
CentOS 6 and TLS1.2

2019-01-08

Recently it has come to our attention that some CentOS 6 clients, while technically supporting TLS 1.1 and TLS 1.2, still default to TLS 1.0.

This can be remedied by running the following command, which will update the respective packages to the most recently available versions.

$ sudo yum update libcurl curl nss

The following bugs, which were reported in 2015, are addressed by applying the yum update.

https://bugzilla.redhat.com/show_bug.cgi?id=1289205
https://bugzilla.redhat.com/show_bug.cgi?id=1272504

Doing so ensures that YubiCloud clients on CentOS 6 both support and default to TLS 1.2.

This update is strongly recommended to avoid issues on 2019-02-04, when non-TLS 1.2 connections will be rejected completely, as mentioned in our earlier blog post.

The commands below demonstrate the issue, how the fix is applied, and finally a successful connection to a TLS 1.2-only host. Lines starting with ! denote a comment.

[vagrant@localhost ~]$ cat /etc/centos-release 
CentOS release 6.6 (Final)

! default packages included in official CentOS 6.6 release
[vagrant@localhost ~]$ yum list installed | grep -i -e ^libcurl -e ^curl -e ^nss
curl.x86_64 7.19.7-37.el6_5.3
libcurl.x86_64 7.19.7-37.el6_5.3
nss.x86_64 3.16.1-14.el6 @anaconda-CentOS-201410241409.x86_64/6.6

! fails to negotiate TLS handshake (host supports TLS1.2 only)
[vagrant@localhost ~]$ curl -q -v https://developers.yubico.com

! updating to most recently available
[vagrant@localhost ~]$ sudo yum update libcurl curl nss

! packages are upgraded; curl from -37 -> -53 and nss from 3.16 to 3.36.
[vagrant@localhost ~]$ yum list installed | grep -i -e ^libcurl -e ^curl -e ^nss
curl.x86_64 7.19.7-53.el6_9 @base 
libcurl.x86_64 7.19.7-53.el6_9 @base 
nss.x86_64 3.36.0-9.el6_10 @updates

! works successfully
[vagrant@localhost ~]$ curl -q -v -o/dev/null https://developers.yubico.com

For further information about CentOS, please check the forums at https://www.centos.org/forums/

Deprecating YubiCloud v1 protocol, plain-text requests and old TLS versions

2018-11-26

Starting on December 10th, 2018, support for YubiCloud v1 protocol, plain-text requests and old TLS protocols & ciphers will be deprecated.

On February 4th, 2019 support for such requests will be removed completely.

The vast majority of our clients are not affected by this change.

Changes

– Dropping support for YubiCloud v1 protocol

– Dropping support for plain-text requests (http:// traffic over port 80)

– Dropping support for TLS1.0 and TLS1.1 protocols

– Dropping support for 3DES TLS ciphersuites

Actions

Make sure your YubiCloud client is configured to use https:// and /wsapi/2.0/verify endpoints.

In order to check if your API client supports TLS1.2 and modern ciphersuites, please consult your programming language and operating system manuals. Alternatively you can try to establish a connection with https://mozilla-modern.badssl.com/.

Endpoints

YubiCloud endpoints are available at the following addresses:

https://api.yubico.com/wsapi/2.0/verify?id=&otp=&nonce=
https://api2.yubico.com/wsapi/2.0/verify?id=&otp=&nonce=
https://api3.yubico.com/wsapi/2.0/verify?id=&otp=&nonce=
https://api4.yubico.com/wsapi/2.0/verify?id=&otp=&nonce=
https://api5.yubico.com/wsapi/2.0/verify?id=&otp=&nonce=

To ensure high-availability, configure your client to simultaneously issue requests to all five addresses and accept the first successful reply.

In a future YubiCloud protocol version, this client-side complexity will be replaced with a single highly-available endpoint.
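The following is an added example, not Yubico's client code, showing how the Actions and Endpoints sections above translate into a client: it refuses anything but https:// and /wsapi/2.0/verify, pins the minimum TLS version to 1.2, fans the request out to all five endpoints at once and accepts the first HTTP 200. The `PLACEHOLDER_*` credential values and the constructed nonce are assumptions; substitute your own.

```python
import concurrent.futures
import ssl
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, List, Optional, Tuple

# The five v2.0 endpoints listed in the post (api, api2 ... api5).
ENDPOINTS = [f"https://api{n}.yubico.com/wsapi/2.0/verify" for n in ("", "2", "3", "4", "5")]

def tls12_context() -> ssl.SSLContext:
    # Refuse TLS 1.0/1.1 locally, so the client cannot fall back to a version YubiCloud rejects.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def verify_url(base: str, client_id: str, otp: str, nonce: str) -> str:
    # Only https:// and the /wsapi/2.0/verify path survive the deprecation.
    if not base.startswith("https://") or not base.endswith("/wsapi/2.0/verify"):
        raise ValueError(f"refusing plain-text or pre-2.0 endpoint: {base}")
    return base + "?" + urllib.parse.urlencode({"id": client_id, "otp": otp, "nonce": nonce})

def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    # Live fetch over TLS 1.2+; an HTTP error such as 410 comes back as a status, not an exception.
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=tls12_context()) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()

def first_success(urls: List[str], fetch: Callable[[str], Tuple[int, str]]) -> Optional[Tuple[str, str]]:
    # Query every endpoint at once; return (url, body) of the first HTTP 200.
    # Endpoints that fail the TLS handshake or answer 410/404 are ignored.
    # (The pool still waits for the remaining requests to finish or time out before returning.)
    with concurrent.futures.ThreadPoolExecutor(max_workers=len(urls)) as pool:
        futures = {pool.submit(fetch, u): u for u in urls}
        for fut in concurrent.futures.as_completed(futures):
            try:
                status, body = fut.result()
            except OSError:  # ssl.SSLError and URLError are OSError subclasses
                continue
            if status == 200:
                return futures[fut], body
    return None

if __name__ == "__main__":
    # PLACEHOLDER credentials: substitute your own API client id and a freshly generated OTP.
    urls = [verify_url(b, "PLACEHOLDER_ID", "PLACEHOLDER_OTP", "0123456789abcdef") for b in ENDPOINTS]
    print(first_success(urls, http_fetch))
```

A reply body still needs the protocol-level checks (status field, nonce echo, response signature) that the post does not cover; `first_success` only selects which endpoint's reply to validate.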

Detailed timeline

2018-11-26
Publication date of this blog post.

2018-12-10
Approximately 50% of requests matching the criteria above are rejected with an HTTP 410 response status.

2019-02-04
100% of requests matching the criteria above are rejected with an HTTP 410 response status.

2019-03-04
– Requests for /wsapi/verify, /wsapi/1.0/verify and /wsapi/1.1/verify return an HTTP 404 response status.
– http:// traffic is rejected at the firewall level, without any HTTP response code or redirect.
– TLS handshake requires TLS1.2 and ECDHE or AES ciphersuites.

api{2,3,4,5}.yubico.com TLS certificate renewals

2018-11-20

During the next two weeks, the TLS certificates for api2 through api5 will be renewed. The certificate for api.yubico.com will remain the same.

No service interruption is expected. If you have pinned the certificate fingerprint (not recommended), you will need to update your hard-coded information.

Below is a list showing the endpoint, the new certificate’s sha256 fingerprint and the date it will be enabled.

api2.yubico.com
DE:75:E6:FB:07:13:B1:72:8E:51:70:A5:7E:45:E2:29:CC:10:B5:59:9B:96:0F:2B:23:65:93:DF:A2:34:1A:EE
2018-11-27

api3.yubico.com
93:2D:DF:C0:58:26:EB:1A:8E:58:41:A2:9B:CF:85:4B:6D:71:CA:04:04:DA:30:AF:AE:8F:4B:4B:A5:B7:DE:28
2018-11-29

api4.yubico.com
2C:5C:27:94:1E:CB:C2:96:8D:31:F9:9F:A7:79:FB:B6:07:44:6E:2B:B0:96:6D:8B:E1:12:EC:6D:F3:52:76:7D
2018-12-04

api5.yubico.com
E0:AB:DB:3A:9B:94:D4:D8:2D:E0:E7:19:F3:C5:F4:12:BF:48:6A:67:9F:8F:05:45:DE:0E:EA:89:A5:A7:91:D9
2018-12-06

api.yubico.com TLS certificate renewed

2018-08-16

As announced in our earlier post, the TLS certificate for api.yubico.com has been renewed today, Aug 16th, 2018.

If you have pinned the CA or certificate fingerprint (not recommended), you will need to update your configuration.

[2018-08-16] api.yubico.com TLS certificate renewal

2018-08-13

On Thursday 16th August 2018, we will renew the TLS certificate for api.yubico.com.

No service interruption is expected. If you have pinned the CA or certificate fingerprint (not recommended), you will need to update your hard-coded information.

We will write a new post once the renewal has taken place.

[2018-05-10 06:00:00 UTC] upgrade scheduled downtime

2018-04-23

The hosting provider for upgrade.yubico.com will be performing scheduled maintenance on Thursday May 10th. As a result, https://upgrade.yubico.com/getapikey/ will be down starting at 2018-05-10 06:00:00 UTC. A two hour window is allocated, though the actual downtime should be much less.

For more information please view:
https://status.linode.com/incidents/8dbtk37dwm67

[2018-05-09 12:00:00 UTC] api2 scheduled downtime

2018-04-23

The hosting provider for api2.yubico.com will be performing scheduled maintenance on Wednesday May 9th. As a result, this endpoint will be down starting at 2018-05-09 12:00:00 UTC. A two hour window is allocated, though the actual downtime should be much less.

To avoid interruptions please make sure to have your YubiCloud client configured to use all five endpoints, i.e.:

https://api.yubico.com
https://api2.yubico.com
https://api3.yubico.com
https://api4.yubico.com
https://api5.yubico.com

For more information please view:
https://status.linode.com/incidents/8dbtk37dwm67