TLS SSL Man In The Middle
A vulnerability exists in the TLS protocol that allows an attacker to
inject arbitrary requests into an TLS stream during renegotiation.
The TLS implementation used by Tomcat varies with connector. The
APR/native connector uses OpenSSL.
The APR/native connector is vulnerable if the OpenSSL version used is
vulnerable. Note: Building with OpenSSL 0.9.8l will disable all
renegotiation and protect against this vulnerability.
From 1.1.18 onwards, client initiated renegotiations are rejected to
provide partial protection against this vulnerability with any OpenSSL
Users should be aware that the impact of disabling renegotiation will
vary with both application and client. In some circumstances disabling
renegotiation may result in some clients being unable to access the