diff --git a/conn.go b/conn.go
index 2fd64ec..6cc52a5 100644
--- a/conn.go
+++ b/conn.go
@@ -776,6 +776,11 @@ func (c *Conn) readRecord(want recordType) error {
 c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage))
 break
 }
+ // Handshake messages are not allowed to fragment across the CCS
+ if c.hand.Len() > 0 {
+ c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage))
+ break
+ }
 err := c.in.changeCipherSpec()
 if err != nil {
 c.in.setErrorLocked(c.sendAlert(err.(alert)))
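Review bot: The comment added above the `c.hand.Len() > 0` check states the rule but not the reason, and the reason is what a later maintainer needs before relaxing or moving this guard. Presumably any bytes still buffered in `c.hand` were read before the cipher change, so completing that message after `changeCipherSpec()` would join data from two protection states. I would spell that out, e.g. `// Handshake messages must not fragment across the CCS: a partial message in c.hand was read` followed by `// under the old cipher state and must not be completed by records read after the switch.` The body of readRecord starts and ends outside this hunk, so whether other record-type branches need a matching guard cannot be judged from here. No regression test appears in this diff; a case feeding a partial handshake message followed by a ChangeCipherSpec and expecting `alertUnexpectedMessage` would pin the behaviour.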