SUPPORT.TWILIO.COM END OF LIFE NOTICE: This site, support.twilio.com, is scheduled to go End of Life on February 27, 2024. All Twilio Support content has been migrated to help.twilio.com, where you can continue to find helpful Support articles, API docs, and Twilio blog content, and escalate your issues to our Support team. We encourage you to update your bookmarks and begin using the new site today for all your Twilio Support needs.

Tips for Upgrading Your Environment to Support Twilio REST API’s TLS and Strong Cipher Suite Changes

Starting March 2023, the Twilio REST API will only support connections that use strong cipher suites.

If your environment fails to connect to our test endpoint at https://tls-test.twilio.com, you may need to upgrade your operating system’s security components or network software to be compatible with these changes.

Notice: Twilio projects can only use the following cipher suites to connect to our API:

  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384
  • AES128-GCM-SHA256
  • AES128-SHA256
  • AES256-GCM-SHA384
  • AES256-SHA256

Failure Signatures

These are some common error messages that may indicate your system does not support the security changes:

  • Server aborted the SSL handshake
  • Connection refused
  • Handshake failed
  • Unable to connect to the remote server
  • Connection forcibly closed by the remote host
  • Connection timed out
  • Null response object (RestSharp .NET client)*

Tip:Be sure your network allows outbound HTTPS traffic to https://tls-test.twilio.com when running the tests. If you can reach https://tls-test.twilio.com from a browser, your network is not blocking traffic.

* For the legacy Twilio C#/.NET Helper Library (4.x and lower), failures return as a null response object when there is a low level exception such as SSL negotiation failure. Use Fiddler or similar HTTP debugging tool to view the underlying exception details.

Components to Check

There are a number of components involved in connecting to our REST API that may need to be upgraded or reconfigured to use strong cipher suites:

  • Operating system’s SSL libraries
  • Application server security components
  • Network proxy
  • Firewall

In most cases, you simply need to upgrade your operating system’s SSL libraries to their latest version. In other cases, you need to update the underlying application server components used by your HTTP client or helper library (e.g. cURL PHP).

Note: The Twilio Helper Libraries themselves do not need to be upgraded, but the underlying dependencies that the libraries rely on may need to be updated to a newer version.

In rare cases, you may have a network proxy or firewall that does not support or is not configured correctly for strong cipher suites connections. You’ll need to consult with your network administrator if you suspect that is the issue.

Every environment is different, so we recommend you consult your software package documentation and IT support staff or vendor to thoroughly investigate and upgrade the affected components.

Verifying the Upgrade

Once you’ve made the necessary changes, verify your upgraded system can connect successfully to the same test endpoint on https://tls-test.twilio.com from your production environment, using the same testing procedures.

Our normal REST API endpoint already supports the strong cipher suites, so you can immediately cut over your production traffic once the changes are verified in your environment.

Further Reading

If you need assistance beyond these resources, please contact our Support Team.

Have more questions? Submit a request
We can’t wait to see what you build.
Powered by Zendesk