Automatically select https (port 443) for V7 enphase devices
dlmcpaul opened this issue · 5 comments
It would be good to auto select HTTPS for enphase devices running the V7 firmware but allow downgrade if required.
Might be difficult since we don't know the version until we fetch the info.xml file.
Maybe try with passed in values and if failure retry with HTTPS?
I'm on one of the latest versions (D7.3.123) and port 80 is still open. I've verified I can pull down the info.xml file over http (doesn't require any authentication) so it makes sense for a good first step in determining how it proceeds.
That's good to know. I have a change for this but not yet ready to test with.
Interestingly your version is higher than any I have seen so far.
The latest is 7.3.130 for North America and 7.6.175 for Europe.
Source: https://www.cisa.gov/news-events/ics-advisories/icsa-23-171-01
I'm working with Enphase to get a new version to fix some further vulnerabilities I discovered, so there will be another version soon. Mine is going to be the guinea pig before they seek wider release.
RE: Port 80 vs 443, the gateway's NGINX instance will redirect all http to https unless they come from the IQ gateway itself (localhost, as some of the internal APIs consume other APIs) or in the 2 specific exception blocks below:
The HTTP always allowed paths are:
- "/info" for backwards compatibility to work out if this is a V7 token Gateway or not.
- "/admin/lib/dba" for support tunnel.
And HTTP is also allowed for when the user is accessing these URLs in access point mode:
- "/admin/lib/network_display"
- and "/admin/lib/wireless_display"
This is different from which URLs require authentication or not, just which will get redirected to HTTPS. Port 80 will be open but only the above criteria will dictate whether anything can be served over it other than a redirect.
I'm in the process of documenting which auth levels are required for which endpoints - and these recently changed, i.e. /stream/meter now (7.0.88 -> 7.6.175+) requires "prov" (3) or above. Owner is a "2", Installers are "6".
Hope this helps,
Matthew
> The HTTP always allowed paths are:
> - "/info" for backwards compatibility to work out if this is a V7 token Gateway or not.
That is good. I am relying on being able to access /info for autoselecting/detecting v7.
0.28 release has code to handle autoselection of 443 for the V7 firmware
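The detection approach discussed in this thread (fetch /info with the configured scheme, retry over https if that fails, then switch to https for V7 firmware unless a downgrade was explicitly asked for) written out as an added example; this is not the project's own code. The layout of the info.xml reply and the `fetch` callable are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET
from typing import Callable, Tuple

# Constructed /info reply for this example. The element names are an
# assumption about the info.xml layout, not something the thread spells out.
SAMPLE_INFO_V7 = ("<envoy_info><device><sn>PLACEHOLDER_SN</sn>"
                  "<software>D7.3.123</software></device></envoy_info>")
SAMPLE_INFO_V5 = SAMPLE_INFO_V7.replace("D7.3.123", "D5.0.62")


def firmware_version(info_xml: str) -> Tuple[int, int, int]:
    """Parse the <software> element, e.g. 'D7.3.123' -> (7, 3, 123)."""
    node = ET.fromstring(info_xml).find("./device/software")
    if node is None or not node.text:
        raise ValueError("no <software> element in /info reply")
    m = re.fullmatch(r"[A-Za-z]?(\d+)\.(\d+)\.(\d+)", node.text.strip())
    if not m:
        raise ValueError(f"unexpected firmware string {node.text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def detect_scheme(host: str, fetch: Callable[[str], str],
                  requested: str = "http", allow_downgrade: bool = False) -> str:
    """Fetch /info (always served over plain http per the thread) with the
    configured scheme, retrying over https; then pick https for V7+ firmware
    unless the caller explicitly allows a downgrade to the requested scheme."""
    info = None
    for scheme in dict.fromkeys((requested, "https")):   # de-duplicated order
        try:
            info = fetch(f"{scheme}://{host}/info")
            break
        except OSError:            # connection refused, TLS error, timeout ...
            continue
    if info is None:
        raise ConnectionError(f"could not fetch /info from {host}")
    if firmware_version(info)[0] >= 7 and not allow_downgrade:
        return "https"
    return requested


def fake_v7_gateway(url: str) -> str:
    """Stand-in for the network: a V7 gateway that answers /info on http only
    (everything else would be redirected to https, as described above)."""
    if url.startswith("http://") and url.endswith("/info"):
        return SAMPLE_INFO_V7
    raise OSError("simulated failure")
```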