Do resuming check as soon as we get a non-resumption msg

src/internal.c

@@ -14766,6 +14766,24 @@ static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
     }
 #endif
 
+    if (ssl->options.side == WOLFSSL_CLIENT_END) {
+        switch (type) {
+        case certificate:
+        case server_key_exchange:
+        case certificate_request:
+        case server_hello_done:
+            if (ssl->options.resuming) {
+                /* This can occur when ssl->sessionSecretCb is set. EAP-FAST
+                 * (RFC 4851) allows for detecting server session resumption
+                 * based on the msg received after the ServerHello. */
+                WOLFSSL_MSG("Not resuming as thought");
+                ssl->options.resuming = 0;
+                /* No longer resuming, reset peer authentication state. */
+                ssl->options.peerAuthGood = 0;
+            }
+        }
+    }
+
     switch (type) {
 
     case hello_request:
@@ -14872,12 +14890,6 @@ static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                 *inOutIdx += MacSize(ssl);
         #endif
         }
-        if (ssl->options.resuming) {
-            WOLFSSL_MSG("Not resuming as thought");
-            ssl->options.resuming = 0;
-            /* CLIENT: No longer resuming, reset peer authentication state. */
-            ssl->options.peerAuthGood = 0;
-        }
         break;
 
     case finished:

src/ssl.c

@@ -12148,6 +12148,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
             /* CLIENT: Fail-safe for Server Authentication. */
             if (!ssl->options.peerAuthGood) {
                 WOLFSSL_MSG("Server authentication did not happen");
+                ssl->error = NO_PEER_VERIFY;
                 return WOLFSSL_FATAL_ERROR;
             }