Deprecating YubiCloud v1 protocol, plain-text requests and old TLS versions

2018-11-26

Starting on December 10th, 2018, support for YubiCloud v1 protocol, plain-text requests and old TLS protocols & ciphers will be deprecated.

On February 4th, 2019, support for such requests will be removed completely.

The vast majority of our clients are not affected by this change.

Changes

– Dropping support for YubiCloud v1 protocol

– Dropping support for plain-text requests (http:// traffic over port 80)

– Dropping support for TLS1.0 and TLS1.1 protocols

– Dropping support for 3DES TLS ciphersuites

Actions

Make sure your YubiCloud client is configured to use https:// and /wsapi/2.0/verify endpoints.

In order to check if your API client supports TLS1.2 and modern ciphersuites, please consult your programming language and operating system manuals. Alternatively, you can try to establish a connection with https://mozilla-modern.badssl.com/.

Endpoints

YubiCloud endpoints are available at the following addresses:

https://api.yubico.com/wsapi/2.0/verify?id=&otp=&nonce=
https://api2.yubico.com/wsapi/2.0/verify?id=&otp=&nonce=
https://api3.yubico.com/wsapi/2.0/verify?id=&otp=&nonce=
https://api4.yubico.com/wsapi/2.0/verify?id=&otp=&nonce=
https://api5.yubico.com/wsapi/2.0/verify?id=&otp=&nonce=

To ensure high availability, configure your client to simultaneously issue requests to all five addresses and accept the first successful reply.

In a future YubiCloud protocol version, this client-side complexity will be replaced with a single highly-available endpoint.
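
The client behaviour asked for under Actions and Endpoints, sketched in Python as an added example (not Yubico's client code): a TLS 1.2 floor on the connection and a parallel query to all five addresses that returns the first successful reply. The `status=` key/value reply format, the function names and the injectable `fetch` transport are assumptions not stated in this post.

```python
import secrets
import ssl
import urllib.request
from concurrent.futures import ThreadPoolExecutor, as_completed
from urllib.parse import urlencode

HOSTS = ["api", "api2", "api3", "api4", "api5"]  # the five addresses listed above
ENDPOINTS = [f"https://{h}.yubico.com/wsapi/2.0/verify" for h in HOSTS]

def tls12_context():
    """Client context that refuses TLS 1.0/1.1 and verifies the server certificate."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def https_fetch(url, timeout=5.0):
    """Default transport: GET over HTTPS and return the reply body as text."""
    with urllib.request.urlopen(url, timeout=timeout, context=tls12_context()) as r:
        return r.read().decode("utf-8", "replace")

def parse_status(body):
    """Assumption: the reply is key=value lines that include a 'status' line."""
    fields = dict(line.split("=", 1) for line in body.splitlines() if "=" in line)
    return fields.get("status", "")

def verify_parallel(client_id, otp, fetch=https_fetch, endpoints=ENDPOINTS):
    """Query every endpoint at once; return (endpoint, status) of the first OK reply."""
    query = urlencode({"id": client_id, "otp": otp, "nonce": secrets.token_hex(16)})
    failures = {}
    pool = ThreadPoolExecutor(max_workers=len(endpoints))
    try:
        futures = {pool.submit(fetch, f"{ep}?{query}"): ep for ep in endpoints}
        for fut in as_completed(futures):
            ep = futures[fut]
            try:
                status = parse_status(fut.result())
            except Exception as exc:   # timeout, TLS failure, HTTP 410/404, ...
                failures[ep] = repr(exc)
                continue
            if status == "OK":
                return ep, status
            failures[ep] = status      # not successful: wait for another server
        raise RuntimeError(f"no endpoint returned OK: {failures}")
    finally:
        pool.shutdown(wait=False)      # do not block on the slower servers
```

Passing a different `fetch` callable lets the selection logic be exercised without network access; with the default transport, a client that cannot negotiate TLS 1.2 fails at the handshake instead of silently falling back.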

Detailed timeline

2018-11-26
Publication date of this blog post.

2018-12-10
Approximately 50% of traffic matching these criteria is rejected with an HTTP 410 response status.

2019-02-04
100% of traffic matching these criteria is rejected with an HTTP 410 response status.

2019-03-04
– Requests for /wsapi/verify, /wsapi/1.0/verify and /wsapi/1.1/verify return an HTTP 404 response status.
– http:// traffic is rejected on the firewall level without any HTTP response code or redirects.
– TLS handshake requires TLS1.2 and ECDHE or AES ciphersuites.

api{2,3,4,5}.yubico.com TLS certificate renewals

2018-11-20

During the next two weeks, the TLS certificates for api2 through api5 will be renewed. The certificate for api.yubico.com will remain the same.

No service interruption is expected. If you have pinned the certificate fingerprint (not recommended), you will need to update your hard-coded information.

Below is a list showing the endpoint, the new certificate’s sha256 fingerprint and the date it will be enabled.

api2.yubico.com
DE:75:E6:FB:07:13:B1:72:8E:51:70:A5:7E:45:E2:29:CC:10:B5:59:9B:96:0F:2B:23:65:93:DF:A2:34:1A:EE
2018-11-27

api3.yubico.com
93:2D:DF:C0:58:26:EB:1A:8E:58:41:A2:9B:CF:85:4B:6D:71:CA:04:04:DA:30:AF:AE:8F:4B:4B:A5:B7:DE:28
2018-11-29

api4.yubico.com
2C:5C:27:94:1E:CB:C2:96:8D:31:F9:9F:A7:79:FB:B6:07:44:6E:2B:B0:96:6D:8B:E1:12:EC:6D:F3:52:76:7D
2018-12-04

api5.yubico.com
E0:AB:DB:3A:9B:94:D4:D8:2D:E0:E7:19:F3:C5:F4:12:BF:48:6A:67:9F:8F:05:45:DE:0E:EA:89:A5:A7:91:D9
2018-12-06

api.yubico.com TLS certificate renewed

2018-08-16

As mentioned earlier in this post, the TLS certificate for api.yubico.com has been renewed today, Aug 16th, 2018.

If you have pinned the CA or certificate fingerprint (not recommended), you will need to update your configuration.

[2018-08-16] api.yubico.com TLS certificate renewal

2018-08-13

On Thursday 16th August 2018, we will renew the TLS certificate for api.yubico.com.

No service interruption is expected. If you have pinned the CA or certificate fingerprint (not recommended), you will need to update your hard-coded information.

We will write a new post once the renewal has taken place.

[2018-05-10 06:00:00 UTC] upgrade scheduled downtime

2018-04-23

The hosting provider for upgrade.yubico.com will be performing scheduled maintenance on Thursday May 10th. As a result, https://upgrade.yubico.com/getapikey/ will be down starting at 2018-05-10 06:00:00 UTC. A two hour window is allocated, though the actual downtime should be much less.

For more information please view:
https://status.linode.com/incidents/8dbtk37dwm67

[2018-05-09 12:00:00 UTC] api2 scheduled downtime

2018-04-23

The hosting provider for api2.yubico.com will be performing scheduled maintenance on Wednesday May 9th. As a result, this endpoint will be down starting at 2018-05-09 12:00:00 UTC. A two hour window is allocated, though the actual downtime should be much less.

To avoid interruptions please make sure to have your YubiCloud client configured to use all five endpoints, i.e.:

https://api.yubico.com
https://api2.yubico.com
https://api3.yubico.com
https://api4.yubico.com
https://api5.yubico.com

For more information please view:
https://status.linode.com/incidents/8dbtk37dwm67

[2018-04-27 22:00:00 UTC] api5 scheduled downtime

2018-04-23

The hosting provider for api5.yubico.com will be performing scheduled maintenance this Friday April 27th. As a result, this endpoint will be down starting at 2018-04-27 22:00:00 UTC. A two hour window is allocated, though the actual downtime should be much less.

To avoid interruptions please make sure to have your YubiCloud client configured to use all five endpoints, i.e.:

https://api.yubico.com
https://api2.yubico.com
https://api3.yubico.com
https://api4.yubico.com
https://api5.yubico.com

For more information please view:
https://status.linode.com/incidents/8dbtk37dwm67