diff --git a/LeaseSet.cpp b/LeaseSet.cpp
index 2b75b463..b62a4598 100644
--- a/LeaseSet.cpp
+++ b/LeaseSet.cpp
@@ -57,13 +57,13 @@ namespace data
 			LogPrint ("LeaseSet verification failed");
 	}	
 
-	std::vector<Lease> LeaseSet::GetNonExpiredLeases () const
+	std::set<Lease> LeaseSet::GetNonExpiredLeases () const
 	{
 		auto ts = i2p::util::GetMillisecondsSinceEpoch ();
-		std::vector<Lease> leases;
+		std::set<Lease> leases;
 		for (auto& it: m_Leases)
 			if (ts < it.endDate)
-				leases.push_back (it);
+				leases.insert (it);
 		return leases;	
 	}	
 
diff --git a/LeaseSet.h b/LeaseSet.h
index 294e32d0..6bcc8122 100644
--- a/LeaseSet.h
+++ b/LeaseSet.h
@@ -4,6 +4,7 @@
 #include <inttypes.h>
 #include <string.h>
 #include <vector>
+#include <set>
 #include "Identity.h"
 
 namespace i2p
@@ -18,6 +19,14 @@ namespace data
 		uint8_t tunnelGateway[32];
 		uint32_t tunnelID;
 		uint64_t endDate;
+
+		bool operator< (const Lease& other) const 
+		{
+			if (endDate != other.endDate)
+				return endDate > other.endDate;
+			else
+				return tunnelID < other.tunnelID; 
+		}	
 	};	
 	
 #pragma pack()	
@@ -34,7 +43,7 @@ namespace data
 			const Identity& GetIdentity () const { return m_Identity; };
 			const IdentHash& GetIdentHash () const { return m_IdentHash; };
 			const std::vector<Lease>& GetLeases () const { return m_Leases; };
-			std::vector<Lease> GetNonExpiredLeases () const;
+			std::set<Lease> GetNonExpiredLeases () const;
 			bool HasExpiredLeases () const;
 			bool HasNonExpiredLeases () const;
 			const uint8_t * GetEncryptionPublicKey () const { return m_EncryptionKey; };
diff --git a/NTCPSession.cpp b/NTCPSession.cpp
index 3e3d551d..e2686248 100644
--- a/NTCPSession.cpp
+++ b/NTCPSession.cpp
@@ -474,7 +474,9 @@ namespace ntcp
 		if (ecode)
         {
 			LogPrint ("Couldn't send msg: ", ecode.message ());
-			Terminate ();
+			// we shouldn't call Terminate () here, because HandleReceive takes care
+			// TODO: 'delete this' statement in Terminate () must be eliminated later
+			// Terminate ();
 		}
 		else
 		{	
diff --git a/SSU.cpp b/SSU.cpp
index 94dbcfb7..5509b96e 100644
--- a/SSU.cpp
+++ b/SSU.cpp
@@ -20,7 +20,7 @@ namespace ssu
 	{
 	}
 
-	void SSUSession::CreateAESKey (uint8_t * pubKey, uint8_t * aesKey) // TODO: move it to base class for NTCP and SSU
+	void SSUSession::CreateAESandMacKey (uint8_t * pubKey, uint8_t * aesKey, uint8_t * macKey)
 	{
 		CryptoPP::DH dh (i2p::crypto::elgp, i2p::crypto::elgg);
 		CryptoPP::SecByteBlock secretKey(dh.AgreedValueLength());
@@ -34,9 +34,13 @@ namespace ssu
 		{
 			aesKey[0] = 0;
 			memcpy (aesKey + 1, secretKey, 31);
+			memcpy (macKey, secretKey + 31, 32);
 		}	
-		else	
+		else
+		{	
 			memcpy (aesKey, secretKey, 32);
+			memcpy (macKey, secretKey + 32, 32);
+		}
 	}		
 
 	void SSUSession::ProcessNextMessage (uint8_t * buf, size_t len, const boost::asio::ip::udp::endpoint& senderEndpoint)
@@ -172,7 +176,7 @@ namespace ssu
 				SSUHeader * header = (SSUHeader *)buf;
 				if ((header->flag >> 4) == expectedPayloadType)
 				{
-					CreateAESKey (buf + sizeof (SSUHeader), m_SessionKey);	
+					CreateAESandMacKey (buf + sizeof (SSUHeader), m_SessionKey, m_MacKey);	
 					return true;				
 				}
 				else
diff --git a/SSU.h b/SSU.h
index 1dcf536e..2c797804 100644
--- a/SSU.h
+++ b/SSU.h
@@ -63,7 +63,7 @@ namespace ssu
 
 		private:
 
-			void CreateAESKey (uint8_t * pubKey, uint8_t * aesKey); // TODO: shouldn't be here
+			void CreateAESandMacKey (uint8_t * pubKey, uint8_t * aesKey, uint8_t * macKey); 
 
 			void ProcessSessionRequest (uint8_t * buf, size_t len, const boost::asio::ip::udp::endpoint& senderEndpoint);
 			void SendSessionRequest ();
@@ -83,7 +83,7 @@ namespace ssu
 			SessionState m_State;	
 			CryptoPP::CBC_Mode<CryptoPP::AES>::Encryption m_Encryption;	
 			CryptoPP::CBC_Mode<CryptoPP::AES>::Decryption m_Decryption;	
-			uint8_t m_SessionKey[32];
+			uint8_t m_SessionKey[32], m_MacKey[32];
 	};
 
 	class SSUServer
diff --git a/Streaming.cpp b/Streaming.cpp
index 5d59b6f0..c7cd9ad3 100644
--- a/Streaming.cpp
+++ b/Streaming.cpp
@@ -173,9 +173,10 @@ namespace stream
 
 		if (!m_OutboundTunnel)
 			m_OutboundTunnel = i2p::tunnel::tunnels.GetNextOutboundTunnel ();
-		if (m_OutboundTunnel)
+		auto leases = m_RemoteLeaseSet->GetNonExpiredLeases ();
+		if (m_OutboundTunnel && !leases.empty ())
 		{
-			auto& lease = m_RemoteLeaseSet->GetLeases ()[0]; // TODO:
+			auto& lease = *leases.begin (); // TODO:
 			m_OutboundTunnel->SendTunnelDataMsg (lease.tunnelGateway, lease.tunnelID, msg);
 		}	
 		else
@@ -209,7 +210,7 @@ namespace stream
 			auto leases = m_RemoteLeaseSet->GetNonExpiredLeases ();
 			if (!leases.empty ())
 			{	
-				auto& lease = leases[0]; // TODO:
+				auto& lease = *leases.begin (); // TODO:
 				m_OutboundTunnel->SendTunnelDataMsg (lease.tunnelGateway, lease.tunnelID, msg);
 				LogPrint ("Quick Ack sent");
 			}	
@@ -252,11 +253,12 @@ namespace stream
 
 			I2NPMessage * msg = i2p::garlic::routing.WrapSingleMessage (m_RemoteLeaseSet, 
 				CreateDataMessage (this, packet, size));
-			if (m_OutboundTunnel)
+			auto leases = m_RemoteLeaseSet->GetNonExpiredLeases ();
+			if (m_OutboundTunnel && !leases.empty ())
 			{
-				auto& lease = m_RemoteLeaseSet->GetLeases ()[0]; // TODO:
+				auto& lease = *leases.begin (); // TODO:
 				m_OutboundTunnel->SendTunnelDataMsg (lease.tunnelGateway, lease.tunnelID, msg);
-				LogPrint ("FIN sent");
+				LogPrint ("FIN sent");	
 			}	
 			else
 				DeleteI2NPMessage (msg);