YubiCloud issue with some Java clients

Last Thursday, after the upgrade to api.yubico.com, the YubiCloud appeared offline for some Java clients using SSL/TLS. This post tries to explain the cause behind the issue and how we are mitigating it in the future.

As a web server, we are using Apache with SSLHonorCipherOrder on and SSLCipherSuite as follows (in order of preferece; preferred -> less preferred):

ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256
DHE-DSS-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA256
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA
DHE-RSA-AES256-SHA
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA256
AES256-SHA256
AES128-SHA
AES256-SHA
SRP-DSS-AES-256-CBC-SHA
SRP-RSA-AES-256-CBC-SHA
SRP-AES-256-CBC-SHA
DHE-DSS-AES256-SHA256
SRP-DSS-AES-128-CBC-SHA
SRP-RSA-AES-128-CBC-SHA
SRP-AES-128-CBC-SHA
DHE-DSS-AES128-SHA
DHE-RSA-CAMELLIA256-SHA
DHE-DSS-CAMELLIA256-SHA
CAMELLIA256-SHA
DHE-RSA-CAMELLIA128-SHA
DHE-DSS-CAMELLIA128-SHA
CAMELLIA128-SHA
DES-CBC3-SHA

The affected Java clients were negotiating a TLS handshake using DHE. Before the upgrade, this was working fine, as Apache was using a DH prime length of 1024 bits.

However, after the upgrade, Apache’s minimum DH prime length became 2048 bits, as explained here:

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#SSLCertificateFile

This cause Java clients without >1024 bit support to abort the TLS handshake and ultimately fail to send their http requests.

Some of our customers reported the issue to us and as a temporary fix we disabled DHE. This allows the affected clients to use other ciphers (usually AES128-SHA) while clients with better support continue using ECDHE.

This issue took place between 2015-07-09 10:56:43 UTC (when DNS was updated) and 2015-07-09 17:27:13 UTC (when DHE was disabled). It affected only a small percentage of our client base, clients running old Java versions. Since we want to enable DHE to all other clients, we are asking these customers to upgrade to a recent Java which has >1024 bit support.

To mitigate such issues in the future:

1. We started logging SSL/TLS handshakes on our servers, so that issues such as this one are visible to us and can be fixed sooner (in particular, before rolling out such changes across all our YubiCloud endpoints).

2. We updated our Java client to be more verbose and log such errors.

https://github.com/Yubico/yubico-java-client/commit/b13b813177a64c7b8ac0984e1c1634ec373c97a4