diff --git a/api/next/67516.txt b/api/next/67516.txt
new file mode 100644
index 0000000000..a9b6007d06
--- /dev/null
+++ b/api/next/67516.txt
@@ -0,0 +1 @@
+pkg crypto/tls, type ConnectionState struct, CurveID CurveID #67516
diff --git a/doc/next/6-stdlib/99-minor/crypto/tls/67516.md b/doc/next/6-stdlib/99-minor/crypto/tls/67516.md
new file mode 100644
index 0000000000..3790533d16
--- /dev/null
+++ b/doc/next/6-stdlib/99-minor/crypto/tls/67516.md
@@ -0,0 +1,2 @@
+The new [ConnectionState.CurveID] field exposes the key exchange mechanism used
+to establish the connection.
diff --git a/src/crypto/tls/common.go b/src/crypto/tls/common.go
index f2dde9754b..dd6f1dac73 100644
--- a/src/crypto/tls/common.go
+++ b/src/crypto/tls/common.go
@@ -247,6 +247,11 @@ type ConnectionState struct {
 	// TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_AES_128_GCM_SHA256).
 	CipherSuite uint16
 
+	// CurveID is the key exchange mechanism used for the connection. The name
+	// refers to elliptic curves for legacy reasons, see [CurveID]. If a legacy
+	// RSA key exchange is used, this value is zero.
+	CurveID CurveID
+
 	// NegotiatedProtocol is the application protocol negotiated with ALPN.
 	NegotiatedProtocol string
 
@@ -304,10 +309,6 @@ type ConnectionState struct {
 
 	// testingOnlyDidHRR is true if a HelloRetryRequest was sent/received.
 	testingOnlyDidHRR bool
-
-	// testingOnlyCurveID is the selected CurveID, or zero if an RSA exchanges
-	// is performed.
-	testingOnlyCurveID CurveID
 }
 
 // ExportKeyingMaterial returns length bytes of exported key material in a new
diff --git a/src/crypto/tls/conn.go b/src/crypto/tls/conn.go
index 8163328d3f..1276665a2f 100644
--- a/src/crypto/tls/conn.go
+++ b/src/crypto/tls/conn.go
@@ -1633,8 +1633,7 @@ func (c *Conn) connectionStateLocked() ConnectionState {
 	state.NegotiatedProtocol = c.clientProtocol
 	state.DidResume = c.didResume
 	state.testingOnlyDidHRR = c.didHRR
-	// c.curveID is not set on TLS 1.0–1.2 resumptions. Fix that before exposing it.
-	state.testingOnlyCurveID = c.curveID
+	state.CurveID = c.curveID
 	state.NegotiatedProtocolIsMutual = true
 	state.ServerName = c.serverName
 	state.CipherSuite = c.cipherSuite
diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go
index 1b6d672875..ce48ec4fe6 100644
--- a/src/crypto/tls/handshake_client.go
+++ b/src/crypto/tls/handshake_client.go
@@ -271,6 +271,7 @@ func (c *Conn) clientHandshake(ctx context.Context) (err error) {
 	// This may be a renegotiation handshake, in which case some fields
 	// need to be reset.
 	c.didResume = false
+	c.curveID = 0
 
 	hello, keyShareKeys, ech, err := c.makeClientHello()
 	if err != nil {
@@ -958,10 +959,11 @@ func (hs *clientHandshakeState) processServerHello() (bool, error) {
 	c.verifiedChains = hs.session.verifiedChains
 	c.ocspResponse = hs.session.ocspResponse
 	// Let the ServerHello SCTs override the session SCTs from the original
-	// connection, if any are provided
+	// connection, if any are provided.
 	if len(c.scts) == 0 && len(hs.session.scts) != 0 {
 		c.scts = hs.session.scts
 	}
+	c.curveID = hs.session.curveID
 
 	return true, nil
 }
diff --git a/src/crypto/tls/handshake_messages_test.go b/src/crypto/tls/handshake_messages_test.go
index e4112bfc3e..aafb889b30 100644
--- a/src/crypto/tls/handshake_messages_test.go
+++ b/src/crypto/tls/handshake_messages_test.go
@@ -424,11 +424,13 @@ func (*SessionState) Generate(rand *rand.Rand, size int) reflect.Value {
 	if rand.Intn(10) > 5 && s.EarlyData {
 		s.alpnProtocol = string(randomBytes(rand.Intn(10), rand))
 	}
-	if s.isClient {
-		if isTLS13 {
+	if isTLS13 {
+		if s.isClient {
 			s.useBy = uint64(rand.Int63())
 			s.ageAdd = uint32(rand.Int63() & math.MaxUint32)
 		}
+	} else {
+		s.curveID = CurveID(rand.Intn(30000) + 1)
 	}
 	return reflect.ValueOf(s)
 }
diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go
index bb3d3065e2..6321606e6d 100644
--- a/src/crypto/tls/handshake_server.go
+++ b/src/crypto/tls/handshake_server.go
@@ -539,6 +539,7 @@ func (hs *serverHandshakeState) checkForResumption() error {
 	c.extMasterSecret = sessionState.extMasterSecret
 	hs.sessionState = sessionState
 	hs.suite = suite
+	c.curveID = sessionState.curveID
 	c.didResume = true
 	return nil
 }
diff --git a/src/crypto/tls/handshake_server_test.go b/src/crypto/tls/handshake_server_test.go
index f533023afb..2c75b78eb1 100644
--- a/src/crypto/tls/handshake_server_test.go
+++ b/src/crypto/tls/handshake_server_test.go
@@ -736,7 +736,7 @@ func (test *serverTest) run(t *testing.T, write bool) {
 		t.Fatalf("%s: mismatch on peer list length: %d (wanted) != %d (got)", test.name, len(test.expectedPeerCerts), len(peerCerts))
 	}
 
-	if test.validate != nil {
+	if test.validate != nil && !t.Failed() {
 		if err := test.validate(connState); err != nil {
 			t.Fatalf("validate callback returned error: %s", err)
 		}
diff --git a/src/crypto/tls/testdata/Server-TLSv10-ExportKeyingMaterial b/src/crypto/tls/testdata/Server-TLSv10-ExportKeyingMaterial
index b3d0f7d05b..114ec3708e 100644
--- a/src/crypto/tls/testdata/Server-TLSv10-ExportKeyingMaterial
+++ b/src/crypto/tls/testdata/Server-TLSv10-ExportKeyingMaterial
@@ -1,7 +1,7 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 00 55 01 00 00  51 03 01 e0 8d 7b f2 8d  |....U...Q....{..|
-00000010  45 9f c5 40 1b be 81 05  a1 83 82 c1 54 4a c7 1c  |E..@........TJ..|
-00000020  f1 f8 d5 6c 7a ff 93 81  e2 a2 ba 00 00 04 c0 14  |...lz...........|
+00000000  16 03 01 00 55 01 00 00  51 03 01 fb 2f 2f 8e 61  |....U...Q...//.a|
+00000010  23 39 d1 13 76 62 4e f8  d5 40 82 a3 89 78 bf fe  |#9..vbN..@...x..|
+00000020  31 e9 60 d5 e1 e2 1c 54  7a bc 0b 00 00 04 c0 14  |1.`....Tz.......|
 00000030  00 ff 01 00 00 24 00 0b  00 04 03 00 01 02 00 0a  |.....$..........|
 00000040  00 0c 00 0a 00 1d 00 17  00 1e 00 19 00 18 00 23  |...............#|
 00000050  00 00 00 16 00 00 00 17  00 00                    |..........|
@@ -51,42 +51,42 @@
 000002a0  fa e7 16 03 01 00 aa 0c  00 00 a6 03 00 1d 20 2f  |.............. /|
 000002b0  e5 7d a3 47 cd 62 43 15  28 da ac 5f bb 29 07 30  |.}.G.bC.(.._.).0|
 000002c0  ff f6 84 af c4 cf c2 ed  90 99 5f 58 cb 3b 74 00  |.........._X.;t.|
-000002d0  80 3d ff b7 ad d5 15 4f  10 6e 8a d2 ad 8a 6b 1b  |.=.....O.n....k.|
-000002e0  9d 6c f2 92 99 c7 d7 d8  07 d5 c7 77 09 22 41 4f  |.l.........w."AO|
-000002f0  7f ca 3e 8c 22 ba 2b f2  75 5f 47 c9 7e 0c 03 5d  |..>.".+.u_G.~..]|
-00000300  1a 66 c3 c8 f3 76 f0 f6  fa 03 40 3a 9b e7 2b 35  |.f...v....@:..+5|
-00000310  bc c7 5e 62 a6 97 8a 1a  17 e3 13 4c 1f 88 39 2a  |..^b.......L..9*|
-00000320  5b cc 9c 65 df 27 1e b3  26 d7 46 3e 76 a9 ae 71  |[..e.'..&.F>v..q|
-00000330  11 4d d6 10 b4 2e 30 37  a1 b4 ff 46 91 77 c7 4c  |.M....07...F.w.L|
-00000340  f9 8e e3 96 88 d2 1e c5  9d fb a1 be c6 ef 5d f0  |..............].|
-00000350  52 16 03 01 00 04 0e 00  00 00                    |R.........|
+000002d0  80 ca 44 f4 0f ef d9 cb  a9 88 61 a3 b4 f2 1b 9c  |..D.......a.....|
+000002e0  e9 a1 c2 c7 84 58 0e 3e  ee 95 21 52 61 be 80 64  |.....X.>..!Ra..d|
+000002f0  46 17 d5 c7 71 7c 43 41  70 2d 84 9a 49 1c bf 34  |F...q|CAp-..I..4|
+00000300  f4 05 1a 0f 9c 00 c5 2d  64 37 84 34 5e d7 5c 06  |.......-d7.4^.\.|
+00000310  50 99 f9 d5 a0 19 4b 2d  aa 67 e4 17 c7 b4 23 26  |P.....K-.g....#&|
+00000320  94 a1 cd e0 cb b1 33 9b  e6 c6 a3 a7 25 93 87 7e  |......3.....%..~|
+00000330  37 ee 9c a0 42 b6 fd 60  59 02 4b 17 4a 4d f3 f2  |7...B..`Y.K.JM..|
+00000340  2d 2a e7 8d 96 41 86 43  0a 7b 4e fc c0 7d 38 f6  |-*...A.C.{N..}8.|
+00000350  f6 16 03 01 00 04 0e 00  00 00                    |..........|
 >>> Flow 3 (client to server)
-00000000  16 03 01 00 25 10 00 00  21 20 01 39 8b 2b 21 99  |....%...! .9.+!.|
-00000010  fd fc b8 20 f1 51 97 c7  85 13 05 64 55 41 6b c4  |... .Q.....dUAk.|
-00000020  1a 5e d5 b2 7c 8b 31 08  0f 78 14 03 01 00 01 01  |.^..|.1..x......|
-00000030  16 03 01 00 30 d8 3b e6  9f f8 a8 b2 6b 8b fb 89  |....0.;.....k...|
-00000040  71 3b 55 cd c3 c9 78 3c  45 1b 8d 5f 70 4f bd 64  |q;U...x<E.._pO.d|
-00000050  a9 d1 c0 4d ce 34 e1 f9  d2 90 c9 49 b0 1f a3 76  |...M.4.....I...v|
-00000060  bd f4 78 d0 43                                    |..x.C|
+00000000  16 03 01 00 25 10 00 00  21 20 31 ff 4d ee 06 0b  |....%...! 1.M...|
+00000010  de ce ed 73 65 16 9e d5  f5 d6 dd 79 bf 08 28 77  |...se......y..(w|
+00000020  39 7b 3a 49 f0 3d 94 48  24 03 14 03 01 00 01 01  |9{:I.=.H$.......|
+00000030  16 03 01 00 30 26 b8 c3  f1 3a 49 50 d6 cf c3 83  |....0&...:IP....|
+00000040  66 57 f0 8b 63 61 14 75  d4 34 fc ba 22 7f 41 15  |fW..ca.u.4..".A.|
+00000050  30 40 56 35 7c f8 ad 5a  81 c2 11 a9 67 91 f7 2a  |0@V5|..Z....g..*|
+00000060  4c 07 13 60 dc                                    |L..`.|
 >>> Flow 4 (server to client)
-00000000  16 03 01 00 83 04 00 00  7f 00 00 00 00 00 79 00  |..............y.|
+00000000  16 03 01 00 85 04 00 00  81 00 00 00 00 00 7b 00  |..............{.|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 94  |................|
-00000020  6d 2d 70 97 51 ed 14 ef  68 ca 42 c5 4c 71 8e 74  |m-p.Q...h.B.Lq.t|
-00000030  d4 83 d6 4a 5b 69 f8 af  61 3a 98 83 19 d5 7c 60  |...J[i..a:....|`|
-00000040  4a 1e f4 b7 26 b8 99 b5  45 6f a3 8d 97 63 5f 1b  |J...&...Eo...c_.|
-00000050  ab f4 84 59 db ce 99 ce  b8 6a 23 d5 15 49 38 16  |...Y.....j#..I8.|
-00000060  7e 51 5c e5 15 c0 58 7d  c0 ee 59 1b e4 6e 1f c8  |~Q\...X}..Y..n..|
-00000070  fc d4 2c 33 ed 0a 2b e0  78 04 64 4b 56 e4 af 61  |..,3..+.x.dKV..a|
-00000080  c6 b5 7d f5 a0 86 9f e3  14 03 01 00 01 01 16 03  |..}.............|
-00000090  01 00 30 73 2b f0 16 d3  a8 02 b3 73 98 5e 4e a0  |..0s+......s.^N.|
-000000a0  ca 5b c4 50 fb 5a 92 11  43 97 e9 e3 16 9f 08 0a  |.[.P.Z..C.......|
-000000b0  56 73 e6 44 67 70 aa 3d  bb c1 36 c8 63 1c 2b 51  |Vs.Dgp.=..6.c.+Q|
-000000c0  1f 3b 81 17 03 01 00 20  4c 93 10 5c 01 e2 63 12  |.;..... L..\..c.|
-000000d0  97 6b e1 89 fb e7 14 cf  ec 70 d1 fe 6f ea 8b 09  |.k.......p..o...|
-000000e0  63 5f 8c 8a 9e b5 ac b8  17 03 01 00 30 a1 ad dd  |c_..........0...|
-000000f0  92 ac a8 6e 77 ed c2 ed  59 b6 a8 41 ad 45 59 8c  |...nw...Y..A.EY.|
-00000100  4e 1d 16 36 57 e6 2f 47  3d 10 0f 36 04 00 b0 c1  |N..6W./G=..6....|
-00000110  a7 94 25 8e 77 1e 69 20  41 6c c0 9d 26 15 03 01  |..%.w.i Al..&...|
-00000120  00 20 c5 83 26 5d 20 cb  16 7e 27 63 d7 96 aa 96  |. ..&] ..~'c....|
-00000130  37 19 2a 7a 18 d4 85 08  25 32 85 d5 b5 e3 4e 9b  |7.*z....%2....N.|
-00000140  98 f5                                             |..|
+00000020  6d 2d 70 97 51 ed 14 ef  68 ca 42 c5 4c ed db 91  |m-p.Q...h.B.L...|
+00000030  26 40 46 a4 da 9a 13 33  d7 75 7c e0 2f 98 9f 5a  |&@F....3.u|./..Z|
+00000040  9c a9 12 db 59 ba 75 b2  a1 cb cf f9 75 05 c3 55  |....Y.u.....u..U|
+00000050  04 ee 2a 61 94 99 df 73  b3 0b 81 68 f3 49 38 16  |..*a...s...h.I8.|
+00000060  7e 51 5c e5 15 c0 58 7d  52 07 a3 db 42 00 b3 4c  |~Q\...X}R...B..L|
+00000070  77 09 cd 17 5f c1 da 85  f3 09 46 d6 e9 ae 7c e8  |w..._.....F...|.|
+00000080  3f 6a 74 38 f9 e7 de 23  0d 90 14 03 01 00 01 01  |?jt8...#........|
+00000090  16 03 01 00 30 fa 7e 6e  18 87 06 c8 26 ae a0 34  |....0.~n....&..4|
+000000a0  1a 58 05 9e 0c 47 60 93  8c 83 15 98 ad ee de 62  |.X...G`........b|
+000000b0  53 6f 1b 44 90 45 d9 22  0b e3 d8 25 32 75 68 ae  |So.D.E."...%2uh.|
+000000c0  c4 39 b9 05 93 17 03 01  00 20 ac 7a ac 04 59 6a  |.9....... .z..Yj|
+000000d0  75 a3 26 96 49 c8 f3 ef  39 a6 1f 07 20 d2 e6 bf  |u.&.I...9... ...|
+000000e0  b8 06 69 55 97 6c c4 68  01 b9 17 03 01 00 30 8b  |..iU.l.h......0.|
+000000f0  67 6e 9a ea 62 2c dc eb  aa 9b 57 e4 5f 82 14 c6  |gn..b,....W._...|
+00000100  11 d2 44 e7 5a 9d 13 c0  3e 38 de a7 82 33 44 8e  |..D.Z...>8...3D.|
+00000110  10 c2 20 c8 6b d2 af 12  b5 44 84 17 a9 2a ec 15  |.. .k....D...*..|
+00000120  03 01 00 20 56 39 68 ce  01 c1 52 dd 21 cb 65 a0  |... V9h...R.!.e.|
+00000130  5d 28 00 d6 7f f0 c1 38  51 51 98 4f cb 13 5a 41  |](.....8QQ.O..ZA|
+00000140  7b 34 be f8                                       |{4..|
diff --git a/src/crypto/tls/testdata/Server-TLSv12-ALPN b/src/crypto/tls/testdata/Server-TLSv12-ALPN
index ccd4a086a6..6ee4bc8086 100644
--- a/src/crypto/tls/testdata/Server-TLSv12-ALPN
+++ b/src/crypto/tls/testdata/Server-TLSv12-ALPN
@@ -1,7 +1,7 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 00 9d 01 00 00  99 03 03 f7 12 13 92 75  |...............u|
-00000010  34 ab f3 e8 a2 19 2d 3c  0c 8b 9e c3 e8 22 7e d8  |4.....-<....."~.|
-00000020  66 f9 08 88 70 9b cc 37  95 43 a7 00 00 04 cc a8  |f...p..7.C......|
+00000000  16 03 01 00 9d 01 00 00  99 03 03 4c 3c dd 9a 33  |...........L<..3|
+00000010  a3 3d c3 9d 54 4c a8 e7  d4 2d 20 59 11 bc 48 71  |.=..TL...- Y..Hq|
+00000020  bc 5d 6b 24 fd 97 a2 30  4a 2f c8 00 00 04 cc a8  |.]k$...0J/......|
 00000030  00 ff 01 00 00 6c 00 0b  00 04 03 00 01 02 00 0a  |.....l..........|
 00000040  00 0c 00 0a 00 1d 00 17  00 1e 00 19 00 18 00 23  |...............#|
 00000050  00 00 00 10 00 10 00 0e  06 70 72 6f 74 6f 32 06  |.........proto2.|
@@ -57,35 +57,35 @@
 000002b0  03 03 00 ac 0c 00 00 a8  03 00 1d 20 2f e5 7d a3  |........... /.}.|
 000002c0  47 cd 62 43 15 28 da ac  5f bb 29 07 30 ff f6 84  |G.bC.(.._.).0...|
 000002d0  af c4 cf c2 ed 90 99 5f  58 cb 3b 74 08 04 00 80  |......._X.;t....|
-000002e0  2a 3d 85 27 96 fe 41 e2  5a cc 39 dd 8a 8e 64 73  |*=.'..A.Z.9...ds|
-000002f0  ef 98 04 5c ac d2 8f 5e  55 b8 37 da 10 68 33 b8  |...\...^U.7..h3.|
-00000300  63 83 e1 c9 9a e6 3a e9  c9 20 cc 57 58 e2 ba bc  |c.....:.. .WX...|
-00000310  e3 ac ab aa 08 e2 1e 6f  66 90 d7 66 c5 73 60 0d  |.......of..f.s`.|
-00000320  19 4f eb 99 9d d1 b1 91  36 80 b9 20 aa f5 d9 c8  |.O......6.. ....|
-00000330  44 a7 99 c9 a6 4d 2c ff  ca 4d 84 f2 a5 bf 02 c5  |D....M,..M......|
-00000340  61 77 7e 4a e6 7c dd bf  48 fc a6 53 fb c4 d3 dd  |aw~J.|..H..S....|
-00000350  e6 20 b9 74 90 82 4a 3a  73 0a 81 74 07 a3 23 fe  |. .t..J:s..t..#.|
+000002e0  82 9a 38 98 24 59 07 8b  a9 7e d3 9f c3 70 8d 87  |..8.$Y...~...p..|
+000002f0  2d 1b 53 f3 36 96 4a 07  83 80 1e 62 23 b4 79 c9  |-.S.6.J....b#.y.|
+00000300  93 48 0a 54 ad 03 5e 71  c3 69 d9 b7 be 93 c0 e8  |.H.T..^q.i......|
+00000310  13 bd 10 67 b1 ea 8f f0  72 ed e1 54 b1 e5 a8 ca  |...g....r..T....|
+00000320  c7 b2 ac 2e 14 ab 6a 84  2b 97 e6 8f 68 1c e9 83  |......j.+...h...|
+00000330  73 70 24 40 99 f7 86 2a  c7 08 1f bc bd df a2 24  |sp$@...*.......$|
+00000340  75 33 81 29 18 69 d5 5e  93 91 63 62 ee e9 8f b6  |u3.).i.^..cb....|
+00000350  fc d1 00 5d b2 b5 cc 5f  c9 83 8d fd f8 dd 7a cd  |...]..._......z.|
 00000360  16 03 03 00 04 0e 00 00  00                       |.........|
 >>> Flow 3 (client to server)
-00000000  16 03 03 00 25 10 00 00  21 20 d1 bb f1 17 6c 41  |....%...! ....lA|
-00000010  8f 14 84 d2 98 99 30 0c  8a 00 4c 39 37 15 f5 be  |......0...L97...|
-00000020  81 8d 08 e0 11 c1 f7 65  43 0b 14 03 03 00 01 01  |.......eC.......|
-00000030  16 03 03 00 20 ab 15 bb  47 30 42 c9 7d 45 f8 5d  |.... ...G0B.}E.]|
-00000040  21 79 3b 4d 5e a9 99 f5  7d f3 4e 7e ba b9 9b 30  |!y;M^...}.N~...0|
-00000050  b6 14 4d ba f9                                    |..M..|
+00000000  16 03 03 00 25 10 00 00  21 20 61 d8 61 58 30 ba  |....%...! a.aX0.|
+00000010  44 5b 31 35 e3 4e 92 87  d0 10 0c 83 96 98 b5 73  |D[15.N.........s|
+00000020  31 40 7a fd 78 8a cf b4  af 53 14 03 03 00 01 01  |1@z.x....S......|
+00000030  16 03 03 00 20 14 80 2b  46 28 9e a8 1b d5 9a bd  |.... ..+F(......|
+00000040  6c da 22 62 a9 7d d8 c1  e5 d7 63 6f 26 3f ca 1c  |l."b.}....co&?..|
+00000050  5e 53 8b 3c f3                                    |^S.<.|
 >>> Flow 4 (server to client)
-00000000  16 03 03 00 83 04 00 00  7f 00 00 00 00 00 79 00  |..............y.|
+00000000  16 03 03 00 85 04 00 00  81 00 00 00 00 00 7b 00  |..............{.|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 94  |................|
-00000020  6f 2d 7c 2b 51 ed 14 ef  68 ca 42 c5 4c f3 5c b9  |o-|+Q...h.B.L.\.|
-00000030  84 7d 30 9e 2f 9d 4d 0e  59 b4 28 fd 17 10 cd 1e  |.}0./.M.Y.(.....|
-00000040  1c d3 2c 5e d9 dc db 26  d0 b9 00 4b 0a 13 54 90  |..,^...&...K..T.|
-00000050  f2 7b 68 75 6b 00 34 66  9e 43 29 06 16 49 38 16  |.{huk.4f.C)..I8.|
-00000060  7e 51 5c e5 15 c0 58 7d  52 0b 16 21 d8 2c e8 c8  |~Q\...X}R..!.,..|
-00000070  8e 3a f6 aa fa 21 45 4a  17 02 67 7d 93 1c 95 88  |.:...!EJ..g}....|
-00000080  36 a5 19 53 74 74 81 e1  14 03 03 00 01 01 16 03  |6..Stt..........|
-00000090  03 00 20 3d 66 04 37 0c  40 cc 20 2c 1c 16 ba 05  |.. =f.7.@. ,....|
-000000a0  d6 7b 40 04 27 40 6f cc  d7 af 68 fb 32 49 6c 4f  |.{@.'@o...h.2IlO|
-000000b0  f3 01 bf 17 03 03 00 1d  99 10 78 bc fa 7e 8a 86  |..........x..~..|
-000000c0  4c b8 e4 7c e2 79 70 eb  ad 33 44 e1 ab 7a c9 ae  |L..|.yp..3D..z..|
-000000d0  47 fe 39 50 d1 15 03 03  00 12 9e 9a be b0 55 c3  |G.9P..........U.|
-000000e0  3a 5f 5c e0 4b 8f 4f 81  52 d3 89 09              |:_\.K.O.R...|
+00000020  6f 2d 7c 2b 51 ed 14 ef  68 ca 42 c5 4c a3 4e 47  |o-|+Q...h.B.L.NG|
+00000030  75 8d 90 24 a8 60 43 a8  3b 00 81 b1 1d 41 ce bf  |u..$.`C.;....A..|
+00000040  ec 75 e9 32 6b 9b 21 9f  0f 56 27 b2 e5 9e 9a 01  |.u.2k.!..V'.....|
+00000050  aa c7 63 81 8b 90 45 fa  64 75 96 e3 c8 49 38 16  |..c...E.du...I8.|
+00000060  7e 51 5c e5 15 c0 58 7d  52 07 32 1b 54 23 7f 75  |~Q\...X}R.2.T#.u|
+00000070  8a 30 1c 6a 94 57 27 7d  06 25 05 b7 ae ce 5c a4  |.0.j.W'}.%....\.|
+00000080  58 21 47 f2 04 bc 3a f1  6d 20 14 03 03 00 01 01  |X!G...:.m ......|
+00000090  16 03 03 00 20 94 0c cf  54 2b fb 49 26 19 d4 06  |.... ...T+.I&...|
+000000a0  0e b6 71 b5 d9 24 f6 d1  99 36 78 1c 96 b4 12 e0  |..q..$...6x.....|
+000000b0  20 5a 2a a7 ad 17 03 03  00 1d 19 36 ef 7d 53 24  | Z*........6.}S$|
+000000c0  0c 5e 48 24 c6 ad 91 ca  44 0d 2e fb 10 fd 58 2f  |.^H$....D.....X/|
+000000d0  86 5c be c6 64 01 c6 15  03 03 00 12 26 94 16 38  |.\..d.......&..8|
+000000e0  6c 23 4e 29 03 96 c6 6a  a8 af 32 0b 2e 9e        |l#N)...j..2...|
diff --git a/src/crypto/tls/testdata/Server-TLSv12-ALPN-Fallback b/src/crypto/tls/testdata/Server-TLSv12-ALPN-Fallback
index 070201253d..a453fcc522 100644
--- a/src/crypto/tls/testdata/Server-TLSv12-ALPN-Fallback
+++ b/src/crypto/tls/testdata/Server-TLSv12-ALPN-Fallback
@@ -1,7 +1,7 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 00 a6 01 00 00  a2 03 03 ea e2 1b 90 0e  |................|
-00000010  91 d5 9f b2 c6 ee 72 37  19 f5 14 cd ca a9 ca 03  |......r7........|
-00000020  98 c4 2e d4 85 05 4a a5  02 e1 4b 00 00 04 cc a8  |......J...K.....|
+00000000  16 03 01 00 a6 01 00 00  a2 03 03 74 b9 ce 14 2f  |...........t.../|
+00000010  85 a9 93 bf 60 4e 5c 5c  6e 47 34 cf b8 27 f8 dc  |....`N\\nG4..'..|
+00000020  b1 5b a8 eb e0 fa da a0  1b b6 9c 00 00 04 cc a8  |.[..............|
 00000030  00 ff 01 00 00 75 00 0b  00 04 03 00 01 02 00 0a  |.....u..........|
 00000040  00 0c 00 0a 00 1d 00 17  00 1e 00 19 00 18 00 23  |...............#|
 00000050  00 00 00 10 00 19 00 17  06 70 72 6f 74 6f 33 08  |.........proto3.|
@@ -56,35 +56,35 @@
 000002a0  fa e7 16 03 03 00 ac 0c  00 00 a8 03 00 1d 20 2f  |.............. /|
 000002b0  e5 7d a3 47 cd 62 43 15  28 da ac 5f bb 29 07 30  |.}.G.bC.(.._.).0|
 000002c0  ff f6 84 af c4 cf c2 ed  90 99 5f 58 cb 3b 74 08  |.........._X.;t.|
-000002d0  04 00 80 85 e9 a6 5c 79  bc db ed 97 fb 30 ca fd  |......\y.....0..|
-000002e0  32 13 19 3f da 6f fd c1  11 74 fe e9 6f 60 ec 7e  |2..?.o...t..o`.~|
-000002f0  48 7e 17 33 9b 8d 2a c2  82 e0 18 38 f3 0f 20 27  |H~.3..*....8.. '|
-00000300  81 0f c9 47 bf 5f 2b 2f  65 1c 6b e3 b7 72 85 46  |...G._+/e.k..r.F|
-00000310  5c 15 dc fd e6 be cf 50  51 62 f5 d9 17 e2 e8 bf  |\......PQb......|
-00000320  08 7f 37 71 91 88 83 7f  e3 90 66 66 c4 d8 60 25  |..7q......ff..`%|
-00000330  53 f7 9f 44 20 89 48 ff  c2 3b 6d 21 e5 8c dc e5  |S..D .H..;m!....|
-00000340  42 ea d8 14 93 96 2f 53  24 66 e7 bb e7 2c 1f 92  |B...../S$f...,..|
-00000350  90 80 23 16 03 03 00 04  0e 00 00 00              |..#.........|
+000002d0  04 00 80 22 97 55 0d 4c  fe 5e 4e 45 b7 9b b2 f8  |...".U.L.^NE....|
+000002e0  29 c7 7a 33 b5 e0 06 92  4f b3 6e 67 ad 4e 69 20  |).z3....O.ng.Ni |
+000002f0  e5 82 b6 93 84 52 05 fd  99 d1 94 67 e4 7d bc 1d  |.....R.....g.}..|
+00000300  f7 16 d7 24 95 61 db ed  92 16 11 ee c1 c5 6f 82  |...$.a........o.|
+00000310  8e 6b 10 69 31 d2 17 1a  6f 25 a0 d5 4b 7e c9 ba  |.k.i1...o%..K~..|
+00000320  13 3e c4 94 46 63 e2 6e  c6 ca d0 e4 09 5a 2a 39  |.>..Fc.n.....Z*9|
+00000330  12 c0 fc 37 14 4e a8 1f  74 4e 44 86 1a 29 d4 a0  |...7.N..tND..)..|
+00000340  5f e5 0a 22 6c 09 78 29  be 33 a5 2c d9 b3 5f ec  |_.."l.x).3.,.._.|
+00000350  f1 5e 87 16 03 03 00 04  0e 00 00 00              |.^..........|
 >>> Flow 3 (client to server)
-00000000  16 03 03 00 25 10 00 00  21 20 e8 d1 46 5e 70 b5  |....%...! ..F^p.|
-00000010  34 1c 6f cd be f0 86 24  2a d6 55 ae 97 de 52 0c  |4.o....$*.U...R.|
-00000020  67 10 a0 02 ed ae f8 47  aa 52 14 03 03 00 01 01  |g......G.R......|
-00000030  16 03 03 00 20 52 cf 5d  07 bb bc e8 86 d4 f4 3e  |.... R.].......>|
-00000040  49 51 a7 1d f5 df 10 c4  5a 77 37 ba 68 3d 4e c5  |IQ......Zw7.h=N.|
-00000050  11 ac 67 b7 e2                                    |..g..|
+00000000  16 03 03 00 25 10 00 00  21 20 a4 f2 f3 f8 81 68  |....%...! .....h|
+00000010  6f 8d d5 2c 93 fe ee cf  f6 28 ae 06 9f 81 fa 0d  |o..,.....(......|
+00000020  ac 31 2b cf 05 4e cb a0  b3 14 14 03 03 00 01 01  |.1+..N..........|
+00000030  16 03 03 00 20 ca 3e f2  cd 68 42 34 26 61 40 29  |.... .>..hB4&a@)|
+00000040  dd 71 e1 52 b7 0e ec 1f  77 8e 1d 1b 95 dd 07 4f  |.q.R....w......O|
+00000050  c4 4d d8 02 83                                    |.M...|
 >>> Flow 4 (server to client)
-00000000  16 03 03 00 83 04 00 00  7f 00 00 00 00 00 79 00  |..............y.|
+00000000  16 03 03 00 85 04 00 00  81 00 00 00 00 00 7b 00  |..............{.|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 94  |................|
-00000020  6f 2d 7c 2b 51 ed 14 ef  68 ca 42 c5 4c 26 1d 23  |o-|+Q...h.B.L&.#|
-00000030  c4 90 54 85 8b 21 f5 0d  e8 48 f2 5f 4e 6b f1 25  |..T..!...H._Nk.%|
-00000040  e8 46 8a e5 3c 09 57 df  dd 37 a7 57 c5 a5 28 5a  |.F..<.W..7.W..(Z|
-00000050  21 83 2a 98 4b a5 44 aa  5b cc 30 e9 62 49 38 16  |!.*.K.D.[.0.bI8.|
-00000060  7e 51 5c e5 15 c0 58 7d  a4 aa c5 93 39 bb e2 b6  |~Q\...X}....9...|
-00000070  4f c4 3e 1e 03 dc 46 b1  f3 0d d2 61 6c 1e c5 e1  |O.>...F....al...|
-00000080  8f 18 2a 3c 85 83 c4 33  14 03 03 00 01 01 16 03  |..*<...3........|
-00000090  03 00 20 63 76 4f b3 77  4d 63 6c eb 73 f3 b2 ec  |.. cvO.wMcl.s...|
-000000a0  b8 49 3e c5 81 d5 53 0c  96 77 2f 3f 52 d0 e1 5b  |.I>...S..w/?R..[|
-000000b0  62 fa 0b 17 03 03 00 1d  2f 60 09 31 db e9 c5 23  |b......./`.1...#|
-000000c0  98 5c 46 23 a6 58 80 66  7d 50 84 f1 42 b8 65 65  |.\F#.X.f}P..B.ee|
-000000d0  77 2d d2 e4 be 15 03 03  00 12 b7 e8 e1 13 04 68  |w-.............h|
-000000e0  d5 21 c8 98 db 1b 1c 6e  4f b5 0b 9c              |.!.....nO...|
+00000020  6f 2d 7c 2b 51 ed 14 ef  68 ca 42 c5 4c 23 bb 4f  |o-|+Q...h.B.L#.O|
+00000030  57 15 7b bb 5c 23 ff bd  b0 3b c9 ce d7 8e b9 d8  |W.{.\#...;......|
+00000040  b6 35 dd 0b 5b fd 3f bf  c6 c9 74 86 d4 4e 1c 22  |.5..[.?...t..N."|
+00000050  fb 4e ea 39 16 d3 9d 08  c8 08 c8 94 c7 49 38 16  |.N.9.........I8.|
+00000060  7e 51 5c e5 15 c0 58 7d  52 07 e6 23 d9 47 91 c4  |~Q\...X}R..#.G..|
+00000070  55 a3 14 46 22 5a 68 ec  70 f1 cd 8b e0 36 5d 20  |U..F"Zh.p....6] |
+00000080  bb 33 6b d2 cc e0 bc 81  f6 ba 14 03 03 00 01 01  |.3k.............|
+00000090  16 03 03 00 20 06 6c 46  46 01 02 e9 42 de 4a dc  |.... .lFF...B.J.|
+000000a0  4b 55 15 6d e4 2c da 02  67 af 08 f1 15 f6 5a 72  |KU.m.,..g.....Zr|
+000000b0  0b 70 d3 28 ba 17 03 03  00 1d 5b 4f 16 d3 78 dd  |.p.(......[O..x.|
+000000c0  fb cb 38 70 cc dc 26 36  99 ad 67 e3 dc 2b c8 62  |..8p..&6..g..+.b|
+000000d0  1f a1 ad 3b e2 fd d7 15  03 03 00 12 e4 ca da 87  |...;............|
+000000e0  78 97 b2 b3 27 0f 3e 1a  97 8d ab fc 7c b9        |x...'.>.....|.|
diff --git a/src/crypto/tls/testdata/Server-TLSv12-ALPN-NotConfigured b/src/crypto/tls/testdata/Server-TLSv12-ALPN-NotConfigured
index 79f0748af4..97d300d76b 100644
--- a/src/crypto/tls/testdata/Server-TLSv12-ALPN-NotConfigured
+++ b/src/crypto/tls/testdata/Server-TLSv12-ALPN-NotConfigured
@@ -1,7 +1,7 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 00 9d 01 00 00  99 03 03 19 26 ad 3f c0  |............&.?.|
-00000010  d6 a0 cc ac 9b 2a 91 d3  1a d5 96 78 5f 7c 3f e0  |.....*.....x_|?.|
-00000020  23 08 75 a1 ca cb aa da  d7 c8 0b 00 00 04 cc a8  |#.u.............|
+00000000  16 03 01 00 9d 01 00 00  99 03 03 23 13 3f 28 85  |...........#.?(.|
+00000010  56 f7 0f d1 b4 ee 5f 18  a0 58 8c c5 83 a4 13 24  |V....._..X.....$|
+00000020  9b 53 29 6e 28 35 a8 8c  0e 07 2a 00 00 04 cc a8  |.S)n(5....*.....|
 00000030  00 ff 01 00 00 6c 00 0b  00 04 03 00 01 02 00 0a  |.....l..........|
 00000040  00 0c 00 0a 00 1d 00 17  00 1e 00 19 00 18 00 23  |...............#|
 00000050  00 00 00 10 00 10 00 0e  06 70 72 6f 74 6f 32 06  |.........proto2.|
@@ -56,35 +56,35 @@
 000002a0  fa e7 16 03 03 00 ac 0c  00 00 a8 03 00 1d 20 2f  |.............. /|
 000002b0  e5 7d a3 47 cd 62 43 15  28 da ac 5f bb 29 07 30  |.}.G.bC.(.._.).0|
 000002c0  ff f6 84 af c4 cf c2 ed  90 99 5f 58 cb 3b 74 08  |.........._X.;t.|
-000002d0  04 00 80 4f 9e 64 41 a6  8a 41 ab 9c c8 09 3e 94  |...O.dA..A....>.|
-000002e0  ee d2 9b ad 1b 3e a9 3c  7b 43 96 95 eb 4d b5 04  |.....>.<{C...M..|
-000002f0  1a 5f 0c b2 b3 a6 2c a4  e6 78 a8 b8 d5 6c 7f d0  |._....,..x...l..|
-00000300  16 e8 56 31 e0 4a 69 d3  6b 27 18 a3 4e f5 d1 6a  |..V1.Ji.k'..N..j|
-00000310  36 15 b5 fc 4d 15 50 90  a0 30 b9 49 3d ac 8c 84  |6...M.P..0.I=...|
-00000320  d2 15 31 70 df e5 a6 97  d0 64 f7 1d 8a a1 87 4d  |..1p.....d.....M|
-00000330  3c ee da 69 20 e4 31 67  ca f2 c0 09 ee 13 7c 78  |<..i .1g......|x|
-00000340  d6 c2 c0 39 e0 b8 00 52  a9 bf d0 99 e0 b0 66 70  |...9...R......fp|
-00000350  46 ae 62 16 03 03 00 04  0e 00 00 00              |F.b.........|
+000002d0  04 00 80 66 f8 99 59 3a  3a 64 36 75 11 53 eb 34  |...f..Y::d6u.S.4|
+000002e0  1d d7 56 1b fb 73 58 63  69 2d 3d b5 d0 05 ce 4d  |..V..sXci-=....M|
+000002f0  6d 6e 49 46 c2 ad 91 43  de b3 63 12 4b e6 e2 c8  |mnIF...C..c.K...|
+00000300  59 09 09 45 f2 b8 1e 95  71 b2 38 60 78 36 c5 46  |Y..E....q.8`x6.F|
+00000310  15 85 66 4b 83 e2 6f 07  df 3e 87 60 eb 85 2d 01  |..fK..o..>.`..-.|
+00000320  c4 ae 50 b8 0e e5 19 b4  1d a4 90 af 97 b7 87 9e  |..P.............|
+00000330  cb 3a 13 1f ec 78 6c d9  5d 14 03 b7 4b 8b 8d 92  |.:...xl.]...K...|
+00000340  06 cf a3 dc 59 30 36 0f  7f 24 11 ca b8 ff 46 4b  |....Y06..$....FK|
+00000350  0c 4e c2 16 03 03 00 04  0e 00 00 00              |.N..........|
 >>> Flow 3 (client to server)
-00000000  16 03 03 00 25 10 00 00  21 20 b0 1a 5b c3 55 5f  |....%...! ..[.U_|
-00000010  0b b8 f3 69 ba 4f 49 93  05 0f b1 f1 d7 6b 6c 0c  |...i.OI......kl.|
-00000020  98 d0 22 78 0c ad 15 6b  24 5b 14 03 03 00 01 01  |.."x...k$[......|
-00000030  16 03 03 00 20 9d aa 3f  17 b3 16 88 d5 44 3d 03  |.... ..?.....D=.|
-00000040  3c 3c 8d 92 f1 2f e4 38  cc 42 20 2f ef 6a 29 c6  |<<.../.8.B /.j).|
-00000050  5c ca 44 81 f6                                    |\.D..|
+00000000  16 03 03 00 25 10 00 00  21 20 16 8d 5b 4a f7 e1  |....%...! ..[J..|
+00000010  c0 dd 5d e2 82 7d 4e c6  ef 66 ef 87 50 85 bf 0d  |..]..}N..f..P...|
+00000020  b5 3f 03 cc 64 f4 48 93  79 27 14 03 03 00 01 01  |.?..d.H.y'......|
+00000030  16 03 03 00 20 2c 69 26  7b 1b 84 2b 1d 33 43 cf  |.... ,i&{..+.3C.|
+00000040  95 c5 72 d6 7a 88 8f f9  aa 82 72 f4 02 c5 6e aa  |..r.z.....r...n.|
+00000050  a9 f7 f0 b9 44                                    |....D|
 >>> Flow 4 (server to client)
-00000000  16 03 03 00 83 04 00 00  7f 00 00 00 00 00 79 00  |..............y.|
+00000000  16 03 03 00 85 04 00 00  81 00 00 00 00 00 7b 00  |..............{.|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 94  |................|
-00000020  6f 2d 7c 2b 51 ed 14 ef  68 ca 42 c5 4c 9a f3 2b  |o-|+Q...h.B.L..+|
-00000030  7a 66 76 26 4f 73 12 14  ef a1 f4 8c c2 08 03 42  |zfv&Os.........B|
-00000040  4d d5 f9 d7 ab 31 78 51  f3 f4 94 49 5f 9d bf 23  |M....1xQ...I_..#|
-00000050  b2 11 7b ac 42 df 71 1a  37 db 64 99 a0 49 38 16  |..{.B.q.7.d..I8.|
-00000060  7e 51 5c e5 15 c0 58 7d  2d 89 ac 0d 05 31 27 ae  |~Q\...X}-....1'.|
-00000070  85 ff 27 56 24 4c 26 b3  bc 6c f6 20 80 dd bd ba  |..'V$L&..l. ....|
-00000080  a3 34 c2 32 a8 58 1b b9  14 03 03 00 01 01 16 03  |.4.2.X..........|
-00000090  03 00 20 74 e1 8a e6 a6  02 0d f7 e1 28 3a f4 c4  |.. t........(:..|
-000000a0  a6 8c 32 81 84 85 ec 58  6a 10 8a 6d c4 cc 10 3a  |..2....Xj..m...:|
-000000b0  32 3e df 17 03 03 00 1d  fd a8 94 23 3e 5d 96 b1  |2>.........#>]..|
-000000c0  68 a6 24 55 bf 29 08 93  c7 7b 9b 05 fc 0b 97 ff  |h.$U.)...{......|
-000000d0  7c 93 b0 34 82 15 03 03  00 12 43 9f 44 e4 63 e7  ||..4......C.D.c.|
-000000e0  3c 30 a5 da 9f 58 ac 01  e4 e2 a7 30              |<0...X.....0|
+00000020  6f 2d 7c 2b 51 ed 14 ef  68 ca 42 c5 4c 2e ba 80  |o-|+Q...h.B.L...|
+00000030  92 a2 2f 66 80 b9 56 b8  7b be 8f 7f 3e f1 92 8d  |../f..V.{...>...|
+00000040  bf a9 6d 23 58 04 c5 70  85 af a7 db e4 0f e5 87  |..m#X..p........|
+00000050  6e aa a1 58 2a 7c 3f 9b  15 36 ac a3 00 49 38 16  |n..X*|?..6...I8.|
+00000060  7e 51 5c e5 15 c0 58 7d  52 07 ff f3 10 e5 6f 3a  |~Q\...X}R.....o:|
+00000070  6f e9 dd 79 00 6d 46 a8  9d a3 6c 3b 1b 39 da 98  |o..y.mF...l;.9..|
+00000080  5a 36 f1 64 1f a6 4b f8  2b ff 14 03 03 00 01 01  |Z6.d..K.+.......|
+00000090  16 03 03 00 20 d1 e3 4a  cc 06 f0 a9 b6 f7 66 2d  |.... ..J......f-|
+000000a0  3d 07 70 e2 93 39 a1 2a  c2 72 f3 e7 b3 ca a0 77  |=.p..9.*.r.....w|
+000000b0  ff cf 9b 0f 2f 17 03 03  00 1d 4b e5 61 b4 4c 6b  |..../.....K.a.Lk|
+000000c0  b0 ca 5e e4 96 7b f2 18  9a c2 19 b2 be c2 39 8b  |..^..{........9.|
+000000d0  ee 88 e7 53 27 3a 8d 15  03 03 00 12 2a 21 52 fc  |...S':......*!R.|
+000000e0  3b ae 6e fb ac 9c 42 bc  1a 7d 6b 8d 84 5d        |;.n...B..}k..]|
diff --git a/src/crypto/tls/testdata/Server-TLSv12-ExportKeyingMaterial b/src/crypto/tls/testdata/Server-TLSv12-ExportKeyingMaterial
index ff8d63568d..a670f05d58 100644
--- a/src/crypto/tls/testdata/Server-TLSv12-ExportKeyingMaterial
+++ b/src/crypto/tls/testdata/Server-TLSv12-ExportKeyingMaterial
@@ -1,7 +1,7 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 00 89 01 00 00  85 03 03 ad 13 87 9e b3  |................|
-00000010  c7 71 bb bf be e3 b9 80  3f 17 bf 41 37 95 22 e6  |.q......?..A7.".|
-00000020  f2 98 a9 15 62 1d 65 06  69 ea 53 00 00 04 c0 14  |....b.e.i.S.....|
+00000000  16 03 01 00 89 01 00 00  85 03 03 ba bc af a2 f7  |................|
+00000010  a2 a0 19 81 f0 3b c0 76  56 10 e6 95 ce ab 89 82  |.....;.vV.......|
+00000020  d5 27 b3 78 69 f2 d3 5b  2d 97 77 00 00 04 c0 14  |.'.xi..[-.w.....|
 00000030  00 ff 01 00 00 58 00 0b  00 04 03 00 01 02 00 0a  |.....X..........|
 00000040  00 0c 00 0a 00 1d 00 17  00 1e 00 19 00 18 00 23  |...............#|
 00000050  00 00 00 16 00 00 00 17  00 00 00 0d 00 30 00 2e  |.............0..|
@@ -54,43 +54,43 @@
 000002a0  fa e7 16 03 03 00 ac 0c  00 00 a8 03 00 1d 20 2f  |.............. /|
 000002b0  e5 7d a3 47 cd 62 43 15  28 da ac 5f bb 29 07 30  |.}.G.bC.(.._.).0|
 000002c0  ff f6 84 af c4 cf c2 ed  90 99 5f 58 cb 3b 74 08  |.........._X.;t.|
-000002d0  04 00 80 41 24 c2 f9 e8  40 21 47 3c ab 8e 99 5e  |...A$...@!G<...^|
-000002e0  0e 08 27 86 6c 29 ae 36  ed 21 18 23 67 cc f7 d5  |..'.l).6.!.#g...|
-000002f0  3f e2 2c 48 2f 3d 47 e5  af d5 61 86 0f 91 69 30  |?.,H/=G...a...i0|
-00000300  cf 84 56 f2 d3 c1 9a a3  a1 a2 c8 ef 4d 33 de 12  |..V.........M3..|
-00000310  d6 46 55 5b c6 6a 65 a5  36 b5 51 5b db 04 25 aa  |.FU[.je.6.Q[..%.|
-00000320  1c af a0 b0 2d ee db 00  c5 ad 1b 94 d3 90 11 86  |....-...........|
-00000330  10 83 35 41 65 9e a4 2c  a9 ee 37 ac d4 cc 05 76  |..5Ae..,..7....v|
-00000340  92 59 f9 51 68 79 6d 9e  5f eb 80 47 3a 7c e0 74  |.Y.Qhym._..G:|.t|
-00000350  ac f5 36 16 03 03 00 04  0e 00 00 00              |..6.........|
+000002d0  04 00 80 59 86 4b 13 6a  34 c5 bd 82 a9 ae d8 bf  |...Y.K.j4.......|
+000002e0  7b 9b f2 c2 0a aa 81 99  25 d8 14 68 32 49 00 ab  |{.......%..h2I..|
+000002f0  b0 18 4e 05 50 31 0e 25  f3 db 5f 93 45 13 a4 3e  |..N.P1.%.._.E..>|
+00000300  38 76 a1 0d d8 87 0f 85  81 0c af cb cd e8 43 cd  |8v............C.|
+00000310  67 01 f2 15 e0 7e 11 44  2a 8d ba 12 33 94 01 c9  |g....~.D*...3...|
+00000320  81 bd 99 0d 9f 84 04 a0  7c 0f 24 dd 79 34 53 ba  |........|.$.y4S.|
+00000330  fa ae 32 16 0c 30 6c f0  76 5d 75 c1 ba d9 35 86  |..2..0l.v]u...5.|
+00000340  b0 94 2f 1f 35 7f 1c 1f  92 10 c5 88 55 cc 2c 5b  |../.5.......U.,[|
+00000350  89 b3 58 16 03 03 00 04  0e 00 00 00              |..X.........|
 >>> Flow 3 (client to server)
-00000000  16 03 03 00 25 10 00 00  21 20 d2 ed 26 ce 1f 5d  |....%...! ..&..]|
-00000010  50 b8 f4 19 fc 63 e2 b6  3d 7d 39 54 c2 c1 61 a9  |P....c..=}9T..a.|
-00000020  2a 82 d8 e3 a9 2f 22 8c  b2 18 14 03 03 00 01 01  |*..../".........|
-00000030  16 03 03 00 40 82 78 f0  1e e6 03 20 67 66 4e d6  |....@.x.... gfN.|
-00000040  93 25 69 9e 38 c6 dd 17  92 02 18 7f 5f 9c 9c f0  |.%i.8......._...|
-00000050  a3 f7 45 d3 ba 82 e3 01  38 e5 4f cf 8b 0e 77 6e  |..E.....8.O...wn|
-00000060  91 99 83 e0 f1 3d e8 a1  39 d4 ea b3 2e 1c 67 59  |.....=..9.....gY|
-00000070  c5 5d 83 30 dc                                    |.].0.|
+00000000  16 03 03 00 25 10 00 00  21 20 7b e4 41 19 92 fc  |....%...! {.A...|
+00000010  73 0d 4b 88 2d bd e2 a1  f3 6a ad 5b 8c 10 9b 9e  |s.K.-....j.[....|
+00000020  46 7a c0 81 96 03 0b 4c  03 7d 14 03 03 00 01 01  |Fz.....L.}......|
+00000030  16 03 03 00 40 e5 e4 11  bd 7c 54 b8 be 80 44 82  |....@....|T...D.|
+00000040  03 22 51 7f f5 de 92 20  7d 34 b0 9a 7b 17 ce 12  |."Q.... }4..{...|
+00000050  b4 75 44 9b 37 b1 cd 1f  0c f8 86 4c 75 d9 1e 75  |.uD.7......Lu..u|
+00000060  d3 7e bf 6e 3e 9d be 3b  c1 47 11 6d f1 09 10 2e  |.~.n>..;.G.m....|
+00000070  d0 0d cd 1f 26                                    |....&|
 >>> Flow 4 (server to client)
-00000000  16 03 03 00 83 04 00 00  7f 00 00 00 00 00 79 00  |..............y.|
+00000000  16 03 03 00 85 04 00 00  81 00 00 00 00 00 7b 00  |..............{.|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 94  |................|
-00000020  6f 2d 70 97 51 ed 14 ef  68 ca 42 c5 4c ff 6b a2  |o-p.Q...h.B.L.k.|
-00000030  3e f9 07 a9 91 ad 0d c7  23 bd 7f 04 cf 4d a0 eb  |>.......#....M..|
-00000040  58 e0 e1 37 73 d3 cc 4b  e2 7f 6d 3a 2e 47 b5 b4  |X..7s..K..m:.G..|
-00000050  60 dd e6 9a ea 30 1e 6e  7a e7 8e 84 ca 49 38 16  |`....0.nz....I8.|
-00000060  7e 51 5c e5 15 c0 58 7d  a2 ba e2 ca 90 24 11 ea  |~Q\...X}.....$..|
-00000070  53 9c 7d cb 47 13 91 cf  f6 05 f0 2f db 57 1a 40  |S.}.G....../.W.@|
-00000080  57 b0 d4 97 8e 23 7e f5  14 03 03 00 01 01 16 03  |W....#~.........|
-00000090  03 00 40 00 00 00 00 00  00 00 00 00 00 00 00 00  |..@.............|
-000000a0  00 00 00 72 43 0e f2 f3  bb e8 6d 3b f2 ff 96 53  |...rC.....m;...S|
-000000b0  12 36 07 e0 f0 17 35 e7  52 87 a3 12 7b 53 d4 83  |.6....5.R...{S..|
-000000c0  cc d2 d3 06 4b e2 3a fc  38 4f a7 75 d8 3c 6a a4  |....K.:.8O.u.<j.|
-000000d0  b7 5f e8 17 03 03 00 40  00 00 00 00 00 00 00 00  |._.....@........|
-000000e0  00 00 00 00 00 00 00 00  7d b5 ce 35 23 2a ba 64  |........}..5#*.d|
-000000f0  0d 4e cc 9d 53 37 84 1d  6d c5 b0 ae a6 64 76 82  |.N..S7..m....dv.|
-00000100  4d 80 97 1e 16 5f 0a 85  72 be 27 41 a3 e0 45 35  |M...._..r.'A..E5|
-00000110  6e d4 c0 41 e5 99 8c 19  15 03 03 00 30 00 00 00  |n..A........0...|
-00000120  00 00 00 00 00 00 00 00  00 00 00 00 00 c9 f3 4e  |...............N|
-00000130  91 b6 c2 c0 a5 cf 21 6b  ed 58 d9 cf 9c 9b ff 0a  |......!k.X......|
-00000140  6c 62 73 de f8 c3 39 22  2e d3 c6 45 9d           |lbs...9"...E.|
+00000020  6f 2d 70 97 51 ed 14 ef  68 ca 42 c5 4c e2 2f 01  |o-p.Q...h.B.L./.|
+00000030  02 b4 98 0b ab 81 e1 03  a3 a3 58 3e ea 75 9a 4c  |..........X>.u.L|
+00000040  72 93 e7 50 f9 17 7b 90  0d 70 e7 b8 5c 7b 93 81  |r..P..{..p..\{..|
+00000050  66 e1 64 b0 a9 25 34 84  bc 49 42 f5 13 49 38 16  |f.d..%4..IB..I8.|
+00000060  7e 51 5c e5 15 c0 58 7d  52 07 da 2f 56 e0 05 62  |~Q\...X}R../V..b|
+00000070  16 1e 0c 62 76 cc b5 ff  25 a1 c3 2e 1f 28 71 29  |...bv...%....(q)|
+00000080  9c d0 c1 0a 05 dd 22 57  7a 19 14 03 03 00 01 01  |......"Wz.......|
+00000090  16 03 03 00 40 00 00 00  00 00 00 00 00 00 00 00  |....@...........|
+000000a0  00 00 00 00 00 9a 9d 01  bc db e5 21 c2 d2 f8 d8  |...........!....|
+000000b0  b8 c1 86 87 fc b6 79 df  69 be d2 97 cd 69 76 9d  |......y.i....iv.|
+000000c0  04 95 7f d4 e8 c7 78 52  c0 d1 ac bc 55 08 57 a7  |......xR....U.W.|
+000000d0  9c 28 d4 7b df 17 03 03  00 40 00 00 00 00 00 00  |.(.{.....@......|
+000000e0  00 00 00 00 00 00 00 00  00 00 81 f0 80 62 50 04  |.............bP.|
+000000f0  7f 86 ee f1 73 46 b0 c3  c1 0d 92 ab dd 4f b9 2a  |....sF.......O.*|
+00000100  58 4f 17 9f be 60 ff 8b  1a d6 e3 94 aa dc 8b 60  |XO...`.........`|
+00000110  d8 2b 4c c8 5a 69 18 74  65 49 15 03 03 00 30 00  |.+L.Zi.teI....0.|
+00000120  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 18  |................|
+00000130  36 4f 05 fe ab 47 92 6e  48 42 4f 06 c4 f3 e1 70  |6O...G.nHBO....p|
+00000140  c6 66 00 1d aa 84 6b 2b  d4 23 37 c9 42 fb 6d     |.f....k+.#7.B.m|
diff --git a/src/crypto/tls/testdata/Server-TLSv12-IssueTicket b/src/crypto/tls/testdata/Server-TLSv12-IssueTicket
index ee29358610..b05669d073 100644
--- a/src/crypto/tls/testdata/Server-TLSv12-IssueTicket
+++ b/src/crypto/tls/testdata/Server-TLSv12-IssueTicket
@@ -1,7 +1,7 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 00 71 01 00 00  6d 03 03 bf f8 80 5d 1b  |....q...m.....].|
-00000010  ea 95 cb 32 3b 8f ff 5e  f9 4d 58 7d dc a4 50 cc  |...2;..^.MX}..P.|
-00000020  68 4d 40 98 11 af f3 e4  d7 31 43 00 00 04 00 2f  |hM@......1C..../|
+00000000  16 03 01 00 71 01 00 00  6d 03 03 ae 71 d4 07 74  |....q...m...q..t|
+00000010  03 93 b0 1f 88 72 ef d2  54 61 44 34 5f 3f ea 16  |.....r..TaD4_?..|
+00000020  32 41 11 a9 00 9b 59 ba  50 a8 ab 00 00 04 00 2f  |2A....Y.P....../|
 00000030  00 ff 01 00 00 40 00 23  00 00 00 16 00 00 00 17  |.....@.#........|
 00000040  00 00 00 0d 00 30 00 2e  04 03 05 03 06 03 08 07  |.....0..........|
 00000050  08 08 08 09 08 0a 08 0b  08 04 08 05 08 06 04 01  |................|
@@ -52,39 +52,39 @@
 00000290  fe 3d 13 60 84 5c 21 d3  3b e9 fa e7 16 03 03 00  |.=.`.\!.;.......|
 000002a0  04 0e 00 00 00                                    |.....|
 >>> Flow 3 (client to server)
-00000000  16 03 03 00 86 10 00 00  82 00 80 35 d7 dd 48 68  |...........5..Hh|
-00000010  17 8c 9b 02 75 0c 6b 76  17 0a e1 f8 06 c0 d7 1d  |....u.kv........|
-00000020  bf a5 97 d2 59 0f c9 90  4a f0 6f 40 dc e7 30 c4  |....Y...J.o@..0.|
-00000030  75 ab 74 9c 32 48 a4 84  3c 40 a0 bd 03 aa 09 2b  |u.t.2H..<@.....+|
-00000040  b2 4c 80 82 17 b8 3d 27  16 9a b7 90 66 f2 10 4e  |.L....='....f..N|
-00000050  41 7e 78 24 de 27 91 f9  e9 bc bf 15 3a 35 1b ae  |A~x$.'......:5..|
-00000060  28 9e e1 09 f0 7a 4d 66  7e de d1 43 bf f5 e4 09  |(....zMf~..C....|
-00000070  a7 21 cb 0e 1d 59 6d a0  a6 41 44 58 f4 ab ac 6a  |.!...Ym..ADX...j|
-00000080  98 db 25 e3 57 ee 94 87  85 51 ea 14 03 03 00 01  |..%.W....Q......|
-00000090  01 16 03 03 00 40 c9 64  79 e7 15 1d 30 15 95 89  |.....@.dy...0...|
-000000a0  b1 9b 12 42 69 4b 22 20  54 5a aa b6 71 02 1c 3f  |...BiK" TZ..q..?|
-000000b0  7c b5 66 07 b5 1f 55 96  3f ce 47 1f 66 52 d8 6b  ||.f...U.?.G.fR.k|
-000000c0  65 71 c0 4e 0b 7e 55 e0  f5 af 42 29 af 2b 1d 0e  |eq.N.~U...B).+..|
-000000d0  e6 96 cd 7b fc d3                                 |...{..|
+00000000  16 03 03 00 86 10 00 00  82 00 80 1a 4a c4 37 68  |............J.7h|
+00000010  6a c0 28 f1 ea ea 14 20  fe c3 b6 61 28 67 75 7b  |j.(.... ...a(gu{|
+00000020  74 e0 6b ab 2c dd c8 13  0a be d6 71 a1 13 96 5a  |t.k.,......q...Z|
+00000030  bf 89 2e 6e 6a 61 24 ca  d4 88 3f f8 20 ed 20 1f  |...nja$...?. . .|
+00000040  0a 9c 11 9b 96 e1 cd d8  38 42 05 be b8 6e e5 fe  |........8B...n..|
+00000050  54 c8 93 b8 56 67 01 97  a0 bc 37 33 7c 40 f7 77  |T...Vg....73|@.w|
+00000060  5d 8b 63 bc 3f 7b e3 e9  0a b0 13 06 12 6e 8e 1c  |].c.?{.......n..|
+00000070  7c e7 ed 99 6d c3 5a 93  92 d2 4a fe fa d9 10 1c  ||...m.Z...J.....|
+00000080  76 e2 9e d7 d4 cd c7 b9  7a 40 54 14 03 03 00 01  |v.......z@T.....|
+00000090  01 16 03 03 00 40 ac 11  71 60 db b6 db b9 db fb  |.....@..q`......|
+000000a0  09 20 8d 00 e9 69 25 15  f9 14 8f 08 7a 6c 8c 29  |. ...i%.....zl.)|
+000000b0  0d f4 9b d3 ca c8 c8 f3  11 0a 85 d6 c2 cc 60 a7  |..............`.|
+000000c0  8c a3 32 06 08 15 bd 84  a0 4f 17 b9 6b 9b 6a 7c  |..2......O..k.j||
+000000d0  23 9d 74 22 7f fd                                 |#.t"..|
 >>> Flow 4 (server to client)
-00000000  16 03 03 00 83 04 00 00  7f 00 00 00 00 00 79 00  |..............y.|
+00000000  16 03 03 00 85 04 00 00  81 00 00 00 00 00 7b 00  |..............{.|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 94  |................|
-00000020  6f 2d b0 ac 51 ed 14 ef  68 ca 42 c5 4c 85 f6 26  |o-..Q...h.B.L..&|
-00000030  0d a4 ad a8 f5 14 64 4f  b9 c3 fb 1e 55 c1 1f c7  |......dO....U...|
-00000040  31 57 72 68 db 03 37 a8  c9 07 f4 ca 62 6c 5c f3  |1Wrh..7.....bl\.|
-00000050  8b 5a 3d 76 dd 63 ea 68  61 6b a1 2d 95 49 38 16  |.Z=v.c.hak.-.I8.|
-00000060  7e 51 5c e5 15 c0 58 7d  c5 67 4a 6f 64 b6 79 1a  |~Q\...X}.gJod.y.|
-00000070  41 9b b1 33 15 38 74 92  5c a5 48 c3 f2 94 bb 33  |A..3.8t.\.H....3|
-00000080  ec af cf d7 e7 c9 3e 35  14 03 03 00 01 01 16 03  |......>5........|
-00000090  03 00 40 00 00 00 00 00  00 00 00 00 00 00 00 00  |..@.............|
-000000a0  00 00 00 19 51 7c 1c a3  80 34 e1 81 30 3f f9 a4  |....Q|...4..0?..|
-000000b0  a0 97 97 fd 94 fb ab e8  80 48 25 7b 83 ca 38 61  |.........H%{..8a|
-000000c0  34 95 d0 52 6f 09 ad 4f  74 35 c5 3d e8 bb aa 5d  |4..Ro..Ot5.=...]|
-000000d0  d0 fc 85 17 03 03 00 40  00 00 00 00 00 00 00 00  |.......@........|
-000000e0  00 00 00 00 00 00 00 00  e7 19 f9 fd 10 7c 17 04  |.............|..|
-000000f0  2d ce 5f a6 41 33 3d 05  b0 29 91 ff a0 a5 76 52  |-._.A3=..)....vR|
-00000100  e1 b9 ba 6a ca d3 79 60  11 ac 43 b5 30 f7 15 dc  |...j..y`..C.0...|
-00000110  6f b1 d2 b2 00 85 43 40  15 03 03 00 30 00 00 00  |o.....C@....0...|
-00000120  00 00 00 00 00 00 00 00  00 00 00 00 00 19 99 8a  |................|
-00000130  4c 18 e0 03 cc 27 7a be  2c e5 d2 16 95 f6 a4 6e  |L....'z.,......n|
-00000140  11 d3 1d f4 01 52 2b fc  98 04 b1 0b 31           |.....R+.....1|
+00000020  6f 2d b0 ac 51 ed 14 ef  68 ca 42 c5 4c 52 2e 96  |o-..Q...h.B.LR..|
+00000030  6b e5 cc b4 0c ee 82 5b  c1 57 52 8e dd 26 c8 58  |k......[.WR..&.X|
+00000040  27 01 5f ec 58 a0 5c ad  74 e8 82 b7 ab 86 71 25  |'._.X.\.t.....q%|
+00000050  aa ed ec ef 69 5f 7e 1d  f2 58 30 13 75 49 38 16  |....i_~..X0.uI8.|
+00000060  7e 51 5c e5 15 c0 58 7d  52 1a 43 47 27 99 9d 0f  |~Q\...X}R.CG'...|
+00000070  e0 4c f4 3b e0 b0 76 ae  e6 5d a4 a0 34 38 8b b0  |.L.;..v..]..48..|
+00000080  3a ba 26 90 a3 dd c2 dc  26 98 14 03 03 00 01 01  |:.&.....&.......|
+00000090  16 03 03 00 40 00 00 00  00 00 00 00 00 00 00 00  |....@...........|
+000000a0  00 00 00 00 00 55 e7 9a  32 83 32 d1 01 6e 0e 5a  |.....U..2.2..n.Z|
+000000b0  dd 72 c5 f9 90 24 6b da  73 d9 ed 39 b8 d5 f6 93  |.r...$k.s..9....|
+000000c0  e0 f0 3e 20 db d0 0c 8a  b0 10 78 1e 08 fb 47 44  |..> ......x...GD|
+000000d0  27 74 30 c4 73 17 03 03  00 40 00 00 00 00 00 00  |'t0.s....@......|
+000000e0  00 00 00 00 00 00 00 00  00 00 0a ae 7e 4e c4 37  |............~N.7|
+000000f0  65 b9 bf 66 a5 c5 5d a2  bc 76 7a db c9 cd 0b 85  |e..f..]..vz.....|
+00000100  de 86 e4 94 2c f2 87 1f  7a 4b 31 b7 4d 77 18 8a  |....,...zK1.Mw..|
+00000110  6d 5e af d0 eb 87 bf d9  c5 e3 15 03 03 00 30 00  |m^............0.|
+00000120  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 9f  |................|
+00000130  8a 39 93 10 94 78 d1 dc  81 07 b6 1a 1a c3 96 c1  |.9...x..........|
+00000140  28 d3 30 eb 3d 1a d3 d6  d8 3a d2 33 ec ed 6c     |(.0.=....:.3..l|
diff --git a/src/crypto/tls/testdata/Server-TLSv12-IssueTicketPreDisable b/src/crypto/tls/testdata/Server-TLSv12-IssueTicketPreDisable
index 20ce3c3cc8..a86d19c35a 100644
--- a/src/crypto/tls/testdata/Server-TLSv12-IssueTicketPreDisable
+++ b/src/crypto/tls/testdata/Server-TLSv12-IssueTicketPreDisable
@@ -1,7 +1,7 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 00 71 01 00 00  6d 03 03 a1 ba 69 29 39  |....q...m....i)9|
-00000010  b5 fc c7 90 90 54 35 be  5a ad 4a e2 b2 3d b9 01  |.....T5.Z.J..=..|
-00000020  f0 48 fd 77 b5 9e bc 89  f5 d4 df 00 00 04 00 2f  |.H.w.........../|
+00000000  16 03 01 00 71 01 00 00  6d 03 03 9d 49 68 d2 e5  |....q...m...Ih..|
+00000010  4a 77 05 39 fb b6 c2 e8  79 b8 cd e7 42 dd f5 29  |Jw.9....y...B..)|
+00000020  4f 24 92 27 bf 94 95 89  8a 0c 5f 00 00 04 00 2f  |O$.'......_..../|
 00000030  00 ff 01 00 00 40 00 23  00 00 00 16 00 00 00 17  |.....@.#........|
 00000040  00 00 00 0d 00 30 00 2e  04 03 05 03 06 03 08 07  |.....0..........|
 00000050  08 08 08 09 08 0a 08 0b  08 04 08 05 08 06 04 01  |................|
@@ -52,39 +52,39 @@
 00000290  fe 3d 13 60 84 5c 21 d3  3b e9 fa e7 16 03 03 00  |.=.`.\!.;.......|
 000002a0  04 0e 00 00 00                                    |.....|
 >>> Flow 3 (client to server)
-00000000  16 03 03 00 86 10 00 00  82 00 80 cc 4e 62 e0 bf  |............Nb..|
-00000010  21 65 dc f2 57 fb fe 6e  e4 cc de b4 1f aa af 52  |!e..W..n.......R|
-00000020  a4 e0 0e 1b fa 8b 23 4b  d9 e2 4b 62 6a 26 80 f7  |......#K..Kbj&..|
-00000030  15 82 ba 44 4a 18 b8 97  ca a1 79 4b 11 59 90 7d  |...DJ.....yK.Y.}|
-00000040  ea 89 7c f9 6b 5f 29 c7  ca 32 bf 3b 53 b2 bb bb  |..|.k_)..2.;S...|
-00000050  77 0a 5c 1f c2 d8 20 cf  59 19 4e a0 ff ef ca ca  |w.\... .Y.N.....|
-00000060  25 39 ac c7 64 b9 e8 68  09 f2 49 96 8e 49 c7 4c  |%9..d..h..I..I.L|
-00000070  cd ff 28 6f d8 0d d3 7a  ae 7a 51 9e 04 70 8a 59  |..(o...z.zQ..p.Y|
-00000080  8c 05 61 c9 2b bd e1 05  5a 12 63 14 03 03 00 01  |..a.+...Z.c.....|
-00000090  01 16 03 03 00 40 ac 30  bb 83 2f e2 a1 98 a3 c5  |.....@.0../.....|
-000000a0  9c e3 55 36 70 a0 10 fc  53 7e 2d ae f1 02 d7 04  |..U6p...S~-.....|
-000000b0  1f 4e 5d ed 33 29 99 04  54 8e 51 74 d5 2a 73 21  |.N].3)..T.Qt.*s!|
-000000c0  4f bf 8b 0c 04 b2 f2 d4  3e a7 f6 ee 8b fb 3a 0b  |O.......>.....:.|
-000000d0  86 27 7c a7 bb 32                                 |.'|..2|
+00000000  16 03 03 00 86 10 00 00  82 00 80 2b 09 f3 6c 39  |...........+..l9|
+00000010  25 51 ab 73 c9 5d e4 de  bb b3 7d 8e 40 96 df f9  |%Q.s.]....}.@...|
+00000020  28 24 82 47 21 40 2d cb  bd 7d a5 2a 89 91 7d e0  |($.G!@-..}.*..}.|
+00000030  4c 92 ca 8f 2c 2d be 93  d1 a2 00 ef 3a 4b 6b de  |L...,-......:Kk.|
+00000040  e9 ab 38 0b 19 21 35 5d  fb 06 b1 1f dd 75 db d6  |..8..!5].....u..|
+00000050  6b 16 7e 1e 32 ef 58 11  78 ef 6e 7f cc 1f cd 8e  |k.~.2.X.x.n.....|
+00000060  57 01 96 eb 06 bf 09 10  99 ed 3c 35 94 9f 03 66  |W.........<5...f|
+00000070  a4 e1 96 22 eb f5 cd 28  1f 4e 2c b9 2c 48 29 bf  |..."...(.N,.,H).|
+00000080  b3 43 c1 b9 f0 aa 2b 29  47 a4 38 14 03 03 00 01  |.C....+)G.8.....|
+00000090  01 16 03 03 00 40 75 ac  e5 40 a2 19 82 90 ef 25  |.....@u..@.....%|
+000000a0  9c 3b c2 95 fb 58 b9 c8  72 2c b3 94 d5 23 e9 f6  |.;...X..r,...#..|
+000000b0  0d 03 2e 24 54 73 c3 5b  0d 84 2d 5b 12 f6 f9 5a  |...$Ts.[..-[...Z|
+000000c0  59 6d ea 80 5e b6 ab 34  5f 57 98 fb 2c c8 e2 d0  |Ym..^..4_W..,...|
+000000d0  3e fb 32 4c b1 93                                 |>.2L..|
 >>> Flow 4 (server to client)
-00000000  16 03 03 00 83 04 00 00  7f 00 00 00 00 00 79 00  |..............y.|
+00000000  16 03 03 00 85 04 00 00  81 00 00 00 00 00 7b 00  |..............{.|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 94  |................|
-00000020  6f 2d b0 ac 51 ed 14 ef  68 ca 42 c5 4c fa 53 68  |o-..Q...h.B.L.Sh|
-00000030  d9 20 e9 d9 c1 9c 90 3b  f2 e6 57 af 04 e5 db 6b  |. .....;..W....k|
-00000040  36 0b b5 b8 e2 a5 a4 bf  52 31 80 32 b9 da d9 32  |6.......R1.2...2|
-00000050  36 e7 31 d3 22 78 12 ae  7a 80 ac fa 6d 49 38 16  |6.1."x..z...mI8.|
-00000060  7e 51 5c e5 15 c0 58 7d  d6 77 d5 17 1b d9 a8 74  |~Q\...X}.w.....t|
-00000070  be 93 25 54 84 a7 1a 93  1f 20 a4 49 eb 26 e7 8e  |..%T..... .I.&..|
-00000080  d3 0f cf 9c 75 cc 6f 36  14 03 03 00 01 01 16 03  |....u.o6........|
-00000090  03 00 40 00 00 00 00 00  00 00 00 00 00 00 00 00  |..@.............|
-000000a0  00 00 00 eb f1 52 79 ff  b8 6c 9c 23 f3 22 bc 96  |.....Ry..l.#."..|
-000000b0  2a bc e7 73 05 32 4b 2e  e4 5e 31 97 62 86 cc 12  |*..s.2K..^1.b...|
-000000c0  ae 22 77 92 37 5d 82 41  57 48 aa f4 0a f3 94 30  |."w.7].AWH.....0|
-000000d0  5d 06 7b 17 03 03 00 40  00 00 00 00 00 00 00 00  |].{....@........|
-000000e0  00 00 00 00 00 00 00 00  8f 8d a7 06 a7 d6 52 5a  |..............RZ|
-000000f0  b9 66 5e ef e3 8d 1d 91  d0 6d 30 29 92 4e 6a 81  |.f^......m0).Nj.|
-00000100  f4 77 97 06 de a8 c8 d1  4c 6b 15 07 1f 9b 59 6d  |.w......Lk....Ym|
-00000110  cb 4f 23 20 58 aa 22 21  15 03 03 00 30 00 00 00  |.O# X."!....0...|
-00000120  00 00 00 00 00 00 00 00  00 00 00 00 00 06 55 3d  |..............U=|
-00000130  42 f5 12 b2 66 aa af 00  91 5e b8 31 ae 19 0e 35  |B...f....^.1...5|
-00000140  a2 d7 a6 e7 0c 3c 2b 95  62 69 d7 a0 81           |.....<+.bi...|
+00000020  6f 2d b0 ac 51 ed 14 ef  68 ca 42 c5 4c ba fa 12  |o-..Q...h.B.L...|
+00000030  47 15 bc 82 f4 35 e2 0f  0f 2b d3 02 30 a7 c3 bb  |G....5...+..0...|
+00000040  48 06 b7 80 c5 21 70 95  bf fd e5 fa d8 aa ee 9c  |H....!p.........|
+00000050  d6 10 79 3b f9 e6 9e 21  21 bd e9 50 ba 49 38 16  |..y;...!!..P.I8.|
+00000060  7e 51 5c e5 15 c0 58 7d  52 1a 2e ee ae e1 df 6c  |~Q\...X}R......l|
+00000070  d2 82 e8 11 4b d9 3a b4  ed 46 56 6a 8e cd 4b 70  |....K.:..FVj..Kp|
+00000080  37 5c 82 fc ef d7 ff 38  65 e6 14 03 03 00 01 01  |7\.....8e.......|
+00000090  16 03 03 00 40 00 00 00  00 00 00 00 00 00 00 00  |....@...........|
+000000a0  00 00 00 00 00 8a 27 b1  df e3 23 8d 5e a8 06 e0  |......'...#.^...|
+000000b0  3b 70 3a 8a f2 36 09 e5  0b 91 03 0c ab c7 6b 2c  |;p:..6........k,|
+000000c0  ee 8d fd b3 d1 3b 0b d6  08 45 af 26 40 ad c7 fd  |.....;...E.&@...|
+000000d0  8f fa fa f6 c0 17 03 03  00 40 00 00 00 00 00 00  |.........@......|
+000000e0  00 00 00 00 00 00 00 00  00 00 c0 62 b3 b3 3d 17  |...........b..=.|
+000000f0  5d 7f a6 7d 7b eb ea 35  f5 46 3c 69 94 a0 37 ca  |]..}{..5.F<i..7.|
+00000100  e1 68 4b e9 aa ba f9 dd  bc 2d b7 a4 8f 3f 9f 34  |.hK......-...?.4|
+00000110  8b c9 0f a9 02 6f c3 23  18 1e 15 03 03 00 30 00  |.....o.#......0.|
+00000120  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 9b  |................|
+00000130  4c 82 81 0a 30 16 5b d6  cb cb 76 9d c4 5d 2e ad  |L...0.[...v..]..|
+00000140  48 67 b0 0f f1 27 24 47  eb 61 65 61 fc f1 aa     |Hg...'$G.aea...|
diff --git a/src/crypto/tls/testdata/Server-TLSv12-Resume b/src/crypto/tls/testdata/Server-TLSv12-Resume
index cd0a1240b2..2aac24b1a5 100644
--- a/src/crypto/tls/testdata/Server-TLSv12-Resume
+++ b/src/crypto/tls/testdata/Server-TLSv12-Resume
@@ -1,54 +1,55 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 01 0a 01 00 01  06 03 03 2d b6 ca ea 39  |...........-...9|
-00000010  59 17 86 df 90 2f 73 e0  a0 5c 6e 28 09 78 69 d6  |Y..../s..\n(.xi.|
-00000020  30 06 b7 7b 17 a9 79 30  2a d8 57 20 c5 5c ed 86  |0..{..y0*.W .\..|
-00000030  15 f4 3b c8 d2 5f 7a 80  2a 6a cd 40 c2 da 6f a8  |..;.._z.*j.@..o.|
-00000040  cd d7 e7 bf 48 bd fb a1  e9 4b 9b a9 00 04 00 2f  |....H....K...../|
-00000050  00 ff 01 00 00 b9 00 23  00 79 00 00 00 00 00 00  |.......#.y......|
+00000000  16 03 01 01 0c 01 00 01  08 03 03 a6 8e 75 2d a5  |.............u-.|
+00000010  52 ef 15 c3 e3 42 53 88  55 21 76 a9 8c 44 e8 df  |R....BS.U!v..D..|
+00000020  f4 1c 40 08 1a 35 46 4b  6d 4f ff 20 e3 91 5e 82  |..@..5FKmO. ..^.|
+00000030  58 5e 5a 37 a7 16 d8 fe  96 0e 2c 45 13 ac 4f 30  |X^Z7......,E..O0|
+00000040  96 a3 17 a2 16 49 00 d6  8e b6 6a 4d 00 04 00 2f  |.....I....jM.../|
+00000050  00 ff 01 00 00 bb 00 23  00 7b 00 00 00 00 00 00  |.......#.{......|
 00000060  00 00 00 00 00 00 00 00  00 00 94 6f 2d b0 ac 51  |...........o-..Q|
-00000070  ed 14 ef 68 ca 42 c5 4c  85 f6 26 0d a4 ad a8 f5  |...h.B.L..&.....|
-00000080  14 64 4f b9 c3 fb 1e 55  c1 1f c7 31 57 72 68 db  |.dO....U...1Wrh.|
-00000090  03 37 a8 c9 07 f4 ca 62  6c 5c f3 8b 5a 3d 76 dd  |.7.....bl\..Z=v.|
-000000a0  63 ea 68 61 6b a1 2d 95  49 38 16 7e 51 5c e5 15  |c.hak.-.I8.~Q\..|
-000000b0  c0 58 7d c5 67 4a 6f 64  b6 79 1a 41 9b b1 33 15  |.X}.gJod.y.A..3.|
-000000c0  38 74 92 5c a5 48 c3 f2  94 bb 33 ec af cf d7 e7  |8t.\.H....3.....|
-000000d0  c9 3e 35 00 16 00 00 00  17 00 00 00 0d 00 30 00  |.>5...........0.|
-000000e0  2e 04 03 05 03 06 03 08  07 08 08 08 09 08 0a 08  |................|
-000000f0  0b 08 04 08 05 08 06 04  01 05 01 06 01 03 03 02  |................|
-00000100  03 03 01 02 01 03 02 02  02 04 02 05 02 06 02     |...............|
+00000070  ed 14 ef 68 ca 42 c5 4c  52 2e 96 6b e5 cc b4 0c  |...h.B.LR..k....|
+00000080  ee 82 5b c1 57 52 8e dd  26 c8 58 27 01 5f ec 58  |..[.WR..&.X'._.X|
+00000090  a0 5c ad 74 e8 82 b7 ab  86 71 25 aa ed ec ef 69  |.\.t.....q%....i|
+000000a0  5f 7e 1d f2 58 30 13 75  49 38 16 7e 51 5c e5 15  |_~..X0.uI8.~Q\..|
+000000b0  c0 58 7d 52 1a 43 47 27  99 9d 0f e0 4c f4 3b e0  |.X}R.CG'....L.;.|
+000000c0  b0 76 ae e6 5d a4 a0 34  38 8b b0 3a ba 26 90 a3  |.v..]..48..:.&..|
+000000d0  dd c2 dc 26 98 00 16 00  00 00 17 00 00 00 0d 00  |...&............|
+000000e0  30 00 2e 04 03 05 03 06  03 08 07 08 08 08 09 08  |0...............|
+000000f0  0a 08 0b 08 04 08 05 08  06 04 01 05 01 06 01 03  |................|
+00000100  03 02 03 03 01 02 01 03  02 02 02 04 02 05 02 06  |................|
+00000110  02                                                |.|
 >>> Flow 2 (server to client)
 00000000  16 03 03 00 59 02 00 00  55 03 03 00 00 00 00 00  |....Y...U.......|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
-00000020  00 00 00 44 4f 57 4e 47  52 44 01 20 c5 5c ed 86  |...DOWNGRD. .\..|
-00000030  15 f4 3b c8 d2 5f 7a 80  2a 6a cd 40 c2 da 6f a8  |..;.._z.*j.@..o.|
-00000040  cd d7 e7 bf 48 bd fb a1  e9 4b 9b a9 00 2f 00 00  |....H....K.../..|
+00000020  00 00 00 44 4f 57 4e 47  52 44 01 20 e3 91 5e 82  |...DOWNGRD. ..^.|
+00000030  58 5e 5a 37 a7 16 d8 fe  96 0e 2c 45 13 ac 4f 30  |X^Z7......,E..O0|
+00000040  96 a3 17 a2 16 49 00 d6  8e b6 6a 4d 00 2f 00 00  |.....I....jM./..|
 00000050  0d 00 23 00 00 ff 01 00  01 00 00 17 00 00 16 03  |..#.............|
-00000060  03 00 83 04 00 00 7f 00  00 00 00 00 79 00 00 00  |............y...|
+00000060  03 00 85 04 00 00 81 00  00 00 00 00 7b 00 00 00  |............{...|
 00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 94 6f 2d  |..............o-|
-00000080  b0 ac 51 ed 14 ef 68 ca  42 c5 4c 85 f6 26 0d a4  |..Q...h.B.L..&..|
-00000090  ad a8 f5 14 64 4f b9 c3  fb 1e 55 c1 1f c7 31 57  |....dO....U...1W|
-000000a0  72 68 db 03 37 a8 c9 07  f4 ca 62 6c 5c f3 8b 5a  |rh..7.....bl\..Z|
-000000b0  3d 76 dd 63 ea 68 61 6b  a1 2d 95 49 38 16 7e 51  |=v.c.hak.-.I8.~Q|
-000000c0  5c e5 15 c0 58 7d c5 67  4a 6f 64 b6 79 1a 41 9b  |\...X}.gJod.y.A.|
-000000d0  b1 33 15 38 74 92 5c a5  48 c3 f2 94 bb 33 ec af  |.3.8t.\.H....3..|
-000000e0  cf d7 e7 c9 3e 35 14 03  03 00 01 01 16 03 03 00  |....>5..........|
-000000f0  40 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |@...............|
-00000100  00 47 68 3a 66 5b d6 ed  b7 60 a9 fb e8 37 d6 9d  |.Gh:f[...`...7..|
-00000110  a6 b9 4d d5 f3 9f 0f c6  3c 21 6e d5 80 08 a8 34  |..M.....<!n....4|
-00000120  34 da a3 1f b0 20 28 e4  2f 2b 6b c6 3e dc ac 6b  |4.... (./+k.>..k|
-00000130  40                                                |@|
+00000080  b0 ac 51 ed 14 ef 68 ca  42 c5 4c 52 2e 96 6b e5  |..Q...h.B.LR..k.|
+00000090  cc b4 0c ee 82 5b c1 57  52 8e dd 26 c8 58 27 01  |.....[.WR..&.X'.|
+000000a0  5f ec 58 a0 5c ad 74 e8  82 b7 ab 86 71 25 aa ed  |_.X.\.t.....q%..|
+000000b0  ec ef 69 5f 7e 1d f2 58  30 13 75 49 38 16 7e 51  |..i_~..X0.uI8.~Q|
+000000c0  5c e5 15 c0 58 7d 52 1a  43 47 27 99 9d 0f e0 4c  |\...X}R.CG'....L|
+000000d0  f4 3b e0 b0 76 ae e6 5d  a4 a0 34 38 8b b0 3a ba  |.;..v..]..48..:.|
+000000e0  26 90 a3 dd c2 dc 26 98  14 03 03 00 01 01 16 03  |&.....&.........|
+000000f0  03 00 40 00 00 00 00 00  00 00 00 00 00 00 00 00  |..@.............|
+00000100  00 00 00 fb 6c 2b 7d a1  a6 a1 aa 6f 38 3f e2 8a  |....l+}....o8?..|
+00000110  09 da 48 94 ce 2a 70 70  8c d3 5d bd 8c e5 74 fc  |..H..*pp..]...t.|
+00000120  91 05 dc 9e f1 2d a6 db  3c d6 06 50 b7 9d 4d 8b  |.....-..<..P..M.|
+00000130  b7 d4 06                                          |...|
 >>> Flow 3 (client to server)
-00000000  14 03 03 00 01 01 16 03  03 00 40 46 34 b3 97 54  |..........@F4..T|
-00000010  20 5b 95 f3 22 f8 a1 89  c8 95 93 ba 7b a4 a8 8f  | [..".......{...|
-00000020  46 a8 d6 c1 b3 ac f0 e0  49 3d 8d e4 1c ac b8 a4  |F.......I=......|
-00000030  01 21 5e d8 f0 f5 10 10  f7 de 8b 33 9d 94 cf f6  |.!^........3....|
-00000040  f2 9b 39 22 5c e6 c0 5e  b4 1d cd                 |..9"\..^...|
+00000000  14 03 03 00 01 01 16 03  03 00 40 b0 47 45 3b 24  |..........@.GE;$|
+00000010  ae 4b 98 d6 cc 37 28 ab  3b ea 7e 6b bc 1f ed a5  |.K...7(.;.~k....|
+00000020  bb 67 e2 5e 72 bf d5 28  90 dc 1b 98 87 2c 49 c6  |.g.^r..(.....,I.|
+00000030  90 73 45 3f 1b 8c a2 c5  50 84 48 09 41 e1 ea 52  |.sE?....P.H.A..R|
+00000040  9e 17 ad 8f d6 cd cd 16  7a 90 64                 |........z.d|
 >>> Flow 4 (server to client)
 00000000  17 03 03 00 40 00 00 00  00 00 00 00 00 00 00 00  |....@...........|
-00000010  00 00 00 00 00 5c bc 45  06 2e d3 7b 30 99 a6 af  |.....\.E...{0...|
-00000020  64 0e 63 93 73 6f 0a e7  a4 1d ac 94 25 11 a5 63  |d.c.so......%..c|
-00000030  8d b2 44 aa 98 44 f8 b5  51 ea 2c fb 26 99 f6 a4  |..D..D..Q.,.&...|
-00000040  2c f8 15 c3 90 15 03 03  00 30 00 00 00 00 00 00  |,........0......|
-00000050  00 00 00 00 00 00 00 00  00 00 c6 58 8e 7c 97 de  |...........X.|..|
-00000060  3b b8 39 cd 7b 1d 67 77  27 da 93 39 52 a7 81 9b  |;.9.{.gw'..9R...|
-00000070  ab 5a bc e9 00 1a 64 3a  ca f5                    |.Z....d:..|
+00000010  00 00 00 00 00 a6 e7 61  5a 2b 01 ce 94 48 d2 09  |.......aZ+...H..|
+00000020  13 a5 90 a8 58 47 8d fd  ab 69 85 fa 42 00 3d 99  |....XG...i..B.=.|
+00000030  d1 fd 16 88 0b 2a 43 92  54 e7 55 2e dd 70 86 e1  |.....*C.T.U..p..|
+00000040  f1 c5 5c c8 1e 15 03 03  00 30 00 00 00 00 00 00  |..\......0......|
+00000050  00 00 00 00 00 00 00 00  00 00 ba 42 cf 74 9f 00  |...........B.t..|
+00000060  4a 76 d5 cf 48 23 ed 4a  42 62 be 1a 35 d2 8c d2  |Jv..H#.JBb..5...|
+00000070  ee 86 2f 3a f5 4d 96 64  f7 b8                    |../:.M.d..|
diff --git a/src/crypto/tls/ticket.go b/src/crypto/tls/ticket.go
index 06aec5aa63..dbbcef7637 100644
--- a/src/crypto/tls/ticket.go
+++ b/src/crypto/tls/ticket.go
@@ -44,20 +44,21 @@ type SessionState struct {
 	//           case 0: Empty;
 	//           case 1: opaque alpn<1..2^8-1>;
 	//       };
-	//       select (SessionState.type) {
-	//           case server: Empty;
-	//           case client: struct {
-	//               select (SessionState.version) {
-	//                   case VersionTLS10..VersionTLS12: Empty;
-	//                   case VersionTLS13: struct {
-	//                       uint64 use_by;
-	//                       uint32 age_add;
-	//                   };
+	//       select (SessionState.version) {
+	//           case VersionTLS10..VersionTLS12: uint16 curve_id;
+	//           case VersionTLS13: select (SessionState.type) {
+	//               case server: Empty;
+	//               case client: struct {
+	//                   uint64 use_by;
+	//                   uint32 age_add;
 	//               };
 	//           };
 	//       };
 	//   } SessionState;
 	//
+	// The format can be extended backwards-compatibly by adding new fields at
+	// the end. Otherwise, a new SessionStateType must be used, as different Go
+	// versions may share the same session ticket encryption key.
 
 	// Extra is ignored by crypto/tls, but is encoded by [SessionState.Bytes]
 	// and parsed by [ParseSessionState].
@@ -97,6 +98,9 @@ type SessionState struct {
 	useBy  uint64 // seconds since UNIX epoch
 	ageAdd uint32
 	ticket []byte
+
+	// TLS 1.0–1.2 only fields.
+	curveID CurveID
 }
 
 // Bytes encodes the session, including any private fields, so that it can be
@@ -161,11 +165,13 @@ func (s *SessionState) Bytes() ([]byte, error) {
 			b.AddBytes([]byte(s.alpnProtocol))
 		})
 	}
-	if s.isClient {
-		if s.version >= VersionTLS13 {
+	if s.version >= VersionTLS13 {
+		if s.isClient {
 			addUint64(&b, s.useBy)
 			b.AddUint32(s.ageAdd)
 		}
+	} else {
+		b.AddUint16(uint16(s.curveID))
 	}
 	return b.Bytes()
 }
@@ -187,7 +193,6 @@ func ParseSessionState(data []byte) (*SessionState, error) {
 	var extra cryptobyte.String
 	if !s.ReadUint16(&ss.version) ||
 		!s.ReadUint8(&typ) ||
-		(typ != 1 && typ != 2) ||
 		!s.ReadUint16(&ss.cipherSuite) ||
 		!readUint64(&s, &ss.createdAt) ||
 		!readUint8LengthPrefixed(&s, &ss.secret) ||
@@ -205,6 +210,14 @@ func ParseSessionState(data []byte) (*SessionState, error) {
 		}
 		ss.Extra = append(ss.Extra, e)
 	}
+	switch typ {
+	case 1:
+		ss.isClient = false
+	case 2:
+		ss.isClient = true
+	default:
+		return nil, errors.New("tls: unknown session encoding")
+	}
 	switch extMasterSecret {
 	case 0:
 		ss.extMasterSecret = false
@@ -229,6 +242,9 @@ func ParseSessionState(data []byte) (*SessionState, error) {
 		ss.activeCertHandles = append(ss.activeCertHandles, c)
 		ss.peerCertificates = append(ss.peerCertificates, c.cert)
 	}
+	if ss.isClient && len(ss.peerCertificates) == 0 {
+		return nil, errors.New("tls: no server certificates in client session")
+	}
 	ss.ocspResponse = cert.OCSPStaple
 	ss.scts = cert.SignedCertificateTimestamps
 	var chainList cryptobyte.String
@@ -266,24 +282,16 @@ func ParseSessionState(data []byte) (*SessionState, error) {
 		}
 		ss.alpnProtocol = string(alpn)
 	}
-	if isClient := typ == 2; !isClient {
-		if !s.Empty() {
+	if ss.version >= VersionTLS13 {
+		if ss.isClient {
+			if !s.ReadUint64(&ss.useBy) || !s.ReadUint32(&ss.ageAdd) {
+				return nil, errors.New("tls: invalid session encoding")
+			}
+		}
+	} else {
+		if !s.ReadUint16((*uint16)(&ss.curveID)) {
 			return nil, errors.New("tls: invalid session encoding")
 		}
-		return ss, nil
-	}
-	ss.isClient = true
-	if len(ss.peerCertificates) == 0 {
-		return nil, errors.New("tls: no server certificates in client session")
-	}
-	if ss.version < VersionTLS13 {
-		if !s.Empty() {
-			return nil, errors.New("tls: invalid session encoding")
-		}
-		return ss, nil
-	}
-	if !s.ReadUint64(&ss.useBy) || !s.ReadUint32(&ss.ageAdd) || !s.Empty() {
-		return nil, errors.New("tls: invalid session encoding")
 	}
 	return ss, nil
 }
@@ -303,6 +311,7 @@ func (c *Conn) sessionState() *SessionState {
 		isClient:          c.isClient,
 		extMasterSecret:   c.extMasterSecret,
 		verifiedChains:    c.verifiedChains,
+		curveID:           c.curveID,
 	}
 }
 
diff --git a/src/crypto/tls/tls_test.go b/src/crypto/tls/tls_test.go
index 76a9a222a9..37bc358c06 100644
--- a/src/crypto/tls/tls_test.go
+++ b/src/crypto/tls/tls_test.go
@@ -1149,9 +1149,7 @@ func TestConnectionStateMarshal(t *testing.T) {
 }
 
 func TestConnectionState(t *testing.T) {
-	skipFIPS(t) // Test certificates not FIPS compatible.
-
-	issuer, err := x509.ParseCertificate(testRSACertificateIssuer)
+	issuer, err := x509.ParseCertificate(testRSA2048CertificateIssuer)
 	if err != nil {
 		panic(err)
 	}
@@ -1163,9 +1161,133 @@ func TestConnectionState(t *testing.T) {
 	var scts = [][]byte{[]byte("dummy sct 1"), []byte("dummy sct 2")}
 	var ocsp = []byte("dummy ocsp")
 
-	for _, v := range []uint16{VersionTLS12, VersionTLS13} {
+	checkConnectionState := func(t *testing.T, cs ConnectionState, version uint16, isClient bool) {
+		if cs.Version != version {
+			t.Errorf("got Version %x, expected %x", cs.Version, version)
+		}
+
+		if !cs.HandshakeComplete {
+			t.Errorf("got HandshakeComplete %v, expected true", cs.HandshakeComplete)
+		}
+
+		if cs.DidResume {
+			t.Errorf("got DidResume %v, expected false", cs.DidResume)
+		}
+
+		if cs.CipherSuite == 0 {
+			t.Errorf("got zero CipherSuite")
+		}
+
+		if cs.CurveID == 0 {
+			t.Errorf("got zero CurveID")
+		}
+
+		if cs.NegotiatedProtocol != alpnProtocol {
+			t.Errorf("got ALPN protocol %q, expected %q", cs.NegotiatedProtocol, alpnProtocol)
+		}
+
+		if !cs.NegotiatedProtocolIsMutual {
+			t.Errorf("got NegotiatedProtocolIsMutual %v, expected true", cs.NegotiatedProtocolIsMutual)
+		}
+
+		if cs.ServerName != serverName {
+			t.Errorf("got ServerName %q, expected %q", cs.ServerName, serverName)
+		}
+
+		if len(cs.PeerCertificates) != 1 {
+			t.Errorf("got %d PeerCertificates, expected %d", len(cs.PeerCertificates), 1)
+		} else if !bytes.Equal(cs.PeerCertificates[0].Raw, testRSA2048Certificate) {
+			t.Errorf("got PeerCertificates %x, expected %x", cs.PeerCertificates[0].Raw, testRSA2048Certificate)
+		}
+
+		if len(cs.VerifiedChains) != 1 {
+			t.Errorf("got %d long verified chain, expected %d", len(cs.VerifiedChains), 1)
+		} else if len(cs.VerifiedChains[0]) != 2 {
+			t.Errorf("got %d verified chain, expected %d", len(cs.VerifiedChains[0]), 2)
+		} else if !bytes.Equal(cs.VerifiedChains[0][0].Raw, testRSA2048Certificate) {
+			t.Errorf("got verified chain[0][0] %x, expected %x", cs.VerifiedChains[0][0].Raw, testRSA2048Certificate)
+		} else if !bytes.Equal(cs.VerifiedChains[0][1].Raw, testRSA2048CertificateIssuer) {
+			t.Errorf("got verified chain[0][1] %x, expected %x", cs.VerifiedChains[0][1].Raw, testRSA2048CertificateIssuer)
+		}
+
+		// Only TLS 1.3 supports OCSP and SCTs on client certs.
+		if isClient || version == VersionTLS13 {
+			if len(cs.SignedCertificateTimestamps) != 2 {
+				t.Errorf("got %d SCTs, expected %d", len(cs.SignedCertificateTimestamps), 2)
+			} else if !bytes.Equal(cs.SignedCertificateTimestamps[0], scts[0]) {
+				t.Errorf("got SCTs %x, expected %x", cs.SignedCertificateTimestamps[0], scts[0])
+			} else if !bytes.Equal(cs.SignedCertificateTimestamps[1], scts[1]) {
+				t.Errorf("got SCTs %x, expected %x", cs.SignedCertificateTimestamps[1], scts[1])
+			}
+			if !bytes.Equal(cs.OCSPResponse, ocsp) {
+				t.Errorf("got OCSP %x, expected %x", cs.OCSPResponse, ocsp)
+			}
+		} else {
+			if cs.SignedCertificateTimestamps != nil {
+				t.Errorf("got %d SCTs, expected nil", len(cs.SignedCertificateTimestamps))
+			}
+			if cs.OCSPResponse != nil {
+				t.Errorf("got OCSP %x, expected nil", cs.OCSPResponse)
+			}
+		}
+
+		if version == VersionTLS13 {
+			if cs.TLSUnique != nil {
+				t.Errorf("got TLSUnique %x, expected nil", cs.TLSUnique)
+			}
+		} else {
+			if cs.TLSUnique == nil {
+				t.Errorf("got nil TLSUnique")
+			}
+		}
+	}
+
+	compareConnectionStates := func(t *testing.T, cs1, cs2 ConnectionState) {
+		if cs1.Version != cs2.Version {
+			t.Errorf("Version mismatch: %x != %x", cs1.Version, cs2.Version)
+		}
+		if cs1.HandshakeComplete != cs2.HandshakeComplete {
+			t.Errorf("HandshakeComplete mismatch: %v != %v", cs1.HandshakeComplete, cs2.HandshakeComplete)
+		}
+		// DidResume is expected to be different.
+		if cs1.CipherSuite != cs2.CipherSuite {
+			t.Errorf("CipherSuite mismatch: %x != %x", cs1.CipherSuite, cs2.CipherSuite)
+		}
+		if cs1.CurveID != cs2.CurveID {
+			t.Errorf("CurveID mismatch: %s != %s", cs1.CurveID, cs2.CurveID)
+		}
+		if cs1.NegotiatedProtocol != cs2.NegotiatedProtocol {
+			t.Errorf("NegotiatedProtocol mismatch: %q != %q", cs1.NegotiatedProtocol, cs2.NegotiatedProtocol)
+		}
+		if cs1.NegotiatedProtocolIsMutual != cs2.NegotiatedProtocolIsMutual {
+			t.Errorf("NegotiatedProtocolIsMutual mismatch: %v != %v", cs1.NegotiatedProtocolIsMutual, cs2.NegotiatedProtocolIsMutual)
+		}
+		if cs1.ServerName != cs2.ServerName {
+			t.Errorf("ServerName mismatch: %q != %q", cs1.ServerName, cs2.ServerName)
+		}
+		if !reflect.DeepEqual(cs1.PeerCertificates, cs2.PeerCertificates) {
+			t.Errorf("PeerCertificates mismatch")
+		}
+		if !reflect.DeepEqual(cs1.VerifiedChains, cs2.VerifiedChains) {
+			t.Errorf("VerifiedChains mismatch")
+		}
+		if !reflect.DeepEqual(cs1.SignedCertificateTimestamps, cs2.SignedCertificateTimestamps) {
+			t.Errorf("SignedCertificateTimestamps mismatch: %x != %x", cs1.SignedCertificateTimestamps, cs2.SignedCertificateTimestamps)
+		}
+		if !bytes.Equal(cs1.OCSPResponse, cs2.OCSPResponse) {
+			t.Errorf("OCSPResponse mismatch: %x != %x", cs1.OCSPResponse, cs2.OCSPResponse)
+		}
+		// TLSUnique is expected to be different.
+	}
+
+	for _, v := range []uint16{VersionTLS10, VersionTLS12, VersionTLS13} {
+		if !isFIPSVersion(v) && fips140tls.Required() {
+			t.Skipf("skipping test in FIPS 140-3 mode for non-FIPS version %x", v)
+		}
 		var name string
 		switch v {
+		case VersionTLS10:
+			name = "TLSv10"
 		case VersionTLS12:
 			name = "TLSv12"
 		case VersionTLS13:
@@ -1173,93 +1295,46 @@ func TestConnectionState(t *testing.T) {
 		}
 		t.Run(name, func(t *testing.T) {
 			config := &Config{
-				Time:         testTime,
-				Rand:         zeroSource{},
-				Certificates: make([]Certificate, 1),
-				MaxVersion:   v,
-				RootCAs:      rootCAs,
-				ClientCAs:    rootCAs,
-				ClientAuth:   RequireAndVerifyClientCert,
-				NextProtos:   []string{alpnProtocol},
-				ServerName:   serverName,
+				Time:               testTime,
+				Certificates:       make([]Certificate, 1),
+				MinVersion:         v,
+				MaxVersion:         v,
+				RootCAs:            rootCAs,
+				ClientCAs:          rootCAs,
+				ClientAuth:         RequireAndVerifyClientCert,
+				NextProtos:         []string{alpnProtocol},
+				ServerName:         serverName,
+				ClientSessionCache: NewLRUClientSessionCache(1),
 			}
-			config.Certificates[0].Certificate = [][]byte{testRSACertificate}
-			config.Certificates[0].PrivateKey = testRSAPrivateKey
+			config.Certificates[0].Certificate = [][]byte{testRSA2048Certificate}
+			config.Certificates[0].PrivateKey = testRSA2048PrivateKey
 			config.Certificates[0].SignedCertificateTimestamps = scts
 			config.Certificates[0].OCSPStaple = ocsp
 
 			ss, cs, err := testHandshake(t, config, config)
 			if err != nil {
-				t.Fatalf("Handshake failed: %v", err)
+				t.Fatalf("handshake failed: %v", err)
 			}
 
-			if ss.Version != v || cs.Version != v {
-				t.Errorf("Got versions %x (server) and %x (client), expected %x", ss.Version, cs.Version, v)
-			}
+			t.Run("Client", func(t *testing.T) { checkConnectionState(t, cs, v, true) })
+			t.Run("Server", func(t *testing.T) { checkConnectionState(t, ss, v, false) })
 
-			if !ss.HandshakeComplete || !cs.HandshakeComplete {
-				t.Errorf("Got HandshakeComplete %v (server) and %v (client), expected true", ss.HandshakeComplete, cs.HandshakeComplete)
-			}
+			t.Run("Resume", func(t *testing.T) {
+				// TODO: test changing parameters between original and resumed
+				// connection when the protocol allows it.
 
-			if ss.DidResume || cs.DidResume {
-				t.Errorf("Got DidResume %v (server) and %v (client), expected false", ss.DidResume, cs.DidResume)
-			}
-
-			if ss.CipherSuite == 0 || cs.CipherSuite == 0 {
-				t.Errorf("Got invalid cipher suite: %v (server) and %v (client)", ss.CipherSuite, cs.CipherSuite)
-			}
-
-			if ss.NegotiatedProtocol != alpnProtocol || cs.NegotiatedProtocol != alpnProtocol {
-				t.Errorf("Got negotiated protocol %q (server) and %q (client), expected %q", ss.NegotiatedProtocol, cs.NegotiatedProtocol, alpnProtocol)
-			}
-
-			if !cs.NegotiatedProtocolIsMutual {
-				t.Errorf("Got false NegotiatedProtocolIsMutual on the client side")
-			}
-			// NegotiatedProtocolIsMutual on the server side is unspecified.
-
-			if ss.ServerName != serverName {
-				t.Errorf("Got server name %q, expected %q", ss.ServerName, serverName)
-			}
-			if cs.ServerName != serverName {
-				t.Errorf("Got server name on client connection %q, expected %q", cs.ServerName, serverName)
-			}
-
-			if len(ss.PeerCertificates) != 1 || len(cs.PeerCertificates) != 1 {
-				t.Errorf("Got %d (server) and %d (client) peer certificates, expected %d", len(ss.PeerCertificates), len(cs.PeerCertificates), 1)
-			}
-
-			if len(ss.VerifiedChains) != 1 || len(cs.VerifiedChains) != 1 {
-				t.Errorf("Got %d (server) and %d (client) verified chains, expected %d", len(ss.VerifiedChains), len(cs.VerifiedChains), 1)
-			} else if len(ss.VerifiedChains[0]) != 2 || len(cs.VerifiedChains[0]) != 2 {
-				t.Errorf("Got %d (server) and %d (client) long verified chain, expected %d", len(ss.VerifiedChains[0]), len(cs.VerifiedChains[0]), 2)
-			}
-
-			if len(cs.SignedCertificateTimestamps) != 2 {
-				t.Errorf("Got %d SCTs, expected %d", len(cs.SignedCertificateTimestamps), 2)
-			}
-			if !bytes.Equal(cs.OCSPResponse, ocsp) {
-				t.Errorf("Got OCSPs %x, expected %x", cs.OCSPResponse, ocsp)
-			}
-			// Only TLS 1.3 supports OCSP and SCTs on client certs.
-			if v == VersionTLS13 {
-				if len(ss.SignedCertificateTimestamps) != 2 {
-					t.Errorf("Got %d client SCTs, expected %d", len(ss.SignedCertificateTimestamps), 2)
+				ss1, cs1, err := testHandshake(t, config, config)
+				if err != nil {
+					t.Fatalf("handshake failed: %v", err)
 				}
-				if !bytes.Equal(ss.OCSPResponse, ocsp) {
-					t.Errorf("Got client OCSPs %x, expected %x", ss.OCSPResponse, ocsp)
-				}
-			}
 
-			if v == VersionTLS13 {
-				if ss.TLSUnique != nil || cs.TLSUnique != nil {
-					t.Errorf("Got TLSUnique %x (server) and %x (client), expected nil in TLS 1.3", ss.TLSUnique, cs.TLSUnique)
+				if !cs1.DidResume || !ss1.DidResume {
+					t.Errorf("DidResume is false")
 				}
-			} else {
-				if ss.TLSUnique == nil || cs.TLSUnique == nil {
-					t.Errorf("Got TLSUnique %x (server) and %x (client), expected non-nil", ss.TLSUnique, cs.TLSUnique)
-				}
-			}
+
+				t.Run("Client", func(t *testing.T) { compareConnectionStates(t, cs, cs1) })
+				t.Run("Server", func(t *testing.T) { compareConnectionStates(t, ss, ss1) })
+			})
 		})
 	}
 }
@@ -1997,18 +2072,18 @@ func TestHandshakeMLKEM(t *testing.T) {
 				t.Fatal(err)
 			}
 			if test.expectMLKEM {
-				if ss.testingOnlyCurveID != X25519MLKEM768 {
-					t.Errorf("got CurveID %v (server), expected %v", ss.testingOnlyCurveID, X25519MLKEM768)
+				if ss.CurveID != X25519MLKEM768 {
+					t.Errorf("got CurveID %v (server), expected %v", ss.CurveID, X25519MLKEM768)
 				}
-				if cs.testingOnlyCurveID != X25519MLKEM768 {
-					t.Errorf("got CurveID %v (client), expected %v", cs.testingOnlyCurveID, X25519MLKEM768)
+				if cs.CurveID != X25519MLKEM768 {
+					t.Errorf("got CurveID %v (client), expected %v", cs.CurveID, X25519MLKEM768)
 				}
 			} else {
-				if ss.testingOnlyCurveID == X25519MLKEM768 {
-					t.Errorf("got CurveID %v (server), expected not X25519MLKEM768", ss.testingOnlyCurveID)
+				if ss.CurveID == X25519MLKEM768 {
+					t.Errorf("got CurveID %v (server), expected not X25519MLKEM768", ss.CurveID)
 				}
-				if cs.testingOnlyCurveID == X25519MLKEM768 {
-					t.Errorf("got CurveID %v (client), expected not X25519MLKEM768", cs.testingOnlyCurveID)
+				if cs.CurveID == X25519MLKEM768 {
+					t.Errorf("got CurveID %v (client), expected not X25519MLKEM768", cs.CurveID)
 				}
 			}
 			if test.expectHRR {