Historically there have been security issues associated with TLS renegotiation. This page describes the renegotiation behaviour of the Tomcat Native library.

Client initiated renegotiation

Client initiated renegotiation is disabled. This behaviour is hard-coded and cannot be changed.

Unsafe legacy negotiation

Support for unsafe legacy negotiation depends on OpenSSL. Unsafe legacy renegotiation is disabled by default and will not be allowed unless the OpenSSL configuration option SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is set.