I just updated my Mastodon server to the latest version due to a security vulnerability. I got a 500 page and error:0308010C:digital envelope routines::unsupported in the logs from mastodon-web.

I could reproduce by running bin/webpack from the command line. Some searching led me to try Node 16 LTS, but then I get an apparently blank page when I load the site and call to eval() blocked by CSP in the browser console.

The API works normally; this only affects the website.

  • @ZakOP
    link
    English
    2
    edit-2
    1 year ago

    Solved-ish.

    I got webpack to run reliably by replacing its use of md4 with sha256 in these files:

    $ grep -r md4 node_modules/webpack
    node_modules/webpack/lib/ModuleFilenameHelpers.js:      const hash = createHash("md4");
    node_modules/webpack/lib/optimize/ConcatenatedModule.js:                const hash = createHash("md4");
    node_modules/webpack/lib/optimize/SplitChunksPlugin.js:         .createHash("md4")
    node_modules/webpack/lib/NamedModulesPlugin.js: const hash = createHash("md4");
    node_modules/webpack/lib/SourceMapDevToolPlugin.js:                                                             contentHash: createHash("md4")
    node_modules/webpack/lib/WebpackOptionsDefaulter.js:            this.set("output.hashFunction", "md4");
    node_modules/webpack/lib/HashedModuleIdsPlugin.js:                              hashFunction: "md4",
    

    then in `config/initializers/content_security_policy.rb’, I replaced the line

    .script_src :self, assets_host, "'wasm-unsafe-eval'"

    with

    p.script_src :self, assets_host, "'wasm-unsafe-eval' 'unsafe-eval'"

    This seems like way more tinkering with the code and defaults than I should need to keep the server running so I’ll probably dig more later. I hope this post ends up being useful to anyone else having an issue.