diff --git a/contrib/src/gnutls/dtls-packet-reordering.patch b/contrib/src/gnutls/dtls-packet-reordering.patch
new file mode 100644
index 0000000000000000000000000000000000000000..24a474aa686650c1ca8e7c8e64e7d8fc8ab023ef
--- /dev/null
+++ b/contrib/src/gnutls/dtls-packet-reordering.patch
@@ -0,0 +1,5 @@
+--- a/lib/gnutls_buffers.c
++++ b/lib/gnutls_buffers.c
+@@ -1033 +1033 @@
+-		    && hsk->end_offset >=
++		    && hsk->end_offset + 1 >=
diff --git a/contrib/src/gnutls/rules.mak b/contrib/src/gnutls/rules.mak
index bdecce51188df196592e9006b813aa4693177b98..58fbd7586f9901e763a56f5f1d77aebcdaa49d25 100644
--- a/contrib/src/gnutls/rules.mak
+++ b/contrib/src/gnutls/rules.mak
@@ -4,7 +4,9 @@ GNUTLS_VERSION := 3.4.10
 GNUTLS_URL := ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-$(GNUTLS_VERSION).tar.xz
 
 PKGS += gnutls
-ifeq ($(call need_pkg,"gnutls >= 3.3.19"),)
+# We need at least the 3.4.10, but DTLS handshake re-ordered packet fix is only available since 3.4.14
+# So we patch the 3.4.10 until official release of 3.4.14
+ifeq ($(call need_pkg,"gnutls >= 3.4.14"),)
 PKGS_FOUND += gnutls
 endif
 
@@ -32,6 +34,7 @@ ifndef HAVE_IOS
 	$(APPLY) $(SRC)/gnutls/mac-keychain-lookup.patch
 endif
 	$(APPLY) $(SRC)/gnutls/format-security.patch
+	$(APPLY) $(SRC)/gnutls/dtls-packet-reordering.patch
 	$(call pkg_static,"lib/gnutls.pc.in")
 	$(UPDATE_AUTOCONFIG)
 	$(MOVE)
diff --git a/contrib/src/nettle/rules.mak b/contrib/src/nettle/rules.mak
index 26d4c0b10a43f522c3d9f7b52a83bc3ada5286ac..888570e3a5d27badb52374cf5c6154790c6b0571 100644
--- a/contrib/src/nettle/rules.mak
+++ b/contrib/src/nettle/rules.mak
@@ -3,9 +3,14 @@
 NETTLE_VERSION := 3.1
 NETTLE_URL := $(GNU)/nettle/nettle-$(NETTLE_VERSION).tar.gz
 
-ifeq ($(call need_pkg,"nettle >= 3.1"),)
-PKGS_FOUND += nettle
-endif
+PKGS += nettle
+
+# TEMPORARY DISABLED
+# Force nettle contrib until gnutls major patches are upstream and released
+# See gnutls rules.mak for more information
+#ifeq ($(call need_pkg,"nettle >= 3.1"),)
+#PKGS_FOUND += nettle
+#endif
 
 $(TARBALLS)/nettle-$(NETTLE_VERSION).tar.gz:
 	$(call download,$(NETTLE_URL))
diff --git a/src/security/tls_session.h b/src/security/tls_session.h
index a702876a8613fbfbb1ca12a587b08bbd327d77b6..b895690f3a0cf1c166723c05095aa08ae9f18409 100644
--- a/src/security/tls_session.h
+++ b/src/security/tls_session.h
@@ -137,7 +137,7 @@ public:
     };
 
     TlsSession(std::shared_ptr<IceTransport> ice, int ice_comp_id, const TlsParams& params,
-               const TlsSessionCallbacks& cbs, bool anonymous=false);
+               const TlsSessionCallbacks& cbs, bool anonymous=true);
     ~TlsSession();
 
     // Returns the TLS session type ('server' or 'client')