diff -up openssl-1.0.0/ssl/d1_lib.c.dtls1 openssl-1.0.0/ssl/d1_lib.c
--- openssl-1.0.0/ssl/d1_lib.c.dtls1	2009-12-08 12:38:17.000000000 +0100
+++ openssl-1.0.0/ssl/d1_lib.c	2010-04-09 16:29:49.000000000 +0200
@@ -283,6 +283,16 @@ struct timeval* dtls1_get_timeout(SSL *s
 		timeleft->tv_usec += 1000000;
 		}
 
+	/* If remaining time is less than 15 ms, set it to 0
+	 * to prevent issues because of small devergences with
+	 * socket timeouts.
+	 */
+	if (timeleft->tv_sec == 0 && timeleft->tv_usec < 15000)
+		{
+		memset(timeleft, 0, sizeof(struct timeval));
+		}
+	
+
 	return timeleft;
 	}
 
diff -up openssl-1.0.0/ssl/d1_pkt.c.dtls1 openssl-1.0.0/ssl/d1_pkt.c
--- openssl-1.0.0/ssl/d1_pkt.c.dtls1	2009-10-04 18:52:35.000000000 +0200
+++ openssl-1.0.0/ssl/d1_pkt.c	2010-04-09 16:30:49.000000000 +0200
@@ -667,14 +667,14 @@ again:
 	if (rr->length == 0) goto again;
 
 	/* If this record is from the next epoch (either HM or ALERT),
-	 * buffer it since it cannot be processed at this time. Records
-	 * from the next epoch are marked as received even though they
-	 * are not processed, so as to prevent any potential resource
-	 * DoS attack */
+	 * and a handshake is currently in progress, buffer it since it
+	 * cannot be processed at this time. */
 	if (is_next_epoch)
 		{
-		dtls1_record_bitmap_update(s, bitmap);
-		dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
+		if (SSL_in_init(s) || s->in_handshake)
+			{
+			dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
+			}
 		rr->length = 0;
 		s->packet_length = 0;
 		goto again;
@@ -809,7 +809,7 @@ start:
 		 * buffer the application data for later processing rather
 		 * than dropping the connection.
 		 */
-		dtls1_buffer_record(s, &(s->d1->buffered_app_data), 0);
+		dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num);
 		rr->length = 0;
 		goto start;
 		}