diff --git a/src/apps/rfc5769/rfc5769check.c b/src/apps/rfc5769/rfc5769check.c
index 0dcc1b45..5710f68c 100644
--- a/src/apps/rfc5769/rfc5769check.c
+++ b/src/apps/rfc5769/rfc5769check.c
@@ -52,7 +52,7 @@ static const char* hmacs[]={"HMAC-SHA-1","HMAC-SHA-256","HMAC-SHA-256-128",NULL}
 void print_field5769(const char* name, const void* f0, size_t len);
 void print_field5769(const char* name, const void* f0, size_t len) {
   const unsigned char* f = (const unsigned char*)f0;
-  printf("\nfield %s==>>\n",name);
+  printf("\nfield %s %lu==>>\n",name,(unsigned long)len);
   size_t i;
   for(i = 0;i<len;++i) {
     printf("\\x%x",(unsigned int)f[i]);
@@ -76,13 +76,17 @@ static int check_oauth(void) {
 
 	const char mac_key[33] = "ZksjpweoixXmvn67534m";
 	const size_t mac_key_length=strlen(mac_key);
-	const uint64_t token_timestamp = 1234567890;
+	uint64_t token_timestamp0 = turn_time();
+	const uint64_t token_timestamp = token_timestamp0 << 16;
+	printf("key timestamp: %llu\n",(unsigned long long)token_timestamp);
 	const uint32_t token_lifetime = 3600;
 
 	const char kid[33] = "2783466234";
 	const turn_time_t key_timestamp = 1234567890;
 	const turn_time_t key_lifetime = 3600;
 
+	const char aead_nonce[OAUTH_AEAD_NONCE_SIZE+1] = "h4j3k2l2n4b5";
+
 	for (i_hmacs = 0; hmacs[i_hmacs]; ++i_hmacs) {
 
 		for (i_shas = 0; shas[i_shas]; ++i_shas) {
@@ -98,14 +102,17 @@ static int check_oauth(void) {
 				ot.enc_block.lifetime = token_lifetime;
 
 				oauth_token dot;
+				ns_bzero((&dot),sizeof(dot));
 				oauth_key key;
 				ns_bzero(&key,sizeof(key));
 
 				{
 					oauth_key_data okd;
+					ns_bzero(&okd,sizeof(okd));
 
 					{
 					  oauth_key_data_raw okdr;
+					  ns_bzero(&okdr,sizeof(okdr));
 
 						STRCPY(okdr.kid,kid);
 						STRCPY(okdr.ikm_key,base64encoded_ltp);
@@ -133,9 +140,10 @@ static int check_oauth(void) {
 
 				{
 					encoded_oauth_token etoken;
+					ns_bzero(&etoken,sizeof(etoken));
 
 					if (encode_oauth_token((const u08bits *) server_name, &etoken,
-							&key, &ot) < 0) {
+							&key, &ot, (const u08bits*)aead_nonce) < 0) {
 						fprintf(stderr, "%s: cannot encode oauth token\n",
 								__FUNCTION__);
 						return -1;
diff --git a/src/client/ns_turn_msg.c b/src/client/ns_turn_msg.c
index 4afccee0..6bbd55d5 100644
--- a/src/client/ns_turn_msg.c
+++ b/src/client/ns_turn_msg.c
@@ -2006,11 +2006,14 @@ static int encode_oauth_token_normal(const u08bits *server_name, encoded_oauth_t
 		EVP_CIPHER_CTX ctx;
 		EVP_CIPHER_CTX_init(&ctx);
 		EVP_EncryptInit_ex(&ctx, cipher, NULL, (const unsigned char *)key->as_rs_key, NULL);
+		EVP_CIPHER_CTX_set_padding(&ctx,1);
 		int outl=0;
 		my_EVP_EncryptUpdate(&ctx, encoded_field, &outl, orig_field, (int)len);
-		int tmp_outl = 0;
-		EVP_EncryptFinal_ex(&ctx, encoded_field + outl, &tmp_outl);
-		outl += tmp_outl;
+		if(outl % OAUTH_ENC_ALG_BLOCK_SIZE) {
+			int tmp_outl = 0;
+			EVP_EncryptFinal_ex(&ctx, encoded_field + outl, &tmp_outl);
+			outl += tmp_outl;
+		}
 
 		EVP_CIPHER_CTX_cleanup(&ctx);
 
@@ -2089,6 +2092,7 @@ static int decode_oauth_token_normal(const u08bits *server_name, const encoded_o
 		EVP_CIPHER_CTX ctx;
 		EVP_CIPHER_CTX_init(&ctx);
 		EVP_DecryptInit_ex(&ctx, cipher, NULL, (const unsigned char *)key->as_rs_key, NULL);
+		EVP_CIPHER_CTX_set_padding(&ctx,1);
 		int outl=0;
 		my_EVP_DecryptUpdate(&ctx, decoded_field, &outl, encoded_field, (int)encoded_field_size);
 
@@ -2128,7 +2132,7 @@ static void generate_random_nonce(unsigned char *nonce, size_t sz) {
 	}
 }
 
-static int encode_oauth_token_aead(const u08bits *server_name, encoded_oauth_token *etoken, const oauth_key *key, const oauth_token *dtoken)
+static int encode_oauth_token_aead(const u08bits *server_name, encoded_oauth_token *etoken, const oauth_key *key, const oauth_token *dtoken, const u08bits* nonce0)
 {
 	if(server_name && etoken && key && dtoken && (dtoken->enc_block.key_length<128)) {
 
@@ -2155,7 +2159,11 @@ static int encode_oauth_token_aead(const u08bits *server_name, encoded_oauth_tok
 		unsigned char *encoded_field = (unsigned char*)etoken->token;
 
 		unsigned char nonce[OAUTH_AEAD_NONCE_SIZE];
-		generate_random_nonce(nonce, sizeof(nonce));
+		if(nonce0) {
+			ns_bcopy(nonce0,nonce,sizeof(nonce));
+		} else {
+			generate_random_nonce(nonce, sizeof(nonce));
+		}
 
 		EVP_CIPHER_CTX ctx;
 		EVP_CIPHER_CTX_init(&ctx);
@@ -2164,6 +2172,8 @@ static int encode_oauth_token_aead(const u08bits *server_name, encoded_oauth_tok
 		if(1 != EVP_EncryptInit_ex(&ctx, cipher, NULL, NULL, NULL))
 			return -1;
 
+		EVP_CIPHER_CTX_set_padding(&ctx,1);
+
 		/* Set IV length if default 12 bytes (96 bits) is not appropriate */
 		if(1 != EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, OAUTH_AEAD_NONCE_SIZE, NULL))
 			return -1;
@@ -2181,6 +2191,8 @@ static int encode_oauth_token_aead(const u08bits *server_name, encoded_oauth_tok
 		if(1 != my_EVP_EncryptUpdate(&ctx, NULL, &outl, server_name, (int)sn_len))
 			return -1;
 
+		outl=0;
+
 		if(1 != my_EVP_EncryptUpdate(&ctx, encoded_field, &outl, orig_field, (int)len))
 			return -1;
 
@@ -2232,6 +2244,8 @@ static int decode_oauth_token_aead(const u08bits *server_name, const encoded_oau
 		if(1 != EVP_DecryptInit_ex(&ctx, cipher, NULL, NULL, NULL))
 			return -1;
 
+		EVP_CIPHER_CTX_set_padding(&ctx,1);
+
 		/* Set IV length if default 12 bytes (96 bits) is not appropriate */
 		if(1 != EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, OAUTH_AEAD_NONCE_SIZE, NULL))
 			return -1;
@@ -2285,8 +2299,9 @@ static int decode_oauth_token_aead(const u08bits *server_name, const encoded_oau
 
 #endif
 
-int encode_oauth_token(const u08bits *server_name, encoded_oauth_token *etoken, const oauth_key *key, const oauth_token *dtoken)
+int encode_oauth_token(const u08bits *server_name, encoded_oauth_token *etoken, const oauth_key *key, const oauth_token *dtoken, const u08bits *nonce)
 {
+	UNUSED_ARG(nonce);
 	if(server_name && etoken && key && dtoken) {
 		switch(key->as_rs_alg) {
 		case AES_256_CBC:
@@ -2295,7 +2310,7 @@ int encode_oauth_token(const u08bits *server_name, encoded_oauth_token *etoken,
 #if !defined(TURN_NO_GCM)
 		case AEAD_AES_128_GCM:
 		case AEAD_AES_256_GCM:
-			return encode_oauth_token_aead(server_name, etoken,key,dtoken);
+			return encode_oauth_token_aead(server_name, etoken,key,dtoken,nonce);
 #endif
 		default:
 			fprintf(stderr,"Wrong AS_RS algorithm: %d\n",(int)key->as_rs_alg);
diff --git a/src/client/ns_turn_msg.h b/src/client/ns_turn_msg.h
index 239eb67d..f54c2354 100644
--- a/src/client/ns_turn_msg.h
+++ b/src/client/ns_turn_msg.h
@@ -212,7 +212,7 @@ int is_http_get(const char *s, size_t blen);
 /* OAUTH */
 int convert_oauth_key_data(const oauth_key_data *oakd, oauth_key *key, char *err_msg, size_t err_msg_size);
 int decode_oauth_token(const u08bits *server_name, const encoded_oauth_token *etoken, const oauth_key *key, oauth_token *dtoken);
-int encode_oauth_token(const u08bits *server_name, encoded_oauth_token *etoken, const oauth_key *key, const oauth_token *dtoken);
+int encode_oauth_token(const u08bits *server_name, encoded_oauth_token *etoken, const oauth_key *key, const oauth_token *dtoken, const u08bits *nonce);
 
 ///////////////////////////////////////////////////////////////
 
diff --git a/src/client/ns_turn_msg_defs_new.h b/src/client/ns_turn_msg_defs_new.h
index 965e7979..9da460d3 100644
--- a/src/client/ns_turn_msg_defs_new.h
+++ b/src/client/ns_turn_msg_defs_new.h
@@ -109,6 +109,7 @@ typedef enum _AUTH_ALG AUTH_ALG;
 #define OAUTH_KEY_SIZE (256)
 #define OAUTH_AEAD_NONCE_SIZE (12)
 #define OAUTH_AEAD_TAG_SIZE (16)
+#define OAUTH_ENC_ALG_BLOCK_SIZE (16)
 
 #define OAUTH_DEFAULT_LIFETIME (0)
 #define OAUTH_DEFAULT_TIMESTAMP (turn_time())