diff --git a/CHANGES b/CHANGES
index 3607fe9f3937105a844dcc7082047b4685287815..4eba78a60d153fae81ec25efa486cde7cddf9be0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -418,6 +418,14 @@
 
  Changes between 0.9.8d and 0.9.8e  [XX xxx XXXX]
 
+  *) Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c
+     (within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters):
+     When a point or a seed is encoded in a BIT STRING, we need to
+     prevent the removal of trailing zero bits to get the proper DER
+     encoding.  (By default, crypto/asn1/a_bitstr.c assumes the case
+     of a NamedBitList, for which trailing 0 bits need to be removed.)
+     [Bodo Moeller]
+
   *) Have SSL/TLS server implementation tolerate "mismatched" record
      protocol version while receiving ClientHello even if the
      ClientHello is fragmented.  (The server can't insist on the
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 66ef129293c27557863ca635ae847d3ba23db3d8..ae555398594b8e6c02bd554015853000efeff744 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -529,6 +529,8 @@ static int ec_asn1_group2curve(const EC_GROUP *group, X9_62_CURVE *curve)
 				ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_MALLOC_FAILURE);
 				goto err;
 				}
+		curve->seed->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
+		curve->seed->flags |= ASN1_STRING_FLAG_BITS_LEFT;
 		if (!ASN1_BIT_STRING_set(curve->seed, group->seed, 
 		                         (int)group->seed_len))
 			{
@@ -1291,6 +1293,8 @@ int	i2d_ECPrivateKey(EC_KEY *a, unsigned char **out)
 			goto err;
 			}
 
+		priv_key->publicKey->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
+		priv_key->publicKey->flags |= ASN1_STRING_FLAG_BITS_LEFT;
 		if (!M_ASN1_BIT_STRING_set(priv_key->publicKey, buffer, 
 				buf_len))
 			{