jdk/src/share/classes/sun/security/ssl/SSLSocketImpl.java
changeset 11026 41ce4af91010
parent 11018 be74e8b8f3eb
parent 10917 becbe249e46b
child 12428 e9feb65d37fa
--- a/jdk/src/share/classes/sun/security/ssl/SSLSocketImpl.java	Fri Nov 18 16:13:39 2011 +0800
+++ b/jdk/src/share/classes/sun/security/ssl/SSLSocketImpl.java	Fri Nov 18 11:11:11 2011 -0800
@@ -369,6 +369,11 @@
     /* Class and subclass dynamic debugging support */
     private static final Debug debug = Debug.getInstance("ssl");
 
+    /*
+     * Is it the first application record to write?
+     */
+    private boolean isFirstAppOutputRecord = true;
+
     //
     // CONSTRUCTORS AND INITIALIZATION CODE
     //
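Review bot: The comment on `isFirstAppOutputRecord` does not say which lock guards the field or when it is set back to true. The new `needToSplitPayload()` reads it while holding `writeLock`, but the two writes added by this change (the clear after `checkSequenceNumber(...)` and the reset after `oldCipher.dispose()`) sit in methods whose bodies start outside their hunks, so it cannot be seen here whether they run under the same lock. Since the flag decides whether a CBC record goes out unsplit, I would spell out the contract, e.g. `/* True until the first application_data record has been written with the current write cipher; reset when the write cipher changes. Access only while holding writeLock. */`, and confirm that both writers honour it.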
@@ -802,8 +807,35 @@
         if (connectionState < cs_ERROR) {
             checkSequenceNumber(writeMAC, r.contentType());
         }
+
+        // turn off the flag of the first application record
+        if (isFirstAppOutputRecord &&
+                r.contentType() == Record.ct_application_data) {
+            isFirstAppOutputRecord = false;
+        }
     }
 
+    /*
+     * Need to split the payload except the following cases:
+     *
+     * 1. protocol version is TLS 1.1 or later;
+     * 2. bulk cipher does not use CBC mode, including null bulk cipher suites.
+     * 3. the payload is the first application record of a freshly
+     *    negotiated TLS session.
+     * 4. the CBC protection is disabled;
+     *
+     * More details, please refer to AppOutputStream.write(byte[], int, int).
+     */
+    boolean needToSplitPayload() {
+        writeLock.lock();
+        try {
+            return (protocolVersion.v <= ProtocolVersion.TLS10.v) &&
+                    writeCipher.isCBCMode() && !isFirstAppOutputRecord &&
+                    Record.enableCBCProtection;
+        } finally {
+            writeLock.unlock();
+        }
+    }
 
     /*
      * Read an application data record.  Alerts and handshake
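Review bot: `needToSplitPayload()` releases `writeLock` before it returns, so the boolean is only a snapshot. Nothing visible in this hunk stops another thread from writing the first application record, or the write cipher from changing, between this call and the write that acts on the answer. A stale `false` would let a full CBC record go out unsplit on SSL 3.0/TLS 1.0, which is the case the split exists to cover. The caller named in the comment, AppOutputStream.write(byte[], int, int), is outside this diff and may already serialise writers; if it does, the method comment should state that, for example by adding ` * The result is valid only while the caller prevents concurrent writes on this socket.`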
@@ -2031,6 +2063,9 @@
 
         // See comment above.
         oldCipher.dispose();
+
+        // reset the flag of the first application record
+        isFirstAppOutputRecord = true;
     }
 
     /*