dotCMS · dsilvam · Mar 24, 2026 · Jan 6, 2026
diff --git a/dotCMS/src/main/docker/original/ROOT/srv/15-detect-fips-and-set-ssl-engine.sh b/dotCMS/src/main/docker/original/ROOT/srv/15-detect-fips-and-set-ssl-engine.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+# FIPS Mode Detection and APR SSL Engine Configuration
+# =====================================================
+# This script automatically detects FIPS-enabled environments and disables the
+# Tomcat Native APR SSL Engine to prevent JVM crashes with OpenSSL 3.x.
+#
+# The Tomcat Native APR library (libtcnative-1) version 1.2.35 is incompatible
+# with OpenSSL 3.x when running in FIPS mode, causing segmentation faults.
+#
+# Configuration Options:
+# ----------------------
+# 1. Automatic FIPS Detection (default behavior):
+#    - The script checks /proc/sys/crypto/fips_enabled
+#    - If FIPS is enabled, CMS_SSL_ENGINE is automatically set to 'off'
+#
+# 2. Manual Override with CMS_DISABLE_APR_SSL:
+#    - Set CMS_DISABLE_APR_SSL=true to disable APR SSL Engine
+#    - Set CMS_DISABLE_APR_SSL=false to enable APR SSL Engine (default)
+#
+# 3. Direct CMS_SSL_ENGINE Control:
+#    - If CMS_SSL_ENGINE is already set, it takes precedence
+#    - This allows users to explicitly control the SSL engine behavior
+#
+# Performance Impact:
+# ------------------
+# - APR SSL Engine enabled: Uses native OpenSSL (better performance)
+# - APR SSL Engine disabled: Uses Java JSSE (comparable performance, better compatibility)
+
+# Check if CMS_SSL_ENGINE is already explicitly set by user
+if [[ -n "${CMS_SSL_ENGINE}" ]]; then
+    echo "[FIPS Detection] CMS_SSL_ENGINE already set to '${CMS_SSL_ENGINE}' - respecting user configuration"
+    return 0
+fi
+
+# Initialize FIPS detection flag
+FIPS_ENABLED=false
+
+# Check if system is running in FIPS mode
+if [[ -f /proc/sys/crypto/fips_enabled ]]; then
+    FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo "0")
+    if [[ "${FIPS_MODE}" == "1" ]]; then
+        FIPS_ENABLED=true
+        echo "[FIPS Detection] System is running in FIPS mode (fips_enabled=1)"
+    fi
+fi
+
+# Check if user explicitly requested to disable APR SSL
+if [[ "${CMS_DISABLE_APR_SSL}" == "true" || "${CMS_DISABLE_APR_SSL}" == "1" ]]; then
+    echo "[FIPS Detection] APR SSL Engine disabled via CMS_DISABLE_APR_SSL environment variable"
+    export CMS_SSL_ENGINE="off"
+elif [[ "${FIPS_ENABLED}" == "true" ]]; then
+    echo "[FIPS Detection] Automatically disabling APR SSL Engine due to FIPS mode"
+    echo "[FIPS Detection] This prevents JVM crashes with OpenSSL 3.x in FIPS environments"
+    echo "[FIPS Detection] Tomcat will use Java JSSE for SSL/TLS instead"
+    export CMS_SSL_ENGINE="off"
+else
+    # Default: Keep APR SSL Engine enabled for performance benefits
+    echo "[FIPS Detection] APR SSL Engine enabled (default) for optimal performance"
+    echo "[FIPS Detection] To disable APR SSL Engine, set CMS_DISABLE_APR_SSL=true or CMS_SSL_ENGINE=off"
+    export CMS_SSL_ENGINE="on"
+fi
+
+echo "[FIPS Detection] Final CMS_SSL_ENGINE value: ${CMS_SSL_ENGINE}"
diff --git a/dotCMS/src/main/docker/original/ROOT/srv/entrypoint.sh b/dotCMS/src/main/docker/original/ROOT/srv/entrypoint.sh
@@ -14,6 +14,7 @@ if [ $exit_status -eq 13 ]; then
     exit 0;
 fi
 
+source /srv/15-detect-fips-and-set-ssl-engine.sh
 source /srv/20-copy-overriden-files.sh
 source /srv/25-generate-dev-ssl-cert.sh
 source /srv/30-override-config-props.sh

diff --git a/dotCMS/src/main/resources/container/tomcat9/conf/server.xml b/dotCMS/src/main/resources/container/tomcat9/conf/server.xml
@@ -2,6 +2,28 @@
 
 <Server port="${CMS_SERVER_PORT:-8005}" shutdown="${CMS_SERVER_SHUTDOWN:-SHUTDOWN}">
   <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
+  <!--
+    APR (Apache Portable Runtime) SSL Engine Configuration
+    =======================================================
+    The APR SSL Engine uses Tomcat Native library (libtcnative-1) with native OpenSSL
+    for improved SSL/TLS performance compared to Java JSSE.
+
+    FIPS Mode Auto-Detection:
+    - The container automatically detects FIPS-enabled environments at startup
+    - If FIPS mode is detected, CMS_SSL_ENGINE is automatically set to 'off'
+    - This prevents JVM crashes with OpenSSL 3.x in FIPS environments
+
+    Configuration Options:
+    1. CMS_SSL_ENGINE=on (default): Uses native APR SSL for best performance
+    2. CMS_SSL_ENGINE=off: Uses Java JSSE (required for FIPS/OpenSSL 3.x compatibility)
+    3. CMS_DISABLE_APR_SSL=true: Alternative way to disable APR SSL Engine
+
+    Performance Impact:
+    - APR SSL enabled: Better performance with native OpenSSL
+    - APR SSL disabled: Comparable performance with Java JSSE, better compatibility
+
+    If APR SSL is disabled, Tomcat automatically falls back to Java JSSE.
+  -->
   <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="${CMS_SSL_ENGINE:-on}" />
   <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
   <Service name="Catalina">