Framing TLS records violates the protocol specification.
The problem is _connection_write_to_buf_impl(), if it flushes forcely a some bytes from outbuf. For queued cells (in_flushed_some is true), it never plays with outbuf_flushlen. So call for connection_handle_write() triggered only in case of overlapping sets of conditions; If outbuf_flushlen was equal 15360 before cell_destroy (or cell_padding) was appended, then flushes of 15872 bytes to TLS record.
Such behavior can leak a type of the last cell, and a some internal information likes a outbuf's length.
[Automatically added by flyspray2trac: Operating System: All]