diff --git a/.gitignore b/.gitignore
index 25b8b71d8..e40a82164 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,7 @@
 *.lo
 *.la
 *.o
+*.patch
 *.deps
 *.libs
 *.cache
diff --git a/configure.ac b/configure.ac
index 415aab035..c2a0499d7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1342,6 +1342,10 @@ AC_ARG_ENABLE([secure-renegotiation],
 
 if test "x$ENABLED_SECURE_RENEGOTIATION" = "xyes"
 then
+    if test "x$ENABLED_RENEGOTIATION_INDICATION" = "xyes"
+    then
+        AC_MSG_ERROR([cannot enable renegotiation-indication and secure-renegotiation.])
+    fi
     AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SECURE_RENEGOTIATION"
 fi
 
diff --git a/src/internal.c b/src/internal.c
index bdbc3b652..613ca7b0b 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -63,6 +63,10 @@
 CYASSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS
 #endif
 
+#if defined(HAVE_SECURE_RENEGOTIATION) && defined(HAVE_RENEGOTIATION_INDICATION)
+    #error Cannot use both secure-renegotiation and renegotiation-indication
+#endif
+
 static int BuildMessage(CYASSL* ssl, byte* output, int outSz,
                         const byte* input, int inSz, int type);
 
@@ -2986,6 +2990,12 @@ int GrowInputBuffer(CYASSL* ssl, int size, int usedLength)
 /* check available size into output buffer, make room if needed */
 int CheckAvailableSize(CYASSL *ssl, int size)
 {
+
+    if (size < 0) {
+        CYASSL_MSG("CheckAvailableSize() called with negative number");
+        return BAD_FUNC_ARG;
+    }
+
     if (ssl->buffers.outputBuffer.bufferSize - ssl->buffers.outputBuffer.length
                                              < (word32)size) {
         if (GrowOutputBuffer(ssl, size) < 0)
@@ -7148,6 +7158,11 @@ int SendData(CYASSL* ssl, const void* data, int sz)
             /* advance sent to previous sent + plain size just sent */
             sent = ssl->buffers.prevSent + ssl->buffers.plainSz;
             CYASSL_MSG("sent write buffered data");
+
+            if (sent > sz) {
+                CYASSL_MSG("error: write() after WANT_WRITE with short size");
+                return ssl->error = BAD_FUNC_ARG;
+            }
         }
     }
 
@@ -10469,6 +10484,10 @@ int DoSessionTicket(CYASSL* ssl,
         ssl->session.ticketLen = 0;
     }
 
+    if (ssl->keys.encryptionOn) {
+        *inOutIdx += ssl->keys.padSz;
+    }
+
     return BuildFinished(ssl, &ssl->verifyHashes, server);
 }
 #endif /* HAVE_SESSION_TICKET */