This guide explains the best methods for monitoring Twilio Functions security certificate updates.
SSL certificate pinning
Pinning security certificates is risky and error-prone. That said, the technique is required for some use cases (for example, the RSA SecurID SMS Provider configuration).
If you plan to pin our security certificates, be aware that they expire. You will need to manually update your certificate pin whenever Twilio makes a security change to the SSL certificates used by Functions.
Can I download a PEM file of the Functions SSL certificate?
Yes. Although we don't recommend pinning certificates, you can download the certificate as a PEM file with the OpenSSL command line tool.
Here's an example bash script you can use once openssl is installed on your operating system:
#!/bin/bash
# Replace this variable with your Functions FQDN
HOST=XXXXX-XXXX.twil.io
# Download the SSL certificate the server presents and save it in PEM format
openssl s_client -connect "${HOST}:443" -servername "${HOST}" </dev/null 2>/dev/null | openssl x509 -outform PEM > mycertfile.pem
Monitor for changes
You can monitor for security certificate changes with a simple script that checks your pinned certificate against the one your Functions environment currently presents.
- If the request succeeds with OK, no further action is required.
- If the request does not succeed, further investigation is required to determine the cause and resolve any issues.
#!/bin/bash
# Replace this variable with your Functions FQDN
HOST=XXXXX-XXXX.twil.io
# The path to the pinned cert file that you have downloaded
CERT=mycertfile.pem
# Get the fingerprint from the pinned PEM file
FPRINT=$(openssl x509 -noout -in "${CERT}" -fingerprint)
# Get the fingerprint of the certificate the server currently presents
SERVER=$(openssl s_client -connect "${HOST}:443" -servername "${HOST}" </dev/null 2>/dev/null | openssl x509 -fingerprint -noout)
# Compare the fingerprints
if [ "$SERVER" = "$FPRINT" ]; then
    echo "OK"
    exit 0
else
    echo "NOK"
    exit 1
fi
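The download step and the monitoring step above, folded into one script as an added example (this is not Twilio's code): it fetches the live certificate, compares SHA-256 fingerprints instead of the SHA-1 ones openssl prints by default, and also warns when the pinned certificate itself is within 30 days of expiry, which is the case the page says you must track by hand. The host name, file names and function names are placeholders and assumptions, not part of any Twilio tooling.

```shell
#!/bin/bash
# Added example: pin check with SHA-256 fingerprints plus an expiry warning.
set -u

# Print the SHA-256 fingerprint of a PEM certificate file as colon-separated hex,
# stripping the "SHA256 Fingerprint=" prefix that openssl prints.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fetch the leaf certificate presented by host:443 (with SNI) and write it as PEM to $2.
fetch_server_cert() {
    local host="$1" out="$2"
    openssl s_client -connect "${host}:443" -servername "${host}" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# Return 0 when the two PEM files carry the same certificate, 1 otherwise.
fingerprints_match() {
    [ "$(pem_fingerprint "$1")" = "$(pem_fingerprint "$2")" ]
}

# Return 0 when the certificate in $1 expires within $2 seconds, 1 otherwise.
# openssl's -checkend exits non-zero exactly when the certificate will have expired.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Compare the pinned certificate ($2) with what host ($1) currently serves.
# Prints OK / NOK like the page's script and exits 0 / 1 accordingly.
check_pin() {
    local host="$1" pinned="$2" live status
    live=$(mktemp)
    if ! fetch_server_cert "$host" "$live"; then
        echo "NOK: could not fetch a certificate from ${host}"
        rm -f "$live"
        return 1
    fi
    if fingerprints_match "$pinned" "$live"; then
        echo "OK"
        status=0
    else
        echo "NOK: server certificate differs from pinned certificate"
        status=1
    fi
    # 30 days = 2592000 seconds: warn before the pinned certificate lapses
    if cert_expires_within "$pinned" 2592000; then
        echo "WARNING: pinned certificate expires within 30 days; refresh your pin"
    fi
    rm -f "$live"
    return "$status"
}

# Usage (placeholder values): PIN_HOST=XXXXX-XXXX.twil.io PIN_CERT=mycertfile.pem ./pincheck.sh
if [ -n "${PIN_HOST:-}" ] && [ -n "${PIN_CERT:-}" ]; then
    check_pin "$PIN_HOST" "$PIN_CERT"
fi
```

Run it from cron with the two environment variables set; a non-zero exit or the WARNING line is the signal to investigate, and the same script is the one to re-run after you refresh the pinned PEM.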
Notifications
For routine updates that refresh expiring certificates, we will not send any customer notification. That said, if a security change affects the encryption level, encryption cipher, root chain or root certificate in any way, we will notify you by email with at least one month's notice. This procedure will be followed for any type of update to the Twilio Functions security configuration.
It is our goal that this stated policy helps our customers stay operationally excellent and increases your trust in Twilio.
If you have any questions, please contact Customer Support.