error:0308010C:digital envelope routines::unsupported — Cause and Fix

Q: How do I fix it quickly without upgrading?

Set the environment variable NODE_OPTIONS=--openssl-legacy-provider before the build, which re-enables the legacy OpenSSL provider. It is a stopgap: it works immediately but keeps you on an old toolchain and re-enables deprecated crypto, so treat it as a bridge to upgrading.

Q: How do I set the flag cross-platform in package.json?

Use cross-env so the same script works on Windows, macOS, and Linux: "start": "cross-env NODE_OPTIONS=--openssl-legacy-provider react-scripts start". Install it with npm install -D cross-env. Setting NODE_OPTIONS inline without cross-env fails on Windows.

Quick answer

Node.js 17+ ships OpenSSL 3, which disabled the legacy MD4 hash that old webpack 4 / Create React App use for module hashing — so the build throws ERR_OSSL_EVP_UNSUPPORTED. The real fix is to upgrade (webpack 5.61+ / react-scripts 5). The quick stopgap is NODE_OPTIONS=--openssl-legacy-provider.

The exact error string

Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:69:19)
    at Object.createHash (node:crypto:138:10)
    ...
  opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
  library: 'digital envelope routines',
  reason: 'unsupported',
  code: 'ERR_OSSL_EVP_UNSUPPORTED'

The giveaway is the call stack: createHash → new Hash. A tool asked OpenSSL for a hash algorithm OpenSSL 3 will not provide by default. In a frontend project that algorithm is almost always MD4, used by webpack to fingerprint modules and chunks.

Why upgrading Node triggered it

Node.js 17 replaced its bundled OpenSSL 1.1.1 with OpenSSL 3.0. OpenSSL 3 moved a set of old, weak algorithms — including MD4 — into a separate "legacy provider" that is not loaded by default. Webpack 4 calls crypto.createHash('md4'), which used to succeed and now throws. Nothing in your code changed; the crypto library underneath Node did.

This is the same class of "Node upgrade broke the build" issue as switching module systems — see Cannot use import statement outside a module — and the principle is the same: align the toolchain with the runtime.

Who hits this: overwhelmingly Webpack 4 and Create React App 4 projects (and tools built on them — older @vue/cli, Storybook 6, some Gatsby setups). Projects on Vite or Webpack 5.61+ generally do not see it. If you are on a modern bundler and still get the error, a nested dependency is pulling in old webpack — check with npm ls webpack.

Fix 1: upgrade the build tool (recommended)

Webpack 5.61+ stopped using MD4 and now uses a hash that works on OpenSSL 3; react-scripts 5 carries that fix for Create React App. Updating is the only option that removes the error without re-enabling deprecated crypto:

# Create React App
npm install react-scripts@latest

# Plain webpack
npm install webpack@latest webpack-cli@latest

# then a clean install so the lockfile matches
rm -rf node_modules package-lock.json
npm install

If a deep dependency still pins old webpack, check its release notes for an OpenSSL-3-compatible version, or use an overrides entry to lift it — the same technique covered in npm ERESOLVE.

Fix 2: the legacy-provider flag (stopgap)

When you can't upgrade right now, re-enable the legacy OpenSSL provider with an environment variable. It works immediately, but it keeps you on an old toolchain and turns deprecated algorithms back on, so treat it as a bridge:

# macOS / Linux (one-off)
export NODE_OPTIONS=--openssl-legacy-provider
npm run build

# Windows PowerShell (one-off)
$env:NODE_OPTIONS = "--openssl-legacy-provider"
npm run build

Fix 3: make the flag cross-platform in package.json

Hard-coding NODE_OPTIONS=... inline breaks on Windows. Install cross-env first (npm install -D cross-env), then wrap the scripts so one definition works everywhere:

{
  "scripts": {
    "start": "cross-env NODE_OPTIONS=--openssl-legacy-provider react-scripts start",
    "build": "cross-env NODE_OPTIONS=--openssl-legacy-provider react-scripts build"
  }
}

What not to do: downgrade Node

Dropping back to Node 16 makes the error disappear, but Node 16 is end-of-life and unsupported, so you trade a build error for missing security updates. Only do this as a very short-term unblock while you plan the upgrade — never as the resting state.

A note on the MD4 hash itself

The algorithm at the centre of this error, MD4, is used here only to name build artifacts — it secures nothing, which is why re-enabling it for a build is low-risk. For any real hashing need (checksums, content fingerprints, integrity checks) use a modern algorithm like SHA-256. You can compute SHA-256/SHA-1/MD5 hashes of text in your browser with the Hash Generator.

Debugging checklist

✓ Is the stack in createHash / new Hash? Then it's the OpenSSL 3 / MD4 issue
✓ Check node -v — 17+ means OpenSSL 3 is in play
✓ Upgrade webpack to 5.61+ or react-scripts to 5 (the real fix)
✓ Can't upgrade yet? Set NODE_OPTIONS=--openssl-legacy-provider
✓ Put it in package.json via cross-env for Windows compatibility
✓ Do a clean node_modules + lockfile reinstall after upgrading
✓ Avoid downgrading to the EOL Node 16 as a permanent fix

Frequently Asked Questions

What does 'error:0308010C:digital envelope routines::unsupported' mean?

It means a build tool asked OpenSSL for a cryptographic algorithm that OpenSSL 3 no longer enables by default — usually the legacy MD4 hash that older webpack uses to fingerprint modules. Node.js 17 and newer ship OpenSSL 3, so the call now fails with ERR_OSSL_EVP_UNSUPPORTED instead of returning a hash.

Why did it start after upgrading Node?

Node 17 upgraded its bundled OpenSSL from 1.1.1 to 3.0. OpenSSL 3 moved old algorithms like MD4 into a "legacy provider" that is off by default. Webpack 4 (and Create React App built on it) used MD4 for hashing, so the same project that built on Node 16 breaks on Node 17+.

What is the proper fix?

Upgrade the build tool. Webpack 5.61+ uses a Node-native hash that works on OpenSSL 3, and react-scripts 5 fixes it for Create React App. Updating webpack/react-scripts (and your other build dependencies) removes the error without weakening crypto. This is the long-term solution.

How do I fix it quickly without upgrading?

Set the environment variable NODE_OPTIONS=--openssl-legacy-provider before the build, which re-enables the legacy OpenSSL provider. It is a stopgap: it works immediately but keeps you on an old toolchain and re-enables deprecated crypto, so treat it as a bridge to upgrading.

How do I set the flag cross-platform in package.json?

Use cross-env so the same script works on Windows, macOS, and Linux: "start": "cross-env NODE_OPTIONS=--openssl-legacy-provider react-scripts start". Install it with npm install -D cross-env. Setting NODE_OPTIONS inline without cross-env fails on Windows.

Is --openssl-legacy-provider safe?

For local development and a build pipeline it is acceptable as a temporary measure — the MD4 hash here is used only to name build artifacts, not to secure anything. But it re-enables deprecated algorithms process-wide, so do not treat it as a permanent fix; upgrade the toolchain so you can drop the flag.

Need a real hash?

Compute SHA-256, SHA-1, or MD5 hashes of any text in your browser — nothing is uploaded to a server.

Hash Generator JSON Formatter All Error References

About the author

Pasindu Ishan is a software developer based in Sri Lanka. He builds privacy-first developer tools at JSON Dev Tools.