Public/AzStackHci.SSLInspection.ps1

# ///////////////////////////////////////////////////////////////////
# Strict Mode v1 (PS 5.1 safe) - surfaces reads of uninitialised variables at runtime.
Set-StrictMode -Version 1.0

# Test-AzStackHciSSLInspection function
# Used to check for the presence of SSL Inspection on traffic sent to a specified URL
# ///////////////////////////////////////////////////////////////////
function Test-AzStackHciSSLInspection {
    <#
    .SYNOPSIS
    Function to check for the presence of SSL Inspection on traffic sent to a specified URL.
 
    .PARAMETER url
    The URL to test for SSL Inspection
 
    .DESCRIPTION
    Expects Microsoft or DigiCert certificates to be used for SSL/TLS connections to the specified URL.
    If a different certificate is detected, the script will report that SSL Inspection is present.
    Script checks for redirects and follows them to test further URLs if required.
    Returns $true if SSL Inspection is detected, otherwise $false.
    #>


    [CmdletBinding()]
    [OutputType([bool])]
    param (
        [parameter(Mandatory=$true,HelpMessage="The URL to test for SSL Inspection",Position=0)]
        [System.Uri]$url,

        [Parameter(Mandatory=$false, HelpMessage="Optional switch to prevent console output from the function.")]
        [switch]$NoOutput
    )

    begin {
        # Reset SilentMode at entry — ensures clean state even if a prior call threw while -NoOutput was active
        $script:SilentMode = $false

        # Handle -NoOutput: suppress all console output
        if ($NoOutput.IsPresent) {
            $script:SilentMode = $true
            $VerbosePreference = 'SilentlyContinue'
            $DebugPreference = 'SilentlyContinue'
        }

        # Save the caller's $ErrorActionPreference so we can restore it in end {}.
        # Without this, the 'Stop' preference leaks to the caller's session (C-001).
        $OldErrorActionPreference = $ErrorActionPreference
        $ErrorActionPreference = "Stop"

        Write-HostAzS "`n`t///////////////////////////////////////////////"
        Write-HostAzS "`t Basic SSL Inspection Test for Azure Stack HCI"
        Write-HostAzS "`t///////////////////////////////////////////////`n"

        [bool]$RedirectsComplete = $false
        [bool]$SSLInspectionDetected = $false
        [int]$redirectCount = 0

        Write-HostAzS "Starting SSL Inspection Tests`n"

        Write-HostAzS "Date/Time = $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
        Write-HostAzS "Performing test from hostname: $($env:COMPUTERNAME)`n"
    }

    process {

        try {
        do {
            $redirectCount++
            if ($redirectCount -gt $script:HTTP_MAX_REDIRECTS) {
                Write-HostAzS "Error: Maximum redirect limit ($($script:HTTP_MAX_REDIRECTS)) exceeded. Aborting SSL inspection test." -ForegroundColor Red
                $RedirectsComplete = $true
                break
            }
            $Request = $null
            $Response = $null
            $Request = [System.Net.HttpWebRequest]::Create($url)
            $Request.Method = "GET"
            $Request.AllowAutoRedirect = $False
            $Request.Proxy = [System.Net.WebRequest]::DefaultWebProxy
            Write-HostAzS "Testing SSL/TLS Certificate for endpoint: '$($Request.Address.AbsoluteUri)'"
            try {
                [System.Net.HttpWebResponse]$Response = $Request.GetResponse()    
            }
            catch {
                Write-HostAzS "Error: $($_.Exception.Message)"
                # Make the null-result explicit: the typed assignment above throws before
                # binding, so $Response stays $null and the later `if ($Response)` guard skips it.
                $Response = $null
            }
            try {
            # Check if the certificate subject contains "O=Microsoft" as most SSL inspection appliances will replace the certificate with their own
            if(($Request.ServicePoint.Certificate.Subject).Contains("O=Microsoft")){
                Write-HostAzS -ForegroundColor Green "Expected Certificate Subject Found: `nSubject = $($Request.ServicePoint.Certificate.Subject)"
            } else {
                $SSLInspectionDetected = $true
                Write-HostAzS -ForegroundColor Red "UNKNOWN Certificate Subject Found: `nSubject = '$($Request.ServicePoint.Certificate.Subject)'"
                Write-HostAzS -ForegroundColor Yellow "`tNote: Expected Certificate Contains Subject = 'O=Microsoft'"
            }
            # Check if the certificate issuer contains "O=Microsoft Corporation" or "O=DigiCert Inc" as most SSL inspection appliances will replace the certificate with their own
            if(($Request.ServicePoint.Certificate.Issuer).Contains("O=Microsoft Corporation") -or (($Request.ServicePoint.Certificate.Issuer).Contains("O=DigiCert Inc"))){
                Write-HostAzS -ForegroundColor Green "Expected Certificate Issuer Found: `nCertificate Issuer = $($Request.ServicePoint.Certificate.Issuer)"
            } else {
                $SSLInspectionDetected = $true
                Write-HostAzS -ForegroundColor Red "UNKNOWN Certificate Issuer Found: `nCertificate Issuer = '$($Request.ServicePoint.Certificate.Issuer)'"
                Write-HostAzS -ForegroundColor Yellow "`tNote: Expected Certificate Contains Issuer = 'O=Microsoft Corporation' or 'O=DigiCert Inc'"
            }

            # Root CA thumbprint validation: build the certificate chain and verify the root
            # against a known list of trusted Microsoft/DigiCert root CA thumbprints.
            # This provides a stronger check than string matching alone — a sophisticated
            # MITM could spoof Issuer/Subject strings but not root CA thumbprints.
            try {
                $cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Request.ServicePoint.Certificate)
                $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
                $null = $chain.Build($cert2)
                if ($chain.ChainElements.Count -eq 0) {
                    Write-HostAzS -ForegroundColor Yellow "Warning: Certificate chain is empty — unable to validate root CA thumbprint."
                    throw "Certificate chain contains no elements"
                }
                $rootCert = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
                if ($script:TRUSTED_ROOT_CA_THUMBPRINTS -contains $rootCert.Thumbprint) {
                    Write-HostAzS -ForegroundColor Green "Root CA Thumbprint Verified: $($rootCert.Thumbprint) ($($rootCert.Subject))"
                } else {
                    $SSLInspectionDetected = $true
                    Write-HostAzS -ForegroundColor Red "UNKNOWN Root CA Thumbprint: $($rootCert.Thumbprint)"
                    Write-HostAzS -ForegroundColor Red "Root CA Subject: $($rootCert.Subject)"
                    Write-HostAzS -ForegroundColor Yellow "`tNote: Root CA thumbprint does not match any known Microsoft/DigiCert root CAs"
                }
            } catch {
                Write-HostAzS -ForegroundColor Yellow "Warning: Unable to build certificate chain for root CA thumbprint validation: $($_.Exception.Message)"
            }

            # If $Response exists, check if for any redirects to further test required URLs
            if($Response){
                if(-not([string]::IsNullOrWhiteSpace($Response.Headers["Location"]))){
                    Write-HostAzS "Checking Redirected URL, as 'HTTP StatusCode = $($Response.StatusCode)'"
                    $url = $Response.Headers["Location"]
                } else {
                    # No redirects found
                    $RedirectsComplete = $true
                }
            } else {
                # No response found, unable to determine if redirects are required
                $RedirectsComplete = $true
            }
            } finally {
                # Ensure the response is always closed/disposed to prevent socket leaks
                if ($Response) { $Response.Close(); $Response = $null }
            }
            Write-HostAzS ""

        } while (
            $RedirectsComplete -ne $true
        ) # End of do..while loop for redirects
        
        # Note: this test uses both string matching AND root CA thumbprint verification.
        # String matching checks Subject/Issuer for known Microsoft/DigiCert organizations.
        # Thumbprint matching validates the root certificate against known trusted root CA thumbprints
        # from $script:TRUSTED_ROOT_CA_THUMBPRINTS (defined in AzStackHci.Constants.ps1).
        Write-HostAzS -ForegroundColor Yellow "Note: This test verifies certificates by matching Subject/Issuer strings and root CA thumbprints."
        Write-HostAzS -ForegroundColor Yellow "It is not intended to be an exhaustive certificate validity test.`n"

        if($SSLInspectionDetected -eq $true){
            Write-HostAzS -ForegroundColor Red "SSL Inspection Detected!`nCheck your network / proxy server configuration for SSL Inspection - https://learn.microsoft.com/en-us/azure-stack/hci/concepts/firewall-requirements`n"
        } else {
            Write-HostAzS -ForegroundColor Green "No SSL Inspection Detected :-)`n"
        }
        } finally {
            # Restore caller's $ErrorActionPreference even if an exception terminates process {} (C-001)
            $ErrorActionPreference = $OldErrorActionPreference
        }

    } # End of process block

    end {
        if ($NoOutput.IsPresent) { $script:SilentMode = $false }
        Write-HostAzS "SSL Inspection Tests Complete`n"
        # Write-Debug "Completed Test-AzStackHciSSLInspection function"
        return $SSLInspectionDetected
    }

} # End of Test-AzStackHciSSLInspection function

# SIG # Begin signature block
# MIInRQYJKoZIhvcNAQcCoIInNjCCJzICAQExDzANBglghkgBZQMEAgEFADB5Bgor
# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCBr2hBZCTvPjwiL
# Y9jm7618JTqt7ZrtTzhLqiftudHiuKCCDLowggX1MIID3aADAgECAhMzAAACHU0Z
# yE7XD1dIAAAAAAIdMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNVBAYTAlVTMR4wHAYD
# VQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBD
# b2RlIFNpZ25pbmcgUENBIDIwMjQwHhcNMjYwNDE2MTg1OTQzWhcNMjcwNDE1MTg1
# OTQzWjB0MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE
# BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYD
# VQQDExVNaWNyb3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IB
# DwAwggEKAoIBAQDQvewXxx9gZZFC6Ys1WBay8BJ8kGA4JQnH5CMafqOASlTpK9H8
# o5ZXTXt0caVQTNMUPt445wXYD+dFtaKWTwDn1I52oUSrC9vJin1Gsqt+zyKJL5Dg
# 3eQXbQNR61DmMy20GLTIO3SFed9Rfi/ophgCLGFLDR3r0KvHjwMb/jYWS0celV/4
# Lz27LfAekm8v9E5IXaeiXbAUYZKK090n4CVl3JBtbN+9DtI9SNu/yjvozW52/u7R
# X/Ttpa/KDlpuokZ+Zcbvmtd9ur9gFLvZzh41o9MsE/clQtdaFWGvuo6Jua/ntpgk
# ey3E5/vBFe+MJPG6phdnuo6r57ZudCudiI1bAgMBAAGjggGbMIIBlzAOBgNVHQ8B
# Af8EBAMCB4AwHwYDVR0lBBgwFgYKKwYBBAGCN0wIAQYIKwYBBQUHAwMwHQYDVR0O
# BBYEFH6QuMwqcPG0hQlQ6c5jCtTTLrVeMEUGA1UdEQQ+MDykOjA4MR4wHAYDVQQL
# ExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xFjAUBgNVBAUTDTIzMDAxMis1MDc1NTkw
# HwYDVR0jBBgwFoAUf1k/VCHarU/vBeXmo9ctBpQSCDEwYAYDVR0fBFkwVzBVoFOg
# UYZPaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jcmwvTWljcm9zb2Z0
# JTIwQ29kZSUyMFNpZ25pbmclMjBQQ0ElMjAyMDI0LmNybDBtBggrBgEFBQcBAQRh
# MF8wXQYIKwYBBQUHMAKGUWh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMv
# Y2VydHMvTWljcm9zb2Z0JTIwQ29kZSUyMFNpZ25pbmclMjBQQ0ElMjAyMDI0LmNy
# dDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQBKTbYOjzwTG/DXGaz9
# s6+fQeaTtDcFmMY+5UyVFCyj7Pv+5i37qfX8lSL/tBIfYQfWsMuBQlfZurJD6r4H
# VJ2CeH+1fgiq8dcHdVKoZ3Sa2qXoX3cq9iS8cVb06B7+5/XJ7I0OxHH9fDsvJ3T3
# w5V/ZtAIFmLrl+P0CtG+92uzRsn0nTbdFjOkLMLWPLAU3THohKRlSEMgFJpPkm5n
# 5UAZ35xX6FWCrDLsSKb555bTifwa8mJBwdlof0bmfYidH+dxZ1FdDxvLnNl9zeKs
# A4kejaaIqqIPguhwAti5Ql7BlTNoJNwxCvBmqW2MQLnCkYN/VVUsR3V2x/rcTNzo
# Bf/Z/SpROvdaA2ZOOd1uioXJt3tdLQ7vHpqpib0KfWr/FWXW10q38VxfCnRQBqzb
# SuztR7nEMuzX7Ck+B/XaPDXd1qh72+QYyB0Z2VzWmO9zsnb9Uq/dwu8LGeQqnyu6
# 7SDGACvnXii2fb9+US492VTnXSnFKyqwgzUyFMtZK1/sHYTv6bG4TtQUygQxTN+Z
# V+aJIlKO2MqZ7bKrAnOzS9m6NgoTdWOq11bTOZwKlIEV/EhV9SWkDmdpR/hPPT2v
# 6TEj4F8PT/zHjRezIU5c/DGlt/VhY/pK0XkJtEyMmmS1BMtjU/rqBZVMIm3dnxQs
# /TBByr+Cf8Z1r7aifQVQ+WSqzjCCBr0wggSloAMCAQICEzMAAAA5O7Y3Gb8GHWcA
# AAAAADkwDQYJKoZIhvcNAQEMBQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpX
# YXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQg
# Q29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRl
# IEF1dGhvcml0eSAyMDExMB4XDTI0MDgwODIwNTQxOFoXDTM2MDMyMjIyMTMwNFow
# VzELMAkGA1UEBhMCVVMxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEo
# MCYGA1UEAxMfTWljcm9zb2Z0IENvZGUgU2lnbmluZyBQQ0EgMjAyNDCCAiIwDQYJ
# KoZIhvcNAQEBBQADggIPADCCAgoCggIBANgBnB7jOMeqlRYHNa265v4IY9fH8TKh
# emHfPINe1gpLaV3dhg324WwH06LcHbpnsBukCDNitryo0dtS/EW6I/yEL/bLSY8h
# KpbfQuWusBPr9qazYcDxCW/qnjb5JsI1s8bNOg3bVATvQVL4tcf03aTycsz8QeCd
# M0l/yHRObJ9QqazM1r6VPEOJ7LL+uEEb73w6QCuhs89a1uv1zerOYMnsneRRwCbp
# yW11IcggU0cRKDDq1pjVJzIbIF6+oiXXbReOsgeI8zu1FyQfK0fVkaya8SmVHQ/t
# Of23mZ4W9k0Ri22QW9p3UgSC5OUDktKxxcCmGL6tXLfOGSWHIIV4YrTJTT6PNty5
# REojHJuZHArkF9VnHTERWoTjAzfI3kP+5b4alUdhgAZ7ttOu1bVnXfHaqPYl2rPs
# 20ji03LOVWsh/radgE17es5hL+t6lV0eVHrVhsssROWJuz2MXMCt7iw7lFPG9LXK
# Gjsmonn2gotGdHIuEg5JnJMJVmixd5LRlkmgYRZKzhxSCwyoGIq0PhaA7Y+VPct5
# pCHkijcIIDm0nlkK+0KyepolcqGm0T/GYQRMhHJlGOOmVQop36wUVUYklUy++vDW
# eEgEo4s7hxN6mIbf2MSIQ/iIfMZgJxC69oukMUXCrOC3SkE/xIkgpfl22MM1itkZ
# 35nNXkMolU1lAgMBAAGjggFOMIIBSjAOBgNVHQ8BAf8EBAMCAYYwEAYJKwYBBAGC
# NxUBBAMCAQAwHQYDVR0OBBYEFH9ZP1Qh2q1P7wXl5qPXLQaUEggxMBkGCSsGAQQB
# gjcUAgQMHgoAUwB1AGIAQwBBMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU
# ci06AjGQQ7kUBU7h6qfHMdEjiTQwWgYDVR0fBFMwUTBPoE2gS4ZJaHR0cDovL2Ny
# bC5taWNyb3NvZnQuY29tL3BraS9jcmwvcHJvZHVjdHMvTWljUm9vQ2VyQXV0MjAx
# MV8yMDExXzAzXzIyLmNybDBeBggrBgEFBQcBAQRSMFAwTgYIKwYBBQUHMAKGQmh0
# dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljUm9vQ2VyQXV0MjAx
# MV8yMDExXzAzXzIyLmNydDANBgkqhkiG9w0BAQwFAAOCAgEAFJQfOChP7onn6fLI
# MKrSlN1WYKwDFgAddymOUO3FrM8d7B/W/iQ6DxXsDn7D5W4wMwYeLystcEqfkjz4
# NURRgazyMu5yRzQh4LqjA4tStTcJh1opExo7nn5PuPBYnbu0+THSuVHTe0VTTPVh
# ily/piFrDo3axQ9P4C+Ol5yet+2gTfekICS5xS+cYfSIvgn0JksVBVMYVI5QFu/q
# hnLhsEFEUzG8fvv0hjgkO+lkpV9ty6GkN4vdnd7ya6Q6aR9y34aiM1qmxaxBi6OU
# nyNl6fkuun/diTFnYDLTppOkr/mg5WSfCiDVMNCxtj4wPKC5OmHm1DQIt/MNokbb
# H3UGsFP1QbzsLocuSqLCvH09Io3fDPTmscR9Y75G4qX7RTX8AdBPo0I6OEojf39z
# uFZt0qOHm65YWQE69cZM2ueE1MB05dNNgHK9gTE7zKvK/fg8B2qjW88MT/WF5V5u
# vZGtqa9FSL2RazArA+rDPuf6JGYz4HpgMZHB4S6szWSKYBv0VisCzfxgeU+dquXW
# 9bd0auYlOB58DPcOYKdc3Se94g+xL4pcEhbB54JOgAkwYTu/9dLeH2pDqeJZAABV
# DWRQCaXfO5LgyKwKCLYXpigrZYCjUSBcr+Ve8PFWMhVTQl0v4q8J/AUmQN5W4n10
# 1cY2L4A7GTQG1h32HHAvfQESWP0xghnhMIIZ3QIBATBuMFcxCzAJBgNVBAYTAlVT
# MR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jv
# c29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMjQCEzMAAAIdTRnITtcPV0gAAAAAAh0w
# DQYJYIZIAWUDBAIBBQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYK
# KwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIF16awt+
# mfCEgTZS6suceyO8VQOeyrhHpBhkM4FAOcjBMEIGCisGAQQBgjcCAQwxNDAyoBSA
# EgBNAGkAYwByAG8AcwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20w
# DQYJKoZIhvcNAQEBBQAEggEAi1pg53DCyz2mtFxEdzZxPb/0QWfWnUWBWpmhEyhG
# IMfa26xDP2zvsC3pGInzJjpCljSW4k8DF4ksdp+YJ1c/pmSWRn0SwhFd0DeWYwY0
# Bmf8349pY9DZZefCvZ1ddYjidUjgSXRCz6i7FYKl+LVbtPFE4JRWliVmCJDOm2Gh
# KQZyPtsk46UfGaWQdW/Y04D702A9VWLSmcdFyKXjfcT8sA5z4tte7QCfsJ7oTs8m
# rlVIdIEPkF83Y+4RGWJy5bk5i++rnE/T/sotkfOSMyaGmd9WeR5uW5ZqwMhSm0GK
# 1BUkBfjlnPO+mR5VaKpXtBxqOHHAkvFMbcg9RXI1cys8xKGCF5MwghePBgorBgEE
# AYI3AwMBMYIXfzCCF3sGCSqGSIb3DQEHAqCCF2wwghdoAgEDMQ8wDQYJYIZIAWUD
# BAIBBQAwggFRBgsqhkiG9w0BCRABBKCCAUAEggE8MIIBOAIBAQYKKwYBBAGEWQoD
# ATAxMA0GCWCGSAFlAwQCAQUABCDOm7dlGztiNcHJWpWCKCb5tQRr+quLBBWNWk9g
# YnD7WwIGajzCfWrlGBIyMDI2MDcwNzE2NTYzMC42N1owBIACAfSggdGkgc4wgcsx
# CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt
# b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNVBAsTHE1p
# Y3Jvc29mdCBBbWVyaWNhIE9wZXJhdGlvbnMxJzAlBgNVBAsTHm5TaGllbGQgVFNT
# IEVTTjpFMDAyLTA1RTAtRDk0NzElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3Rh
# bXAgU2VydmljZaCCEeowggcgMIIFCKADAgECAhMzAAACKQ7VZCq0l/IaAAEAAAIp
# MA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5n
# dG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9y
# YXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwMB4X
# DTI2MDIxOTE5NDAwN1oXDTI3MDUxNzE5NDAwN1owgcsxCzAJBgNVBAYTAlVTMRMw
# EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN
# aWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVyaWNh
# IE9wZXJhdGlvbnMxJzAlBgNVBAsTHm5TaGllbGQgVFNTIEVTTjpFMDAyLTA1RTAt
# RDk0NzElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2VydmljZTCCAiIw
# DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ4i0WrjPWgJhKZRmalgOxslYS77
# 7Vttz8zPs9rcjRlfkQ435aKsHQW+caXIVFTKXM7lMldl9TxAU85T3k/VjU5nwn6q
# 4Dkb4BZIE6v/jyxyXSz1EGmqBMyr+VvKoHPgIya9VHZB68CBWnhrWFuY6b0bthZ7
# Lrw3kXmtINhXTAyWDgjLxhG4WBE3Z4GlVe30i8VoWYGdAtl+jbYpncvw9YQdSFdT
# l0s5JmhN+qpD8H515bnoAIyeceM/Fm76zMeFkwtSsxZOCz0nsKfwO16VwqP1oz7R
# mru2RIMcKvCjp4JJ/DdyWS1dFGt2axxxqXxEIOI0UWBmzKnAXZoYAXqSDjX5CX62
# Femc4xQfiY8IAllanTMNajCwr9ijmMcvWlP8CBsvcWgDLhxuE4jg9vV5AUb6NPuy
# RLYX9v5kAJQDUQNnzfQr4G7TLD4WlIbLy2l3WzOTdxRiMinMgbjPegU2aJIk3xh0
# 13hIewRHkOSzlvGIpum+Z+s4Df2NNvsRbZNPvJJaAkhJ+9N7O4uZCxNVLM2y9qlW
# UeETbMGoPDjT2e862K0IVueGFc19q3Nvb4Z/a1fazpgFrXnUIL/z56Ym+96BdtY2
# 53Ni3xwVGibQ9n58lGGEF91KoKqvxB44YnxViWbEVerHVJ0NKRMJKCmyyQapnCH/
# q6YDWDgvvN4YE2eBAgMBAAGjggFJMIIBRTAdBgNVHQ4EFgQUJ01FpIv0BbxC9pDb
# VaNEBco3gzswHwYDVR0jBBgwFoAUn6cVXQBeYl2D9OXSZacbUzUZ6XIwXwYDVR0f
# BFgwVjBUoFKgUIZOaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jcmwv
# TWljcm9zb2Z0JTIwVGltZS1TdGFtcCUyMFBDQSUyMDIwMTAoMSkuY3JsMGwGCCsG
# AQUFBwEBBGAwXjBcBggrBgEFBQcwAoZQaHR0cDovL3d3dy5taWNyb3NvZnQuY29t
# L3BraW9wcy9jZXJ0cy9NaWNyb3NvZnQlMjBUaW1lLVN0YW1wJTIwUENBJTIwMjAx
# MCgxKS5jcnQwDAYDVR0TAQH/BAIwADAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDAO
# BgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggIBAD3BzvaV/9zMOGnT1Pc8
# YAw5CHGX/HTiOkTu3f0V6pBKfZSnoNXOGDCfMKpjc0iEu1Rpat3s3G+uFkNxr4nj
# HO+tFA08d5FCmclV4ezJO7neBMGVQHVNEjo6dm38BWZH2gwn80E6oH535I5vw/Hr
# NGBHCTrawWQ6QHmWKD8MydgR5H9qZb0d2jy9dwqZpr8NtI4AdJ19kW36Koxl82WQ
# Q6fvX9EApM2/hCmr/YWFyMwyZKQiGyEF0FUHRWOaTAV+FVR/lNO4sn2wNHgTIK85
# kncHqDsjDpaNDHJyPCR/OxUxOl+6wnlLB04cvzIY9Zk54+PBrwhJdazqSJUr/pLT
# 8lVvUunGnJgpERCOdT/k55wq3Y5eUd3AVZmvACL3xE9lroQTFxv8sYt/XS00eO7V
# 5OWiFjSPM1lDQEOBK4xmAxT7wQSO0xAwgOeU8YRQ43ssdccfQovQUDTU8RZVkquv
# 8tQ664NM0XPDnjcU8yniCQIgWUp1G5yJHUhc6T5ex7quP20kViBWf7jgEei7ZdB7
# lFffR5/cBBZrSbHIYOonMaxXdfn5s1B4xXzyJa6Uk+rmyCcYb078fX8cfgew71ko
# Zf9asmlCYW5CtM5Hj1eO95oLTFoWYaw2D5GFu0PmpOSf4hIO/DQgn8T9Vc13P/Ja
# CiXqvnTuFPywAy6meGQXa7DUMIIHcTCCBVmgAwIBAgITMwAAABXF52ueAptJmQAA
# AAAAFTANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldh
# c2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBD
# b3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUg
# QXV0aG9yaXR5IDIwMTAwHhcNMjEwOTMwMTgyMjI1WhcNMzAwOTMwMTgzMjI1WjB8
# MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVk
# bW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1N
# aWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDCCAiIwDQYJKoZIhvcNAQEBBQAD
# ggIPADCCAgoCggIBAOThpkzntHIhC3miy9ckeb0O1YLT/e6cBwfSqWxOdcjKNVf2
# AX9sSuDivbk+F2Az/1xPx2b3lVNxWuJ+Slr+uDZnhUYjDLWNE893MsAQGOhgfWpS
# g0S3po5GawcU88V29YZQ3MFEyHFcUTE3oAo4bo3t1w/YJlN8OWECesSq/XJprx2r
# rPY2vjUmZNqYO7oaezOtgFt+jBAcnVL+tuhiJdxqD89d9P6OU8/W7IVWTe/dvI2k
# 45GPsjksUZzpcGkNyjYtcI4xyDUoveO0hyTD4MmPfrVUj9z6BVWYbWg7mka97aSu
# eik3rMvrg0XnRm7KMtXAhjBcTyziYrLNueKNiOSWrAFKu75xqRdbZ2De+JKRHh09
# /SDPc31BmkZ1zcRfNN0Sidb9pSB9fvzZnkXftnIv231fgLrbqn427DZM9ituqBJR
# 6L8FA6PRc6ZNN3SUHDSCD/AQ8rdHGO2n6Jl8P0zbr17C89XYcz1DTsEzOUyOArxC
# aC4Q6oRRRuLRvWoYWmEBc8pnol7XKHYC4jMYctenIPDC+hIK12NvDMk2ZItboKaD
# IV1fMHSRlJTYuVD5C4lh8zYGNRiER9vcG9H9stQcxWv2XFJRXRLbJbqvUAV6bMUR
# HXLvjflSxIUXk8A8FdsaN8cIFRg/eKtFtvUeh17aj54WcmnGrnu3tz5q4i6tAgMB
# AAGjggHdMIIB2TASBgkrBgEEAYI3FQEEBQIDAQABMCMGCSsGAQQBgjcVAgQWBBQq
# p1L+ZMSavoKRPEY1Kc8Q/y8E7jAdBgNVHQ4EFgQUn6cVXQBeYl2D9OXSZacbUzUZ
# 6XIwXAYDVR0gBFUwUzBRBgwrBgEEAYI3TIN9AQEwQTA/BggrBgEFBQcCARYzaHR0
# cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9Eb2NzL1JlcG9zaXRvcnkuaHRt
# MBMGA1UdJQQMMAoGCCsGAQUFBwMIMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBB
# MAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNX2VsuP
# 6KJcYmjRPZSQW9fOmhjEMFYGA1UdHwRPME0wS6BJoEeGRWh0dHA6Ly9jcmwubWlj
# cm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dF8yMDEwLTA2
# LTIzLmNybDBaBggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAKGPmh0dHA6Ly93d3cu
# bWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljUm9vQ2VyQXV0XzIwMTAtMDYtMjMu
# Y3J0MA0GCSqGSIb3DQEBCwUAA4ICAQCdVX38Kq3hLB9nATEkW+Geckv8qW/qXBS2
# Pk5HZHixBpOXPTEztTnXwnE2P9pkbHzQdTltuw8x5MKP+2zRoZQYIu7pZmc6U03d
# mLq2HnjYNi6cqYJWAAOwBb6J6Gngugnue99qb74py27YP0h1AdkY3m2CDPVtI1Tk
# eFN1JFe53Z/zjj3G82jfZfakVqr3lbYoVSfQJL1AoL8ZthISEV09J+BAljis9/kp
# icO8F7BUhUKz/AyeixmJ5/ALaoHCgRlCGVJ1ijbCHcNhcy4sa3tuPywJeBTpkbKp
# W99Jo3QMvOyRgNI95ko+ZjtPu4b6MhrZlvSP9pEB9s7GdP32THJvEKt1MMU0sHrY
# UP4KWN1APMdUbZ1jdEgssU5HLcEUBHG/ZPkkvnNtyo4JvbMBV0lUZNlz138eW0QB
# jloZkWsNn6Qo3GcZKCS6OEuabvshVGtqRRFHqfG3rsjoiV5PndLQTHa1V1QJsWkB
# RH58oWFsc/4Ku+xBZj1p/cvBQUl+fpO+y/g75LcVv7TOPqUxUYS8vwLBgqJ7Fx0V
# iY1w/ue10CgaiQuPNtq6TPmb/wrpNPgkNWcr4A245oyZ1uEi6vAnQj0llOZ0dFtq
# 0Z4+7X6gMTN9vMvpe784cETRkPHIqzqKOghif9lwY1NNje6CbaUFEMFxBmoQtB1V
# M1izoXBm8qGCA00wggI1AgEBMIH5oYHRpIHOMIHLMQswCQYDVQQGEwJVUzETMBEG
# A1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWlj
# cm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1lcmljYSBP
# cGVyYXRpb25zMScwJQYDVQQLEx5uU2hpZWxkIFRTUyBFU046RTAwMi0wNUUwLUQ5
# NDcxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2WiIwoBATAH
# BgUrDgMCGgMVALe/2JI7bbGhvtnE3l1cISr70i//oIGDMIGApH4wfDELMAkGA1UE
# BhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAc
# BgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0
# IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQELBQACBQDt9xFcMCIYDzIw
# MjYwNzA3MDU0NzA4WhgPMjAyNjA3MDgwNTQ3MDhaMHQwOgYKKwYBBAGEWQoEATEs
# MCowCgIFAO33EVwCAQAwBwIBAAICJX8wBwIBAAICGYEwCgIFAO34YtwCAQAwNgYK
# KwYBBAGEWQoEAjEoMCYwDAYKKwYBBAGEWQoDAqAKMAgCAQACAwehIKEKMAgCAQAC
# AwGGoDANBgkqhkiG9w0BAQsFAAOCAQEAHB/eKavZx5aLlasTBhsJMYXBtGTn7wOd
# rHs/MdTwHLMkznBGAlbsq6p19apCG4yQFUe56Hm6IAO6jXkuCV0THyPSWZw6qzwe
# xuaiNslEsSbLu4mq97lJr66pbwZN4EnZ22cwgmeobwyxR8tcIWEuz96/4Fl2d/kE
# S3ghbsyu8nsrEOAB/etcTdCk04W45NGSPyiNK/eMJx9fecjNWmVEQAtRX/2+uFv/
# DH23cgpHJFILxic2MgA+5ZqwVF+R0M6oJ8UN4GALNeIfNWXs/pH3XUKuw2hngEnS
# sMth0e2x6Gk+SUt5fuWgz/dNYpDAI45Kfewjtt6Vj4A0ErC2gBp1fjGCBA0wggQJ
# AgEBMIGTMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYD
# VQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAk
# BgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAACKQ7VZCq0
# l/IaAAEAAAIpMA0GCWCGSAFlAwQCAQUAoIIBSjAaBgkqhkiG9w0BCQMxDQYLKoZI
# hvcNAQkQAQQwLwYJKoZIhvcNAQkEMSIEIMPOUjIPqj5b7erB3bgVuH3jWhbF+VLD
# IoUg5ntL94I3MIH6BgsqhkiG9w0BCRACLzGB6jCB5zCB5DCBvQQgt8o98SK28P+V
# K8S6bGo+SR44S2CSYoURUy56X2g6upIwgZgwgYCkfjB8MQswCQYDVQQGEwJVUzET
# MBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMV
# TWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1T
# dGFtcCBQQ0EgMjAxMAITMwAAAikO1WQqtJfyGgABAAACKTAiBCAzwnXs3+c2XFEx
# 8IymQO3onLa8jqnFRKDG8AdYCVGVHTANBgkqhkiG9w0BAQsFAASCAgAKrtvhAeF8
# HcZZIwYE6pn9X3y7194Z+VD/u+hbMmOsBF5cjerr6kaK7IkYyvMVk6uVMx3yunxG
# CMv5x0Iw+hKw4Ty2H9H+l8C3aKO55efjBPHjGfnCbxyfxuuTDi8tDXVh86WknLpi
# F0aHNUgRlEkjTqUbG07GG077diGxgKVm5zOfjvQOe4AByE8xn2y8i5P7TH3RXJRr
# 3R4t+OL9c7tyI4+WNFU5YNM71jBwg0eTi2nDSavKoRZcznu3lfPcqfmBuMzfIHDf
# rXc2j4/FOSbLZ7wj5VmFa3BxBicApcZPG5E2wyjs9yYPd8ek6PJNpD1tiHXedUlj
# 84rv8ysuHICqPTxnEjUvm5eA7jaAjH/MNz00Po5wtH+04/oAgAuvHSnKOU0SM0Bj
# +u1F5ohbENGnT5I8iOuybebvw2Kv6chWbRF2wbPiRrqUbSRai1VSXeCWttcEhNT0
# VeP7HXJ9xAzy5evTy8j+Cy9JnNGn7J/J/kANjyK3u/i6ec+iorLqXJ0ovHtI6h0n
# klBCwlKUbBovJ/X5leL5XMN02h7mws9gzaold1Z5lkXIhZFPa3ao9nG0vRw7Q4d+
# rRaNrpZ9pKXNfTUhSjLgBSefjRfwhjNcJtO5DpSk1RkGOLkBq7edVRYWGrTGvbn+
# ukc/XvcuXoep9Lw+YP52aVbvDWMCQtqHgg==
# SIG # End signature block