diff --git a/dotCMS/src/main/docker/original/Dockerfile b/dotCMS/src/main/docker/original/Dockerfile
index 764caa38c175..c3042474f590 100644
--- a/dotCMS/src/main/docker/original/Dockerfile
+++ b/dotCMS/src/main/docker/original/Dockerfile
@@ -92,6 +92,19 @@ COPY --from=container-base /java /java
 COPY --from=container-base /srv /srv
 COPY --from=container-base /data /data
 
+# Move libtcnative-1 to /srv/native-libs (owned by dotcms user) and leave symlinks
+# in /usr/lib. This lets the FIPS detection script remove the library at runtime
+# without root access — making the symlinks dangling so dlopen() fails to load it.
+RUN set -e; \
+ ARCH=$(uname -m); \
+ mkdir -p /srv/native-libs; \
+ for f in /usr/lib/${ARCH}-linux-gnu/libtcnative-1.so.0*; do \
+ [ -e "$f" ] || continue; \
+ mv "$f" /srv/native-libs/; \
+ ln -sf "/srv/native-libs/$(basename "$f")" "$f"; \
+ done; \
+ chown -R dotcms:dotcms /srv/native-libs
+
 USER $USER_UID:$USER_GID
 ENV JAVA_HOME="/java"
 ENV PATH=$PATH:/java/bin
diff --git a/dotCMS/src/main/docker/original/ROOT/srv/15-detect-fips-and-set-ssl-engine.sh b/dotCMS/src/main/docker/original/ROOT/srv/15-detect-fips-and-set-ssl-engine.sh
index 9056773f8d91..c11c145b9494 100755
--- a/dotCMS/src/main/docker/original/ROOT/srv/15-detect-fips-and-set-ssl-engine.sh
+++ b/dotCMS/src/main/docker/original/ROOT/srv/15-detect-fips-and-set-ssl-engine.sh
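Review bot: The RUN step succeeds silently when the glob `/usr/lib/${ARCH}-linux-gnu/libtcnative-1.so.0*` matches nothing (the `[ -e "$f" ] || continue` guard simply skips the loop), so an image whose base layer places the library elsewhere would ship without the relocation and the runtime FIPS hook would have nothing to unlink while the library stays loadable from its original path. A check after the loop, `[ -n "$(ls -A /srv/native-libs)" ] || { echo "libtcnative-1 not found under /usr/lib/${ARCH}-linux-gnu" >&2; exit 1; }`, makes that a build failure rather than a silent regression; if some base images legitimately lack the package, a warning is the alternative, but it should not be silent. The comment above the RUN line should also record the trade-off being made: `chown -R dotcms:dotcms /srv/native-libs` hands the unprivileged runtime user a directory on the JVM's native-library load path, and because the hook only needs unlink rights, which come from directory write access, the same access lets that user recreate a file under the same name — something an image audit should see stated rather than infer. A one-line note such as `# NOTE: /srv/native-libs is deliberately writable by the runtime user so the FIPS hook can unlink the library without root; this also makes it replaceable by that user.` would do.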
@@ -2,17 +2,27 @@
 
 # FIPS Mode Detection and APR SSL Engine Configuration
 # =====================================================
-# This script automatically detects FIPS-enabled environments and disables the
-# Tomcat Native APR SSL Engine to prevent JVM crashes with OpenSSL 3.x.
+# This script automatically detects FIPS-enabled environments and prevents
+# libtcnative-1 from loading to avoid JVM crashes with OpenSSL 3.x in FIPS mode.
 #
-# The Tomcat Native APR library (libtcnative-1) version 1.2.35 is incompatible
-# with OpenSSL 3.x when running in FIPS mode, causing segmentation faults.
+# Root cause: libtcnative-1 links against libcrypto.so.3. On a FIPS-enabled kernel,
+# OpenSSL 3.x requires the FIPS provider (fips.so) to be present before allowing
+# any crypto operation. Ubuntu 24.04 does not ship fips.so, so the first OpenSSL
+# crypto call (e.g. EVP_MD_get0_provider for random number generation) segfaults.
+# This happens regardless of SSLEngine or AprLifecycleListener configuration because
+# setenv.sh sets java.library.path to /usr/lib/-linux-gnu/ and Tomcat auto-
+# detects and loads libtcnative-1 from there even without an AprLifecycleListener.
+#
+# Fix: The Dockerfile moves libtcnative-1.so.0* to /srv/native-libs/ (owned by the
+# dotcms user) and leaves symlinks in /usr/lib. When FIPS is detected, this script
+# removes the files in /srv/native-libs/, making the symlinks dangling. dlopen() then
+# fails to load the library regardless of java.library.path or server.xml config.
 #
 # Configuration Options:
 # ----------------------
 # 1. Automatic FIPS Detection (default behavior):
 # - The script checks /proc/sys/crypto/fips_enabled
-# - If FIPS is enabled, CMS_SSL_ENGINE is automatically set to 'off'
+# - If FIPS is enabled, libtcnative-1 is removed and CMS_SSL_ENGINE is set to 'off'
 #
 # 2. Manual Override with CMS_DISABLE_APR_SSL:
 # - Set CMS_DISABLE_APR_SSL=true to disable APR SSL Engine
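Review bot: The "Root cause" paragraph gives the library path as `/usr/lib/-linux-gnu/`, with the architecture segment missing between `/usr/lib/` and `-linux-gnu`; that may be a rendering loss, but as written it names no real directory, and the Dockerfile in this same commit derives the segment from `uname -m`. The comment should match it, e.g. `# setenv.sh sets java.library.path to /usr/lib/$(uname -m)-linux-gnu/ and Tomcat auto-`, so a reader checking the claim on a running container looks in the right place. The "Fix" paragraph would also benefit from one sentence saying that the library is still present in the image and is only unlinked inside the container when FIPS is detected at start-up, since that is the first thing someone debugging a non-FIPS host that still loads libtcnative-1 needs to know.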
@@ -53,6 +63,16 @@ elif [[ "${FIPS_ENABLED}" == "true" ]]; then
 echo "[FIPS Detection] Automatically disabling APR SSL Engine due to FIPS mode"
 echo "[FIPS Detection] This prevents JVM crashes with OpenSSL 3.x in FIPS environments"
 echo "[FIPS Detection] Tomcat will use Java JSSE for SSL/TLS instead"
+ # Remove libtcnative-1 from /srv/native-libs (writable by dotcms user).
+ # The Dockerfile placed the library there and left symlinks in /usr/lib.
+ # Removing the target makes the symlinks dangling so dlopen() cannot load
+ # the library regardless of java.library.path or server.xml configuration.
+ if rm -f /srv/native-libs/libtcnative-1.so.0* && \
+ ! ls /srv/native-libs/libtcnative-1.so.0* >/dev/null 2>&1; then
+ echo "[FIPS Detection] libtcnative-1 removed from /srv/native-libs — library cannot be loaded"
+ else
+ echo "[FIPS Detection] WARNING: Failed to remove libtcnative-1 from /srv/native-libs — JVM may still crash"
+ fi
 export CMS_SSL_ENGINE="off"
 else
 # Default: Keep APR SSL Engine enabled for performance benefits
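Review bot: The success condition on the `if` line verifies the wrong location: it confirms the copies under `/srv/native-libs` are gone but never that the names under `/usr/lib/${ARCH}-linux-gnu/` (the directory the header comment says setenv.sh puts on java.library.path) have stopped resolving, so a regular file left there — for instance if the Dockerfile's move loop matched nothing, or a later layer reinstalled the package — would still earn the "library cannot be loaded" message while the JVM goes on to load it. Because `[ -e ]` follows symlinks, testing those names directly proves exactly the dangling-link state the comment describes, and it costs only a short loop. The `rm -f` plus `! ls` pair also reports "removed" when nothing was present at all (an unmatched glob passes both tests), which is what hides the first problem; distinguishing "nothing to remove" from "removed" would surface it in the logs. The enclosing `elif` branch begins before this hunk and the if-chain continues after it.
```shell
  rm -f /srv/native-libs/libtcnative-1.so.0*
  # [ -e ] follows symlinks: a dangling link in /usr/lib does not count as loadable,
  # but a regular file or a link to a surviving copy does.
  tcnative_loadable=false
  for lib in /srv/native-libs/libtcnative-1.so.0* "/usr/lib/$(uname -m)-linux-gnu"/libtcnative-1.so.0*; do
    [ -e "$lib" ] && tcnative_loadable=true
  done
  if [ "$tcnative_loadable" = false ]; then
    echo "[FIPS Detection] libtcnative-1 removed from /srv/native-libs — library cannot be loaded"
  else
    echo "[FIPS Detection] WARNING: Failed to remove libtcnative-1 from /srv/native-libs — JVM may still crash"
  fi
  # … unchanged: export CMS_SSL_ENGINE="off" …
```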