So i dug into code..
In Yubikey.php replace:
$token = new Auth_Yubico($apiID, $signatureKey,1,1);
$token = new Auth_Yubico($apiID, $signatureKey);
Worked for me in my case.. not sure about for others...
That Yubico.php file is a copy of the official Yubico PHP class that I include with my plug-in package which you figured out. Looks like Yubico updated the class a couple of days ago so I'll need to look into updating my installer package for the plug-in.
For one of the past revisions of the plug-in I switched from using a Yubico.php file that was CURL-independent written by a developer in these forums to the official Yubico PHP class which needs CURL installed on the web server. The official PHP class had support for some new more secure ways of connecting to the Yubico authentication server so that is why I made the switch. That line of code in my Yubikey.php file that you were having problems with has those new features enabled with the "1,1" variables you see in the function call. Here is the snippet of code from the Yubico.php class file for this:
* Sets up the object
* @param string $id The client identity
* @param string $key The client MAC key (optional)
* @param boolean $https Flag whether to use https (optional)
* @param boolean $httpsverify Flag whether to use verify HTTPS
* server certificates (optional,
* default true)
* @access public
function Auth_Yubico($id, $key = '', $https = 0, $httpsverify = 1)
So in my code I am hard-coding the "https" and "httpsverify" features to an enabled state. When you don't specify those variables in the function call the Yubico class uses the default settings for those variables which is to not use the "https" feature but do use the "httpsverify" feature. So it sounds like there is something about your web server configuration that doesn't work with the "https" feature enabled.
Thanks for posting your solution to the forum. I suspect someone else will probably run into this problem and changing the Auth_Yubico function call in my Yubikey.php file to how you have it will probably fix the issue. I'll add an option to enable or disable the "https" and "httpsverify" settings in the plug-in settings screen in the next update to my authentication plug-in.