public/Set-StgClientCertificate.ps1

function Set-StgClientCertificate {
    <#
    .SYNOPSIS
        Check, configure, and verify site SSL settings for vulnerability 76809, 76851, & 76861.
 
    .DESCRIPTION
        Check, configure, and verify site SSL settings for vulnerability 76809, 76851, & 76861.
 
        Protecting the confidentiality and integrity of received information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPsec tunnel. The web server must utilize approved encryption when receiving transmitted data.
 
    .PARAMETER ComputerName
        The target server.
 
    .PARAMETER Credential
        Login to the target computer using alternative credentials.
 
    .PARAMETER EnableException
        By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
        This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
        Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.
 
    .NOTES
        Tags: V-76809, V-76851, V-76861
        Author: Chrissy LeMaire (@cl), netnerds.net
        Copyright: (c) 2020 by Chrissy LeMaire, licensed under MIT
        License: MIT https://opensource.org/licenses/MIT
        Caution: Setting Client Certificates to Required breaks SolarWinds.
 
    .EXAMPLE
        PS C:\> Set-StgClientCertificate -ComputerName web01
 
        Updates specific setting to be compliant on web01
 
    .EXAMPLE
        PS C:\> Set-StgClientCertificate -ComputerName web01 -Credential ad\webadmin
 
        Logs into web01 as ad\webadmin and updates the necessary setting
 
#>

    [CmdletBinding()]
    param (
        [parameter(Mandatory, ValueFromPipeline)]
        [PSFComputer[]]$ComputerName,
        [PSCredential]$Credential,
        [switch]$EnableException
    )
    begin {
        . "$script:ModuleRoot\private\Set-Defaults.ps1"
        $scriptblock = {
            $webnames = (Get-Website).Name
            foreach ($webname in $webnames) {
                #Pre-configuration SSL values for sites
                $filterpath = "system.webserver/security/access"
                Start-Process -FilePath "$env:windir\system32\inetsrv\appcmd.exe" -ArgumentList "unlock", "config", "-section:$filterpath" -Wait
                $preflags = Get-WebConfigurationProperty -Location $webname -Filter $filterpath -Name SSLFlags

                if ($preflags -ne "Ssl,SslNegotiateCert,SslRequireCert" -or $preflags -ne "Ssl,SslNegotiateCert" -or $preflags -ne "Ssl,SslNegotiateCert,Ssl128" -or $preflags -ne "Ssl,SslNegotiateCert,SslRequireCert,Ssl128") {
                    #Set SSL requirements
                    $null = Set-WebConfiguration -Location $webname -Filter "system.webserver/security/access" -Value "Ssl,SslNegotiateCert,Ssl128"
                }

                #Post-configuration SSL values
                $postflags = Get-WebConfigurationProperty -Location $webname -Filter "system.webserver/security/access" -Name SSLFlags

                #Pre-configuration data results
                $preconfig = @(
                    if ($preflags -eq "Ssl" ) {
                        "SSL: Required | Client Certificates: Ignore"
                    } elseif ($preflags -eq "Ssl,SslNegotiateCert" ) {
                        "SSL: Required | Client Certificates: Accept"
                    } elseif ($preflags -eq "Ssl,SslRequireCert" ) {
                        "SSL: Required | Client Certificates: Require"
                    } elseif ($preflags -eq "Ssl,Ssl128" ) {
                        "SSL: Required | Client Certificates: Ignore | SSL: 128"
                    } elseif ($preflags -eq "Ssl,SslNegotiateCert,SslRequireCert" ) {
                        "SSL: Required | Client Certificates: Require"
                    } elseif ($preflags -eq "Ssl,SslNegotiateCert,Ssl128" ) {
                        "SSL: Required | Client Certificates: Accept | SSL: 128"
                    } elseif ($preflags -eq "Ssl,SslRequireCert,Ssl128" -or $preflags -eq "Ssl,SslNegotiateCert,SslRequireCert,Ssl128") {
                        "SSL: Required | Client Certificates: Require | SSL: 128"
                    } elseif ($preflags -eq "SslNegotiateCert" ) {
                        "SSL: Not Required | Client Certificates: Accept"
                    } elseif ($preflags -eq "SslNegotiateCert,SslRequireCert" -or $preflags -eq "SslRequireCert") {
                        "SSL: Not Required | Client Certificates: Require"
                    } elseif ($preflags -eq "SslRequireCert,Ssl128") {
                        "SSL: Not Required | Client Certificates: Require | SSL: 128"
                    } elseif ($preflags -eq "SslNegotiateCert,Ssl128" ) {
                        "SSL: Not Required | Client Certificates: Accept | SSL: 128"
                    } elseif ($preflags -eq "SslNegotiateCert,SslRequireCert,Ssl128" ) {
                        "SSL: Not Required | Client Certificates: Require | SSL: 128"
                    } elseif ($preflags -eq "Ssl128" ) {
                        "SSL: Not Required | Client Certificates: Ignore | SSL: 128"
                    } else {
                        "SSL: Not Required | Client Certificates: Ignore"
                    }
                )

                #Post-configuration data results
                $postconfig = @(
                    if ($postflags -eq "Ssl" ) {
                        "SSL: Required | Client Certificates: Ignore"
                    } elseif ($postflags -eq "Ssl,SslNegotiateCert" ) {
                        "SSL: Required | Client Certificates: Accept"
                    } elseif ($postflags -eq "Ssl,SslRequireCert" ) {
                        "SSL: Required | Client Certificates: Require"
                    } elseif ($postflags -eq "Ssl,Ssl128" ) {
                        "SSL: Required | Client Certificates: Ignore | SSL: 128"
                    } elseif ($postflags -eq "Ssl,SslNegotiateCert,SslRequireCert" ) {
                        "SSL: Required | Client Certificates: Require"
                    } elseif ($postflags -eq "Ssl,SslNegotiateCert,Ssl128" ) {
                        "SSL: Required | Client Certificates: Accept | SSL: 128"
                    } elseif ($postflags -eq "Ssl,SslRequireCert,Ssl128" -or $postflags -eq "Ssl,SslNegotiateCert,SslRequireCert,Ssl128") {
                        "SSL: Required | Client Certificates: Require | SSL: 128"
                    } elseif ($postflags -eq "SslNegotiateCert" ) {
                        "SSL: Not Required | Client Certificates: Accept"
                    } elseif ($postflags -eq "SslNegotiateCert,SslRequireCert" -or $postflags -eq "SslRequireCert") {
                        "SSL: Not Required | Client Certificates: Require"
                    } elseif ($postflags -eq "SslRequireCert,Ssl128") {
                        "SSL: Not Required | Client Certificates: Require | SSL: 128"
                    } elseif ($postflags -eq "SslNegotiateCert,Ssl128" ) {
                        "SSL: Not Required | Client Certificates: Accept | SSL: 128"
                    } elseif ($postflags -eq "SslNegotiateCert,SslRequireCert,Ssl128" ) {
                        "SSL: Not Required | Client Certificates: Require | SSL: 128"
                    } elseif ($postflags -eq "Ssl128" ) {
                        "SSL: Not Required | Client Certificates: Ignore | SSL: 128"
                    } else {
                        "SSL: Not Required | Client Certificates: Ignore"
                    }
                )

                #Check SSL setting compliance
                if ($postconfig -eq "SSL: Required | Client Certificates: Require" -or $postconfig -eq "SSL: Required | Client Certificates: Require | SSL: 128") {
                    $compliant = $true
                } else {
                    $compliant = $false
                }

                [pscustomobject] @{
                    Id           = "V-76861"
                    ComputerName = $env:COMPUTERNAME
                    SiteName     = $webname
                    Before       = $preconfig
                    After        = $postconfig
                    Compliant    = $compliant
                    Notes        = "Configuring the Client Certificates settings to Require breaks SolarWinds Web GUI"
                }
            }

            #Pre-configuration SSL values for server
            $preflags = Get-WebConfigurationProperty -Filter "system.webserver/security/access" -Name SSLFlags

            if ($preflags -ne "Ssl,SslNegotiateCert,SslRequireCert" -or $preflags -ne "Ssl,SslNegotiateCert" -or $preflags -ne "Ssl,SslNegotiateCert,Ssl128" -or $preflags -ne "Ssl,SslNegotiateCert,SslRequireCert,Ssl128") {
                #Set SSL requirements
                $null = Set-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" -Filter "system.webServer/security/access" -Name SSLFlags -Value "Ssl,SslNegotiateCert,Ssl128"
            }

            #Post-configuration SSL values
            $postflags = Get-WebConfigurationProperty -Filter "system.webserver/security/access" -Name SSLFlags

            #Pre-configuration data results
            # should be a switch but it's already written >_<
            $preconfig = @(
                if ($preflags -eq "Ssl" ) {
                    "SSL: Required | Client Certificates: Ignore"
                } elseif ($preflags -eq "Ssl,SslNegotiateCert" ) {
                    "SSL: Required | Client Certificates: Accept"
                } elseif ($preflags -eq "Ssl,SslRequireCert" ) {
                    "SSL: Required | Client Certificates: Require"
                } elseif ($preflags -eq "Ssl,Ssl128" ) {
                    "SSL: Required | Client Certificates: Ignore | SSL: 128"
                } elseif ($preflags -eq "Ssl,SslNegotiateCert,SslRequireCert" ) {
                    "SSL: Required | Client Certificates: Require"
                } elseif ($preflags -eq "Ssl,SslNegotiateCert,Ssl128" ) {
                    "SSL: Required | Client Certificates: Accept | SSL: 128"
                } elseif ($preflags -eq "Ssl,SslRequireCert,Ssl128" -or $preflags -eq "Ssl,SslNegotiateCert,SslRequireCert,Ssl128") {
                    "SSL: Required | Client Certificates: Require | SSL: 128"
                } elseif ($preflags -eq "SslNegotiateCert" ) {
                    "SSL: Not Required | Client Certificates: Accept"
                } elseif ($preflags -eq "SslNegotiateCert,SslRequireCert" -or $preflags -eq "SslRequireCert") {
                    "SSL: Not Required | Client Certificates: Require"
                } elseif ($preflags -eq "SslRequireCert,Ssl128") {
                    "SSL: Not Required | Client Certificates: Require | SSL: 128"
                } elseif ($preflags -eq "SslNegotiateCert,Ssl128" ) {
                    "SSL: Not Required | Client Certificates: Accept | SSL: 128"
                } elseif ($preflags -eq "SslNegotiateCert,SslRequireCert,Ssl128" ) {
                    "SSL: Not Required | Client Certificates: Require | SSL: 128"
                } elseif ($preflags -eq "Ssl128" ) {
                    "SSL: Not Required | Client Certificates: Ignore | SSL: 128"
                } else {
                    "SSL: Not Required | Client Certificates: Ignore"
                }
            )

            # Post-configuration data results
            # should be a switch but it's already written >_<
            $postconfig = @(
                if ($postflags -eq "Ssl" ) {
                    "SSL: Required | Client Certificates: Ignore"
                } elseif ($postflags -eq "Ssl,SslNegotiateCert" ) {
                    "SSL: Required | Client Certificates: Accept"
                } elseif ($postflags -eq "Ssl,SslRequireCert" ) {
                    "SSL: Required | Client Certificates: Require"
                } elseif ($postflags -eq "Ssl,Ssl128" ) {
                    "SSL: Required | Client Certificates: Ignore | SSL: 128"
                } elseif ($postflags -eq "Ssl,SslNegotiateCert,SslRequireCert" ) {
                    "SSL: Required | Client Certificates: Require"
                } elseif ($postflags -eq "Ssl,SslNegotiateCert,Ssl128" ) {
                    "SSL: Required | Client Certificates: Accept | SSL: 128"
                } elseif ($postflags -eq "Ssl,SslRequireCert,Ssl128" -or $postflags -eq "Ssl,SslNegotiateCert,SslRequireCert,Ssl128") {
                    "SSL: Required | Client Certificates: Require | SSL: 128"
                } elseif ($postflags -eq "SslNegotiateCert" ) {
                    "SSL: Not Required | Client Certificates: Accept"
                } elseif ($postflags -eq "SslNegotiateCert,SslRequireCert" -or $postflags -eq "SslRequireCert") {
                    "SSL: Not Required | Client Certificates: Require"
                } elseif ($postflags -eq "SslRequireCert,Ssl128") {
                    "SSL: Not Required | Client Certificates: Require | SSL: 128"
                } elseif ($postflags -eq "SslNegotiateCert,Ssl128" ) {
                    "SSL: Not Required | Client Certificates: Accept | SSL: 128"
                } elseif ($postflags -eq "SslNegotiateCert,SslRequireCert,Ssl128" ) {
                    "SSL: Not Required | Client Certificates: Require | SSL: 128"
                } elseif ($postflags -eq "Ssl128" ) {
                    "SSL: Not Required | Client Certificates: Ignore | SSL: 128"
                } else {
                    "SSL: Not Required | Client Certificates: Ignore"
                }
            )

            #Check SSL setting compliance
            if ($postconfig -eq "SSL: Required | Client Certificates: Require" -or $postconfig -eq "SSL: Required | Client Certificates: Require | SSL: 128") {
                $compliant = $true
            } else {
                $compliant = $false
            }

            [pscustomobject] @{
                Id           = "V-76809", "V-76851"
                ComputerName = $env:COMPUTERNAME
                SiteName     = $env:COMPUTERNAME
                Before       = $preconfig
                After        = $postconfig
                Compliant    = $compliant
                Notes        = "Configuring the Client Certificates settings to Require breaks SolarWinds Web GUI"
            }
        }
    }
    process {
        foreach ($computer in $ComputerName) {
            try {
                Invoke-Command2 -ComputerName $computer -Credential $credential -ScriptBlock $scriptblock |
                    Select-DefaultView -Property Id, ComputerName, SiteName, Before, After, Compliant, Notes |
                    Select-Object -Property * -ExcludeProperty PSComputerName, RunspaceId
            } catch {
                Stop-PSFFunction -Message "Failure on $computer" -ErrorRecord $_
            }
        }
    }
}


# SIG # Begin signature block
# MIIcYgYJKoZIhvcNAQcCoIIcUzCCHE8CAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB
# gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR
# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUJ7s9Dx5gxMvkpoH854reWODc
# pEGggheRMIIFGjCCBAKgAwIBAgIQAsF1KHTVwoQxhSrYoGRpyjANBgkqhkiG9w0B
# AQsFADByMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYD
# VQQLExB3d3cuZGlnaWNlcnQuY29tMTEwLwYDVQQDEyhEaWdpQ2VydCBTSEEyIEFz
# c3VyZWQgSUQgQ29kZSBTaWduaW5nIENBMB4XDTE3MDUwOTAwMDAwMFoXDTIwMDUx
# MzEyMDAwMFowVzELMAkGA1UEBhMCVVMxETAPBgNVBAgTCFZpcmdpbmlhMQ8wDQYD
# VQQHEwZWaWVubmExETAPBgNVBAoTCGRiYXRvb2xzMREwDwYDVQQDEwhkYmF0b29s
# czCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI8ng7JxnekL0AO4qQgt
# Kr6p3q3SNOPh+SUZH+SyY8EA2I3wR7BMoT7rnZNolTwGjUXn7bRC6vISWg16N202
# 1RBWdTGW2rVPBVLF4HA46jle4hcpEVquXdj3yGYa99ko1w2FOWzLjKvtLqj4tzOh
# K7wa/Gbmv0Si/FU6oOmctzYMI0QXtEG7lR1HsJT5kywwmgcjyuiN28iBIhT6man0
# Ib6xKDv40PblKq5c9AFVldXUGVeBJbLhcEAA1nSPSLGdc7j4J2SulGISYY7ocuX3
# tkv01te72Mv2KkqqpfkLEAQjXgtM0hlgwuc8/A4if+I0YtboCMkVQuwBpbR9/6ys
# Z+sCAwEAAaOCAcUwggHBMB8GA1UdIwQYMBaAFFrEuXsqCqOl6nEDwGD5LfZldQ5Y
# MB0GA1UdDgQWBBRcxSkFqeA3vvHU0aq2mVpFRSOdmjAOBgNVHQ8BAf8EBAMCB4Aw
# EwYDVR0lBAwwCgYIKwYBBQUHAwMwdwYDVR0fBHAwbjA1oDOgMYYvaHR0cDovL2Ny
# bDMuZGlnaWNlcnQuY29tL3NoYTItYXNzdXJlZC1jcy1nMS5jcmwwNaAzoDGGL2h0
# dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zaGEyLWFzc3VyZWQtY3MtZzEuY3JsMEwG
# A1UdIARFMEMwNwYJYIZIAYb9bAMBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3
# LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQQBMIGEBggrBgEFBQcBAQR4MHYwJAYI
# KwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBOBggrBgEFBQcwAoZC
# aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkFzc3VyZWRJ
# RENvZGVTaWduaW5nQ0EuY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQAD
# ggEBANuBGTbzCRhgG0Th09J0m/qDqohWMx6ZOFKhMoKl8f/l6IwyDrkG48JBkWOA
# QYXNAzvp3Ro7aGCNJKRAOcIjNKYef/PFRfFQvMe07nQIj78G8x0q44ZpOVCp9uVj
# sLmIvsmF1dcYhOWs9BOG/Zp9augJUtlYpo4JW+iuZHCqjhKzIc74rEEiZd0hSm8M
# asshvBUSB9e8do/7RhaKezvlciDaFBQvg5s0fICsEhULBRhoyVOiUKUcemprPiTD
# xh3buBLuN0bBayjWmOMlkG1Z6i8DUvWlPGz9jiBT3ONBqxXfghXLL6n8PhfppBhn
# daPQO8+SqF5rqrlyBPmRRaTz2GQwggUwMIIEGKADAgECAhAECRgbX9W7ZnVTQ7Vv
# lVAIMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdp
# Q2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xJDAiBgNVBAMTG0Rp
# Z2lDZXJ0IEFzc3VyZWQgSUQgUm9vdCBDQTAeFw0xMzEwMjIxMjAwMDBaFw0yODEw
# MjIxMjAwMDBaMHIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMx
# GTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xMTAvBgNVBAMTKERpZ2lDZXJ0IFNI
# QTIgQXNzdXJlZCBJRCBDb2RlIFNpZ25pbmcgQ0EwggEiMA0GCSqGSIb3DQEBAQUA
# A4IBDwAwggEKAoIBAQD407Mcfw4Rr2d3B9MLMUkZz9D7RZmxOttE9X/lqJ3bMtdx
# 6nadBS63j/qSQ8Cl+YnUNxnXtqrwnIal2CWsDnkoOn7p0WfTxvspJ8fTeyOU5JEj
# lpB3gvmhhCNmElQzUHSxKCa7JGnCwlLyFGeKiUXULaGj6YgsIJWuHEqHCN8M9eJN
# YBi+qsSyrnAxZjNxPqxwoqvOf+l8y5Kh5TsxHM/q8grkV7tKtel05iv+bMt+dDk2
# DZDv5LVOpKnqagqrhPOsZ061xPeM0SAlI+sIZD5SlsHyDxL0xY4PwaLoLFH3c7y9
# hbFig3NBggfkOItqcyDQD2RzPJ6fpjOp/RnfJZPRAgMBAAGjggHNMIIByTASBgNV
# HRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjATBgNVHSUEDDAKBggrBgEF
# BQcDAzB5BggrBgEFBQcBAQRtMGswJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRp
# Z2ljZXJ0LmNvbTBDBggrBgEFBQcwAoY3aHR0cDovL2NhY2VydHMuZGlnaWNlcnQu
# Y29tL0RpZ2lDZXJ0QXNzdXJlZElEUm9vdENBLmNydDCBgQYDVR0fBHoweDA6oDig
# NoY0aHR0cDovL2NybDQuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0QXNzdXJlZElEUm9v
# dENBLmNybDA6oDigNoY0aHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0
# QXNzdXJlZElEUm9vdENBLmNybDBPBgNVHSAESDBGMDgGCmCGSAGG/WwAAgQwKjAo
# BggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAKBghghkgB
# hv1sAzAdBgNVHQ4EFgQUWsS5eyoKo6XqcQPAYPkt9mV1DlgwHwYDVR0jBBgwFoAU
# Reuir/SSy4IxLVGLp6chnfNtyA8wDQYJKoZIhvcNAQELBQADggEBAD7sDVoks/Mi
# 0RXILHwlKXaoHV0cLToaxO8wYdd+C2D9wz0PxK+L/e8q3yBVN7Dh9tGSdQ9RtG6l
# jlriXiSBThCk7j9xjmMOE0ut119EefM2FAaK95xGTlz/kLEbBw6RFfu6r7VRwo0k
# riTGxycqoSkoGjpxKAI8LpGjwCUR4pwUR6F6aGivm6dcIFzZcbEMj7uo+MUSaJ/P
# QMtARKUT8OZkDCUIQjKyNookAv4vcn4c10lFluhZHen6dGRrsutmQ9qzsIzV6Q3d
# 9gEgzpkxYz0IGhizgZtPxpMQBvwHgfqL2vmCSfdibqFT+hKUGIUukpHqaGxEMrJm
# oecYpJpkUe8wggZqMIIFUqADAgECAhADAZoCOv9YsWvW1ermF/BmMA0GCSqGSIb3
# DQEBBQUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAX
# BgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0IEFzc3Vy
# ZWQgSUQgQ0EtMTAeFw0xNDEwMjIwMDAwMDBaFw0yNDEwMjIwMDAwMDBaMEcxCzAJ
# BgNVBAYTAlVTMREwDwYDVQQKEwhEaWdpQ2VydDElMCMGA1UEAxMcRGlnaUNlcnQg
# VGltZXN0YW1wIFJlc3BvbmRlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
# ggEBAKNkXfx8s+CCNeDg9sYq5kl1O8xu4FOpnx9kWeZ8a39rjJ1V+JLjntVaY1sC
# SVDZg85vZu7dy4XpX6X51Id0iEQ7Gcnl9ZGfxhQ5rCTqqEsskYnMXij0ZLZQt/US
# s3OWCmejvmGfrvP9Enh1DqZbFP1FI46GRFV9GIYFjFWHeUhG98oOjafeTl/iqLYt
# WQJhiGFyGGi5uHzu5uc0LzF3gTAfuzYBje8n4/ea8EwxZI3j6/oZh6h+z+yMDDZb
# esF6uHjHyQYuRhDIjegEYNu8c3T6Ttj+qkDxss5wRoPp2kChWTrZFQlXmVYwk/PJ
# YczQCMxr7GJCkawCwO+k8IkRj3cCAwEAAaOCAzUwggMxMA4GA1UdDwEB/wQEAwIH
# gDAMBgNVHRMBAf8EAjAAMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMIIBvwYDVR0g
# BIIBtjCCAbIwggGhBglghkgBhv1sBwEwggGSMCgGCCsGAQUFBwIBFhxodHRwczov
# L3d3dy5kaWdpY2VydC5jb20vQ1BTMIIBZAYIKwYBBQUHAgIwggFWHoIBUgBBAG4A
# eQAgAHUAcwBlACAAbwBmACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkAYwBhAHQA
# ZQAgAGMAbwBuAHMAdABpAHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEAbgBjAGUA
# IABvAGYAIAB0AGgAZQAgAEQAaQBnAGkAQwBlAHIAdAAgAEMAUAAvAEMAUABTACAA
# YQBuAGQAIAB0AGgAZQAgAFIAZQBsAHkAaQBuAGcAIABQAGEAcgB0AHkAIABBAGcA
# cgBlAGUAbQBlAG4AdAAgAHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwAaQBhAGIA
# aQBsAGkAdAB5ACAAYQBuAGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8AcgBhAHQA
# ZQBkACAAaABlAHIAZQBpAG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMAZQAuMAsG
# CWCGSAGG/WwDFTAfBgNVHSMEGDAWgBQVABIrE5iymQftHt+ivlcNK2cCzTAdBgNV
# HQ4EFgQUYVpNJLZJMp1KKnkag0v0HonByn0wfQYDVR0fBHYwdDA4oDagNIYyaHR0
# cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0QXNzdXJlZElEQ0EtMS5jcmww
# OKA2oDSGMmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJ
# RENBLTEuY3JsMHcGCCsGAQUFBwEBBGswaTAkBggrBgEFBQcwAYYYaHR0cDovL29j
# c3AuZGlnaWNlcnQuY29tMEEGCCsGAQUFBzAChjVodHRwOi8vY2FjZXJ0cy5kaWdp
# Y2VydC5jb20vRGlnaUNlcnRBc3N1cmVkSURDQS0xLmNydDANBgkqhkiG9w0BAQUF
# AAOCAQEAnSV+GzNNsiaBXJuGziMgD4CH5Yj//7HUaiwx7ToXGXEXzakbvFoWOQCd
# 42yE5FpA+94GAYw3+puxnSR+/iCkV61bt5qwYCbqaVchXTQvH3Gwg5QZBWs1kBCg
# e5fH9j/n4hFBpr1i2fAnPTgdKG86Ugnw7HBi02JLsOBzppLA044x2C/jbRcTBu7k
# A7YUq/OPQ6dxnSHdFMoVXZJB2vkPgdGZdA0mxA5/G7X1oPHGdwYoFenYk+VVFvC7
# Cqsc21xIJ2bIo4sKHOWV2q7ELlmgYd3a822iYemKC23sEhi991VUQAOSK2vCUcIK
# SK+w1G7g9BQKOhvjjz3Kr2qNe9zYRDCCBs0wggW1oAMCAQICEAb9+QOWA63qAArr
# Pye7uhswDQYJKoZIhvcNAQEFBQAwZTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERp
# Z2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEkMCIGA1UEAxMb
# RGlnaUNlcnQgQXNzdXJlZCBJRCBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTIx
# MTExMDAwMDAwMFowYjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IElu
# YzEZMBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEhMB8GA1UEAxMYRGlnaUNlcnQg
# QXNzdXJlZCBJRCBDQS0xMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
# 6IItmfnKwkKVpYBzQHDSnlZUXKnE0kEGj8kz/E1FkVyBn+0snPgWWd+etSQVwpi5
# tHdJ3InECtqvy15r7a2wcTHrzzpADEZNk+yLejYIA6sMNP4YSYL+x8cxSIB8HqIP
# kg5QycaH6zY/2DDD/6b3+6LNb3Mj/qxWBZDwMiEWicZwiPkFl32jx0PdAug7Pe2x
# QaPtP77blUjE7h6z8rwMK5nQxl0SQoHhg26Ccz8mSxSQrllmCsSNvtLOBq6thG9I
# hJtPQLnxTPKvmPv2zkBdXPao8S+v7Iki8msYZbHBc63X8djPHgp0XEK4aH631XcK
# J1Z8D2KkPzIUYJX9BwSiCQIDAQABo4IDejCCA3YwDgYDVR0PAQH/BAQDAgGGMDsG
# A1UdJQQ0MDIGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME
# BggrBgEFBQcDCDCCAdIGA1UdIASCAckwggHFMIIBtAYKYIZIAYb9bAABBDCCAaQw
# OgYIKwYBBQUHAgEWLmh0dHA6Ly93d3cuZGlnaWNlcnQuY29tL3NzbC1jcHMtcmVw
# b3NpdG9yeS5odG0wggFkBggrBgEFBQcCAjCCAVYeggFSAEEAbgB5ACAAdQBzAGUA
# IABvAGYAIAB0AGgAaQBzACAAQwBlAHIAdABpAGYAaQBjAGEAdABlACAAYwBvAG4A
# cwB0AGkAdAB1AHQAZQBzACAAYQBjAGMAZQBwAHQAYQBuAGMAZQAgAG8AZgAgAHQA
# aABlACAARABpAGcAaQBDAGUAcgB0ACAAQwBQAC8AQwBQAFMAIABhAG4AZAAgAHQA
# aABlACAAUgBlAGwAeQBpAG4AZwAgAFAAYQByAHQAeQAgAEEAZwByAGUAZQBtAGUA
# bgB0ACAAdwBoAGkAYwBoACAAbABpAG0AaQB0ACAAbABpAGEAYgBpAGwAaQB0AHkA
# IABhAG4AZAAgAGEAcgBlACAAaQBuAGMAbwByAHAAbwByAGEAdABlAGQAIABoAGUA
# cgBlAGkAbgAgAGIAeQAgAHIAZQBmAGUAcgBlAG4AYwBlAC4wCwYJYIZIAYb9bAMV
# MBIGA1UdEwEB/wQIMAYBAf8CAQAweQYIKwYBBQUHAQEEbTBrMCQGCCsGAQUFBzAB
# hhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wQwYIKwYBBQUHMAKGN2h0dHA6Ly9j
# YWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcnQw
# gYEGA1UdHwR6MHgwOqA4oDaGNGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdp
# Q2VydEFzc3VyZWRJRFJvb3RDQS5jcmwwOqA4oDaGNGh0dHA6Ly9jcmw0LmRpZ2lj
# ZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcmwwHQYDVR0OBBYEFBUA
# EisTmLKZB+0e36K+Vw0rZwLNMB8GA1UdIwQYMBaAFEXroq/0ksuCMS1Ri6enIZ3z
# bcgPMA0GCSqGSIb3DQEBBQUAA4IBAQBGUD7Jtygkpzgdtlspr1LPUukxR6tWXHvV
# DQtBs+/sdR90OPKyXGGinJXDUOSCuSPRujqGcq04eKx1XRcXNHJHhZRW0eu7NoR3
# zCSl8wQZVann4+erYs37iy2QwsDStZS9Xk+xBdIOPRqpFFumhjFiqKgz5Js5p8T1
# zh14dpQlc+Qqq8+cdkvtX8JLFuRLcEwAiR78xXm8TBJX/l/hHrwCXaj++wc4Tw3G
# XZG5D2dFzdaD7eeSDY2xaYxP+1ngIw/Sqq4AfO6cQg7PkdcntxbuD8O9fAqg7iwI
# VYUiuOsYGk38KiGtSTGDR5V3cdyxG0tLHBCcdxTBnU8vWpUIKRAmMYIEOzCCBDcC
# AQEwgYYwcjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcG
# A1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTExMC8GA1UEAxMoRGlnaUNlcnQgU0hBMiBB
# c3N1cmVkIElEIENvZGUgU2lnbmluZyBDQQIQAsF1KHTVwoQxhSrYoGRpyjAJBgUr
# DgMCGgUAoHgwGAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMx
# DAYKKwYBBAGCNwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAjBgkq
# hkiG9w0BCQQxFgQURFMIykNJzX3wwoFA648XjmIuc8owDQYJKoZIhvcNAQEBBQAE
# ggEAi9HMMpSCZKJ40bGuf6SsrLCehCu3mREEgm/pHX7LF3gb6RiEs84x6VcNJlMg
# hlIhx/Mx81GdyZEvEGUBN/2HIKdLw/jJ/EuVaMn1EM+LQsz2FomP4zTs6rDGMosH
# pcVkzhE/IkBFyWlEsLusjuZuwNDqV5taew9RbhVnc7IDD5rd75E0OV2pSXpU+RxZ
# Iu0pCnLJ3mh3sMh9eo8zXnsetrIctZIamjAuVNYXtHX6UrCoYT20qGoEwbx28yJN
# 90tQosahiLw1tJnQswJP+Qf4zfzqWdqBImfOwsHjp27gq4KBayHb9GEPltIe5Urv
# wyHkxl/Z3kCPbw/7SQqibmuJE6GCAg8wggILBgkqhkiG9w0BCQYxggH8MIIB+AIB
# ATB2MGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNV
# BAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0IEFzc3VyZWQg
# SUQgQ0EtMQIQAwGaAjr/WLFr1tXq5hfwZjAJBgUrDgMCGgUAoF0wGAYJKoZIhvcN
# AQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjAwNDE2MDk0NTUwWjAj
# BgkqhkiG9w0BCQQxFgQUY+/x4Kzy7nXGrWFiKXCkQ8pUcdUwDQYJKoZIhvcNAQEB
# BQAEggEAZ16ywYPrB7l87AsmKLi+dSBLFntL/176eN7Bh86vhLcGkB8YuwXB2E7d
# ktJSt3Aa1WLFfaqA2FMAo90TtlBjPdEfCtqkwJ9QNNLa684jSQF9lLkYYA7xR/0l
# 1MOsvvGItzGsVltbtKyzjFq33+3IkULY1MTE/ZYgKcxwRpDyuIus1FZJgtbXrBQ2
# k30B2qqeYQlPX0d1KQr0c572DtbYEvy0/5tLgYHDFVjkD94mPU8iU+Rfu87nXvyM
# QGoQU2UqfTfS/2uHZ0SI6gunXdIMXwYuO+hkLbqy4m6pEK+fqtR6jFl8r2ZxokXr
# n/v7F205EcElLfbIOIupgfp3Hw8V4g==
# SIG # End signature block