diff --git a/CHANGELOG b/CHANGELOG
index 2c102d898..95d6d80e9 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -22,6 +22,10 @@ o [NSE][GH#2925][GH#2917][GH#2924] Testing for acceptance of SSH keys for
 o [NSE][GH#2919][GH#2917] Scripts were not able to load SSH public keys.
   from a file. [nnposter]
 
+o [NSE][GH#2928][GH#2640] Encryption/decryption performed by the OpenSSL NSE
+  module did not work correctly when the IV started with a null byte.
+  [nnposter]
+
 o [NSE][GH#2901][GH#2744][GH#2745] Arbitrary separator in stdnse.tohex() is now
   supported. Script smb-protocols now reports SMB dialects correctly.
   [nnposter]
diff --git a/nse_openssl.cc b/nse_openssl.cc
index f1fb85370..29e0385c1 100644
--- a/nse_openssl.cc
+++ b/nse_openssl.cc
@@ -387,10 +387,10 @@ static int l_encrypt(lua_State *L) /** encrypt( string algorithm, string key, st
 
   size_t key_len, iv_len, data_len;
   const unsigned char *key = (unsigned char *) luaL_checklstring( L, 2, &key_len );
-  const unsigned char *iv = (unsigned char *) luaL_optlstring( L, 3, "", &iv_len );
+  const unsigned char *iv = (unsigned char *) luaL_optlstring( L, 3, NULL, &iv_len );
   const unsigned char *data = (unsigned char *) luaL_checklstring( L, 4, &data_len );
   int padding = lua_toboolean( L, 5 );
-  if (iv[0] == '\0')
+  if (!iv_len)
     iv = NULL;
 
 #if HAVE_OPAQUE_STRUCTS
@@ -449,10 +449,10 @@ static int l_decrypt(lua_State *L) /** decrypt( string algorithm, string key, st
 
   size_t key_len, iv_len, data_len;
   const unsigned char *key = (unsigned char *) luaL_checklstring( L, 2, &key_len );
-  const unsigned char *iv = (unsigned char *) luaL_optlstring( L, 3, "", &iv_len );
+  const unsigned char *iv = (unsigned char *) luaL_optlstring( L, 3, NULL, &iv_len );
   const unsigned char *data = (unsigned char *) luaL_checklstring( L, 4, &data_len );
   int padding = lua_toboolean( L, 5 );
-  if (iv[0] == '\0')
+  if (!iv_len)
     iv = NULL;
 
 #if HAVE_OPAQUE_STRUCTS