Here are some frequently asked questions regarding the upcoming deprecation of TLS v1.0, v1.1 and weak cipher suites on Twilio’s REST API.
Notice: Twilio projects created after 3/28/2019 automatically use ONLY TLS v1.2 and the following cipher suites:
For projects created prior to 3/28/2019, these changes will not take effect until June 26, 2019.
Timeline and Process
- When will the changes take effect?
- I already received an email notice. Why am I being contacted again?
- I didn't receive an email. How can I be sure I'm not affected?
- I need more time. Can I get an extension?
- Why are TLS v1.0, v1.1 and weak cipher suites being deprecated?
- How do I test whether the change will affect my environment?
- Do I need to test if I’m using one of Twilio’s Helper Libraries?
- How do I force the Twilio helper library to use port 8443?
- Do I need to test every REST API endpoint and method?
- What if I get errors while testing api.twilio.com:8443?
- Which IPs should we whitelist for connecting to port 8443 in our firewall?
- Which cipher suites will be supported by the REST API after the changes are implemented?
- Will this affect webhooks or status callbacks from Twilio?
- I see SSL Certificate Validation is enabled on my account in the Twilio Console. Does that mean I’m already compliant with these security changes?
- I use a cloud-based vendor application to run my Twilio services and I don't have any control over their technology. How do I know if they are affected?
- How can I be notified automatically of future security changes to the REST API?
Timeline and Process
The TLS and cipher suite changes will be implemented on the Twilio REST API on June 26, 2019 at 1:00 PM PDT (20:00 UTC).
You can test the TLS and cipher changes on port 8443 of the REST API after August 20, 2018.
The original announcement was sent to affected customers in May 2018, and we postponed the changes until June 2019. You received an additional notice because our logs have detected recent connections from your account that are incompatible with the upcoming changes.
You will need to perform the recommended tests and upgrade your system to ensure your Twilio service is not interrupted.
If you did not receive an email, your account is not affected. However, you can verify your application will indeed work correctly by following our testing procedures.
You can use those same procedures to test regularly for any upcoming changes to our REST API security settings.
The extension is already in effect, as we have postponed this change a full year from the original date to give customers ample time to make the necessary changes. You must complete your changes by June 2019 to ensure your Twilio service is not interrupted.
Security best practices strongly advise against the use of early TLS for secure communications on the web. As a consequence, the Twilio REST API will no longer support SSL or early TLS before version 1.2. We are also removing weak cipher suites to maintain the highest standard of security for our customers.
The best way to determine if your environment is affected by the TLS or cipher suite changes is to make a simple HTTP request to the Twilio REST API test endpoint at port 8443 (https://api.twilio.com:8443/). If the request succeeds, no changes will be necessary for your environment.
Use our test procedures and code snippets to test your system’s compatibility.
Note: It is important that this test be made from your production environment or an identical test environment.
Yes. The Twilio helper libraries rely on the underlying security components installed on your operating system. While Twilio has tested the helper libraries for compatibility with these changes, your environment may be different.
Please use our provided code snippets to test the Twilio helper libraries on port 8443. Be sure to use the snippet that matches your version of the helper library.
No. You only need to make a single request to the test endpoint on port 8443 to ensure your system can connect over HTTPS using the TLS and cipher suite changes.
Learn more about testing your integration with Twilio on port 8443.
Most likely the errors you receive will be due to having an OpenSSL library version which does not offer support for TLSv1.2. To correct this, you should update your operating system’s OpenSSL library and rebuild the dependencies that are failing.
Review all our tips for upgrading your environment.
Twilio’s REST API uses dynamic IP addresses. They are selected from a large range of Amazon Web Services (AWS) IP addresses, and are liable to change without advance notice. We recommend you restrict by domain name instead of IP addresses (i.e., api.twilio.com).
Otherwise, you can temporarily allow all outbound HTTPS traffic to port 8443 to perform the tests and then re-implement the block on that port when testing is complete.
Once the changes are implemented, the Twilio REST API will only support the following protocols and cipher suites for encrypted communication:
TLSv1.2:
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ECDHE-RSA-AES128-SHA)
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ECDHE-RSA-AES128-SHA256)
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ECDHE-RSA-AES128-GCM-SHA256)
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ECDHE-RSA-AES256-SHA)
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ECDHE-RSA-AES256-SHA384)
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ECDHE-RSA-AES256-GCM-SHA384)
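The following Python check is an added example, not one of Twilio's published test snippets. It inspects the local OpenSSL build for TLSv1.2 support and for overlap with the suites listed above, and can then attempt a handshake against the test endpoint api.twilio.com:8443. The function names (`shared_suites`, `local_readiness`, `probe`) are assumptions made for illustration.

```python
import socket
import ssl

# OpenSSL names of the six suites this page lists for the REST API.
TWILIO_SUITES = (
    "ECDHE-RSA-AES128-SHA",
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
)


def shared_suites(offered):
    """Listed suites that also appear in a client's offered cipher names."""
    offered = set(offered)
    return [s for s in TWILIO_SUITES if s in offered]


def local_readiness():
    """Inspect this interpreter's OpenSSL build without touching the network."""
    ctx = ssl.create_default_context()
    names = [c["name"] for c in ctx.get_ciphers()]
    shared = shared_suites(names)
    return {
        "openssl": ssl.OPENSSL_VERSION,   # version string to compare after an upgrade
        "tls12": ssl.HAS_TLSv1_2,         # False means the OpenSSL build is too old
        "shared": shared,
        "ready": ssl.HAS_TLSv1_2 and bool(shared),
    }


def probe(host="api.twilio.com", port=8443, timeout=10):
    """Handshake with certificate and hostname verification left on.

    Returns (protocol, cipher) or raises ssl.SSLError / OSError on failure.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    print(local_readiness())
    print(probe())
```

Run it from the production host or an identical environment; an empty `shared` list or `tls12: False` points to the OpenSSL upgrade described above.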
The changes to TLS versions and cipher suites do not affect TwiML webhooks or status callbacks. These changes only apply to requests made to the Twilio REST API.
Learn more about the protocols and ciphers supported by TwiML requests and status callbacks.
No. SSL Certificate Validation does not affect requests from your application to the REST API. That setting is only used for TwiML webhooks and status callbacks from Twilio back to your server. Webhooks and callbacks are not affected by these REST API security changes.
We have already contacted all Twilio accounts that are known to be affected. If you have additional concerns, please contact your vendor directly and reference our published notification of these changes.
At least one month in advance of any REST API security change, we will post the new "to be upgraded" certificate and configuration on port 8443 of all of our API endpoints (e.g., api.twilio.com:8443).
We recommend you test that endpoint on a regular basis to ensure your software can connect with the updated certificate and settings.
Learn more about monitoring Twilio security changes on port 8443.
- Monitoring Updates to the Twilio REST API Security Settings
- Tips for Upgrading Your Environment to Support Twilio REST API’s TLSv1.2 and Strong Cipher Suite Changes
If you need assistance beyond these resources, please contact our Support Team.