Starting June 26, 2019, the Twilio REST API will only support connections that use TLS v1.2 and strong cipher suites.
If your environment fails to connect to our test endpoint on port 8443, you may need to upgrade your operating system’s security components or network software to be compatible with these changes.
Notice: Twilio projects created after 3/28/2019 automatically use ONLY TLS v1.2 and the following cipher suites:
For projects created prior to 3/28/2019, these changes will not take effect until June 26, 2019.
These are some common error messages that may indicate your system does not support the security changes:
- Server aborted the SSL handshake
- Connection refused
- Handshake failed
- Unable to connect to the remote server
- Connection forcibly closed by the remote host
- Connection timed out
- Null response object (RestSharp .NET client)*
Tip: Be sure your network allows outbound HTTPS traffic on port 8443 when running the tests. If you can reach https://api.twilio.com:8443/ from a browser, your network is not blocking traffic.
* For the legacy Twilio C#/.NET Helper Library (4.x and lower), failures return as a null response object when there is a low-level exception such as an SSL negotiation failure. Use Fiddler or a similar HTTP debugging tool to view the underlying exception details.
Components to Check
There are a number of components involved in connecting to our REST API that may need to be upgraded or reconfigured to use TLSv1.2 and strong cipher suites:
- Operating system’s SSL libraries
- Application server security components
- Network proxy
In most cases, you simply need to upgrade your operating system’s SSL libraries to their latest version. In other cases, you need to update the underlying application server components used by your HTTP client or helper library (e.g. cURL PHP).
Note: The Twilio Helper Libraries themselves do not need to be upgraded, but the underlying dependencies that the libraries rely on may need to be updated to a newer version.
In rare cases, you may have a network proxy or firewall that does not support or is not configured correctly for TLSv1.2 connections. You’ll need to consult with your network administrator if you suspect that is the issue.
Every environment is different, so we recommend you consult your software package documentation and IT support staff or vendor to thoroughly investigate and upgrade the affected components.
Verifying the Upgrade
Once you’ve made the necessary changes, verify your upgraded system can connect successfully to the same test endpoint on port 8443 from your production environment, using the same testing procedures.
Our normal REST API endpoint already supports TLSv1.2 and the strong cipher suites, so you can immediately cut over your production traffic once the changes are verified in your environment.
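The verification step above can be scripted. The following is an added example, not Twilio's own tooling: it attempts a single TLS v1.2-only handshake against the test endpoint named on this page and reports whether a failure happened at the network stage or the TLS stage. The function names, result keys and timeout value are assumptions chosen for illustration.

```python
import socket
import ssl

# Host and port of the test endpoint named on this page.
TEST_HOST = "api.twilio.com"
TEST_PORT = 8443


def tls12_only_context():
    """Client context pinned to TLS 1.2, certificate and hostname checks left on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host=TEST_HOST, port=TEST_PORT, timeout=10.0):
    """Attempt one TLS 1.2 handshake and report the stage that failed, if any."""
    result = {"openssl": ssl.OPENSSL_VERSION, "local_tls12": ssl.HAS_TLSv1_2}
    stage = "tcp-connect"  # failure here: firewall, proxy or routing, not TLS
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            stage = "tls-handshake"  # failure here: SSL library, proxy or trust store
            with tls12_only_context().wrap_socket(raw, server_hostname=host) as tls:
                result.update(ok=True, stage="done",
                              protocol=tls.version(), cipher=tls.cipher()[0])
    except OSError as exc:  # ssl.SSLError and socket timeouts are OSError subclasses
        result.update(ok=False, stage=stage, error=f"{type(exc).__name__}: {exc}")
    return result


if __name__ == "__main__":
    for key, value in probe().items():
        print(f"{key}: {value}")
```

A `tcp-connect` failure points at the network path (firewall or proxy blocking port 8443), while a `tls-handshake` failure points at the local SSL library, an intercepting proxy, or the trust store.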
The following resources have been collected from the feedback of other Twilio customers to assist you in this process. However, these solutions have not been verified by Twilio Engineering. We recommend you use caution when considering these solutions and consult your software package documentation and IT support staff or vendor before proceeding.
| Platform | Resources |
|---|---|
| Java | Java 6: use an alternative cryptography extension; IBM implementations: override the default SSL protocol |
| .NET (Legacy) | Enabling support for TLSv1.2 on various versions of .NET; Enabling support for TLSv1.2 in the .NET Framework 3.5.1 |
| OpenSSL | Stripe’s guide to upgrading OpenSSL for PHP, Python, Node.js and Ruby |
| PHP | Explicitly set CURLOPT_SSLVERSION for TLSv1.2 in cURL |
- Monitoring Updates to the Twilio REST API Security Settings
- Frequently Asked Questions: Twilio REST API’s TLS and Cipher Suite Security Changes for June 2019
If you need assistance beyond these resources, please contact our Support Team.