From f2f9d5bbe7a1f2fae7fe189c8f78cd1636bac991 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner <douzzer@wolfssl.com>
Date: Fri, 30 Jan 2026 22:38:44 -0600
Subject: [PATCH] src/internal.c: in SanityCheckMsgReceived(), gate "TLS 1.2
 message order check: certificate before CKE" from 5b6f86bc8e on
 !WOLFSSL_NO_CLIENT_AUTH.

---
 src/internal.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/internal.c b/src/internal.c
index ea3b3f537..74f59faff 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -18083,12 +18083,14 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
                 WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                 return OUT_OF_ORDER_E;
             }
+#ifndef WOLFSSL_NO_CLIENT_AUTH
             if (!ssl->options.resuming && ssl->options.verifyPeer &&
                     !ssl->options.usingPSK_cipher &&
                     !ssl->options.usingAnon_cipher &&
                     !ssl->msgsReceived.got_certificate) {
                 return OUT_OF_ORDER_E;
             }
+#endif
             if (ssl->msgsReceived.got_certificate_verify||
                     ssl->msgsReceived.got_change_cipher ||
                     ssl->msgsReceived.got_finished) {