--- ssl/d1_srvr.c
+++ ssl/d1_srvr.c
@@ -128,6 +128,7 @@
 
 static const SSL_METHOD *dtls1_get_server_method(int ver);
 static int dtls1_send_hello_verify_request(SSL *s);
+static int dtls1_cert_verify_expected(SSL* s);
 
 static const SSL_METHOD *dtls1_get_server_method(int ver)
 	{
@@ -656,11 +657,11 @@ int dtls1_accept(SSL *s)
 
 		case SSL3_ST_SR_CERT_VRFY_A:
 		case SSL3_ST_SR_CERT_VRFY_B:
-
-			s->d1->change_cipher_spec_ok = 1;
-			/* we should decide if we expected this one */
-			ret=ssl3_get_cert_verify(s);
-			if (ret <= 0) goto end;
+			if (dtls1_cert_verify_expected(s))
+				{
+				ret=ssl3_get_cert_verify(s);
+				if (ret <= 0) goto end;
+				}
 #ifndef OPENSSL_NO_SCTP
 			if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
 			    state == SSL_ST_RENEGOTIATE)
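Review bot: The new side drops `s->d1->change_cipher_spec_ok = 1;` and nothing in this hunk sets the flag again, so whether the client's ChangeCipherSpec is accepted after this state now depends on code outside the diff. The commit should show where the flag is set instead, preferably only after an expected CertificateVerify has been processed. Separately, when `dtls1_cert_verify_expected(s)` returns 0, `ssl3_get_cert_verify` is no longer called at all, so any rejection it performs for an unsolicited CertificateVerify is skipped here. Please confirm the following state fails closed on such a message. The case body continues past the end of the hunk.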
@@ -1709,3 +1710,19 @@ int dtls1_send_newsession_ticket(SSL *s)
 	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
 	}
 #endif
+
+/* Returns whether the CertificateVerify message is expected */
+int dtls1_cert_verify_expected(SSL* s)
+	{
+	X509 *peer;
+	EVP_PKEY *pkey;
+	int type;
+
+	peer=s->session->peer;
+	if (peer == NULL) return 0;
+	
+	pkey=X509_get_pubkey(peer);
+	type=X509_certificate_type(peer,pkey);
+
+	return (type & EVP_PKT_SIGN) != 0;
+	}
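Review bot: `X509_get_pubkey(peer)` returns a reference that the caller owns, and `dtls1_cert_verify_expected` never releases it. Each handshake that reaches this check with a client certificate therefore leaks one EVP_PKEY reference, which a remote peer can repeat at will; add `EVP_PKEY_free(pkey);` right after the `X509_certificate_type(peer,pkey)` call. The definition also omits `static` although the prototype added at the top of the file declares it `static`; repeating the keyword here keeps the internal linkage obvious. The header comment could also state that the function returns 0 when no peer certificate was received and nonzero only when the certificate's key type can sign.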
