ERR_OSSL_EVP_UNSUPPORTED
OpenSSL EVPs unsupported algorithms during cryptographic handshakes.
Usually happens because:
- ☑ Legacy Webpack MD4
- ☑ Deprecated Hashing
🔍 Quick Checklist:
What is ERR_OSSL_EVP_UNSUPPORTED?
The ERR_OSSL_EVP_UNSUPPORTED error occurs on Node.js versions 17+ (which incorporate the newer OpenSSL 3.0 library). It triggers when applications or build tools (like older versions of Webpack/Angular) attempt to use deprecated, weak cryptographic algorithms (such as MD4 or MD5) which are disabled by default under OpenSSL 3.0 configurations.
Common Causes
- Legacy Webpack MD4: Older bundlers using weak hashing routines to compile file fingerprints.
- Deprecated Hashing: Node scripts requesting deprecated cryptos (e.g. crypto.createHash('md4')).
| Cause | Frequency |
|---|---|
| Legacy Webpack MD4 | ⭐⭐⭐⭐⭐ |
| Deprecated Hashing | ⭐⭐⭐⭐ |
Common Mistakes
- Using the --openssl-legacy-provider flag in production instead of upgrading dependencies to support secure OpenSSL 3.0 hashing.
How to Fix
Framework-Specific Examples
Setting up the legacy OpenSSL provider option inside project package scripts.
{
"scripts": {
"build": "NODE_OPTIONS=--openssl-legacy-provider next build"
}
}Server Configuration Examples
Adding the legacy OpenSSL option to ecosystem.config.js for PM2 deployments.
module.exports = {
apps: [{
name: 'server',
script: './index.js',
env: {
NODE_OPTIONS: '--openssl-legacy-provider'
}
}]
};Best Practices
- Regularly audit and update node packages to stay compatible with TLS 1.3 and OpenSSL 3.0 rules.
Frequently Asked Questions (FAQ)
Q: Why did my Webpack build start failing with ERR_OSSL_EVP_UNSUPPORTED?
Webpack 4 uses MD4 hashes to generate asset fingerprints. Node.js 17+ upgraded to OpenSSL 3.0, which disables the weak, insecure MD4 algorithm by default.
Q: Is the --openssl-legacy-provider flag safe for production?
It is a temporary workaround. For long-term security, it is highly recommended to upgrade your dependencies to versions that do not rely on deprecated hash functions.
Q: Which Node.js versions throw this error?
Node.js version 17 and above, as they incorporate the newer OpenSSL 3.0 security layer.
Q: How do I set the legacy flag in Windows?
In command prompt: `set NODE_OPTIONS=--openssl-legacy-provider`. In PowerShell: `$env:NODE_OPTIONS="--openssl-legacy-provider"`.