ERR_OSSL_EVP_UNSUPPORTED Webpack Build Error
Problem Statement
The ERR_OSSL_EVP_UNSUPPORTED error occurs when Webpack's build process attempts to use the MD4 hashing algorithm, which has been deprecated and removed from recent versions of OpenSSL (starting with OpenSSL 3.0). This error typically appears when using Node.js version 17+ and manifests as:
Error: error:0308010C:digital envelope routines::unsupported
at new Hash (node:internal/crypto/hash:67:19)The error stems from Webpack's default use of MD4 for hash generation, which is no longer supported by modern OpenSSL versions in Node.js 17 and above.
Solutions
1. Update Webpack Configuration (Recommended)
If you're using Webpack 5.54.0 or later, the most straightforward solution is to configure Webpack to use a different hashing algorithm:
module.exports = {
output: {
hashFunction: "sha256" // or "xxhash64" if available
}
};Supported algorithms include any from Node.js's crypto.createHash method, such as:
"sha256""sha512""xxhash64"(Webpack 5.54.0+)
2. Use the OpenSSL Legacy Provider (Temporary Workaround)
For cases where you can't modify the Webpack configuration, you can enable OpenSSL's legacy provider:
macOS/Linux:
export NODE_OPTIONS=--openssl-legacy-providerWindows (Command Prompt):
set NODE_OPTIONS=--openssl-legacy-providerWindows (PowerShell):
$env:NODE_OPTIONS = "--openssl-legacy-provider"In package.json scripts:
{
"scripts": {
"build": "NODE_OPTIONS=--openssl-legacy-provider webpack",
"dev": "NODE_OPTIONS=--openssl-legacy-provider webpack serve"
}
}WARNING
This is a temporary workaround and not recommended for production use, as it re-enables deprecated cryptographic algorithms.
3. Downgrade Node.js Version
If compatibility is critical and other solutions aren't feasible, downgrading to Node.js 16 LTS (Long-Term Support) version can resolve the issue:
# Using nvm (Node Version Manager)
nvm install 16.13.0
nvm use 16.13.0TIP
Node.js 16 includes OpenSSL 1.1.1, which supports the MD4 algorithm that Webpack uses by default.
4. Update Webpack and Dependencies
Ensure you're using the latest version of Webpack and related tools, as many have been updated to handle this issue:
npm update webpack --latestSpecific framework solutions:
- Next.js: Update to v11.1.3-canary.89 or later
- Vue.js: Ensure you're using compatible versions of Vue CLI and related packages
5. Docker-Specific Solution
If using Docker, specify a Node.js 16 base image:
FROM node:16-alpine # Instead of just: FROM nodeTechnical Explanation
The error occurs because:
- Webpack historically used MD4 as its default hashing algorithm
- OpenSSL 3.0 (shipped with Node.js 17+) removed support for MD4
- Webpack attempts to create MD4 hashes through Node.js's crypto module
- Node.js's crypto module relies on OpenSSL, which now rejects MD4 operations
INFO
MD4 was developed in 1990 and has been considered cryptographically broken for years, which is why modern OpenSSL versions no longer support it.
Framework-Specific Implementations
React Scripts
For projects using react-scripts, you can modify the Webpack configuration indirectly by adding this to your scripts:
{
"scripts": {
"start": "react-scripts --openssl-legacy-provider start"
}
}Laravel Mix
Add the OpenSSL legacy provider to your package.json:
{
"scripts": {
"dev": "NODE_OPTIONS=--openssl-legacy-provider npm run development",
"production": "NODE_OPTIONS=--openssl-legacy-provider npm run production"
}
}Next.js
Next.js has addressed this in newer versions, but for older versions:
{
"scripts": {
"dev": "NODE_OPTIONS=--openssl-legacy-provider next dev"
}
}Verification
After applying any solution, verify it works by running your build command:
npm run buildThe build should complete without the ERR_OSSL_EVP_UNSUPPORTED error.
Best Practices
- Prefer configuration changes over environment variable workarounds
- Keep Webpack and dependencies updated to benefit from official fixes
- Test thoroughly after making changes to ensure build integrity
- Consider security implications when using the legacy OpenSSL provider
The hashFunction configuration approach is generally recommended as it provides a permanent solution without compromising cryptographic security standards.