Session resumption behavior

This is a theoretical question; I have yet to start implementation.

I am building a system where services are talking to each other over TLS. They open a lot of connections, so I decided to use session resumption to increase system performance. I have a requirement, though, that we should force renegotiation of connections when the system administrator needs it. This means “dropping” existing tickets. I don’t have control over the clients, so I need to be able to invalidate tickets from the server side. This brings me to the following two questions:

  1. How does the mbedtls client side behave when a session ticket is not accepted by the server? Does it seamlessly fall back to a full negotiation, or does it report a handshake failure?
  2. When I decide to invalidate tickets on the servers, can I change the server keys?