SR OS supports key rollover via HelloRequest messages, as detailed in RFC 5246, section 7.4.1.1. Some applications have a longer lifetime than others, in which case SR OS can use a timer that prompts the HelloRequest negotiation for the symmetric key rollover. This timer is configurable using the CLI.
If an application does not support the HelloRequest message, the no tls-re-negotiate-timer command should be configured under the config>system>security>tls context. For example, the gRPC application does not support HelloRequest messages.
When no tls-re-negotiate-timer is configured, the HelloRequest message is not generated, and symmetric keys are not renegotiated.
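One way to confirm from a packet capture whether the timer is actually triggering renegotiation, shown as an added example (not Nokia code). It assumes TLS 1.2 and a reassembled one-direction byte stream; the function names and the sample records are constructed for illustration.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23

def iter_records(stream: bytes):
    """Yield (content_type, version, payload) for each complete TLS record."""
    offset = 0
    while offset + 5 <= len(stream):
        ctype, version, length = struct.unpack_from("!BHH", stream, offset)
        payload = stream[offset + 5 : offset + 5 + length]
        if len(payload) < length:
            break  # truncated capture: stop instead of misparsing
        yield ctype, version, payload
        offset += 5 + length

def count_renegotiations(stream: bytes) -> int:
    """Count handshake bursts that begin after application data has flowed.

    Once the session is encrypted a HelloRequest body is ciphertext, but the
    record header still shows content type 22, which is what this keys on.
    Heuristic: application data interleaved inside one renegotiation would
    split it into two bursts.
    """
    seen_app_data = in_burst = False
    count = 0
    for ctype, _version, _payload in iter_records(stream):
        if ctype == APPLICATION_DATA:
            seen_app_data, in_burst = True, False
        elif ctype == HANDSHAKE and seen_app_data and not in_burst:
            count += 1
            in_burst = True
    return count

def make_record(ctype: int, size: int) -> bytes:
    """Build a constructed TLS 1.2 record with a zero-filled payload."""
    return struct.pack("!BHH", ctype, 0x0303, size) + bytes(size)

# Constructed server-to-client streams (payload sizes are arbitrary).
INITIAL = (make_record(HANDSHAKE, 80) + make_record(CHANGE_CIPHER_SPEC, 1)
           + make_record(HANDSHAKE, 40))
APP = make_record(APPLICATION_DATA, 100) + make_record(APPLICATION_DATA, 60)
TIMER_OFF = INITIAL + APP  # no handshake records after the first handshake
TIMER_SET = (INITIAL + APP + make_record(HANDSHAKE, 28) + make_record(HANDSHAKE, 120)
             + make_record(CHANGE_CIPHER_SPEC, 1) + make_record(HANDSHAKE, 40)
             + make_record(APPLICATION_DATA, 50))

if __name__ == "__main__":
    print(count_renegotiations(TIMER_SET), count_renegotiations(TIMER_OFF))
```

A session with no tls-re-negotiate-timer configured should report zero for its whole lifetime; a non-zero count on such a session means the peer, not the timer, started the renegotiation.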