diff --git a/src/internal.c b/src/internal.c
index c0644a4e8..a644124fb 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -2488,6 +2488,11 @@ static int DoHandShakeMsgType(CYASSL* ssl, byte* input, word32* inOutIdx,
 }
 #endif
+ if (ssl->options.handShakeState == HANDSHAKE_DONE && type != hello_request){
+ CYASSL_MSG("HandShake message after handshake complete");
+ return OUT_OF_ORDER_E;
+ }
+
 switch (type) {
 case hello_request:
@@ -2889,6 +2894,11 @@ int DoApplicationData(CYASSL* ssl, byte* input, word32* inOutIdx)
 byte verify[SHA256_DIGEST_SIZE];
 const byte* mac;
+ if (ssl->options.handShakeState != HANDSHAKE_DONE) {
+ CYASSL_MSG("Received App data before handshake complete");
+ return OUT_OF_ORDER_E;
+ }
+
 if (ssl->specs.cipher_type == block) {
 if (ssl->options.tls1_1)
 ivExtra = ssl->specs.block_size;
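Review bot: The `type != hello_request` exemption in the new guard before `switch (type)` does not look at which side of the connection this is, so a hello_request that reaches a server after HANDSHAKE_DONE still falls through to the switch. Whether the `case hello_request:` handler rejects it there is outside this hunk and should be confirmed. A comment above the check would record the intent, for example `/* once the handshake is done, hello_request is the only handshake message still accepted */`. If this function also serves datagram (DTLS) handshakes, a retransmitted final flight from the peer would now return OUT_OF_ORDER_E, so check whether that case should drop the message instead of failing the connection. The body of DoHandShakeMsgType starts and ends outside the hunk.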
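Review bot: The early `return OUT_OF_ORDER_E` at the top of DoApplicationData leaves `*inOutIdx` unchanged, so the guard is only safe if every caller treats this code as fatal and stops walking the record buffer. The callers are not visible here and should be checked, along with whether the peer is sent a fatal unexpected_message alert. The guard relies on handShakeState reaching HANDSHAKE_DONE only after the peer's Finished has been verified, which this hunk does not show. A comment would make that assumption explicit, for example `/* application data is accepted only after the handshake has fully completed */`. A regression test that delivers an application data record while the handshake is still in progress and expects OUT_OF_ORDER_E would keep the check from being lost in a later refactor.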