====== UPMC Certificates ======
UPMC man in the middle's https traffic.
You might get the error on the terminal (from e.g. ''curl'')
> SSLError(SSLCerVerificationError, '[SSL: CERTIFICATE_VERIFY_FAILED] certifiacte verify failed: self signed certificate in certificate chain

or this message in firefox
> Software is Preventing Firefox From Safely Connecting to This Site
===== Firefox =====

Download [[http://upmccrl.upmc.com/CDP/UPMC-ROOT-CA.crt|UPMC-ROOT-CA.crt]] and import into Firefox like (instructions copied from [[https://docs.titanhq.com/en/3834-importing-ssl-certificate-in-mozilla-firefox.html|here]])

  - top right hamberger menu
  - options
  - scroll to ''Privacy & Security'' 's ''Certificates'' Section
  - Click ''View Certificates...''
  - ''Authorities'' and ''Import''

===== Terminal =====
for CLI and terminal programs, you can accept the certificate across the system.

To allow UPMC's cert in the SSL chain on debian, run:
<code>
  # as root
  cd /usr/local/share/ca-certificates/
  cert_loc=http://upmccrl.upmc.com/CDP/
  for crt in UPMC-CA23 UPMC-CA20 UPMC-ROOT-CA; do
     wget "$cert_loc/$crt.crt" -O "$crt.crt-der"
     # added 20230707
     openssl x509 -in $crt.crt-der -out $crt.crt -outform PEM
  done
  update-ca-certificates
</code>

===== Legacy =====

Newer (2023) ssl libraries packaged in debian are ahead of what UPMC's certs/network supports.

> ss1.SSLError: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled

See https://stackoverflow.com/questions/71603314/ssl-error-unsafe-legacy-renegotiation-disabled

Downgrade security with a custom SSL config:

<code>
export OPENSSL_CONF="/opt/ni_tools/slacktheme_bot/openssl.conf"
</code>

where conf looks like
<code>
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation
</code>

==== Python ====

newer ''urllib3'' may also cause problems with legacy certs. (UNCONFIRMED 20240117)
<code>
pip install urllib3==1.26.12
</code>

For python virtual enviornments, you may also want to manually append certificates to ''cacert.pem'' bundled with ''certifi''
<code>
pycert=$(python -c 'import certifi,os; print(os.readlink(os.path.dirname(certifi.__file__)+"/cacert.pem"))')

cat $newcert_pem >> $pycert
</code>

(Will note: ''cirtifi'' munged also useful for mitmproxy)