As of March 2023, Twilio has removed the support for old cipher suites on our REST APIs. This guide contains information about what is currently supported, as well as frequently asked questions regarding this change.
Frequently asked questions (FAQs)
- How do I test whether the change will affect my environment?
- Do I need to test if I’m using one of Twilio’s Helper Libraries?
- How do I force the Twilio helper library to use port 8443?
- Do I need to test every REST API endpoint and method?
- What if I get errors while testing api.twilio.com:8443?
- Which IPs should we allow for connecting to port 8443 in our firewall?
- Which cipher suites will be supported by the REST API after the changes are implemented?
- Will this affect webhooks or status callbacks from Twilio?
- I see SSL Certificate Validation is enabled on my account in the Twilio Console. Does that mean I’m already compliant with these security changes?
- I use a cloud-based vendor application to run my Twilio services and I don't have any control over their technology. How do I know if they are affected?
- How can I be notified automatically of future security changes to the REST API?
The best way to determine if your environment is affected by the TLS or cipher suite changes is to make a simple HTTP request to the Twilio REST API test endpoint https://tls-test.twilio.com/. If the command works successfully, no changes will be necessary for your environment.
See our complete guide to Monitoring updates to Twilio REST API security settings for more information on testing with helper libraries and an FAQ.
Yes. The Twilio helper libraries rely on the underlying security components installed on your operating system.
Most likely the errors you receive will be due to having an OpenSSL library version which does not offer support for the changes. To correct this, you should update your operating system’s OpenSSL library and rebuild the dependencies that are failing.
Review all our tips for upgrading your environment.
Once the changes are implemented, the Twilio REST API will only support the following protocols and cipher suites for encrypted communication:
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 AES128-GCM-SHA256 AES128-SHA256 AES256-GCM-SHA384 AES256-SHA256
The changes to cipher suites do not affect TwiML webhooks or status callbacks. These changes only apply to requests made to the Twilio REST API.
Learn more about the protocols and ciphers supported by TwiML requests and status callbacks.
No. SSL Certificate Validation does not affect requests from your application to the REST API. That setting is only used for TwiML webhooks and status callbacks from Twilio back to your server. Webhooks and callbacks are not affected by these REST API security changes.
We have already contacted all Twilio accounts who are known to be affected. If you have additional concerns, please contact your vendor directly and reference our published notification of these changes.
At least one month in advance of any REST API security change, we will post the new "to be upgraded" certificate and configuration on our test endpoint. We recommend you test that endpoint on a regular basis to ensure your software can connect with the updated certificate and settings.
Learn more about monitoring Twilio security changes.
- Monitoring Updates to the Twilio REST API Security Settings
- Tips for Upgrading Your Environment to Support Twilio REST API’s Strong Cipher Suite Changes
If you need assistance beyond these resources, please contact our Support Team.