Here are some frequently asked questions regarding the June 20, 2018 root certificate change and deprecation of TLS v1.0 and v1.1.
Why are TLS v1.0 and v1.1 support being deprecated?
To improve our security posture, we will disable TLS v1.0 and v1.1 support from the API. Security best practices strongly advise against the use of early TLS for secure communications on the web. As a consequence, the Twilio API will no longer support SSL or early TLS before version 1.2.
When will the changes take effect?
The changes will be live on the default HTTPS port, 443, on June 20th, 2018.
Can exceptions be made for the June 20 effective date?
No. Disabling TLS v1.0 and v1.1 is a strict requirement imposed by compliance with industry standards, for which Twilio maintains certification to operate.
How do I test whether the change will affect my environment?
The best way to determine if your environment is affected by the changes to our certificate root, TLS protocol, or cipher suite support is to simply make a connection to the Twilio API at any endpoint with port 8443 specified in the request -- https://api.twilio.com:8443/. If the command works successfully, no changes will be necessary for your environment.
It is important that this test be made from your production environment or an identical test environment. There should be no need to test every endpoint that your system uses as the HTTPS connection is the only change that is being made.
Learn more about testing your integration with Twilio on port 8443.
When can I test?
You can test against port 8443 any time before June 20th, 2018.
Do I need to test if I’m using one of Twilio’s Helper Libraries?
Yes. Every environment is potentially different. Even though Twilio has tested the helper libraries for compatibility, your environment may be different. Learn more about testing your integration with Twilio on port 8443.
Which cipher suites are supported by the REST API?
The Twilio REST API Supports the following protocols and cipher suites for encrypted communication:
Will this affect webhooks or status callbacks from Twilio?
This change only applies to requests made to the Twilio REST API. These changes to TLS versions and cipher suites do not affect TwiML webhooks and callbacks. Learn more about the protocols and ciphers supported by TwiML requests and status callbacks.
What do I do if I get errors while testing api.twilio.com:8443?
Most likely, the errors you receive will very likely be due to having an openssl library version which does not offer support for TLSv1.2. To correct this, you should update your openssl library and re-build the dependencies which are failing. As many companies are engaged with this process, you will likely find specific solutions to any error messages you receive online.
My third-party software requires installing the new certificate chain. Where can I download the new root and intermediary certificates?
We strongly advise that you install the complete Mozilla CA certificate store in your software, not just Twilio’s specific certificate chain. This will ensure you will have no disruption if we make changes to our certificate authority in the future. You can download the current Mozilla CA certificate store in PEM format from curl: https://curl.haxx.se/docs/caextract.html
I use a cloud-based vendor application to run my Twilio services and I don't have any control over their technology. How do I know if they are affected?
We have already contacted all customers who are known to be affected. If you have additional concerns, please contact your vendor directly and reference our published notification of these changes.
How can I be notified automatically of future changes to certificates?
A month in advance of any API SSL certificate change, we will post the new "to be upgraded" SSL certificate on port 8443 of all of our API endpoints (e.g. api.twilio.com:8443).
We recommend you test this endpoint on a regular basis to ensure your software can connect with the updated certificate.
Learn more about monitoring Twilio SSL certificate changes on port 8443.