diff --git a/src/internal.c b/src/internal.c
index fbdbb13a0..e7d67ff85 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -15157,6 +15157,7 @@ int ProcessReply(WOLFSSL* ssl)
                     }
                     else {
 #ifdef WOLFSSL_TLS13
+                        ssl->msgsReceived.got_change_cipher = 0;
                         ret = DoTls13HandShakeMsg(ssl,
                                             ssl->buffers.inputBuffer.buffer,
                                             &ssl->buffers.inputBuffer.idx,
@@ -15219,6 +15220,13 @@ int ProcessReply(WOLFSSL* ssl)
                             return UNKNOWN_RECORD_TYPE;
                         }
                         ssl->buffers.inputBuffer.idx++;
+                        if (!ssl->msgsReceived.got_change_cipher) {
+                            ssl->msgsReceived.got_change_cipher = 1;
+                        }
+                        else {
+                            SendAlert(ssl, alert_fatal, illegal_parameter);
+                            return UNKNOWN_RECORD_TYPE;
+                        }
                         break;
                     }
     #endif