
Deprecating YubiCloud v1 protocol, plain-text requests and old TLS versions

2018-11-26

Starting on December 10th, 2018, support for YubiCloud v1 protocol, plain-text requests and old TLS protocols & ciphers will be deprecated.

On February 4th, 2019 support for such requests will be removed completely.

The vast majority of our clients are not affected by this change.

Changes

– Dropping support for YubiCloud v1 protocol

– Dropping support for plain-text requests (http:// traffic over port 80)

– Dropping support for TLS1.0 and TLS1.1 protocols

– Dropping support for 3DES TLS ciphersuites

Actions

Make sure your YubiCloud client is configured to use https:// and /wsapi/2.0/verify endpoints.

To check whether your API client supports TLS1.2 and modern ciphersuites, please consult your programming language and operating system manuals. Alternatively, you can try to establish a connection with https://mozilla-modern.badssl.com/.

Endpoints

YubiCloud endpoints are available at the following addresses:

https://api.yubico.com/wsapi/2.0/verify?id=&otp=&nonce=
https://api2.yubico.com/wsapi/2.0/verify?id=&otp=&nonce=
https://api3.yubico.com/wsapi/2.0/verify?id=&otp=&nonce=
https://api4.yubico.com/wsapi/2.0/verify?id=&otp=&nonce=
https://api5.yubico.com/wsapi/2.0/verify?id=&otp=&nonce=

To ensure high-availability, configure your client to simultaneously issue requests to all five addresses and accept the first successful reply.

In a future YubiCloud protocol version, this client-side complexity will be replaced with a single highly-available endpoint.
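The client behaviour asked for in the Actions and Endpoints sections, as an added Python example (not Yubico's own client code): it refuses http:// and pre-2.0 paths, requires TLS 1.2 or newer, queries all five addresses in parallel and returns the first successful reply. The key=value reply format, the `status=OK` success test, and the names `verify`, `check_endpoint` and `fetch` are assumptions not stated in this post.

```python
import ssl
import urllib.request
from concurrent.futures import ThreadPoolExecutor, as_completed
from urllib.parse import urlencode, urlsplit

# The five addresses listed in the post.
ENDPOINTS = [f"https://{h}.yubico.com/wsapi/2.0/verify"
             for h in ("api", "api2", "api3", "api4", "api5")]

def tls12_context():
    """Certificate-verifying context that refuses TLS 1.0 and 1.1."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def check_endpoint(url):
    """Reject settings the deprecation breaks: http:// and pre-2.0 paths."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"plain-text endpoint: {url}")
    if parts.path != "/wsapi/2.0/verify":
        raise ValueError(f"not a v2 verify endpoint: {url}")
    return url

def https_fetch(url, timeout=5):
    with urllib.request.urlopen(url, timeout=timeout, context=tls12_context()) as r:
        return r.status, r.read().decode()

def parse_reply(body):
    # Assumed reply format: one key=value pair per line.
    lines = (ln.strip() for ln in body.splitlines())
    return dict(ln.split("=", 1) for ln in lines if "=" in ln)

def verify(client_id, otp, nonce, endpoints=ENDPOINTS, fetch=https_fetch):
    """Query every endpoint at once; return the first successful reply or None."""
    query = urlencode({"id": client_id, "otp": otp, "nonce": nonce})
    urls = [check_endpoint(u) + "?" + query for u in endpoints]
    pool = ThreadPoolExecutor(max_workers=len(urls))
    try:
        for fut in as_completed([pool.submit(fetch, u) for u in urls]):
            try:
                status, body = fut.result()
            except Exception:
                continue  # timeout, TLS failure, HTTP 410/404, host down
            reply = parse_reply(body)
            # Assumed success test: status=OK and our own otp and nonce echoed.
            if (status == 200 and reply.get("status") == "OK"
                    and reply.get("otp") == otp and reply.get("nonce") == nonce):
                return reply
        return None
    finally:
        pool.shutdown(wait=False, cancel_futures=True)
```

A return value of `None` means no endpoint produced a successful reply, so the caller should treat the OTP as not validated.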

Detailed timeline

2018-11-26
Publication date of this blog post.

2018-12-10
Approximately 50% of traffic matching the criteria is rejected with an HTTP 410 response status.

2019-02-04
100% of traffic matching the criteria is rejected with an HTTP 410 response status.

2019-03-04
– Requests for /wsapi/verify, /wsapi/1.0/verify and /wsapi/1.1/verify return an HTTP 404 response status.
– http:// traffic is rejected on the firewall level without any HTTP response code or redirects.
– TLS handshake requires TLS1.2 and ECDHE or AES ciphersuites.
