An icon of a right arrow Back

Twilio Platform | Feb. 02, 2025

Upcoming certificate rotation and ciphersuite list update for all Twilio REST API endpoints

As we previously communicated, starting March 3, 2025, Twilio will rotate the end-user certificate and will update the list of supported cipher suites in all Twilio REST APIs. 

End-user Certificate Rotation

Only the end-user certificate will be renewed, as well as the certificate serial number. The root and intermediate certificates will remain the same. Such updates are common practice and do not impact customers that are using Twilio's services unless you are pinning certificates or are managing them manually. Customers using the official Twilio Helper Libraries should not experience any impact as they are designed to handle certificate rotations.

We highly discourage customers from pinning certificates as it exposes them to potential security risks and can cause downtimes for their services. Twilio customers using pinned certificates have a high probability of failed API Requests. These customers are advised to add the new certificates by March 3, 2025. 

Updates on the Cipher List

All our REST API endpoints will only support the cipher suites listed below. Support for any other cipher suite will be removed from that time:

Supported TLSv1.3 ciphers

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

Supported ECDSA ciphers (TLSv1.2)

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-CHACHA20-POLY1305

  • ECDHE-ECDSA-AES256-SHA384

Supported RSA ciphers (TLSv1.2)

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-RSA-CHACHA20-POLY1305

  • ECDHE-RSA-AES256-SHA384

Customers are advised to check that their infrastructure supports at least one of these cipher suites. Customers running older operating systems or legacy network software may need to upgrade their systems to be compatible with these changes.

Test your configuration

The new security configuration is now available on the testing domain ( https://tls-test.twilio.com ). 

For more information on how to test the updated cipher list, we advise you to read https://help.twilio.com/articles/226478767-Monitoring-Updates-to-Twilio-REST-API-Security-Settings

Twilio Platform