diff --git a/src/detect-tls-cert-validity.c b/src/detect-tls-cert-validity.c
index 08d0122263..742249c152 100644
--- a/src/detect-tls-cert-validity.c
+++ b/src/detect-tls-cert-validity.c
@@ -148,13 +148,13 @@ static int DetectTlsValidityMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx
 if (cert_epoch == 0)
 SCReturnInt(0);
- if (dd->mode == DETECT_TLS_VALIDITY_EQ && cert_epoch == dd->epoch)
+ if ((dd->mode & DETECT_TLS_VALIDITY_EQ) && cert_epoch == dd->epoch)
 ret = 1;
- else if (dd->mode == DETECT_TLS_VALIDITY_LT && cert_epoch <= dd->epoch)
+ else if ((dd->mode & DETECT_TLS_VALIDITY_LT) && cert_epoch <= dd->epoch)
 ret = 1;
- else if (dd->mode == DETECT_TLS_VALIDITY_GT && cert_epoch >= dd->epoch)
+ else if ((dd->mode & DETECT_TLS_VALIDITY_GT) && cert_epoch >= dd->epoch)
 ret = 1;
- else if (dd->mode == DETECT_TLS_VALIDITY_RA &&
+ else if ((dd->mode & DETECT_TLS_VALIDITY_RA) &&
 cert_epoch >= dd->epoch && cert_epoch <= dd->epoch2)
 ret = 1;
@@ -315,20 +315,18 @@ static DetectTlsValidityData *DetectTlsValidityParse (char *rawstr)
 dd->epoch = 0;
 dd->epoch2 = 0;
- dd->mode = DETECT_TLS_VALIDITY_EQ;
+ dd->mode = 0;
 if (strlen(mode) > 0) {
 if (mode[0] == '<')
- dd->mode = DETECT_TLS_VALIDITY_LT;
+ dd->mode |= DETECT_TLS_VALIDITY_LT;
 else if (mode[0] == '>')
- dd->mode = DETECT_TLS_VALIDITY_GT;
- else
- dd->mode = DETECT_TLS_VALIDITY_EQ;
+ dd->mode |= DETECT_TLS_VALIDITY_GT;
 }
 if (strlen(range) > 0) {
 if (strcmp("<>", range) == 0)
- dd->mode = DETECT_TLS_VALIDITY_RA;
+ dd->mode |= DETECT_TLS_VALIDITY_RA;
 }
 if (strlen(range) != 0 && strlen(mode) != 0) {
@@ -337,6 +335,10 @@ static DetectTlsValidityData *DetectTlsValidityParse (char *rawstr)
 goto error;
 }
+ if (dd->mode == 0) {
+ dd->mode |= DETECT_TLS_VALIDITY_EQ;
+ }
+
 /* set the first value */
 dd->epoch = DateStringToEpoch(value1);
 if (dd->epoch == -1)
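Review bot: Changing the else-if chain at the top of the hunk from `==` to `&` means a `dd->mode` with more than one flag set is no longer rejected by falling through; the first matching branch wins (EQ before LT before GT before RA), which is a silent precedence rule rather than a check. The only thing keeping the flags mutually exclusive is the `strlen(range) != 0 && strlen(mode) != 0` error path in DetectTlsValidityParse, so that dependency should be written down here, e.g. `/* exactly one of EQ/LT/GT/RA is set (enforced by DetectTlsValidityParse); the branch order below is not a precedence rule */`. DetectTlsValidityMatch starts and ends outside this hunk.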
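Review bot: The conflict check at the bottom of the hunk still inspects the raw `range` and `mode` strings even though the result of the parse is now a flag set; if the keyword regex only ever admits `<` or `>` in `mode` (not visible here, so please confirm), testing the flags directly, `if ((dd->mode & DETECT_TLS_VALIDITY_RA) && (dd->mode & (DETECT_TLS_VALIDITY_LT | DETECT_TLS_VALIDITY_GT)))`, states the invariant the matcher relies on in the same terms the matcher uses. If `mode` can hold other characters, keep the string test but add a comment saying the two are rejected together because the match code assumes a single flag. The body of that `if` continues in the next hunk, and DetectTlsValidityParse starts before this one.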
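Review bot: `dd->mode |= DETECT_TLS_VALIDITY_EQ;` is guarded by `if (dd->mode == 0)`, so it ORs into a value just proven to be zero and is really a plain assignment; `dd->mode = DETECT_TLS_VALIDITY_EQ;` with a comment `/* no operator and no range given: default to exact match */` says what is intended without suggesting the flags accumulate here. Placing the default after the mode/range conflict check is correct, since it can only fire when neither was supplied. The function continues outside this hunk.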
@@ -344,7 +346,7 @@ static DetectTlsValidityData *DetectTlsValidityParse (char *rawstr)
 /* set the second value if specified */
 if (strlen(value2) > 0) {
- if (dd->mode != DETECT_TLS_VALIDITY_RA) {
+ if (!(dd->mode & DETECT_TLS_VALIDITY_RA)) {
 SCLogError(SC_ERR_INVALID_ARGUMENT,
 "Multiple tls validity values specified but mode is not range");
 goto error;
diff --git a/src/detect-tls-cert-validity.h b/src/detect-tls-cert-validity.h
index 1589821ab4..382b028ef5 100644
--- a/src/detect-tls-cert-validity.h
+++ b/src/detect-tls-cert-validity.h
@@ -24,10 +24,10 @@
 #ifndef __DETECT_TLS_VALIDITY_H__
 #define __DETECT_TLS_VALIDITY_H__
-#define DETECT_TLS_VALIDITY_LT 0
-#define DETECT_TLS_VALIDITY_EQ 1
-#define DETECT_TLS_VALIDITY_GT 2
-#define DETECT_TLS_VALIDITY_RA 3
+#define DETECT_TLS_VALIDITY_EQ (1) /* equal */
+#define DETECT_TLS_VALIDITY_LT (1<<1) /* less than */
+#define DETECT_TLS_VALIDITY_GT (1<<2) /* greater than */
+#define DETECT_TLS_VALIDITY_RA (1<<3) /* range */
 #define DETECT_TLS_TYPE_NOTBEFORE 0
 #define DETECT_TLS_TYPE_NOTAFTER 1
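Review bot: The new comments on the LT and GT defines read `/* less than */` and `/* greater than */`, but the matcher in detect-tls-cert-validity.c compares with `cert_epoch <= dd->epoch` and `cert_epoch >= dd->epoch`, so both modes include the given date; a rule author reading the header would get the boundary day wrong. Suggest `/* less than or equal (inclusive) */` and `/* greater than or equal (inclusive) */`, and a line above the group such as `/* bit flags; the parser sets exactly one per keyword instance */` so the move from 0..3 enumerators to distinct powers of two is explained. The old value `DETECT_TLS_VALIDITY_LT 0` would have been indistinguishable from "unset" under the new `dd->mode == 0` default, which is presumably why EQ now takes bit 0; worth a word in the commit message if that was the motivation.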