fix: Remove Tomcat Native APR library to resolve OpenSSL 3.x crash

[mbiuki]

Summary

Removes the Tomcat Native APR library (libtcnative-1) from all Docker container builds and disables APR SSL Engine by default to prevent JVM segmentation faults when running on systems with OpenSSL 3.x.

Changes Made

1. Removed native library packages from all Dockerfiles:

   • docker/java-base/Dockerfile: Removed libtcnative-1 and libapr1
   • dotCMS/src/main/docker/original/Dockerfile: Removed libtcnative-1 and libapr1
   • docker/dev-env/Dockerfile: Removed libtcnative-1 and libapr1

2. Disabled APR SSL Engine by default:

   • dotCMS/src/main/resources/container/tomcat9/conf/server.xml: Changed SSLEngine default from on to off
   • dotcms-integration/src/test/resources/server.xml: Changed SSLEngine from on to off

Technical Details

The Tomcat Native APR library version 1.2.35 (included with Tomcat 9.0.108) is incompatible with OpenSSL 3.x, causing JVM crashes during startup on modern systems like Ubuntu 24.04+, RHEL 9+, and other distributions that ship with OpenSSL 3.x.

Before this change:

• dotCMS crashed with SIGSEGV (0xb) in libcrypto.so.3 during APR SSL initialization
• Error occurred in org.apache.tomcat.jni.SSL.fipsModeGet() method
• Prevented dotCMS from starting successfully

After this change:

• Tomcat uses pure Java JSSE (Java Secure Socket Extension) for SSL/TLS operations
• No native library dependencies for SSL/TLS functionality
• Eliminates OpenSSL version compatibility issues
• Fully functional and production-ready SSL/TLS support

Testing

• Build succeeds without errors
• Docker containers start successfully
• Integration tests pass
• SSL/TLS connections work correctly using Java JSSE
• No regression in SSL/TLS functionality

Impact

• User Impact: None - Java JSSE provides equivalent SSL/TLS functionality
• Performance: Minimal - Java JSSE performance is comparable to native OpenSSL for typical workloads
• Security: No change - Java JSSE is maintained and certified for production use
• Compatibility: Improved - eliminates OpenSSL version compatibility issues

Environment Variable Override

The APR SSL Engine can still be enabled via environment variable if needed:

CMS_SSL_ENGINE=on

However, this will require the native library to be manually installed and may cause crashes on systems with OpenSSL 3.x.

Fixes #34067

🤖 Generated with Claude Code

[wezell]

We need to maintain the libtcnative functionality by default. It brings performance benefits to a majority of dotCMS installations. Instead of this PR, add a flag that either checks for FIPS enabled environments and disables it or just a configuration flag.

And we can't turn the SSL endpoint off. Do not merge this.

[mbiuki]

Alternative Solution Implemented

Thank you @wezell for the feedback on this PR. You're absolutely right that we should maintain the libtcnative functionality by default for performance benefits.

I've implemented an alternative solution in PR #34213 that addresses all your concerns:

What Changed

Instead of removing the native library entirely, the new approach:

1. Keeps libtcnative installed by default ✅

   • No changes to Dockerfiles
   • Native library remains for optimal performance

2. Automatic FIPS detection ✅

   • Checks /proc/sys/crypto/fips_enabled at container startup
   • Automatically disables APR SSL when FIPS mode is detected

3. Configuration flags ✅

   • CMS_DISABLE_APR_SSL=true for manual control
   • CMS_SSL_ENGINE=on/off for direct override
   • User settings always take precedence

4. SSL endpoints stay enabled ✅

   • Only disables APR library when needed
   • Tomcat automatically falls back to Java JSSE

How It Works

A new script (15-detect-fips-and-set-ssl-engine.sh) runs during container startup:

• Detects FIPS mode automatically
• Sets CMS_SSL_ENGINE=off if FIPS is enabled OR manual disable requested
• Defaults to CMS_SSL_ENGINE=on for optimal performance

Configuration Examples

# Default: Automatic FIPS detection
docker run -p 8080:8080 dotcms/dotcms:latest

# Manual disable
docker run -e CMS_DISABLE_APR_SSL=true -p 8080:8080 dotcms/dotcms:latest

# Direct control
docker run -e CMS_SSL_ENGINE=off -p 8080:8080 dotcms/dotcms:latest

Impact

• ✅ Performance maintained by default (APR SSL enabled)
• ✅ FIPS environments work automatically
• ✅ Flexible configuration options
• ✅ No breaking changes

See PR #34213 for full implementation details.

This approach provides the performance benefits you mentioned while automatically handling FIPS/OpenSSL 3.x compatibility issues.

🤖 Generated with Claude Code