Twilio root certificate change and deprecation of TLS v1.0, v1.1 on June 20, 2018

Security is very important to us at Twilio. We value the trust you place in us and work diligently to maintain that trust. On June 20th, 2018, as part of a company-wide effort to continue improving our security and compliance, the Twilio API will implement changes that improve encryption for API requests.

TLS and Certificate Changes

  • Disable support for TLS v1.0, v1.1
    We will disable TLS v1.0 and v1.1 support in the API. Security best practices strongly advise against the use of early TLS for secure communications on the web. As a consequence, the Twilio API will no longer support SSL or any TLS version earlier than 1.2.
  • Disable weak cipher suites
    To maintain the highest security standard, the Twilio API will stop accepting weak cipher suites for encrypting API requests to Twilio. Current security standards classify some of the cipher suites available for TLS 1.2 as weak. Although there has not been a breach or exploit, the security industry does not recommend their use for encrypting communications on the web. A list of supported cipher suites by TLS version can be found at the end of this article.
  • Update our root authority
    Twilio has used Thawte, recently acquired by DigiCert from Symantec, to sign our TLS/SSL certificates. As a result of this acquisition, Thawte has retired its Certificate Authority certificates and intermediates. Many members of the CA/Browser Forum, including Google, Microsoft, and Mozilla, will cease to trust certificates signed by the legacy Thawte authority. To remain available and trusted, the Twilio API will be using a new certificate signed by the root authority DigiCert.

To provide customers with sufficient time to test these changes, the Twilio API has made the updated certificate available on port 8443. We strongly encourage you to test your integration with Twilio in your production environment (or an identical test environment) using that port to avoid any unexpected problems. The new certificate and configuration will go live on the standard HTTPS port, 443, on June 20th, 2018.

Learn more about testing your integration with Twilio on port 8443.

Supported Protocols and Cipher Suites

The Twilio REST API supports the following protocols and cipher suites for encrypted communication:

TLS 1.2:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Note: This change to TLS versions and cipher suites does not affect TwiML webhooks and callbacks. Learn more about the protocols and ciphers supported by TwiML requests and status callbacks.
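
An added example (not Twilio's code) for the port 8443 test described above: a Python client restricted to TLS 1.2 and the six suites listed, so the handshake succeeds only if this machine's OpenSSL build and trust store meet the post-change requirements. The OpenSSL cipher names are the standard equivalents of the IANA names on the page; the hostname is passed on the command line because the page does not state one.

```python
import socket
import ssl
import sys

# IANA names from the page's TLS 1.2 list, mapped to OpenSSL's names for them.
SUPPORTED = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "ECDHE-RSA-AES256-SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
}


def strict_context():
    """Client context that offers only TLS 1.2 and the suites listed on the page."""
    ctx = ssl.create_default_context()  # verifies chain and hostname against the system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(SUPPORTED.values()))  # raises ssl.SSLError if none are available
    return ctx


def locally_offerable():
    """IANA names of the listed suites that this Python/OpenSSL build can offer."""
    enabled = {c["name"] for c in strict_context().get_ciphers()}
    return [iana for iana, openssl_name in SUPPORTED.items() if openssl_name in enabled]


def probe(host, port=8443, timeout=10):
    """Handshake with the strict context; returns (protocol, cipher, issuer organisation)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with strict_context().wrap_socket(sock, server_hostname=host) as tls:
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
            return tls.version(), tls.cipher()[0], issuer.get("organizationName")


if __name__ == "__main__":
    print("offerable locally:", locally_offerable())
    if len(sys.argv) > 1:  # hostname supplied by the operator; not stated on the page
        try:
            print("negotiated:", probe(sys.argv[1]))
        except (ssl.SSLError, OSError) as exc:  # includes certificate verification failures
            print("handshake failed:", exc)
            sys.exit(1)
```

This checks only the Python runtime it runs under; an integration built on a different TLS stack still needs its own test against port 8443.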

Additional Questions

If you have additional questions about these changes, please review our FAQ.
