Use Psiphon-Labs/utls@396869e9

- Fixes crash when resuming a TLS 1.2 session on a uTLS connection
  that lacks SessionTicketExtension.

go.mod

@@ -41,7 +41,7 @@ require (
 	github.com/Psiphon-Labs/goptlib v0.0.0-20200406165125-c0e32a7a3464
 	github.com/Psiphon-Labs/psiphon-tls v0.0.0-20250318183125-2a2fae2db378
 	github.com/Psiphon-Labs/quic-go v0.0.0-20250527153145-79fe45fb83b1
-	github.com/Psiphon-Labs/utls v0.0.0-20250617193811-8e54e1fd2162
+	github.com/Psiphon-Labs/utls v0.0.0-20250623193530-396869e9cd87
 	github.com/armon/go-proxyproto v0.0.0-20180202201750-5b7edb60ff5f
 	github.com/bifurcation/mint v0.0.0-20180306135233-198357931e61
 	github.com/bits-and-blooms/bloom/v3 v3.6.0

go.sum

@@ -26,8 +26,8 @@ github.com/Psiphon-Labs/psiphon-tls v0.0.0-20250318183125-2a2fae2db378 h1:LqI8cx
 github.com/Psiphon-Labs/psiphon-tls v0.0.0-20250318183125-2a2fae2db378/go.mod h1:7ZUnPnWT5z8J8hxfsVjKHYK77Zme/Y0If1b/zeziiJs=
 github.com/Psiphon-Labs/quic-go v0.0.0-20250527153145-79fe45fb83b1 h1:zD7JvZCV8gjvtI0AZmE81Ffc/v7A+qwU1/YfUmN/Flk=
 github.com/Psiphon-Labs/quic-go v0.0.0-20250527153145-79fe45fb83b1/go.mod h1:rONdWgPMbFjyyBai7gB1IBF4pT9r4l0GyiDst5XR1SY=
-github.com/Psiphon-Labs/utls v0.0.0-20250617193811-8e54e1fd2162 h1:j4UAddx21+WL7Koiy+v+XVj64gP0eyGai8Pc2e2pU6E=
-github.com/Psiphon-Labs/utls v0.0.0-20250617193811-8e54e1fd2162/go.mod h1:1vv0gVAzq9e2XYkW8HAKrmtuuZrBdDixQFx5H22KAjI=
+github.com/Psiphon-Labs/utls v0.0.0-20250623193530-396869e9cd87 h1:h/OnQpPMwC7pKN9YQTJ+vQATjchta6kgumJNnkJBq1k=
+github.com/Psiphon-Labs/utls v0.0.0-20250623193530-396869e9cd87/go.mod h1:1vv0gVAzq9e2XYkW8HAKrmtuuZrBdDixQFx5H22KAjI=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/andybalholm/brotli v1.1.1 h1:PR2pgnyFznKEugtsUo0xLdDop5SKXd5Qf5ysW+7XdTA=

vendor/github.com/Psiphon-Labs/utls/u_conn.go

@@ -179,7 +179,21 @@ func (uconn *UConn) uLoadSession() error {
 		if session == nil || err != nil {
 			return err
 		}
+		// [Psiphon] TODO: session should be validated before being used.
 		if session.version == VersionTLS12 {
+			// [Psiphon] SECTION BEGIN
+			// Should not attempt to resume a session ticket if the sessionTicketExt is nil.
+			// In upstream uTLS code, this check is skipped in initSessionTicketExt if
+			// skipResumptionOnNilExtension is true.
+			if uconn.sessionController.sessionTicketExt == nil {
+				return nil
+			}
+			if mutualCipherSuite(uconn.HandshakeState.Hello.CipherSuites, session.cipherSuite) == nil {
+				// The TLS 1.2 cipher suite must match the resumed session.
+				return nil
+			}
+			// [Psiphon] SECTION END
+
 			// We use the session ticket extension for tls 1.2 session resumption
 			uconn.sessionController.initSessionTicketExt(session, hello.sessionTicket)
 			uconn.sessionController.setSessionTicketToUConn()

vendor/modules.txt

@@ -57,7 +57,7 @@ github.com/Psiphon-Labs/quic-go/internal/utils/ringbuffer
 github.com/Psiphon-Labs/quic-go/internal/wire
 github.com/Psiphon-Labs/quic-go/logging
 github.com/Psiphon-Labs/quic-go/quicvarint
-# github.com/Psiphon-Labs/utls v0.0.0-20250617193811-8e54e1fd2162
+# github.com/Psiphon-Labs/utls v0.0.0-20250623193530-396869e9cd87
 ## explicit; go 1.23
 github.com/Psiphon-Labs/utls
 github.com/Psiphon-Labs/utls/byteorder