diff -up openssl-1.0.1e/ssl/ssl3.h.keying-mitm openssl-1.0.1e/ssl/ssl3.h

--- openssl-1.0.1e/ssl/ssl3.h.keying-mitm	2014-06-02 19:48:04.518100562 +0200

+++ openssl-1.0.1e/ssl/ssl3.h	2014-06-02 19:48:04.642103429 +0200

@@ -388,6 +388,7 @@ typedef struct ssl3_buffer_st

 #define TLS1_FLAGS_TLS_PADDING_BUG		0x0008

 #define TLS1_FLAGS_SKIP_CERT_VERIFY		0x0010

 #define TLS1_FLAGS_KEEP_HANDSHAKE		0x0020

+#define SSL3_FLAGS_CCS_OK			0x0080

 /* SSL3_FLAGS_SGC_RESTART_DONE is set when we

  * restart a handshake because of MS SGC and so prevents us

diff -up openssl-1.0.1e/ssl/s3_clnt.c.keying-mitm openssl-1.0.1e/ssl/s3_clnt.c

--- openssl-1.0.1e/ssl/s3_clnt.c.keying-mitm	2013-02-11 16:26:04.000000000 +0100

+++ openssl-1.0.1e/ssl/s3_clnt.c	2014-06-02 19:49:57.042701985 +0200

@@ -510,6 +510,7 @@ int ssl3_connect(SSL *s)

 				s->method->ssl3_enc->client_finished_label,

 				s->method->ssl3_enc->client_finished_label_len);

 			if (ret <= 0) goto end;

+			s->s3->flags |= SSL3_FLAGS_CCS_OK;

 			s->state=SSL3_ST_CW_FLUSH;

 			/* clear flags */

@@ -559,6 +560,7 @@ int ssl3_connect(SSL *s)

 		case SSL3_ST_CR_FINISHED_A:

 		case SSL3_ST_CR_FINISHED_B:

+			s->s3->flags |= SSL3_FLAGS_CCS_OK;

 			ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,

 				SSL3_ST_CR_FINISHED_B);

 			if (ret <= 0) goto end;

@@ -901,6 +903,7 @@ int ssl3_get_server_hello(SSL *s)

 			{

 			s->session->cipher = pref_cipher ?

 				pref_cipher : ssl_get_cipher_by_char(s, p+j);

+			s->s3->flags |= SSL3_FLAGS_CCS_OK;

 			}

 		}

 #endif /* OPENSSL_NO_TLSEXT */

@@ -916,6 +918,7 @@ int ssl3_get_server_hello(SSL *s)

 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);

 		goto f_err;

 		}

+	    s->s3->flags |= SSL3_FLAGS_CCS_OK;

 	    s->hit=1;

 	    }

 	else	/* a miss or crap from the other end */

diff -up openssl-1.0.1e/ssl/s3_pkt.c.keying-mitm openssl-1.0.1e/ssl/s3_pkt.c

--- openssl-1.0.1e/ssl/s3_pkt.c.keying-mitm	2014-06-02 19:48:04.640103383 +0200

+++ openssl-1.0.1e/ssl/s3_pkt.c	2014-06-02 19:48:04.643103452 +0200

@@ -1298,6 +1298,15 @@ start:

 			goto f_err;

 			}

+		if (!(s->s3->flags & SSL3_FLAGS_CCS_OK))

+			{

+			al=SSL_AD_UNEXPECTED_MESSAGE;

+			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);

+			goto f_err;

+			}

+

+		s->s3->flags &= ~SSL3_FLAGS_CCS_OK;

+

 		rr->length=0;

 		if (s->msg_callback)

@@ -1432,7 +1441,7 @@ int ssl3_do_change_cipher_spec(SSL *s)

 	if (s->s3->tmp.key_block == NULL)

 		{

-		if (s->session == NULL) 

+		if (s->session == NULL || s->session->master_key_length == 0)

 			{

 			/* might happen if dtls1_read_bytes() calls this */

 			SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);

diff -up openssl-1.0.1e/ssl/s3_srvr.c.keying-mitm openssl-1.0.1e/ssl/s3_srvr.c

--- openssl-1.0.1e/ssl/s3_srvr.c.keying-mitm	2014-06-02 19:48:04.630103151 +0200

+++ openssl-1.0.1e/ssl/s3_srvr.c	2014-06-02 19:48:04.643103452 +0200

@@ -673,6 +673,7 @@ int ssl3_accept(SSL *s)

 		case SSL3_ST_SR_CERT_VRFY_A:

 		case SSL3_ST_SR_CERT_VRFY_B:

+			s->s3->flags |= SSL3_FLAGS_CCS_OK;

 			/* we should decide if we expected this one */

 			ret=ssl3_get_cert_verify(s);

 			if (ret <= 0) goto end;

@@ -700,6 +701,7 @@ int ssl3_accept(SSL *s)

 		case SSL3_ST_SR_FINISHED_A:

 		case SSL3_ST_SR_FINISHED_B:

+			s->s3->flags |= SSL3_FLAGS_CCS_OK;

 			ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,

 				SSL3_ST_SR_FINISHED_B);

 			if (ret <= 0) goto end;

@@ -770,7 +772,10 @@ int ssl3_accept(SSL *s)

 				s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;

 #else

 				if (s->s3->next_proto_neg_seen)

+					{

+					s->s3->flags |= SSL3_FLAGS_CCS_OK;

 					s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A;

+					}

 				else

 					s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;

 #endif