Re: [exim] "Could not negotiate a supported cipher suite" wi…

Etusivu
Poista viesti
Vastaa
Lähettäjä: Viktor Dukhovni
Päiväys:  
Vastaanottaja: exim-users
Aihe: Re: [exim] "Could not negotiate a supported cipher suite" with 2048-bit RSA server key
On Wed, Feb 12, 2014 at 10:55:48PM +0100, Magnus Holmgren wrote:

> However, I upgraded my RSA key from a 1024-bit one to 2048 bits the other day
> because cacert.org requires at least that strong a key. Also, the certificate
> is signed by an intermediate certificate that had to be included in the
> tls_certificate file. Now TLS 1.2 doesn't work. mainlog says "Could not
> negotiate a supported cipher suite" and openssl s_client says (after sending
> the client handshake):


Your leaf certificate is signed with SHA2-512. With TLS 1.2 the
set of digest algorithms used in SSL is negotiated via extensions,
and perhaps when the client does not offer SHA2-512, the server
is unwilling to use a certificate with SHA2-512.

CAcert are really going overboard with SHA2-512, it is way stronger
than RSA-2048, which is at best 128-bits (symmetric equivalent)
strong, and the companion digest should be at best SHA2-256. In
fact SHA1 would for now be a better (more interoperable) choice as
TLS 1.0 and TLS 1.1 do not negotiate digests, and some clients
don't implement any of the SHA-2 algorithms.

Since MTAs don't use public CAs to verify certificates, unless you
have submission users (should be on port 587 not 25, and should
use a separate cert) you don't need a CA-issued certificate at all.

> Disabling TLS 1.2 with e.g. tls_require_ciphers = NORMAL:-VERS-TLS1.2 makes
> the handshake succeed.


There could perhaps be a different problem, maybe even a bug in
GnuTLS TLS 1.2 support. Still SHA2-512 stands out like a sore
thumb.

> You can connect to fw.kibibyte.se:25 and do STARTTLS if you want to see the
> certificates. The above workaround is currently in effect, however.


posttls-finger: Untrusted TLS connection established to fw.kibibyte.se[212.85.79.68]:25: TLSv1.1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 139378 (0x22072)
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
        Validity
            Not Before: Feb 10 21:08:42 2014 GMT
            Not After : Feb 10 21:08:42 2016 GMT
        Subject: CN=*.kibibyte.se
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:dd:0e:56:4d:a8:00:04:48:e6:9c:f1:ba:50:92:
                    bd:5b:08:8c:46:f4:2f:e9:9b:e8:fc:19:54:f9:41:
                    ec:bb:22:bb:6b:a5:bd:28:7f:2d:3a:f3:48:d3:fa:
                    62:7b:9d:df:8b:44:5b:3f:e2:18:d8:85:b3:e2:2a:
                    08:3e:66:4b:01:ff:e2:f0:bb:b0:04:53:20:a4:15:
                    10:74:d1:5e:b7:f8:80:ff:6b:38:81:74:97:9d:9e:
                    82:dd:c2:37:a5:c7:21:5e:01:ea:bb:44:ba:b8:d9:
                    fe:90:bd:63:71:92:7a:b1:e2:5f:44:28:f1:c4:aa:
                    74:63:87:2b:0a:c6:fc:44:27:ad:28:8f:8b:2d:ab:
                    16:d9:0f:0a:4f:9a:e6:15:69:ff:bf:d3:88:c2:14:
                    71:95:de:04:3f:1f:25:fd:a1:01:67:28:bd:09:49:
                    89:9a:57:4f:3a:8f:02:93:de:4d:65:36:18:b1:42:
                    69:1c:3f:75:9f:63:6b:bf:fd:0a:f4:33:ed:ae:c2:
                    ba:e2:f3:7c:a4:f0:1d:9b:f0:ed:b9:e7:99:da:77:
                    f4:33:41:55:2e:58:01:64:fb:00:42:8d:7c:b3:2b:
                    40:8a:52:b2:7b:7a:27:c4:b5:27:ba:f8:b6:76:c6:
                    5a:e0:a2:66:21:6f:ee:8e:17:2d:6d:42:59:2d:e3:
                    56:b5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access: 
                OCSP - URI:http://ocsp.cacert.org/


            X509v3 CRL Distribution Points: 


                Full Name:
                  URI:http://crl.cacert.org/class3-revoke.crl


            X509v3 Subject Alternative Name: 
                DNS:*.kibibyte.se, othername:<unsupported>
    Signature Algorithm: sha512WithRSAEncryption
        5a:ee:82:c6:f1:17:52:bd:b9:55:76:6f:44:4f:d2:8e:d6:fa:
        0a:5b:f3:22:8a:9a:5c:1c:fe:94:11:d4:8e:4a:1e:69:4a:1b:
        c6:58:11:e0:de:af:f6:b5:3b:44:43:9d:cd:d1:62:10:5b:07:
        9f:b9:68:87:af:d9:70:7e:eb:66:dd:79:ad:b6:1c:4c:69:47:
        88:ad:41:79:71:7c:66:47:95:44:32:79:0a:a3:27:88:57:27:
        90:f5:9c:4b:b4:ae:c0:b7:90:2f:4a:e0:b0:f7:19:aa:9e:e3:
        00:9e:64:73:5a:ef:4b:5e:1c:88:60:7e:c9:64:13:c2:bb:c8:
        36:72:4d:95:c3:51:fd:13:73:60:43:f1:4f:c9:2e:b9:bf:1c:
        8f:cb:b0:5d:71:26:5e:9c:b8:63:3d:10:ae:eb:64:a7:ab:ee:
        cd:e3:5c:84:69:b5:2f:f3:31:0e:02:eb:da:6f:8c:94:90:82:
        4e:54:f1:f4:d2:bc:0b:7d:66:ea:6f:36:4a:45:ce:c2:d9:0a:
        e8:69:7d:1a:2a:b6:a3:8d:94:44:9a:91:aa:dd:c9:2d:f5:4f:
        ef:b2:a5:1e:0d:a4:64:97:1d:0e:41:85:36:2b:f6:f3:ef:8c:
        e5:01:4c:54:ed:49:8d:57:53:da:e2:ce:0f:54:0e:62:47:4f:
        d7:00:76:e8:48:1f:13:a6:0d:87:33:ff:1b:ae:b1:55:ac:a8:
        df:c1:f8:10:1b:d4:4e:a5:fb:c7:1f:d7:99:7c:c5:7e:5a:80:
        d1:83:87:07:f3:ce:69:f6:13:88:a5:18:3f:aa:03:12:a4:42:
        e2:64:50:78:ae:b0:bb:c5:8e:1f:fc:0d:1f:c3:6c:a0:ab:56:
        3e:6a:32:9b:c5:87:35:09:8d:c7:2f:06:da:c6:3a:bb:ae:1d:
        84:8f:28:eb:40:2c:d8:78:a5:9a:e1:39:66:b6:26:3a:15:57:
        05:f4:26:c1:bf:a2:ef:94:86:8b:10:a1:40:15:44:43:18:30:
        ac:64:9b:b5:f1:15:ab:a2:03:be:13:9f:53:5e:bb:bb:fe:e8:
        8b:15:27:0c:6e:cd:1b:ad:67:90:44:01:13:15:7e:d3:b7:1c:
        bc:a0:b4:51:fa:26:f2:a8:c0:d3:e2:68:04:d8:a7:65:7a:76:
        d3:28:1c:56:a2:2f:7b:76:78:2c:0b:2c:f9:72:69:47:07:11:
        4d:3d:aa:c0:99:3d:89:07:9b:ed:35:da:a0:8e:b8:90:52:d8:
        07:f7:ec:d8:b5:18:ec:05:51:5b:b3:4e:00:fd:f8:4f:b9:7f:
        b5:5e:b6:39:ea:a0:ee:89:fa:76:2d:4c:f7:c2:60:31:a2:f5:
        54:bd:2e:36:77:0b:ab:b7
-----BEGIN CERTIFICATE-----
MIIE5zCCAs+gAwIBAgIDAiByMA0GCSqGSIb3DQEBDQUAMFQxFDASBgNVBAoTC0NB
Y2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNV
BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMTQwMjEwMjEwODQyWhcNMTYwMjEw
MjEwODQyWjAYMRYwFAYDVQQDFA0qLmtpYmlieXRlLnNlMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEA3Q5WTagABEjmnPG6UJK9WwiMRvQv6Zvo/BlU+UHs
uyK7a6W9KH8tOvNI0/pie53fi0RbP+IY2IWz4ioIPmZLAf/i8LuwBFMgpBUQdNFe
t/iA/2s4gXSXnZ6C3cI3pcchXgHqu0S6uNn+kL1jcZJ6seJfRCjxxKp0Y4crCsb8
RCetKI+LLasW2Q8KT5rmFWn/v9OIwhRxld4EPx8l/aEBZyi9CUmJmldPOo8Ck95N
ZTYYsUJpHD91n2Nrv/0K9DPtrsK64vN8pPAdm/DtueeZ2nf0M0FVLlgBZPsAQo18
sytAilKye3onxLUnuvi2dsZa4KJmIW/ujhctbUJZLeNWtQIDAQABo4H9MIH6MAwG
A1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgOoMDQGA1UdJQQtMCsGCCsGAQUFBwMC
BggrBgEFBQcDAQYJYIZIAYb4QgQBBgorBgEEAYI3CgMDMDMGCCsGAQUFBwEBBCcw
JTAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuY2FjZXJ0Lm9yZy8wOAYDVR0fBDEw
LzAtoCugKYYnaHR0cDovL2NybC5jYWNlcnQub3JnL2NsYXNzMy1yZXZva2UuY3Js
MDUGA1UdEQQuMCyCDSoua2liaWJ5dGUuc2WgGwYIKwYBBQUHCAWgDwwNKi5raWJp
Ynl0ZS5zZTANBgkqhkiG9w0BAQ0FAAOCAgEAWu6CxvEXUr25VXZvRE/Sjtb6Clvz
IoqaXBz+lBHUjkoeaUobxlgR4N6v9rU7REOdzdFiEFsHn7loh6/ZcH7rZt15rbYc
TGlHiK1BeXF8ZkeVRDJ5CqMniFcnkPWcS7SuwLeQL0rgsPcZqp7jAJ5kc1rvS14c
iGB+yWQTwrvINnJNlcNR/RNzYEPxT8kuub8cj8uwXXEmXpy4Yz0Qrutkp6vuzeNc
hGm1L/MxDgLr2m+MlJCCTlTx9NK8C31m6m82SkXOwtkK6Gl9Giq2o42URJqRqt3J
LfVP77KlHg2kZJcdDkGFNiv28++M5QFMVO1JjVdT2uLOD1QOYkdP1wB26EgfE6YN
hzP/G66xVayo38H4EBvUTqX7xx/XmXzFflqA0YOHB/POafYTiKUYP6oDEqRC4mRQ
eK6wu8WOH/wNH8NsoKtWPmoym8WHNQmNxy8G2sY6u64dhI8o60As2HilmuE5ZrYm
OhVXBfQmwb+i75SGixChQBVEQxgwrGSbtfEVq6IDvhOfU167u/7oixUnDG7NG61n
kEQBExV+07ccvKC0Ufom8qjA0+JoBNinZXp20ygcVqIve3Z4LAss+XJpRwcRTT2q
wJk9iQeb7TXaoI64kFLYB/fs2LUY7AVRW7NOAP34T7l/tV62Oeqg7on6di1M98Jg
MaL1VL0uNncLq7c=
-----END CERTIFICATE-----


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 672138 (0xa418a)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@???
        Validity
            Not Before: May 23 17:48:02 2011 GMT
            Not After : May 20 17:48:02 2021 GMT
        Subject: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:ab:49:35:11:48:7c:d2:26:7e:53:94:cf:43:a9:
                    dd:28:d7:42:2a:8b:f3:87:78:19:58:7c:0f:9e:da:
                    89:7d:e1:fb:eb:72:90:0d:74:a1:96:64:ab:9f:a0:
                    24:99:73:da:e2:55:76:c7:17:7b:f5:04:ac:46:b8:
                    c3:be:7f:64:8d:10:6c:24:f3:61:9c:c0:f2:90:fa:
                    51:e6:f5:69:01:63:c3:0f:56:e2:4a:42:cf:e2:44:
                    8c:25:28:a8:c5:79:09:7d:46:b9:8a:f3:e9:f3:34:
                    29:08:45:e4:1c:9f:cb:94:04:1c:81:a8:14:b3:98:
                    65:c4:43:ec:4e:82:8d:09:d1:bd:aa:5b:8d:92:d0:
                    ec:de:90:c5:7f:0a:c2:e3:eb:e6:31:5a:5e:74:3e:
                    97:33:59:e8:c3:03:3d:60:33:bf:f7:d1:6f:47:c4:
                    cd:ee:62:83:52:6e:2e:08:9a:a4:d9:15:18:91:a6:
                    85:92:47:b0:ae:48:eb:6d:b7:21:ec:85:1a:68:72:
                    35:ab:ff:f0:10:5d:c0:f4:94:a7:6a:d5:3b:92:7e:
                    4c:90:05:7e:93:c1:2c:8b:a4:8e:62:74:15:71:6e:
                    0b:71:03:ea:af:15:38:9a:d4:d2:05:72:6f:8c:f9:
                    2b:eb:5a:72:25:f9:39:46:e3:72:1b:3e:04:c3:64:
                    27:22:10:2a:8a:4f:58:a7:03:ad:be:b4:2e:13:ed:
                    5d:aa:48:d7:d5:7d:d4:2a:7b:5c:fa:46:04:50:e4:
                    cc:0e:42:5b:8c:ed:db:f2:cf:fc:96:93:e0:db:11:
                    36:54:62:34:38:8f:0c:60:9b:3b:97:56:38:ad:f3:
                    d2:5b:8b:a0:5b:ea:4e:96:b8:7c:d7:d5:a0:86:70:
                    40:d3:91:29:b7:a2:3c:ad:f5:8c:bb:cf:1a:92:8a:
                    e4:34:7b:c0:d8:6c:5f:e9:0a:c2:c3:a7:20:9a:5a:
                    df:2c:5d:52:5c:ba:47:d5:9b:ef:24:28:70:38:20:
                    2f:d5:7f:29:c0:b2:41:03:68:92:cc:e0:9c:cc:97:
                    4b:45:ef:3a:10:0a:ab:70:3a:98:95:70:ad:35:b1:
                    ea:85:2b:a4:1c:80:21:31:a9:ae:60:7a:80:26:48:
                    00:b8:01:c0:93:63:55:22:91:3c:56:e7:af:db:3a:
                    25:f3:8f:31:54:ea:26:8b:81:59:f9:a1:d1:53:11:
                    c5:7b:9d:03:f6:74:11:e0:6d:b1:2c:3f:2c:86:91:
                    99:71:9a:a6:77:8b:34:60:d1:14:b4:2c:ac:9d:af:
                    8c:10:d3:9f:c4:6a:f8:6f:13:fc:73:59:f7:66:42:
                    74:1e:8a:e3:f8:dc:d2:6f:98:9c:cb:47:98:95:40:
                    05:fb:e9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                75:A8:71:60:4C:88:13:F0:78:D9:89:77:B5:6D:C5:89:DF:BC:B1:7A
            X509v3 Authority Key Identifier: 
                keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
                DirName:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@???
                serial:00


            X509v3 Basic Constraints: critical
                CA:TRUE
            Authority Information Access: 
                OCSP - URI:http://ocsp.CAcert.org/
                CA Issuers - URI:http://www.CAcert.org/ca.crt


            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.18506
                  CPS: http://www.CAcert.org/index.php?id=10


            Netscape CA Policy Url: 
                http://www.CAcert.org/index.php?id=10
            Netscape Comment: 
                To get your own certificate for FREE, go to http://www.CAcert.org
    Signature Algorithm: sha256WithRSAEncryption
        29:28:85:ae:44:a9:b9:af:a4:79:13:f0:a8:a3:2b:97:60:f3:
        5c:ee:e3:2f:c1:f6:e2:66:a0:11:ae:36:37:3a:76:15:04:53:
        ea:42:f5:f9:ea:c0:15:d8:a6:82:d9:e4:61:ae:72:0b:29:5c:
        90:43:e8:41:b2:e1:77:db:02:13:44:78:47:55:af:58:fc:cc:
        98:f6:45:b9:d1:20:f8:d8:21:07:fe:6d:aa:73:d4:b3:c6:07:
        e9:09:85:cc:3b:f2:b6:be:2c:1c:25:d5:71:8c:39:b5:2e:ea:
        be:18:81:ba:b0:93:b8:0f:e3:e6:d7:26:8c:31:5a:72:03:84:
        52:e6:a6:f5:33:22:45:0a:c8:0b:0d:8a:b8:36:6f:90:09:a1:
        ab:bd:d7:d5:4e:2e:71:a2:d4:ae:fa:a7:54:2b:eb:35:8d:5a:
        b7:54:88:2f:ee:74:9f:ed:48:16:ca:0d:48:d0:94:d3:ac:a4:
        a2:f6:24:df:92:e3:bd:eb:43:40:91:6e:1c:18:8e:56:b4:82:
        12:f3:a9:93:9f:d4:bc:9c:ad:9c:75:ee:5a:97:1b:95:e7:74:
        2d:1c:0f:b0:2c:97:9f:fb:a9:33:39:7a:e7:03:3a:92:8e:22:
        f6:8c:0d:e4:d9:7e:0d:76:18:f7:01:f9:ef:96:96:a2:55:73:
        c0:3c:71:b4:1d:1a:56:43:b7:c3:0a:8d:72:fc:e2:10:09:0b:
        41:ce:8c:94:a0:f9:03:fd:71:73:4b:8a:57:33:e5:8e:74:7e:
        15:01:00:e6:cc:4a:1c:e7:7f:95:19:2d:c5:a5:0c:8b:bb:b5:
        ed:85:b3:5c:d3:df:b8:b9:f2:ca:c7:0d:01:14:ac:70:58:c5:
        8c:8d:33:d4:9d:66:a3:1a:50:95:23:fc:48:e0:06:43:12:d9:
        cd:a7:86:39:2f:36:72:a3:80:10:e4:e1:f3:d1:cb:5b:1a:c0:
        e4:80:9a:7c:13:73:06:4f:db:a3:6b:24:0a:ba:b3:1c:bc:4a:
        78:bb:e5:e3:75:38:a5:48:a7:a2:1e:af:76:d4:5e:f7:38:86:
        56:5a:89:ce:d6:c3:a7:79:b2:52:a0:c6:f1:85:b4:25:8c:f2:
        3f:96:b3:10:d9:8d:6c:57:3b:9f:6f:86:3a:18:82:22:36:c8:
        b0:91:38:db:2a:a1:93:aa:84:3f:f5:27:65:ae:73:d5:c8:d5:
        d3:77:ea:4b:9d:c7:41:bb:c7:c0:e3:a0:3f:e4:7d:a4:8d:73:
        e6:12:4b:df:a1:73:73:73:3a:80:e8:d5:cb:8e:2f:cb:ea:13:
        a7:d6:41:8b:ac:fa:3c:89:d7:24:f5:4e:b4:e0:61:92:b7:f3:
        37:98:c4:be:96:a3:b7:8a
-----BEGIN CERTIFICATE-----
MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv
b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU
MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow
gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV
BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG
A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS
c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH
AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr
BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB
MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj
ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5
b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D
QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc
7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH
Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4
D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3
VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a
lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW
Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt
hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz
0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn
ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT
d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
4GGSt/M3mMS+lqO3ig==
-----END CERTIFICATE-----