add host_override to parent.config and other sni name fixes

include/proxy/ParentSelection.h

@@ -167,6 +167,7 @@ class ParentRecord : public ControlBase
   int                             max_unavailable_server_retries     = 1;
   int                             secondary_mode                     = 1;
   bool                            ignore_self_detect                 = false;
+  bool                            host_override                      = false;
   ParentHashAlgorithm             consistent_hash_algorithm          = ParentHashAlgorithm::SIPHASH24;
   uint64_t                        consistent_hash_seed0              = 0;
   uint64_t                        consistent_hash_seed1              = 0;
@@ -242,6 +243,20 @@ struct ParentResult {
     return is_api_result() ? ParentRetry_t::NONE : rec->parent_retry;
   }
 
+  bool
+  host_override() const
+  {
+    if (is_api_result()) {
+      return false;
+    }
+
+    if (!is_some()) {
+      return false;
+    }
+
+    return rec->host_override;
+  }
+
   unsigned
   max_retries(ParentRetry_t method) const
   {

include/proxy/http/remap/NextHopSelectionStrategy.h

@@ -27,7 +27,6 @@
 #include <utility>
 
 #include "ts/apidefs.h"
-#include "proxy/ParentSelection.h"
 #include "proxy/http/HttpTransact.h"
 
 #ifndef _NH_UNIT_TESTS_
@@ -199,8 +198,6 @@ class NextHopSelectionStrategy
                            const time_t now = 0);
   bool         nextHopExists(TSHttpTxn txnp, void *ih = nullptr);
 
-  void setHostHeader(TSHttpTxn txnp, const char *hostname);
-
   virtual ParentRetry_t responseIsRetryable(int64_t sm_id, HttpTransact::CurrentInfo &current_info, HTTPStatus response_code);
 
   void retryComplete(TSHttpTxn txn, const char *hostname, const int port);

src/proxy/ParentSelection.cc

@@ -797,6 +797,13 @@ ParentRecord::Init(matcher_line *line_info)
         ignore_self_detect = false;
       }
       used = true;
+    } else if (strcasecmp(label, "host_override") == 0) {
+      if (strcasecmp(val, "true") == 0) {
+        host_override = true;
+      } else {
+        host_override = false;
+      }
+      used = true;
     } else if (strcasecmp(label, "hash_algorithm") == 0) {
       consistent_hash_algorithm = parseHashAlgorithm(val);
       used                      = true;

src/proxy/http/HttpSM.cc

@@ -5274,11 +5274,11 @@ HttpSM::get_outbound_sni() const
     // By default the host header field value is used for the SNI.
     zret = t_state.hdr_info.server_request.host_get();
   } else if (_ua.get_txn() && policy == "server_name"_tv) {
-    const char *server_name = snis->get_sni_server_name();
-    if (server_name[0] == '\0') {
+    const char *const server_name = snis->get_sni_server_name();
+    if (nullptr == server_name || server_name[0] == '\0') {
       zret.assign(nullptr, swoc::TextView::npos);
     } else {
-      zret.assign(snis->get_sni_server_name(), swoc::TextView::npos);
+      zret.assign(server_name, swoc::TextView::npos);
     }
   } else if (policy.front() == '@') { // guaranteed non-empty from previous clause
     zret = policy.remove_prefix(1);

src/proxy/http/HttpTransact.cc

@@ -139,19 +139,49 @@ bypass_ok(HttpTransact::State *s)
   return false;
 }
 
+// wrapper to choose between a remap next hop strategy or use parent.config
+// remap next hop strategy is preferred
+inline static bool
+host_override(HttpTransact::State *s)
+{
+  bool res = false;
+  if (nullptr != s->next_hop_strategy) {
+    // remap strategies do not support the TSHttpTxnParentProxySet API.
+    res = s->next_hop_strategy->host_override;
+  } else if (nullptr != s->parent_params) {
+    res = s->parent_result.host_override();
+  }
+  return res;
+}
+
+// wrapper to choose between a remap next hop strategy or use parent.config
+// remap next hop strategy is preferred
+inline static bool
+is_some(HttpTransact::State *s)
+{
+  bool res = false;
+  if (nullptr != s->next_hop_strategy) {
+    // remap strategies do not support the TSHttpTxnParentProxySet API.
+    res = s->parent_result.result == ParentResultType::SPECIFIED;
+  } else if (nullptr != s->parent_params) {
+    res = s->parent_result.is_some();
+  }
+  return res;
+}
+
 // wrapper to choose between a remap next hop strategy or use parent.config
 // remap next hop strategy is preferred
 inline static bool
 is_api_result(HttpTransact::State *s)
 {
-  bool r = false;
+  bool res = false;
   if (nullptr != s->next_hop_strategy) {
     // remap strategies do not support the TSHttpTxnParentProxySet API.
-    r = false;
+    res = false;
   } else if (nullptr != s->parent_params) {
-    r = s->parent_result.is_api_result();
+    res = s->parent_result.is_api_result();
   }
-  return r;
+  return res;
 }
 
 // wrapper to get the max_retries.
@@ -207,6 +237,8 @@ retry_type(HttpTransact::State *s)
 inline static void
 findParent(HttpTransact::State *s)
 {
+  TxnDbg(dbg_ctl_http_trans, "findParent");
+
   Metrics::Counter::increment(http_rsb.parent_count);
   if (s->response_action.handled) {
     s->parent_result.hostname = s->response_action.action.hostname;
@@ -295,6 +327,8 @@ parentExists(HttpTransact::State *s)
 inline static void
 nextParent(HttpTransact::State *s)
 {
+  TxnDbg(dbg_ctl_http_trans, "nextParent");
+
   TxnDbg(dbg_ctl_parent_down, "connection to parent %s failed, conn_state: %s, request to origin: %s", s->parent_result.hostname,
          HttpDebugNames::get_server_state_name(s->current.state), s->request_data.get_host());
   Metrics::Counter::increment(http_rsb.parent_count);
@@ -594,15 +628,19 @@ find_server_and_update_current_info(HttpTransact::State *s)
     TxnDbg(dbg_ctl_http_trans, "request is from localhost, so bypass parent");
     s->parent_result.result = ParentResultType::DIRECT;
   } else if (s->method == HTTP_WKSIDX_CONNECT && s->http_config_param->disable_ssl_parenting) {
+    /// BNO
+
     if (s->parent_result.result == ParentResultType::SPECIFIED) {
       nextParent(s);
     } else {
       findParent(s);
     }
-    if (!s->parent_result.is_some() || is_api_result(s) || parent_is_proxy(s)) {
+
+    if (!is_some(s) || is_api_result(s) || parent_is_proxy(s)) {
       TxnDbg(dbg_ctl_http_trans, "request not cacheable, so bypass parent");
       s->parent_result.result = ParentResultType::DIRECT;
     }
+
   } else if (s->txn_conf->uncacheable_requests_bypass_parent && s->txn_conf->no_dns_forward_to_parent == 0 &&
              !HttpTransact::is_request_cache_lookupable(s)) {
     // request not lookupable and cacheable, so bypass parent if the parent is not an origin server.
@@ -616,10 +654,12 @@ find_server_and_update_current_info(HttpTransact::State *s)
     } else {
       findParent(s);
     }
-    if (!s->parent_result.is_some() || is_api_result(s) || parent_is_proxy(s)) {
+
+    if (!is_some(s) || is_api_result(s) || parent_is_proxy(s)) {
       TxnDbg(dbg_ctl_http_trans, "request not cacheable, so bypass parent");
       s->parent_result.result = ParentResultType::DIRECT;
     }
+
   } else {
     switch (s->parent_result.result) {
     case ParentResultType::UNDEFINED:
@@ -660,14 +700,29 @@ find_server_and_update_current_info(HttpTransact::State *s)
   }
 
   switch (s->parent_result.result) {
-  case ParentResultType::SPECIFIED:
-    s->parent_info.name = s->arena.str_store(s->parent_result.hostname, strlen(s->parent_result.hostname));
+  case ParentResultType::SPECIFIED: {
+    char const *const hostname = s->parent_result.hostname;
+    s->parent_info.name        = s->arena.str_store(hostname, strlen(hostname));
+
+    // if host header override option enabled
+    if (host_override(s)) {
+      TxnDbg(dbg_ctl_http_trans, "overriding host header with parent %s", hostname);
+      if (!s->hdr_info.server_request.valid()) {
+        s->hdr_info.client_request.value_set(static_cast<std::string_view>(MIME_FIELD_HOST), hostname);
+        s->hdr_info.client_request.mark_target_dirty();
+      } else {
+        s->hdr_info.server_request.value_set(static_cast<std::string_view>(MIME_FIELD_HOST), hostname);
+        s->hdr_info.server_request.mark_target_dirty();
+      }
+    }
+
     update_current_info(&s->current, &s->parent_info, ResolveInfo::PARENT_PROXY, false);
     update_dns_info(&s->dns_info, &s->current);
     ink_assert(s->dns_info.looking_up == ResolveInfo::PARENT_PROXY);
     s->next_hop_scheme = URL_WKSIDX_HTTP;
 
     return ResolveInfo::PARENT_PROXY;
+  }
   case ParentResultType::FAIL:
     // No more parents - need to return an error message
     s->current.request_to = ResolveInfo::HOST_NONE;

src/proxy/http/remap/NextHopConsistentHash.cc

@@ -547,8 +547,4 @@ NextHopConsistentHash::findNextHop(TSHttpTxn txnp, void * /* ih ATS_UNUSED */, t
     NH_Dbg(NH_DBG_CTL, "[%" PRIu64 "] result.result: %s set hostname null port 0 retry false", sm_id,
            ParentResultStr[static_cast<int>(result.result)]);
   }
-
-  setHostHeader(txnp, result.hostname);
-
-  return;
 }

src/proxy/http/remap/NextHopRoundRobin.cc

@@ -170,7 +170,6 @@ NextHopRoundRobin::findNextHop(TSHttpTxn txnp, void * /* ih ATS_UNUSED */, time_
       result->last_parent = cur_hst_index;
       result->last_group  = cur_grp_index;
       result->retry       = parentRetry;
-      setHostHeader(txnp, result->hostname);
       ink_assert(result->hostname != nullptr);
       ink_assert(result->port != 0);
       NH_Dbg(NH_DBG_CTL, "[%" PRIu64 "] Chosen parent = %s.%d", sm_id, result->hostname, result->port);

src/proxy/http/remap/NextHopSelectionStrategy.cc

@@ -265,16 +265,6 @@ NextHopSelectionStrategy::markNextHop(TSHttpTxn txnp, const char *hostname, cons
   return passive_health.markNextHop(txnp, hostname, port, status, ih, now);
 }
 
-void
-NextHopSelectionStrategy::setHostHeader(TSHttpTxn txnp, const char *hostname)
-{
-  if (host_override && nullptr != hostname) {
-    HttpSM *sm = reinterpret_cast<HttpSM *>(txnp);
-    sm->t_state.hdr_info.client_request.value_set(static_cast<std::string_view>(MIME_FIELD_HOST), hostname);
-    NH_Dbg(NH_DBG_CTL, "[%" PRIu64 "] overriding host header with parent %s", sm->sm_id, hostname);
-  }
-}
-
 bool
 NextHopSelectionStrategy::nextHopExists(TSHttpTxn txnp, void * /* ih ATS_UNUSED */)
 {

tests/gold_tests/tls/ssl/gen_foobar_certs.sh

@@ -0,0 +1,29 @@
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+# bash script used to generate sni parent test certs
+
+for name in foo bar
+do
+  openssl req -x509 -newkey rsa:2048 \
+    -keyout server-${name}.key -out server-${name}.pem \
+    -days 3650 -nodes \
+    -subj "/C=US/ST=CO/L=Denver/O=Comcast/OU=Edge/CN=${name}.com" \
+    -addext "subjectAltName=DNS:${name}.com,DNS:www.${name}.com,DNS:*.${name}.com" \
+    -addext "basicConstraints=critical,CA:TRUE" \
+    -addext "keyUsage=critical,keyCertSign,cRLSign" \
+    -addext "subjectKeyIdentifier=hash"
+done

tests/gold_tests/tls/ssl/server-bar.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC7hSSKR+PDyaK9
+Qf5Wi2DoBedwTaIiHRVUOmjGMhb9bHH/xQ1xXbIlXhl9LB5z6KWZTLN/6tDbJMlk
+SF5CEPLXt0+XSwpx1ZZpBaxInKCZoiUbfazwb95y8evPYfOOmMR8tP/BKtygo0+U
+MbzjpIGZEdOkyWF6U4BtMJopC41JOxkrwvGG3DDBDNMui3qAgpmedylGhz7Lilpu
+XLc2cprtIBbo8jcQj4G0My5flZhvHmFe29L2YboLG2JtS8e39zOe+pfLb7T0JmDm
+UgxeJB7KH/d7BI90J1tYctVH2ky20oXQ2R1IC2bhsfuDEIo5OhPu56rINSmvXYDD
+RHL1nJH9AgMBAAECggEAJYzSVdxyeBzS+UoTR7pOU/gGsd7h5injwQOXQoT6RJIo
+O9r2R6rHByOSQBYLHRPLwWhyE13up8t0hp/VPC6PqnG7PuUYeNYX8fzgVIQExu8I
+tjoS3OzR4zudiGApePcPdZd7FW/jUUmSoG7bT8x75S6ELp3i5q986qCOZkS5bJ3Q
+Tr6LdgwYsdRMuwTBmHFym3obd8rVe1oQ4QY2M0mYAraGnFxiCNV+S+hDNsJ7na3F
+hbeBk+YpFKZ/dGDrKClhNbOmpSZmazihHaYoKrBc+fhJSzxVU5YfN+Ds7jsOptpa
+m0pr8Di3QnibkIUrjNiB3ewkIi+tyo0YO5Zzq406oQKBgQDxt4r/6hni0mBY3VrR
+UT74gzGihqxfXTLjq7Hiju9BC5qK9MaVRl+s5I6+phfSg4kyJSFsoWxcoKYFE/Km
+4xpk3sJlVIBwRBmx76h5B3eEpLayhoBR2TT0Cl5M8yhvz2p8CQO/MmGLP3qe/PqH
+32rBNLAs65e4ts2uKUJMC+AkrQKBgQDGmcM6vgRtq/DASFMMqpimSX+8fj9AGqLf
+mVcItXHx7pS1Aiq1G3PSA4efSryMjoleez3mfqFoPvTSP0ASIaQua9rAerfWfYaG
+/P8yAG7oddBb0SDe7f05VjY5jv3dS7sSDHpfaIa06xtRxd6HqUo7iPOir0FR6UzA
+iNkxKfR8kQKBgQCnhxxxjmDukfxw2soM9RB90P/fsxNY7RFONjuN2J7+J/qugEP6
+RdId1DMS867jGoNGG/H0hlTCRh2Ku26cOB6c9r8o185FAQ4GAyJy77foWPi+9vWM
+xMwsr9r33jeSduFIoj7UjyiICDEGbDN/ZFtrGQdZutdnEFuxb6shZcGt6QKBgFJj
+r65K7iNhVTsvxeRXUYSKsUdNSIgbhL4mKwkd3Ot1ApQlFfqULPRPKpBWvOnCqBJe
+Jkvc9LD+jSo7uyTKeAYaEGIRhvqgkJKnmmbv7xLY7Vtp4q0ZJhgHP++Y9pA7vpu6
+OXojLt8XOfoukCbPgFA6fHhdJEgK9SBapV/T++1BAoGBAMzO2jugm25fBzqWQpSe
+JV/CoQIbw2SUyXunsReIMqnYBETUDvzPrvQ0aRWUPtkzwf+vlbU7vauX4CRogB8e
+PWakmkCuSjPlxqycYUk/xIYEuaXn7Kk7IeF3UEbeSJLq9+cXeDun8OSE9lmD2Phn
+ITIVjf8kn1qEPgfr9GlGnaSN
+-----END PRIVATE KEY-----

tests/gold_tests/tls/ssl/server-bar.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDnTCCAoWgAwIBAgIUS33d4I/Zq7YeC+bDnGr/e1BJkdwwDQYJKoZIhvcNAQEL
+BQAwXjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNPMQ8wDQYDVQQHDAZEZW52ZXIx
+EDAOBgNVBAoMB0NvbWNhc3QxDTALBgNVBAsMBEVkZ2UxEDAOBgNVBAMMB2Jhci5j
+b20wHhcNMjUxMjE3MTcxMDA0WhcNMzUxMjE1MTcxMDA0WjBeMQswCQYDVQQGEwJV
+UzELMAkGA1UECAwCQ08xDzANBgNVBAcMBkRlbnZlcjEQMA4GA1UECgwHQ29tY2Fz
+dDENMAsGA1UECwwERWRnZTEQMA4GA1UEAwwHYmFyLmNvbTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALuFJIpH48PJor1B/laLYOgF53BNoiIdFVQ6aMYy
+Fv1scf/FDXFdsiVeGX0sHnPopZlMs3/q0NskyWRIXkIQ8te3T5dLCnHVlmkFrEic
+oJmiJRt9rPBv3nLx689h846YxHy0/8Eq3KCjT5QxvOOkgZkR06TJYXpTgG0wmikL
+jUk7GSvC8YbcMMEM0y6LeoCCmZ53KUaHPsuKWm5ctzZymu0gFujyNxCPgbQzLl+V
+mG8eYV7b0vZhugsbYm1Lx7f3M576l8tvtPQmYOZSDF4kHsof93sEj3QnW1hy1Ufa
+TLbShdDZHUgLZuGx+4MQijk6E+7nqsg1Ka9dgMNEcvWckf0CAwEAAaNTMFEwHQYD
+VR0OBBYEFPSlsbODTwZv1B8DmEyvQSzKWKQTMB8GA1UdIwQYMBaAFPSlsbODTwZv
+1B8DmEyvQSzKWKQTMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
+ACOxraNGdHERXHVCW3ICKd14ASA+Xewc2pQrjc/VEAuOH10G1yyDzHCNZrmiJFYN
+IAje3JTfagKK6dFXgeC8tbJhHoNlC+Y/tLxdReuRshJdEraD/2ih2NgUqsI4soJT
+EhB+pUIeni5hF+ymWzewx3axrnblDEt5nl50zOnKKdHuDO6JlovnI50JaFdduWAS
+oOrornY+r6WO9CKt9uLmf/y4Epn6yFX7AL9aDzQQsS62+4o/nkQLf/u5eFRSLJK2
+Jj+QAWNP37is8q+2Jgmbt3DWybOq2znN1edNtUYjRCNafiK9qrhGeNp+yI/qB8dm
+W5pOyGNb+j9iY39KbNkSmTM=
+-----END CERTIFICATE-----

tests/gold_tests/tls/ssl/server-foo.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEugIBADANBgkqhkiG9w0BAQEFAASCBKQwggSgAgEAAoIBAQCHQOoMuJlA4tSU
+DVSDcrb/ggBNvN4DIh3d4briYf2QFB1Gx7pnOwTG3Mt6jc6i/cBmOUhFWnYpe6An
+0on3ARlDzdXj3BiAd1Iw+BXCjxSGW6fVEWwalg09FkgOhRasYwOxggI01fGuY0uH
+CgRMi++4Xgr6umFFDh5hjvX1dLcn5gedseGLK+goiYI8ZPQIXWfIoKDAVb8aDFVu
++gIaZwexkQsSB/gr9uTqLNCZNlaI13fCuOFGLztvERDLwoQ88y1u9v9SpWnOB35l
+bbXf9jdcnv67ug0N04gtAYIUgyOOB0THDsjH2v8gKY7mL5UEOjzM0ZIKHGVDRSAp
+hgakHRVbAgMBAAECgf8h6GgJcWSImLm1168RQeQku9mcPYN75+izDBxMZvr67ZDX
+0p8Rrv+Oc6Wen5J/d2mJU5ol6mWVa90gG1IOeFBOHpvTn8Ki4Lc4oFVuJtobtSoE
+wKIwcy/r2YSFtEZRETZb1BZxkfNlS3cRdvMVbi6AVJrYzwkqTKHs01mgrf7zRs1G
+dpqSj32j4q6H/C6jF+3hBGfWX2HphNzEknZCjrtTqFDIdZ+v9XIAmthfAysKWLII
+oDcDj2NZbBgs32Woy90BTakxpE5r07spplXBdrEboF4ZikmZTd9GwMtY2pfzEMQ0
+IZzPyGyRyU8knr50mDeFNfSTcDdASUj5sBnYeQUCgYEAvQoDkGKm+DZNvI/ltTIF
+1cgcnb62Lrp+GHfSGNV4V0n3uQxyWLpFItARom5nfwrWoyAo+hskbqmAl2OcJj9J
+p3WIaudYb5NTzXYi4eY4gTOuyiXXsXR+PO1RvZEQnCPJAXH+Y+GxPVII5oxYcWeN
+mAnl5UrD17efMB3f2E8wDd8CgYEAtymmbkrxHMTry0JqR+r47i4eRS4LvXyPpVDa
+MMx8nHPqeIfYEgMjgmkBDZIHainKCoFsHseevLwTPz7UN4AXOqqYND4csZsjqAiI
+2/PEFiPczWiJkWN1JoUVBHgTdvrSaIEZ4xYsBfthfzgqan8Tkt/tDI9ysrWdC/QP
+EkbNMAUCgYA93bEc56xNPzhhpZY/nodaV4tF9Mwart3llBEmH3aq2oJABVrGvu8x
+XXbn+cnVQe7MpBHFCGz76m0zHl5UBhJMw6JJmjzPByA99ZOk6ntDjW5+qbPVV5KY
+zfIaYAdXkj6OQohGl+4xa0+OZA/tzT4Bq/uY9sbxKh7m2GARopjPcQKBgG1jboZI
+M5+e68PEsnypFGoLGQDv8wsDrTZqByVFutYlVE8PsjdvsHFeDMbyA4Of2Y5UpSHs
+zhyhpk0LVOqgkT70S1pIDhL0OGNOVY4nE2C1olT6rc4qu/h5WogEvns8aRUIpVE+
+GKSp8Rxtisd3hVUebxAlS7b3SAevhqC/sCORAoGAGy4yXxWrsNBu+OPpLDTiN3WN
+oou1MfVWx/5VmW71w5EUW1tZ1Umva6OSRszO8niRMARYvrqXMoOYRjHEaB1LoTiz
+berNI55iVxlfiwnl7AzigxU+EaDpf5wLPLi7yq5PJZSXW3TC5HZrqvVOEc4CAb1T
+7p7zNQCKEL3QA2jUymw=
+-----END PRIVATE KEY-----

tests/gold_tests/tls/ssl/server-foo.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDnTCCAoWgAwIBAgIUKNL6X8hvp7XV9J3DJg/IXI0XsawwDQYJKoZIhvcNAQEL
+BQAwXjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNPMQ8wDQYDVQQHDAZEZW52ZXIx
+EDAOBgNVBAoMB0NvbWNhc3QxDTALBgNVBAsMBEVkZ2UxEDAOBgNVBAMMB2Zvby5j
+b20wHhcNMjUxMjE3MTcwOTU1WhcNMzUxMjE1MTcwOTU1WjBeMQswCQYDVQQGEwJV
+UzELMAkGA1UECAwCQ08xDzANBgNVBAcMBkRlbnZlcjEQMA4GA1UECgwHQ29tY2Fz
+dDENMAsGA1UECwwERWRnZTEQMA4GA1UEAwwHZm9vLmNvbTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAIdA6gy4mUDi1JQNVINytv+CAE283gMiHd3huuJh
+/ZAUHUbHumc7BMbcy3qNzqL9wGY5SEVadil7oCfSifcBGUPN1ePcGIB3UjD4FcKP
+FIZbp9URbBqWDT0WSA6FFqxjA7GCAjTV8a5jS4cKBEyL77heCvq6YUUOHmGO9fV0
+tyfmB52x4Ysr6CiJgjxk9AhdZ8igoMBVvxoMVW76AhpnB7GRCxIH+Cv25Oos0Jk2
+VojXd8K44UYvO28REMvChDzzLW72/1Klac4HfmVttd/2N1ye/ru6DQ3TiC0BghSD
+I44HRMcOyMfa/yApjuYvlQQ6PMzRkgocZUNFICmGBqQdFVsCAwEAAaNTMFEwHQYD
+VR0OBBYEFGKhV4jaRQ0wg1AWGgJleyIxP/UzMB8GA1UdIwQYMBaAFGKhV4jaRQ0w
+g1AWGgJleyIxP/UzMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
+AEQ6IHWosM7rA0OTjTT8Cuovg1hO+EgFyXzzNYRUSNjlidXYPRfgXO1fRAK9Xzca
+dO+meaMgLxWK5AOcrtOLkorJom1tHzMsJmneRGiONGmGSNN84Fk0RwVWKz9Aumoj
+WVz+z/DEV+Myw8BQNP2BtZBX5MsDGWvLcZsZY9YNofIPvAVJONpiAuowc4/IQHH9
+156X3GYgaFkFEV9g6QqFpitR470DKihky8zpspJoeHD/pnZyY+3afKyU4i0YVPpa
+ZHri+ITdWjbqaRMewbcckIB6I+wWXTImHNibcL8sd1yLpw5+IDaV7AdMQmLj5Tmw
+6eiYbN3uwTKx79XwGOas1T0=
+-----END CERTIFICATE-----