diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c

index efb170a..8f85f11 100644

--- a/epan/dissectors/packet-ssl-utils.c

+++ b/epan/dissectors/packet-ssl-utils.c

@@ -1034,6 +1034,7 @@ const value_string tls_hello_extension_types[] = {

     { 13, "signature_algorithms" },  /* RFC 5246 */

     { 14, "use_srtp" },

     { SSL_HND_HELLO_EXT_HEARTBEAT, "Heartbeat" },  /* RFC 6520 */

+    { SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET_TYPE, "Extended Master Secret" }, /* https://tools.ietf.org/html/draft-ietf-tls-session-hash-01 */

     { 35, "SessionTicket TLS" },  /* RFC 4507 */

     { SSL_HND_HELLO_EXT_NPN, "next_protocol_negotiation"}, /* http://technotes.googlecode.com/git/nextprotoneg.html */

     { SSL_HND_HELLO_EXT_RENEG_INFO, "renegotiation_info" }, /* RFC 5746 */

diff --git a/epan/dissectors/packet-ssl-utils.h b/epan/dissectors/packet-ssl-utils.h

index 1ba1598..5968b8e 100644

--- a/epan/dissectors/packet-ssl-utils.h

+++ b/epan/dissectors/packet-ssl-utils.h

@@ -148,14 +148,15 @@

 #define PCT_ERR_SERVER_AUTH_FAILED     0x05

 #define PCT_ERR_SPECS_MISMATCH         0x06

-#define SSL_HND_HELLO_EXT_SERVER_NAME        0x0

-#define SSL_HND_HELLO_EXT_ELLIPTIC_CURVES    0x000a

-#define SSL_HND_HELLO_EXT_EC_POINT_FORMATS   0x000b

-#define SSL_HND_HELLO_EXT_SIG_HASH_ALGS      0x000d

-#define SSL_HND_HELLO_EXT_HEARTBEAT          0x000f

-#define SSL_HND_HELLO_EXT_RENEG_INFO         0xff01

-#define SSL_HND_HELLO_EXT_NPN                0x3374

-#define SSL_HND_CERT_STATUS_TYPE_OCSP  1

+#define SSL_HND_HELLO_EXT_SERVER_NAME                 0x0

+#define SSL_HND_HELLO_EXT_ELLIPTIC_CURVES             0x000a

+#define SSL_HND_HELLO_EXT_EC_POINT_FORMATS            0x000b

+#define SSL_HND_HELLO_EXT_SIG_HASH_ALGS               0x000d

+#define SSL_HND_HELLO_EXT_HEARTBEAT                   0x000f

+#define SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET_TYPE 0x0017

+#define SSL_HND_HELLO_EXT_RENEG_INFO                  0xff01

+#define SSL_HND_HELLO_EXT_NPN                         0x3374

+#define SSL_HND_CERT_STATUS_TYPE_OCSP                 1

 /*

  * Lookup tables

@@ -211,13 +212,16 @@ typedef struct _StringInfo {

 #define DTLSV1DOT0_VERSION_NOT 0x100

 #define DTLSV1DOT2_VERSION     0xfefd

-#define SSL_CLIENT_RANDOM       (1<<0)

-#define SSL_SERVER_RANDOM       (1<<1)

-#define SSL_CIPHER              (1<<2)

-#define SSL_HAVE_SESSION_KEY    (1<<3)

-#define SSL_VERSION             (1<<4)

-#define SSL_MASTER_SECRET       (1<<5)

-#define SSL_PRE_MASTER_SECRET   (1<<6)

+#define SSL_CLIENT_RANDOM                 (1<<0)

+#define SSL_SERVER_RANDOM                 (1<<1)

+#define SSL_CIPHER                        (1<<2)

+#define SSL_HAVE_SESSION_KEY              (1<<3)

+#define SSL_VERSION                       (1<<4)

+#define SSL_MASTER_SECRET                 (1<<5)

+#define SSL_PRE_MASTER_SECRET             (1<<6)

+#define SSL_CLIENT_EXTENDED_MASTER_SECRET (1<<7)

+#define SSL_SERVER_EXTENDED_MASTER_SECRET (1<<8)

+

 #define SSL_CIPHER_MODE_STREAM  0

 #define SSL_CIPHER_MODE_CBC     1

diff --git a/epan/dissectors/packet-ssl.c b/epan/dissectors/packet-ssl.c

index 6f22158..d774929 100644

--- a/epan/dissectors/packet-ssl.c

+++ b/epan/dissectors/packet-ssl.c

@@ -2396,7 +2396,8 @@ dissect_ssl3_hnd_hello_common(tvbuff_t *tvb, proto_tree *tree,

 static gint

 dissect_ssl3_hnd_hello_ext(tvbuff_t *tvb,

-                           proto_tree *tree, guint32 offset, guint32 left)

+                           proto_tree *tree, guint32 offset, guint32 left,

+                           gboolean is_client, SslDecryptSession *ssl)

 {

     guint16     extension_length;

     guint16     ext_type;

@@ -2459,6 +2460,10 @@ dissect_ssl3_hnd_hello_ext(tvbuff_t *tvb,

                                 tvb, offset, 1, ENC_BIG_ENDIAN);

             offset += ext_len;

             break;

+        case SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET_TYPE:

+            if (ssl)

+                ssl->state |= (is_client ? SSL_CLIENT_EXTENDED_MASTER_SECRET : SSL_SERVER_EXTENDED_MASTER_SECRET);

+            break;

         default:

             proto_tree_add_bytes_format(ext_tree, hf_ssl_handshake_extension_data,

                                         tvb, offset, ext_len, NULL,

@@ -2673,7 +2678,7 @@ dissect_ssl3_hnd_hello_ext_ec_point_formats(tvbuff_t *tvb,

 static void

 dissect_ssl3_hnd_cli_hello(tvbuff_t *tvb, packet_info *pinfo,

        proto_tree *tree, guint32 offset, guint32 length,

-       SslDecryptSession*ssl)

+       SslDecryptSession *ssl)

 {

     /* struct {

      *     ProtocolVersion client_version;

@@ -2798,14 +2803,16 @@ dissect_ssl3_hnd_cli_hello(tvbuff_t *tvb, packet_info *pinfo,

         if (length > offset - start_offset)

         {

             dissect_ssl3_hnd_hello_ext(tvb, tree, offset,

-                                       length - (offset - start_offset));

+                                       length - (offset - start_offset), TRUE,

+                                       ssl);

         }

     }

 }

 static void

 dissect_ssl3_hnd_srv_hello(tvbuff_t *tvb,

-                           proto_tree *tree, guint32 offset, guint32 length, SslDecryptSession *ssl)

+                           proto_tree *tree, guint32 offset, guint32 length,

+                           SslDecryptSession *ssl)

 {

     /* struct {

      *     ProtocolVersion server_version;

@@ -2873,7 +2880,8 @@ no_cipher:

         if (length > offset - start_offset)

         {

             dissect_ssl3_hnd_hello_ext(tvb, tree, offset,

-                                       length - (offset - start_offset));

+                                       length - (offset - start_offset), FALSE,

+                                       ssl);

         }

     }

 }