There are already multiple ways to set session tickets but they all require key material. At Cloudflare we want to use a remote Keyless-style system.
I suggest the following interface.
// Wrap returns a session ticket value that can be later passed to Unwrap// to recover the content, usually by encrypting it. The ticket will be sent// to the client to be stored, and will be sent back in plaintext, so it can// be read and modified by an attacker.Wrap(cs*ConnectionState, content byte) (ticket byte, errerror)
// Unwrap returns a session ticket contents. The ticket can't be assumed// to having been generated by Wrap. // If unable to unwrap the ticket, the connection will proceed with a// complete handshake.Unwrap(chi*ClientHelloInfo, ticket byte) (content byte, successbool)
crypto/tls would be responsible of serializing and deserializing the session state.
This works cleanly with TLS 1.3 PSK, too, but I wonder if we will need more stuff in the interface to allow it to do replay protection, too.