DTLS server side false start before certificate verify and client certificate

Question

In DTLSv1.2 with OpenSSL 1.1.1k I have observed a case of server sending application data after sending a certificate verify request along with server key exchange, server hello done and new session ticket change cipher spec and encrypt handshake message. But it hasn't waited for the client to send its certificate and certificate verify message. I do use ciphers like ECDHE-RSA-AES128-GCM-SHA384 which have forward secrecy enabled and thus false start is possible. But false start as I understand is only that either peer starts sending application data before recieving change cipher spec and encrypt handshake message from the other side, but it cannot do so without verifying remote side certificate which means the encryption begins to remote side before authentication is complete. Is this a vulnerabilty? Please help me understand this scenario.

Answer to specfic case of false start in DTLS without validating client certificate.

Answer 1

Questions about possible vulnerabilities are better placed at the projects itself, here openssl.

I have observed a case of server sending application data after sending a certificate verify request

Then provide a ip capture (tcp-dump/wireshark) and open an issue at the openssl project.

RFC6347 4.2.4 shows the messages exchanged for DTLS 1.2. It requires an ip-capture to see precise what happens in your case.