diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index a24351e8b..736eac668 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1044,6 +1044,9 @@ static int ssl_encrypt_buf( ssl_context *ssl )
 
     SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
 
+    SSL_DEBUG_BUF( 4, "before encrypt: output payload",
+                      ssl->out_msg, ssl->out_msglen );
+
     /*
      * Add MAC before encrypt, except for AEAD modes
      */
@@ -1102,9 +1105,6 @@ static int ssl_encrypt_buf( ssl_context *ssl )
                             "including %d bytes of padding",
                        ssl->out_msglen, 0 ) );
 
-        SSL_DEBUG_BUF( 4, "before encrypt: output payload",
-                       ssl->out_msg, ssl->out_msglen );
-
         if( ( ret = cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
                                    ssl->transform_out->iv_enc,
                                    ssl->transform_out->ivlen,
@@ -1185,9 +1185,6 @@ static int ssl_encrypt_buf( ssl_context *ssl )
                             "including %d bytes of padding",
                        ssl->out_msglen, 0 ) );
 
-        SSL_DEBUG_BUF( 4, "before encrypt: output payload",
-                       ssl->out_msg, ssl->out_msglen );
-
         /*
          * Encrypt and authenticate
          */
@@ -1268,9 +1265,6 @@ static int ssl_encrypt_buf( ssl_context *ssl )
                             ssl->out_msglen, ssl->transform_out->ivlen,
                             padlen + 1 ) );
 
-        SSL_DEBUG_BUF( 4, "before encrypt: output payload",
-                       ssl->out_iv, ssl->out_msglen );
-
         if( ( ret = cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
                                    ssl->transform_out->iv_enc,
                                    ssl->transform_out->ivlen,