Reset s->tlsext_ticket_expected in ssl_scan_serverhello_tlsext.

This ensures that it's zeroed even if the SSL object is reused
(as in ssltest.c). It also ensures that it applies to DTLS, too.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit a06cd5d056)

ssl/t1_lib.c

@@ -1513,6 +1513,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 #ifndef OPENSSL_NO_NEXTPROTONEG
 	s->s3->next_proto_neg_seen = 0;
 #endif
+        s->tlsext_ticket_expected = 0;
 
 #ifndef OPENSSL_NO_HEARTBEATS
 	s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |