FAQ: Twilio root certificate change and deprecation of TLS v1.0 and v1.1

Updated: June 14, 2018 (changes to the previously published schedule)

Here are some frequently asked questions regarding the upcoming root certificate change and deprecation of TLS v1.0 and v1.1.

Why is support for TLS v1.0 and v1.1 being deprecated?

To improve our security posture, we will disable TLS v1.0 and v1.1 support from the API.  Security best practices strongly advise against the use of early TLS for secure communications on the web. As a consequence, the Twilio API will no longer support SSL or early TLS before version 1.2.

When will the changes take effect?

The root certificate will be updated August 15, 2018. TLS and cipher changes will go into effect June 2019 to allow time for affected customers to upgrade and test.

How do I test whether the change will affect my environment?

The best way to determine if your environment is affected by the changes to our certificate root, TLS protocol, or cipher suite support is to make a connection to the Twilio API at any endpoint with port 8443 specified in the request -- https://api.twilio.com:8443/.  If the connection succeeds, no changes will be necessary for your environment.

It is important that this test be made from your production environment or an identical test environment.  There should be no need to test every endpoint that your system uses as the HTTPS connection is the only change that is being made.

Learn more about testing your integration with Twilio on port 8443.
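The test described above can be scripted. The following is an added example, not Twilio's own code: it checks offline whether the local TLS library can offer TLS v1.2 with the cipher suites listed on this page, then attempts a verified handshake against port 8443. It assumes Python 3.7+ built against OpenSSL and the system CA store; the function names are hypothetical.

```python
import socket
import ssl

# Cipher suites listed on this page (IANA names) mapped to their OpenSSL names.
PAGE_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "ECDHE-RSA-AES256-SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
}

def build_context():
    """Client context pinned to TLS v1.2 and the page's suites (assumption:
    pinning the maximum version too, so only the listed suites are offered)."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(PAGE_SUITES.values()))  # SSLError if none usable
    return ctx

def locally_supported_suites():
    """Offline check: which of the page's suites can this environment offer?"""
    if not ssl.HAS_TLSv1_2:
        return []
    try:
        offered = {c["name"] for c in build_context().get_ciphers()}
    except ssl.SSLError:
        return []
    return [iana for iana, ossl in PAGE_SUITES.items() if ossl in offered]

def probe(host="api.twilio.com", port=8443, timeout=10):
    """Live check against the test port; returns (ok, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with build_context().wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{tls.version()} {tls.cipher()[0]}"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate not trusted by local CA store: {exc.verify_message}"
    except ssl.SSLError as exc:
        return False, f"TLS handshake failed (protocol/cipher): {exc.reason}"
    except OSError as exc:
        return False, f"network error: {exc}"

if __name__ == "__main__":
    print("locally supported suites:", locally_supported_suites())
    print("probe result:", probe())
```

A certificate failure points at the local CA store, while a handshake failure points at the TLS library's protocol or cipher support.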

When can I test?

You can test the new root certificate on port 8443 any time before August 15, 2018.

You can test the TLS and cipher changes on port 8443 after August 15, 2018.

Note: If you already tested successfully between May 9, 2018 and June 14, 2018, you do not need to retest.

Do I need to test if I’m using one of Twilio’s Helper Libraries?

Yes. Every environment is potentially different.  Even though Twilio has tested the helper libraries for compatibility, your environment may be different.  Learn more about testing your integration with Twilio on port 8443.

Which cipher suites are supported by the REST API?

The Twilio REST API supports the following protocols and cipher suites for encrypted communication:

TLSv1.2:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Will this affect webhooks or status callbacks from Twilio?

This change only applies to requests made to the Twilio REST API. These changes to TLS versions and cipher suites do not affect TwiML webhooks and callbacks. Learn more about the protocols and ciphers supported by TwiML requests and status callbacks.

What do I do if I get errors while testing api.twilio.com:8443?

The errors you receive will very likely be due to having an OpenSSL library version which does not offer support for TLSv1.2.  To correct this, you should update your OpenSSL library and re-build the dependencies which are failing. As many companies are engaged with this process, you will likely find specific solutions online to any error messages you receive.

My third-party software requires installing the new certificate chain. Where can I download the new root and intermediary certificates?

We strongly advise that you install the complete Mozilla CA certificate store in your software, not just Twilio’s specific certificate chain. This will ensure you will have no disruption if we make changes to our certificate authority in the future. You can download the current Mozilla CA certificate store in PEM format from curl: https://curl.haxx.se/docs/caextract.html

I use a cloud-based vendor application to run my Twilio services and I don't have any control over their technology. How do I know if they are affected?

We have already contacted all customers who are known to be affected. If you have additional concerns, please contact your vendor directly and reference our published notification of these changes.

How can I be notified automatically of future changes to certificates?

A month in advance of any API SSL certificate change, we will post the new "to be upgraded" SSL certificate on port 8443 of all of our API endpoints (e.g. api.twilio.com:8443).

We recommend you test this endpoint on a regular basis to ensure your software can connect with the updated certificate.

Learn more about monitoring Twilio SSL certificate changes on port 8443.
