diff --git a/src/crypto/tls/common.go b/src/crypto/tls/common.go
index f91a11e2b3..4cce5085f4 100644
--- a/src/crypto/tls/common.go
+++ b/src/crypto/tls/common.go
@@ -8,6 +8,7 @@ import (
 	"container/list"
 	"crypto"
 	"crypto/rand"
+	"crypto/sha512"
 	"crypto/x509"
 	"fmt"
 	"io"
@@ -347,6 +348,38 @@ type Config struct {
 	CurvePreferences []CurveID
 
 	serverInitOnce sync.Once // guards calling (*Config).serverInit
+
+	// mutex protects sessionTicketKeys
+	mutex sync.RWMutex
+	// sessionTicketKeys contains zero or more ticket keys. If the length
+	// is zero, SessionTicketsDisabled must be true. The first key is used
+	// for new tickets and any subsequent keys can be used to decrypt old
+	// tickets.
+	sessionTicketKeys []ticketKey
+}
+
+// ticketKeyNameLen is the number of bytes of identifier that is prepended to
+// an encrypted session ticket in order to identify the key used to encrypt it.
+const ticketKeyNameLen = 16
+
+// ticketKey is the internal representation of a session ticket key.
+type ticketKey struct {
+	// keyName is an opaque byte string that serves to identify the session
+	// ticket key. It's exposed as plaintext in every session ticket.
+	keyName [ticketKeyNameLen]byte
+	aesKey  [16]byte
+	hmacKey [16]byte
+}
+
+// ticketKeyFromBytes converts from the external representation of a session
+// ticket key to a ticketKey. Externally, session ticket keys are 32 random
+// bytes and this function expands that into sufficient name and key material.
+func ticketKeyFromBytes(b [32]byte) (key ticketKey) {
+	hashed := sha512.Sum512(b[:])
+	copy(key.keyName[:], hashed[:ticketKeyNameLen])
+	copy(key.aesKey[:], hashed[ticketKeyNameLen:ticketKeyNameLen+16])
+	copy(key.hmacKey[:], hashed[ticketKeyNameLen+16:ticketKeyNameLen+32])
+	return key
 }
 
 func (c *Config) serverInit() {
@@ -354,16 +387,51 @@ func (c *Config) serverInit() {
 		return
 	}
 
-	// If the key has already been set then we have nothing to do.
+	alreadySet := false
 	for _, b := range c.SessionTicketKey {
 		if b != 0 {
+			alreadySet = true
+			break
+		}
+	}
+
+	if !alreadySet {
+		if _, err := io.ReadFull(c.rand(), c.SessionTicketKey[:]); err != nil {
+			c.SessionTicketsDisabled = true
 			return
 		}
 	}
 
-	if _, err := io.ReadFull(c.rand(), c.SessionTicketKey[:]); err != nil {
-		c.SessionTicketsDisabled = true
+	c.sessionTicketKeys = []ticketKey{ticketKeyFromBytes(c.SessionTicketKey)}
+}
+
+func (c *Config) ticketKeys() []ticketKey {
+	c.mutex.RLock()
+	// c.sessionTicketKeys is constant once created. SetSessionTicketKeys
+	// will only update it by replacing it with a new value.
+	ret := c.sessionTicketKeys
+	c.mutex.RUnlock()
+	return ret
+}
+
+// SetSessionTicketKeys updates the session ticket keys for a server. The first
+// key will be used when creating new tickets, while all keys can be used for
+// decrypting tickets. It is safe to call this function while the server is
+// running in order to rotate the session ticket keys. The function will panic
+// if keys is empty.
+func (c *Config) SetSessionTicketKeys(keys [][32]byte) {
+	if len(keys) == 0 {
+		panic("tls: keys must have at least one key")
 	}
+
+	newKeys := make([]ticketKey, len(keys))
+	for i, bytes := range keys {
+		newKeys[i] = ticketKeyFromBytes(bytes)
+	}
+
+	c.mutex.Lock()
+	c.sessionTicketKeys = newKeys
+	c.mutex.Unlock()
 }
 
 func (c *Config) rand() io.Reader {
diff --git a/src/crypto/tls/handshake_client_test.go b/src/crypto/tls/handshake_client_test.go
index 4bc99970d5..5fc57b0f17 100644
--- a/src/crypto/tls/handshake_client_test.go
+++ b/src/crypto/tls/handshake_client_test.go
@@ -422,15 +422,38 @@ func TestClientResumption(t *testing.T) {
 		}
 	}
 
-	testResumeState("Handshake", false)
-	testResumeState("Resume", true)
-
-	if _, err := io.ReadFull(serverConfig.rand(), serverConfig.SessionTicketKey[:]); err != nil {
-		t.Fatalf("Failed to invalidate SessionTicketKey")
+	getTicket := func() []byte {
+		return clientConfig.ClientSessionCache.(*lruSessionCache).q.Front().Value.(*lruSessionCacheEntry).state.sessionTicket
 	}
+	randomKey := func() [32]byte {
+		var k [32]byte
+		if _, err := io.ReadFull(serverConfig.rand(), k[:]); err != nil {
+			t.Fatalf("Failed to read new SessionTicketKey: %s", err)
+		}
+		return k
+	}
+
+	testResumeState("Handshake", false)
+	ticket := getTicket()
+	testResumeState("Resume", true)
+	if !bytes.Equal(ticket, getTicket()) {
+		t.Fatal("first ticket doesn't match ticket after resumption")
+	}
+
+	key2 := randomKey()
+	serverConfig.SetSessionTicketKeys([][32]byte{key2})
+
 	testResumeState("InvalidSessionTicketKey", false)
 	testResumeState("ResumeAfterInvalidSessionTicketKey", true)
 
+	serverConfig.SetSessionTicketKeys([][32]byte{randomKey(), key2})
+	ticket = getTicket()
+	testResumeState("KeyChange", true)
+	if bytes.Equal(ticket, getTicket()) {
+		t.Fatal("new ticket wasn't included while resuming")
+	}
+	testResumeState("KeyChangeFinish", true)
+
 	clientConfig.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_RC4_128_SHA}
 	testResumeState("DifferentCipherSuite", false)
 	testResumeState("DifferentCipherSuiteRecovers", true)
diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go
index 4b668e07ae..e6e0b02428 100644
--- a/src/crypto/tls/handshake_server.go
+++ b/src/crypto/tls/handshake_server.go
@@ -61,6 +61,14 @@ func (c *Conn) serverHandshake() error {
 		if err := hs.establishKeys(); err != nil {
 			return err
 		}
+		// ticketSupported is set in a resumption handshake if the
+		// ticket from the client was encrypted with an old session
+		// ticket key and thus a refreshed ticket should be sent.
+		if hs.hello.ticketSupported {
+			if err := hs.sendSessionTicket(); err != nil {
+				return err
+			}
+		}
 		if err := hs.sendFinished(c.firstFinished[:]); err != nil {
 			return err
 		}
@@ -319,6 +327,7 @@ func (hs *serverHandshakeState) doResumeHandshake() error {
 	// We echo the client's session ID in the ServerHello to let it know
 	// that we're doing a resumption.
 	hs.hello.sessionId = hs.clientHello.sessionId
+	hs.hello.ticketSupported = hs.sessionState.usedOldKey
 	hs.finishedHash.Write(hs.hello.marshal())
 	c.writeRecord(recordTypeHandshake, hs.hello.marshal())
 
diff --git a/src/crypto/tls/testdata/Server-TLSv12-ALPN b/src/crypto/tls/testdata/Server-TLSv12-ALPN
index ca804295da..ee6bb729ee 100644
--- a/src/crypto/tls/testdata/Server-TLSv12-ALPN
+++ b/src/crypto/tls/testdata/Server-TLSv12-ALPN
@@ -1,7 +1,7 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 01 78 01 00 01  74 03 03 73 99 93 cd 3d  |....x...t..s...=|
-00000010  e8 60 23 0d 6a e8 f5 e3  46 ca 38 44 85 ca 79 c8  |.`#.j...F.8D..y.|
-00000020  96 be 94 bd 43 d5 14 2b  20 da 5c 00 00 c4 c0 30  |....C..+ .\....0|
+00000000  16 03 01 01 6b 01 00 01  67 03 03 e4 b0 a0 f0 85  |....k...g.......|
+00000010  a5 8c 96 5d 78 c5 a5 f4  f2 d5 01 68 5c f3 c5 7d  |...]x......h\..}|
+00000020  00 d9 7c 0d b6 ca b4 6c  c0 0e 79 00 00 b6 c0 30  |..|....l..y....0|
 00000030  c0 2c c0 28 c0 24 c0 14  c0 0a 00 a5 00 a3 00 a1  |.,.(.$..........|
 00000040  00 9f 00 6b 00 6a 00 69  00 68 00 39 00 38 00 37  |...k.j.i.h.9.8.7|
 00000050  00 36 00 88 00 87 00 86  00 85 c0 32 c0 2e c0 2a  |.6.........2...*|
@@ -13,16 +13,15 @@
 000000b0  00 3c 00 2f 00 96 00 41  00 07 c0 11 c0 07 c0 0c  |.<./...A........|
 000000c0  c0 02 00 05 00 04 c0 12  c0 08 00 16 00 13 00 10  |................|
 000000d0  00 0d c0 0d c0 03 00 0a  00 15 00 12 00 0f 00 0c  |................|
-000000e0  00 09 00 14 00 11 00 0e  00 0b 00 08 00 06 00 03  |................|
-000000f0  00 ff 01 00 00 87 00 0b  00 04 03 00 01 02 00 0a  |................|
-00000100  00 3a 00 38 00 0e 00 0d  00 19 00 1c 00 0b 00 0c  |.:.8............|
-00000110  00 1b 00 18 00 09 00 0a  00 1a 00 16 00 17 00 08  |................|
-00000120  00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13  |................|
-00000130  00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00  |.............#..|
-00000140  00 0d 00 20 00 1e 06 01  06 02 06 03 05 01 05 02  |... ............|
-00000150  05 03 04 01 04 02 04 03  03 01 03 02 03 03 02 01  |................|
-00000160  02 02 02 03 00 0f 00 01  01 00 10 00 10 00 0e 06  |................|
-00000170  70 72 6f 74 6f 32 06 70  72 6f 74 6f 31           |proto2.proto1|
+000000e0  00 09 00 ff 02 01 00 00  87 00 0b 00 04 03 00 01  |................|
+000000f0  02 00 0a 00 3a 00 38 00  0e 00 0d 00 19 00 1c 00  |....:.8.........|
+00000100  0b 00 0c 00 1b 00 18 00  09 00 0a 00 1a 00 16 00  |................|
+00000110  17 00 08 00 06 00 07 00  14 00 15 00 04 00 05 00  |................|
+00000120  12 00 13 00 01 00 02 00  03 00 0f 00 10 00 11 00  |................|
+00000130  23 00 00 00 0d 00 20 00  1e 06 01 06 02 06 03 05  |#..... .........|
+00000140  01 05 02 05 03 04 01 04  02 04 03 03 01 03 02 03  |................|
+00000150  03 02 01 02 02 02 03 00  0f 00 01 01 00 10 00 10  |................|
+00000160  00 0e 06 70 72 6f 74 6f  32 06 70 72 6f 74 6f 31  |...proto2.proto1|
 >>> Flow 2 (server to client)
 00000000  16 03 03 00 42 02 00 00  3e 03 03 00 00 00 00 00  |....B...>.......|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
@@ -77,39 +76,40 @@
 00000320  35 75 71 b5 e5 54 5b 12  2e 8f 09 67 fd a7 24 20  |5uq..T[....g..$ |
 00000330  3e b2 56 1c ce 97 28 5e  f8 2b 2d 4f 9e f1 07 9f  |>.V...(^.+-O....|
 00000340  6c 4b 5b 83 56 e2 32 42  e9 58 b6 d7 49 a6 b5 68  |lK[.V.2B.X..I..h|
-00000350  1a 41 03 56 6b dc 5a 89  04 01 00 80 52 f3 4c 3f  |.A.Vk.Z.....R.L?|
-00000360  c4 82 3c 4f 8f dc f5 33  c5 12 41 80 dc ea f2 84  |..<O...3..A.....|
-00000370  cf e4 50 f6 27 90 bb d0  09 ef 9c 9a 34 58 5c 38  |..P.'.......4X\8|
-00000380  53 27 72 e5 07 86 bb 4d  6c 17 6f 79 60 bd ca cb  |S'r....Ml.oy`...|
-00000390  be 05 f1 0c 46 4b 1f 19  74 67 cd d9 64 2a fa 5f  |....FK..tg..d*._|
-000003a0  b8 47 fb 98 47 a9 1f d5  20 95 19 48 70 1a 1c 57  |.G..G... ..Hp..W|
-000003b0  81 46 2a 8c 56 35 69 48  c9 23 a0 4e 7f f0 c0 fc  |.F*.V5iH.#.N....|
-000003c0  eb 28 8a d3 99 45 39 cc  2b 2a 93 1f c3 0b 68 60  |.(...E9.+*....h`|
-000003d0  91 14 5e 6d be e6 40 19  38 76 d1 4c 16 03 03 00  |..^m..@.8v.L....|
+00000350  1a 41 03 56 6b dc 5a 89  04 01 00 80 b6 f9 b6 2b  |.A.Vk.Z........+|
+00000360  15 b8 ef 70 37 61 64 f3  f3 a5 d9 da ce 13 b5 e1  |...p7ad.........|
+00000370  0b 24 eb 11 a7 df 86 a9  ef 88 ef af 17 7d 02 56  |.$...........}.V|
+00000380  ec 59 32 c9 5c 06 a4 ce  10 c7 6f 6a f3 e0 43 6a  |.Y2.\.....oj..Cj|
+00000390  02 99 f4 7b 14 65 dc a5  a0 af 10 3e a8 40 35 2b  |...{.e.....>.@5+|
+000003a0  c6 a1 31 b6 26 e9 89 0f  06 61 6f 2e 6c f4 70 69  |..1.&....ao.l.pi|
+000003b0  e5 01 80 3d fe 4d 59 ad  cb 2f b8 c1 df 5f 36 f7  |...=.MY../..._6.|
+000003c0  cc a6 31 84 61 c0 e8 c5  95 37 9c e6 0d 2b 78 0c  |..1.a....7...+x.|
+000003d0  45 cf 69 5d fa 3a 8b 31  ea 22 60 31 16 03 03 00  |E.i].:.1."`1....|
 000003e0  04 0e 00 00 00                                    |.....|
 >>> Flow 3 (client to server)
-00000000  16 03 03 00 46 10 00 00  42 41 04 e2 86 c1 a0 c0  |....F...BA......|
-00000010  45 9a da 1a 70 a1 3e b6  9c b7 2e ec dd 2b 0a c6  |E...p.>......+..|
-00000020  50 59 95 fe 8e 54 83 06  b6 68 42 60 56 de b2 b3  |PY...T...hB`V...|
-00000030  b9 14 f0 e0 e2 2e a3 7f  ec 01 4d 10 8a 43 ab 33  |..........M..C.3|
-00000040  18 f4 b9 5d 6c ae cd 90  3e f4 64 14 03 03 00 01  |...]l...>.d.....|
-00000050  01 16 03 03 00 28 47 e5  15 81 5b f4 a0 6a 61 d6  |.....(G...[..ja.|
-00000060  df 5e 60 f1 d4 dc 55 45  84 0b ef 56 42 0b 42 1d  |.^`...UE...VB.B.|
-00000070  28 b4 90 a6 2a 47 41 97  3b 91 5c 74 ab 02        |(...*GA.;.\t..|
+00000000  16 03 03 00 46 10 00 00  42 41 04 8d 5a 5d 91 04  |....F...BA..Z]..|
+00000010  79 46 1b f1 12 3f d5 ca  57 18 5f 4d 71 d9 eb f8  |yF...?..W._Mq...|
+00000020  90 f6 ed 75 b9 0c 2b 6e  67 cb 3a ae cc 6d 61 af  |...u..+ng.:..ma.|
+00000030  30 87 1b a6 21 d6 90 16  84 b0 65 3d 7f cc 96 ed  |0...!.....e=....|
+00000040  9e 68 38 e5 10 27 c3 23  48 40 f9 14 03 03 00 01  |.h8..'.#H@......|
+00000050  01 16 03 03 00 28 7b a4  d0 fd 15 36 9b 1f 6e 4f  |.....({....6..nO|
+00000060  a9 d7 61 3f 58 93 5e 1b  10 be a1 8c c9 2f 39 74  |..a?X.^....../9t|
+00000070  23 9a 1e ba 5b 3b e7 f0  32 b7 14 2e ae 0b        |#...[;..2.....|
 >>> Flow 4 (server to client)
-00000000  16 03 03 00 72 04 00 00  6e 00 00 00 00 00 68 00  |....r...n.....h.|
-00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 65  |...............e|
-00000020  ea 8b e4 ef ba 19 39 3a  95 90 2b 6d 0d 59 ac 36  |......9:..+m.Y.6|
-00000030  be 71 eb b4 25 51 86 cc  80 43 ea 60 e0 53 30 ba  |.q..%Q...C.`.S0.|
-00000040  3e b9 c3 29 9b 26 94 5a  43 36 d0 65 be a7 f1 06  |>..).&.ZC6.e....|
-00000050  99 e3 c5 d7 f2 59 23 11  c5 99 27 5c 7f 43 94 0e  |.....Y#...'\.C..|
-00000060  b3 35 7a 66 d9 c4 49 53  2a 28 b6 3d e7 0f c5 d5  |.5zf..IS*(.=....|
-00000070  a2 d8 15 a8 3a 88 f7 14  03 03 00 01 01 16 03 03  |....:...........|
-00000080  00 28 00 00 00 00 00 00  00 00 07 2e 75 1d 9a 12  |.(..........u...|
-00000090  9f e9 7e 0b 42 dd 7b 8e  ae 58 ac 49 78 8d fb 3f  |..~.B.{..X.Ix..?|
-000000a0  21 e8 ef 91 3c 02 a6 23  d5 cc 17 03 03 00 25 00  |!...<..#......%.|
-000000b0  00 00 00 00 00 00 01 bb  04 db f2 86 63 96 01 60  |............c..`|
-000000c0  bb f4 68 f9 50 2a f0 15  82 f8 a1 73 bf cd 5f 4d  |..h.P*.....s.._M|
-000000d0  1a 73 67 91 15 03 03 00  1a 00 00 00 00 00 00 00  |.sg.............|
-000000e0  02 02 79 34 67 e2 67 d5  52 59 91 76 90 10 c8 41  |..y4g.g.RY.v...A|
-000000f0  c5 56 c9                                          |.V.|
+00000000  16 03 03 00 82 04 00 00  7e 00 00 00 00 00 78 50  |........~.....xP|
+00000010  46 ad c1 db a8 38 86 7b  2b bb fd d0 c3 42 3e 00  |F....8.{+....B>.|
+00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 94  |................|
+00000030  6f ec 80 83 61 dc ee 0e  43 06 28 f4 47 1a d7 25  |o...a...C.(.G..%|
+00000040  f2 fa 66 d5 81 21 51 81  a8 47 2d a5 db e1 f2 84  |..f..!Q..G-.....|
+00000050  ea 55 da 3e cf 97 fd 7e  63 68 50 e3 2d 48 5a 58  |.U.>...~chP.-HZX|
+00000060  77 36 a2 9f 3f 33 94 65  de 9e e6 65 22 6f 1d c8  |w6..?3.e...e"o..|
+00000070  46 80 2d 0b 83 41 5e c6  20 f6 c3 22 5f bb 7a 9b  |F.-..A^. .."_.z.|
+00000080  28 07 9c 5e b7 30 35 14  03 03 00 01 01 16 03 03  |(..^.05.........|
+00000090  00 28 00 00 00 00 00 00  00 00 4a 1c a6 1e 78 e1  |.(........J...x.|
+000000a0  4c 58 56 f5 6e 78 ae 11  7a dc 93 65 4b 46 6e b8  |LXV.nx..z..eKFn.|
+000000b0  b6 2e 42 bc 71 81 61 3c  14 95 17 03 03 00 25 00  |..B.q.a<......%.|
+000000c0  00 00 00 00 00 00 01 6e  af 22 60 44 9b 18 e7 21  |.......n."`D...!|
+000000d0  d9 c3 8d 48 8c 94 f1 aa  cc 9d a4 11 ba b7 f2 0f  |...H............|
+000000e0  a2 91 e6 50 15 03 03 00  1a 00 00 00 00 00 00 00  |...P............|
+000000f0  02 65 58 88 05 97 4a 2a  72 f5 03 da 53 24 4c b0  |.eX...J*r...S$L.|
+00000100  01 4e 02                                          |.N.|
diff --git a/src/crypto/tls/testdata/Server-TLSv12-ALPN-NoMatch b/src/crypto/tls/testdata/Server-TLSv12-ALPN-NoMatch
index 54f2fe864b..b651b32d39 100644
--- a/src/crypto/tls/testdata/Server-TLSv12-ALPN-NoMatch
+++ b/src/crypto/tls/testdata/Server-TLSv12-ALPN-NoMatch
@@ -1,7 +1,7 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 01 78 01 00 01  74 03 03 ba 93 c5 44 7d  |....x...t.....D}|
-00000010  cf bf e3 d4 ad 9a ff 3a  48 ec 46 11 1a e5 68 87  |.......:H.F...h.|
-00000020  d1 f0 3b 7c da 86 b9 8f  5d a7 59 00 00 c4 c0 30  |..;|....].Y....0|
+00000000  16 03 01 01 6b 01 00 01  67 03 03 5e 66 c4 02 7c  |....k...g..^f..||
+00000010  69 7f ec ce e5 14 b3 60  04 60 2b d3 72 84 c7 a0  |i......`.`+.r...|
+00000020  fe 3e 8e fa 91 cc e8 e3  43 17 c6 00 00 b6 c0 30  |.>......C......0|
 00000030  c0 2c c0 28 c0 24 c0 14  c0 0a 00 a5 00 a3 00 a1  |.,.(.$..........|
 00000040  00 9f 00 6b 00 6a 00 69  00 68 00 39 00 38 00 37  |...k.j.i.h.9.8.7|
 00000050  00 36 00 88 00 87 00 86  00 85 c0 32 c0 2e c0 2a  |.6.........2...*|
@@ -13,16 +13,15 @@
 000000b0  00 3c 00 2f 00 96 00 41  00 07 c0 11 c0 07 c0 0c  |.<./...A........|
 000000c0  c0 02 00 05 00 04 c0 12  c0 08 00 16 00 13 00 10  |................|
 000000d0  00 0d c0 0d c0 03 00 0a  00 15 00 12 00 0f 00 0c  |................|
-000000e0  00 09 00 14 00 11 00 0e  00 0b 00 08 00 06 00 03  |................|
-000000f0  00 ff 01 00 00 87 00 0b  00 04 03 00 01 02 00 0a  |................|
-00000100  00 3a 00 38 00 0e 00 0d  00 19 00 1c 00 0b 00 0c  |.:.8............|
-00000110  00 1b 00 18 00 09 00 0a  00 1a 00 16 00 17 00 08  |................|
-00000120  00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13  |................|
-00000130  00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00  |.............#..|
-00000140  00 0d 00 20 00 1e 06 01  06 02 06 03 05 01 05 02  |... ............|
-00000150  05 03 04 01 04 02 04 03  03 01 03 02 03 03 02 01  |................|
-00000160  02 02 02 03 00 0f 00 01  01 00 10 00 10 00 0e 06  |................|
-00000170  70 72 6f 74 6f 32 06 70  72 6f 74 6f 31           |proto2.proto1|
+000000e0  00 09 00 ff 02 01 00 00  87 00 0b 00 04 03 00 01  |................|
+000000f0  02 00 0a 00 3a 00 38 00  0e 00 0d 00 19 00 1c 00  |....:.8.........|
+00000100  0b 00 0c 00 1b 00 18 00  09 00 0a 00 1a 00 16 00  |................|
+00000110  17 00 08 00 06 00 07 00  14 00 15 00 04 00 05 00  |................|
+00000120  12 00 13 00 01 00 02 00  03 00 0f 00 10 00 11 00  |................|
+00000130  23 00 00 00 0d 00 20 00  1e 06 01 06 02 06 03 05  |#..... .........|
+00000140  01 05 02 05 03 04 01 04  02 04 03 03 01 03 02 03  |................|
+00000150  03 02 01 02 02 02 03 00  0f 00 01 01 00 10 00 10  |................|
+00000160  00 0e 06 70 72 6f 74 6f  32 06 70 72 6f 74 6f 31  |...proto2.proto1|
 >>> Flow 2 (server to client)
 00000000  16 03 03 00 35 02 00 00  31 03 03 00 00 00 00 00  |....5...1.......|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
@@ -76,39 +75,40 @@
 00000310  19 51 88 35 75 71 b5 e5  54 5b 12 2e 8f 09 67 fd  |.Q.5uq..T[....g.|
 00000320  a7 24 20 3e b2 56 1c ce  97 28 5e f8 2b 2d 4f 9e  |.$ >.V...(^.+-O.|
 00000330  f1 07 9f 6c 4b 5b 83 56  e2 32 42 e9 58 b6 d7 49  |...lK[.V.2B.X..I|
-00000340  a6 b5 68 1a 41 03 56 6b  dc 5a 89 04 01 00 80 52  |..h.A.Vk.Z.....R|
-00000350  78 35 42 fa 35 a6 19 22  d1 03 f4 ed 65 31 ff fe  |x5B.5.."....e1..|
-00000360  d6 83 d5 db a1 6b 7d 88  2f 53 7a e8 2a cf a7 e4  |.....k}./Sz.*...|
-00000370  83 0f e7 b6 60 60 91 65  ee ce b0 e9 5c bb 8c fd  |....``.e....\...|
-00000380  10 5e c7 17 cb 1b bc db  19 59 23 5d 76 3a f8 87  |.^.......Y#]v:..|
-00000390  d8 2d a7 a2 d8 7b cc e5  f8 82 7c ed bf 08 c4 67  |.-...{....|....g|
-000003a0  c5 f6 a6 5a 2f 9f 59 cb  62 f6 b4 f3 3c d6 f5 dc  |...Z/.Y.b...<...|
-000003b0  20 27 d9 14 36 5c a9 8d  f6 7b c2 db 9f 84 fc 0d  | '..6\...{......|
-000003c0  d3 3a d2 bf 4a 3b 3c 3e  13 eb f9 03 d2 cf 6f 16  |.:..J;<>......o.|
+00000340  a6 b5 68 1a 41 03 56 6b  dc 5a 89 04 01 00 80 b6  |..h.A.Vk.Z......|
+00000350  8d 11 b1 57 9b 22 02 26  1c 03 f3 35 a7 4b 5b 31  |...W.".&...5.K[1|
+00000360  c9 db b4 80 83 10 d2 00  e8 d8 65 95 4a 0d 76 69  |..........e.J.vi|
+00000370  c5 1c fb 01 78 08 c0 08  fc b0 cd 9f 81 e9 e1 8e  |....x...........|
+00000380  a3 55 2d 40 1a 73 e9 7c  90 13 a7 13 0f 90 a1 45  |.U-@.s.|.......E|
+00000390  af 89 e6 7a 6b 88 3a a0  57 13 63 d7 d5 86 5f bd  |...zk.:.W.c..._.|
+000003a0  5a 1a 11 4e 9d 57 27 fe  c9 fc d2 73 bc 28 b1 d5  |Z..N.W'....s.(..|
+000003b0  74 6f 87 34 f1 f4 5b 48  be 4d 0b 4d 3a 51 c5 5d  |to.4..[H.M.M:Q.]|
+000003c0  c4 3c cd ad a8 72 0a 2d  f8 0f 8b 0d 12 2e cf 16  |.<...r.-........|
 000003d0  03 03 00 04 0e 00 00 00                           |........|
 >>> Flow 3 (client to server)
-00000000  16 03 03 00 46 10 00 00  42 41 04 f2 52 42 97 0a  |....F...BA..RB..|
-00000010  df a1 e0 cb 4e 5e 3c e5  45 0e de b3 eb 3d cd c2  |....N^<.E....=..|
-00000020  78 77 ff ec 6e 74 c2 e5  9e 89 58 6f 2b bc 41 5b  |xw..nt....Xo+.A[|
-00000030  d5 8f d0 ea ce c6 c9 11  74 0a c1 33 2a 52 c2 30  |........t..3*R.0|
-00000040  73 08 5f 20 f2 0a 45 95  81 a8 eb 14 03 03 00 01  |s._ ..E.........|
-00000050  01 16 03 03 00 28 52 9e  4c 11 49 07 9f b5 4b 2f  |.....(R.L.I...K/|
-00000060  45 79 0c d9 cb ae 45 7d  17 1e c2 5a d3 ea bd 8b  |Ey....E}...Z....|
-00000070  0d 94 b1 40 a2 56 6e a5  f8 a2 5b f8 63 73        |...@.Vn...[.cs|
+00000000  16 03 03 00 46 10 00 00  42 41 04 73 0a f7 32 32  |....F...BA.s..22|
+00000010  5b 54 d6 e6 16 a0 92 bb  80 ec 8d db 02 8f a9 9d  |[T..............|
+00000020  92 3d 20 88 a8 f5 3c 29  a9 81 89 92 aa 62 2a b9  |.= ...<).....b*.|
+00000030  65 ba f1 ec b6 17 45 7b  ff bd 91 f6 55 d5 ce 42  |e.....E{....U..B|
+00000040  dd ea bd d3 72 26 3f 42  9b e5 8a 14 03 03 00 01  |....r&?B........|
+00000050  01 16 03 03 00 28 a1 e8  8e 47 c3 4f d7 f4 e0 9e  |.....(...G.O....|
+00000060  8e ed 74 5c 68 fc 9c 79  59 80 ad ff 75 7d 1f 3e  |..t\h..yY...u}.>|
+00000070  c6 71 13 6d 7b 74 93 e0  2a ed 72 50 82 28        |.q.m{t..*.rP.(|
 >>> Flow 4 (server to client)
-00000000  16 03 03 00 72 04 00 00  6e 00 00 00 00 00 68 00  |....r...n.....h.|
-00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 65  |...............e|
-00000020  ea 8b e4 ef ba f6 cb 68  be 7f f0 66 1a c6 3c c6  |.......h...f..<.|
-00000030  ee 5f 60 3a 62 20 c5 e8  ea 99 92 84 c1 45 a1 76  |._`:b .......E.v|
-00000040  7c a7 f2 cd 40 72 9b 38  51 77 f2 ae 54 dd 67 37  ||...@r.8Qw..T.g7|
-00000050  f8 98 43 2e 55 59 23 3b  50 26 87 ca 6b 2d 45 d6  |..C.UY#;P&..k-E.|
-00000060  3c 85 29 f4 52 58 83 98  ae ad a9 64 8b d1 cc 9c  |<.).RX.....d....|
-00000070  88 3f a8 f9 d2 d3 33 14  03 03 00 01 01 16 03 03  |.?....3.........|
-00000080  00 28 00 00 00 00 00 00  00 00 84 6d 6d 57 fb dc  |.(.........mmW..|
-00000090  09 54 c4 9a fc d7 dd 45  f5 c3 57 fd e9 16 76 ab  |.T.....E..W...v.|
-000000a0  a8 85 eb 34 e7 21 30 85  56 ed 17 03 03 00 25 00  |...4.!0.V.....%.|
-000000b0  00 00 00 00 00 00 01 05  62 69 79 cb c0 74 ad 64  |........biy..t.d|
-000000c0  0a 0c 2a 10 2a b7 8e e2  92 6e 12 3b d7 64 df d7  |..*.*....n.;.d..|
-000000d0  4f da 52 c6 15 03 03 00  1a 00 00 00 00 00 00 00  |O.R.............|
-000000e0  02 b9 dc 49 b9 2a 12 58  3a 4b 4c e0 c8 b2 e9 d9  |...I.*.X:KL.....|
-000000f0  dc 48 17                                          |.H.|
+00000000  16 03 03 00 82 04 00 00  7e 00 00 00 00 00 78 50  |........~.....xP|
+00000010  46 ad c1 db a8 38 86 7b  2b bb fd d0 c3 42 3e 00  |F....8.{+....B>.|
+00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 94  |................|
+00000030  6f ec 80 83 61 8c 66 55  28 dd e7 39 69 93 65 58  |o...a.fU(..9i.eX|
+00000040  2d f8 ea 03 85 3f 6c 41  70 94 7b 9c ae 2f 64 59  |-....?lAp.{../dY|
+00000050  f3 3f 24 b6 73 ca c8 b7  37 cb a1 99 74 0b aa a9  |.?$.s...7...t...|
+00000060  36 dd 48 40 1c 33 94 27  94 ad 50 97 70 0d 62 a5  |6.H@.3.'..P.p.b.|
+00000070  59 25 41 73 8d da 23 b0  14 05 e9 28 e4 54 93 35  |Y%As..#....(.T.5|
+00000080  09 82 47 3e bf ec 82 14  03 03 00 01 01 16 03 03  |..G>............|
+00000090  00 28 00 00 00 00 00 00  00 00 d0 5f 0a c1 1c 03  |.(........._....|
+000000a0  fc 10 1b 5c 60 9f 04 8b  53 47 8d 28 e2 85 3c de  |...\`...SG.(..<.|
+000000b0  63 39 22 e6 4b 50 52 23  f4 4a 17 03 03 00 25 00  |c9".KPR#.J....%.|
+000000c0  00 00 00 00 00 00 01 98  89 b4 fc 10 11 b7 54 e7  |..............T.|
+000000d0  8d a5 61 38 f6 9b b7 35  e6 bb b2 d3 48 93 76 3f  |..a8...5....H.v?|
+000000e0  ea ba 9b 65 15 03 03 00  1a 00 00 00 00 00 00 00  |...e............|
+000000f0  02 64 0e 5b 3f 19 64 1e  22 ca 4c 81 43 d6 54 34  |.d.[?.d.".L.C.T4|
+00000100  d9 80 09                                          |...|
diff --git a/src/crypto/tls/testdata/Server-TLSv12-IssueTicket b/src/crypto/tls/testdata/Server-TLSv12-IssueTicket
index e3e62f2242..b20ad95764 100644
--- a/src/crypto/tls/testdata/Server-TLSv12-IssueTicket
+++ b/src/crypto/tls/testdata/Server-TLSv12-IssueTicket
@@ -1,11 +1,11 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 00 60 01 00 00  5c 03 03 52 cc 57 59 7e  |....`...\..R.WY~|
-00000010  43 5c 3b fd 50 ab 61 3f  64 a4 f9 bd ba 8c 28 e1  |C\;.P.a?d.....(.|
-00000020  f9 a1 45 7e 48 9e 62 af  25 de 0e 00 00 04 00 05  |..E~H.b.%.......|
-00000030  00 ff 01 00 00 2f 00 23  00 00 00 0d 00 22 00 20  |...../.#.....". |
-00000040  06 01 06 02 06 03 05 01  05 02 05 03 04 01 04 02  |................|
-00000050  04 03 03 01 03 02 03 03  02 01 02 02 02 03 01 01  |................|
-00000060  00 0f 00 01 01                                    |.....|
+00000000  16 03 01 00 5f 01 00 00  5b 03 03 01 02 22 4f 51  |...._...[...."OQ|
+00000010  53 d9 c0 f2 4b 61 53 2d  04 cd ab 95 ed 6a 74 8c  |S...KaS-.....jt.|
+00000020  96 00 70 e3 bf d0 5a 03  7a 1e 75 00 00 04 00 05  |..p...Z.z.u.....|
+00000030  00 ff 02 01 00 00 2d 00  23 00 00 00 0d 00 20 00  |......-.#..... .|
+00000040  1e 06 01 06 02 06 03 05  01 05 02 05 03 04 01 04  |................|
+00000050  02 04 03 03 01 03 02 03  03 02 01 02 02 02 03 00  |................|
+00000060  0f 00 01 01                                       |....|
 >>> Flow 2 (server to client)
 00000000  16 03 03 00 35 02 00 00  31 03 03 00 00 00 00 00  |....5...1.......|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
@@ -57,31 +57,32 @@
 000002f0  71 99 9b 26 6e 38 50 29  6c 90 a7 bd d9 16 03 03  |q..&n8P)l.......|
 00000300  00 04 0e 00 00 00                                 |......|
 >>> Flow 3 (client to server)
-00000000  16 03 03 00 86 10 00 00  82 00 80 6e 2e 79 82 3a  |...........n.y.:|
-00000010  c4 68 72 f5 a2 42 3d 71  f9 ec 22 8c 0b fa f0 82  |.hr..B=q..".....|
-00000020  82 c0 cb fc 52 0a 51 03  04 8c eb 4a 4e 4f b6 49  |....R.Q....JNO.I|
-00000030  ef 94 65 21 3c f7 9d 46  85 6e 35 d5 17 6b ff a3  |..e!<..F.n5..k..|
-00000040  5e 4d c1 36 1a 2f 68 f5  06 d4 2d 73 4f 1c 3b 7b  |^M.6./h...-sO.;{|
-00000050  c1 fa 4e 7e 7c f9 6c 13  a6 f4 3a 43 e9 aa be 22  |..N~|.l...:C..."|
-00000060  85 6f 2f 7c 5b b0 08 e2  86 b2 ae cb a9 12 d8 32  |.o/|[..........2|
-00000070  80 1d e4 2e 5d c3 66 d1  19 e5 89 33 2a 88 24 40  |....].f....3*.$@|
-00000080  2a 6d 6b b5 f1 92 4b 66  06 b8 49 14 03 03 00 01  |*mk...Kf..I.....|
-00000090  01 16 03 03 00 24 16 49  e2 a0 67 31 cf 0d 72 cb  |.....$.I..g1..r.|
-000000a0  ac 16 2c 80 37 71 69 f7  5f c4 d3 00 19 b7 4b fb  |..,.7qi._.....K.|
-000000b0  e5 e9 74 8e 30 b3 1c c5  ae e6                    |..t.0.....|
+00000000  16 03 03 00 86 10 00 00  82 00 80 80 38 a6 b0 01  |............8...|
+00000010  2a 9e cf 11 34 45 e8 6d  f5 1c 44 ef 74 74 61 32  |*...4E.m..D.tta2|
+00000020  71 5f f8 c1 a9 65 2d af  7e 7e 38 84 d3 f2 b9 3d  |q_...e-.~~8....=|
+00000030  76 12 b8 e0 41 7e 25 2a  53 b0 1a c7 8d bd d6 3d  |v...A~%*S......=|
+00000040  a5 8a dd 94 76 80 fc 3e  fd 41 ac 71 c3 ad 0e 1f  |....v..>.A.q....|
+00000050  30 a7 7a 64 e2 f3 f7 c1  1f bc 53 99 35 4e 24 34  |0.zd......S.5N$4|
+00000060  e9 25 20 d0 da 00 30 d4  16 40 5e 78 8e 72 ea 03  |.% ...0..@^x.r..|
+00000070  9e eb ca 89 4e 2f 60 d0  0c 9d 98 44 e0 7c 19 a4  |....N/`....D.|..|
+00000080  ec 0f 6b 67 35 06 08 9c  d9 2d bb 14 03 03 00 01  |..kg5....-......|
+00000090  01 16 03 03 00 24 ca d6  25 be 3b a7 b0 e1 42 3b  |.....$..%.;...B;|
+000000a0  ce ef a5 7e b6 4a d5 74  e1 ca bf 34 6c 67 3b 02  |...~.J.t...4lg;.|
+000000b0  0a f5 e8 e7 d1 a8 a6 2d  cb 02                    |.......-..|
 >>> Flow 4 (server to client)
-00000000  16 03 03 00 72 04 00 00  6e 00 00 00 00 00 68 00  |....r...n.....h.|
-00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 65  |...............e|
-00000020  ea 4b d1 ef ba 06 38 1e  e1 88 82 3a cd 03 ac 3b  |.K....8....:...;|
-00000030  39 0a e0 19 fd af 6c 57  30 df 31 6e f7 92 38 4b  |9.....lW0.1n..8K|
-00000040  5d 77 90 39 ff 32 51 f5  ed 12 d7 b0 7c 4d 6c c5  |]w.9.2Q.....|Ml.|
-00000050  76 e4 72 48 3e 59 23 fe  0d 15 df f4 ba ea b9 67  |v.rH>Y#........g|
-00000060  16 23 8f 7d 15 b6 11 f1  ab d7 d4 cd a3 21 82 92  |.#.}.........!..|
-00000070  2a 12 cf 95 f3 60 b2 14  03 03 00 01 01 16 03 03  |*....`..........|
-00000080  00 24 89 ad 87 04 4f 08  dc 2a 71 37 fb f1 95 d1  |.$....O..*q7....|
-00000090  2e 3c c2 6e 0f 38 5d e4  0e c3 f7 27 d0 46 a3 c1  |.<.n.8]....'.F..|
-000000a0  a8 3b 06 ed 96 ec 17 03  03 00 21 30 d4 9f 0b 49  |.;........!0...I|
-000000b0  9f a2 a8 a1 2c 0a 79 93  56 2d 8a ee 85 ed 62 42  |....,.y.V-....bB|
-000000c0  8c 18 fe 7a 09 3a 24 c4  5e ed 7d 2a 15 03 03 00  |...z.:$.^.}*....|
-000000d0  16 a0 24 0a 8b 90 4c fc  99 ba 67 bb 04 1e 59 69  |..$...L...g...Yi|
-000000e0  c2 98 49 b5 00 0b e0                              |..I....|
+00000000  16 03 03 00 82 04 00 00  7e 00 00 00 00 00 78 50  |........~.....xP|
+00000010  46 ad c1 db a8 38 86 7b  2b bb fd d0 c3 42 3e 00  |F....8.{+....B>.|
+00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 94  |................|
+00000030  6f 2c b5 83 61 e8 c1 5d  af d6 da c9 8f df 1e c4  |o,..a..]........|
+00000040  16 47 a0 dd cf 3c 9d 95  11 fe 01 fb 52 5b d0 aa  |.G...<......R[..|
+00000050  56 fb 04 d5 7f 89 31 7d  75 e3 df f4 28 6a fb 1f  |V.....1}u...(j..|
+00000060  76 ee 77 55 0b 33 94 82  e2 ee 73 2f 7f a7 f6 7c  |v.wU.3....s/...||
+00000070  68 25 eb fd 56 5b 89 29  b4 32 b6 92 57 3f c3 f9  |h%..V[.).2..W?..|
+00000080  01 fb 01 25 7f 0f 10 14  03 03 00 01 01 16 03 03  |...%............|
+00000090  00 24 9a 9b 1b 57 2c 86  71 0c 6d 4f 6c 40 a2 98  |.$...W,.q.mOl@..|
+000000a0  7d e3 f5 75 0e 4a b7 82  1c d8 f7 8c 22 a5 5b 34  |}..u.J......".[4|
+000000b0  19 79 12 e2 a4 e6 17 03  03 00 21 53 7a cc 02 0f  |.y........!Sz...|
+000000c0  6d b5 9d 8c ff 4a 2d 29  31 59 38 96 bb 6b a8 93  |m....J-)1Y8..k..|
+000000d0  09 af 38 c7 4d 6e 31 ef  18 d4 59 35 15 03 03 00  |..8.Mn1...Y5....|
+000000e0  16 1e 04 62 d6 6b 6c fc  0b 70 f8 32 d0 11 59 64  |...b.kl..p.2..Yd|
+000000f0  11 71 b0 ab ac 2d 6d                              |.q...-m|
diff --git a/src/crypto/tls/testdata/Server-TLSv12-IssueTicketPreDisable b/src/crypto/tls/testdata/Server-TLSv12-IssueTicketPreDisable
index 30f0026815..e1ac9a61d2 100644
--- a/src/crypto/tls/testdata/Server-TLSv12-IssueTicketPreDisable
+++ b/src/crypto/tls/testdata/Server-TLSv12-IssueTicketPreDisable
@@ -1,11 +1,11 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 00 60 01 00 00  5c 03 03 54 23 54 02 17  |....`...\..T#T..|
-00000010  f3 53 13 3d 48 88 c3 19  b9 d1 3d 33 7f f5 99 56  |.S.=H.....=3...V|
-00000020  04 71 1b d9 d5 64 8a 0d  4a 54 00 00 00 04 00 05  |.q...d..JT......|
-00000030  00 ff 01 00 00 2f 00 23  00 00 00 0d 00 22 00 20  |...../.#.....". |
-00000040  06 01 06 02 06 03 05 01  05 02 05 03 04 01 04 02  |................|
-00000050  04 03 03 01 03 02 03 03  02 01 02 02 02 03 01 01  |................|
-00000060  00 0f 00 01 01                                    |.....|
+00000000  16 03 01 00 5f 01 00 00  5b 03 03 be c5 99 df f1  |...._...[.......|
+00000010  cc c8 fd d9 4c c5 09 18  5f 59 9a 78 47 ef 00 d5  |....L..._Y.xG...|
+00000020  81 45 3e ac a0 a5 ee d6  d0 8c d8 00 00 04 00 05  |.E>.............|
+00000030  00 ff 02 01 00 00 2d 00  23 00 00 00 0d 00 20 00  |......-.#..... .|
+00000040  1e 06 01 06 02 06 03 05  01 05 02 05 03 04 01 04  |................|
+00000050  02 04 03 03 01 03 02 03  03 02 01 02 02 02 03 00  |................|
+00000060  0f 00 01 01                                       |....|
 >>> Flow 2 (server to client)
 00000000  16 03 03 00 35 02 00 00  31 03 03 00 00 00 00 00  |....5...1.......|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
@@ -57,31 +57,32 @@
 000002f0  71 99 9b 26 6e 38 50 29  6c 90 a7 bd d9 16 03 03  |q..&n8P)l.......|
 00000300  00 04 0e 00 00 00                                 |......|
 >>> Flow 3 (client to server)
-00000000  16 03 03 00 86 10 00 00  82 00 80 27 e9 a4 f7 e7  |...........'....|
-00000010  df 25 de 84 8c 1f d6 e6  c3 11 28 55 9a c1 91 37  |.%........(U...7|
-00000020  84 f5 ba f8 80 0d ca 50  cb 1e 72 f7 97 6f c2 b2  |.......P..r..o..|
-00000030  04 4d 13 7c e0 6e a0 1f  91 e1 38 1b a2 c0 55 16  |.M.|.n....8...U.|
-00000040  7f 29 fc ed 1c 1a cf 72  14 c3 00 c1 dd 36 36 af  |.).....r.....66.|
-00000050  a6 e4 a8 be ba ec 13 d0  1e d0 1d fd e1 5b 27 fd  |.............['.|
-00000060  9a da 2e 12 c8 b0 b9 c2  b9 76 ec 7f 3c 98 b6 63  |.........v..<..c|
-00000070  bc da f0 07 7a 3d e7 61  f4 2f 12 80 3b f9 3b cc  |....z=.a./..;.;.|
-00000080  05 c8 2f 7e 28 b2 73 bf  97 61 29 14 03 03 00 01  |../~(.s..a).....|
-00000090  01 16 03 03 00 24 17 59  a9 45 53 46 33 96 50 dd  |.....$.Y.ESF3.P.|
-000000a0  3e 23 aa 91 38 f8 56 4a  2f 1a f2 b1 44 9b ce 17  |>#..8.VJ/...D...|
-000000b0  6b 8a 89 76 bc 67 b8 8b  ba 90                    |k..v.g....|
+00000000  16 03 03 00 86 10 00 00  82 00 80 59 1f 86 2f cd  |...........Y../.|
+00000010  b9 8f 0d e8 f9 3a 5b a8  73 2f 33 8b c6 ef 5e e2  |.....:[.s/3...^.|
+00000020  78 93 fa 40 b7 b4 cb e7  3e 35 15 33 24 1d 63 5d  |x..@....>5.3$.c]|
+00000030  dc 8d 45 94 3f 19 ed e0  3a f3 4e 44 62 1d ff ea  |..E.?...:.NDb...|
+00000040  d6 e4 01 b0 26 c5 36 34  78 d1 e6 62 27 62 f0 29  |....&.64x..b'b.)|
+00000050  fd 7d 13 af 59 0a 41 fa  78 42 7d 0d d8 07 79 23  |.}..Y.A.xB}...y#|
+00000060  5e 4e cd 03 b1 3c bb 6d  fb 19 54 49 f1 c7 d7 54  |^N...<.m..TI...T|
+00000070  3e af 11 40 8b 7e 3d 2c  8b e3 02 ad fd 29 88 48  |>..@.~=,.....).H|
+00000080  b1 ed 52 74 50 a7 ef 99  9f af bd 14 03 03 00 01  |..RtP...........|
+00000090  01 16 03 03 00 24 f3 c1  8c ee e7 4d 07 80 c4 c3  |.....$.....M....|
+000000a0  09 87 85 cd 64 46 73 c7  17 4e 9e 90 4c 63 30 35  |....dFs..N..Lc05|
+000000b0  52 f5 10 f6 60 75 fc 93  41 57                    |R...`u..AW|
 >>> Flow 4 (server to client)
-00000000  16 03 03 00 72 04 00 00  6e 00 00 00 00 00 68 00  |....r...n.....h.|
-00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 65  |...............e|
-00000020  ea 4b d1 ef ba 2d db 0c  ba 9a d4 20 76 57 c8 ec  |.K...-..... vW..|
-00000030  dc 2d 77 fb fb 3b 93 5f  53 e0 14 4f 90 fb d6 55  |.-w..;._S..O...U|
-00000040  57 8c 8d 0d 25 ea 5d 0d  f2 91 e5 12 22 12 ec 7b  |W...%.]....."..{|
-00000050  5f b6 6e fd 07 59 23 24  fc b1 97 ca ea 56 a5 c2  |_.n..Y#$.....V..|
-00000060  a0 e4 9e 99 64 f2 64 d0  75 7a 46 63 e3 dc 21 ed  |....d.d.uzFc..!.|
-00000070  78 56 e9 e1 ab 66 80 14  03 03 00 01 01 16 03 03  |xV...f..........|
-00000080  00 24 fc 14 68 07 17 1f  df b7 84 cb fd c1 e0 e4  |.$..h...........|
-00000090  f2 1a ea 34 b5 00 7f 70  be c8 1c 0a d6 55 e3 57  |...4...p.....U.W|
-000000a0  50 4e 6d 7d 8a 5d 17 03  03 00 21 24 27 50 40 c1  |PNm}.]....!$'P@.|
-000000b0  c5 bd c7 9f 95 d9 ba 2e  7b 0e db ea a7 31 81 05  |........{....1..|
-000000c0  75 43 b1 63 cf b8 55 92  ef 76 98 a9 15 03 03 00  |uC.c..U..v......|
-000000d0  16 d7 ea 3c 79 e7 a6 2f  61 39 ec 4e 95 86 48 5e  |...<y../a9.N..H^|
-000000e0  75 a0 9e 41 42 89 67                              |u..AB.g|
+00000000  16 03 03 00 82 04 00 00  7e 00 00 00 00 00 78 50  |........~.....xP|
+00000010  46 ad c1 db a8 38 86 7b  2b bb fd d0 c3 42 3e 00  |F....8.{+....B>.|
+00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 94  |................|
+00000030  6f 2c b5 83 61 98 30 ec  c6 53 ac a0 2a a9 72 53  |o,..a.0..S..*.rS|
+00000040  64 7c c5 d5 db 0a 80 d0  1e ea 59 c8 b8 60 ff b9  |d|........Y..`..|
+00000050  3d 06 68 16 cd 60 3b 15  e9 59 c1 a2 18 76 c2 1f  |=.h..`;..Y...v..|
+00000060  fd 77 00 e6 38 33 94 98  69 cb 23 4a 61 d7 fe 1a  |.w..83..i.#Ja...|
+00000070  e7 3a 57 b1 78 c7 c0 d1  03 bb 83 69 72 b9 25 c3  |.:W.x......ir.%.|
+00000080  2f f7 56 2e 95 6f 88 14  03 03 00 01 01 16 03 03  |/.V..o..........|
+00000090  00 24 a6 8c 15 5c ae a0  8c 03 cc d2 2c 45 aa 7a  |.$...\......,E.z|
+000000a0  1d 1a ed 58 f4 92 a2 0d  b0 a4 81 90 e3 a6 0b 09  |...X............|
+000000b0  8f f2 1b 61 c7 f7 17 03  03 00 21 cf 8f 7a 50 bc  |...a......!..zP.|
+000000c0  a9 b6 d2 88 24 21 0b ef  5c e5 1c 34 4a d9 b6 b5  |....$!..\..4J...|
+000000d0  88 c6 14 8c 79 96 c5 0c  31 22 f8 7d 15 03 03 00  |....y...1".}....|
+000000e0  16 e7 69 82 9d e6 54 2d  f9 6d 04 a9 5b 3e bc f9  |..i...T-.m..[>..|
+000000f0  4e 1a 07 04 7a 56 50                              |N...zVP|
diff --git a/src/crypto/tls/testdata/Server-TLSv12-Resume b/src/crypto/tls/testdata/Server-TLSv12-Resume
index c495d4adc6..979ce976d8 100644
--- a/src/crypto/tls/testdata/Server-TLSv12-Resume
+++ b/src/crypto/tls/testdata/Server-TLSv12-Resume
@@ -1,36 +1,37 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 00 e8 01 00 00  e4 03 03 52 cc 57 59 c3  |...........R.WY.|
-00000010  8b df 97 05 d8 5f 16 22  b4 b1 e7 cb 7d 2f 9b 58  |....._."....}/.X|
-00000020  a3 f4 d7 2c a4 c1 9d 49  ed 4b ba 20 90 da 90 3e  |...,...I.K. ...>|
-00000030  36 19 7a db 56 43 26 f7  dc 42 57 33 22 ed 9d a4  |6.z.VC&..BW3"...|
-00000040  9d 53 da f8 9d 4e 60 66  71 a0 2e 2e 00 04 00 05  |.S...N`fq.......|
-00000050  00 ff 01 00 00 97 00 23  00 68 00 00 00 00 00 00  |.......#.h......|
-00000060  00 00 00 00 00 00 00 00  00 00 65 ea 4b d1 ef ba  |..........e.K...|
-00000070  06 38 1e e1 88 82 3a cd  03 ac 3b 39 0a e0 19 fd  |.8....:...;9....|
-00000080  af 6c 57 30 df 31 6e f7  92 38 4b 5d 77 90 39 ff  |.lW0.1n..8K]w.9.|
-00000090  32 51 f5 ed 12 d7 b0 7c  4d 6c c5 76 e4 72 48 3e  |2Q.....|Ml.v.rH>|
-000000a0  59 23 fe 0d 15 df f4 ba  ea b9 67 16 23 8f 7d 15  |Y#........g.#.}.|
-000000b0  b6 11 f1 ab d7 d4 cd a3  21 82 92 2a 12 cf 95 f3  |........!..*....|
-000000c0  60 b2 00 0d 00 22 00 20  06 01 06 02 06 03 05 01  |`....". ........|
-000000d0  05 02 05 03 04 01 04 02  04 03 03 01 03 02 03 03  |................|
-000000e0  02 01 02 02 02 03 01 01  00 0f 00 01 01           |.............|
+00000000  16 03 01 00 f7 01 00 00  f3 03 03 6a 1a d3 0a d3  |...........j....|
+00000010  e0 34 f9 c4 1b cc 42 bc  0b eb 97 fd 51 b7 77 fd  |.4....B.....Q.w.|
+00000020  50 0a 13 8c b6 ac 8e a1  ba 1f 74 20 fb 19 d1 6a  |P.........t ...j|
+00000030  cf 1c 8b fb 77 97 7b 11  a5 fe 66 dc b8 b6 21 ad  |....w.{...f...!.|
+00000040  8b b4 5f 38 ca 51 ca a3  af 40 84 8b 00 04 00 05  |.._8.Q...@......|
+00000050  00 ff 02 01 00 00 a5 00  23 00 78 50 46 ad c1 db  |........#.xPF...|
+00000060  a8 38 86 7b 2b bb fd d0  c3 42 3e 00 00 00 00 00  |.8.{+....B>.....|
+00000070  00 00 00 00 00 00 00 00  00 00 00 94 6f 2c b5 83  |............o,..|
+00000080  61 e8 c1 5d af d6 da c9  8f df 1e c4 16 47 a0 dd  |a..].........G..|
+00000090  cf 3c 9d 95 11 fe 01 fb  52 5b d0 aa 56 fb 04 d5  |.<......R[..V...|
+000000a0  7f 89 31 7d 75 e3 df f4  28 6a fb 1f 76 ee 77 55  |..1}u...(j..v.wU|
+000000b0  0b 33 94 82 e2 ee 73 2f  7f a7 f6 7c 68 25 eb fd  |.3....s/...|h%..|
+000000c0  56 5b 89 29 b4 32 b6 92  57 3f c3 f9 01 fb 01 25  |V[.).2..W?.....%|
+000000d0  7f 0f 10 00 0d 00 20 00  1e 06 01 06 02 06 03 05  |...... .........|
+000000e0  01 05 02 05 03 04 01 04  02 04 03 03 01 03 02 03  |................|
+000000f0  03 02 01 02 02 02 03 00  0f 00 01 01              |............|
 >>> Flow 2 (server to client)
 00000000  16 03 03 00 51 02 00 00  4d 03 03 00 00 00 00 00  |....Q...M.......|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
-00000020  00 00 00 00 00 00 00 00  00 00 00 20 90 da 90 3e  |........... ...>|
-00000030  36 19 7a db 56 43 26 f7  dc 42 57 33 22 ed 9d a4  |6.z.VC&..BW3"...|
-00000040  9d 53 da f8 9d 4e 60 66  71 a0 2e 2e 00 05 00 00  |.S...N`fq.......|
+00000020  00 00 00 00 00 00 00 00  00 00 00 20 fb 19 d1 6a  |........... ...j|
+00000030  cf 1c 8b fb 77 97 7b 11  a5 fe 66 dc b8 b6 21 ad  |....w.{...f...!.|
+00000040  8b b4 5f 38 ca 51 ca a3  af 40 84 8b 00 05 00 00  |.._8.Q...@......|
 00000050  05 ff 01 00 01 00 14 03  03 00 01 01 16 03 03 00  |................|
-00000060  24 11 12 ff 28 10 14 4c  e5 0e ad a7 fa f3 92 fb  |$...(..L........|
-00000070  13 7d ae f2 b2 4a 6b a1  9e 67 cf a8 f7 8c 6f a0  |.}...Jk..g....o.|
-00000080  6c 30 0e 18 55                                    |l0..U|
+00000060  24 0e 65 19 5e 79 90 4b  40 13 f1 5b 2f ed 0b f5  |$.e.^y.K@..[/...|
+00000070  cc 39 23 24 91 b3 b2 49  f6 9b d5 60 f3 ed bd 2a  |.9#$...I...`...*|
+00000080  31 00 14 5a 8e                                    |1..Z.|
 >>> Flow 3 (client to server)
-00000000  14 03 03 00 01 01 16 03  03 00 24 0d 46 41 8b 24  |..........$.FA.$|
-00000010  36 01 a9 fd 8b ec fc e6  b1 83 96 df 0d 3e 53 54  |6............>ST|
-00000020  58 b8 43 f2 a6 25 5e 1a  ae 19 9e d2 28 44 92     |X.C..%^.....(D.|
+00000000  14 03 03 00 01 01 16 03  03 00 24 72 4d 5d 05 d6  |..........$rM]..|
+00000010  79 93 41 21 a7 86 75 49  50 fe b2 6c a9 38 d7 5e  |y.A!..uIP..l.8.^|
+00000020  b7 f7 33 18 b0 53 ab ab  b7 5b ee 09 e7 83 51     |..3..S...[....Q|
 >>> Flow 4 (server to client)
-00000000  17 03 03 00 21 c4 fb f6  53 bb 3e 04 cc 0b a0 03  |....!...S.>.....|
-00000010  fa 49 96 da b5 8d b2 f2  e5 d8 f3 5c 27 57 4f 9c  |.I.........\'WO.|
-00000020  30 00 34 fc 52 92 15 03  03 00 16 a3 02 7a 50 d2  |0.4.R........zP.|
-00000030  c6 b3 fc 69 8f e4 94 ae  ab 22 ad 05 1d 15 69 b9  |...i....."....i.|
-00000040  a5                                                |.|
+00000000  17 03 03 00 21 1a 35 ab  27 ac db 7f e4 11 f2 b4  |....!.5.'.......|
+00000010  38 f5 3f 5d be 7a 58 74  92 05 a5 9c 8e a8 f2 ca  |8.?].zXt........|
+00000020  cd f0 2e 18 62 57 15 03  03 00 16 33 18 76 93 bb  |....bW.....3.v..|
+00000030  48 86 cc 13 79 ad e2 51  c6 ac 3e 89 2a 4f 05 e1  |H...y..Q..>.*O..|
+00000040  ee                                                |.|
diff --git a/src/crypto/tls/testdata/Server-TLSv12-ResumeDisabled b/src/crypto/tls/testdata/Server-TLSv12-ResumeDisabled
index db833f6555..9cbbd3f073 100644
--- a/src/crypto/tls/testdata/Server-TLSv12-ResumeDisabled
+++ b/src/crypto/tls/testdata/Server-TLSv12-ResumeDisabled
@@ -1,19 +1,20 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 00 e8 01 00 00  e4 03 03 54 23 54 02 a5  |...........T#T..|
-00000010  10 11 0f 6d e5 2d 2f e8  bb 52 b1 38 3f 65 01 43  |...m.-/..R.8?e.C|
-00000020  36 cc 48 f6 09 22 a1 85  20 28 3c 20 35 8b fe 7a  |6.H..".. (< 5..z|
-00000030  41 3b 59 3a 5d b9 b3 21  f0 62 e9 0d 7b af f5 5d  |A;Y:]..!.b..{..]|
-00000040  fa 65 1a 40 c8 ca cd 74  8c ef d2 fb 00 04 00 05  |.e.@...t........|
-00000050  00 ff 01 00 00 97 00 23  00 68 00 00 00 00 00 00  |.......#.h......|
-00000060  00 00 00 00 00 00 00 00  00 00 65 ea 4b d1 ef ba  |..........e.K...|
-00000070  2d db 0c ba 9a d4 20 76  57 c8 ec dc 2d 77 fb fb  |-..... vW...-w..|
-00000080  3b 93 5f 53 e0 14 4f 90  fb d6 55 57 8c 8d 0d 25  |;._S..O...UW...%|
-00000090  ea 5d 0d f2 91 e5 12 22  12 ec 7b 5f b6 6e fd 07  |.]....."..{_.n..|
-000000a0  59 23 24 fc b1 97 ca ea  56 a5 c2 a0 e4 9e 99 64  |Y#$.....V......d|
-000000b0  f2 64 d0 75 7a 46 63 e3  dc 21 ed 78 56 e9 e1 ab  |.d.uzFc..!.xV...|
-000000c0  66 80 00 0d 00 22 00 20  06 01 06 02 06 03 05 01  |f....". ........|
-000000d0  05 02 05 03 04 01 04 02  04 03 03 01 03 02 03 03  |................|
-000000e0  02 01 02 02 02 03 01 01  00 0f 00 01 01           |.............|
+00000000  16 03 01 00 f7 01 00 00  f3 03 03 c0 99 dc 56 0b  |..............V.|
+00000010  50 7d 49 f8 f3 f7 60 a1  c7 38 e0 90 1f de 78 c3  |P}I...`..8....x.|
+00000020  43 04 0d b4 4c c0 6e 01  40 ec 3a 20 93 7c bd 44  |C...L.n.@.: .|.D|
+00000030  57 52 7d dd 4d db b6 6d  cc d5 44 34 a6 64 87 cb  |WR}.M..m..D4.d..|
+00000040  cb dc 38 d4 33 3a 1a 6f  fc f0 6f 73 00 04 00 05  |..8.3:.o..os....|
+00000050  00 ff 02 01 00 00 a5 00  23 00 78 50 46 ad c1 db  |........#.xPF...|
+00000060  a8 38 86 7b 2b bb fd d0  c3 42 3e 00 00 00 00 00  |.8.{+....B>.....|
+00000070  00 00 00 00 00 00 00 00  00 00 00 94 6f 2c b5 83  |............o,..|
+00000080  61 98 30 ec c6 53 ac a0  2a a9 72 53 64 7c c5 d5  |a.0..S..*.rSd|..|
+00000090  db 0a 80 d0 1e ea 59 c8  b8 60 ff b9 3d 06 68 16  |......Y..`..=.h.|
+000000a0  cd 60 3b 15 e9 59 c1 a2  18 76 c2 1f fd 77 00 e6  |.`;..Y...v...w..|
+000000b0  38 33 94 98 69 cb 23 4a  61 d7 fe 1a e7 3a 57 b1  |83..i.#Ja....:W.|
+000000c0  78 c7 c0 d1 03 bb 83 69  72 b9 25 c3 2f f7 56 2e  |x......ir.%./.V.|
+000000d0  95 6f 88 00 0d 00 20 00  1e 06 01 06 02 06 03 05  |.o.... .........|
+000000e0  01 05 02 05 03 04 01 04  02 04 03 03 01 03 02 03  |................|
+000000f0  03 02 01 02 02 02 03 00  0f 00 01 01              |............|
 >>> Flow 2 (server to client)
 00000000  16 03 03 00 31 02 00 00  2d 03 03 00 00 00 00 00  |....1...-.......|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
@@ -65,23 +66,23 @@
 000002f0  6e 38 50 29 6c 90 a7 bd  d9 16 03 03 00 04 0e 00  |n8P)l...........|
 00000300  00 00                                             |..|
 >>> Flow 3 (client to server)
-00000000  16 03 03 00 86 10 00 00  82 00 80 ae 02 dd 1f 1a  |................|
-00000010  86 83 f5 2f 82 46 4b 29  58 aa a1 b3 56 8b 4e 40  |.../.FK)X...V.N@|
-00000020  ef 23 65 67 ad 48 e5 e1  fd ae dd bf 68 fd bd a6  |.#eg.H......h...|
-00000030  13 a0 7e 05 ab f7 20 e1  6a 4e d1 37 93 08 1d c9  |..~... .jN.7....|
-00000040  37 e0 b5 34 28 bf 20 45  45 da 0f 7e 51 a7 c6 ae  |7..4(. EE..~Q...|
-00000050  61 6c 07 1b 73 ef da 6e  25 c4 ed be e3 3f da ae  |al..s..n%....?..|
-00000060  cd 3c 17 9c 2e ee fb 47  9d b3 a1 b2 c3 5d e0 83  |.<.....G.....]..|
-00000070  74 20 37 2d 72 d6 d0 4d  58 0e 26 1c 50 22 95 08  |t 7-r..MX.&.P"..|
-00000080  7d e0 5f 86 99 9e 2c 2e  a7 a0 7f 14 03 03 00 01  |}._...,.........|
-00000090  01 16 03 03 00 24 a2 ab  41 25 a5 cf 04 18 1d 98  |.....$..A%......|
-000000a0  88 6c 59 21 86 33 54 f4  35 b4 21 6e a5 29 d5 6e  |.lY!.3T.5.!n.).n|
-000000b0  3d 08 72 b0 af 46 b5 8f  6b 86                    |=.r..F..k.|
+00000000  16 03 03 00 86 10 00 00  82 00 80 5d 49 92 9d 5b  |...........]I..[|
+00000010  41 7a 83 f0 6d 32 de b8  49 00 2d e0 2f f9 f1 12  |Az..m2..I.-./...|
+00000020  0f 49 45 2b 58 fd 1d 72  49 e7 74 74 bc 97 73 f7  |.IE+X..rI.tt..s.|
+00000030  01 a9 10 53 ea 4a b5 5d  09 92 01 62 b7 50 cd 46  |...S.J.]...b.P.F|
+00000040  79 ec 35 08 0d 41 5f 09  41 fa 77 30 48 14 6b fe  |y.5..A_.A.w0H.k.|
+00000050  ca 12 d7 97 61 7a da 52  89 07 52 b0 81 c0 54 35  |....az.R..R...T5|
+00000060  7d 36 6c be 85 45 6b 67  e3 06 55 f7 af 40 d5 7d  |}6l..Ekg..U..@.}|
+00000070  34 bb ee 0c 49 6b fb 0a  c0 ec 04 85 28 4f 15 d7  |4...Ik......(O..|
+00000080  f3 e5 92 86 30 27 e9 15  b7 1d ae 14 03 03 00 01  |....0'..........|
+00000090  01 16 03 03 00 24 64 7a  6c c1 71 df b3 a2 a7 a8  |.....$dzl.q.....|
+000000a0  ea fd 04 d6 7c fc eb a1  18 21 42 f4 ba 09 75 1c  |....|....!B...u.|
+000000b0  f7 00 01 37 cc bb e1 11  c9 ef                    |...7......|
 >>> Flow 4 (server to client)
-00000000  14 03 03 00 01 01 16 03  03 00 24 59 20 4d c2 17  |..........$Y M..|
-00000010  8b 3c 9b 33 d9 f9 ef fb  80 18 1f 67 a7 58 12 89  |.<.3.......g.X..|
-00000020  4e 73 0f 2d 7b e6 c4 a6  79 73 01 da 22 e8 54 17  |Ns.-{...ys..".T.|
-00000030  03 03 00 21 36 ca 64 0f  4a 12 a5 50 3d 97 bb 39  |...!6.d.J..P=..9|
-00000040  02 fc ed d1 82 6a 9a 2e  21 79 f6 e1 b3 cc 32 db  |.....j..!y....2.|
-00000050  0f 5d b3 fb a5 15 03 03  00 16 51 f4 be 57 7a df  |.]........Q..Wz.|
-00000060  f1 f2 bd b5 51 5e 45 80  be 0b 9a 0c d1 19 3c 79  |....Q^E.......<y|
+00000000  14 03 03 00 01 01 16 03  03 00 24 c9 e4 67 51 5a  |..........$..gQZ|
+00000010  0a b3 8d 30 c6 e8 f3 df  52 a7 85 b3 e0 5a 64 0a  |...0....R....Zd.|
+00000020  19 96 96 0f 6d a7 1a 74  0d 47 29 a0 d1 db 8f 17  |....m..t.G).....|
+00000030  03 03 00 21 10 7b 5f 4a  b0 d8 25 2d d4 66 76 65  |...!.{_J..%-.fve|
+00000040  3c 03 c8 bd 15 19 d2 fc  19 f0 e6 ac c5 9d 8b 17  |<...............|
+00000050  26 d9 1e 71 4d 15 03 03  00 16 36 16 72 83 f8 79  |&..qM.....6.r..y|
+00000060  4c ca 20 39 4a 0c a4 55  06 79 b6 8a ab cb 9a f2  |L. 9J..U.y......|
diff --git a/src/crypto/tls/ticket.go b/src/crypto/tls/ticket.go
index 0923027c70..7be50ce68c 100644
--- a/src/crypto/tls/ticket.go
+++ b/src/crypto/tls/ticket.go
@@ -22,6 +22,9 @@ type sessionState struct {
 	cipherSuite  uint16
 	masterSecret []byte
 	certificates [][]byte
+	// usedOldKey is true if the ticket from which this session came from
+	// was encrypted with an older key and thus should be refreshed.
+	usedOldKey bool
 }
 
 func (s *sessionState) equal(i interface{}) bool {
@@ -132,20 +135,23 @@ func (s *sessionState) unmarshal(data []byte) bool {
 
 func (c *Conn) encryptTicket(state *sessionState) ([]byte, error) {
 	serialized := state.marshal()
-	encrypted := make([]byte, aes.BlockSize+len(serialized)+sha256.Size)
-	iv := encrypted[:aes.BlockSize]
+	encrypted := make([]byte, ticketKeyNameLen+aes.BlockSize+len(serialized)+sha256.Size)
+	keyName := encrypted[:ticketKeyNameLen]
+	iv := encrypted[ticketKeyNameLen : ticketKeyNameLen+aes.BlockSize]
 	macBytes := encrypted[len(encrypted)-sha256.Size:]
 
 	if _, err := io.ReadFull(c.config.rand(), iv); err != nil {
 		return nil, err
 	}
-	block, err := aes.NewCipher(c.config.SessionTicketKey[:16])
+	key := c.config.ticketKeys()[0]
+	copy(keyName, key.keyName[:])
+	block, err := aes.NewCipher(key.aesKey[:])
 	if err != nil {
 		return nil, errors.New("tls: failed to create cipher while encrypting ticket: " + err.Error())
 	}
-	cipher.NewCTR(block, iv).XORKeyStream(encrypted[aes.BlockSize:], serialized)
+	cipher.NewCTR(block, iv).XORKeyStream(encrypted[ticketKeyNameLen+aes.BlockSize:], serialized)
 
-	mac := hmac.New(sha256.New, c.config.SessionTicketKey[16:32])
+	mac := hmac.New(sha256.New, key.hmacKey[:])
 	mac.Write(encrypted[:len(encrypted)-sha256.Size])
 	mac.Sum(macBytes[:0])
 
@@ -154,14 +160,29 @@ func (c *Conn) encryptTicket(state *sessionState) ([]byte, error) {
 
 func (c *Conn) decryptTicket(encrypted []byte) (*sessionState, bool) {
 	if c.config.SessionTicketsDisabled ||
-		len(encrypted) < aes.BlockSize+sha256.Size {
+		len(encrypted) < ticketKeyNameLen+aes.BlockSize+sha256.Size {
 		return nil, false
 	}
 
-	iv := encrypted[:aes.BlockSize]
+	keyName := encrypted[:ticketKeyNameLen]
+	iv := encrypted[ticketKeyNameLen : ticketKeyNameLen+aes.BlockSize]
 	macBytes := encrypted[len(encrypted)-sha256.Size:]
 
-	mac := hmac.New(sha256.New, c.config.SessionTicketKey[16:32])
+	keys := c.config.ticketKeys()
+	keyIndex := -1
+	for i, candidateKey := range keys {
+		if bytes.Equal(keyName, candidateKey.keyName[:]) {
+			keyIndex = i
+			break
+		}
+	}
+
+	if keyIndex == -1 {
+		return nil, false
+	}
+	key := &keys[keyIndex]
+
+	mac := hmac.New(sha256.New, key.hmacKey[:])
 	mac.Write(encrypted[:len(encrypted)-sha256.Size])
 	expected := mac.Sum(nil)
 
@@ -169,15 +190,15 @@ func (c *Conn) decryptTicket(encrypted []byte) (*sessionState, bool) {
 		return nil, false
 	}
 
-	block, err := aes.NewCipher(c.config.SessionTicketKey[:16])
+	block, err := aes.NewCipher(key.aesKey[:])
 	if err != nil {
 		return nil, false
 	}
-	ciphertext := encrypted[aes.BlockSize : len(encrypted)-sha256.Size]
+	ciphertext := encrypted[ticketKeyNameLen+aes.BlockSize : len(encrypted)-sha256.Size]
 	plaintext := ciphertext
 	cipher.NewCTR(block, iv).XORKeyStream(plaintext, ciphertext)
 
-	state := new(sessionState)
+	state := &sessionState{usedOldKey: keyIndex > 0}
 	ok := state.unmarshal(plaintext)
 	return state, ok
 }