Digital Envelope Routines Unsupported Error in Node.js

Problem Statement

The "error:0308010C:digital envelope routines::unsupported" error occurs in Node.js applications when code requests a cryptographic algorithm that the bundled OpenSSL library no longer enables by default. This issue commonly appears in projects using webpack, React, Vue.js, Angular, and other JavaScript frameworks.

The error typically manifests with a stack trace showing:

```
Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:67:19)
    at Object.createHash (node:crypto:130:10)
```

Root Cause

This error was introduced in Node.js 17 and later, when the bundled OpenSSL library was updated to version 3.0. OpenSSL 3.0 no longer enables older, less secure cryptographic algorithms like MD4 by default (they are only available through its legacy provider), but some build tools and dependencies were still using them.

Solutions

1. Update Dependencies

The most secure and recommended approach is to update your dependencies to versions that support modern cryptographic standards:

```bash
# Update all packages
npm update

# Force update with security fixes
npm audit fix --force
```

WARNING

Using npm audit fix --force may introduce breaking changes in complex projects. Test thoroughly after applying this fix.

2. Update React Scripts (React Projects)

For React applications, update react-scripts to version 5 or later:

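```bash
# npm update stays within the semver range in package.json, so install the new major version explicitly
npm install react-scripts@latest --save
```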

3. Webpack Configuration Update

If you're using Webpack directly, configure it to use supported hash algorithms:

```javascript
// webpack.config.js for Webpack v5
module.exports = {
  output: {
    hashFunction: 'xxhash64'
  }
};
```

```javascript
// webpack.config.js for Webpack v4
module.exports = {
  output: {
    hashFunction: 'sha512' // or 'sha256'
  }
};
```

Alternative Workarounds

Environment Variable Solution

Temporarily enable the legacy OpenSSL provider:

```bash
# Linux / macOS
export NODE_OPTIONS=--openssl-legacy-provider
```

```bat
REM Windows Command Prompt
set NODE_OPTIONS=--openssl-legacy-provider
```

```powershell
# Windows PowerShell
$env:NODE_OPTIONS = "--openssl-legacy-provider"
```

Package.json Script Modification

Add the OpenSSL legacy provider to your npm scripts (the VAR=value prefix shown here is POSIX shell syntax):

```json
{
  "scripts": {
    "start": "NODE_OPTIONS=--openssl-legacy-provider react-scripts start",
    "build": "NODE_OPTIONS=--openssl-legacy-provider react-scripts build"
  }
}
```

.npmrc Configuration

Create or modify your .npmrc file in the project root:

```ini
node-options="--openssl-legacy-provider"
```

Framework-Specific Solutions

Vue.js Projects

Update your vue.config.js:

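```javascript
// vue.config.js
const crypto = require('crypto');

// MD4 fallback for Node.js 17+
try {
  // Probe: throws when the runtime's OpenSSL does not provide MD4
  crypto.createHash('md4');
} catch (e) {
  console.warn('Crypto "MD4" is not supported anymore by this Node.js version');
  // Shim: swap MD4 for MD5 so the build tooling's hashing keeps working.
  // This patches crypto.createHash for the whole build process.
  const origCreateHash = crypto.createHash;
  crypto.createHash = (alg, opts) => {
    return origCreateHash(alg === 'md4' ? 'md5' : alg, opts);
  };
}

module.exports = {
  // your vue config
};
```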

Angular Projects

Modify your package.json scripts (the set ... && form shown here is Windows Command Prompt syntax):

```json
{
  "scripts": {
    "start": "set NODE_OPTIONS=--openssl-legacy-provider && ng serve -o"
  }
}
```

Node Version Management

If you must use an older Node.js version temporarily:

```bash
nvm install 16
nvm use 16
```

DANGER

Downgrading Node.js or using the legacy OpenSSL provider exposes your application to security vulnerabilities. Use these approaches only as temporary solutions while updating your dependencies.
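
The legacy-provider workaround described above can linger in three places: the NODE_OPTIONS environment variable, package.json scripts, and .npmrc. The check below is an added example, not code from the original page; the function names findLegacyProvider and opensslMajor and the sample inputs are constructed for illustration.

```javascript
// Added example: report where the legacy-provider workaround is still configured.
const FLAG = '--openssl-legacy-provider';

// Inputs are plain strings, so a CI job can pass in process.env.NODE_OPTIONS,
// process.execArgv and the text of package.json and .npmrc.
function findLegacyProvider({ nodeOptions = '', execArgv = [], packageJson = '{}', npmrc = '' }) {
  const findings = [];
  if (nodeOptions.includes(FLAG)) findings.push({ where: 'NODE_OPTIONS', detail: nodeOptions });
  if (execArgv.includes(FLAG)) findings.push({ where: 'node command line', detail: FLAG });

  // package.json: any script that sets the flag inline
  const scripts = JSON.parse(packageJson).scripts || {};
  for (const [name, cmd] of Object.entries(scripts)) {
    if (String(cmd).includes(FLAG)) {
      findings.push({ where: `package.json scripts.${name}`, detail: String(cmd) });
    }
  }

  // .npmrc: a node-options entry, ignoring lines commented out with # or ;
  npmrc.split(/\r?\n/).forEach((line, i) => {
    const text = line.trim();
    if (text.startsWith('#') || text.startsWith(';')) return;
    if (/^node-options\s*=/.test(text) && text.includes(FLAG)) {
      findings.push({ where: `.npmrc line ${i + 1}`, detail: text });
    }
  });
  return findings;
}

// Major version of the OpenSSL build inside this Node.js binary.
// 3 or higher means MD4 is not available by default.
function opensslMajor(versions = process.versions) {
  return parseInt(String(versions.openssl).split('.')[0], 10);
}

// Constructed sample inputs (not taken from a real project).
const sample = {
  nodeOptions: '--max-old-space-size=4096',
  packageJson: JSON.stringify({
    scripts: {
      start: 'NODE_OPTIONS=--openssl-legacy-provider react-scripts start',
      test: 'react-scripts test',
    },
  }),
  npmrc: '# temporary workaround\nnode-options="--openssl-legacy-provider"\n',
};

for (const f of findLegacyProvider(sample)) console.log(`${f.where}: ${f.detail}`);
console.log('OpenSSL major version:', opensslMajor());
```

In CI, fail the job when the returned list is non-empty so the temporary workaround cannot quietly become permanent.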

Docker Configuration

For Docker environments, specify a Node.js version 16 base image:

```dockerfile
FROM node:16-alpine
# Instead of: FROM node (which pulls latest)
```

Best Practices

  1. Regularly update dependencies to maintain security compliance
  2. Use Node.js LTS versions for production applications
  3. Avoid MD4 algorithm in favor of more secure alternatives
  4. Run security audits frequently with npm audit
  5. Test builds with newer Node.js versions during development

Conclusion

The "digital envelope routines unsupported" error indicates that your project relies on outdated cryptographic standards. While temporary workarounds exist, the proper solution is to update your dependencies to use modern, secure cryptographic algorithms supported by current Node.js versions.

Prioritize updating your project dependencies and build tools rather than relying on the legacy OpenSSL provider or downgrading Node.js, as these approaches introduce security risks.