diff --git a/ssl/bigint.c b/ssl/bigint.c
index 797ca2170..8d52184a8 100644
--- a/ssl/bigint.c
+++ b/ssl/bigint.c
@@ -165,7 +165,7 @@ void bi_permanent(bigint *bi)
 }
 
 /**
- * @brief Take a permanent object and make it elligible for freedom.
+ * @brief Take a permanent object and make it eligible for freedom.
  * @param bi [in]   The bigint to be made back to temporary.
  */
 void bi_depermanent(bigint *bi)
@@ -243,7 +243,7 @@ bigint *bi_clone(BI_CTX *ctx, const bigint *bi)
 }
 
 /**
- * @brief Perform an additon operation between two bigints.
+ * @brief Perform an addition operation between two bigints.
  * @param ctx [in]  The bigint session context.
  * @param bia [in]  A bigint.
  * @param bib [in]  Another bigint.
@@ -1038,7 +1038,7 @@ static void more_comps(bigint *bi, int n)
 
 /*
  * Make a new empty bigint. It may just use an old one if one is available.
- * Otherwise get one of the heap.
+ * Otherwise get one off the heap.
  */
 static bigint *alloc(BI_CTX *ctx, int size)
 {
diff --git a/ssl/crypto.h b/ssl/crypto.h
index 8a79a84f1..dae5a5f3a 100644
--- a/ssl/crypto.h
+++ b/ssl/crypto.h
@@ -269,7 +269,8 @@ typedef void (*hmac_func)(const uint8_t *msg, int length, const uint8_t *key,
 
 typedef struct
 {
-    uint8_t *data;
+    uint8_t *pre_data;	/* include the ssl record bytes */
+    uint8_t *data;	/* the regular ssl data */
     int max_len;
     int index;
 } BUF_MEM;
diff --git a/ssl/crypto_misc.c b/ssl/crypto_misc.c
index 8591aacd9..edfe5bb7c 100644
--- a/ssl/crypto_misc.c
+++ b/ssl/crypto_misc.c
@@ -31,6 +31,8 @@
 #include "wincrypt.h"
 #endif
 
+#define BM_RECORD_OFFSET 	5	/* same as SSL_RECORD_SIZE */
+
 #ifndef WIN32
 static int rng_fd = -1;
 #elif defined(CONFIG_WIN32_USE_CRYPTO_LIB)
@@ -50,8 +52,9 @@ const char * const unsupported_str = "Error: feature not supported\n";
 BUF_MEM buf_new()
 {
     BUF_MEM bm;
-    bm.data = (uint8_t *)malloc(2048); /* should be enough to start with */
-    bm.max_len = 2048;
+    bm.pre_data = (uint8_t *)malloc(2048); /* should be enough to start with */
+    bm.data = bm.pre_data+BM_RECORD_OFFSET; /* some space at the start */
+    bm.max_len = 2048-BM_RECORD_OFFSET;
     bm.index = 0;
     return bm;
 }
@@ -66,7 +69,9 @@ void buf_grow(BUF_MEM *bm, int len)
         return;
     }
 
-    bm->data = (uint8_t *)realloc(bm->data, len+1024); /* just to be sure */
+    /* add 1kB just to be sure */
+    bm->pre_data = (uint8_t *)realloc(bm->pre_data, len+1024+BM_RECORD_OFFSET); 
+    bm->data = bm->pre_data+BM_RECORD_OFFSET;
     bm->max_len = len+1024;
 }
 
@@ -75,7 +80,8 @@ void buf_grow(BUF_MEM *bm, int len)
  */
 void buf_free(BUF_MEM *bm)
 {
-    free(bm->data);
+    free(bm->pre_data);
+    bm->pre_data = NULL;
     bm->data = NULL;
 }
 
diff --git a/ssl/p12.c b/ssl/p12.c
index 2d198dc90..218950998 100644
--- a/ssl/p12.c
+++ b/ssl/p12.c
@@ -192,7 +192,7 @@ static int p8_decrypt(const char *password, const uint8_t *salt, int iter,
 }
 
 /*
- * Take a raw pkcs12 block and the decrypt it and turn it into a certificates
+ * Take a raw pkcs12 block and the decrypt it and turn it into a certificate(s)
  * and keys.
  */
 int pkcs12_decode(SSLCTX *ssl_ctx, SSLObjLoader *ssl_obj, const char *password)
@@ -390,7 +390,7 @@ static int get_pbe_params(uint8_t *buf, int *offset,
         goto error;
 
     /* we expect pbeWithSHAAnd128BitRC4 (1.2.840.113549.1.12.1.1) 
-       which is the only agorithm we support */
+       which is the only algorithm we support */
     if (len != sizeof(pbeSH1RC4) || 
                     memcmp(&buf[*offset], pbeSH1RC4, sizeof(pbeSH1RC4)))
     {
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 27b1f3903..c314cbc8d 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -354,7 +354,7 @@ EXP_FUNC int STDCALL ssl_verify_cert(SSL *ssl);
  * - SSL_X509_CA_CERT_ORGANIZATION
  * - SSL_X509_CA_CERT_ORGANIZATIONAL_NAME
  * @return The appropriate string (or null if not defined)
- * @note Verification mode must be enabled.
+ * @note Verification build mode must be enabled.
  */
 EXP_FUNC const char * STDCALL ssl_get_cert_dn(SSL *ssl, int component);
 
@@ -388,7 +388,7 @@ EXP_FUNC int STDCALL ssl_renegotiate(SSL *ssl);
  * @param filename [in] The location of a file in DER/PEM format.
  * @param password [in] The password used. Can be null if not required.
  * @return SSL_OK if all ok
- * @note Not available in skeleton mode.
+ * @note Not available in skeleton build mode.
  */
 EXP_FUNC int STDCALL ssl_obj_load(SSLCTX *ssl_ctx, int obj_type, const char *filename, const char *password);
 
diff --git a/ssl/tls1.c b/ssl/tls1.c
index 41484949f..e157147a7 100644
--- a/ssl/tls1.c
+++ b/ssl/tls1.c
@@ -902,7 +902,8 @@ static void *crypt_new(SSL *ssl, uint8_t *key, uint8_t *iv, int is_decrypt)
  */
 static int send_raw_packet(SSL *ssl, uint8_t protocol)
 {
-    uint8_t rec_buf[SSL_RECORD_SIZE];
+    uint8_t *rec_buf = ssl->bm_buf.pre_data;
+    int pkt_size = SSL_RECORD_SIZE+ssl->bm_buf.index;
     int ret;
 
     rec_buf[0] = protocol;
@@ -911,17 +912,10 @@ static int send_raw_packet(SSL *ssl, uint8_t protocol)
     rec_buf[3] = ssl->bm_buf.index >> 8;
     rec_buf[4] = ssl->bm_buf.index & 0xff;
 
-    DISPLAY_BYTES(ssl, "sending %d bytes", rec_buf, 5, 5);
-    DISPLAY_BYTES(ssl, "sending %d bytes", ssl->bm_buf.data,  
-            ssl->bm_buf.index, ssl->bm_buf.index);
+    DISPLAY_BYTES(ssl, "sending %d bytes", ssl->bm_buf.pre_data, 
+                            pkt_size, pkt_size);
 
-    /* 2 system calls, but what the hell it makes life a lot simpler */
-    ret = SOCKET_WRITE(ssl->client_fd, rec_buf, SSL_RECORD_SIZE);
-
-    if (ret > 0)
-    {
-        ret = SOCKET_WRITE(ssl->client_fd, ssl->bm_buf.data, ssl->bm_buf.index);
-    }
+    ret = SOCKET_WRITE(ssl->client_fd, ssl->bm_buf.pre_data, pkt_size);
 
     SET_SSL_FLAG(SSL_NEED_RECORD);  /* reset for next time */
     ssl->bm_buf.index = 0;