It was quite annoying that, after upgrading node.js from v16 to v20, one of my old scripts stopped working and was throwing AxiosError: Request failed with status code 403. I knew it was the node version because, as soon as I switch back to node v16, the problem disappears.
After hours of debugging, it turns out to be the term !CAMELLIA (i.e. don’t use Camellia-based algorithm) in node’s default cipher list, probably introduced after v18. It wasn’t clear to me why the remote endpoint requires such algorithm, but as soon as I remove the term everything was working again.
const agent = new https.Agent({
// Note it is almost the same as node v20's default cipher list except without `!CAMELLIA`
ciphers: 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP'
})
// Override the http.agent with ours
axios.post("https://the-picky-endpoint.com", {}, { httpsAgent: agent })
Finally! Onwards!
