Allow setting tls_priority option
Add tls_priority config option to libvirtd.conf config.
libvirt-4.0.0 supports this functionality out of the box.
To fully comply with PROD-27620, the priority string should be set in reclass
to the following string:
SECURE256:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA:\
-CIPHER-ALL:+AES-256-GCM:+AES-256-CBC:-MAC-ALL:+AEAD:+SHA384
Also, fix some inconsistencies found:
* tests/pillar/compute_single.sls - change qemu's group name to 'nova' as
'cinder' does not exist.
Change-Id: I56a8c3726e1af274e2d2fffce8dca4501745519e
Related-Prod: PROD-27620
(cherry picked from commit 77d9dacf644b1c8a93dcc35d30d90b046b86c9fa)
diff --git a/.kitchen.yml b/.kitchen.yml
index 6f06138..af3150d 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -71,5 +71,20 @@
controller:
version: <%= ENV['OS_VERSION'] || 'ocata' %>
+ - name: compute_single_ssl
+ driver:
+ devices:
+ - /dev/mem
+ cap_add:
+ - SYS_RAWIO
+ provisioner:
+ pillars-from-files:
+ compute_single.sls: tests/pillar/compute_single.sls
+ nova.sls: tests/pillar/compute_single_ssl.sls
+ pillars:
+ release.sls:
+ nova:
+ compute:
+ version: <%= ENV['OS_VERSION'] || 'ocata' %>
# vim: ft=yaml sw=2 ts=2 sts=2 tw=125
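Review bot: The new compute_single_ssl suite gives the test container `/dev/mem` and `cap_add: SYS_RAWIO` without saying why a TLS configuration test needs raw memory access. If this is carried over from the other suites, add a short comment stating what depends on it; if nothing in the SSL pillar needs it, drop both entries so the suite runs with the narrowest privileges that still converge.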
diff --git a/README.rst b/README.rst
index f15f41e..fc58787 100644
--- a/README.rst
+++ b/README.rst
@@ -1087,6 +1087,59 @@
key: (certificate content)
cert: (certificate content)
+It is possible to limit allowed SSL / TLS ciphers using libvirt's tls_priority:
+
+.. code-block:: yaml
+
+ nova:
+ compute:
+ libvirt:
+ tls:
+ priority: <TLS priority string>
+
+Example priority strings are:
+
+- The system imposed security level:
+
+.. code-block:: text
+
+ "SYSTEM"
+
+- The default priority without the HMAC-MD5:
+
+.. code-block:: text
+
+ "NORMAL:-MD5"
+
+- Specifying RSA with AES-128-CBC:
+
+.. code-block:: text
+
+ "NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL"
+
+- Specifying the defaults plus ARCFOUR-128:
+
+.. code-block:: text
+
+ "NORMAL:+ARCFOUR-128"
+
+- Enabling the 128-bit secure ciphers, while disabling TLS 1.0:
+
+.. code-block:: text
+
+ "SECURE128:-VERS-TLS1.0"
+
+- Enabling the 128-bit and 192-bit secure ciphers, while disabling all TLS
+ versions except TLS 1.2:
+
+.. code-block:: text
+
+ "SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.2"
+
+More on TLS Priority Strings:
+
+- https://gnutls.org/manual/html_node/Priority-Strings.html
+
Controlling access by `tls_allowed_dn_list`.
Enable an access control list of client certificate Distinguished Names (DNs)
which can connect to the TLS port on this server. The default is that DNs are
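Review bot: The list under "Example priority strings are:" presents `NORMAL:+ARCFOUR-128` (which re-enables RC4) and `NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:...` (RSA key exchange with a CBC cipher) with no indication that they illustrate syntax rather than recommend a setting, while the string the commit message says is required for PROD-27620 does not appear in the README at all. Mark the weak examples as illustrative or drop them, and add the TLS 1.2 / ECDHE / AES-256 string as the hardened example. It would also help to state that `priority` only takes effect when `tls.enabled` is true, since the template sets it inside that branch.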
diff --git a/nova/files/queens/libvirtd.conf.Debian b/nova/files/queens/libvirtd.conf.Debian
index fdbcf9e..eda4d23 100644
--- a/nova/files/queens/libvirtd.conf.Debian
+++ b/nova/files/queens/libvirtd.conf.Debian
@@ -21,26 +21,29 @@
#
{%- if compute.libvirt.tls.get('enabled', False) %}
-{%- set listen_tls = 1 %}
-{%- set listen_tcp = 0 %}
-{%- set key_file = compute.libvirt.tls.key_file %}
-{%- set cert_file = compute.libvirt.tls.cert_file %}
-{%- set ca_file = compute.libvirt.tls.ca_file %}
-{%- set unix_sock_ro_perms = "0777" %}
-{%- set unix_sock_rw_perms = "0770" %}
-{%- if compute.libvirt.tls.allowed_dn_list is defined %}
- {% set tls_allowed_dn_list = [] %}
- {%- for _,item in compute.libvirt.tls.allowed_dn_list.iteritems() %}
- {%- if item.enabled %}
- {%- do tls_allowed_dn_list.append(item.value) %}
- {%- endif %}
- {%- endfor %}
-{%- endif %}
+ {%- set listen_tls = 1 %}
+ {%- set listen_tcp = 0 %}
+ {%- set key_file = compute.libvirt.tls.key_file %}
+ {%- set cert_file = compute.libvirt.tls.cert_file %}
+ {%- set ca_file = compute.libvirt.tls.ca_file %}
+ {%- if compute.libvirt.tls.priority is defined %}
+ {%- set tls_priority = compute.libvirt.tls.priority %}
+ {%- endif %}
+ {%- set unix_sock_ro_perms = "0777" %}
+ {%- set unix_sock_rw_perms = "0770" %}
+ {%- if compute.libvirt.tls.allowed_dn_list is defined %}
+ {% set tls_allowed_dn_list = [] %}
+ {%- for _,item in compute.libvirt.tls.allowed_dn_list.iteritems() %}
+ {%- if item.enabled %}
+ {%- do tls_allowed_dn_list.append(item.value) %}
+ {%- endif %}
+ {%- endfor %}
+ {%- endif %}
{%- else %}
-{%- set listen_tls = 0 %}
-{%- set listen_tcp = 1 %}
-{%- set unix_sock_ro_perms = "0777" %}
-{%- set unix_sock_rw_perms = "0770" %}
+ {%- set listen_tls = 0 %}
+ {%- set listen_tcp = 1 %}
+ {%- set unix_sock_ro_perms = "0777" %}
+ {%- set unix_sock_rw_perms = "0770" %}
{%- endif %}
# This is enabled by default, uncomment this to disable it
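Review bot: Only the three added lines from `{%- if compute.libvirt.tls.priority is defined %}` to its `{%- endif %}` are functional; everything else in this hunk is re-indentation of existing `set` statements, which hides the real change and makes the cherry-pick harder to audit. Consider moving the whitespace change into its own commit. While touching these lines, `{% set tls_allowed_dn_list = [] %}` is the one tag without the `-` whitespace control; making it `{%- set ... %}` keeps it consistent with its neighbours.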
@@ -217,7 +220,14 @@
# Defaults to not using a CRL, uncomment to enable it
#crl_file = "/etc/pki/CA/crl.pem"
-
+# TLS Priority String
+#
+# Examples:
+#tls_priority = "NORMAL"
+#tls_priority = "NORMAL:-VERS-SSL3.0"
+{%- if tls_priority is defined %}
+tls_priority = "{{ tls_priority }}"
+{%- endif %}
#################################################################
#
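Review bot: `tls_priority = "{{ tls_priority }}"` writes the pillar value into a double-quoted libvirtd.conf string with no validation, so an empty value, a stray `"` or a line break in the pillar yields an invalid or misleading config line. Since this value decides which protocol versions and ciphers libvirtd accepts, guard it: render the line only when the value is non-empty, and reject characters that cannot occur in a priority string. The hunk also removes the blank line after `#crl_file`, so the new comment block runs directly into the previous option and into the `####` separator; keep one blank line on each side.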
diff --git a/tests/pillar/compute_single.sls b/tests/pillar/compute_single.sls
index b8754f6..2d00ef3 100644
--- a/tests/pillar/compute_single.sls
+++ b/tests/pillar/compute_single.sls
@@ -53,6 +53,7 @@
host: 127.0.0.1
port: 9292
network:
+ user: nova
engine: neutron
region: RegionOne
host: 127.0.0.1
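Review bot: The added `user: nova` under `network:` is not mentioned in the commit message, which lists only the qemu group fix for this file. Either explain in the message why the network section needs a user, or move it to a separate change so the cherry-pick stays limited to what PROD-27620 requires.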
@@ -73,7 +74,7 @@
secret_key: secret
qemu:
user: nova
- group: cinder
+ group: nova
dynamic_ownership: 1
consoleauth:
token_ttl: 600
diff --git a/tests/pillar/compute_single_ssl.sls b/tests/pillar/compute_single_ssl.sls
new file mode 100644
index 0000000..983cb02
--- /dev/null
+++ b/tests/pillar/compute_single_ssl.sls
@@ -0,0 +1,201 @@
+include:
+ - .compute_single
+
+nova:
+ compute:
+ user:
+ private_key: |
+ -----BEGIN RSA PRIVATE KEY-----
+ MIIEpQIBAAKCAQEAoU9IJGIK88lrMfXFrLzPS8F/gL3EQqS5pjshQJiTHiG4ZzuE
+ z+y5xjWGAjwPYWNqwEqFpabPpCCJaDeDHKY48qQ5BAPkfUQjEi59+cuSI16/WGjH
+ LI3OfiecfDHnb48CQVkbIsE3osr0KzsXSByoAKfWm40kydBKyCbhEEL5Brc6QE4T
+ vKa3N8Lu+brxdjPVgMzyb6oouU+xjmLUIpNJ8ia+j+xe6XiVBbCx90TrZVQGHk3X
+ MHWbHMuF5kJM8JBZ8CMLHLbhSmW588Se6sei5RVaFB7hJUEtHbBhVWZCVCVmkKhk
+ mgXB1galrIyH9kmTHWT67TR2Rx7ZFqrJfGVvBQIDAQABAoIBACjiESS3fJMg/3wg
+ EEOhbuCCYDBe6DkDytGottrKUK8YWMZBPX39P3BO7HHwiu1h5xJpUMoVJxcv7+Nr
+ /lzqfBBzMsgjvGtLM6BODDudLqKsRs6/b4uJPUaX/38ynreVhTrOvKPoWJN34L58
+ MYBjUuknoKq38RT9J5bm06/taXQb4RQbgdH95e+PqMEDYyW0OSNtBWsPmgnBXueT
+ MI+00BKDRsyoXo1TvDLpuV793D89TjPZ2gpWHvp8aRO7rl++CFQ2RioSTnEQZP56
+ +DNqMfPV/EH7t5Wf/NmnuQS4FsPJrFL3edeCzPutL7GcITZFG4WrmqEE0bJZVGEG
+ ZsqsVcECgYEA1WVLVcMUMiYksROOjKCQjw1lTcdbTtIYoyiArYhRf+u5zqN9dVGc
+ PWlJzOPK41dvhnU+HDAVX4cLdmmb4ZY8KVbO949kVU1PurdEak3fGDGZXswO4O6q
+ P/2ornAs/nrjWhZF5MYCd/Gl3ohdnS84Nr7Ds5g/FG//hn0BkzDcrgkCgYEAwYPc
+ JopUeHhFXnh3O+nGrg7xwZHh9gZ7A8eYuVh8i24pOcfjSc1WWqcRiVx7TphlM2mv
+ T+nHYhNmzHDVHgW1YR0IlKQYP8yls4xGpSX67FKiO9RBDLz+ByWR2F8eZM1iOmWs
+ b4GzYhUMPDOhFFqm7QyeYGIBhCFdDbOKssel+B0CgYEAvsgw8hvWkn9HjojNiSyE
+ EWEIkOEK4Q00uaocYQje1F8LX5MLNzgfV0gqkuOVIGuraaqoPMtAUIeL1/HTS3vl
+ jY/uuaWZLipQfb4bjG7SZe7yD66gHrlBvLQreskPcPStDn2bP01IJ7QDd1CzYTQ2
+ Lbufe5FB1CPNb4+TOOUWZwECgYEAjWqkNpH+eu9BmnEkiWck50xKhe/rFlTUDwYM
+ 6N3uXiKKBAy8X9GsGqFe4mfwQJaD1leUYyzvpQ+SnzKRu9fmHesOuzlT80PFj/mi
+ IswnnA4jOt+5DesLJQPimiGg339sGkr1AaPiCHpjL5d3Tp2UwUTodH0KqJmNHBcp
+ 886Mzk0CgYEAzYTf6ihsJ8HTd1sbYRShHoQkroJtg/CfZpuyyAoVbaSxt23dnzKF
+ 4dXgCPwfHGxylAvD/cYOMx+NKSMTqyf9k0rYPHZocW/40WS1JQWsAP9Zhgkr0S8R
+ 5foiwMM8TMO/R5XUlSjrWmVlgYNJtOonx12rWDX/ID8l9nvwEZrkRqI=
+ -----END RSA PRIVATE KEY-----
+ public_key: AAAAB3NzaC1yc2EAAAADAQABAAABAQChT0gkYgrzyWsx9cWsvM9LwX+AvcRCpLmmOyFAmJMeIbhnO4TP7LnGNYYCPA9hY2rASoWlps+kIIloN4McpjjypDkEA+R9RCMSLn35y5IjXr9YaMcsjc5+J5x8MedvjwJBWRsiwTeiyvQrOxdIHKgAp9abjSTJ0ErIJuEQQvkGtzpAThO8prc3wu75uvF2M9WAzPJvqii5T7GOYtQik0nyJr6P7F7peJUFsLH3ROtlVAYeTdcwdZscy4XmQkzwkFnwIwsctuFKZbnzxJ7qx6LlFVoUHuElQS0dsGFVZkJUJWaQqGSaBcHWBqWsjIf2SZMdZPrtNHZHHtkWqsl8ZW8F
+ database:
+ ssl:
+ enabled: True
+ libvirt:
+ tls:
+ enabled: True
+ priority: SECURE256
+ key: |
+ -----BEGIN RSA PRIVATE KEY-----
+ MIIG5AIBAAKCAYEA5bsQmqKIJ6fV33XIeGDd03J7bZJm+AYMTRfjr/fIiMBM97Lx
+ p15k7eNx0AGXBiKsA5ZnnLNP3aqhlyKPr2IkUDiXHhZurB8RJ7oCixawVvELU2wX
+ VA8OSiV4/zOiXKl4LntqQXf6QCmtyIxNQgP4AHo7Jinpg4tK6n2kdQzBFSjO5ze/
+ qzaStq8LoJ9rwAdKXhqSpJL+9IVoA2tMOm7PuUzuNuBEqtr6va1kMUWdha4CN6AV
+ vF26Ac6FPaAiF7R3GtRvRSmhHyYoqqhK+NWo4TGEpn0hvvom5wKvYn7KpAS0NmR7
+ 8iq3Xk8eubLYhIXVtWlOcNcRfOV67KGMZKLd7S8eegZZI9dchT5Pk3eStOm7FZAO
+ KMkSgYtnEqPPRUP646dXXrxGLgH+v6zKCa6TH+urJREWW/b7bkz/+ua9O7xA7ldq
+ lCBtmeqJOwpjvlFuVYOomCnDZA7dVg76Qwad1pDh77lk8wq4FCG6kLu3jaaxhaTa
+ ISM2e4GXTRqo79YpAgMBAAECggGABZWDdM7IknYw66qYQdzQ54fb2jD50cOL3v/a
+ p/dU54YNGOQ/nXrc5y9lH9I6EosbNUcdo6B0K4YvQVY0ueWfzldhzPhsnkBvEVEj
+ KLBXfvWC+fchpghrp3+7rjBaHPh9lFupnIfHDHI26C4I3rbr+079SxMvuuPS4VpG
+ ehXiR5pjVRl0zjuYW1pr5O6bFuLWeu0YbWmpStZHTfX4t17kK7PkAm93G9QQzjV9
+ vvjbOFmfciyw+pAoqkyTzoiq63qWcsGzliC5D3gP0tDnZobe6l6l4AsnXpelcaEc
+ SDR/YYi9kEkgIo4BSTfV+J/FY+nMLtTi5zjqXcsCaT0pOq2dNcmJwlgh9+3i0a78
+ ZxmP+KmCgZMsnmlSqyHJMcV9jSIS5DBLV7Iza2jQby//69+WED/gPHHScuFEje3Q
+ c8/hL96oJ85fIkjXX0f7oHXswAXw0XGWzeJ01rFisdOhI02ziJJ1/J3usQ4Ylm4g
+ xBl4XJttxlH/M9042qUSAI5kjsw1AoHBAP7N1EbZDq7YUEP+XsXcKGtslpnDCdxv
+ rZu2aFhl0sQlt5+qptvbA1G/breXDc8GD9fOOsnCzZU7R/hZfg7wr0hWOOCkGRuz
+ kyZcxwLR/nKHjCZ7sLvmhSIhYrmKrvtAgNCx3LCq83bSk3e29G74DYBsnE2kXGXh
+ EHYe3ch++tE5EU+HxMqgAzuVGR8UmbMvk6NmbaIi9pRSBRBoGy4Suvmxcwn37Clq
+ q7nG9zXGdlzCDzQwhhrHsSKTPQ4Qc2T/hwKBwQDmzxuVU282wLN1fgQTHJ/rUDhY
+ F45dJ6K2E5BE80UBwobKCkbqk9306xjfmUxydKs/n557jsl+/JtfDpwZx2m32cX1
+ pQ1mfvIZAakDZPcOPQisR0bVMM1CaiAPYtZD95S1Zl48r0aQlDR7J6KFaymRCvPK
+ uEYkaeVQL63obbSiyJsOakDrvECQ5ey+V5+gUHvRtQ4Me6z34J6LqpLCN2hc9Dwa
+ UZKpre0XjDpmVHo6aIKKDwBSJB+ky4lka5OvCM8CgcEAgH4Zk1S4Q9HPwEoRTuPz
+ +iA7XfTuDxy+RqzYt+M5QzLmA32SQYKTjPDli22ASCr9aE2WddJny96mL4YpvK0B
+ J5BbhGUcSEzpYsocjb6J+wWB1pI/kLHx50FAwOI/1XI0w4k+ClVbC0urlA5N+3vZ
+ iy66L6k38yRpIbf1DbuDDmkh4qJLygahOrW4gmToEWVnpVns5XuOL0OhTCHDuxs0
+ 8N/cbGV60XP6f2fnmFWpsKMn+aCSsASNvirT+jiviHoXAoHALuHiuHI6JOT/jt4J
+ 9dfao/GngD1IraNfaZyPsXG4kqLwvhlYTk26yAT5CHIbFSSdpE7H4lEenKyy4pwV
+ GSdoUe/qRftAvZELnAi6S/Y2OK4tFNFlkehXySXFXVq2KxgfHLmuaqUvsC5qepmS
+ aYda6htPad4EYWEhMyh8Krod9vLIjCUJCtkyRDxv2jnyMp4miHI+aEq216LIkZYU
+ OV8H09nIW5A2OkEZ566ULjT6nuKboW9qoUS1KMQvJDa1yNgBAoHBAOK5e9YyECLd
+ 8LLIkDN41hyjRH1MsjTgiEUcGPOPu1p4HFIvh3IGcbY2dzgxZ/AnKobZ1dqdYBE5
+ fyZQ3dZ+IKpXbv9H+LpktEr4yv3/EE4DXoMh1RNYuZA63Sx3NAYydY0ElPz/2aQK
+ aTZRoazxJOVIE1NH2xfpUS0u9FA+wcxuIZnJecL/xrnpLnzzSPSsF5QURm0EGacP
+ xGw3NQ0nElV3BqSvP6c0d6LwqDTW1eJUbRbijIcRJPuyMh7nXwNw1A==
+ -----END RSA PRIVATE KEY-----
+ cert: |
+ -----BEGIN CERTIFICATE-----
+ MIIEPDCCAqSgAwIBAgIMXL2b4RG95wh5X3h4MA0GCSqGSIb3DQEBCwUAMBkxFzAV
+ BgNVBAMTDk9wZW5TdGFjayBOb3ZhMB4XDTE5MDQyMjEwNDgwMVoXDTIwMDQyMTEw
+ NDgwMVowJzESMBAGA1UEAxMJbG9jYWxob3N0MREwDwYDVQQKEwhNaXJhbnRpczCC
+ AaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAOW7EJqiiCen1d91yHhg3dNy
+ e22SZvgGDE0X46/3yIjATPey8adeZO3jcdABlwYirAOWZ5yzT92qoZcij69iJFA4
+ lx4WbqwfESe6AosWsFbxC1NsF1QPDkoleP8zolypeC57akF3+kAprciMTUID+AB6
+ OyYp6YOLSup9pHUMwRUozuc3v6s2kravC6Cfa8AHSl4akqSS/vSFaANrTDpuz7lM
+ 7jbgRKra+r2tZDFFnYWuAjegFbxdugHOhT2gIhe0dxrUb0UpoR8mKKqoSvjVqOEx
+ hKZ9Ib76JucCr2J+yqQEtDZke/Iqt15PHrmy2ISF1bVpTnDXEXzleuyhjGSi3e0v
+ HnoGWSPXXIU+T5N3krTpuxWQDijJEoGLZxKjz0VD+uOnV168Ri4B/r+sygmukx/r
+ qyURFlv2+25M//rmvTu8QO5XapQgbZnqiTsKY75RblWDqJgpw2QO3VYO+kMGndaQ
+ 4e+5ZPMKuBQhupC7t42msYWk2iEjNnuBl00aqO/WKQIDAQABo3YwdDAMBgNVHRMB
+ Af8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdDwEB/wQFAwMHoAAwHQYD
+ VR0OBBYEFMUM+eSe/YhyqQDfQAXEBSM1paC+MB8GA1UdIwQYMBaAFLS3fsoB5F2w
+ 4WvN0T2UQw1cIX5rMA0GCSqGSIb3DQEBCwUAA4IBgQDJrUUoR3AlrB7JiKgKz8gO
+ FyY5QLaRobICUUGBNdwN5q6n/8OpSnDMixbNLQI34XMqzdaUds5RcVIJX5KgU/0L
+ RFYKTrbIAQ9JOTZjtCQuFrVv/RTDzJhR+W5Q+vPMeFrA7U87TfVVyOrD/YikFyE6
+ U0UDkr2zq0ISNZUepGFsAdiq6VwNBZw1zbyI0aqBniIBWmdLk1QKIMX8lMuzoG6p
+ 7pbi4rwUL0QZ5QJ/D12RLyFb/k8AWj4ptRXQxdtD7R2SZyMxouYMWnQ0z4/3Cvtx
+ co0U4rH7Y61YD95FhW9UzCB9hnV4Pt+Cdp7Av5vM3AUSONE+T86tpFrLJyoZBorS
+ f2Qmy9OO7fWeryyN5Tp2/ijA3pjNQsNgIhl+TKA5GsYxgup06XmPmdZAfpEbkq69
+ bqoWiXMw/5aHjsSnRnBZXwYxK9IBu0GmsqlqCBAgmdhMqqhTMvRS7hBQuaV8JW/7
+ Ahz/VMGac9AT7mMpRpaZ0jmnzxiraJLmEXn/7mFVTOo=
+ -----END CERTIFICATE-----
+ cacert: |
+ -----BEGIN CERTIFICATE-----
+ MIID+zCCAmOgAwIBAgIMXL2aMgMqfC9H3olaMA0GCSqGSIb3DQEBCwUAMBkxFzAV
+ BgNVBAMTDk9wZW5TdGFjayBOb3ZhMB4XDTE5MDQyMjEwNDA1MFoXDTI5MDQxOTEw
+ NDA1MFowGTEXMBUGA1UEAxMOT3BlblN0YWNrIE5vdmEwggGiMA0GCSqGSIb3DQEB
+ AQUAA4IBjwAwggGKAoIBgQDj+WQEufvPshRd2rgTRwbll7iYvoMaFqNZTne7xgCy
+ NuyMk8y/yvfjxqtnk6cH57P+monk1ofsvWbnNoTr7HbSqj+VD6gQ8w2HtzNh3NgO
+ WFqS93exsoffdxRD33zFRTuH9STe4E4o9bnsbjYOkSdKYfB9DsiapENhVn2RoyJM
+ kQpsNxUbHfv8tWsbRi1uwlSj7iupFhKf6a7rW57FlS6Se2Z/9bJ88ueLSDv4aKBL
+ S/uPOM3Tfyk0P0834pz9wv8RzcpM2qLW+7hGBg37F7Il6bGWz5uS06AS0yBHfRmT
+ OOKw3pCnk6iL5HGPq19pNER/b4EArkuZkKzZ10ANeCG5J1eRbK4lA0gQwfxvdNre
+ 8FiJFuZJOmWoTeAIfQAet9TNtJHwe1xw39fELKLjDSPaJc5jMqTC1PgtUMFHM7O6
+ USEwUtb02OrPsK8Y6waChuFekTKrRkN8J36jD92bVmd4FjFPGvX+0G/hwy2mJlyj
+ ekFxWXiZiRpfuxEyJQVmfN8CAwEAAaNDMEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNV
+ HQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBS0t37KAeRdsOFrzdE9lEMNXCF+azANBgkq
+ hkiG9w0BAQsFAAOCAYEAM6Jt0SOZPOi6RD05b9pulgHxHgF+CgzSPnXT00NN9+7P
+ jHmv1uDSEJ8l/DEcZcwUv/A8q0RLJbzpKVTGGcI2B7B3Q7Rj+02HdAzUPQgsgCnX
+ zmVXuwAd12MpSmcp6Xk0swTdPxQF05VT55lsOFyzWek6J9H4nGe/9CPACyxFqNcB
+ nzpQbodYIngssoxFTJQhrClljWkVxatH+wRa70kdMLhGoNUgsID0WTDswv8ZTT22
+ QqZrUbeK5eA79mCM8jxP/QdD3d3TjXPJuPi8X7B/VDADfkKHV3BdUx1ki+8izWif
+ UJz3bZibPk3gItxxCv4UkNMOROhJTyPK3cJ0GQjFKM4LYZKYRmhZM1nW7diUnwDm
+ twjtwBQoRfGH5Fb2Cxy2i4CCm/Ch/fIfAXr9ya4LxCU+h3xB910KjNOT3leUIPXR
+ tuf2sFulEEvLiPvHQWJkpbbyMC0NZ6fXx8uFPakOOjvP/Fi+YWakqpN4LKMsYuK0
+ E+wWW1k4rKol6LEuAd7t
+ -----END CERTIFICATE-----
+ client:
+ key: |
+ -----BEGIN RSA PRIVATE KEY-----
+ MIIG5AIBAAKCAYEAokywgb8hArmsX4U7xa+gj49h66Q51CRAEBQ0oiVohdpUyd+E
+ J8/ZOx4Di3Q/lHV1N/NlHFQZNPagAeoCxEhFydUDwLNxy22eXWqwdQckQXQ5UPhx
+ eOV5SMynmmUCiEe0ZwVPY50KA1ffdHMnpHb+3jGdX6S4SuFqnDgnsna+lN4uAdJA
+ ID9LnTsUQ1J5pR/Q93IgO/vPcoTV+8Xw8riPbmL54MhIBCrbjkbtY/P+jHidKct3
+ 7Qam8xeY91OfU/uLbApeKPeu+d5lL9tcnX0E309Rx1ldBVkKKKQ3DNw8UY0B3yJt
+ gJkzZda5POpvK5k+ZeBjdbtiK3yASNYvt+XcxS+7Nu6aofzpWPZv+UaSvo4dCJ36
+ FsTqsfnWZm3SZlUcuqph+MA+sg8ZGSCY8I+rxoNekV4VYur+4hIrJFNPIGpBSdpX
+ ZKgWWIzdls0Dlo0+3QVKjZZ/mAw2vlGkoMm9GcNeMiixxoiWvjpfkSeXmnjX8Imo
+ LoaJa0AiNTrwXu3xAgMBAAECggGASWjcsWMNAFmRUQdHeOwueKDHDrmSepUG8P7i
+ q7C17U1K6qCR+xv1StsRiWNEWtch9PO/eSfE2wLubs80/ykdf+Q8tU21G+lyJxjZ
+ xaU8TerO/gPR93f7+uSurpQfqBqey7ZIKWtfmxGE/fwUIzy7nS7d2uP7g8sf2JdB
+ xWQWYel479P0s2FNx0lwqd7FLN4OO85ALEGCnG7fBumKSY8XOTvFgFm20UO9WUZV
+ m89CBLGNjNj+XpSSsQOsabpGJ8tvlTWTQi/SmZrh8k/e2bHjurWx3rh+Gl0FZcNY
+ Qt/1+4yrR4II0KpnI6UOJs00h11fzN5geI8pxJVlGkjDAu/g1FSCQ8J6JICBXsTl
+ o+uVn3wlOybZCGkE0Pq9IXAN6Tkze4EP4gIUYbJNYhOWt9Ua/wDnMswQ1qs3sZ7D
+ 3Af4ukr1yHokgAorOccFaEEhZMLwIOcXH9kfJ4ZfMH7Wp3Hot1pJ0tKJwbG0BUWp
+ N4CPDXQviUulkyKTRKtOskYl0Bl9AoHBANCmNHfHgNf5SrPoxX2cITfjEGOHNkg/
+ DTDO22nLlkOUggLtznlr7I+McJRskVI30JpFPtoh+jyS0SwZS+N2BAt97PLVUSn3
+ zXtogU2t7CxfNrH+3khAexdphnTmDH+2LdO+3JSA2w3UTmiufqZnC+4TGe2gUesX
+ JLIPFmFEGN99omq4txiY96nlwAMy1TD0m1RHQ9oqyNZeePX8o3l3dknPBGLtUNE7
+ Wm+TqIULdGKC2OLnQ2TeINJ9QMlv0RA12wKBwQDHIbrbw3QZMbfbspqicPqe8EVB
+ XBaz4r68+wl9DAeRrJ2RHKc57epRbkFEU7prPsVR9NN0dHdv708QdV8wxmq5vByy
+ YBqXnSYHG+o5aptekTT8Gxh2WdUEfUcA6xXRJFIDMtN2G36E3bYN5+aiLet4i0wh
+ NEwVusUZfmaHw/EVtAt5t95fMN4RP8HOlQu5TZnEobvr33I/2PwaEFrWSuibgeUg
+ S8GlYRV0IEOSk3L9e9shrVqiMIcAmMbBoz1yAyMCgcEAgdi9VEF65G1G2RmmNdqB
+ LbeITngqBuH+Qn6pO3iwRdRY6Ju34AaTDG6Y7TV3ZpRHpIotaDC2+xVfSTNg7+hU
+ 8hXm7ORmA1ksrn1F4uK21JJYhoMXMB24vMQ2Ie+8nYnxkRH5Ug2yxTN3rFvTg5kj
+ aoDGpQQdltErTAhppBRt6j/UYNgdUhh4IGpTiWoMFNBVDijfiBkSLZ5TZrpXvdLj
+ cWF82FfZ8KwgRsm8mTecsWW+tc64OUCnanb6Z6HHmG/7AoHACAZK8mo49n7zas4S
+ vzMQVnFWSSD95Tfg+dqf8kMW1v7+xodCEeqNg8SOqsM5AvNfnkLgdpPu8DrTk9U3
+ Bc8pI9z5xxJqX+u8SZMNaEzsf+4YFYS+Ap7yH6EwyE+w7GGrUGeu79aBzbbljD/p
+ ImX5VD1AzyG9Yy7InJNkbFowD/DWeYw4UNu2RzmrhLiq5UfER5FA8mtpvjrvRdmc
+ 33/bSdD9O8Txw8laxPg74N9CRgbEuOG0gk60UgjWEZ2Tb1HDAoHBAKMgawCKoc5m
+ HhS7+YnrE1Vs2jNzIS7SXG5aAVExzsaDyS78McFEvaxqBnJCVUf48B2H0hRhgFgQ
+ WxXvDWQkWB4TtravGL5Fu6WCyLb1isWOqHHgVgPCDDoU2EcmEzgw20/kPK9tKaAI
+ ot+TQS2sKHFrixY4rL9iIfu6DRNLEnqcdWVe1O2OwMib5BOOYVnQ2SjLUrZg0TAN
+ GUHtd3+OTCD/dmlCZmTNJ+9T2wLh5d7adB3O6nDvHY/3NzAM/xgsJQ==
+ -----END RSA PRIVATE KEY-----
+ cert: |
+ -----BEGIN CERTIFICATE-----
+ MIIEazCCAtOgAwIBAgIMXL3NGQ6SWK9G4DMxMA0GCSqGSIb3DQEBCwUAMBkxFzAV
+ BgNVBAMTDk9wZW5TdGFjayBOb3ZhMB4XDTE5MDQyMjE0MTgwMVoXDTIwMDQyMTE0
+ MTgwMVowVjESMBAGA1UEAxMJbG9jYWxob3N0MREwDwYDVQQKEwhNaXJhbnRpczEP
+ MA0GA1UEBxMGTW9zY293MQ8wDQYDVQQIEwZNb3Njb3cxCzAJBgNVBAYTAlJVMIIB
+ ojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAokywgb8hArmsX4U7xa+gj49h
+ 66Q51CRAEBQ0oiVohdpUyd+EJ8/ZOx4Di3Q/lHV1N/NlHFQZNPagAeoCxEhFydUD
+ wLNxy22eXWqwdQckQXQ5UPhxeOV5SMynmmUCiEe0ZwVPY50KA1ffdHMnpHb+3jGd
+ X6S4SuFqnDgnsna+lN4uAdJAID9LnTsUQ1J5pR/Q93IgO/vPcoTV+8Xw8riPbmL5
+ 4MhIBCrbjkbtY/P+jHidKct37Qam8xeY91OfU/uLbApeKPeu+d5lL9tcnX0E309R
+ x1ldBVkKKKQ3DNw8UY0B3yJtgJkzZda5POpvK5k+ZeBjdbtiK3yASNYvt+XcxS+7
+ Nu6aofzpWPZv+UaSvo4dCJ36FsTqsfnWZm3SZlUcuqph+MA+sg8ZGSCY8I+rxoNe
+ kV4VYur+4hIrJFNPIGpBSdpXZKgWWIzdls0Dlo0+3QVKjZZ/mAw2vlGkoMm9GcNe
+ MiixxoiWvjpfkSeXmnjX8ImoLoaJa0AiNTrwXu3xAgMBAAGjdjB0MAwGA1UdEwEB
+ /wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDwYDVR0PAQH/BAUDAwegADAdBgNV
+ HQ4EFgQUeeHhT7Bd+qgiGOrVyIAXMFpjINwwHwYDVR0jBBgwFoAUtLd+ygHkXbDh
+ a83RPZRDDVwhfmswDQYJKoZIhvcNAQELBQADggGBAKP5pbe0dXy4w53oiXC2JwZd
+ hC0MYopS6BSaZ5ZAC7AJvQKkGUDCG6x/3A3Gv5r3qC6WCPruQnwUiaPJDjFk5wkF
+ Vbyx768AORbMy6SR+GVcdr1pZFSbm4seppHaKDDcez3zD8DW+YYSEERobfdOOjNw
+ x5063DvbccjvpsGWAVPSz7E+BDmBdRtBeIxhmcvo5Vi84teTFrw+M4D2AUneiNip
+ vD5QnzdHdRKfhcA/cJH2xWTs0hXIi+CfTOf61oNiyuF22PEBE9Fo4fqvTo9YEK7O
+ /vPLtlaSunjTlFJv8vYmJDswKNUCvB74PCruOp+PMiFI1F2tJpfnPYz8DMGvmOUs
+ PXE1nEDZSyduYeTxwXTFGBV7JGTPkNcF3m0m1uIPgi/TvDR25DEd7sUDLBXFnCrD
+ d58gp+67iOb782LimjkdktsBIvYEKDXVP+LXN8sONBTHHsjAqgl2pg2bCpTkF7L5
+ hwPWWMUfTaOnVTWNVz+rtpRymS87HVshRaw0DgURMg==
+ -----END CERTIFICATE-----
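Review bot: `priority: SECURE256` is a single keyword, so this pillar never exercises the multi-token string the commit message requires for PROD-27620 (colon-separated, with `+`/`-` modifiers and TLS 1.2 only). Use that full string here so the rendered `tls_priority` line is tested with the value that will actually be deployed. The file also commits three RSA private keys (`user.private_key`, `libvirt.tls.key`, `libvirt.tls.client.key`); add a comment at the top stating that they are throwaway fixtures generated for this test suite and must not be reused anywhere else.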