FAQ
abbrechen
Vorschläge aktivieren
Mit der automatischen Vorschlagsfunktion können Sie Ihre Suchergebnisse eingrenzen, da während der Eingabe mögliche Treffer angezeigt werden.
Suchergebnisse werden angezeigt für 
Anzeigen  nur  | Stattdessen suchen nach 
Meintest du: 
Anmelden
Neuer Nutzer? Jetzt registrieren

Q&A Viessmann API

Dear developer and smart home enthusiasts,

today, we want to contact you to talk with you about the recent activities that are taking place concerning the interface of the heating systems, also known as the Viessmann API. As most of you might have already received our Email in which we informed you about the upcoming changes concerning the use of the API, we would like to open this thread to continue the discussion openly and transparent with you and pick up on the discussions in this thread. Here is again a brief summary of the main points from our message:

> As Viessmann, it’s in our responsibility to provide our users with reliant and safe products, including features and services around those products

> We are impressed to see your interest in connecting and interacting with your heating system and that you found a solution for your specific use case without a description or support from our side

> However, it challenges us to check and channel the method and frequency of requests to our IoT Services in order to keep those stable and available for all our users

> What is even more important is that for these solutions, we as Viessmann currently cannot guarantee a safe and reliant operation of your heating system

This has the following steps that we have to take:

> In order to keep operation through our API safe and still give you the chance to interact with your system, we limit the use for all applications by setting a threshold for the requests. The limit is set for both a larger (e.g. daily) and a smaller (<15 mins) time scale. Reaching the limit will prevent you to execute any further requests with your account in the specific time frame. So please make sure to adapt the frequency of the requests of your current solution to avoid reaching the limitation.

> We are heavily working on providing a solution for all users that is 1) approved & safe to use, 2) properly explained and 3) gives you the functions and information you need for your specific use case. At the same time, this will also be moment when the solution is in place where we cannot allow any other ways of accessing our API. To make things clear: Your already built and currently used functions will still be able to use, it’s only that you will need a new API client provided through the Portal that can be self-managed by the user himself.

We also received a lot of questions via Mail and also in this forum, which we are going to answer for everyone individually. We also saw that the most common question among the responses was the demand for a local API. This is a reasonable request and we appreciate and take the demand very seriously. However, we will not able to provide you a solution for this in the near future. This feature (as all other features and requests by users) are permanently discussed and evaluated and brought together with all other strategic decisions that Viessmann is taking.

I again would like to encourage everyone to participate in the development and make sure to sign in here to get an early access to the Developer Portal. Also, we are hoping to have a constructive discussion here in this thread. We are really looking forward to work jointly together with you on ideas and co-create future solutions!

P.S.
As stated in the previous thread and in certain Emails we received, we are aware that some users might expect a communication in german from us, as Viessmann is of course a company with German heritage. However, since we are providing climate solutions all over the world and especially programming / APIs is natively described in english, there is no other option than communicating in english first. This has already been greatly explained by @thetrueavatar in the previous thread.

All the best!

Michael Hanna

Viessmann Developer Portal

EDIT:

In order to support you more on adjusting your current solutions according to the current limitation, here is how the threshold works:

We have a rate limit with sliding window. Whenever the first request arrives, we open a time window and count all request in that window. If the number of requests reach the limitation, we block all incoming user requests until the time window ends. Then, with the next user request, a new time window opens.
Currently, we have the following limits active:
120 calls for a time window of 10 minutes
1450 calls for a time window of 24 hours
Please take note that we are taking the right to adjust the limits if seen necessary. Information about adjustment of the threshold will be given with a reasonable amount of time in advance for all affected user.

EDIT2:

For all who experienced a ban after the limitation time frame with a few number of API requests: Our team fixed an issue with the limitation, which is taking effect since today and should solve this problem. We are still analyzing the behavior, but for now it looks ok.

‎16.03.2020 18:37
MichaelHanna
Viessmann
Viessmann
172 ANTWORTEN 172

Ok I get back my account for an 1 hour... I have disabled the cron and did at most 10 call but I'm banned again till tomorow 17h24pm.....

Even with my cron enabled it won't be possible to reach 1450 request in 1h30m... 

So either someone else is using my account, either your count doesn't reset to 0 on the due time....

It's very frustrating while I'm trying to refactor the code of the my api client to reduce load and prevent some of your user to be blocked.... 

‎17.03.2020 19:18
thetrueavatar
Profi III

Hi

Looks like the 24h limit is implemented as a 'moving' window (or however it is called)
Probably still suffering from the high load of the initial 20h or so

Michele

‎17.03.2020 19:26
Als Antwort auf thetrueavatar
ravanimi
Experte

Ok but then the ban must also be a moving window, not a fixed 24 hours...
‎17.03.2020 19:34
Als Antwort auf thetrueavatar
thetrueavatar
Profi III
0 Likes

You could only mitm if you had access to the list of trusted certificate that the Vitoconnect trust and add a mitm CA certificate. Then the mitm server would forge a fake Viessmann's certificate and so allow you to decode ssl. However, I didn't find any way to access to the Vitoconnect with a telent/ssh session and change the certificate "truststore".
‎17.03.2020 19:49
Als Antwort auf didy
thetrueavatar
Profi III
0 Likes

I am not sure if the threshold is working correctly, either. Just was able to open the ViCare app once, but then trying a single(!) login via API in ioBroker resulted in error 429 and so the App is also not working anymore. Quite irritating.
‎17.03.2020 19:55
Als Antwort auf thetrueavatar
Croydon
Profi II

Have you checked if they checking if the certificate is trusted? Or if the vitoconnect accept all certificates
‎17.03.2020 19:57
Als Antwort auf didy
HubertMaier
Profi
0 Likes

Yes that is the "problem". The communication takes place only outgoing to Azure MQTT via port 8883 using TLSv1.2 and client certificate. The hostname that is called has to be something like "xxx.azure-devices.com" or similar, but the client on the Vitoconnect seems to be very strict in checkings.
‎17.03.2020 19:57
Als Antwort auf didy
Croydon
Profi II

Sorry, I reread Michael's explanation and as you say it doesn't fit the behaviour.
Although he speaks of a sliding window but then explains an algo based on a fixed one.
Unless it is a mix, using a sliding window to count the accesses but a fixed one where the block is implemented.

Michele
‎17.03.2020 19:58
Als Antwort auf thetrueavatar
ravanimi
Experte
0 Likes

Kudos for trying this out already 🙂 Normally I would expect that the security checks are on the server side but if it is the client it is bad news. So indeed we might need to invest some effort into the optoling interface, we all have the cable already I suppose 🙂
‎17.03.2020 20:07
Als Antwort auf didy
adorobis
Profi II

Since they are working more than likely on Azure Api Gateway let's just check how to implement this ;-). I will ask tomorow to my colleague who is in charge of the Api Gateway(also Azure) to get more detail about the WAF(Web Application Firewall).
‎17.03.2020 20:08
Als Antwort auf thetrueavatar
thetrueavatar
Profi III


Please allow (optional) local access to the gateway, then this data does not necessarily have to be via your server.
‎17.03.2020 20:11
Als Antwort auf thetrueavatar
Alexander90
Willkommen zurück

@thetrueavatar You might be right, but I am not sure about that. They are using Azure MQTT IoT services for communication of Vitoconnect with their server. But the ips of the app API seem to belong to T-Systems (Telekom), so it might be that those are not routed to Azure at all. I was wrong about that. Checked the wrong ip. The API ip is indeed belonging to Azure, so your findings seem to be right.

‎17.03.2020 20:13
Als Antwort auf thetrueavatar
Croydon
Profi II
0 Likes

Either they are doing certificate pining ie trust directly the leaf certificate not a CA but then certificate as to be renew or have very long validity time. You would have to change the leaf certificate in the vitoconnect code to be able to do a mitm.
Either they are doing classical certificate validation with their own CA signed by a well known Root CA(GlobalSign,VerySign) or Self-Signed. You would have to add a custom CA to the OS to be able to forge the leaf certificate. That's what I did with the ViCare App by adding the mitm CA in the truststore of my smartphone.
I know that some app are using a vpn to do a mitm(packet capture on android) but not quite sure how they are doing.
‎17.03.2020 20:20
Als Antwort auf didy
thetrueavatar
Profi III
0 Likes

MQTT over TLS is working with server and client certificate. As far as I understood Azure requires the client to have a certificate that was issued by the same CA as the server certificate. Also the hostname has to be matching and the ca has to be trusted. So I see no way of doing a MITM for the MQTT connection of the Vitoconnect to Azure as you cannot alter the checks the client does nor alter the Vitoconnect truststore.
‎17.03.2020 20:23
Als Antwort auf didy
Croydon
Profi II
0 Likes

@thetrueavatar @Croydon could you list which calls are being made by your code and how often? Then we can check and see if it makes sense. We will also have a look at the threshold implementation and give you more information here. (@ravanimi also for your notice)
‎17.03.2020 21:07
Als Antwort auf thetrueavatar
MichaelHanna
Viessmann
Viessmann

@MichaelHanna my account was banned yesterday (17.3.2020) at about 17:15. I then disabled all scripts and could open the ViCare app tonight at about 18:00 one time. Then I tried re-enabling the connection through ioBroker, but it failed with error 429 directly after login when calling GET https://api.viessmann-platform.io/general-management/installations … So this was only one or two requests (besides the ViCare App) that triggered the error 429 again. I disabled the ioBroker directly after that, but until now (21:12) the ViCare app still is not able to connect. So the ban is still in place.

What about the suggestion to just enable MQTT to a second (local) server? This should be really easy to implement. Especially compared to a local api etc.

 

‎17.03.2020 21:12
Als Antwort auf thetrueavatar
Croydon
Profi II

Well Before 11 AM 17 marchi I was doing every 5 minutes this list of call:
- active mode
- active program
- outside temperature
- heating burner status
- HotWaterStorageTemperature
- Boiler temperature
- normal program temperature
- reduced program temperature
- slope & shift
- DHW schedule
- Heating scheduleA
- Room temperature
Every call first do an authentication, then do a call to general-management/installations andoperational-data/installations/gateways/gatewayId /devices/device_id/features.
I would say 12 authentication and 24 call to the API every 5 minutes this lead me to be ban today.


HOWEVER, I have disable all of those call on 11 AM this morning(17 march). I got my access back at 17h20 and did some manual call to test my refactoring.
I have done during 30 mintes 2-3 calls to get curve information 10 call to "general-management/installations" and "operational-data/installations/gateways/gatewayId /devices/device_id/features". That's all. And I have being ban again.


The lock is weird. The lock today was release on Tuesday, March 17, 2020 5:20:10.106 PM
The new one was set on Wednesday, March 18, 2020 5:23:42.988 PM
So it took me less than 4 minutes to be blocked !!! Moreover, I didn't test it in this timeframe...


Here is a received message right now:
{"viErrorId":"req-4485c64081604168a4ae9220d192fe8e","statusCode":429,"errorType":"RATE_LIMIT_EXCEEDED","message":"API calls rate limit has been exceeded. Please wait until your limit will renew.","extendedPayload":{"name":"ViCare day limit","requestCountLimit":1450,"clientId":"79742319xxxxxxxxx2a8","userId":"d61aexxxxxxxxxx-xxxx-7a492bb94efb","limitReset":1584548622988}}

 

‎17.03.2020 21:27
Als Antwort auf thetrueavatar
thetrueavatar
Profi III

Hello,

have Vicare accounts been (perma-)banned as result of these limits ?

Users have disabled their Home Assistant Vicare-integration, but the Android app continues to throw an error (not connected to server).

Can this also be addressed please?

‎18.03.2020 8:35
Tommmi
Profi
0 Likes

Hi @Tommmi,
thank you for your response. Accounts have not been perma-banned. After the limitation time frame has passed, you should be able to execute requests again with your account.
We will also have a look at the threshold implementation, since this issue has been stated by different users now. We will give you more information about it in this thread.
Hope this helps.
Best,
Michael
‎18.03.2020 8:42
Als Antwort auf Tommmi
MichaelHanna
Viessmann
Viessmann

@Croydon @thetrueavatar thank you for the explanation. This helps us in investigating the issue. We will check with our developer and keep you updated here.
Best,
Michael
‎18.03.2020 8:46
Als Antwort auf thetrueavatar
MichaelHanna
Viessmann
Viessmann
0 Likes

@MichaelHanna Just for information: I am still banned currently (08:47) and have not made any further requests.
‎18.03.2020 8:47
Als Antwort auf thetrueavatar
Croydon
Profi II
0 Likes

How about suspending this treshold in production environment and do your test in the decicated test/acceptance environment as every professional company does for their IT ? Is that your way to do to test directly in in production ?
‎18.03.2020 8:50
Als Antwort auf Tommmi
thetrueavatar
Profi III

@thetrueavatar:
Thanks for your explanation. I am observing the same (no wonder!). Additionally of course the ViCare App is banned also, do the calls by this app also count?

 

I deactivated all my API calls, in order to see if ViCare is coming back.

‎18.03.2020 8:50
Als Antwort auf thetrueavatar
JueBag
Experte II
0 Likes

ban last 24 hour....
‎18.03.2020 8:50
Als Antwort auf thetrueavatar
thetrueavatar
Profi III
0 Likes

On the Home Assistant forum, users are saying their iOS app are not banned, but their home automation integration is banned, and Android apps also get banned ???
‎18.03.2020 9:04
Als Antwort auf Tommmi
Tommmi
Profi
0 Likes
verwandte Themen
Top-Lösungsautoren
Alle anzeigen

Weitersurfen

abbrechen
Vorschläge aktivieren
Mit der automatischen Vorschlagsfunktion können Sie Ihre Suchergebnisse eingrenzen, da während der Eingabe mögliche Treffer angezeigt werden.
Suchergebnisse werden angezeigt für 
Anzeigen  nur  | Stattdessen suchen nach 
Meintest du: 
Anmelden
Neuer Nutzer? Jetzt registrieren