Heroku和Twilio新的SHA2签名证书

Question

About a week ago I got the email below from Twilio letting me know about security updates and the possibility of compatibility issues on applications using older SSL client libraries. My app is hosted on Heroku , is not using a custom domain and piggy-backs on their SSL. This issue isn't an issue for me, is it? Heroku is usually on top of security and up to date on these things but googling I only find info on setting up SSL for custom domains on Heroku. Anyone have any ideas?

Twilio View Online Reminder: Security Certificate Changes

This is a reminder that on December 1, 2015 at 4:30 PM PT, we'll be updating api.twilio.com with a SHA2-signed certificate, a significant improvement in encryption technology. From the official announcement on October 8, 2015: Though the vast majority of applications will not be impacted in any way, there is a possibility that applications using older SSL client libraries may run into compatibility issues. To verify that your application is compatible with the new certificate, we've provided a test API endpoint at api.twilio.com:8443. Please note this endpoint uses a different port from the current default port of 443. Make sure you specify that port in your Twilio SDK.

The validation endpoint will be deprecated on December 1, 2015 when the new SHA2-signed certificate is deployed to the main Twilio API endpoint (port 443). Please let us know at help@twilio.com if you have any questions. We're always listening and we're here to help.

Cheers, Team Twilio

Answer 1

Twilio developer evangelist here.

This warning is not about your domain, but the SSL library on the platform on which you make API requests to Twilio.

Since you posted this question not long before the cut off came and it is now gone, I can't give you advice for testing this before the old certificates are removed. Basically, by now, if you are not seeing any errors in your application that makes calls to the Twilio API, then you are safe.

As you said, Heroku are normally on top of things like this and keep their SSL libraries up to date, so you should have nothing to worry about. I just spun up a dyno and ran some tests and everything seemed to work fine, so I suspect you have nothing to worry about.

If you were to have tested this before the change was made, you could have used the test endpoint on port 8443. In Ruby (I'm not sure what language you're using, but it's a good example anyway) you would do this:

require 'twilio-ruby'
account_sid = "AC123..." # your Twilio account sid
auth_token = "xyzabc..." # your Twilio auth token

client = Twilio::REST::Client.new(account_sid, auth_token, port: 8443)

Then, make any call to the API and check that it works over this port.

client.messages.list

If it does work then you are safe and have nothing to worry about.