ERR_OSSL_EVP_UNSUPPORTED

Node.js ErrorSecurity ErrorCommonLast updated: June 28, 2026Tested on:Node.js v20 LTSNPM v10.2June 2026

OpenSSL EVPs unsupported algorithms during cryptographic handshakes.

ERR_OSSL_EVP_UNSUPPORTED Quick Fix⏱️ Est. Fix Time: 3 minutes

Usually happens because:

  • Legacy Webpack MD4
  • Deprecated Hashing

🔍 Quick Checklist:

What is ERR_OSSL_EVP_UNSUPPORTED?

The ERR_OSSL_EVP_UNSUPPORTED error occurs on Node.js versions 17+ (which incorporate the newer OpenSSL 3.0 library). It triggers when applications or build tools (like older versions of Webpack/Angular) attempt to use deprecated, weak cryptographic algorithms (such as MD4 or MD5) which are disabled by default under OpenSSL 3.0 configurations.

Common Causes

  • Legacy Webpack MD4: Older bundlers using weak hashing routines to compile file fingerprints.
  • Deprecated Hashing: Node scripts requesting deprecated cryptos (e.g. crypto.createHash('md4')).
CauseFrequency
Legacy Webpack MD4⭐⭐⭐⭐⭐
Deprecated Hashing⭐⭐⭐⭐

Common Mistakes

  • Using the --openssl-legacy-provider flag in production instead of upgrading dependencies to support secure OpenSSL 3.0 hashing.

How to Fix

1Upgrade Build Dependencies: Upgrade Webpack to version 5+ to resolve legacy MD4 dependency issues.
2Legacy SSL Flag: Run Node using the --openssl-legacy-provider environment flag.
3Pin Node Version: Stay on Node v16 if legacy compatibility is strictly mandatory.

Framework-Specific Examples

Setting up the legacy OpenSSL provider option inside project package scripts.

package.json legacy scripts config Example
{
  "scripts": {
    "build": "NODE_OPTIONS=--openssl-legacy-provider next build"
  }
}

Server Configuration Examples

Adding the legacy OpenSSL option to ecosystem.config.js for PM2 deployments.

PM2 Process Config Config
module.exports = {
  apps: [{
    name: 'server',
    script: './index.js',
    env: {
      NODE_OPTIONS: '--openssl-legacy-provider'
    }
  }]
};

Best Practices

  • Regularly audit and update node packages to stay compatible with TLS 1.3 and OpenSSL 3.0 rules.

Frequently Asked Questions (FAQ)

Q: Why did my Webpack build start failing with ERR_OSSL_EVP_UNSUPPORTED?

Webpack 4 uses MD4 hashes to generate asset fingerprints. Node.js 17+ upgraded to OpenSSL 3.0, which disables the weak, insecure MD4 algorithm by default.

Q: Is the --openssl-legacy-provider flag safe for production?

It is a temporary workaround. For long-term security, it is highly recommended to upgrade your dependencies to versions that do not rely on deprecated hash functions.

Q: Which Node.js versions throw this error?

Node.js version 17 and above, as they incorporate the newer OpenSSL 3.0 security layer.

Q: How do I set the legacy flag in Windows?

In command prompt: `set NODE_OPTIONS=--openssl-legacy-provider`. In PowerShell: `$env:NODE_OPTIONS="--openssl-legacy-provider"`.

Still having this problem?

Didn't solve your problem?

SuggestRequest Error