[release-branch.go1.3] crypto/tls: ensure that we don't resume when tickets are disabled
A security bug affects programs that use crypto/tls to implement a TLS server
from Go 1.1 onwards. If the server enables TLS client authentication using
certificates (this is rare) and explicitly sets SessionTicketsDisabled to true
in the tls.Config, then a malicious client can falsely assert ownership of any
client certificate it wishes.
This issue was discovered internally and there is no evidence of exploitation.
Change authored by Adam Langley <agl@golang.org>
https://golang.org/cl/
148080043/