diff --git a/hostapd/ChangeLog b/hostapd/ChangeLog
index f3c01559f..2db46b845 100644
--- a/hostapd/ChangeLog
+++ b/hostapd/ChangeLog
@@ -5,6 +5,8 @@ ChangeLog for hostapd
 	  internal X.509/TLSv1 implementation
 	* fixed EAP-FAST PAC-Opaque padding (0.6.4 broke this for some peer
 	  identity lengths)
+	* fixed internal TLSv1 implementation for abbreviated handshake (used
+	  by EAP-FAST server)
 
 2008-08-10 - v0.6.4
 	* added peer identity into EAP-FAST PAC-Opaque and skip Phase 2
diff --git a/src/crypto/tls_internal.c b/src/crypto/tls_internal.c
index dfd0db060..42120c8a8 100644
--- a/src/crypto/tls_internal.c
+++ b/src/crypto/tls_internal.c
@@ -366,8 +366,10 @@ u8 * tls_connection_server_handshake(void *tls_ctx,
 	wpa_printf(MSG_DEBUG, "TLS: %s(in_data=%p in_len=%lu)",
 		   __func__, in_data, (unsigned long) in_len);
 	out = tlsv1_server_handshake(conn->server, in_data, in_len, out_len);
-	if (out == NULL && tlsv1_server_established(conn->server))
+	if (out == NULL && tlsv1_server_established(conn->server)) {
 		out = os_malloc(1);
+		*out_len = 0;
+	}
 	return out;
 #else /* CONFIG_TLS_INTERNAL_SERVER */
 	return NULL;