From 9b6975ef82fb4a4b9b1f2952cb51ef3e206effef Mon Sep 17 00:00:00 2001 From: Tom Dykstra Date: Wed, 29 May 2024 14:16:21 -0700 Subject: [PATCH] freshness review --- aspnetcore/security/enforcing-ssl.md | 51 +++++++++--------- .../enforcing-ssl/_static/out-vs2022.png | Bin 0 -> 22725 bytes 2 files changed, 24 insertions(+), 27 deletions(-) create mode 100644 aspnetcore/security/enforcing-ssl/_static/out-vs2022.png diff --git a/aspnetcore/security/enforcing-ssl.md b/aspnetcore/security/enforcing-ssl.md index 3c8cdd181d..dc3b489490 100644 --- a/aspnetcore/security/enforcing-ssl.md +++ b/aspnetcore/security/enforcing-ssl.md @@ -12,7 +12,7 @@ uid: security/enforcing-ssl By [David Galvan](https://www.linkedin.com/in/dave-galvan/) and [Rick Anderson](https://twitter.com/RickAndMSFT) -This document shows how to: +this article shows how to: * Require HTTPS for all requests. * Redirect all HTTP requests to HTTPS. @@ -39,7 +39,7 @@ No API can prevent a client from sending sensitive data on the first request. ### HTTP redirection to HTTPS causes ERR_INVALID_REDIRECT on the CORS preflight request -Requests to an endpoint using HTTP that are redirected to HTTPS by fail with `ERR_INVALID_REDIRECT on the CORS preflight request`. +Requests to an endpoint using HTTP that are redirected to HTTPS by fail with `ERR_INVALID_REDIRECT` on the CORS preflight request. API projects can reject HTTP requests rather than use `UseHttpsRedirection` to redirect requests to HTTPS. 
@@ -135,7 +135,7 @@ When configuring services in `Program.cs`: An alternative to using HTTPS Redirection Middleware (`UseHttpsRedirection`) is to use URL Rewriting Middleware (`AddRedirectToHttps`). `AddRedirectToHttps` can also set the status code and port when the redirect is executed. For more information, see [URL Rewriting Middleware](xref:fundamentals/url-rewriting). -When redirecting to HTTPS without the requirement for additional redirect rules, we recommend using HTTPS Redirection Middleware (`UseHttpsRedirection`) described in this topic. +When redirecting to HTTPS without the requirement for additional redirect rules, we recommend using HTTPS Redirection Middleware (`UseHttpsRedirection`) described in this article. @@ -243,7 +243,7 @@ Create a policy file (`policies.json`) at: * Windows: `%PROGRAMFILES%\Mozilla Firefox\distribution\` * MacOS: `Firefox.app/Contents/Resources/distribution` -* Linux: See [Trust the certificate with Firefox on Linux](#trust-ff-linux) in this document. +* Linux: See [Trust the certificate with Firefox on Linux](#trust-ff-linux) in this article. Add the following JSON to the Firefox policy file: @@ -373,7 +373,7 @@ EOF ``` Note: Ubuntu 21.10 Firefox comes as a snap package and the installation folder is `/snap/firefox/current/usr/lib/firefox`. -See [Configure trust of HTTPS certificate using Firefox browser](#trust-ff-ba) in this document for an alternative way to configure the policy file using the browser. +See [Configure trust of HTTPS certificate using Firefox browser](#trust-ff-ba) in this article for an alternative way to configure the policy file using the browser. # [Red Hat Enterprise Linux](#tab/linux-rhel) 
@@ -811,7 +811,7 @@ public void ConfigureServices(IServiceCollection services) An alternative to using HTTPS Redirection Middleware (`UseHttpsRedirection`) is to use URL Rewriting Middleware (`AddRedirectToHttps`). `AddRedirectToHttps` can also set the status code and port when the redirect is executed. For more information, see [URL Rewriting Middleware](xref:fundamentals/url-rewriting). -When redirecting to HTTPS without the requirement for additional redirect rules, we recommend using HTTPS Redirection Middleware (`UseHttpsRedirection`) described in this topic. +When redirecting to HTTPS without the requirement for additional redirect rules, we recommend using HTTPS Redirection Middleware (`UseHttpsRedirection`) described in this article. @@ -861,7 +861,7 @@ To opt-out of HTTPS/HSTS: Uncheck the **Configure for HTTPS** checkbox. -![New ASP.NET Core Web Application dialog showing the Configure for HTTPS checkbox unselected.](enforcing-ssl/_static/out-vs2019.png) +![Additional information dialog for New ASP.NET Core Web App template, showing the Configure for HTTPS checkbox](enforcing-ssl/_static/out-vs2019.png) # [.NET Core CLI](#tab/netcore-cli) 
@@ -879,18 +879,15 @@ dotnet new webapp --no-https For the Firefox browser, see the next section. -The .NET Core SDK includes an HTTPS development certificate. The certificate is installed as part of the first-run experience. For example, `dotnet --info` produces a variation of the following output: +The .NET Core SDK includes an HTTPS development certificate. The certificate is installed as part of the first-run experience. For example, running `dotnet new webapp` for the first time produces a variation of the following output: -```cli -ASP.NET Core ------------- -Successfully installed the ASP.NET Core HTTPS Development Certificate. -To trust the certificate run 'dotnet dev-certs https --trust' (Windows and macOS only). -For establishing trust on other platforms refer to the platform specific documentation. -For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?linkid=848054. +```output +Installed an ASP.NET Core HTTPS development certificate. +To trust the certificate, run 'dotnet dev-certs https --trust' +Learn about HTTPS: https://aka.ms/dotnet-https ``` -Installing the .NET Core SDK installs the ASP.NET Core HTTPS development certificate to the local user certificate store. The certificate has been installed, but it's not trusted. To trust the certificate, perform the one-time step to run the dotnet `dev-certs` tool: +Installing the .NET Core SDK installs the ASP.NET Core HTTPS development certificate to the local user certificate store. The certificate has been installed, but it's not trusted. To trust the certificate, perform the one-time step to run the .NET `dev-certs` tool: ```dotnetcli dotnet dev-certs https --trust 
@@ -919,7 +916,7 @@ Create a policy file (`policies.json`) at: * Windows: `%PROGRAMFILES%\Mozilla Firefox\distribution\` * MacOS: `Firefox.app/Contents/Resources/distribution` -* Linux: See [Trust the certificate with Firefox on Linux](#trust-ff-linux) in this document. +* Linux: See [Trust the certificate with Firefox on Linux](#trust-ff-linux) later in this article. Add the following JSON to the Firefox policy file: @@ -943,9 +940,9 @@ Set `security.enterprise_roots.enabled` = `true` using the following instructio 1. Enter `about:config` in the FireFox browser. 1. Select **Accept the Risk and Continue** if you accept the risk. -1. Select **Show All** -1. Set `security.enterprise_roots.enabled` = `true` -1. Exit and restart Firefox +1. Select **Show All**. +1. Set `security.enterprise_roots.enabled` = `true`. +1. Exit and restart Firefox. For more information, see [Setting Up Certificate Authorities (CAs) in Firefox](https://support.mozilla.org/kb/setting-certificate-authorities-firefox) and the [mozilla/policy-templates/README file](https://github.com/mozilla/policy-templates/blob/master/README.md). 
@@ -971,8 +968,8 @@ Establishing trust is distribution and browser specific. The following sections The preceding commands: * Ensure the current user's developer certificate is created. -* Exports the certificate with elevated permissions needed for the `ca-certificates` folder, using the current user's environment. -* Removing the `-E` flag exports the root user certificate, generating it if necessary. Each newly generated certificate has a different thumbprint. When running as root, `sudo` and `-E` are not needed. +* Export the certificate with elevated permissions needed for the `ca-certificates` folder, using the current user's environment. +* Remove the `-E` flag to export the root user certificate, generating it if necessary. Each newly generated certificate has a different thumbprint. When running as root, `sudo` and `-E` are not needed. The path in the preceding command is specific for Ubuntu. For other distributions, select an appropriate path or use the path for the Certificate Authorities (CAs). @@ -1032,7 +1029,7 @@ cat < @@ -1118,9 +1115,9 @@ dotnet dev-certs https --clean dotnet dev-certs https --trust ``` -Close any browser instances open. Open a new browser window to app. Certificate trust is cached by browsers. +Close any browser instances that are open. Open a new browser window to the app. Certificate trust is cached by browsers. -### dotnet dev-certs https --clean Fails +### dotnet dev-certs https --clean fails The preceding commands solve most browser trust issues. If the browser is still not trusting the certificate, follow the platform-specific suggestions that follow. @@ -1141,7 +1138,7 @@ dotnet dev-certs https --clean dotnet dev-certs https --trust ``` -Close any browser instances open. Open a new browser window to app. +Close any browser instances that are open. Open a new browser window to the app. Certificate trust is cached by browsers. ### OS X - certificate not trusted 
@@ -1157,7 +1154,7 @@ dotnet dev-certs https --clean dotnet dev-certs https --trust ``` -Close any browser instances open. Open a new browser window to app. +Close any browser instances that are open. Open a new browser window to the app. Certificate trust is cached by browsers. See [HTTPS Error using IIS Express (dotnet/AspNetCore #16892)](https://github.com/dotnet/AspNetCore/issues/16892) for troubleshooting certificate issues with Visual Studio. 
diff --git a/aspnetcore/security/enforcing-ssl/_static/out-vs2022.png b/aspnetcore/security/enforcing-ssl/_static/out-vs2022.png new file mode 100644 index 0000000000000000000000000000000000000000..73e00b005718062f54d029085ba0d148fccc7eb5 GIT binary patch literal 22725
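Review bot: In the @@ -12,7 hunk the replacement line opens with a lowercase "this" ("this article shows how to:"). It starts a sentence and introduces the bullet list, so it should read "This article shows how to:".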
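Review bot: In the @@ -39,7 hunk the rewritten sentence still reads "redirected to HTTPS by fail with", so as shown here nothing names what performs the redirect. Moving the closing backtick fixes the code span around `ERR_INVALID_REDIRECT`, but the sentence needs its subject after "by". The next context line names `UseHttpsRedirection`, so either name it in this sentence too or, if a cross-reference is meant to sit there, confirm that it renders.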
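Review bot: In the @@ -861,7 hunk the new alt text describes the "Additional information" dialog, but the image path is still `enforcing-ssl/_static/out-vs2019.png`, while this commit adds `out-vs2022.png` and no visible hunk references it. Point the link at the new file, or drop the PNG from the commit. The new alt text also no longer says the checkbox is unselected, which is the state the "Uncheck the **Configure for HTTPS** checkbox" step above it illustrates, and it lost its closing period.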
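Review bot: In the @@ -879,18 hunk the new sample output drops the "(Windows and macOS only)" qualifier and the pointer to platform-specific documentation from the `--trust` hint, and the paragraph after it still presents `dotnet dev-certs https --trust` as the one-time step with no platform caveat. The context in the @@ -971,8 hunk says establishing trust is distribution and browser specific, so add a sentence here that sends Linux readers to that section. The hunk also changes "the dotnet `dev-certs` tool" to "the .NET `dev-certs` tool" while the neighbouring sentences keep "The .NET Core SDK"; settle on one product name across the paragraph.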
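Review bot: In the @@ -943,9 hunk the first list item, left as context, still spells the browser "FireFox" ("Enter `about:config` in the FireFox browser.") while the rest of the list uses "Firefox"; fix the casing in the same pass that adds the periods. Related wording drift: the @@ -919,7 hunk says "later in this article" for the `#trust-ff-linux` link, while the @@ -243,7 hunk says "in this article" for the same link.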
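Review bot: In the @@ -971,8 hunk the third bullet now reads "Remove the `-E` flag to export the root user certificate", an instruction to the reader, under the lead-in "The preceding commands:", so the list reads as if the commands themselves remove `-E`. The first two bullets describe what the commands do; move the `-E` remark out of the list into its own sentence after it. Keep it prominent, because the text states that each newly generated certificate has a different thumbprint, so a root-generated certificate exported without `-E` is not the current user's developer certificate.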