crypto/tls: disable earlyData extension in SessionTicket if didHRR

[rbqvq]

Proposal Details

Mainstream browsers do not modify curve preferences.

Therefore, we recommend that session tickets in the HRR path should not include the early-data extension, to avoid potential early-data rejection and unnecessary retransmissions, saving bandwidth.

@golang/security

[gabyhelp]

Related Issues

• crypto/tls: QUIC 0-RTT APIs #60107 (closed)
• crypto/tls: expose `testingOnlyDidHRR` from ConnectionState #74425 (closed)
• crypto/tls: improved 0-RTT QUIC APIs #63691 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}