public/Set-StgClientCertificate.ps1
|
function Set-StgClientCertificate { <# .SYNOPSIS Check, configure, and verify site SSL settings for vulnerability 76809, 76851, & 76861. .DESCRIPTION Check, configure, and verify site SSL settings for vulnerability 76809, 76851, & 76861. Protecting the confidentiality and integrity of received information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPsec tunnel. The web server must utilize approved encryption when receiving transmitted data. .PARAMETER ComputerName The target server. .PARAMETER Credential Login to the target computer using alternative credentials. .PARAMETER EnableException By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message. This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting. Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch. .NOTES Tags: V-76809, V-76851, V-76861 Author: Chrissy LeMaire (@cl), netnerds.net Copyright: (c) 2020 by Chrissy LeMaire, licensed under MIT License: MIT https://opensource.org/licenses/MIT Caution: Setting Client Certificates to Required breaks SolarWinds. .EXAMPLE PS C:\> Set-StgClientCertificate -ComputerName web01 Updates specific setting to be compliant on web01 .EXAMPLE PS C:\> Set-StgClientCertificate -ComputerName web01 -Credential ad\webadmin Logs into web01 as ad\webadmin and updates the necessary setting #> [CmdletBinding()] param ( [parameter(Mandatory, ValueFromPipeline)] [PSFComputer[]]$ComputerName, [PSCredential]$Credential, [switch]$EnableException ) begin { . "$script:ModuleRoot\private\Set-Defaults.ps1" $scriptblock = { $webnames = (Get-Website).Name foreach ($webname in $webnames) { #Pre-configuration SSL values for sites $filterpath = "system.webserver/security/access" Start-Process -FilePath "$env:windir\system32\inetsrv\appcmd.exe" -ArgumentList "unlock", "config", "-section:$filterpath" -Wait $preflags = Get-WebConfigurationProperty -Location $webname -Filter $filterpath -Name SSLFlags if ($preflags -ne "Ssl,SslNegotiateCert,SslRequireCert" -or $preflags -ne "Ssl,SslNegotiateCert" -or $preflags -ne "Ssl,SslNegotiateCert,Ssl128" -or $preflags -ne "Ssl,SslNegotiateCert,SslRequireCert,Ssl128") { #Set SSL requirements $null = Set-WebConfiguration -Location $webname -Filter "system.webserver/security/access" -Value "Ssl,SslNegotiateCert,Ssl128" } #Post-configuration SSL values $postflags = Get-WebConfigurationProperty -Location $webname -Filter "system.webserver/security/access" -Name SSLFlags #Pre-configuration data results $preconfig = @( if ($preflags -eq "Ssl" ) { "SSL: Required | Client Certificates: Ignore" } elseif ($preflags -eq "Ssl,SslNegotiateCert" ) { "SSL: Required | Client Certificates: Accept" } elseif ($preflags -eq "Ssl,SslRequireCert" ) { "SSL: Required | Client Certificates: Require" } elseif ($preflags -eq "Ssl,Ssl128" ) { "SSL: Required | Client Certificates: Ignore | SSL: 128" } elseif ($preflags -eq "Ssl,SslNegotiateCert,SslRequireCert" ) { "SSL: Required | Client Certificates: Require" } elseif ($preflags -eq "Ssl,SslNegotiateCert,Ssl128" ) { "SSL: Required | Client Certificates: Accept | SSL: 128" } elseif ($preflags -eq "Ssl,SslRequireCert,Ssl128" -or $preflags -eq "Ssl,SslNegotiateCert,SslRequireCert,Ssl128") { "SSL: Required | Client Certificates: Require | SSL: 128" } elseif ($preflags -eq "SslNegotiateCert" ) { "SSL: Not Required | Client Certificates: Accept" } elseif ($preflags -eq "SslNegotiateCert,SslRequireCert" -or $preflags -eq "SslRequireCert") { "SSL: Not Required | Client Certificates: Require" } elseif ($preflags -eq "SslRequireCert,Ssl128") { "SSL: Not Required | Client Certificates: Require | SSL: 128" } elseif ($preflags -eq "SslNegotiateCert,Ssl128" ) { "SSL: Not Required | Client Certificates: Accept | SSL: 128" } elseif ($preflags -eq "SslNegotiateCert,SslRequireCert,Ssl128" ) { "SSL: Not Required | Client Certificates: Require | SSL: 128" } elseif ($preflags -eq "Ssl128" ) { "SSL: Not Required | Client Certificates: Ignore | SSL: 128" } else { "SSL: Not Required | Client Certificates: Ignore" } ) #Post-configuration data results $postconfig = @( if ($postflags -eq "Ssl" ) { "SSL: Required | Client Certificates: Ignore" } elseif ($postflags -eq "Ssl,SslNegotiateCert" ) { "SSL: Required | Client Certificates: Accept" } elseif ($postflags -eq "Ssl,SslRequireCert" ) { "SSL: Required | Client Certificates: Require" } elseif ($postflags -eq "Ssl,Ssl128" ) { "SSL: Required | Client Certificates: Ignore | SSL: 128" } elseif ($postflags -eq "Ssl,SslNegotiateCert,SslRequireCert" ) { "SSL: Required | Client Certificates: Require" } elseif ($postflags -eq "Ssl,SslNegotiateCert,Ssl128" ) { "SSL: Required | Client Certificates: Accept | SSL: 128" } elseif ($postflags -eq "Ssl,SslRequireCert,Ssl128" -or $postflags -eq "Ssl,SslNegotiateCert,SslRequireCert,Ssl128") { "SSL: Required | Client Certificates: Require | SSL: 128" } elseif ($postflags -eq "SslNegotiateCert" ) { "SSL: Not Required | Client Certificates: Accept" } elseif ($postflags -eq "SslNegotiateCert,SslRequireCert" -or $postflags -eq "SslRequireCert") { "SSL: Not Required | Client Certificates: Require" } elseif ($postflags -eq "SslRequireCert,Ssl128") { "SSL: Not Required | Client Certificates: Require | SSL: 128" } elseif ($postflags -eq "SslNegotiateCert,Ssl128" ) { "SSL: Not Required | Client Certificates: Accept | SSL: 128" } elseif ($postflags -eq "SslNegotiateCert,SslRequireCert,Ssl128" ) { "SSL: Not Required | Client Certificates: Require | SSL: 128" } elseif ($postflags -eq "Ssl128" ) { "SSL: Not Required | Client Certificates: Ignore | SSL: 128" } else { "SSL: Not Required | Client Certificates: Ignore" } ) #Check SSL setting compliance if ($postconfig -eq "SSL: Required | Client Certificates: Require" -or $postconfig -eq "SSL: Required | Client Certificates: Require | SSL: 128") { $compliant = $true } else { $compliant = $false } [pscustomobject] @{ Id = "V-76861" ComputerName = $env:COMPUTERNAME SiteName = $webname Before = $preconfig After = $postconfig Compliant = $compliant Notes = "Configuring the Client Certificates settings to Require breaks SolarWinds Web GUI" } } #Pre-configuration SSL values for server $preflags = Get-WebConfigurationProperty -Filter "system.webserver/security/access" -Name SSLFlags if ($preflags -ne "Ssl,SslNegotiateCert,SslRequireCert" -or $preflags -ne "Ssl,SslNegotiateCert" -or $preflags -ne "Ssl,SslNegotiateCert,Ssl128" -or $preflags -ne "Ssl,SslNegotiateCert,SslRequireCert,Ssl128") { #Set SSL requirements $null = Set-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" -Filter "system.webServer/security/access" -Name SSLFlags -Value "Ssl,SslNegotiateCert,Ssl128" } #Post-configuration SSL values $postflags = Get-WebConfigurationProperty -Filter "system.webserver/security/access" -Name SSLFlags #Pre-configuration data results # should be a switch but it's already written >_< $preconfig = @( if ($preflags -eq "Ssl" ) { "SSL: Required | Client Certificates: Ignore" } elseif ($preflags -eq "Ssl,SslNegotiateCert" ) { "SSL: Required | Client Certificates: Accept" } elseif ($preflags -eq "Ssl,SslRequireCert" ) { "SSL: Required | Client Certificates: Require" } elseif ($preflags -eq "Ssl,Ssl128" ) { "SSL: Required | Client Certificates: Ignore | SSL: 128" } elseif ($preflags -eq "Ssl,SslNegotiateCert,SslRequireCert" ) { "SSL: Required | Client Certificates: Require" } elseif ($preflags -eq "Ssl,SslNegotiateCert,Ssl128" ) { "SSL: Required | Client Certificates: Accept | SSL: 128" } elseif ($preflags -eq "Ssl,SslRequireCert,Ssl128" -or $preflags -eq "Ssl,SslNegotiateCert,SslRequireCert,Ssl128") { "SSL: Required | Client Certificates: Require | SSL: 128" } elseif ($preflags -eq "SslNegotiateCert" ) { "SSL: Not Required | Client Certificates: Accept" } elseif ($preflags -eq "SslNegotiateCert,SslRequireCert" -or $preflags -eq "SslRequireCert") { "SSL: Not Required | Client Certificates: Require" } elseif ($preflags -eq "SslRequireCert,Ssl128") { "SSL: Not Required | Client Certificates: Require | SSL: 128" } elseif ($preflags -eq "SslNegotiateCert,Ssl128" ) { "SSL: Not Required | Client Certificates: Accept | SSL: 128" } elseif ($preflags -eq "SslNegotiateCert,SslRequireCert,Ssl128" ) { "SSL: Not Required | Client Certificates: Require | SSL: 128" } elseif ($preflags -eq "Ssl128" ) { "SSL: Not Required | Client Certificates: Ignore | SSL: 128" } else { "SSL: Not Required | Client Certificates: Ignore" } ) # Post-configuration data results # should be a switch but it's already written >_< $postconfig = @( if ($postflags -eq "Ssl" ) { "SSL: Required | Client Certificates: Ignore" } elseif ($postflags -eq "Ssl,SslNegotiateCert" ) { "SSL: Required | Client Certificates: Accept" } elseif ($postflags -eq "Ssl,SslRequireCert" ) { "SSL: Required | Client Certificates: Require" } elseif ($postflags -eq "Ssl,Ssl128" ) { "SSL: Required | Client Certificates: Ignore | SSL: 128" } elseif ($postflags -eq "Ssl,SslNegotiateCert,SslRequireCert" ) { "SSL: Required | Client Certificates: Require" } elseif ($postflags -eq "Ssl,SslNegotiateCert,Ssl128" ) { "SSL: Required | Client Certificates: Accept | SSL: 128" } elseif ($postflags -eq "Ssl,SslRequireCert,Ssl128" -or $postflags -eq "Ssl,SslNegotiateCert,SslRequireCert,Ssl128") { "SSL: Required | Client Certificates: Require | SSL: 128" } elseif ($postflags -eq "SslNegotiateCert" ) { "SSL: Not Required | Client Certificates: Accept" } elseif ($postflags -eq "SslNegotiateCert,SslRequireCert" -or $postflags -eq "SslRequireCert") { "SSL: Not Required | Client Certificates: Require" } elseif ($postflags -eq "SslRequireCert,Ssl128") { "SSL: Not Required | Client Certificates: Require | SSL: 128" } elseif ($postflags -eq "SslNegotiateCert,Ssl128" ) { "SSL: Not Required | Client Certificates: Accept | SSL: 128" } elseif ($postflags -eq "SslNegotiateCert,SslRequireCert,Ssl128" ) { "SSL: Not Required | Client Certificates: Require | SSL: 128" } elseif ($postflags -eq "Ssl128" ) { "SSL: Not Required | Client Certificates: Ignore | SSL: 128" } else { "SSL: Not Required | Client Certificates: Ignore" } ) #Check SSL setting compliance if ($postconfig -eq "SSL: Required | Client Certificates: Require" -or $postconfig -eq "SSL: Required | Client Certificates: Require | SSL: 128") { $compliant = $true } else { $compliant = $false } [pscustomobject] @{ Id = "V-76809", "V-76851" ComputerName = $env:COMPUTERNAME SiteName = $env:COMPUTERNAME Before = $preconfig After = $postconfig Compliant = $compliant Notes = "Configuring the Client Certificates settings to Require breaks SolarWinds Web GUI" } } } process { foreach ($computer in $ComputerName) { try { Invoke-Command2 -ComputerName $computer -Credential $credential -ScriptBlock $scriptblock | Select-DefaultView -Property Id, ComputerName, SiteName, Before, After, Compliant, Notes | Select-Object -Property * -ExcludeProperty PSComputerName, RunspaceId } catch { Stop-PSFFunction -Message "Failure on $computer" -ErrorRecord $_ } } } } # SIG # Begin signature block # MIIcYgYJKoZIhvcNAQcCoIIcUzCCHE8CAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB # gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR # AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUJ7s9Dx5gxMvkpoH854reWODc # pEGggheRMIIFGjCCBAKgAwIBAgIQAsF1KHTVwoQxhSrYoGRpyjANBgkqhkiG9w0B # AQsFADByMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYD # VQQLExB3d3cuZGlnaWNlcnQuY29tMTEwLwYDVQQDEyhEaWdpQ2VydCBTSEEyIEFz # c3VyZWQgSUQgQ29kZSBTaWduaW5nIENBMB4XDTE3MDUwOTAwMDAwMFoXDTIwMDUx # MzEyMDAwMFowVzELMAkGA1UEBhMCVVMxETAPBgNVBAgTCFZpcmdpbmlhMQ8wDQYD # VQQHEwZWaWVubmExETAPBgNVBAoTCGRiYXRvb2xzMREwDwYDVQQDEwhkYmF0b29s # czCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI8ng7JxnekL0AO4qQgt # Kr6p3q3SNOPh+SUZH+SyY8EA2I3wR7BMoT7rnZNolTwGjUXn7bRC6vISWg16N202 # 1RBWdTGW2rVPBVLF4HA46jle4hcpEVquXdj3yGYa99ko1w2FOWzLjKvtLqj4tzOh # K7wa/Gbmv0Si/FU6oOmctzYMI0QXtEG7lR1HsJT5kywwmgcjyuiN28iBIhT6man0 # Ib6xKDv40PblKq5c9AFVldXUGVeBJbLhcEAA1nSPSLGdc7j4J2SulGISYY7ocuX3 # tkv01te72Mv2KkqqpfkLEAQjXgtM0hlgwuc8/A4if+I0YtboCMkVQuwBpbR9/6ys # Z+sCAwEAAaOCAcUwggHBMB8GA1UdIwQYMBaAFFrEuXsqCqOl6nEDwGD5LfZldQ5Y # MB0GA1UdDgQWBBRcxSkFqeA3vvHU0aq2mVpFRSOdmjAOBgNVHQ8BAf8EBAMCB4Aw # EwYDVR0lBAwwCgYIKwYBBQUHAwMwdwYDVR0fBHAwbjA1oDOgMYYvaHR0cDovL2Ny # bDMuZGlnaWNlcnQuY29tL3NoYTItYXNzdXJlZC1jcy1nMS5jcmwwNaAzoDGGL2h0 # dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zaGEyLWFzc3VyZWQtY3MtZzEuY3JsMEwG # A1UdIARFMEMwNwYJYIZIAYb9bAMBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3 # LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQQBMIGEBggrBgEFBQcBAQR4MHYwJAYI # KwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBOBggrBgEFBQcwAoZC # aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkFzc3VyZWRJ # RENvZGVTaWduaW5nQ0EuY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQAD # ggEBANuBGTbzCRhgG0Th09J0m/qDqohWMx6ZOFKhMoKl8f/l6IwyDrkG48JBkWOA # QYXNAzvp3Ro7aGCNJKRAOcIjNKYef/PFRfFQvMe07nQIj78G8x0q44ZpOVCp9uVj # sLmIvsmF1dcYhOWs9BOG/Zp9augJUtlYpo4JW+iuZHCqjhKzIc74rEEiZd0hSm8M # asshvBUSB9e8do/7RhaKezvlciDaFBQvg5s0fICsEhULBRhoyVOiUKUcemprPiTD # xh3buBLuN0bBayjWmOMlkG1Z6i8DUvWlPGz9jiBT3ONBqxXfghXLL6n8PhfppBhn # daPQO8+SqF5rqrlyBPmRRaTz2GQwggUwMIIEGKADAgECAhAECRgbX9W7ZnVTQ7Vv # lVAIMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdp # Q2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xJDAiBgNVBAMTG0Rp # Z2lDZXJ0IEFzc3VyZWQgSUQgUm9vdCBDQTAeFw0xMzEwMjIxMjAwMDBaFw0yODEw # MjIxMjAwMDBaMHIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMx # GTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xMTAvBgNVBAMTKERpZ2lDZXJ0IFNI # QTIgQXNzdXJlZCBJRCBDb2RlIFNpZ25pbmcgQ0EwggEiMA0GCSqGSIb3DQEBAQUA # A4IBDwAwggEKAoIBAQD407Mcfw4Rr2d3B9MLMUkZz9D7RZmxOttE9X/lqJ3bMtdx # 6nadBS63j/qSQ8Cl+YnUNxnXtqrwnIal2CWsDnkoOn7p0WfTxvspJ8fTeyOU5JEj # lpB3gvmhhCNmElQzUHSxKCa7JGnCwlLyFGeKiUXULaGj6YgsIJWuHEqHCN8M9eJN # YBi+qsSyrnAxZjNxPqxwoqvOf+l8y5Kh5TsxHM/q8grkV7tKtel05iv+bMt+dDk2 # DZDv5LVOpKnqagqrhPOsZ061xPeM0SAlI+sIZD5SlsHyDxL0xY4PwaLoLFH3c7y9 # hbFig3NBggfkOItqcyDQD2RzPJ6fpjOp/RnfJZPRAgMBAAGjggHNMIIByTASBgNV # HRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjATBgNVHSUEDDAKBggrBgEF # BQcDAzB5BggrBgEFBQcBAQRtMGswJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRp # Z2ljZXJ0LmNvbTBDBggrBgEFBQcwAoY3aHR0cDovL2NhY2VydHMuZGlnaWNlcnQu # Y29tL0RpZ2lDZXJ0QXNzdXJlZElEUm9vdENBLmNydDCBgQYDVR0fBHoweDA6oDig # NoY0aHR0cDovL2NybDQuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0QXNzdXJlZElEUm9v # dENBLmNybDA6oDigNoY0aHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0 # QXNzdXJlZElEUm9vdENBLmNybDBPBgNVHSAESDBGMDgGCmCGSAGG/WwAAgQwKjAo # BggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAKBghghkgB # hv1sAzAdBgNVHQ4EFgQUWsS5eyoKo6XqcQPAYPkt9mV1DlgwHwYDVR0jBBgwFoAU # Reuir/SSy4IxLVGLp6chnfNtyA8wDQYJKoZIhvcNAQELBQADggEBAD7sDVoks/Mi # 0RXILHwlKXaoHV0cLToaxO8wYdd+C2D9wz0PxK+L/e8q3yBVN7Dh9tGSdQ9RtG6l # jlriXiSBThCk7j9xjmMOE0ut119EefM2FAaK95xGTlz/kLEbBw6RFfu6r7VRwo0k # riTGxycqoSkoGjpxKAI8LpGjwCUR4pwUR6F6aGivm6dcIFzZcbEMj7uo+MUSaJ/P # QMtARKUT8OZkDCUIQjKyNookAv4vcn4c10lFluhZHen6dGRrsutmQ9qzsIzV6Q3d # 9gEgzpkxYz0IGhizgZtPxpMQBvwHgfqL2vmCSfdibqFT+hKUGIUukpHqaGxEMrJm # oecYpJpkUe8wggZqMIIFUqADAgECAhADAZoCOv9YsWvW1ermF/BmMA0GCSqGSIb3 # DQEBBQUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAX # BgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0IEFzc3Vy # ZWQgSUQgQ0EtMTAeFw0xNDEwMjIwMDAwMDBaFw0yNDEwMjIwMDAwMDBaMEcxCzAJ # BgNVBAYTAlVTMREwDwYDVQQKEwhEaWdpQ2VydDElMCMGA1UEAxMcRGlnaUNlcnQg # VGltZXN0YW1wIFJlc3BvbmRlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC # ggEBAKNkXfx8s+CCNeDg9sYq5kl1O8xu4FOpnx9kWeZ8a39rjJ1V+JLjntVaY1sC # SVDZg85vZu7dy4XpX6X51Id0iEQ7Gcnl9ZGfxhQ5rCTqqEsskYnMXij0ZLZQt/US # s3OWCmejvmGfrvP9Enh1DqZbFP1FI46GRFV9GIYFjFWHeUhG98oOjafeTl/iqLYt # WQJhiGFyGGi5uHzu5uc0LzF3gTAfuzYBje8n4/ea8EwxZI3j6/oZh6h+z+yMDDZb # esF6uHjHyQYuRhDIjegEYNu8c3T6Ttj+qkDxss5wRoPp2kChWTrZFQlXmVYwk/PJ # YczQCMxr7GJCkawCwO+k8IkRj3cCAwEAAaOCAzUwggMxMA4GA1UdDwEB/wQEAwIH # gDAMBgNVHRMBAf8EAjAAMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMIIBvwYDVR0g # BIIBtjCCAbIwggGhBglghkgBhv1sBwEwggGSMCgGCCsGAQUFBwIBFhxodHRwczov # L3d3dy5kaWdpY2VydC5jb20vQ1BTMIIBZAYIKwYBBQUHAgIwggFWHoIBUgBBAG4A # eQAgAHUAcwBlACAAbwBmACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkAYwBhAHQA # ZQAgAGMAbwBuAHMAdABpAHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEAbgBjAGUA # IABvAGYAIAB0AGgAZQAgAEQAaQBnAGkAQwBlAHIAdAAgAEMAUAAvAEMAUABTACAA # YQBuAGQAIAB0AGgAZQAgAFIAZQBsAHkAaQBuAGcAIABQAGEAcgB0AHkAIABBAGcA # cgBlAGUAbQBlAG4AdAAgAHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwAaQBhAGIA # aQBsAGkAdAB5ACAAYQBuAGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8AcgBhAHQA # ZQBkACAAaABlAHIAZQBpAG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMAZQAuMAsG # CWCGSAGG/WwDFTAfBgNVHSMEGDAWgBQVABIrE5iymQftHt+ivlcNK2cCzTAdBgNV # HQ4EFgQUYVpNJLZJMp1KKnkag0v0HonByn0wfQYDVR0fBHYwdDA4oDagNIYyaHR0 # cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0QXNzdXJlZElEQ0EtMS5jcmww # OKA2oDSGMmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJ # RENBLTEuY3JsMHcGCCsGAQUFBwEBBGswaTAkBggrBgEFBQcwAYYYaHR0cDovL29j # c3AuZGlnaWNlcnQuY29tMEEGCCsGAQUFBzAChjVodHRwOi8vY2FjZXJ0cy5kaWdp # Y2VydC5jb20vRGlnaUNlcnRBc3N1cmVkSURDQS0xLmNydDANBgkqhkiG9w0BAQUF # AAOCAQEAnSV+GzNNsiaBXJuGziMgD4CH5Yj//7HUaiwx7ToXGXEXzakbvFoWOQCd # 42yE5FpA+94GAYw3+puxnSR+/iCkV61bt5qwYCbqaVchXTQvH3Gwg5QZBWs1kBCg # e5fH9j/n4hFBpr1i2fAnPTgdKG86Ugnw7HBi02JLsOBzppLA044x2C/jbRcTBu7k # A7YUq/OPQ6dxnSHdFMoVXZJB2vkPgdGZdA0mxA5/G7X1oPHGdwYoFenYk+VVFvC7 # Cqsc21xIJ2bIo4sKHOWV2q7ELlmgYd3a822iYemKC23sEhi991VUQAOSK2vCUcIK # SK+w1G7g9BQKOhvjjz3Kr2qNe9zYRDCCBs0wggW1oAMCAQICEAb9+QOWA63qAArr # Pye7uhswDQYJKoZIhvcNAQEFBQAwZTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERp # Z2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEkMCIGA1UEAxMb # RGlnaUNlcnQgQXNzdXJlZCBJRCBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTIx # MTExMDAwMDAwMFowYjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IElu # YzEZMBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEhMB8GA1UEAxMYRGlnaUNlcnQg # QXNzdXJlZCBJRCBDQS0xMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA # 6IItmfnKwkKVpYBzQHDSnlZUXKnE0kEGj8kz/E1FkVyBn+0snPgWWd+etSQVwpi5 # tHdJ3InECtqvy15r7a2wcTHrzzpADEZNk+yLejYIA6sMNP4YSYL+x8cxSIB8HqIP # kg5QycaH6zY/2DDD/6b3+6LNb3Mj/qxWBZDwMiEWicZwiPkFl32jx0PdAug7Pe2x # QaPtP77blUjE7h6z8rwMK5nQxl0SQoHhg26Ccz8mSxSQrllmCsSNvtLOBq6thG9I # hJtPQLnxTPKvmPv2zkBdXPao8S+v7Iki8msYZbHBc63X8djPHgp0XEK4aH631XcK # J1Z8D2KkPzIUYJX9BwSiCQIDAQABo4IDejCCA3YwDgYDVR0PAQH/BAQDAgGGMDsG # A1UdJQQ0MDIGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME # BggrBgEFBQcDCDCCAdIGA1UdIASCAckwggHFMIIBtAYKYIZIAYb9bAABBDCCAaQw # OgYIKwYBBQUHAgEWLmh0dHA6Ly93d3cuZGlnaWNlcnQuY29tL3NzbC1jcHMtcmVw # b3NpdG9yeS5odG0wggFkBggrBgEFBQcCAjCCAVYeggFSAEEAbgB5ACAAdQBzAGUA # IABvAGYAIAB0AGgAaQBzACAAQwBlAHIAdABpAGYAaQBjAGEAdABlACAAYwBvAG4A # cwB0AGkAdAB1AHQAZQBzACAAYQBjAGMAZQBwAHQAYQBuAGMAZQAgAG8AZgAgAHQA # aABlACAARABpAGcAaQBDAGUAcgB0ACAAQwBQAC8AQwBQAFMAIABhAG4AZAAgAHQA # aABlACAAUgBlAGwAeQBpAG4AZwAgAFAAYQByAHQAeQAgAEEAZwByAGUAZQBtAGUA # bgB0ACAAdwBoAGkAYwBoACAAbABpAG0AaQB0ACAAbABpAGEAYgBpAGwAaQB0AHkA # IABhAG4AZAAgAGEAcgBlACAAaQBuAGMAbwByAHAAbwByAGEAdABlAGQAIABoAGUA # cgBlAGkAbgAgAGIAeQAgAHIAZQBmAGUAcgBlAG4AYwBlAC4wCwYJYIZIAYb9bAMV # MBIGA1UdEwEB/wQIMAYBAf8CAQAweQYIKwYBBQUHAQEEbTBrMCQGCCsGAQUFBzAB # hhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wQwYIKwYBBQUHMAKGN2h0dHA6Ly9j # YWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcnQw # gYEGA1UdHwR6MHgwOqA4oDaGNGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdp # Q2VydEFzc3VyZWRJRFJvb3RDQS5jcmwwOqA4oDaGNGh0dHA6Ly9jcmw0LmRpZ2lj # ZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcmwwHQYDVR0OBBYEFBUA # EisTmLKZB+0e36K+Vw0rZwLNMB8GA1UdIwQYMBaAFEXroq/0ksuCMS1Ri6enIZ3z # bcgPMA0GCSqGSIb3DQEBBQUAA4IBAQBGUD7Jtygkpzgdtlspr1LPUukxR6tWXHvV # DQtBs+/sdR90OPKyXGGinJXDUOSCuSPRujqGcq04eKx1XRcXNHJHhZRW0eu7NoR3 # zCSl8wQZVann4+erYs37iy2QwsDStZS9Xk+xBdIOPRqpFFumhjFiqKgz5Js5p8T1 # zh14dpQlc+Qqq8+cdkvtX8JLFuRLcEwAiR78xXm8TBJX/l/hHrwCXaj++wc4Tw3G # XZG5D2dFzdaD7eeSDY2xaYxP+1ngIw/Sqq4AfO6cQg7PkdcntxbuD8O9fAqg7iwI # VYUiuOsYGk38KiGtSTGDR5V3cdyxG0tLHBCcdxTBnU8vWpUIKRAmMYIEOzCCBDcC # AQEwgYYwcjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcG # A1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTExMC8GA1UEAxMoRGlnaUNlcnQgU0hBMiBB # c3N1cmVkIElEIENvZGUgU2lnbmluZyBDQQIQAsF1KHTVwoQxhSrYoGRpyjAJBgUr # DgMCGgUAoHgwGAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMx # DAYKKwYBBAGCNwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAjBgkq # hkiG9w0BCQQxFgQURFMIykNJzX3wwoFA648XjmIuc8owDQYJKoZIhvcNAQEBBQAE # ggEAi9HMMpSCZKJ40bGuf6SsrLCehCu3mREEgm/pHX7LF3gb6RiEs84x6VcNJlMg # hlIhx/Mx81GdyZEvEGUBN/2HIKdLw/jJ/EuVaMn1EM+LQsz2FomP4zTs6rDGMosH # pcVkzhE/IkBFyWlEsLusjuZuwNDqV5taew9RbhVnc7IDD5rd75E0OV2pSXpU+RxZ # Iu0pCnLJ3mh3sMh9eo8zXnsetrIctZIamjAuVNYXtHX6UrCoYT20qGoEwbx28yJN # 90tQosahiLw1tJnQswJP+Qf4zfzqWdqBImfOwsHjp27gq4KBayHb9GEPltIe5Urv # wyHkxl/Z3kCPbw/7SQqibmuJE6GCAg8wggILBgkqhkiG9w0BCQYxggH8MIIB+AIB # ATB2MGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNV # BAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0IEFzc3VyZWQg # SUQgQ0EtMQIQAwGaAjr/WLFr1tXq5hfwZjAJBgUrDgMCGgUAoF0wGAYJKoZIhvcN # AQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjAwNDE2MDk0NTUwWjAj # BgkqhkiG9w0BCQQxFgQUY+/x4Kzy7nXGrWFiKXCkQ8pUcdUwDQYJKoZIhvcNAQEB # BQAEggEAZ16ywYPrB7l87AsmKLi+dSBLFntL/176eN7Bh86vhLcGkB8YuwXB2E7d # ktJSt3Aa1WLFfaqA2FMAo90TtlBjPdEfCtqkwJ9QNNLa684jSQF9lLkYYA7xR/0l # 1MOsvvGItzGsVltbtKyzjFq33+3IkULY1MTE/ZYgKcxwRpDyuIus1FZJgtbXrBQ2 # k30B2qqeYQlPX0d1KQr0c572DtbYEvy0/5tLgYHDFVjkD94mPU8iU+Rfu87nXvyM # QGoQU2UqfTfS/2uHZ0SI6gunXdIMXwYuO+hkLbqy4m6pEK+fqtR6jFl8r2ZxokXr # n/v7F205EcElLfbIOIupgfp3Hw8V4g== # SIG # End signature block |