Tips for Upgrading Your Environment to Support Twilio REST API’s TLS and Strong Cipher Suite Changes

Starting June 26, 2019, the Twilio REST API will only support connections that use TLS v1.2 and strong cipher suites.

If your environment fails to connect to our test endpoint on port 8443, you may need to upgrade your operating system’s security components or network software to be compatible with these changes.

Failure Signatures

These are some common error messages that may indicate your system does not support the security changes:

  • Server aborted the SSL handshake
  • Connection refused
  • Handshake failed
  • Unable to connect to the remote server
  • Connection forcibly closed by the remote host
  • Connection timed out
  • Null response object (RestSharp .NET client)*

Tip: Be sure your network allows outbound HTTPS traffic on port 8443 when running the tests. If you can reach https://api.twilio.com:8443/ from a browser, your network is not blocking traffic.

* For the legacy Twilio C#/.NET Helper Library (4.x and lower), failures return as a null response object when there is a low-level exception such as an SSL negotiation failure. Use Fiddler or a similar HTTP debugging tool to view the underlying exception details.

Components to Check

There are a number of components involved in connecting to our REST API that may need to be upgraded or reconfigured to use TLSv1.2 and strong cipher suites:

  • Operating system’s SSL libraries
  • Application server security components
  • Network proxy
  • Firewall

In most cases, you simply need to upgrade your operating system’s SSL libraries to their latest version. In other cases, you need to update the underlying application server components used by your HTTP client or helper library (e.g. cURL PHP).

Note: The Twilio Helper Libraries themselves do not need to be upgraded, but the underlying dependencies that the libraries rely on may need to be updated to a newer version.

In rare cases, you may have a network proxy or firewall that does not support or is not configured correctly for TLSv1.2 connections. You’ll need to consult with your network administrator if you suspect that is the issue.

Every environment is different, so we recommend you consult your software package documentation and IT support staff or vendor to thoroughly investigate and upgrade the affected components.

Verifying the Upgrade

Once you’ve made the necessary changes, verify your upgraded system can connect successfully to the same test endpoint on port 8443 from your production environment, using the same testing procedures.

Our normal REST API endpoint already supports TLSv1.2 and the strong cipher suites, so you can immediately cut over your production traffic once the changes are verified in your environment.
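The check below is an added example, not Twilio code: it connects in two stages so that a blocked port (firewall or proxy) is reported separately from a TLS 1.2 negotiation failure (SSL libraries) and from a rejected certificate chain. The function names `tls12_only_context` and `probe` are assumptions made for this sketch; the host and port are the test endpoint named on this page.

```python
import socket
import ssl


def tls12_only_context():
    """Client context pinned to TLS 1.2; certificate and hostname checks stay on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host, port=8443, timeout=10.0):
    """Connect in two stages and report the stage that failed.

    "tcp"           -> refused or timed out before any TLS: firewall, proxy, routing
    "tls-handshake" -> TCP worked but TLS 1.2 negotiation did not: SSL libraries
    "certificate"   -> protocol and cipher were agreed but the server's chain was
                       rejected: CA bundle or an intercepting proxy
    """
    report = {"ok": False, "openssl": ssl.OPENSSL_VERSION}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {**report, "stage": "tcp", "error": repr(exc)}
    try:
        with tls12_only_context().wrap_socket(sock, server_hostname=host) as tls:
            return {**report, "ok": True, "stage": "connected",
                    "protocol": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLCertVerificationError as exc:
        return {**report, "stage": "certificate", "error": repr(exc)}
    except OSError as exc:  # ssl.SSLError, connection resets, handshake timeouts
        return {**report, "stage": "tls-handshake", "error": repr(exc)}
    finally:
        sock.close()


if __name__ == "__main__":
    # Host and port are the test endpoint named on this page.
    for key, value in probe("api.twilio.com", 8443).items():
        print(f"{key}: {value}")
```

Run it from the same host and runtime account as the production application, since the result reflects the OpenSSL build linked into that Python interpreter and the network path from that machine.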

Additional Resources

The following resources have been collected from the feedback of other Twilio customers to assist you in this process. However, these solutions have not been verified by Twilio Engineering. We recommend you use caution when considering these solutions and consult your software package documentation and IT support staff or vendor before proceeding.

  • Java (Java 6): use an alternative cryptography extension
  • Java (IBM implementations): override the default SSL protocol
  • .NET 4.5: ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12
  • .NET 4.0: ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;
  • .NET (Legacy): Enabling support for TLSv1.2 on various versions of .NET
  • .NET (Legacy): Enabling support for TLSv1.2 in the .NET Framework 3.5.1
  • OpenSSL: Stripe’s guide to upgrading OpenSSL for PHP, Python, Node.js and Ruby
  • PHP: Explicitly set CURLOPT_SSLVERSION for TLSv1.2 in cURL
  • PowerShell: [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Further Reading

If you need assistance beyond these resources, please contact our Support Team.
