diff --git a/lib/libssl/d1_both.c b/lib/libssl/d1_both.c
index 2af307f5941..0a0a80dad97 100644
--- a/lib/libssl/d1_both.c
+++ b/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.94 2026/05/16 08:20:41 jsing Exp $ */
+/* $OpenBSD: d1_both.c,v 1.95 2026/06/06 15:22:25 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -1162,3 +1162,28 @@ dtls1_get_message_header(CBS *header, struct hm_header_st *msg_hdr)
 return 1;
 }
+
+int
+dtls12_handshake_msg_built(SSL *s)
+{
+ unsigned long len;
+ uint8_t msg_type;
+ CBS cbs;
+
+ CBS_init(&cbs, s->init_buf->data, s->init_num);
+ if (!CBS_get_u8(&cbs, &msg_type))
+ return 0;
+
+ if (s->init_off != 0)
+ return 0;
+ if (s->init_num < DTLS1_HM_HEADER_LENGTH)
+ return 0;
+
+ len = s->init_num - DTLS1_HM_HEADER_LENGTH;
+
+ dtls1_set_message_header(s, msg_type, len, 0, len);
+
+ dtls1_buffer_message(s, 0);
+
+ return 1;
+}
diff --git a/lib/libssl/dtls_local.h b/lib/libssl/dtls_local.h
index a3d7f886155..9da48d17392 100644
--- a/lib/libssl/dtls_local.h
+++ b/lib/libssl/dtls_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dtls_local.h,v 1.6 2026/05/25 13:34:58 jsg Exp $ */
+/* $OpenBSD: dtls_local.h,v 1.7 2026/06/06 15:22:25 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -222,6 +222,7 @@ long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg);
 int dtls1_get_message(SSL *s, int st1, int stn, int mt, long max);
 int dtls1_get_record(SSL *s);
+int dtls12_handshake_msg_built(SSL *s);
 __END_HIDDEN_DECLS
 #endif /* !HEADER_DTLS_LOCL_H */
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index ee9a695ecd9..df45df47fc0 100644
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
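Review bot: In `dtls12_handshake_msg_built()` (lib/libssl/d1_both.c, second hunk) the result of `dtls1_buffer_message(s, 0)` is discarded and the function returns 1 regardless. Assuming that function returns `int` as it does elsewhere in libssl (its definition is outside this diff), a failure to queue the message for retransmission goes unreported; since this helper now has its own failure path, propagate it with `if (!dtls1_buffer_message(s, 0)) return 0;`. The `s->init_off != 0` and `s->init_num < DTLS1_HM_HEADER_LENGTH` checks would also be better placed ahead of `CBS_init()`, so the length handed to the CBS has already been validated (this matters if `init_num` is a signed type, which is not visible here). A short comment above the function stating that it expects a complete handshake message in `s->init_buf` with `init_off == 0` would document the contract for future callers.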
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.259 2026/06/06 15:08:15 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.260 2026/06/06 15:22:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1209,18 +1209,8 @@ ssl3_handshake_msg_finish(SSL *s, CBB *handshake)
 s->init_off = 0;
 if (SSL_is_dtls(s)) {
- unsigned long len;
- uint8_t msg_type;
- CBS cbs;
-
- CBS_init(&cbs, data, outlen);
- if (!CBS_get_u8(&cbs, &msg_type))
+ if (!dtls12_handshake_msg_built(s))
 goto err;
-
- len = outlen - DTLS1_HM_HEADER_LENGTH;
-
- dtls1_set_message_header(s, msg_type, len, 0, len);
- dtls1_buffer_message(s, 0);
 }
 ret = 1;
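Review bot: The call `dtls12_handshake_msg_built(s)` in `ssl3_handshake_msg_finish()` (second hunk of lib/libssl/s3_lib.c) no longer uses the locals `data` and `outlen` that the removed lines parsed. The helper reads `s->init_buf->data` and `s->init_num` instead, so it is only correct if those fields already describe the finished CBB output at this point. Only `s->init_off = 0;` is visible in the hunk; the assignments are above it, outside the hunk, so that ordering is worth confirming. A one-line comment above the call, e.g. `/* init_buf and init_num must already hold the finished message. */`, would keep a later reordering from silently building the DTLS header over stale buffer contents.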