Monitoring Updates to Twilio Functions Security Certificates

This guide explains the best methods for monitoring Twilio Functions security certificate updates.

SSL certificate pinning

Pinning security certificates is risky and error-prone. That said, this technique is required for some use cases (for example, RSA SecurID SMS Provider configuration).

If you are planning to pin our security certificates, please be aware that these do expire. Users will need to manually update their certificate pinning whenever Twilio makes a security change to the SSL certificates used in Functions. 

Can I download a PEM file of the Functions SSL certificate?

Yes. Although we don't recommend pinning certificates, you can download a PEM file using the command line tool OpenSSL.

Here's an example bash script that can be used after you have installed openssl on your operating system:

#!/bin/bash

# replace this variable with your Functions FQDN
HOST=XXXXX-XXXX.twil.io

# Download SSL Certificate
openssl s_client -connect "${HOST}":443 -servername "${HOST}" </dev/null 2>/dev/null | openssl x509 -outform PEM>mycertfile.pem

Monitor for changes

Customers can monitor for any security certificate changes with a simple script to check the certificate against their Functions environment.

  • If the request succeeds with OK, no further action is required.
  • If the request does not succeed, further investigation is required to determine the cause and resolve any issues.

#!/bin/bash

# replace this variable with your Functions FQDN
HOST=XXXXX-XXXX.twil.io

# The path to the pinned cert file that you have downloaded
CERT=mycertfile.pem

# Get the Fingerprint from this PEM file
FPRINT=$(openssl x509 -noout -in "${CERT}" -fingerprint)

# Get Fingerprint from Server
SERVER=$(openssl s_client -connect "${HOST}":443 -servername "${HOST}" </dev/null 2>/dev/null | openssl x509 -fingerprint -noout)

# Compare the Fingerprints (an empty value means the PEM file could not be read)
if [ -n "$FPRINT" ] && [ "$SERVER" = "$FPRINT" ]; then
  echo "OK"
  exit 0
else
  echo "NOK"
  exit 1
fi
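
The monitoring check above, extended as an added example (not Twilio's script): it compares SHA-256 fingerprints, flags a pinned certificate that is close to expiry, and reports an unreadable file or failed fetch separately from a changed certificate. The function names, the status words and the 30-day default are assumptions.

```shell
#!/bin/bash
# Added example, not Twilio's script. Names and defaults are assumptions.

# SHA-256 fingerprint of a PEM certificate file (empty output if unreadable).
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Save the leaf certificate that HOST currently serves as PEM in OUTFILE.
fetch_server_cert() {  # usage: fetch_server_cert HOST OUTFILE
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM >"$2" 2>/dev/null
}

# Compare the pinned PEM with the served PEM and print one status word.
# Returns 0 OK, 1 CHANGED, 2 EXPIRING, 3 ERROR.
check_pin() {  # usage: check_pin PINNED_PEM SERVED_PEM [WARN_DAYS]
  local pinned served warn_secs
  warn_secs=$(( ${3:-30} * 86400 ))
  pinned=$(cert_fingerprint "$1")
  served=$(cert_fingerprint "$2")
  # An empty fingerprint means a missing file or a failed connection, not a
  # rotation; without this check two empty strings would compare as equal.
  if [ -z "$pinned" ] || [ -z "$served" ]; then echo "ERROR"; return 3; fi
  if [ "$pinned" != "$served" ]; then echo "CHANGED"; return 1; fi
  # -checkend exits non-zero when the certificate expires within N seconds.
  if ! openssl x509 -in "$1" -noout -checkend "$warn_secs" >/dev/null 2>&1; then
    echo "EXPIRING"; return 2
  fi
  echo "OK"; return 0
}

# Fetch from HOST and check it against the pinned file in one step.
monitor_host() {  # usage: monitor_host HOST PINNED_PEM [WARN_DAYS]
  local served rc=0
  served=$(mktemp) || return 3
  fetch_server_cert "$1" "$served" || true
  check_pin "$2" "$served" "${3:-30}" || rc=$?
  rm -f "$served"
  return "$rc"
}

# Runs only when called with arguments: HOST PINNED_PEM [WARN_DAYS]
if [ "$#" -ge 2 ]; then
  monitor_host "$@"
fi
```

Run from a scheduler, the exit code separates a certificate rotation (1) and an approaching expiry (2) from a connectivity or file problem (3).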

Notifications

For routine updates to refresh expiring certificates, we will not send out any customer notification. That said, if our security change affects the encryption level, encryption cipher, root chain or root certificate in any way, we will send out notification via email with at least one month’s notice. This procedure will be followed for any type of update to our Twilio Functions security configuration.

It is our goal that this stated policy will help our customers stay operationally excellent, and increase your trust in Twilio.

If you have any questions, please contact Customer Support.

 
