tlsModule/AdfsTlsModule.psm1
#Copyright (c) Microsoft Corporation. All rights reserved. #Licensed under the MIT License. <# .SYNOPSIS Configures ADFS servers for TLS 1.2 security. .DESCRIPTION The Get-ADFSTLSConfiguration cmdlet checks the local server's configuration for TLS and SSL and both writes the results to the console and places the results in a text file for review. .PARAMETER This cmdlet takes no parameters. .EXAMPLE Get-ADFSTLSConfiguration .NOTES Registry items detailed in https://support2.microsoft.com/kb/245030/en-us Offical doc @ https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs #> $global:FormatEnumerationLimit = -1 Function Get-ADFSTLSConfiguration { #function to review the current TLS config of the ADFS server and place results to an output file. #function should return a boolean response for whether only TLS 1.2 is allowed true, else false Write-host "This cmdlet provides a per server test result of what SSL and TLS settings are currently configured per the local servers registry. Each ADFS server in the farm will need the test ran individually." -ForegroundColor Yellow $OutputValues = new-object PSObject $OutputFile = ($pwd.path + '\') + (($env:COMPUTERNAME) + "_ADFS-TLSConfig.txt") $Time = Get-Date "ADFS SSL/TLS Configuration" | Out-file -FilePath $OutputFile -Encoding utf8 (get-wmiobject -class win32_computersystem).Name | Out-file -FilePath $OutputFile -Encoding utf8 -Append $Time | Out-file -FilePath $OutputFile -Encoding utf8 -Append "**********************************************************" | Out-file -FilePath $OutputFile -Encoding utf8 -Append #Read current registry config for SSL and TLS settings. if (Test-path -path Registry::"HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client") {$PCT1ClientReg = Get-ItemProperty -Path Registry::"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client"} if (Test-path -path Registry::"HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server") {$PCT1ServerReg = Get-ItemProperty -Path Registry::"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server"} if (Test-path -path Registry::"HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client") {$SSL2ClientReg = Get-ItemProperty -Path Registry::"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client"} if (Test-path -path Registry::"HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server") {$SSL2ServerReg = Get-ItemProperty -Path Registry::"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server"} if (Test-path -path Registry::"HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client") {$SSL3ClientReg = Get-ItemProperty -Path Registry::"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client"} if (Test-path -path Registry::"HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server") {$SSL3ServerReg = Get-ItemProperty -Path Registry::"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server"} if (Test-path -path Registry::"HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client") {$TLS1ClientReg = Get-ItemProperty -Path Registry::"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client"} if (Test-path -path Registry::"HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server") {$TLS1ServerReg = Get-ItemProperty -Path Registry::"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server"} if (Test-path -path Registry::"HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client") {$TLS11ClientReg = Get-ItemProperty -Path Registry::"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client"} if (Test-path -path Registry::"HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server") {$TLS11ServerReg = Get-ItemProperty -Path Registry::"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server"} if (Test-path -path Registry::"HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client") {$TLS12ClientReg = Get-ItemProperty -Path Registry::"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"} if (Test-path -path Registry::"HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server") {$TLS12ServerReg = Get-ItemProperty -Path Registry::"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server"} if (($PCT1ClientReg.Enabled -eq 0) -or ($PCT1ClientReg.Enabled -eq $null)) {add-member -inputobject $OutputValues -membertype noteproperty -name "PCT1 Client Setting" -value "Disabled (default)"} else {add-member -inputobject $OutputValues -membertype noteproperty -name "PCT1 Client Setting" -value "Enabled (NOT default)"} if (($PCT1ServerReg.Enabled -eq 0) -or ($PCT1ServerReg.Enabled -eq $null)) {add-member -inputobject $OutputValues -membertype noteproperty -name "PCT1 Server Setting" -value "Disabled (default)"} else {add-member -inputobject $OutputValues -membertype noteproperty -name "PCT1 Server Setting" -value "Enabled (NOT default)"} if (($SSL2ClientReg.Enabled -eq 1) -or ($SSL2ClientReg.Enabled -eq $null)) {add-member -inputobject $OutputValues -membertype noteproperty -name "SSL2 Client Setting" -value "Enabled (default)"} else {add-member -inputobject $OutputValues -membertype noteproperty -name "SSL2 Client Setting" -value "Disabled (NOT default)"} if (($SSL2ServerReg.Enabled -eq 1) -or ($SSL2ServerReg.Enabled -eq $null)) {add-member -inputobject $OutputValues -membertype noteproperty -name "SSL2 Server Setting" -value "Enabled (default)"} else {add-member -inputobject $OutputValues -membertype noteproperty -name "SSL2 Server Setting" -value "Disabled (NOT default)"} if (($SSL3ClientReg.Enabled -eq 1) -or ($SSL3ClientReg.Enabled -eq $null)) {add-member -inputobject $OutputValues -membertype noteproperty -name "SSL3 Client Setting" -value "Enabled (default)"} else {add-member -inputobject $OutputValues -membertype noteproperty -name "SSL3 Client Setting" -value "Disabled (NOT default) for POODLE"} if (($SSL3ServerReg.Enabled -eq 1) -or ($SSL3ServerReg.Enabled -eq $null)) {add-member -inputobject $OutputValues -membertype noteproperty -name "SSL3 Server Setting" -value "Enabled (default) - POODLE still possible"} else {add-member -inputobject $OutputValues -membertype noteproperty -name "SSL3 Server Setting" -value "Disabled (NOT Default) for POODLE"} if (($TLS1ClientReg.Enabled -eq 1) -or ($TLS1ClientReg.Enabled -eq $null)) {add-member -inputobject $OutputValues -membertype noteproperty -name "TLS 1.0 Client Setting" -value "Enabled (default)"} else {add-member -inputobject $OutputValues -membertype noteproperty -name "TLS 1.0 Client Setting" -value "Disabled (NOT default)"} if (($TLS1ServerReg.Enabled -eq 1) -or ($TLS1ServerReg.Enabled -eq $null)) {add-member -inputobject $OutputValues -membertype noteproperty -name "TLS 1.0 Server Setting" -value "Enabled (default)"} else {add-member -inputobject $OutputValues -membertype noteproperty -name "TLS 1.0 Server Setting" -value "Disabled (NOT Default)"} if (($TLS11ClientReg.Enabled -eq 1) -or ($TLS11ClientReg.Enabled -eq $null)) {add-member -inputobject $OutputValues -membertype noteproperty -name "TLS 1.1 Client Setting" -value "Enabled (default)"} else {add-member -inputobject $OutputValues -membertype noteproperty -name "TLS 1.1 Client Setting" -value "Disabled (NOT default)"} if (($TLS11ServerReg.Enabled -eq 1) -or ($TLS11ServerReg.Enabled -eq $null)) {add-member -inputobject $OutputValues -membertype noteproperty -name "TLS 1.1 Server Setting" -value "Enabled (default)"} else {add-member -inputobject $OutputValues -membertype noteproperty -name "TLS 1.1 Server Setting" -value "Disabled (NOT Default)"} if (($TLS12ClientReg.Enabled -eq 1) -or ($TLS12ClientReg.Enabled -eq $null)) {add-member -inputobject $OutputValues -membertype noteproperty -name "TLS 1.2 Client Setting" -value "Enabled (default)"} else {add-member -inputobject $OutputValues -membertype noteproperty -name "TLS 1.2 Client Setting" -value "Disabled (NOT default)"} if (($TLS12ServerReg.Enabled -eq 1) -or ($TLS12ServerReg.Enabled -eq $null)) {add-member -inputobject $OutputValues -membertype noteproperty -name "TLS 1.2 Server Setting" -value "Enabled (default)"} else {add-member -inputobject $OutputValues -membertype noteproperty -name "TLS 1.2 Server Setting" -value "Disabled (NOT Default)"} if ($TLS12ServerReg.enabled -eq 1) {$TLS1dot2 = $true} else {$TLS1dot2 = $false} $OutputValues | Out-file -FilePath $OutputFile -Encoding utf8 -Append If ($TLS1dot2 -ne $true) { Write-host "The computer" ($env:COMPUTERNAME) "is not configured to use only Transport Layer Security 1.2. Run the Set-ADFSTLSConfiguration cmdlet on this server to use TLS 1.2 only." -BackgroundColor Yellow -ForegroundColor Red } If ($TLS1dot2 -eq $true) { Write-host "This ADFS server is already enabled for TLS 1.2 only." -ForegroundColor Green } } <# .SYNOPSIS Configures ADFS servers for TLS 1.2 security. .DESCRIPTION The Set-ADFSTLSConfiguration cmdlet enables TLS 1.2 as client and server (if needed) and turns off TLS SSL, TLS 1.0 and TLS 1.1. .PARAMETER This cmdlet takes no parameters. .EXAMPLE Set-ADFSTLSConfiguration .NOTES Registry items detailed in http://support2.microsoft.com/kb/245030/en-us Offical doc @ https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs #> Function Set-ADFSTLSConfiguration { #enable strong crypto for .Net if (Test-path -path Registry::'HKLM\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727') {New-ItemProperty -Path Registry::'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727' -name 'SchUseStrongCrypto' -value '1' -PropertyType 'DWord' -Force | Out-Null} if (Test-path -path Registry::"HKLM\SOFTWARE\Microsoft\.NetFramework\v4.0.30319") {New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -name 'SchUseStrongCrypto' -value '1' -PropertyType 'DWord' -Force | Out-Null} Write-Host '.Net Schannel Use Strong Crypto is enabled.' -ForegroundColor Green #enable TLS 1.2 New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null Write-Host 'TLS 1.2 is enabled.' -ForegroundColor Green #SSL 2.0 New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force | Out-Null New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Force | Out-Null New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null Write-Host 'SSL 2.0 has been disabled.' -ForegroundColor Green #disable SSL 3.0 New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force | Out-Null New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Force | Out-Null New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null Write-Host 'SSL 3.0 has been disabled.' -ForegroundColor Green #disable TLS 1.0 New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-Null New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force | Out-Null New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null Write-Host 'TLS 1.0 has been disabled.' -ForegroundColor Green #disable TLS 1.1 New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force | Out-Null New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force | Out-Null New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null Write-Host 'TLS 1.1 has been disabled.' -ForegroundColor Green Write-host 'TLS 1.2 is now the sole SSL/TLS setting allowed on this server.' -ForegroundColor Green Write-host 'WARNING: The server must be rebooted for the SSL and TLS settings to take effect.' -BackgroundColor Red } #Export the appropriate module functions Export-ModuleMember -Function Get-ADFSTLSConfiguration Export-ModuleMember -Function Set-ADFSTLSConfiguration # SIG # Begin signature block # MIIjkgYJKoZIhvcNAQcCoIIjgzCCI38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDn7eKmJSZFF/5H # 1IoYXqRkXiBCu9VsYMg8p+ufedZRhKCCDY0wggYLMIID86ADAgECAhMzAAABXXIc # 0pGxWBxuAAAAAAFdMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMTkwNjA1MTczNDU2WhcNMjAwNjAzMTczNDU2WjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQDXRzz5YWPX74AM6Us0VX/pXRj2mfg5j9v6pTBCf9K2qMdqq8jyUq3MTwJ1v+Ol # lkeMZHrkVt4EkuSxkHM+vx0crHXssknSA0itEBRAtj1gNYWzS+E9AfbRG2kKJHkV # NbG/PoTemJRErrzfsyqBPlttr9OERi27B9pTs5lUOiVLOUKxnE6YkCqJZd5tHn2Q # 17VErNpDGR+CbR4CujtLIrKuY3tN9CIu4n4Lzag7d3KMpcl/Tl2DFXW9pvQ9QrjT # ecGxfne6RC8lucDMfMSr+GWzauN2iDgwW4UbrBzELzTxekwXF2tYhr4yttK55lQe # WjIbPiGN1+9LisWk5Osm9l0JAgMBAAGjggGKMIIBhjArBgNVHSUEJDAiBgorBgEE # AYI3TBMBBgorBgEEAYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUz+aU1rBrMBb9 # FzXNo21K673hqmAwUAYDVR0RBEkwR6RFMEMxKTAnBgNVBAsTIE1pY3Jvc29mdCBP # cGVyYXRpb25zIFB1ZXJ0byBSaWNvMRYwFAYDVQQFEw0yMzMxMTArNDU1NTAzMB8G # A1UdIwQYMBaAFEhuZOVQBdOCqhc3NyK1bajKdQKVMFQGA1UdHwRNMEswSaBHoEWG # Q2h0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY3JsL01pY0NvZFNpZ1BD # QTIwMTFfMjAxMS0wNy0wOC5jcmwwYQYIKwYBBQUHAQEEVTBTMFEGCCsGAQUFBzAC # hkVodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvZFNp # Z1BDQTIwMTFfMjAxMS0wNy0wOC5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0B # AQsFAAOCAgEAUnOcYhf4jLfyR6RspdPj0FmICyOVsx3MPpdxa1DigHv3PQhy3AjN # mec7xoIwP+lSrO5qSIjh5wHpzNlcUBidOIFpdzHPGF1InmTHXczi82OXtGX1U09q # OVUFy/P2TvAPyiSM+oQUmNT+UNKnCkSzk5Yxsa54J++bCU6ov3Z5+nCZ+Kb4oyhm # BlFk8ogW0JePiIXERJirMErjmvg8pyM5UXlql+/lCD8CNN7kUTtckPnKmRAjFxMg # EogwBE1WgqLuZmEQjts/I4Rk4jrzxoxCEWT1Y1H42MCP7id363Ay2rhyFEJchyu9 # rtR3n0R04lETRX3D6kgV+14Fc5kD49yaqDahAtD8NE8PMjt8HjoAkFf6XiW3R6+3 # D27Y2Iuxo6Q/nJKWPr0Dq7M8DBz8lXCF3jLInuZ4ByCA/UEjj4I48GHBbXEwUIqq # a3s/29zC+RrikFtukY9Guwx1cnoJF4ekvNPP0AUM9NnXQobWfG22EZhC/NEz65R3 # WNNwHaDE5oQ2WVQfbL+e68Ecx2mSSKPRHtJwOCVKbypUsdYLfY30+n+sVRKd/kIv # mVatChmB2o1esJS7h0Zw6UmofL+whAKEPjf2m0/oQqXkbJamP9gFn1isesc4uPfK # RZ9jN9m82AI3Pf66KNyrsAXWrUdoeeMnPvW7zU+4Oomu7aX55TKc/HEwggd6MIIF # YqADAgECAgphDpDSAAAAAAADMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYDVQQGEwJV # UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE # ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUm9v # dCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAxMTAeFw0xMTA3MDgyMDU5MDlaFw0y # NjA3MDgyMTA5MDlaMH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9u # MRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRp # b24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTEwggIi # MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCr8PpyEBwurdhuqoIQTTS68rZY # IZ9CGypr6VpQqrgGOBoESbp/wwwe3TdrxhLYC/A4wpkGsMg51QEUMULTiQ15ZId+ # lGAkbK+eSZzpaF7S35tTsgosw6/ZqSuuegmv15ZZymAaBelmdugyUiYSL+erCFDP # s0S3XdjELgN1q2jzy23zOlyhFvRGuuA4ZKxuZDV4pqBjDy3TQJP4494HDdVceaVJ # KecNvqATd76UPe/74ytaEB9NViiienLgEjq3SV7Y7e1DkYPZe7J7hhvZPrGMXeiJ # T4Qa8qEvWeSQOy2uM1jFtz7+MtOzAz2xsq+SOH7SnYAs9U5WkSE1JcM5bmR/U7qc # D60ZI4TL9LoDho33X/DQUr+MlIe8wCF0JV8YKLbMJyg4JZg5SjbPfLGSrhwjp6lm # 7GEfauEoSZ1fiOIlXdMhSz5SxLVXPyQD8NF6Wy/VI+NwXQ9RRnez+ADhvKwCgl/b # wBWzvRvUVUvnOaEP6SNJvBi4RHxF5MHDcnrgcuck379GmcXvwhxX24ON7E1JMKer # jt/sW5+v/N2wZuLBl4F77dbtS+dJKacTKKanfWeA5opieF+yL4TXV5xcv3coKPHt # bcMojyyPQDdPweGFRInECUzF1KVDL3SV9274eCBYLBNdYJWaPk8zhNqwiBfenk70 # lrC8RqBsmNLg1oiMCwIDAQABo4IB7TCCAekwEAYJKwYBBAGCNxUBBAMCAQAwHQYD # VR0OBBYEFEhuZOVQBdOCqhc3NyK1bajKdQKVMBkGCSsGAQQBgjcUAgQMHgoAUwB1 # AGIAQwBBMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaA # FHItOgIxkEO5FAVO4eqnxzHRI4k0MFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9j # cmwubWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dDIw # MTFfMjAxMV8wM18yMi5jcmwwXgYIKwYBBQUHAQEEUjBQME4GCCsGAQUFBzAChkJo # dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dDIw # MTFfMjAxMV8wM18yMi5jcnQwgZ8GA1UdIASBlzCBlDCBkQYJKwYBBAGCNy4DMIGD # MD8GCCsGAQUFBwIBFjNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2Rv # Y3MvcHJpbWFyeWNwcy5odG0wQAYIKwYBBQUHAgIwNB4yIB0ATABlAGcAYQBsAF8A # cABvAGwAaQBjAHkAXwBzAHQAYQB0AGUAbQBlAG4AdAAuIB0wDQYJKoZIhvcNAQEL # BQADggIBAGfyhqWY4FR5Gi7T2HRnIpsLlhHhY5KZQpZ90nkMkMFlXy4sPvjDctFt # g/6+P+gKyju/R6mj82nbY78iNaWXXWWEkH2LRlBV2AySfNIaSxzzPEKLUtCw/Wvj # PgcuKZvmPRul1LUdd5Q54ulkyUQ9eHoj8xN9ppB0g430yyYCRirCihC7pKkFDJvt # aPpoLpWgKj8qa1hJYx8JaW5amJbkg/TAj/NGK978O9C9Ne9uJa7lryft0N3zDq+Z # KJeYTQ49C/IIidYfwzIY4vDFLc5bnrRJOQrGCsLGra7lstnbFYhRRVg4MnEnGn+x # 9Cf43iw6IGmYslmJaG5vp7d0w0AFBqYBKig+gj8TTWYLwLNN9eGPfxxvFX1Fp3bl # QCplo8NdUmKGwx1jNpeG39rz+PIWoZon4c2ll9DuXWNB41sHnIc+BncG0QaxdR8U # vmFhtfDcxhsEvt9Bxw4o7t5lL+yX9qFcltgA1qFGvVnzl6UJS0gQmYAf0AApxbGb # pT9Fdx41xtKiop96eiL6SJUfq/tHI4D1nvi/a7dLl+LrdXga7Oo3mXkYS//WsyNo # deav+vyL6wuA6mk7r/ww7QRMjt/fdW1jkT3RnVZOT7+AVyKheBEyIXrvQQqxP/uo # zKRdwaGIm1dxVk5IRcBCyZt2WwqASGv9eZ/BvW1taslScxMNelDNMYIVWzCCFVcC # AQEwgZUwfjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNV # BAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEoMCYG # A1UEAxMfTWljcm9zb2Z0IENvZGUgU2lnbmluZyBQQ0EgMjAxMQITMwAAAV1yHNKR # sVgcbgAAAAABXTANBglghkgBZQMEAgEFAKCBrjAZBgkqhkiG9w0BCQMxDAYKKwYB # BAGCNwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0B # CQQxIgQgciUIf0k3lm5Gns56a6y72GdCZcxLFIp2d9wYYOn9btMwQgYKKwYBBAGC # NwIBDDE0MDKgFIASAE0AaQBjAHIAbwBzAG8AZgB0oRqAGGh0dHA6Ly93d3cubWlj # cm9zb2Z0LmNvbTANBgkqhkiG9w0BAQEFAASCAQCLKokgj9HxdmLyC4+Ue7nQSppB # 93OJ2POMFWF6de9PPhCbgw1VGKJnZMgmc/4jfqNIUHPVA903jP1cR7+Ul0dk0DI6 # H8BHNjPNBjTal3JXPDwAuJfob7FbiUKKRqIXn/m/ZNwWXRddruikuBCz1OPFH+I5 # P2wOr7ykp4JNXhxTiRbCixAhOS1RcTl0I0kuClSf8Qt9U/a0MIIIhy4EUiFDl8iS # eUSdFqM8uFi+nNw5eIPSAyDiuuJhPgsw0CCb4yvfP1AX8ZSmGHp8XWSvitwXG0mq # jzI4vNVzSV3ZFE+D2ASW1ZDbLqdTXEa25fYrHXkmdd38H1MN+dzpHhMr3WUhoYIS # 5TCCEuEGCisGAQQBgjcDAwExghLRMIISzQYJKoZIhvcNAQcCoIISvjCCEroCAQMx # DzANBglghkgBZQMEAgEFADCCAVEGCyqGSIb3DQEJEAEEoIIBQASCATwwggE4AgEB # BgorBgEEAYRZCgMBMDEwDQYJYIZIAWUDBAIBBQAEIENrABl8yH1BmEQT5LDS6y/r # IfAHPbKKH6MmdFfOlUPrAgZdQeAiUCUYEzIwMTkwODA2MjIyOTU1LjI1NlowBIAC # AfSggdCkgc0wgcoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAw # DgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24x # JTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVyaWNhIE9wZXJhdGlvbnMxJjAkBgNVBAsT # HVRoYWxlcyBUU1MgRVNOOjNCQkQtRTMzOC1FOUExMSUwIwYDVQQDExxNaWNyb3Nv # ZnQgVGltZS1TdGFtcCBTZXJ2aWNloIIOPDCCBPEwggPZoAMCAQICEzMAAAD0wKpc # c8v+rA8AAAAAAPQwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMxEzARBgNV # BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv # c29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAg # UENBIDIwMTAwHhcNMTgxMDI0MjExNDI1WhcNMjAwMTEwMjExNDI1WjCByjELMAkG # A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx # HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjElMCMGA1UECxMcTWljcm9z # b2Z0IEFtZXJpY2EgT3BlcmF0aW9uczEmMCQGA1UECxMdVGhhbGVzIFRTUyBFU046 # M0JCRC1FMzM4LUU5QTExJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNl # cnZpY2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDQY7TeTsdQXJev # kSG86VTj2fDLqFYy7WloMrG9n+/ZwdP03lKNqsBIxcdvhp/aSI25XDvnp01pjiPV # 1ZOBNrEs+fJigxIlTpVrX3+awEFty190WA+yvHSJMYqWj7IKolH7RUEKVkSj4cWn # YiW6HxRRVLVIax0HXh6NX8NpzpSPjPQn3+anbZ3NYGYrzM6ZHsEryFLFsKD7/uSQ # Fv9lA993J5wUTE8fW/uaAlFbw/Epjmel9LAQ/HgBr/7tYm9UPMPX171LfkRb6jE8 # MHOaQQekcBO4bghoEofBT6r54P9GacguULvU7033MGLQhhGNFIF6mb7jauRgKWOJ # jH7rEljtAgMBAAGjggEbMIIBFzAdBgNVHQ4EFgQUnLgfJwcXkbsNIS7ZEufr3IJS # 9agwHwYDVR0jBBgwFoAU1WM6XIoxkPNDe3xGG8UzaFqFbVUwVgYDVR0fBE8wTTBL # oEmgR4ZFaHR0cDovL2NybC5taWNyb3NvZnQuY29tL3BraS9jcmwvcHJvZHVjdHMv # TWljVGltU3RhUENBXzIwMTAtMDctMDEuY3JsMFoGCCsGAQUFBwEBBE4wTDBKBggr # BgEFBQcwAoY+aHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNU # aW1TdGFQQ0FfMjAxMC0wNy0wMS5jcnQwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAK # BggrBgEFBQcDCDANBgkqhkiG9w0BAQsFAAOCAQEAcIPtmx4u2tziOmue9xmTte/l # qMzodrmb2F2RijP5kDxaDnuavWnofNttWRVil4jZzLCZEvQKuVIWvW2gVFSawe7z # t3GzorjeS49nGdzDaVnYRI/baTY24fxF12cEqvNj08PrWNQwhxPuES5xOcDIbIOH # AeG/ddcXXd7OuW5GNxgus95inCcyF/NdCjrSYFTFYZZEM9sDeRomEpdnmWqwj+YL # /Ymux0PEjgVbaE28CBCeoLJ2/chyvJJFp6YW8DIqZUQYRcQRnLYZwomNbx0rL8my # EykDnjw6kiPSdf2PfHBzNzeooTxra+/y3X4KTwy+lcDIPT0X92wDfUsbwBiGYzCC # BnEwggRZoAMCAQICCmEJgSoAAAAAAAIwDQYJKoZIhvcNAQELBQAwgYgxCzAJBgNV # BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4w # HAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29m # dCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDEwMB4XDTEwMDcwMTIxMzY1 # NVoXDTI1MDcwMTIxNDY1NVowfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hp # bmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jw # b3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAw # ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpHQ28dxGKOiDs/BOX9fp/ # aZRrdFQQ1aUKAIKF++18aEssX8XD5WHCdrc+Zitb8BVTJwQxH0EbGpUdzgkTjnxh # MFmxMEQP8WCIhFRDDNdNuDgIs0Ldk6zWczBXJoKjRQ3Q6vVHgc2/JGAyWGBG8lhH # hjKEHnRhZ5FfgVSxz5NMksHEpl3RYRNuKMYa+YaAu99h/EbBJx0kZxJyGiGKr0tk # iVBisV39dx898Fd1rL2KQk1AUdEPnAY+Z3/1ZsADlkR+79BL/W7lmsqxqPJ6Kgox # 8NpOBpG2iAg16HgcsOmZzTznL0S6p/TcZL2kAcEgCZN4zfy8wMlEXV4WnAEFTyJN # AgMBAAGjggHmMIIB4jAQBgkrBgEEAYI3FQEEAwIBADAdBgNVHQ4EFgQU1WM6XIox # kPNDe3xGG8UzaFqFbVUwGQYJKwYBBAGCNxQCBAweCgBTAHUAYgBDAEEwCwYDVR0P # BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU1fZWy4/oolxiaNE9 # lJBb186aGMQwVgYDVR0fBE8wTTBLoEmgR4ZFaHR0cDovL2NybC5taWNyb3NvZnQu # Y29tL3BraS9jcmwvcHJvZHVjdHMvTWljUm9vQ2VyQXV0XzIwMTAtMDYtMjMuY3Js # MFoGCCsGAQUFBwEBBE4wTDBKBggrBgEFBQcwAoY+aHR0cDovL3d3dy5taWNyb3Nv # ZnQuY29tL3BraS9jZXJ0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcnQwgaAG # A1UdIAEB/wSBlTCBkjCBjwYJKwYBBAGCNy4DMIGBMD0GCCsGAQUFBwIBFjFodHRw # Oi8vd3d3Lm1pY3Jvc29mdC5jb20vUEtJL2RvY3MvQ1BTL2RlZmF1bHQuaHRtMEAG # CCsGAQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAFAAbwBsAGkAYwB5AF8AUwB0AGEA # dABlAG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQAH5ohRDeLG4Jg/gXED # PZ2joSFvs+umzPUxvs8F4qn++ldtGTCzwsVmyWrf9efweL3HqJ4l4/m87WtUVwgr # UYJEEvu5U4zM9GASinbMQEBBm9xcF/9c+V4XNZgkVkt070IQyK+/f8Z/8jd9Wj8c # 8pl5SpFSAK84Dxf1L3mBZdmptWvkx872ynoAb0swRCQiPM/tA6WWj1kpvLb9BOFw # nzJKJ/1Vry/+tuWOM7tiX5rbV0Dp8c6ZZpCM/2pif93FSguRJuI57BlKcWOdeyFt # w5yjojz6f32WapB4pm3S4Zz5Hfw42JT0xqUKloakvZ4argRCg7i1gJsiOCC1JeVk # 7Pf0v35jWSUPei45V3aicaoGig+JFrphpxHLmtgOR5qAxdDNp9DvfYPw4TtxCd9d # dJgiCGHasFAeb73x4QDf5zEHpJM692VHeOj4qEir995yfmFrb3epgcunCaw5u+zG # y9iCtHLNHfS4hQEegPsbiSpUObJb2sgNVZl6h3M7COaYLeqN4DMuEin1wC9UJyH3 # yKxO2ii4sanblrKnQqLJzxlBTeCG+SqaoxFmMNO7dDJL32N79ZmKLxvHIa9Zta7c # RDyXUHHXodLFVeNp3lfB0d4wwP3M5k37Db9dT+mdHhk4L7zPWAUu7w2gUDXa7wkn # HNWzfjUeCLraNtvTX4/edIhJEqGCAs4wggI3AgEBMIH4oYHQpIHNMIHKMQswCQYD # VQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEe # MBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3Nv # ZnQgQW1lcmljYSBPcGVyYXRpb25zMSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVTTjoz # QkJELUUzMzgtRTlBMTElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2Vy # dmljZaIjCgEBMAcGBSsOAwIaAxUAmyMx+a+6rCaE0EH3UFeoc6yTGDeggYMwgYCk # fjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH # UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQD # Ex1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDANBgkqhkiG9w0BAQUFAAIF # AOD0R5AwIhgPMjAxOTA4MDcwMjM4MDhaGA8yMDE5MDgwODAyMzgwOFowdzA9Bgor # BgEEAYRZCgQBMS8wLTAKAgUA4PRHkAIBADAKAgEAAgIStgIB/zAHAgEAAgIR9jAK # AgUA4PWZEAIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZCgMCoAowCAIB # AAIDB6EgoQowCAIBAAIDAYagMA0GCSqGSIb3DQEBBQUAA4GBALJM5i5exWWhVx3N # rSZa/KE7gfa6SkwbXQZ6iYPCPIUaURYK1F7FFAl4Lkmg6SNYDPGQQNO/JIEDwUv7 # mhenmAXkzUHFqMw6tEtm/Uq+f+t61FTFX1WTWaoaBhEEU3m+uPPoU4QoEj1H5DqJ # a7EMpts4EpGWnqCSWAux/aQqBuJ+MYIDDTCCAwkCAQEwgZMwfDELMAkGA1UEBhMC # VVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNV # BAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRp # bWUtU3RhbXAgUENBIDIwMTACEzMAAAD0wKpcc8v+rA8AAAAAAPQwDQYJYIZIAWUD # BAIBBQCgggFKMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAvBgkqhkiG9w0B # CQQxIgQgVvp0zKFD/XQszPFfB8KK+vGEOv9N4Lax8nNPATugpoowgfoGCyqGSIb3 # DQEJEAIvMYHqMIHnMIHkMIG9BCA6By8tCMiCbaETbRxKjjaJems5eLv16IdLu50l # jOIy1zCBmDCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9u # MRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRp # b24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAAA # 9MCqXHPL/qwPAAAAAAD0MCIEIHba2k8oS9pFv605WOBa8/7b+odBk0M1XcyE54lp # YiZzMA0GCSqGSIb3DQEBCwUABIIBAL861zm3DCAnvHRSjiBDXFBDtjbnti0vfJZA # BiZJb1W63ShpUQnO39sTgQA4K03QjXe5p/rsrKb4Wu6g4ZqBRfDpQaf7jq3hktj1 # Od7odgJR4v3q+hMzarTAY/L60VEnbZn1HLEz09kEi17OfLHd9wqHU1juud3egzBG # 0AOZzBpxqzE6KArAepZfPp7wAZQnXYyvhzXfQr2iL9f45XW8t4hfJTgJWRzYzEl3 # 9jQ9ZLrd7MNMD4PBaxxphzeA5BCihyg9a9/+Lg8EjlEnYt8HzO6BEgTUwFfscSau # gTLgYzXPbFgkTUrjWZmO0uXjNQZmHNpJDmdiuvKl2TcCwlTEZqY= # SIG # End signature block |