
Maintenance on


On Monday, April 15th, 2019 we will perform maintenance on

The service will be unavailable between 11:00 and 13:00 UTC.

[2019-04-02 09:00:00 UTC] Upcoming IP change to


On Tuesday, April 2nd, 2019, the DNS record for will point to new addresses. Details can be found below.

Current IPv4:
Current IPv6: 2a01:4f8:c17:2bfe::2

New IPv4:
New IPv6: 2a01:4f8:c2c:313d::1

Upcoming IP changes to api, api2 and api5


During March 2019, the DNS records for, and
will point to new addresses. Details can be found below. and addresses will remain the same.

[2019-03-12 09:00:00 UTC]

Current IPv4:
Current IPv6: 2001:4801:7824:103:be76:4eff:fe10:77c6

New IPv4:
New IPv6: 2001:4801:7827:102:be76:4eff:fe10:6cd3

[2019-03-19 09:00:00 UTC]

Current IPv4:
Current IPv6: 2a01:7e00::f03c:91ff:fe98:2109

New IPv4:
New IPv6: 2a01:7e00::f03c:91ff:fe82:071b

[2019-03-26 09:00:00 UTC]

Current IPv4:
Current IPv6: 2600:3c01::f03c:91ff:fe37:74ec

New IPv4:
New IPv6: 2600:3c01::f03c:91ff:fe82:0768

YubiCloud no longer accepting v1 protocol, plain-text or old TLS version requests


As mentioned in an earlier blog post, as of today, February 4th 2019, YubiCloud no longer accepts requests that use the v1 protocol, plain text (non-https), or the TLS1.0 or TLS1.1 protocols.

Please see the original blog post for further details and ensure your YubiCloud clients are updated to use YubiCloud protocol V2, https and TLS1.2.

CentOS 6 and TLS1.2


Recently it has come to our attention that some CentOS 6 clients, while technically supporting TLS 1.1 and TLS 1.2, still default to TLS 1.0.

This can be remedied by running the following command, which will update the respective packages to the most recently available versions.

$ sudo yum update libcurl curl nss

The following bugs, which were reported in 2015, are addressed by applying the yum update.

Doing so ensures that YubiCloud clients on CentOS support TLS1.2 and use it by default.

This update is strongly recommended to avoid issues on 2019-02-04, when non-TLS1.2 connections will be completely rejected, as mentioned in our earlier blog post.

The commands below demonstrate the issue, apply the fix, and finally establish a connection with a TLS1.2-only host. Lines starting with ! denote a comment.

[vagrant@localhost ~]$ cat /etc/centos-release 
CentOS release 6.6 (Final)

! default packages included in official CentOS 6.6 release
[vagrant@localhost ~]$ yum list installed | grep -i -e ^libcurl -e ^curl -e ^nss
curl.x86_64 7.19.7-37.el6_5.3
libcurl.x86_64 7.19.7-37.el6_5.3
nss.x86_64 3.16.1-14.el6 @anaconda-CentOS-201410241409.x86_64/6.6

! fails to negotiate TLS handshake (host supports TLS1.2 only)
[vagrant@localhost ~]$ curl -q -v

! updating to most recently available
[vagrant@localhost ~]$ sudo yum update libcurl curl nss

! packages are upgraded; curl from -37 -> -53 and nss from 3.16 to 3.36.
[vagrant@localhost ~]$ yum list installed | grep -i -e ^libcurl -e ^curl -e ^nss
curl.x86_64 7.19.7-53.el6_9 @base 
libcurl.x86_64 7.19.7-53.el6_9 @base 
nss.x86_64 3.36.0-9.el6_10 @updates

! works successfully
[vagrant@localhost ~]$ curl -q -v -o/dev/null

For further information about CentOS, please check the forums at

Deprecating YubiCloud v1 protocol, plain-text requests and old TLS versions


Starting on December 10th, 2018, support for YubiCloud v1 protocol, plain-text requests and old TLS protocols & ciphers will be deprecated.

On February 4th, 2019 support for such requests will be removed completely.

The vast majority of our clients are not affected by this change.


– Dropping support for YubiCloud v1 protocol

– Dropping support for plain-text requests (http:// traffic over port 80)

– Dropping support for TLS1.0 and TLS1.1 protocols

– Dropping support for 3DES TLS ciphersuites


Make sure your YubiCloud client is configured to use https:// and /wsapi/2.0/verify endpoints.

In order to check if your API client supports TLS1.2 and modern ciphersuites, please consult your programming language and operating system manuals. Alternatively you can try to establish a connection with


YubiCloud endpoints are available at the following addresses:

To ensure high-availability, configure your client to simultaneously issue requests to all five addresses and accept the first successful reply.

In a future YubiCloud protocol version, this client-side complexity will be replaced with a single highly-available endpoint.
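The parallel-request advice above, sketched as an added example (not Yubico's client code). The host names are placeholders, and treating HTTP 200 as a "successful reply" is an assumption; pass your own `is_success` to also inspect the response body.

```python
import ssl
import urllib.request
from concurrent.futures import ThreadPoolExecutor, as_completed

# Placeholder hosts (assumption): substitute the five real endpoint names.
ENDPOINTS = [f"https://api{n}.example.invalid/wsapi/2.0/verify"
             for n in ("", 2, 3, 4, 5)]


def tls12_context():
    """Client context that verifies certificates and refuses TLS < 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def https_fetch(url, timeout=5.0):
    """Default fetcher: HTTPS-only GET returning (status, body)."""
    if not url.startswith("https://"):
        raise ValueError("plain-text (http://) endpoints are not allowed")
    with urllib.request.urlopen(url, timeout=timeout,
                                context=tls12_context()) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


def first_successful(urls, fetch=https_fetch,
                     is_success=lambda status, body: status == 200):
    """Query every URL at once and return (url, status, body) of the first
    reply accepted by is_success; raise RuntimeError if none is."""
    errors = {}
    pool = ThreadPoolExecutor(max_workers=len(urls))
    try:
        futures = {pool.submit(fetch, u): u for u in urls}
        for fut in as_completed(futures):
            url = futures[fut]
            try:
                status, body = fut.result()
            except Exception as exc:  # handshake failure, timeout, HTTP 4xx/5xx
                errors[url] = repr(exc)
                continue
            if is_success(status, body):
                return url, status, body
            errors[url] = f"HTTP {status}"
    finally:
        # Do not wait for the slower endpoints once a reply is accepted.
        pool.shutdown(wait=False, cancel_futures=True)
    raise RuntimeError(f"no endpoint replied successfully: {errors}")
```

Pass the complete request URLs for all five endpoints as `urls`; the `fetch` parameter exists so the fan-out logic can be exercised without network access.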

Detailed timeline

Publication date of this blog post.

Approximately 50% of traffic matching the criteria is rejected with an HTTP 410 response status.

100% of traffic matching the criteria is rejected with an HTTP 410 response status.

– Requests for /wsapi/verify, /wsapi/1.0/verify and /wsapi/1.1/verify return an HTTP 404 response status.
– http:// traffic is rejected on the firewall level without any HTTP response code or redirects.
– TLS handshake requires TLS1.2 and ECDHE or AES ciphersuites.

api{2,3,4,5} TLS certificate renewals


During the next two weeks, the TLS certificates for api 2-5 will be renewed. The certificate for will remain the same.

No service interruption is expected. If you have pinned the certificate fingerprint (not recommended), you will need to update your hard-coded information.

Below is a list showing the endpoint, the new certificate’s sha256 fingerprint and the date it will be enabled.