What is the difference between APR implementation of SSL and JSSE implementation of SSL on TOMCAT5.5
The difference is that the JDK is using it's own SSL implementation, while the APR it's using what's installed on the computer, i.e. OpenSSL in most cases.
If you have low to medium traffic for https, the Java solution is just fine, but for very heavy loading (e.g. when most pages run on https), the OpenSSL native solution is much better, and it can be recompiled and optimized, so it will run even faster and consume less resources. The main disadvantage of APR+OpenSSL however is that it requires more configuration and tuning + testing, the Java version working simply out-of-the box.
What I usually do, is to always use the default Java SSL solution together with monitoring tools, and if the traffic turns heavy, then, and only then spend the effort to tune the APR solution.
When using APR, Tomcat might use an OpenSSL engine that is vulnerable to the Heartbleed bug (http://heartbleed.com). Then you can simply switch in your server.xml from APR:
<-- Define a APR SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
port="8443" .../>
To the Java SSL implementation that is not vulnerable by this bug:
<-- Define a blocking Java SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
port="8443" .../>
Or if you would like to use APR anyways, make sure you use the Tomcat Native library that has been compiled with the OpenSSL version that is not vulnerable to Heartbleed (OpenSSL 1.0.1g or higher) see https://issues.apache.org/bugzilla/show_bug.cgi?id=56363.