diff --git a/src/internal.c b/src/internal.c
index ac18d46ec..dd83b86ae 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -6686,6 +6686,22 @@ int ProcessReply(WOLFSSL* ssl)
 }
 #endif
 
+ /* Check for duplicate CCS message in DTLS mode.
+ * DTLS allows for duplicate messages, and it should be
+ * skipped. */
+ if (ssl->options.dtls &&
+ ssl->msgsReceived.got_change_cipher) {
+
+ WOLFSSL_MSG("Duplicate ChangeCipher msg");
+ if (ssl->curSize != 1) {
+ WOLFSSL_MSG("Malicious or corrupted"
+ " duplicate ChangeCipher msg");
+ return LENGTH_ERROR;
+ }
+ ssl->buffers.inputBuffer.idx++;
+ break;
+ }
+
 ret = SanityCheckMsgReceived(ssl, change_cipher_hs);
 if (ret != 0)
 return ret;
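Review bot: In the new duplicate-CCS branch, a record whose `curSize` is not 1 makes ProcessReply return `LENGTH_ERROR`, and whether the caller treats that as fatal to the connection is not visible here. The branch is DTLS-only and is taken for any ChangeCipherSpec record that arrives once `got_change_cipher` is set, so if earlier epoch or MAC checks (also outside this hunk) do not already filter such records, one damaged or spoofed datagram could end the session. RFC 6347 section 4.1.2.7 recommends silently discarding invalid records, which here would mean skipping the whole record, something like `ssl->buffers.inputBuffer.idx += ssl->curSize; break;`, instead of returning an error. The comment could also say why this test sits ahead of `SanityCheckMsgReceived`, presumably because that call would reject the repeated message. ProcessReply starts and ends outside the hunk, so the target of the `break` should be confirmed against the enclosing switch.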