Problem
The Tomcat Native APR library (libtcnative-1) version 1.2.35 is incompatible with OpenSSL 3.x when running in FIPS mode, causing JVM segmentation faults during startup on modern systems (Ubuntu 24.04+, RHEL 9+).
PR #34068 attempted to fix this by removing the native library entirely, but the reviewer (@wezell) requested that we maintain the native library by default for performance benefits and instead add FIPS detection or a configuration flag.
Solution
This fix implements the reviewer's recommendation:
- Keeps native library installed by default - No changes to Dockerfiles; libtcnative-1 remains for performance
- Automatic FIPS detection - Checks /proc/sys/crypto/fips_enabled at container startup
- Configuration flags - Provides CMS_DISABLE_APR_SSL and CMS_SSL_ENGINE for manual control
- SSL endpoint stays enabled - Only disables APR library when needed, not SSL itself
Implementation Details
New Files
- dotCMS/src/main/docker/original/ROOT/srv/15-detect-fips-and-set-ssl-engine.sh - FIPS detection script that runs at container startup
- FIPS_APR_SSL_FIX.md - Comprehensive documentation with configuration options and troubleshooting
Modified Files
- dotCMS/src/main/docker/original/ROOT/srv/entrypoint.sh - Sources the FIPS detection script
- dotCMS/src/main/resources/container/tomcat9/conf/server.xml - Added documentation about FIPS auto-detection
Configuration Options
Users have three ways to control APR SSL behavior:
```bash
# Option 1: Automatic (default) - FIPS auto-detection
docker run -p 8080:8080 dotcms/dotcms:latest

# Option 2: Manual disable flag
docker run -e CMS_DISABLE_APR_SSL=true -p 8080:8080 dotcms/dotcms:latest

# Option 3: Direct control
docker run -e CMS_SSL_ENGINE=off -p 8080:8080 dotcms/dotcms:latest
```
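As an added illustration (not the PR's own 15-detect-fips-and-set-ssl-engine.sh), the following POSIX sh function combines the three controls above: the kernel FIPS flag, CMS_DISABLE_APR_SSL and CMS_SSL_ENGINE. The precedence order, the accepted truthy spellings, the optional file-path argument (used so the logic can be exercised without a real /proc) and feeding the result to the AprLifecycleListener SSLEngine attribute are assumptions, not something the PR specifies.

```bash
#!/bin/sh
# Hypothetical stand-in for the FIPS detection step (assumption: not the PR's script).
# Decides whether Tomcat's APR SSL engine should be "on" or "off" so that a
# FIPS-mode OpenSSL 3.x host never loads libtcnative's SSL path (the crash
# described above), while the HTTPS connector itself stays enabled.
#
# Assumed precedence: CMS_SSL_ENGINE (explicit) > CMS_DISABLE_APR_SSL > kernel FIPS flag.
# Usage: decide_ssl_engine [path-to-fips_enabled]  (defaults to /proc/sys/crypto/fips_enabled)
decide_ssl_engine() {
    fips_file="${1:-/proc/sys/crypto/fips_enabled}"

    # 1. An explicit, valid CMS_SSL_ENGINE always wins; an invalid value is
    #    ignored (with a warning) rather than silently turning the engine off.
    if [ -n "${CMS_SSL_ENGINE:-}" ]; then
        case "$CMS_SSL_ENGINE" in
            on|off) echo "$CMS_SSL_ENGINE"; return 0 ;;
            *) echo "warning: ignoring invalid CMS_SSL_ENGINE='$CMS_SSL_ENGINE'" >&2 ;;
        esac
    fi

    # 2. Manual disable flag (assumed truthy spellings).
    case "${CMS_DISABLE_APR_SSL:-}" in
        true|TRUE|True|1|yes) echo "off"; return 0 ;;
    esac

    # 3. Kernel FIPS mode: the file exists, is readable and its first byte is "1".
    #    A missing or unreadable file (non-Linux, restricted /proc) means "not FIPS".
    if [ -r "$fips_file" ] && [ "$(head -c 1 "$fips_file" 2>/dev/null)" = "1" ]; then
        echo "off"; return 0
    fi

    # Default: keep APR SSL for performance, exactly as the PR intends.
    echo "on"
}

# Example wiring for an entrypoint (assumption): export the decision so a later
# step can substitute it into <Listener className="...AprLifecycleListener" SSLEngine="..."/>.
# CMS_SSL_ENGINE="$(decide_ssl_engine)"; export CMS_SSL_ENGINE
```

Because CMS_SSL_ENGINE is honoured first, an operator can force "on" on a FIPS host to reproduce the crash in a controlled test, or force "off" anywhere to confirm the fallback path.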
Testing Plan
- CMS_DISABLE_APR_SSL=true (APR SSL should be disabled)
- CMS_SSL_ENGINE=off (APR SSL should be disabled)
Impact
- User Impact: None for non-FIPS environments - APR SSL remains enabled by default
- Performance: No change - APR SSL still used by default for optimal performance
- Security: Improved - FIPS environments now work automatically without crashes
- Compatibility: Improved - Eliminates OpenSSL 3.x + FIPS crashes
Related Issues
🤖 Generated with Claude Code