A2P 10DLC Campaign Vetting Delays: Twilio cannot approve 10DLC Campaigns ourselves, and must rely on third parties who control our connections to carriers to sign off. These external processes are creating several week delays for our customers. We continue to escalate these issues and are working to reduce delays wherever possible. Further details will be shared in the Campaign Vetting Changes article as they become available.

FAQ: Twilio REST API’s Cipher Suite Security Changes for March 2023

As of March 2023, Twilio has removed the support for old cipher suites on our REST APIs. This guide contains information about what is currently supported, as well as frequently asked questions regarding this change.

Frequently asked questions (FAQs)

Testing Procedures

Additional Concerns

Testing Procedures

How do I test whether the change will affect my environment?

The best way to determine if your environment is affected by the TLS or cipher suite changes is to make a simple HTTP request to the Twilio REST API test endpoint at port 8443 ( https://api.twilio.com:8443/). If the command works successfully, no changes will be necessary for your environment.

Use our test procedures and code snippets to test your system’s compatibility.

Note: It is important that this test be made from your production environment or an identical test environment.

Do I need to test if I’m using one of Twilio’s Helper Libraries?

Yes. The Twilio helper libraries rely on the underlying security components installed on your operating system. While Twilio has tested the helper libraries for compatibility with these changes, your environment may be different.

Learn more about testing your integration with Twilio on port 8443 and review our tips for upgrading, if your tests do not succeed.

How do I force the Twilio helper library to use port 8443?

Please use our provided code snippets to test the Twilio helper libraries on port 8443. Be sure to use the snippet that matches your version of the helper library.

Do I need to test every REST API endpoint and method?

No. You only need to make a single request to the test endpoint on port 8443 to ensure your system can connect over HTTPS using the TLS and cipher suite changes.

Learn more about testing your integration with Twilio on port 8443.

What if I get errors while testing api.twilio.com:8443?

Most likely the errors you receive will be due to having an OpenSSL library version which does not offer support for the changes. To correct this, you should update your operating system’s OpenSSL library and rebuild the dependencies that are failing.

Review all our tips for upgrading your environment.

Which IPs should we allow for connecting to port 8443 in our firewall?

Twilio’s REST API uses dynamic IP addresses. They are selected from a large range of Amazon Web Services (AWS) IP addresses, and are liable to change without advance notice. We recommend you restrict by domain name instead of IP addresses (i.e., api.twilio.com).

Otherwise, you can temporarily allow all outbound HTTPS traffic to port 8443 to perform the tests and then re-implement the block on that port when testing is complete.

Which cipher suites are supported by the REST API with the change?

Once the changes are implemented, the Twilio REST API will only support the following protocols and cipher suites for encrypted communication:

Protocol 1.2: 

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
AES128-GCM-SHA256
AES128-SHA256
AES256-GCM-SHA384
AES256-SHA256

Additional Concerns

Will this affect webhooks or status callbacks from Twilio?

The changes to cipher suites do not affect TwiML webhooks or status callbacks. These changes only apply to requests made to the Twilio REST API.

Learn more about the protocols and ciphers supported by TwiML requests and status callbacks.

I see SSL Certificate Validation is enabled on my account in the Twilio Console. Does that mean I’m already compliant with these security changes?

No. SSL Certificate Validation does not affect requests from your application to the REST API. That setting is only used for TwiML webhooks and status callbacks from Twilio back to your server. Webhooks and callbacks are not affected by these REST API security changes.

I use a cloud-based vendor application to run my Twilio services and I don't have any control over their technology. How do I know if they are affected?

We have already contacted all Twilio accounts who are known to be affected. If you have additional concerns, please contact your vendor directly and reference our published notification of these changes.

How can I be notified automatically of future security changes to the REST API?

At least one month in advance of any REST API security change, we will post the new "to be upgraded" certificate and configuration on port 8443 of all of our API endpoints (e.g., api.twilio.com:8443).

We recommend you test that endpoint on a regular basis to ensure your software can connect with the updated certificate and settings.

Learn more about monitoring Twilio security changes on port 8443.

Further Reading

If you need assistance beyond these resources, please contact our Support Team.

Have more questions? Submit a request
We can’t wait to see what you build.
Powered by Zendesk