{
"$type": "site.standard.document",
"canonicalUrl": "https://johnnyreilly.com/posts/node-18-axios-and-unsafe-legacy-renegotiation-disabled",
"description": "With Node.js 18, unsafe TLS legacy renegotiation was disabled. Some APIs still need it and SSL inspection can downgrade TLS. This post shows an Axios workaround.",
"path": "/posts/node-18-axios-and-unsafe-legacy-renegotiation-disabled",
"publishedAt": "2023-03-09T00:00:00.000Z",
"site": "at://did:plc:yy3apqjlms24kso7ahn7lbmb/site.standard.publication/3mova7c4nho2b",
"tags": [
"node.js"
],
"textContent": "Node.js 18 doesn't allow legacy TLS renegotion by default. But some APIs still need it. Also, corporate network traffic network is often subject to SSL inspection and that can manifest as a downgrade in TLS negotiation. Palo Alto Networks SSL Inbound Inspection is an example of an SSL inspector that can downgrade TLS.\n\nThis post shows how to support work around this issue with Axios.\n\n\n\nThe error\n\nIf you have code that uses Node.js and Axios, you may have encountered this error when you upgraded to Node.js 18:\n\nor if you're using the Azure SDK for JavaScript, you may have seen this:\n\nWhy does this happen?\n\nThe source of this error is Node.js 18 disabling unsafe legacy TLS renegotiation. The motivation for this is noble; it's to mitigate CVE-2009-3555.\n\nAlas, there are APIs that still use legacy TLS negotiation. And SSL inspection can make APIs that actually do support modern TLS appear as though they do not. I first encountered this issue when working with the Teams webhook API, and for a while incorrectly thought that the fault was with the API. It was not, it lay with Palo Alto Networks SSL Inbound Inspection.\n\nI subsequently encountered the self same issue with the Azure SDK for JavaScript and in discussion with the team the SSL inspection was identified as a likely cause. We were further able to confirm that SSL inspection was the cause by working with our network team to disable SSL inspection for the API in question. This resolved the issue.\n\nWorking around the issue\n\nBut what say you can't disable SSL inspection? Or what if you're using an API that doesn't support modern TLS negotiation? Well, you can work around the issue by allowing legacy TLS renegotiation.\n\nI found details on how to do this using Axios on Stack Overflow. I kept needing to come back to it again and again, so I wrote this up to make the solution easier for me to find.\n\nSo if you are facing this issue, here's how to work around it with Axios.\n\nThere's not much going on here; we're just telling Axios to use an https agent that allows legacy TLS renegotiation. No more than that. With this approach, you can make Axios requests to APIs that use legacy TLS renegotiation. I'd love to be able to do this with the Fetch API, but I haven't found a way to do that yet.\n\nSummary\n\nNode.js 18 disables unsafe legacy TLS renegotiation by default. This can cause issues with APIs that still use legacy TLS renegotiation. It can also cause issues if your requests are subject to SSL inspection.\n\nThis post demonstrates how to work around the issue with Axios.",
"title": "Node.js 18, Axios and unsafe legacy renegotiation disabled"
}