The server response wasn't setting up the right length for the encrypted part. The client receive side didn't use that field but computed the length another way so it didn't discover the bug. -- These are my opinions. I hate spam.