Private/AzStackHci.Layer7.Helpers.ps1
|
# //////////////////////////////////////////////////////////////////////////// # Strict Mode v1 (PS 5.1 safe) - surfaces reads of uninitialised variables at runtime. Set-StrictMode -Version 1.0 # Helper function to extract CRL Distribution Point and OCSP responder URLs from # a leaf X509Certificate2. Used when the CRL/OCSP revocation check is offline, so # callers can surface the specific dependency URLs to the user and optionally # append dedicated test rows for them. # # Returns @{ CRL = @(<http urls>); OCSP = @(<http urls>) } (empty arrays if the # certificate has no such extensions). Non-http scheme entries (e.g. ldap://) # are filtered out as they are not applicable for Azure Local. # # This is a private helper for Test-Layer7Connectivity / Get-Layer7CertificateDetails. Function Get-CertRevocationEndpoints { [CmdletBinding()] param ( [Parameter(Mandatory=$true)] [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate ) $result = @{ CRL = @(); OCSP = @() } try { foreach ($ext in $Certificate.Extensions) { if (-not $ext -or -not $ext.Oid) { continue } $oid = $ext.Oid.Value if ($oid -ne $script:CRL_DP_OID -and $oid -ne $script:AIA_OID) { continue } # Format(true) expands the ASN.1 into a human-readable multi-line string # containing 'URL=http://...' or 'URL=ldap://...' lines. $formatted = $ext.Format($true) $urlMatches = [regex]::Matches($formatted, 'URL\s*=\s*(\S+)', 'IgnoreCase') foreach ($m in $urlMatches) { $candidate = ($m.Groups[1].Value).Trim().TrimEnd(',', ';', ')', ']') if ([string]::IsNullOrWhiteSpace($candidate)) { continue } if ($candidate -notmatch '^https?://') { continue } # skip ldap://, etc. if ($oid -eq $script:CRL_DP_OID) { if ($result.CRL -notcontains $candidate) { $result.CRL += $candidate } } else { if ($result.OCSP -notcontains $candidate) { $result.OCSP += $candidate } } } } } catch { Write-Debug "Get-CertRevocationEndpoints: error parsing extensions - $($_.Exception.Message)" } return $result } # //////////////////////////////////////////////////////////////////////////// # Helper function to get certificate details for an endpoint # # Certificate chain validation flow: # 1. If HTTPS: calls Get-AzSHciSslCertificateChain to retrieve the full X509 chain (leaf, intermediate, root) # 2. Validates the leaf certificate using Test-Certificate -Policy SSL # 3. Then validates the leaf certificate against the specific DNS name # 4. If either validation fails: marks as SSL Inspection detected (sets $script:SSLInspectionDetected) # 5. Extracts Subject, Issuer, and Thumbprint for all three chain levels # 6. If HTTP (port 80): skips all cert checks and fills fields with "Port 80 - SSL not required" # 7. If cert retrieval fails: fills fields with "Error retrieving certificates" # # This is a private helper function for Test-Layer7Connectivity Function Get-Layer7CertificateDetails { param ( [Parameter(Mandatory=$true)] [string]$url, [Parameter(Mandatory=$true)] [string]$Layer7Status, [Parameter(Mandatory=$false)] [string]$ReturnLayer7Response = "" ) # Initialize return hashtable $CertDetails = @{ Layer7Status = $Layer7Status ReturnLayer7Response = $ReturnLayer7Response ReturnCertIssuer = "" ReturnCertSubject = "" ReturnCertThumbprint = "" ReturnCertIntIssuer = "" ReturnCertIntSubject = "" ReturnCertIntThumbprint = "" ReturnCertRootIssuer = "" ReturnCertRootSubject = "" ReturnCertRootThumbprint = "" } # Initialised here so the HTTP (port 80) path - which skips the HTTPS cert-retrieval # branch - never leaves these variables undefined when they are read below # ('if ($Certificates)' / 'elseif ($NoCertificatesRequired)') under Set-StrictMode -Version 1.0. $Certificates = $null $NoCertificatesRequired = $false try { # Check if the URL is HTTPS if($url -match "https://"){ # Get the certificate chain for the URL # The function will check for SSL inspection, and return the certificate issuer # The function will return the certificate issuer, thumbprint, and subject. # NOTE: function renamed in v0.6.6 from Get-SslCertificateChain to avoid a name # collision with AzStackHci.EnvironmentChecker (10.2509+) which exports a function # of the same name with a different parameter set. $Certificates = Get-AzSHciSslCertificateChain -url $url -AllowAutoRedirect $false -ErrorAction SilentlyContinue # Retry once if cert retrieval failed (intermittent backend pool server issues can cause TLS handshake timeouts) if(-not $Certificates){ Write-Debug "Certificate retrieval failed for '$url', retrying once..." $Certificates = Get-AzSHciSslCertificateChain -url $url -AllowAutoRedirect $false -ErrorAction SilentlyContinue } } else { # No certificate required for HTTP (port 80) $NoCertificatesRequired = $true Write-Verbose "Port 80: SSL certificate checks not required." } # Get Certificate details if($Certificates){ # Get the certificate chain elements array with bounds safety $chainCerts = $Certificates.ChainElements.Certificate [int]$chainCount = if ($chainCerts) { @($chainCerts).Count } else { 0 } # Check if the certificate chain is not null if($chainCount -gt 0){ Write-Verbose "Certificates Chain found with $chainCount parts" } else { # No certificate found Write-HostAzS "Error: No SSL Certificates found" -ForegroundColor Red } # Leaf certificate (index 0) - only access if chain has at least 1 element if($chainCount -ge 1){ # Check if the certificate subject is not null if(-not([string]::IsNullOrWhiteSpace($chainCerts[0].Subject))){ # Set the certificate subject to the variable $CertDetails.ReturnCertSubject = $chainCerts[0].Subject # Check the certificate using Test-Certificate, to check if the certificate is trusted for SSL # Check if the certificate is trusted for SSL if(Test-Certificate -Cert $chainCerts[0] -Policy SSL -ErrorAction SilentlyContinue -ErrorVariable certError -WarningAction SilentlyContinue){ # Certificate is valid for SSL Write-Verbose "Certificate is trusted for SSL: $($CertDetails.ReturnCertSubject)" # Check if the certificate is valid for the URL if(Test-Certificate -Cert $chainCerts[0] -Policy SSL -DNSName (Get-DomainFromURL -url $url).Domain -ErrorAction SilentlyContinue -ErrorVariable certError -WarningAction SilentlyContinue){ # Certificate is a valid for URL Write-Verbose "Certificate is a valid for endpoint: $url" } else { # Certificate is not valid for URL Write-HostAzS "Certificate is not valid for endpoint: $url" -ForegroundColor Red Write-HostAzS "Possible SSL Inspection detected, certificate is not trusted." -ForegroundColor Yellow Write-HostAzS "Returned certificate subject: '$($CertDetails.ReturnCertSubject)'" -ForegroundColor Yellow $CertDetails.Layer7Status = "Failed" $CertDetails.ReturnLayer7Response = $CertDetails.ReturnLayer7Response + " - SSL Inspection detected" $script:SSLInspectionDetected = $true $script:SSLInspectedURLs.Add($url) | Out-Null } } else { # Test-Certificate failed. Distinguish two cases: # (a) Chain is trusted locally but CRL/OCSP endpoint is unreachable -> CRL/OCSP offline (NOT SSL inspection) # (b) Chain is not trusted by local root store -> SSL inspection (or legitimately untrusted cert) # Perform a revocation-independent chain build against the captured leaf to tell them apart. $isRevocationOffline = $false $revNoneChain = $null try { $revNoneChain = [System.Security.Cryptography.X509Certificates.X509Chain]::new() $revNoneChain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck $revNoneChain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain $null = $revNoneChain.Build($chainCerts[0]) # If revocation-independent build succeeds, failure must be revocation-only if ($revNoneChain.ChainStatus.Count -eq 0) { # Confirm the original certError mentioned a revocation-offline token $certErrorText = ($certError | Out-String) foreach ($token in $script:CERT_CHAIN_STATUS_REVOCATION_OFFLINE) { if ($certErrorText -match [regex]::Escape($token)) { $isRevocationOffline = $true; break } } # Also inspect the revocation-enabled chain's status tokens as a second source of truth if (-not $isRevocationOffline) { $revFullChain = $null try { $revFullChain = [System.Security.Cryptography.X509Certificates.X509Chain]::new() $revFullChain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online $revFullChain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain $null = $revFullChain.Build($chainCerts[0]) foreach ($cs in $revFullChain.ChainStatus) { if ($script:CERT_CHAIN_STATUS_REVOCATION_OFFLINE -contains $cs.Status.ToString()) { $isRevocationOffline = $true; break } } } catch { Write-Debug "Revocation-enabled chain build failed for '$url': $($_.Exception.Message)" } finally { if ($revFullChain) { $revFullChain.Dispose() } } } } } catch { Write-Debug "Revocation-independent chain build failed for '$url': $($_.Exception.Message)" } finally { if ($revNoneChain) { $revNoneChain.Dispose() } } if ($isRevocationOffline) { # Chain is trusted locally but CRL/OCSP is unreachable — mark as Failed with a distinct response Write-HostAzS "Certificate chain is trusted, but CRL/OCSP revocation check is offline for: $($CertDetails.ReturnCertSubject)" -ForegroundColor Yellow Write-HostAzS "This is NOT SSL Inspection — a CRL/OCSP endpoint used by the CA is unreachable from this host." -ForegroundColor Yellow $CertDetails.Layer7Status = "Failed" $CertDetails.ReturnLayer7Response = $CertDetails.ReturnLayer7Response + " - CRL/OCSP unreachable" if (-not ($script:CRLOfflineURLs -contains $url)) { $script:CRLOfflineURLs.Add($url) | Out-Null } # Extract CRL Distribution Points + OCSP responders from the leaf and # append (deduped) dependency rows to $script:Results so the existing # remaining-URLs loop tests them as first-class endpoints. try { $revEndpoints = Get-CertRevocationEndpoints -Certificate $chainCerts[0] $crlAdded = 0; $ocspAdded = 0 foreach ($crlUrl in $revEndpoints.CRL) { if ($crlAdded -ge $script:CRL_MAX_DP_PER_CERT) { break } Add-CrlDependencyRowToResults -Kind 'CRL' -DependencyURL $crlUrl -ParentURL $url $crlAdded++ } foreach ($ocspUrl in $revEndpoints.OCSP) { if ($ocspAdded -ge $script:CRL_MAX_OCSP_PER_CERT) { break } Add-CrlDependencyRowToResults -Kind 'OCSP' -DependencyURL $ocspUrl -ParentURL $url $ocspAdded++ } # Write the discovered revocation endpoints to the parent's Note so the # HTML/CSV/JSON output clearly links parent -> child row(s). $revSummaryParts = @() if ($revEndpoints.CRL.Count -gt 0) { $revSummaryParts += "CRL: $(($revEndpoints.CRL | Select-Object -First $script:CRL_MAX_DP_PER_CERT) -join ', ')" } if ($revEndpoints.OCSP.Count -gt 0) { $revSummaryParts += "OCSP: $(($revEndpoints.OCSP | Select-Object -First $script:CRL_MAX_OCSP_PER_CERT) -join ', ')" } if ($revSummaryParts.Count -gt 0) { $revSummary = $revSummaryParts -join ' | ' $CertDetails.ReturnLayer7Response = $CertDetails.ReturnLayer7Response + " [$revSummary]" } else { Write-Debug "CRL/OCSP offline for '$url' but no revocation endpoints found in leaf certificate extensions" } } catch { Write-Debug "Error extracting/adding CRL/OCSP dependency rows for '$url': $($_.Exception.Message)" } } else { # Certificate is not valid for SSL Write-HostAzS "Certificate is not trusted for SSL: $($CertDetails.ReturnCertSubject)" -ForegroundColor Red # SSL inspection detected Write-HostAzS "Possible SSL Inspection detected, certificate is not trusted." -ForegroundColor Yellow $CertDetails.Layer7Status = "Failed" $CertDetails.ReturnLayer7Response = $CertDetails.ReturnLayer7Response + " - SSL Inspection detected" $script:SSLInspectionDetected = $true $script:SSLInspectedURLs.Add($url) | Out-Null } } } else { # No certificate subject found $CertDetails.ReturnCertSubject = "No certificate common name found" } # Check if the certificate issuer is not null if(-not([string]::IsNullOrWhiteSpace($chainCerts[0].Issuer))){ # Set the certificate issuer to the variable $CertDetails.ReturnCertIssuer = $chainCerts[0].Issuer } else { # No certificate issuer found $CertDetails.ReturnCertIssuer = "No certificate issuer found" } # Check if the certificate thumbprint is not null if(-not([string]::IsNullOrWhiteSpace($chainCerts[0].Thumbprint))){ # Set the certificate thumbprint to the variable $CertDetails.ReturnCertThumbprint = $chainCerts[0].Thumbprint } else { # No certificate thumbprint found $CertDetails.ReturnCertThumbprint = "No certificate thumbprint found" } } else { $CertDetails.ReturnCertSubject = "No leaf certificate found in chain" $CertDetails.ReturnCertIssuer = "No leaf certificate found in chain" $CertDetails.ReturnCertThumbprint = "No leaf certificate found in chain" } # Intermediate certificate (index 1) - only access if chain has at least 2 elements if($chainCount -ge 2){ # Check if the intermediate certificate subject is not null if(-not([string]::IsNullOrWhiteSpace($chainCerts[1].Subject))){ # Set the certificate issuer to the variable $CertDetails.ReturnCertIntSubject = $chainCerts[1].Subject } else { # No intermediate certificate Subject found $CertDetails.ReturnCertIntSubject = "No intermediate certificate common name found" } # Check if the intermediate certificate issuer is not null if(-not([string]::IsNullOrWhiteSpace($chainCerts[1].Issuer))){ # Set the certificate issuer to the variable $CertDetails.ReturnCertIntIssuer = $chainCerts[1].Issuer } else { # No intermediate certificate issuer found $CertDetails.ReturnCertIntIssuer = "No intermediate certificate issuer found" } # Check if the intermediate certificate thumbprint is not null if(-not([string]::IsNullOrWhiteSpace($chainCerts[1].Thumbprint))){ # Set the certificate thumbprint to the variable $CertDetails.ReturnCertIntThumbprint = $chainCerts[1].Thumbprint } else { # No intermediate certificate thumbprint found $CertDetails.ReturnCertIntThumbprint = "No intermediate certificate thumbprint found" } } else { $CertDetails.ReturnCertIntSubject = "No intermediate certificate in chain" $CertDetails.ReturnCertIntIssuer = "No intermediate certificate in chain" $CertDetails.ReturnCertIntThumbprint = "No intermediate certificate in chain" } # Root certificate (index 2) - only access if chain has at least 3 elements if($chainCount -ge 3){ # Check if the root certificate subject is not null if(-not([string]::IsNullOrWhiteSpace($chainCerts[2].Subject))){ # Set the certificate issuer to the variable $CertDetails.ReturnCertRootSubject = $chainCerts[2].Subject } else { # No root certificate Subject found $CertDetails.ReturnCertRootSubject = "No root certificate common name found" } # Check if the root certificate issuer is not null if(-not([string]::IsNullOrWhiteSpace($chainCerts[2].Issuer))){ # Set the certificate issuer to the variable $CertDetails.ReturnCertRootIssuer = $chainCerts[2].Issuer } else { # No root certificate issuer found $CertDetails.ReturnCertRootIssuer = "No root certificate issuer found" } # Check if the root certificate thumbprint is not null if(-not([string]::IsNullOrWhiteSpace($chainCerts[2].Thumbprint))){ # Set the certificate thumbprint to the variable $CertDetails.ReturnCertRootThumbprint = $chainCerts[2].Thumbprint } else { # No root certificate thumbprint found $CertDetails.ReturnCertRootThumbprint = "No root certificate thumbprint found" } } else { $CertDetails.ReturnCertRootSubject = "No root certificate in chain" $CertDetails.ReturnCertRootIssuer = "No root certificate in chain" $CertDetails.ReturnCertRootThumbprint = "No root certificate in chain" } } elseif($NoCertificatesRequired){ # No certificate found, as the port is 80 $CertDetails.ReturnCertIssuer = "Port 80 - SSL not required" $CertDetails.ReturnCertSubject = "Port 80 - SSL not required" $CertDetails.ReturnCertThumbprint = "Port 80 - SSL not required" $CertDetails.ReturnCertIntIssuer = "Port 80 - SSL not required" $CertDetails.ReturnCertIntSubject = "Port 80 - SSL not required" $CertDetails.ReturnCertIntThumbprint = "Port 80 - SSL not required" $CertDetails.ReturnCertRootIssuer = "Port 80 - SSL not required" $CertDetails.ReturnCertRootSubject = "Port 80 - SSL not required" $CertDetails.ReturnCertRootThumbprint = "Port 80 - SSL not required" Write-Verbose "Port 80: SSL certificate checks not required." } else { # No certificate found, but expected $CertDetails.ReturnCertIssuer = "Error retrieving certificates" $CertDetails.ReturnCertSubject = "Error retrieving certificates" $CertDetails.ReturnCertThumbprint = "Error retrieving certificates" $CertDetails.ReturnCertIntIssuer = "Error retrieving certificates" $CertDetails.ReturnCertIntSubject = "Error retrieving certificates" $CertDetails.ReturnCertIntThumbprint = "Error retrieving certificates" $CertDetails.ReturnCertRootIssuer = "Error retrieving certificates" $CertDetails.ReturnCertRootSubject = "Error retrieving certificates" $CertDetails.ReturnCertRootThumbprint = "Error retrieving certificates" Write-HostAzS "Error retrieving certificates..." -ForegroundColor Red } } catch { # Catch any unexpected errors during certificate chain processing Write-HostAzS "Error processing certificate details for '$url': $($_.Exception.Message)" -ForegroundColor Red $CertDetails.ReturnCertIssuer = "Error: $($_.Exception.Message)" $CertDetails.ReturnCertSubject = "Error: $($_.Exception.Message)" $CertDetails.ReturnCertThumbprint = "Error: $($_.Exception.Message)" $CertDetails.ReturnCertIntIssuer = "Error: $($_.Exception.Message)" $CertDetails.ReturnCertIntSubject = "Error: $($_.Exception.Message)" $CertDetails.ReturnCertIntThumbprint = "Error: $($_.Exception.Message)" $CertDetails.ReturnCertRootIssuer = "Error: $($_.Exception.Message)" $CertDetails.ReturnCertRootSubject = "Error: $($_.Exception.Message)" $CertDetails.ReturnCertRootThumbprint = "Error: $($_.Exception.Message)" } return $CertDetails } # //////////////////////////////////////////////////////////////////////////// # Helper function to get certificate details for failed endpoints # This is a private helper function for Test-Layer7Connectivity Function Get-FailedEndpointCertificateDetails { param ( [Parameter(Mandatory=$true)] [string]$url ) # Initialize return hashtable $CertDetails = @{ ReturnCertIssuer = "" ReturnCertSubject = "" ReturnCertThumbprint = "" ReturnCertIntIssuer = "" ReturnCertIntSubject = "" ReturnCertIntThumbprint = "" ReturnCertRootIssuer = "" ReturnCertRootSubject = "" ReturnCertRootThumbprint = "" } # Check if the URL is HTTPS if($url -match "https://"){ # Do not attempt to check the certificate, as the Layer7Status is not "Success" Write-Debug "Unable to check certificates, as Layer7Status is 'Failed'" $CertDetails.ReturnCertIssuer = "Failed - Certificate not checked" $CertDetails.ReturnCertSubject = "Failed - Certificate not checked" $CertDetails.ReturnCertThumbprint = "Failed - Certificate not checked" $CertDetails.ReturnCertIntIssuer = "Failed - Certificate not checked" $CertDetails.ReturnCertIntSubject = "Failed - Certificate not checked" $CertDetails.ReturnCertIntThumbprint = "Failed - Certificate not checked" $CertDetails.ReturnCertRootIssuer = "Failed - Certificate not checked" $CertDetails.ReturnCertRootSubject = "Failed - Certificate not checked" $CertDetails.ReturnCertRootThumbprint = "Failed - Certificate not checked" } else { # No certificate required for HTTP (port 80) $CertDetails.ReturnCertIssuer = "Failed - (But Certificate not required for port 80)" $CertDetails.ReturnCertSubject = "Failed - (But Certificate not required for port 80)" $CertDetails.ReturnCertThumbprint = "Failed - (But Certificate not required for port 80)" $CertDetails.ReturnCertIntIssuer = "Failed - (But Certificate not required for port 80)" $CertDetails.ReturnCertIntSubject = "Failed - (But Certificate not required for port 80)" $CertDetails.ReturnCertIntThumbprint = "Failed - (But Certificate not required for port 80)" $CertDetails.ReturnCertRootIssuer = "Failed - (But Certificate not required for port 80)" $CertDetails.ReturnCertRootSubject = "Failed - (But Certificate not required for port 80)" $CertDetails.ReturnCertRootThumbprint = "Failed - (But Certificate not required for port 80)" } return $CertDetails } # //////////////////////////////////////////////////////////////////////////// # Pure decision predicate for the Auto-mode HEAD->GET fallback in Test-Layer7Connectivity. # Extracted so the fallback decision can be unit-tested deterministically without having to # fabricate a live System.Net.WebException response graph (HttpWebResponse has no usable public # constructor in PS 5.1, so the detection of $IsProtocolError stays inline in the caller and the # resulting boolean is passed in here). Function Test-HeadToGetFallbackRequired { <# .SYNOPSIS Decides whether an Auto-mode HEAD attempt should be retried as GET. .DESCRIPTION Returns $true when ALL of the following hold: - RequestMethod is 'Auto' (HEAD-first with a GET safety net), - a HEAD->GET fallback has not already been attempted for this URL, - this is the first request (RedirectCount -eq 1), not a redirected hop, AND at least one of: - the HEAD attempt returned (405) Method Not Allowed, - the HEAD attempt returned (400) Bad Request, - the HEAD attempt was classified Failed AND came back with an actual HTTP response (IsProtocolError). A HEAD carries no body and frequently omits the Server header, so Get-HttpStatusInterpretation cannot disambiguate a 4xx such as 403 Forbidden; GET returns those, so a GET retry yields an authoritative result. Transport-level failures (connect / DNS / timeout / TLS) are NOT protocol errors and so never trigger a GET retry — GET would fail identically, and those retries are handled elsewhere. .OUTPUTS [bool] #> [OutputType([bool])] param ( [Parameter(Mandatory = $true)] [string]$RequestMethod, [Parameter(Mandatory = $true)] [bool]$HeadFallbackAlreadyTried, [Parameter(Mandatory = $true)] [int]$RedirectCount, [Parameter(Mandatory = $false)] [string]$Layer7Response, [Parameter(Mandatory = $false)] [string]$Layer7Status, [Parameter(Mandatory = $false)] [bool]$IsProtocolError ) if ($RequestMethod -ne 'Auto') { return $false } if ($HeadFallbackAlreadyTried) { return $false } if ($RedirectCount -ne 1) { return $false } if ($Layer7Response -eq '(405) Method Not Allowed') { return $true } if ($Layer7Response -eq '(400) Bad Request') { return $true } if (($Layer7Status -eq 'Failed') -and $IsProtocolError) { return $true } return $false } # //////////////////////////////////////////////////////////////////////////// # Helper function to interpret HTTP status codes and exception responses # This is a private helper function for Test-Layer7Connectivity # It determines whether a failed web request should be treated as "Success" (endpoint reachable) # or "Failed" (endpoint unreachable) based on the response string, server headers, and endpoint URL. # Documentation: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status Function Get-HttpStatusInterpretation { param ( [Parameter(Mandatory=$true)] [string]$Layer7Response, [Parameter(Mandatory=$false)] [object]$IwrError, [Parameter(Mandatory=$false)] [string]$OriginalURL ) # Check if the response is a known value if($Layer7Response -eq "Unable to connect to the remote server"){ # Overwrite the Layer7Status to "Failed". return "Failed" } elseif($Layer7Response -eq "The operation has timed out"){ # Overwrite the Layer7Status to "Failed". return "Failed" } elseif($Layer7Response -like "The remote name could not be resolved*"){ # Overwrite the Layer7Status to "Failed". return "Failed" } elseif($Layer7Response -eq "(400) Bad Request"){ # Request was successful, but it was a bad request return "Success" } elseif($Layer7Response -eq "(401) Unauthorized"){ # Request was successful, but the request was not authorized return "Success" } elseif($Layer7Response -eq "(404) Not Found"){ # Request was successful, but the remote server returned no content from the root of the web server (404 page not found). return "Success" # Exception handling for 403 Forbidden responses } elseif($Layer7Response -eq "(403) Forbidden"){ # Additional connectivity test for 403 Forbidden, to check if the URL is accessible if($($IwrError.ErrorRecord.Exception.Response.Server) -like "Microsoft-IIS*") { # Microsoft IIS Server detected, valid connection return "Success" } elseif($($IwrError.ErrorRecord.Exception.Response.Server) -like "Microsoft-HTTPAPI*") { # Microsoft HTTPAPI Server detected, valid connection return "Success" } elseif($($IwrError.ErrorRecord.Exception.Response.Server) -like "AkamaiGHost*") { # AkamaiGHost detected, valid connection return "Success" } elseif($($IwrError.ErrorRecord.Exception.Response.Server) -like "AkamaiNetStorage*") { # AkamaiNetStorage detected, valid connection return "Success" } elseif($($IwrError.ErrorRecord.Exception.Response.Server) -like "Qwilt*") { # Qwilt detected, valid connection return "Success" } elseif($($IwrError.ErrorRecord.Exception.Response.Server) -like "AzureContainerRegistry") { # AzureContainerRegistry detected, valid connection return "Success" } elseif(($($IwrError.ErrorRecord.Exception.Response.Server) -eq "nginx") -and ($OriginalURL -eq "tlu.dl.delivery.mp.microsoft.com")) { # Windows Update endpoint 'tlu.dl.delivery.mp.microsoft.com', with Server "nginx" can intermittently return a 403 response # Set status to successful connection return "Success" } elseif(($($IwrError.ErrorRecord.Exception.Response.Server) -like "Amazon*") -and ($OriginalURL -eq "download.hitachivantara.com")) { # SBE endpoint: download.hitachivantara.com detected has Server "AmazonS3" # Set status to successful connection return "Success" } elseif($($IwrError.ErrorRecord.Exception.Response.StatusDescription) -eq "Forbidden - unexpected URL format") { # "Forbidden - unexpected URL format" detected, valid connection # Example URL: tlu.dl.delivery.mp.microsoft.com on port 80, which intermittently changes between "AkamaiGHost" and a null value for "$_.Exception.Response.Server" return "Success" } elseif($($IwrError.ErrorRecord.Exception.Response.Headers) -contains "x-azure-ref") { # Azure Front Door response detected, valid connection return "Success" } elseif($($IwrError.ErrorRecord.Exception.Response.Headers) -contains "X-MSEdge-Ref") { # Microsoft Edge response detected, valid connection return "Success" } elseif($($IwrError.ErrorRecord.Exception.Response.Headers) -contains "x-ms-request-id") { # Microsoft Edge response detected, valid connection return "Success" } elseif($($IwrError.ErrorRecord.Exception.Response.Headers) -contains "Location") { # Additional check for "Location" header in the response # This is used by some Microsoft services to indicate a redirect if($($IwrError.ErrorRecord.Exception.Response.Headers["Location"]) -like "*mscom.errorpage.failover.com*") { # Microsoft web server response detected, valid connection return "Success" } # Location header present but not a known Microsoft redirect - fall through to default Failed return "Failed" } elseif($($IwrError.ErrorRecord.Exception.Response.Server) -like "Zscaler*") { # Zscaler response detected, invalid connection # Known firewall / proxy device intercepting requests # Set status to Failed return "Failed" } elseif($IwrError.Message.ToString().Contains("You do not have permission to view this directory or page using the credentials that you supplied.")){ # Expected response from a couple of endpoints # Response: "403 - Forbidden: Access is denied." # Server Error # Server example: 'https://azurewatsonanalysis-prod.core.windows.net' and key vaults # Response: "403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied." # You do not have permission to view this directory or page using the credentials that you supplied. return "Success" } else { # ////// All other 403 Forbidden responses /////// # Unknown, set Layer7Status to "Failed" return "Failed" } } elseif($Layer7Response -eq "(405) Method Not Allowed"){ # Overwrite the Layer7Status to "Failed". # https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/405 if(($($IwrError.ErrorRecord.Exception.Response.Server) -like "Microsoft*")) { # https://dataonsbe.azurewebsites.net/download returns a 405, valid connection return "Success" } else { return "Failed" } } elseif($Layer7Response -eq "(408) Request Timeout"){ # Overwrite the Layer7Status to "Failed". # https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/408 return "Failed" } elseif($Layer7Response -eq "(429) Too Many Requests"){ # Overwrite the Layer7Status to "Success", as this the server is responding with a "429" Too Many Requests # https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/429 return "Success" } elseif($Layer7Response -eq "(500) Internal Server Error"){ # The server returned a 500 error, but connectivity to the endpoint was established successfully. # This indicates the endpoint is reachable (firewall/proxy rules are correct), even though the service has an internal error. # https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500 return "Success" } elseif($Layer7Response -eq "(502) Bad Gateway"){ # Overwrite the Layer7Status to "Failed", another device can respond. # https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/502 # Additional check for 502 Bad Gateway, to check for "Microsoft-Azure-Application-Gateway/v2" in the response if($($IwrError.ErrorRecord.Exception.Response.Server) -like 'Microsoft-Azure-Application-Gateway*') { Write-Verbose "Azure Application Gateway response detected, valid connection" return "Success" # Additional check for Arc Gateway response } elseif($IwrError.Message.ToString().Contains("Our services aren't available right now") -and (($OriginalURL -like "*.gw.arc.azure.com") -or ($OriginalURL -eq "dp.stackhci.azure.com"))) { Write-Verbose "Azure Front Door response detected, valid connection" return "Success" } elseif($($IwrError.ErrorRecord.Exception.Response.Headers) -contains "x-azure-ref") { # Azure Front Door response detected, valid connection even though the response is 502 Bad Gateway Write-Verbose "Azure Front Door response detected, valid connection" return "Success" } else { return "Failed" } } elseif($Layer7Response -eq "(503) Server Unavailable"){ # Overwrite the Layer7Status to "Success". # 503 status code indicates that the server is not ready to handle the request. # This can be due to the server being overloaded or down for maintenance. # https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/503 return "Success" # Could not 'Could not establish trust relationship for the SSL/TLS secure channel' } elseif($Layer7Response -like "*Could not establish trust relationship for the SSL/TLS secure channel"){ # Overwrite the Layer7Status to "Failed" return "Failed" # ////// All other / unhandled exceptions treat as Failed ////// } else { # Overwrite the Layer7Status to "Failed" return "Failed" } } # //////////////////////////////////////////////////////////////////////////// # NOTE: A previous helper `Resolve-Layer7Redirect` was removed in v0.6.7 because: # 1. It was never called anywhere in the module (dead code), and # 2. It pushed raw STRINGS into $script:RedirectedResults, but the live redirect # path uses Add-RedirectedUrlToResults (Connectivity.Helpers.ps1) which pushes # properly-shaped [PSCustomObject] entries with .url / .Port / .RowID / etc. # Mixing the two shapes would have broken Phase-4 redirect-URL processing, the # RowID-keyed JSON output, and the parallel-fan-out merge dedupe added in v0.6.7 # (Merge-Layer7WorkerResult). Deleting the dead function eliminates that latent # polymorphism bug. If a future change needs to centralise redirect handling, # extend Add-RedirectedUrlToResults instead. # //////////////////////////////////////////////////////////////////////////// # SIG # Begin signature block # MIInRgYJKoZIhvcNAQcCoIInNzCCJzMCAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCC7957t1WGpcHR+ # BHnKzbXfubLMo73+5c7hHrKvYUpda6CCDLowggX1MIID3aADAgECAhMzAAACHU0Z # yE7XD1dIAAAAAAIdMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNVBAYTAlVTMR4wHAYD # VQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBD # b2RlIFNpZ25pbmcgUENBIDIwMjQwHhcNMjYwNDE2MTg1OTQzWhcNMjcwNDE1MTg1 # OTQzWjB0MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE # BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYD # VQQDExVNaWNyb3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IB # DwAwggEKAoIBAQDQvewXxx9gZZFC6Ys1WBay8BJ8kGA4JQnH5CMafqOASlTpK9H8 # o5ZXTXt0caVQTNMUPt445wXYD+dFtaKWTwDn1I52oUSrC9vJin1Gsqt+zyKJL5Dg # 3eQXbQNR61DmMy20GLTIO3SFed9Rfi/ophgCLGFLDR3r0KvHjwMb/jYWS0celV/4 # Lz27LfAekm8v9E5IXaeiXbAUYZKK090n4CVl3JBtbN+9DtI9SNu/yjvozW52/u7R # X/Ttpa/KDlpuokZ+Zcbvmtd9ur9gFLvZzh41o9MsE/clQtdaFWGvuo6Jua/ntpgk # ey3E5/vBFe+MJPG6phdnuo6r57ZudCudiI1bAgMBAAGjggGbMIIBlzAOBgNVHQ8B # Af8EBAMCB4AwHwYDVR0lBBgwFgYKKwYBBAGCN0wIAQYIKwYBBQUHAwMwHQYDVR0O # BBYEFH6QuMwqcPG0hQlQ6c5jCtTTLrVeMEUGA1UdEQQ+MDykOjA4MR4wHAYDVQQL # ExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xFjAUBgNVBAUTDTIzMDAxMis1MDc1NTkw # HwYDVR0jBBgwFoAUf1k/VCHarU/vBeXmo9ctBpQSCDEwYAYDVR0fBFkwVzBVoFOg # UYZPaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jcmwvTWljcm9zb2Z0 # JTIwQ29kZSUyMFNpZ25pbmclMjBQQ0ElMjAyMDI0LmNybDBtBggrBgEFBQcBAQRh # MF8wXQYIKwYBBQUHMAKGUWh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMv # Y2VydHMvTWljcm9zb2Z0JTIwQ29kZSUyMFNpZ25pbmclMjBQQ0ElMjAyMDI0LmNy # dDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQBKTbYOjzwTG/DXGaz9 # s6+fQeaTtDcFmMY+5UyVFCyj7Pv+5i37qfX8lSL/tBIfYQfWsMuBQlfZurJD6r4H # VJ2CeH+1fgiq8dcHdVKoZ3Sa2qXoX3cq9iS8cVb06B7+5/XJ7I0OxHH9fDsvJ3T3 # w5V/ZtAIFmLrl+P0CtG+92uzRsn0nTbdFjOkLMLWPLAU3THohKRlSEMgFJpPkm5n # 5UAZ35xX6FWCrDLsSKb555bTifwa8mJBwdlof0bmfYidH+dxZ1FdDxvLnNl9zeKs # A4kejaaIqqIPguhwAti5Ql7BlTNoJNwxCvBmqW2MQLnCkYN/VVUsR3V2x/rcTNzo # Bf/Z/SpROvdaA2ZOOd1uioXJt3tdLQ7vHpqpib0KfWr/FWXW10q38VxfCnRQBqzb # SuztR7nEMuzX7Ck+B/XaPDXd1qh72+QYyB0Z2VzWmO9zsnb9Uq/dwu8LGeQqnyu6 # 7SDGACvnXii2fb9+US492VTnXSnFKyqwgzUyFMtZK1/sHYTv6bG4TtQUygQxTN+Z # V+aJIlKO2MqZ7bKrAnOzS9m6NgoTdWOq11bTOZwKlIEV/EhV9SWkDmdpR/hPPT2v # 6TEj4F8PT/zHjRezIU5c/DGlt/VhY/pK0XkJtEyMmmS1BMtjU/rqBZVMIm3dnxQs # /TBByr+Cf8Z1r7aifQVQ+WSqzjCCBr0wggSloAMCAQICEzMAAAA5O7Y3Gb8GHWcA # AAAAADkwDQYJKoZIhvcNAQEMBQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpX # YXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQg # Q29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRl # IEF1dGhvcml0eSAyMDExMB4XDTI0MDgwODIwNTQxOFoXDTM2MDMyMjIyMTMwNFow # VzELMAkGA1UEBhMCVVMxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEo # MCYGA1UEAxMfTWljcm9zb2Z0IENvZGUgU2lnbmluZyBQQ0EgMjAyNDCCAiIwDQYJ # KoZIhvcNAQEBBQADggIPADCCAgoCggIBANgBnB7jOMeqlRYHNa265v4IY9fH8TKh # emHfPINe1gpLaV3dhg324WwH06LcHbpnsBukCDNitryo0dtS/EW6I/yEL/bLSY8h # KpbfQuWusBPr9qazYcDxCW/qnjb5JsI1s8bNOg3bVATvQVL4tcf03aTycsz8QeCd # M0l/yHRObJ9QqazM1r6VPEOJ7LL+uEEb73w6QCuhs89a1uv1zerOYMnsneRRwCbp # yW11IcggU0cRKDDq1pjVJzIbIF6+oiXXbReOsgeI8zu1FyQfK0fVkaya8SmVHQ/t # Of23mZ4W9k0Ri22QW9p3UgSC5OUDktKxxcCmGL6tXLfOGSWHIIV4YrTJTT6PNty5 # REojHJuZHArkF9VnHTERWoTjAzfI3kP+5b4alUdhgAZ7ttOu1bVnXfHaqPYl2rPs # 20ji03LOVWsh/radgE17es5hL+t6lV0eVHrVhsssROWJuz2MXMCt7iw7lFPG9LXK # Gjsmonn2gotGdHIuEg5JnJMJVmixd5LRlkmgYRZKzhxSCwyoGIq0PhaA7Y+VPct5 # pCHkijcIIDm0nlkK+0KyepolcqGm0T/GYQRMhHJlGOOmVQop36wUVUYklUy++vDW # eEgEo4s7hxN6mIbf2MSIQ/iIfMZgJxC69oukMUXCrOC3SkE/xIkgpfl22MM1itkZ # 35nNXkMolU1lAgMBAAGjggFOMIIBSjAOBgNVHQ8BAf8EBAMCAYYwEAYJKwYBBAGC # NxUBBAMCAQAwHQYDVR0OBBYEFH9ZP1Qh2q1P7wXl5qPXLQaUEggxMBkGCSsGAQQB # gjcUAgQMHgoAUwB1AGIAQwBBMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU # ci06AjGQQ7kUBU7h6qfHMdEjiTQwWgYDVR0fBFMwUTBPoE2gS4ZJaHR0cDovL2Ny # bC5taWNyb3NvZnQuY29tL3BraS9jcmwvcHJvZHVjdHMvTWljUm9vQ2VyQXV0MjAx # MV8yMDExXzAzXzIyLmNybDBeBggrBgEFBQcBAQRSMFAwTgYIKwYBBQUHMAKGQmh0 # dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljUm9vQ2VyQXV0MjAx # MV8yMDExXzAzXzIyLmNydDANBgkqhkiG9w0BAQwFAAOCAgEAFJQfOChP7onn6fLI # MKrSlN1WYKwDFgAddymOUO3FrM8d7B/W/iQ6DxXsDn7D5W4wMwYeLystcEqfkjz4 # NURRgazyMu5yRzQh4LqjA4tStTcJh1opExo7nn5PuPBYnbu0+THSuVHTe0VTTPVh # ily/piFrDo3axQ9P4C+Ol5yet+2gTfekICS5xS+cYfSIvgn0JksVBVMYVI5QFu/q # hnLhsEFEUzG8fvv0hjgkO+lkpV9ty6GkN4vdnd7ya6Q6aR9y34aiM1qmxaxBi6OU # nyNl6fkuun/diTFnYDLTppOkr/mg5WSfCiDVMNCxtj4wPKC5OmHm1DQIt/MNokbb # H3UGsFP1QbzsLocuSqLCvH09Io3fDPTmscR9Y75G4qX7RTX8AdBPo0I6OEojf39z # uFZt0qOHm65YWQE69cZM2ueE1MB05dNNgHK9gTE7zKvK/fg8B2qjW88MT/WF5V5u # vZGtqa9FSL2RazArA+rDPuf6JGYz4HpgMZHB4S6szWSKYBv0VisCzfxgeU+dquXW # 9bd0auYlOB58DPcOYKdc3Se94g+xL4pcEhbB54JOgAkwYTu/9dLeH2pDqeJZAABV # DWRQCaXfO5LgyKwKCLYXpigrZYCjUSBcr+Ve8PFWMhVTQl0v4q8J/AUmQN5W4n10 # 1cY2L4A7GTQG1h32HHAvfQESWP0xghniMIIZ3gIBATBuMFcxCzAJBgNVBAYTAlVT # MR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jv # c29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMjQCEzMAAAIdTRnITtcPV0gAAAAAAh0w # DQYJYIZIAWUDBAIBBQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYK # KwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIJIfcSc+ # UE6T6HT8DyLyIqfZMuiMk4BWMq6MdZSzl/PxMEIGCisGAQQBgjcCAQwxNDAyoBSA # EgBNAGkAYwByAG8AcwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20w # DQYJKoZIhvcNAQEBBQAEggEAXczBpIjWasxYHal9eNbFhNWsAAC01fwTSKF4YnKz # UJWC7aW1ftrQeTxucECZ3EZtlJFP/oLN06JLcD0L4MezezMzrLCVogVUGGKTEhps # 1OhIEnl2J656gPPtjEOyfea2rPmEC210Wrk6HFJEtqYRnQ73vNGsTRmt6jOvCcEO # I3gCvJquf8ODuEqFFRlVcXeBlR5iwW+fP5Fq/PpnDSYWJbFRRG+s/6dZ/MOQRyfH # 8DpI7iDedxUAquNamsNS+cBQJNddSt1XpKmI0IZFZrArV0pHh/xZnn8zfWnOfiLt # wptdHQD65IIRwqPjJz7t01RVW8f7isNwbOEQiomLxjUmN6GCF5QwgheQBgorBgEE # AYI3AwMBMYIXgDCCF3wGCSqGSIb3DQEHAqCCF20wghdpAgEDMQ8wDQYJYIZIAWUD # BAIBBQAwggFSBgsqhkiG9w0BCRABBKCCAUEEggE9MIIBOQIBAQYKKwYBBAGEWQoD # ATAxMA0GCWCGSAFlAwQCAQUABCD6lCDNQCRSr1zvuFeLpSnjsqffV91fKN7yjobz # ghS1tAIGajHVeGpDGBMyMDI2MDcwNzE2NTYzMi4zODVaMASAAgH0oIHRpIHOMIHL # MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVk # bW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQLExxN # aWNyb3NvZnQgQW1lcmljYSBPcGVyYXRpb25zMScwJQYDVQQLEx5uU2hpZWxkIFRT # UyBFU046RjAwMi0wNUUwLUQ5NDcxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0 # YW1wIFNlcnZpY2WgghHqMIIHIDCCBQigAwIBAgITMwAAAiAk4ebgF7m0jgABAAAC # IDANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGlu # Z3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBv # cmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDAe # Fw0yNjAyMTkxOTM5NTJaFw0yNzA1MTcxOTM5NTJaMIHLMQswCQYDVQQGEwJVUzET # MBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMV # TWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1lcmlj # YSBPcGVyYXRpb25zMScwJQYDVQQLEx5uU2hpZWxkIFRTUyBFU046RjAwMi0wNUUw # LUQ5NDcxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2UwggIi # MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDRYY7yr7ijW6CR178uKveIMufu # tWOicxgJwKOce/2GOQceus6ZWfX14i3jNg3JOP7MGJMkOAucwWBwiA8URp+ZYkGj # pVoVkGZsV27WjqLwpf2AwqBsJ/TzqwE7JFFaxup3Ldxj8GjdJymDFRrdVN/pYHoB # FrjD1IkIDu8b1CWn8tgomiKRSY+STvJq99mVkdphMBIUGOegQny8qRd24VME0xi8 # Oomks9Zq9EjDeKHGpvAbXUEQ6m3cROoEPhTE/miweQH9TqJt3IOsqPv3L8urojB7 # 47XBC2y0CDIHlKLcLl3ZG8D7JXKnWTFen3msMPJpcvrQ3zUBVJrH/mI3RxHmCh9p # pDP0uG1+PJwk6H/x+sfoG9hW64xoXkpx6DEfNZNfcXdKbXF28XEXdLNnzo3SLNVy # meQJhNqOSKhnU84QnKmrjEk541JiurlDCkCWO9lUBUMb9x0nyfXUbNRPVLgP+PTM # RdXOowJdYCzCQfN2ZqL0s4YI28F1Dbn7Bgw2E4P1E9unsvMzJHtzhS2Th3TpCfBb # OGalIlF9x/DJZ/ssm/yyzT9YtIFeqmfNxBPTE3aOuh6HxmTICzfYAATvWNhBbo19 # QwsjPeA9JvhqTLC2KUNgrXroGy4eDZo0n7jFYjZkUih1Ty+8E6qEvV2Na6Z5gUyD # 5a+tHGDmq69CmUiHfwIDAQABo4IBSTCCAUUwHQYDVR0OBBYEFNvInOCIhxGA8mY7 # l1g07UHvyNgzMB8GA1UdIwQYMBaAFJ+nFV0AXmJdg/Tl0mWnG1M1GelyMF8GA1Ud # HwRYMFYwVKBSoFCGTmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY3Js # L01pY3Jvc29mdCUyMFRpbWUtU3RhbXAlMjBQQ0ElMjAyMDEwKDEpLmNybDBsBggr # BgEFBQcBAQRgMF4wXAYIKwYBBQUHMAKGUGh0dHA6Ly93d3cubWljcm9zb2Z0LmNv # bS9wa2lvcHMvY2VydHMvTWljcm9zb2Z0JTIwVGltZS1TdGFtcCUyMFBDQSUyMDIw # MTAoMSkuY3J0MAwGA1UdEwEB/wQCMAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwgw # DgYDVR0PAQH/BAQDAgeAMA0GCSqGSIb3DQEBCwUAA4ICAQCtKGBto1BSvm4WFI+J # 0NSyVhU1LHL7F3fbjZ2d7F5Kn/FCTBZXpzrDVl63FLRNcIFpnJy4/nlg43r7T5sJ # Pdo4Ms8ADSHQEJnHSu3x9UpjCzREBPi9+nHhvDgRx/1WmBD6gQUZJLOhcN2TxW4K # JyhinMtiBFtkNRZ2vmZ1MAdNXTm5d0Lwk3wzj+/f7VCCTWCXJSoqNa3VU/6sACHI # 97Evbnzg8bd3hxrfz6CcCVuf77egvRHinthJuwSRePP7aVmcevb1nWUIAICdBebH # QOrzNIeWBIQwvcFaS3SFc+49rqrwQOMFDR4FYBzS7b0QeBVxFuLL2iVu4KAHMNUh # LLSD4iKLDFBNTOtTzTlhGvMgG77A1cjeQrDMHa6oReMDeUDqHUrxv8g7IRdIh+h0 # gDLkzN0xIuzli0Bv7JtybGJbV6JxaDF4CzSCIMRpK59nI6iKo4LgnbQBZJW7+6ak # YsKG/pXPlfxNv2InpD10tSCkCvw9kr6W1+NRN+EuZczRgAwWlcK9XJZ3uu/v/oxH # tO7/kmVIs51F9qV6Y2QNXd6tU46YPrK98m2QDys+lvLNimK0e1xZ7Z1GawKohKGv # lLALWDlZQqgHfJ31CB0LlIDI7iLyYTpd2iyKjqskbQiyMtICH+RmH/oCg7JOK0ZA # 3XIMba9aSWgBF3QZ6pG3EGeQqjCCB3EwggVZoAMCAQICEzMAAAAVxedrngKbSZkA # AAAAABUwDQYJKoZIhvcNAQELBQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpX # YXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQg # Q29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRl # IEF1dGhvcml0eSAyMDEwMB4XDTIxMDkzMDE4MjIyNVoXDTMwMDkzMDE4MzIyNVow # fDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl # ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMd # TWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwggIiMA0GCSqGSIb3DQEBAQUA # A4ICDwAwggIKAoICAQDk4aZM57RyIQt5osvXJHm9DtWC0/3unAcH0qlsTnXIyjVX # 9gF/bErg4r25PhdgM/9cT8dm95VTcVrifkpa/rg2Z4VGIwy1jRPPdzLAEBjoYH1q # UoNEt6aORmsHFPPFdvWGUNzBRMhxXFExN6AKOG6N7dcP2CZTfDlhAnrEqv1yaa8d # q6z2Nr41JmTamDu6GnszrYBbfowQHJ1S/rboYiXcag/PXfT+jlPP1uyFVk3v3byN # pOORj7I5LFGc6XBpDco2LXCOMcg1KL3jtIckw+DJj361VI/c+gVVmG1oO5pGve2k # rnopN6zL64NF50ZuyjLVwIYwXE8s4mKyzbnijYjklqwBSru+cakXW2dg3viSkR4d # Pf0gz3N9QZpGdc3EXzTdEonW/aUgfX782Z5F37ZyL9t9X4C626p+Nuw2TPYrbqgS # Uei/BQOj0XOmTTd0lBw0gg/wEPK3Rxjtp+iZfD9M269ewvPV2HM9Q07BMzlMjgK8 # QmguEOqEUUbi0b1qGFphAXPKZ6Je1yh2AuIzGHLXpyDwwvoSCtdjbwzJNmSLW6Cm # gyFdXzB0kZSU2LlQ+QuJYfM2BjUYhEfb3BvR/bLUHMVr9lxSUV0S2yW6r1AFemzF # ER1y7435UsSFF5PAPBXbGjfHCBUYP3irRbb1Hode2o+eFnJpxq57t7c+auIurQID # AQABo4IB3TCCAdkwEgYJKwYBBAGCNxUBBAUCAwEAATAjBgkrBgEEAYI3FQIEFgQU # KqdS/mTEmr6CkTxGNSnPEP8vBO4wHQYDVR0OBBYEFJ+nFV0AXmJdg/Tl0mWnG1M1 # GelyMFwGA1UdIARVMFMwUQYMKwYBBAGCN0yDfQEBMEEwPwYIKwYBBQUHAgEWM2h0 # dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvRG9jcy9SZXBvc2l0b3J5Lmh0 # bTATBgNVHSUEDDAKBggrBgEFBQcDCDAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMA # QTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTV9lbL # j+iiXGJo0T2UkFvXzpoYxDBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLm1p # Y3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXRfMjAxMC0w # Ni0yMy5jcmwwWgYIKwYBBQUHAQEETjBMMEoGCCsGAQUFBzAChj5odHRwOi8vd3d3 # Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIz # LmNydDANBgkqhkiG9w0BAQsFAAOCAgEAnVV9/Cqt4SwfZwExJFvhnnJL/Klv6lwU # tj5OR2R4sQaTlz0xM7U518JxNj/aZGx80HU5bbsPMeTCj/ts0aGUGCLu6WZnOlNN # 3Zi6th542DYunKmCVgADsAW+iehp4LoJ7nvfam++Kctu2D9IdQHZGN5tggz1bSNU # 5HhTdSRXud2f8449xvNo32X2pFaq95W2KFUn0CS9QKC/GbYSEhFdPSfgQJY4rPf5 # KYnDvBewVIVCs/wMnosZiefwC2qBwoEZQhlSdYo2wh3DYXMuLGt7bj8sCXgU6ZGy # qVvfSaN0DLzskYDSPeZKPmY7T7uG+jIa2Zb0j/aRAfbOxnT99kxybxCrdTDFNLB6 # 2FD+CljdQDzHVG2dY3RILLFORy3BFARxv2T5JL5zbcqOCb2zAVdJVGTZc9d/HltE # AY5aGZFrDZ+kKNxnGSgkujhLmm77IVRrakURR6nxt67I6IleT53S0Ex2tVdUCbFp # AUR+fKFhbHP+CrvsQWY9af3LwUFJfn6Tvsv4O+S3Fb+0zj6lMVGEvL8CwYKiexcd # FYmNcP7ntdAoGokLjzbaukz5m/8K6TT4JDVnK+ANuOaMmdbhIurwJ0I9JZTmdHRb # atGePu1+oDEzfbzL6Xu/OHBE0ZDxyKs6ijoIYn/ZcGNTTY3ugm2lBRDBcQZqELQd # VTNYs6FwZvKhggNNMIICNQIBATCB+aGB0aSBzjCByzELMAkGA1UEBhMCVVMxEzAR # BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p # Y3Jvc29mdCBDb3Jwb3JhdGlvbjElMCMGA1UECxMcTWljcm9zb2Z0IEFtZXJpY2Eg # T3BlcmF0aW9uczEnMCUGA1UECxMeblNoaWVsZCBUU1MgRVNOOkYwMDItMDVFMC1E # OTQ3MSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNloiMKAQEw # BwYFKw4DAhoDFQCTGA9vpsJ6glqCLmI0rggGx4YEEqCBgzCBgKR+MHwxCzAJBgNV # BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4w # HAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29m # dCBUaW1lLVN0YW1wIFBDQSAyMDEwMA0GCSqGSIb3DQEBCwUAAgUA7fdX5TAiGA8y # MDI2MDcwNzEwNDgwNVoYDzIwMjYwNzA4MTA0ODA1WjB0MDoGCisGAQQBhFkKBAEx # LDAqMAoCBQDt91flAgEAMAcCAQACAgjOMAcCAQACAhJYMAoCBQDt+KllAgEAMDYG # CisGAQQBhFkKBAIxKDAmMAwGCisGAQQBhFkKAwKgCjAIAgEAAgMHoSChCjAIAgEA # AgMBhqAwDQYJKoZIhvcNAQELBQADggEBAIItnn82ZLJAB8chijpcUpUYepOJztXG # xYu8K0MwIY5ni5LAI9l7p/g0C/Hhcb7VEPqPxk9sxE9y16iZOpcgjpSNIjp70Fu6 # s9bgDwcLn6XHlSqA/tMHH3ADVPOKGoiaEdBRjOZsh5kKEhgYe6qkZ3kmn0coLkFO # frIGAQ6dulpA+SsoHGQ7yiRxHp4+r5M1M8vm9CfmP7UUdVP71VbnEsTOEg1ppNks # xkVSwQH6iW58x9G2OP0E5bITPy59ylYmlBvKu8n9AMDlfK2ncrwjwLqUPFOgfmjm # nJyI8EFFofHPTzgfHIFc+9WS86DoEN/17hC7Why1B1ZYGdBZxbrbwS4xggQNMIIE # CQIBATCBkzB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4G # A1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYw # JAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMAITMwAAAiAk4ebg # F7m0jgABAAACIDANBglghkgBZQMEAgEFAKCCAUowGgYJKoZIhvcNAQkDMQ0GCyqG # SIb3DQEJEAEEMC8GCSqGSIb3DQEJBDEiBCBIahRY7L9kGkOUCrSWxuzEOkEM6m9C # Wg4pXHlGzV5wFTCB+gYLKoZIhvcNAQkQAi8xgeowgecwgeQwgb0EION7vyOlPA1V # qlEp0QIVGlNd8S5YWBnKj97LuTWHSO2vMIGYMIGApH4wfDELMAkGA1UEBhMCVVMx # EzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoT # FU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUt # U3RhbXAgUENBIDIwMTACEzMAAAIgJOHm4Be5tI4AAQAAAiAwIgQgwsCYxI/pI2aW # iaAN+9Pb5nkfRxx5hu9hvLrEkr4JXqgwDQYJKoZIhvcNAQELBQAEggIAx/FFJube # 38HVqn20Mb+GVHD9oP4Sl803Jiu2ZkBrIQfKxJjoQYqs8woKCIHlJ9SdktXLvzmb # wX/LyMncBHjvFTj2rPxbzjlBPjkM5rMAzNy9GRjk38s2782UnZQ8K2vne9VtbFAD # IHdpmILjT201OWdMNDoLg8rniOM5hXqJxr6ZFCAJrzxyOYlGgVqE8e7SlHd/A9DQ # XUPN5F8C/GG/TiR1wxFvH2ACykWrBBBD0DO3lLJlBSQD6E+TxBIxRKPWTlCgIbUO # z5ARaYRrbnz9JcFxNrEFjz7D63Gy+8v4esdm3HDfFxMFxyePxB6WxfxFZEAV+scw # HDd7Wa7K0o+DseA8lVl+bR1b15/LJ3kUT787QX5WmpJxUgZcjld1c75Cr2fXOruo # bA5Z92UuxZdnJdgGny1L0kKgljftdbAp2/acDDV2ItFvpx5iI+hNUSibB6wLSpFS # c+XXSyz+ezRx4OJJFlKx1940/g23HZV5waJbxJhZiriQ6YGJLGS6SL8tX9Z8+0Lu # G4Jkb7nQikhdM8O0ipD41JNJmptr+B3tnpgdKrBrQP9geyMFhoPJPlxnMn60vk93 # r1+EkbLggq46JqSMOj4naKdvi+R4F6J5rdI/mWOdV6S8apY/nzwYNHupwc5fvHvc # OVXT7qrAmQvpLnX9cvoYwRQ08VXn4Qop/Hc= # SIG # End signature block |