diff --git a/src/dtls13.c b/src/dtls13.c
index 2b9d1edaa..d1389ded2 100644
--- a/src/dtls13.c
+++ b/src/dtls13.c
@@ -90,8 +90,6 @@ typedef struct Dtls13RecordPlaintextHeader {
 
 /* size of the len field in the unified header */
 #define DTLS13_LEN_SIZE 2
-/* size of the mask used to encrypt/decrypt Record Number  */
-#define DTLS13_RN_MASK_SIZE 16
 /* size of the flags in the unified header */
 #define DTLS13_HDR_FLAGS_SIZE 1
 /* size of the sequence number wher SEQ_LEN_BIT is present */
diff --git a/src/internal.c b/src/internal.c
index 2e746ecdc..15cf3b743 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -10176,13 +10176,15 @@ static int GetDtls13RecordHeader(WOLFSSL* ssl, word32* inOutIdx,
     if (ret != 0)
         return ret;
 
-    if (readSize < ssl->dtls13CurRlLength) {
+    if (readSize < ssl->dtls13CurRlLength + DTLS13_RN_MASK_SIZE) {
         /* when using DTLS over a medium that does not guarantee that a full
          * message is received in a single read, we may end up without the full
-         * header */
-        ret = GetInputData(ssl, ssl->dtls13CurRlLength - readSize);
+         * header and minimum ciphertext to decrypt record sequence numbers */
+        ret = GetInputData(ssl, ssl->dtls13CurRlLength + DTLS13_RN_MASK_SIZE);
         if (ret != 0)
             return ret;
+
+        readSize = ssl->buffers.inputBuffer.length - *inOutIdx;
     }
 
     ret = Dtls13ParseUnifiedRecordLayer(ssl,
@@ -10234,11 +10236,8 @@ static int GetDtlsRecordHeader(WOLFSSL* ssl, word32* inOutIdx,
 #endif
 
 #ifdef WOLFSSL_DTLS13
-    word32 read_size;
     int ret;
 
-    read_size = ssl->buffers.inputBuffer.length - *inOutIdx;
-
     if (Dtls13IsUnifiedHeader(*(ssl->buffers.inputBuffer.buffer + *inOutIdx))) {
 
         /* version 1.3 already negotiated */
@@ -10263,8 +10262,8 @@ static int GetDtlsRecordHeader(WOLFSSL* ssl, word32* inOutIdx,
 
     /* not a unified header, check that we have at least
      * DTLS_RECORD_HEADER_SZ */
-    if (read_size < DTLS_RECORD_HEADER_SZ) {
-        ret = GetInputData(ssl, DTLS_RECORD_HEADER_SZ - read_size);
+    if (ssl->buffers.inputBuffer.length - *inOutIdx < DTLS_RECORD_HEADER_SZ) {
+        ret = GetInputData(ssl, DTLS_RECORD_HEADER_SZ);
         if (ret != 0)
             return LENGTH_ERROR;
     }
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index d5451b752..a73676e72 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -4640,6 +4640,9 @@ typedef enum EarlyDataState {
 
 #ifdef WOLFSSL_DTLS13
 
+/* size of the mask used to encrypt/decrypt Record Number  */
+#define DTLS13_RN_MASK_SIZE 16
+
 typedef struct Dtls13UnifiedHdrInfo {
     word16 recordLength;
     byte seqLo;