Over the past couple months, Twilio has been testing additional safeguards and checks around SSL certificate validation. During the week of October 12th 2015, we deployed a change to our HTTP proxies to validate SSL certificates. This feature is enabled by default for all new accounts. We have deployed a change to our Account Portal so developers can choose to enable this validation.
What is the purpose of this safeguard?
The purpose of the certificate validation process is to prevent Man-in-the-Middle attacks on HTTPS connections.
How does this safeguard impact me?
This change impacts customers who use HTTPS endpoints to receive requests from Twilio. If certificate validation is enabled and you are using a self-signed, expired, mis-matched domain or a certificate not issued by a trusted-certificate authority*, HTTP requests to your application from Twilio will fail, which will result in a error notification. Error notifications are available in Monitor under Alerts.
*Twilio considers any Certificate Authority included in the Mozilla Trust Store and Java CA Store to be trusted.
How do I enable this safeguard?
This setting is enabled by default for all new Twilio accounts created after October 2015. We strongly recommend you maintain a valid certificate and enable certificate validation for all production applications.
You can enable or disable this safeguard within the “Account Settings” page under “SSL Certificate Validation.”
To help you debug failures related to certificate validation, we created three new error codes which will be thrown when certificate validation causes an HTTP request to fail.
11235: Certificate Invalid – Domain Mismatch
11236: Certificate Invalid – Certificate Expired
11237: Certificate Invalid – Could not find path to certificate
You can read more about these errors by following the links above to the error reference page or by by selecting “Alerts” under the Monitor product.
What additional resources are available?
You can validate that your endpoint is presenting a valid SSL certificate by pointing this tool from SSL labs at the endpoints you use to communicate with Twilio: https://www.ssllabs.com/ssltest/
As always, you can reach our Support Team at: firstname.lastname@example.org