SSL test fixes

* fix CRL tests to work * regenerate certificates to be at least 2048 bit (fixes buster and rhel8 in buildbot) * update generate-ssl-cert.sh to generate crl files * make all SSL tests to use certificates generated in generate-ssl-cert.sh, remove unused certificates Backport from 10.4 9c60535
MariaDB · Mar 1, 2019 · 8d47d9e · 8d47d9e
1 parent 20043cf
commit 8d47d9e
Show file tree

Hide file tree

Showing 58 changed files with 760 additions and 1,204 deletions.
diff --git a/mysql-test/disabled.def b/mysql-test/disabled.def
@@ -14,9 +14,6 @@ events_time_zone         : Test is not predictable as it depends on precise timi
 read_many_rows_innodb    : Bug#11748886 2010-11-15 mattiasj report already exists
 mysql_embedded           : Bug#12561297 2011-05-14 Anitha Dependent on PB2 changes - eventum#41836
 #show_explain  : Psergey: random timeout in range-checked-for-each record query.
-ssl_crl_clients_valid    : broken upstream
-ssl_crl                  : broken upstream
-ssl_crl_clrpath          : broken upstream
 innodb-wl5522-debug-zip  : broken upstream
 innodb_bug12902967       : broken upstream
 file_contents            : MDEV-6526 these files are not installed anymore

diff --git a/mysql-test/include/have_openssl.inc b/mysql-test/include/have_openssl.inc
@@ -1,7 +1,4 @@
--- source include/have_ssl_communication.inc
-let $crllen=`select length(trim(coalesce(@@ssl_crl, ''))) + length(trim(coalesce(@@ssl_crlpath, '')))`;
-if (!$crllen)
-{
+if (`SELECT count(*) = 0 FROM information_schema.GLOBAL_VARIABLES WHERE
+      VARIABLE_NAME = 'have_openssl' AND VARIABLE_VALUE = 'YES'`){
   skip Needs OpenSSL;
 }
-
diff --git a/mysql-test/lib/generate-ssl-certs.sh b/mysql-test/lib/generate-ssl-certs.sh
@@ -10,30 +10,49 @@ rm -rf demoCA
 mkdir demoCA demoCA/newcerts
 touch demoCA/index.txt
 echo 01 > demoCA/serial
+echo 01 > demoCA/crlnumber
 
 # CA certificate, self-signed
 openssl req -x509 -newkey rsa:2048 -keyout cakey.pem -out cacert.pem -days 7300 -nodes -subj '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' -text
 
 # server certificate signing request and private key. Note the very long subject (for MDEV-7859)
-openssl req -newkey rsa:1024 -keyout server-key.pem -out demoCA/server-req.pem -days 7300 -nodes -subj '/CN=localhost/C=FI/ST=state or province within country, in other certificates in this file it is the same as L/L=location, usually an address but often ambiguously used/OU=organizational unit name, a division name within an organization/O=organization name, typically a company name'
+openssl req -newkey rsa:2048 -keyout server-key.pem -out demoCA/server-req.pem -days 7300 -nodes -subj '/CN=localhost/C=FI/ST=state or province within country, in other certificates in this file it is the same as L/L=location, usually an address but often ambiguously used/OU=organizational unit name, a division name within an organization/O=organization name, typically a company name'
 # convert the key to yassl compatible format
 openssl rsa -in server-key.pem -out server-key.pem
 # sign the server certificate with CA certificate
-openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server-cert.pem -infiles demoCA/server-req.pem
+openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server-cert.pem -in demoCA/server-req.pem
 
+# server certificate with different validity period (MDEV-7598)
+openssl req -newkey rsa:2048 -keyout server-new-key.pem -out demoCA/server-new-req.pem -days 7301 -nodes -subj '/CN=server-new/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
+openssl rsa -in server-new-key.pem -out server-new-key.pem
+openssl ca -keyfile cakey.pem -days 7301 -batch -cert cacert.pem -policy policy_anything -out server-new-cert.pem -in demoCA/server-new-req.pem
+
+# 8K cert
 openssl req -newkey rsa:8192 -keyout server8k-key.pem -out demoCA/server8k-req.pem -days 7300 -nodes -subj '/CN=server8k/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
 openssl rsa -in server8k-key.pem -out server8k-key.pem
-openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server8k-cert.pem -infiles demoCA/server8k-req.pem
-
-openssl req -newkey rsa:1024 -keyout client-key.pem -out demoCA/client-req.pem -days 7300 -nodes -subj '/CN=client/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
-openssl rsa -in client-key.pem -out client-key.pem
-openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out client-cert.pem -infiles demoCA/client-req.pem
+openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server8k-cert.pem -in demoCA/server8k-req.pem
 
 # with SubjectAltName, only for OpenSSL 1.0.2+
 cat > demoCA/sanext.conf <<EOF
 subjectAltName=DNS:localhost
 EOF
-openssl req -newkey rsa:1024 -keyout serversan-key.pem -out demoCA/serversan-req.pem -days 7300 -nodes -subj '/CN=server/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
-openssl ca -keyfile cakey.pem -extfile demoCA/sanext.conf -days 7300 -batch -cert cacert.pem -policy policy_anything -out serversan-cert.pem -infiles demoCA/serversan-req.pem
+openssl req -newkey rsa:2048 -keyout serversan-key.pem -out demoCA/serversan-req.pem -days 7300 -nodes -subj '/CN=server/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
+openssl ca -keyfile cakey.pem -extfile demoCA/sanext.conf -days 7300 -batch -cert cacert.pem -policy policy_anything -out serversan-cert.pem -in demoCA/serversan-req.pem
+
+# client cert
+openssl req -newkey rsa:2048 -keyout client-key.pem -out demoCA/client-req.pem -days 7300 -nodes -subj '/CN=client/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
+openssl rsa -in client-key.pem -out client-key.pem
+openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out client-cert.pem -in demoCA/client-req.pem
+
+# generate crls
+openssl ca -revoke server-cert.pem -keyfile cakey.pem -batch -cert cacert.pem
+openssl ca -gencrl -keyfile cakey.pem -crldays 7300 -batch -cert cacert.pem -out server-cert.crl
+# we only want to have one certificate per CRL. Un-revoke server-cert.crl
+cp demoCA/index.txt.old demoCA/index.txt
+openssl ca -revoke client-cert.pem -keyfile cakey.pem -batch -cert cacert.pem
+openssl ca -gencrl -keyfile cakey.pem -crldays 7300 -batch -cert cacert.pem -out client-cert.crl
+
+rm -fv crldir/*
+cp -v client-cert.crl crldir/`openssl x509 -in client-cert.pem -noout -issuer_hash`.r0
 
 rm -rf demoCA
diff --git a/mysql-test/r/ssl-crl-revoked-crl.result b/mysql-test/r/ssl-crl-revoked-crl.result
diff --git a/mysql-test/r/ssl.result b/mysql-test/r/ssl.result
@@ -4,10 +4,10 @@ have_ssl
 1
 SHOW STATUS LIKE 'Ssl_server_not_before';
 Variable_name	Value
-Ssl_server_not_before	Apr 25 20:52:21 2017 GMT
+Ssl_server_not_before	Jan 27 10:11:10 2019 GMT
 SHOW STATUS LIKE 'Ssl_server_not_after';
 Variable_name	Value
-Ssl_server_not_after	Apr 20 20:52:21 2037 GMT
+Ssl_server_not_after	Jan 22 10:11:10 2039 GMT
 drop table if exists t1,t2,t3,t4;
 CREATE TABLE t1 (
 Period smallint(4) unsigned zerofill DEFAULT '0000' NOT NULL,

diff --git a/mysql-test/r/ssl_cert_verify.result b/mysql-test/r/ssl_cert_verify.result
diff --git a/mysql-test/r/ssl_crl.result b/mysql-test/r/ssl_crl.result
@@ -1,23 +1,5 @@
-# test --crl for the client : should connect
+# try logging in with a certificate not in the server's --ssl-crl : should succeed
 Variable_name	Value
-have_openssl	YES
-have_ssl	YES
-ssl_ca	MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
-ssl_capath	
-ssl_cert	MYSQL_TEST_DIR/std_data/crl-server-cert.pem
-ssl_cipher	
-ssl_crl	MYSQL_TEST_DIR/std_data/crl-client-revoked.crl
-ssl_crlpath	
-ssl_key	MYSQL_TEST_DIR/std_data/crl-server-key.pem
-# test --crlpath for the client : should connect
-Variable_name	Value
-have_openssl	YES
-have_ssl	YES
-ssl_ca	MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
-ssl_capath	
-ssl_cert	MYSQL_TEST_DIR/std_data/crl-server-cert.pem
-ssl_cipher	
-ssl_crl	MYSQL_TEST_DIR/std_data/crl-client-revoked.crl
-ssl_crlpath	
-ssl_key	MYSQL_TEST_DIR/std_data/crl-server-key.pem
+Ssl_version	TLS_VERSION
 # try logging in with a certificate in the server's --ssl-crl : should fail
+ERROR 2026 (HY000): SSL connection error: sslv3 alert certificate revoked
diff --git a/mysql-test/r/ssl_crl_clients-valid.result b/mysql-test/r/ssl_crl_clients-valid.result
diff --git a/mysql-test/r/ssl_crl_clients.result b/mysql-test/r/ssl_crl_clients.result
@@ -1,7 +1,13 @@
 # Test clients with and without CRL lists
 ############ Test mysql ##############
 # Test mysql connecting to a server with a certificate revoked by -crl
+ERROR 2026 (HY000): SSL connection error: certificate revoked
 # Test mysql connecting to a server with a certificate revoked by -crlpath
+ERROR 2026 (HY000): SSL connection error: certificate revoked
 ############ Test mysqladmin ##############
 # Test mysqladmin connecting to a server with a certificate revoked by -crl
+mysqladmin: connect to server at 'localhost' failed
+error: 'SSL connection error: certificate revoked'
 # Test mysqladmin connecting to a server with a certificate revoked by -crlpath
+mysqladmin: connect to server at 'localhost' failed
+error: 'SSL connection error: certificate revoked'
diff --git a/mysql-test/r/ssl_crl_clients_valid.result b/mysql-test/r/ssl_crl_clients_valid.result
diff --git a/mysql-test/r/ssl_crl_clrpath.result b/mysql-test/r/ssl_crl_clrpath.result
diff --git a/mysql-test/std_data/ca-cert-verify.pem b/mysql-test/std_data/ca-cert-verify.pem
diff --git a/mysql-test/std_data/cacert.pem b/mysql-test/std_data/cacert.pem
@@ -2,78 +2,78 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            e5:b1:e3:71:e9:6f:a9:e1
+            d0:4d:23:85:ee:59:b3:fa
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: CN=cacert, C=FI, ST=Helsinki, L=Helsinki, O=MariaDB
         Validity
-            Not Before: Apr 25 20:52:21 2017 GMT
-            Not After : Apr 20 20:52:21 2037 GMT
+            Not Before: Jan 27 10:11:10 2019 GMT
+            Not After : Jan 22 10:11:10 2039 GMT
         Subject: CN=cacert, C=FI, ST=Helsinki, L=Helsinki, O=MariaDB
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (2048 bit)
                 Modulus:
-                    00:a0:ad:d5:b1:ec:45:6f:d6:33:fc:5a:03:29:14:
-                    f1:8e:78:d5:27:53:79:e0:92:7c:10:3b:79:a0:d7:
-                    b6:9d:a8:5c:4d:fa:68:11:b3:03:9e:ee:5e:20:79:
-                    23:d8:9c:49:34:9c:1d:c4:6e:53:1f:9a:92:1f:08:
-                    c1:15:e2:ad:cf:59:cd:1e:55:84:79:f9:09:ca:36:
-                    8a:50:83:c6:38:48:c6:d3:fa:f6:f2:2a:4f:bd:5d:
-                    60:9d:eb:21:c4:8c:f2:dd:2d:49:10:63:46:47:de:
-                    2d:59:a0:4a:e0:58:e6:c0:ae:d8:d4:5e:9a:f8:f5:
-                    68:1d:ea:80:8a:d6:01:b0:d5:5f:30:4d:88:5a:c5:
-                    1f:81:92:c1:40:54:c8:bb:a6:a1:43:de:81:3c:4b:
-                    79:95:82:bb:52:da:a3:a4:a0:69:ff:7e:00:8c:86:
-                    85:ec:af:03:68:a8:83:48:a0:e4:1d:31:a9:5c:47:
-                    99:9d:3a:3f:b5:3e:12:7c:4d:47:15:72:f1:11:5c:
-                    4a:ef:08:1c:7b:8f:e6:03:06:07:4f:94:21:b0:5e:
-                    27:fa:93:8c:b4:cc:56:34:3b:6d:c4:4a:14:57:b2:
-                    21:1a:3e:2f:c5:9e:47:1a:59:05:22:0e:56:b1:a7:
-                    e8:80:9b:82:c3:54:57:12:05:94:79:a2:03:d9:64:
-                    3c:63
+                    00:e8:0e:a7:84:d3:75:30:06:30:b2:10:b9:d1:88:
+                    36:2b:5e:f8:c8:44:57:cb:67:72:ab:96:95:33:d5:
+                    88:d1:8f:23:50:98:ba:6d:20:00:80:bd:35:d5:c1:
+                    bf:98:49:c4:0a:15:4a:34:a6:21:9b:2e:8c:15:09:
+                    f0:63:81:02:c2:7c:e2:53:e0:f7:a1:1a:40:5e:8f:
+                    41:4a:4c:56:d4:20:f1:d5:a7:c1:53:2e:ff:7e:37:
+                    17:cc:7e:74:bd:e2:22:33:ce:8c:77:62:a4:c5:3f:
+                    44:35:7b:7e:b9:f5:7d:8c:7a:27:58:fd:2c:42:86:
+                    2e:e7:6b:01:99:7b:fe:7d:a7:a1:4f:3e:39:39:54:
+                    1f:61:de:74:66:d1:77:4f:43:1b:66:70:29:85:de:
+                    fc:8f:8e:1b:7b:a2:66:48:26:7f:9b:a6:fd:4a:e4:
+                    dc:eb:ed:bd:f8:e3:f1:57:98:13:6f:f1:a3:2a:e3:
+                    73:bd:8d:7c:6f:4b:59:35:bc:b5:42:3e:99:a7:13:
+                    8d:be:2e:5c:9a:c6:5b:ab:ae:bf:00:e9:c8:ee:05:
+                    22:8e:d5:67:1a:47:9a:6d:9c:f9:42:3e:15:34:f8:
+                    31:ec:b4:7e:d3:92:95:b0:b8:f9:66:f3:bd:1d:31:
+                    2c:b1:90:62:a1:f8:4e:a6:5d:26:22:f0:e1:fe:16:
+                    2b:69
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                1C:C7:2B:AA:1B:B1:BB:2E:9A:F4:0F:B1:86:60:57:38:C2:41:05:12
+                CA:71:99:89:F0:72:AB:75:66:BB:65:6A:03:04:72:A5:7B:95:A6:93
             X509v3 Authority Key Identifier: 
-                keyid:1C:C7:2B:AA:1B:B1:BB:2E:9A:F4:0F:B1:86:60:57:38:C2:41:05:12
+                keyid:CA:71:99:89:F0:72:AB:75:66:BB:65:6A:03:04:72:A5:7B:95:A6:93
 
             X509v3 Basic Constraints: 
                 CA:TRUE
     Signature Algorithm: sha256WithRSAEncryption
-         0d:4b:21:52:fa:49:34:56:14:db:83:ae:1c:3d:a7:4d:3e:ea:
-         55:7e:1a:37:7a:65:89:ee:19:05:94:9d:3a:ad:59:c4:38:16:
-         b2:bd:02:ee:5a:a6:7e:e2:b1:21:a3:ad:af:8c:ae:c3:30:71:
-         ad:d7:d2:24:0f:c4:d9:47:80:c5:95:05:1d:7c:8a:49:0a:7d:
-         8b:61:ca:b5:68:3d:3e:4e:f1:c7:45:62:c8:cc:a9:2f:f3:12:
-         f1:3f:92:34:7f:07:ab:d3:ac:ab:af:2d:c9:69:63:8a:b2:e5:
-         35:ea:7d:b8:17:38:72:82:5f:96:3d:dc:8d:e5:11:bb:ae:f3:
-         02:2d:20:77:5c:64:59:18:a6:e7:fa:c7:89:e8:30:12:14:04:
-         40:5b:e9:b1:8f:86:81:b9:0d:6c:b6:fc:98:f9:b7:52:ab:8f:
-         7e:53:c8:a0:05:e4:cd:0d:6b:d2:74:9f:17:7a:a1:c3:76:5e:
-         f3:29:1c:c6:be:56:ab:02:f7:5d:e1:c9:21:27:6d:66:7a:41:
-         29:49:a3:f8:f5:2a:e7:03:2a:7c:52:4b:f5:46:58:45:be:a4:
-         4c:a0:65:37:1d:d8:ac:f8:1f:81:ca:9c:79:f0:ff:22:8c:1d:
-         ce:2b:d0:1e:ce:99:f2:db:fa:66:84:e6:86:6f:19:3b:10:f1:
-         92:ac:57:b2
+         df:fd:74:29:5b:5e:9a:8b:09:02:40:59:73:cb:71:47:3f:97:
+         3d:a9:fd:c4:8c:01:29:c9:86:b8:71:55:ff:72:0e:50:dc:c8:
+         b5:e6:91:41:52:47:21:30:cc:4d:e7:3b:4b:db:55:ea:7d:46:
+         eb:53:e0:b7:1b:80:7c:b1:0c:d3:d1:bc:a0:73:ae:96:1f:fd:
+         05:52:7e:54:d5:03:52:69:7b:34:5f:27:d7:98:da:98:76:73:
+         e6:bb:50:59:2a:94:90:67:03:1c:a4:76:2f:ee:ef:59:60:09:
+         48:33:03:2b:52:ed:83:42:f8:71:19:7f:d8:be:40:ed:20:01:
+         90:3c:7e:1c:8b:d2:9f:f3:2f:09:1f:50:c8:10:e1:8a:d9:a5:
+         49:9c:0b:74:17:b9:2b:68:f6:1e:73:c2:73:10:38:b3:35:e2:
+         87:91:1b:a1:d1:9b:81:9d:1b:32:cc:03:6e:4c:82:95:81:11:
+         42:56:e2:16:2b:22:65:db:40:2c:ca:dc:03:f4:d5:07:cf:f5:
+         13:b2:cf:51:5b:24:cd:c7:d1:9b:42:8e:f9:df:5d:1e:5a:09:
+         a3:4f:a9:0b:f4:21:c5:bb:ff:02:93:67:e8:2d:ee:ab:d9:59:
+         76:03:2c:a1:bd:fb:dc:af:b6:82:94:71:85:53:a8:18:0d:3a:
+         9e:42:eb:59
 -----BEGIN CERTIFICATE-----
-MIIDfzCCAmegAwIBAgIJAOWx43Hpb6nhMA0GCSqGSIb3DQEBCwUAMFYxDzANBgNV
+MIIDfzCCAmegAwIBAgIJANBNI4XuWbP6MA0GCSqGSIb3DQEBCwUAMFYxDzANBgNV
 BAMMBmNhY2VydDELMAkGA1UEBhMCRkkxETAPBgNVBAgMCEhlbHNpbmtpMREwDwYD
-VQQHDAhIZWxzaW5raTEQMA4GA1UECgwHTWFyaWFEQjAeFw0xNzA0MjUyMDUyMjFa
-Fw0zNzA0MjAyMDUyMjFaMFYxDzANBgNVBAMMBmNhY2VydDELMAkGA1UEBhMCRkkx
+VQQHDAhIZWxzaW5raTEQMA4GA1UECgwHTWFyaWFEQjAeFw0xOTAxMjcxMDExMTBa
+Fw0zOTAxMjIxMDExMTBaMFYxDzANBgNVBAMMBmNhY2VydDELMAkGA1UEBhMCRkkx
 ETAPBgNVBAgMCEhlbHNpbmtpMREwDwYDVQQHDAhIZWxzaW5raTEQMA4GA1UECgwH
-TWFyaWFEQjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKCt1bHsRW/W
-M/xaAykU8Y541SdTeeCSfBA7eaDXtp2oXE36aBGzA57uXiB5I9icSTScHcRuUx+a
-kh8IwRXirc9ZzR5VhHn5Cco2ilCDxjhIxtP69vIqT71dYJ3rIcSM8t0tSRBjRkfe
-LVmgSuBY5sCu2NRemvj1aB3qgIrWAbDVXzBNiFrFH4GSwUBUyLumoUPegTxLeZWC
-u1Lao6Sgaf9+AIyGheyvA2iog0ig5B0xqVxHmZ06P7U+EnxNRxVy8RFcSu8IHHuP
-5gMGB0+UIbBeJ/qTjLTMVjQ7bcRKFFeyIRo+L8WeRxpZBSIOVrGn6ICbgsNUVxIF
-lHmiA9lkPGMCAwEAAaNQME4wHQYDVR0OBBYEFBzHK6obsbsumvQPsYZgVzjCQQUS
-MB8GA1UdIwQYMBaAFBzHK6obsbsumvQPsYZgVzjCQQUSMAwGA1UdEwQFMAMBAf8w
-DQYJKoZIhvcNAQELBQADggEBAA1LIVL6STRWFNuDrhw9p00+6lV+Gjd6ZYnuGQWU
-nTqtWcQ4FrK9Au5apn7isSGjra+MrsMwca3X0iQPxNlHgMWVBR18ikkKfYthyrVo
-PT5O8cdFYsjMqS/zEvE/kjR/B6vTrKuvLclpY4qy5TXqfbgXOHKCX5Y93I3lEbuu
-8wItIHdcZFkYpuf6x4noMBIUBEBb6bGPhoG5DWy2/Jj5t1Krj35TyKAF5M0Na9J0
-nxd6ocN2XvMpHMa+VqsC913hySEnbWZ6QSlJo/j1KucDKnxSS/VGWEW+pEygZTcd
-2Kz4H4HKnHnw/yKMHc4r0B7OmfLb+maE5oZvGTsQ8ZKsV7I=
+TWFyaWFEQjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOgOp4TTdTAG
+MLIQudGINite+MhEV8tncquWlTPViNGPI1CYum0gAIC9NdXBv5hJxAoVSjSmIZsu
+jBUJ8GOBAsJ84lPg96EaQF6PQUpMVtQg8dWnwVMu/343F8x+dL3iIjPOjHdipMU/
+RDV7frn1fYx6J1j9LEKGLudrAZl7/n2noU8+OTlUH2HedGbRd09DG2ZwKYXe/I+O
+G3uiZkgmf5um/Urk3Ovtvfjj8VeYE2/xoyrjc72NfG9LWTW8tUI+macTjb4uXJrG
+W6uuvwDpyO4FIo7VZxpHmm2c+UI+FTT4Mey0ftOSlbC4+WbzvR0xLLGQYqH4TqZd
+JiLw4f4WK2kCAwEAAaNQME4wHQYDVR0OBBYEFMpxmYnwcqt1ZrtlagMEcqV7laaT
+MB8GA1UdIwQYMBaAFMpxmYnwcqt1ZrtlagMEcqV7laaTMAwGA1UdEwQFMAMBAf8w
+DQYJKoZIhvcNAQELBQADggEBAN/9dClbXpqLCQJAWXPLcUc/lz2p/cSMASnJhrhx
+Vf9yDlDcyLXmkUFSRyEwzE3nO0vbVep9RutT4LcbgHyxDNPRvKBzrpYf/QVSflTV
+A1JpezRfJ9eY2ph2c+a7UFkqlJBnAxykdi/u71lgCUgzAytS7YNC+HEZf9i+QO0g
+AZA8fhyL0p/zLwkfUMgQ4YrZpUmcC3QXuSto9h5zwnMQOLM14oeRG6HRm4GdGzLM
+A25MgpWBEUJW4hYrImXbQCzK3AP01QfP9ROyz1FbJM3H0ZtCjvnfXR5aCaNPqQv0
+IcW7/wKTZ+gt7qvZWXYDLKG9+9yvtoKUcYVTqBgNOp5C61k=
 -----END CERTIFICATE-----