> If a site has N haproxy hosts, how should new ticket-keys be
> distributed (and processes reloaded) and avoid the race condition of
> some hosts using the new keys before those keys are on all hosts?
You distribute the new key to all instances for decryption, but use the penultimate key for encryption instead of the ultimate key: https://blog.cloudflare.com/tls-session-resumption-full-speed-and-secure/

Regards,
Lukas
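The rollout rule in the reply, as an added model (not code from the thread or from haproxy): every key loaded on a host can decrypt tickets, but only the penultimate key issues them, so a host that already has the newest key still issues tickets that hosts on the previous key file can resume. The key layout (16-byte name, 16-byte AES key, 16-byte HMAC key) follows haproxy's 48-byte key format; the ticket format itself is a toy that authenticates the session state with HMAC and does not encrypt it, because only the key-selection logic is the point here. Host names, key values and the session state are constructed.

```python
"""Model of a ticket-key ring during a staggered key rollout.

Every key in the ring decrypts; the penultimate key encrypts (haproxy's rule).
Set encrypt_newest=True to see the race the question describes.
"""
import hashlib
import hmac
import os

NAME_LEN = 16   # ticket key name, first 16 bytes of the 48-byte key
KEY_LEN = 48    # name(16) || aes key(16) || hmac key(16), as in haproxy's file
TAG_LEN = 32    # HMAC-SHA256 tag appended to the toy ticket


def make_key() -> bytes:
    """Constructed random key in haproxy's 48-byte layout."""
    return os.urandom(KEY_LEN)


class TicketKeyRing:
    def __init__(self, keys, encrypt_newest: bool = False):
        if len(keys) < 3:
            raise ValueError("haproxy requires at least 3 keys in the file")
        self.keys = list(keys)
        self.encrypt_newest = encrypt_newest

    @property
    def encrypt_key(self) -> bytes:
        # Last key in the file is decrypt-only; the one before it issues tickets.
        return self.keys[-1] if self.encrypt_newest else self.keys[-2]

    def by_name(self, name: bytes):
        for k in self.keys:
            if k[:NAME_LEN] == name:
                return k
        return None

    def issue(self, session_state: bytes) -> bytes:
        """Toy ticket: key name || state || HMAC(state). Integrity only."""
        k = self.encrypt_key
        tag = hmac.new(k[32:], session_state, hashlib.sha256).digest()
        return k[:NAME_LEN] + session_state + tag

    def resume(self, ticket: bytes):
        """Return the session state, or None to force a full handshake."""
        name, body, tag = ticket[:NAME_LEN], ticket[NAME_LEN:-TAG_LEN], ticket[-TAG_LEN:]
        k = self.by_name(name)
        if k is None:
            return None   # key not on this host: ticket is unusable here
        expected = hmac.new(k[32:], body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        return body


def demo(encrypt_newest: bool = False) -> dict:
    """Mid-rollout: host_old still runs [k1, k2, k3]; host_new has k4 appended
    and the file trimmed to the last three keys, [k2, k3, k4]. Reports whether
    a ticket issued by each host resumes on the other."""
    k1, k2, k3, k4 = (make_key() for _ in range(4))
    host_old = TicketKeyRing([k1, k2, k3], encrypt_newest)
    host_new = TicketKeyRing([k2, k3, k4], encrypt_newest)
    state = b"constructed session state"
    return {
        "new_accepts_old": host_new.resume(host_old.issue(state)) == state,
        "old_accepts_new": host_old.resume(host_new.issue(state)) == state,
    }


if __name__ == "__main__":
    print("penultimate key encrypts:", demo())
    print("newest key encrypts:     ", demo(encrypt_newest=True))
```

With the penultimate rule, host_new issues under k3, which host_old already holds, so resumption works in both directions while hosts are reloaded one at a time. With the newest key encrypting, host_new issues under k4 and every client that bounces to host_old falls back to a full handshake until the rollout completes. HAProxy's `tls-ticket-keys` bind option is documented to behave this way (all loaded keys decrypt, the penultimate one encrypts), so appending the new key to the file on every host and then reloading them in any order is sufficient.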

