diff --git a/src/internal.c b/src/internal.c
index b0d0b7f66..49fc511ff 100755
--- a/src/internal.c
+++ b/src/internal.c
@@ -6211,7 +6211,10 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
                 WOLFSSL_MSG("Duplicate ChangeCipher received");
                 return DUPLICATE_MSG_E;
             }
-            ssl->msgsReceived.got_change_cipher = 1;
+            /* DTLS is going to ignore the CCS message if the client key
+             * exchange message wasn't received yet. */
+            if (!ssl->options.dtls)
+                ssl->msgsReceived.got_change_cipher = 1;
 
 #ifndef NO_WOLFSSL_CLIENT
             if (ssl->options.side == WOLFSSL_CLIENT_END) {
@@ -6231,7 +6234,8 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
                 }
             }
 #endif
-
+            if (ssl->options.dtls)
+                ssl->msgsReceived.got_change_cipher = 1;
             break;
 
         default:
@@ -8028,8 +8032,12 @@ int ProcessReply(WOLFSSL* ssl)
             if (ssl->options.dtls && ret == SEQUENCE_ERROR) {
                 WOLFSSL_MSG("Silently dropping out of order DTLS message");
                 ssl->options.processReply = doProcessInit;
-                ssl->buffers.inputBuffer.length = 0;
-                ssl->buffers.inputBuffer.idx = 0;
+                ssl->buffers.inputBuffer.idx += ssl->curSize;
+
+                ret = DtlsPoolSend(ssl);
+                if (ret != 0)
+                    return ret;
+
                 continue;
             }
 #endif
@@ -8161,31 +8169,33 @@ int ProcessReply(WOLFSSL* ssl)
                         }
                     #endif
 
-#ifdef WOLFSSL_DTLS
-                    /* Check for duplicate CCS message in DTLS mode.
-                     * DTLS allows for duplicate messages, and it should be
-                     * skipped. */
-                    if (ssl->options.dtls &&
-                        ssl->msgsReceived.got_change_cipher) {
-
-                        WOLFSSL_MSG("Duplicate ChangeCipher msg");
-                        ret = DtlsPoolSend(ssl);
-                        if (ret != 0)
-                            return ret;
-
-                        if (ssl->curSize != 1) {
-                            WOLFSSL_MSG("Malicious or corrupted"
-                                        " duplicate ChangeCipher msg");
-                            return LENGTH_ERROR;
-                        }
-                        ssl->buffers.inputBuffer.idx++;
-                        break;
-                    }
-#endif
-
                     ret = SanityCheckMsgReceived(ssl, change_cipher_hs);
-                    if (ret != 0)
-                        return ret;
+                    if (ret != 0) {
+                        if (!ssl->options.dtls) {
+                            return ret;
+                        }
+#ifdef WOLFSSL_DTLS
+                        else {
+                        /* Check for duplicate CCS message in DTLS mode.
+                         * DTLS allows for duplicate messages, and it should be
+                         * skipped. Also skip if out of order. */
+                            if (ret != DUPLICATE_MSG_E && ret != OUT_OF_ORDER_E)
+                                return ret;
+
+                            ret = DtlsPoolSend(ssl);
+                            if (ret != 0)
+                                return ret;
+
+                            if (ssl->curSize != 1) {
+                                WOLFSSL_MSG("Malicious or corrupted"
+                                            " duplicate ChangeCipher msg");
+                                return LENGTH_ERROR;
+                            }
+                            ssl->buffers.inputBuffer.idx++;
+                            break;
+                        }
+#endif /* WOLFSSL_DTLS */
+                    }
 
 #ifdef HAVE_SESSION_TICKET
                     if (ssl->options.side == WOLFSSL_CLIENT_END &&