
Upcoming IP changes to api, api2 and api5

2019-03-07

During March 2019, the DNS records for api.yubico.com, api2.yubico.com and api5.yubico.com
will point to new addresses. Details can be found below.

api3.yubico.com and api4.yubico.com addresses will remain the same.

[2019-03-12 09:00:00 UTC] api.yubico.com

Current IPv4: 23.253.41.154
Current IPv6: 2001:4801:7824:103:be76:4eff:fe10:77c6

New IPv4: 104.130.204.190
New IPv6: 2001:4801:7827:102:be76:4eff:fe10:6cd3

[2019-03-19 09:00:00 UTC] api5.yubico.com

Current IPv4: 109.74.193.72
Current IPv6: 2a01:7e00::f03c:91ff:fe98:2109

New IPv4: 109.237.24.116
New IPv6: 2a01:7e00::f03c:91ff:fe82:071b

[2019-03-26 09:00:00 UTC] api2.yubico.com

Current IPv4: 45.79.101.81
Current IPv6: 2600:3c01::f03c:91ff:fe37:74ec

New IPv4: 50.116.2.229
New IPv6: 2600:3c01::f03c:91ff:fe82:0768

YubiCloud no longer accepting v1 protocol, plain-text or old TLS version requests

2019-02-04

As mentioned in an earlier blog post, as of today, February 4th 2019, YubiCloud no longer accepts requests using the V1 protocol, plain-text (non-https) connections, or the TLS1.0 or TLS1.1 protocols.

Please see the original blog post for further details and ensure your YubiCloud clients are updated to use YubiCloud protocol V2, https and TLS1.2.

CentOS 6 and TLS1.2

2019-01-08

Recently it has come to our attention that some CentOS 6 clients, while technically supporting TLS 1.1 and TLS 1.2, still default to TLS 1.0.

This can be remedied by running the following command, which will update the respective packages to the most recently available versions.

$ sudo yum update libcurl curl nss

The following bugs, which were reported in 2015, are addressed by applying the yum update.

https://bugzilla.redhat.com/show_bug.cgi?id=1289205
https://bugzilla.redhat.com/show_bug.cgi?id=1272504

Doing so will ensure YubiCloud clients on CentOS will default to, and support, TLS1.2.

This update is strongly recommended to avoid issues on 2019-02-04, when non-TLS1.2 connections will be completely rejected, as mentioned in our earlier blog post.

The commands below demonstrate the issue, how the fix is applied, and finally a successful connection to a TLS1.2-only host. Lines starting with ! denote a comment.

[vagrant@localhost ~]$ cat /etc/centos-release 
CentOS release 6.6 (Final)

! default packages included in official CentOS 6.6 release
[vagrant@localhost ~]$ yum list installed | grep -i -e ^libcurl -e ^curl -e ^nss
curl.x86_64 7.19.7-37.el6_5.3
libcurl.x86_64 7.19.7-37.el6_5.3
nss.x86_64 3.16.1-14.el6 @anaconda-CentOS-201410241409.x86_64/6.6

! fails to negotiate TLS handshake (host supports TLS1.2 only)
[vagrant@localhost ~]$ curl -q -v https://developers.yubico.com

! updating to most recently available
[vagrant@localhost ~]$ sudo yum update libcurl curl nss

! packages are upgraded; curl from -37 -> -53 and nss from 3.16 to 3.36.
[vagrant@localhost ~]$ yum list installed | grep -i -e ^libcurl -e ^curl -e ^nss
curl.x86_64 7.19.7-53.el6_9 @base 
libcurl.x86_64 7.19.7-53.el6_9 @base 
nss.x86_64 3.36.0-9.el6_10 @updates

! works successfully
[vagrant@localhost ~]$ curl -q -v -o/dev/null https://developers.yubico.com

For further information about CentOS, please check the forums at https://www.centos.org/forums/

Deprecating YubiCloud v1 protocol, plain-text requests and old TLS versions

2018-11-26

Starting on December 10th, 2018, support for YubiCloud v1 protocol, plain-text requests and old TLS protocols & ciphers will be deprecated.

On February 4th, 2019 support for such requests will be removed completely.

The vast majority of our clients are not affected by this change.

Changes

– Dropping support for YubiCloud v1 protocol

– Dropping support for plain-text requests (http:// traffic over port 80)

– Dropping support for TLS1.0 and TLS1.1 protocols

– Dropping support for 3DES TLS ciphersuites

Actions

Make sure your YubiCloud client is configured to use https:// and /wsapi/2.0/verify endpoints.

In order to check if your API client supports TLS1.2 and modern ciphersuites, please consult your programming language and operating system manuals. Alternatively you can try to establish a connection with https://mozilla-modern.badssl.com/.

Endpoints

YubiCloud endpoints are available at the following addresses:

https://api.yubico.com/wsapi/2.0/verify?id=&otp=&nonce=
https://api2.yubico.com/wsapi/2.0/verify?id=&otp=&nonce=
https://api3.yubico.com/wsapi/2.0/verify?id=&otp=&nonce=
https://api4.yubico.com/wsapi/2.0/verify?id=&otp=&nonce=
https://api5.yubico.com/wsapi/2.0/verify?id=&otp=&nonce=

To ensure high-availability, configure your client to simultaneously issue requests to all five addresses and accept the first successful reply.

In a future YubiCloud protocol version, this client-side complexity will be replaced with a single highly-available endpoint.
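
The client behaviour asked for under Actions and Endpoints, as an added example (not Yubico's client code): it refuses anything below TLS 1.2, queries all five hosts in parallel and returns the first acceptable reply. It assumes the v2 reply is a set of key=value lines carrying status, otp and nonce, which this page does not show; the names tls12_context, https_get, parse_reply and verify are hypothetical, and checking the reply's signature is left out.

```python
import concurrent.futures as cf
import ssl
import urllib.parse
import urllib.request

# Hostnames and path are the ones listed in the post above.
HOSTS = ["api", "api2", "api3", "api4", "api5"]
URL = "https://{}.yubico.com/wsapi/2.0/verify?{}"


def tls12_context():
    """Default CA and hostname checks, refusing anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def https_get(url, timeout=5):
    """Fetch one endpoint; raises on TLS, network or HTTP errors (410, 404)."""
    with urllib.request.urlopen(url, timeout=timeout, context=tls12_context()) as r:
        return r.read().decode()


def parse_reply(body):
    """Assumed reply format: one key=value pair per line."""
    pairs = (line.split("=", 1) for line in body.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}


def verify(client_id, otp, nonce, fetch=https_get):
    """Query all five hosts at once; return the first acceptable reply or None."""
    query = urllib.parse.urlencode({"id": client_id, "otp": otp, "nonce": nonce})
    pool = cf.ThreadPoolExecutor(max_workers=len(HOSTS))
    futures = [pool.submit(fetch, URL.format(h, query)) for h in HOSTS]
    try:
        for fut in cf.as_completed(futures):
            try:
                reply = parse_reply(fut.result())
            except Exception:
                continue  # this host failed; another may still answer
            # Assumption: accept only status=OK that echoes our otp and nonce,
            # so a stale or mismatched reply is never taken as success.
            if (reply.get("status") == "OK" and reply.get("otp") == otp
                    and reply.get("nonce") == nonce):
                return reply
        return None  # fail closed: no host vouched for this OTP
    finally:
        pool.shutdown(wait=False)
```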

Detailed timeline

2018-11-26
Publication date of this blog post.

2018-12-10
Approximately 50% of traffic matching the criteria is rejected with an HTTP 410 response status.

2019-02-04
100% of traffic matching the criteria is rejected with an HTTP 410 response status.

2019-03-04
– Requests for /wsapi/verify, /wsapi/1.0/verify and /wsapi/1.1/verify return an HTTP 404 response status.
– http:// traffic is rejected on the firewall level without any HTTP response code or redirects.
– TLS handshake requires TLS1.2 and ECDHE or AES ciphersuites.

api{2,3,4,5}.yubico.com TLS certificate renewals

2018-11-20

During the next two weeks, the TLS certificates for api 2-5 will be renewed. The certificate for api.yubico.com will remain the same.

No service interruption is expected. If you have pinned the certificate fingerprint (not recommended), you will need to update your hard-coded information.

Below is a list showing the endpoint, the new certificate’s sha256 fingerprint and the date it will be enabled.

api2.yubico.com
DE:75:E6:FB:07:13:B1:72:8E:51:70:A5:7E:45:E2:29:CC:10:B5:59:9B:96:0F:2B:23:65:93:DF:A2:34:1A:EE
2018-11-27

api3.yubico.com
93:2D:DF:C0:58:26:EB:1A:8E:58:41:A2:9B:CF:85:4B:6D:71:CA:04:04:DA:30:AF:AE:8F:4B:4B:A5:B7:DE:28
2018-11-29

api4.yubico.com
2C:5C:27:94:1E:CB:C2:96:8D:31:F9:9F:A7:79:FB:B6:07:44:6E:2B:B0:96:6D:8B:E1:12:EC:6D:F3:52:76:7D
2018-12-04

api5.yubico.com
E0:AB:DB:3A:9B:94:D4:D8:2D:E0:E7:19:F3:C5:F4:12:BF:48:6A:67:9F:8F:05:45:DE:0E:EA:89:A5:A7:91:D9
2018-12-06

api.yubico.com TLS certificate renewed

2018-08-16

As mentioned earlier in this post, the TLS certificate for api.yubico.com has been renewed today, Aug 16th, 2018.

If you have pinned the CA or certificate fingerprint (not recommended), you will need to update your configuration.

[2018-08-16] api.yubico.com TLS certificate renewal

2018-08-13

On Thursday 16th August 2018, we will renew the TLS certificate for api.yubico.com.

No service interruption is expected. If you have pinned the CA or certificate fingerprint (not recommended), you will need to update your hard-coded information.

We will write a new post once the renewal has taken place.