#*************************************************************************************************************** # This script supports the TLS 1.2 everywhere project # It does the following: # * By default it disables TLS 1.O, TLS 1.1, SSLv2, SSLv3 and Enables TLS1.2 # * The CipherSuite order is set to the SDL approved version. # * The FIPS MinEncryptionLevel is set to 3. # * RC4 is disabled # * A log with a transcript of all actions taken is generated #*************************************************************************************************************** #************************************************ SCRIPT USAGE ************************************************ # .\TLSSettings.ps1 # -SetCipherOrder : Excellence/Min-Bar, default(Excellence), use B to set Min-Bar. (Min-Bar ordering prefers ciphers with smaller key sizes to improve performance over security) # -RebootIfRequired : $true/$false, default($true), use $false to disable auto-reboot (Settings won't take effect until a reboot is completed) # -EnableOlderTlsVersions : $true/$false, default($false), use $true to explicitly Enable TLS1.0, TLS1.1 #*************************************************************************************************************** #***************************TEAM CAN DETERMINE WHAT CIPHER SUITE ORDER IS CHOSEN ****************************** # Option B provides the min-bar configuration (small trade-off: performance over security) # Syntax: .\TLSSettings.ps1 -SetCipherOrder B # if no option is supplied, you will get the opportunity for excellence cipher order (small trade-off: security over performance) # Syntax: .\TLSSettings.ps1 #*************************************************************************************************************** param ( [string]$SetCipherOrder = " ", [bool]$RebootIfRequired = $true, [bool]$EnableOlderTlsVersions = $false ) #******************* FUNCTION THAT ACTUALLY UPDATES KEYS; WILL RETURN REBOOT FLAG IF CHANGES *********************** Function Set-CryptoSetting { param ( $regKeyName, $value, $valuedata, $valuetype ) $restart = $false # Check for existence of registry key, and create if it does not exist If (!(Test-Path -Path $regKeyName)) { New-Item $regKeyName | Out-Null } # Get data of registry value, or null if it does not exist $val = (Get-ItemProperty -Path $regKeyName -Name $value -ErrorAction SilentlyContinue).$value If ($val -eq $null) { # Value does not exist - create and set to desired value New-ItemProperty -Path $regKeyName -Name $value -Value $valuedata -PropertyType $valuetype | Out-Null $restart = $true } Else { # Value does exist - if not equal to desired value, change it If ($val -ne $valuedata) { Set-ItemProperty -Path $regKeyName -Name $value -Value $valuedata $restart = $true } } $restart } #*************************************************************************************************************** #******************* FUNCTION THAT DISABLES RC4 *********************** Function DisableRC4 { $restart = $false $subkeys = Get-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" $ciphers = $subkeys.OpenSubKey("Ciphers", $true) Write-Log -Message "----- Checking the status of RC4 -----" -Logfile $logLocation -Severity Information $RC4 = $false if ($ciphers.SubKeyCount -eq 0) { $k1 = $ciphers.CreateSubKey("RC4 128/128") $k1.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWord) $restart = $true $k2 = $ciphers.CreateSubKey("RC4 64/128") $k2.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWord) $k3 = $ciphers.CreateSubKey("RC4 56/128") $k3.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWord) $k4 = $ciphers.CreateSubKey("RC4 40/128") $k4.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWord) Write-Log -Message "RC4 was disabled " -Logfile $logLocation -Severity Information $RC4 = $true } If ($RC4 -ne $true) { Write-Log -Message "There was no change for RC4 " -Logfile $logLocation -Severity Information } $restart } #*************************************************************************************************************** #******************* FUNCTION CHECKS FOR PROBLEMATIC FIPS SETTING AND FIXES IT *********************** Function Test-RegistryValueForFipsSettings { $restart = $false $fipsPath = @( "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp", "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "HKLM:\System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" ) $fipsValue = "MinEncryptionLevel" foreach ($path in $fipsPath) { Write-Log -Message "Checking to see if $($path)\$fipsValue exists" -Logfile $logLocation -Severity Information $ErrorActionPreference = "stop" Try { $result = Get-ItemProperty -Path $path | Select-Object -ExpandProperty $fipsValue if ($result -eq 4) { set-itemproperty -Path $path -Name $fipsValue -value 3 Write-Log -Message "Regkey $($path)\$fipsValue was changed from value $result to a value of 3" -Logfile $logLocation -Severity Information $restart = $true } else { Write-Log -Message "Regkey $($path)\$fipsValue left at value $result" -Logfile $logLocation -Severity Information } } Catch [System.Management.Automation.ItemNotFoundException] { Write-Log -Message "Reg path $path was not found" -Logfile $logLocation -Severity Information } Catch [System.Management.Automation.PSArgumentException] { Write-Log -Message "Regkey $($path)\$fipsValue was not found" -Logfile $logLocation -Severity Information } Catch { Write-Log -Message "Error of type $($Error[0].Exception.GetType().FullName) trying to get $($path)\$fipsValue" -Logfile $logLocation -Severity Information } Finally {$ErrorActionPreference = "Continue" } } $restart } #*************************************************************************************************************** #********************************** FUNCTION THAT CREATE LOG DIRECTORY IF IT DOES NOT EXIST ******************************* function CreateLogDirectory { $TARGETDIR = "$env:HOMEDRIVE\Logs" if ( -Not (Test-Path -Path $TARGETDIR ) ) { New-Item -ItemType directory -Path $TARGETDIR | Out-Null } $TARGETDIR = $TARGETDIR + "\" + "TLSSettingsLogFile.csv" return $TARGETDIR } #*************************************************************************************************************** #********************************** FUNCTION THAT LOGS WHAT THE SCRIPT IS DOING ******************************* function Write-Log { [CmdletBinding()] param( [Parameter()] [ValidateNotNullOrEmpty()] [string]$Message, [Parameter()] [ValidateNotNullOrEmpty()] [string]$LogFile, [Parameter()] [ValidateNotNullOrEmpty()] [ValidateSet('Information', 'Warning', 'Error')] [string]$Severity = 'Information' ) [pscustomobject]@{ Time = (Get-Date -f g) Message = $Message Severity = $Severity } | ConvertTo-Csv -NoTypeInformation | Select-Object -Skip 1 | Out-File -Append -FilePath $LogFile } #********************************TLS CipherSuite Settings ******************************************* # CipherSuites for windows OS < 10 function Get-BaseCipherSuitesOlderWindows() { param ( [Parameter(Mandatory=$true, Position=0)][bool] $isExcellenceOrder ) $cipherorder = @() if ($isExcellenceOrder -eq $true) { $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384" $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256" $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384" $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256" $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384" $cipherorder += "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256" } else { $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256" $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384" $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256" $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384" $cipherorder += "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256" $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384" } # Add additional ciphers when EnableOlderTlsVersions flag is set to true if ($EnableOlderTlsVersions) { $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256" $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256" $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256" $cipherorder += "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256" $cipherorder += "TLS_RSA_WITH_AES_256_GCM_SHA384" $cipherorder += "TLS_RSA_WITH_AES_128_GCM_SHA256" $cipherorder += "TLS_RSA_WITH_AES_256_CBC_SHA256" $cipherorder += "TLS_RSA_WITH_AES_128_CBC_SHA256" $cipherorder += "TLS_RSA_WITH_AES_256_CBC_SHA" $cipherorder += "TLS_RSA_WITH_AES_128_CBC_SHA" } return $cipherorder } # Ciphersuites needed for backwards compatibility with Firefox, Chrome # Server 2012 R2 doesn't support TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 # Both firefox and chrome negotiate ECDHE_RSA_AES_256_CBC_SHA1, Edge negotiates ECDHE_RSA_AES_256_CBC_SHA384 function Get-BrowserCompatCipherSuitesOlderWindows() { param ( [Parameter(Mandatory=$true, Position=0)][bool] $isExcellenceOrder ) $cipherorder = @() if ($isExcellenceOrder -eq $true) { $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384" # (uses SHA-1) $cipherorder += "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256" # (uses SHA-1) } else { $cipherorder += "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256" # (uses SHA-1) $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384" # (uses SHA-1) } return $cipherorder } # Ciphersuites for OS versions windows 10 and above function Get-BaseCipherSuitesWin10Above() { param ( [Parameter(Mandatory=$true, Position=0)][bool] $isExcellenceOrder ) $cipherorder = @() if ($isExcellenceOrder -eq $true) { $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" $cipherorder += "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" $cipherorder += "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" } else { $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" $cipherorder += "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" $cipherorder += "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" } # Add additional ciphers when EnableOlderTlsVersions flag is set to true if ($EnableOlderTlsVersions) { $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256" $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256" $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256" $cipherorder += "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256" $cipherorder += "TLS_RSA_WITH_AES_256_GCM_SHA384" $cipherorder += "TLS_RSA_WITH_AES_128_GCM_SHA256" $cipherorder += "TLS_RSA_WITH_AES_256_CBC_SHA256" $cipherorder += "TLS_RSA_WITH_AES_128_CBC_SHA256" $cipherorder += "TLS_RSA_WITH_AES_256_CBC_SHA" $cipherorder += "TLS_RSA_WITH_AES_128_CBC_SHA" } return $cipherorder } #******************************* TLS Version Settings **************************************************** function Get-RegKeyPathForTls12() { $regKeyPath = @( "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2", "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client", "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" ) return $regKeyPath } function Get-RegKeyPathForTls11() { $regKeyPath = @( "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1", "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client", "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" ) return $regKeyPath } function Get-RegKeypathForTls10() { $regKeyPath = @( "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0", "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client", "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" ) return $regKeyPath } function Get-RegKeyPathForSsl30() { $regKeyPath = @( "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0", "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client", "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" ) return $regKeyPath } function Get-RegKeyPathForSsl20() { $regKeyPath = @( "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0", "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client", "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" ) return $regKeyPath } #Initialize reboot value to false $reboot = $false #*****************************Create the logfile if not does not exist*************************************** $logLocation = CreateLogDirectory #Start writing to the logs Write-Log -Message "========== Start of logging for a script execution ==========" -Logfile $logLocation -Severity Information $registryPathGoodGuys = @() $registryPathBadGuys = @() # we enable TLS 1.2 and disable SSL 2.0, 3.0 in any case $registryPathGoodGuys += Get-RegKeyPathForTls12 $registryPathBadGuys += Get-RegKeyPathForSsl20 $registryPathBadGuys += Get-RegKeyPathForSsl30 # add TLS 1.0/1.1 to good/bad depending on user's preference # default is adding TLS 1.0/1.1 to bad if ($EnableOlderTlsVersions) { $registryPathGoodGuys += Get-RegKeypathForTls10 $registryPathGoodGuys += Get-RegKeyPathForTls11 Write-Log -Message "Enabling TLS1.2, TLS1.1, TLS1.0. Disabling SSL3.0, SSL2.0" -Logfile $logLocation -Severity Information } else { $registryPathBadGuys += Get-RegKeypathForTls10 $registryPathBadGuys += Get-RegKeyPathForTls11 Write-Log -Message "Enabling TLS1.2. Disabling TLS1.1, TLS1.0, SSL3.0, SSL2.0" -Logfile $logLocation -Severity Information } Write-Log -Message "Check which registry keys exist already and which registry keys need to be created." -Logfile $logLocation -Severity Information #******************* CREATE THE REGISTRY KEYS IF THEY DON'T EXIST******************************** # Check for existence of GoodGuy registry keys, and create if they do not exist For ($i = 0; $i -lt $registryPathGoodGuys.Length; $i = $i + 1) { Write-Log -Message "Checking for existing of key: $($registryPathGoodGuys[$i]) " -Logfile $logLocation -Severity Information If (!(Test-Path -Path $registryPathGoodGuys[$i])) { New-Item $registryPathGoodGuys[$i] | Out-Null Write-Log -Message "Creating key: $($registryPathGoodGuys[$i]) " -Logfile $logLocation -Severity Information } } # Check for existence of BadGuy registry keys, and create if they do not exist For ($i = 0; $i -lt $registryPathBadGuys.Length; $i = $i + 1) { Write-Log -Message "Checking for existing of key: $($registryPathBadGuys[$i]) " -Logfile $logLocation -Severity Information If (!(Test-Path -Path $registryPathBadGuys[$i])) { Write-Log -Message "Creating key: $($registryPathBadGuys[$i]) " -Logfile $logLocation -Severity Information New-Item $registryPathBadGuys[$i] | Out-Null } } #******************* EXPLICITLY DISABLE SSLV2, SSLV3, TLS10 AND TLS11 ******************************** For ($i = 0; $i -lt $registryPathBadGuys.Length; $i = $i + 1) { if ($registryPathBadGuys[$i].Contains("Client") -Or $registryPathBadGuys[$i].Contains("Server")) { Write-Log -Message "Disabling this key: $($registryPathBadGuys[$i]) " -Logfile $logLocation -Severity Information $result = Set-CryptoSetting $registryPathBadGuys[$i].ToString() Enabled 0 DWord $result = Set-CryptoSetting $registryPathBadGuys[$i].ToString() DisabledByDefault 1 DWord $reboot = $reboot -or $result } } #********************************* EXPLICITLY Enable TLS12 **************************************** For ($i = 0; $i -lt $registryPathGoodGuys.Length; $i = $i + 1) { if ($registryPathGoodGuys[$i].Contains("Client") -Or $registryPathGoodGuys[$i].Contains("Server")) { Write-Log -Message "Enabling this key: $($registryPathGoodGuys[$i]) " -Logfile $logLocation -Severity Information $result = Set-CryptoSetting $registryPathGoodGuys[$i].ToString() Enabled 1 DWord $result = Set-CryptoSetting $registryPathGoodGuys[$i].ToString() DisabledByDefault 0 DWord $reboot = $reboot -or $result } } #************************************** Disable RC4 ************************************************ $result = DisableRC4 $reboot = $reboot -or $result #************************************** Set Cipher Suite Order ************************************** Write-Log -Message "----- starting ciphersuite order calculation -----" -Logfile $logLocation -Severity Information $configureExcellenceOrder = $true if ($SetCipherOrder.ToUpper() -eq "B") { $configureExcellenceOrder = $false Write-Host "The min bar cipher suite order was chosen." Write-Log -Message "The min bar cipher suite order was chosen." -Logfile $logLocation -Severity Information } else { Write-Host "The opportunity for excellence cipher suite order was chosen." Write-Log -Message "The opportunity for excellence cipher suite order was chosen." -Logfile $logLocation -Severity Information } $cipherlist = @() if ([Environment]::OSVersion.Version.Major -lt 10) { $cipherlist += Get-BaseCipherSuitesOlderWindows -isExcellenceOrder $configureExcellenceOrder $cipherlist += Get-BrowserCompatCipherSuitesOlderWindows -isExcellenceOrder $configureExcellenceOrder } else { $cipherlist += Get-BaseCipherSuitesWin10Above -isExcellenceOrder $configureExcellenceOrder } $cipherorder = [System.String]::Join(",", $cipherlist) Write-Host "Appropriate ciphersuite order : $cipherorder" Write-Log -Message "Appropriate ciphersuite order : $cipherorder" -Logfile $logLocation -Severity Information $CipherSuiteRegKey = "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" if (!(Test-Path -Path $CipherSuiteRegKey)) { New-Item $CipherSuiteRegKey | Out-Null $reboot = $True Write-Log -Message "Creating key: $($CipherSuiteRegKey) " -Logfile $logLocation -Severity Information } $val = (Get-Item -Path $CipherSuiteRegKey -ErrorAction SilentlyContinue).GetValue("Functions", $null) Write-Log -Message "Previous cipher suite value: $val " -Logfile $logLocation -Severity Information Write-Log -Message "New cipher suite value : $cipherorder " -Logfile $logLocation -Severity Information if ($val -ne $cipherorder) { Write-Log -Message "Cipher suite order needs to be updated. " -Logfile $logLocation -Severity Information Write-Host "The original cipher suite order needs to be updated", `n, $val Set-ItemProperty -Path $CipherSuiteRegKey -Name Functions -Value $cipherorder Write-Log -Message "Cipher suite value was updated. " -Logfile $logLocation -Severity Information $reboot = $True } else { Write-Log -Message "Cipher suite order does not need to be updated. " -Logfile $logLocation -Severity Information Write-Log -Message "Cipher suite value was not updated as there was no change. " -Logfile $logLocation -Severity Information } #****************************** CHECK THE FIPS SETTING WHICH IMPACTS RDP'S ALLOWED CIPHERS ************************** #Check for FipsSettings Write-Log -Message "Checking to see if reg keys exist and if MinEncryptionLevel is set to 4" -Logfile $logLocation -Severity Information $result = Test-RegistryValueForFipsSettings $reboot = $reboot -or $result #************************************** REBOOT ************************************** if ($RebootIfRequired) { Write-Log -Message "You set the RebootIfRequired flag to true. If changes are made, the system will reboot " -Logfile $logLocation -Severity Information # If any settings were changed, reboot If ($reboot) { Write-Log -Message "Rebooting now... " -Logfile $logLocation -Severity Information Write-Log -Message "Using this command: shutdown.exe /r /t 5 /c ""Crypto settings changed"" /f /d p:2:4 " -Logfile $logLocation -Severity Information Write-Host "Rebooting now..." shutdown.exe /r /t 5 /c "Crypto settings changed" /f /d p:2:4 } Else { Write-Host "Nothing get updated." Write-Log -Message "Nothing get updated. " -Logfile $logLocation -Severity Information } } else { Write-Log -Message "You set the RebootIfRequired flag to false. If changes are made, the system will NOT reboot " -Logfile $logLocation -Severity Information Write-Log -Message "No changes will take effect until a reboot has been completed. " -Logfile $logLocation -Severity Information Write-Log -Message "Script does not include a reboot by design" -Logfile $logLocation -Severity Information } Write-Log -Message "========== End of logging for a script execution ==========" -Logfile $logLocation -Severity Information # SIG # Begin signature block # MIIr5AYJKoZIhvcNAQcCoIIr1TCCK9ECAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAHtlEJwNffjnOP # Sr2t1yq5EfE0ll4GozyZt3UXO9BXKKCCEW4wggh+MIIHZqADAgECAhM2AAACDeKE # D0nu2y38AAIAAAINMA0GCSqGSIb3DQEBCwUAMEExEzARBgoJkiaJk/IsZAEZFgNH # QkwxEzARBgoJkiaJk/IsZAEZFgNBTUUxFTATBgNVBAMTDEFNRSBDUyBDQSAwMTAe # Fw0yNTEwMjMyMzA5MzBaFw0yNjA0MjYyMzE5MzBaMCQxIjAgBgNVBAMTGU1pY3Jv # c29mdCBBenVyZSBDb2RlIFNpZ24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK # AoIBAQCpj9ry6z6v08TIeKoxS2+5c928SwYKDXCyPWZHpm3xIHTqBBmlTM1GO7X4 # ap5jj/wroH7TzukJtfLR6Z4rBkjdlocHYJ2qU7ggik1FDeVL1uMnl5fPAB0ETjqt # rk3Lt2xT27XUoNlKfnFcnmVpIaZ6fnSAi2liEhbHqce5qEJbGwv6FiliSJzkmeTK # 6YoQQ4jq0kK9ToBGMmRiLKZXTO1SCAa7B4+96EMK3yKIXnBMdnKhWewBsU+t1LHW # vB8jt8poBYSg5+91Faf9oFDvl5+BFWVbJ9+mYWbOzJ9/ZX1J4yvUoZChaykKGaTl # k51DUoZymsBuatWbJsGzo0d43gMLAgMBAAGjggWKMIIFhjApBgkrBgEEAYI3FQoE # HDAaMAwGCisGAQQBgjdbAQEwCgYIKwYBBQUHAwMwPQYJKwYBBAGCNxUHBDAwLgYm # KwYBBAGCNxUIhpDjDYTVtHiE8Ys+hZvdFs6dEoFgg93NZoaUjDICAWQCAQ4wggJ2 # BggrBgEFBQcBAQSCAmgwggJkMGIGCCsGAQUFBzAChlZodHRwOi8vY3JsLm1pY3Jv # c29mdC5jb20vcGtpaW5mcmEvQ2VydHMvQlkyUEtJQ1NDQTAxLkFNRS5HQkxfQU1F # JTIwQ1MlMjBDQSUyMDAxKDIpLmNydDBSBggrBgEFBQcwAoZGaHR0cDovL2NybDEu # YW1lLmdibC9haWEvQlkyUEtJQ1NDQTAxLkFNRS5HQkxfQU1FJTIwQ1MlMjBDQSUy # MDAxKDIpLmNydDBSBggrBgEFBQcwAoZGaHR0cDovL2NybDIuYW1lLmdibC9haWEv # QlkyUEtJQ1NDQTAxLkFNRS5HQkxfQU1FJTIwQ1MlMjBDQSUyMDAxKDIpLmNydDBS # BggrBgEFBQcwAoZGaHR0cDovL2NybDMuYW1lLmdibC9haWEvQlkyUEtJQ1NDQTAx # LkFNRS5HQkxfQU1FJTIwQ1MlMjBDQSUyMDAxKDIpLmNydDBSBggrBgEFBQcwAoZG # aHR0cDovL2NybDQuYW1lLmdibC9haWEvQlkyUEtJQ1NDQTAxLkFNRS5HQkxfQU1F # JTIwQ1MlMjBDQSUyMDAxKDIpLmNydDCBrQYIKwYBBQUHMAKGgaBsZGFwOi8vL0NO # PUFNRSUyMENTJTIwQ0ElMjAwMSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2Vy # dmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1BTUUsREM9R0JM # P2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0 # aG9yaXR5MB0GA1UdDgQWBBS6kl+vZengaA7Cc8nJtd6sYRNA3jAOBgNVHQ8BAf8E # BAMCB4AwRQYDVR0RBD4wPKQ6MDgxHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3Jh # dGlvbjEWMBQGA1UEBRMNMjM2MTY3KzUwNjA0MjCCAeYGA1UdHwSCAd0wggHZMIIB # 1aCCAdGgggHNhj9odHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpaW5mcmEvQ1JM # L0FNRSUyMENTJTIwQ0ElMjAwMSgyKS5jcmyGMWh0dHA6Ly9jcmwxLmFtZS5nYmwv # Y3JsL0FNRSUyMENTJTIwQ0ElMjAwMSgyKS5jcmyGMWh0dHA6Ly9jcmwyLmFtZS5n # YmwvY3JsL0FNRSUyMENTJTIwQ0ElMjAwMSgyKS5jcmyGMWh0dHA6Ly9jcmwzLmFt # ZS5nYmwvY3JsL0FNRSUyMENTJTIwQ0ElMjAwMSgyKS5jcmyGMWh0dHA6Ly9jcmw0 # LmFtZS5nYmwvY3JsL0FNRSUyMENTJTIwQ0ElMjAwMSgyKS5jcmyGgb1sZGFwOi8v # L0NOPUFNRSUyMENTJTIwQ0ElMjAwMSgyKSxDTj1CWTJQS0lDU0NBMDEsQ049Q0RQ # LENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZp # Z3VyYXRpb24sREM9QU1FLERDPUdCTD9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0 # P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnQwHwYDVR0jBBgw # FoAUllGE4Gtve/7YBqvD8oXmKa5q+dQwHwYDVR0lBBgwFgYKKwYBBAGCN1sBAQYI # KwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggEBAJKGB9zyDWN/9twAY6qCLnfDCKc/ # PuXoCYI5Snobtv15QHAJwwBJ7mr907EmcwECzMnK2M2auU/OUHjdXYUOG5TV5L7W # xvf0xBqluWldZjvnv2L4mANIOk18KgcSmlhdVHT8AdehHXSs7NMG2di0cPzY+4Ol # 2EJ3nw2JSZimBQdRcoZxDjoCGFmHV8lOHpO2wfhacq0T5NK15yQqXEdT+iRivdhd # i/n26SOuPDa6Y/cCKca3CQloCQ1K6NUzt+P6E8GW+FtvcLza5dAWjJLVvfemwVyl # JFdnqejZPbYBRdNefyLZjFsRTBaxORl6XG3kiz2t6xeFLLRTJgPPATx1S7Awggjo # MIIG0KADAgECAhMfAAAAUeqP9pxzDKg7AAAAAABRMA0GCSqGSIb3DQEBCwUAMDwx # EzARBgoJkiaJk/IsZAEZFgNHQkwxEzARBgoJkiaJk/IsZAEZFgNBTUUxEDAOBgNV # BAMTB2FtZXJvb3QwHhcNMjEwNTIxMTg0NDE0WhcNMjYwNTIxMTg1NDE0WjBBMRMw # EQYKCZImiZPyLGQBGRYDR0JMMRMwEQYKCZImiZPyLGQBGRYDQU1FMRUwEwYDVQQD # EwxBTUUgQ1MgQ0EgMDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJ # mlIJfQGejVbXKpcyFPoFSUllalrinfEV6JMc7i+bZDoL9rNHnHDGfJgeuRIYO1LY # /1f4oMTrhXbSaYRCS5vGc8145WcTZG908bGDCWr4GFLc411WxA+Pv2rteAcz0eHM # H36qTQ8L0o3XOb2n+x7KJFLokXV1s6pF/WlSXsUBXGaCIIWBXyEchv+sM9eKDsUO # LdLTITHYJQNWkiryMSEbxqdQUTVZjEz6eLRLkofDAo8pXirIYOgM770CYOiZrcKH # K7lYOVblx22pdNawY8Te6a2dfoCaWV1QUuazg5VHiC4p/6fksgEILptOKhx9c+ia # piNhMrHsAYx9pUtppeaFAgMBAAGjggTcMIIE2DASBgkrBgEEAYI3FQEEBQIDAgAC # MCMGCSsGAQQBgjcVAgQWBBQSaCRCIUfL1Gu+Mc8gpMALI38/RzAdBgNVHQ4EFgQU # llGE4Gtve/7YBqvD8oXmKa5q+dQwggEEBgNVHSUEgfwwgfkGBysGAQUCAwUGCCsG # AQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNxQCAQYJKwYBBAGCNxUGBgorBgEEAYI3 # CgMMBgkrBgEEAYI3FQYGCCsGAQUFBwMJBggrBgEFBQgCAgYKKwYBBAGCN0ABAQYL # KwYBBAGCNwoDBAEGCisGAQQBgjcKAwQGCSsGAQQBgjcVBQYKKwYBBAGCNxQCAgYK # KwYBBAGCNxQCAwYIKwYBBQUHAwMGCisGAQQBgjdbAQEGCisGAQQBgjdbAgEGCisG # AQQBgjdbAwEGCisGAQQBgjdbBQEGCisGAQQBgjdbBAEGCisGAQQBgjdbBAIwGQYJ # KwYBBAGCNxQCBAweCgBTAHUAYgBDAEEwCwYDVR0PBAQDAgGGMBIGA1UdEwEB/wQI # MAYBAf8CAQAwHwYDVR0jBBgwFoAUKV5RXmSuNLnrrJwNp4x1AdEJCygwggFoBgNV # HR8EggFfMIIBWzCCAVegggFToIIBT4YxaHR0cDovL2NybC5taWNyb3NvZnQuY29t # L3BraWluZnJhL2NybC9hbWVyb290LmNybIYjaHR0cDovL2NybDIuYW1lLmdibC9j # cmwvYW1lcm9vdC5jcmyGI2h0dHA6Ly9jcmwzLmFtZS5nYmwvY3JsL2FtZXJvb3Qu # Y3JshiNodHRwOi8vY3JsMS5hbWUuZ2JsL2NybC9hbWVyb290LmNybIaBqmxkYXA6 # Ly8vQ049YW1lcm9vdCxDTj1BTUVSb290LENOPUNEUCxDTj1QdWJsaWMlMjBLZXkl # MjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPUFNRSxE # Qz1HQkw/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNz # PWNSTERpc3RyaWJ1dGlvblBvaW50MIIBqwYIKwYBBQUHAQEEggGdMIIBmTBHBggr # BgEFBQcwAoY7aHR0cDovL2NybC5taWNyb3NvZnQuY29tL3BraWluZnJhL2NlcnRz # L0FNRVJvb3RfYW1lcm9vdC5jcnQwNwYIKwYBBQUHMAKGK2h0dHA6Ly9jcmwyLmFt # ZS5nYmwvYWlhL0FNRVJvb3RfYW1lcm9vdC5jcnQwNwYIKwYBBQUHMAKGK2h0dHA6 # Ly9jcmwzLmFtZS5nYmwvYWlhL0FNRVJvb3RfYW1lcm9vdC5jcnQwNwYIKwYBBQUH # MAKGK2h0dHA6Ly9jcmwxLmFtZS5nYmwvYWlhL0FNRVJvb3RfYW1lcm9vdC5jcnQw # gaIGCCsGAQUFBzAChoGVbGRhcDovLy9DTj1hbWVyb290LENOPUFJQSxDTj1QdWJs # aWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9u # LERDPUFNRSxEQz1HQkw/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNl # cnRpZmljYXRpb25BdXRob3JpdHkwDQYJKoZIhvcNAQELBQADggIBAFAQI7dPD+jf # XtGt3vJp2pyzA/HUu8hjKaRpM3opya5G3ocprRd7vdTHb8BDfRN+AD0YEmeDB5HK # QoG6xHPI5TXuIi5sm/LeADbV3C2q0HQOygS/VT+m1W7a/752hMIn+L4ZuyxVeSBp # fwf7oQ4YSZPh6+ngZvBHgfBaVz4O9/wcfw91QDZnTgK9zAh9yRKKls2bziPEnxeO # ZMVNaxyV0v152PY2xjqIafIkUjK6vY9LtVFjJXenVUAmn3WCPWNFC1YTIIHw/mD2 # cTfPy7QA1pT+GPARAKt0bKtq9aCd/Ym0b5tPbpgCiRtzyb7fbNS1dE740re0COE6 # 7YV2wbeo2sXixzvLftH8L7s9xv9wV+G22qyKt6lmKLjFK1yMw4Ni5fMabcgmzRvS # jAcbqgp3tk4a8emaaH0rz8MuuIP+yrxtREPXSqL/C5bzMzsikuDW9xH10graZzSm # PjilzpRfRdu20/9UQmC7eVPZ4j1WNa1oqPHfzET3ChIzJ6Q9G3NPCB+7KwX0OQmK # yv7IDimj8U/GlsHD1z+EF/fYMf8YXG15LamaOAohsw/ywO6SYSreVW+5Y0mzJutn # BC9Cm9ozj1+/4kqksrlhZgR/CSxhFH3BTweH8gP2FEISRtShDZbuYymynY1un+Ry # fiK9+iVTLdD1h/SxyxDpZMtimb4CgJQlMYIZzDCCGcgCAQEwWDBBMRMwEQYKCZIm # iZPyLGQBGRYDR0JMMRMwEQYKCZImiZPyLGQBGRYDQU1FMRUwEwYDVQQDEwxBTUUg # Q1MgQ0EgMDECEzYAAAIN4oQPSe7bLfwAAgAAAg0wDQYJYIZIAWUDBAIBBQCgga4w # GQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEOMAwGCisG # AQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIDkL7uzVKsJr3vqgqGpY/7PR1+R8/f82 # CEnScjhUwuBSMEIGCisGAQQBgjcCAQwxNDAyoBSAEgBNAGkAYwByAG8AcwBvAGYA # dKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20wDQYJKoZIhvcNAQEBBQAEggEA # W4jDvneSCXlpvjaolbMrt+LDTd1+exYm1U/Mf2gWrMabkYCnyLywGeVH8fEjZafP # TUfQ5DR4id1oYSZG46jjVrEe56vKZRc1yg3mlfPabl0WPwRNChZ5EGHMHGcbzt2s # B1sKZlp4bI+cmWiS1lYKyfDVgANhIWcFgluKZR4aoDuJqcw8N6qzrOrGnBdxrqco # QNQVrp9RbrgyriZeRAHk8p21uI+xDrCZvR4r4I1a3Emp0mCcXM3fPXXeN9+LznbW # iRcigABluiwyGqSUD5MdIMSbPnO5+x5zrHymGvsEp+NF5Ahl9yLVZQ7qlCZdJEgx # KknM2jsTZuHth+9zYCLJwaGCF5QwgheQBgorBgEEAYI3AwMBMYIXgDCCF3wGCSqG # SIb3DQEHAqCCF20wghdpAgEDMQ8wDQYJYIZIAWUDBAIBBQAwggFSBgsqhkiG9w0B # CRABBKCCAUEEggE9MIIBOQIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFlAwQCAQUA # BCDMG72HjUjC8k6xqcC+eiu5v7G8bJ/YQfPglfvRSb9jvAIGaSc6Iu24GBMyMDI1 # MTIwMTE4MjAwNS4yMjhaMASAAgH0oIHRpIHOMIHLMQswCQYDVQQGEwJVUzETMBEG # A1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWlj # cm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1lcmljYSBP # cGVyYXRpb25zMScwJQYDVQQLEx5uU2hpZWxkIFRTUyBFU046ODYwMy0wNUUwLUQ5 # NDcxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2WgghHqMIIH # IDCCBQigAwIBAgITMwAAAgcsETmJzYX7xQABAAACBzANBgkqhkiG9w0BAQsFADB8 # MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVk # bW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1N # aWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDAeFw0yNTAxMzAxOTQyNTJaFw0y # NjA0MjIxOTQyNTJaMIHLMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3Rv # bjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0 # aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1lcmljYSBPcGVyYXRpb25zMScwJQYD # VQQLEx5uU2hpZWxkIFRTUyBFU046ODYwMy0wNUUwLUQ5NDcxJTAjBgNVBAMTHE1p # Y3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2UwggIiMA0GCSqGSIb3DQEBAQUAA4IC # DwAwggIKAoICAQDFP/96dPmcfgODe3/nuFveuBst/JmSxSkOn89ZFytHQm344iLo # PqkVws+CiUejQabKf+/c7KU1nqwAmmtiPnG8zm4Sl9+RJZaQ4Dx3qtA9mdQdS7Ch # f6YUbP4Z++8laNbTQigJoXCmzlV34vmC4zpFrET4KAATjXSPK0sQuFhKr7ltNaMF # GclXSnIhcnScj9QUDVLQpAsJtsKHyHN7cN74aEXLpFGc1I+WYFRxaTgqSPqGRfEf # uQ2yGrAbWjJYOXueeTA1MVKhW8zzSEpfjKeK/t2XuKykpCUaKn5s8sqNbI3bHt/r # E/pNzwWnAKz+POBRbJxIkmL+n/EMVir5u8uyWPl1t88MK551AGVh+2H4ziR14YDx # zyCG924gaonKjicYnWUBOtXrnPK6AS/LN6Y+8Kxh26a6vKbFbzaqWXAjzEiQ8EY9 # K9pYI/KCygixjDwHfUgVSWCyT8Kw7mGByUZmRPPxXONluMe/P8CtBJMpuh8CBWyj # vFfFmOSNRK8ETkUmlTUAR1CIOaeBqLGwscShFfyvDQrbChmhXib4nRMX5U9Yr9d7 # VcYHn6eZJsgyzh5QKlIbCQC/YvhFK42ceCBDMbc+Ot5R6T/Mwce5jVyVCmqXVxWO # aQc4rA2nV7onMOZC6UvCG8LGFSZBnj1loDDLWo/I+RuRok2j/Q4zcMnwkQIDAQAB # o4IBSTCCAUUwHQYDVR0OBBYEFHK1UmLCvXrQCvR98JBq18/4zo0eMB8GA1UdIwQY # MBaAFJ+nFV0AXmJdg/Tl0mWnG1M1GelyMF8GA1UdHwRYMFYwVKBSoFCGTmh0dHA6 # Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY3JsL01pY3Jvc29mdCUyMFRpbWUt # U3RhbXAlMjBQQ0ElMjAyMDEwKDEpLmNybDBsBggrBgEFBQcBAQRgMF4wXAYIKwYB # BQUHMAKGUGh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY2VydHMvTWlj # cm9zb2Z0JTIwVGltZS1TdGFtcCUyMFBDQSUyMDIwMTAoMSkuY3J0MAwGA1UdEwEB # /wQCMAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwgwDgYDVR0PAQH/BAQDAgeAMA0G # CSqGSIb3DQEBCwUAA4ICAQDju0quPbnix0slEjD7j2224pYOPGTmdDvO0+bNRCNk # ZqUv07P04nf1If3Y/iJEmUaU7w12Fm582ImpD/Kw2ClXrNKLPTBO6nfxvOPGtalp # Al4wqoGgZxvpxb2yEunG4yZQ6EQOpg1dE9uOXoze3gD4Hjtcc75kca8yivowEI+r # hXuVUWB7vog4TGUxKdnDvpk5GSGXnOhPDhdId+g6hRyXdZiwgEa+q9M9Xctz4TGh # DgOKFsYxFhXNJZo9KRuGq6evhtyNduYrkzjDtWS6gW8akR59UhuLGsVq+4AgqEY8 # WlXjQGM2OTkyBnlQLpB8qD7x9jRpY2Cq0OWWlK0wfH/1zefrWN5+be87Sw2TPcIu # dIJn39bbDG7awKMVYDHfsPJ8ZvxgWkZuf6ZZAkph0eYGh3IV845taLkdLOCvw49W # xqha5Dmi2Ojh8Gja5v9kyY3KTFyX3T4C2scxfgp/6xRd+DGOhNVPvVPa/3yRUqY5 # s5UYpy8DnbppV7nQO2se3HvCSbrb+yPyeob1kUfMYa9fE2bEsoMbOaHRgGji8ZPt # /Jd2bPfdQoBHcUOqPwjHBUIcSc7xdJZYjRb4m81qxjma3DLjuOFljMZTYovRiGvE # ML9xZj2pHRUyv+s5v7VGwcM6rjNYM4qzZQM6A2RGYJGU780GQG0QO98w+sucuTVr # fTCCB3EwggVZoAMCAQICEzMAAAAVxedrngKbSZkAAAAAABUwDQYJKoZIhvcNAQEL # BQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH # EwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNV # BAMTKU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDEwMB4X # DTIxMDkzMDE4MjIyNVoXDTMwMDkzMDE4MzIyNVowfDELMAkGA1UEBhMCVVMxEzAR # BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p # Y3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3Rh # bXAgUENBIDIwMTAwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDk4aZM # 57RyIQt5osvXJHm9DtWC0/3unAcH0qlsTnXIyjVX9gF/bErg4r25PhdgM/9cT8dm # 95VTcVrifkpa/rg2Z4VGIwy1jRPPdzLAEBjoYH1qUoNEt6aORmsHFPPFdvWGUNzB # RMhxXFExN6AKOG6N7dcP2CZTfDlhAnrEqv1yaa8dq6z2Nr41JmTamDu6GnszrYBb # fowQHJ1S/rboYiXcag/PXfT+jlPP1uyFVk3v3byNpOORj7I5LFGc6XBpDco2LXCO # Mcg1KL3jtIckw+DJj361VI/c+gVVmG1oO5pGve2krnopN6zL64NF50ZuyjLVwIYw # XE8s4mKyzbnijYjklqwBSru+cakXW2dg3viSkR4dPf0gz3N9QZpGdc3EXzTdEonW # /aUgfX782Z5F37ZyL9t9X4C626p+Nuw2TPYrbqgSUei/BQOj0XOmTTd0lBw0gg/w # EPK3Rxjtp+iZfD9M269ewvPV2HM9Q07BMzlMjgK8QmguEOqEUUbi0b1qGFphAXPK # Z6Je1yh2AuIzGHLXpyDwwvoSCtdjbwzJNmSLW6CmgyFdXzB0kZSU2LlQ+QuJYfM2 # BjUYhEfb3BvR/bLUHMVr9lxSUV0S2yW6r1AFemzFER1y7435UsSFF5PAPBXbGjfH # CBUYP3irRbb1Hode2o+eFnJpxq57t7c+auIurQIDAQABo4IB3TCCAdkwEgYJKwYB # BAGCNxUBBAUCAwEAATAjBgkrBgEEAYI3FQIEFgQUKqdS/mTEmr6CkTxGNSnPEP8v # BO4wHQYDVR0OBBYEFJ+nFV0AXmJdg/Tl0mWnG1M1GelyMFwGA1UdIARVMFMwUQYM # KwYBBAGCN0yDfQEBMEEwPwYIKwYBBQUHAgEWM2h0dHA6Ly93d3cubWljcm9zb2Z0 # LmNvbS9wa2lvcHMvRG9jcy9SZXBvc2l0b3J5Lmh0bTATBgNVHSUEDDAKBggrBgEF # BQcDCDAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYD # VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTV9lbLj+iiXGJo0T2UkFvXzpoYxDBW # BgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2Ny # bC9wcm9kdWN0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcmwwWgYIKwYBBQUH # AQEETjBMMEoGCCsGAQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtp # L2NlcnRzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNydDANBgkqhkiG9w0BAQsF # AAOCAgEAnVV9/Cqt4SwfZwExJFvhnnJL/Klv6lwUtj5OR2R4sQaTlz0xM7U518Jx # Nj/aZGx80HU5bbsPMeTCj/ts0aGUGCLu6WZnOlNN3Zi6th542DYunKmCVgADsAW+ # iehp4LoJ7nvfam++Kctu2D9IdQHZGN5tggz1bSNU5HhTdSRXud2f8449xvNo32X2 # pFaq95W2KFUn0CS9QKC/GbYSEhFdPSfgQJY4rPf5KYnDvBewVIVCs/wMnosZiefw # C2qBwoEZQhlSdYo2wh3DYXMuLGt7bj8sCXgU6ZGyqVvfSaN0DLzskYDSPeZKPmY7 # T7uG+jIa2Zb0j/aRAfbOxnT99kxybxCrdTDFNLB62FD+CljdQDzHVG2dY3RILLFO # Ry3BFARxv2T5JL5zbcqOCb2zAVdJVGTZc9d/HltEAY5aGZFrDZ+kKNxnGSgkujhL # mm77IVRrakURR6nxt67I6IleT53S0Ex2tVdUCbFpAUR+fKFhbHP+CrvsQWY9af3L # wUFJfn6Tvsv4O+S3Fb+0zj6lMVGEvL8CwYKiexcdFYmNcP7ntdAoGokLjzbaukz5 # m/8K6TT4JDVnK+ANuOaMmdbhIurwJ0I9JZTmdHRbatGePu1+oDEzfbzL6Xu/OHBE # 0ZDxyKs6ijoIYn/ZcGNTTY3ugm2lBRDBcQZqELQdVTNYs6FwZvKhggNNMIICNQIB # ATCB+aGB0aSBzjCByzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x # EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv # bjElMCMGA1UECxMcTWljcm9zb2Z0IEFtZXJpY2EgT3BlcmF0aW9uczEnMCUGA1UE # CxMeblNoaWVsZCBUU1MgRVNOOjg2MDMtMDVFMC1EOTQ3MSUwIwYDVQQDExxNaWNy # b3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNloiMKAQEwBwYFKw4DAhoDFQDTvVU/Yj9l # USyeDCaiJ2Da5hUiS6CBgzCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpX # YXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQg # Q29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAy # MDEwMA0GCSqGSIb3DQEBCwUAAgUA7NhPuTAiGA8yMDI1MTIwMTE3MzI0MVoYDzIw # MjUxMjAyMTczMjQxWjB0MDoGCisGAQQBhFkKBAExLDAqMAoCBQDs2E+5AgEAMAcC # AQACAgbKMAcCAQACAhPUMAoCBQDs2aE5AgEAMDYGCisGAQQBhFkKBAIxKDAmMAwG # CisGAQQBhFkKAwKgCjAIAgEAAgMHoSChCjAIAgEAAgMBhqAwDQYJKoZIhvcNAQEL # BQADggEBAA/Q2Aq6CKFtgyQ9vk9e3fzodHRmWFiMpWQhqlZQYPH24jIjWHytxSTw # jQxqHJx6YXn5dWbvQFKsaQUZNoFi4SibQHGZwijD63EpC29VeME3103CcOciuVnf # vWZrdnIp43IQOMMSDICC0YewkBx1A0gf1ymmDqZ8dezNoU5GD5m6AwOajcb+Ll08 # NZTpLMiJUhTgbwU6ghCySoS3sivBstf3wg2yM8nTaaEX0auN8U4hErhgHp3sQCyj # y7FmYpAIF2vYNUG+uJjsLtSy5qITPaIL2/nNi3vxSBMfY+zonyycxwk9BNbgiSyv # ClY5991HSw1TD9DjEg8T7j7d2fm5bTsxggQNMIIECQIBATCBkzB8MQswCQYDVQQG # EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG # A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQg # VGltZS1TdGFtcCBQQ0EgMjAxMAITMwAAAgcsETmJzYX7xQABAAACBzANBglghkgB # ZQMEAgEFAKCCAUowGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMC8GCSqGSIb3 # DQEJBDEiBCCJ+SgFEHeve45Gyxer2Xr/lntSEJE1fF06KzBQJn3FETCB+gYLKoZI # hvcNAQkQAi8xgeowgecwgeQwgb0EIC/31NHQds1IZ5sPnv59p+v6BjBDgoDPIwiA # mn0PHqezMIGYMIGApH4wfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0 # b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3Jh # dGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTACEzMA # AAIHLBE5ic2F+8UAAQAAAgcwIgQgFED9mhvREJgUNPywjVopYOIGZVy3TfZ0VYZb # FxTCh74wDQYJKoZIhvcNAQELBQAEggIAOcwFoz1rJJdlx6CpegV9bN9K2VTzULhS # AJVpsDB0PkaG2mI/852K3PuIBqqNlKhp+KpG72ELRp+vHlVg23v83ndJZP20MQau # c6DyWK8V1UNNeslvnmYdLD+XRKTGQhBeU6ADgnzVB0X2Jg5VoRz/IobzOB+pUAUB # Gzb+oq3+mGl6v9ysjaZp7SHNtbVsmXqePCuYDh+vqoRt+sqzPNFURo3qDoXbhwnb # 05ZtFArGsKUVT/uN75taoWVhb3DZAiUwPRvcs3PJIyla0JRYjiKn8wK6Znh08Uwn # hoEOrOMcQ3/5Od00LDrRedOL1tT7OSwOOyI8g1qZOy/4+otiq3Z33YCGd74QfWXq # AF3n5DYUq55ZLMPuXGn24aCbXWWz2ePbE9cZcVSABaBWmWTUq/XEOASKZB053/us # 4Vtu9zmXVW8X9mhjtAr9oeg47ktkQvvNyPHlG7O5wtc0yQ2T0oM8r09eNV4SOfpa # xEqbZX9Ig5IwBHg+LJwL8d/IsNHtniUFqoyk9Evd0EdjDmmWZmnXlYMWU7zF3tca # t3tmelolBSbpPr9qwWpUfFkEWDMVBnYQ/AQ2cUWrWTjYShVje0jkY198PkXhHwHo # xFDiJhX9eAfXR5xXpvyU7CBhQwxQhvqtVFr9opR+1C4rgngfreDbOLRQfMk+YpCV # mpgyvzEncmM= # SIG # End signature block