2 files changed, 16 insertions, 9 deletions

diff --git a/src/tls/session_ticket.cpp b/src/tls/session_ticket.cpp
index 47a8a5c32..273996a16 100644
--- a/src/tls/session_ticket.cpp
+++ b/src/tls/session_ticket.cpp
@@ -35,13 +35,13 @@ New_Session_Ticket::New_Session_Ticket(Record_Writer& writer,
 New_Session_Ticket::New_Session_Ticket(const MemoryRegion<byte>& buf) :
    m_ticket_lifetime_hint(0)
    {
-   if(buf.size() >= 6)
-      {
-      TLS_Data_Reader reader(buf);
+   if(buf.size() < 6)
+      throw Decoding_Error("Session ticket message too short to be valid");
 
-      m_ticket_lifetime_hint = reader.get_u32bit();
-      m_ticket = reader.get_range<byte>(2, 0, 65535);
-      }
+   TLS_Data_Reader reader(buf);
+
+   m_ticket_lifetime_hint = reader.get_u32bit();
+   m_ticket = reader.get_range<byte>(2, 0, 65535);
    }
 
 MemoryVector<byte> New_Session_Ticket::serialize() const
diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp
index a0920fc28..6ec139710 100644
--- a/src/tls/tls_server.cpp
+++ b/src/tls/tls_server.cpp
@@ -217,6 +217,13 @@ void Server::process_handshake_msg(Handshake_Type type,
                                              creds,
                                              state->client_hello);
 
+      SymmetricKey session_ticket_key;
+      try
+         {
+         session_ticket_key = creds.psk("tls-server", "session-ticket", "");
+         }
+      catch(...) {}
+
       if(resuming)
          {
          // resume session
@@ -231,7 +238,7 @@ void Server::process_handshake_msg(Handshake_Type type,
             session_info.fragment_size(),
             secure_renegotiation.supported(),
             secure_renegotiation.for_server_hello(),
-            state->client_hello->supports_session_ticket(),
+            state->client_hello->supports_session_ticket() && session_ticket_key.length() > 0,
             state->client_hello->next_protocol_notification(),
             m_possible_protocols,
             rng);
@@ -259,9 +266,9 @@ void Server::process_handshake_msg(Handshake_Type type,
             {
             try
                {
-               SymmetricKey key = creds.psk("tls-server", "session-ticket", "");
                state->new_session_ticket =
-                  new New_Session_Ticket(writer, state->hash, session_info.encrypt(key, rng));
+                  new New_Session_Ticket(writer, state->hash,
+                                         session_info.encrypt(session_ticket_key, rng));
                }
             catch(...)
                {