fix: Remove Tomcat Native APR library to resolve OpenSSL 3.x crash

Open mbiuki opened this issue 1 month ago • 0 comments

Summary

Removes the Tomcat Native APR library (libtcnative-1) from all Docker container builds and disables APR SSL Engine by default to prevent JVM segmentation faults when running on systems with OpenSSL 3.x.

Changes Made

  1. Removed native library packages from all Dockerfiles:

    • docker/java-base/Dockerfile: Removed libtcnative-1 and libapr1
    • dotCMS/src/main/docker/original/Dockerfile: Removed libtcnative-1 and libapr1
    • docker/dev-env/Dockerfile: Removed libtcnative-1 and libapr1
  2. Disabled APR SSL Engine by default:

    • dotCMS/src/main/resources/container/tomcat9/conf/server.xml: Changed SSLEngine default from on to off
    • dotcms-integration/src/test/resources/server.xml: Changed SSLEngine from on to off

Technical Details

The Tomcat Native APR library version 1.2.35 (included with Tomcat 9.0.108) is incompatible with OpenSSL 3.x, causing JVM crashes during startup on modern systems like Ubuntu 24.04+, RHEL 9+, and other distributions that ship with OpenSSL 3.x.

Before this change:

  • dotCMS crashed with SIGSEGV (0xb) in libcrypto.so.3 during APR SSL initialization
  • Error occurred in org.apache.tomcat.jni.SSL.fipsModeGet() method
  • Prevented dotCMS from starting successfully

After this change:

  • Tomcat uses pure Java JSSE (Java Secure Socket Extension) for SSL/TLS operations
  • No native library dependencies for SSL/TLS functionality
  • Eliminates OpenSSL version compatibility issues
  • Fully functional and production-ready SSL/TLS support

Testing

  • [ ] Build succeeds without errors
  • [ ] Docker containers start successfully
  • [ ] Integration tests pass
  • [ ] SSL/TLS connections work correctly using Java JSSE
  • [ ] No regression in SSL/TLS functionality

Impact

  • User Impact: None - Java JSSE provides equivalent SSL/TLS functionality
  • Performance: Minimal - Java JSSE performance is comparable to native OpenSSL for typical workloads
  • Security: No change - Java JSSE is maintained and certified for production use
  • Compatibility: Improved - eliminates OpenSSL version compatibility issues

Environment Variable Override

The APR SSL Engine can still be enabled via environment variable if needed:

CMS_SSL_ENGINE=on

However, this will require the native library to be manually installed and may cause crashes on systems with OpenSSL 3.x.

Fixes #34067

🤖 Generated with Claude Code

mbiuki • Dec 09 '25 21:12
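A regression check for the two changes listed in the description above, written as an added example that is not part of the PR or the dotCMS code base: it flags a Dockerfile that still names libtcnative-1 or libapr1, and a server.xml whose AprLifecycleListener SSLEngine resolves to anything other than off for a given environment. The `${CMS_SSL_ENGINE:-off}` placeholder form, the sample file contents and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

APR_PACKAGES = ("libtcnative-1", "libapr1")
APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"
PLACEHOLDER = re.compile(r"^\$\{(\w+)(?::-(.*))?\}$")  # assumed ${VAR:-default} form

def apr_packages_in_dockerfile(text):
    """Return the APR packages a Dockerfile still names, ignoring comment lines."""
    found = set()
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        for pkg in APR_PACKAGES:
            # Left boundary only, so pinned (pkg=<version>) and -dev variants also match.
            if re.search(r"(?<![\w.+-])" + re.escape(pkg), line):
                found.add(pkg)
    return sorted(found)

def effective_ssl_engine(server_xml, env):
    """Resolve the AprLifecycleListener SSLEngine value; None if no such listener."""
    for listener in ET.fromstring(server_xml).iter("Listener"):
        if listener.get("className") != APR_LISTENER:
            continue
        raw = listener.get("SSLEngine", "on")  # Tomcat defaults this attribute to "on"
        m = PLACEHOLDER.match(raw)
        return env.get(m.group(1), m.group(2) or "") if m else raw
    return None

def audit(dockerfile, server_xml, env):
    """List findings that would reintroduce the native APR/OpenSSL code path."""
    findings = [f"Dockerfile names {p}" for p in apr_packages_in_dockerfile(dockerfile)]
    engine = effective_ssl_engine(server_xml, env)
    if engine is not None and engine.strip().lower() != "off":
        findings.append(f"APR SSLEngine resolves to {engine!r}")
    return findings

# Constructed samples, not copied from the dotCMS repository.
OLD_DOCKERFILE = "FROM ubuntu:24.04\nRUN apt-get install -y libtcnative-1 libapr1\n"
NEW_DOCKERFILE = "FROM ubuntu:24.04\n# libtcnative-1 removed\nRUN apt-get install -y curl\n"
SERVER_XML = (
    '<Server port="8005" shutdown="SHUTDOWN">'
    f'<Listener className="{APR_LISTENER}" SSLEngine="${{CMS_SSL_ENGINE:-off}}"/>'
    "</Server>"
)

if __name__ == "__main__":
    for env in ({}, {"CMS_SSL_ENGINE": "on"}):
        print(env, audit(NEW_DOCKERFILE, SERVER_XML, env))
    print(audit(OLD_DOCKERFILE, SERVER_XML, {}))
```

Run against the deployment environment as well as the repository files, since the override is applied at container start and a clean server.xml does not rule out `CMS_SSL_ENGINE=on` being set there.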