27 changes: 24 additions & 3 deletions en_US/network/emqx-mqtt-tls.md
Expand Up @@ -2,7 +2,7 @@

EMQX can establish secure connections via SSL/TLS when accepting the access of an MQTT Client. The SSL/TLS encryption functionality encrypts network connections at the transport layer, enhancing the security of communication data while ensuring its integrity.

This page introduces the funtionalities and advantages of the SSL/TLS connection and how to establish an SSL/TLS connection between the client and EMQX.
This page introduces the functionalities and advantages of the SSL/TLS connection and how to establish an SSL/TLS connection between the client and EMQX.

## Safety Benefits

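Review bot: the heading `## Safety Benefits` in the trailing context of this hunk should be `## Security Benefits`; the paragraph above it describes confidentiality and integrity of communication data, which is a security property, not a safety one. The spelling fix (`funtionalities` to `functionalities`) is correct.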
Expand Down Expand Up @@ -42,19 +42,40 @@ EMQX, by default, enables the SSL/TLS listener on port `8883` and sets it for on

### Enable via Dashboard

1. Go to EMQX Dashboard. Click **Management** -> **Listeners** from the left navigation menu.
1. Go to the EMQX Dashboard. Click **Management** -> **Listeners** from the left navigation menu.

2. On the **Listeners** page, click **default** from the **Name** column of the SSL listener.

- **TLS Verify**: Disabled by default for one-way authentication.
- **TLS Cert**, **TLS Key** and **CA Cert**: Replace the current certificate files with your private certificate files by clicking the **Reset** button.

- **Session Tickets**: Enable TLS 1.3 session resumption. Clients can reuse a previously established TLS session during reconnection by presenting encrypted session tickets issued by the server, avoiding a full TLS handshake and reducing latency and CPU usage.

- **`disabled`**: Disable session tickets (default). A full TLS handshake is performed for every connection.
- **`stateless`**: Enable stateless session tickets. The server does not store session state, improving reconnection performance. TLS client certificate information is not available after session resumption, making this option suitable when certificate-based authentication or authorization is not required.
- **`stateless_with_cert`**: Enable stateless session tickets with certificate information included. Certificate information remains available after session resumption, suitable for certificate-based authentication (such as mTLS), but with slightly increased network bandwidth usage.

::: tip Note

Session tickets are supported only with TLS 1.3 and only in stateless mode to ensure scalability in clustered environments. EMQX does not support stateful session resumption for TLS 1.2.

EMQX also does not support client early data (0-RTT). Clients must wait until the TLS handshake is complete before sending MQTT data.

:::

- **TLS Cert**, **TLS Key,** and **CA Cert**: Replace the current certificate files with your private certificate files by clicking the **Reset** button.

- **SSL Versions**: All TLS/DTLS versions are supported. The default values are `tlsv1.3` and `tlsv1.2`. If PSK cipher suits are used for PSK authentication, make sure to configure `tlsv1.2` , `tlsv1.1` and `tlsv1` here. For more information on PSK authentication, see [Enable PSK Authentication](./psk-authentication.md).

- **Fail If No Peer Cert**: Used together with **TLS Verify** is enabled. Set to `false` by default.
- If set to `true`, verification of the client's identity fails if the client sends an empty certificate. The SSL/TLS connection will be rejected.
- If set to `false`, verification of the client's identity fails only if the client sends an invalid certificate (An empty certificate is considered to be valid). The SSL/TLS connection will be rejected.

- **Intermediate Certificate Depth**: The allowed maximum depth of certification path; the default value is `10`.

- **Key Password**: Type the password if the private key file is password-protected.

- **Enable OCSP Stapling**: Disabled by default; If you need to obtain the revocation status of SSL/TLS certificates, you can enable it by clicking the toggle switch. For more information, see [OCSP Stapling](./ocsp.md).

- **Enable CRL Check**: Disabled by default; If you need to verify whether connecting client certificates are not revoked, you can enable it by clicking the toggle switch. For more information, see [CRL Check](./crl.md).

3. After you complete the editing, click the **Update** button.
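Review bot: the `stateless` bullet should say what happens when **TLS Verify** is enabled together with it, not only that the option is "suitable when certificate-based authentication or authorization is not required". As written, a resumed session carries no client certificate information, so an operator who authenticates or authorizes by client certificate would lose that data on every resumed connection unless EMQX refuses resumption in that configuration; state which it is, and point readers to `stateless_with_cert` as the option to pair with mTLS. For `stateless_with_cert`, say whether the certificate carried in the ticket is re-checked by **Enable CRL Check** on resumption or only at the original full handshake, since a ticket's lifetime can outlast a revocation. Smaller points in the same hunk: in `**TLS Key,** and **CA Cert**` the comma sits inside the bold markers (move it outside, as the zh_CN file does); `PSK cipher suits` should be `cipher suites`; `Used together with **TLS Verify** is enabled` should read `Takes effect only when **TLS Verify** is enabled`; and under **Fail If No Peer Cert** set to `false`, the trailing `The SSL/TLS connection will be rejected.` applies only to the invalid-certificate case, so fold it into that sentence (for example `... only if the client sends an invalid certificate, in which case the connection is rejected; an empty certificate is accepted.`).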
21 changes: 21 additions & 0 deletions zh_CN/network/emqx-mqtt-tls.md
Expand Up @@ -47,14 +47,35 @@ EMQX 默认在 `8883` 端口启用了 SSL/TLS 监听器并设置其为单向认
2. 选择名称为 **default**,类型为 **ssl** 的监听器,点击名称进行编辑。TLS/SSL 连接相关的参数如下:

- **验证客户端证书**:默认为不启用,使用单向认证。

- **会话票据**:用于启用 TLS 1.3 的会话恢复功能。启用后,客户端可在重连时使用服务器签发的加密会话票据恢复之前的 TLS 会话,从而避免完整握手,降低连接延迟和 CPU 开销。

- `disabled`:禁用(默认值)。每次客户端连接或重连时都会执行完整的 TLS 握手。
- `stateless`:启用无状态会话票据。客户端可使用会话票据恢复 TLS 会话,服务器无需保存会话状态,可提升重连性能。但会话恢复后无法获取 TLS 客户端证书信息,适用于不依赖证书进行认证或授权的场景。
- `stateless_with_cert`:启用携带证书信息的无状态会话票据。会话恢复后仍可获取证书信息。适用于基于证书进行认证或访问控制(如 mTLS)的场景,但会略微增加网络带宽开销。

::: tip 注意

会话票据仅适用于 TLS 1.3,且仅支持无状态(stateless)机制,以保证在集群环境中的可扩展性。EMQX 不支持 TLS 1.2 的有状态会话恢复。

此外,EMQX 不支持客户端早期数据(0-RTT),客户端必须在 TLS 握手完成后才能发送 MQTT 数据。

:::

- **TLS Cert**, **TLS Key** 和 **CA Cert**:点击**重新设置**上传您的私人证书文件以替换当前的证书文件。

- **SSL 版本**: 支持所有 TLS/DTLS 版本。默认设置为 `tlsv1.3` 和 `tlsv1.2`。如果 PSK 验证中使用了 PSK 密码套件,确保在此处设置 `tlsv1.2` , `tlsv1.1` 和 `tlsv1`。更多关于 PSK 的内容请参阅 [PSK 认证](./psk-authentication.md)。

- **没有证书则 SSL 失败**:在**验证客户端证书**启用时有效,默认设置为 `false`。
- 如果设置为 `true`,如果客户端发送空证书,则客户端身份验证失败,SSL/TLS 连接将被拒绝。
- 如果设置为 `false`,只有当客户端发送无效证书时,客户端身份验证失败(空证书被认为是有效证书),SSL/TLS 连接将被拒绝。

- **CA 证书深度**:允许的证书证书链长度, 默认值为 `10`。

- **密钥文件密码**:如果密钥文件由密码保护,则需要输入密码。

- **启用 OCSP Stapling**: 默认为不启用;如需获取 X.509 数字证书的撤销状态,可以点击切换开关。具体可参阅 [OCSP Stapling](./ocsp.md)。

- **启用 CRL 检查**:默认为不启用;如需设置证书吊销列表(CRL)检查功能,可以点击切换开关。具体可参阅 [CRL 检查](./crl.md)。

3. 完成编辑后,点击**更新**。
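Review bot: keep the zh_CN `stateless` bullet in step with whatever the en_US one ends up saying about combining it with **验证客户端证书**; this text also only says the option suits scenarios that do not rely on certificates for authentication or authorization, not what happens when it is configured anyway, and it is equally silent on whether the certificate carried by `stateless_with_cert` is re-checked by **启用 CRL 检查** on resumption. While touching this list: `允许的证书证书链长度` doubles `证书`, and under **没有证书则 SSL 失败** set to `false` the trailing `SSL/TLS 连接将被拒绝` applies only to the invalid-certificate case, the same defect as in the en_US file.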