From 3ceaaed8ca672bd6965296e5e594d1a8803353ba Mon Sep 17 00:00:00 2001
From: mbiuki <mkarimib@ece.ubc.ca>
Date: Tue, 9 Dec 2025 16:34:41 -0500
Subject: [PATCH] fix: remove Tomcat Native APR library to resolve OpenSSL 3.x
 crash
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Removes libtcnative-1 and libapr1 from all Docker container builds and
disables APR SSL Engine by default to prevent JVM segmentation faults
when using OpenSSL 3.x.

Changes:
- Remove libtcnative-1 and libapr1 packages from all Dockerfiles
  (java-base, original, dev-env)
- Change APR SSLEngine default from "on" to "off" in server.xml configs
- Tomcat will now use pure Java JSSE for SSL/TLS operations instead of
  native OpenSSL

This eliminates the compatibility issue between tcnative 1.2.35 and
OpenSSL 3.x that was causing crashes on Ubuntu 24.04+ and other modern
systems. Java's JSSE implementation is fully functional and production-ready.

Fixes #34067

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 docker/dev-env/Dockerfile                                   | 4 ++--
 docker/java-base/Dockerfile                                 | 2 +-
 dotCMS/src/main/docker/original/Dockerfile                  | 2 --
 dotCMS/src/main/resources/container/tomcat9/conf/server.xml | 2 +-
 dotcms-integration/src/test/resources/server.xml            | 2 +-
 5 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/docker/dev-env/Dockerfile b/docker/dev-env/Dockerfile
index f6dd40002a23..1ebfb698d7cf 100644
--- a/docker/dev-env/Dockerfile
+++ b/docker/dev-env/Dockerfile
@@ -34,8 +34,8 @@ RUN chmod 777 /data
 # Installing basic packages
 RUN apt-get update && \
     apt-get upgrade -y && \
-    apt-get install -y --no-install-recommends bash zip unzip wget libtcnative-1\
-    tzdata tini ca-certificates openssl libapr1 libpq-dev curl gnupg\
+    apt-get install -y --no-install-recommends bash zip unzip wget \
+    tzdata tini ca-certificates openssl libpq-dev curl gnupg\
     vim libarchive-tools postgresql-common
 
 
diff --git a/docker/java-base/Dockerfile b/docker/java-base/Dockerfile
index 2f783e5a0d8d..8ff30f568041 100644
--- a/docker/java-base/Dockerfile
+++ b/docker/java-base/Dockerfile
@@ -17,7 +17,7 @@ ENV PATH="$SDKMAN_DIR/bin:$PATH"
 # Installing basic packages and SDKMAN
 RUN apt update && \
     apt upgrade -y && \
-    apt install -y --no-install-recommends zip unzip wget libtcnative-1 tzdata tini ca-certificates openssl libapr1 libpq-dev curl gnupg && \
+    apt install -y --no-install-recommends zip unzip wget tzdata tini ca-certificates openssl libpq-dev curl gnupg && \
     rm -rf /var/lib/apt/lists/* && \
     wget -O - https://get.sdkman.io | bash && \
     bash -c "source $SDKMAN_DIR/bin/sdkman-init.sh && sdk install java ${SDKMAN_JAVA_VERSION} && sdk flush archives" && \
diff --git a/dotCMS/src/main/docker/original/Dockerfile b/dotCMS/src/main/docker/original/Dockerfile
index e51202d7b98a..8d7dce879302 100644
--- a/dotCMS/src/main/docker/original/Dockerfile
+++ b/dotCMS/src/main/docker/original/Dockerfile
@@ -49,12 +49,10 @@ RUN apt update && \
         tini \
         zip \
         unzip \
-        libtcnative-1 \
         tzdata \
         ca-certificates \
         libmimalloc2.0 \
         openssl \
-        libapr1 \
         libpq-dev && \
     rm -rf /var/lib/apt/lists/*
 
diff --git a/dotCMS/src/main/resources/container/tomcat9/conf/server.xml b/dotCMS/src/main/resources/container/tomcat9/conf/server.xml
index ac8cd4527b53..83fa945a9e66 100644
--- a/dotCMS/src/main/resources/container/tomcat9/conf/server.xml
+++ b/dotCMS/src/main/resources/container/tomcat9/conf/server.xml
@@ -2,7 +2,7 @@
 
 <Server port="${CMS_SERVER_PORT:-8005}" shutdown="${CMS_SERVER_SHUTDOWN:-SHUTDOWN}">
   <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
-  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="${CMS_SSL_ENGINE:-on}" />
+  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="${CMS_SSL_ENGINE:-off}" />
   <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
   <Service name="Catalina">
     <Executor
diff --git a/dotcms-integration/src/test/resources/server.xml b/dotcms-integration/src/test/resources/server.xml
index 0e2f7c0abd6a..d25991441112 100644
--- a/dotcms-integration/src/test/resources/server.xml
+++ b/dotcms-integration/src/test/resources/server.xml
@@ -25,7 +25,7 @@
     <Listener className="org.apache.catalina.security.SecurityListener" />
     -->
     <!--APR library loader. Documentation at /docs/apr.html -->
-    <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+    <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off" />
     <!-- Prevent memory leaks due to use of particular java/javax APIs-->
     <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
     <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />