diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 820f5a59e1..f4c0c56b56 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -76,8 +76,6 @@ static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl )
     return( 0 );
 }
 
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
 /*
  * Start a timer.
  * Passing millisecs = 0 cancels a running timer.
@@ -100,11 +98,15 @@ static int ssl_check_timer( mbedtls_ssl_context *ssl )
         return( -2 );
 
     if( ssl->f_get_timer( ssl->p_timer ) == 2 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) );
         return( -1 );
+    }
 
     return( 0 );
 }
 
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
 /*
  * Double the retransmit timeout value, within the allowed range,
  * returning -1 if the maximum value has already been reached.
@@ -2355,7 +2357,11 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
         while( ssl->in_left < nb_want )
         {
             len = nb_want - ssl->in_left;
-            ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr + ssl->in_left, len );
+
+            if( ssl_check_timer( ssl ) != 0 )
+                ret = MBEDTLS_ERR_SSL_TIMEOUT;
+            else
+                ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr + ssl->in_left, len );
 
             MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
                            ssl->in_left, nb_want ) );
@@ -4934,6 +4940,8 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
             ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
         else
             ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
+
+        ssl_set_timer( ssl, 0 );
     }
 #endif
 
@@ -5050,6 +5058,9 @@ int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl )
 
     ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
 
+    /* Cancel any possibly running timer */
+    ssl_set_timer( ssl, 0 );
+
 #if defined(MBEDTLS_SSL_RENEGOTIATION)
     ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
     ssl->renego_records_seen = 0;
@@ -5276,6 +5287,9 @@ void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
     ssl->p_timer        = p_timer;
     ssl->f_set_timer    = f_set_timer;
     ssl->f_get_timer    = f_get_timer;
+
+    /* Make sure we start with no timer running */
+    ssl_set_timer( ssl, 0 );
 }
 
 #if defined(MBEDTLS_SSL_SRV_C)
@@ -6056,11 +6070,9 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
 
     if( ssl->in_offt == NULL )
     {
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
         /* Start timer if not already running */
         if( ssl->f_get_timer( ssl->p_timer ) == -1 )
             ssl_set_timer( ssl, ssl->conf->read_timeout );
-#endif
 
         if( ! record_read )
         {
@@ -6218,12 +6230,12 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
 
         ssl->in_offt = ssl->in_msg;
 
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
         /* We're going to return something now, cancel timer,
          * except if handshake (renegotiation) is in progress */
         if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
             ssl_set_timer( ssl, 0 );
 
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
         /* If we requested renego but received AppData, resend HelloRequest.
          * Do it now, after setting in_offt, to avoid taking this branch
          * again if ssl_write_hello_request() returns WANT_WRITE */