diff --git a/CMakeLists.txt b/CMakeLists.txt
index 104aab6b..1aa357b0 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -71,6 +71,12 @@ set(src
 src/tls13.c
 )
+option(ENABLE_TLS_DEBUG "Enable TLS and TLCP print debug message" OFF)
+if (ENABLE_TLS_DEBUG)
+ add_definitions(-DTLS_DEBUG)
+endif()
+
+
 option(ENABLE_SM3_AVX_BMI2 "Enable SM3 AVX+BMI2 assembly implementation" OFF)
 if (ENABLE_SM3_AVX_BMI2)
 enable_language(ASM)
diff --git a/src/tlcp.c b/src/tlcp.c
index ac6d649e..feebd58a 100644
--- a/src/tlcp.c
+++ b/src/tlcp.c
@@ -427,24 +427,19 @@ int tlcp_do_connect(TLS_CONNECT *conn)
 // send CertificateVerify
 if (conn->client_certs_len) {
 tls_trace("send CertificateVerify\n");
- uint8_t sigbuf[2 + SM2_MAX_SIGNATURE_SIZE];
- memset(sigbuf, 0, 2 + SM2_MAX_SIGNATURE_SIZE);
- SM3_CTX cert_verify_ctx;
- uint8_t cert_verify_hash[SM3_DIGEST_SIZE] = {0};
- memset(&cert_verify_ctx, 0, sizeof(SM3_CTX));
- memset(cert_verify_hash, 0, SM3_DIGEST_SIZE);
- memcpy(&cert_verify_ctx, &sm3_ctx, sizeof(sm3_ctx));
- sm3_finish(&cert_verify_ctx, cert_verify_hash);
- sm2_sign_init(&sign_ctx, &conn->sign_key, SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH);
- sm2_sign_update(&sign_ctx, cert_verify_hash, SM3_DIGEST_SIZE);
- if (sm2_sign_finish(&sign_ctx, sigbuf+2, &siglen) != 1) {
+
+ SM3_CTX cert_verify_sm3_ctx = sm3_ctx;
+ uint8_t cert_verify_hash[SM3_DIGEST_SIZE];
+ uint8_t sigbuf[SM2_MAX_SIGNATURE_SIZE];
+
+ sm3_finish(&cert_verify_sm3_ctx, cert_verify_hash);
+ if (sm2_sign_init(&sign_ctx, &conn->sign_key, SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH) != 1
+ || sm2_sign_update(&sign_ctx, cert_verify_hash, SM3_DIGEST_SIZE) != 1
+ || sm2_sign_finish(&sign_ctx, sigbuf, &siglen) != 1) {
 error_print();
 tls_send_alert(conn, TLS_alert_internal_error);
 goto end;
 }
- sigbuf[0] = siglen >> 8;
- sigbuf[1] = siglen ;
- siglen += 2;
 if (tls_record_set_handshake_certificate_verify(record, &recordlen, sigbuf, siglen) != 1) {
 error_print();
 tls_send_alert(conn, TLS_alert_internal_error);
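Review bot: In CMakeLists.txt the description of ENABLE_TLS_DEBUG does not say that this is a development-only switch, and `add_definitions(-DTLS_DEBUG)` applies the macro to every target defined in this directory rather than only to the TLS sources. What TLS_DEBUG turns on is not visible in this diff; if it gates the handshake tracing, a build with it enabled may write handshake contents to the program's output, so the option text should say so, for example `option(ENABLE_TLS_DEBUG "Print TLS/TLCP handshake debug messages (development builds only)" OFF)`.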
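Review bot: In tlcp_do_connect the copy `SM3_CTX cert_verify_sm3_ctx = sm3_ctx;` is order-sensitive and carries no comment saying so: the digest that gets signed is the transcript exactly as it stands at that line, so every earlier handshake message must already be in sm3_ctx and the CertificateVerify record must not be. The same snapshot is added in tlcp_do_accept (the hunk at -834), where it now sits ahead of tls_record_recv instead of after the message is parsed as in the removed code; the sm3_update calls are outside both hunks, so that the two positions are equivalent should be confirmed against the full function. A comment on both copies such as `/* snapshot of the transcript hash before CertificateVerify is added to it */` would keep a later reordering from silently breaking client authentication. The body of tlcp_do_connect starts and ends outside the hunk.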
@@ -608,6 +603,7 @@ int tlcp_do_accept(TLS_CONNECT *conn)
 // ClientCertificate, CertificateVerify
 SM2_KEY client_sign_key;
+ SM2_SIGN_CTX verify_ctx;
 const uint8_t *sig;
 const int verify_depth = 5;
 int verify_result;
@@ -834,6 +830,9 @@ int tlcp_do_accept(TLS_CONNECT *conn)
 // recv CertificateVerify
 if (client_verify) {
 tls_trace("recv CertificateVerify\n");
+ SM3_CTX cert_verify_sm3_ctx = sm3_ctx;
+ uint8_t cert_verify_hash[SM3_DIGEST_SIZE];
+
 if (tls_record_recv(record, &recordlen, conn->sock) != 1
 || tls_record_protocol(record) != TLS_protocol_tlcp) {
 tls_send_alert(conn, TLS_alert_unexpected_message);
@@ -852,16 +851,11 @@ int tlcp_do_accept(TLS_CONNECT *conn)
 tls_send_alert(conn, TLS_alert_bad_certificate);
 goto end;
 }
- SM3_CTX cert_verify_ctx;
- SM2_SIGN_CTX sm2_ctx;
- uint8_t cert_verify_hash[SM3_DIGEST_SIZE] = {0};
- memset(&cert_verify_ctx, 0, sizeof(SM3_CTX));
- memset(cert_verify_hash, 0, SM3_DIGEST_SIZE);
- memcpy(&cert_verify_ctx, &sm3_ctx, sizeof(sm3_ctx));
- sm3_finish(&cert_verify_ctx, cert_verify_hash);
- sm2_verify_init(&sm2_ctx, &client_sign_key, SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH);
- sm2_verify_update(&sm2_ctx, cert_verify_hash, SM3_DIGEST_SIZE);
- if (sm2_verify_finish(&sm2_ctx, sig+2, siglen-2) != 1) {
+
+ sm3_finish(&cert_verify_sm3_ctx, cert_verify_hash);
+ if (sm2_verify_init(&verify_ctx, &client_sign_key, SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH) != 1
+ || sm2_verify_update(&verify_ctx, cert_verify_hash, SM3_DIGEST_SIZE) != 1
+ || sm2_verify_finish(&verify_ctx, sig, siglen) != 1) {
 error_print();
 tls_send_alert(conn, TLS_alert_decrypt_error);
 goto end;
diff --git a/src/tls.c b/src/tls.c
index 722c8710..bd094eb2 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -1227,6 +1227,8 @@ int tls_record_set_handshake_certificate_verify(uint8_t *record, size_t *recordl
 const uint8_t *sig, size_t siglen)
 {
 int type = TLS_handshake_certificate_verify;
+ uint8_t *p;
+ size_t len = 0;
 if (!record || !recordlen || !sig || !siglen) {
 error_print();
@@ -1236,7 +1238,9 @@ int tls_record_set_handshake_certificate_verify(uint8_t *record, size_t *recordl
 error_print();
 return -1;
 }
- tls_record_set_handshake(record, recordlen, type, sig, siglen);
+ p = tls_handshake_data(tls_record_data(record));
+ tls_uint16array_to_bytes(sig, siglen, &p, &len);
+ tls_record_set_handshake(record, recordlen, type, NULL, len);
 return 1;
 }
@@ -1244,12 +1248,14 @@ int tls_record_get_handshake_certificate_verify(const uint8_t *record,
 const uint8_t **sig, size_t *siglen)
 {
 int type;
+ const uint8_t *cp;
+ size_t len;
 if (!record || !sig || !siglen) {
 error_print();
 return -1;
 }
- if (tls_record_get_handshake(record, &type, sig, siglen) != 1) {
+ if (tls_record_get_handshake(record, &type, &cp, &len) != 1) {
 error_print();
 return -1;
 }
@@ -1257,11 +1263,8 @@ int tls_record_get_handshake_certificate_verify(const uint8_t *record,
 error_print();
 return -1;
 }
- if (*sig == NULL || *siglen == 0) {
- error_print();
- return -1;
- }
- if (*siglen > TLS_MAX_SIGNATURE_SIZE) {
+ if (tls_uint16array_from_bytes(sig, siglen, &cp, &len) != 1
+ || tls_length_is_zero(len) != 1) {
 error_print();
 return -1;
 }
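Review bot: In tls_record_set_handshake_certificate_verify the result of `tls_record_set_handshake(record, recordlen, type, NULL, len);` is discarded, so the function returns 1 even if that call rejects the length. The new code also writes the prefix and signature into the record before that call sees `len`, which leaves the guard just above the hunk (its condition is not visible here) as the only bound on `siglen` ahead of the write; it has to keep `siglen` within both the 16-bit prefix and the record buffer. Assuming tls_record_set_handshake reports failure like the other tls_record_* calls in this diff, the call should be checked: `if (tls_record_set_handshake(record, recordlen, type, NULL, len) != 1) { error_print(); return -1; }`. Passing NULL with a non-zero length relies on that function leaving the payload untouched, which deserves a short comment since its definition is outside the hunk.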
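Review bot: In tls_record_get_handshake_certificate_verify (the hunk at -1257) the explicit rejection of an empty signature and the `TLS_MAX_SIGNATURE_SIZE` upper bound are removed, and the replacement checks only the framing and that no bytes trail the array. Whether tls_uint16array_from_bytes rejects a zero length prefix is not visible here; if it does not, a CertificateVerify with an empty signature now passes the getter and `sig` and `siglen` go unchanged into sm2_verify_finish in tlcp_do_accept. Keeping the semantic check after the parse costs one condition: `if (*sig == NULL || *siglen == 0 || *siglen > TLS_MAX_SIGNATURE_SIZE) { error_print(); return -1; }`.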