baseline/scripts.keyexchange/tls-all.log b/tests/Baseline/scripts.keyexchange/tls-all.log
new file mode 100644
index 0000000..8e49410
--- /dev/null
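Review bot: In ssl_extension_supported_versions and ssl_extension_key_share the responder branch indexes `versions[0]` / `curves[0]` without checking that the vector is non-empty, and as far as the event signatures show both vectors come straight from the peer's extension data, so an extension with an empty body would hit an out-of-range vector index at runtime; guard each, e.g. `else if ( |versions| > 0 ) c$tls_conns$server_supported_version = versions[0];` and likewise `else if ( |curves| > 0 ) c$tls_conns$server_key_share_group = curves[0];`. In the TLSInfo record `comp_method: count;` is the only field without `&log &optional`, so the value assigned in ssl_server_hello never reaches tls.log (the baselines' `#fields` lines have no such column) and it stays unset for connections that never see a server hello; if logging it is intended, `comp_method: count &log &optional;` (the baselines would then need regenerating). The tls_certificates.log baseline records host_cert = T for all three certificates sharing one timestamp, which the `if ( certI == 0 )` test in log_cert_chain cannot produce for what appears to be a single chain, so that baseline may predate the check and is worth regenerating against this version of the script. ssl_dh_server_params computes `|Ys| * 8` from the server's public value even though the modulus `p` is passed in; Ys can be encoded with fewer bytes than p, so `|p| * 8` is the safer measure of the DH group size the field is documented to hold. Documentation fixes: `client_certs` is described as "sent by the server" (should be "sent by the client"), "conenction", "4-tup;e", "endoded", "greated", "alers" and "transfered" are typos, and the cluster block uses the deprecated `bro_init` while the stream setup uses `zeek_init`.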
+++ b/tests/Baseline/scripts.keyexchange/tls-all.log 
@@ -0,0 +1,62 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tls +#open 2019-10-08-19-47-29 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p server_version client_version cipher client_ciphers sni ssl_client_exts ssl_server_exts ticket_lifetime_hint server_certs client_certs ssl_established dh_param_size point_formats client_curves curve orig_alpn resp_alpn alert client_supported_versions server_supported_version psk_key_exchange_modes client_key_share_groups server_key_share_group client_comp_methods sigalgs hashalgs +#types time string addr port addr port count count count vector[count] vector[string] vector[count] vector[count] count vector[string] vector[string] bool count vector[count] vector[count] count vector[string] vector[string] vector[count] vector[count] count vector[count] vector[count] count vector[count] vector[count] vector[count] +1398558136.319509 C59DC42iW3polXuIef 192.168.18.50 62277 162.219.2.166 443 771 771 136 136,255 - 35,13,15 65281,35,15 300 b706ad178447821cc60aca1e0cd59697333a6178fd1c73f839fbdfb5b76bc507,cb2db573610f401e8d602917bbbe6ab4162255f208efad909d5440691aa0203c (empty) F 1024 - - - - - - - - - - - 1,0 1,2,3,1,2,3,1,2,3,1,2,3,1,2,3 6,6,6,5,5,5,4,4,4,3,3,3,2,2,2 +#close 2019-10-08-19-47-29 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tls +#open 2019-10-08-19-47-30 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p server_version client_version cipher client_ciphers sni ssl_client_exts ssl_server_exts ticket_lifetime_hint server_certs client_certs ssl_established dh_param_size point_formats client_curves curve orig_alpn resp_alpn alert client_supported_versions server_supported_version psk_key_exchange_modes client_key_share_groups server_key_share_group client_comp_methods sigalgs hashalgs +#types time string addr port addr port count count count vector[count] vector[string] vector[count] vector[count] count vector[string] vector[string] bool count 
vector[count] vector[count] count vector[string] vector[string] vector[count] vector[count] count vector[count] vector[count] count vector[count] vector[count] vector[count] +1398529018.678827 C59DC42iW3polXuIef 192.168.18.50 56981 74.125.239.97 443 771 771 49172 49172,255 - 11,10,35,13,15 65281,11,35 100800 a97a22b691caf62c1623d14abf8a31ac915f14d87f77d8a37c47eb4785b484ad,a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d,3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0 (empty) F - 0,1,2 14,13,25,11,12,24,9,10,22,23,8,6,7,20,21,4,5,18,19,1,2,3,15,16,17 23 - - - - - - - - 1,0 1,2,3,1,2,3,1,2,3,1,2,3,1,2,3 6,6,6,5,5,5,4,4,4,3,3,3,2,2,2 +#close 2019-10-08-19-47-30 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tls +#open 2019-10-08-19-47-31 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p server_version client_version cipher client_ciphers sni ssl_client_exts ssl_server_exts ticket_lifetime_hint server_certs client_certs ssl_established dh_param_size point_formats client_curves curve orig_alpn resp_alpn alert client_supported_versions server_supported_version psk_key_exchange_modes client_key_share_groups server_key_share_group client_comp_methods sigalgs hashalgs +#types time string addr port addr port count count count vector[count] vector[string] vector[count] vector[count] count vector[string] vector[string] bool count vector[count] vector[count] count vector[string] vector[string] vector[count] vector[count] count vector[count] vector[count] count vector[count] vector[count] vector[count] +1170717505.549109 C59DC42iW3polXuIef 192.150.187.164 58868 194.127.84.106 443 769 2 4 57,56,53,51,50,4,5,47,22,19,65279,10,21,18,65278,9,100,98,3,6 - (empty) (empty) - ddd0218a34972ceab3d200b78959bd2b4c95eadf37399df35bfd68a5b658bc78,ba352de8d8faa0ecfdbeee560fa308fe192023d3b18d83a68845933bebf28360 (empty) F - - - - - - - - - - - - (empty) - - +1170717508.697180 C3tAYa2eYDO4qZFDie 192.150.187.164 58869 
194.127.84.106 443 769 769 4 57,56,53,51,50,4,5,47,22,19,65279,10,21,18,65278,9,100,98,3,6 - (empty) (empty) - ddd0218a34972ceab3d200b78959bd2b4c95eadf37399df35bfd68a5b658bc78,ba352de8d8faa0ecfdbeee560fa308fe192023d3b18d83a68845933bebf28360 (empty) F - - - - - - - - - - - - 0 - - +1170717511.722913 CXACkq2V6gr8LgNY04 192.150.187.164 58870 194.127.84.106 443 769 769 4 57,56,53,51,50,4,5,47,22,19,65279,10,21,18,65278,9,100,98,3,6 - (empty) (empty) - ddd0218a34972ceab3d200b78959bd2b4c95eadf37399df35bfd68a5b658bc78,ba352de8d8faa0ecfdbeee560fa308fe192023d3b18d83a68845933bebf28360 (empty) F - - - - - - - - - - - - 0 - - +#close 2019-10-08-19-47-31 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tls +#open 2019-10-08-19-47-32 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p server_version client_version cipher client_ciphers sni ssl_client_exts ssl_server_exts ticket_lifetime_hint server_certs client_certs ssl_established dh_param_size point_formats client_curves curve orig_alpn resp_alpn alert client_supported_versions server_supported_version psk_key_exchange_modes client_key_share_groups server_key_share_group client_comp_methods sigalgs hashalgs +#types time string addr port addr port count count count vector[count] vector[string] vector[count] vector[count] count vector[string] vector[string] bool count vector[count] vector[count] count vector[string] vector[string] vector[count] vector[count] count vector[count] vector[count] count vector[count] vector[count] vector[count] +1512072318.429417 C59DC42iW3polXuIef 192.168.17.58 62987 216.58.192.14 443 770 770 49171 49172,49162,57,56,55,54,136,135,134,133,49167,49157,53,132,49171,49161,51,50,49,48,154,153,152,151,69,68,67,66,49166,49156,47,150,65,7,49169,49159,49164,49154,5,4,49170,49160,22,19,16,13,49165,49155,10,255 - 11,10,35,15 65281,35,11 100800 
22a920a5ec03c819b569ed0fa8b7df258e3e7ea11fdd15b83b6fa45f3e863036,9b759d41e3de30f9d2f902027d792b65d950a98bbb6d6d56be7f2528453bf8e9,3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0 (empty) F - 0,1,2 23,25,28,27,24,26,22,14,13,11,12,9,10 23 - - - - - - - - 1,0 - - +#close 2019-10-08-19-47-32 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tls +#open 2019-10-08-19-47-33 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p server_version client_version cipher client_ciphers sni ssl_client_exts ssl_server_exts ticket_lifetime_hint server_certs client_certs ssl_established dh_param_size point_formats client_curves curve orig_alpn resp_alpn alert client_supported_versions server_supported_version psk_key_exchange_modes client_key_share_groups server_key_share_group client_comp_methods sigalgs hashalgs +#types time string addr port addr port count count count vector[count] vector[string] vector[count] vector[count] count vector[string] vector[string] bool count vector[count] vector[count] count vector[string] vector[string] vector[count] vector[count] count vector[count] vector[count] count vector[count] vector[count] vector[count] +1425932016.520157 C59DC42iW3polXuIef 192.168.6.86 63721 104.236.167.107 4433 65279 65279 49172 49172,49162,57,56,55,54,136,135,134,133,49167,49157,53,132,49171,49161,51,50,49,48,154,153,152,151,69,68,67,66,49166,49156,47,150,65,7,49170,49160,22,19,16,13,49165,49155,10,21,18,15,12,9,20,17,14,11,8,6,255 - 11,10,35,15,11,10,35,15 65281,35,15 0 32e63ffcf5111a3a6337aa00d5186f6d475e962e9400a1dd8ad6eb4a3e177964 (empty) F - 0,1,2 14,13,25,28,11,12,27,24,9,10,26,22,23,8,6,7,20,21,4,5,18,19,1,2,3,15,16,17 23 - - - - - - - - 0 - - +#close 2019-10-08-19-47-33 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tls +#open 2019-10-08-19-47-34 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p server_version client_version cipher client_ciphers sni ssl_client_exts 
ssl_server_exts ticket_lifetime_hint server_certs client_certs ssl_established dh_param_size point_formats client_curves curve orig_alpn resp_alpn alert client_supported_versions server_supported_version psk_key_exchange_modes client_key_share_groups server_key_share_group client_comp_methods sigalgs hashalgs +#types time string addr port addr port count count count vector[count] vector[string] vector[count] vector[count] count vector[string] vector[string] bool count vector[count] vector[count] count vector[string] vector[string] vector[count] vector[count] count vector[count] vector[count] count vector[count] vector[count] vector[count] +1512070268.983215 C59DC42iW3polXuIef 192.168.17.58 60934 165.227.57.17 4400 65277 65277 49200 49200,49196,49192,49188,49172,49162,165,163,161,159,107,106,105,104,57,56,55,54,136,135,134,133,49202,49198,49194,49190,49167,49157,157,61,53,132,49199,49195,49191,49187,49171,49161,164,162,160,158,103,64,63,62,51,50,49,48,154,153,152,151,69,68,67,66,49201,49197,49193,49189,49166,49156,156,60,47,150,65,7,49170,49160,22,19,16,13,49165,49155,10,255 - 11,10,35,13,15,11,10,35,13,15 65281,11,35 7200 6f5446a5b23f4e73925de5e6629c09b1c61ed66537d6d8a7818750c9cd0a67d7 (empty) F - 0,1,2 23,25,28,27,24,26,22,14,13,11,12,9,10 23 - - - - - - - - 0 1,2,3,1,2,3,1,2,3,1,2,3,1,2,3 6,6,6,5,5,5,4,4,4,3,3,3,2,2,2 +#close 2019-10-08-19-47-34 diff --git a/tests/Baseline/scripts.tls13-psk/tls_connections_succesfull.log b/tests/Baseline/scripts.tls13-psk/tls_connections_succesfull.log new file mode 100644 index 0000000..da9e5c6 --- /dev/null +++ b/tests/Baseline/scripts.tls13-psk/tls_connections_succesfull.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tls +#open 2019-10-08-19-48-06 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p server_version client_version cipher client_ciphers sni ssl_client_exts ssl_server_exts ticket_lifetime_hint server_certs client_certs ssl_established dh_param_size point_formats client_curves curve orig_alpn resp_alpn alert client_supported_versions server_supported_version psk_key_exchange_modes client_key_share_groups server_key_share_group client_comp_methods sigalgs hashalgs +#types time string addr port addr port count count count vector[count] vector[string] vector[count] vector[count] count vector[string] vector[string] bool count vector[count] vector[count] count vector[string] vector[string] vector[count] vector[count] count vector[count] vector[count] count vector[count] vector[count] vector[count] +1555610808.383902 C59DC42iW3polXuIef 192.168.178.80 54220 174.138.9.219 443 771 771 4867 4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,173,171,52398,52397,52396,157,169,52395,172,170,156,168,61,60,49208,49206,183,179,149,145,53,175,141,49207,49205,182,178,148,144,47,174,140,255 - 11,10,35,22,23,13,43,45,51,41 43,51,41 - - - F - 0,1,2 29,23,30,25,24 - - - - 772,771,770,769 772 1 29 29 0 3,3,3,7,8,9,10,11,4,5,6,1,1,1,3,3,1,1,2,2,2,2,2 4,5,6,8,8,8,8,8,8,8,8,4,5,6,3,2,3,2,3,2,4,5,6 +#close 2019-10-08-19-48-06 diff --git a/tests/Baseline/scripts.tls13-psk/tls_connections_unsuccesful.log b/tests/Baseline/scripts.tls13-psk/tls_connections_unsuccesful.log new file mode 100644 index 0000000..b188dc4 --- /dev/null +++ b/tests/Baseline/scripts.tls13-psk/tls_connections_unsuccesful.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tls +#open 2019-10-08-19-48-07 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p server_version client_version cipher client_ciphers sni ssl_client_exts ssl_server_exts ticket_lifetime_hint server_certs client_certs ssl_established dh_param_size point_formats client_curves curve orig_alpn resp_alpn alert client_supported_versions server_supported_version psk_key_exchange_modes client_key_share_groups server_key_share_group client_comp_methods sigalgs hashalgs +#types time string addr port addr port count count count vector[count] vector[string] vector[count] vector[count] count vector[string] vector[string] bool count vector[count] vector[count] count vector[string] vector[string] vector[count] vector[count] count vector[count] vector[count] count vector[count] vector[count] vector[count] +1555611242.926638 C59DC42iW3polXuIef 192.168.178.80 54374 174.138.9.219 443 - 771 - 4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,173,171,52398,52397,52396,157,169,52395,172,170,156,168,61,60,49208,49206,183,179,149,145,53,175,141,49207,49205,182,178,148,144,47,174,140,255 - 11,10,35,22,23,13,43,45,51,41 (empty) - - - F - 0,1,2 29,23,30,25,24 - - - 0,2,47 772,771,770,769 - 1 29 - 0 3,3,3,7,8,9,10,11,4,5,6,1,1,1,3,3,1,1,2,2,2,2,2 4,5,6,8,8,8,8,8,8,8,8,4,5,6,3,2,3,2,3,2,4,5,6 +#close 2019-10-08-19-48-07 diff --git a/tests/Baseline/scripts.tls13/tls.log b/tests/Baseline/scripts.tls13/tls.log new file mode 100644 index 0000000..2cf9419 --- /dev/null +++ b/tests/Baseline/scripts.tls13/tls.log 
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path tls
+#open 2019-10-08-19-47-58
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p server_version client_version cipher client_ciphers sni ssl_client_exts ssl_server_exts ticket_lifetime_hint server_certs client_certs ssl_established dh_param_size point_formats client_curves curve orig_alpn resp_alpn alert client_supported_versions server_supported_version psk_key_exchange_modes client_key_share_groups server_key_share_group client_comp_methods sigalgs hashalgs
+#types time string addr port addr port count count count vector[count] vector[string] vector[count] vector[count] count vector[string] vector[string] bool count vector[count] vector[count] count vector[string] vector[string] vector[count] vector[count] count vector[count] vector[count] count vector[count] vector[count] vector[count]
+1491407508.244862 C59DC42iW3polXuIef 192.168.6.240 65503 139.162.123.134 13443 32531 771 4866 49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,4866,4867,4865,61,60,53,47,255 - 11,10,35,13,22,23,43,45,40 40 - - - F - 0,1,2 29,23,25,24 - - - - 32531,771,770,769 - 1,0 29 29 0 3,3,3,4,5,6,1,1,1,3,1,2,2,2,2 4,5,6,8,8,8,4,5,6,2,2,2,4,5,6
+1491407512.852869 C3tAYa2eYDO4qZFDie 192.168.6.240 65504 139.162.123.134 13443 32531 771 4866 49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,4866,4867,4865,61,60,53,47,255 - 11,10,35,13,22,23,43,45,40,42,41 40,41 - - - F - 0,1,2 29,23,25,24 - - - - 32531,771,770,769 - 1,0 29 29 0 3,3,3,4,5,6,1,1,1,3,1,2,2,2,2 4,5,6,8,8,8,4,5,6,2,2,2,4,5,6
+#close 2019-10-08-19-47-58
diff --git a/tests/Makefile b/tests/Makefile
new file mode 100644
index 0000000..4cdedac
--- /dev/null
+++ b/tests/Makefile
@@ -0,0 +1,3 @@
+
+test:
+ @btest
diff --git a/tests/Traces/dhe.pcap b/tests/Traces/dhe.pcap
new file mode 100644
index 0000000..d5e034e
Binary files /dev/null and b/tests/Traces/dhe.pcap differ
diff --git a/tests/Traces/dtls1_0.pcap b/tests/Traces/dtls1_0.pcap
new file mode 100644
index 0000000..b07e692
Binary files /dev/null and b/tests/Traces/dtls1_0.pcap differ
diff --git a/tests/Traces/dtls1_2.pcap b/tests/Traces/dtls1_2.pcap
new file mode 100644
index 0000000..a8ce0f9
Binary files /dev/null and b/tests/Traces/dtls1_2.pcap differ
diff --git a/tests/Traces/ecdhe.pcap b/tests/Traces/ecdhe.pcap
new file mode 100644
index 0000000..e37df37
Binary files /dev/null and b/tests/Traces/ecdhe.pcap differ
diff --git a/tests/Traces/nghttp2.pcap b/tests/Traces/nghttp2.pcap
new file mode 100644
index 0000000..042ca6a
Binary files /dev/null and b/tests/Traces/nghttp2.pcap differ
diff --git a/tests/Traces/ssl.v3.trace b/tests/Traces/ssl.v3.trace
new file mode 100644
index 0000000..3bcb972
Binary files /dev/null and b/tests/Traces/ssl.v3.trace differ
diff --git a/tests/Traces/tls13_psk_succesfull.pcap b/tests/Traces/tls13_psk_succesfull.pcap
new file mode 100644
index 0000000..cdf7fcf
Binary files /dev/null and b/tests/Traces/tls13_psk_succesfull.pcap differ
diff --git a/tests/Traces/tls13_psk_unsuccesful.pcap b/tests/Traces/tls13_psk_unsuccesful.pcap
new file mode 100644
index 0000000..194620e
Binary files /dev/null and b/tests/Traces/tls13_psk_unsuccesful.pcap differ
diff --git a/tests/Traces/tls1_1.pcap b/tests/Traces/tls1_1.pcap
new file mode 100644
index 0000000..36ad52c
Binary files /dev/null and b/tests/Traces/tls1_1.pcap differ
diff --git a/tests/btest.cfg b/tests/btest.cfg
new file mode 100644
index 0000000..1faf6cc
--- /dev/null
+++ b/tests/btest.cfg
@@ -0,0 +1,16 @@
+[btest]
+TestDirs = scripts
+TmpDir = %(testbase)s/.tmp
+BaselineDir = %(testbase)s/Baseline
+IgnoreDirs = .tmp
+IgnoreFiles = .DS_Store .*.swp
+
+[environment]
+BRO_SEED_FILE=%(testbase)s/random.seed
+TRACES=%(testbase)s/Traces
+TEST_DIFF_CANONIFIER=%(testbase)s/diff-remove-timestamps
+TZ=UTC
+LC_ALL=C
+TMPDIR=%(testbase)s/.tmp
+BRO_DNS_FAKE=1
+SCRIPTS=%(testbase)s/../scripts/
diff --git a/tests/diff-remove-timestamps b/tests/diff-remove-timestamps
new file mode 100755
index 0000000..44422f6
--- /dev/null
+++ b/tests/diff-remove-timestamps
@@ -0,0 +1,14 @@
+#! /usr/bin/env bash
+#
+# Replace anything which looks like timestamps with XXXs (including the #start/end markers in logs).
+
+# Get us "modern" regexps with sed.
+if [ `uname` == "Linux" ]; then
+ sed="sed -r"
+else
+ sed="sed -E"
+fi
+
+# The first sed uses a "basic" regexp, the 2nd a "modern:.
+sed 's/[0-9]\{10\}\.[0-9]\{2,8\}/XXXXXXXXXX.XXXXXX/g' | \
+$sed 's/^ *#(open|close).(19|20)..-..-..-..-..-..$/#\1 XXXX-XX-XX-XX-XX-XX/g'
diff --git a/tests/random.seed b/tests/random.seed
new file mode 100644
index 0000000..783027f
--- /dev/null
+++ b/tests/random.seed
@@ -0,0 +1,21 @@
+1486560331
+1490390561
+0
+600873
+0
+304275279
+3360860527
+3942180025
+3620130767
+758383792
+3191985221
+3961793147
+2423563083
+937192978
+2960763264
+2589560319
+4202983021
+1348123012
+1490103120
+913066842
+996286377
diff --git a/tests/scripts/certificate.zeek b/tests/scripts/certificate.zeek
new file mode 100644
index 0000000..3a8a44c
--- /dev/null
+++ b/tests/scripts/certificate.zeek
@@ -0,0 +1,5 @@
+# @TEST-EXEC: zeek -r $TRACES/ecdhe.pcap $SCRIPTS/tls.zeek %INPUT
+# @TEST-EXEC: btest-diff tls_certificates.log
+
+redef TLSLog::hash_function = sha1_hash;
+redef TLSLog::log_certificates = T;
diff --git a/tests/scripts/keyexchange.zeek b/tests/scripts/keyexchange.zeek
new file mode 100644
index 0000000..139bb5a
--- /dev/null
+++ b/tests/scripts/keyexchange.zeek
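Review bot: `BRO_SEED_FILE` and `BRO_DNS_FAKE` in `[environment]` are the legacy Bro-era names, while every test script in this commit invokes `zeek`; Zeek 3.x introduced `ZEEK_SEED_FILE` and `ZEEK_DNS_FAKE`, and if the installed release no longer honours the `BRO_` spellings the seed is silently ignored and any name lookups triggered while processing the traces go to a real resolver, which makes the baselines non-deterministic. Adding `ZEEK_SEED_FILE=%(testbase)s/random.seed` and `ZEEK_DNS_FAKE=1` next to the existing lines keeps the file working across versions. The two sections also mix `key = value` and `key=value` spacing; btest accepts both, but one style per file reads better.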
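Review bot: The comment above the pipeline is garbled, `# The first sed uses a "basic" regexp, the 2nd a "modern" one.` is presumably what was meant. Because the canonifier is a two-stage pipeline, a failure of the first sed is masked by the exit status of the second, so a broken first stage would surface only as an un-canonified diff; `set -o pipefail` right after the shebang makes that failure visible, assuming btest checks the canonifier's exit status. The `[ `uname` == "Linux" ]` test is bash-only but acceptable under the bash shebang; current GNU sed also accepts `-E`, so the branch could go if only GNU and BSD sed matter, though that is optional.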
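Review bot: `redef TLSLog::hash_function = sha1_hash;` pins SHA-1 for the certificate fingerprints in the baseline without saying why, so readers may take the test as a recommendation; a comment such as `# SHA-1 keeps the baseline short and is a test-only choice; deployments identifying certificates should prefer sha256_hash.` would make the intent clear. SHA-1 is collision-affected, so a fingerprint meant to identify a certificate is better computed with `sha256_hash`, but switching here would require regenerating `tls_certificates.log`.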
@@ -0,0 +1,14 @@
+# @TEST-EXEC: zeek -r $TRACES/dhe.pcap $SCRIPTS/tls.zeek %INPUT
+# @TEST-EXEC: cat tls.log > tls-all.log
+# @TEST-EXEC: zeek -r $TRACES/ecdhe.pcap $SCRIPTS/tls.zeek %INPUT
+# @TEST-EXEC: cat tls.log >> tls-all.log
+# @TEST-EXEC: zeek -r $TRACES/ssl.v3.trace $SCRIPTS/tls.zeek %INPUT
+# @TEST-EXEC: cat tls.log >> tls-all.log
+# @TEST-EXEC: zeek -r $TRACES/tls1_1.pcap $SCRIPTS/tls.zeek %INPUT
+# @TEST-EXEC: cat tls.log >> tls-all.log
+# @TEST-EXEC: zeek -r $TRACES/dtls1_0.pcap $SCRIPTS/tls.zeek %INPUT
+# @TEST-EXEC: cat tls.log >> tls-all.log
+# @TEST-EXEC: zeek -r $TRACES/dtls1_2.pcap $SCRIPTS/tls.zeek %INPUT
+# @TEST-EXEC: cat tls.log >> tls-all.log
+# @TEST-EXEC: btest-diff tls-all.log
+
diff --git a/tests/scripts/tls13-psk.zeek b/tests/scripts/tls13-psk.zeek
new file mode 100644
index 0000000..448529e
--- /dev/null
+++ b/tests/scripts/tls13-psk.zeek
@@ -0,0 +1,6 @@
+# @TEST-EXEC: zeek -C -r $TRACES/tls13_psk_succesfull.pcap $SCRIPTS/tls.zeek %INPUT
+# @TEST-EXEC: mv tls.log tls_connections_succesfull.log
+# @TEST-EXEC: zeek -C -r $TRACES/tls13_psk_unsuccesful.pcap $SCRIPTS/tls.zeek %INPUT
+# @TEST-EXEC: mv tls.log tls_connections_unsuccesful.log
+# @TEST-EXEC: btest-diff tls_connections_succesfull.log
+# @TEST-EXEC: btest-diff tls_connections_unsuccesful.log
diff --git a/tests/scripts/tls13.zeek b/tests/scripts/tls13.zeek
new file mode 100644
index 0000000..c3a80b9
--- /dev/null
+++ b/tests/scripts/tls13.zeek
@@ -0,0 +1,2 @@
+# @TEST-EXEC: zeek -C -r $TRACES/nghttp2.pcap $SCRIPTS/tls.zeek %INPUT
+# @TEST-EXEC: btest-diff tls.log
diff --git a/zkg.meta b/zkg.meta
new file mode 100644
index 0000000..d689439
--- /dev/null
+++ b/zkg.meta
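Review bot: The test has no comment explaining its shape: each `zeek -r` run rewrites `tls.log`, so the interleaved `cat` lines are what accumulate the six traces into the single `tls-all.log` that is diffed, and a header such as `# Each zeek run overwrites tls.log; append it to tls-all.log after every trace so one baseline covers all key-exchange variants.` would make that explicit. Unlike the tls13 tests in this commit this one runs without `-C`, which suggests these traces carry valid checksums; a trace added later without them would have its connections dropped before analysis and the baseline would silently lack them, so the comment should note why `-C` is omitted.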
@@ -0,0 +1,6 @@
+[package]
+description = "This package generates a file called tls.log. The difference from ssl.log is that it is much more focused on logging all kinds of protocol features. This can be interesting for academic purposes - or if one is just interested in more information about specific features used in local TLS traffic."
+tags = TLS, SSL, X509, Certificates, PKI
+script_dir = scripts
+test_command = cd tests && make
+version = master
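Review bot: The `description` value is wrapped in double quotes; zkg reads zkg.meta with Python's configparser, which keeps quote characters as part of the value unless zkg strips them itself, so the description is likely shown with literal quotes, and writing `description = This package generates a file called tls.log. ...` unquoted avoids that. `version = master` names a moving branch rather than a release, so a user cannot pin a reproducible, reviewable revision of the package and has no way to tell whether the tests in this commit match what was installed; tagging releases and referencing the tag is the usual convention for zkg packages.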