fix: Remove Tomcat Native APR library to resolve OpenSSL 3.x crash #34068
Removes libtcnative-1 and libapr1 from all Docker container builds and disables APR SSL Engine by default to prevent JVM segmentation faults when using OpenSSL 3.x.

Changes:
- Remove libtcnative-1 and libapr1 packages from all Dockerfiles (java-base, original, dev-env)
- Change APR SSLEngine default from "on" to "off" in server.xml configs
- Tomcat will now use pure Java JSSE for SSL/TLS operations instead of native OpenSSL

This eliminates the compatibility issue between tcnative 1.2.35 and OpenSSL 3.x that was causing crashes on Ubuntu 24.04+ and other modern systems. Java's JSSE implementation is fully functional and production-ready.

Fixes #34067

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
wezell
left a comment
We need to maintain the libtcnative functionality by default. It brings performance benefits to a majority of dotCMS installations. Instead of this PR, add a flag that either checks for FIPS enabled environments and disables it or just a configuration flag.
And we can't turn the SSL endpoint off. Do not merge this.
Implements automatic FIPS mode detection to prevent JVM crashes with OpenSSL 3.x while maintaining APR SSL performance benefits by default.

This addresses the reviewer feedback on PR #34068, which requested keeping the native library by default and adding FIPS detection or configuration flags instead of removing the library entirely.

Changes:
- Add 15-detect-fips-and-set-ssl-engine.sh for automatic FIPS detection
- Check /proc/sys/crypto/fips_enabled at container startup
- Auto-disable APR SSL when FIPS mode is detected
- Provide CMS_DISABLE_APR_SSL flag for manual control
- Keep native library installed by default for performance
- Update server.xml with comprehensive documentation
- Add FIPS_APR_SSL_FIX.md with configuration guide

Configuration options:
1. Automatic FIPS detection (default behavior)
2. CMS_DISABLE_APR_SSL=true for manual disable
3. CMS_SSL_ENGINE=on/off for direct control

Performance impact: None - APR SSL remains enabled by default in non-FIPS environments for optimal performance.

Fixes #34212

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
Alternative Solution Implemented

Thank you @wezell for the feedback on this PR. You're absolutely right that we should maintain the

I've implemented an alternative solution in PR #34213 that addresses all your concerns:

What Changed

Instead of removing the native library entirely, the new approach:

How It Works

A new script (

Configuration Examples

# Default: Automatic FIPS detection
docker run -p 8080:8080 dotcms/dotcms:latest

# Manual disable
docker run -e CMS_DISABLE_APR_SSL=true -p 8080:8080 dotcms/dotcms:latest

# Direct control
docker run -e CMS_SSL_ENGINE=off -p 8080:8080 dotcms/dotcms:latest

Impact

See PR #34213 for full implementation details. This approach provides the performance benefits you mentioned while automatically handling FIPS/OpenSSL 3.x compatibility issues.

🤖 Generated with Claude Code
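As an added illustration of the startup logic the comment above and the PR #34213 commit message describe (this is not dotCMS's own 15-detect-fips-and-set-ssl-engine.sh, whose contents are not on this page), the POSIX shell function below applies the stated precedence: CMS_SSL_ENGINE wins, then CMS_DISABLE_APR_SSL=true, then the kernel's /proc/sys/crypto/fips_enabled flag, and otherwise the APR engine stays on. The optional file-path argument, the apply_ssl_engine helper and the server.xml fragment used to exercise it are assumptions made here so the logic can run without a FIPS-mode kernel.

```shell
#!/bin/sh
# Added illustration, not dotCMS's own 15-detect-fips-and-set-ssl-engine.sh.
# Decide the Tomcat APR SSLEngine value from the environment and the kernel
# FIPS flag, with the precedence the PR #34213 commit message lists:
#   1. CMS_SSL_ENGINE=on|off      direct control, wins over everything
#   2. CMS_DISABLE_APR_SSL=true   manual disable
#   3. /proc/sys/crypto/fips_enabled reads 1  -> automatic disable
#   4. otherwise "on", keeping native OpenSSL for performance
# The optional first argument overrides the flag file (an assumption made
# here so the function can be exercised without a FIPS-mode kernel).

decide_ssl_engine() {
    fips_file="${1:-/proc/sys/crypto/fips_enabled}"

    case "${CMS_SSL_ENGINE:-}" in
        on|off)
            echo "$CMS_SSL_ENGINE"
            return 0
            ;;
        "")
            ;;  # not set: fall through to the automatic rules
        *)
            echo "CMS_SSL_ENGINE='$CMS_SSL_ENGINE' is not on|off" >&2
            return 1
            ;;
    esac

    if [ "${CMS_DISABLE_APR_SSL:-false}" = "true" ]; then
        echo off
        return 0
    fi

    # The kernel exposes "1" when booted in FIPS mode; a missing or
    # unreadable file (non-Linux, restricted container) counts as "not FIPS".
    if [ -r "$fips_file" ] && [ "$(cat "$fips_file" 2>/dev/null)" = "1" ]; then
        echo off
        return 0
    fi

    echo on
}

# Rewrite the SSLEngine attribute of the AprLifecycleListener in a server.xml
# copy, writing to a new file so the original stays untouched (assumed helper).
apply_ssl_engine() {
    in_xml="$1"
    out_xml="$2"
    engine="$3"
    case "$engine" in
        on|off) ;;
        *) echo "refusing to write SSLEngine=\"$engine\"" >&2; return 1 ;;
    esac
    sed "s/SSLEngine=\"[a-z]*\"/SSLEngine=\"$engine\"/" "$in_xml" > "$out_xml"
}

# Stand-alone run: report what this host would get, with no file writes.
echo "SSLEngine for this host: $(decide_ssl_engine)"
```

Rejecting anything other than on/off before it reaches server.xml matters because the value is interpolated into an XML attribute; treating an absent or unreadable flag file as "not FIPS" keeps the performance default on hosts where /proc is restricted.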
Summary
Removes the Tomcat Native APR library (libtcnative-1) from all Docker container builds and disables APR SSL Engine by default to prevent JVM segmentation faults when running on systems with OpenSSL 3.x.
Changes Made
Removed native library packages from all Dockerfiles:
- docker/java-base/Dockerfile: Removed libtcnative-1 and libapr1
- dotCMS/src/main/docker/original/Dockerfile: Removed libtcnative-1 and libapr1
- docker/dev-env/Dockerfile: Removed libtcnative-1 and libapr1

Disabled APR SSL Engine by default:
- dotCMS/src/main/resources/container/tomcat9/conf/server.xml: Changed SSLEngine default from on to off
- dotcms-integration/src/test/resources/server.xml: Changed SSLEngine from on to off

Technical Details
The Tomcat Native APR library version 1.2.35 (included with Tomcat 9.0.108) is incompatible with OpenSSL 3.x, causing JVM crashes during startup on modern systems like Ubuntu 24.04+, RHEL 9+, and other distributions that ship with OpenSSL 3.x.
Before this change:
- SIGSEGV (0xb) in libcrypto.so.3 during APR SSL initialization
- org.apache.tomcat.jni.SSL.fipsModeGet() method

After this change:
Testing
Impact
Environment Variable Override
The APR SSL Engine can still be enabled via environment variable if needed:
However, this will require the native library to be manually installed and may cause crashes on systems with OpenSSL 3.x.
Fixes #34067
🤖 Generated with Claude Code