diff --git a/src/dtls13.c b/src/dtls13.c
index 725e1d9c1..3591d67b4 100644
--- a/src/dtls13.c
+++ b/src/dtls13.c
@@ -363,11 +363,13 @@ int Dtls13ProcessBufferedMessages(WOLFSSL* ssl)
 if (!msg->ready)
 break;
+#ifndef WOLFSSL_DISABLE_EARLY_SANITY_CHECKS
 ret = MsgCheckEncryption(ssl, msg->type, msg->encrypted);
 if (ret != 0) {
 SendAlert(ssl, alert_fatal, unexpected_message);
 break;
 }
+#endif
 /* We may have DTLS <=1.2 msgs stored from before we knew which version
 * we were going to use. Interpret correctly. */
diff --git a/src/internal.c b/src/internal.c
index 16667e78b..60d221f74 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -10718,6 +10718,8 @@ int CheckAvailableSize(WOLFSSL *ssl, int size)
 return 0;
 }
+#ifndef WOLFSSL_DISABLE_EARLY_SANITY_CHECKS
+
 int MsgCheckEncryption(WOLFSSL* ssl, byte type, byte encrypted)
 {
 #ifdef WOLFSSL_QUIC
@@ -10952,6 +10954,8 @@ static int MsgCheckBoundary(const WOLFSSL* ssl, byte type,
 return 0;
 }
+#endif /* WOLFSSL_DISABLE_EARLY_SANITY_CHECKS */
+
 /**
 * This check is performed as soon as the handshake message type becomes known.
 * These checks can not be delayed and need to be performed when the msg is
@@ -10967,8 +10971,9 @@ static int MsgCheckBoundary(const WOLFSSL* ssl, byte type,
 */
 int EarlySanityCheckMsgReceived(WOLFSSL* ssl, byte type, word32 msgSz)
 {
- byte version_negotiated = 0;
 int ret = 0;
+#ifndef WOLFSSL_DISABLE_EARLY_SANITY_CHECKS
+ byte version_negotiated = 0;
 WOLFSSL_ENTER("EarlySanityCheckMsgReceived");
@@ -10995,6 +11000,11 @@ int EarlySanityCheckMsgReceived(WOLFSSL* ssl, byte type, word32 msgSz)
 SendAlert(ssl, alert_fatal, unexpected_message);
 WOLFSSL_LEAVE("EarlySanityCheckMsgReceived", ret);
+#else
+ (void)ssl;
+ (void)type;
+ (void)msgSz;
+#endif
 return ret;
 }
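Review bot: The new `#ifndef WOLFSSL_DISABLE_EARLY_SANITY_CHECKS` / `#endif` pair around the MsgCheckEncryption call is written at column 0 here, while the identical guard added inside DtlsMsgDrain in src/internal.c is indented to the statement level (`    #ifndef WOLFSSL_DISABLE_EARLY_SANITY_CHECKS`); the two sites wrap the same four statements and should use one convention. Dtls13ProcessBufferedMessages begins and ends outside this hunk, so the loop that owns `msg` and `ret` is not visible here.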
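Review bot: The trailing comment on the new `#endif` after MsgCheckBoundary names the macro as if it closed an `#ifdef`, but the block it closes, opened just before MsgCheckEncryption in the previous hunk, is `#ifndef`; the conventional spelling is `#endif /* !WOLFSSL_DISABLE_EARLY_SANITY_CHECKS */`. Since the guard spans several functions that are not all visible in either hunk, a short comment next to the opening `#ifndef` saying that it compiles out MsgCheckEncryption through MsgCheckBoundary would save readers a search for the matching `#endif`.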
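Review bot: The Doxygen block directly above EarlySanityCheckMsgReceived still says these checks "can not be delayed", but with WOLFSSL_DISABLE_EARLY_SANITY_CHECKS defined the function now returns 0 without looking at the message at all, and the comment should say so; a sentence such as `When WOLFSSL_DISABLE_EARLY_SANITY_CHECKS is defined this function is a no-op that returns 0, and malformed or out-of-order messages are only rejected later by the individual message handlers.` would cover it. The second half of that sentence is inferred from the tests/api.c hunk, where the expected error changes from OUT_OF_ORDER_E to BUFFER_ERROR, so confirm where the later rejection actually happens before wording it that way. The function's body continues into the following hunk, and the checks between the two hunks are not visible here.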
@@ -17568,11 +17578,13 @@ int DtlsMsgDrain(WOLFSSL* ssl)
 item->ready && ret == 0) {
 word32 idx = 0;
+ #ifndef WOLFSSL_DISABLE_EARLY_SANITY_CHECKS
 ret = MsgCheckEncryption(ssl, item->type, item->encrypted);
 if (ret != 0) {
 SendAlert(ssl, alert_fatal, unexpected_message);
 break;
 }
+ #endif
 #ifdef WOLFSSL_NO_TLS12
 ret = DoTls13HandShakeMsgType(ssl, item->fullMsg, &idx, item->type,
diff --git a/tests/api.c b/tests/api.c
index 0a128d16a..98e627b94 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -67471,7 +67471,11 @@ static int test_TLSX_CA_NAMES_bad_extension(void)
 }
 ExpectIntEQ(wolfSSL_connect(ssl_c), -1);
+#ifndef WOLFSSL_DISABLE_EARLY_SANITY_CHECKS
 ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), OUT_OF_ORDER_E);
+#else
+ ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), BUFFER_ERROR);
+#endif
 wolfSSL_free(ssl_c);
 ssl_c = NULL;
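Review bot: The new `#else` branch in test_TLSX_CA_NAMES_bad_extension expects BUFFER_ERROR without saying why a different error code is acceptable for the same malformed CA-names extension, so a reader cannot tell whether the changed code is intended or the assertion was loosened to pass; a comment above the `#else` line such as `/* without the early sanity checks the bad extension is only rejected later, during extension parsing, and surfaces as BUFFER_ERROR */` would record the reason. Whether the later rejection really happens in extension parsing is inferred rather than visible in this hunk, so adjust the wording to wherever the error is actually raised. The test function starts before the hunk, and the handshake setup that produces the bad extension is not visible here.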