Notice: The certificate change is in effect as of August 20, 2018. This page remains published for historical purposes only. Please refer to our troubleshooting certificate errors and TLS deprecation articles for the latest and most comprehensive information and guides.
Maintaining security and trust with our customers is paramount to us. As such, Twilio has two notable security changes coming up for our REST API:
- August 20, 2018: Updating our certificate with our new root authority
- June 2019: Disabling support for TLS 1.0 & 1.1 and weak cipher suites.
Alert: Permanent shutdown took place on August 11th, 2022 for clients with fewer than 100k requests/month and on August 19th, 2022 for clients with more than 100k requests/month.
Customers running older operating systems or legacy network software may need to upgrade their systems to be compatible with these changes. Making requests to the API using an older version of TLS will result in an "Upgrade Required" error response from the API.
Notice: Twilio projects created after 3/28/2019 automatically use ONLY TLS v1.2 and the following cipher suites:
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384
- AES128-GCM-SHA256
- AES128-SHA256
- AES256-GCM-SHA384
- AES256-SHA256
For projects created prior to 3/28/2019, these changes will not take effect until June 26, 2019.
Updating our root authority, August 20, 2018
Twilio has used Thawte, recently acquired by DigiCert from Symantec, to sign our TLS/SSL certificates. As a result of this acquisition, Thawte has retired their Certificate Authority certificates and intermediates. Many members of the CA/Browser Forum including Google, Microsoft, and Mozilla will be ceasing trust for certificates signed by the legacy Thawte authority. To remain available and trusted, the Twilio API will be using a new certificate signed by the root authority DigiCert.
The vast majority of customers already support this new root certificate, but you may test your integration with this new certificate until August 20, 2018, by following this procedure: Monitoring Updates to Twilio REST API SSL Certificates.
Tip: If you're seeing certificate-related errors, follow our troubleshooting guide: Troubleshooting Certificate Errors for the REST API.
Disabling TLSv1.0, TLSv1.1 and weak ciphers, June 2019
In order to give ample time to execute the TLS upgrade, we are providing a full year for customers to prepare for the change.
Here are the details of what is being changed:
- Disabling support for TLS 1.0 and 1.1
We will disable TLS 1.0 and 1.1 support from the API. Security best practices strongly advise against the use of TLS 1.0 and 1.1 for secure communications on the web. As a consequence, the Twilio API will no longer support SSL or early TLS before version 1.2.
- Disabling weak cipher suites
To maintain the highest security standard, Twilio's API will stop accepting weak cipher suites for encrypting API requests to Twilio. Current security standards classify some of the cipher suites available for TLS 1.2 as weak. Although there has not been a breach or exploit, the security industry does not recommend their use for encrypting communications on the web.
You may begin testing TLS and cipher changes after August 20, 2018. We will then ensure port 8443 is updated with exclusive support for TLS 1.2 and strong cipher suites, in addition to the new DigiCert root certificate. (If you already tested successfully between May 9, 2018 and June 14, 2018, you do not need to retest.)
We strongly encourage you to test your integration with Twilio using that port to avoid any unexpected problems.
More information about testing your integration with Twilio on port 8443 can be found here: Monitoring Updates to Twilio REST API SSL Certificates.
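A client-side pre-flight check for the TLS 1.2-only policy and cipher list given earlier on this page, and for the port 8443 test described above. This is an added example, not Twilio's code: it reports which of the listed suites the local OpenSSL build can offer and, given a hostname, attempts a TLS 1.2-only handshake restricted to those suites. The function names are hypothetical, and the hostname is an assumption supplied by the caller.

```python
import socket
import ssl
import sys

# The eleven suites this page lists for TLS 1.2-only projects (OpenSSL names).
PAGE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA384", "AES128-GCM-SHA256", "AES128-SHA256",
    "AES256-GCM-SHA384", "AES256-SHA256",
]

def locally_supported(suites=PAGE_SUITES):
    """Return the subset of suites the local OpenSSL build is able to offer."""
    supported = []
    for name in suites:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.set_ciphers(name)
        except ssl.SSLError:
            continue  # OpenSSL rejected the name outright
        # get_ciphers() also lists TLS 1.3 suites, so match on the exact name.
        if any(c["name"] == name for c in ctx.get_ciphers()):
            supported.append(name)
    return supported

def build_context():
    """Verifying client context pinned to TLS 1.2 and the page's suites."""
    ctx = ssl.create_default_context()  # keeps certificate and hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(PAGE_SUITES))
    return ctx

def meets_policy(protocol, cipher):
    """True if a negotiated session matches the policy stated on this page."""
    return protocol == "TLSv1.2" and cipher in PAGE_SUITES

def probe(host, port=8443, timeout=10):
    """Handshake with host:port (caller-supplied host); return (protocol, cipher)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with build_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]

if __name__ == "__main__":
    print("locally supported:", locally_supported())
    if len(sys.argv) > 1:  # hostname passed on the command line
        print("negotiated:", probe(sys.argv[1]))
```

An empty list from `locally_supported()` or an `ssl.SSLError` from `probe()` points to a client TLS stack that needs upgrading before the cutover.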
Additional Questions
If you have additional questions about these changes, please review our FAQ.