Public/AzStackHci.SSLInspection.ps1
|
# /////////////////////////////////////////////////////////////////// # Strict Mode v1 (PS 5.1 safe) - surfaces reads of uninitialised variables at runtime. Set-StrictMode -Version 1.0 # Test-AzStackHciSSLInspection function # Used to check for the presence of SSL Inspection on traffic sent to a specified URL # /////////////////////////////////////////////////////////////////// function Test-AzStackHciSSLInspection { <# .SYNOPSIS Function to check for the presence of SSL Inspection on traffic sent to a specified URL. .PARAMETER url The URL to test for SSL Inspection .DESCRIPTION Expects Microsoft or DigiCert certificates to be used for SSL/TLS connections to the specified URL. If a different certificate is detected, the script will report that SSL Inspection is present. Script checks for redirects and follows them to test further URLs if required. Returns $true if SSL Inspection is detected, otherwise $false. #> [CmdletBinding()] [OutputType([bool])] param ( [parameter(Mandatory=$true,HelpMessage="The URL to test for SSL Inspection",Position=0)] [System.Uri]$url, [Parameter(Mandatory=$false, HelpMessage="Optional switch to prevent console output from the function.")] [switch]$NoOutput ) begin { # Reset SilentMode at entry — ensures clean state even if a prior call threw while -NoOutput was active $script:SilentMode = $false # Handle -NoOutput: suppress all console output if ($NoOutput.IsPresent) { $script:SilentMode = $true $VerbosePreference = 'SilentlyContinue' $DebugPreference = 'SilentlyContinue' } # Save the caller's $ErrorActionPreference so we can restore it in end {}. # Without this, the 'Stop' preference leaks to the caller's session (C-001). $OldErrorActionPreference = $ErrorActionPreference $ErrorActionPreference = "Stop" Write-HostAzS "`n`t///////////////////////////////////////////////" Write-HostAzS "`t Basic SSL Inspection Test for Azure Stack HCI" Write-HostAzS "`t///////////////////////////////////////////////`n" [bool]$RedirectsComplete = $false [bool]$SSLInspectionDetected = $false [int]$redirectCount = 0 Write-HostAzS "Starting SSL Inspection Tests`n" Write-HostAzS "Date/Time = $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')" Write-HostAzS "Performing test from hostname: $($env:COMPUTERNAME)`n" } process { try { do { $redirectCount++ if ($redirectCount -gt $script:HTTP_MAX_REDIRECTS) { Write-HostAzS "Error: Maximum redirect limit ($($script:HTTP_MAX_REDIRECTS)) exceeded. Aborting SSL inspection test." -ForegroundColor Red $RedirectsComplete = $true break } $Request = $null $Response = $null $Request = [System.Net.HttpWebRequest]::Create($url) $Request.Method = "GET" $Request.AllowAutoRedirect = $False $Request.Proxy = [System.Net.WebRequest]::DefaultWebProxy Write-HostAzS "Testing SSL/TLS Certificate for endpoint: '$($Request.Address.AbsoluteUri)'" try { [System.Net.HttpWebResponse]$Response = $Request.GetResponse() } catch { Write-HostAzS "Error: $($_.Exception.Message)" # Make the null-result explicit: the typed assignment above throws before # binding, so $Response stays $null and the later `if ($Response)` guard skips it. $Response = $null } try { # Check if the certificate subject contains "O=Microsoft" as most SSL inspection appliances will replace the certificate with their own if(($Request.ServicePoint.Certificate.Subject).Contains("O=Microsoft")){ Write-HostAzS -ForegroundColor Green "Expected Certificate Subject Found: `nSubject = $($Request.ServicePoint.Certificate.Subject)" } else { $SSLInspectionDetected = $true Write-HostAzS -ForegroundColor Red "UNKNOWN Certificate Subject Found: `nSubject = '$($Request.ServicePoint.Certificate.Subject)'" Write-HostAzS -ForegroundColor Yellow "`tNote: Expected Certificate Contains Subject = 'O=Microsoft'" } # Check if the certificate issuer contains "O=Microsoft Corporation" or "O=DigiCert Inc" as most SSL inspection appliances will replace the certificate with their own if(($Request.ServicePoint.Certificate.Issuer).Contains("O=Microsoft Corporation") -or (($Request.ServicePoint.Certificate.Issuer).Contains("O=DigiCert Inc"))){ Write-HostAzS -ForegroundColor Green "Expected Certificate Issuer Found: `nCertificate Issuer = $($Request.ServicePoint.Certificate.Issuer)" } else { $SSLInspectionDetected = $true Write-HostAzS -ForegroundColor Red "UNKNOWN Certificate Issuer Found: `nCertificate Issuer = '$($Request.ServicePoint.Certificate.Issuer)'" Write-HostAzS -ForegroundColor Yellow "`tNote: Expected Certificate Contains Issuer = 'O=Microsoft Corporation' or 'O=DigiCert Inc'" } # Root CA thumbprint validation: build the certificate chain and verify the root # against a known list of trusted Microsoft/DigiCert root CA thumbprints. # This provides a stronger check than string matching alone — a sophisticated # MITM could spoof Issuer/Subject strings but not root CA thumbprints. try { $cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Request.ServicePoint.Certificate) $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain $null = $chain.Build($cert2) if ($chain.ChainElements.Count -eq 0) { Write-HostAzS -ForegroundColor Yellow "Warning: Certificate chain is empty — unable to validate root CA thumbprint." throw "Certificate chain contains no elements" } $rootCert = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate if ($script:TRUSTED_ROOT_CA_THUMBPRINTS -contains $rootCert.Thumbprint) { Write-HostAzS -ForegroundColor Green "Root CA Thumbprint Verified: $($rootCert.Thumbprint) ($($rootCert.Subject))" } else { $SSLInspectionDetected = $true Write-HostAzS -ForegroundColor Red "UNKNOWN Root CA Thumbprint: $($rootCert.Thumbprint)" Write-HostAzS -ForegroundColor Red "Root CA Subject: $($rootCert.Subject)" Write-HostAzS -ForegroundColor Yellow "`tNote: Root CA thumbprint does not match any known Microsoft/DigiCert root CAs" } } catch { Write-HostAzS -ForegroundColor Yellow "Warning: Unable to build certificate chain for root CA thumbprint validation: $($_.Exception.Message)" } # If $Response exists, check if for any redirects to further test required URLs if($Response){ if(-not([string]::IsNullOrWhiteSpace($Response.Headers["Location"]))){ Write-HostAzS "Checking Redirected URL, as 'HTTP StatusCode = $($Response.StatusCode)'" $url = $Response.Headers["Location"] } else { # No redirects found $RedirectsComplete = $true } } else { # No response found, unable to determine if redirects are required $RedirectsComplete = $true } } finally { # Ensure the response is always closed/disposed to prevent socket leaks if ($Response) { $Response.Close(); $Response = $null } } Write-HostAzS "" } while ( $RedirectsComplete -ne $true ) # End of do..while loop for redirects # Note: this test uses both string matching AND root CA thumbprint verification. # String matching checks Subject/Issuer for known Microsoft/DigiCert organizations. # Thumbprint matching validates the root certificate against known trusted root CA thumbprints # from $script:TRUSTED_ROOT_CA_THUMBPRINTS (defined in AzStackHci.Constants.ps1). Write-HostAzS -ForegroundColor Yellow "Note: This test verifies certificates by matching Subject/Issuer strings and root CA thumbprints." Write-HostAzS -ForegroundColor Yellow "It is not intended to be an exhaustive certificate validity test.`n" if($SSLInspectionDetected -eq $true){ Write-HostAzS -ForegroundColor Red "SSL Inspection Detected!`nCheck your network / proxy server configuration for SSL Inspection - https://learn.microsoft.com/en-us/azure-stack/hci/concepts/firewall-requirements`n" } else { Write-HostAzS -ForegroundColor Green "No SSL Inspection Detected :-)`n" } } finally { # Restore caller's $ErrorActionPreference even if an exception terminates process {} (C-001) $ErrorActionPreference = $OldErrorActionPreference } } # End of process block end { if ($NoOutput.IsPresent) { $script:SilentMode = $false } Write-HostAzS "SSL Inspection Tests Complete`n" # Write-Debug "Completed Test-AzStackHciSSLInspection function" return $SSLInspectionDetected } } # End of Test-AzStackHciSSLInspection function # SIG # Begin signature block # MIInRQYJKoZIhvcNAQcCoIInNjCCJzICAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCBr2hBZCTvPjwiL # Y9jm7618JTqt7ZrtTzhLqiftudHiuKCCDLowggX1MIID3aADAgECAhMzAAACHU0Z # yE7XD1dIAAAAAAIdMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNVBAYTAlVTMR4wHAYD # VQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBD # b2RlIFNpZ25pbmcgUENBIDIwMjQwHhcNMjYwNDE2MTg1OTQzWhcNMjcwNDE1MTg1 # OTQzWjB0MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE # BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYD # VQQDExVNaWNyb3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IB # DwAwggEKAoIBAQDQvewXxx9gZZFC6Ys1WBay8BJ8kGA4JQnH5CMafqOASlTpK9H8 # o5ZXTXt0caVQTNMUPt445wXYD+dFtaKWTwDn1I52oUSrC9vJin1Gsqt+zyKJL5Dg # 3eQXbQNR61DmMy20GLTIO3SFed9Rfi/ophgCLGFLDR3r0KvHjwMb/jYWS0celV/4 # Lz27LfAekm8v9E5IXaeiXbAUYZKK090n4CVl3JBtbN+9DtI9SNu/yjvozW52/u7R # X/Ttpa/KDlpuokZ+Zcbvmtd9ur9gFLvZzh41o9MsE/clQtdaFWGvuo6Jua/ntpgk # ey3E5/vBFe+MJPG6phdnuo6r57ZudCudiI1bAgMBAAGjggGbMIIBlzAOBgNVHQ8B # Af8EBAMCB4AwHwYDVR0lBBgwFgYKKwYBBAGCN0wIAQYIKwYBBQUHAwMwHQYDVR0O # BBYEFH6QuMwqcPG0hQlQ6c5jCtTTLrVeMEUGA1UdEQQ+MDykOjA4MR4wHAYDVQQL # ExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xFjAUBgNVBAUTDTIzMDAxMis1MDc1NTkw # HwYDVR0jBBgwFoAUf1k/VCHarU/vBeXmo9ctBpQSCDEwYAYDVR0fBFkwVzBVoFOg # UYZPaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jcmwvTWljcm9zb2Z0 # JTIwQ29kZSUyMFNpZ25pbmclMjBQQ0ElMjAyMDI0LmNybDBtBggrBgEFBQcBAQRh # MF8wXQYIKwYBBQUHMAKGUWh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMv # Y2VydHMvTWljcm9zb2Z0JTIwQ29kZSUyMFNpZ25pbmclMjBQQ0ElMjAyMDI0LmNy # dDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQBKTbYOjzwTG/DXGaz9 # s6+fQeaTtDcFmMY+5UyVFCyj7Pv+5i37qfX8lSL/tBIfYQfWsMuBQlfZurJD6r4H # VJ2CeH+1fgiq8dcHdVKoZ3Sa2qXoX3cq9iS8cVb06B7+5/XJ7I0OxHH9fDsvJ3T3 # w5V/ZtAIFmLrl+P0CtG+92uzRsn0nTbdFjOkLMLWPLAU3THohKRlSEMgFJpPkm5n # 5UAZ35xX6FWCrDLsSKb555bTifwa8mJBwdlof0bmfYidH+dxZ1FdDxvLnNl9zeKs # A4kejaaIqqIPguhwAti5Ql7BlTNoJNwxCvBmqW2MQLnCkYN/VVUsR3V2x/rcTNzo # Bf/Z/SpROvdaA2ZOOd1uioXJt3tdLQ7vHpqpib0KfWr/FWXW10q38VxfCnRQBqzb # SuztR7nEMuzX7Ck+B/XaPDXd1qh72+QYyB0Z2VzWmO9zsnb9Uq/dwu8LGeQqnyu6 # 7SDGACvnXii2fb9+US492VTnXSnFKyqwgzUyFMtZK1/sHYTv6bG4TtQUygQxTN+Z # V+aJIlKO2MqZ7bKrAnOzS9m6NgoTdWOq11bTOZwKlIEV/EhV9SWkDmdpR/hPPT2v # 6TEj4F8PT/zHjRezIU5c/DGlt/VhY/pK0XkJtEyMmmS1BMtjU/rqBZVMIm3dnxQs # /TBByr+Cf8Z1r7aifQVQ+WSqzjCCBr0wggSloAMCAQICEzMAAAA5O7Y3Gb8GHWcA # AAAAADkwDQYJKoZIhvcNAQEMBQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpX # YXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQg # Q29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRl # IEF1dGhvcml0eSAyMDExMB4XDTI0MDgwODIwNTQxOFoXDTM2MDMyMjIyMTMwNFow # VzELMAkGA1UEBhMCVVMxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEo # MCYGA1UEAxMfTWljcm9zb2Z0IENvZGUgU2lnbmluZyBQQ0EgMjAyNDCCAiIwDQYJ # KoZIhvcNAQEBBQADggIPADCCAgoCggIBANgBnB7jOMeqlRYHNa265v4IY9fH8TKh # emHfPINe1gpLaV3dhg324WwH06LcHbpnsBukCDNitryo0dtS/EW6I/yEL/bLSY8h # KpbfQuWusBPr9qazYcDxCW/qnjb5JsI1s8bNOg3bVATvQVL4tcf03aTycsz8QeCd # M0l/yHRObJ9QqazM1r6VPEOJ7LL+uEEb73w6QCuhs89a1uv1zerOYMnsneRRwCbp # yW11IcggU0cRKDDq1pjVJzIbIF6+oiXXbReOsgeI8zu1FyQfK0fVkaya8SmVHQ/t # Of23mZ4W9k0Ri22QW9p3UgSC5OUDktKxxcCmGL6tXLfOGSWHIIV4YrTJTT6PNty5 # REojHJuZHArkF9VnHTERWoTjAzfI3kP+5b4alUdhgAZ7ttOu1bVnXfHaqPYl2rPs # 20ji03LOVWsh/radgE17es5hL+t6lV0eVHrVhsssROWJuz2MXMCt7iw7lFPG9LXK # Gjsmonn2gotGdHIuEg5JnJMJVmixd5LRlkmgYRZKzhxSCwyoGIq0PhaA7Y+VPct5 # pCHkijcIIDm0nlkK+0KyepolcqGm0T/GYQRMhHJlGOOmVQop36wUVUYklUy++vDW # eEgEo4s7hxN6mIbf2MSIQ/iIfMZgJxC69oukMUXCrOC3SkE/xIkgpfl22MM1itkZ # 35nNXkMolU1lAgMBAAGjggFOMIIBSjAOBgNVHQ8BAf8EBAMCAYYwEAYJKwYBBAGC # NxUBBAMCAQAwHQYDVR0OBBYEFH9ZP1Qh2q1P7wXl5qPXLQaUEggxMBkGCSsGAQQB # gjcUAgQMHgoAUwB1AGIAQwBBMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU # ci06AjGQQ7kUBU7h6qfHMdEjiTQwWgYDVR0fBFMwUTBPoE2gS4ZJaHR0cDovL2Ny # bC5taWNyb3NvZnQuY29tL3BraS9jcmwvcHJvZHVjdHMvTWljUm9vQ2VyQXV0MjAx # MV8yMDExXzAzXzIyLmNybDBeBggrBgEFBQcBAQRSMFAwTgYIKwYBBQUHMAKGQmh0 # dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljUm9vQ2VyQXV0MjAx # MV8yMDExXzAzXzIyLmNydDANBgkqhkiG9w0BAQwFAAOCAgEAFJQfOChP7onn6fLI # MKrSlN1WYKwDFgAddymOUO3FrM8d7B/W/iQ6DxXsDn7D5W4wMwYeLystcEqfkjz4 # NURRgazyMu5yRzQh4LqjA4tStTcJh1opExo7nn5PuPBYnbu0+THSuVHTe0VTTPVh # ily/piFrDo3axQ9P4C+Ol5yet+2gTfekICS5xS+cYfSIvgn0JksVBVMYVI5QFu/q # hnLhsEFEUzG8fvv0hjgkO+lkpV9ty6GkN4vdnd7ya6Q6aR9y34aiM1qmxaxBi6OU # nyNl6fkuun/diTFnYDLTppOkr/mg5WSfCiDVMNCxtj4wPKC5OmHm1DQIt/MNokbb # H3UGsFP1QbzsLocuSqLCvH09Io3fDPTmscR9Y75G4qX7RTX8AdBPo0I6OEojf39z # uFZt0qOHm65YWQE69cZM2ueE1MB05dNNgHK9gTE7zKvK/fg8B2qjW88MT/WF5V5u # vZGtqa9FSL2RazArA+rDPuf6JGYz4HpgMZHB4S6szWSKYBv0VisCzfxgeU+dquXW # 9bd0auYlOB58DPcOYKdc3Se94g+xL4pcEhbB54JOgAkwYTu/9dLeH2pDqeJZAABV # DWRQCaXfO5LgyKwKCLYXpigrZYCjUSBcr+Ve8PFWMhVTQl0v4q8J/AUmQN5W4n10 # 1cY2L4A7GTQG1h32HHAvfQESWP0xghnhMIIZ3QIBATBuMFcxCzAJBgNVBAYTAlVT # MR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jv # c29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMjQCEzMAAAIdTRnITtcPV0gAAAAAAh0w # DQYJYIZIAWUDBAIBBQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYK # KwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIF16awt+ # mfCEgTZS6suceyO8VQOeyrhHpBhkM4FAOcjBMEIGCisGAQQBgjcCAQwxNDAyoBSA # EgBNAGkAYwByAG8AcwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20w # DQYJKoZIhvcNAQEBBQAEggEAi1pg53DCyz2mtFxEdzZxPb/0QWfWnUWBWpmhEyhG # IMfa26xDP2zvsC3pGInzJjpCljSW4k8DF4ksdp+YJ1c/pmSWRn0SwhFd0DeWYwY0 # Bmf8349pY9DZZefCvZ1ddYjidUjgSXRCz6i7FYKl+LVbtPFE4JRWliVmCJDOm2Gh # KQZyPtsk46UfGaWQdW/Y04D702A9VWLSmcdFyKXjfcT8sA5z4tte7QCfsJ7oTs8m # rlVIdIEPkF83Y+4RGWJy5bk5i++rnE/T/sotkfOSMyaGmd9WeR5uW5ZqwMhSm0GK # 1BUkBfjlnPO+mR5VaKpXtBxqOHHAkvFMbcg9RXI1cys8xKGCF5MwghePBgorBgEE # AYI3AwMBMYIXfzCCF3sGCSqGSIb3DQEHAqCCF2wwghdoAgEDMQ8wDQYJYIZIAWUD # BAIBBQAwggFRBgsqhkiG9w0BCRABBKCCAUAEggE8MIIBOAIBAQYKKwYBBAGEWQoD # ATAxMA0GCWCGSAFlAwQCAQUABCDOm7dlGztiNcHJWpWCKCb5tQRr+quLBBWNWk9g # YnD7WwIGajzCfWrlGBIyMDI2MDcwNzE2NTYzMC42N1owBIACAfSggdGkgc4wgcsx # CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt # b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNVBAsTHE1p # Y3Jvc29mdCBBbWVyaWNhIE9wZXJhdGlvbnMxJzAlBgNVBAsTHm5TaGllbGQgVFNT # IEVTTjpFMDAyLTA1RTAtRDk0NzElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3Rh # bXAgU2VydmljZaCCEeowggcgMIIFCKADAgECAhMzAAACKQ7VZCq0l/IaAAEAAAIp # MA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5n # dG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9y # YXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwMB4X # DTI2MDIxOTE5NDAwN1oXDTI3MDUxNzE5NDAwN1owgcsxCzAJBgNVBAYTAlVTMRMw # EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN # aWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVyaWNh # IE9wZXJhdGlvbnMxJzAlBgNVBAsTHm5TaGllbGQgVFNTIEVTTjpFMDAyLTA1RTAt # RDk0NzElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2VydmljZTCCAiIw # DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ4i0WrjPWgJhKZRmalgOxslYS77 # 7Vttz8zPs9rcjRlfkQ435aKsHQW+caXIVFTKXM7lMldl9TxAU85T3k/VjU5nwn6q # 4Dkb4BZIE6v/jyxyXSz1EGmqBMyr+VvKoHPgIya9VHZB68CBWnhrWFuY6b0bthZ7 # Lrw3kXmtINhXTAyWDgjLxhG4WBE3Z4GlVe30i8VoWYGdAtl+jbYpncvw9YQdSFdT # l0s5JmhN+qpD8H515bnoAIyeceM/Fm76zMeFkwtSsxZOCz0nsKfwO16VwqP1oz7R # mru2RIMcKvCjp4JJ/DdyWS1dFGt2axxxqXxEIOI0UWBmzKnAXZoYAXqSDjX5CX62 # Femc4xQfiY8IAllanTMNajCwr9ijmMcvWlP8CBsvcWgDLhxuE4jg9vV5AUb6NPuy # RLYX9v5kAJQDUQNnzfQr4G7TLD4WlIbLy2l3WzOTdxRiMinMgbjPegU2aJIk3xh0 # 13hIewRHkOSzlvGIpum+Z+s4Df2NNvsRbZNPvJJaAkhJ+9N7O4uZCxNVLM2y9qlW # UeETbMGoPDjT2e862K0IVueGFc19q3Nvb4Z/a1fazpgFrXnUIL/z56Ym+96BdtY2 # 53Ni3xwVGibQ9n58lGGEF91KoKqvxB44YnxViWbEVerHVJ0NKRMJKCmyyQapnCH/ # q6YDWDgvvN4YE2eBAgMBAAGjggFJMIIBRTAdBgNVHQ4EFgQUJ01FpIv0BbxC9pDb # VaNEBco3gzswHwYDVR0jBBgwFoAUn6cVXQBeYl2D9OXSZacbUzUZ6XIwXwYDVR0f # BFgwVjBUoFKgUIZOaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jcmwv # TWljcm9zb2Z0JTIwVGltZS1TdGFtcCUyMFBDQSUyMDIwMTAoMSkuY3JsMGwGCCsG # AQUFBwEBBGAwXjBcBggrBgEFBQcwAoZQaHR0cDovL3d3dy5taWNyb3NvZnQuY29t # L3BraW9wcy9jZXJ0cy9NaWNyb3NvZnQlMjBUaW1lLVN0YW1wJTIwUENBJTIwMjAx # MCgxKS5jcnQwDAYDVR0TAQH/BAIwADAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDAO # BgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggIBAD3BzvaV/9zMOGnT1Pc8 # YAw5CHGX/HTiOkTu3f0V6pBKfZSnoNXOGDCfMKpjc0iEu1Rpat3s3G+uFkNxr4nj # HO+tFA08d5FCmclV4ezJO7neBMGVQHVNEjo6dm38BWZH2gwn80E6oH535I5vw/Hr # NGBHCTrawWQ6QHmWKD8MydgR5H9qZb0d2jy9dwqZpr8NtI4AdJ19kW36Koxl82WQ # Q6fvX9EApM2/hCmr/YWFyMwyZKQiGyEF0FUHRWOaTAV+FVR/lNO4sn2wNHgTIK85 # kncHqDsjDpaNDHJyPCR/OxUxOl+6wnlLB04cvzIY9Zk54+PBrwhJdazqSJUr/pLT # 8lVvUunGnJgpERCOdT/k55wq3Y5eUd3AVZmvACL3xE9lroQTFxv8sYt/XS00eO7V # 5OWiFjSPM1lDQEOBK4xmAxT7wQSO0xAwgOeU8YRQ43ssdccfQovQUDTU8RZVkquv # 8tQ664NM0XPDnjcU8yniCQIgWUp1G5yJHUhc6T5ex7quP20kViBWf7jgEei7ZdB7 # lFffR5/cBBZrSbHIYOonMaxXdfn5s1B4xXzyJa6Uk+rmyCcYb078fX8cfgew71ko # Zf9asmlCYW5CtM5Hj1eO95oLTFoWYaw2D5GFu0PmpOSf4hIO/DQgn8T9Vc13P/Ja # CiXqvnTuFPywAy6meGQXa7DUMIIHcTCCBVmgAwIBAgITMwAAABXF52ueAptJmQAA # AAAAFTANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldh # c2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBD # b3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUg # QXV0aG9yaXR5IDIwMTAwHhcNMjEwOTMwMTgyMjI1WhcNMzAwOTMwMTgzMjI1WjB8 # MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVk # bW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1N # aWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDCCAiIwDQYJKoZIhvcNAQEBBQAD # ggIPADCCAgoCggIBAOThpkzntHIhC3miy9ckeb0O1YLT/e6cBwfSqWxOdcjKNVf2 # AX9sSuDivbk+F2Az/1xPx2b3lVNxWuJ+Slr+uDZnhUYjDLWNE893MsAQGOhgfWpS # g0S3po5GawcU88V29YZQ3MFEyHFcUTE3oAo4bo3t1w/YJlN8OWECesSq/XJprx2r # rPY2vjUmZNqYO7oaezOtgFt+jBAcnVL+tuhiJdxqD89d9P6OU8/W7IVWTe/dvI2k # 45GPsjksUZzpcGkNyjYtcI4xyDUoveO0hyTD4MmPfrVUj9z6BVWYbWg7mka97aSu # eik3rMvrg0XnRm7KMtXAhjBcTyziYrLNueKNiOSWrAFKu75xqRdbZ2De+JKRHh09 # /SDPc31BmkZ1zcRfNN0Sidb9pSB9fvzZnkXftnIv231fgLrbqn427DZM9ituqBJR # 6L8FA6PRc6ZNN3SUHDSCD/AQ8rdHGO2n6Jl8P0zbr17C89XYcz1DTsEzOUyOArxC # aC4Q6oRRRuLRvWoYWmEBc8pnol7XKHYC4jMYctenIPDC+hIK12NvDMk2ZItboKaD # IV1fMHSRlJTYuVD5C4lh8zYGNRiER9vcG9H9stQcxWv2XFJRXRLbJbqvUAV6bMUR # HXLvjflSxIUXk8A8FdsaN8cIFRg/eKtFtvUeh17aj54WcmnGrnu3tz5q4i6tAgMB # AAGjggHdMIIB2TASBgkrBgEEAYI3FQEEBQIDAQABMCMGCSsGAQQBgjcVAgQWBBQq # p1L+ZMSavoKRPEY1Kc8Q/y8E7jAdBgNVHQ4EFgQUn6cVXQBeYl2D9OXSZacbUzUZ # 6XIwXAYDVR0gBFUwUzBRBgwrBgEEAYI3TIN9AQEwQTA/BggrBgEFBQcCARYzaHR0 # cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9Eb2NzL1JlcG9zaXRvcnkuaHRt # MBMGA1UdJQQMMAoGCCsGAQUFBwMIMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBB # MAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNX2VsuP # 6KJcYmjRPZSQW9fOmhjEMFYGA1UdHwRPME0wS6BJoEeGRWh0dHA6Ly9jcmwubWlj # cm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dF8yMDEwLTA2 # LTIzLmNybDBaBggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAKGPmh0dHA6Ly93d3cu # bWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljUm9vQ2VyQXV0XzIwMTAtMDYtMjMu # Y3J0MA0GCSqGSIb3DQEBCwUAA4ICAQCdVX38Kq3hLB9nATEkW+Geckv8qW/qXBS2 # Pk5HZHixBpOXPTEztTnXwnE2P9pkbHzQdTltuw8x5MKP+2zRoZQYIu7pZmc6U03d # mLq2HnjYNi6cqYJWAAOwBb6J6Gngugnue99qb74py27YP0h1AdkY3m2CDPVtI1Tk # eFN1JFe53Z/zjj3G82jfZfakVqr3lbYoVSfQJL1AoL8ZthISEV09J+BAljis9/kp # icO8F7BUhUKz/AyeixmJ5/ALaoHCgRlCGVJ1ijbCHcNhcy4sa3tuPywJeBTpkbKp # W99Jo3QMvOyRgNI95ko+ZjtPu4b6MhrZlvSP9pEB9s7GdP32THJvEKt1MMU0sHrY # UP4KWN1APMdUbZ1jdEgssU5HLcEUBHG/ZPkkvnNtyo4JvbMBV0lUZNlz138eW0QB # jloZkWsNn6Qo3GcZKCS6OEuabvshVGtqRRFHqfG3rsjoiV5PndLQTHa1V1QJsWkB # RH58oWFsc/4Ku+xBZj1p/cvBQUl+fpO+y/g75LcVv7TOPqUxUYS8vwLBgqJ7Fx0V # iY1w/ue10CgaiQuPNtq6TPmb/wrpNPgkNWcr4A245oyZ1uEi6vAnQj0llOZ0dFtq # 0Z4+7X6gMTN9vMvpe784cETRkPHIqzqKOghif9lwY1NNje6CbaUFEMFxBmoQtB1V # M1izoXBm8qGCA00wggI1AgEBMIH5oYHRpIHOMIHLMQswCQYDVQQGEwJVUzETMBEG # A1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWlj # cm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1lcmljYSBP # cGVyYXRpb25zMScwJQYDVQQLEx5uU2hpZWxkIFRTUyBFU046RTAwMi0wNUUwLUQ5 # NDcxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2WiIwoBATAH # BgUrDgMCGgMVALe/2JI7bbGhvtnE3l1cISr70i//oIGDMIGApH4wfDELMAkGA1UE # BhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAc # BgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0 # IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQELBQACBQDt9xFcMCIYDzIw # MjYwNzA3MDU0NzA4WhgPMjAyNjA3MDgwNTQ3MDhaMHQwOgYKKwYBBAGEWQoEATEs # MCowCgIFAO33EVwCAQAwBwIBAAICJX8wBwIBAAICGYEwCgIFAO34YtwCAQAwNgYK # KwYBBAGEWQoEAjEoMCYwDAYKKwYBBAGEWQoDAqAKMAgCAQACAwehIKEKMAgCAQAC # AwGGoDANBgkqhkiG9w0BAQsFAAOCAQEAHB/eKavZx5aLlasTBhsJMYXBtGTn7wOd # rHs/MdTwHLMkznBGAlbsq6p19apCG4yQFUe56Hm6IAO6jXkuCV0THyPSWZw6qzwe # xuaiNslEsSbLu4mq97lJr66pbwZN4EnZ22cwgmeobwyxR8tcIWEuz96/4Fl2d/kE # S3ghbsyu8nsrEOAB/etcTdCk04W45NGSPyiNK/eMJx9fecjNWmVEQAtRX/2+uFv/ # DH23cgpHJFILxic2MgA+5ZqwVF+R0M6oJ8UN4GALNeIfNWXs/pH3XUKuw2hngEnS # sMth0e2x6Gk+SUt5fuWgz/dNYpDAI45Kfewjtt6Vj4A0ErC2gBp1fjGCBA0wggQJ # AgEBMIGTMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYD # VQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAk # BgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAACKQ7VZCq0 # l/IaAAEAAAIpMA0GCWCGSAFlAwQCAQUAoIIBSjAaBgkqhkiG9w0BCQMxDQYLKoZI # hvcNAQkQAQQwLwYJKoZIhvcNAQkEMSIEIMPOUjIPqj5b7erB3bgVuH3jWhbF+VLD # IoUg5ntL94I3MIH6BgsqhkiG9w0BCRACLzGB6jCB5zCB5DCBvQQgt8o98SK28P+V # K8S6bGo+SR44S2CSYoURUy56X2g6upIwgZgwgYCkfjB8MQswCQYDVQQGEwJVUzET # MBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMV # TWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1T # dGFtcCBQQ0EgMjAxMAITMwAAAikO1WQqtJfyGgABAAACKTAiBCAzwnXs3+c2XFEx # 8IymQO3onLa8jqnFRKDG8AdYCVGVHTANBgkqhkiG9w0BAQsFAASCAgAKrtvhAeF8 # HcZZIwYE6pn9X3y7194Z+VD/u+hbMmOsBF5cjerr6kaK7IkYyvMVk6uVMx3yunxG # CMv5x0Iw+hKw4Ty2H9H+l8C3aKO55efjBPHjGfnCbxyfxuuTDi8tDXVh86WknLpi # F0aHNUgRlEkjTqUbG07GG077diGxgKVm5zOfjvQOe4AByE8xn2y8i5P7TH3RXJRr # 3R4t+OL9c7tyI4+WNFU5YNM71jBwg0eTi2nDSavKoRZcznu3lfPcqfmBuMzfIHDf # rXc2j4/FOSbLZ7wj5VmFa3BxBicApcZPG5E2wyjs9yYPd8ek6PJNpD1tiHXedUlj # 84rv8ysuHICqPTxnEjUvm5eA7jaAjH/MNz00Po5wtH+04/oAgAuvHSnKOU0SM0Bj # +u1F5ohbENGnT5I8iOuybebvw2Kv6chWbRF2wbPiRrqUbSRai1VSXeCWttcEhNT0 # VeP7HXJ9xAzy5evTy8j+Cy9JnNGn7J/J/kANjyK3u/i6ec+iorLqXJ0ovHtI6h0n # klBCwlKUbBovJ/X5leL5XMN02h7mws9gzaold1Z5lkXIhZFPa3ao9nG0vRw7Q4d+ # rRaNrpZ9pKXNfTUhSjLgBSefjRfwhjNcJtO5DpSk1RkGOLkBq7edVRYWGrTGvbn+ # ukc/XvcuXoep9Lw+YP52aVbvDWMCQtqHgg== # SIG # End signature block |