Fixed - Node / NPM err_ossl_evp_unsupported error

Introduction

Previously, while working on one of my projects, I found this error that came up when I ran webpack:

err_ossl_evp_unsupported

Or "0308010c:digital envelope routines::unsupported"

What does this error mean? The error err_ossl_evp_unsupported just means that if you are using Node 17+ your main application or a module that the application references uses an algorithm or key size which is not suppored with OpenSSL 3.0.

A common output of the error looks something like the following:

10% building 1/3 modules 2 active ...er/index.js??ref--5-4!/var/www/node_modules/sass-loader/lib/loader.js??ref--5-5!/var/www/resources/sass/app.scssError: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:67:19)
    at Object.createHash (node:crypto:130:10)
    at module.exports (/var/www/node_modules/webpack/lib/util/createHash.js:135:53)
    at NormalModule._initBuildHash (/var/www/node_modules/webpack/lib/NormalModule.js:417:16)
    at handleParseError (/var/www/node_modules/webpack/lib/NormalModule.js:471:10)
    at /var/www/node_modules/webpack/lib/NormalModule.js:503:5
    at /var/www/node_modules/webpack/lib/NormalModule.js:358:12
    at /var/www/node_modules/loader-runner/lib/LoaderRunner.js:373:3
    at iterateNormalLoaders (/var/www/node_modules/loader-runner/lib/LoaderRunner.js:214:10)
    at iterateNormalLoaders (/var/www/node_modules/loader-runner/lib/LoaderRunner.js:221:10)
    at /var/www/node_modules/loader-runner/lib/LoaderRunner.js:236:3
    at runSyncOrAsync (/var/www/node_modules/loader-runner/lib/LoaderRunner.js:130:11)
    at iterateNormalLoaders (/var/www/node_modules/loader-runner/lib/LoaderRunner.js:232:2)
    at /var/www/node_modules/loader-runner/lib/LoaderRunner.js:186:6
    at runSyncOrAsync (/var/www/node_modules/loader-runner/lib/LoaderRunner.js:130:11)
    at /var/www/node_modules/loader-runner/lib/LoaderRunner.js:178:3
    at loadLoader (/var/www/node_modules/loader-runner/lib/loadLoader.js:47:3)
    at iteratePitchingLoaders (/var/www/node_modules/loader-runner/lib/LoaderRunner.js:169:2)
    at iteratePitchingLoaders (/var/www/node_modules/loader-runner/lib/LoaderRunner.js:165:10)
    at /var/www/node_modules/loader-runner/lib/LoaderRunner.js:188:6
    at runSyncOrAsync (/var/www/node_modules/loader-runner/lib/LoaderRunner.js:124:12)
    at /var/www/node_modules/loader-runner/lib/LoaderRunner.js:178:3
    at loadLoader (/var/www/node_modules/loader-runner/lib/loadLoader.js:47:3)
    at iteratePitchingLoaders (/var/www/node_modules/loader-runner/lib/LoaderRunner.js:169:2)
    at runLoaders (/var/www/node_modules/loader-runner/lib/LoaderRunner.js:365:2)
    at NormalModule.doBuild (/var/www/node_modules/webpack/lib/NormalModule.js:295:3)
    at NormalModule.build (/var/www/node_modules/webpack/lib/NormalModule.js:446:15)
    at Compilation.buildModule (/var/www/node_modules/webpack/lib/Compilation.js:739:10)
    at /var/www/node_modules/webpack/lib/Compilation.js:981:14
    at /var/www/node_modules/webpack/lib/NormalModuleFactory.js:409:6
    at /var/www/node_modules/webpack/lib/NormalModuleFactory.js:155:13
    at AsyncSeriesWaterfallHook.eval [as callAsync] (eval at create (/var/www/node_modules/tapable/lib/HookCodeFactory.js:33:10), <anonymous>:6:1)
    at /var/www/node_modules/webpack/lib/NormalModuleFactory.js:138:29
    at /var/www/node_modules/webpack/lib/NormalModuleFactory.js:346:9
    at processTicksAndRejections (node:internal/process/task_queues:78:11)
node:internal/crypto/hash:67
  this[kHandle] = new _Hash(algorithm, xofLen);
                  ^

Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:67:19)
    at Object.createHash (node:crypto:130:10)
    at module.exports (/var/www/node_modules/webpack/lib/util/createHash.js:135:53)
    at NormalModule._initBuildHash (/var/www/node_modules/webpack/lib/NormalModule.js:417:16)
    at /var/www/node_modules/webpack/lib/NormalModule.js:452:10
    at /var/www/node_modules/webpack/lib/NormalModule.js:323:13
    at /var/www/node_modules/loader-runner/lib/LoaderRunner.js:367:11
    at /var/www/node_modules/loader-runner/lib/LoaderRunner.js:233:18
    at context.callback (/var/www/node_modules/loader-runner/lib/LoaderRunner.js:111:13)
    at /var/www/node_modules/babel-loader/lib/index.js:55:103 {
  opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
  library: 'digital envelope routines',
  reason: 'unsupported',
  code: 'ERR_OSSL_EVP_UNSUPPORTED'
}

To fix this error, there are a few options that we can try:

1. Using the openssl-legacy-provider flag
2. Upgrade your Webpack version to v5.54.0+
3. Downgrade Node.js version
4. Check packages thats using a deprecated algorithm and upgrade

1. Using the openssl-legacy-provider flag

Based on the Node 17 release nodes (https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V17.md#17.0.0), they included this openssl-legacy-provider flag so that it can be used as workaround.

The flag just tells node that we don’t want to use the tighter algorithm and key size restrictions!

What are these “supported” algorithms and keysizes??

Node.js uses the crypto.createHash(algorithm[, options]) function which is used to generate hash digests for your application, modules.

The algorithm parameter is a string that comes from the supported list of algorithm from OpenSSL 3.0. As an example, the list of algorithms that OpenSSL 3.0 supports can be listed from the command:

openssl list -digest-algorithms

(Note: You can install OpenSSL through this link here: https://wiki.openssl.org/index.php/Binaries)

If you are running your project through NPM and the build task is your main entry point you can do the following:

NODE_OPTIONS='--openssl-legacy-provider' npm run build

Keep in mind that it is not a “parameter” of npm, but a environment variable setting. That is why we use the NODE_OPTIONS in the front!

If you are on Windows, you can set the environment variable as so:

set NODE_OPTIONS=--openssl-legacy-provider

If you are on Mac OSX or Linux distro, set the below command in ~/.bash_profile or ~/.bashrc - this just makes the setting stay after you have logged off!

export NODE_OPTIONS=--openssl-legacy-provider

Package.json specific settings

The following are examples of package.json for specific projects.

If you are on a Angular application, consider using this:

"start": "set NODE_OPTIONS=--openssl-legacy-provider && ng serve -o"

If you are on a React application, consider using this:

"scripts": {
"start": "export SET NODE_OPTIONS=--openssl-legacy-provider && react-scripts start",
"build": "export SET NODE_OPTIONS=--openssl-legacy-provider && react-scripts build"
}

With Vue, and we are also using the Vue Cli

"scripts": {
"serve": "export NODE_OPTIONS=--openssl-legacy-provider && vue-cli-service serve",
"build": "export NODE_OPTIONS=--openssl-legacy-provider && vue-cli-service build",
"lint": "export NODE_OPTIONS=--openssl-legacy-provider && vue-cli-service lint"
},

2. Upgrade your Webpack version to v5.54.0+

With Webpack 4, it relys on OpenSSL. If we upgrade our webpack version, Webpack v5.54.0+ it comes with a hashing algorithm that does not rely on OpenSSL.

To update Webpack, just do the following steps: First check that you have at least Node.js 10.13.0 (LTS) installed on your machine. Webpack 5 requires this as a minimum!

1. Open up the terminal and go to your root project directory.
2. Run the following command to check your webpack version:

webpack --version

3. The above will print out your webpack version. If your webpack version is 4.x.x or less, we need to update it.
4. Run the following npm install command:

npm install webpack-cli@5.54.0

The above command can be changed to the latest webpack version!

The algorithm that it uses is from a npm package and not from node. We just need to update our webpack.config.js to:

module.exports = {
    output: {
        hashFunction: "xxhash64"
    }
};

Now if you are still keen on using Webpack 4, we can override the algorithm that it uses by updating the webpack.config.js like so:

const crypto = require("crypto");
const crypto_orig_createHash = crypto.createHash;
crypto.createHash = algorithm => crypto_orig_createHash(algorithm == "md4" ? "sha256" : algorithm);

Webpack by default uses the ancient “md4” algorithm which is not supported by OpenSSL - we just change that to “sha256” which is supported!

3. Downgrade Node version

One other option is to downgrade our node 17+ version to node 16+. This should be treated as a last resort and not really fixing the core issue!

If you are on a Mac or Linux distro

You should have installed NVM (Node Version Manager). If you never had before, just run this command in your terminal:

curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash

1. Open your project

2. Open the terminal in your project

3. Run the command nvm install 16.13.0 or any older version

4. After the installation is completed, run nvm use 16.13.0

If you are on windows

To uninstall node 17+ to version 16, follow the steps:

1. Open up “Add or Remove Programs”
2. Locate Node.js
3. Click uninstall
4. Go to this url to get node version 16 (https://nodejs.org/download/release/latest-v16.x/)
5. Download and install the above binary
6. Open up you project, clear the node_modules folder and run npm install

4. Check packages thats using a deprecated algorithm and upgrade

One way to get rid of this error, is to check for the packages that you are using that is still using unsupported hash functions.

For example, if you are using babel-loader: 8.2.2 it was using a deprecated hashing function not supported by OpenSSL.

Upgrading to the latest bable-loader (babel-loader: 8.3.0+) will fix the issue.

Fixing for React

If you are working with React, a possible error output could look like this:

spring-boot-react-crud-app\node_modules\react-scripts\scripts\start.js:19
  throw err;
  ^

Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:67:19)
    at Object.createHash (node:crypto:130:10)
    at module.exports (C:\React\spring-boot-react-crud-app\node_modules\webpack\lib\util\createHash.js:135:53)
    at NormalModule._initBuildHash (C:\React\spring-boot-react-crud-app\node_modules\webpack\lib\NormalModule.js:417:16)
    at C:\React\spring-boot-react-crud-app\node_modules\webpack\lib\NormalModule.js:452:10
    at C:\React\spring-boot-react-crud-app\node_modules\webpack\lib\NormalModule.js:323:13
    at C:\React\spring-boot-react-crud-app\node_modules\loader-runner\lib\LoaderRunner.js:367:11
    at C:\React\spring-boot-react-crud-app\node_modules\loader-runner\lib\LoaderRunner.js:233:18
    at context.callback (C:\React\spring-boot-react-crud-app\node_modules\loader-runner\lib\LoaderRunner.js:111:13)
    at C:\React\spring-boot-react-crud-app\node_modules\babel-loader\lib\index.js:59:103 {
  opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
  library: 'digital envelope routines',
  reason: 'unsupported',
  code: 'ERR_OSSL_EVP_UNSUPPORTED'
}

Node.js v17.0.1

This error can be fixed by the following options:

1. Apply the –openssl-legacy-provider flag to Webpack or the CLI Tool
2. Use an LTS Version of Node JS
3. Upgrade React Script to Version 5+

A more detailed explanation of each of those options are as follows:

1. Apply the –openssl-legacy-provider flag to Webpack or the CLI Tool

When using React Scripts we can pass in the openssl-legacy-provider flag like so:

{
    ...
    "start": "react-scripts --openssl-legacy-provider start".
    ...
}

2. Use an LTS Version of Node JS

Consider downgrading your Node version to 16.16.0 or other LTS versions.

Currently, 18.12.1 is the latest LTS version of Node. You can download it from the Node JS official website or use NVM to install it.

3. Upgrade React Script to Version 5+

We can upgrade React Script cli to version 5+ by doing the following steps:

1. Open the terminal and go to you project folder root.
2. Run the following command to uninstall react scripts:

npm uninstall react-scripts

3. Then we install the latest version with the following command:

npm install react-scripts

Manually change the react script version

Now if you got errors from the above automatic installation, consider using the below steps to clean out and install react-scripts

1. Open up your project folder
2. Open up your package.json and change the react-script version to 5.0.2 (or the latest version)
3. delete the node_modules folder manually or by using the command:

rm –rf node_modules

4. Delete the package.lock.json file by running rm –rf package.lock.json
5. Run npm install

Summary

In this post, we went over the rand error with Webpack err_ossl_evp_unsupported. The err_ossl_evp_unsupported error is caused by using Node 17+ with older packages such as Webpack 4.

Node 17+ versions uses OpenSSL 3.0 which is more strict on the types of has algorithms and key sizes that can be used.

To get around this we have a few options - passing in the openssl-legacy-provider flag for Node to ignore and allow unsupported hash algorithms, upgrade our packages - such as webpack 4 to webpack v5.54.0+, and finally if nothing works, downgrade to a LTS Node.js version such as Node version 16.x

If we are on a React project, consider upgrading the react scripts CLI to the latest version 5+.