Comment 3 for bug 1866746

Haw Loeung (hloeung) wrote :

12h - 24h or thereabouts to ensure PFS.

Reading through the HAProxy docs last night, it seems it's a collection of keys (so we just keep appending to that keyfile with the last few used). Reading elsewhere, we drop the key in place say every 5 mins the job runs to check and update, then after a certain period of time, say 20-30 mins (so key file age), issue the HAProxy reload to make it live. This would then ensure they're all rotated at the same time.

They don't *need* to be in sync. If I read correctly, tickets are already enabled by default with HAProxy (OpenSSL default), but if tickets don't match then the TLS/SSL session is renegotiated (full handshaking).

The thing is, in our setup, we have different content-cache units deployed as different applications based on DC, so we can't use juju relations to have it synchronise key generation and rotation. Instead, a juju charm config to drop the updated ticket in place, and a juju action to actually reload HAProxy. Or another idea is an agent or subordinate that talks to a central place for the ticket keys file.
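
The rotation job described in the comment above, as an added example (not part of the original comment or of any charm's code). It assumes HAProxy's `tls-ticket-keys` file format of one base64 key per line, 48-byte keys and three keys kept; the function names and the `interval`/`settle` parameters are illustrative.

```python
import base64, binascii, os, secrets, tempfile, time

KEY_BYTES = 48   # assumption: 48-byte keys (AES-128); HAProxy also accepts 80
KEEP = 3         # assumption: default number of ticket keys HAProxy loads

def new_key():
    return base64.b64encode(secrets.token_bytes(KEY_BYTES)).decode()

def _valid(line):
    try:
        return len(base64.b64decode(line, validate=True)) == KEY_BYTES
    except (binascii.Error, ValueError):
        return False

def read_keys(path):
    """Return the well-formed keys in the file, oldest first."""
    try:
        with open(path) as fh:
            return [l.strip() for l in fh if _valid(l.strip())]
    except FileNotFoundError:
        return []

def rotate(path, keep=KEEP):
    """Append one fresh key, keep the newest `keep`, replace the file atomically."""
    keys = read_keys(path)
    # First run fills the file; later runs append exactly one key. HAProxy
    # encrypts with the penultimate key, so the new last key only decrypts
    # until the next rotation, which tolerates units reloading at different times.
    keys += [new_key() for _ in range(max(1, keep - len(keys)))]
    keys = keys[-keep:]
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as fh:      # mkstemp creates the file mode 0600
        fh.write("\n".join(keys) + "\n")
    os.replace(tmp, path)               # readers never see a half-written file
    return keys

def rotation_due(path, interval=12 * 3600, now=None):
    """True when the key file is missing or older than the rotation interval."""
    now = time.time() if now is None else now
    return not os.path.exists(path) or now - os.path.getmtime(path) >= interval

def reload_due(path, last_reload, settle=20 * 60, now=None):
    """True once a key file newer than the last reload has aged `settle` seconds."""
    now = time.time() if now is None else now
    mtime = os.path.getmtime(path)
    return mtime > last_reload and now - mtime >= settle
```

A job run every 5 minutes would call `rotate()` when `rotation_due()` is true and trigger the HAProxy reload when `reload_due()` is true, recording the reload time for the next run.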