You may encounter an error:0308010C:digital envelope routines unsupported message when attempting to execute commands in newer versions of macOS.
Starting with OpenSSL 3.0, OpenSSL introduces some significant changes to its algorithms, moving the MD4 algorithms into OpenSSL 3.0's legacy provider. A provider in OpenSSL is a collection of algorithms that can be added to an application when required. The legacy provider contains algorithms that are considered outdated and less secure, and it does not load by default.
The simplest way to resolve this error is to modify your command to bring back support for legacy algorithms.
In this example, we'll use the openssl pkcs12 command to parse a PKCS#12 file to a PEM file on macOS Sonoma running OpenSSL 3.1.4.
example:
openssl pkcs12 -in apns.p12 -out apns.pem -nodes
This throws the following error:
Error outputting keys and certificates
409CEAE301000000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:341:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
To resolve the error, you can bring back support for legacy algorithms in OpenSSL for this one command by adding the -legacy option.
example:
openssl pkcs12 -in apns.p12 -out apns.pem -nodes -legacy
You can permanently have OpenSSL load legacy providers if required. Here's how.
Step One
Check to see which providers are loaded using the following command...
openssl list -providers
Step Two
Find the directory in which your openssl configuration file is located...
openssl version -d
Step Three
Open the configuration file for editing, using the directory information found in the previous command. Enter your administrative password if prompted.
sudo nano /opt/homebrew/etc/openssl@3/openssl.cnf
Step Four
Under the [provider_sect] section, add the following line:
legacy = legacy_sect
Step Five
Under the [default_sect] section, uncomment the "activate = 1" line by removing the # symbol:
[default_sect]
activate = 1
Step Six
Below that, add the following new section:
[legacy_sect]
activate = 1
Step Seven
Press Control+X to exit the file, then press Y to save your changes.
Hit Return to confirm the file name to write.
Step Eight
You can now verify that legacy providers are loaded with the following command:
openssl list -providers
Step Nine
Finally, try your initial command again to verify that error:0308010C:digital envelope routines unsupported is gone.
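The steps above change the configuration for every program that reads that openssl.cnf. As an added example (not part of the original article), the script below puts the same provider sections in a separate file and applies them to a single command through the OPENSSL_CONF environment variable; it also checks the `openssl list -providers` output from Steps One and Eight. The function names and file paths are illustrative assumptions.

```sh
#!/bin/sh
# Added example: keep the legacy provider in a separate config file and opt in
# per command, leaving the system-wide openssl.cnf unchanged.

# Write a minimal config that activates the default and legacy providers.
# It mirrors the sections edited in Steps Four to Six.
write_legacy_conf() {
    cat > "$1" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
EOF
}

# Run one command with that config. OPENSSL_CONF replaces the default config
# file for this process only.
with_legacy() {
    conf=$1
    shift
    OPENSSL_CONF="$conf" "$@"
}

# Read "openssl list -providers" output on stdin; succeed only if the legacy
# provider is listed with "status: active".
legacy_active() {
    awk 'NF == 1 { cur = $1 }
         cur == "legacy" && /status: active/ { ok = 1 }
         END { exit (ok ? 0 : 1) }'
}

# Usage (paths are illustrative; apns.p12 is the file from the article):
#   write_legacy_conf "$HOME/openssl-legacy.cnf"
#   with_legacy "$HOME/openssl-legacy.cnf" openssl list -providers | legacy_active
#   with_legacy "$HOME/openssl-legacy.cnf" openssl pkcs12 -in apns.p12 -out apns.pem -nodes
```

Commands run without the wrapper keep the default provider set, so the outdated algorithms are available only where you ask for them.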