Security
   * Fixed an issue in TLS 1.3 server handling of the second ClientHello, after
     sending a HelloRetryRequest message. A man-in-the-middle attacker could
     force a TLS 1.3 session resumption using a ticket to fall back to an
     unintended TLS 1.2 session resumption with an all-zero master secret.
     This could result in client authentication being bypassed and allow client
     impersonation.
     Found and reported by Jaehun Lee, Pohang University of Science and
     Technology (POSTECH).
