crypto/tls: GetCertificate called on resumed sessions

[FiloSottile]

GetCertificate is called just before checking the client session ticket. If the ticket is valid and the session is resumed, that call is probably pointless.

Off the top of my head, I can't remember why the server would need to know its own certificate in a resumed session, but there might be something I'm forgetting around renegotiation. Look into it, and if possible move the GetCertificate call after checkForResumption.

[rolandshoemaker]

TLS 1.3 already has this behavior.

In TLS 1.2 during resumption there is a check that the ciphersuite from the resumed session is still acceptable. That check relies on the certificate private key type in order to determine if the suite uses an acceptable key exchange.

Presumably since the key exchange has already happened as long as the cipher is otherwise acceptable it's fine to just ignore whether it contains an acceptable key exchange since the shared secret has already been established and we don't need the cert key for another kex.