diff --git a/configure.ac b/configure.ac
index 25f3decf6..7e96504e8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -6,7 +6,7 @@
 #
 #
 
-AC_INIT([wolfssl],[3.6.9],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[http://www.wolfssl.com])
+AC_INIT([wolfssl],[3.6.9d],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[http://www.wolfssl.com])
 
 AC_CONFIG_AUX_DIR([build-aux])
 
diff --git a/scripts/include.am b/scripts/include.am
index 94232516b..4b2c7982a 100644
--- a/scripts/include.am
+++ b/scripts/include.am
@@ -21,9 +21,11 @@ endif
 if !BUILD_IPV6
 dist_noinst_SCRIPTS+= scripts/external.test
 dist_noinst_SCRIPTS+= scripts/google.test
-dist_noinst_SCRIPTS+= scripts/openssl.test
+#dist_noinst_SCRIPTS+= scripts/openssl.test
 endif
 endif
 
 
 EXTRA_DIST +=  scripts/testsuite.pcap
+# leave openssl.test as extra until non bash works
+EXTRA_DIST +=  scripts/openssl.test
diff --git a/src/sniffer.c b/src/sniffer.c
index 273b16694..e1a57ec1f 100644
--- a/src/sniffer.c
+++ b/src/sniffer.c
@@ -2950,7 +2950,8 @@ static int HaveMoreInput(SnifferSession* session, const byte** sslFrame,
 /* Process Message(s) from sslFrame */
 /* return Number of bytes on success, 0 for no data yet, and -1 on error */
 static int ProcessMessage(const byte* sslFrame, SnifferSession* session,
-                          int sslBytes, byte* data, const byte* end,char* error)
+                          int sslBytes, byte** data, const byte* end,
+                          char* error)
 {
     const byte*       sslBegin = sslFrame;
     const byte*       recordEnd;   /* end of record indicator */
@@ -3076,8 +3077,20 @@ doPart:
                     ret = ssl->buffers.clearOutputBuffer.length;
                     TraceGotData(ret);
                     if (ret) {  /* may be blank message */
-                        XMEMCPY(&data[decoded],
-                               ssl->buffers.clearOutputBuffer.buffer, ret);
+                        byte* tmpData;  /* don't leak on realloc free */
+                        /* add an extra byte at end of allocation in case user
+                         * wants to null terminate plaintext */
+                        tmpData = (byte*)realloc(*data, decoded + ret + 1);
+                        if (tmpData == NULL) {
+                            free(*data);
+                            *data = NULL;
+                            SetError(MEMORY_STR, error, session,
+                                     FATAL_ERROR_STATE);
+                            return -1;
+                        }
+                        *data = tmpData;
+                        XMEMCPY(*data + decoded,
+                                ssl->buffers.clearOutputBuffer.buffer, ret);
                         TraceAddedData(ret, decoded);
                         decoded += ret;
                         ssl->buffers.clearOutputBuffer.length = 0;
@@ -3179,7 +3192,7 @@ static int RemoveFatalSession(IpInfo* ipInfo, TcpInfo* tcpInfo,
 
 /* Passes in an IP/TCP packet for decoding (ethernet/localhost frame) removed */
 /* returns Number of bytes on success, 0 for no data yet, and -1 on error */
-int ssl_DecodePacket(const byte* packet, int length, byte* data, char* error)
+int ssl_DecodePacket(const byte* packet, int length, byte** data, char* error)
 {
     TcpInfo           tcpInfo;
     IpInfo            ipInfo;
diff --git a/sslSniffer/sslSnifferTest/snifftest.c b/sslSniffer/sslSnifferTest/snifftest.c
index 0a21e3958..b618eec0c 100755
--- a/sslSniffer/sslSnifferTest/snifftest.c
+++ b/sslSniffer/sslSnifferTest/snifftest.c
@@ -296,7 +296,7 @@ int main(int argc, char** argv)
         packetNumber++;
         if (packet) {
 
-            byte data[65535+16384];  /* may have a partial 16k record cached */
+            byte* data = NULL;
 
             if (header.caplen > 40)  { /* min ip(20) + min tcp(20) */
 				packet        += frame;
@@ -305,7 +305,7 @@ int main(int argc, char** argv)
             else
                 continue;
 
-            ret = ssl_DecodePacket(packet, header.caplen, data, err);
+            ret = ssl_DecodePacket(packet, header.caplen, &data, err);
             if (ret < 0) {
                 printf("ssl_Decode ret = %d, %s\n", ret, err);
                 hadBadPacket = 1;
@@ -313,6 +313,8 @@ int main(int argc, char** argv)
             if (ret > 0) {
                 data[ret] = 0;
 				printf("SSL App Data(%d:%d):%s\n", packetNumber, ret, data);
+                free(data);
+                data = NULL;
             }
         }
         else if (saveFile)
diff --git a/support/wolfssl.pc b/support/wolfssl.pc
index 7116f5acf..74800588c 100644
--- a/support/wolfssl.pc
+++ b/support/wolfssl.pc
@@ -5,6 +5,6 @@ includedir=${prefix}/include
 
 Name: wolfssl
 Description: wolfssl C library.
-Version: 3.6.9
+Version: 3.6.9d
 Libs: -L${libdir} -lwolfssl
 Cflags: -I${includedir}
diff --git a/wolfssl/sniffer.h b/wolfssl/sniffer.h
index 495045d71..5e626d93f 100644
--- a/wolfssl/sniffer.h
+++ b/wolfssl/sniffer.h
@@ -56,7 +56,7 @@ SSL_SNIFFER_API int ssl_SetNamedPrivateKey(const char* name,
 
 WOLFSSL_API
 SSL_SNIFFER_API int ssl_DecodePacket(const unsigned char* packet, int length,
-                                     unsigned char* data, char* error);
+                                     unsigned char** data, char* error);
 
 WOLFSSL_API
 SSL_SNIFFER_API int ssl_Trace(const char* traceFile, char* error);
diff --git a/wolfssl/version.h b/wolfssl/version.h
index b8aa49372..58d1fdd5a 100644
--- a/wolfssl/version.h
+++ b/wolfssl/version.h
@@ -26,7 +26,7 @@
 extern "C" {
 #endif
 
-#define LIBWOLFSSL_VERSION_STRING "3.6.9"
+#define LIBWOLFSSL_VERSION_STRING "3.6.9d"
 #define LIBWOLFSSL_VERSION_HEX 0x03006009
 
 #ifdef __cplusplus