A slightly updated answer (since I ran into this problem in different circumstances.)
When you connect to a server using SSL, the first thing the server does is present a certificate which says "I am api.dropbox.com." The certificate has a "subject" and the subject has a "CN" (short for "common name".) The certificate may also have one or more "subjectAltNames". When node.js connects to a server, node.js fetches this certificate, and then verifies that the domain name it thinks it's connecting to (api.dropbox.com) matches either the subject's CN or one of the altnames. Note that, in node 0.10.x, if you connect using an IP, the IP address has to be in the altnames - node.js will not try to verify the IP against the CN.
Setting the rejectUnauthorized flag to false will get around this check, but first of all, if the server is giving you different credentials than you are expecting, something fishy is going on, and second, this will also bypass other checks - it's not a good idea if you're connecting over the Internet.
If you are using node >= 0.11.x, you can also specify a checkServerIdentity: function(host, cert) function to the tls module, which should return true if you want to allow the connection and false otherwise (although I don't know if request will proxy this flag through to tls for you.) It can be handy to declare such a function and console.log(host, cert); to figure out what the heck is going on.