From 158901694ef7fb7d65b0153e287d196b5ec6f410 Mon Sep 17 00:00:00 2001
From: idanasulinStrech <idan@memphis.dev>
Date: Wed, 6 Dec 2023 18:02:44 +0200
Subject: [PATCH 01/16] add changed of Nats 2.9.22

---
 conf/lex.go                                   |    5 +-
 conf/lex_test.go                              |   78 +-
 conf/parse.go                                 |    8 +-
 conf/parse_test.go                            |  349 ++-
 conf/simple.conf                              |    6 +
 go.mod                                        |    8 +-
 go.sum                                        |   18 +-
 internal/testhelper/logging.go                |    3 +
 logger/log.go                                 |   47 +-
 logger/log_test.go                            |    2 +-
 logger/syslog.go                              |    2 +
 logger/syslog_windows.go                      |    4 +
 main.go                                       |   22 +-
 server/accounts.go                            |  288 +-
 server/accounts_test.go                       |   93 +-
 server/auth.go                                |    9 +-
 server/auth_test.go                           |    1 +
 server/certidp/certidp.go                     |  297 ++
 server/certidp/messages.go                    |  106 +
 server/certidp/ocsp_responder.go              |   83 +
 server/certstore/certstore.go                 |  102 +
 server/certstore/certstore_other.go           |   46 +
 server/certstore/certstore_windows.go         |  827 ++++++
 server/certstore/errors.go                    |   73 +
 server/certstore_windows_test.go              |  230 ++
 server/ciphersuites.go                        |    3 +
 server/client.go                              |  485 ++--
 server/client_test.go                         |  158 +-
 server/config_check_test.go                   |   27 +-
 .../configs/certs/tls/benchmark-ca-cert.pem   |   23 +
 server/configs/certs/tls/benchmark-ca-key.pem |   28 +
 .../tls/benchmark-server-cert-ed25519.pem     |   19 +
 .../tls/benchmark-server-cert-rsa-1024.pem    |   22 +
 .../tls/benchmark-server-cert-rsa-2048.pem    |   24 +
 .../tls/benchmark-server-cert-rsa-4096.pem    |   30 +
 .../tls/benchmark-server-key-ed25519.pem      |    3 +
 .../tls/benchmark-server-key-rsa-1024.pem     |   16 +
 .../tls/benchmark-server-key-rsa-2048.pem     |   28 +
 .../tls/benchmark-server-key-rsa-4096.pem     |   52 +
 server/configs/reload/reload.conf             |    1 +
 server/configs/tls/tls-ed25519.conf           |   10 +
 server/configs/tls/tls-none.conf              |    4 +
 server/configs/tls/tls-rsa-1024.conf          |   10 +
 server/configs/tls/tls-rsa-2048.conf          |   10 +
 server/configs/tls/tls-rsa-4096.conf          |   10 +
 server/const.go                               |   16 +-
 server/consumer.go                            |  472 +++-
 server/core_benchmarks_test.go                |  251 ++
 server/dirstore.go                            |    7 +
 server/disk_avail.go                          |    2 +-
 server/errors_gen.go                          |   14 +-
 server/events.go                              |  511 +++-
 server/events_test.go                         |   49 +-
 server/filestore.go                           |  848 ++++--
 server/filestore_test.go                      |  524 +++-
 server/gateway.go                             |   19 +-
 server/ipqueue.go                             |   37 +-
 server/ipqueue_test.go                        |    8 +-
 server/jetstream.go                           |  285 +-
 server/jetstream_api.go                       |   88 +-
 server/jetstream_benchmark_consume_test.go    |  404 ---
 server/jetstream_benchmark_kv_test.go         |  265 --
 server/jetstream_benchmark_publish_test.go    |  274 --
 server/jetstream_benchmark_test.go            | 1376 +++++++++
 server/jetstream_chaos_cluster_test.go        |   76 -
 server/jetstream_chaos_consumer_test.go       |  615 ----
 server/jetstream_chaos_helpers_test.go        |  177 --
 server/jetstream_chaos_kv_test.go             |  456 ---
 server/jetstream_chaos_test.go                | 1285 +++++++++
 server/jetstream_cluster.go                   |  912 ++++--
 server/jetstream_cluster_1_test.go            |   27 +-
 server/jetstream_cluster_2_test.go            |   25 +-
 server/jetstream_cluster_3_test.go            | 2479 ++++++++++++++++-
 server/jetstream_errors.go                    |   12 -
 server/jetstream_errors_generated.go          |   13 -
 server/jetstream_errors_test.go               |   12 -
 server/jetstream_helpers_test.go              |  124 +-
 server/jetstream_leafnode_test.go             |   48 +-
 server/jetstream_super_cluster_test.go        |   94 +
 server/jetstream_test.go                      |  804 +++++-
 server/jwt_test.go                            |  197 +-
 server/leafnode.go                            |  155 +-
 server/leafnode_test.go                       |  725 ++++-
 server/log.go                                 |   17 +-
 server/log_test.go                            |    2 +-
 server/memstore.go                            |  109 +-
 server/monitor.go                             |  359 ++-
 server/monitor_sort_opts.go                   |   18 +-
 server/monitor_test.go                        |  520 +++-
 server/mqtt.go                                |    8 +-
 server/mqtt_test.go                           |   47 +-
 server/nkey.go                                |    2 +-
 server/norace_test.go                         | 1721 +++++++++++-
 server/ocsp.go                                |  276 +-
 server/ocsp_peer.go                           |  405 +++
 server/ocsp_responsecache.go                  |  636 +++++
 server/opts.go                                |  196 +-
 server/opts_test.go                           |   22 +-
 server/parser.go                              |   13 +-
 server/raft.go                                |  451 ++-
 server/raft_helpers_test.go                   |  276 ++
 server/raft_test.go                           |   49 +-
 server/reload.go                              |  176 +-
 server/reload_test.go                         |  222 +-
 server/route.go                               |   53 +-
 server/routes_test.go                         |   88 +-
 server/sendq.go                               |   37 +-
 server/server.go                              |  288 +-
 server/server_test.go                         |    2 +-
 server/signal_test.go                         |    2 +-
 server/split_test.go                          |    1 +
 server/store.go                               |    5 +-
 server/stream.go                              |  616 ++--
 server/sublist.go                             |   33 +-
 server/sublist_test.go                        |   40 +-
 server/test_test.go                           |   24 +-
 server/util.go                                |    3 +
 server/util_test.go                           |    1 +
 server/websocket.go                           |   57 +-
 server/websocket_test.go                      |   15 +-
 120 files changed, 19212 insertions(+), 4934 deletions(-)
 create mode 100644 conf/simple.conf
 create mode 100644 server/certidp/certidp.go
 create mode 100644 server/certidp/messages.go
 create mode 100644 server/certidp/ocsp_responder.go
 create mode 100644 server/certstore/certstore.go
 create mode 100644 server/certstore/certstore_other.go
 create mode 100644 server/certstore/certstore_windows.go
 create mode 100644 server/certstore/errors.go
 create mode 100644 server/certstore_windows_test.go
 create mode 100644 server/configs/certs/tls/benchmark-ca-cert.pem
 create mode 100644 server/configs/certs/tls/benchmark-ca-key.pem
 create mode 100644 server/configs/certs/tls/benchmark-server-cert-ed25519.pem
 create mode 100644 server/configs/certs/tls/benchmark-server-cert-rsa-1024.pem
 create mode 100644 server/configs/certs/tls/benchmark-server-cert-rsa-2048.pem
 create mode 100644 server/configs/certs/tls/benchmark-server-cert-rsa-4096.pem
 create mode 100644 server/configs/certs/tls/benchmark-server-key-ed25519.pem
 create mode 100644 server/configs/certs/tls/benchmark-server-key-rsa-1024.pem
 create mode 100644 server/configs/certs/tls/benchmark-server-key-rsa-2048.pem
 create mode 100644 server/configs/certs/tls/benchmark-server-key-rsa-4096.pem
 create mode 100644 server/configs/tls/tls-ed25519.conf
 create mode 100644 server/configs/tls/tls-none.conf
 create mode 100644 server/configs/tls/tls-rsa-1024.conf
 create mode 100644 server/configs/tls/tls-rsa-2048.conf
 create mode 100644 server/configs/tls/tls-rsa-4096.conf
 create mode 100644 server/core_benchmarks_test.go
 delete mode 100644 server/jetstream_benchmark_consume_test.go
 delete mode 100644 server/jetstream_benchmark_kv_test.go
 delete mode 100644 server/jetstream_benchmark_publish_test.go
 create mode 100644 server/jetstream_benchmark_test.go
 delete mode 100644 server/jetstream_chaos_cluster_test.go
 delete mode 100644 server/jetstream_chaos_consumer_test.go
 delete mode 100644 server/jetstream_chaos_helpers_test.go
 delete mode 100644 server/jetstream_chaos_kv_test.go
 create mode 100644 server/jetstream_chaos_test.go
 create mode 100644 server/ocsp_peer.go
 create mode 100644 server/ocsp_responsecache.go
 create mode 100644 server/raft_helpers_test.go

diff --git a/conf/lex.go b/conf/lex.go
index be990a610..b1d68bda1 100644
--- a/conf/lex.go
+++ b/conf/lex.go
@@ -78,6 +78,7 @@ const (
 	topOptTerm        = '}'
 	blockStart        = '('
 	blockEnd          = ')'
+	mapEndString      = string(mapEnd)
 )
 
 type stateFn func(lx *lexer) stateFn
@@ -681,7 +682,7 @@ func lexMapQuotedKey(lx *lexer) stateFn {
 	return lexMapQuotedKey
 }
 
-// lexMapQuotedKey consumes the text of a key between quotes.
+// lexMapDubQuotedKey consumes the text of a key between quotes.
 func lexMapDubQuotedKey(lx *lexer) stateFn {
 	if r := lx.peek(); r == eof {
 		return lx.errorf("Unexpected EOF processing double quoted map key.")
@@ -1061,7 +1062,7 @@ func lexNegNumberStart(lx *lexer) stateFn {
 	return lexNegNumber
 }
 
-// lexNumber consumes a negative integer or a float after seeing the first digit.
+// lexNegNumber consumes a negative integer or a float after seeing the first digit.
 func lexNegNumber(lx *lexer) stateFn {
 	r := lx.next()
 	switch {
diff --git a/conf/lex_test.go b/conf/lex_test.go
index a91fdb674..2d2bec12d 100644
--- a/conf/lex_test.go
+++ b/conf/lex_test.go
@@ -1,15 +1,3 @@
-// Copyright 2012-2018 The NATS Authors
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
 package conf
 
 import "testing"
@@ -1483,6 +1471,8 @@ func TestJSONCompat(t *testing.T) {
 			expected: []item{
 				{itemKey, "http_port", 3, 28},
 				{itemInteger, "8223", 3, 40},
+				{itemKey, "}", 4, 25},
+				{itemEOF, "", 0, 0},
 			},
 		},
 		{
@@ -1490,14 +1480,16 @@ func TestJSONCompat(t *testing.T) {
 			input: `
                         {
                           "http_port": 8223,
-                          "port": 4223
+                          "port": 6667
                         }
                         `,
 			expected: []item{
 				{itemKey, "http_port", 3, 28},
 				{itemInteger, "8223", 3, 40},
 				{itemKey, "port", 4, 28},
-				{itemInteger, "4223", 4, 35},
+				{itemInteger, "6667", 4, 35},
+				{itemKey, "}", 5, 25},
+				{itemEOF, "", 0, 0},
 			},
 		},
 		{
@@ -1505,7 +1497,7 @@ func TestJSONCompat(t *testing.T) {
 			input: `
                         {
                           "http_port": 8223,
-                          "port": 4223,
+                          "port": 6667,
                           "max_payload": "5MB",
                           "debug": true,
                           "max_control_line": 1024
@@ -1515,24 +1507,27 @@ func TestJSONCompat(t *testing.T) {
 				{itemKey, "http_port", 3, 28},
 				{itemInteger, "8223", 3, 40},
 				{itemKey, "port", 4, 28},
-				{itemInteger, "4223", 4, 35},
+				{itemInteger, "6667", 4, 35},
 				{itemKey, "max_payload", 5, 28},
 				{itemString, "5MB", 5, 43},
 				{itemKey, "debug", 6, 28},
 				{itemBool, "true", 6, 36},
 				{itemKey, "max_control_line", 7, 28},
 				{itemInteger, "1024", 7, 47},
+				{itemKey, "}", 8, 25},
+				{itemEOF, "", 0, 0},
 			},
 		},
 		{
 			name: "should support JSON not prettified",
-			input: `{"http_port": 8224,"port": 4224}
+			input: `{"http_port": 8224,"port": 6668}
                         `,
 			expected: []item{
 				{itemKey, "http_port", 1, 2},
 				{itemInteger, "8224", 1, 14},
 				{itemKey, "port", 1, 20},
-				{itemInteger, "4224", 1, 27},
+				{itemInteger, "6668", 1, 27},
+				{itemEOF, "", 0, 0},
 			},
 		},
 		{
@@ -1545,11 +1540,13 @@ func TestJSONCompat(t *testing.T) {
 				{itemInteger, "8225", 1, 14},
 				{itemKey, "port", 1, 20},
 				{itemInteger, "4225", 1, 27},
+				{itemKey, "}", 2, 25},
+				{itemEOF, "", 0, 0},
 			},
 		},
 		{
 			name: "should support uglified JSON with inner blocks",
-			input: `{"http_port": 8227,"port": 4227,"write_deadline": "1h","cluster": {"port": 6222,"routes": ["nats://127.0.0.1:6666","nats://127.0.0.1:4223","nats://127.0.0.1:4224"]}}
+			input: `{"http_port": 8227,"port": 4227,"write_deadline": "1h","cluster": {"port": 6222,"routes": ["nats://127.0.0.1:6666","nats://127.0.0.1:6667","nats://127.0.0.1:6668"]}}
                         `,
 			expected: []item{
 				{itemKey, "http_port", 1, 2},
@@ -1565,10 +1562,12 @@ func TestJSONCompat(t *testing.T) {
 				{itemKey, "routes", 1, 81},
 				{itemArrayStart, "", 1, 91},
 				{itemString, "nats://127.0.0.1:6666", 1, 92},
-				{itemString, "nats://127.0.0.1:4223", 1, 116},
-				{itemString, "nats://127.0.0.1:4224", 1, 140},
+				{itemString, "nats://127.0.0.1:6667", 1, 116},
+				{itemString, "nats://127.0.0.1:6667", 1, 140},
 				{itemArrayEnd, "", 1, 163},
 				{itemMapEnd, "", 1, 164},
+				{itemKey, "}", 14, 25},
+				{itemEOF, "", 0, 0},
 			},
 		},
 		{
@@ -1582,8 +1581,8 @@ func TestJSONCompat(t *testing.T) {
                             "port": 6222,
                             "routes": [
                               "nats://127.0.0.1:6666",
-                              "nats://127.0.0.1:4223",
-                              "nats://127.0.0.1:4224"
+                              "nats://127.0.0.1:6667",
+                              "nats://127.0.0.1:6668"
                             ]
                           }
                         }
@@ -1602,10 +1601,39 @@ func TestJSONCompat(t *testing.T) {
 				{itemKey, "routes", 8, 30},
 				{itemArrayStart, "", 8, 40},
 				{itemString, "nats://127.0.0.1:6666", 9, 32},
-				{itemString, "nats://127.0.0.1:4223", 10, 32},
-				{itemString, "nats://127.0.0.1:4224", 11, 32},
+				{itemString, "nats://127.0.0.1:6667", 10, 32},
+				{itemString, "nats://127.0.0.1:6668", 11, 32},
 				{itemArrayEnd, "", 12, 30},
 				{itemMapEnd, "", 13, 28},
+				{itemKey, "}", 14, 25},
+				{itemEOF, "", 0, 0},
+			},
+		},
+		{
+			name: "should support JSON with blocks",
+			input: `{
+                          "jetstream": {
+                            "store_dir": "/tmp/nats"
+                            "max_mem": 1000000,
+                          },
+                          "port": 6666,
+                          "server_name": "nats1"
+                        }
+                        `,
+			expected: []item{
+				{itemKey, "jetstream", 2, 28},
+				{itemMapStart, "", 2, 41},
+				{itemKey, "store_dir", 3, 30},
+				{itemString, "/tmp/nats", 3, 43},
+				{itemKey, "max_mem", 4, 30},
+				{itemInteger, "1000000", 4, 40},
+				{itemMapEnd, "", 5, 28},
+				{itemKey, "port", 6, 28},
+				{itemInteger, "6666", 6, 35},
+				{itemKey, "server_name", 7, 28},
+				{itemString, "nats1", 7, 43},
+				{itemKey, "}", 8, 25},
+				{itemEOF, "", 0, 0},
 			},
 		},
 	} {
diff --git a/conf/parse.go b/conf/parse.go
index 23d082f54..649ff9850 100644
--- a/conf/parse.go
+++ b/conf/parse.go
@@ -147,16 +147,22 @@ func parse(data, fp string, pedantic bool) (p *parser, err error) {
 	}
 	p.pushContext(p.mapping)
 
+	var prevItem item
 	for {
 		it := p.next()
 		if it.typ == itemEOF {
+			// Here we allow the final character to be a bracket '}'
+			// in order to support JSON like configurations.
+			if prevItem.typ == itemKey && prevItem.val != mapEndString {
+				return nil, fmt.Errorf("config is invalid (%s:%d:%d)", fp, it.line, it.pos)
+			}
 			break
 		}
+		prevItem = it
 		if err := p.processItem(it, fp); err != nil {
 			return nil, err
 		}
 	}
-
 	return p, nil
 }
 
diff --git a/conf/parse_test.go b/conf/parse_test.go
index b50cc8b80..5bb1662f4 100644
--- a/conf/parse_test.go
+++ b/conf/parse_test.go
@@ -1,20 +1,9 @@
-// Copyright 2012-2018 The NATS Authors
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
 package conf
 
 import (
 	"fmt"
 	"os"
+	"path/filepath"
 	"reflect"
 	"strings"
 	"testing"
@@ -415,3 +404,339 @@ func TestParserNoInfiniteLoop(t *testing.T) {
 		}
 	}
 }
+
+func TestParseWithNoValuesAreInvalid(t *testing.T) {
+	for _, test := range []struct {
+		name string
+		conf string
+		err  string
+	}{
+		{
+			"invalid key without values",
+			`aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa`,
+			"config is invalid (:1:41)",
+		},
+		{
+			"invalid untrimmed key without values",
+			`              aaaaaaaaaaaaaaaaaaaaaaaaaaa`,
+			"config is invalid (:1:41)",
+		},
+		{
+			"invalid untrimmed key without values",
+			`     aaaaaaaaaaaaaaaaaaaaaaaaaaa         `,
+			"config is invalid (:1:41)",
+		},
+		{
+			"invalid keys after comments",
+			`
+          		# with comments and no spaces to create key values
+         		# is also an invalid config.
+         		aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+                        `,
+			"config is invalid (:5:25)",
+		},
+		{
+			"comma separated without values are invalid",
+			`
+                        a,a,a,a,a,a,a,a,a,a,a
+                        `,
+			"config is invalid (:3:25)",
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			if _, err := parse(test.conf, "", true); err == nil {
+				t.Error("expected an error")
+			} else if !strings.Contains(err.Error(), test.err) {
+				t.Errorf("expected invalid conf error, got: %v", err)
+			}
+		})
+	}
+}
+
+func TestParseWithNoValuesEmptyConfigsAreValid(t *testing.T) {
+	for _, test := range []struct {
+		name string
+		conf string
+	}{
+		{
+			"empty conf",
+			"",
+		},
+		{
+			"empty conf with line breaks",
+			`
+
+
+                        `,
+		},
+		{
+			"just comments with no values",
+			`
+                        # just comments with no values
+                        # is still valid.
+                        `,
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			if _, err := parse(test.conf, "", true); err != nil {
+				t.Errorf("unexpected error: %v", err)
+			}
+		})
+	}
+}
+
+func TestParseWithTrailingBracketsAreValid(t *testing.T) {
+	for _, test := range []struct {
+		name string
+		conf string
+	}{
+		{
+			"empty conf",
+			"{}",
+		},
+		{
+			"just comments with no values",
+			`
+                        {
+                        # comments in the body
+                        }
+                        `,
+		},
+		{
+			// trailing brackets accidentally can become keys,
+			// this is valid since needed to support JSON like configs..
+			"trailing brackets after config",
+			`
+                        accounts { users = [{}]}
+                        }
+                        `,
+		},
+		{
+			"wrapped in brackets",
+			`{
+                          accounts { users = [{}]}
+                        }
+                        `,
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			if _, err := parse(test.conf, "", true); err != nil {
+				t.Errorf("unexpected error: %v", err)
+			}
+		})
+	}
+}
+
+func TestParseWithNoValuesIncludes(t *testing.T) {
+	for _, test := range []struct {
+		input    string
+		includes map[string]string
+		err      string
+		linepos  string
+	}{
+		{
+			`# includes
+			accounts {
+                          foo { include 'foo.conf'}
+                          bar { users = [{user = "bar"}] }
+                          quux { include 'quux.conf'}
+                        }
+                        `,
+			map[string]string{
+				"foo.conf":  ``,
+				"quux.conf": `?????????????`,
+			},
+			"error parsing include file 'quux.conf', config is invalid",
+			"quux.conf:1:1",
+		},
+		{
+			`# includes
+			accounts {
+                          foo { include 'foo.conf'}
+                          bar { include 'bar.conf'}
+                          quux { include 'quux.conf'}
+                        }
+                        `,
+			map[string]string{
+				"foo.conf": ``, // Empty configs are ok
+				"bar.conf": `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA`,
+				"quux.conf": `
+                                   # just some comments,
+                                   # and no key values also ok.
+                                `,
+			},
+			"error parsing include file 'bar.conf', config is invalid",
+			"bar.conf:1:34",
+		},
+	} {
+		t.Run("", func(t *testing.T) {
+			sdir := t.TempDir()
+			f, err := os.CreateTemp(sdir, "nats.conf-")
+			if err != nil {
+				t.Fatal(err)
+			}
+			if err := os.WriteFile(f.Name(), []byte(test.input), 066); err != nil {
+				t.Error(err)
+			}
+			if test.includes != nil {
+				for includeFile, contents := range test.includes {
+					inf, err := os.Create(filepath.Join(sdir, includeFile))
+					if err != nil {
+						t.Fatal(err)
+					}
+					if err := os.WriteFile(inf.Name(), []byte(contents), 066); err != nil {
+						t.Error(err)
+					}
+				}
+			}
+			if _, err := parse(test.input, f.Name(), true); err == nil {
+				t.Error("expected an error")
+			} else if !strings.Contains(err.Error(), test.err) || !strings.Contains(err.Error(), test.linepos) {
+				t.Errorf("expected invalid conf error, got: %v", err)
+			}
+		})
+	}
+}
+
+func TestJSONParseCompat(t *testing.T) {
+	for _, test := range []struct {
+		name     string
+		input    string
+		includes map[string]string
+		expected map[string]interface{}
+	}{
+		{
+			"JSON with nested blocks",
+			`
+                        {
+                          "http_port": 8227,
+                          "port": 4227,
+                          "write_deadline": "1h",
+                          "cluster": {
+                            "port": 6222,
+                            "routes": [
+                              "nats://127.0.0.1:6666",
+                              "nats://127.0.0.1:6667",
+                              "nats://127.0.0.1:6668"
+                            ]
+                          }
+                        }
+                        `,
+			nil,
+			map[string]interface{}{
+				"http_port":      int64(8227),
+				"port":           int64(4227),
+				"write_deadline": "1h",
+				"cluster": map[string]interface{}{
+					"port": int64(6222),
+					"routes": []interface{}{
+						"nats://127.0.0.1:6666",
+						"nats://127.0.0.1:6667",
+						"nats://127.0.0.1:6668",
+					},
+				},
+			},
+		},
+		{
+			"JSON with nested blocks",
+			`{
+                          "jetstream": {
+                            "store_dir": "/tmp/nats"
+                            "max_mem": 1000000,
+                          },
+                          "port": 6666,
+                          "server_name": "nats1"
+                        }
+                        `,
+			nil,
+			map[string]interface{}{
+				"jetstream": map[string]interface{}{
+					"store_dir": "/tmp/nats",
+					"max_mem":   int64(1_000_000),
+				},
+				"port":        int64(6666),
+				"server_name": "nats1",
+			},
+		},
+		{
+			"JSON empty object in one line",
+			`{}`,
+			nil,
+			map[string]interface{}{},
+		},
+		{
+			"JSON empty object with line breaks",
+			`
+                        {
+                        }
+                        `,
+			nil,
+			map[string]interface{}{},
+		},
+		{
+			"JSON includes",
+			`
+                        accounts {
+                          foo  { include 'foo.json'  }
+                          bar  { include 'bar.json'  }
+                          quux { include 'quux.json' }
+                        }
+                        `,
+			map[string]string{
+				"foo.json": `{ "users": [ {"user": "foo"} ] }`,
+				"bar.json": `{ 
+                                  "users": [ {"user": "bar"} ] 
+                                }`,
+				"quux.json": `{}`,
+			},
+			map[string]interface{}{
+				"accounts": map[string]interface{}{
+					"foo": map[string]interface{}{
+						"users": []interface{}{
+							map[string]interface{}{
+								"user": "foo",
+							},
+						},
+					},
+					"bar": map[string]interface{}{
+						"users": []interface{}{
+							map[string]interface{}{
+								"user": "bar",
+							},
+						},
+					},
+					"quux": map[string]interface{}{},
+				},
+			},
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			sdir := t.TempDir()
+			f, err := os.CreateTemp(sdir, "nats.conf-")
+			if err != nil {
+				t.Fatal(err)
+			}
+			if err := os.WriteFile(f.Name(), []byte(test.input), 066); err != nil {
+				t.Error(err)
+			}
+			if test.includes != nil {
+				for includeFile, contents := range test.includes {
+					inf, err := os.Create(filepath.Join(sdir, includeFile))
+					if err != nil {
+						t.Fatal(err)
+					}
+					if err := os.WriteFile(inf.Name(), []byte(contents), 066); err != nil {
+						t.Error(err)
+					}
+				}
+			}
+			m, err := ParseFile(f.Name())
+			if err != nil {
+				t.Fatalf("Unexpected error: %v", err)
+			}
+			if !reflect.DeepEqual(m, test.expected) {
+				t.Fatalf("Not Equal:\nReceived: '%+v'\nExpected: '%+v'\n", m, test.expected)
+			}
+		})
+	}
+}
diff --git a/conf/simple.conf b/conf/simple.conf
new file mode 100644
index 000000000..8f75d73ad
--- /dev/null
+++ b/conf/simple.conf
@@ -0,0 +1,6 @@
+listen: 127.0.0.1:4222
+
+authorization {
+  include 'includes/users.conf' # Pull in from file
+  timeout: 0.5
+}
diff --git a/go.mod b/go.mod
index 50eeb729d..d27980bf9 100644
--- a/go.mod
+++ b/go.mod
@@ -9,14 +9,14 @@ require (
 	github.com/go-playground/validator/v10 v10.14.0
 	github.com/gofrs/uuid v4.4.0+incompatible
 	github.com/jhump/protoreflect v1.13.0
-	github.com/klauspost/compress v1.16.0
+	github.com/klauspost/compress v1.16.7
 	github.com/minio/highwayhash v1.0.2
-	github.com/nats-io/jwt/v2 v2.3.0
-	github.com/nats-io/nats.go v1.25.0
+	github.com/nats-io/jwt/v2 v2.5.0
+	github.com/nats-io/nats.go v1.28.0
 	github.com/nats-io/nkeys v0.4.4
 	github.com/nats-io/nuid v1.0.1
 	github.com/tkanos/gonfig v0.0.0-20210106201359-53e13348de2f
-	go.uber.org/automaxprocs v1.5.1
+	go.uber.org/automaxprocs v1.5.3
 	golang.org/x/crypto v0.14.0
 	golang.org/x/sys v0.13.0
 	golang.org/x/time v0.3.0
diff --git a/go.sum b/go.sum
index d26ed40d5..7dcbca35f 100644
--- a/go.sum
+++ b/go.sum
@@ -241,8 +241,8 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.16.0 h1:iULayQNOReoYUe+1qtKOqw9CwJv3aNQu8ivo7lw1HU4=
-github.com/klauspost/compress v1.16.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
+github.com/klauspost/compress v1.16.7 h1:2mk3MPGNzKyxErAw8YaohYh69+pa4sIQSC0fPGCFR9I=
+github.com/klauspost/compress v1.16.7/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.2.4 h1:acbojRNwl3o09bUq+yDCtZFc1aiwaAAxtcn8YkZXnvk=
 github.com/klauspost/cpuid/v2 v2.2.4/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY=
@@ -294,12 +294,11 @@ github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/nats-io/jwt/v2 v2.3.0 h1:z2mA1a7tIf5ShggOFlR1oBPgd6hGqcDYsISxZByUzdI=
-github.com/nats-io/jwt/v2 v2.3.0/go.mod h1:0tqz9Hlu6bCBFLWAASKhE5vUA4c24L9KPUUgvwumE/k=
+github.com/nats-io/jwt/v2 v2.5.0 h1:WQQ40AAlqqfx+f6ku+i0pOVm+ASirD4fUh+oQsiE9Ak=
+github.com/nats-io/jwt/v2 v2.5.0/go.mod h1:24BeQtRwxRV8ruvC4CojXlx/WQ/VjuwlYiH+vu/+ibI=
 github.com/nats-io/nats-server/v2 v2.9.5 h1:TlduKZ9YGoM0n34Lhm6AN0zRFOt/G3jTy9mPxXnE6dU=
-github.com/nats-io/nats.go v1.25.0 h1:t5/wCPGciR7X3Mu8QOi4jiJaXaWM8qtkLu4lzGZvYHE=
-github.com/nats-io/nats.go v1.25.0/go.mod h1:D2WALIhz7V8M0pH8Scx8JZXlg6Oqz5VG+nQkK8nJdvg=
-github.com/nats-io/nkeys v0.3.0/go.mod h1:gvUNGjVcM2IPr5rCsRsC6Wb3Hr2CQAm08dsxtV6A5y4=
+github.com/nats-io/nats.go v1.28.0 h1:Th4G6zdsz2d0OqXdfzKLClo6bOfoI/b1kInhRtFIy5c=
+github.com/nats-io/nats.go v1.28.0/go.mod h1:XpbWUlOElGwTYbMR7imivs7jJj9GtK7ypv321Wp6pjc=
 github.com/nats-io/nkeys v0.4.4 h1:xvBJ8d69TznjcQl9t6//Q5xXuVhyYiSos6RPtvQNTwA=
 github.com/nats-io/nkeys v0.4.4/go.mod h1:XUkxdLPTufzlihbamfzQ7mw/VGx6ObUs+0bN5sNvt64=
 github.com/nats-io/nuid v1.0.1 h1:5iA8DT8V7q8WK2EScv2padNa/rTESc1KdnPw4TC2paw=
@@ -377,8 +376,8 @@ go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
 go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
-go.uber.org/automaxprocs v1.5.1 h1:e1YG66Lrk73dn4qhg8WFSvhF0JuFQF0ERIp4rpuV8Qk=
-go.uber.org/automaxprocs v1.5.1/go.mod h1:BF4eumQw0P9GtnuxxovUd06vwm1o18oMzFtK66vU6XU=
+go.uber.org/automaxprocs v1.5.3 h1:kWazyxZUrS3Gs4qUpbwo5kEIMGe/DAvi5Z4tl2NW4j8=
+go.uber.org/automaxprocs v1.5.3/go.mod h1:eRbA25aqJrxAbsLO0xy5jVwPt7FQnRgjW+efnwa1WM0=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
 go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU=
@@ -396,7 +395,6 @@ golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.0.0-20210314154223-e6e6c4f2bb5b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
diff --git a/internal/testhelper/logging.go b/internal/testhelper/logging.go
index ddabbd70d..d0382bb58 100644
--- a/internal/testhelper/logging.go
+++ b/internal/testhelper/logging.go
@@ -82,12 +82,15 @@ func (l *DummyLogger) Tracef(format string, v ...interface{}) {
 	l.Msg = fmt.Sprintf(format, v...)
 	l.aggregate()
 }
+
+// ** added by Memphis
 func (l *DummyLogger) Systemf(format string, v ...interface{}) {
 	l.Lock()
 	defer l.Unlock()
 	l.Msg = fmt.Sprintf(format, v...)
 	l.aggregate()
 }
+// ** added by Memphis
 
 // NewDummyLogger creates a dummy logger and allows to ask for logs to be
 // retained instead of just keeping the most recent. Use retain to provide an
diff --git a/logger/log.go b/logger/log.go
index d8e8367a1..6afe9b499 100644
--- a/logger/log.go
+++ b/logger/log.go
@@ -10,6 +10,8 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+
+// Package logger provides logging facilities for the NATS server
 package logger
 
 import (
@@ -33,17 +35,41 @@ type Logger struct {
 	fatalLabel  string
 	debugLabel  string
 	traceLabel  string
-	systemLabel string
+	systemLabel string // ** added by Memphis
 	fl          *fileLogger
 }
 
-// NewStdLogger creates a logger with output directed to Stderr
-func NewStdLogger(time, debug, trace, colors, pid bool) *Logger {
+type LogOption interface {
+	isLoggerOption()
+}
+
+// LogUTC controls whether timestamps in the log output should be UTC or local time.
+type LogUTC bool
+
+func (l LogUTC) isLoggerOption() {}
+
+func logFlags(time bool, opts ...LogOption) int {
 	flags := 0
 	if time {
 		flags = log.LstdFlags | log.Lmicroseconds
 	}
 
+	for _, opt := range opts {
+		switch v := opt.(type) {
+		case LogUTC:
+			if time && bool(v) {
+				flags |= log.LUTC
+			}
+		}
+	}
+
+	return flags
+}
+
+// NewStdLogger creates a logger with output directed to Stderr
+func NewStdLogger(time, debug, trace, colors, pid bool, opts ...LogOption) *Logger {
+	flags := logFlags(time, opts...)
+
 	pre := ""
 	if pid {
 		pre = pidPrefix()
@@ -64,6 +90,7 @@ func NewStdLogger(time, debug, trace, colors, pid bool) *Logger {
 	return l
 }
 
+// ** added by Memphis
 // HybridLogPublishFunc is a function used to publish logs
 type HybridLogPublishFunc func(string, []byte)
 
@@ -140,13 +167,11 @@ func NewMemphisLogger(publishFunc HybridLogPublishFunc, fallbackPublishFunc Hybr
 		hsl.canPublishMu.Unlock()
 	}
 }
+// ** added by Memphis
 
 // NewFileLogger creates a logger with output directed to a file
-func NewFileLogger(filename string, time, debug, trace, pid bool) *Logger {
-	flags := 0
-	if time {
-		flags = log.LstdFlags | log.Lmicroseconds
-	}
+func NewFileLogger(filename string, time, debug, trace, pid bool, opts ...LogOption) *Logger {
+	flags := logFlags(time, opts...)
 
 	pre := ""
 	if pid {
@@ -350,7 +375,7 @@ func setPlainLabelFormats(l *Logger) {
 	l.errorLabel = "[ERR] "
 	l.fatalLabel = "[FTL] "
 	l.traceLabel = "[TRC] "
-	l.systemLabel = "[SYS] "
+	l.systemLabel = "[SYS] " // ** added by Memphis
 }
 
 func setColoredLabelFormats(l *Logger) {
@@ -358,7 +383,7 @@ func setColoredLabelFormats(l *Logger) {
 	l.infoLabel = fmt.Sprintf(colorFormat, "32", "INF")
 	l.debugLabel = fmt.Sprintf(colorFormat, "36", "DBG")
 	l.warnLabel = fmt.Sprintf(colorFormat, "0;93", "WRN")
-	l.systemLabel = fmt.Sprintf(colorFormat, "32", "SYS")
+	l.systemLabel = fmt.Sprintf(colorFormat, "32", "SYS") // ** added by Memphis
 	l.errorLabel = fmt.Sprintf(colorFormat, "31", "ERR")
 	l.fatalLabel = fmt.Sprintf(colorFormat, "31", "FTL")
 	l.traceLabel = fmt.Sprintf(colorFormat, "33", "TRC")
@@ -379,10 +404,12 @@ func (l *Logger) Errorf(format string, v ...interface{}) {
 	l.logger.Printf(l.errorLabel+format, v...)
 }
 
+// ** added by Memphis
 // Systemf logs an system statement
 func (l *Logger) Systemf(format string, v ...interface{}) {
 	l.logger.Printf(l.systemLabel+format, v...)
 }
+// ** added by Memphis
 
 // Fatalf logs a fatal error
 func (l *Logger) Fatalf(format string, v ...interface{}) {
diff --git a/logger/log_test.go b/logger/log_test.go
index a8d13f39f..f49c07e64 100644
--- a/logger/log_test.go
+++ b/logger/log_test.go
@@ -125,7 +125,7 @@ func TestFileLogger(t *testing.T) {
 	file = createFileAtDir(t, tmpDir, "nats-server:log_")
 	file.Close()
 
-	logger = NewFileLogger(file.Name(), true, true, true, true)
+	logger = NewFileLogger(file.Name(), true, false, true, true)
 	defer logger.Close()
 	logger.Errorf("foo")
 
diff --git a/logger/syslog.go b/logger/syslog.go
index 7d7183f27..b535a6593 100644
--- a/logger/syslog.go
+++ b/logger/syslog.go
@@ -132,7 +132,9 @@ func (l *SysLogger) Tracef(format string, v ...interface{}) {
 	}
 }
 
+// ** added by Memphis
 // Systemf logs a trace statement
 func (l *SysLogger) Systemf(format string, v ...interface{}) {
 	l.writer.Notice(fmt.Sprintf(format, v...))
 }
+// ** added by Memphis
diff --git a/logger/syslog_windows.go b/logger/syslog_windows.go
index 35de340a7..af277a1ce 100644
--- a/logger/syslog_windows.go
+++ b/logger/syslog_windows.go
@@ -10,6 +10,8 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+
+// Package logger logs to the windows event log
 package logger
 
 import (
@@ -109,9 +111,11 @@ func (l *SysLogger) Tracef(format string, v ...interface{}) {
 	}
 }
 
+// ** added by Memphis
 // Systemf logs a system statement
 func (l *SysLogger) Systemf(format string, v ...interface{}) {
 	if l.trace {
 		l.writer.Info(4, formatMsg("SYSTEM", format, v...))
 	}
 }
+// ** added by Memphis
diff --git a/main.go b/main.go
index bea9e9512..16975a416 100644
--- a/main.go
+++ b/main.go
@@ -35,8 +35,9 @@ Usage: nats-server [options]
 
 Server Options:
     -a, --addr, --net <host>         Bind to host address (default: 0.0.0.0)
-    -p, --port <port>                Use port for clients (default: 6666)
-    -n, --name --server_name <server_name>  Server name (default: auto)
+    -p, --port <port>                Use port for clients (default: 4222)
+    -n, --name
+        --server_name <server_name>  Server name (default: auto)
     -P, --pid <file>                 File to store PID
     -m, --http_port <port>           Use port for http monitoring
     -ms,--https_port <port>          Use port for https monitoring
@@ -44,8 +45,8 @@ Server Options:
     -t                               Test configuration and exit
     -sl,--signal <signal>[=<pid>]    Send signal to nats-server process (ldm, stop, quit, term, reopen, reload)
                                      pid> can be either a PID (e.g. 1) or the path to a PID file (e.g. /var/run/nats-server.pid)
-    --client_advertise <string>  Client URL to advertise to other servers
-    --ports_file_dir <dir>       Creates a ports file in the specified directory (<executable_name>_<pid>.ports).
+        --client_advertise <string>  Client URL to advertise to other servers
+        --ports_file_dir <dir>       Creates a ports file in the specified directory (<executable_name>_<pid>.ports).
 
 Logging Options:
     -l, --log <file>                 File to redirect log output
@@ -57,12 +58,12 @@ Logging Options:
     -VV                              Verbose trace (traces system account as well)
     -DV                              Debug and trace
     -DVV                             Debug and verbose trace (traces system account as well)
-    --log_size_limit <limit>     Logfile size limit (default: auto)
-    --max_traced_msg_len <len>   Maximum printable length for traced messages (default: unlimited)
+        --log_size_limit <limit>     Logfile size limit (default: auto)
+        --max_traced_msg_len <len>   Maximum printable length for traced messages (default: unlimited)
 
 JetStream Options:
-    -js, --jetstream                 Enable JetStream functionality.
-    -sd, --store_dir <dir>           Set the storage directory.
+    -js, --jetstream                 Enable JetStream functionality
+    -sd, --store_dir <dir>           Set the storage directory
 
 Authorization Options:
         --user <user>                User required for connections
@@ -85,6 +86,9 @@ Cluster Options:
         --connect_retries <number>   For implicit routes, number of connect retries
         --cluster_listen <url>       Cluster url from which members can solicit routes
 
+Profiling Options:
+        --profile <port>             Profiling HTTP port
+
 Common Options:
     -h, --help                       Show this message
     -v, --version                    Show version
@@ -204,8 +208,6 @@ func main() {
 		s.Warnf("Failed to set GOMAXPROCS: %v", err)
 	} else {
 		defer undo()
-		// Reset these from the snapshots from init for monitor.go
-		server.SnapshotMonitorInfo()
 	}
 	s.Noticef("Established connection with the meta-data storage")
 
diff --git a/server/accounts.go b/server/accounts.go
index c0a792e79..4c132475a 100644
--- a/server/accounts.go
+++ b/server/accounts.go
@@ -1,4 +1,4 @@
-// Copyright 2018-2022 The NATS Authors
+// Copyright 2018-2023 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -21,6 +21,7 @@ import (
 	"hash/fnv"
 	"hash/maphash"
 	"io"
+	"io/fs"
 	"math"
 	"math/rand"
 	"net/http"
@@ -73,7 +74,9 @@ type Account struct {
 	lqws         map[string]int32
 	usersRevoked map[string]int64
 	mappings     []*mapping
+	lmu          sync.RWMutex
 	lleafs       []*client
+	leafClusters map[string]uint64
 	imports      importMap
 	exports      exportMap
 	js           *jsAccount
@@ -165,14 +168,17 @@ const (
 	Chunked
 )
 
-var commaSeparatorRegEx = regexp.MustCompile(`,\s*`)
-var partitionMappingFunctionRegEx = regexp.MustCompile(`{{\s*[pP]artition\s*\((.*)\)\s*}}`)
-var wildcardMappingFunctionRegEx = regexp.MustCompile(`{{\s*[wW]ildcard\s*\((.*)\)\s*}}`)
-var splitFromLeftMappingFunctionRegEx = regexp.MustCompile(`{{\s*[sS]plit[fF]rom[lL]eft\s*\((.*)\)\s*}}`)
-var splitFromRightMappingFunctionRegEx = regexp.MustCompile(`{{\s*[sS]plit[fF]rom[rR]ight\s*\((.*)\)\s*}}`)
-var sliceFromLeftMappingFunctionRegEx = regexp.MustCompile(`{{\s*[sS]lice[fF]rom[lL]eft\s*\((.*)\)\s*}}`)
-var sliceFromRightMappingFunctionRegEx = regexp.MustCompile(`{{\s*[sS]lice[fF]rom[rR]ight\s*\((.*)\)\s*}}`)
-var splitMappingFunctionRegEx = regexp.MustCompile(`{{\s*[sS]plit\s*\((.*)\)\s*}}`)
+// Subject mapping and transform setups.
+var (
+	commaSeparatorRegEx                = regexp.MustCompile(`,\s*`)
+	partitionMappingFunctionRegEx      = regexp.MustCompile(`{{\s*[pP]artition\s*\((.*)\)\s*}}`)
+	wildcardMappingFunctionRegEx       = regexp.MustCompile(`{{\s*[wW]ildcard\s*\((.*)\)\s*}}`)
+	splitFromLeftMappingFunctionRegEx  = regexp.MustCompile(`{{\s*[sS]plit[fF]rom[lL]eft\s*\((.*)\)\s*}}`)
+	splitFromRightMappingFunctionRegEx = regexp.MustCompile(`{{\s*[sS]plit[fF]rom[rR]ight\s*\((.*)\)\s*}}`)
+	sliceFromLeftMappingFunctionRegEx  = regexp.MustCompile(`{{\s*[sS]lice[fF]rom[lL]eft\s*\((.*)\)\s*}}`)
+	sliceFromRightMappingFunctionRegEx = regexp.MustCompile(`{{\s*[sS]lice[fF]rom[rR]ight\s*\((.*)\)\s*}}`)
+	splitMappingFunctionRegEx          = regexp.MustCompile(`{{\s*[sS]plit\s*\((.*)\)\s*}}`)
+)
 
 // Enum for the subject mapping transform function types
 const (
@@ -261,8 +267,7 @@ func (a *Account) String() string {
 
 // Used to create shallow copies of accounts for transfer
 // from opts to real accounts in server struct.
-func (a *Account) shallowCopy() *Account {
-	na := NewAccount(a.Name)
+func (a *Account) shallowCopy(na *Account) {
 	na.Nkey = a.Nkey
 	na.Issuer = a.Issuer
 
@@ -302,12 +307,14 @@ func (a *Account) shallowCopy() *Account {
 			}
 		}
 	}
+	na.mappings = a.mappings
+	if len(na.mappings) > 0 && na.prand == nil {
+		na.prand = rand.New(rand.NewSource(time.Now().UnixNano()))
+	}
 	// JetStream
 	na.jsLimits = a.jsLimits
 	// Server config account limits.
 	na.limits = a.limits
-
-	return na
 }
 
 // nextEventID uses its own lock for better concurrency.
@@ -372,12 +379,14 @@ func (a *Account) updateRemoteServer(m *AccountNumConns) []*client {
 	mtlce := a.mleafs != jwt.NoLimit && (a.nleafs+a.nrleafs > a.mleafs)
 	if mtlce {
 		// Take ones from the end.
+		a.lmu.RLock()
 		leafs := a.lleafs
 		over := int(a.nleafs + a.nrleafs - a.mleafs)
 		if over < len(leafs) {
 			leafs = leafs[len(leafs)-over:]
 		}
 		clients = append(clients, leafs...)
+		a.lmu.RUnlock()
 	}
 	a.mu.Unlock()
 
@@ -607,7 +616,7 @@ func (a *Account) AddMapping(src, dest string) error {
 	return a.AddWeightedMappings(src, NewMapDest(dest, 100))
 }
 
-// AddWeightedMapping will add in a weighted mappings for the destinations.
+// AddWeightedMappings will add in a weighted mappings for the destinations.
 // TODO(dlc) - Allow cluster filtering
 func (a *Account) AddWeightedMappings(src string, dests ...*MapDest) error {
 	a.mu.Lock()
@@ -717,13 +726,15 @@ func (a *Account) AddWeightedMappings(src string, dests ...*MapDest) error {
 	a.mappings = append(a.mappings, m)
 
 	// If we have connected leafnodes make sure to update.
-	if len(a.lleafs) > 0 {
-		leafs := append([]*client(nil), a.lleafs...)
+	if a.nleafs > 0 {
 		// Need to release because lock ordering is client -> account
 		a.mu.Unlock()
-		for _, lc := range leafs {
+		// Now grab the leaf list lock. We can hold client lock under this one.
+		a.lmu.RLock()
+		for _, lc := range a.lleafs {
 			lc.forceAddToSmap(src)
 		}
+		a.lmu.RUnlock()
 		a.mu.Lock()
 	}
 	return nil
@@ -909,11 +920,17 @@ func (a *Account) addClient(c *client) int {
 			a.sysclients++
 		} else if c.kind == LEAF {
 			a.nleafs++
-			a.lleafs = append(a.lleafs, c)
 		}
 	}
 	a.mu.Unlock()
 
+	// If we added a new leaf use the list lock and add it to the list.
+	if added && c.kind == LEAF {
+		a.lmu.Lock()
+		a.lleafs = append(a.lleafs, c)
+		a.lmu.Unlock()
+	}
+
 	if c != nil && c.srv != nil && added {
 		c.srv.accConnsUpdate(a)
 	}
@@ -921,11 +938,38 @@ func (a *Account) addClient(c *client) int {
 	return n
 }
 
+// For registering clusters for remote leafnodes.
+// We only register as the hub.
+func (a *Account) registerLeafNodeCluster(cluster string) {
+	a.mu.Lock()
+	defer a.mu.Unlock()
+	if a.leafClusters == nil {
+		a.leafClusters = make(map[string]uint64)
+	}
+	a.leafClusters[cluster]++
+}
+
+// Check to see if this cluster is isolated, meaning the only one.
+// Read Lock should be held.
+func (a *Account) isLeafNodeClusterIsolated(cluster string) bool {
+	if cluster == _EMPTY_ {
+		return false
+	}
+	if len(a.leafClusters) > 1 {
+		return false
+	}
+	return a.leafClusters[cluster] == uint64(a.nleafs)
+}
+
 // Helper function to remove leaf nodes. If number of leafnodes gets large
 // this may need to be optimized out of linear search but believe number
 // of active leafnodes per account scope to be small and therefore cache friendly.
-// Lock should be held on account.
+// Lock should not be held on general account lock.
 func (a *Account) removeLeafNode(c *client) {
+	// Make sure we hold the list lock as well.
+	a.lmu.Lock()
+	defer a.lmu.Unlock()
+
 	ll := len(a.lleafs)
 	for i, l := range a.lleafs {
 		if l == c {
@@ -951,11 +995,24 @@ func (a *Account) removeClient(c *client) int {
 			a.sysclients--
 		} else if c.kind == LEAF {
 			a.nleafs--
-			a.removeLeafNode(c)
+			// Need to do cluster accounting here.
+			// Do cluster accounting if we are a hub.
+			if c.isHubLeafNode() {
+				cluster := c.remoteCluster()
+				if count := a.leafClusters[cluster]; count > 1 {
+					a.leafClusters[cluster]--
+				} else if count == 1 {
+					delete(a.leafClusters, cluster)
+				}
+			}
 		}
 	}
 	a.mu.Unlock()
 
+	if removed && c.kind == LEAF {
+		a.removeLeafNode(c)
+	}
+
 	if c != nil && c.srv != nil && removed {
 		c.srv.mu.Lock()
 		doRemove := a != c.srv.gacc
@@ -1342,7 +1399,7 @@ func (a *Account) sendBackendErrorTrackingLatency(si *serviceImport, reason rsiR
 	a.sendLatencyResult(si, sl)
 }
 
-// sendTrackingMessage will send out the appropriate tracking information for the
+// sendTrackingLatency will send out the appropriate tracking information for the
 // service request/response latency. This is called when the requestor's server has
 // received the response.
 // TODO(dlc) - holding locks for RTTs may be too much long term. Should revisit.
@@ -1372,7 +1429,7 @@ func (a *Account) sendTrackingLatency(si *serviceImport, responder *client) bool
 	}
 	sl.RequestStart = time.Unix(0, si.ts-int64(reqRTT)).UTC()
 	sl.ServiceLatency = serviceRTT - respRTT
-	sl.TotalLatency = sl.Requestor.RTT + serviceRTT
+	sl.TotalLatency = reqRTT + serviceRTT
 	if respRTT > 0 {
 		sl.SystemLatency = time.Since(ts)
 		sl.TotalLatency += sl.SystemLatency
@@ -1602,7 +1659,7 @@ func (a *Account) NumPendingAllResponses() int {
 	return a.NumPendingResponses(_EMPTY_)
 }
 
-// NumResponsesPending returns the number of responses outstanding for service exports
+// NumPendingResponses returns the number of responses outstanding for service exports
 // on this account. An empty filter string returns all responses regardless of which export.
 // If you specify the filter we will only return ones that are for that export.
 // NOTE this is only for what this server is tracking.
@@ -1988,7 +2045,7 @@ func (a *Account) addServiceImportSub(si *serviceImport) error {
 	// This is similar to what initLeafNodeSmapAndSendSubs does
 	// TODO we need to consider performing this update as we get client subscriptions.
 	//      This behavior would result in subscription propagation only where actually used.
-	a.srv.updateLeafNodes(a, sub, 1)
+	a.updateLeafNodes(sub, 1)
 	return nil
 }
 
@@ -2017,7 +2074,14 @@ func (a *Account) removeAllServiceImportSubs() {
 
 // Add in subscriptions for all registered service imports.
 func (a *Account) addAllServiceImportSubs() {
+	var sis [32]*serviceImport
+	serviceImports := sis[:0]
+	a.mu.RLock()
 	for _, si := range a.imports.services {
+		serviceImports = append(serviceImports, si)
+	}
+	a.mu.RUnlock()
+	for _, si := range serviceImports {
 		a.addServiceImportSub(si)
 	}
 }
@@ -2237,7 +2301,7 @@ func (si *serviceImport) isRespServiceImport() bool {
 	return si != nil && si.response
 }
 
-// Sets the response theshold timer for a service export.
+// Sets the response threshold timer for a service export.
 // Account lock should be held
 func (se *serviceExport) setResponseThresholdTimer() {
 	if se.rtmr != nil {
@@ -2794,7 +2858,12 @@ func (a *Account) checkStreamImportsEqual(b *Account) bool {
 	return true
 }
 
+// Returns true if `a` and `b` stream exports are the same.
+// Acquires `a` read lock, but `b` is assumed to not be accessed
+// by anyone but the caller (`b` is not registered anywhere).
 func (a *Account) checkStreamExportsEqual(b *Account) bool {
+	a.mu.RLock()
+	defer a.mu.RUnlock()
 	if len(a.exports.streams) != len(b.exports.streams) {
 		return false
 	}
@@ -2803,14 +2872,29 @@ func (a *Account) checkStreamExportsEqual(b *Account) bool {
 		if !ok {
 			return false
 		}
-		if !reflect.DeepEqual(aea, bea) {
+		if !isStreamExportEqual(aea, bea) {
 			return false
 		}
 	}
 	return true
 }
 
+func isStreamExportEqual(a, b *streamExport) bool {
+	if a == nil && b == nil {
+		return true
+	}
+	if (a == nil && b != nil) || (a != nil && b == nil) {
+		return false
+	}
+	return isExportAuthEqual(&a.exportAuth, &b.exportAuth)
+}
+
+// Returns true if `a` and `b` service exports are the same.
+// Acquires `a` read lock, but `b` is assumed to not be accessed
+// by anyone but the caller (`b` is not registered anywhere).
 func (a *Account) checkServiceExportsEqual(b *Account) bool {
+	a.mu.RLock()
+	defer a.mu.RUnlock()
 	if len(a.exports.services) != len(b.exports.services) {
 		return false
 	}
@@ -2819,7 +2903,66 @@ func (a *Account) checkServiceExportsEqual(b *Account) bool {
 		if !ok {
 			return false
 		}
-		if !reflect.DeepEqual(aea, bea) {
+		if !isServiceExportEqual(aea, bea) {
+			return false
+		}
+	}
+	return true
+}
+
+func isServiceExportEqual(a, b *serviceExport) bool {
+	if a == nil && b == nil {
+		return true
+	}
+	if (a == nil && b != nil) || (a != nil && b == nil) {
+		return false
+	}
+	if !isExportAuthEqual(&a.exportAuth, &b.exportAuth) {
+		return false
+	}
+	if a.acc.Name != b.acc.Name {
+		return false
+	}
+	if a.respType != b.respType {
+		return false
+	}
+	if a.latency != nil || b.latency != nil {
+		if (a.latency != nil && b.latency == nil) || (a.latency == nil && b.latency != nil) {
+			return false
+		}
+		if a.latency.sampling != b.latency.sampling {
+			return false
+		}
+		if a.latency.subject != b.latency.subject {
+			return false
+		}
+	}
+	return true
+}
+
+// Returns true if `a` and `b` exportAuth structures are equal.
+// Both `a` and `b` are guaranteed to be non-nil.
+// Locking is handled by the caller.
+func isExportAuthEqual(a, b *exportAuth) bool {
+	if a.tokenReq != b.tokenReq {
+		return false
+	}
+	if a.accountPos != b.accountPos {
+		return false
+	}
+	if len(a.approved) != len(b.approved) {
+		return false
+	}
+	for ak, av := range a.approved {
+		if bv, ok := b.approved[ak]; !ok || av.Name != bv.Name {
+			return false
+		}
+	}
+	if len(a.actsRevoked) != len(b.actsRevoked) {
+		return false
+	}
+	for ak, av := range a.actsRevoked {
+		if bv, ok := b.actsRevoked[ak]; !ok || av != bv {
 			return false
 		}
 	}
@@ -2969,7 +3112,7 @@ func (a *Account) isClaimAccount() bool {
 	return a.claimJWT != _EMPTY_
 }
 
-// updateAccountClaims will update an existing account with new claims.
+// UpdateAccountClaims will update an existing account with new claims.
 // This will replace any exports or imports previously defined.
 // Lock MUST NOT be held upon entry.
 func (s *Server) UpdateAccountClaims(a *Account, ac *jwt.AccountClaims) {
@@ -3360,7 +3503,7 @@ func (s *Server) updateAccountClaimsWithRefresh(a *Account, ac *jwt.AccountClaim
 		a.jsLimits = nil
 	}
 
-	a.updated = time.Now().UTC()
+	a.updated = time.Now()
 	clients := a.getClientsLocked()
 	a.mu.Unlock()
 
@@ -3641,10 +3784,11 @@ func (ur *URLAccResolver) Fetch(name string) (string, error) {
 		return _EMPTY_, fmt.Errorf("could not fetch <%q>: %v", redactURLString(url), err)
 	} else if resp == nil {
 		return _EMPTY_, fmt.Errorf("could not fetch <%q>: no response", redactURLString(url))
-	} else if resp.StatusCode != http.StatusOK {
-		return _EMPTY_, fmt.Errorf("could not fetch <%q>: %v", redactURLString(url), resp.Status)
 	}
 	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return _EMPTY_, fmt.Errorf("could not fetch <%q>: %v", redactURLString(url), resp.Status)
+	}
 	body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return _EMPTY_, err
@@ -3819,7 +3963,7 @@ func removeCb(s *Server, pubKey string) {
 	a.mpay = 0
 	a.mconns = 0
 	a.mleafs = 0
-	a.updated = time.Now().UTC()
+	a.updated = time.Now()
 	jsa := a.js
 	a.mu.Unlock()
 	// set the account to be expired and disconnect clients
@@ -3851,17 +3995,19 @@ func (dr *DirAccResolver) Start(s *Server) error {
 	dr.DirJWTStore.changed = func(pubKey string) {
 		if v, ok := s.accounts.Load(pubKey); ok {
 			if theJwt, err := dr.LoadAcc(pubKey); err != nil {
-				s.Errorf("update got error on load: %v", err)
+				s.Errorf("DirResolver - Update got error on load: %v", err)
 			} else {
 				acc := v.(*Account)
 				if err = s.updateAccountWithClaimJWT(acc, theJwt); err != nil {
-					s.Errorf("update resulted in error %v", err)
+					s.Errorf("DirResolver - Update for account %q resulted in error %v", pubKey, err)
 				} else {
 					if _, jsa, err := acc.checkForJetStream(); err != nil {
-						s.Warnf("error checking for JetStream enabled error %v", err)
+						if !IsNatsErr(err, JSNotEnabledForAccountErr) {
+							s.Warnf("DirResolver - Error checking for JetStream support for account %q: %v", pubKey, err)
+						}
 					} else if jsa == nil {
 						if err = s.configJetStream(acc); err != nil {
-							s.Errorf("updated resulted in error when configuring JetStream %v", err)
+							s.Errorf("DirResolver - Error configuring JetStream for account %q: %v", pubKey, err)
 						}
 					}
 				}
@@ -3882,7 +4028,7 @@ func (dr *DirAccResolver) Start(s *Server) error {
 			} else if len(tk) == accUpdateTokensOld {
 				pubKey = tk[accUpdateAccIdxOld]
 			} else {
-				s.Debugf("jwt update skipped due to bad subject %q", subj)
+				s.Debugf("DirResolver - jwt update skipped due to bad subject %q", subj)
 				return
 			}
 			if claim, err := jwt.DecodeAccountClaims(string(msg)); err != nil {
@@ -3932,8 +4078,15 @@ func (dr *DirAccResolver) Start(s *Server) error {
 		if len(tk) != accLookupReqTokens {
 			return
 		}
-		if theJWT, err := dr.DirJWTStore.LoadAcc(tk[accReqAccIndex]); err != nil {
-			s.Errorf("Merging resulted in error: %v", err)
+		accName := tk[accReqAccIndex]
+		if theJWT, err := dr.DirJWTStore.LoadAcc(accName); err != nil {
+			if errors.Is(err, fs.ErrNotExist) {
+				s.Debugf("DirResolver - Could not find account %q", accName)
+				// Reply with empty response to signal absence of JWT to others.
+				s.sendInternalMsgLocked(reply, _EMPTY_, nil, nil)
+			} else {
+				s.Errorf("DirResolver - Error looking up account %q: %v", accName, err)
+			}
 		} else {
 			s.sendInternalMsgLocked(reply, _EMPTY_, nil, []byte(theJWT))
 		}
@@ -3941,7 +4094,7 @@ func (dr *DirAccResolver) Start(s *Server) error {
 		return fmt.Errorf("error setting up lookup request handling: %v", err)
 	}
 	// respond to pack requests with one or more pack messages
-	// an empty message signifies the end of the response responder
+	// an empty message signifies the end of the response responder.
 	if _, err := s.sysSubscribeQ(accPackReqSubj, "responder", func(_ *subscription, _ *client, _ *Account, _, reply string, theirHash []byte) {
 		if reply == _EMPTY_ {
 			return
@@ -3949,14 +4102,14 @@ func (dr *DirAccResolver) Start(s *Server) error {
 		ourHash := dr.DirJWTStore.Hash()
 		if bytes.Equal(theirHash, ourHash[:]) {
 			s.sendInternalMsgLocked(reply, _EMPTY_, nil, []byte{})
-			s.Debugf("pack request matches hash %x", ourHash[:])
+			s.Debugf("DirResolver - Pack request matches hash %x", ourHash[:])
 		} else if err := dr.DirJWTStore.PackWalk(1, func(partialPackMsg string) {
 			s.sendInternalMsgLocked(reply, _EMPTY_, nil, []byte(partialPackMsg))
 		}); err != nil {
 			// let them timeout
-			s.Errorf("pack request error: %v", err)
+			s.Errorf("DirResolver - Pack request error: %v", err)
 		} else {
-			s.Debugf("pack request hash %x - finished responding with hash %x", theirHash, ourHash)
+			s.Debugf("DirResolver - Pack request hash %x - finished responding with hash %x", theirHash, ourHash)
 			s.sendInternalMsgLocked(reply, _EMPTY_, nil, []byte{})
 		}
 	}); err != nil {
@@ -3977,12 +4130,12 @@ func (dr *DirAccResolver) Start(s *Server) error {
 	if _, err := s.sysSubscribe(packRespIb, func(_ *subscription, _ *client, _ *Account, _, _ string, msg []byte) {
 		hash := dr.DirJWTStore.Hash()
 		if len(msg) == 0 { // end of response stream
-			s.Debugf("Merging Finished and resulting in: %x", dr.DirJWTStore.Hash())
+			s.Debugf("DirResolver - Merging finished and resulting in: %x", dr.DirJWTStore.Hash())
 			return
 		} else if err := dr.DirJWTStore.Merge(string(msg)); err != nil {
-			s.Errorf("Merging resulted in error: %v", err)
+			s.Errorf("DirResolver - Merging resulted in error: %v", err)
 		} else {
-			s.Debugf("Merging succeeded and changed %x to %x", hash, dr.DirJWTStore.Hash())
+			s.Debugf("DirResolver - Merging succeeded and changed %x to %x", hash, dr.DirJWTStore.Hash())
 		}
 	}); err != nil {
 		return fmt.Errorf("error setting up pack response handling: %v", err)
@@ -4000,7 +4153,7 @@ func (dr *DirAccResolver) Start(s *Server) error {
 			case <-ticker.C:
 			}
 			ourHash := dr.DirJWTStore.Hash()
-			s.Debugf("Checking store state: %x", ourHash)
+			s.Debugf("DirResolver - Checking store state: %x", ourHash)
 			s.sendInternalMsgLocked(accPackReqSubj, packRespIb, nil, ourHash[:])
 		}
 	})
@@ -4049,18 +4202,14 @@ func (dr *DirAccResolver) apply(opts ...DirResOption) error {
 	return nil
 }
 
-func NewDirAccResolver(path string, limit int64, syncInterval time.Duration, delete bool, opts ...DirResOption) (*DirAccResolver, error) {
+func NewDirAccResolver(path string, limit int64, syncInterval time.Duration, delete deleteType, opts ...DirResOption) (*DirAccResolver, error) {
 	if limit == 0 {
 		limit = math.MaxInt64
 	}
 	if syncInterval <= 0 {
 		syncInterval = time.Minute
 	}
-	deleteType := NoDelete
-	if delete {
-		deleteType = RenameDeleted
-	}
-	store, err := NewExpiringDirJWTStore(path, false, true, deleteType, 0, limit, false, 0, nil)
+	store, err := NewExpiringDirJWTStore(path, false, true, delete, 0, limit, false, 0, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -4089,20 +4238,35 @@ func (s *Server) fetch(res AccountResolver, name string, timeout time.Duration)
 		s.mu.Unlock()
 		return _EMPTY_, fmt.Errorf("eventing shut down")
 	}
+	// Resolver will wait for detected active servers to reply
+	// before serving an error in case there weren't any found.
+	expectedServers := len(s.sys.servers)
 	replySubj := s.newRespInbox()
 	replies := s.sys.replies
+
 	// Store our handler.
 	replies[replySubj] = func(sub *subscription, _ *client, _ *Account, subject, _ string, msg []byte) {
-		clone := make([]byte, len(msg))
-		copy(clone, msg)
+		var clone []byte
+		isEmpty := len(msg) == 0
+		if !isEmpty {
+			clone = make([]byte, len(msg))
+			copy(clone, msg)
+		}
 		s.mu.Lock()
+		defer s.mu.Unlock()
+		expectedServers--
+		// Skip empty responses until getting all the available servers.
+		if isEmpty && expectedServers > 0 {
+			return
+		}
+		// Use the first valid response if there is still interest or
+		// one of the empty responses to signal that it was not found.
 		if _, ok := replies[replySubj]; ok {
 			select {
-			case respC <- clone: // only use first response and only if there is still interest
+			case respC <- clone:
 			default:
 			}
 		}
-		s.mu.Unlock()
 	}
 	s.sendInternalMsg(accountLookupRequest, replySubj, nil, []byte{})
 	quit := s.quitCh
@@ -4115,7 +4279,9 @@ func (s *Server) fetch(res AccountResolver, name string, timeout time.Duration)
 	case <-time.After(timeout):
 		err = errors.New("fetching jwt timed out")
 	case m := <-respC:
-		if err = res.Store(name, string(m)); err == nil {
+		if len(m) == 0 {
+			err = errors.New("account jwt not found")
+		} else if err = res.Store(name, string(m)); err == nil {
 			theJWT = string(m)
 		}
 	}
@@ -4153,9 +4319,9 @@ func (dr *CacheDirAccResolver) Start(s *Server) error {
 	dr.DirJWTStore.changed = func(pubKey string) {
 		if v, ok := s.accounts.Load(pubKey); !ok {
 		} else if theJwt, err := dr.LoadAcc(pubKey); err != nil {
-			s.Errorf("update got error on load: %v", err)
+			s.Errorf("DirResolver - Update got error on load: %v", err)
 		} else if err := s.updateAccountWithClaimJWT(v.(*Account), theJwt); err != nil {
-			s.Errorf("update resulted in error %v", err)
+			s.Errorf("DirResolver - Update resulted in error %v", err)
 		}
 	}
 	dr.DirJWTStore.deleted = func(pubKey string) {
@@ -4171,7 +4337,7 @@ func (dr *CacheDirAccResolver) Start(s *Server) error {
 			} else if len(tk) == accUpdateTokensOld {
 				pubKey = tk[accUpdateAccIdxOld]
 			} else {
-				s.Debugf("jwt update cache skipped due to bad subject %q", subj)
+				s.Debugf("DirResolver - jwt update cache skipped due to bad subject %q", subj)
 				return
 			}
 			if claim, err := jwt.DecodeAccountClaims(string(msg)); err != nil {
diff --git a/server/accounts_test.go b/server/accounts_test.go
index 623ba9c07..e54f8903a 100644
--- a/server/accounts_test.go
+++ b/server/accounts_test.go
@@ -1,4 +1,4 @@
-// Copyright 2018-2022 The NATS Authors
+// Copyright 2018-2023 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -269,7 +269,7 @@ func TestAccountIsolationExportImport(t *testing.T) {
 			// Setup NATS server.
 			s := opTrustBasicSetup()
 			defer s.Shutdown()
-			go s.Start()
+			s.Start()
 			if err := s.readyForConnections(5 * time.Second); err != nil {
 				t.Fatal(err)
 			}
@@ -1733,7 +1733,7 @@ func TestAccountRequestReplyTrackLatency(t *testing.T) {
 	defer s.Shutdown()
 
 	// Run server in Go routine. We need this one running for internal sending of msgs.
-	go s.Start()
+	s.Start()
 	// Wait for accept loop(s) to be started
 	if err := s.readyForConnections(10 * time.Second); err != nil {
 		t.Fatal(err)
@@ -2099,12 +2099,17 @@ func TestCrossAccountServiceResponseTypes(t *testing.T) {
 
 	cfoo.parseAsync(string(mReply))
 
-	var b [256]byte
-	n, err := crBar.Read(b[:])
-	if err != nil {
-		t.Fatalf("Error reading response: %v", err)
+	var buf []byte
+	for i := 0; i < 20; i++ {
+		b, err := crBar.ReadBytes('\n')
+		if err != nil {
+			t.Fatalf("Error reading response: %v", err)
+		}
+		buf = append(buf[:], b...)
+		if mraw = msgPat.FindAllStringSubmatch(string(buf), -1); len(mraw) == 10 {
+			break
+		}
 	}
-	mraw = msgPat.FindAllStringSubmatch(string(b[:n]), -1)
 	if len(mraw) != 10 {
 		t.Fatalf("Expected a response but got %d", len(mraw))
 	}
@@ -3678,3 +3683,75 @@ func TestAccountImportDuplicateResponseDeliveryWithLeafnodes(t *testing.T) {
 		t.Fatalf("Expected only 1 response, got %d", n)
 	}
 }
+
+func TestAccountReloadServiceImportPanic(t *testing.T) {
+	conf := createConfFile(t, []byte(`
+		listen: 127.0.0.1:-1
+		accounts {
+			A {
+				users = [ { user: "a", pass: "p" } ]
+				exports [ { service: "HELP" } ]
+			}
+			B {
+				users = [ { user: "b", pass: "p" } ]
+				imports [ { service: { account: A, subject: "HELP"} } ]
+			}
+			$SYS { users = [ { user: "admin", pass: "s3cr3t!" } ] }
+		}
+	`))
+
+	s, _ := RunServerWithConfig(conf)
+	defer s.Shutdown()
+
+	// Now connect up the subscriber for HELP. No-op for this test.
+	nc, _ := jsClientConnect(t, s, nats.UserInfo("a", "p"))
+	_, err := nc.Subscribe("HELP", func(m *nats.Msg) { m.Respond([]byte("OK")) })
+	require_NoError(t, err)
+	defer nc.Close()
+
+	// Now create connection to account b where we will publish to HELP.
+	nc, _ = jsClientConnect(t, s, nats.UserInfo("b", "p"))
+	require_NoError(t, err)
+	defer nc.Close()
+
+	// We want to continually be publishing messages that will trigger the service import while calling reload.
+	done := make(chan bool)
+	var wg sync.WaitGroup
+	wg.Add(1)
+
+	var requests, responses atomic.Uint64
+	reply := nats.NewInbox()
+	_, err = nc.Subscribe(reply, func(m *nats.Msg) { responses.Add(1) })
+	require_NoError(t, err)
+
+	go func() {
+		defer wg.Done()
+		for {
+			select {
+			case <-done:
+				return
+			default:
+				nc.PublishRequest("HELP", reply, []byte("HELP"))
+				requests.Add(1)
+			}
+		}
+	}()
+
+	// Perform a bunch of reloads.
+	for i := 0; i < 1000; i++ {
+		err := s.Reload()
+		require_NoError(t, err)
+	}
+
+	close(done)
+	wg.Wait()
+
+	totalRequests := requests.Load()
+	checkFor(t, 10*time.Second, 250*time.Millisecond, func() error {
+		resp := responses.Load()
+		if resp == totalRequests {
+			return nil
+		}
+		return fmt.Errorf("Have not received all responses, want %d got %d", totalRequests, resp)
+	})
+}
diff --git a/server/auth.go b/server/auth.go
index 8f755863e..fb9eeb0c0 100644
--- a/server/auth.go
+++ b/server/auth.go
@@ -171,13 +171,14 @@ func (p *Permissions) clone() *Permissions {
 // Lock is assumed held.
 func (s *Server) checkAuthforWarnings() {
 	warn := false
-	if s.opts.Password != _EMPTY_ && !isBcrypt(s.opts.Password) {
+	opts := s.getOpts()
+	if opts.Password != _EMPTY_ && !isBcrypt(opts.Password) {
 		warn = true
 	}
 	for _, u := range s.users {
 		// Skip warn if using TLS certs based auth
 		// unless a password has been left in the config.
-		if u.Password == _EMPTY_ && s.opts.TLSMap {
+		if u.Password == _EMPTY_ && opts.TLSMap {
 			continue
 		}
 		// Check if this is our internal sys client created on the fly.
@@ -937,6 +938,8 @@ func (s *Server) processClientOrLeafAuthentication(c *client, opts *Options) boo
 
 	if c.kind == CLIENT {
 		if token != _EMPTY_ {
+
+			// ** added by Memphis
 			if !strings.Contains(c.opts.Name, connectItemSep) {
 				// if the Name field does not contain '::' this is native NATS SDK
 				tokenSplit := strings.Split(c.opts.Token, connectItemSep)
@@ -945,6 +948,8 @@ func (s *Server) processClientOrLeafAuthentication(c *client, opts *Options) boo
 				}
 				return comparePasswords(token, tokenSplit[1])
 			}
+			// ** added by Memphis
+
 			return comparePasswords(token, c.opts.Token)
 		} else if username != _EMPTY_ {
 			if username != c.opts.Username {
diff --git a/server/auth_test.go b/server/auth_test.go
index c4045fa58..dcd876492 100644
--- a/server/auth_test.go
+++ b/server/auth_test.go
@@ -10,6 +10,7 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+
 package server
 
 import (
diff --git a/server/certidp/certidp.go b/server/certidp/certidp.go
new file mode 100644
index 000000000..f7b660dff
--- /dev/null
+++ b/server/certidp/certidp.go
@@ -0,0 +1,297 @@
+// Copyright 2023 The NATS Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package certidp
+
+import (
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"net/url"
+	"strings"
+	"time"
+
+	"golang.org/x/crypto/ocsp"
+)
+
+const (
+	DefaultAllowedClockSkew     = 30 * time.Second
+	DefaultOCSPResponderTimeout = 2 * time.Second
+	DefaultTTLUnsetNextUpdate   = 1 * time.Hour
+)
+
+type StatusAssertion int
+
+var (
+	StatusAssertionStrToVal = map[string]StatusAssertion{
+		"good":    ocsp.Good,
+		"revoked": ocsp.Revoked,
+		"unknown": ocsp.Unknown,
+	}
+	StatusAssertionValToStr = map[StatusAssertion]string{
+		ocsp.Good:    "good",
+		ocsp.Revoked: "revoked",
+		ocsp.Unknown: "unknown",
+	}
+	StatusAssertionIntToVal = map[int]StatusAssertion{
+		0: ocsp.Good,
+		1: ocsp.Revoked,
+		2: ocsp.Unknown,
+	}
+)
+
+func GetStatusAssertionStr(sa int) string {
+	return StatusAssertionValToStr[StatusAssertionIntToVal[sa]]
+}
+
+func (sa StatusAssertion) MarshalJSON() ([]byte, error) {
+	str, ok := StatusAssertionValToStr[sa]
+	if !ok {
+		// set unknown as fallback
+		str = StatusAssertionValToStr[ocsp.Unknown]
+	}
+	return json.Marshal(str)
+}
+
+func (sa *StatusAssertion) UnmarshalJSON(in []byte) error {
+	v, ok := StatusAssertionStrToVal[strings.ReplaceAll(string(in), "\"", "")]
+	if !ok {
+		// set unknown as fallback
+		v = StatusAssertionStrToVal["unknown"]
+	}
+	*sa = v
+	return nil
+}
+
+type ChainLink struct {
+	Leaf             *x509.Certificate
+	Issuer           *x509.Certificate
+	OCSPWebEndpoints *[]*url.URL
+}
+
+// OCSPPeerConfig holds the parsed OCSP peer configuration section of TLS configuration
+type OCSPPeerConfig struct {
+	Verify                 bool
+	Timeout                float64
+	ClockSkew              float64
+	WarnOnly               bool
+	UnknownIsGood          bool
+	AllowWhenCAUnreachable bool
+	TTLUnsetNextUpdate     float64
+}
+
+func NewOCSPPeerConfig() *OCSPPeerConfig {
+	return &OCSPPeerConfig{
+		Verify:                 false,
+		Timeout:                DefaultOCSPResponderTimeout.Seconds(),
+		ClockSkew:              DefaultAllowedClockSkew.Seconds(),
+		WarnOnly:               false,
+		UnknownIsGood:          false,
+		AllowWhenCAUnreachable: false,
+		TTLUnsetNextUpdate:     DefaultTTLUnsetNextUpdate.Seconds(),
+	}
+}
+
+// Log is a neutral method of passing server loggers to plugins
+type Log struct {
+	Debugf  func(format string, v ...interface{})
+	Noticef func(format string, v ...interface{})
+	Warnf   func(format string, v ...interface{})
+	Errorf  func(format string, v ...interface{})
+	Tracef  func(format string, v ...interface{})
+}
+
+type CertInfo struct {
+	Subject     string `json:"subject,omitempty"`
+	Issuer      string `json:"issuer,omitempty"`
+	Fingerprint string `json:"fingerprint,omitempty"`
+	Raw         []byte `json:"raw,omitempty"`
+}
+
+var OCSPPeerUsage = `
+For client, leaf spoke (remotes), and leaf hub connections, you may enable OCSP peer validation:
+
+    tls {
+        ...
+        # mTLS must be enabled (with exception of Leaf remotes)
+        verify: true
+        ...
+        # short form enables peer verify and takes option defaults
+        ocsp_peer: true
+        
+        # long form includes settable options
+        ocsp_peer {
+           # Enable OCSP peer validation (default false)
+           verify: true
+
+           # OCSP responder timeout in seconds (may be fractional, default 2 seconds)
+           ca_timeout: 2
+
+           # Allowed skew between server and OCSP responder time in seconds (may be fractional, default 30 seconds)
+           allowed_clockskew: 30
+
+           # Warn-only and never reject connections (default false)
+           warn_only: false
+
+           # Treat response Unknown status as valid certificate (default false)
+           unknown_is_good: false
+
+           # Warn-only if no CA response can be obtained and no cached revocation exists (default false)
+           allow_when_ca_unreachable: false
+
+           # If response NextUpdate unset by CA, set a default cache TTL in seconds from ThisUpdate (default 1 hour)
+           cache_ttl_when_next_update_unset: 3600
+        }
+        ...
+    }
+
+Note: OCSP validation for route and gateway connections is enabled using the 'ocsp' configuration option.
+`
+
+// GenerateFingerprint returns a base64-encoded SHA256 hash of the raw certificate
+func GenerateFingerprint(cert *x509.Certificate) string {
+	data := sha256.Sum256(cert.Raw)
+	return base64.StdEncoding.EncodeToString(data[:])
+}
+
+func getWebEndpoints(uris []string) []*url.URL {
+	var urls []*url.URL
+	for _, uri := range uris {
+		endpoint, err := url.ParseRequestURI(uri)
+		if err != nil {
+			// skip invalid URLs
+			continue
+		}
+		if endpoint.Scheme != "http" && endpoint.Scheme != "https" {
+			// skip non-web URLs
+			continue
+		}
+		urls = append(urls, endpoint)
+	}
+	return urls
+}
+
+// GetSubjectDNForm returns RDN sequence concatenation of the certificate's subject to be
+// used in logs, events, etc. Should never be used for reliable cache matching or other crypto purposes.
+func GetSubjectDNForm(cert *x509.Certificate) string {
+	if cert == nil {
+		return ""
+	}
+	return strings.TrimSuffix(fmt.Sprintf("%s+", cert.Subject.ToRDNSequence()), "+")
+}
+
+// GetIssuerDNForm returns RDN sequence concatenation of the certificate's issuer to be
+// used in logs, events, etc. Should never be used for reliable cache matching or other crypto purposes.
+func GetIssuerDNForm(cert *x509.Certificate) string {
+	if cert == nil {
+		return ""
+	}
+	return strings.TrimSuffix(fmt.Sprintf("%s+", cert.Issuer.ToRDNSequence()), "+")
+}
+
+// CertOCSPEligible checks if the certificate's issuer has populated AIA with OCSP responder endpoint(s)
+// and is thus eligible for OCSP validation
+func CertOCSPEligible(link *ChainLink) bool {
+	if link == nil || link.Leaf.Raw == nil || len(link.Leaf.Raw) == 0 {
+		return false
+	}
+	if link.Leaf.OCSPServer == nil || len(link.Leaf.OCSPServer) == 0 {
+		return false
+	}
+	urls := getWebEndpoints(link.Leaf.OCSPServer)
+	if len(urls) == 0 {
+		return false
+	}
+	link.OCSPWebEndpoints = &urls
+	return true
+}
+
+// GetLeafIssuerCert returns the issuer certificate of the leaf (positional) certificate in the chain
+func GetLeafIssuerCert(chain []*x509.Certificate, leafPos int) *x509.Certificate {
+	if len(chain) == 0 || leafPos < 0 {
+		return nil
+	}
+	// self-signed certificate or too-big leafPos
+	if leafPos >= len(chain)-1 {
+		return nil
+	}
+	// returns pointer to issuer cert or nil
+	return (chain)[leafPos+1]
+}
+
+// OCSPResponseCurrent checks if the OCSP response is current (i.e. not expired and not future effective)
+func OCSPResponseCurrent(ocspr *ocsp.Response, opts *OCSPPeerConfig, log *Log) bool {
+	skew := time.Duration(opts.ClockSkew * float64(time.Second))
+	if skew < 0*time.Second {
+		skew = DefaultAllowedClockSkew
+	}
+	now := time.Now().UTC()
+	// Typical effectivity check based on CA response ThisUpdate and NextUpdate semantics
+	if !ocspr.NextUpdate.IsZero() && ocspr.NextUpdate.Before(now.Add(-1*skew)) {
+		t := ocspr.NextUpdate.Format(time.RFC3339Nano)
+		nt := now.Format(time.RFC3339Nano)
+		log.Debugf(DbgResponseExpired, t, nt, skew)
+		return false
+	}
+	// CA responder can assert NextUpdate unset, in which case use config option to set a default cache TTL
+	if ocspr.NextUpdate.IsZero() {
+		ttl := time.Duration(opts.TTLUnsetNextUpdate * float64(time.Second))
+		if ttl < 0*time.Second {
+			ttl = DefaultTTLUnsetNextUpdate
+		}
+		expiryTime := ocspr.ThisUpdate.Add(ttl)
+		if expiryTime.Before(now.Add(-1 * skew)) {
+			t := expiryTime.Format(time.RFC3339Nano)
+			nt := now.Format(time.RFC3339Nano)
+			log.Debugf(DbgResponseTTLExpired, t, nt, skew)
+			return false
+		}
+	}
+	if ocspr.ThisUpdate.After(now.Add(skew)) {
+		t := ocspr.ThisUpdate.Format(time.RFC3339Nano)
+		nt := now.Format(time.RFC3339Nano)
+		log.Debugf(DbgResponseFutureDated, t, nt, skew)
+		return false
+	}
+	return true
+}
+
+// ValidDelegationCheck checks if the CA OCSP Response was signed by a valid CA Issuer delegate as per (RFC 6960, section 4.2.2.2)
+// If a valid delegate or direct-signed by CA Issuer, true returned.
+func ValidDelegationCheck(iss *x509.Certificate, ocspr *ocsp.Response) bool {
+	// This call assumes prior successful parse and signature validation of the OCSP response
+	// The Go OCSP library (as of x/crypto/ocsp v0.9) will detect and perform a 1-level delegate signature check but does not
+	// implement the additional criteria for delegation specified in RFC 6960, section 4.2.2.2.
+	if iss == nil || ocspr == nil {
+		return false
+	}
+	// not a delegation, no-op
+	if ocspr.Certificate == nil {
+		return true
+	}
+	// delegate is self-same with CA Issuer, not a delegation although response issued in that form
+	if ocspr.Certificate.Equal(iss) {
+		return true
+	}
+	// we need to verify CA Issuer stamped id-kp-OCSPSigning on delegate
+	delegatedSigner := false
+	for _, keyUseExt := range ocspr.Certificate.ExtKeyUsage {
+		if keyUseExt == x509.ExtKeyUsageOCSPSigning {
+			delegatedSigner = true
+			break
+		}
+	}
+	return delegatedSigner
+}
diff --git a/server/certidp/messages.go b/server/certidp/messages.go
new file mode 100644
index 000000000..52a799ac8
--- /dev/null
+++ b/server/certidp/messages.go
@@ -0,0 +1,106 @@
+// Copyright 2023 The NATS Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package certidp
+
+var (
+	// Returned errors
+	ErrIllegalPeerOptsConfig              = "expected map to define OCSP peer options, got [%T]"
+	ErrIllegalCacheOptsConfig             = "expected map to define OCSP peer cache options, got [%T]"
+	ErrParsingPeerOptFieldGeneric         = "error parsing tls peer config, unknown field [%q]"
+	ErrParsingPeerOptFieldTypeConversion  = "error parsing tls peer config, conversion error: %s"
+	ErrParsingCacheOptFieldTypeConversion = "error parsing OCSP peer cache config, conversion error: %s"
+	ErrUnableToPlugTLSEmptyConfig         = "unable to plug TLS verify connection, config is nil"
+	ErrMTLSRequired                       = "OCSP peer verification for client connections requires TLS verify (mTLS) to be enabled"
+	ErrUnableToPlugTLSClient              = "unable to register client OCSP verification"
+	ErrUnableToPlugTLSServer              = "unable to register server OCSP verification"
+	ErrCannotWriteCompressed              = "error writing to compression writer: %w"
+	ErrCannotReadCompressed               = "error reading compression reader: %w"
+	ErrTruncatedWrite                     = "short write on body (%d != %d)"
+	ErrCannotCloseWriter                  = "error closing compression writer: %w"
+	ErrParsingCacheOptFieldGeneric        = "error parsing OCSP peer cache config, unknown field [%q]"
+	ErrUnknownCacheType                   = "error parsing OCSP peer cache config, unknown type [%s]"
+	ErrInvalidChainlink                   = "invalid chain link"
+	ErrBadResponderHTTPStatus             = "bad OCSP responder http status: [%d]"
+	ErrNoAvailOCSPServers                 = "no available OCSP servers"
+	ErrFailedWithAllRequests              = "exhausted OCSP responders: %w"
+
+	// Direct logged errors
+	ErrLoadCacheFail          = "Unable to load OCSP peer cache: %s"
+	ErrSaveCacheFail          = "Unable to save OCSP peer cache: %s"
+	ErrBadCacheTypeConfig     = "Unimplemented OCSP peer cache type [%v]"
+	ErrResponseCompressFail   = "Unable to compress OCSP response for key [%s]: %s"
+	ErrResponseDecompressFail = "Unable to decompress OCSP response for key [%s]: %s"
+	ErrPeerEmptyNoEvent       = "Peer certificate is nil, cannot send OCSP peer reject event"
+	ErrPeerEmptyAutoReject    = "Peer certificate is nil, rejecting OCSP peer"
+
+	// Debug information
+	DbgPlugTLSForKind        = "Plugging TLS OCSP peer for [%s]"
+	DbgNumServerChains       = "Peer OCSP enabled: %d TLS server chain(s) will be evaluated"
+	DbgNumClientChains       = "Peer OCSP enabled: %d TLS client chain(s) will be evaluated"
+	DbgLinksInChain          = "Chain [%d]: %d total link(s)"
+	DbgSelfSignedValid       = "Chain [%d] is self-signed, thus peer is valid"
+	DbgValidNonOCSPChain     = "Chain [%d] has no OCSP eligible links, thus peer is valid"
+	DbgChainIsOCSPEligible   = "Chain [%d] has %d OCSP eligible link(s)"
+	DbgChainIsOCSPValid      = "Chain [%d] is OCSP valid for all eligible links, thus peer is valid"
+	DbgNoOCSPValidChains     = "No OCSP valid chains, thus peer is invalid"
+	DbgCheckingCacheForCert  = "Checking OCSP peer cache for [%s], key [%s]"
+	DbgCurrentResponseCached = "Cached OCSP response is current, status [%s]"
+	DbgExpiredResponseCached = "Cached OCSP response is expired, status [%s]"
+	DbgOCSPValidPeerLink     = "OCSP verify pass for [%s]"
+	DbgCachingResponse       = "Caching OCSP response for [%s], key [%s]"
+	DbgAchievedCompression   = "OCSP response compression ratio: [%f]"
+	DbgCacheHit              = "OCSP peer cache hit for key [%s]"
+	DbgCacheMiss             = "OCSP peer cache miss for key [%s]"
+	DbgPreservedRevocation   = "Revoked OCSP response for key [%s] preserved by cache policy"
+	DbgDeletingCacheResponse = "Deleting OCSP peer cached response for key [%s]"
+	DbgStartingCache         = "Starting OCSP peer cache"
+	DbgStoppingCache         = "Stopping OCSP peer cache"
+	DbgLoadingCache          = "Loading OCSP peer cache [%s]"
+	DbgNoCacheFound          = "No OCSP peer cache found, starting with empty cache"
+	DbgSavingCache           = "Saving OCSP peer cache [%s]"
+	DbgCacheSaved            = "Saved OCSP peer cache successfully (%d bytes)"
+	DbgMakingCARequest       = "Trying OCSP responder url [%s]"
+	DbgResponseExpired       = "OCSP response NextUpdate [%s] is before now [%s] with clockskew [%s]"
+	DbgResponseTTLExpired    = "OCSP response cache expiry [%s] is before now [%s] with clockskew [%s]"
+	DbgResponseFutureDated   = "OCSP response ThisUpdate [%s] is before now [%s] with clockskew [%s]"
+	DbgCacheSaveTimerExpired = "OCSP peer cache save timer expired"
+	DbgCacheDirtySave        = "OCSP peer cache is dirty, saving"
+
+	// Returned to peer as TLS reject reason
+	MsgTLSClientRejectConnection = "client not OCSP valid"
+	MsgTLSServerRejectConnection = "server not OCSP valid"
+
+	// Expected runtime errors (direct logged)
+	ErrCAResponderCalloutFail  = "Attempt to obtain OCSP response from CA responder for [%s] failed: %s"
+	ErrNewCAResponseNotCurrent = "New OCSP CA response obtained for [%s] but not current"
+	ErrCAResponseParseFailed   = "Could not parse OCSP CA response for [%s]: %s"
+	ErrOCSPInvalidPeerLink     = "OCSP verify fail for [%s] with CA status [%s]"
+
+	// Policy override warnings (direct logged)
+	MsgAllowWhenCAUnreachableOccurred             = "Failed to obtain OCSP CA response for [%s] but AllowWhenCAUnreachable set; no cached revocation so allowing"
+	MsgAllowWhenCAUnreachableOccurredCachedRevoke = "Failed to obtain OCSP CA response for [%s] but AllowWhenCAUnreachable set; cached revocation exists so rejecting"
+	MsgAllowWarnOnlyOccurred                      = "OCSP verify fail for [%s] but WarnOnly is true so allowing"
+
+	// Info (direct logged)
+	MsgCacheOnline  = "OCSP peer cache online, type [%s]"
+	MsgCacheOffline = "OCSP peer cache offline, type [%s]"
+
+	// OCSP cert invalid reasons (debug and event reasons)
+	MsgFailedOCSPResponseFetch       = "Failed OCSP response fetch"
+	MsgOCSPResponseNotEffective      = "OCSP response not in effectivity window"
+	MsgFailedOCSPResponseParse       = "Failed OCSP response parse"
+	MsgOCSPResponseInvalidStatus     = "Invalid OCSP response status: %s"
+	MsgOCSPResponseDelegationInvalid = "Invalid OCSP response delegation: %s"
+	MsgCachedOCSPResponseInvalid     = "Invalid cached OCSP response for [%s] with fingerprint [%s]"
+)
diff --git a/server/certidp/ocsp_responder.go b/server/certidp/ocsp_responder.go
new file mode 100644
index 000000000..6e210f2b5
--- /dev/null
+++ b/server/certidp/ocsp_responder.go
@@ -0,0 +1,83 @@
+// Copyright 2023 The NATS Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package certidp
+
+import (
+	"encoding/base64"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"time"
+
+	"golang.org/x/crypto/ocsp"
+)
+
+func FetchOCSPResponse(link *ChainLink, opts *OCSPPeerConfig, log *Log) ([]byte, error) {
+	if link == nil || link.Leaf == nil || link.Issuer == nil || opts == nil || log == nil {
+		return nil, fmt.Errorf(ErrInvalidChainlink)
+	}
+
+	timeout := time.Duration(opts.Timeout * float64(time.Second))
+	if timeout <= 0*time.Second {
+		timeout = DefaultOCSPResponderTimeout
+	}
+
+	getRequestBytes := func(u string, hc *http.Client) ([]byte, error) {
+		resp, err := hc.Get(u)
+		if err != nil {
+			return nil, err
+		}
+		defer resp.Body.Close()
+		if resp.StatusCode != http.StatusOK {
+			return nil, fmt.Errorf(ErrBadResponderHTTPStatus, resp.StatusCode)
+		}
+		return io.ReadAll(resp.Body)
+	}
+
+	// Request documentation:
+	// https://tools.ietf.org/html/rfc6960#appendix-A.1
+
+	reqDER, err := ocsp.CreateRequest(link.Leaf, link.Issuer, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	reqEnc := base64.StdEncoding.EncodeToString(reqDER)
+
+	responders := *link.OCSPWebEndpoints
+
+	if len(responders) == 0 {
+		return nil, fmt.Errorf(ErrNoAvailOCSPServers)
+	}
+
+	var raw []byte
+	hc := &http.Client{
+		Timeout: timeout,
+	}
+	for _, u := range responders {
+		url := u.String()
+		log.Debugf(DbgMakingCARequest, url)
+		url = strings.TrimSuffix(url, "/")
+		raw, err = getRequestBytes(fmt.Sprintf("%s/%s", url, reqEnc), hc)
+		if err == nil {
+			break
+		}
+	}
+	if err != nil {
+		return nil, fmt.Errorf(ErrFailedWithAllRequests, err)
+	}
+
+	return raw, nil
+}
diff --git a/server/certstore/certstore.go b/server/certstore/certstore.go
new file mode 100644
index 000000000..3d7dfde60
--- /dev/null
+++ b/server/certstore/certstore.go
@@ -0,0 +1,102 @@
+// Copyright 2022-2023 The NATS Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package certstore
+
+import (
+	"crypto"
+	"crypto/x509"
+	"io"
+	"runtime"
+	"strings"
+)
+
+type StoreType int
+
+const MATCHBYEMPTY = 0
+const STOREEMPTY = 0
+
+const (
+	windowsCurrentUser StoreType = iota + 1
+	windowsLocalMachine
+)
+
+var StoreMap = map[string]StoreType{
+	"windowscurrentuser":  windowsCurrentUser,
+	"windowslocalmachine": windowsLocalMachine,
+}
+
+var StoreOSMap = map[StoreType]string{
+	windowsCurrentUser:  "windows",
+	windowsLocalMachine: "windows",
+}
+
+type MatchByType int
+
+const (
+	matchByIssuer MatchByType = iota + 1
+	matchBySubject
+)
+
+var MatchByMap = map[string]MatchByType{
+	"issuer":  matchByIssuer,
+	"subject": matchBySubject,
+}
+
+var Usage = `
+In place of cert_file and key_file you may use the windows certificate store:
+
+    tls {
+        cert_store:     "WindowsCurrentUser"
+        cert_match_by:  "Subject"
+        cert_match:     "MyServer123"
+    }
+`
+
+func ParseCertStore(certStore string) (StoreType, error) {
+	certStoreType, exists := StoreMap[strings.ToLower(certStore)]
+	if !exists {
+		return 0, ErrBadCertStore
+	}
+	validOS, exists := StoreOSMap[certStoreType]
+	if !exists || validOS != runtime.GOOS {
+		return 0, ErrOSNotCompatCertStore
+	}
+	return certStoreType, nil
+}
+
+func ParseCertMatchBy(certMatchBy string) (MatchByType, error) {
+	certMatchByType, exists := MatchByMap[strings.ToLower(certMatchBy)]
+	if !exists {
+		return 0, ErrBadMatchByType
+	}
+	return certMatchByType, nil
+}
+
+func GetLeafIssuer(leaf *x509.Certificate, vOpts x509.VerifyOptions) (issuer *x509.Certificate) {
+	chains, err := leaf.Verify(vOpts)
+	if err != nil || len(chains) == 0 {
+		issuer = nil
+	} else {
+		issuer = chains[0][1]
+	}
+	return
+}
+
+// credential provides access to a public key and is a crypto.Signer.
+type credential interface {
+	// Public returns the public key corresponding to the leaf certificate.
+	Public() crypto.PublicKey
+	// Sign signs digest with the private key.
+	Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)
+}
diff --git a/server/certstore/certstore_other.go b/server/certstore/certstore_other.go
new file mode 100644
index 000000000..a72df834a
--- /dev/null
+++ b/server/certstore/certstore_other.go
@@ -0,0 +1,46 @@
+// Copyright 2022-2023 The NATS Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build !windows
+
+package certstore
+
+import (
+	"crypto"
+	"crypto/tls"
+	"io"
+)
+
+var _ = MATCHBYEMPTY
+
+// otherKey implements crypto.Signer and crypto.Decrypter to satisfy linter on platforms that don't implement certstore
+type otherKey struct{}
+
+func TLSConfig(certStore StoreType, certMatchBy MatchByType, certMatch string, config *tls.Config) error {
+	_, _, _, _ = certStore, certMatchBy, certMatch, config
+	return ErrOSNotCompatCertStore
+}
+
+// Public always returns nil public key since this is a stub on non-supported platform
+func (k otherKey) Public() crypto.PublicKey {
+	return nil
+}
+
+// Sign always returns a nil signature since this is a stub on non-supported platform
+func (k otherKey) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error) {
+	_, _, _ = rand, digest, opts
+	return nil, nil
+}
+
+// Verify interface conformance.
+var _ credential = &otherKey{}
diff --git a/server/certstore/certstore_windows.go b/server/certstore/certstore_windows.go
new file mode 100644
index 000000000..57adc187a
--- /dev/null
+++ b/server/certstore/certstore_windows.go
@@ -0,0 +1,827 @@
+// Copyright 2022-2023 The NATS Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Adapted, updated, and enhanced from CertToStore, https://github.com/google/certtostore/releases/tag/v1.0.2
+// Apache License, Version 2.0, Copyright 2017 Google Inc.
+
+package certstore
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/binary"
+	"fmt"
+	"io"
+	"math/big"
+	"reflect"
+	"sync"
+	"syscall"
+	"unicode/utf16"
+	"unsafe"
+
+	"golang.org/x/crypto/cryptobyte"
+	"golang.org/x/crypto/cryptobyte/asn1"
+	"golang.org/x/sys/windows"
+)
+
+const (
+	// wincrypt.h constants
+	winAcquireCached           = 0x1                                                   // CRYPT_ACQUIRE_CACHE_FLAG
+	winAcquireSilent           = 0x40                                                  // CRYPT_ACQUIRE_SILENT_FLAG
+	winAcquireOnlyNCryptKey    = 0x40000                                               // CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG
+	winEncodingX509ASN         = 1                                                     // X509_ASN_ENCODING
+	winEncodingPKCS7           = 65536                                                 // PKCS_7_ASN_ENCODING
+	winCertStoreProvSystem     = 10                                                    // CERT_STORE_PROV_SYSTEM
+	winCertStoreCurrentUser    = uint32(winCertStoreCurrentUserID << winCompareShift)  // CERT_SYSTEM_STORE_CURRENT_USER
+	winCertStoreLocalMachine   = uint32(winCertStoreLocalMachineID << winCompareShift) // CERT_SYSTEM_STORE_LOCAL_MACHINE
+	winCertStoreCurrentUserID  = 1                                                     // CERT_SYSTEM_STORE_CURRENT_USER_ID
+	winCertStoreLocalMachineID = 2                                                     // CERT_SYSTEM_STORE_LOCAL_MACHINE_ID
+	winInfoIssuerFlag          = 4                                                     // CERT_INFO_ISSUER_FLAG
+	winInfoSubjectFlag         = 7                                                     // CERT_INFO_SUBJECT_FLAG
+	winCompareNameStrW         = 8                                                     // CERT_COMPARE_NAME_STR_A
+	winCompareShift            = 16                                                    // CERT_COMPARE_SHIFT
+
+	// Reference https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certfindcertificateinstore
+	winFindIssuerStr  = winCompareNameStrW<<winCompareShift | winInfoIssuerFlag  // CERT_FIND_ISSUER_STR_W
+	winFindSubjectStr = winCompareNameStrW<<winCompareShift | winInfoSubjectFlag // CERT_FIND_SUBJECT_STR_W
+
+	winNcryptKeySpec = 0xFFFFFFFF // CERT_NCRYPT_KEY_SPEC
+
+	winBCryptPadPKCS1   uintptr = 0x2
+	winBCryptPadPSS     uintptr = 0x8 // Modern TLS 1.2+
+	winBCryptPadPSSSalt uint32  = 32  // default 20, 32 optimal for typical SHA256 hash
+
+	winRSA1Magic = 0x31415352 // "RSA1" BCRYPT_RSAPUBLIC_MAGIC
+
+	winECS1Magic = 0x31534345 // "ECS1" BCRYPT_ECDSA_PUBLIC_P256_MAGIC
+	winECS3Magic = 0x33534345 // "ECS3" BCRYPT_ECDSA_PUBLIC_P384_MAGIC
+	winECS5Magic = 0x35534345 // "ECS5" BCRYPT_ECDSA_PUBLIC_P521_MAGIC
+
+	winECK1Magic = 0x314B4345 // "ECK1" BCRYPT_ECDH_PUBLIC_P256_MAGIC
+	winECK3Magic = 0x334B4345 // "ECK3" BCRYPT_ECDH_PUBLIC_P384_MAGIC
+	winECK5Magic = 0x354B4345 // "ECK5" BCRYPT_ECDH_PUBLIC_P521_MAGIC
+
+	winCryptENotFound = 0x80092004 // CRYPT_E_NOT_FOUND
+
+	providerMSSoftware = "Microsoft Software Key Storage Provider"
+)
+
+var (
+	winBCryptRSAPublicBlob = winWide("RSAPUBLICBLOB")
+	winBCryptECCPublicBlob = winWide("ECCPUBLICBLOB")
+
+	winNCryptAlgorithmGroupProperty = winWide("Algorithm Group") // NCRYPT_ALGORITHM_GROUP_PROPERTY
+	winNCryptUniqueNameProperty     = winWide("Unique Name")     // NCRYPT_UNIQUE_NAME_PROPERTY
+	winNCryptECCCurveNameProperty   = winWide("ECCCurveName")    // NCRYPT_ECC_CURVE_NAME_PROPERTY
+
+	winCurveIDs = map[uint32]elliptic.Curve{
+		winECS1Magic: elliptic.P256(), // BCRYPT_ECDSA_PUBLIC_P256_MAGIC
+		winECS3Magic: elliptic.P384(), // BCRYPT_ECDSA_PUBLIC_P384_MAGIC
+		winECS5Magic: elliptic.P521(), // BCRYPT_ECDSA_PUBLIC_P521_MAGIC
+		winECK1Magic: elliptic.P256(), // BCRYPT_ECDH_PUBLIC_P256_MAGIC
+		winECK3Magic: elliptic.P384(), // BCRYPT_ECDH_PUBLIC_P384_MAGIC
+		winECK5Magic: elliptic.P521(), // BCRYPT_ECDH_PUBLIC_P521_MAGIC
+	}
+
+	winCurveNames = map[string]elliptic.Curve{
+		"nistP256": elliptic.P256(), // BCRYPT_ECC_CURVE_NISTP256
+		"nistP384": elliptic.P384(), // BCRYPT_ECC_CURVE_NISTP384
+		"nistP521": elliptic.P521(), // BCRYPT_ECC_CURVE_NISTP521
+	}
+
+	winAlgIDs = map[crypto.Hash]*uint16{
+		crypto.SHA1:   winWide("SHA1"),   // BCRYPT_SHA1_ALGORITHM
+		crypto.SHA256: winWide("SHA256"), // BCRYPT_SHA256_ALGORITHM
+		crypto.SHA384: winWide("SHA384"), // BCRYPT_SHA384_ALGORITHM
+		crypto.SHA512: winWide("SHA512"), // BCRYPT_SHA512_ALGORITHM
+	}
+
+	// MY is well-known system store on Windows that holds personal certificates
+	winMyStore = winWide("MY")
+
+	// These DLLs must be available on all Windows hosts
+	winCrypt32 = windows.MustLoadDLL("crypt32.dll")
+	winNCrypt  = windows.MustLoadDLL("ncrypt.dll")
+
+	winCertFindCertificateInStore        = winCrypt32.MustFindProc("CertFindCertificateInStore")
+	winCryptAcquireCertificatePrivateKey = winCrypt32.MustFindProc("CryptAcquireCertificatePrivateKey")
+	winNCryptExportKey                   = winNCrypt.MustFindProc("NCryptExportKey")
+	winNCryptOpenStorageProvider         = winNCrypt.MustFindProc("NCryptOpenStorageProvider")
+	winNCryptGetProperty                 = winNCrypt.MustFindProc("NCryptGetProperty")
+	winNCryptSignHash                    = winNCrypt.MustFindProc("NCryptSignHash")
+
+	winFnGetProperty = winGetProperty
+)
+
+type winPKCS1PaddingInfo struct {
+	pszAlgID *uint16
+}
+
+type winPSSPaddingInfo struct {
+	pszAlgID *uint16
+	cbSalt   uint32
+}
+
+// TLSConfig fulfills the same function as reading cert and key pair from pem files but
+// sources the Windows certificate store instead
+func TLSConfig(certStore StoreType, certMatchBy MatchByType, certMatch string, config *tls.Config) error {
+	var (
+		leaf     *x509.Certificate
+		leafCtx  *windows.CertContext
+		pk       *winKey
+		vOpts    = x509.VerifyOptions{}
+		chains   [][]*x509.Certificate
+		chain    []*x509.Certificate
+		rawChain [][]byte
+	)
+
+	// By StoreType, open a store
+	if certStore == windowsCurrentUser || certStore == windowsLocalMachine {
+		var scope uint32
+		cs, err := winOpenCertStore(providerMSSoftware)
+		if err != nil || cs == nil {
+			return err
+		}
+		if certStore == windowsCurrentUser {
+			scope = winCertStoreCurrentUser
+		}
+		if certStore == windowsLocalMachine {
+			scope = winCertStoreLocalMachine
+		}
+
+		// certByIssuer or certBySubject
+		if certMatchBy == matchBySubject || certMatchBy == MATCHBYEMPTY {
+			leaf, leafCtx, err = cs.certBySubject(certMatch, scope)
+		} else if certMatchBy == matchByIssuer {
+			leaf, leafCtx, err = cs.certByIssuer(certMatch, scope)
+		} else {
+			return ErrBadMatchByType
+		}
+		if err != nil {
+			// pass through error from cert search
+			return err
+		}
+		if leaf == nil || leafCtx == nil {
+			return ErrFailedCertSearch
+		}
+		pk, err = cs.certKey(leafCtx)
+		if err != nil {
+			return err
+		}
+		if pk == nil {
+			return ErrNoPrivateKeyStoreRef
+		}
+	} else {
+		return ErrBadCertStore
+	}
+
+	// Get intermediates in the cert store for the found leaf IFF there is a full chain of trust in the store
+	// otherwise just use leaf as the final chain.
+	//
+	// Using std lib Verify as a reliable way to get valid chains out of the win store for the leaf; however,
+	// using empty options since server TLS stanza could be TLS role as server identity or client identity.
+	chains, err := leaf.Verify(vOpts)
+	if err != nil || len(chains) == 0 {
+		chains = append(chains, []*x509.Certificate{leaf})
+	}
+
+	// We have at least one verified chain so pop the first chain and remove the self-signed CA cert (if present)
+	// from the end of the chain
+	chain = chains[0]
+	if len(chain) > 1 {
+		chain = chain[:len(chain)-1]
+	}
+
+	// For tls.Certificate.Certificate need a [][]byte from []*x509.Certificate
+	// Approximate capacity for efficiency
+	rawChain = make([][]byte, 0, len(chain))
+	for _, link := range chain {
+		rawChain = append(rawChain, link.Raw)
+	}
+
+	tlsCert := tls.Certificate{
+		Certificate: rawChain,
+		PrivateKey:  pk,
+		Leaf:        leaf,
+	}
+	config.Certificates = []tls.Certificate{tlsCert}
+
+	// note: pk is a windows pointer (not freed by Go) but needs to live the life of the server for Signing.
+	// The cert context (leafCtx) windows pointer must not be freed underneath the pk so also life of the server.
+	return nil
+}
+
+// winWide returns a pointer to uint16 representing the equivalent
+// to a Windows LPCWSTR.
+func winWide(s string) *uint16 {
+	w := utf16.Encode([]rune(s))
+	w = append(w, 0)
+	return &w[0]
+}
+
+// winOpenProvider gets a provider handle for subsequent calls
+func winOpenProvider(provider string) (uintptr, error) {
+	var hProv uintptr
+	pname := winWide(provider)
+	// Open the provider, the last parameter is not used
+	r, _, err := winNCryptOpenStorageProvider.Call(uintptr(unsafe.Pointer(&hProv)), uintptr(unsafe.Pointer(pname)), 0)
+	if r == 0 {
+		return hProv, nil
+	}
+	return hProv, fmt.Errorf("NCryptOpenStorageProvider returned %X: %v", r, err)
+}
+
+// winFindCert wraps the CertFindCertificateInStore library call. Note that any cert context passed
+// into prev will be freed. If no certificate was found, nil will be returned.
+func winFindCert(store windows.Handle, enc, findFlags, findType uint32, para *uint16, prev *windows.CertContext) (*windows.CertContext, error) {
+	h, _, err := winCertFindCertificateInStore.Call(
+		uintptr(store),
+		uintptr(enc),
+		uintptr(findFlags),
+		uintptr(findType),
+		uintptr(unsafe.Pointer(para)),
+		uintptr(unsafe.Pointer(prev)),
+	)
+	if h == 0 {
+		// Actual error, or simply not found?
+		if errno, ok := err.(syscall.Errno); ok && errno == winCryptENotFound {
+			return nil, ErrFailedCertSearch
+		}
+		return nil, ErrFailedCertSearch
+	}
+	// nolint:govet
+	return (*windows.CertContext)(unsafe.Pointer(h)), nil
+}
+
+// winCertStore is a store implementation for the Windows Certificate Store
+type winCertStore struct {
+	Prov     uintptr
+	ProvName string
+	stores   map[string]*winStoreHandle
+	mu       sync.Mutex
+}
+
+// winOpenCertStore creates a winCertStore
+func winOpenCertStore(provider string) (*winCertStore, error) {
+	cngProv, err := winOpenProvider(provider)
+	if err != nil {
+		// pass through error from winOpenProvider
+		return nil, err
+	}
+
+	wcs := &winCertStore{
+		Prov:     cngProv,
+		ProvName: provider,
+		stores:   make(map[string]*winStoreHandle),
+	}
+
+	return wcs, nil
+}
+
+// winCertContextToX509 creates an x509.Certificate from a Windows cert context.
+func winCertContextToX509(ctx *windows.CertContext) (*x509.Certificate, error) {
+	var der []byte
+	slice := (*reflect.SliceHeader)(unsafe.Pointer(&der))
+	slice.Data = uintptr(unsafe.Pointer(ctx.EncodedCert))
+	slice.Len = int(ctx.Length)
+	slice.Cap = int(ctx.Length)
+	return x509.ParseCertificate(der)
+}
+
+// certByIssuer matches and returns the first certificate found by passed issuer.
+// CertContext pointer returned allows subsequent key operations like Sign. Caller specifies
+// current user's personal certs or local machine's personal certs using storeType.
+// See CERT_FIND_ISSUER_STR description at https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certfindcertificateinstore
+func (w *winCertStore) certByIssuer(issuer string, storeType uint32) (*x509.Certificate, *windows.CertContext, error) {
+	return w.certSearch(winFindIssuerStr, issuer, winMyStore, storeType)
+}
+
+// certBySubject matches and returns the first certificate found by passed subject field.
+// CertContext pointer returned allows subsequent key operations like Sign. Caller specifies
+// current user's personal certs or local machine's personal certs using storeType.
+// See CERT_FIND_SUBJECT_STR description at https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certfindcertificateinstore
+func (w *winCertStore) certBySubject(subject string, storeType uint32) (*x509.Certificate, *windows.CertContext, error) {
+	return w.certSearch(winFindSubjectStr, subject, winMyStore, storeType)
+}
+
+// certSearch is a helper function to lookup certificates based on search type and match value.
+// store is used to specify which store to perform the lookup in (system or user).
+func (w *winCertStore) certSearch(searchType uint32, matchValue string, searchRoot *uint16, store uint32) (*x509.Certificate, *windows.CertContext, error) {
+	// store handle to "MY" store
+	h, err := w.storeHandle(store, searchRoot)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	var prev *windows.CertContext
+	var cert *x509.Certificate
+
+	i, err := windows.UTF16PtrFromString(matchValue)
+	if err != nil {
+		return nil, nil, ErrFailedCertSearch
+	}
+
+	// pass 0 as the third parameter because it is not used
+	// https://msdn.microsoft.com/en-us/library/windows/desktop/aa376064(v=vs.85).aspx
+	nc, err := winFindCert(h, winEncodingX509ASN|winEncodingPKCS7, 0, searchType, i, prev)
+	if err != nil {
+		return nil, nil, err
+	}
+	if nc != nil {
+		// certificate found
+		prev = nc
+
+		// Extract the DER-encoded certificate from the cert context
+		xc, err := winCertContextToX509(nc)
+		if err == nil {
+			cert = xc
+		} else {
+			return nil, nil, ErrFailedX509Extract
+		}
+	} else {
+		return nil, nil, ErrFailedCertSearch
+	}
+
+	if cert == nil {
+		return nil, nil, ErrFailedX509Extract
+	}
+
+	return cert, prev, nil
+}
+
+type winStoreHandle struct {
+	handle *windows.Handle
+}
+
+func winNewStoreHandle(provider uint32, store *uint16) (*winStoreHandle, error) {
+	var s winStoreHandle
+	if s.handle != nil {
+		return &s, nil
+	}
+	st, err := windows.CertOpenStore(
+		winCertStoreProvSystem,
+		0,
+		0,
+		provider,
+		uintptr(unsafe.Pointer(store)))
+	if err != nil {
+		return nil, ErrBadCryptoStoreProvider
+	}
+	s.handle = &st
+	return &s, nil
+}
+
+// winKey implements crypto.Signer and crypto.Decrypter for key based operations.
+type winKey struct {
+	handle         uintptr
+	pub            crypto.PublicKey
+	Container      string
+	AlgorithmGroup string
+}
+
+// Public exports a public key to implement crypto.Signer
+func (k winKey) Public() crypto.PublicKey {
+	return k.pub
+}
+
+// Sign returns the signature of a hash to implement crypto.Signer
+func (k winKey) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
+	switch k.AlgorithmGroup {
+	case "ECDSA", "ECDH":
+		return winSignECDSA(k.handle, digest)
+	case "RSA":
+		hf := opts.HashFunc()
+		algID, ok := winAlgIDs[hf]
+		if !ok {
+			return nil, ErrBadRSAHashAlgorithm
+		}
+		switch opts.(type) {
+		case *rsa.PSSOptions:
+			return winSignRSAPSSPadding(k.handle, digest, algID)
+		default:
+			return winSignRSAPKCS1Padding(k.handle, digest, algID)
+		}
+	default:
+		return nil, ErrBadSigningAlgorithm
+	}
+}
+
+func winSignECDSA(kh uintptr, digest []byte) ([]byte, error) {
+	var size uint32
+	// Obtain the size of the signature
+	r, _, _ := winNCryptSignHash.Call(
+		kh,
+		0,
+		uintptr(unsafe.Pointer(&digest[0])),
+		uintptr(len(digest)),
+		0,
+		0,
+		uintptr(unsafe.Pointer(&size)),
+		0)
+	if r != 0 {
+		return nil, ErrStoreECDSASigningError
+	}
+
+	// Obtain the signature data
+	buf := make([]byte, size)
+	r, _, _ = winNCryptSignHash.Call(
+		kh,
+		0,
+		uintptr(unsafe.Pointer(&digest[0])),
+		uintptr(len(digest)),
+		uintptr(unsafe.Pointer(&buf[0])),
+		uintptr(size),
+		uintptr(unsafe.Pointer(&size)),
+		0)
+	if r != 0 {
+		return nil, ErrStoreECDSASigningError
+	}
+	if len(buf) != int(size) {
+		return nil, ErrStoreECDSASigningError
+	}
+
+	return winPackECDSASigValue(bytes.NewReader(buf[:size]), len(digest))
+}
+
+func winPackECDSASigValue(r io.Reader, digestLength int) ([]byte, error) {
+	sigR := make([]byte, digestLength)
+	if _, err := io.ReadFull(r, sigR); err != nil {
+		return nil, ErrStoreECDSASigningError
+	}
+
+	sigS := make([]byte, digestLength)
+	if _, err := io.ReadFull(r, sigS); err != nil {
+		return nil, ErrStoreECDSASigningError
+	}
+
+	var b cryptobyte.Builder
+	b.AddASN1(asn1.SEQUENCE, func(b *cryptobyte.Builder) {
+		b.AddASN1BigInt(new(big.Int).SetBytes(sigR))
+		b.AddASN1BigInt(new(big.Int).SetBytes(sigS))
+	})
+	return b.Bytes()
+}
+
+func winSignRSAPKCS1Padding(kh uintptr, digest []byte, algID *uint16) ([]byte, error) {
+	// PKCS#1 v1.5 padding for some TLS 1.2
+	padInfo := winPKCS1PaddingInfo{pszAlgID: algID}
+	var size uint32
+	// Obtain the size of the signature
+	r, _, _ := winNCryptSignHash.Call(
+		kh,
+		uintptr(unsafe.Pointer(&padInfo)),
+		uintptr(unsafe.Pointer(&digest[0])),
+		uintptr(len(digest)),
+		0,
+		0,
+		uintptr(unsafe.Pointer(&size)),
+		winBCryptPadPKCS1)
+	if r != 0 {
+		return nil, ErrStoreRSASigningError
+	}
+
+	// Obtain the signature data
+	sig := make([]byte, size)
+	r, _, _ = winNCryptSignHash.Call(
+		kh,
+		uintptr(unsafe.Pointer(&padInfo)),
+		uintptr(unsafe.Pointer(&digest[0])),
+		uintptr(len(digest)),
+		uintptr(unsafe.Pointer(&sig[0])),
+		uintptr(size),
+		uintptr(unsafe.Pointer(&size)),
+		winBCryptPadPKCS1)
+	if r != 0 {
+		return nil, ErrStoreRSASigningError
+	}
+
+	return sig[:size], nil
+}
+
+func winSignRSAPSSPadding(kh uintptr, digest []byte, algID *uint16) ([]byte, error) {
+	// PSS padding for TLS 1.3 and some TLS 1.2
+	padInfo := winPSSPaddingInfo{pszAlgID: algID, cbSalt: winBCryptPadPSSSalt}
+
+	var size uint32
+	// Obtain the size of the signature
+	r, _, _ := winNCryptSignHash.Call(
+		kh,
+		uintptr(unsafe.Pointer(&padInfo)),
+		uintptr(unsafe.Pointer(&digest[0])),
+		uintptr(len(digest)),
+		0,
+		0,
+		uintptr(unsafe.Pointer(&size)),
+		winBCryptPadPSS)
+	if r != 0 {
+		return nil, ErrStoreRSASigningError
+	}
+
+	// Obtain the signature data
+	sig := make([]byte, size)
+	r, _, _ = winNCryptSignHash.Call(
+		kh,
+		uintptr(unsafe.Pointer(&padInfo)),
+		uintptr(unsafe.Pointer(&digest[0])),
+		uintptr(len(digest)),
+		uintptr(unsafe.Pointer(&sig[0])),
+		uintptr(size),
+		uintptr(unsafe.Pointer(&size)),
+		winBCryptPadPSS)
+	if r != 0 {
+		return nil, ErrStoreRSASigningError
+	}
+
+	return sig[:size], nil
+}
+
+// certKey wraps CryptAcquireCertificatePrivateKey. It obtains the CNG private
+// key of a known certificate and returns a pointer to a winKey which implements
+// both crypto.Signer. When a nil cert context is passed
+// a nil key is intentionally returned, to model the expected behavior of a
+// non-existent cert having no private key.
+// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptacquirecertificateprivatekey
+func (w *winCertStore) certKey(cert *windows.CertContext) (*winKey, error) {
+	// Return early if a nil cert was passed.
+	if cert == nil {
+		return nil, nil
+	}
+	var (
+		kh       uintptr
+		spec     uint32
+		mustFree int
+	)
+	r, _, _ := winCryptAcquireCertificatePrivateKey.Call(
+		uintptr(unsafe.Pointer(cert)),
+		winAcquireCached|winAcquireSilent|winAcquireOnlyNCryptKey,
+		0, // Reserved, must be null.
+		uintptr(unsafe.Pointer(&kh)),
+		uintptr(unsafe.Pointer(&spec)),
+		uintptr(unsafe.Pointer(&mustFree)),
+	)
+	// If the function succeeds, the return value is nonzero (TRUE).
+	if r == 0 {
+		return nil, ErrNoPrivateKeyStoreRef
+	}
+	if mustFree != 0 {
+		return nil, ErrNoPrivateKeyStoreRef
+	}
+	if spec != winNcryptKeySpec {
+		return nil, ErrNoPrivateKeyStoreRef
+	}
+
+	return winKeyMetadata(kh)
+}
+
+func winKeyMetadata(kh uintptr) (*winKey, error) {
+	// uc is used to populate the unique container name attribute of the private key
+	uc, err := winGetPropertyStr(kh, winNCryptUniqueNameProperty)
+	if err != nil {
+		// unable to determine key unique name
+		return nil, ErrExtractingPrivateKeyMetadata
+	}
+
+	alg, err := winGetPropertyStr(kh, winNCryptAlgorithmGroupProperty)
+	if err != nil {
+		// unable to determine key algorithm
+		return nil, ErrExtractingPrivateKeyMetadata
+	}
+
+	var pub crypto.PublicKey
+
+	switch alg {
+	case "ECDSA", "ECDH":
+		buf, err := winExport(kh, winBCryptECCPublicBlob)
+		if err != nil {
+			// failed to export ECC public key
+			return nil, ErrExtractingECCPublicKey
+		}
+		pub, err = unmarshalECC(buf, kh)
+		if err != nil {
+			return nil, ErrExtractingECCPublicKey
+		}
+	case "RSA":
+		buf, err := winExport(kh, winBCryptRSAPublicBlob)
+		if err != nil {
+			return nil, ErrExtractingRSAPublicKey
+		}
+		pub, err = winUnmarshalRSA(buf)
+		if err != nil {
+			return nil, ErrExtractingRSAPublicKey
+		}
+	default:
+		return nil, ErrBadPublicKeyAlgorithm
+	}
+
+	return &winKey{handle: kh, pub: pub, Container: uc, AlgorithmGroup: alg}, nil
+}
+
+func winGetProperty(kh uintptr, property *uint16) ([]byte, error) {
+	var strSize uint32
+	r, _, _ := winNCryptGetProperty.Call(
+		kh,
+		uintptr(unsafe.Pointer(property)),
+		0,
+		0,
+		uintptr(unsafe.Pointer(&strSize)),
+		0,
+		0)
+	if r != 0 {
+		return nil, ErrExtractPropertyFromKey
+	}
+
+	buf := make([]byte, strSize)
+	r, _, _ = winNCryptGetProperty.Call(
+		kh,
+		uintptr(unsafe.Pointer(property)),
+		uintptr(unsafe.Pointer(&buf[0])),
+		uintptr(strSize),
+		uintptr(unsafe.Pointer(&strSize)),
+		0,
+		0)
+	if r != 0 {
+		return nil, ErrExtractPropertyFromKey
+	}
+
+	return buf, nil
+}
+
+func winGetPropertyStr(kh uintptr, property *uint16) (string, error) {
+	buf, err := winFnGetProperty(kh, property)
+	if err != nil {
+		return "", ErrExtractPropertyFromKey
+	}
+	uc := bytes.ReplaceAll(buf, []byte{0x00}, []byte(""))
+	return string(uc), nil
+}
+
+func winExport(kh uintptr, blobType *uint16) ([]byte, error) {
+	var size uint32
+	// When obtaining the size of a public key, most parameters are not required
+	r, _, _ := winNCryptExportKey.Call(
+		kh,
+		0,
+		uintptr(unsafe.Pointer(blobType)),
+		0,
+		0,
+		0,
+		uintptr(unsafe.Pointer(&size)),
+		0)
+	if r != 0 {
+		return nil, ErrExtractingPublicKey
+	}
+
+	// Place the exported key in buf now that we know the size required
+	buf := make([]byte, size)
+	r, _, _ = winNCryptExportKey.Call(
+		kh,
+		0,
+		uintptr(unsafe.Pointer(blobType)),
+		0,
+		uintptr(unsafe.Pointer(&buf[0])),
+		uintptr(size),
+		uintptr(unsafe.Pointer(&size)),
+		0)
+	if r != 0 {
+		return nil, ErrExtractingPublicKey
+	}
+	return buf, nil
+}
+
+func unmarshalECC(buf []byte, kh uintptr) (*ecdsa.PublicKey, error) {
+	// BCRYPT_ECCKEY_BLOB from bcrypt.h
+	header := struct {
+		Magic uint32
+		Key   uint32
+	}{}
+
+	r := bytes.NewReader(buf)
+	if err := binary.Read(r, binary.LittleEndian, &header); err != nil {
+		return nil, ErrExtractingECCPublicKey
+	}
+
+	curve, ok := winCurveIDs[header.Magic]
+	if !ok {
+		// Fix for b/185945636, where despite specifying the curve, nCrypt returns
+		// an incorrect response with BCRYPT_ECDSA_PUBLIC_GENERIC_MAGIC.
+		var err error
+		curve, err = winCurveName(kh)
+		if err != nil {
+			// unsupported header magic or cannot match the curve by name
+			return nil, err
+		}
+	}
+
+	keyX := make([]byte, header.Key)
+	if n, err := r.Read(keyX); n != int(header.Key) || err != nil {
+		// failed to read key X
+		return nil, ErrExtractingECCPublicKey
+	}
+
+	keyY := make([]byte, header.Key)
+	if n, err := r.Read(keyY); n != int(header.Key) || err != nil {
+		// failed to read key Y
+		return nil, ErrExtractingECCPublicKey
+	}
+
+	pub := &ecdsa.PublicKey{
+		Curve: curve,
+		X:     new(big.Int).SetBytes(keyX),
+		Y:     new(big.Int).SetBytes(keyY),
+	}
+	return pub, nil
+}
+
+// winCurveName reads the curve name property and returns the corresponding curve.
+func winCurveName(kh uintptr) (elliptic.Curve, error) {
+	cn, err := winGetPropertyStr(kh, winNCryptECCCurveNameProperty)
+	if err != nil {
+		// unable to determine the curve property name
+		return nil, ErrExtractPropertyFromKey
+	}
+	curve, ok := winCurveNames[cn]
+	if !ok {
+		// unknown curve name
+		return nil, ErrBadECCCurveName
+	}
+	return curve, nil
+}
+
+func winUnmarshalRSA(buf []byte) (*rsa.PublicKey, error) {
+	// BCRYPT_RSA_BLOB from bcrypt.h
+	header := struct {
+		Magic         uint32
+		BitLength     uint32
+		PublicExpSize uint32
+		ModulusSize   uint32
+		UnusedPrime1  uint32
+		UnusedPrime2  uint32
+	}{}
+
+	r := bytes.NewReader(buf)
+	if err := binary.Read(r, binary.LittleEndian, &header); err != nil {
+		return nil, ErrExtractingRSAPublicKey
+	}
+
+	if header.Magic != winRSA1Magic {
+		// invalid header magic
+		return nil, ErrExtractingRSAPublicKey
+	}
+
+	if header.PublicExpSize > 8 {
+		// unsupported public exponent size
+		return nil, ErrExtractingRSAPublicKey
+	}
+
+	exp := make([]byte, 8)
+	if n, err := r.Read(exp[8-header.PublicExpSize:]); n != int(header.PublicExpSize) || err != nil {
+		// failed to read public exponent
+		return nil, ErrExtractingRSAPublicKey
+	}
+
+	mod := make([]byte, header.ModulusSize)
+	if n, err := r.Read(mod); n != int(header.ModulusSize) || err != nil {
+		// failed to read modulus
+		return nil, ErrExtractingRSAPublicKey
+	}
+
+	pub := &rsa.PublicKey{
+		N: new(big.Int).SetBytes(mod),
+		E: int(binary.BigEndian.Uint64(exp)),
+	}
+	return pub, nil
+}
+
+// storeHandle returns a handle to a given cert store, opening the handle as needed.
+func (w *winCertStore) storeHandle(provider uint32, store *uint16) (windows.Handle, error) {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	key := fmt.Sprintf("%d%s", provider, windows.UTF16PtrToString(store))
+	var err error
+	if w.stores[key] == nil {
+		w.stores[key], err = winNewStoreHandle(provider, store)
+		if err != nil {
+			return 0, ErrBadCryptoStoreProvider
+		}
+	}
+	return *w.stores[key].handle, nil
+}
+
+// Verify interface conformance.
+var _ credential = &winKey{}
diff --git a/server/certstore/errors.go b/server/certstore/errors.go
new file mode 100644
index 000000000..bbb1c9d83
--- /dev/null
+++ b/server/certstore/errors.go
@@ -0,0 +1,73 @@
+package certstore
+
+import (
+	"errors"
+)
+
+var (
+	// ErrBadCryptoStoreProvider represents inablity to establish link with a certificate store
+	ErrBadCryptoStoreProvider = errors.New("unable to open certificate store or store not available")
+
+	// ErrBadRSAHashAlgorithm represents a bad or unsupported RSA hash algorithm
+	ErrBadRSAHashAlgorithm = errors.New("unsupported RSA hash algorithm")
+
+	// ErrBadSigningAlgorithm represents a bad or unsupported signing algorithm
+	ErrBadSigningAlgorithm = errors.New("unsupported signing algorithm")
+
+	// ErrStoreRSASigningError represents an error returned from store during RSA signature
+	ErrStoreRSASigningError = errors.New("unable to obtain RSA signature from store")
+
+	// ErrStoreECDSASigningError represents an error returned from store during ECDSA signature
+	ErrStoreECDSASigningError = errors.New("unable to obtain ECDSA signature from store")
+
+	// ErrNoPrivateKeyStoreRef represents an error getting a handle to a private key in store
+	ErrNoPrivateKeyStoreRef = errors.New("unable to obtain private key handle from store")
+
+	// ErrExtractingPrivateKeyMetadata represents a family of errors extracting metadata about the private key in store
+	ErrExtractingPrivateKeyMetadata = errors.New("unable to extract private key metadata")
+
+	// ErrExtractingECCPublicKey represents an error exporting ECC-type public key from store
+	ErrExtractingECCPublicKey = errors.New("unable to extract ECC public key from store")
+
+	// ErrExtractingRSAPublicKey represents an error exporting RSA-type public key from store
+	ErrExtractingRSAPublicKey = errors.New("unable to extract RSA public key from store")
+
+	// ErrExtractingPublicKey represents a general error exporting public key from store
+	ErrExtractingPublicKey = errors.New("unable to extract public key from store")
+
+	// ErrBadPublicKeyAlgorithm represents a bad or unsupported public key algorithm
+	ErrBadPublicKeyAlgorithm = errors.New("unsupported public key algorithm")
+
+	// ErrExtractPropertyFromKey represents a general failure to extract a metadata property field
+	ErrExtractPropertyFromKey = errors.New("unable to extract property from key")
+
+	// ErrBadECCCurveName represents an ECC signature curve name that is bad or unsupported
+	ErrBadECCCurveName = errors.New("unsupported ECC curve name")
+
+	// ErrFailedCertSearch represents not able to find certificate in store
+	ErrFailedCertSearch = errors.New("unable to find certificate in store")
+
+	// ErrFailedX509Extract represents not being able to extract x509 certificate from found cert in store
+	ErrFailedX509Extract = errors.New("unable to extract x509 from certificate")
+
+	// ErrBadMatchByType represents unknown CERT_MATCH_BY passed
+	ErrBadMatchByType = errors.New("cert match by type not implemented")
+
+	// ErrBadCertStore represents unknown CERT_STORE passed
+	ErrBadCertStore = errors.New("cert store type not implemented")
+
+	// ErrConflictCertFileAndStore represents ambiguous configuration of both file and store
+	ErrConflictCertFileAndStore = errors.New("'cert_file' and 'cert_store' may not both be configured")
+
+	// ErrBadCertStoreField represents malformed cert_store option
+	ErrBadCertStoreField = errors.New("expected 'cert_store' to be a valid non-empty string")
+
+	// ErrBadCertMatchByField represents malformed cert_match_by option
+	ErrBadCertMatchByField = errors.New("expected 'cert_match_by' to be a valid non-empty string")
+
+	// ErrBadCertMatchField represents malformed cert_match option
+	ErrBadCertMatchField = errors.New("expected 'cert_match' to be a valid non-empty string")
+
+	// ErrOSNotCompatCertStore represents cert_store passed that exists but is not valid on current OS
+	ErrOSNotCompatCertStore = errors.New("cert_store not compatible with current operating system")
+)
diff --git a/server/certstore_windows_test.go b/server/certstore_windows_test.go
new file mode 100644
index 000000000..e0f33c2e7
--- /dev/null
+++ b/server/certstore_windows_test.go
@@ -0,0 +1,230 @@
+// Copyright 2022-2023 The NATS Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build windows
+
+package server
+
+import (
+	"fmt"
+	"net/url"
+	"os"
+	"os/exec"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/nats-io/nats.go"
+)
+
+func runPowershellScript(scriptFile string, args []string) error {
+	_ = args
+	psExec, _ := exec.LookPath("powershell.exe")
+	execArgs := []string{psExec, "-command", fmt.Sprintf("& '%s'", scriptFile)}
+
+	cmdImport := &exec.Cmd{
+		Path:   psExec,
+		Args:   execArgs,
+		Stdout: os.Stdout,
+		Stderr: os.Stderr,
+	}
+	return cmdImport.Run()
+}
+
+func runConfiguredLeaf(t *testing.T, hubPort int, certStore string, matchBy string, match string, expectedLeafCount int) {
+
+	// Fire up the leaf
+	u, err := url.Parse(fmt.Sprintf("nats://localhost:%d", hubPort))
+	if err != nil {
+		t.Fatalf("Error parsing url: %v", err)
+	}
+
+	configStr := fmt.Sprintf(`
+		port: -1
+		leaf {
+			remotes [
+				{
+					url: "%s"
+					tls {
+						cert_store: "%s"
+						cert_match_by: "%s"
+						cert_match: "%s"
+
+						# Above should be equivalent to:
+						# cert_file: "../test/configs/certs/tlsauth/client.pem"
+						# key_file: "../test/configs/certs/tlsauth/client-key.pem"
+
+						ca_file: "../test/configs/certs/tlsauth/ca.pem"
+						timeout: 5
+					}
+				}
+			]
+		}
+	`, u.String(), certStore, matchBy, match)
+
+	leafConfig := createConfFile(t, []byte(configStr))
+	defer removeFile(t, leafConfig)
+	leafServer, _ := RunServerWithConfig(leafConfig)
+	defer leafServer.Shutdown()
+
+	// After client verify, hub will match by SAN email, SAN dns, and Subject (in that order)
+	// Our test client specifies Subject only so we should match on that...
+
+	// A little settle time
+	time.Sleep(1 * time.Second)
+	checkLeafNodeConnectedCount(t, leafServer, expectedLeafCount)
+}
+
+// TestLeafTLSWindowsCertStore tests the topology of two NATS Servers connected as leaf and hub with authentication of
+// leaf to hub via mTLS with leaf's certificate and signing key provisioned in the Windows certificate store.
+func TestLeafTLSWindowsCertStore(t *testing.T) {
+
+	// Client Identity (client.pem)
+	// Issuer: O = Synadia Communications Inc., OU = NATS.io, CN = localhost
+	// Subject: OU = NATS.io, CN = example.com
+
+	// Make sure windows cert store is reset to avoid conflict with other tests
+	err := runPowershellScript("../test/configs/certs/tlsauth/certstore/delete-cert-from-store.ps1", nil)
+	if err != nil {
+		t.Fatalf("expected powershell cert delete to succeed: %s", err.Error())
+	}
+
+	// Provision Windows cert store with client cert and secret
+	err = runPowershellScript("../test/configs/certs/tlsauth/certstore/import-p12-client.ps1", nil)
+	if err != nil {
+		t.Fatalf("expected powershell provision to succeed: %s", err.Error())
+	}
+
+	// Fire up the hub
+	hubConfig := createConfFile(t, []byte(`
+		port: -1
+		leaf {
+			listen: "127.0.0.1:-1"
+			tls {
+				ca_file: "../test/configs/certs/tlsauth/ca.pem"
+				cert_file: "../test/configs/certs/tlsauth/server.pem"
+				key_file:  "../test/configs/certs/tlsauth/server-key.pem"
+				timeout: 5
+				verify_and_map: true
+			}
+		}
+
+		accounts: {
+			AcctA: {
+			  users: [ {user: "OU = NATS.io, CN = example.com"} ]
+			},
+			AcctB: {
+			  users: [ {user: UserB1} ]
+			},
+			SYS: {
+				users: [ {user: System} ]
+			}
+		}
+		system_account: "SYS"
+	`))
+	defer removeFile(t, hubConfig)
+	hubServer, hubOptions := RunServerWithConfig(hubConfig)
+	defer hubServer.Shutdown()
+
+	testCases := []struct {
+		certStore         string
+		certMatchBy       string
+		certMatch         string
+		expectedLeafCount int
+	}{
+		{"WindowsCurrentUser", "Subject", "example.com", 1},
+		{"WindowsCurrentUser", "Issuer", "Synadia Communications Inc.", 1},
+		{"WindowsCurrentUser", "Issuer", "Frodo Baggins, Inc.", 0},
+	}
+	for _, tc := range testCases {
+		t.Run(fmt.Sprintf("%s by %s match %s", tc.certStore, tc.certMatchBy, tc.certMatch), func(t *testing.T) {
+			defer func() {
+				if r := recover(); r != nil {
+					if tc.expectedLeafCount != 0 {
+						t.Fatalf("did not expect panic")
+					} else {
+						if !strings.Contains(fmt.Sprintf("%v", r), "Error processing configuration file") {
+							t.Fatalf("did not expect unknown panic cause")
+						}
+					}
+				}
+			}()
+			runConfiguredLeaf(t, hubOptions.LeafNode.Port, tc.certStore, tc.certMatchBy, tc.certMatch, tc.expectedLeafCount)
+		})
+	}
+}
+
+// TestServerTLSWindowsCertStore tests the topology of a NATS server requiring TLS and gettings it own server
+// cert identiy (as used when accepting NATS client connections and negotiating TLS) from Windows certificate store.
+func TestServerTLSWindowsCertStore(t *testing.T) {
+
+	// Server Identity (server.pem)
+	// Issuer: O = Synadia Communications Inc., OU = NATS.io, CN = localhost
+	// Subject: OU = NATS.io Operators, CN = localhost
+
+	// Make sure windows cert store is reset to avoid conflict with other tests
+	err := runPowershellScript("../test/configs/certs/tlsauth/certstore/delete-cert-from-store.ps1", nil)
+	if err != nil {
+		t.Fatalf("expected powershell cert delete to succeed: %s", err.Error())
+	}
+
+	// Provision Windows cert store with server cert and secret
+	err = runPowershellScript("../test/configs/certs/tlsauth/certstore/import-p12-server.ps1", nil)
+	if err != nil {
+		t.Fatalf("expected powershell provision to succeed: %s", err.Error())
+	}
+
+	// Fire up the server
+	srvConfig := createConfFile(t, []byte(`
+	listen: "localhost:-1"
+	tls {
+		cert_store: "WindowsCurrentUser"
+		cert_match_by: "Subject"
+		cert_match: "NATS.io Operators"
+		timeout: 5
+	}
+	`))
+	defer removeFile(t, srvConfig)
+	srvServer, _ := RunServerWithConfig(srvConfig)
+	if srvServer == nil {
+		t.Fatalf("expected to be able start server with cert store configuration")
+	}
+	defer srvServer.Shutdown()
+
+	testCases := []struct {
+		clientCA string
+		expect   bool
+	}{
+		{"../test/configs/certs/tlsauth/ca.pem", true},
+		{"../test/configs/certs/tlsauth/client.pem", false},
+	}
+	for _, tc := range testCases {
+		t.Run(fmt.Sprintf("Client CA: %s", tc.clientCA), func(t *testing.T) {
+			nc, _ := nats.Connect(srvServer.clientConnectURLs[0], nats.RootCAs(tc.clientCA))
+			err := nc.Publish("foo", []byte("hello TLS server-authenticated server"))
+			if (err != nil) == tc.expect {
+				t.Fatalf("expected publish result %v to TLS authenticated server", tc.expect)
+			}
+			nc.Close()
+
+			for i := 0; i < 5; i++ {
+				nc, _ = nats.Connect(srvServer.clientConnectURLs[0], nats.RootCAs(tc.clientCA))
+				err = nc.Publish("foo", []byte("hello TLS server-authenticated server"))
+				if (err != nil) == tc.expect {
+					t.Fatalf("expected repeated connection result %v to TLS authenticated server", tc.expect)
+				}
+				nc.Close()
+			}
+		})
+	}
+}
diff --git a/server/ciphersuites.go b/server/ciphersuites.go
index b12682c10..12014327b 100644
--- a/server/ciphersuites.go
+++ b/server/ciphersuites.go
@@ -108,6 +108,7 @@ func defaultCurvePreferences() []tls.CurveID {
 	}
 }
 
+// ** added by Memphis
 func EncryptAES(plaintext []byte) (string, error) {
 	key := getAESKey()
 	c, err := aes.NewCipher(key)
@@ -163,3 +164,5 @@ func getAESKey() []byte {
 	}
 	return key
 }
+
+// ** added by Memphis
diff --git a/server/client.go b/server/client.go
index 80bc6974f..d088f1cd3 100644
--- a/server/client.go
+++ b/server/client.go
@@ -18,6 +18,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"math/rand"
@@ -110,9 +111,6 @@ const (
 	// For stalling fast producers
 	stallClientMinDuration = 100 * time.Millisecond
 	stallClientMaxDuration = time.Second
-
-	// Threshold for not knowingly doing a potential blocking operation when internal and on a route or gateway or leafnode.
-	noBlockThresh = 500 * time.Millisecond
 )
 
 var readLoopReportThreshold = readLoopReport
@@ -139,7 +137,6 @@ const (
 	skipFlushOnClose                              // Marks that flushOutbound() should not be called on connection close.
 	expectConnect                                 // Marks if this connection is expected to send a CONNECT
 	connectProcessFinished                        // Marks if this connection has finished the connect process.
-	connectionIdSent                              // connectionId sent to client
 )
 
 // set the flag (would be equivalent to set the boolean to true)
@@ -254,7 +251,9 @@ type client struct {
 	ping       pinfo
 	msgb       [msgScratchSize]byte
 	last       time.Time
-	headers    bool
+	lastIn     time.Time
+
+	headers bool
 
 	rtt      time.Duration
 	rttStart time.Time
@@ -278,15 +277,18 @@ type client struct {
 
 	tlsTo *time.Timer
 
-	memphisInfo memphisClientInfo
+	memphisInfo memphisClientInfo // ** added by Memphis
 }
 
+// ** added by Memphis
 type memphisClientInfo struct {
 	username     string
 	connectionId string `json:"connection_id,omitempty"`
 	isNative     bool
 }
 
+// ** added by Memphis
+
 type rrTracking struct {
 	rmap map[string]*remoteLatency
 	ptmr *time.Timer
@@ -295,20 +297,15 @@ type rrTracking struct {
 
 // Struct for PING initiation from the server.
 type pinfo struct {
-	tmr  *time.Timer
-	last time.Time
-	out  int
+	tmr *time.Timer
+	out int
 }
 
 // outbound holds pending data for a socket.
 type outbound struct {
-	p   []byte        // Primary write buffer
-	s   []byte        // Secondary for use post flush
-	nb  net.Buffers   // net.Buffers for writev IO
-	sz  int32         // limit size per []byte, uses variable BufSize constants, start, min, max.
-	sws int32         // Number of short writes, used for dynamic resizing.
+	nb  net.Buffers   // Pending buffers for send, each has fixed capacity as per nbPool below.
+	wnb net.Buffers   // Working copy of "nb", reused on each flushOutbound call, partial writes may leave entries here for next iteration.
 	pb  int64         // Total pending/queued bytes.
-	pm  int32         // Total pending/queued messages.
 	fsp int32         // Flush signals that are pending per producer from readLoop's pcd.
 	sg  *sync.Cond    // To signal writeLoop that there is data to flush.
 	wdl time.Duration // Snapshot of write deadline.
@@ -317,6 +314,59 @@ type outbound struct {
 	stc chan struct{} // Stall chan we create to slow down producers on overrun, e.g. fan-in.
 }
 
+const nbPoolSizeSmall = 512   // Underlying array size of small buffer
+const nbPoolSizeMedium = 4096 // Underlying array size of medium buffer
+const nbPoolSizeLarge = 65536 // Underlying array size of large buffer
+
+var nbPoolSmall = &sync.Pool{
+	New: func() any {
+		b := [nbPoolSizeSmall]byte{}
+		return &b
+	},
+}
+
+var nbPoolMedium = &sync.Pool{
+	New: func() any {
+		b := [nbPoolSizeMedium]byte{}
+		return &b
+	},
+}
+
+var nbPoolLarge = &sync.Pool{
+	New: func() any {
+		b := [nbPoolSizeLarge]byte{}
+		return &b
+	},
+}
+
+func nbPoolGet(sz int) []byte {
+	switch {
+	case sz <= nbPoolSizeSmall:
+		return nbPoolSmall.Get().(*[nbPoolSizeSmall]byte)[:0]
+	case sz <= nbPoolSizeMedium:
+		return nbPoolMedium.Get().(*[nbPoolSizeMedium]byte)[:0]
+	default:
+		return nbPoolLarge.Get().(*[nbPoolSizeLarge]byte)[:0]
+	}
+}
+
+func nbPoolPut(b []byte) {
+	switch cap(b) {
+	case nbPoolSizeSmall:
+		b := (*[nbPoolSizeSmall]byte)(b[0:nbPoolSizeSmall])
+		nbPoolSmall.Put(b)
+	case nbPoolSizeMedium:
+		b := (*[nbPoolSizeMedium]byte)(b[0:nbPoolSizeMedium])
+		nbPoolMedium.Put(b)
+	case nbPoolSizeLarge:
+		b := (*[nbPoolSizeLarge]byte)(b[0:nbPoolSizeLarge])
+		nbPoolLarge.Put(b)
+	default:
+		// Ignore frames that are the wrong size, this might happen
+		// with WebSocket/MQTT messages as they are framed
+	}
+}
+
 type perm struct {
 	allow *Sublist
 	deny  *Sublist
@@ -593,7 +643,6 @@ func (c *client) initClient() {
 	c.cid = atomic.AddUint64(&s.gcid, 1)
 
 	// Outbound data structure setup
-	c.out.sz = startBufSize
 	c.out.sg = sync.NewCond(&(c.mu))
 	opts := s.getOpts()
 	// Snapshots to avoid mutex access in fast paths.
@@ -752,15 +801,16 @@ func (c *client) subsAtLimit() bool {
 }
 
 func minLimit(value *int32, limit int32) bool {
-	if *value != jwt.NoLimit {
+	v := atomic.LoadInt32(value)
+	if v != jwt.NoLimit {
 		if limit != jwt.NoLimit {
-			if limit < *value {
-				*value = limit
+			if limit < v {
+				atomic.StoreInt32(value, limit)
 				return true
 			}
 		}
 	} else if limit != jwt.NoLimit {
-		*value = limit
+		atomic.StoreInt32(value, limit)
 		return true
 	}
 	return false
@@ -773,7 +823,7 @@ func (c *client) applyAccountLimits() {
 	if c.acc == nil || (c.kind != CLIENT && c.kind != LEAF) {
 		return
 	}
-	c.mpay = jwt.NoLimit
+	atomic.StoreInt32(&c.mpay, jwt.NoLimit)
 	c.msubs = jwt.NoLimit
 	if c.opts.JWT != _EMPTY_ { // user jwt implies account
 		if uc, _ := jwt.DecodeUserClaims(c.opts.JWT); uc != nil {
@@ -1107,7 +1157,7 @@ func (c *client) writeLoop() {
 // sent to during processing. We pass in a budget as a time.Duration
 // for how much time to spend in place flushing for this client.
 func (c *client) flushClients(budget time.Duration) time.Time {
-	last := time.Now().UTC()
+	last := time.Now()
 
 	// Check pending clients for flush.
 	for cp := range c.pcd {
@@ -1290,8 +1340,10 @@ func (c *client) readLoop(pre []byte) {
 		c.mu.Lock()
 
 		// Activity based on interest changes or data/msgs.
+		// Also update last receive activity for ping sender
 		if c.in.msgs > 0 || c.in.subs > 0 {
 			c.last = last
+			c.lastIn = last
 		}
 
 		if n >= cap(b) {
@@ -1353,11 +1405,6 @@ func (c *client) collapsePtoNB() (net.Buffers, int64) {
 	if c.isWebsocket() {
 		return c.wsCollapsePtoNB()
 	}
-	if c.out.p != nil {
-		p := c.out.p
-		c.out.p = nil
-		return append(c.out.nb, p), c.out.pb
-	}
 	return c.out.nb, c.out.pb
 }
 
@@ -1368,9 +1415,6 @@ func (c *client) handlePartialWrite(pnb net.Buffers) {
 		c.ws.frames = append(pnb, c.ws.frames...)
 		return
 	}
-	nb, _ := c.collapsePtoNB()
-	// The partial needs to be first, so append nb to pnb
-	c.out.nb = append(pnb, nb...)
 }
 
 // flushOutbound will flush outbound buffer to a client.
@@ -1394,26 +1438,38 @@ func (c *client) flushOutbound() bool {
 		return true // true because no need to queue a signal.
 	}
 
-	// Place primary on nb, assign primary to secondary, nil out nb and secondary.
-	nb, attempted := c.collapsePtoNB()
-	c.out.p, c.out.nb, c.out.s = c.out.s, nil, nil
-	if nb == nil {
-		return true
-	}
-
-	// For selecting primary replacement.
-	cnb := nb
-	var lfs int
-	if len(cnb) > 0 {
-		lfs = len(cnb[0])
-	}
+	// In the case of a normal socket connection, "collapsed" is just a ref
+	// to "nb". In the case of WebSockets, additional framing is added to
+	// anything that is waiting in "nb". Also keep a note of how many bytes
+	// were queued before we release the mutex.
+	collapsed, attempted := c.collapsePtoNB()
+
+	// Frustratingly, (net.Buffers).WriteTo() modifies the receiver so we
+	// can't work on "nb" directly — while the mutex is unlocked during IO,
+	// something else might call queueOutbound and modify it. So instead we
+	// need a working copy — we'll operate on "wnb" instead. Note that in
+	// the case of a partial write, "wnb" may have remaining data from the
+	// previous write, and in the case of WebSockets, that data may already
+	// be framed, so we are careful not to re-frame "wnb" here. Instead we
+	// will just frame up "nb" and append it onto whatever is left on "wnb".
+	// "nb" will be reset back to its starting position so it can be modified
+	// safely by queueOutbound calls.
+	c.out.wnb = append(c.out.wnb, collapsed...)
+	var _orig [1024][]byte
+	orig := append(_orig[:0], c.out.wnb...)
+	c.out.nb = c.out.nb[:0]
+
+	// Since WriteTo is lopping things off the beginning, we need to remember
+	// the start position of the underlying array so that we can get back to it.
+	// Otherwise we'll always "slide forward" and that will result in reallocs.
+	startOfWnb := c.out.wnb[0:]
 
 	// In case it goes away after releasing the lock.
 	nc := c.nc
-	apm := c.out.pm
 
 	// Capture this (we change the value in some tests)
 	wdl := c.out.wdl
+
 	// Do NOT hold lock during actual IO.
 	c.mu.Unlock()
 
@@ -1425,7 +1481,7 @@ func (c *client) flushOutbound() bool {
 	nc.SetWriteDeadline(start.Add(wdl))
 
 	// Actual write to the socket.
-	n, err := nb.WriteTo(nc)
+	n, err := c.out.wnb.WriteTo(nc)
 	nc.SetWriteDeadline(time.Time{})
 
 	lft := time.Since(start)
@@ -1433,11 +1489,35 @@ func (c *client) flushOutbound() bool {
 	// Re-acquire client lock.
 	c.mu.Lock()
 
+	// At this point, "wnb" has been mutated by WriteTo and any consumed
+	// buffers have been lopped off the beginning, so in order to return
+	// them to the pool, we need to look at the difference between "orig"
+	// and "wnb".
+	for i := 0; i < len(orig)-len(c.out.wnb); i++ {
+		nbPoolPut(orig[i])
+	}
+
+	// At this point it's possible that "nb" has been modified by another
+	// call to queueOutbound while the lock was released, so we'll leave
+	// those for the next iteration. Meanwhile it's possible that we only
+	// managed a partial write of "wnb", so we'll shift anything that
+	// remains up to the beginning of the array to prevent reallocating.
+	// Anything left in "wnb" has already been framed for WebSocket conns
+	// so leave them alone for the next call to flushOutbound.
+	c.out.wnb = append(startOfWnb[:0], c.out.wnb...)
+
+	// If we've written everything but the underlying array of our working
+	// buffer has grown excessively then free it — the GC will tidy it up
+	// and we can allocate a new one next time.
+	if len(c.out.wnb) == 0 && cap(c.out.wnb) > nbPoolSizeLarge*8 {
+		c.out.wnb = nil
+	}
+
 	// Ignore ErrShortWrite errors, they will be handled as partials.
 	if err != nil && err != io.ErrShortWrite {
 		// Handle timeout error (slow consumer) differently
 		if ne, ok := err.(net.Error); ok && ne.Timeout() {
-			if closed := c.handleWriteTimeout(n, attempted, len(cnb)); closed {
+			if closed := c.handleWriteTimeout(n, attempted, len(orig)); closed {
 				return true
 			}
 		} else {
@@ -1461,43 +1541,11 @@ func (c *client) flushOutbound() bool {
 	if c.isWebsocket() {
 		c.ws.fs -= n
 	}
-	c.out.pm -= apm // FIXME(dlc) - this will not be totally accurate on partials.
 
 	// Check for partial writes
 	// TODO(dlc) - zero write with no error will cause lost message and the writeloop to spin.
 	if n != attempted && n > 0 {
-		c.handlePartialWrite(nb)
-	} else if int32(n) >= c.out.sz {
-		c.out.sws = 0
-	}
-
-	// Adjust based on what we wrote plus any pending.
-	pt := n + c.out.pb
-
-	// Adjust sz as needed downward, keeping power of 2.
-	// We do this at a slower rate.
-	if pt < int64(c.out.sz) && c.out.sz > minBufSize {
-		c.out.sws++
-		if c.out.sws > shortsToShrink {
-			c.out.sz >>= 1
-		}
-	}
-	// Adjust sz as needed upward, keeping power of 2.
-	if pt > int64(c.out.sz) && c.out.sz < maxBufSize {
-		c.out.sz <<= 1
-	}
-
-	// Check to see if we can reuse buffers.
-	if lfs != 0 && n >= int64(lfs) {
-		oldp := cnb[0][:0]
-		if cap(oldp) >= int(c.out.sz) {
-			// Replace primary or secondary if they are nil, reusing same buffer.
-			if c.out.p == nil {
-				c.out.p = oldp
-			} else if c.out.s == nil || cap(c.out.s) < int(c.out.sz) {
-				c.out.s = oldp
-			}
-		}
+		c.handlePartialWrite(c.out.nb)
 	}
 
 	// Check that if there is still data to send and writeLoop is in wait,
@@ -1608,11 +1656,13 @@ func (c *client) markConnAsClosed(reason ClosedState) {
 			// TODO: May want to send events to single go routine instead
 			// of creating a new go routine for each save.
 			go c.srv.saveClosedClient(c, nc, reason)
+			// ** added by Memphis
 			if c.kind == CLIENT {
 				if err := c.memphisInfo.updateDisconnection(c.acc.GetName()); err != nil {
 					c.srv.Errorf("Disconnection update error: " + err.Error())
 				}
 			}
+			// ** added by Memphis
 		}
 	}
 	// If writeLoop exists, let it do the final flush, close and teardown.
@@ -1934,13 +1984,6 @@ func (c *client) sendErrAndDebug(err string) {
 	c.Debugf(err)
 }
 
-// *** added by Memphis
-func (c *client) sendErrAndWarn(funcName, err string) {
-	c.sendErr(err)
-	// c.Warnf("[tenant: %s]%s: %s", c.acc.GetName(), funcName, err)
-}
-// added by Memphis ***
-
 func (c *client) authTimeout() {
 	c.sendErrAndDebug("Authentication Timeout")
 	c.closeConnection(AuthenticationTimeout)
@@ -1961,6 +2004,7 @@ func (c *client) accountIdErr() {
 	c.sendErrAndDebug("Authorization Violation: Wrong / missing account ID")
 	c.closeConnection(MissingAccount)
 }
+
 // added by Memphis ***
 
 func (c *client) authViolation() {
@@ -1982,11 +2026,13 @@ func (c *client) authViolation() {
 			ErrAuthentication.Error(),
 			c.opts.Nkey)
 	} else if hasUsers {
-		c.Warnf("%s - User %q",
+		c.Warnf("%s - User %q", // ** changed by Memphis to Warnf
 			ErrAuthentication.Error(),
 			c.opts.Username)
 	} else {
-		c.Warnf(ErrAuthentication.Error())
+		if c.srv != nil {
+			c.Warnf(ErrAuthentication.Error()) // ** changed by Memphis to Warnf
+		}
 	}
 	if c.isMqtt() {
 		c.mqttEnqueueConnAck(mqttConnAckRCNotAuthorized, false)
@@ -2035,6 +2081,35 @@ func (c *client) queueOutbound(data []byte) {
 	// Add to pending bytes total.
 	c.out.pb += int64(len(data))
 
+	// Take a copy of the slice ref so that we can chop bits off the beginning
+	// without affecting the original "data" slice.
+	toBuffer := data
+
+	// All of the queued []byte have a fixed capacity, so if there's a []byte
+	// at the tail of the buffer list that isn't full yet, we should top that
+	// up first. This helps to ensure we aren't pulling more []bytes from the
+	// pool than we need to.
+	if len(c.out.nb) > 0 {
+		last := &c.out.nb[len(c.out.nb)-1]
+		if free := cap(*last) - len(*last); free > 0 {
+			if l := len(toBuffer); l < free {
+				free = l
+			}
+			*last = append(*last, toBuffer[:free]...)
+			toBuffer = toBuffer[free:]
+		}
+	}
+
+	// Now we can push the rest of the data into new []bytes from the pool
+	// in fixed size chunks. This ensures we don't go over the capacity of any
+	// of the buffers and end up reallocating.
+	for len(toBuffer) > 0 {
+		new := nbPoolGet(len(toBuffer))
+		n := copy(new[:cap(new)], toBuffer)
+		c.out.nb = append(c.out.nb, new[:n])
+		toBuffer = toBuffer[n:]
+	}
+
 	// Check for slow consumer via pending bytes limit.
 	// ok to return here, client is going away.
 	if c.kind == CLIENT && c.out.pb > c.out.mp {
@@ -2050,58 +2125,6 @@ func (c *client) queueOutbound(data []byte) {
 		return
 	}
 
-	if c.out.p == nil && len(data) < maxBufSize {
-		if c.out.sz == 0 {
-			c.out.sz = startBufSize
-		}
-		if c.out.s != nil && cap(c.out.s) >= int(c.out.sz) {
-			c.out.p = c.out.s
-			c.out.s = nil
-		} else {
-			// FIXME(dlc) - make power of 2 if less than maxBufSize?
-			c.out.p = make([]byte, 0, c.out.sz)
-		}
-	}
-	// Determine if we copy or reference
-	available := cap(c.out.p) - len(c.out.p)
-	if len(data) > available {
-		// We can't fit everything into existing primary, but message will
-		// fit in next one we allocate or utilize from the secondary.
-		// So copy what we can.
-		if available > 0 && len(data) < int(c.out.sz) {
-			c.out.p = append(c.out.p, data[:available]...)
-			data = data[available:]
-		}
-		// Put the primary on the nb if it has a payload
-		if len(c.out.p) > 0 {
-			c.out.nb = append(c.out.nb, c.out.p)
-			c.out.p = nil
-		}
-		// TODO: It was found with LeafNode and Websocket that referencing
-		// the data buffer when > maxBufSize would cause corruption
-		// (reproduced with small maxBufSize=10 and TestLeafNodeWSNoBufferCorruption).
-		// So always make a copy for now.
-
-		// We will copy to primary.
-		if c.out.p == nil {
-			// Grow here
-			if (c.out.sz << 1) <= maxBufSize {
-				c.out.sz <<= 1
-			}
-			if len(data) > int(c.out.sz) {
-				c.out.p = make([]byte, 0, len(data))
-			} else {
-				if c.out.s != nil && cap(c.out.s) >= int(c.out.sz) { // TODO(dlc) - Size mismatch?
-					c.out.p = c.out.s
-					c.out.s = nil
-				} else {
-					c.out.p = make([]byte, 0, c.out.sz)
-				}
-			}
-		}
-	}
-	c.out.p = append(c.out.p, data...)
-
 	// Check here if we should create a stall channel if we are falling behind.
 	// We do this here since if we wait for consumer's writeLoop it could be
 	// too late with large number of fan in producers.
@@ -2188,9 +2211,28 @@ func (c *client) generateClientInfoJSON(info Info) []byte {
 	info.CID = c.cid
 	info.ClientIP = c.host
 	info.MaxPayload = c.mpay
-	info.ConnectionId = c.memphisInfo.connectionId
+	info.ConnectionId = c.memphisInfo.connectionId // ** added by Memphis
 	if c.isWebsocket() {
 		info.ClientConnectURLs = info.WSConnectURLs
+		if c.srv != nil { // Otherwise lame duck info can panic
+			c.srv.websocket.mu.RLock()
+			info.TLSAvailable = c.srv.websocket.tls
+			if c.srv.websocket.tls && c.srv.websocket.server != nil {
+				if tc := c.srv.websocket.server.TLSConfig; tc != nil {
+					info.TLSRequired = !tc.InsecureSkipVerify
+				}
+			}
+			if c.srv.websocket.listener != nil {
+				laddr := c.srv.websocket.listener.Addr().String()
+				if h, p, err := net.SplitHostPort(laddr); err == nil {
+					if p, err := strconv.Atoi(p); err == nil {
+						info.Host = h
+						info.Port = p
+					}
+				}
+			}
+			c.srv.websocket.mu.RUnlock()
+		}
 	}
 	info.WSConnectURLs = nil
 	// Generate the info json
@@ -2231,7 +2273,7 @@ func (c *client) processPing() {
 
 	// Record this to suppress us sending one if this
 	// is within a given time interval for activity.
-	c.ping.last = time.Now()
+	c.lastIn = time.Now()
 
 	// If not a CLIENT, we are done. Also the CONNECT should
 	// have been received, but make sure it is so before proceeding
@@ -2270,9 +2312,7 @@ func (c *client) processPing() {
 		c.flags.set(firstPongSent)
 		// If there was a cluster update since this client was created,
 		// send an updated INFO protocol now.
-		// send connectionId to client if wasn't yet sent
-		if srv.lastCURLsUpdate >= c.start.UnixNano() || c.mpay != int32(opts.MaxPayload) || !c.flags.isSet(connectionIdSent) {
-			c.flags.set(connectionIdSent)
+		if srv.lastCURLsUpdate >= c.start.UnixNano() || c.mpay != int32(opts.MaxPayload) {
 			c.enqueueProto(c.generateClientInfoJSON(srv.copyInfo()))
 		}
 		c.mu.Unlock()
@@ -2588,7 +2628,7 @@ func (c *client) processSubEx(subject, queue, bsid []byte, cb msgHandler, noForw
 		}
 	}
 	// Now check on leafnode updates.
-	srv.updateLeafNodes(acc, sub, 1)
+	acc.updateLeafNodes(sub, 1)
 	return sub, nil
 }
 
@@ -2887,7 +2927,7 @@ func (c *client) unsubscribe(acc *Account, sub *subscription, force, remove bool
 			}
 		}
 		// Now check on leafnode updates.
-		c.srv.updateLeafNodes(nsub.im.acc, nsub, -1)
+		nsub.im.acc.updateLeafNodes(nsub, -1)
 	}
 
 	// Now check to see if this was part of a respMap entry for service imports.
@@ -2951,7 +2991,7 @@ func (c *client) processUnsub(arg []byte) error {
 			}
 		}
 		// Now check on leafnode updates.
-		srv.updateLeafNodes(acc, sub, -1)
+		acc.updateLeafNodes(sub, -1)
 	}
 
 	return nil
@@ -3134,18 +3174,14 @@ var needFlush = struct{}{}
 // deliverMsg will deliver a message to a matching subscription and its underlying client.
 // We process all connection/client types. mh is the part that will be protocol/client specific.
 func (c *client) deliverMsg(prodIsMQTT bool, sub *subscription, acc *Account, subject, reply, mh, msg []byte, gwrply bool) bool {
-	if sub.client == nil {
+	// Check sub client and check echo. Only do this if not a service import.
+	if sub.client == nil || (c == sub.client && !sub.client.echo && !sub.si) {
 		return false
 	}
+
 	client := sub.client
 	client.mu.Lock()
 
-	// Check echo
-	if c == client && !client.echo {
-		client.mu.Unlock()
-		return false
-	}
-
 	// Check if we have a subscribe deny clause. This will trigger us to check the subject
 	// for a match against the denied subjects.
 	if client.mperms != nil && client.checkDenySub(string(subject)) {
@@ -3298,8 +3334,6 @@ func (c *client) deliverMsg(prodIsMQTT bool, sub *subscription, acc *Account, su
 		client.queueOutbound([]byte(CR_LF))
 	}
 
-	client.out.pm++
-
 	// If we are tracking dynamic publish permissions that track reply subjects,
 	// do that accounting here. We only look at client.replies which will be non-nil.
 	if client.replies != nil && len(reply) > 0 {
@@ -3314,7 +3348,7 @@ func (c *client) deliverMsg(prodIsMQTT bool, sub *subscription, acc *Account, su
 	// to intervene before this producer goes back to top of readloop. We are in the producer's
 	// readloop go routine at this point.
 	// FIXME(dlc) - We may call this alot, maybe suppress after first call?
-	if client.out.pm > 1 && client.out.pb > maxBufSize*2 {
+	if len(client.out.nb) != 0 {
 		client.flushSignal()
 	}
 
@@ -3598,15 +3632,21 @@ func (c *client) processInboundClientMsg(msg []byte) (bool, bool) {
 	}
 
 	// Mostly under testing scenarios.
+	c.mu.Lock()
 	if c.srv == nil || c.acc == nil {
+		c.mu.Unlock()
 		return false, false
 	}
+	acc := c.acc
+	genidAddr := &acc.sl.genid
 
 	// Check pub permissions
-	if c.perms != nil && (c.perms.pub.allow != nil || c.perms.pub.deny != nil) && !c.pubAllowed(string(c.pa.subject)) {
+	if c.perms != nil && (c.perms.pub.allow != nil || c.perms.pub.deny != nil) && !c.pubAllowedFullCheck(string(c.pa.subject), true, true) {
+		c.mu.Unlock()
 		c.pubPermissionViolation(c.pa.subject)
 		return false, true
 	}
+	c.mu.Unlock()
 
 	// Now check for reserved replies. These are used for service imports.
 	if c.kind == CLIENT && len(c.pa.reply) > 0 && isReservedReply(c.pa.reply) {
@@ -3627,10 +3667,10 @@ func (c *client) processInboundClientMsg(msg []byte) (bool, bool) {
 	// performance impact reported in our bench)
 	var isGWRouted bool
 	if c.kind != CLIENT {
-		if atomic.LoadInt32(&c.acc.gwReplyMapping.check) > 0 {
-			c.acc.mu.RLock()
-			c.pa.subject, isGWRouted = c.acc.gwReplyMapping.get(c.pa.subject)
-			c.acc.mu.RUnlock()
+		if atomic.LoadInt32(&acc.gwReplyMapping.check) > 0 {
+			acc.mu.RLock()
+			c.pa.subject, isGWRouted = acc.gwReplyMapping.get(c.pa.subject)
+			acc.mu.RUnlock()
 		}
 	} else if atomic.LoadInt32(&c.gwReplyMapping.check) > 0 {
 		c.mu.Lock()
@@ -3673,7 +3713,7 @@ func (c *client) processInboundClientMsg(msg []byte) (bool, bool) {
 	var r *SublistResult
 	var ok bool
 
-	genid := atomic.LoadUint64(&c.acc.sl.genid)
+	genid := atomic.LoadUint64(genidAddr)
 	if genid == c.in.genid && c.in.results != nil {
 		r, ok = c.in.results[string(c.pa.subject)]
 	} else {
@@ -3684,15 +3724,17 @@ func (c *client) processInboundClientMsg(msg []byte) (bool, bool) {
 
 	// Go back to the sublist data structure.
 	if !ok {
-		r = c.acc.sl.Match(string(c.pa.subject))
-		c.in.results[string(c.pa.subject)] = r
-		// Prune the results cache. Keeps us from unbounded growth. Random delete.
-		if len(c.in.results) > maxResultCacheSize {
-			n := 0
-			for subject := range c.in.results {
-				delete(c.in.results, subject)
-				if n++; n > pruneSize {
-					break
+		r = acc.sl.Match(string(c.pa.subject))
+		if len(r.psubs)+len(r.qsubs) > 0 {
+			c.in.results[string(c.pa.subject)] = r
+			// Prune the results cache. Keeps us from unbounded growth. Random delete.
+			if len(c.in.results) > maxResultCacheSize {
+				n := 0
+				for subject := range c.in.results {
+					delete(c.in.results, subject)
+					if n++; n > pruneSize {
+						break
+					}
 				}
 			}
 		}
@@ -3715,7 +3757,7 @@ func (c *client) processInboundClientMsg(msg []byte) (bool, bool) {
 			atomic.LoadInt64(&c.srv.gateway.totalQSubs) > 0 {
 			flag |= pmrCollectQueueNames
 		}
-		didDeliver, qnames = c.processMsgResults(c.acc, r, msg, c.pa.deliver, c.pa.subject, c.pa.reply, flag)
+		didDeliver, qnames = c.processMsgResults(acc, r, msg, c.pa.deliver, c.pa.subject, c.pa.reply, flag)
 	}
 
 	// Now deal with gateways
@@ -3725,7 +3767,7 @@ func (c *client) processInboundClientMsg(msg []byte) (bool, bool) {
 			reply = append(reply, '@')
 			reply = append(reply, c.pa.deliver...)
 		}
-		didDeliver = c.sendMsgToGateways(c.acc, msg, c.pa.subject, reply, qnames) || didDeliver
+		didDeliver = c.sendMsgToGateways(acc, msg, c.pa.subject, reply, qnames) || didDeliver
 	}
 
 	// Check to see if we did not deliver to anyone and the client has a reply subject set
@@ -3931,6 +3973,7 @@ func (c *client) processServiceImport(si *serviceImport, acc *Account, msg []byt
 			checkJS = true
 		}
 	}
+	siAcc := si.acc
 	acc.mu.RUnlock()
 
 	// We have a special case where JetStream pulls in all service imports through one export.
@@ -3961,7 +4004,7 @@ func (c *client) processServiceImport(si *serviceImport, acc *Account, msg []byt
 		}
 	} else if !isResponse && si.latency != nil && tracking {
 		// Check to see if this was a bad request with no reply and we were supposed to be tracking.
-		si.acc.sendBadRequestTrackingLatency(si, c, headers)
+		siAcc.sendBadRequestTrackingLatency(si, c, headers)
 	}
 
 	// Send tracking info here if we are tracking this response.
@@ -3989,7 +4032,7 @@ func (c *client) processServiceImport(si *serviceImport, acc *Account, msg []byt
 	// Now check to see if this account has mappings that could affect the service import.
 	// Can't use non-locked trick like in processInboundClientMsg, so just call into selectMappedSubject
 	// so we only lock once.
-	nsubj, changed := si.acc.selectMappedSubject(to)
+	nsubj, changed := siAcc.selectMappedSubject(to)
 	if changed {
 		c.pa.mapped = []byte(to)
 		to = nsubj
@@ -4006,7 +4049,7 @@ func (c *client) processServiceImport(si *serviceImport, acc *Account, msg []byt
 	// Place our client info for the request in the original message.
 	// This will survive going across routes, etc.
 	if !isResponse {
-		isSysImport := si.acc == c.srv.SystemAccount()
+		isSysImport := siAcc == c.srv.SystemAccount()
 		var ci *ClientInfo
 		if hadPrevSi && c.pa.hdr >= 0 {
 			var cis ClientInfo
@@ -4047,11 +4090,11 @@ func (c *client) processServiceImport(si *serviceImport, acc *Account, msg []byt
 	c.pa.reply = nrr
 
 	if changed && c.isMqtt() && c.pa.hdr > 0 {
-		c.srv.mqttStoreQoS1MsgForAccountOnNewSubject(c.pa.hdr, msg, si.acc.GetName(), to)
+		c.srv.mqttStoreQoS1MsgForAccountOnNewSubject(c.pa.hdr, msg, siAcc.GetName(), to)
 	}
 
 	// FIXME(dlc) - Do L1 cache trick like normal client?
-	rr := si.acc.sl.Match(to)
+	rr := siAcc.sl.Match(to)
 
 	// If we are a route or gateway or leafnode and this message is flipped to a queue subscriber we
 	// need to handle that since the processMsgResults will want a queue filter.
@@ -4076,10 +4119,10 @@ func (c *client) processServiceImport(si *serviceImport, acc *Account, msg []byt
 	if c.srv.gateway.enabled {
 		flags |= pmrCollectQueueNames
 		var queues [][]byte
-		didDeliver, queues = c.processMsgResults(si.acc, rr, msg, c.pa.deliver, []byte(to), nrr, flags)
-		didDeliver = c.sendMsgToGateways(si.acc, msg, []byte(to), nrr, queues) || didDeliver
+		didDeliver, queues = c.processMsgResults(siAcc, rr, msg, c.pa.deliver, []byte(to), nrr, flags)
+		didDeliver = c.sendMsgToGateways(siAcc, msg, []byte(to), nrr, queues) || didDeliver
 	} else {
-		didDeliver, _ = c.processMsgResults(si.acc, rr, msg, c.pa.deliver, []byte(to), nrr, flags)
+		didDeliver, _ = c.processMsgResults(siAcc, rr, msg, c.pa.deliver, []byte(to), nrr, flags)
 	}
 
 	// Restore to original values.
@@ -4112,7 +4155,7 @@ func (c *client) processServiceImport(si *serviceImport, acc *Account, msg []byt
 		} else {
 			// This is a main import and since we could not even deliver to the exporting account
 			// go ahead and remove the respServiceImport we created above.
-			si.acc.removeRespServiceImport(rsi, reason)
+			siAcc.removeRespServiceImport(rsi, reason)
 		}
 	}
 }
@@ -4199,7 +4242,7 @@ func (c *client) processMsgResults(acc *Account, r *SublistResult, msg, deliver,
 	// delivery subject for clients
 	var dsubj []byte
 	// Used as scratch if mapping
-	var _dsubj [64]byte
+	var _dsubj [128]byte
 
 	// For stats, we will keep track of the number of messages that have been
 	// delivered and then multiply by the size of that message and update
@@ -4612,17 +4655,14 @@ func (c *client) processPingTimer() {
 	now := time.Now()
 	needRTT := c.rtt == 0 || now.Sub(c.rttStart) > DEFAULT_RTT_MEASUREMENT_INTERVAL
 
-	// Do not delay PINGs for GATEWAY or spoke LEAF connections.
-	if c.kind == GATEWAY || c.isSpokeLeafNode() {
+	// Do not delay PINGs for ROUTER, GATEWAY or spoke LEAF connections.
+	if c.kind == ROUTER || c.kind == GATEWAY || c.isSpokeLeafNode() {
 		sendPing = true
 	} else {
-		// If we have had activity within the PingInterval then
-		// there is no need to send a ping. This can be client data
-		// or if we received a ping from the other side.
-		if delta := now.Sub(c.last); delta < pingInterval && !needRTT {
-			c.Debugf("Delaying PING due to client activity %v ago", delta.Round(time.Second))
-		} else if delta := now.Sub(c.ping.last); delta < pingInterval && !needRTT {
-			c.Debugf("Delaying PING due to remote ping %v ago", delta.Round(time.Second))
+		// If we received client data or a ping from the other side within the PingInterval,
+		// then there is no need to send a ping.
+		if delta := now.Sub(c.lastIn); delta < pingInterval && !needRTT {
+			c.Debugf("Delaying PING due to remote client data or ping %v ago", delta.Round(time.Second))
 		} else {
 			sendPing = true
 		}
@@ -4730,7 +4770,10 @@ func (c *client) flushAndClose(minimalFlush bool) {
 		}
 		c.flushOutbound()
 	}
-	c.out.p, c.out.s = nil, nil
+	for i := range c.out.nb {
+		nbPoolPut(c.out.nb[i])
+	}
+	c.out.nb = nil
 
 	// Close the low level connection.
 	if c.nc != nil {
@@ -4769,12 +4812,19 @@ func (c *client) kindString() string {
 // an older one.
 func (c *client) swapAccountAfterReload() {
 	c.mu.Lock()
-	defer c.mu.Unlock()
-	if c.srv == nil {
+	srv := c.srv
+	an := c.acc.GetName()
+	c.mu.Unlock()
+	if srv == nil {
 		return
 	}
-	acc, _ := c.srv.LookupAccount(c.acc.Name)
-	c.acc = acc
+	if acc, _ := srv.LookupAccount(an); acc != nil {
+		c.mu.Lock()
+		if c.acc != acc {
+			c.acc = acc
+		}
+		c.mu.Unlock()
+	}
 }
 
 // processSubsOnConfigReload removes any subscriptions the client has that are no
@@ -4941,7 +4991,7 @@ func (c *client) closeConnection(reason ClosedState) {
 							srv.gatewayUpdateSubInterest(acc.Name, sub, -1)
 						}
 					}
-					srv.updateLeafNodes(acc, sub, -1)
+					acc.updateLeafNodes(sub, -1)
 				} else {
 					// We handle queue subscribers special in case we
 					// have a bunch we can just send one update to the
@@ -4966,7 +5016,7 @@ func (c *client) closeConnection(reason ClosedState) {
 						srv.gatewayUpdateSubInterest(acc.Name, esub.sub, -(esub.n))
 					}
 				}
-				srv.updateLeafNodes(acc, esub.sub, -(esub.n))
+				acc.updateLeafNodes(esub.sub, -(esub.n))
 			}
 			if prev := acc.removeClient(c); prev == 1 {
 				srv.decActiveAccounts()
@@ -5309,7 +5359,10 @@ func (c *client) doTLSHandshake(typ string, solicit bool, url *url.URL, tlsConfi
 		if solicit {
 			// Based on type of error, possibly clear the saved tlsName
 			// See: https://github.com/nats-io/nats-server/issues/1256
-			if _, ok := err.(x509.HostnameError); ok {
+			// NOTE: As of Go 1.20, the HostnameError is wrapped so cannot
+			// type assert to check directly.
+			var hostnameErr x509.HostnameError
+			if errors.As(err, &hostnameErr) {
 				if host == tlsName {
 					resetTLSName = true
 				}
@@ -5353,20 +5406,28 @@ func (c *client) doTLSHandshake(typ string, solicit bool, url *url.URL, tlsConfi
 	return false, err
 }
 
-// getRAwAuthUser returns the raw auth user for the client.
+// getRawAuthUserLock returns the raw auth user for the client.
+// Will acquire the client lock.
+func (c *client) getRawAuthUserLock() string {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	return c.getRawAuthUser()
+}
+
+// getRawAuthUser returns the raw auth user for the client.
 // Lock should be held.
 func (c *client) getRawAuthUser() string {
 	switch {
-	case c.opts.Nkey != "":
+	case c.opts.Nkey != _EMPTY_:
 		return c.opts.Nkey
-	case c.opts.Username != "":
+	case c.opts.Username != _EMPTY_:
 		return c.opts.Username
-	case c.opts.JWT != "":
+	case c.opts.JWT != _EMPTY_:
 		return c.pubKey
-	case c.opts.Token != "":
+	case c.opts.Token != _EMPTY_:
 		return c.opts.Token
 	default:
-		return ""
+		return _EMPTY_
 	}
 }
 
@@ -5374,11 +5435,11 @@ func (c *client) getRawAuthUser() string {
 // Lock should be held.
 func (c *client) getAuthUser() string {
 	switch {
-	case c.opts.Nkey != "":
+	case c.opts.Nkey != _EMPTY_:
 		return fmt.Sprintf("Nkey %q", c.opts.Nkey)
-	case c.opts.Username != "":
+	case c.opts.Username != _EMPTY_:
 		return fmt.Sprintf("User %q", c.opts.Username)
-	case c.opts.JWT != "":
+	case c.opts.JWT != _EMPTY_:
 		return fmt.Sprintf("JWT User %q", c.pubKey)
 	default:
 		return `User "N/A"`
@@ -5480,10 +5541,12 @@ func (c *client) Tracef(format string, v ...interface{}) {
 	c.srv.Tracef(format, v...)
 }
 
+// ** added by Memphis
 func (c *client) Systemf(format string, v ...interface{}) {
 	format = fmt.Sprintf("%s - %s", c, format)
 	c.srv.Systemf(format, v...)
 }
+// ** added by Memphis
 
 func (c *client) Warnf(format string, v ...interface{}) {
 	format = fmt.Sprintf("%s - %s", c, format)
diff --git a/server/client_test.go b/server/client_test.go
index 2ff9d2c41..518df8867 100644
--- a/server/client_test.go
+++ b/server/client_test.go
@@ -31,7 +31,6 @@ import (
 	"testing"
 	"time"
 
-	"crypto/rand"
 	"crypto/tls"
 
 	"github.com/nats-io/jwt/v2"
@@ -1484,7 +1483,11 @@ func TestWildcardCharsInLiteralSubjectWorks(t *testing.T) {
 	}
 }
 
-func TestDynamicBuffers(t *testing.T) {
+// This test ensures that coalescing into the fixed-size output
+// queues works as expected. When bytes are queued up, they should
+// not overflow a buffer until the capacity is exceeded, at which
+// point a new buffer should be added.
+func TestClientOutboundQueueCoalesce(t *testing.T) {
 	opts := DefaultOptions()
 	s := RunServer(opts)
 	defer s.Shutdown()
@@ -1495,139 +1498,49 @@ func TestDynamicBuffers(t *testing.T) {
 	}
 	defer nc.Close()
 
-	// Grab the client from server.
-	s.mu.Lock()
-	lc := len(s.clients)
-	c := s.clients[s.gcid]
-	s.mu.Unlock()
-
-	if lc != 1 {
-		t.Fatalf("Expected only 1 client but got %d\n", lc)
-	}
-	if c == nil {
-		t.Fatal("Expected to retrieve client\n")
+	clients := s.GlobalAccount().getClients()
+	if len(clients) != 1 {
+		t.Fatal("Expecting a client to exist")
 	}
+	client := clients[0]
+	client.mu.Lock()
+	defer client.mu.Unlock()
 
-	// Create some helper functions and data structures.
-	done := make(chan bool)            // Used to stop recording.
-	type maxv struct{ rsz, wsz int32 } // Used to hold max values.
-	results := make(chan maxv)
+	// First up, queue something small into the queue.
+	client.queueOutbound([]byte{1, 2, 3, 4, 5})
 
-	// stopRecording stops the recording ticker and releases go routine.
-	stopRecording := func() maxv {
-		done <- true
-		return <-results
+	if len(client.out.nb) != 1 {
+		t.Fatal("Expecting a single queued buffer")
 	}
-	// max just grabs max values.
-	max := func(a, b int32) int32 {
-		if a > b {
-			return a
-		}
-		return b
+	if l := len(client.out.nb[0]); l != 5 {
+		t.Fatalf("Expecting only 5 bytes in the first queued buffer, found %d instead", l)
 	}
-	// Returns current value of the buffer sizes.
-	getBufferSizes := func() (int32, int32) {
-		c.mu.Lock()
-		defer c.mu.Unlock()
-		return c.in.rsz, c.out.sz
-	}
-	// Record the max values seen.
-	recordMaxBufferSizes := func() {
-		ticker := time.NewTicker(10 * time.Microsecond)
-		defer ticker.Stop()
-
-		var m maxv
 
-		recordMax := func() {
-			rsz, wsz := getBufferSizes()
-			m.rsz = max(m.rsz, rsz)
-			m.wsz = max(m.wsz, wsz)
-		}
+	// Then queue up a few more bytes, but not enough
+	// to overflow into the next buffer.
+	client.queueOutbound([]byte{6, 7, 8, 9, 10})
 
-		for {
-			select {
-			case <-done:
-				recordMax()
-				results <- m
-				return
-			case <-ticker.C:
-				recordMax()
-			}
-		}
+	if len(client.out.nb) != 1 {
+		t.Fatal("Expecting a single queued buffer")
 	}
-	// Check that the current value is what we expected.
-	checkBuffers := func(ers, ews int32) {
-		t.Helper()
-		rsz, wsz := getBufferSizes()
-		if rsz != ers {
-			t.Fatalf("Expected read buffer of %d, but got %d\n", ers, rsz)
-		}
-		if wsz != ews {
-			t.Fatalf("Expected write buffer of %d, but got %d\n", ews, wsz)
-		}
+	if l := len(client.out.nb[0]); l != 10 {
+		t.Fatalf("Expecting 10 bytes in the first queued buffer, found %d instead", l)
 	}
 
-	// Check that the max was as expected.
-	checkResults := func(m maxv, rsz, wsz int32) {
-		t.Helper()
-		if rsz != m.rsz {
-			t.Fatalf("Expected read buffer of %d, but got %d\n", rsz, m.rsz)
-		}
-		if wsz != m.wsz {
-			t.Fatalf("Expected write buffer of %d, but got %d\n", wsz, m.wsz)
-		}
-	}
-
-	// Here is where testing begins..
-
-	// Should be at or below the startBufSize for both.
-	rsz, wsz := getBufferSizes()
-	if rsz > startBufSize {
-		t.Fatalf("Expected read buffer of <= %d, but got %d\n", startBufSize, rsz)
-	}
-	if wsz > startBufSize {
-		t.Fatalf("Expected write buffer of <= %d, but got %d\n", startBufSize, wsz)
-	}
-
-	// Send some data.
-	data := make([]byte, 2048)
-	rand.Read(data)
-
-	go recordMaxBufferSizes()
-	for i := 0; i < 200; i++ {
-		nc.Publish("foo", data)
-	}
-	nc.Flush()
-	m := stopRecording()
-
-	if m.rsz != maxBufSize && m.rsz != maxBufSize/2 {
-		t.Fatalf("Expected read buffer of %d or %d, but got %d\n", maxBufSize, maxBufSize/2, m.rsz)
+	// Finally, queue up something that is guaranteed
+	// to overflow.
+	b := nbPoolSmall.Get().(*[nbPoolSizeSmall]byte)[:]
+	b = b[:cap(b)]
+	client.queueOutbound(b)
+	if len(client.out.nb) != 2 {
+		t.Fatal("Expecting buffer to have overflowed")
 	}
-	if m.wsz > startBufSize {
-		t.Fatalf("Expected write buffer of <= %d, but got %d\n", startBufSize, m.wsz)
+	if l := len(client.out.nb[0]); l != cap(b) {
+		t.Fatalf("Expecting %d bytes in the first queued buffer, found %d instead", cap(b), l)
 	}
-
-	// Create Subscription to test outbound buffer from server.
-	nc.Subscribe("foo", func(m *nats.Msg) {
-		// Just eat it..
-	})
-	go recordMaxBufferSizes()
-
-	for i := 0; i < 200; i++ {
-		nc.Publish("foo", data)
-	}
-	nc.Flush()
-
-	m = stopRecording()
-	checkResults(m, maxBufSize, maxBufSize)
-
-	// Now test that we shrink correctly.
-
-	// Should go to minimum for both..
-	for i := 0; i < 20; i++ {
-		nc.Flush()
+	if l := len(client.out.nb[1]); l != 10 {
+		t.Fatalf("Expecting 10 bytes in the second queued buffer, found %d instead", l)
 	}
-	checkBuffers(minBufSize, minBufSize)
 }
 
 func TestClientTraceRace(t *testing.T) {
@@ -2246,7 +2159,6 @@ func TestFlushOutboundNoSliceReuseIfPartial(t *testing.T) {
 		expected.Write(buf)
 		c.mu.Lock()
 		c.queueOutbound(buf)
-		c.out.sz = 10
 		c.flushOutbound()
 		fakeConn.partial = false
 		c.mu.Unlock()
diff --git a/server/config_check_test.go b/server/config_check_test.go
index 74f9e75d8..9b1e6d250 100644
--- a/server/config_check_test.go
+++ b/server/config_check_test.go
@@ -1579,13 +1579,30 @@ func TestConfigCheck(t *testing.T) {
 			errorLine: 5,
 			errorPos:  6,
 		},
+		{
+			name:       "show warnings on empty configs without values",
+			config:     ``,
+			warningErr: errors.New(`config has no values or is empty`),
+			errorLine:  0,
+			errorPos:   0,
+			reason:     "",
+		},
+		{
+			name: "show warnings on empty configs without values and only comments",
+			config: `# Valid file but has no usable values.
+                                    `,
+			warningErr: errors.New(`config has no values or is empty`),
+			errorLine:  0,
+			errorPos:   0,
+			reason:     "",
+		},
 	}
 
 	checkConfig := func(config string) error {
 		opts := &Options{
 			CheckConfig: true,
 		}
-		return opts.ProcessConfigFile(config, false)
+		return opts.ProcessConfigFile(config, false) // ** false added by Memphis
 	}
 
 	checkErr := func(t *testing.T, err, expectedErr error) {
@@ -1620,6 +1637,8 @@ func TestConfigCheck(t *testing.T) {
 					if test.reason != "" {
 						msg += ": " + test.reason
 					}
+				} else if test.warningErr != nil {
+					msg = expectedErr.Error()
 				} else {
 					msg = test.reason
 				}
@@ -1639,7 +1658,7 @@ func TestConfigCheckIncludes(t *testing.T) {
 	opts := &Options{
 		CheckConfig: true,
 	}
-	err := opts.ProcessConfigFile("./configs/include_conf_check_a.conf", false)
+	err := opts.ProcessConfigFile("./configs/include_conf_check_a.conf", false) // ** false added by Memphis
 	if err != nil {
 		t.Errorf("Unexpected error processing include files with configuration check enabled: %v", err)
 	}
@@ -1647,7 +1666,7 @@ func TestConfigCheckIncludes(t *testing.T) {
 	opts = &Options{
 		CheckConfig: true,
 	}
-	err = opts.ProcessConfigFile("./configs/include_bad_conf_check_a.conf", false)
+	err = opts.ProcessConfigFile("./configs/include_bad_conf_check_a.conf", false) // ** false added by Memphis
 	if err == nil {
 		t.Errorf("Expected error processing include files with configuration check enabled: %v", err)
 	}
@@ -1661,7 +1680,7 @@ func TestConfigCheckMultipleErrors(t *testing.T) {
 	opts := &Options{
 		CheckConfig: true,
 	}
-	err := opts.ProcessConfigFile("./configs/multiple_errors.conf", false)
+	err := opts.ProcessConfigFile("./configs/multiple_errors.conf", false) // ** false added by Memphis
 	if err == nil {
 		t.Errorf("Expected error processing config files with multiple errors check enabled: %v", err)
 	}
diff --git a/server/configs/certs/tls/benchmark-ca-cert.pem b/server/configs/certs/tls/benchmark-ca-cert.pem
new file mode 100644
index 000000000..f91985a67
--- /dev/null
+++ b/server/configs/certs/tls/benchmark-ca-cert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID2zCCAsOgAwIBAgIUZj0PngA93uUSShcRndTQju/J88YwDQYJKoZIhvcNAQEL
+BQAwfDETMBEGA1UEAwwKbmF0cy5pby5DQTEiMCAGA1UECwwZUGVyZm9ybWFuY2VB
+bmRSZWxpYWJpbGl0eTEQMA4GA1UECgwHU3luYWRpYTEQMA4GA1UEBwwHVG9yb250
+bzEQMA4GA1UECAwHT250YXJpbzELMAkGA1UEBhMCQ0EwIBcNMjMwODE0MTUyNzU3
+WhgPMjEyMzA3MjExNTI3NTdaMHwxEzARBgNVBAMMCm5hdHMuaW8uQ0ExIjAgBgNV
+BAsMGVBlcmZvcm1hbmNlQW5kUmVsaWFiaWxpdHkxEDAOBgNVBAoMB1N5bmFkaWEx
+EDAOBgNVBAcMB1Rvcm9udG8xEDAOBgNVBAgMB09udGFyaW8xCzAJBgNVBAYTAkNB
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2cCyJL+DExUyZto2eFLm
+MBRSkQLxM9pOWB9O8TecHlPcc/SPGq/x9lpguJ/IiaUj+VffVWy236KW2JL5Xj83
+PZwhXi1yZzxlIBsKAgAUeNfWuTAc0K0Qm9pR5Wjv5eNcT0mw6JX0SPgUQAl9BSwU
+WvtMOTxOt0hBjHmZaEamp7nLmwogpvgPsrubD6U4O/vUQm3JTsbp2rFQxXPpkG19
+69PGsT37r0/w9Zv0xNAcB/zCWdNBXCTA2ACV2IpJedWm8Jrjcn3Kp4Fv3TKTsCZl
+eWtfxCdljndk88+NFK7cEw7b9Bs5R5Zhu20C+Ne8vmMWhYbVBFYws5/jGzPBkVTD
+7wIDAQABo1MwUTAdBgNVHQ4EFgQUEqfeAemfeIp4MM4C7H1bJS+mra4wHwYDVR0j
+BBgwFoAUEqfeAemfeIp4MM4C7H1bJS+mra4wDwYDVR0TAQH/BAUwAwEB/zANBgkq
+hkiG9w0BAQsFAAOCAQEAiamiPxOlZ0pwOJvv0ylDreHVk2kast67YlhAOcZoSMvi
+e2jbKL98U3+ZznGj21AKqEaOkO7UmKoJ/3QlrjgElXzcMUrUrJ1WNowlbXPlAhyL
+KhNthLKUr72Tv6wv5GZdAR6DaAwq3iYTbpnLq4oCnFHiXgDWgWyJDLsTGulWve/K
+GGM2JMcnacNgNC18uki440Wcfp0vGj9HhO6I/u63oGewZnIK87GQMQCt3JLFyiUc
+hrn9nWoixFWcJfCjBcMlwZXMIAlDdelU1/hWtSknKCs57GvZuACcicAYiYIkWCkd
+p1pF4G0Ic6irAnLTqhdGwL4+5pjNd1Ih0Gezn9hJLg==
+-----END CERTIFICATE-----
diff --git a/server/configs/certs/tls/benchmark-ca-key.pem b/server/configs/certs/tls/benchmark-ca-key.pem
new file mode 100644
index 000000000..69bbac4fc
--- /dev/null
+++ b/server/configs/certs/tls/benchmark-ca-key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDZwLIkv4MTFTJm
+2jZ4UuYwFFKRAvEz2k5YH07xN5weU9xz9I8ar/H2WmC4n8iJpSP5V99VbLbfopbY
+kvlePzc9nCFeLXJnPGUgGwoCABR419a5MBzQrRCb2lHlaO/l41xPSbDolfRI+BRA
+CX0FLBRa+0w5PE63SEGMeZloRqanucubCiCm+A+yu5sPpTg7+9RCbclOxunasVDF
+c+mQbX3r08axPfuvT/D1m/TE0BwH/MJZ00FcJMDYAJXYikl51abwmuNyfcqngW/d
+MpOwJmV5a1/EJ2WOd2Tzz40UrtwTDtv0GzlHlmG7bQL417y+YxaFhtUEVjCzn+Mb
+M8GRVMPvAgMBAAECggEASvFWfm5JMtqjP6HPiGbjoV2FMzJjiFiUiSCxXzSn7wom
+v+PGEsXGTWa6jiAz+SeUc38KNtDVOa+wIfani4fPP82J8GtMyfoPxdZ4gcq8QQDr
+/k1wRWOi6Tjg4cdVdXXkMcencs0VR73V3lpFpG+Qy+VcTQCUCOF96dZ59VkHh4a4
+CHX6PegOWwr0TSaCUacwhua+rPmCar/btAYv7Wp7+c+Zf7Rn2WYTV7ol4sYXR4ZQ
+Sy/ROijeFTMkYNpaW/KOO2/pn3OJA8ycYH8UWZpsenPfIajC0Eka7BoEQpw6M8HR
+wRWrKwssBEs0psFiq9s8J+6resPgXfU/9pf+mTkTqQKBgQD8kktUqN+vYc6t22DE
+tSkg8y8OsGh9VTYfp7x5hu9qEC9t4mAKjqA/rRLiTXze/wInntreRTjjMb/NlqMy
+PvI0Z+dM1UuqcF1axgKrIYsgnLJWuunOhaj5K3LhiNcHznlCtN9601dbccwLlQhL
+5jdjnOuJ0i+Nh9v5oiu37SfldwKBgQDctWdbF4hJrBPnS6CcojuQj6ha10wYYe46
+ZVcxKe5hFBs1q975YCHnEntyCDvXGfOTRgbKeZbwNhMvAc7Pp6eGMR/9SpiRwTt4
+567hUz56WXVmp4gSvxoNuYRlWiMI8rZkyKJ8KFipvHgRa8nuamh0QBB4ShEJiVk8
+fhaUiZeTSQKBgF0hAD/OKPR9Jv06J9tARVMN+Cr9ZvnXwqY3biqNU5gTMbndv7YE
+0xfHlG/3THTZKI09aMyOT6SOQn/m7HPpe9tQ+Jt/BnBpEDMZUgCR1MAIp0WNlAp/
+hEej+q8oiskpG9M56DFc3hgsxKT8pdt+nqvPP5ZI9xnDn5vTbTVbb9uPAoGAFRvU
+csXhZwpqLOjyx4hMohrbQzTsNjjHjBY9LJqSDf7aS1vQy5ECLRN7cwCOmJgGz8MW
+yy6t3POPCiPmH74tK4xvPs5voSEWCw49j5dillkP/W1wejqEx2NC4l6okyaDg0gd
+IjrJoBJCeYgRnBfZPaUS7i5HSt40BrEYf8RZFuECgYAjSnvY8nYFRudsylYOu3TL
+AcGbAdpDfL2H4G9z7qEQC6t1LqqGNcfMan/qS4J/n5GCOedVWHcfCraROOMil52v
+3ZDXyyjGEO08XgKnoa2ZL/z2a6s077+hAAnbcywyi2Qz8Yfi6GnwYfU1u8SN0APd
+T71HPNsWkU4zkxmP4S0Olg==
+-----END PRIVATE KEY-----
diff --git a/server/configs/certs/tls/benchmark-server-cert-ed25519.pem b/server/configs/certs/tls/benchmark-server-cert-ed25519.pem
new file mode 100644
index 000000000..bc9cb2d0a
--- /dev/null
+++ b/server/configs/certs/tls/benchmark-server-cert-ed25519.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDHTCCAgWgAwIBAgIUc31LCktokAIQGqLsSC2BlsLCTsYwDQYJKoZIhvcNAQEL
+BQAwfDETMBEGA1UEAwwKbmF0cy5pby5DQTEiMCAGA1UECwwZUGVyZm9ybWFuY2VB
+bmRSZWxpYWJpbGl0eTEQMA4GA1UECgwHU3luYWRpYTEQMA4GA1UEBwwHVG9yb250
+bzEQMA4GA1UECAwHT250YXJpbzELMAkGA1UEBhMCQ0EwIBcNMjMwODE0MTUyNzU3
+WhgPMjEyMzA3MjExNTI3NTdaMHkxEDAOBgNVBAMMB25hdHMuaW8xIjAgBgNVBAsM
+GVBlcmZvcm1hbmNlQW5kUmVsaWFiaWxpdHkxEDAOBgNVBAoMB1N5bmFkaWExEDAO
+BgNVBAcMB1Rvcm9udG8xEDAOBgNVBAgMB09udGFyaW8xCzAJBgNVBAYTAkNBMCow
+BQYDK2VwAyEAyyc9y9iZgWWSsPRahbeGxF6XN3VOFPZBvD/HQps6jr6jgZEwgY4w
+CwYDVR0PBAQDAgQwMBMGA1UdJQQMMAoGCCsGAQUFBwMBMCoGA1UdEQQjMCGCDnJl
+dWJlbi5uYXRzLmlvgg9yZXViZW4ubmF0cy5jb20wHQYDVR0OBBYEFBwkwMU8xuQO
+FN1Ck5o2qQ4Dz87ZMB8GA1UdIwQYMBaAFBKn3gHpn3iKeDDOAux9WyUvpq2uMA0G
+CSqGSIb3DQEBCwUAA4IBAQALjCynuxEobk1MYQAFhkrfAD29H6yRpOcKigHCZjTJ
+Dnpupip1xvaFPPvhi4nxtuWcXgKpWEfd1jOPaiNV6lrefahitZpzcflD7wNOxqvx
+Hau2U3lFnjnGaC0ppp66x26cQznp6YcTdxrJ1QF4vkOejxqNvaTzmiwzSPIIYm7+
+iKVWT+Z86WKof3vAdsX/f148YH1YSPk0ykiBzlbLScbyWebbaydrAIpU01IkSvMo
+qDYu+Fba0tpONLe1BUklc608riwQjw9HiJJ2zJIAOBAUev5+48RP91/K111Ix1bl
+fGPT8/1TJbyGG2jeJwyLoSIu72aDnnIBfqGkVunRTmeg
+-----END CERTIFICATE-----
diff --git a/server/configs/certs/tls/benchmark-server-cert-rsa-1024.pem b/server/configs/certs/tls/benchmark-server-cert-rsa-1024.pem
new file mode 100644
index 000000000..be9bbafa9
--- /dev/null
+++ b/server/configs/certs/tls/benchmark-server-cert-rsa-1024.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkzCCAnugAwIBAgIUc31LCktokAIQGqLsSC2BlsLCTsMwDQYJKoZIhvcNAQEL
+BQAwfDETMBEGA1UEAwwKbmF0cy5pby5DQTEiMCAGA1UECwwZUGVyZm9ybWFuY2VB
+bmRSZWxpYWJpbGl0eTEQMA4GA1UECgwHU3luYWRpYTEQMA4GA1UEBwwHVG9yb250
+bzEQMA4GA1UECAwHT250YXJpbzELMAkGA1UEBhMCQ0EwIBcNMjMwODE0MTUyNzU3
+WhgPMjEyMzA3MjExNTI3NTdaMHkxEDAOBgNVBAMMB25hdHMuaW8xIjAgBgNVBAsM
+GVBlcmZvcm1hbmNlQW5kUmVsaWFiaWxpdHkxEDAOBgNVBAoMB1N5bmFkaWExEDAO
+BgNVBAcMB1Rvcm9udG8xEDAOBgNVBAgMB09udGFyaW8xCzAJBgNVBAYTAkNBMIGf
+MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyHHaVHinB3jBsicR4hp7uopz0u3+O
+kUicIUSQXDcWiPzdvE+7YZ/s4+Ud4aw4g9q0wHzkZSaMg8nil4tCKmTrUKolVTVj
+CCCBmtqq3LwzNLapyoDJRyXsWqHt5TWYSxaf/UQT6sWOgqHOLrbd4J8F0sjxEniB
+GDHR1ZXpJCBaIQIDAQABo4GRMIGOMAsGA1UdDwQEAwIEMDATBgNVHSUEDDAKBggr
+BgEFBQcDATAqBgNVHREEIzAhgg5yZXViZW4ubmF0cy5pb4IPcmV1YmVuLm5hdHMu
+Y29tMB0GA1UdDgQWBBQk5kWOUcUNn7FppddLANe3droUlzAfBgNVHSMEGDAWgBQS
+p94B6Z94ingwzgLsfVslL6atrjANBgkqhkiG9w0BAQsFAAOCAQEA2Njy2f1PUZRf
+G1/oZ0El7J8L6Ql1HmEC7tOTzbORg7U9uMHKqIFL/IXXAdAlE/EjFEA2riPO8cu/
+bvL2A4CapYzt2kDD9PPYfVtniRr7mv0EVntPwEvfiySMAEeZuW/M2liPfgPpQkhL
+fzwPeCOfqM8AjpyDab8NEGX5Bbf421oQorlENpm4PKQCXoUN5cWpBwuwWxj7yndj
+256MevLDKKe/ALSLQEo/2Jgpnmp7Qol0GtomCzsLgZ+ASuVtCsGTFmaRrsqVPspJ
+oOl6qby5gYwN9TR8zfRYL1m1sbYROz+5+ofEoiTnaOoOSjiBIoYoMeSC/jvJQTPT
+VdD8QeQ6Og==
+-----END CERTIFICATE-----
diff --git a/server/configs/certs/tls/benchmark-server-cert-rsa-2048.pem b/server/configs/certs/tls/benchmark-server-cert-rsa-2048.pem
new file mode 100644
index 000000000..9fb03ac4f
--- /dev/null
+++ b/server/configs/certs/tls/benchmark-server-cert-rsa-2048.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEFzCCAv+gAwIBAgIUc31LCktokAIQGqLsSC2BlsLCTsQwDQYJKoZIhvcNAQEL
+BQAwfDETMBEGA1UEAwwKbmF0cy5pby5DQTEiMCAGA1UECwwZUGVyZm9ybWFuY2VB
+bmRSZWxpYWJpbGl0eTEQMA4GA1UECgwHU3luYWRpYTEQMA4GA1UEBwwHVG9yb250
+bzEQMA4GA1UECAwHT250YXJpbzELMAkGA1UEBhMCQ0EwIBcNMjMwODE0MTUyNzU3
+WhgPMjEyMzA3MjExNTI3NTdaMHkxEDAOBgNVBAMMB25hdHMuaW8xIjAgBgNVBAsM
+GVBlcmZvcm1hbmNlQW5kUmVsaWFiaWxpdHkxEDAOBgNVBAoMB1N5bmFkaWExEDAO
+BgNVBAcMB1Rvcm9udG8xEDAOBgNVBAgMB09udGFyaW8xCzAJBgNVBAYTAkNBMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyx3O+Z6u8Y1SiuHu3szWbLvL
+WrZpSpEiZkll+wk5205S1FRcQLccfr4ubdtjOBdi+RzILCtkflUI01Dbqu6cV7/2
+yfLthxBeNDiXMhjyOFkYLwwE4w7CdTwWWsmW31oUH1rYXIDPoeb7WPF7w3NwaUJu
+ZXnqM98LRgWDTmh+nsqDDW/bz1fYIdxcO9az6iBOnJ2AGWI2ur5GzWc4+gNMOZiZ
+Xj657g0MbyVM4Gzyc4Au22hShZ/YorLP8NAiwNJamlrCFzlnZN/ePjuQPcI6glnb
+oO9IAGfPdAOJptfayuPAZgUngzewB38yY0Q/rKG1GJKSkQ8X6/lXiWaRPZJjYwID
+AQABo4GRMIGOMAsGA1UdDwQEAwIEMDATBgNVHSUEDDAKBggrBgEFBQcDATAqBgNV
+HREEIzAhgg5yZXViZW4ubmF0cy5pb4IPcmV1YmVuLm5hdHMuY29tMB0GA1UdDgQW
+BBRtanJZScdSlsPsi58lBcpdj+bV/zAfBgNVHSMEGDAWgBQSp94B6Z94ingwzgLs
+fVslL6atrjANBgkqhkiG9w0BAQsFAAOCAQEAV4TZ3b8cYO7ZeRyoCQtCBAab9gNe
+kbQpWqICvkVQOk5Anq3opwAWk2FuIRs5KoT7ssckHpXwTwWLs+KuIVo+Fet19IH6
+BQfck1jwhzM04MA6zLO/F2j548XlrJy3IzViPM/VxwMMTt5YSoogrz/3TzzJPIe0
+eQomf5HbpVgrf08pMVkdaI7PCd7N/CxeWiD5zEWqBu9FqofO188Kb/umx0VwgBju
+dX46MKO5TyUc91UrG3M35/r4Z7fd52SWWWFQiI7UBOl2L27samjHlJsKjyFoBF3Z
+alvnoUVzo7zwAYmhEdPYDNVceF4KtAFpGipoQPRMg83G87LgYBA4Sa6uKw==
+-----END CERTIFICATE-----
diff --git a/server/configs/certs/tls/benchmark-server-cert-rsa-4096.pem b/server/configs/certs/tls/benchmark-server-cert-rsa-4096.pem
new file mode 100644
index 000000000..ed231a1a1
--- /dev/null
+++ b/server/configs/certs/tls/benchmark-server-cert-rsa-4096.pem
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFFzCCA/+gAwIBAgIUc31LCktokAIQGqLsSC2BlsLCTsUwDQYJKoZIhvcNAQEL
+BQAwfDETMBEGA1UEAwwKbmF0cy5pby5DQTEiMCAGA1UECwwZUGVyZm9ybWFuY2VB
+bmRSZWxpYWJpbGl0eTEQMA4GA1UECgwHU3luYWRpYTEQMA4GA1UEBwwHVG9yb250
+bzEQMA4GA1UECAwHT250YXJpbzELMAkGA1UEBhMCQ0EwIBcNMjMwODE0MTUyNzU3
+WhgPMjEyMzA3MjExNTI3NTdaMHkxEDAOBgNVBAMMB25hdHMuaW8xIjAgBgNVBAsM
+GVBlcmZvcm1hbmNlQW5kUmVsaWFiaWxpdHkxEDAOBgNVBAoMB1N5bmFkaWExEDAO
+BgNVBAcMB1Rvcm9udG8xEDAOBgNVBAgMB09udGFyaW8xCzAJBgNVBAYTAkNBMIIC
+IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAj/rw0WpCnizUSs06NxSsjuYb
+6sWtYQjLd6O6SCoQwrPSY2Zv0u28RywBJkSiIbv12kWxrhqv+kDqhmt7tfwEdHAE
+gOl6E2P/CFDnyAJ4it5qgFRHcEItGp1Ap4ZrZ3OTl41DDe28giflHb7+VAzxUV6r
+zkHmrqkaJd41YrJoKyZ3u+/FHs6CudO+jGXC2ubH1i71ARXHn6tkmOTwFf1N49wB
+Hr144xBmPyvH/A/elgXBjR28/7x64MO/qBZsr/lbTaS4YwN1+rod/HRc2GIiJxpS
+tB1bh/dXZCfa0QyhTzCNLG/j7IzetDrPBGzpw2WjufhkSuaxoMDWlDkkfqmQxtHJ
+5L+PqIiPT69tzEbfuS9Ogz7DW10CcpSdXW13sWCdSNCGEvPqLFka36q9B82V0GHz
+tmx8VqdfWSu4qMyVmTsxxzLTTxpQU4X1Q2RnT/1igbsOM620LuvrvnXlh5Rdg7tp
+T++QJ/b4xCCg62tv4VwORe27xHYXMeDn4aoRdyoI45/+ZK6yqwNAOrKKpse/M8uz
+mJK2i8pfEFmitIKoNYn3MR2dFrCqifZkFf9rX9A/1Ym+WKAPLmWdGp13fvTdzxQG
+Y44f9tBL2RWsoGX++01XEwIiWz7kqObC0L8fz3EdIPaULX7MZiQrxzzhRCcJhyn/
+aOrJfLYj0GAmIaHElHkCAwEAAaOBkTCBjjALBgNVHQ8EBAMCBDAwEwYDVR0lBAww
+CgYIKwYBBQUHAwEwKgYDVR0RBCMwIYIOcmV1YmVuLm5hdHMuaW+CD3JldWJlbi5u
+YXRzLmNvbTAdBgNVHQ4EFgQUbJSM8LNWmc9IgLe0X53yE3c3h1cwHwYDVR0jBBgw
+FoAUEqfeAemfeIp4MM4C7H1bJS+mra4wDQYJKoZIhvcNAQELBQADggEBAEGmLvEE
++MTE1bHMbl/5QG+/xusmervIuxkfAfId0H+8TWB75y+yhVZpEdM7knfl+lexmtGQ
+Gr4HNGTZhAZ3NYFaBw7nfeqO48He7gHUKfJA/zv7FREF3Fy+Qe/hydDJQzBzZfaU
+64XqhY6jOurpZhTAoOXfjpYzZaLi7+rdpTAbfxHCCAC8SxZD3++Q97ZeoT6en47O
+8SQQ7FIzWxs15k88oYalw51vZujxX7dz4l+LxsLXtlYW7ZM1163cgU7lF/jQqDcN
+z8X8jk1AjQY7AuFPuOzQ1hLXcZySm8rUG5pPgHrZ1QKmkFFWRaeCiO2hU794wI5C
+vIGR8lIhkNwEJnQ=
+-----END CERTIFICATE-----
diff --git a/server/configs/certs/tls/benchmark-server-key-ed25519.pem b/server/configs/certs/tls/benchmark-server-key-ed25519.pem
new file mode 100644
index 000000000..edb1732a9
--- /dev/null
+++ b/server/configs/certs/tls/benchmark-server-key-ed25519.pem
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIJRCtUNxUuutNs9j8OtcwFw1xkbs+zxjHhpAqVuqDNo5
+-----END PRIVATE KEY-----
diff --git a/server/configs/certs/tls/benchmark-server-key-rsa-1024.pem b/server/configs/certs/tls/benchmark-server-key-rsa-1024.pem
new file mode 100644
index 000000000..4847c5a85
--- /dev/null
+++ b/server/configs/certs/tls/benchmark-server-key-rsa-1024.pem
@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALIcdpUeKcHeMGyJ
+xHiGnu6inPS7f46RSJwhRJBcNxaI/N28T7thn+zj5R3hrDiD2rTAfORlJoyDyeKX
+i0IqZOtQqiVVNWMIIIGa2qrcvDM0tqnKgMlHJexaoe3lNZhLFp/9RBPqxY6Coc4u
+tt3gnwXSyPESeIEYMdHVlekkIFohAgMBAAECgYAwt8RfyV5WnvXT2mMZLIlwcJ5J
++rdLQcYAnsDoU7DlwxaXeBi/AlcCLtvOrpmy464A3t3KgzhmGu4vwo/ey0XK+nTQ
+tzORP/PXTaVC8DzJ8PnJmUaB7l+H7a88OSPLbjgnbpw4SyvDpKUHiiw0EDYC7L6Y
+1vvCOlnprptXbE5eeQJBAOpjwdBVWkVtmStjsxbxZsUTI7XKxS2VZinRLH0l5/hI
+hIHRxwy9oRbeNrf5815lGolTUD0mq+N0dJRlMop1yKsCQQDCiGDkH/pQqhB8ibmD
+0XNw0EzxJmPFACO/x49VCfCPE5p1FQhpyIl6JkyAFNN7Xs4HX8jMHTuvNgJVti61
+O0BjAkEAj0wr2vXDubyWrztF61nszcG0zFjKkeLL0fcLLvv0xQt4z3F0MyrgCH4U
+kAflLSm8voZMAQbagbXZ7DuuWY5G/wJAWyKnOdidXZL+3ElthwrmKVD86vEQRqe1
+F9C3HqDkeTM25mkvItfXSEmPB2Y6WY7luOCv4qhDYOdNmrgaE7+pfwJAcbV5ZVJW
+OZvH1ofsJVvUA8J58tzv1+KPb96pI3YRAu8xbMC0mzezPsYjg2wjaRgJ2C+7On27
+BaArNo75B20AkA==
+-----END PRIVATE KEY-----
diff --git a/server/configs/certs/tls/benchmark-server-key-rsa-2048.pem b/server/configs/certs/tls/benchmark-server-key-rsa-2048.pem
new file mode 100644
index 000000000..60bd94579
--- /dev/null
+++ b/server/configs/certs/tls/benchmark-server-key-rsa-2048.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDLHc75nq7xjVKK
+4e7ezNZsu8tatmlKkSJmSWX7CTnbTlLUVFxAtxx+vi5t22M4F2L5HMgsK2R+VQjT
+UNuq7pxXv/bJ8u2HEF40OJcyGPI4WRgvDATjDsJ1PBZayZbfWhQfWthcgM+h5vtY
+8XvDc3BpQm5leeoz3wtGBYNOaH6eyoMNb9vPV9gh3Fw71rPqIE6cnYAZYja6vkbN
+Zzj6A0w5mJlePrnuDQxvJUzgbPJzgC7baFKFn9iiss/w0CLA0lqaWsIXOWdk394+
+O5A9wjqCWdug70gAZ890A4mm19rK48BmBSeDN7AHfzJjRD+sobUYkpKRDxfr+VeJ
+ZpE9kmNjAgMBAAECggEADicdEWKfsQAWZMv6X3bpZ/kr4b29F2+GdJcfrn7Fk8Tg
+25+nL/EyYJhy1r/HKZTjlhUN05oQbgcRztue+smWhjy/fvHY4CThU4Uv79MyKX/3
+wet1+bZBEXcm3ZuXUifOKCMl2Ug2b4MPN3LYG1XTWtpAo/x7N7MOb4oZzKBWVk0J
+GEfxvJVZyVe3libIN2WWZFQJ1620AxaWP2jZ83PhRR/TJIBiq+pI/lBIyt+nu8Z3
+3vzB020R2uvENOhnaDjzNVfnJxSvlAAQkN47zo2Tf4UnB0792Y7DEEjFKX4XCFVd
+zxmjmw7VcRcnyruDhCoRC6mNraaAHuMqPwuBoC6GtQKBgQD/7CV8XKzcPPfFJY9e
+aHPzgXJwK+5u3jq7tNYUksVfv0s2lLQnRdbqAhHzxNYLQjdVd7J6t55h2z8scYaP
+oB7TTwszhKZS2sQ/lcpfOFoFN6KjN0iOnXVFucGoQ36gexNqPw894NFKWX/RHrnZ
+UfL/OnOUPpra3w+WMxjUYQ5ivQKBgQDLLZDIpM8fSRKeqZzjv/eoKnoDhqmzPipj
+bvNXAkIr/nWfUHL9YRnpxX7PW8DqFWIYoM8b0uOKO4vLJnQUMyc2jPq1rPXEBrjk
+w+xKWCipKdPrqwttiLKme+ZArRT5CJ9qcqxSX0yNp69xwXtyHe+zY18F/a4+70wT
+5wJwYmhQnwKBgHpICTk8xtOMxg6K/c/sNMr65QU32Htc789Ufp3h6zDupC92KgZB
+1oiFaLKDMIq8ntfVk5ATQDgdnDfOHq9toIzyzbVWAmrAYNjI56NLt6eah7lY5vBN
+yAUC1sdhSJXBeOthKhU04IuX6/yto7t07piJA0SoDTHbNwVbcNe5cDg5AoGBALjR
+jxVlDd+4mc5oHYXy1rZLRUg10+JvlyFyCLrKHCVmx9oO1Tr1fBvxggPfw+FraBtd
+FGiL8l2JAwXdydOiIHZ30Ys3dSxGrSOzsRqDjSEsIlEK+088/L2CkRWeHCjYliK/
+g08+zyVANtC0nrVU0/mLWCHb/AfVp4+nIMnYSmmjAoGAEMyBqq2AyUmx1xAmhw36
+LqgKy+vgHEAFRFPD8IttHFLOlUdXlvxoDq4xW2a7bJsJrs9ZrluRFKVh7QnSckmP
+Jt/Plg+XYB3B2exD5Xyh9xNYNVW/Aqvg+NuiWeCGK/o7mUfGWd9qWrD2aw51m+X3
+Svtkgck1kulqPoUFG1b3R4k=
+-----END PRIVATE KEY-----
diff --git a/server/configs/certs/tls/benchmark-server-key-rsa-4096.pem b/server/configs/certs/tls/benchmark-server-key-rsa-4096.pem
new file mode 100644
index 000000000..daf897f85
--- /dev/null
+++ b/server/configs/certs/tls/benchmark-server-key-rsa-4096.pem
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCP+vDRakKeLNRK
+zTo3FKyO5hvqxa1hCMt3o7pIKhDCs9JjZm/S7bxHLAEmRKIhu/XaRbGuGq/6QOqG
+a3u1/AR0cASA6XoTY/8IUOfIAniK3mqAVEdwQi0anUCnhmtnc5OXjUMN7byCJ+Ud
+vv5UDPFRXqvOQeauqRol3jVismgrJne778UezoK5076MZcLa5sfWLvUBFcefq2SY
+5PAV/U3j3AEevXjjEGY/K8f8D96WBcGNHbz/vHrgw7+oFmyv+VtNpLhjA3X6uh38
+dFzYYiInGlK0HVuH91dkJ9rRDKFPMI0sb+PsjN60Os8EbOnDZaO5+GRK5rGgwNaU
+OSR+qZDG0cnkv4+oiI9Pr23MRt+5L06DPsNbXQJylJ1dbXexYJ1I0IYS8+osWRrf
+qr0HzZXQYfO2bHxWp19ZK7iozJWZOzHHMtNPGlBThfVDZGdP/WKBuw4zrbQu6+u+
+deWHlF2Du2lP75An9vjEIKDra2/hXA5F7bvEdhcx4OfhqhF3Kgjjn/5krrKrA0A6
+soqmx78zy7OYkraLyl8QWaK0gqg1ifcxHZ0WsKqJ9mQV/2tf0D/Vib5YoA8uZZ0a
+nXd+9N3PFAZjjh/20EvZFaygZf77TVcTAiJbPuSo5sLQvx/PcR0g9pQtfsxmJCvH
+POFEJwmHKf9o6sl8tiPQYCYhocSUeQIDAQABAoICAAEYUQ4KqeyJiJN0DvIIdc0q
+v1dwVEKlaOS6nvSkYJcWe9kL2E8JRfy1lIxTCneethPdoqhhZWljZn/fX+QRAVir
+BGxq5NCHxWgDCNble+oJydNlhgXldEcxnyJXBvM/trA49Q5X+pkeeWMvRsBiuSVx
+BqCi3CtZDQzw18TtzessF6OF2IuE2bYqP9anVyLH4rOvN5JKn9zH69PaLorq76rL
+YMp4JEFNKIs+R5RUFjwxBC6Q+r+9fM1qTQdtJOZMC293pfusylAoll315ZczXIah
+xYi/ThOmjtMrwWyEan1PcCIVzMI0X7o3q0eMQNU0ApmBY9k0+sYEnsJ8Um8l1icb
+WE/KBDzQk2mSoIzEdo99gYiuLAhi5WTEcQzeovZKHKkhRxLn3GUK/ZznpTuI0Voh
+1Qbfw05wf62yh8/nc747n5ULPgf8/nUH5G8jUeSis9gMGtFloqIxUEBphzIHwj7W
+FUIKoKpGkHL4Jkg9wXIe7lg5Qp+cdCrkWKKvQc57EbWxsM1Pjktw6X5ctNQclWG0
+WQJUw+BJhq6InKAV4aDW4/QlCOjvGtDDkYvwghE+ZgIzm9BARM4+DbeoPTmAkwwz
+6NTM8DYWvdcYVpgchEwphS6OFkOD1Dc6Wg2OUUtLjvl4NVf/NDYN8wIWNwmMm4aj
++Is12NwoUqZ44E4pSfohAoIBAQDLloatDuObuLzInBqER2tByPNnDV9AVTR2rm6w
+TgBmslFHBCf/uSzq0ivh1oZmFfDhcqdrtheTL0BWXbFxR/GelDm9N4d/LqOGRyWV
+Qmy5dGp2wE6gsZGZuvsbVst6eFO+zgDLvDMLrVqP+577g/QbrSR8gPz39WCgLpvf
+RcNpM2rHeKkm09IdUe0G+YEnW3fD7rxtMS+j8J57yuuxLO+SemGJuJQqGHYOukxF
+KMZxX2wMs1YMNwKEXY0/9M+LAtW9J3azkRp5xd+E2kzXGoWcl2nS/3+J6nh1+HWq
+SZE7SDWSimzut/aPTOM7YxLVqtANWHzVBBNpTbOMSrSZTZQJAoIBAQC1C/afOROb
+GQMb1LOt95AxvGyYo62mOkcPxhxQGojVIi+Yz8Q1ZWTuT5qyyWSofR3bE9mQwQGW
+KQ/znJKiwA48BS0osnmQi3Bi6eVD73NfwxMkL6zrGFxf336DNQi9mbidJvOaHNsT
+wXGPqRQXDcLa3s3WqerDzKJ2gxG22rtkoC0uCw+J9NlkJTTI9bJ9rjDZIh6mE/M0
+3ye19IgkBdbMv7FSjGVpovdqWZ2HELDYAXJftzuMPUO1GNYbyMHAHnWH0a1TQRM8
+ELHzmPRaFBeegmpBVaenlxKoi72iwqrVFrEr5FLAKxLq/9RwizJ8FzySIpH/5+hU
+Ky4mG93lmHjxAoIBAQDLOXs+jTpPW923M3yUxuYeSQYPvJ10jplMT1tWysZDvYS8
+qz1yW9qmnR4I1ihbB1Po+JZ/QsnNtsE2dViHiBV9AuGQLDopjtjVVXgCwsfdaIRN
+/jF+30JEfw3igIWlvy95rBHHThp2cZmRWM+eql2msvNVBT2AF4VY4K3f9rfV7+mL
+LLtNcuyvL/S3naB7NSccgte89/hiYfMSB8G2nvCW+2saGxJr4vcWRImWD9nnmiU1
+mF8w2ki88NXrHel/Dlll9FrdbN9M52T0LSW/I050vgB5C2q4tUGCIX7zeXRsBOzV
+VzDeKu0Ipuu9gGxwtY3xhH839FWcLGAqjvgwf+xhAoIBAQCuvWs9ZoNr0QpVFEiQ
+Aj9kIa7W7DOwGtN3gAjXr6Sdwa8a2H1R5Bk0ghSXtxW2IXxtdI0qz35OhjdlM5u8
+BY43k+9wNkJqporEjWfA2B4NMWUKKhHFnu+ZgUbEMK3NAc9TrsKz3mH8gVqwA8rm
+LVwCj8UwCTQT4zBzHjI8wITZrFeu9vH6fx5LMDXwOGQcNcHj8LCQLvUv9KqJTgkQ
+a6pUWDg3qlY/TRFrzi7iq9NjyJGxnFKXGpJ8+gm9K1kFquBZRKD7l/WOpbZ7nQdK
+4dWiIdGYWanFcWSK1MUlkKn9nTdHW8oau/g4ZM+QCGmjp3HIwiEUU6rDgiG6mm7j
+KPShAoIBAG1sFn8X841038Z/sp4JzYypQjj7g9UOTkghHcJHIZzRXLiTqW3lKxbt
+Gz93DjWRxXD404hem8dOUf22VgfjB4z1mSrV5SWtLjLf5wD8gl0eUNKP2lZFLggz
+O6nHCLLzlKs2RH5pDo3c8qyjLRIfCXy0YGnr+9RErVJG+TVB/MOSgHagmkdVOYCH
+phw4EiwJ+rPFy/xm5D6+BuOyt7hw7boQsw3EHpZTyQHWObcIggjlopTX2VSG8Dx+
+/iQRTuVRVyNAhYwCuNtSh27zawWr+A40acFJsJpvkFkbZBEH1IqoCteUaiEVU1qm
+51lKgt3ZVAXuecJ1U/0u4HtC0QdEBGE=
+-----END PRIVATE KEY-----
diff --git a/server/configs/reload/reload.conf b/server/configs/reload/reload.conf
index 613033a73..068500b32 100644
--- a/server/configs/reload/reload.conf
+++ b/server/configs/reload/reload.conf
@@ -6,6 +6,7 @@ port: 2233
 debug:         true # enable on reload
 trace:         true # enable on reload
 logtime:       true # enable on reload
+logtime_utc:   true # enable on reload
 
 log_file:         "nats-server.log" # change on reload
 pid_file:         "nats-server.pid" # change on reload
diff --git a/server/configs/tls/tls-ed25519.conf b/server/configs/tls/tls-ed25519.conf
new file mode 100644
index 000000000..dcb8fd945
--- /dev/null
+++ b/server/configs/tls/tls-ed25519.conf
@@ -0,0 +1,10 @@
+# Simple TLS (ed25519) config file
+
+listen: 127.0.0.1:-1
+
+tls {
+  cert_file:  "./configs/certs/tls/benchmark-server-cert-ed25519.pem"
+  key_file:   "./configs/certs/tls/benchmark-server-key-ed25519.pem"
+  ca_file:    "./configs/certs/tls/benchmark-ca-cert.pem"
+  timeout:    "5s"
+}
diff --git a/server/configs/tls/tls-none.conf b/server/configs/tls/tls-none.conf
new file mode 100644
index 000000000..042bf4e0b
--- /dev/null
+++ b/server/configs/tls/tls-none.conf
@@ -0,0 +1,4 @@
+# Simple config file
+
+listen: 127.0.0.1:-1
+
diff --git a/server/configs/tls/tls-rsa-1024.conf b/server/configs/tls/tls-rsa-1024.conf
new file mode 100644
index 000000000..fb3aaa418
--- /dev/null
+++ b/server/configs/tls/tls-rsa-1024.conf
@@ -0,0 +1,10 @@
+# Simple TLS (rsa-1024) config file
+
+listen: 127.0.0.1:-1
+
+tls {
+  cert_file:  "./configs/certs/tls/benchmark-server-cert-rsa-1024.pem"
+  key_file:   "./configs/certs/tls/benchmark-server-key-rsa-1024.pem"
+  ca_file:    "./configs/certs/tls/benchmark-ca-cert.pem"
+  timeout:    "5s"
+}
diff --git a/server/configs/tls/tls-rsa-2048.conf b/server/configs/tls/tls-rsa-2048.conf
new file mode 100644
index 000000000..08f54a250
--- /dev/null
+++ b/server/configs/tls/tls-rsa-2048.conf
@@ -0,0 +1,10 @@
+# Simple TLS (rsa-2048) config file
+
+listen: 127.0.0.1:-1
+
+tls {
+  cert_file:  "./configs/certs/tls/benchmark-server-cert-rsa-2048.pem"
+  key_file:   "./configs/certs/tls/benchmark-server-key-rsa-2048.pem"
+  ca_file:    "./configs/certs/tls/benchmark-ca-cert.pem"
+  timeout:    "5s"
+}
diff --git a/server/configs/tls/tls-rsa-4096.conf b/server/configs/tls/tls-rsa-4096.conf
new file mode 100644
index 000000000..68ad841b7
--- /dev/null
+++ b/server/configs/tls/tls-rsa-4096.conf
@@ -0,0 +1,10 @@
+# Simple TLS (rsa-4096) config file
+
+listen: 127.0.0.1:-1
+
+tls {
+  cert_file:  "./configs/certs/tls/benchmark-server-cert-rsa-4096.pem"
+  key_file:   "./configs/certs/tls/benchmark-server-key-rsa-4096.pem"
+  ca_file:    "./configs/certs/tls/benchmark-ca-cert.pem"
+  timeout:    "5s"
+}
diff --git a/server/const.go b/server/const.go
index 0074a7171..cd50444d8 100644
--- a/server/const.go
+++ b/server/const.go
@@ -40,9 +40,10 @@ var (
 )
 
 const (
-	// VERSION is the current version for the memphis.
-	VERSION = "1.4.1"
+	// VERSION is the current version for the memphis server.
+	VERSION = "1.4.1" // ** changed by Memphis
 
+	// ** added by Memphis
 	DEFAULT_SERVER_NAME                        = "memphis-0"
 	DEFAULT_WS_PORT                            = 7770
 	DEFAULT_UI_PORT                            = 9000
@@ -52,9 +53,10 @@ const (
 	SHOWABLE_ERROR_STATUS_CODE                 = 666
 	DEFAULT_TIERED_STORAGE_UPLOAD_INTERVAL_SEC = 8
 	DEFAULT_DLS_RETENTION_HOURS                = 3
-
+	DEFAULT_ENCRYPTION_SECRET_KEY = "thisis32bitlongpassphraseimusing"
 	// COMP_WITH_NATS_VERSION is the NATS version Memphis is compatible with
-	COMP_WITH_NATS_VERSION = "2.9.15"
+	COMP_WITH_NATS_VERSION = "2.9.22"
+	// ** added by Memphis
 
 	// PROTO is the currently supported protocol.
 	// 0 was the original
@@ -63,7 +65,7 @@ const (
 	PROTO = 1
 
 	// DEFAULT_PORT is the default port for client connections.
-	DEFAULT_PORT = 6666
+	DEFAULT_PORT = 6666 // ** changed by Memphis
 
 	// RANDOM_PORT is the value for port that, when supplied, will cause the
 	// server to listen on a randomly-chosen available port. The resolved port
@@ -79,7 +81,7 @@ const (
 
 	// MAX_PAYLOAD_SIZE is the maximum allowed payload size. Should be using
 	// something different if > 1MB payloads are needed.
-	MAX_PAYLOAD_SIZE = (1 * 1024 * 1024)
+	MAX_PAYLOAD_SIZE = (1024 * 1024)
 
 	// MAX_PAYLOAD_MAX_SIZE is the size at which the server will warn about
 	// max_payload being too high. In the future, the server may enforce/reject
@@ -221,6 +223,4 @@ const (
 
 	// DEFAULT_FETCH_TIMEOUT is the default time that the system will wait for an account fetch to return.
 	DEFAULT_ACCOUNT_FETCH_TIMEOUT = 1900 * time.Millisecond
-
-	DEFAULT_ENCRYPTION_SECRET_KEY = "thisis32bitlongpassphraseimusing"
 )
diff --git a/server/consumer.go b/server/consumer.go
index 1bad9c692..b198d0d68 100644
--- a/server/consumer.go
+++ b/server/consumer.go
@@ -1,4 +1,4 @@
-// Copyright 2019-2022 The NATS Authors
+// Copyright 2019-2023 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -213,14 +213,14 @@ var (
 
 // Calculate accurate replicas for the consumer config with the parent stream config.
 func (consCfg ConsumerConfig) replicas(strCfg *StreamConfig) int {
-	if consCfg.Replicas == 0 {
-		if !isDurableConsumer(&consCfg) && strCfg.Retention == LimitsPolicy {
+	if consCfg.Replicas == 0 || consCfg.Replicas > strCfg.Replicas {
+		if !isDurableConsumer(&consCfg) && strCfg.Retention == LimitsPolicy && consCfg.Replicas == 0 {
+			// Matches old-school ephemerals only, where the replica count is 0.
 			return 1
 		}
 		return strCfg.Replicas
-	} else {
-		return consCfg.Replicas
 	}
+	return consCfg.Replicas
 }
 
 // Consumer is a jetstream consumer.
@@ -254,6 +254,7 @@ type consumer struct {
 	ackReplyT         string
 	ackSubj           string
 	nextMsgSubj       string
+	nextMsgReqs       *ipQueue[*nextMsgReq]
 	maxp              int
 	pblimit           int
 	maxpb             int
@@ -299,6 +300,8 @@ type consumer struct {
 	prOk      bool
 	uch       chan struct{}
 	retention RetentionPolicy
+
+	monitorWg sync.WaitGroup
 	inMonitor bool
 
 	// R>1 proposals
@@ -618,7 +621,7 @@ func (mset *stream) addConsumerWithAssignment(config *ConsumerConfig, oname stri
 	mset.mu.Lock()
 	if mset.client == nil || mset.store == nil || mset.consumers == nil {
 		mset.mu.Unlock()
-		return nil, errors.New("invalid stream")
+		return nil, NewJSStreamInvalidError()
 	}
 
 	// If this one is durable and already exists, we let that be ok as long as only updating what should be allowed.
@@ -748,6 +751,8 @@ func (mset *stream) addConsumerWithAssignment(config *ConsumerConfig, oname stri
 	// Create our request waiting queue.
 	if o.isPullMode() {
 		o.waiting = newWaitQueue(config.MaxWaiting)
+		// Create our internal queue for next msg requests.
+		o.nextMsgReqs = newIPQueue[*nextMsgReq](s, fmt.Sprintf("[ACC:%s] consumer '%s' on stream '%s' pull requests", accName, o.name, mset.cfg.Name))
 	}
 
 	// Check if we have  filtered subject that is a wildcard.
@@ -818,8 +823,10 @@ func (mset *stream) addConsumerWithAssignment(config *ConsumerConfig, oname stri
 	// Set up the ack subscription for this consumer. Will use wildcard for all acks.
 	// We will remember the template to generate replies with sequence numbers and use
 	// that to scanf them back in.
-	mn := mset.cfg.Name
-	pre := fmt.Sprintf(jsAckT, mn, o.name)
+	// Escape '%' in consumer and stream names, as `pre` is used as a template later
+	// in consumer.ackReply(), resulting in erroneous formatting of the ack subject.
+	mn := strings.ReplaceAll(mset.cfg.Name, "%", "%%")
+	pre := fmt.Sprintf(jsAckT, mn, strings.ReplaceAll(o.name, "%", "%%"))
 	o.ackReplyT = fmt.Sprintf("%s.%%d.%%d.%%d.%%d.%%d", pre)
 	o.ackSubj = fmt.Sprintf("%s.*.*.*.*.*", pre)
 	o.nextMsgSubj = fmt.Sprintf(JSApiRequestNextT, mn, o.name)
@@ -981,7 +988,24 @@ func (o *consumer) setLeader(isLeader bool) {
 
 	// If we are here we have a change in leader status.
 	if isLeader {
-		if mset == nil || isRunning {
+		if mset == nil {
+			return
+		}
+		if isRunning {
+			// If we detect we are scaling up, make sure to create clustered routines and channels.
+			o.mu.Lock()
+			if o.node != nil && o.pch == nil {
+				// We are moving from R1 to clustered.
+				o.pch = make(chan struct{}, 1)
+				go o.loopAndForwardProposals(o.qch)
+				if o.phead != nil {
+					select {
+					case o.pch <- struct{}{}:
+					default:
+					}
+				}
+			}
+			o.mu.Unlock()
 			return
 		}
 
@@ -1019,10 +1043,12 @@ func (o *consumer) setLeader(isLeader bool) {
 		}
 
 		var err error
-		if o.ackSub, err = o.subscribeInternal(o.ackSubj, o.pushAck); err != nil {
-			o.mu.Unlock()
-			o.deleteWithoutAdvisory()
-			return
+		if o.cfg.AckPolicy != AckNone {
+			if o.ackSub, err = o.subscribeInternal(o.ackSubj, o.pushAck); err != nil {
+				o.mu.Unlock()
+				o.deleteWithoutAdvisory()
+				return
+			}
 		}
 
 		// Setup the internal sub for next message requests regardless.
@@ -1065,7 +1091,7 @@ func (o *consumer) setLeader(isLeader bool) {
 		if o.dthresh > 0 && (o.isPullMode() || !o.active) {
 			// Pull consumer. We run the dtmr all the time for this one.
 			stopAndClearTimer(&o.dtmr)
-			o.dtmr = time.AfterFunc(o.dthresh, func() { o.deleteNotActive() })
+			o.dtmr = time.AfterFunc(o.dthresh, o.deleteNotActive)
 		}
 
 		// If we are not in ReplayInstant mode mark us as in replay state until resolved.
@@ -1080,6 +1106,7 @@ func (o *consumer) setLeader(isLeader bool) {
 		if node != nil && o.pch == nil {
 			o.pch = make(chan struct{}, 1)
 		}
+		pullMode := o.isPullMode()
 		o.mu.Unlock()
 
 		// Snapshot initial info.
@@ -1091,6 +1118,11 @@ func (o *consumer) setLeader(isLeader bool) {
 		// Now start up Go routine to process acks.
 		go o.processInboundAcks(qch)
 
+		if pullMode {
+			// Now start up Go routine to process inbound next message requests.
+			go o.processInboundNextMsgReqs(qch)
+		}
+
 		// If we are R>1 spin up our proposal loop.
 		if node != nil {
 			// Determine if we can send pending requests info to the group.
@@ -1107,7 +1139,10 @@ func (o *consumer) setLeader(isLeader bool) {
 			close(o.qch)
 			o.qch = nil
 		}
-		// Make sure to clear out any re delivery queues
+		// Stop any inactivity timers. Should only be running on leaders.
+		stopAndClearTimer(&o.dtmr)
+
+		// Make sure to clear out any re-deliver queues
 		stopAndClearTimer(&o.ptmr)
 		o.rdq, o.rdqi = nil, nil
 		o.pending = nil
@@ -1123,9 +1158,7 @@ func (o *consumer) setLeader(isLeader bool) {
 		// Reset waiting if we are in pull mode.
 		if o.isPullMode() {
 			o.waiting = newWaitQueue(o.cfg.MaxWaiting)
-			if !o.isDurable() {
-				stopAndClearTimer(&o.dtmr)
-			}
+			o.nextMsgReqs.drain()
 		} else if o.srv.gateway.enabled {
 			stopAndClearTimer(&o.gwdtmr)
 		}
@@ -1315,7 +1348,7 @@ func (o *consumer) updateDeliveryInterest(localInterest bool) bool {
 	// If we do not have interest anymore and have a delete threshold set, then set
 	// a timer to delete us. We wait for a bit in case of server reconnect.
 	if !interest && o.dthresh > 0 {
-		o.dtmr = time.AfterFunc(o.dthresh, func() { o.deleteNotActive() })
+		o.dtmr = time.AfterFunc(o.dthresh, o.deleteNotActive)
 		return true
 	}
 	return false
@@ -1342,7 +1375,7 @@ func (o *consumer) deleteNotActive() {
 			if o.dtmr != nil {
 				o.dtmr.Reset(o.dthresh - elapsed)
 			} else {
-				o.dtmr = time.AfterFunc(o.dthresh-elapsed, func() { o.deleteNotActive() })
+				o.dtmr = time.AfterFunc(o.dthresh-elapsed, o.deleteNotActive)
 			}
 			o.mu.Unlock()
 			return
@@ -1352,7 +1385,7 @@ func (o *consumer) deleteNotActive() {
 			if o.dtmr != nil {
 				o.dtmr.Reset(o.dthresh)
 			} else {
-				o.dtmr = time.AfterFunc(o.dthresh, func() { o.deleteNotActive() })
+				o.dtmr = time.AfterFunc(o.dthresh, o.deleteNotActive)
 			}
 			o.mu.Unlock()
 			return
@@ -1383,9 +1416,10 @@ func (o *consumer) deleteNotActive() {
 				defer ticker.Stop()
 				for range ticker.C {
 					js.mu.RLock()
-					ca := js.consumerAssignment(acc, stream, name)
+					nca := js.consumerAssignment(acc, stream, name)
 					js.mu.RUnlock()
-					if ca != nil {
+					// Make sure this is not a new consumer with the same name.
+					if nca != nil && nca == ca {
 						s.Warnf("Consumer assignment for '%s > %s > %s' not cleaned up, retrying", acc, stream, name)
 						meta.ForwardProposal(removeEntry)
 					} else {
@@ -1605,7 +1639,7 @@ func (o *consumer) updateConfig(cfg *ConsumerConfig) error {
 		stopAndClearTimer(&o.dtmr)
 		// Restart timer only if we are the leader.
 		if o.isLeader() && o.dthresh > 0 {
-			o.dtmr = time.AfterFunc(o.dthresh, func() { o.deleteNotActive() })
+			o.dtmr = time.AfterFunc(o.dthresh, o.deleteNotActive)
 		}
 	}
 
@@ -1691,7 +1725,7 @@ func newJSAckMsg(subj, reply string, hdr int, msg []byte) *jsAckMsg {
 	} else {
 		m = &jsAckMsg{}
 	}
-	// When getting something from a pool it is criticical that all fields are
+	// When getting something from a pool it is critical that all fields are
 	// initialized. Doing this way guarantees that if someone adds a field to
 	// the structure, the compiler will fail the build if this line is not updated.
 	(*m) = jsAckMsg{subj, reply, hdr, msg}
@@ -1791,7 +1825,9 @@ func (o *consumer) loopAndForwardProposals(qch chan struct{}) {
 		const maxBatch = 256 * 1024
 		var entries []*Entry
 		for sz := 0; proposal != nil; proposal = proposal.next {
-			entries = append(entries, &Entry{EntryNormal, proposal.data})
+			entry := entryPool.Get().(*Entry)
+			entry.Type, entry.Data = EntryNormal, proposal.data
+			entries = append(entries, entry)
 			sz += len(proposal.data)
 			if sz > maxBatch {
 				node.ProposeDirect(entries)
@@ -2280,6 +2316,16 @@ func (o *consumer) infoWithSnapAndReply(snap bool, reply string) *ConsumerInfo {
 		NumPending:     o.checkNumPending(),
 		PushBound:      o.isPushMode() && o.active,
 	}
+
+	// If we are replicated and we are not the leader we need to pull certain data from our store.
+	if rg != nil && rg.node != nil && !o.isLeader() && o.store != nil {
+		state, _ := o.store.BorrowState()
+		info.Delivered.Consumer, info.Delivered.Stream = state.Delivered.Consumer, state.Delivered.Stream
+		info.AckFloor.Consumer, info.AckFloor.Stream = state.AckFloor.Consumer, state.AckFloor.Stream
+		info.NumAckPending = len(state.Pending)
+		info.NumRedelivered = len(state.Redelivered)
+	}
+
 	// Adjust active based on non-zero etc. Also make UTC here.
 	if !o.ldt.IsZero() {
 		ldt := o.ldt.UTC() // This copies as well.
@@ -2371,6 +2417,11 @@ func (o *consumer) sampleAck(sseq, dseq, dc uint64) {
 
 func (o *consumer) processAckMsg(sseq, dseq, dc uint64, doSample bool) {
 	o.mu.Lock()
+	if o.closed {
+		o.mu.Unlock()
+		return
+	}
+
 	var sagap uint64
 	var needSignal bool
 
@@ -2478,20 +2529,25 @@ func (o *consumer) needAck(sseq uint64, subj string) bool {
 	var needAck bool
 	var asflr, osseq uint64
 	var pending map[uint64]*Pending
+
 	o.mu.RLock()
+	defer o.mu.RUnlock()
+
+	isFiltered := o.isFiltered()
+	if isFiltered && o.mset == nil {
+		return false
+	}
 
 	// Check if we are filtered, and if so check if this is even applicable to us.
-	if o.isFiltered() && o.mset != nil {
+	if isFiltered {
 		if subj == _EMPTY_ {
 			var svp StoreMsg
 			if _, err := o.mset.store.LoadMsg(sseq, &svp); err != nil {
-				o.mu.RUnlock()
 				return false
 			}
 			subj = svp.subj
 		}
 		if !o.isFilteredMatch(subj) {
-			o.mu.RUnlock()
 			return false
 		}
 	}
@@ -2501,15 +2557,12 @@ func (o *consumer) needAck(sseq uint64, subj string) bool {
 		pending = o.pending
 	} else {
 		if o.store == nil {
-			o.mu.RUnlock()
 			return false
 		}
 		state, err := o.store.BorrowState()
 		if err != nil || state == nil {
 			// Fall back to what we track internally for now.
-			needAck := sseq > o.asflr && !o.isFiltered()
-			o.mu.RUnlock()
-			return needAck
+			return sseq > o.asflr && !o.isFiltered()
 		}
 		// If loading state as here, the osseq is +1.
 		asflr, osseq, pending = state.AckFloor.Stream, state.Delivered.Stream+1, state.Pending
@@ -2528,7 +2581,6 @@ func (o *consumer) needAck(sseq uint64, subj string) bool {
 		}
 	}
 
-	o.mu.RUnlock()
 	return needAck
 }
 
@@ -2784,6 +2836,17 @@ func (o *consumer) nextWaiting(sz int) *waitingRequest {
 			} else if o.srv.gateway.enabled && o.srv.hasGatewayInterest(wr.acc.Name, wr.interest) {
 				return o.waiting.pop()
 			}
+		} else {
+			// We do check for expiration in `processWaiting`, but it is possible to hit the expiry here, and not there.
+			hdr := []byte(fmt.Sprintf("NATS/1.0 408 Request Timeout\r\n%s: %d\r\n%s: %d\r\n\r\n", JSPullRequestPendingMsgs, wr.n, JSPullRequestPendingBytes, wr.b))
+			o.outq.send(newJSPubMsg(wr.reply, _EMPTY_, _EMPTY_, hdr, nil, nil, 0))
+			o.waiting.removeCurrent()
+			if o.node != nil {
+				o.removeClusterPendingRequest(wr.reply)
+			}
+			wr.recycle()
+			continue
+
 		}
 		if wr.interest != wr.reply {
 			const intExpT = "NATS/1.0 408 Interest Expired\r\n%s: %d\r\n%s: %d\r\n\r\n"
@@ -2800,6 +2863,37 @@ func (o *consumer) nextWaiting(sz int) *waitingRequest {
 	return nil
 }
 
+// Next message request.
+type nextMsgReq struct {
+	reply string
+	msg   []byte
+}
+
+var nextMsgReqPool sync.Pool
+
+func newNextMsgReq(reply string, msg []byte) *nextMsgReq {
+	var nmr *nextMsgReq
+	m := nextMsgReqPool.Get()
+	if m != nil {
+		nmr = m.(*nextMsgReq)
+	} else {
+		nmr = &nextMsgReq{}
+	}
+	// When getting something from a pool it is critical that all fields are
+	// initialized. Doing this way guarantees that if someone adds a field to
+	// the structure, the compiler will fail the build if this line is not updated.
+	(*nmr) = nextMsgReq{reply, msg}
+	return nmr
+}
+
+func (nmr *nextMsgReq) returnToPool() {
+	if nmr == nil {
+		return
+	}
+	nmr.reply, nmr.msg = _EMPTY_, nil
+	nextMsgReqPool.Put(nmr)
+}
+
 // processNextMsgReq will process a request for the next message available. A nil message payload means deliver
 // a single message. If the payload is a formal request or a number parseable with Atoi(), then we will send a
 // batch of messages without requiring another request to this endpoint, or an ACK.
@@ -2807,21 +2901,16 @@ func (o *consumer) processNextMsgReq(_ *subscription, c *client, _ *Account, _,
 	if reply == _EMPTY_ {
 		return
 	}
-	_, msg = c.msgParts(msg)
 
-	inlineOk := c.kind != ROUTER && c.kind != GATEWAY && c.kind != LEAF
-	if !inlineOk {
-		// Check how long we have been away from the readloop for the route or gateway or leafnode.
-		// If too long move to a separate go routine.
-		if elapsed := time.Since(c.in.start); elapsed < noBlockThresh {
-			inlineOk = true
-		}
-	}
-	if inlineOk {
-		o.processNextMsgRequest(reply, msg)
-	} else {
-		go o.processNextMsgRequest(reply, copyBytes(msg))
+	// Short circuit error here.
+	if o.nextMsgReqs == nil {
+		hdr := []byte("NATS/1.0 409 Consumer is push based\r\n\r\n")
+		o.outq.send(newJSPubMsg(reply, _EMPTY_, _EMPTY_, hdr, nil, nil, 0))
+		return
 	}
+
+	_, msg = c.msgParts(msg)
+	o.nextMsgReqs.push(newNextMsgReq(reply, copyBytes(msg)))
 }
 
 func (o *consumer) processNextMsgRequest(reply string, msg []byte) {
@@ -2944,6 +3033,22 @@ func (o *consumer) incDeliveryCount(sseq uint64) uint64 {
 	return o.rdc[sseq] + 1
 }
 
+// Used if we have to adjust on failed delivery or bad lookups.
+// Those failed attempts should not increase deliver count.
+// Lock should be held.
+func (o *consumer) decDeliveryCount(sseq uint64) {
+	if o.rdc == nil {
+		return
+	}
+	if dc, ok := o.rdc[sseq]; ok {
+		if dc == 1 {
+			delete(o.rdc, sseq)
+		} else {
+			o.rdc[sseq] -= 1
+		}
+	}
+}
+
 // send a delivery exceeded advisory.
 func (o *consumer) notifyDeliveryExceeded(sseq, dc uint64, sm *StoreMsg) { // ** added by memphis (sm to notifyDeliveryExceeded) **
 	// *** added by memphis
@@ -2962,9 +3067,7 @@ func (o *consumer) notifyDeliveryExceeded(sseq, dc uint64, sm *StoreMsg) { // **
 		StreamSeq:  sseq,
 		Deliveries: dc,
 		Domain:     o.srv.getOpts().JetStreamDomain,
-		// ** added by memphis
-		Account: o.acc.GetName(),
-		// added by memphis **
+		Account:    o.acc.GetName(), // ** added by memphis
 	}
 	// added by memphis ***
 	if sm != nil {
@@ -3007,9 +3110,9 @@ var (
 // Is partition aware and redeliver aware.
 // Lock should be held.
 func (o *consumer) getNextMsg() (*jsPubMsg, uint64, bool, error) { // *** bool (redelivery) returned value added by memphis
-	redelivery := false
+	redelivery := false // ** added by memphis
 	if o.mset == nil || o.mset.store == nil {
-		return nil, 0, redelivery, errBadConsumer
+		return nil, 0, redelivery, errBadConsumer // ** redelivery added by memphis
 	}
 	seq, dc := o.sseq, uint64(1)
 	// Process redelivered messages before looking at possibly "skip list" (deliver last per subject)
@@ -3023,11 +3126,13 @@ func (o *consumer) getNextMsg() (*jsPubMsg, uint64, bool, error) { // *** bool (
 			if o.maxdc > 0 && dc > o.maxdc {
 				// Only send once
 				if dc == o.maxdc+1 {
-					// ** added by memphis (sm to notifyDeliveryExceeded) **
-					o.notifyDeliveryExceeded(seq, dc-1, sm)
+					o.notifyDeliveryExceeded(seq, dc-1, sm) // ** added by memphis (sm to notifyDeliveryExceeded) **
 				}
 				// Make sure to remove from pending.
-				delete(o.pending, seq)
+				if p, ok := o.pending[seq]; ok && p != nil {
+					delete(o.pending, seq)
+					o.updateDelivered(p.Sequence, seq, dc, p.Timestamp)
+				}
 				continue
 			}
 			if seq > 0 {
@@ -3038,9 +3143,11 @@ func (o *consumer) getNextMsg() (*jsPubMsg, uint64, bool, error) { // *** bool (
 				if sm == nil || err != nil {
 					pmsg.returnToPool()
 					pmsg, dc = nil, 0
+					// Adjust back deliver count.
+					o.decDeliveryCount(seq)
 				}
-				redelivery = true
-				return pmsg, dc, redelivery, err
+				redelivery = true                // ** added by memphis
+				return pmsg, dc, redelivery, err // ** redelivery added by memphis
 			}
 		}
 		// Fallback if all redeliveries are gone.
@@ -3063,7 +3170,7 @@ func (o *consumer) getNextMsg() (*jsPubMsg, uint64, bool, error) { // *** bool (
 	if o.maxp > 0 && len(o.pending) >= o.maxp {
 		// maxp only set when ack policy != AckNone and user set MaxAckPending
 		// Stall if we have hit max pending.
-		return nil, 0, redelivery, errMaxAckPending
+		return nil, 0, redelivery, errMaxAckPending // ** redelivery added by memphis
 	}
 
 	store := o.mset.store
@@ -3087,7 +3194,7 @@ func (o *consumer) getNextMsg() (*jsPubMsg, uint64, bool, error) { // *** bool (
 		}
 	}
 
-	return pmsg, dc, redelivery, err
+	return pmsg, dc, redelivery, err // ** redelivery added by memphis
 }
 
 // Will check for expiration and lack of interest on waiting requests.
@@ -3140,6 +3247,7 @@ func (o *consumer) processWaiting(eos bool) (int, int, int, time.Time) {
 				interest = true
 			}
 		}
+
 		// If interest, update batch pending requests counter and update fexp timer.
 		if interest {
 			brp += wr.n
@@ -3187,13 +3295,115 @@ func (o *consumer) hbTimer() (time.Duration, *time.Timer) {
 	return o.cfg.Heartbeat, time.NewTimer(o.cfg.Heartbeat)
 }
 
+// Check here for conditions when our ack floor may have drifted below the streams first sequence.
+// In general this is accounted for in normal operations, but if the consumer misses the signal from
+// the stream it will not clear the message and move the ack state.
+// Should only be called from consumer leader.
+func (o *consumer) checkAckFloor() {
+	o.mu.RLock()
+	mset, closed, asflr, numPending := o.mset, o.closed, o.asflr, len(o.pending)
+	o.mu.RUnlock()
+
+	if asflr == 0 || closed || mset == nil {
+		return
+	}
+
+	var ss StreamState
+	mset.store.FastState(&ss)
+
+	// If our floor is equal or greater that is normal and nothing for us to do.
+	if ss.FirstSeq == 0 || asflr >= ss.FirstSeq-1 {
+		return
+	}
+
+	// Check which linear space is less to walk.
+	if ss.FirstSeq-asflr-1 < uint64(numPending) {
+		// Process all messages that no longer exist.
+		for seq := asflr + 1; seq < ss.FirstSeq; seq++ {
+			// Check if this message was pending.
+			o.mu.RLock()
+			p, isPending := o.pending[seq]
+			var rdc uint64 = 1
+			if o.rdc != nil {
+				rdc = o.rdc[seq]
+			}
+			o.mu.RUnlock()
+			// If it was pending for us, get rid of it.
+			if isPending {
+				o.processTerm(seq, p.Sequence, rdc)
+			}
+		}
+	} else if numPending > 0 {
+		// here it is shorter to walk pending.
+		// toTerm is seq, dseq, rcd for each entry.
+		toTerm := make([]uint64, 0, numPending*3)
+		o.mu.RLock()
+		for seq, p := range o.pending {
+			if seq < ss.FirstSeq {
+				var dseq uint64 = 1
+				if p != nil {
+					dseq = p.Sequence
+				}
+				var rdc uint64 = 1
+				if o.rdc != nil {
+					rdc = o.rdc[seq]
+				}
+				toTerm = append(toTerm, seq, dseq, rdc)
+			}
+		}
+		o.mu.RUnlock()
+
+		for i := 0; i < len(toTerm); i += 3 {
+			seq, dseq, rdc := toTerm[i], toTerm[i+1], toTerm[i+2]
+			o.processTerm(seq, dseq, rdc)
+		}
+	}
+
+	// Do one final check here.
+	o.mu.Lock()
+	defer o.mu.Unlock()
+
+	// If we are here, and this should be rare, we still are off with our ack floor.
+	// We will set it explicitly to 1 behind our current lowest in pending, or if
+	// pending is empty, to our current delivered -1.
+	if o.asflr < ss.FirstSeq-1 {
+		var psseq, pdseq uint64
+		for seq, p := range o.pending {
+			if psseq == 0 || seq < psseq {
+				psseq, pdseq = seq, p.Sequence
+			}
+		}
+		// If we still have none, set to current delivered -1.
+		if psseq == 0 {
+			psseq, pdseq = o.sseq-1, o.dseq-1
+			// If still not adjusted.
+			if psseq < ss.FirstSeq-1 {
+				psseq, pdseq = ss.FirstSeq-1, ss.FirstSeq-1
+			}
+		}
+		o.asflr, o.adflr = psseq, pdseq
+	}
+}
+
 func (o *consumer) processInboundAcks(qch chan struct{}) {
 	// Grab the server lock to watch for server quit.
 	o.mu.RLock()
-	s := o.srv
+	s, mset := o.srv, o.mset
 	hasInactiveThresh := o.cfg.InactiveThreshold > 0
 	o.mu.RUnlock()
 
+	if s == nil || mset == nil {
+		return
+	}
+
+	// We will check this on entry and periodically.
+	o.checkAckFloor()
+
+	// How often we will check for ack floor drift.
+	// Spread these out for large numbers on a server restart.
+	delta := time.Duration(rand.Int63n(int64(time.Minute)))
+	var ackFloorCheck = time.Minute + delta
+
 	for {
 		select {
 		case <-o.ackMsgs.ch:
@@ -3207,6 +3417,32 @@ func (o *consumer) processInboundAcks(qch chan struct{}) {
 			if hasInactiveThresh {
 				o.suppressDeletion()
 			}
+		case <-time.After(ackFloorCheck):
+			o.checkAckFloor()
+		case <-qch:
+			return
+		case <-s.quitCh:
+			return
+		}
+	}
+}
+
+// Process inbound next message requests.
+func (o *consumer) processInboundNextMsgReqs(qch chan struct{}) {
+	// Grab the server lock to watch for server quit.
+	o.mu.RLock()
+	s := o.srv
+	o.mu.RUnlock()
+
+	for {
+		select {
+		case <-o.nextMsgReqs.ch:
+			reqs := o.nextMsgReqs.pop()
+			for _, req := range reqs {
+				o.processNextMsgRequest(req.reply, req.msg)
+				req.returnToPool()
+			}
+			o.nextMsgReqs.recycle(&reqs)
 		case <-qch:
 			return
 		case <-s.quitCh:
@@ -3279,15 +3515,13 @@ func (o *consumer) loopAndGatherMsgs(qch chan struct{}) {
 	// Deliver all the msgs we have now, once done or on a condition, we wait for new ones.
 	for {
 		var (
-			pmsg     *jsPubMsg
-			dc       uint64
-			dsubj    string
-			ackReply string
-			delay    time.Duration
-			sz       int
-			// *** Added by Memphis
-			redelivery bool
-			// Added by Memphis ***
+			pmsg       *jsPubMsg
+			dc         uint64
+			dsubj      string
+			ackReply   string
+			delay      time.Duration
+			sz         int
+			redelivery bool // *** Added by Memphis
 		)
 		o.mu.Lock()
 		// consumer is closed when mset is set to nil.
@@ -3310,7 +3544,7 @@ func (o *consumer) loopAndGatherMsgs(qch chan struct{}) {
 		}
 
 		// Grab our next msg.
-		pmsg, dc, redelivery, err = o.getNextMsg()
+		pmsg, dc, redelivery, err = o.getNextMsg() // ** redelivery added by memphis
 
 		// On error either wait or return.
 		if err != nil || pmsg == nil {
@@ -3318,10 +3552,16 @@ func (o *consumer) loopAndGatherMsgs(qch chan struct{}) {
 			if err == ErrStoreEOF {
 				o.checkNumPendingOnEOF()
 			}
-			if err == ErrStoreMsgNotFound || err == ErrStoreEOF || err == errMaxAckPending || err == errPartialCache {
+			if err == ErrStoreMsgNotFound || err == errDeletedMsg || err == ErrStoreEOF || err == errMaxAckPending {
+				goto waitForMsgs
+			} else if err == errPartialCache {
+				s.Warnf("Unexpected partial cache error looking up message for consumer '%s > %s > %s'",
+					o.mset.acc, o.mset.cfg.Name, o.cfg.Name)
 				goto waitForMsgs
+
 			} else {
-				s.Errorf("Received an error looking up message for consumer: %v", err)
+				s.Errorf("Received an error looking up message for consumer '%s > %s > %s': %v",
+					o.mset.acc, o.mset.cfg.Name, o.cfg.Name, err)
 				goto waitForMsgs
 			}
 		}
@@ -3723,20 +3963,39 @@ func (o *consumer) trackPending(sseq, dseq uint64) {
 	}
 }
 
+// Credit back a failed delivery.
+// lock should be held.
+func (o *consumer) creditWaitingRequest(reply string) {
+	for i, rp := 0, o.waiting.rp; i < o.waiting.n; i++ {
+		if wr := o.waiting.reqs[rp]; wr != nil {
+			if wr.reply == reply {
+				wr.n++
+				wr.d--
+				return
+			}
+		}
+		rp = (rp + 1) % cap(o.waiting.reqs)
+	}
+}
+
 // didNotDeliver is called when a delivery for a consumer message failed.
 // Depending on our state, we will process the failure.
-func (o *consumer) didNotDeliver(seq uint64) {
+func (o *consumer) didNotDeliver(seq uint64, subj string) {
 	o.mu.Lock()
 	mset := o.mset
 	if mset == nil {
 		o.mu.Unlock()
 		return
 	}
+	// Adjust back deliver count.
+	o.decDeliveryCount(seq)
+
 	var checkDeliveryInterest bool
 	if o.isPushMode() {
 		o.active = false
 		checkDeliveryInterest = true
 	} else if o.pending != nil {
+		o.creditWaitingRequest(subj)
 		// pull mode and we have pending.
 		if _, ok := o.pending[seq]; ok {
 			// We found this messsage on pending, we need
@@ -3822,7 +4081,8 @@ func (o *consumer) checkPending() {
 	o.mu.RLock()
 	mset := o.mset
 	// On stop, mset and timer will be nil.
-	if mset == nil || o.ptmr == nil {
+	if o.closed || mset == nil || o.ptmr == nil {
+		stopAndClearTimer(&o.ptmr)
 		o.mu.RUnlock()
 		return
 	}
@@ -4249,6 +4509,13 @@ func (o *consumer) delete() error {
 	return o.stopWithFlags(true, false, true, true)
 }
 
+// To test for closed state.
+func (o *consumer) isClosed() bool {
+	o.mu.RLock()
+	defer o.mu.RUnlock()
+	return o.closed
+}
+
 func (o *consumer) stopWithFlags(dflag, sdflag, doSignal, advisory bool) error {
 	o.mu.Lock()
 	js := o.js
@@ -4310,6 +4577,9 @@ func (o *consumer) stopWithFlags(dflag, sdflag, doSignal, advisory bool) error {
 	n := o.node
 	qgroup := o.cfg.DeliverGroup
 	o.ackMsgs.unregister()
+	if o.nextMsgReqs != nil {
+		o.nextMsgReqs.unregister()
+	}
 
 	// For cleaning up the node assignment.
 	var ca *consumerAssignment
@@ -4359,14 +4629,15 @@ func (o *consumer) stopWithFlags(dflag, sdflag, doSignal, advisory bool) error {
 		}
 
 		var rmseqs []uint64
-		mset.mu.RLock()
+		mset.mu.Lock()
 		for seq := start; seq <= stop; seq++ {
-			if !mset.checkInterest(seq, o) {
+			if mset.noInterest(seq, o) {
 				rmseqs = append(rmseqs, seq)
 			}
 		}
-		mset.mu.RUnlock()
+		mset.mu.Unlock()
 
+		// These can be removed.
 		for _, seq := range rmseqs {
 			mset.store.RemoveMsg(seq)
 		}
@@ -4378,7 +4649,7 @@ func (o *consumer) stopWithFlags(dflag, sdflag, doSignal, advisory bool) error {
 			n.Delete()
 		} else {
 			// Try to install snapshot on clean exit
-			if o.store != nil && n.NeedSnapshot() {
+			if o.store != nil && (o.retention != LimitsPolicy || n.NeedSnapshot()) {
 				if snap, err := o.store.EncodedState(); err == nil {
 					n.InstallSnapshot(snap)
 				}
@@ -4560,7 +4831,48 @@ func (o *consumer) clearMonitorRunning() {
 
 // Test whether we are in the monitor routine.
 func (o *consumer) isMonitorRunning() bool {
-	o.mu.Lock()
-	defer o.mu.Unlock()
+	o.mu.RLock()
+	defer o.mu.RUnlock()
 	return o.inMonitor
 }
+
+// If we are a consumer of an interest or workqueue policy stream, process that state and make sure consistent.
+func (o *consumer) checkStateForInterestStream() {
+	o.mu.Lock()
+	// See if we need to process this update if our parent stream is not a limits policy stream.
+	mset := o.mset
+	shouldProcessState := mset != nil && o.retention != LimitsPolicy
+	if o.closed || !shouldProcessState {
+		o.mu.Unlock()
+		return
+	}
+	state, err := o.store.State()
+	o.mu.Unlock()
+
+	if err != nil {
+		return
+	}
+
+	// We should make sure to update the acks.
+	var ss StreamState
+	mset.store.FastState(&ss)
+
+	asflr := state.AckFloor.Stream
+	for seq := ss.FirstSeq; seq <= asflr; seq++ {
+		mset.ackMsg(o, seq)
+	}
+
+	o.mu.RLock()
+	// See if we need to process this update if our parent stream is not a limits policy stream.
+	state, _ = o.store.State()
+	o.mu.RUnlock()
+
+	// If we have pending, we will need to walk through to delivered in case we missed any of those acks as well.
+	if state != nil && len(state.Pending) > 0 {
+		for seq := state.AckFloor.Stream + 1; seq <= state.Delivered.Stream; seq++ {
+			if _, ok := state.Pending[seq]; !ok {
+				mset.ackMsg(o, seq)
+			}
+		}
+	}
+}
diff --git a/server/core_benchmarks_test.go b/server/core_benchmarks_test.go
new file mode 100644
index 000000000..1ecb594e5
--- /dev/null
+++ b/server/core_benchmarks_test.go
@@ -0,0 +1,251 @@
+// Copyright 2023 The NATS Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package server
+
+import (
+	"crypto/rand"
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"os"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/nats-io/nats.go"
+)
+
+func BenchmarkCoreRequestReply(b *testing.B) {
+	const (
+		subject = "test-subject"
+	)
+
+	messageSizes := []int64{
+		1024,   // 1kb
+		4096,   // 4kb
+		40960,  // 40kb
+		409600, // 400kb
+	}
+
+	for _, messageSize := range messageSizes {
+		b.Run(fmt.Sprintf("msgSz=%db", messageSize), func(b *testing.B) {
+
+			// Start server
+			serverOpts := DefaultOptions()
+			server := RunServer(serverOpts)
+			defer server.Shutdown()
+
+			clientUrl := server.ClientURL()
+
+			// Create "echo" subscriber
+			ncSub, err := nats.Connect(clientUrl)
+			if err != nil {
+				b.Fatal(err)
+			}
+			defer ncSub.Close()
+			sub, err := ncSub.Subscribe(subject, func(msg *nats.Msg) {
+				// Responder echoes the request payload as-is
+				msg.Respond(msg.Data)
+			})
+			defer sub.Unsubscribe()
+			if err != nil {
+				b.Fatal(err)
+			}
+
+			// Create publisher
+			ncPub, err := nats.Connect(clientUrl)
+			if err != nil {
+				b.Fatal(err)
+			}
+			defer ncPub.Close()
+
+			var errors = 0
+
+			// Create message (reused for all requests)
+			messageData := make([]byte, messageSize)
+			b.SetBytes(messageSize)
+			rand.Read(messageData)
+
+			// Benchmark
+			b.ResetTimer()
+			for i := 0; i < b.N; i++ {
+				_, err := ncPub.Request(subject, messageData, time.Second)
+				if err != nil {
+					errors++
+				}
+			}
+			b.StopTimer()
+
+			b.ReportMetric(float64(errors), "errors")
+		})
+	}
+}
+
+func BenchmarkCoreTLSFanOut(b *testing.B) {
+	const (
+		subject            = "test-subject"
+		configsBasePath    = "./configs/tls"
+		maxPendingMessages = 25
+		maxPendingBytes    = 15 * 1024 * 1024 // 15MiB
+	)
+
+	keyTypeCases := []string{
+		"none",
+		"ed25519",
+		"rsa-1024",
+		"rsa-2048",
+		"rsa-4096",
+	}
+	messageSizeCases := []int64{
+		512 * 1024, // 512Kib
+	}
+	numSubsCases := []int{
+		5,
+	}
+
+	// Custom error handler that ignores ErrSlowConsumer.
+	// Lots of them are expected in this benchmark which indiscriminately publishes at a rate higher
+	// than what the server can fan-out to subscribers.
+	ignoreSlowConsumerErrorHandler := func(conn *nats.Conn, s *nats.Subscription, err error) {
+		if errors.Is(err, nats.ErrSlowConsumer) {
+			// Swallow this error
+		} else {
+			_, _ = fmt.Fprintf(os.Stderr, "Warning: %s\n", err)
+		}
+	}
+
+	for _, keyType := range keyTypeCases {
+
+		b.Run(
+			fmt.Sprintf("keyType=%s", keyType),
+			func(b *testing.B) {
+
+				for _, messageSize := range messageSizeCases {
+					b.Run(
+						fmt.Sprintf("msgSz=%db", messageSize),
+						func(b *testing.B) {
+
+							for _, numSubs := range numSubsCases {
+								b.Run(
+									fmt.Sprintf("subs=%d", numSubs),
+									func(b *testing.B) {
+										// Start server
+										configPath := fmt.Sprintf("%s/tls-%s.conf", configsBasePath, keyType)
+										server, _ := RunServerWithConfig(configPath)
+										defer server.Shutdown()
+
+										opts := []nats.Option{
+											nats.MaxReconnects(-1),
+											nats.ReconnectWait(0),
+											nats.ErrorHandler(ignoreSlowConsumerErrorHandler),
+										}
+
+										if keyType != "none" {
+											opts = append(opts, nats.Secure(&tls.Config{
+												InsecureSkipVerify: true,
+											}))
+										}
+
+										clientUrl := server.ClientURL()
+
+										// Count of messages received for by each subscriber
+										counters := make([]int, numSubs)
+
+										// Wait group for subscribers to signal they received b.N messages
+										var wg sync.WaitGroup
+										wg.Add(numSubs)
+
+										// Create subscribers
+										for i := 0; i < numSubs; i++ {
+											subIndex := i
+											ncSub, err := nats.Connect(clientUrl, opts...)
+											if err != nil {
+												b.Fatal(err)
+											}
+											defer ncSub.Close()
+											sub, err := ncSub.Subscribe(subject, func(msg *nats.Msg) {
+												counters[subIndex] += 1
+												if counters[subIndex] == b.N {
+													wg.Done()
+												}
+											})
+											if err != nil {
+												b.Fatalf("failed to subscribe: %s", err)
+											}
+											err = sub.SetPendingLimits(maxPendingMessages, maxPendingBytes)
+											if err != nil {
+												b.Fatalf("failed to set pending limits: %s", err)
+											}
+											defer sub.Unsubscribe()
+											if err != nil {
+												b.Fatal(err)
+											}
+										}
+
+										// publisher
+										ncPub, err := nats.Connect(clientUrl, opts...)
+										if err != nil {
+											b.Fatal(err)
+										}
+										defer ncPub.Close()
+
+										var errorCount = 0
+
+										// random bytes as payload
+										messageData := make([]byte, messageSize)
+										rand.Read(messageData)
+
+										quitCh := make(chan bool, 1)
+
+										publish := func() {
+											for {
+												select {
+												case <-quitCh:
+													return
+												default:
+													// continue publishing
+												}
+
+												err := ncPub.Publish(subject, messageData)
+												if err != nil {
+													errorCount += 1
+												}
+											}
+										}
+
+										// Set bytes per operation
+										b.SetBytes(messageSize)
+										// Start the clock
+										b.ResetTimer()
+										// Start publishing as fast as the server allows
+										go publish()
+										// Wait for all subscribers to have delivered b.N messages
+										wg.Wait()
+										// Stop the clock
+										b.StopTimer()
+
+										// Stop publisher
+										quitCh <- true
+
+										b.ReportMetric(float64(errorCount), "errors")
+									},
+								)
+							}
+						},
+					)
+				}
+			},
+		)
+	}
+}
diff --git a/server/dirstore.go b/server/dirstore.go
index cabd4a199..b39ab9ae0 100644
--- a/server/dirstore.go
+++ b/server/dirstore.go
@@ -288,6 +288,10 @@ func (store *DirJWTStore) PackWalk(maxJWTs int, cb func(partialPackMsg string))
 			if err != nil {
 				return err
 			}
+			if len(jwtBytes) == 0 {
+				// Skip if no contents in the JWT.
+				return nil
+			}
 			if exp != nil {
 				claim, err := jwt.DecodeGeneric(string(jwtBytes))
 				if err == nil && claim.Expires > 0 && claim.Expires < time.Now().Unix() {
@@ -406,6 +410,9 @@ func (store *DirJWTStore) load(publicKey string) (string, error) {
 // write that keeps hash of all jwt in sync
 // Assumes the lock is held. Does return true or an error never both.
 func (store *DirJWTStore) write(path string, publicKey string, theJWT string) (bool, error) {
+	if len(theJWT) == 0 {
+		return false, fmt.Errorf("invalid JWT")
+	}
 	var newHash *[sha256.Size]byte
 	if store.expiration != nil {
 		h := sha256.Sum256([]byte(theJWT))
diff --git a/server/disk_avail.go b/server/disk_avail.go
index 9ef2e76f2..9bddda80f 100644
--- a/server/disk_avail.go
+++ b/server/disk_avail.go
@@ -28,7 +28,7 @@ func diskAvailable(storeDir string) int64 {
 	}
 	var fs syscall.Statfs_t
 	if err := syscall.Statfs(storeDir, &fs); err == nil {
-		// Estimate 95% of available storage.
+		// Estimate 95% of available storage. // ** changed to 95 by Memphis
 		ba = int64(uint64(fs.Blocks) * uint64(fs.Bsize) / 20 * 19) // ** changed to 95% by Memphis **
 	} else {
 		// Used 1TB default as a guess if all else fails.
diff --git a/server/errors_gen.go b/server/errors_gen.go
index cd7dbd595..fca18a55a 100644
--- a/server/errors_gen.go
+++ b/server/errors_gen.go
@@ -1,19 +1,7 @@
 //go:build ignore
 // +build ignore
 
-// Copyright 2012-2018 The NATS Authors
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-package server
+package server // ** changed to server by Memphis **
 
 import (
 	"encoding/json"
diff --git a/server/events.go b/server/events.go
index 34b0fec10..97654e09c 100644
--- a/server/events.go
+++ b/server/events.go
@@ -1,4 +1,4 @@
-// Copyright 2018-2022 The NATS Authors
+// Copyright 2018-2023 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -10,17 +10,20 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+
 package server
 
 import (
 	"bytes"
 	"compress/gzip"
 	"crypto/sha256"
+	"crypto/x509"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"math/rand"
 	"net/http"
+	"runtime"
 	"strconv"
 	"strings"
 	"sync"
@@ -28,6 +31,7 @@ import (
 	"time"
 
 	"github.com/klauspost/compress/s2"
+	"github.com/memphisdev/memphis/server/certidp"
 	"github.com/memphisdev/memphis/server/pse"
 	"github.com/nats-io/jwt/v2"
 )
@@ -51,6 +55,7 @@ const (
 	connsRespSubj            = "$SYS._INBOX_.%s"
 	accConnsEventSubjNew     = "$SYS.ACCOUNT.%s.SERVER.CONNS"
 	accConnsEventSubjOld     = "$SYS.SERVER.ACCOUNT.%s.CONNS" // kept for backward compatibility
+	lameDuckEventSubj        = "$SYS.SERVER.%s.LAMEDUCK"
 	shutdownEventSubj        = "$SYS.SERVER.%s.SHUTDOWN"
 	authErrorEventSubj       = "$SYS.SERVER.%s.CLIENT.AUTH.ERR"
 	serverStatsSubj          = "$SYS.SERVER.%s.STATSZ"
@@ -76,31 +81,50 @@ const (
 
 	accReqTokens   = 5
 	accReqAccIndex = 3
+
+	ocspPeerRejectEventSubj           = "$SYS.SERVER.%s.OCSP.PEER.CONN.REJECT"
+	ocspPeerChainlinkInvalidEventSubj = "$SYS.SERVER.%s.OCSP.PEER.LINK.INVALID"
 )
 
 // FIXME(dlc) - make configurable.
 var eventsHBInterval = 30 * time.Second
 
+type sysMsgHandler func(sub *subscription, client *client, acc *Account, subject, reply string, hdr, msg []byte)
+
+// Used if we have to queue things internally to avoid the route/gw path.
+type inSysMsg struct {
+	sub  *subscription
+	c    *client
+	acc  *Account
+	subj string
+	rply string
+	hdr  []byte
+	msg  []byte
+	cb   sysMsgHandler
+}
+
 // Used to send and receive messages from inside the server.
 type internal struct {
-	account  *Account
-	client   *client
-	seq      uint64
-	sid      int
-	servers  map[string]*serverUpdate
-	sweeper  *time.Timer
-	stmr     *time.Timer
-	replies  map[string]msgHandler
-	sendq    *ipQueue[*pubMsg]
-	resetCh  chan struct{}
-	wg       sync.WaitGroup
-	sq       *sendq
-	orphMax  time.Duration
-	chkOrph  time.Duration
-	statsz   time.Duration
-	cstatsz  time.Duration
-	shash    string
-	inboxPre string
+	account        *Account
+	client         *client
+	seq            uint64
+	sid            int
+	servers        map[string]*serverUpdate
+	sweeper        *time.Timer
+	stmr           *time.Timer
+	replies        map[string]msgHandler
+	sendq          *ipQueue[*pubMsg]
+	recvq          *ipQueue[*inSysMsg]
+	resetCh        chan struct{}
+	wg             sync.WaitGroup
+	sq             *sendq
+	orphMax        time.Duration
+	chkOrph        time.Duration
+	statsz         time.Duration
+	cstatsz        time.Duration
+	shash          string
+	inboxPre       string
+	remoteStatsSub *subscription
 }
 
 // ServerStatsMsg is sent periodically with stats updates.
@@ -133,6 +157,34 @@ type DisconnectEventMsg struct {
 // DisconnectEventMsgType is the schema type for DisconnectEventMsg
 const DisconnectEventMsgType = "io.nats.server.advisory.v1.client_disconnect"
 
+// OCSPPeerRejectEventMsg is sent when a peer TLS handshake is ultimately rejected due to OCSP invalidation.
+// A "peer" can be an inbound client connection or a leaf connection to a remote server. Peer in event payload
+// is always the peer's (TLS) leaf cert, which may or may be the invalid cert (See also OCSPPeerChainlinkInvalidEventMsg)
+type OCSPPeerRejectEventMsg struct {
+	TypedEvent
+	Kind   string           `json:"kind"`
+	Peer   certidp.CertInfo `json:"peer"`
+	Server ServerInfo       `json:"server"`
+	Reason string           `json:"reason"`
+}
+
+// OCSPPeerRejectEventMsgType is the schema type for OCSPPeerRejectEventMsg
+const OCSPPeerRejectEventMsgType = "io.nats.server.advisory.v1.ocsp_peer_reject"
+
+// OCSPPeerChainlinkInvalidEventMsg is sent when a certificate (link) in a valid TLS chain is found to be OCSP invalid
+// during a peer TLS handshake. A "peer" can be an inbound client connection or a leaf connection to a remote server.
+// Peer and Link may be the same if the invalid cert was the peer's leaf cert
+type OCSPPeerChainlinkInvalidEventMsg struct {
+	TypedEvent
+	Link   certidp.CertInfo `json:"link"`
+	Peer   certidp.CertInfo `json:"peer"`
+	Server ServerInfo       `json:"server"`
+	Reason string           `json:"reason"`
+}
+
+// OCSPPeerChainlinkInvalidEventMsgType is the schema type for OCSPPeerChainlinkInvalidEventMsg
+const OCSPPeerChainlinkInvalidEventMsgType = "io.nats.server.advisory.v1.ocsp_peer_link_invalid"
+
 // AccountNumConns is an event that will be sent from a server that is tracking
 // a given account when the number of connections changes. It will also HB
 // updates in the absence of any changes.
@@ -298,6 +350,33 @@ type TypedEvent struct {
 	Time time.Time `json:"timestamp"`
 }
 
+// internalReceiveLoop will be responsible for dispatching all messages that
+// a server receives and needs to internally process, e.g. internal subs.
+func (s *Server) internalReceiveLoop() {
+	s.mu.RLock()
+	if s.sys == nil || s.sys.recvq == nil {
+		s.mu.RUnlock()
+		return
+	}
+	recvq := s.sys.recvq
+	s.mu.RUnlock()
+
+	for s.eventsRunning() {
+		select {
+		case <-recvq.ch:
+			msgs := recvq.pop()
+			for _, m := range msgs {
+				if m.cb != nil {
+					m.cb(m.sub, m.c, m.acc, m.subj, m.rply, m.hdr, m.msg)
+				}
+			}
+			recvq.recycle(&msgs)
+		case <-s.quitCh:
+			return
+		}
+	}
+}
+
 // internalSendLoop will be responsible for serializing all messages that
 // a server wants to send.
 func (s *Server) internalSendLoop(wg *sync.WaitGroup) {
@@ -454,6 +533,19 @@ RESET:
 	}
 }
 
+// Will send a shutdown message for lame-duck. Unlike sendShutdownEvent, this will
+// not close off the send queue or reply handler, as we may still have a workload
+// that needs migrating off.
+// Lock should be held.
+func (s *Server) sendLDMShutdownEventLocked() {
+	if s.sys == nil || s.sys.sendq == nil {
+		return
+	}
+	subj := fmt.Sprintf(lameDuckEventSubj, s.info.ID)
+	si := &ServerInfo{}
+	s.sys.sendq.push(newPubMsg(nil, subj, _EMPTY_, si, nil, si, noCompression, false, true))
+}
+
 // Will send a shutdown message.
 func (s *Server) sendShutdownEvent() {
 	s.mu.Lock()
@@ -611,11 +703,9 @@ func (s *Server) checkRemoteServers() {
 // Grab RSS and PCPU
 // Server lock will be held but released.
 func (s *Server) updateServerUsage(v *ServerStats) {
-	s.mu.Unlock()
-	defer s.mu.Lock()
 	var vss int64
 	pse.ProcUsage(&v.CPU, &v.Mem, &vss)
-	v.Cores = numCores
+	v.Cores = runtime.NumCPU()
 }
 
 // Generate a route stat for our statz update.
@@ -648,6 +738,32 @@ func routeStat(r *client) *RouteStat {
 func (s *Server) sendStatsz(subj string) {
 	var m ServerStatsMsg
 	s.updateServerUsage(&m.Stats)
+
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+
+	// Check that we have a system account, etc.
+	if s.sys == nil || s.sys.account == nil {
+		return
+	}
+
+	// if we are running standalone, check for interest.
+	if s.standAloneMode() {
+		// Check if we even have interest in this subject.
+		sacc := s.sys.account
+		rr := sacc.sl.Match(subj)
+		totalSubs := len(rr.psubs) + len(rr.qsubs)
+		if totalSubs == 0 {
+			return
+		} else if totalSubs == 1 && len(rr.psubs) == 1 {
+			// For the broadcast subject we listen to that ourselves with no echo for remote updates.
+			// If we are the only ones listening do not send either.
+			if rr.psubs[0] == s.sys.remoteStatsSub {
+				return
+			}
+		}
+	}
+
 	m.Stats.Start = s.start
 	m.Stats.Connections = len(s.clients)
 	m.Stats.TotalConnections = s.totalClients
@@ -691,14 +807,12 @@ func (s *Server) sendStatsz(subj string) {
 		gw.RUnlock()
 	}
 	// Active Servers
-	m.Stats.ActiveServers = 1
-	if s.sys != nil {
-		m.Stats.ActiveServers += len(s.sys.servers)
-	}
+	m.Stats.ActiveServers = len(s.sys.servers) + 1
+
 	// JetStream
 	if js := s.js; js != nil {
 		jStat := &JetStreamVarz{}
-		s.mu.Unlock()
+		s.mu.RUnlock()
 		js.mu.RLock()
 		c := js.config
 		c.StoreDir = _EMPTY_
@@ -740,7 +854,7 @@ func (s *Server) sendStatsz(subj string) {
 			}
 		}
 		m.Stats.JetStream = jStat
-		s.mu.Lock()
+		s.mu.RLock()
 	}
 	// Send message.
 	s.sendInternalMsg(subj, _EMPTY_, &m.Server, &m)
@@ -759,13 +873,12 @@ func (s *Server) heartbeatStatsz() {
 		}
 		s.sys.stmr.Reset(s.sys.cstatsz)
 	}
-	s.sendStatsz(fmt.Sprintf(serverStatsSubj, s.info.ID))
+	// Do in separate Go routine.
+	go s.sendStatszUpdate()
 }
 
 func (s *Server) sendStatszUpdate() {
-	s.mu.Lock()
-	s.sendStatsz(fmt.Sprintf(serverStatsSubj, s.info.ID))
-	s.mu.Unlock()
+	s.sendStatsz(fmt.Sprintf(serverStatsSubj, s.ID()))
 }
 
 // This should be wrapChk() to setup common locking.
@@ -790,35 +903,15 @@ func getHash(name string) string {
 	return getHashSize(name, sysHashLen)
 }
 
-var nameToHashSize8 = sync.Map{}
-var nameToHashSize6 = sync.Map{}
-
 // Computes a hash for the given `name`. The result will be `size` characters long.
 func getHashSize(name string, size int) string {
-	compute := func() string {
-		sha := sha256.New()
-		sha.Write([]byte(name))
-		b := sha.Sum(nil)
-		for i := 0; i < size; i++ {
-			b[i] = digits[int(b[i]%base)]
-		}
-		return string(b[:size])
-	}
-	var m *sync.Map
-	switch size {
-	case 8:
-		m = &nameToHashSize8
-	case 6:
-		m = &nameToHashSize6
-	default:
-		return compute()
-	}
-	if v, ok := m.Load(name); ok {
-		return v.(string)
+	sha := sha256.New()
+	sha.Write([]byte(name))
+	b := sha.Sum(nil)
+	for i := 0; i < size; i++ {
+		b[i] = digits[int(b[i]%base)]
 	}
-	h := compute()
-	m.Store(name, h)
-	return h
+	return string(b[:size])
 }
 
 // Returns the node name for this server which is a hash of the server name.
@@ -852,26 +945,36 @@ func (s *Server) initEventTracking() {
 	s.sys.inboxPre = subject
 	// This is for remote updates for connection accounting.
 	subject = fmt.Sprintf(accConnsEventSubjOld, "*")
-	if _, err := s.sysSubscribe(subject, s.remoteConnsUpdate); err != nil {
+	if _, err := s.sysSubscribe(subject, s.noInlineCallback(s.remoteConnsUpdate)); err != nil {
 		s.Errorf("Error setting up internal tracking for %s: %v", subject, err)
 	}
 	// This will be for responses for account info that we send out.
 	subject = fmt.Sprintf(connsRespSubj, s.info.ID)
-	if _, err := s.sysSubscribe(subject, s.remoteConnsUpdate); err != nil {
+	if _, err := s.sysSubscribe(subject, s.noInlineCallback(s.remoteConnsUpdate)); err != nil {
 		s.Errorf("Error setting up internal tracking: %v", err)
 	}
 	// Listen for broad requests to respond with number of subscriptions for a given subject.
-	if _, err := s.sysSubscribe(accNumSubsReqSubj, s.nsubsRequest); err != nil {
+	if _, err := s.sysSubscribe(accNumSubsReqSubj, s.noInlineCallback(s.nsubsRequest)); err != nil {
 		s.Errorf("Error setting up internal tracking: %v", err)
 	}
 	// Listen for statsz from others.
 	subject = fmt.Sprintf(serverStatsSubj, "*")
-	if _, err := s.sysSubscribe(subject, s.remoteServerUpdate); err != nil {
+	if sub, err := s.sysSubscribe(subject, s.noInlineCallback(s.remoteServerUpdate)); err != nil {
 		s.Errorf("Error setting up internal tracking: %v", err)
+	} else {
+		// Keep track of this one.
+		s.sys.remoteStatsSub = sub
 	}
 	// Listen for all server shutdowns.
 	subject = fmt.Sprintf(shutdownEventSubj, "*")
-	if _, err := s.sysSubscribe(subject, s.remoteServerShutdown); err != nil {
+	if _, err := s.sysSubscribe(subject, s.noInlineCallback(s.remoteServerShutdown)); err != nil {
+		s.Errorf("Error setting up internal tracking: %v", err)
+	}
+	// Listen for servers entering lame-duck mode.
+	// NOTE: This currently is handled in the same way as a server shutdown, but has
+	// a different subject in case we need to handle differently in future.
+	subject = fmt.Sprintf(lameDuckEventSubj, "*")
+	if _, err := s.sysSubscribe(subject, s.noInlineCallback(s.remoteServerShutdown)); err != nil {
 		s.Errorf("Error setting up internal tracking: %v", err)
 	}
 	// Listen for account claims updates.
@@ -881,62 +984,62 @@ func (s *Server) initEventTracking() {
 	}
 	if subscribeToUpdate {
 		for _, sub := range []string{accUpdateEventSubjOld, accUpdateEventSubjNew} {
-			if _, err := s.sysSubscribe(fmt.Sprintf(sub, "*"), s.accountClaimUpdate); err != nil {
+			if _, err := s.sysSubscribe(fmt.Sprintf(sub, "*"), s.noInlineCallback(s.accountClaimUpdate)); err != nil {
 				s.Errorf("Error setting up internal tracking: %v", err)
 			}
 		}
 	}
 	// Listen for ping messages that will be sent to all servers for statsz.
 	// This subscription is kept for backwards compatibility. Got replaced by ...PING.STATZ from below
-	if _, err := s.sysSubscribe(serverStatsPingReqSubj, s.statszReq); err != nil {
+	if _, err := s.sysSubscribe(serverStatsPingReqSubj, s.noInlineCallback(s.statszReq)); err != nil {
 		s.Errorf("Error setting up internal tracking: %v", err)
 	}
-	monSrvc := map[string]msgHandler{
+	monSrvc := map[string]sysMsgHandler{
 		"STATSZ": s.statszReq,
-		"VARZ": func(sub *subscription, c *client, _ *Account, subject, reply string, msg []byte) {
+		"VARZ": func(sub *subscription, c *client, _ *Account, subject, reply string, hdr, msg []byte) {
 			optz := &VarzEventOptions{}
-			s.zReq(c, reply, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) { return s.Varz(&optz.VarzOptions) })
+			s.zReq(c, reply, hdr, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) { return s.Varz(&optz.VarzOptions) })
 		},
-		"SUBSZ": func(sub *subscription, c *client, _ *Account, subject, reply string, msg []byte) {
+		"SUBSZ": func(sub *subscription, c *client, _ *Account, subject, reply string, hdr, msg []byte) {
 			optz := &SubszEventOptions{}
-			s.zReq(c, reply, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) { return s.Subsz(&optz.SubszOptions) })
+			s.zReq(c, reply, hdr, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) { return s.Subsz(&optz.SubszOptions) })
 		},
-		"CONNZ": func(sub *subscription, c *client, _ *Account, subject, reply string, msg []byte) {
+		"CONNZ": func(sub *subscription, c *client, _ *Account, subject, reply string, hdr, msg []byte) {
 			optz := &ConnzEventOptions{}
-			s.zReq(c, reply, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) { return s.Connz(&optz.ConnzOptions) })
+			s.zReq(c, reply, hdr, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) { return s.Connz(&optz.ConnzOptions) })
 		},
-		"ROUTEZ": func(sub *subscription, c *client, _ *Account, subject, reply string, msg []byte) {
+		"ROUTEZ": func(sub *subscription, c *client, _ *Account, subject, reply string, hdr, msg []byte) {
 			optz := &RoutezEventOptions{}
-			s.zReq(c, reply, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) { return s.Routez(&optz.RoutezOptions) })
+			s.zReq(c, reply, hdr, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) { return s.Routez(&optz.RoutezOptions) })
 		},
-		"GATEWAYZ": func(sub *subscription, c *client, _ *Account, subject, reply string, msg []byte) {
+		"GATEWAYZ": func(sub *subscription, c *client, _ *Account, subject, reply string, hdr, msg []byte) {
 			optz := &GatewayzEventOptions{}
-			s.zReq(c, reply, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) { return s.Gatewayz(&optz.GatewayzOptions) })
+			s.zReq(c, reply, hdr, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) { return s.Gatewayz(&optz.GatewayzOptions) })
 		},
-		"LEAFZ": func(sub *subscription, c *client, _ *Account, subject, reply string, msg []byte) {
+		"LEAFZ": func(sub *subscription, c *client, _ *Account, subject, reply string, hdr, msg []byte) {
 			optz := &LeafzEventOptions{}
-			s.zReq(c, reply, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) { return s.Leafz(&optz.LeafzOptions) })
+			s.zReq(c, reply, hdr, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) { return s.Leafz(&optz.LeafzOptions) })
 		},
-		"ACCOUNTZ": func(sub *subscription, c *client, _ *Account, subject, reply string, msg []byte) {
+		"ACCOUNTZ": func(sub *subscription, c *client, _ *Account, subject, reply string, hdr, msg []byte) {
 			optz := &AccountzEventOptions{}
-			s.zReq(c, reply, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) { return s.Accountz(&optz.AccountzOptions) })
+			s.zReq(c, reply, hdr, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) { return s.Accountz(&optz.AccountzOptions) })
 		},
-		"JSZ": func(sub *subscription, c *client, _ *Account, subject, reply string, msg []byte) {
+		"JSZ": func(sub *subscription, c *client, _ *Account, subject, reply string, hdr, msg []byte) {
 			optz := &JszEventOptions{}
-			s.zReq(c, reply, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) { return s.Jsz(&optz.JSzOptions) })
+			s.zReq(c, reply, hdr, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) { return s.Jsz(&optz.JSzOptions) })
 		},
-		"HEALTHZ": func(sub *subscription, c *client, _ *Account, subject, reply string, msg []byte) {
+		"HEALTHZ": func(sub *subscription, c *client, _ *Account, subject, reply string, hdr, msg []byte) {
 			optz := &HealthzEventOptions{}
-			s.zReq(c, reply, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) { return s.healthz(&optz.HealthzOptions), nil })
+			s.zReq(c, reply, hdr, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) { return s.healthz(&optz.HealthzOptions), nil })
 		},
 	}
 	for name, req := range monSrvc {
 		subject = fmt.Sprintf(serverDirectReqSubj, s.info.ID, name)
-		if _, err := s.sysSubscribe(subject, req); err != nil {
+		if _, err := s.sysSubscribe(subject, s.noInlineCallback(req)); err != nil {
 			s.Errorf("Error setting up internal tracking: %v", err)
 		}
 		subject = fmt.Sprintf(serverPingReqSubj, name)
-		if _, err := s.sysSubscribe(subject, req); err != nil {
+		if _, err := s.sysSubscribe(subject, s.noInlineCallback(req)); err != nil {
 			s.Errorf("Error setting up internal tracking: %v", err)
 		}
 	}
@@ -947,10 +1050,10 @@ func (s *Server) initEventTracking() {
 			return tk[accReqAccIndex], nil
 		}
 	}
-	monAccSrvc := map[string]msgHandler{
-		"SUBSZ": func(sub *subscription, c *client, _ *Account, subject, reply string, msg []byte) {
+	monAccSrvc := map[string]sysMsgHandler{
+		"SUBSZ": func(sub *subscription, c *client, _ *Account, subject, reply string, hdr, msg []byte) {
 			optz := &SubszEventOptions{}
-			s.zReq(c, reply, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) {
+			s.zReq(c, reply, hdr, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) {
 				if acc, err := extractAccount(c, subject, msg); err != nil {
 					return nil, err
 				} else {
@@ -960,9 +1063,9 @@ func (s *Server) initEventTracking() {
 				}
 			})
 		},
-		"CONNZ": func(sub *subscription, c *client, _ *Account, subject, reply string, msg []byte) {
+		"CONNZ": func(sub *subscription, c *client, _ *Account, subject, reply string, hdr, msg []byte) {
 			optz := &ConnzEventOptions{}
-			s.zReq(c, reply, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) {
+			s.zReq(c, reply, hdr, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) {
 				if acc, err := extractAccount(c, subject, msg); err != nil {
 					return nil, err
 				} else {
@@ -971,9 +1074,9 @@ func (s *Server) initEventTracking() {
 				}
 			})
 		},
-		"LEAFZ": func(sub *subscription, c *client, _ *Account, subject, reply string, msg []byte) {
+		"LEAFZ": func(sub *subscription, c *client, _ *Account, subject, reply string, hdr, msg []byte) {
 			optz := &LeafzEventOptions{}
-			s.zReq(c, reply, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) {
+			s.zReq(c, reply, hdr, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) {
 				if acc, err := extractAccount(c, subject, msg); err != nil {
 					return nil, err
 				} else {
@@ -982,9 +1085,9 @@ func (s *Server) initEventTracking() {
 				}
 			})
 		},
-		"JSZ": func(sub *subscription, c *client, _ *Account, subject, reply string, msg []byte) {
+		"JSZ": func(sub *subscription, c *client, _ *Account, subject, reply string, hdr, msg []byte) {
 			optz := &JszEventOptions{}
-			s.zReq(c, reply, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) {
+			s.zReq(c, reply, hdr, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) {
 				if acc, err := extractAccount(c, subject, msg); err != nil {
 					return nil, err
 				} else {
@@ -993,9 +1096,9 @@ func (s *Server) initEventTracking() {
 				}
 			})
 		},
-		"INFO": func(sub *subscription, c *client, _ *Account, subject, reply string, msg []byte) {
+		"INFO": func(sub *subscription, c *client, _ *Account, subject, reply string, hdr, msg []byte) {
 			optz := &AccInfoEventOptions{}
-			s.zReq(c, reply, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) {
+			s.zReq(c, reply, hdr, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) {
 				if acc, err := extractAccount(c, subject, msg); err != nil {
 					return nil, err
 				} else {
@@ -1006,9 +1109,9 @@ func (s *Server) initEventTracking() {
 		// STATZ is essentially a duplicate of CONNS with an envelope identical to the others.
 		// For historical reasons CONNS is the odd one out.
 		// STATZ is also less heavy weight than INFO
-		"STATZ": func(sub *subscription, c *client, _ *Account, subject, reply string, msg []byte) {
+		"STATZ": func(sub *subscription, c *client, _ *Account, subject, reply string, hdr, msg []byte) {
 			optz := &AccountStatzEventOptions{}
-			s.zReq(c, reply, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) {
+			s.zReq(c, reply, hdr, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) {
 				if acc, err := extractAccount(c, subject, msg); err != nil {
 					return nil, err
 				} else if acc == "PING" { // Filter PING subject. Happens for server as well. But wildcards are not used
@@ -1028,16 +1131,16 @@ func (s *Server) initEventTracking() {
 		"CONNS": s.connsRequest,
 	}
 	for name, req := range monAccSrvc {
-		if _, err := s.sysSubscribe(fmt.Sprintf(accDirectReqSubj, "*", name), req); err != nil {
+		if _, err := s.sysSubscribe(fmt.Sprintf(accDirectReqSubj, "*", name), s.noInlineCallback(req)); err != nil {
 			s.Errorf("Error setting up internal tracking: %v", err)
 		}
 	}
 
 	// For now only the STATZ subject has an account specific ping equivalent.
 	if _, err := s.sysSubscribe(fmt.Sprintf(accPingReqSubj, "STATZ"),
-		func(sub *subscription, c *client, _ *Account, subject, reply string, msg []byte) {
+		s.noInlineCallback(func(sub *subscription, c *client, _ *Account, subject, reply string, hdr, msg []byte) {
 			optz := &AccountStatzEventOptions{}
-			s.zReq(c, reply, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) {
+			s.zReq(c, reply, hdr, msg, &optz.EventFilterOptions, optz, func() (interface{}, error) {
 				if stz, err := s.AccountStatz(&optz.AccountStatzOptions); err != nil {
 					return nil, err
 				} else if len(stz.Accounts) == 0 && !optz.IncludeUnused {
@@ -1046,23 +1149,23 @@ func (s *Server) initEventTracking() {
 					return stz, nil
 				}
 			})
-		}); err != nil {
+		})); err != nil {
 		s.Errorf("Error setting up internal tracking: %v", err)
 	}
 
 	// Listen for updates when leaf nodes connect for a given account. This will
 	// force any gateway connections to move to `modeInterestOnly`
 	subject = fmt.Sprintf(leafNodeConnectEventSubj, "*")
-	if _, err := s.sysSubscribe(subject, s.leafNodeConnected); err != nil {
+	if _, err := s.sysSubscribe(subject, s.noInlineCallback(s.leafNodeConnected)); err != nil {
 		s.Errorf("Error setting up internal tracking: %v", err)
 	}
 	// For tracking remote latency measurements.
 	subject = fmt.Sprintf(remoteLatencyEventSubj, s.sys.shash)
-	if _, err := s.sysSubscribe(subject, s.remoteLatencyUpdate); err != nil {
+	if _, err := s.sysSubscribe(subject, s.noInlineCallback(s.remoteLatencyUpdate)); err != nil {
 		s.Errorf("Error setting up internal latency tracking: %v", err)
 	}
 	// This is for simple debugging of number of subscribers that exist in the system.
-	if _, err := s.sysSubscribeInternal(accSubsSubj, s.debugSubscribers); err != nil {
+	if _, err := s.sysSubscribeInternal(accSubsSubj, s.noInlineCallback(s.debugSubscribers)); err != nil {
 		s.Errorf("Error setting up internal debug service for subscribers: %v", err)
 	}
 }
@@ -1130,7 +1233,7 @@ func (s *Server) addSystemAccountExports(sacc *Account) {
 }
 
 // accountClaimUpdate will receive claim updates for accounts.
-func (s *Server) accountClaimUpdate(sub *subscription, c *client, _ *Account, subject, resp string, rmsg []byte) {
+func (s *Server) accountClaimUpdate(sub *subscription, c *client, _ *Account, subject, resp string, hdr, msg []byte) {
 	if !s.EventsEnabled() {
 		return
 	}
@@ -1144,7 +1247,7 @@ func (s *Server) accountClaimUpdate(sub *subscription, c *client, _ *Account, su
 		s.Debugf("Received account claims update on bad subject %q", subject)
 		return
 	}
-	if _, msg := c.msgParts(rmsg); len(msg) == 0 {
+	if len(msg) == 0 {
 		err := errors.New("request body is empty")
 		respondToUpdate(s, resp, pubKey, "jwt update error", err)
 	} else if claim, err := jwt.DecodeAccountClaims(string(msg)); err != nil {
@@ -1187,7 +1290,7 @@ func (s *Server) sameDomain(domain string) bool {
 }
 
 // remoteServerShutdownEvent is called when we get an event from another server shutting down.
-func (s *Server) remoteServerShutdown(sub *subscription, c *client, _ *Account, subject, reply string, rmsg []byte) {
+func (s *Server) remoteServerShutdown(sub *subscription, c *client, _ *Account, subject, reply string, hdr, msg []byte) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	if !s.eventsEnabled() {
@@ -1199,7 +1302,6 @@ func (s *Server) remoteServerShutdown(sub *subscription, c *client, _ *Account,
 		return
 	}
 
-	_, msg := c.msgParts(rmsg)
 	if len(msg) == 0 {
 		s.Errorf("Remote server sent invalid (empty) shutdown message to %q", subject)
 		return
@@ -1230,9 +1332,9 @@ func (s *Server) remoteServerShutdown(sub *subscription, c *client, _ *Account,
 }
 
 // remoteServerUpdate listens for statsz updates from other servers.
-func (s *Server) remoteServerUpdate(sub *subscription, c *client, _ *Account, subject, reply string, rmsg []byte) {
+func (s *Server) remoteServerUpdate(sub *subscription, c *client, _ *Account, subject, reply string, hdr, msg []byte) {
 	var ssm ServerStatsMsg
-	if _, msg := c.msgParts(rmsg); len(msg) == 0 {
+	if len(msg) == 0 {
 		s.Debugf("Received empty server info for remote server update")
 		return
 	} else if err := json.Unmarshal(msg, &ssm); err != nil {
@@ -1244,6 +1346,13 @@ func (s *Server) remoteServerUpdate(sub *subscription, c *client, _ *Account, su
 	}
 	si := ssm.Server
 
+	// Should do normal updates before bailing if wrong domain.
+	s.mu.Lock()
+	if s.running && s.eventsEnabled() && ssm.Server.ID != s.info.ID {
+		s.updateRemoteServer(&si)
+	}
+	s.mu.Unlock()
+
 	// JetStream node updates.
 	if !s.sameDomain(si.Domain) {
 		return
@@ -1269,11 +1378,6 @@ func (s *Server) remoteServerUpdate(sub *subscription, c *client, _ *Account, su
 		stats,
 		false, si.JetStream,
 	})
-	s.mu.Lock()
-	if s.running && s.eventsEnabled() && ssm.Server.ID != s.info.ID {
-		s.updateRemoteServer(&si)
-	}
-	s.mu.Unlock()
 }
 
 // updateRemoteServer is called when we have an update from a remote server.
@@ -1312,7 +1416,8 @@ func (s *Server) processNewServer(si *ServerInfo) {
 		}
 	}
 	// Announce ourselves..
-	s.sendStatsz(fmt.Sprintf(serverStatsSubj, s.info.ID))
+	// Do this in a separate Go routine.
+	go s.sendStatszUpdate()
 }
 
 // If GW is enabled on this server and there are any leaf node connections,
@@ -1365,7 +1470,7 @@ func (s *Server) shutdownEventing() {
 }
 
 // Request for our local connection count.
-func (s *Server) connsRequest(sub *subscription, c *client, _ *Account, subject, reply string, rmsg []byte) {
+func (s *Server) connsRequest(sub *subscription, c *client, _ *Account, subject, reply string, hdr, msg []byte) {
 	if !s.eventsRunning() {
 		return
 	}
@@ -1376,7 +1481,7 @@ func (s *Server) connsRequest(sub *subscription, c *client, _ *Account, subject,
 	}
 	a := tk[accReqAccIndex]
 	m := accNumConnsReq{Account: a}
-	if _, msg := c.msgParts(rmsg); len(msg) > 0 {
+	if len(msg) > 0 {
 		if err := json.Unmarshal(msg, &m); err != nil {
 			s.sys.client.Errorf("Error unmarshalling account connections request message: %v", err)
 			return
@@ -1404,7 +1509,7 @@ func (s *Server) connsRequest(sub *subscription, c *client, _ *Account, subject,
 }
 
 // leafNodeConnected is an event we will receive when a leaf node for a given account connects.
-func (s *Server) leafNodeConnected(sub *subscription, _ *client, _ *Account, subject, reply string, msg []byte) {
+func (s *Server) leafNodeConnected(sub *subscription, _ *client, _ *Account, subject, reply string, hdr, msg []byte) {
 	m := accNumConnsReq{}
 	if err := json.Unmarshal(msg, &m); err != nil {
 		s.sys.client.Errorf("Error unmarshalling account connections request message: %v", err)
@@ -1563,7 +1668,7 @@ type ServerAPIConnzResponse struct {
 }
 
 // statszReq is a request for us to respond with current statsz.
-func (s *Server) statszReq(sub *subscription, c *client, _ *Account, subject, reply string, rmsg []byte) {
+func (s *Server) statszReq(sub *subscription, c *client, _ *Account, subject, reply string, hdr, msg []byte) {
 	if !s.EventsEnabled() {
 		return
 	}
@@ -1574,7 +1679,7 @@ func (s *Server) statszReq(sub *subscription, c *client, _ *Account, subject, re
 	}
 
 	opts := StatszEventOptions{}
-	if _, msg := c.msgParts(rmsg); len(msg) != 0 {
+	if len(msg) != 0 {
 		if err := json.Unmarshal(msg, &opts); err != nil {
 			response := &ServerAPIResponse{
 				Server: &ServerInfo{},
@@ -1586,9 +1691,7 @@ func (s *Server) statszReq(sub *subscription, c *client, _ *Account, subject, re
 			return
 		}
 	}
-	s.mu.Lock()
 	s.sendStatsz(reply)
-	s.mu.Unlock()
 }
 
 var errSkipZreq = errors.New("filtered response")
@@ -1613,14 +1716,13 @@ func getAcceptEncoding(hdr []byte) compressionType {
 	return unsupportedCompression
 }
 
-func (s *Server) zReq(c *client, reply string, rmsg []byte, fOpts *EventFilterOptions, optz interface{}, respf func() (interface{}, error)) {
+func (s *Server) zReq(c *client, reply string, hdr, msg []byte, fOpts *EventFilterOptions, optz interface{}, respf func() (interface{}, error)) {
 	if !s.EventsEnabled() || reply == _EMPTY_ {
 		return
 	}
 	response := &ServerAPIResponse{Server: &ServerInfo{}}
 	var err error
 	status := 0
-	hdr, msg := c.msgParts(rmsg)
 	if len(msg) != 0 {
 		if err = json.Unmarshal(msg, optz); err != nil {
 			status = http.StatusBadRequest // status is only included on error, so record how far execution got
@@ -1645,12 +1747,12 @@ func (s *Server) zReq(c *client, reply string, rmsg []byte, fOpts *EventFilterOp
 }
 
 // remoteConnsUpdate gets called when we receive a remote update from another server.
-func (s *Server) remoteConnsUpdate(sub *subscription, c *client, _ *Account, subject, reply string, rmsg []byte) {
+func (s *Server) remoteConnsUpdate(sub *subscription, c *client, _ *Account, subject, reply string, hdr, msg []byte) {
 	if !s.eventsRunning() {
 		return
 	}
 	var m AccountNumConns
-	if _, msg := c.msgParts(rmsg); len(msg) == 0 {
+	if len(msg) == 0 {
 		s.sys.client.Errorf("No message body provided")
 		return
 	} else if err := json.Unmarshal(msg, &m); err != nil {
@@ -1694,7 +1796,7 @@ func (s *Server) remoteConnsUpdate(sub *subscription, c *client, _ *Account, sub
 
 // This will import any system level exports.
 func (s *Server) registerSystemImports(a *Account) {
-	if a == nil || !s.eventsEnabled() {
+	if a == nil || !s.EventsEnabled() {
 		return
 	}
 	sacc := s.SystemAccount()
@@ -2005,6 +2107,25 @@ func (s *Server) sendAuthErrorEvent(c *client) {
 // rmsg contains header and the message. use client.msgParts(rmsg) to split them apart
 type msgHandler func(sub *subscription, client *client, acc *Account, subject, reply string, rmsg []byte)
 
+// Create a wrapped callback handler for the subscription that will move it to an
+// internal recvQ for processing not inline with routes etc.
+func (s *Server) noInlineCallback(cb sysMsgHandler) msgHandler {
+	s.mu.RLock()
+	if !s.eventsEnabled() {
+		s.mu.RUnlock()
+		return nil
+	}
+	// Capture here for direct reference to avoid any unnecessary blocking inline with routes, gateways etc.
+	recvq := s.sys.recvq
+	s.mu.RUnlock()
+
+	return func(sub *subscription, c *client, acc *Account, subj, rply string, rmsg []byte) {
+		// Need to copy and split here.
+		hdr, msg := c.msgParts(rmsg)
+		recvq.push(&inSysMsg{sub, c, acc, subj, rply, copyBytes(hdr), copyBytes(msg), cb})
+	}
+}
+
 // Create an internal subscription. sysSubscribeQ for queue groups.
 func (s *Server) sysSubscribe(subject string, cb msgHandler) (*subscription, error) {
 	return s.systemSubscribe(subject, _EMPTY_, false, nil, cb)
@@ -2044,9 +2165,10 @@ func (s *Server) systemSubscribe(subject, queue string, internalOnly bool, c *cl
 	}
 
 	var q []byte
-	if queue != "" {
+	if queue != _EMPTY_ {
 		q = []byte(queue)
 	}
+
 	// Now create the subscription
 	return c.processSub([]byte(subject), q, []byte(sid), cb, internalOnly)
 }
@@ -2079,11 +2201,11 @@ func remoteLatencySubjectForResponse(subject []byte) string {
 }
 
 // remoteLatencyUpdate is used to track remote latency measurements for tracking on exported services.
-func (s *Server) remoteLatencyUpdate(sub *subscription, _ *client, _ *Account, subject, _ string, msg []byte) {
+func (s *Server) remoteLatencyUpdate(sub *subscription, _ *client, _ *Account, subject, _ string, hdr, msg []byte) {
 	if !s.eventsRunning() {
 		return
 	}
-	rl := remoteLatency{}
+	var rl remoteLatency
 	if err := json.Unmarshal(msg, &rl); err != nil {
 		s.Errorf("Error unmarshalling remote latency measurement: %v", err)
 		return
@@ -2105,25 +2227,21 @@ func (s *Server) remoteLatencyUpdate(sub *subscription, _ *client, _ *Account, s
 		acc.mu.RUnlock()
 		return
 	}
-	m1 := si.m1
-	m2 := rl.M2
-
 	lsub := si.latency.subject
 	acc.mu.RUnlock()
 
+	si.acc.mu.Lock()
+	m1 := si.m1
+	m2 := rl.M2
+
 	// So we have not processed the response tracking measurement yet.
 	if m1 == nil {
-		si.acc.mu.Lock()
-		// Double check since could have slipped in.
-		m1 = si.m1
-		if m1 == nil {
-			// Store our value there for them to pick up.
-			si.m1 = &m2
-		}
-		si.acc.mu.Unlock()
-		if m1 == nil {
-			return
-		}
+		// Store our value there for them to pick up.
+		si.m1 = &m2
+	}
+	si.acc.mu.Unlock()
+	if m1 == nil {
+		return
 	}
 
 	// Calculate the correct latencies given M1 and M2.
@@ -2215,7 +2333,7 @@ func totalSubs(rr *SublistResult, qg []byte) (nsubs int32) {
 
 // Allows users of large systems to debug active subscribers for a given subject.
 // Payload should be the subject of interest.
-func (s *Server) debugSubscribers(sub *subscription, c *client, _ *Account, subject, reply string, rmsg []byte) {
+func (s *Server) debugSubscribers(sub *subscription, c *client, _ *Account, subject, reply string, hdr, msg []byte) {
 	// Even though this is an internal only subscription, meaning interest was not forwarded, we could
 	// get one here from a GW in optimistic mode. Ignore for now.
 	// FIXME(dlc) - Should we send no interest here back to the GW?
@@ -2223,8 +2341,26 @@ func (s *Server) debugSubscribers(sub *subscription, c *client, _ *Account, subj
 		return
 	}
 
-	_, acc, _, msg, err := s.getRequestInfo(c, rmsg)
-	if err != nil {
+	var ci ClientInfo
+	if len(hdr) > 0 {
+		if err := json.Unmarshal(getHeader(ClientInfoHdr, hdr), &ci); err != nil {
+			return
+		}
+	}
+
+	var acc *Account
+	if ci.Service != _EMPTY_ {
+		acc, _ = s.LookupAccount(ci.Service)
+	} else if ci.Account != _EMPTY_ {
+		acc, _ = s.LookupAccount(ci.Account)
+	} else {
+		// Direct $SYS access.
+		acc = c.acc
+		if acc == nil {
+			acc = s.SystemAccount()
+		}
+	}
+	if acc == nil {
 		return
 	}
 
@@ -2325,12 +2461,12 @@ func (s *Server) debugSubscribers(sub *subscription, c *client, _ *Account, subj
 
 // Request for our local subscription count. This will come from a remote origin server
 // that received the initial request.
-func (s *Server) nsubsRequest(sub *subscription, c *client, _ *Account, subject, reply string, rmsg []byte) {
+func (s *Server) nsubsRequest(sub *subscription, c *client, _ *Account, subject, reply string, hdr, msg []byte) {
 	if !s.eventsRunning() {
 		return
 	}
 	m := accNumSubsReq{}
-	if _, msg := c.msgParts(rmsg); len(msg) == 0 {
+	if len(msg) == 0 {
 		s.sys.client.Errorf("request requires a body")
 		return
 	} else if err := json.Unmarshal(msg, &m); err != nil {
@@ -2405,3 +2541,74 @@ func (s *Server) wrapChk(f func()) func() {
 		s.mu.Unlock()
 	}
 }
+
+// sendOCSPPeerRejectEvent sends a system level event to system account when a peer connection is
+// rejected due to OCSP invalid status of its trust chain(s).
+func (s *Server) sendOCSPPeerRejectEvent(kind string, peer *x509.Certificate, reason string) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if !s.eventsEnabled() {
+		return
+	}
+	if peer == nil {
+		s.Errorf(certidp.ErrPeerEmptyNoEvent)
+		return
+	}
+	eid := s.nextEventID()
+	now := time.Now().UTC()
+	m := OCSPPeerRejectEventMsg{
+		TypedEvent: TypedEvent{
+			Type: OCSPPeerRejectEventMsgType,
+			ID:   eid,
+			Time: now,
+		},
+		Kind: kind,
+		Peer: certidp.CertInfo{
+			Subject:     certidp.GetSubjectDNForm(peer),
+			Issuer:      certidp.GetIssuerDNForm(peer),
+			Fingerprint: certidp.GenerateFingerprint(peer),
+			Raw:         peer.Raw,
+		},
+		Reason: reason,
+	}
+	subj := fmt.Sprintf(ocspPeerRejectEventSubj, s.info.ID)
+	s.sendInternalMsg(subj, _EMPTY_, &m.Server, &m)
+}
+
+// sendOCSPPeerChainlinkInvalidEvent sends a system level event to system account when a link in a peer's trust chain
+// is OCSP invalid.
+func (s *Server) sendOCSPPeerChainlinkInvalidEvent(peer *x509.Certificate, link *x509.Certificate, reason string) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if !s.eventsEnabled() {
+		return
+	}
+	if peer == nil || link == nil {
+		s.Errorf(certidp.ErrPeerEmptyNoEvent)
+		return
+	}
+	eid := s.nextEventID()
+	now := time.Now().UTC()
+	m := OCSPPeerChainlinkInvalidEventMsg{
+		TypedEvent: TypedEvent{
+			Type: OCSPPeerChainlinkInvalidEventMsgType,
+			ID:   eid,
+			Time: now,
+		},
+		Link: certidp.CertInfo{
+			Subject:     certidp.GetSubjectDNForm(link),
+			Issuer:      certidp.GetIssuerDNForm(link),
+			Fingerprint: certidp.GenerateFingerprint(link),
+			Raw:         link.Raw,
+		},
+		Peer: certidp.CertInfo{
+			Subject:     certidp.GetSubjectDNForm(peer),
+			Issuer:      certidp.GetIssuerDNForm(peer),
+			Fingerprint: certidp.GenerateFingerprint(peer),
+			Raw:         peer.Raw,
+		},
+		Reason: reason,
+	}
+	subj := fmt.Sprintf(ocspPeerChainlinkInvalidEventSubj, s.info.ID)
+	s.sendInternalMsg(subj, _EMPTY_, &m.Server, &m)
+}
diff --git a/server/events_test.go b/server/events_test.go
index 70745e3f8..34a9d0d47 100644
--- a/server/events_test.go
+++ b/server/events_test.go
@@ -1,4 +1,4 @@
-// Copyright 2018-2020 The NATS Authors
+// Copyright 2018-2023 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -436,8 +436,8 @@ func checkLeafNodeConnectedCount(t testing.TB, s *Server, lnCons int) {
 	t.Helper()
 	checkFor(t, 5*time.Second, 15*time.Millisecond, func() error {
 		if nln := s.NumLeafNodes(); nln != lnCons {
-			return fmt.Errorf("Expected %d connected leafnode(s) for server %q, got %d",
-				lnCons, s.ID(), nln)
+			return fmt.Errorf("Expected %d connected leafnode(s) for server %v, got %d",
+				lnCons, s, nln)
 		}
 		return nil
 	})
@@ -1220,6 +1220,7 @@ func TestAccountClaimsUpdates(t *testing.T) {
 		claimUpdateSubj := fmt.Sprintf(subj, pub)
 		nc.Publish(claimUpdateSubj, []byte(ajwt))
 		nc.Flush()
+		time.Sleep(200 * time.Millisecond)
 
 		acc, _ = s.LookupAccount(pub)
 		if acc.MaxActiveConnections() != 8 {
@@ -1340,6 +1341,9 @@ func TestAccountReqMonitoring(t *testing.T) {
 	require_NoError(t, nc.PublishRequest(pStatz, ib, nil))
 	resp, err = rSub.NextMsg(time.Second)
 	require_NoError(t, err)
+	// Since we now have processed our own message, msgs will be 1.
+	respContentAcc = []string{`"conns":1,`, `"total_conns":1`, `"slow_consumers":0`, `"sent":{"msgs":0,"bytes":0}`,
+		`"received":{"msgs":1,"bytes":0}`, fmt.Sprintf(`"acc":"%s"`, acc.Name)}
 	require_Contains(t, string(resp.Data), respContentAcc...)
 	_, err = rSub.NextMsg(200 * time.Millisecond)
 	require_Error(t, err)
@@ -1511,6 +1515,7 @@ func TestAccountClaimsUpdatesWithServiceImports(t *testing.T) {
 		nc.Publish(claimUpdateSubj, []byte(ajwt2))
 	}
 	nc.Flush()
+	time.Sleep(50 * time.Millisecond)
 
 	if startSubs < s.NumSubscriptions() {
 		t.Fatalf("Subscriptions leaked: %d vs %d", startSubs, s.NumSubscriptions())
@@ -1641,7 +1646,7 @@ func TestSystemAccountWithBadRemoteLatencyUpdate(t *testing.T) {
 		ReqId:   "_INBOX.22",
 	}
 	b, _ := json.Marshal(&rl)
-	s.remoteLatencyUpdate(nil, nil, nil, "foo", _EMPTY_, b)
+	s.remoteLatencyUpdate(nil, nil, nil, "foo", _EMPTY_, nil, b)
 }
 
 func TestSystemAccountWithGateways(t *testing.T) {
@@ -1661,7 +1666,7 @@ func TestSystemAccountWithGateways(t *testing.T) {
 
 	// If this tests fails with wrong number after 10 seconds we may have
 	// added a new inititial subscription for the eventing system.
-	checkExpectedSubs(t, 45, sa)
+	checkExpectedSubs(t, 46, sa)
 
 	// Create a client on B and see if we receive the event
 	urlb := fmt.Sprintf("nats://%s:%d", ob.Host, ob.Port)
@@ -2496,6 +2501,40 @@ func TestServerEventsAndDQSubscribers(t *testing.T) {
 	checkSubsPending(t, sub, 10)
 }
 
+func TestServerEventsStatszSingleServer(t *testing.T) {
+	conf := createConfFile(t, []byte(`
+		listen: "127.0.0.1:-1"
+		accounts { $SYS { users [{user: "admin", password: "p1d"}]} }
+	`))
+	s, _ := RunServerWithConfig(conf)
+	defer s.Shutdown()
+
+	// Grab internal system client.
+	s.mu.RLock()
+	sysc := s.sys.client
+	wait := s.sys.cstatsz + 25*time.Millisecond
+	s.mu.RUnlock()
+
+	// Wait for when first statsz would have gone out..
+	time.Sleep(wait)
+
+	sysc.mu.Lock()
+	outMsgs := sysc.stats.outMsgs
+	sysc.mu.Unlock()
+
+	require_True(t, outMsgs == 0)
+
+	// Connect as a system user and make sure if there is
+	// subscription interest that we will receive updates.
+	nc, _ := jsClientConnect(t, s, nats.UserInfo("admin", "p1d"))
+	defer nc.Close()
+
+	sub, err := nc.SubscribeSync(fmt.Sprintf(serverStatsSubj, "*"))
+	require_NoError(t, err)
+
+	checkSubsPending(t, sub, 1)
+}
+
 func Benchmark_GetHash(b *testing.B) {
 	b.StopTimer()
 	// Get 100 random names
diff --git a/server/filestore.go b/server/filestore.go
index 3b871ac73..4aea0fa34 100644
--- a/server/filestore.go
+++ b/server/filestore.go
@@ -107,6 +107,7 @@ type psi struct {
 }
 
 type fileStore struct {
+	srv         *Server
 	mu          sync.RWMutex
 	state       StreamState
 	ld          *LostStreamData
@@ -258,6 +259,8 @@ const (
 	// For smaller reuse buffers. Usually being generated during contention on the lead write buffer.
 	// E.g. mirrors/sources etc.
 	defaultSmallBlockSize = 1 * 1024 * 1024 // 1MB
+	// Maximum size for the encrypted head block.
+	maximumEncryptedBlockSize = 2 * 1024 * 1024 // 2MB
 	// Default for KV based
 	defaultKVBlockSize = defaultMediumBlockSize
 	// max block size for now.
@@ -274,6 +277,8 @@ const (
 	wiThresh = int64(30 * time.Second)
 	// Time threshold to write index info for non FIFO cases
 	winfThresh = int64(2 * time.Second)
+	// Checksum size for hash for msg records.
+	recordHashSize = 8
 )
 
 func newFileStore(fcfg FileStoreConfig, cfg StreamConfig) (*fileStore, error) {
@@ -290,7 +295,7 @@ func newFileStoreWithCreatedMemphis(fcfg FileStoreConfig, cfg StreamConfig, crea
 	}
 	// Default values.
 	if fcfg.BlockSize == 0 {
-		fcfg.BlockSize = dynBlkSize(cfg.Retention, cfg.MaxBytes)
+		fcfg.BlockSize = dynBlkSize(cfg.Retention, cfg.MaxBytes, prf != nil)
 	}
 	if fcfg.BlockSize > maxBlockSize {
 		return nil, fmt.Errorf("filestore max block size is %s", friendlyBytes(maxBlockSize))
@@ -314,8 +319,11 @@ func newFileStoreWithCreatedMemphis(fcfg FileStoreConfig, cfg StreamConfig, crea
 	if err != nil {
 		return nil, fmt.Errorf("storage directory is not writable")
 	}
+
 	tmpfile.Close()
+	<-dios
 	os.Remove(tmpfile.Name())
+	dios <- struct{}{}
 
 	fs := &fileStore{
 		fcfg:    fcfg,
@@ -347,6 +355,14 @@ func newFileStoreWithCreatedMemphis(fcfg FileStoreConfig, cfg StreamConfig, crea
 		return nil, fmt.Errorf("could not create hash: %v", err)
 	}
 
+	keyFile := filepath.Join(fs.fcfg.StoreDir, JetStreamMetaFileKey)
+	// Make sure we do not have an encrypted store underneath of us but no main key.
+	if fs.prf == nil {
+		if _, err := os.Stat(keyFile); err == nil {
+			return nil, errNoMainKey
+		}
+	}
+
 	// Recover our message state.
 	if err := fs.recoverMsgs(); err != nil {
 		return nil, err
@@ -364,7 +380,6 @@ func newFileStoreWithCreatedMemphis(fcfg FileStoreConfig, cfg StreamConfig, crea
 	// If we expect to be encrypted check that what we are restoring is not plaintext.
 	// This can happen on snapshot restores or conversions.
 	if fs.prf != nil {
-		keyFile := filepath.Join(fs.fcfg.StoreDir, JetStreamMetaFileKey)
 		if _, err := os.Stat(keyFile); err != nil && os.IsNotExist(err) {
 			if err := fs.writeStreamMeta(); err != nil {
 				return nil, err
@@ -387,7 +402,7 @@ func newFileStoreWithCreated(fcfg FileStoreConfig, cfg StreamConfig, created tim
 	}
 	// Default values.
 	if fcfg.BlockSize == 0 {
-		fcfg.BlockSize = dynBlkSize(cfg.Retention, cfg.MaxBytes)
+		fcfg.BlockSize = dynBlkSize(cfg.Retention, cfg.MaxBytes, prf != nil)
 	}
 	if fcfg.BlockSize > maxBlockSize {
 		return nil, fmt.Errorf("filestore max block size is %s", friendlyBytes(maxBlockSize))
@@ -411,8 +426,11 @@ func newFileStoreWithCreated(fcfg FileStoreConfig, cfg StreamConfig, created tim
 	if err != nil {
 		return nil, fmt.Errorf("storage directory is not writable")
 	}
+
 	tmpfile.Close()
+	<-dios
 	os.Remove(tmpfile.Name())
+	dios <- struct{}{}
 
 	fs := &fileStore{
 		fcfg: fcfg,
@@ -443,6 +461,14 @@ func newFileStoreWithCreated(fcfg FileStoreConfig, cfg StreamConfig, created tim
 		return nil, fmt.Errorf("could not create hash: %v", err)
 	}
 
+	keyFile := filepath.Join(fs.fcfg.StoreDir, JetStreamMetaFileKey)
+	// Make sure we do not have an encrypted store underneath of us but no main key.
+	if fs.prf == nil {
+		if _, err := os.Stat(keyFile); err == nil {
+			return nil, errNoMainKey
+		}
+	}
+
 	// Recover our message state.
 	if err := fs.recoverMsgs(); err != nil {
 		return nil, err
@@ -460,7 +486,6 @@ func newFileStoreWithCreated(fcfg FileStoreConfig, cfg StreamConfig, created tim
 	// If we expect to be encrypted check that what we are restoring is not plaintext.
 	// This can happen on snapshot restores or conversions.
 	if fs.prf != nil {
-		keyFile := filepath.Join(fs.fcfg.StoreDir, JetStreamMetaFileKey)
 		if _, err := os.Stat(keyFile); err != nil && os.IsNotExist(err) {
 			if err := fs.writeStreamMeta(); err != nil {
 				return nil, err
@@ -473,6 +498,12 @@ func newFileStoreWithCreated(fcfg FileStoreConfig, cfg StreamConfig, created tim
 	return fs, nil
 }
 
+func (fs *fileStore) registerServer(s *Server) {
+	fs.mu.Lock()
+	defer fs.mu.Unlock()
+	fs.srv = s
+}
+
 // Lock all existing message blocks.
 // Lock held on entry.
 func (fs *fileStore) lockAllMsgBlocks() {
@@ -530,7 +561,7 @@ func (fs *fileStore) UpdateConfig(cfg *StreamConfig) error {
 		fs.ageChk = nil
 	}
 
-	if cfg.MaxMsgsPer > 0 && cfg.MaxMsgsPer < old_cfg.MaxMsgsPer {
+	if fs.cfg.MaxMsgsPer > 0 && fs.cfg.MaxMsgsPer < old_cfg.MaxMsgsPer {
 		fs.enforceMsgPerSubjectLimit()
 	}
 	fs.mu.Unlock()
@@ -541,7 +572,7 @@ func (fs *fileStore) UpdateConfig(cfg *StreamConfig) error {
 	return nil
 }
 
-func dynBlkSize(retention RetentionPolicy, maxBytes int64) uint64 {
+func dynBlkSize(retention RetentionPolicy, maxBytes int64, encrypted bool) uint64 {
 	if maxBytes > 0 {
 		blkSize := (maxBytes / 4) + 1 // (25% overhead)
 		// Round up to nearest 100
@@ -555,13 +586,24 @@ func dynBlkSize(retention RetentionPolicy, maxBytes int64) uint64 {
 		} else {
 			blkSize = defaultMediumBlockSize
 		}
+		if encrypted && blkSize > maximumEncryptedBlockSize {
+			// Notes on this below.
+			blkSize = maximumEncryptedBlockSize
+		}
 		return uint64(blkSize)
 	}
 
-	if retention == LimitsPolicy {
+	switch {
+	case encrypted:
+		// In the case of encrypted stores, large blocks can result in worsened perf
+		// since many writes on disk involve re-encrypting the entire block. For now,
+		// we will enforce a cap on the block size when encryption is enabled to avoid
+		// this.
+		return maximumEncryptedBlockSize
+	case retention == LimitsPolicy:
 		// TODO(dlc) - Make the blocksize relative to this if set.
 		return defaultLargeBlockSize
-	} else {
+	default:
 		// TODO(dlc) - Make the blocksize relative to this if set.
 		return defaultMediumBlockSize
 	}
@@ -865,6 +907,7 @@ func (fs *fileStore) recoverMsgBlock(fi os.FileInfo, index uint32) (*msgBlock, e
 	if ld, _ := mb.rebuildState(); ld != nil {
 		fs.addLostData(ld)
 	}
+
 	if mb.msgs > 0 && !mb.noTrack && fs.psim != nil {
 		fs.populateGlobalPerSubjectInfo(mb)
 		// Try to dump any state we needed on recovery.
@@ -1040,6 +1083,10 @@ func (mb *msgBlock) rebuildState() (*LostStreamData, error) {
 func (mb *msgBlock) rebuildStateLocked() (*LostStreamData, error) {
 	startLastSeq := mb.last.seq
 
+	// Remove the .fss file and clear any cache we have set.
+	mb.clearCacheAndOffset()
+	mb.removePerSubjectInfoLocked()
+
 	buf, err := mb.loadBlock(nil)
 	if err != nil || len(buf) == 0 {
 		var ld *LostStreamData
@@ -1095,7 +1142,7 @@ func (mb *msgBlock) rebuildStateLocked() (*LostStreamData, error) {
 			fd = mb.mfd
 		} else {
 			fd, err = os.OpenFile(mb.mfn, os.O_RDWR, defaultFilePerms)
-			if err != nil {
+			if err == nil {
 				defer fd.Close()
 			}
 		}
@@ -1136,19 +1183,40 @@ func (mb *msgBlock) rebuildStateLocked() (*LostStreamData, error) {
 		rl &^= hbit
 		dlen := int(rl) - msgHdrSize
 		// Do some quick sanity checks here.
-		if dlen < 0 || int(slen) > dlen || dlen > int(rl) || rl > rlBadThresh {
+		if dlen < 0 || int(slen) > (dlen-recordHashSize) || dlen > int(rl) || index+rl > lbuf || rl > rlBadThresh {
 			truncate(index)
 			return gatherLost(lbuf - index), errBadMsg
 		}
 
-		if index+rl > lbuf {
-			truncate(index)
-			return gatherLost(lbuf - index), errBadMsg
+		// Check for checksum failures before additional processing.
+		data := buf[index+msgHdrSize : index+rl]
+		if hh := mb.hh; hh != nil {
+			hh.Reset()
+			hh.Write(hdr[4:20])
+			hh.Write(data[:slen])
+			if hasHeaders {
+				hh.Write(data[slen+4 : dlen-recordHashSize])
+			} else {
+				hh.Write(data[slen : dlen-recordHashSize])
+			}
+			checksum := hh.Sum(nil)
+			if !bytes.Equal(checksum, data[len(data)-recordHashSize:]) {
+				truncate(index)
+				return gatherLost(lbuf - index), errBadMsg
+			}
+			copy(mb.lchk[0:], checksum)
 		}
 
+		// Grab our sequence and timestamp.
 		seq := le.Uint64(hdr[4:])
 		ts := int64(le.Uint64(hdr[12:]))
 
+		// Check if this is a delete tombstone.
+		if seq&tbit != 0 {
+			index += rl
+			continue
+		}
+
 		// This is an old erased message, or a new one that we can track.
 		if seq == 0 || seq&ebit != 0 || seq < mb.first.seq {
 			seq = seq &^ ebit
@@ -1157,15 +1225,17 @@ func (mb *msgBlock) rebuildStateLocked() (*LostStreamData, error) {
 				addToDmap(seq)
 			}
 			index += rl
-			mb.last.seq = seq
-			mb.last.ts = ts
+			if seq >= mb.first.seq {
+				mb.last.seq = seq
+				mb.last.ts = ts
+			}
 			continue
 		}
 
 		// This is for when we have index info that adjusts for deleted messages
 		// at the head. So the first.seq will be already set here. If this is larger
 		// replace what we have with this seq.
-		if firstNeedsSet && seq > mb.first.seq {
+		if firstNeedsSet && seq >= mb.first.seq {
 			firstNeedsSet, mb.first.seq, mb.first.ts = false, seq, ts
 		}
 
@@ -1174,29 +1244,7 @@ func (mb *msgBlock) rebuildStateLocked() (*LostStreamData, error) {
 			_, deleted = mb.dmap[seq]
 		}
 
-		// Always set last.
-		mb.last.seq = seq
-		mb.last.ts = ts
-
 		if !deleted {
-			data := buf[index+msgHdrSize : index+rl]
-			if hh := mb.hh; hh != nil {
-				hh.Reset()
-				hh.Write(hdr[4:20])
-				hh.Write(data[:slen])
-				if hasHeaders {
-					hh.Write(data[slen+4 : dlen-8])
-				} else {
-					hh.Write(data[slen : dlen-8])
-				}
-				checksum := hh.Sum(nil)
-				if !bytes.Equal(checksum, data[len(data)-8:]) {
-					truncate(index)
-					return gatherLost(lbuf - index), errBadMsg
-				}
-				copy(mb.lchk[0:], checksum)
-			}
-
 			if firstNeedsSet {
 				firstNeedsSet, mb.first.seq, mb.first.ts = false, seq, ts
 			}
@@ -1222,6 +1270,11 @@ func (mb *msgBlock) rebuildStateLocked() (*LostStreamData, error) {
 				mb.fssNeedsWrite = true
 			}
 		}
+
+		// Always set last
+		mb.last.seq = seq
+		mb.last.ts = ts
+
 		// Advance to next record.
 		index += rl
 	}
@@ -1231,6 +1284,11 @@ func (mb *msgBlock) rebuildStateLocked() (*LostStreamData, error) {
 		mb.last.seq = mb.first.seq - 1
 	}
 
+	// Update our fss file if needed.
+	if len(mb.fss) > 0 {
+		mb.writePerSubjectInfo()
+	}
+
 	return nil, nil
 }
 
@@ -1240,9 +1298,11 @@ func (fs *fileStore) recoverMsgs() error {
 
 	// Check for any left over purged messages.
 	pdir := filepath.Join(fs.fcfg.StoreDir, purgeDir)
+	<-dios
 	if _, err := os.Stat(pdir); err == nil {
 		os.RemoveAll(pdir)
 	}
+	dios <- struct{}{}
 
 	mdir := filepath.Join(fs.fcfg.StoreDir, msgDir)
 	fis, err := os.ReadDir(mdir)
@@ -1260,6 +1320,13 @@ func (fs *fileStore) recoverMsgs() error {
 				return err
 			}
 			if mb, err := fs.recoverMsgBlock(finfo, index); err == nil && mb != nil {
+				// This is a truncate block with possibly no index. If the OS got shutdown
+				// out from underneath of us this is possible.
+				if mb.first.seq == 0 {
+					mb.dirtyCloseWithRemove(true)
+					fs.removeMsgBlockFromList(mb)
+					continue
+				}
 				if fs.state.FirstSeq == 0 || mb.first.seq < fs.state.FirstSeq {
 					fs.state.FirstSeq = mb.first.seq
 					fs.state.FirstTime = time.Unix(0, mb.first.ts).UTC()
@@ -1367,6 +1434,11 @@ func (fs *fileStore) expireMsgsOnRecover() {
 			fs.psim = make(map[string]*psi)
 			return false
 		}
+		// Make sure we do subject cleanup as well.
+		mb.ensurePerSubjectInfoLoaded()
+		for subj := range mb.fss {
+			fs.removePerSubject(subj)
+		}
 		mb.dirtyCloseWithRemove(true)
 		deleted++
 		return true
@@ -1398,6 +1470,7 @@ func (fs *fileStore) expireMsgsOnRecover() {
 		}
 
 		var smv StoreMsg
+		var needNextFirst bool
 
 		// Walk messages and remove if expired.
 		mb.ensurePerSubjectInfoLoaded()
@@ -1412,14 +1485,13 @@ func (fs *fileStore) expireMsgsOnRecover() {
 						mb.dmap = nil
 					}
 				}
-				// Keep this update just in case since we are removing dmap entries.
-				mb.first.seq = seq
+				// Keep this updated just in case since we are removing dmap entries.
+				mb.first.seq, needNextFirst = seq, true
 				continue
 			}
 			// Break on other errors.
 			if err != nil || sm == nil {
-				// Keep this update just in case since we could have removed dmap entries.
-				mb.first.seq = seq
+				mb.first.seq, needNextFirst = seq, true
 				break
 			}
 
@@ -1427,6 +1499,7 @@ func (fs *fileStore) expireMsgsOnRecover() {
 
 			// Check for done.
 			if minAge < sm.ts {
+				mb.first.seq, needNextFirst = sm.seq, false
 				mb.first.seq = sm.seq
 				mb.first.ts = sm.ts
 				nts = sm.ts
@@ -1435,7 +1508,11 @@ func (fs *fileStore) expireMsgsOnRecover() {
 
 			// Delete the message here.
 			if mb.msgs > 0 {
+				mb.first.seq, needNextFirst = seq, true
 				sz := fileStoreMsgSize(sm.subj, sm.hdr, sm.msg)
+				if sz > mb.bytes {
+					sz = mb.bytes
+				}
 				mb.bytes -= sz
 				bytes += sz
 				mb.msgs--
@@ -1443,10 +1520,13 @@ func (fs *fileStore) expireMsgsOnRecover() {
 			}
 			// Update fss
 			// Make sure we have fss loaded.
-			mb.removeSeqPerSubject(sm.subj, seq, nil)
+			mb.removeSeqPerSubject(sm.subj, seq)
 			fs.removePerSubject(sm.subj)
 		}
-
+		// Make sure we have a proper next first sequence.
+		if needNextFirst {
+			mb.selectNextFirst()
+		}
 		// Check if empty after processing, could happen if tail of messages are all deleted.
 		needWriteIndex := true
 		if mb.msgs == 0 {
@@ -1480,8 +1560,16 @@ func (fs *fileStore) expireMsgsOnRecover() {
 		}
 	}
 	// Update top level accounting.
-	fs.state.Msgs -= purged
-	fs.state.Bytes -= bytes
+	if purged < fs.state.Msgs {
+		fs.state.Msgs -= purged
+	} else {
+		fs.state.Msgs = 0
+	}
+	if bytes < fs.state.Bytes {
+		fs.state.Bytes -= bytes
+	} else {
+		fs.state.Bytes = 0
+	}
 	// Make sure to we properly set the fs first sequence and timestamp.
 	fs.selectNextFirst()
 }
@@ -1564,6 +1652,9 @@ func (mb *msgBlock) firstMatching(filter string, wc bool, start uint64, sm *Stor
 		fseq = mb.last.seq + 1
 		for _, subj := range subs {
 			ss := mb.fss[subj]
+			if ss != nil && ss.firstNeedsUpdate {
+				mb.recalculateFirstForSubj(subj, ss.First, ss)
+			}
 			if ss == nil || start > ss.Last || ss.First >= fseq {
 				continue
 			}
@@ -1669,6 +1760,9 @@ func (mb *msgBlock) filteredPendingLocked(filter string, wc bool, sseq uint64) (
 	var havePartial bool
 	for subj, ss := range mb.fss {
 		if isAll || isMatch(subj) {
+			if ss.firstNeedsUpdate {
+				mb.recalculateFirstForSubj(subj, ss.First, ss)
+			}
 			if sseq <= ss.First {
 				update(ss)
 			} else if sseq <= ss.Last {
@@ -1866,6 +1960,9 @@ func (fs *fileStore) SubjectsState(subject string) map[string]SimpleState {
 		mb.ensurePerSubjectInfoLoaded()
 		for subj, ss := range mb.fss {
 			if subject == _EMPTY_ || subject == fwcs || subjectIsSubsetMatch(subj, subject) {
+				if ss.firstNeedsUpdate {
+					mb.recalculateFirstForSubj(subj, ss.First, ss)
+				}
 				oss := fss[subj]
 				if oss.First == 0 { // New
 					fss[subj] = *ss
@@ -1907,12 +2004,24 @@ func (fs *fileStore) NumPending(sseq uint64, filter string, lastPerSubject bool)
 		seqStart, _ = fs.selectMsgBlockWithIndex(sseq)
 	}
 
-	tsa := [32]string{}
-	fsa := [32]string{}
+	var tsa, fsa [32]string
 	fts := tokenizeSubjectIntoSlice(fsa[:0], filter)
 	isAll := filter == _EMPTY_ || filter == fwcs
 	wc := subjectHasWildcard(filter)
 
+	// See if filter was provided but its the only subject.
+	if !isAll && !wc && len(fs.psim) == 1 && fs.psim[filter] != nil {
+		isAll = true
+	}
+
+	// If we are isAll and have no deleted we can do a simpler calculation.
+	if isAll && (fs.state.LastSeq-fs.state.FirstSeq+1) == fs.state.Msgs {
+		if sseq == 0 {
+			return fs.state.Msgs, validThrough
+		}
+		return fs.state.LastSeq - sseq + 1, validThrough
+	}
+
 	isMatch := func(subj string) bool {
 		if isAll {
 			return true
@@ -1939,6 +2048,7 @@ func (fs *fileStore) NumPending(sseq uint64, filter string, lastPerSubject bool)
 			var t uint64
 			if isAll && sseq <= mb.first.seq {
 				if lastPerSubject {
+					mb.ensurePerSubjectInfoLoaded()
 					for subj := range mb.fss {
 						if !seen[subj] {
 							total++
@@ -1965,6 +2075,9 @@ func (fs *fileStore) NumPending(sseq uint64, filter string, lastPerSubject bool)
 							seen[subj] = true
 						}
 					} else {
+						if ss.firstNeedsUpdate {
+							mb.recalculateFirstForSubj(subj, ss.First, ss)
+						}
 						if sseq <= ss.First {
 							t += ss.Msgs
 						} else if sseq <= ss.Last {
@@ -2059,16 +2172,20 @@ func (fs *fileStore) NumPending(sseq uint64, filter string, lastPerSubject bool)
 		mb.mu.Lock()
 		// Check if we should include all of this block in adjusting. If so work with metadata.
 		if sseq > mb.last.seq {
-			// We need to adjust for all matches in this block.
-			// We will scan fss state vs messages themselves.
-			// Make sure we have fss loaded.
-			mb.ensurePerSubjectInfoLoaded()
-			for subj, ss := range mb.fss {
-				if isMatch(subj) {
-					if lastPerSubject {
-						adjust++
-					} else {
-						adjust += ss.Msgs
+			if isAll && !lastPerSubject {
+				adjust += mb.msgs
+			} else {
+				// We need to adjust for all matches in this block.
+				// We will scan fss state vs messages themselves.
+				// Make sure we have fss loaded.
+				mb.ensurePerSubjectInfoLoaded()
+				for subj, ss := range mb.fss {
+					if isMatch(subj) {
+						if lastPerSubject {
+							adjust++
+						} else {
+							adjust += ss.Msgs
+						}
 					}
 				}
 			}
@@ -2300,6 +2417,7 @@ func (fs *fileStore) storeRawMsg(subj string, hdr, msg []byte, seq uint64, ts in
 	if fs.closed {
 		return ErrStoreClosed
 	}
+
 	// Per subject max check needed.
 	mmp := uint64(fs.cfg.MaxMsgsPer)
 	var psmc uint64
@@ -2393,6 +2511,12 @@ func (fs *fileStore) storeRawMsg(subj string, hdr, msg []byte, seq uint64, ts in
 					}
 				}
 			}
+		} else if mb := fs.selectMsgBlock(fseq); mb != nil {
+			// If we are here we could not remove fseq from above, so rebuild.
+			var ld *LostStreamData
+			if ld, _ = mb.rebuildState(); ld != nil {
+				fs.rebuildStateLocked(ld)
+			}
 		}
 	}
 
@@ -2451,7 +2575,7 @@ func (fs *fileStore) StoreMsg(subj string, hdr, msg []byte) (uint64, int64, erro
 
 // skipMsg will update this message block for a skipped message.
 // If we do not have any messages, just update the metadata, otherwise
-// we will place and empty record marking the sequence as used. The
+// we will place an empty record marking the sequence as used. The
 // sequence will be marked erased.
 // fs lock should be held.
 func (mb *msgBlock) skipMsg(seq uint64, now time.Time) {
@@ -2513,12 +2637,23 @@ func (fs *fileStore) rebuildFirst() {
 	if len(fs.blks) == 0 {
 		return
 	}
-	if fmb := fs.blks[0]; fmb != nil {
-		fmb.removeIndexFile()
-		fmb.rebuildState()
+	fmb := fs.blks[0]
+	if fmb == nil {
+		return
+	}
+
+	fmb.removeIndexFile()
+	ld, _ := fmb.rebuildState()
+	fmb.mu.RLock()
+	isEmpty := fmb.msgs == 0
+	fmb.mu.RUnlock()
+	if isEmpty {
+		fs.removeMsgBlock(fmb)
+	} else {
 		fmb.writeIndexInfo()
-		fs.selectNextFirst()
 	}
+	fs.selectNextFirst()
+	fs.rebuildStateLocked(ld)
 }
 
 // Optimized helper function to return first sequence.
@@ -2555,6 +2690,9 @@ func (fs *fileStore) firstSeqForSubj(subj string) (uint64, error) {
 					info.fblk = i
 				}
 			}
+			if ss.firstNeedsUpdate {
+				mb.recalculateFirstForSubj(subj, ss.First, ss)
+			}
 			return ss.First, nil
 		}
 	}
@@ -2602,14 +2740,42 @@ func (fs *fileStore) enforceMsgPerSubjectLimit() {
 	fs.scb = nil
 	defer func() { fs.scb = cb }()
 
+	var numMsgs uint64
+
 	// collect all that are not correct.
 	needAttention := make(map[string]*psi)
 	for subj, psi := range fs.psim {
+		numMsgs += psi.total
 		if psi.total > maxMsgsPer {
 			needAttention[subj] = psi
 		}
 	}
 
+	// We had an issue with a use case where psim (and hence fss) were correct but idx was not and was not properly being caught.
+	// So do a quick sanity check here. If we detect a skew do a rebuild then re-check.
+	if numMsgs != fs.state.Msgs {
+		// Clear any global subject state.
+		fs.psim = make(map[string]*psi)
+		for _, mb := range fs.blks {
+			mb.removeIndexFile()
+			ld, err := mb.rebuildState()
+			mb.writeIndexInfo()
+			if err != nil && ld != nil {
+				fs.addLostData(ld)
+			}
+			fs.populateGlobalPerSubjectInfo(mb)
+		}
+		// Rebuild fs state too.
+		fs.rebuildStateLocked(nil)
+		// Need to redo blocks that need attention.
+		needAttention = make(map[string]*psi)
+		for subj, psi := range fs.psim {
+			if psi.total > maxMsgsPer {
+				needAttention[subj] = psi
+			}
+		}
+	}
+
 	// Collect all the msgBlks we alter.
 	blks := make(map[*msgBlock]struct{})
 
@@ -2629,6 +2795,9 @@ func (fs *fileStore) enforceMsgPerSubjectLimit() {
 			mb.mu.Lock()
 			mb.ensurePerSubjectInfoLoaded()
 			ss := mb.fss[subj]
+			if ss != nil && ss.firstNeedsUpdate {
+				mb.recalculateFirstForSubj(subj, ss.First, ss)
+			}
 			mb.mu.Unlock()
 			if ss == nil {
 				continue
@@ -2724,6 +2893,16 @@ func (fs *fileStore) removeMsg(seq uint64, secure, viaLimits, needFSLock bool) (
 	if secure && fs.prf != nil {
 		secure = false
 	}
+
+	if fs.state.Msgs == 0 {
+		var err = ErrStoreEOF
+		if seq <= fs.state.LastSeq {
+			err = ErrStoreMsgNotFound
+		}
+		fsUnlock()
+		return false, err
+	}
+
 	mb := fs.selectMsgBlock(seq)
 	if mb == nil {
 		var err = ErrStoreEOF
@@ -2736,8 +2915,8 @@ func (fs *fileStore) removeMsg(seq uint64, secure, viaLimits, needFSLock bool) (
 
 	mb.mu.Lock()
 
-	// See if the sequence number is still relevant.
-	if seq < mb.first.seq {
+	// See if we are closed or the sequence number is still relevant.
+	if mb.closed || seq < mb.first.seq {
 		mb.mu.Unlock()
 		fsUnlock()
 		return false, nil
@@ -2756,11 +2935,27 @@ func (fs *fileStore) removeMsg(seq uint64, secure, viaLimits, needFSLock bool) (
 	// Now just load regardless.
 	// TODO(dlc) - Figure out a way not to have to load it in, we need subject tracking outside main data block.
 	if mb.cacheNotLoaded() {
-		if err := mb.loadMsgsWithLock(); err != nil {
+		// We do not want to block possible activity within another msg block.
+		// We have to unlock both locks and acquire the mb lock in the loadMsgs() call to avoid a deadlock if another
+		// go routine was trying to get fs then this mb lock at the same time. E.g. another call to remove for same block.
+		mb.mu.Unlock()
+		fsUnlock()
+		if err := mb.loadMsgs(); err != nil {
+			return false, err
+		}
+		fsLock()
+		// We need to check if things changed out from underneath us.
+		if fs.closed {
+			fsUnlock()
+			return false, ErrStoreClosed
+		}
+		mb.mu.Lock()
+		if mb.closed || seq < mb.first.seq {
 			mb.mu.Unlock()
 			fsUnlock()
-			return false, err
+			return false, nil
 		}
+		// cacheLookup below will do dmap check so no need to repeat here.
 	}
 
 	var smv StoreMsg
@@ -2768,9 +2963,14 @@ func (fs *fileStore) removeMsg(seq uint64, secure, viaLimits, needFSLock bool) (
 	if err != nil {
 		mb.mu.Unlock()
 		fsUnlock()
+		// Mimic err behavior from above check to dmap. No error returned if already removed.
+		if err == errDeletedMsg {
+			err = nil
+		}
 		return false, err
 	}
 
+	// ** added by memphis
 	// send the message to tiered 2 storage if needed
 	tieredStorageEnabled := fs.cfg.StreamConfig.TieredStorageEnabled
 	if !secure && !strings.HasPrefix(fs.cfg.StreamConfig.Name, "$memphis") && tieredStorageEnabled && serv != nil {
@@ -2779,7 +2979,8 @@ func (fs *fileStore) removeMsg(seq uint64, secure, viaLimits, needFSLock bool) (
 			return false, err
 		}
 	}
-
+	// ** added by memphis
+	
 	// Grab size
 	msz := fileStoreMsgSize(sm.subj, sm.hdr, sm.msg)
 
@@ -2787,18 +2988,30 @@ func (fs *fileStore) removeMsg(seq uint64, secure, viaLimits, needFSLock bool) (
 	mb.lrts = time.Now().UnixNano()
 
 	// Global stats
-	fs.state.Msgs--
-	fs.state.Bytes -= msz
+	if fs.state.Msgs > 0 {
+		fs.state.Msgs--
+	}
+	if msz < fs.state.Bytes {
+		fs.state.Bytes -= msz
+	} else {
+		fs.state.Bytes = 0
+	}
 
 	// Now local mb updates.
-	mb.msgs--
-	mb.bytes -= msz
+	if mb.msgs > 0 {
+		mb.msgs--
+	}
+	if msz < mb.bytes {
+		mb.bytes -= msz
+	} else {
+		mb.bytes = 0
+	}
 
 	// If we are tracking subjects here make sure we update that accounting.
 	mb.ensurePerSubjectInfoLoaded()
 
 	// If we are tracking multiple subjects here make sure we update that accounting.
-	mb.removeSeqPerSubject(sm.subj, seq, &smv)
+	mb.removeSeqPerSubject(sm.subj, seq)
 	fs.removePerSubject(sm.subj)
 
 	if secure {
@@ -2972,7 +3185,8 @@ func (mb *msgBlock) compact() {
 		if !isDeleted(seq) {
 			// Normal message here.
 			nbuf = append(nbuf, buf[index:index+rl]...)
-			if !firstSet {
+			// Do not set based on tombstone.
+			if !firstSet && seq&tbit == 0 {
 				firstSet = true
 				mb.first.seq = seq
 			}
@@ -3019,8 +3233,7 @@ func (mb *msgBlock) compact() {
 		return
 	}
 
-	// Close cache and index file and wipe delete map, then rebuild.
-	mb.clearCacheAndOffset()
+	// Remove index file and wipe delete map, then rebuild.
 	mb.removeIndexFileLocked()
 	mb.deleteDmap()
 	mb.rebuildStateLocked()
@@ -3042,9 +3255,15 @@ func (mb *msgBlock) slotInfo(slot int) (uint32, uint32, bool, error) {
 	if mb.cache == nil || slot >= len(mb.cache.idx) {
 		return 0, 0, false, errPartialCache
 	}
+
 	bi := mb.cache.idx[slot]
 	ri, hashChecked := (bi &^ hbit), (bi&hbit) != 0
 
+	// If this is a deleted slot return here.
+	if bi == dbit {
+		return 0, 0, false, errDeletedMsg
+	}
+
 	// Determine record length
 	var rl uint32
 	if len(mb.cache.idx) > slot+1 {
@@ -3269,6 +3488,9 @@ func (mb *msgBlock) truncate(sm *StoreMsg) (nmsgs, nbytes uint64, err error) {
 			if mb.msgs > 0 {
 				rl := fileStoreMsgSize(m.subj, m.hdr, m.msg)
 				mb.msgs--
+				if rl > mb.bytes {
+					rl = mb.bytes
+				}
 				mb.bytes -= rl
 				mb.rbytes -= rl
 				// For return accounting.
@@ -3727,20 +3949,25 @@ func (mb *msgBlock) writeMsgRecord(rl, seq uint64, subj string, mhdr, msg []byte
 	// Update write through cache.
 	// Write to msg record.
 	mb.cache.buf = append(mb.cache.buf, checksum...)
-	// Write index
-	mb.cache.idx = append(mb.cache.idx, uint32(index)|hbit)
 	mb.cache.lrl = uint32(rl)
-	if mb.cache.fseq == 0 {
-		mb.cache.fseq = seq
-	}
 
 	// Set cache timestamp for last store.
 	mb.lwts = ts
 	// Decide if we write index info if flushing in place.
 	writeIndex := ts-mb.lwits > wiThresh
 
-	// Accounting
-	mb.updateAccounting(seq, ts, rl)
+	// Only update index and do accounting if not a delete tombstone.
+	if seq&tbit == 0 {
+		// Accounting, do this before stripping ebit, it is ebit aware.
+		mb.updateAccounting(seq, ts, rl)
+		// Strip ebit if set.
+		seq = seq &^ ebit
+		if mb.cache.fseq == 0 {
+			mb.cache.fseq = seq
+		}
+		// Write index
+		mb.cache.idx = append(mb.cache.idx, uint32(index)|hbit)
+	}
 
 	fch, werr := mb.fch, mb.werr
 
@@ -3843,7 +4070,7 @@ func (mb *msgBlock) updateAccounting(seq uint64, ts int64, rl uint64) {
 		seq = seq &^ ebit
 	}
 
-	if mb.first.seq == 0 || mb.first.ts == 0 {
+	if (mb.first.seq == 0 || mb.first.ts == 0) && seq >= mb.first.seq {
 		mb.first.seq = seq
 		mb.first.ts = ts
 	}
@@ -3936,28 +4163,30 @@ func (fs *fileStore) selectMsgBlockWithIndex(seq uint64) (int, *msgBlock) {
 		return -1, nil
 	}
 
-	// Starting index, defaults to beginning.
-	si := 0
+	const linearThresh = 32
+	nb := len(fs.blks) - 1
 
-	// TODO(dlc) - Use new AVL and make this real for anything beyond certain size.
-	// Max threshold before we probe for a starting block to start our linear search.
-	const maxl = 256
-	if nb := len(fs.blks); nb > maxl {
-		d := nb / 8
-		for _, i := range []int{d, 2 * d, 3 * d, 4 * d, 5 * d, 6 * d, 7 * d} {
-			mb := fs.blks[i]
+	if nb < linearThresh {
+		for i, mb := range fs.blks {
 			if seq <= atomic.LoadUint64(&mb.last.seq) {
-				break
+				return i, mb
 			}
-			si = i
 		}
+		return -1, nil
 	}
 
-	// blks are sorted in ascending order.
-	for i := si; i < len(fs.blks); i++ {
-		mb := fs.blks[i]
-		if seq <= atomic.LoadUint64(&mb.last.seq) {
-			return i, mb
+	// Do traditional binary search here since we know the blocks are sorted by sequence first and last.
+	for low, high, mid := 0, nb, nb/2; low <= high; mid = (low + high) / 2 {
+		mb := fs.blks[mid]
+		// Right now these atomic loads do not factor in, so fine to leave. Was considering
+		// uplifting these to fs scope to avoid atomic load but not needed.
+		first, last := atomic.LoadUint64(&mb.first.seq), atomic.LoadUint64(&mb.last.seq)
+		if seq > last {
+			low = mid + 1
+		} else if seq < first {
+			high = mid - 1
+		} else {
+			return mid, mb
 		}
 	}
 
@@ -3987,7 +4216,7 @@ func (fs *fileStore) selectMsgBlockForStart(minTime time.Time) *msgBlock {
 func (mb *msgBlock) indexCacheBuf(buf []byte) error {
 	var le = binary.LittleEndian
 
-	var fseq uint64
+	var fseq, pseq uint64
 	var idx []uint32
 	var index uint32
 
@@ -4020,22 +4249,45 @@ func (mb *msgBlock) indexCacheBuf(buf []byte) error {
 		dlen := int(rl) - msgHdrSize
 
 		// Do some quick sanity checks here.
-		if dlen < 0 || int(slen) > dlen || dlen > int(rl) || rl > 32*1024*1024 {
+		if dlen < 0 || int(slen) > (dlen-recordHashSize) || dlen > int(rl) || index+rl > lbuf || rl > rlBadThresh {
 			// This means something is off.
 			// TODO(dlc) - Add into bad list?
 			return errCorruptState
 		}
+
+		// Check for tombstones which we can skip in terms of indexing.
+		if seq&tbit != 0 {
+			index += rl
+			continue
+		}
+
 		// Clear erase bit.
 		seq = seq &^ ebit
-		// Adjust if we guessed wrong.
-		if seq != 0 && seq < fseq {
-			fseq = seq
-		}
+
 		// We defer checksum checks to individual msg cache lookups to amortorize costs and
 		// not introduce latency for first message from a newly loaded block.
-		idx = append(idx, index)
-		mb.cache.lrl = uint32(rl)
-		index += mb.cache.lrl
+		if seq >= mb.first.seq {
+			// Track that we do not have holes.
+			// Not expected but did see it in the field.
+			if pseq > 0 && seq != pseq+1 {
+				if mb.dmap == nil {
+					mb.dmap = make(map[uint64]struct{})
+				}
+				for dseq := pseq + 1; dseq < seq; dseq++ {
+					idx = append(idx, dbit)
+					mb.dmap[dseq] = struct{}{}
+				}
+			}
+			pseq = seq
+
+			idx = append(idx, index)
+			mb.cache.lrl = uint32(rl)
+			// Adjust if we guessed wrong.
+			if seq != 0 && seq < fseq {
+				fseq = seq
+			}
+		}
+		index += rl
 	}
 	mb.cache.buf = buf
 	mb.cache.idx = idx
@@ -4102,15 +4354,13 @@ func (mb *msgBlock) flushPendingMsgsLocked() (*LostStreamData, error) {
 
 	// Check if we need to encrypt.
 	if mb.bek != nil && lob > 0 {
-		const rsz = 32 * 1024 // 32k
-		var rdst [rsz]byte
+		// Need to leave original alone.
 		var dst []byte
-		if lob > rsz {
-			dst = make([]byte, lob)
+		if lob <= defaultLargeBlockSize {
+			dst = getMsgBlockBuf(lob)[:lob]
 		} else {
-			dst = rdst[:lob]
+			dst = make([]byte, lob)
 		}
-		// Need to leave original alone.
 		mb.bek.XORKeyStream(dst, buf)
 		buf = dst
 	}
@@ -4363,14 +4613,20 @@ var (
 	errMsgBlkTooBig  = errors.New("message block size exceeded int capacity")
 	errUnknownCipher = errors.New("unknown cipher")
 	errDIOStalled    = errors.New("IO is stalled")
+	errNoMainKey     = errors.New("encrypted store encountered with no main key")
 )
 
-// Used for marking messages that have had their checksums checked.
-// Used to signal a message record with headers.
-const hbit = 1 << 31
-
-// Used for marking erased messages sequences.
-const ebit = 1 << 63
+const (
+	// Used for marking messages that have had their checksums checked.
+	// Used to signal a message record with headers.
+	hbit = 1 << 31
+	// Used for marking erased messages sequences.
+	ebit = 1 << 63
+	// Used for marking tombstone sequences.
+	tbit = 1 << 62
+	// Used to mark a bad index as deleted.
+	dbit = 1 << 30
+)
 
 // Will do a lookup from cache.
 // Lock should be held.
@@ -4382,6 +4638,7 @@ func (mb *msgBlock) cacheLookup(seq uint64, sm *StoreMsg) (*StoreMsg, error) {
 	// If we have a delete map check it.
 	if mb.dmap != nil {
 		if _, ok := mb.dmap[seq]; ok {
+			mb.llts = time.Now().UnixNano()
 			return nil, errDeletedMsg
 		}
 	}
@@ -4514,7 +4771,7 @@ func (mb *msgBlock) msgFromBuf(buf []byte, sm *StoreMsg, hh hash.Hash64) (*Store
 	dlen := int(rl) - msgHdrSize
 	slen := int(le.Uint16(hdr[20:]))
 	// Simple sanity check.
-	if dlen < 0 || slen > dlen || int(rl) > len(buf) {
+	if dlen < 0 || slen > (dlen-recordHashSize) || dlen > int(rl) || int(rl) > len(buf) {
 		return nil, errBadMsg
 	}
 	data := buf[msgHdrSize : msgHdrSize+dlen]
@@ -4524,9 +4781,9 @@ func (mb *msgBlock) msgFromBuf(buf []byte, sm *StoreMsg, hh hash.Hash64) (*Store
 		hh.Write(hdr[4:20])
 		hh.Write(data[:slen])
 		if hasHeaders {
-			hh.Write(data[slen+4 : dlen-8])
+			hh.Write(data[slen+4 : dlen-recordHashSize])
 		} else {
-			hh.Write(data[slen : dlen-8])
+			hh.Write(data[slen : dlen-recordHashSize])
 		}
 		if !bytes.Equal(hh.Sum(nil), data[len(data)-8:]) {
 			return nil, errBadMsg
@@ -4569,32 +4826,50 @@ func (mb *msgBlock) msgFromBuf(buf []byte, sm *StoreMsg, hh hash.Hash64) (*Store
 	return sm, nil
 }
 
+// Used to intern strings for subjects.
+// Based on idea from https://github.com/josharian/intern/blob/master/intern.go
+var subjPool = sync.Pool{
+	New: func() any {
+		return make(map[string]string)
+	},
+}
+
+// Get an interned string from a byte slice.
+func subjFromBytes(b []byte) string {
+	sm := subjPool.Get().(map[string]string)
+	defer subjPool.Put(sm)
+	subj, ok := sm[string(b)]
+	if ok {
+		return subj
+	}
+	s := string(b)
+	sm[s] = s
+	return s
+}
+
 // Given the `key` byte slice, this function will return the subject
-// as a copy of `key` or a configured subject as to minimize memory allocations.
+// as an interned string of `key` or a configured subject as to minimize memory allocations.
 // Lock should be held.
-func (mb *msgBlock) subjString(key []byte) string {
-	if len(key) == 0 {
+func (mb *msgBlock) subjString(skey []byte) string {
+	if len(skey) == 0 {
 		return _EMPTY_
 	}
 
 	if lsubjs := len(mb.fs.cfg.Subjects); lsubjs > 0 {
 		if lsubjs == 1 {
 			// The cast for the comparison does not make a copy
-			if string(key) == mb.fs.cfg.Subjects[0] {
+			if string(skey) == mb.fs.cfg.Subjects[0] {
 				return mb.fs.cfg.Subjects[0]
 			}
 		} else {
 			for _, subj := range mb.fs.cfg.Subjects {
-				if string(key) == subj {
+				if string(skey) == subj {
 					return subj
 				}
 			}
 		}
 	}
-	// Copy here to not reference underlying buffer.
-	var sb strings.Builder
-	sb.Write(key)
-	return sb.String()
+	return subjFromBytes(skey)
 }
 
 // LoadMsg will lookup the message by sequence number and return it if found.
@@ -4637,7 +4912,16 @@ func (fs *fileStore) loadLast(subj string, sm *StoreMsg) (lsm *StoreMsg, err err
 			mb.mu.Unlock()
 			return nil, err
 		}
-		_, _, l := mb.filteredPendingLocked(subj, wc, mb.first.seq)
+		var l uint64
+		// Optimize if subject is not a wildcard.
+		if !wc {
+			if ss := mb.fss[subj]; ss != nil {
+				l = ss.Last
+			}
+		}
+		if l == 0 {
+			_, _, l = mb.filteredPendingLocked(subj, wc, mb.first.seq)
+		}
 		if l > 0 {
 			if mb.cacheNotLoaded() {
 				if err := mb.loadMsgsWithLock(); err != nil {
@@ -4680,20 +4964,17 @@ func (fs *fileStore) LoadNextMsg(filter string, wc bool, start uint64, sm *Store
 		start = fs.state.FirstSeq
 	}
 
-	// TODO(dlc) - If num blocks gets large maybe use selectMsgBlock but have it return index b/c
-	// we need to keep walking if no match found in first mb.
-	for _, mb := range fs.blks {
-		// Skip blocks that are less than our starting sequence.
-		if start > atomic.LoadUint64(&mb.last.seq) {
-			continue
-		}
-		if sm, expireOk, err := mb.firstMatching(filter, wc, start, sm); err == nil {
-			if expireOk && mb != fs.lmb {
-				mb.tryForceExpireCache()
+	if bi, _ := fs.selectMsgBlockWithIndex(start); bi >= 0 {
+		for i := bi; i < len(fs.blks); i++ {
+			mb := fs.blks[i]
+			if sm, expireOk, err := mb.firstMatching(filter, wc, start, sm); err == nil {
+				if expireOk && mb != fs.lmb {
+					mb.tryForceExpireCache()
+				}
+				return sm, sm.seq, nil
+			} else if err != ErrStoreMsgNotFound {
+				return nil, 0, err
 			}
-			return sm, sm.seq, nil
-		} else if err != ErrStoreMsgNotFound {
-			return nil, 0, err
 		}
 	}
 
@@ -4868,6 +5149,9 @@ func (mb *msgBlock) writeIndexInfoLocked() error {
 		if err != nil {
 			return err
 		}
+		if fi, _ := ifd.Stat(); fi != nil {
+			mb.liwsz = fi.Size()
+		}
 		mb.ifd = ifd
 	}
 
@@ -5077,26 +5361,13 @@ func compareFn(subject string) func(string, string) bool {
 // PurgeEx will remove messages based on subject filters, sequence and number of messages to keep.
 // Will return the number of purged messages.
 func (fs *fileStore) PurgeEx(subject string, sequence, keep uint64) (purged uint64, err error) {
-	if sequence > 1 && keep > 0 {
-		return 0, ErrPurgeArgMismatch
-	}
-
 	if subject == _EMPTY_ || subject == fwcs {
 		if keep == 0 && (sequence == 0 || sequence == 1) {
 			return fs.Purge()
 		}
 		if sequence > 1 {
 			return fs.Compact(sequence)
-		} else if keep > 0 {
-			fs.mu.RLock()
-			msgs, lseq := fs.state.Msgs, fs.state.LastSeq
-			fs.mu.RUnlock()
-			if keep >= msgs {
-				return 0, nil
-			}
-			return fs.Compact(lseq - keep + 1)
 		}
-		return 0, nil
 	}
 
 	eq, wc := compareFn(subject), subjectHasWildcard(subject)
@@ -5146,15 +5417,24 @@ func (fs *fileStore) PurgeEx(subject string, sequence, keep uint64) (purged uint
 				// Do fast in place remove.
 				// Stats
 				if mb.msgs > 0 {
+					// Msgs
 					fs.state.Msgs--
-					fs.state.Bytes -= rl
 					mb.msgs--
+					// Bytes, make sure to not go negative.
+					if rl > fs.state.Bytes {
+						rl = fs.state.Bytes
+					}
+					if rl > mb.bytes {
+						rl = mb.bytes
+					}
+					fs.state.Bytes -= rl
 					mb.bytes -= rl
+					// Totals
 					purged++
 					bytes += rl
 				}
 				// FSS updates.
-				mb.removeSeqPerSubject(sm.subj, seq, &smv)
+				mb.removeSeqPerSubject(sm.subj, seq)
 				fs.removePerSubject(sm.subj)
 
 				// Check for first message.
@@ -5163,7 +5443,8 @@ func (fs *fileStore) PurgeEx(subject string, sequence, keep uint64) (purged uint
 					if mb.isEmpty() {
 						fs.removeMsgBlock(mb)
 						i--
-						firstSeqNeedsUpdate = seq == fs.state.FirstSeq
+						// keep flag set, if set previously
+						firstSeqNeedsUpdate = firstSeqNeedsUpdate || seq == fs.state.FirstSeq
 					} else if seq == fs.state.FirstSeq {
 						fs.state.FirstSeq = mb.first.seq // new one.
 						fs.state.FirstTime = time.Unix(0, mb.first.ts).UTC()
@@ -5287,23 +5568,24 @@ func (fs *fileStore) purge(fseq uint64) (uint64, error) {
 // but not including the seq parameter.
 // Will return the number of purged messages.
 func (fs *fileStore) Compact(seq uint64) (uint64, error) {
-	if seq == 0 || seq > fs.lastSeq() {
+	if seq == 0 {
 		return fs.purge(seq)
 	}
 
 	var purged, bytes uint64
 
-	// We have to delete interior messages.
 	fs.mu.Lock()
+	// Same as purge all.
+	if lseq := fs.state.LastSeq; seq > lseq {
+		fs.mu.Unlock()
+		return fs.purge(seq)
+	}
+	// We have to delete interior messages.
 	smb := fs.selectMsgBlock(seq)
 	if smb == nil {
 		fs.mu.Unlock()
 		return 0, nil
 	}
-	if err := smb.loadMsgs(); err != nil {
-		fs.mu.Unlock()
-		return 0, err
-	}
 
 	// All msgblocks up to this one can be thrown away.
 	var deleted int
@@ -5330,7 +5612,12 @@ func (fs *fileStore) Compact(seq uint64) (uint64, error) {
 	var isEmpty bool
 
 	smb.mu.Lock()
-	// Since we loaded before we acquired our lock, double check here under lock that we have the messages loaded.
+	if smb.first.seq == seq {
+		isEmpty = smb.msgs == 0
+		goto SKIP
+	}
+
+	// Make sure we have the messages loaded.
 	if smb.cacheNotLoaded() {
 		if err = smb.loadMsgsWithLock(); err != nil {
 			goto SKIP
@@ -5341,7 +5628,7 @@ func (fs *fileStore) Compact(seq uint64) (uint64, error) {
 		if err == errDeletedMsg {
 			// Update dmap.
 			if len(smb.dmap) > 0 {
-				delete(smb.dmap, seq)
+				delete(smb.dmap, mseq)
 				if len(smb.dmap) == 0 {
 					smb.dmap = nil
 				}
@@ -5349,13 +5636,16 @@ func (fs *fileStore) Compact(seq uint64) (uint64, error) {
 		} else if sm != nil {
 			sz := fileStoreMsgSize(sm.subj, sm.hdr, sm.msg)
 			if smb.msgs > 0 {
+				smb.msgs--
+				if sz > smb.bytes {
+					sz = smb.bytes
+				}
 				smb.bytes -= sz
 				bytes += sz
-				smb.msgs--
 				purged++
 			}
 			// Update fss
-			smb.removeSeqPerSubject(sm.subj, mseq, &smv)
+			smb.removeSeqPerSubject(sm.subj, mseq)
 			fs.removePerSubject(sm.subj)
 		}
 	}
@@ -5377,7 +5667,7 @@ func (fs *fileStore) Compact(seq uint64) (uint64, error) {
 
 		// Check if we should reclaim the head space from this block.
 		// This will be optimistic only, so don't continue if we encounter any errors here.
-		if smb.bytes*2 < smb.rbytes {
+		if smb.rbytes > compactMinimum && smb.bytes*2 < smb.rbytes {
 			var moff uint32
 			moff, _, _, err = smb.slotInfo(int(smb.first.seq - smb.cache.fseq))
 			if err != nil || moff >= uint32(len(smb.cache.buf)) {
@@ -5411,13 +5701,13 @@ func (fs *fileStore) Compact(seq uint64) (uint64, error) {
 	}
 
 SKIP:
-	smb.mu.Unlock()
-
 	if !isEmpty {
 		// Make sure to write out our index info.
-		smb.writeIndexInfo()
+		smb.writeIndexInfoLocked()
 	}
 
+	smb.mu.Unlock()
+
 	if deleted > 0 {
 		// Update block map.
 		if fs.bim != nil {
@@ -5435,13 +5725,20 @@ SKIP:
 	}
 
 	// Update top level accounting.
+	if purged > fs.state.Msgs {
+		purged = fs.state.Msgs
+	}
 	fs.state.Msgs -= purged
+
+	if bytes > fs.state.Bytes {
+		bytes = fs.state.Bytes
+	}
 	fs.state.Bytes -= bytes
 
 	cb := fs.scb
 	fs.mu.Unlock()
 
-	if cb != nil {
+	if cb != nil && purged > 0 {
 		cb(-int64(purged), -int64(bytes), 0, _EMPTY_)
 	}
 
@@ -5450,7 +5747,6 @@ SKIP:
 
 // Will completely reset our store.
 func (fs *fileStore) reset() error {
-
 	fs.mu.Lock()
 	if fs.closed {
 		fs.mu.Unlock()
@@ -5464,14 +5760,12 @@ func (fs *fileStore) reset() error {
 	var purged, bytes uint64
 	cb := fs.scb
 
-	if cb != nil {
-		for _, mb := range fs.blks {
-			mb.mu.Lock()
-			purged += mb.msgs
-			bytes += mb.bytes
-			mb.dirtyCloseWithRemove(true)
-			mb.mu.Unlock()
-		}
+	for _, mb := range fs.blks {
+		mb.mu.Lock()
+		purged += mb.msgs
+		bytes += mb.bytes
+		mb.dirtyCloseWithRemove(true)
+		mb.mu.Unlock()
 	}
 
 	// Reset
@@ -5560,7 +5854,13 @@ func (fs *fileStore) Truncate(seq uint64) error {
 	fs.state.LastSeq = lsm.seq
 	fs.state.LastTime = time.Unix(0, lsm.ts).UTC()
 	// Update msgs and bytes.
+	if purged > fs.state.Msgs {
+		purged = fs.state.Msgs
+	}
 	fs.state.Msgs -= purged
+	if bytes > fs.state.Bytes {
+		bytes = fs.state.Bytes
+	}
 	fs.state.Bytes -= bytes
 
 	// Reset our subject lookup info.
@@ -5621,11 +5921,9 @@ func (fs *fileStore) addMsgBlock(mb *msgBlock) {
 	fs.bim[mb.index] = mb
 }
 
-// Removes the msgBlock
+// Remove from our list of blks.
 // Both locks should be held.
-func (fs *fileStore) removeMsgBlock(mb *msgBlock) {
-	mb.dirtyCloseWithRemove(true)
-
+func (fs *fileStore) removeMsgBlockFromList(mb *msgBlock) {
 	// Remove from list.
 	for i, omb := range fs.blks {
 		if mb == omb {
@@ -5637,6 +5935,13 @@ func (fs *fileStore) removeMsgBlock(mb *msgBlock) {
 			break
 		}
 	}
+}
+
+// Removes the msgBlock
+// Both locks should be held.
+func (fs *fileStore) removeMsgBlock(mb *msgBlock) {
+	mb.dirtyCloseWithRemove(true)
+	fs.removeMsgBlockFromList(mb)
 	// Check for us being last message block
 	if mb == fs.lmb {
 		// Creating a new message write block requires that the lmb lock is not held.
@@ -5734,50 +6039,81 @@ func (mb *msgBlock) dirtyCloseWithRemove(remove bool) {
 
 // Remove a seq from the fss and select new first.
 // Lock should be held.
-func (mb *msgBlock) removeSeqPerSubject(subj string, seq uint64, smp *StoreMsg) {
+func (mb *msgBlock) removeSeqPerSubject(subj string, seq uint64) {
 	mb.ensurePerSubjectInfoLoaded()
 	ss := mb.fss[subj]
 	if ss == nil {
 		return
 	}
 
-	// Mark dirty
-	mb.fssNeedsWrite = true
-
 	if ss.Msgs == 1 {
 		delete(mb.fss, subj)
+		mb.fssNeedsWrite = true // Mark dirty
 		return
 	}
 
 	ss.Msgs--
-	if seq != ss.First {
-		return
-	}
 
 	// Only one left.
 	if ss.Msgs == 1 {
-		if seq != ss.First {
+		if seq == ss.Last {
 			ss.Last = ss.First
 		} else {
 			ss.First = ss.Last
 		}
+		ss.firstNeedsUpdate = false
+		mb.fssNeedsWrite = true // Mark dirty
 		return
 	}
 
-	// Recalculate first.
-	// TODO(dlc) - Might want to optimize this.
-	if seq == ss.First {
-		var smv StoreMsg
-		if smp == nil {
-			smp = &smv
+	// We can lazily calculate the first sequence when needed.
+	ss.firstNeedsUpdate = seq == ss.First || ss.firstNeedsUpdate
+}
+
+// Will recalulate the first sequence for this subject in this block.
+// Will avoid slower path message lookups and scan the cache directly instead.
+func (mb *msgBlock) recalculateFirstForSubj(subj string, startSeq uint64, ss *SimpleState) {
+	// Need to make sure messages are loaded.
+	if mb.cacheNotLoaded() {
+		if err := mb.loadMsgsWithLock(); err != nil {
+			return
 		}
-		for tseq := seq + 1; tseq <= ss.Last; tseq++ {
-			if sm, _ := mb.cacheLookup(tseq, smp); sm != nil {
-				if sm.subj == subj {
-					ss.First = tseq
-					return
+	}
+	// Mark first as updated.
+	ss.firstNeedsUpdate = false
+	startSeq++
+
+	startSlot := int(startSeq - mb.cache.fseq)
+	if startSlot >= len(mb.cache.idx) {
+		ss.First = ss.Last
+		return
+	} else if startSlot < 0 {
+		startSlot = 0
+	}
+
+	var le = binary.LittleEndian
+	for slot := startSlot; slot < len(mb.cache.idx); slot++ {
+		li := int(mb.cache.idx[slot]&^hbit) - mb.cache.off
+		if li >= len(mb.cache.buf) {
+			ss.First = ss.Last
+			return
+		}
+		buf := mb.cache.buf[li:]
+		hdr := buf[:msgHdrSize]
+		slen := int(le.Uint16(hdr[20:]))
+		if subj == string(buf[msgHdrSize:msgHdrSize+slen]) {
+			seq := le.Uint64(hdr[4:])
+			if seq < mb.first.seq || seq&ebit != 0 {
+				continue
+			}
+			if len(mb.dmap) > 0 {
+				if _, ok := mb.dmap[seq]; ok {
+					continue
 				}
 			}
+			ss.First = seq
+			mb.fssNeedsWrite = true // Mark dirty
+			return
 		}
 	}
 }
@@ -6006,6 +6342,9 @@ func (mb *msgBlock) writePerSubjectInfo() error {
 	n := binary.PutUvarint(scratch[0:], uint64(len(mb.fss)))
 	b.Write(scratch[0:n])
 	for subj, ss := range mb.fss {
+		if ss.firstNeedsUpdate {
+			mb.recalculateFirstForSubj(subj, ss.First, ss)
+		}
 		n := binary.PutUvarint(scratch[0:], uint64(len(subj)))
 		b.Write(scratch[0:n])
 		b.WriteString(subj)
@@ -6097,6 +6436,16 @@ func (fs *fileStore) Delete() error {
 	if fs.isClosed() {
 		// Always attempt to remove since we could have been closed beforehand.
 		os.RemoveAll(fs.fcfg.StoreDir)
+		// Since we did remove, if we did have anything remaining make sure to
+		// call into any storage updates that had been registered.
+		fs.mu.Lock()
+		cb, msgs, bytes := fs.scb, int64(fs.state.Msgs), int64(fs.state.Bytes)
+		// Guard against double accounting if called twice.
+		fs.state.Msgs, fs.state.Bytes = 0, 0
+		fs.mu.Unlock()
+		if msgs > 0 && cb != nil {
+			cb(-msgs, -bytes, 0, _EMPTY_)
+		}
 		return ErrStoreClosed
 	}
 	fs.Purge()
@@ -6149,6 +6498,9 @@ func (fs *fileStore) Stop() error {
 	fs.cancelSyncTimer()
 	fs.cancelAgeChk()
 
+	// We should update the upper usage layer on a stop.
+	cb, bytes := fs.scb, int64(fs.state.Bytes)
+
 	var _cfs [256]ConsumerStore
 	cfs := append(_cfs[:0], fs.cfs...)
 	fs.cfs = nil
@@ -6158,6 +6510,10 @@ func (fs *fileStore) Stop() error {
 		o.Stop()
 	}
 
+	if bytes > 0 && cb != nil {
+		cb(0, -bytes, 0, _EMPTY_)
+	}
+
 	return nil
 }
 
@@ -6529,6 +6885,10 @@ func (fs *fileStore) ConsumerStore(name string, cfg *ConsumerConfig) (ConsumerSt
 	o.qch = make(chan struct{})
 	go o.flushLoop(o.fch, o.qch)
 
+	// Make sure to load in our state from disk if needed.
+	o.loadState()
+
+	// Assign to filestore.
 	fs.AddConsumer(o)
 
 	return o, nil
@@ -6739,17 +7099,28 @@ func (o *consumerFileStore) UpdateDelivered(dseq, sseq, dc uint64, ts int64) err
 		}
 
 		if dc > 1 {
+			if maxdc := uint64(o.cfg.MaxDeliver); maxdc > 0 && dc > maxdc {
+				// Make sure to remove from pending.
+				delete(o.state.Pending, sseq)
+			}
 			if o.state.Redelivered == nil {
 				o.state.Redelivered = make(map[uint64]uint64)
 			}
-			o.state.Redelivered[sseq] = dc - 1
+			// Only update if greater then what we already have.
+			if o.state.Redelivered[sseq] < dc-1 {
+				o.state.Redelivered[sseq] = dc - 1
+			}
 		}
 	} else {
 		// For AckNone just update delivered and ackfloor at the same time.
-		o.state.Delivered.Consumer = dseq
-		o.state.Delivered.Stream = sseq
-		o.state.AckFloor.Consumer = dseq
-		o.state.AckFloor.Stream = sseq
+		if dseq > o.state.Delivered.Consumer {
+			o.state.Delivered.Consumer = dseq
+			o.state.AckFloor.Consumer = dseq
+		}
+		if sseq > o.state.Delivered.Stream {
+			o.state.Delivered.Stream = sseq
+			o.state.AckFloor.Stream = sseq
+		}
 	}
 	// Make sure we flush to disk.
 	o.kickFlusher()
@@ -6765,15 +7136,16 @@ func (o *consumerFileStore) UpdateAcks(dseq, sseq uint64) error {
 	if o.cfg.AckPolicy == AckNone {
 		return ErrNoAckPolicy
 	}
-	if len(o.state.Pending) == 0 || o.state.Pending[sseq] == nil {
-		return ErrStoreMsgNotFound
-	}
 
 	// On restarts the old leader may get a replay from the raft logs that are old.
 	if dseq <= o.state.AckFloor.Consumer {
 		return nil
 	}
 
+	if len(o.state.Pending) == 0 || o.state.Pending[sseq] == nil {
+		return ErrStoreMsgNotFound
+	}
+
 	// Check for AckAll here.
 	if o.cfg.AckPolicy == AckAll {
 		sgap := sseq - o.state.AckFloor.Stream
@@ -6796,21 +7168,15 @@ func (o *consumerFileStore) UpdateAcks(dseq, sseq uint64) error {
 		delete(o.state.Pending, sseq)
 		dseq = p.Sequence // Use the original.
 	}
-	// Now remove from redelivered.
-	if len(o.state.Redelivered) > 0 {
-		delete(o.state.Redelivered, sseq)
-	}
-
 	if len(o.state.Pending) == 0 {
 		o.state.AckFloor.Consumer = o.state.Delivered.Consumer
 		o.state.AckFloor.Stream = o.state.Delivered.Stream
 	} else if dseq == o.state.AckFloor.Consumer+1 {
-		first := o.state.AckFloor.Consumer == 0
 		o.state.AckFloor.Consumer = dseq
 		o.state.AckFloor.Stream = sseq
 
-		if !first && o.state.Delivered.Consumer > dseq {
-			for ss := sseq + 1; ss < o.state.Delivered.Stream; ss++ {
+		if o.state.Delivered.Consumer > dseq {
+			for ss := sseq + 1; ss <= o.state.Delivered.Stream; ss++ {
 				if p, ok := o.state.Pending[ss]; ok {
 					if p.Sequence > 0 {
 						o.state.AckFloor.Consumer = p.Sequence - 1
@@ -6821,6 +7187,8 @@ func (o *consumerFileStore) UpdateAcks(dseq, sseq uint64) error {
 			}
 		}
 	}
+	// We do these regardless.
+	delete(o.state.Redelivered, sseq)
 
 	o.kickFlusher()
 	return nil
@@ -6834,18 +7202,16 @@ const seqsHdrSize = 6*binary.MaxVarintLen64 + hdrLen
 func (o *consumerFileStore) EncodedState() ([]byte, error) {
 	o.mu.Lock()
 	defer o.mu.Unlock()
-
-	if o.closed {
-		return nil, ErrStoreClosed
-	}
-	return encodeConsumerState(&o.state), nil
+	return o.encodeState()
 }
 
 func (o *consumerFileStore) encodeState() ([]byte, error) {
-	if o.closed {
-		return nil, ErrStoreClosed
+	// Grab reference to state, but make sure we load in if needed, so do not reference o.state directly.
+	state, err := o.stateWithCopyLocked(false)
+	if err != nil {
+		return nil, err
 	}
-	return encodeConsumerState(&o.state), nil
+	return encodeConsumerState(state), nil
 }
 
 func (o *consumerFileStore) UpdateConfig(cfg *ConsumerConfig) error {
@@ -6864,7 +7230,7 @@ func (o *consumerFileStore) Update(state *ConsumerState) error {
 	defer o.mu.Unlock()
 
 	// Check to see if this is an outdated update.
-	if state.Delivered.Consumer < o.state.Delivered.Consumer {
+	if state.Delivered.Consumer < o.state.Delivered.Consumer || state.AckFloor.Stream < o.state.AckFloor.Stream {
 		return nil
 	}
 
@@ -7077,7 +7443,11 @@ func (o *consumerFileStore) BorrowState() (*ConsumerState, error) {
 func (o *consumerFileStore) stateWithCopy(doCopy bool) (*ConsumerState, error) {
 	o.mu.Lock()
 	defer o.mu.Unlock()
+	return o.stateWithCopyLocked(doCopy)
+}
 
+// Lock should be held.
+func (o *consumerFileStore) stateWithCopyLocked(doCopy bool) (*ConsumerState, error) {
 	if o.closed {
 		return nil, ErrStoreClosed
 	}
@@ -7156,6 +7526,14 @@ func (o *consumerFileStore) stateWithCopy(doCopy bool) (*ConsumerState, error) {
 	return state, nil
 }
 
+// Lock should be held. Called at startup.
+func (o *consumerFileStore) loadState() {
+	if _, err := os.Stat(o.ifn); err == nil {
+		// This will load our state in from disk.
+		o.stateWithCopyLocked(false)
+	}
+}
+
 // Decode consumer state.
 func decodeConsumerState(buf []byte) (*ConsumerState, error) {
 	version, err := checkConsumerHeader(buf)
diff --git a/server/filestore_test.go b/server/filestore_test.go
index 92ccfd2f3..a1c356031 100644
--- a/server/filestore_test.go
+++ b/server/filestore_test.go
@@ -1278,7 +1278,10 @@ func TestFileStoreBitRot(t *testing.T) {
 			// Now twiddle some bits.
 			fs.mu.Lock()
 			lmb := fs.lmb
-			contents, _ := os.ReadFile(lmb.mfn)
+			contents, err := os.ReadFile(lmb.mfn)
+			require_NoError(t, err)
+			require_True(t, len(contents) > 0)
+
 			var index int
 			for {
 				index = rand.Intn(len(contents))
@@ -1296,6 +1299,10 @@ func TestFileStoreBitRot(t *testing.T) {
 			if len(ld.Msgs) > 0 {
 				break
 			}
+			// If our bitrot caused us to not be able to recover any messages we can break as well.
+			if state := fs.State(); state.Msgs == 0 {
+				break
+			}
 			// Fail the test if we have tried the 10 times and still did not
 			// get any corruption report.
 			if i == 9 {
@@ -1314,7 +1321,10 @@ func TestFileStoreBitRot(t *testing.T) {
 
 		// checkMsgs will repair the underlying store, so checkMsgs should be clean now.
 		if ld := fs.checkMsgs(); ld != nil {
-			t.Fatalf("Expected no errors restoring checked and fixed filestore, got %+v", ld)
+			// If we have no msgs left this will report the head msgs as lost again.
+			if state := fs.State(); state.Msgs > 0 {
+				t.Fatalf("Expected no errors restoring checked and fixed filestore, got %+v", ld)
+			}
 		}
 	})
 }
@@ -2776,8 +2786,8 @@ func TestFileStoreConsumerDeliveredAndAckUpdates(t *testing.T) {
 			}
 		}
 
-		testAck(1, 100, 1, 100)
-		testAck(3, 130, 1, 100)
+		testAck(1, 100, 1, 109)
+		testAck(3, 130, 1, 109)
 		testAck(2, 110, 3, 149) // We do not track explicit state on previous stream floors, so we take last known -1
 		testAck(5, 165, 3, 149)
 		testAck(4, 150, 5, 165)
@@ -3668,7 +3678,7 @@ func TestFileStoreFetchPerf(t *testing.T) {
 // https://github.com/nats-io/nats-server/issues/2936
 func TestFileStoreCompactReclaimHeadSpace(t *testing.T) {
 	testFileStoreAllPermutations(t, func(t *testing.T, fcfg FileStoreConfig) {
-		fcfg.BlockSize = 1024 * 1024
+		fcfg.BlockSize = 4 * 1024 * 1024
 
 		fs, err := newFileStore(
 			fcfg,
@@ -3678,7 +3688,7 @@ func TestFileStoreCompactReclaimHeadSpace(t *testing.T) {
 		defer fs.Stop()
 
 		// Create random bytes for payload to test for corruption vs repeated.
-		msg := make([]byte, 16*1024)
+		msg := make([]byte, 64*1024)
 		crand.Read(msg)
 
 		// This gives us ~63 msgs in first and ~37 in second.
@@ -4020,6 +4030,7 @@ func TestFileStorePurgeExWithSubject(t *testing.T) {
 		require_True(t, int(p) == total)
 		require_True(t, int(p) == total)
 		require_True(t, fs.State().Msgs == 1)
+		require_True(t, fs.State().FirstSeq == 201)
 	})
 }
 
@@ -4320,6 +4331,55 @@ func TestFileStoreMaxMsgsPerSubject(t *testing.T) {
 	})
 }
 
+// Testing the case in https://github.com/nats-io/nats-server/issues/4247
+func TestFileStoreMaxMsgsAndMaxMsgsPerSubject(t *testing.T) {
+	testFileStoreAllPermutations(t, func(t *testing.T, fcfg FileStoreConfig) {
+		fcfg.BlockSize = 128
+		fcfg.CacheExpire = time.Second
+
+		fs, err := newFileStore(
+			fcfg,
+			StreamConfig{
+				Name:     "zzz",
+				Subjects: []string{"kv.>"},
+				Storage:  FileStorage,
+				Discard:  DiscardNew, MaxMsgs: 100, // Total stream policy
+				DiscardNewPer: true, MaxMsgsPer: 1, // Per-subject policy
+			},
+		)
+		require_NoError(t, err)
+		defer fs.Stop()
+
+		for i := 1; i <= 101; i++ {
+			subj := fmt.Sprintf("kv.%d", i)
+			_, _, err := fs.StoreMsg(subj, nil, []byte("value"))
+			if i == 101 {
+				// The 101th iteration should fail because MaxMsgs is set to
+				// 100 and the policy is DiscardNew.
+				require_Error(t, err)
+			} else {
+				require_NoError(t, err)
+			}
+		}
+
+		for i := 1; i <= 100; i++ {
+			subj := fmt.Sprintf("kv.%d", i)
+			_, _, err := fs.StoreMsg(subj, nil, []byte("value"))
+			// All of these iterations should fail because MaxMsgsPer is set
+			// to 1 and DiscardNewPer is set to true, forcing us to reject
+			// cases where there is already a message on this subject.
+			require_Error(t, err)
+		}
+
+		if state := fs.State(); state.Msgs != 100 || state.FirstSeq != 1 || state.LastSeq != 100 || len(state.Deleted) != 0 {
+			// There should be 100 messages exactly, as the 101st subject
+			// should have been rejected in the first loop, and any duplicates
+			// on the other subjects should have been rejected in the second loop.
+			t.Fatalf("Bad state: %+v", state)
+		}
+	})
+}
+
 func TestFileStoreSubjectStateCacheExpiration(t *testing.T) {
 	testFileStoreAllPermutations(t, func(t *testing.T, fcfg FileStoreConfig) {
 		fcfg.BlockSize = 32
@@ -4612,6 +4672,40 @@ func TestFileStoreFSSCloseAndKeepOnExpireOnRecoverBug(t *testing.T) {
 	})
 }
 
+func TestFileStoreExpireOnRecoverSubjectAccounting(t *testing.T) {
+	const msgLen = 19
+	msg := bytes.Repeat([]byte("A"), msgLen)
+
+	testFileStoreAllPermutations(t, func(t *testing.T, fcfg FileStoreConfig) {
+		fcfg.BlockSize = 100
+		ttl := 200 * time.Millisecond
+		scfg := StreamConfig{Name: "zzz", Subjects: []string{"*"}, Storage: FileStorage, MaxAge: ttl}
+
+		fs, err := newFileStore(fcfg, scfg)
+		require_NoError(t, err)
+		defer fs.Stop()
+
+		// These are in first block.
+		fs.StoreMsg("A", nil, msg)
+		fs.StoreMsg("B", nil, msg)
+		time.Sleep(ttl / 2)
+		// This one in 2nd block.
+		fs.StoreMsg("C", nil, msg)
+		fs.Stop()
+
+		time.Sleep(ttl/2 + 10*time.Millisecond)
+
+		fs, err = newFileStore(fcfg, scfg)
+		require_NoError(t, err)
+		defer fs.Stop()
+
+		// Make sure we take into account PSIM when throwing a whole block away.
+		if state := fs.State(); state.NumSubjects != 1 {
+			t.Fatalf("Expected 1 subject, got %d", state.NumSubjects)
+		}
+	})
+}
+
 func TestFileStoreFSSBadStateBug(t *testing.T) {
 	testFileStoreAllPermutations(t, func(t *testing.T, fcfg FileStoreConfig) {
 		fs, err := newFileStore(
@@ -5373,125 +5467,359 @@ func TestFileStoreSubjectsTotals(t *testing.T) {
 	}
 }
 
-func TestFileStoreNumPending(t *testing.T) {
+func TestFileStoreConsumerStoreEncodeAfterRestart(t *testing.T) {
+	testFileStoreAllPermutations(t, func(t *testing.T, fcfg FileStoreConfig) {
+		fs, err := newFileStore(fcfg, StreamConfig{Name: "zzz", Storage: FileStorage})
+		require_NoError(t, err)
+		defer fs.Stop()
+
+		o, err := fs.ConsumerStore("o22", &ConsumerConfig{AckPolicy: AckExplicit})
+		require_NoError(t, err)
+
+		state := &ConsumerState{}
+		state.Delivered.Consumer = 22
+		state.Delivered.Stream = 22
+		state.AckFloor.Consumer = 11
+		state.AckFloor.Stream = 11
+		err = o.Update(state)
+		require_NoError(t, err)
+
+		fs.Stop()
+
+		fs, err = newFileStore(fcfg, StreamConfig{Name: "zzz", Storage: FileStorage})
+		require_NoError(t, err)
+		defer fs.Stop()
+
+		o, err = fs.ConsumerStore("o22", &ConsumerConfig{AckPolicy: AckExplicit})
+		require_NoError(t, err)
+
+		if o.(*consumerFileStore).state.Delivered != state.Delivered {
+			t.Fatalf("Consumer state is wrong %+v vs %+v", o.(*consumerFileStore).state, state)
+		}
+		if o.(*consumerFileStore).state.AckFloor != state.AckFloor {
+			t.Fatalf("Consumer state is wrong %+v vs %+v", o.(*consumerFileStore).state, state)
+		}
+	})
+}
+
+func TestFileStoreNumPendingLargeNumBlks(t *testing.T) {
 	// No need for all permutations here.
 	storeDir := t.TempDir()
 	fcfg := FileStoreConfig{
 		StoreDir:  storeDir,
-		BlockSize: 2 * 1024, // Create many blocks on purpose.
+		BlockSize: 128, // Small on purpose to create alot of blks.
 	}
-	fs, err := newFileStore(fcfg, StreamConfig{Name: "zzz", Subjects: []string{"*.*.*.*"}, Storage: FileStorage})
+	fs, err := newFileStore(fcfg, StreamConfig{Name: "zzz", Subjects: []string{"zzz"}, Storage: FileStorage})
 	require_NoError(t, err)
 	defer fs.Stop()
 
-	tokens := []string{"foo", "bar", "baz"}
-	genSubj := func() string {
-		return fmt.Sprintf("%s.%s.%s.%s",
-			tokens[rand.Intn(len(tokens))],
-			tokens[rand.Intn(len(tokens))],
-			tokens[rand.Intn(len(tokens))],
-			tokens[rand.Intn(len(tokens))],
-		)
+	subj, msg := "zzz", bytes.Repeat([]byte("X"), 100)
+	numMsgs := 10_000
+
+	for i := 0; i < numMsgs; i++ {
+		fs.StoreMsg(subj, nil, msg)
 	}
 
-	for i := 0; i < 50_000; i++ {
-		subj := genSubj()
-		_, _, err := fs.StoreMsg(subj, nil, []byte("Hello World"))
+	start := time.Now()
+	total, _ := fs.NumPending(4000, "zzz", false)
+	require_True(t, time.Since(start) < 5*time.Millisecond)
+	require_True(t, total == 6001)
+
+	start = time.Now()
+	total, _ = fs.NumPending(6000, "zzz", false)
+	require_True(t, time.Since(start) < 5*time.Millisecond)
+	require_True(t, total == 4001)
+
+	// Now delete a message in first half and second half.
+	fs.RemoveMsg(1000)
+	fs.RemoveMsg(9000)
+
+	start = time.Now()
+	total, _ = fs.NumPending(4000, "zzz", false)
+	require_True(t, time.Since(start) < 50*time.Millisecond)
+	require_True(t, total == 6000)
+
+	start = time.Now()
+	total, _ = fs.NumPending(6000, "zzz", false)
+	require_True(t, time.Since(start) < 50*time.Millisecond)
+	require_True(t, total == 4000)
+}
+
+func TestFileStoreRestoreEncryptedWithNoKeyFuncFails(t *testing.T) {
+	// No need for all permutations here.
+	fcfg := FileStoreConfig{StoreDir: t.TempDir(), Cipher: AES}
+	scfg := StreamConfig{Name: "zzz", Subjects: []string{"zzz"}, Storage: FileStorage}
+
+	// Create at first with encryption (prf)
+	prf := func(context []byte) ([]byte, error) {
+		h := hmac.New(sha256.New, []byte("dlc22"))
+		if _, err := h.Write(context); err != nil {
+			return nil, err
+		}
+		return h.Sum(nil), nil
+	}
+
+	fs, err := newFileStoreWithCreated(
+		fcfg, scfg,
+		time.Now(),
+		prf,
+	)
+	require_NoError(t, err)
+	defer fs.Stop()
+
+	subj, msg := "zzz", bytes.Repeat([]byte("X"), 100)
+	numMsgs := 100
+	for i := 0; i < numMsgs; i++ {
+		fs.StoreMsg(subj, nil, msg)
+	}
+
+	fs.Stop()
+
+	// Make sure if we try to restore with no prf (key) that it fails.
+	_, err = newFileStoreWithCreated(
+		fcfg, scfg,
+		time.Now(),
+		nil,
+	)
+	require_Error(t, err, errNoMainKey)
+}
+
+func TestFileStoreRecalculateFirstForSubjBug(t *testing.T) {
+	fs, err := newFileStore(FileStoreConfig{StoreDir: t.TempDir()}, StreamConfig{Name: "zzz", Subjects: []string{"*"}, Storage: FileStorage})
+	require_NoError(t, err)
+	defer fs.Stop()
+
+	fs.StoreMsg("foo", nil, nil) // 1
+	fs.StoreMsg("bar", nil, nil) // 2
+	fs.StoreMsg("foo", nil, nil) // 3
+
+	// Now remove first 2..
+	fs.RemoveMsg(1)
+	fs.RemoveMsg(2)
+
+	// Now grab first (and only) block.
+	fs.mu.RLock()
+	mb := fs.blks[0]
+	fs.mu.RUnlock()
+
+	// Since we lazy update the first, simulate that we have not updated it as of yet.
+	ss := &SimpleState{Msgs: 1, First: 1, Last: 3, firstNeedsUpdate: true}
+
+	mb.mu.Lock()
+	defer mb.mu.Unlock()
+
+	// Flush the cache.
+	mb.clearCacheAndOffset()
+	// Now call with start sequence of 1, the old one
+	// This will panic without the fix.
+	mb.recalculateFirstForSubj("foo", 1, ss)
+	// Make sure it was update properly.
+	require_True(t, *ss == SimpleState{Msgs: 1, First: 3, Last: 3, firstNeedsUpdate: false})
+}
+
+func TestFileStoreKeepWithDeletedMsgsBug(t *testing.T) {
+	fs, err := newFileStore(FileStoreConfig{StoreDir: t.TempDir()}, StreamConfig{Name: "zzz", Subjects: []string{"*"}, Storage: FileStorage})
+	require_NoError(t, err)
+	defer fs.Stop()
+
+	msg := bytes.Repeat([]byte("A"), 19)
+	for i := 0; i < 5; i++ {
+		fs.StoreMsg("A", nil, msg)
+		fs.StoreMsg("B", nil, msg)
+	}
+
+	n, err := fs.PurgeEx("A", 0, 0)
+	require_NoError(t, err)
+	require_True(t, n == 5)
+
+	// Purge with keep.
+	n, err = fs.PurgeEx(_EMPTY_, 0, 2)
+	require_NoError(t, err)
+	require_True(t, n == 3)
+}
+
+// This is for 2.10 delete tombstones and backward compatibility if a user downgrades to 2.9.x
+// TODO(dlc) - Can remove once merged into 2.10 codebase.
+func TestFileStoreTombstoneBackwardCompatibility(t *testing.T) {
+	sd := t.TempDir()
+	fs, err := newFileStore(FileStoreConfig{StoreDir: sd}, StreamConfig{Name: "zzz", Subjects: []string{"*"}, Storage: FileStorage})
+	require_NoError(t, err)
+	defer fs.Stop()
+
+	// We will test scenarios where tombstones are embedded in a filestore from a 2.10 system.
+	msgA := bytes.Repeat([]byte("A"), 22)
+	msgZ := bytes.Repeat([]byte("Z"), 22)
+
+	fs.StoreMsg("A", nil, msgA)
+	fs.StoreMsg("B", nil, msgZ)
+
+	mb := fs.getFirstBlock()
+	require_True(t, mb != nil)
+
+	// >= 2.10 tombstone
+	mb.writeMsgRecord(emptyRecordLen, 2|tbit, _EMPTY_, nil, nil, time.Now().UnixNano(), true)
+
+	// Put a real message behind it.
+	fs.StoreMsg("C", nil, msgA)
+
+	checkState := func() {
+		state := fs.State()
+		require_True(t, state.Msgs == 3)
+		require_True(t, state.FirstSeq == 1)
+		require_True(t, state.LastSeq == 3)
+		require_True(t, state.NumSubjects == 3)
+
+		sm, err := fs.LoadMsg(2, nil)
+		require_NoError(t, err)
+		require_True(t, bytes.Equal(sm.msg, msgZ))
+		require_True(t, sm.subj == "B")
+
+		sm, err = fs.LoadMsg(3, nil)
 		require_NoError(t, err)
+		require_True(t, bytes.Equal(sm.msg, msgA))
+		require_True(t, sm.subj == "C")
 	}
 
-	state := fs.State()
+	checkState()
+	fs.Stop()
 
-	// Scan one by one for sanity check against other calculations.
-	sanityCheck := func(sseq uint64, filter string) SimpleState {
-		t.Helper()
-		var ss SimpleState
-		var smv StoreMsg
-		// For here we know 0 is invalid, set to 1.
-		if sseq == 0 {
-			sseq = 1
-		}
-		for seq := sseq; seq <= state.LastSeq; seq++ {
-			sm, err := fs.LoadMsg(seq, &smv)
-			if err != nil {
-				t.Logf("Encountered error %v loading sequence: %d", err, seq)
-				continue
-			}
-			if subjectIsSubsetMatch(sm.subj, filter) {
-				ss.Msgs++
-				ss.Last = seq
-				if ss.First == 0 || seq < ss.First {
-					ss.First = seq
-				}
-			}
-		}
-		return ss
+	// Make sure we are good on recreate.
+	fs, err = newFileStore(FileStoreConfig{StoreDir: sd}, StreamConfig{Name: "zzz", Subjects: []string{"*"}, Storage: FileStorage})
+	require_NoError(t, err)
+	defer fs.Stop()
+
+	checkState()
+
+	// Now we will purge, place tombstone first, then add messages and check.
+	_, err = fs.Purge()
+	require_NoError(t, err)
+
+	// >= 2.10 tombstone
+	mb.writeMsgRecord(emptyRecordLen, 22|tbit, _EMPTY_, nil, nil, time.Now().UnixNano(), true)
+
+	fs.StoreMsg("A", nil, msgA) // seq 4
+	fs.StoreMsg("B", nil, msgZ) // seq 5
+
+	checkPurgeState := func() {
+		state := fs.State()
+		require_True(t, state.Msgs == 2)
+		require_True(t, state.FirstSeq == 4)
+		require_True(t, state.LastSeq == 5)
+		require_True(t, state.NumSubjects == 2)
+
+		sm, err := fs.LoadMsg(4, nil)
+		require_NoError(t, err)
+		require_True(t, bytes.Equal(sm.msg, msgA))
+		require_True(t, sm.subj == "A")
+
+		sm, err = fs.LoadMsg(5, nil)
+		require_NoError(t, err)
+		require_True(t, bytes.Equal(sm.msg, msgZ))
+		require_True(t, sm.subj == "B")
 	}
 
-	check := func(sseq uint64, filter string) {
-		t.Helper()
-		np, lvs := fs.NumPending(sseq, filter, false)
-		ss := fs.FilteredState(sseq, filter)
-		sss := sanityCheck(sseq, filter)
-		if lvs != state.LastSeq {
-			t.Fatalf("Expected NumPending to return valid through last of %d but got %d", state.LastSeq, lvs)
-		}
-		if ss.Msgs != np {
-			t.Fatalf("NumPending of %d did not match ss.Msgs of %d", np, ss.Msgs)
-		}
-		if ss != sss {
-			t.Fatalf("Failed sanity check, expected %+v got %+v", sss, ss)
+	checkPurgeState()
+
+	// Make sure we are good on recreate.
+	fs, err = newFileStore(FileStoreConfig{StoreDir: sd}, StreamConfig{Name: "zzz", Subjects: []string{"*"}, Storage: FileStorage})
+	require_NoError(t, err)
+	defer fs.Stop()
+
+	checkPurgeState()
+}
+
+// Test that loads from lmb under lots of writes do not return errPartialCache.
+func TestFileStoreErrPartialLoad(t *testing.T) {
+	fs, err := newFileStore(FileStoreConfig{StoreDir: t.TempDir()}, StreamConfig{Name: "zzz", Subjects: []string{"*"}, Storage: FileStorage})
+	require_NoError(t, err)
+	defer fs.Stop()
+
+	put := func(num int) {
+		for i := 0; i < num; i++ {
+			fs.StoreMsg("Z", nil, []byte("ZZZZZZZZZZZZZ"))
 		}
 	}
 
-	sanityCheckLastOnly := func(sseq uint64, filter string) SimpleState {
-		t.Helper()
-		var ss SimpleState
-		var smv StoreMsg
-		// For here we know 0 is invalid, set to 1.
-		if sseq == 0 {
-			sseq = 1
-		}
-		seen := make(map[string]bool)
-		for seq := state.LastSeq; seq >= sseq; seq-- {
-			sm, err := fs.LoadMsg(seq, &smv)
-			if err != nil {
-				t.Logf("Encountered error %v loading sequence: %d", err, seq)
-				continue
-			}
-			if !seen[sm.subj] && subjectIsSubsetMatch(sm.subj, filter) {
-				ss.Msgs++
-				if ss.Last == 0 {
-					ss.Last = seq
-				}
-				if ss.First == 0 || seq < ss.First {
-					ss.First = seq
+	put(100)
+
+	// Dump cache of lmb.
+	clearCache := func() {
+		fs.mu.RLock()
+		lmb := fs.lmb
+		fs.mu.RUnlock()
+		lmb.mu.Lock()
+		lmb.clearCache()
+		lmb.mu.Unlock()
+	}
+	clearCache()
+
+	qch := make(chan struct{})
+	defer close(qch)
+
+	for i := 0; i < 10; i++ {
+		go func() {
+			for {
+				select {
+				case <-qch:
+					return
+				default:
+					put(5)
 				}
-				seen[sm.subj] = true
 			}
-		}
-		return ss
+		}()
 	}
 
-	checkLastOnly := func(sseq uint64, filter string) {
-		t.Helper()
-		np, lvs := fs.NumPending(sseq, filter, true)
-		ss := sanityCheckLastOnly(sseq, filter)
-		if lvs != state.LastSeq {
-			t.Fatalf("Expected NumPending to return valid through last of %d but got %d", state.LastSeq, lvs)
+	time.Sleep(100 * time.Millisecond)
+
+	var smv StoreMsg
+	for i := 0; i < 10_000; i++ {
+		fs.mu.RLock()
+		lmb := fs.lmb
+		fs.mu.RUnlock()
+		lmb.mu.Lock()
+		first, last := fs.lmb.first.seq, fs.lmb.last.seq
+		if i%100 == 0 {
+			lmb.clearCache()
 		}
-		if ss.Msgs != np {
-			t.Fatalf("NumPending of %d did not match ss.Msgs of %d", np, ss.Msgs)
+		lmb.mu.Unlock()
+
+		if spread := int(last - first); spread > 0 {
+			seq := first + uint64(rand.Intn(spread))
+			_, err = fs.LoadMsg(seq, &smv)
+			require_NoError(t, err)
 		}
 	}
+}
+
+func TestFileStoreErrPartialLoadOnSyncClose(t *testing.T) {
+	fs, err := newFileStore(
+		FileStoreConfig{StoreDir: t.TempDir(), BlockSize: 500},
+		StreamConfig{Name: "zzz", Subjects: []string{"*"}, Storage: FileStorage},
+	)
+	require_NoError(t, err)
+	defer fs.Stop()
 
-	startSeqs := []uint64{0, 1, 2, 200, 444, 555, 2222, 8888, 12_345, 28_222, 33_456, 44_400, 49_999}
-	checkSubs := []string{"foo.>", "*.bar.>", "foo.bar.*.baz", "*.bar.>", "*.foo.bar.*", "foo.foo.bar.baz"}
+	// This yields an internal record length of 50 bytes. So 10 msgs per blk.
+	msgLen := 19
+	msg := bytes.Repeat([]byte("A"), msgLen)
 
-	for _, filter := range checkSubs {
-		for _, start := range startSeqs {
-			check(start, filter)
-			checkLastOnly(start, filter)
-		}
+	// Load up half the block.
+	for _, subj := range []string{"A", "B", "C", "D", "E"} {
+		fs.StoreMsg(subj, nil, msg)
 	}
+
+	// Now simulate the sync timer closing the last block.
+	fs.mu.RLock()
+	lmb := fs.lmb
+	fs.mu.RUnlock()
+	require_True(t, lmb != nil)
+
+	lmb.mu.Lock()
+	lmb.expireCacheLocked()
+	lmb.dirtyCloseWithRemove(false)
+	lmb.mu.Unlock()
+
+	fs.StoreMsg("Z", nil, msg)
+	_, err = fs.LoadMsg(1, nil)
+	require_NoError(t, err)
 }
diff --git a/server/gateway.go b/server/gateway.go
index f86944b6e..f23ada3bb 100644
--- a/server/gateway.go
+++ b/server/gateway.go
@@ -761,7 +761,7 @@ func (s *Server) createGateway(cfg *gatewayCfg, url *url.URL, conn net.Conn) {
 	// Snapshot server options.
 	opts := s.getOpts()
 
-	now := time.Now().UTC()
+	now := time.Now()
 	c := &client{srv: s, nc: conn, start: now, last: now, kind: GATEWAY}
 
 	// Are we creating the gateway based on the configuration
@@ -870,9 +870,7 @@ func (s *Server) createGateway(cfg *gatewayCfg, url *url.URL, conn net.Conn) {
 
 	// Announce ourselves again to new connections.
 	if solicit && s.EventsEnabled() {
-		s.mu.Lock()
-		s.sendStatsz(fmt.Sprintf(serverStatsSubj, s.info.ID))
-		s.mu.Unlock()
+		s.sendStatszUpdate()
 	}
 }
 
@@ -2680,12 +2678,11 @@ func (s *Server) gatewayHandleSubjectNoInterest(c *client, acc *Account, accName
 	// If there is no subscription for this account, we would normally
 	// send an A-, however, if this account has the internal subscription
 	// for service reply, send a specific RS- for the subject instead.
-	hasSubs := acc.sl.Count() > 0
-	if !hasSubs {
-		acc.mu.RLock()
-		hasSubs = acc.siReply != nil
-		acc.mu.RUnlock()
-	}
+	// Need to grab the lock here since sublist can change during reload.
+	acc.mu.RLock()
+	hasSubs := acc.sl.Count() > 0 || acc.siReply != nil
+	acc.mu.RUnlock()
+
 	// If there is at least a subscription, possibly send RS-
 	if hasSubs {
 		sendProto := false
@@ -2964,7 +2961,7 @@ func (c *client) processInboundGatewayMsg(msg []byte) {
 	// Check if this is a service reply subject (_R_)
 	noInterest := len(r.psubs) == 0
 	checkNoInterest := true
-	if acc.imports.services != nil {
+	if acc.NumServiceImports() > 0 {
 		if isServiceReply(c.pa.subject) {
 			checkNoInterest = false
 		} else {
diff --git a/server/ipqueue.go b/server/ipqueue.go
index d0bba0ecf..9a96e4863 100644
--- a/server/ipqueue.go
+++ b/server/ipqueue.go
@@ -1,4 +1,4 @@
-// Copyright 2021 The NATS Authors
+// Copyright 2021-2023 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -20,28 +20,28 @@ import (
 
 const (
 	ipQueueDefaultMaxRecycleSize = 4 * 1024
-	ipQueueDefaultLen            = 0
-	ipQueueInitialCapacity       = 32
+	ipQueueDefaultLen            = 0  // ** added by Memphis
+	ipQueueInitialCapacity       = 32 // ** added by Memphis
 )
 
 // This is a generic intra-process queue.
 type ipQueue[T any] struct {
 	inprogress int64
-	sync.RWMutex
+	sync.Mutex
 	ch         chan struct{}
 	elts       []T
 	pos        int
 	pool       *sync.Pool
 	mrs        int
-	mql        int
-	wrapAround bool
+	mql        int  // ** added by Memphis
+	wrapAround bool // ** added by Memphis
 	name       string
 	m          *sync.Map
 }
 
 type ipQueueOpts struct {
 	maxRecycleSize int
-	maxQueueLen    int
+	maxQueueLen    int // ** added by Memphis
 }
 
 type ipQueueOpt func(*ipQueueOpts)
@@ -54,6 +54,7 @@ func ipQueue_MaxRecycleSize(max int) ipQueueOpt {
 	}
 }
 
+// ** added by Memphis
 // This option allows to set the maximum queue length
 // Queues with this option enabled (>0) do not support the popOne() op
 func ipQueue_MaxQueueLen(max int) ipQueueOpt {
@@ -62,10 +63,12 @@ func ipQueue_MaxQueueLen(max int) ipQueueOpt {
 	}
 }
 
+// ** added by Memphis
+
 func newIPQueue[T any](s *Server, name string, opts ...ipQueueOpt) *ipQueue[T] {
 	qo := ipQueueOpts{
 		maxRecycleSize: ipQueueDefaultMaxRecycleSize,
-		maxQueueLen:    ipQueueDefaultLen,
+		maxQueueLen:    ipQueueDefaultLen, // ** added by Memphis
 	}
 
 	for _, o := range opts {
@@ -74,7 +77,7 @@ func newIPQueue[T any](s *Server, name string, opts ...ipQueueOpt) *ipQueue[T] {
 	q := &ipQueue[T]{
 		ch:   make(chan struct{}, 1),
 		mrs:  qo.maxRecycleSize,
-		mql:  qo.maxQueueLen,
+		mql:  qo.maxQueueLen, // ** added by Memphis
 		pool: &sync.Pool{},
 		name: name,
 		m:    &s.ipQueues,
@@ -91,9 +94,11 @@ func (q *ipQueue[T]) push(e T) int {
 	q.Lock()
 	l := len(q.elts) - q.pos
 
+	// ** added by Memphis
 	if q.wrapAround {
 		l = q.mql
 	}
+	// ** added by Memphis
 
 	if l == 0 {
 		signal = true
@@ -104,10 +109,11 @@ func (q *ipQueue[T]) push(e T) int {
 			q.elts = (*(eltsi.(*[]T)))[:0]
 		}
 		if cap(q.elts) == 0 {
-			q.elts = make([]T, 0, ipQueueInitialCapacity)
+			q.elts = make([]T, 0, ipQueueInitialCapacity) // ** changed by Memphis
 		}
 	}
 
+	// ** added/changed by Memphis
 	if q.mql > 0 && q.mql == l {
 		if !q.wrapAround {
 			//first time we reached max elements
@@ -119,6 +125,7 @@ func (q *ipQueue[T]) push(e T) int {
 		q.elts = append(q.elts, e)
 		l++
 	}
+	// ** added by Memphis
 
 	q.Unlock()
 	if signal {
@@ -140,13 +147,17 @@ func (q *ipQueue[T]) push(e T) int {
 // emptied the queue. So the caller should never assume that pop() will
 // return a slice of 1 or more, it could return `nil`.
 func (q *ipQueue[T]) pop() []T {
+	if q == nil {
+		return nil
+	}
 	var elts []T
 	q.Lock()
 	if q.pos == 0 {
 		elts = q.elts
-	} else if q.wrapAround {
+	} else if q.wrapAround { // ** added by Memphis
 		elts = q.elts[q.pos:]
 		elts = append(elts, q.elts[:q.pos]...)
+		// ** added by Memphis
 	} else {
 		elts = q.elts[q.pos:]
 	}
@@ -219,9 +230,9 @@ func (q *ipQueue[T]) recycle(elts *[]T) {
 
 // Returns the current length of the queue.
 func (q *ipQueue[T]) len() int {
-	q.RLock()
+	q.Lock()
 	l := len(q.elts) - q.pos
-	q.RUnlock()
+	q.Unlock()
 	return l
 }
 
diff --git a/server/ipqueue_test.go b/server/ipqueue_test.go
index ba0e9f34b..1800f2a13 100644
--- a/server/ipqueue_test.go
+++ b/server/ipqueue_test.go
@@ -221,9 +221,9 @@ func TestIPQueuePopOne(t *testing.T) {
 	q.push(1)
 	q.push(2)
 	// Capture current capacity
-	q.RLock()
+	q.Lock()
 	c := cap(q.elts)
-	q.RUnlock()
+	q.Unlock()
 	e, ok = q.popOne()
 	if !ok || e != 1 {
 		t.Fatalf("Invalid value: %v", e)
@@ -343,9 +343,9 @@ func TestIPQueueRecycle(t *testing.T) {
 	values = q.pop()
 	q.recycle(&values)
 	q.push(1002)
-	q.RLock()
+	q.Lock()
 	recycled := &q.elts == &values
-	q.RUnlock()
+	q.Unlock()
 	if recycled {
 		t.Fatalf("Unexpected recycled slice")
 	}
diff --git a/server/jetstream.go b/server/jetstream.go
index e502b4ef5..6fbf25b66 100644
--- a/server/jetstream.go
+++ b/server/jetstream.go
@@ -1,4 +1,4 @@
-// Copyright 2019-2022 The NATS Authors
+// Copyright 2019-2023 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -109,11 +109,14 @@ type jetStream struct {
 	started       time.Time
 
 	// System level request to purge a stream move
-	accountPurge   *subscription
+	accountPurge *subscription
+
+	// Some bools regarding general state.
 	metaRecovering bool
 	standAlone     bool
 	disabled       bool
 	oos            bool
+	shuttingDown   bool
 }
 
 type remoteUsage struct {
@@ -137,6 +140,7 @@ type jsAccount struct {
 	js        *jetStream
 	account   *Account
 	storeDir  string
+	inflight  sync.Map
 	streams   map[string]*stream
 	templates map[string]*streamTemplate
 	store     TemplateStore
@@ -144,6 +148,9 @@ type jsAccount struct {
 	// From server
 	sendq *ipQueue[*pubMsg]
 
+	// For limiting only running one checkAndSync at a time.
+	sync atomic.Bool
+
 	// Usage/limits related fields that will be protected by usageMu
 	usageMu    sync.RWMutex
 	limits     map[string]JetStreamAccountLimits // indexed by tierName
@@ -172,6 +179,7 @@ func (s *Server) EnableJetStream(config *JetStreamConfig) error {
 		return fmt.Errorf("jetstream already enabled")
 	}
 
+	s.Noticef("Starting JetStream")
 	if config == nil || config.MaxMemory <= 0 || config.MaxStore <= 0 {
 		var storeDir, domain string
 		var maxStore, maxMem int64
@@ -358,6 +366,7 @@ func (s *Server) enableJetStream(cfg JetStreamConfig) error {
 		s.SetDefaultSystemAccount()
 	}
 
+	// ** changed by Memphis
 	s.Noticef(" __  __                              _       _           __      _                 __   ")
 	s.Noticef(" |  \\/  |                            | |     (_)         / /     | |                \\ \\  ")
 	s.Noticef(" | \\  / |   ___   _ __ ___    _ __   | |__    _   ___   | |    __| |   ___  __   __  | | ")
@@ -369,6 +378,7 @@ func (s *Server) enableJetStream(cfg JetStreamConfig) error {
 	s.Noticef("")
 	s.Noticef("         https://docs.memphis.dev")
 	s.Noticef("")
+	// ** changed by Memphis
 	s.Noticef("  Max Memory:      %s", friendlyBytes(cfg.MaxMemory))
 	s.Noticef("  Max Storage:     %s", friendlyBytes(cfg.MaxStore))
 	s.Noticef("  Store Directory: \"%s\"", cfg.StoreDir)
@@ -465,7 +475,7 @@ func (s *Server) restartJetStream() error {
 	return nil
 }
 
-// checkStreamExports will check if we have the JS exports setup
+// checkJetStreamExports will check if we have the JS exports setup
 // on the system account, and if not go ahead and set them up.
 func (s *Server) checkJetStreamExports() {
 	if sacc := s.SystemAccount(); sacc != nil {
@@ -580,6 +590,9 @@ func (s *Server) DisableJetStream() error {
 	// Normal shutdown.
 	s.shutdownJetStream()
 
+	// Shut down the RAFT groups.
+	s.shutdownRaftNodes()
+
 	return nil
 }
 
@@ -636,7 +649,7 @@ func (a *Account) enableAllJetStreamServiceImportsAndMappings() error {
 	return nil
 }
 
-// enableJetStreamEnabledServiceImportOnly will enable the single service import responder.
+// enableJetStreamInfoServiceImportOnly will enable the single service import responder.
 // Should we do them all regardless?
 func (a *Account) enableJetStreamInfoServiceImportOnly() error {
 	// Check if this import would be overshadowed. This can happen when accounts
@@ -853,6 +866,13 @@ func (s *Server) signalPullConsumers() {
 	}
 }
 
+// Helper for determining if we are shutting down.
+func (js *jetStream) isShuttingDown() bool {
+	js.mu.RLock()
+	defer js.mu.RUnlock()
+	return js.shuttingDown
+}
+
 // Shutdown jetstream for this server.
 func (s *Server) shutdownJetStream() {
 	s.mu.RLock()
@@ -885,6 +905,8 @@ func (s *Server) shutdownJetStream() {
 	}
 	accPurgeSub := js.accountPurge
 	js.accountPurge = nil
+	// Signal we are shutting down.
+	js.shuttingDown = true
 	js.mu.Unlock()
 
 	if accPurgeSub != nil {
@@ -1006,9 +1028,9 @@ func (a *Account) EnableJetStream(limits map[string]JetStreamAccountLimits) erro
 		return fmt.Errorf("jetstream can not be enabled on the system account")
 	}
 
-	s.mu.Lock()
+	s.mu.RLock()
 	sendq := s.sys.sendq
-	s.mu.Unlock()
+	s.mu.RUnlock()
 
 	// No limits means we dynamically set up limits.
 	// We also place limits here so we know that the account is configured for JetStream.
@@ -1040,12 +1062,15 @@ func (a *Account) EnableJetStream(limits map[string]JetStreamAccountLimits) erro
 	jsa := &jsAccount{js: js, account: a, limits: limits, streams: make(map[string]*stream), sendq: sendq, usage: make(map[string]*jsaStorage)}
 	jsa.storeDir = filepath.Join(js.config.StoreDir, a.Name)
 
-	jsa.usageMu.Lock()
-	jsa.utimer = time.AfterFunc(usageTick, jsa.sendClusterUsageUpdateTimer)
-	// Cluster mode updates to resource usage, but we always will turn on. System internal prevents echos.
-	jsa.updatesPub = fmt.Sprintf(jsaUpdatesPubT, a.Name, sysNode)
-	jsa.updatesSub, _ = s.sysSubscribe(fmt.Sprintf(jsaUpdatesSubT, a.Name), jsa.remoteUpdateUsage)
-	jsa.usageMu.Unlock()
+	// A single server does not need to do the account updates at this point.
+	if js.cluster != nil || !s.standAloneMode() {
+		jsa.usageMu.Lock()
+		jsa.utimer = time.AfterFunc(usageTick, jsa.sendClusterUsageUpdateTimer)
+		// Cluster mode updates to resource usage. System internal prevents echos.
+		jsa.updatesPub = fmt.Sprintf(jsaUpdatesPubT, a.Name, sysNode)
+		jsa.updatesSub, _ = s.sysSubscribe(fmt.Sprintf(jsaUpdatesSubT, a.Name), jsa.remoteUpdateUsage)
+		jsa.usageMu.Unlock()
+	}
 
 	js.accounts[a.Name] = jsa
 	js.mu.Unlock()
@@ -1195,22 +1220,23 @@ func (a *Account) EnableJetStream(limits map[string]JetStreamAccountLimits) erro
 
 		// Check if we are encrypted.
 		keyFile := filepath.Join(mdir, JetStreamMetaFileKey)
-		if key, err := os.ReadFile(keyFile); err == nil {
+		keyBuf, err := os.ReadFile(keyFile)
+		if err == nil {
 			s.Debugf("  Stream metafile is encrypted, reading encrypted keyfile")
-			if len(key) < minMetaKeySize {
-				s.Warnf("  Bad stream encryption key length of %d", len(key))
+			if len(keyBuf) < minMetaKeySize {
+				s.Warnf("  Bad stream encryption key length of %d", len(keyBuf))
 				continue
 			}
 			// Decode the buffer before proceeding.
-			nbuf, err := s.decryptMeta(sc, key, buf, a.Name, fi.Name())
+			nbuf, err := s.decryptMeta(sc, keyBuf, buf, a.Name, fi.Name())
 			if err != nil {
 				// See if we are changing ciphers.
 				switch sc {
 				case ChaCha:
-					nbuf, err = s.decryptMeta(AES, key, buf, a.Name, fi.Name())
+					nbuf, err = s.decryptMeta(AES, keyBuf, buf, a.Name, fi.Name())
 					osc, convertingCiphers = AES, true
 				case AES:
-					nbuf, err = s.decryptMeta(ChaCha, key, buf, a.Name, fi.Name())
+					nbuf, err = s.decryptMeta(ChaCha, keyBuf, buf, a.Name, fi.Name())
 					osc, convertingCiphers = ChaCha, true
 				}
 				if err != nil {
@@ -1220,9 +1246,6 @@ func (a *Account) EnableJetStream(limits map[string]JetStreamAccountLimits) erro
 			}
 			buf = nbuf
 			plaintext = false
-
-			// Remove the key file to have system regenerate with the new cipher.
-			os.Remove(keyFile)
 		}
 
 		var cfg FileStreamInfo
@@ -1274,6 +1297,8 @@ func (a *Account) EnableJetStream(limits map[string]JetStreamAccountLimits) erro
 				s.Noticef("  Encrypting stream '%s > %s'", a.Name, cfg.StreamConfig.Name)
 			} else if convertingCiphers {
 				s.Noticef("  Converting from %s to %s for stream '%s > %s'", osc, sc, a.Name, cfg.StreamConfig.Name)
+				// Remove the key file to have system regenerate with the new cipher.
+				os.Remove(keyFile)
 			}
 		}
 
@@ -1281,6 +1306,13 @@ func (a *Account) EnableJetStream(limits map[string]JetStreamAccountLimits) erro
 		mset, err := a.addStream(&cfg.StreamConfig)
 		if err != nil {
 			s.Warnf("  Error recreating stream %q: %v", cfg.Name, err)
+			// If we removed a keyfile from above make sure to put it back.
+			if convertingCiphers {
+				err := os.WriteFile(keyFile, keyBuf, defaultFilePerms)
+				if err != nil {
+					s.Warnf("  Error replacing meta keyfile for stream %q: %v", cfg.Name, err)
+				}
+			}
 			continue
 		}
 		if !cfg.Created.IsZero() {
@@ -1742,14 +1774,13 @@ func (a *Account) JetStreamEnabled() bool {
 }
 
 func (jsa *jsAccount) remoteUpdateUsage(sub *subscription, c *client, _ *Account, subject, _ string, msg []byte) {
-	const usageSize = 32
-
 	// jsa.js.srv is immutable and guaranteed to no be nil, so no lock needed.
 	s := jsa.js.srv
 
 	jsa.usageMu.Lock()
-	if len(msg) < usageSize {
-		jsa.usageMu.Unlock()
+	defer jsa.usageMu.Unlock()
+
+	if len(msg) < minUsageUpdateLen {
 		s.Warnf("Ignoring remote usage update with size too short")
 		return
 	}
@@ -1758,7 +1789,6 @@ func (jsa *jsAccount) remoteUpdateUsage(sub *subscription, c *client, _ *Account
 		rnode = subject[li+1:]
 	}
 	if rnode == _EMPTY_ {
-		jsa.usageMu.Unlock()
 		s.Warnf("Received remote usage update with no remote node")
 		return
 	}
@@ -1793,21 +1823,31 @@ func (jsa *jsAccount) remoteUpdateUsage(sub *subscription, c *client, _ *Account
 	apiTotal, apiErrors := le.Uint64(msg[16:]), le.Uint64(msg[24:])
 	memUsed, storeUsed := int64(le.Uint64(msg[0:])), int64(le.Uint64(msg[8:]))
 
-	// we later extended the data structure to support multiple tiers
-	excessRecordCnt := uint32(0)
-	tierName := _EMPTY_
-	if len(msg) >= 44 {
-		excessRecordCnt = le.Uint32(msg[32:])
-		length := le.Uint64(msg[36:])
-		tierName = string(msg[44 : 44+length])
-		msg = msg[44+length:]
+	// We later extended the data structure to support multiple tiers
+	var excessRecordCnt uint32
+	var tierName string
+
+	if len(msg) >= usageMultiTiersLen {
+		excessRecordCnt = le.Uint32(msg[minUsageUpdateLen:])
+		length := le.Uint64(msg[minUsageUpdateLen+4:])
+		// Need to protect past this point in case this is wrong.
+		if uint64(len(msg)) < usageMultiTiersLen+length {
+			s.Warnf("Received corrupt remote usage update")
+			return
+		}
+		tierName = string(msg[usageMultiTiersLen : usageMultiTiersLen+length])
+		msg = msg[usageMultiTiersLen+length:]
 	}
 	updateTotal(tierName, memUsed, storeUsed)
-	for ; excessRecordCnt > 0 && len(msg) >= 24; excessRecordCnt-- {
+	for ; excessRecordCnt > 0 && len(msg) >= usageRecordLen; excessRecordCnt-- {
 		memUsed, storeUsed := int64(le.Uint64(msg[0:])), int64(le.Uint64(msg[8:]))
 		length := le.Uint64(msg[16:])
-		tierName = string(msg[24 : 24+length])
-		msg = msg[24+length:]
+		if uint64(len(msg)) < usageRecordLen+length {
+			s.Warnf("Received corrupt remote usage update on excess record")
+			return
+		}
+		tierName = string(msg[usageRecordLen : usageRecordLen+length])
+		msg = msg[usageRecordLen+length:]
 		updateTotal(tierName, memUsed, storeUsed)
 	}
 	jsa.apiTotal -= rUsage.api
@@ -1816,7 +1856,85 @@ func (jsa *jsAccount) remoteUpdateUsage(sub *subscription, c *client, _ *Account
 	rUsage.err = apiErrors
 	jsa.apiTotal += apiTotal
 	jsa.apiErrors += apiErrors
-	jsa.usageMu.Unlock()
+}
+
+// When we detect a skew of some sort this will verify the usage reporting is correct.
+// No locks should be held.
+func (jsa *jsAccount) checkAndSyncUsage(tierName string, storeType StorageType) {
+	// This will run in a separate go routine, so check that we are only running once.
+	if !jsa.sync.CompareAndSwap(false, true) {
+		return
+	}
+	defer jsa.sync.Store(false)
+
+	// Hold the account read lock and the usage lock while we calculate.
+	// We scope by tier and storage type, but if R3 File has 200 streams etc. could
+	// show a pause. I did test with > 100 non-active streams and was 80-200ns or so.
+	// Should be rare this gets called as well.
+	jsa.mu.RLock()
+	defer jsa.mu.RUnlock()
+	js := jsa.js
+	if js == nil {
+		return
+	}
+	s := js.srv
+
+	// We need to collect the stream stores before we acquire the usage lock since in storeUpdates the
+	// stream lock could be held if deletion are inline with storing a new message, e.g. via limits.
+	var stores []StreamStore
+	for _, mset := range jsa.streams {
+		mset.mu.RLock()
+		if mset.tier == tierName && mset.stype == storeType && mset.store != nil {
+			stores = append(stores, mset.store)
+		}
+		mset.mu.RUnlock()
+	}
+
+	// Now range and qualify, hold usage lock to prevent updates.
+	jsa.usageMu.Lock()
+	defer jsa.usageMu.Unlock()
+
+	usage, ok := jsa.usage[tierName]
+	if !ok {
+		return
+	}
+
+	// Collect current total for all stream stores that matched.
+	var total int64
+	var state StreamState
+	for _, store := range stores {
+		store.FastState(&state)
+		total += int64(state.Bytes)
+	}
+
+	var needClusterUpdate bool
+	// If we do not match on our calculations compute delta and adjust.
+	if storeType == MemoryStorage {
+		if total != usage.local.mem {
+			s.Warnf("MemStore usage drift of %v vs %v detected for account %q",
+				friendlyBytes(total), friendlyBytes(usage.local.mem), jsa.account.GetName())
+			delta := total - usage.local.mem
+			usage.local.mem += delta
+			usage.total.mem += delta
+			atomic.AddInt64(&js.memUsed, delta)
+			needClusterUpdate = true
+		}
+	} else {
+		if total != usage.local.store {
+			s.Warnf("FileStore usage drift of %v vs %v detected for account %q",
+				friendlyBytes(total), friendlyBytes(usage.local.store), jsa.account.GetName())
+			delta := total - usage.local.store
+			usage.local.store += delta
+			usage.total.store += delta
+			atomic.AddInt64(&js.storeUsed, delta)
+			needClusterUpdate = true
+		}
+	}
+
+	// Publish our local updates if in clustered mode.
+	if needClusterUpdate && js.isClusteredNoLock() {
+		jsa.sendClusterUsageUpdate()
+	}
 }
 
 // Updates accounting on in use memory and storage. This is called from locally
@@ -1829,9 +1947,8 @@ func (jsa *jsAccount) updateUsage(tierName string, storeType StorageType, delta
 	// use of an atomic to do the check without having data race reports.
 	isClustered := js.isClusteredNoLock()
 
+	var needsCheck bool
 	jsa.usageMu.Lock()
-	defer jsa.usageMu.Unlock()
-
 	s, ok := jsa.usage[tierName]
 	if !ok {
 		s = &jsaStorage{}
@@ -1841,15 +1958,25 @@ func (jsa *jsAccount) updateUsage(tierName string, storeType StorageType, delta
 		s.local.mem += delta
 		s.total.mem += delta
 		atomic.AddInt64(&js.memUsed, delta)
+		needsCheck = s.local.mem < 0
 	} else {
 		s.local.store += delta
 		s.total.store += delta
 		atomic.AddInt64(&js.storeUsed, delta)
+		needsCheck = s.local.store < 0
 	}
 	// Publish our local updates if in clustered mode.
 	if isClustered {
 		jsa.sendClusterUsageUpdate()
 	}
+	jsa.usageMu.Unlock()
+
+	if needsCheck {
+		// We could be holding the stream lock from up in the stack, and this
+		// will want the jsa lock, which would violate locking order.
+		// So do this in a Go routine. The function will check if it is already running.
+		go jsa.checkAndSyncUsage(tierName, storeType)
+	}
 }
 
 var usageTick = 1500 * time.Millisecond
@@ -1863,12 +1990,22 @@ func (jsa *jsAccount) sendClusterUsageUpdateTimer() {
 	}
 }
 
+// For usage fields.
+const (
+	minUsageUpdateLen    = 32
+	stackUsageUpdate     = 72
+	usageRecordLen       = 24
+	usageMultiTiersLen   = 44
+	apiStatsAndNumTiers  = 20
+	minUsageUpdateWindow = 250 * time.Millisecond
+)
+
 // Send updates to our account usage for this server.
 // jsa.usageMu lock should be held.
 func (jsa *jsAccount) sendClusterUsageUpdate() {
 	// These values are absolute so we can limit send rates.
 	now := time.Now()
-	if now.Sub(jsa.lupdate) < 250*time.Millisecond {
+	if now.Sub(jsa.lupdate) < minUsageUpdateWindow {
 		return
 	}
 	jsa.lupdate = now
@@ -1878,32 +2015,37 @@ func (jsa *jsAccount) sendClusterUsageUpdate() {
 		return
 	}
 	// every base record contains mem/store/len(tier) as well as the tier name
-	l := 24 * lenUsage
+	l := usageRecordLen * lenUsage
 	for tier := range jsa.usage {
 		l += len(tier)
 	}
-	if lenUsage > 0 {
-		// first record contains api/usage errors as well as count for extra base records
-		l += 20
+	// first record contains api/usage errors as well as count for extra base records
+	l += apiStatsAndNumTiers
+
+	var raw [stackUsageUpdate]byte
+	var b []byte
+	if l > stackUsageUpdate {
+		b = make([]byte, l)
+	} else {
+		b = raw[:l]
 	}
-	var le = binary.LittleEndian
-	b := make([]byte, l)
-	i := 0
 
+	var i int
+	var le = binary.LittleEndian
 	for tier, usage := range jsa.usage {
 		le.PutUint64(b[i+0:], uint64(usage.local.mem))
 		le.PutUint64(b[i+8:], uint64(usage.local.store))
 		if i == 0 {
-			le.PutUint64(b[i+16:], jsa.usageApi)
-			le.PutUint64(b[i+24:], jsa.usageErr)
-			le.PutUint32(b[i+32:], uint32(len(jsa.usage)-1))
-			le.PutUint64(b[i+36:], uint64(len(tier)))
-			copy(b[i+44:], tier)
-			i += 44 + len(tier)
+			le.PutUint64(b[16:], jsa.usageApi)
+			le.PutUint64(b[24:], jsa.usageErr)
+			le.PutUint32(b[32:], uint32(len(jsa.usage)-1))
+			le.PutUint64(b[36:], uint64(len(tier)))
+			copy(b[usageMultiTiersLen:], tier)
+			i = usageMultiTiersLen + len(tier)
 		} else {
 			le.PutUint64(b[i+16:], uint64(len(tier)))
-			copy(b[i+24:], tier)
-			i += 24 + len(tier)
+			copy(b[i+usageRecordLen:], tier)
+			i += usageRecordLen + len(tier)
 		}
 	}
 	jsa.sendq.push(newPubMsg(nil, jsa.updatesPub, _EMPTY_, nil, nil, b, noCompression, false, false))
@@ -2136,15 +2278,24 @@ func (js *jetStream) usageStats() *JetStreamStats {
 	var stats JetStreamStats
 	js.mu.RLock()
 	stats.Accounts = len(js.accounts)
-	stats.ReservedMemory = (uint64)(js.memReserved)
-	stats.ReservedStore = (uint64)(js.storeReserved)
+	stats.ReservedMemory = uint64(js.memReserved)
+	stats.ReservedStore = uint64(js.storeReserved)
 	s := js.srv
 	js.mu.RUnlock()
-	stats.API.Total = (uint64)(atomic.LoadInt64(&js.apiTotal))
-	stats.API.Errors = (uint64)(atomic.LoadInt64(&js.apiErrors))
-	stats.API.Inflight = (uint64)(atomic.LoadInt64(&js.apiInflight))
-	stats.Memory = (uint64)(atomic.LoadInt64(&js.memUsed))
-	stats.Store = (uint64)(atomic.LoadInt64(&js.storeUsed))
+	stats.API.Total = uint64(atomic.LoadInt64(&js.apiTotal))
+	stats.API.Errors = uint64(atomic.LoadInt64(&js.apiErrors))
+	stats.API.Inflight = uint64(atomic.LoadInt64(&js.apiInflight))
+	// Make sure we do not report negative.
+	used := atomic.LoadInt64(&js.memUsed)
+	if used < 0 {
+		used = 0
+	}
+	stats.Memory = uint64(used)
+	used = atomic.LoadInt64(&js.storeUsed)
+	if used < 0 {
+		used = 0
+	}
+	stats.Store = uint64(used)
 	stats.HAAssets = s.numRaftNodes()
 	return &stats
 }
@@ -2610,9 +2761,13 @@ func (jsa *jsAccount) checkTemplateOwnership(tname, sname string) bool {
 	return false
 }
 
+type Number interface {
+	int | int8 | int16 | int32 | int64 | uint | uint8 | uint16 | uint32 | uint64 | float32 | float64
+}
+
 // friendlyBytes returns a string with the given bytes int64
 // represented as a size, such as 1KB, 10MB, etc...
-func friendlyBytes(bytes int64) string {
+func friendlyBytes[T Number](bytes T) string {
 	fbytes := float64(bytes)
 	base := 1024
 	pre := []string{"K", "M", "G", "T", "P", "E"}
@@ -2638,7 +2793,7 @@ func canonicalName(name string) string {
 }
 
 // To throttle the out of resources errors.
-func (s *Server) resourcesExeededError() {
+func (s *Server) resourcesExceededError() {
 	var didAlert bool
 
 	s.rerrMu.Lock()
diff --git a/server/jetstream_api.go b/server/jetstream_api.go
index f88fe4fa6..eafc96b45 100644
--- a/server/jetstream_api.go
+++ b/server/jetstream_api.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2022 The NATS Authors
+// Copyright 2020-2023 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -735,13 +735,13 @@ type jsAPIRoutedReq struct {
 
 func (js *jetStream) apiDispatch(sub *subscription, c *client, acc *Account, subject, reply string, rmsg []byte) {
 	// No lock needed, those are immutable.
-	wrappedSubject := memphisFindJSAPIWrapperSubject(c, subject)
-	s, rr := js.srv, js.apiSubs.Match(wrappedSubject)
+	wrappedSubject := memphisFindJSAPIWrapperSubject(c, subject) // ** added by memphis
+	s, rr := js.srv, js.apiSubs.Match(wrappedSubject)            // ** changed to wrappedSubject by memphis
 
 	hdr, _ := c.msgParts(rmsg)
 	if len(getHeader(ClientInfoHdr, hdr)) == 0 {
 		// Check if this is the system account. We will let these through for the account info only.
-		if s.SystemAccount() != acc || wrappedSubject != JSApiAccountInfo {
+		if s.SystemAccount() != acc || wrappedSubject != JSApiAccountInfo { // ** changed to wrappedSubject by memphis
 			return
 		}
 	}
@@ -754,7 +754,7 @@ func (js *jetStream) apiDispatch(sub *subscription, c *client, acc *Account, sub
 	// We should only have psubs and only 1 per result.
 	// FIXME(dlc) - Should we respond here with NoResponders or error?
 	if len(rr.psubs) != 1 {
-		s.Warnf("Malformed JetStream API Request: [%s] %q", wrappedSubject, rmsg)
+		s.Warnf("Malformed JetStream API Request: [%s] %q", wrappedSubject, rmsg) // ** changed to wrappedSubject by memphis
 		return
 	}
 	jsub := rr.psubs[0]
@@ -764,7 +764,7 @@ func (js *jetStream) apiDispatch(sub *subscription, c *client, acc *Account, sub
 		start := time.Now()
 		jsub.icb(sub, c, acc, subject, reply, rmsg)
 		if dur := time.Since(start); dur >= readLoopReportThreshold {
-			s.Warnf("Internal subscription on %q took too long: %v", wrappedSubject, dur)
+			s.Warnf("Internal subscription on %q took too long: %v", wrappedSubject, dur) // ** changed to wrappedSubject by memphis
 		}
 		return
 	}
@@ -837,13 +837,13 @@ func (s *Server) setJetStreamExportSubs() error {
 		{JSApiTemplateInfo, s.jsTemplateInfoRequest},
 		{JSApiTemplateDelete, s.jsTemplateDeleteRequest},
 		{JSApiStreamCreate, s.jsStreamCreateRequest},
-		{memphisJSApiStreamCreate, s.memphisJSApiWrapStreamCreate},
+		{memphisJSApiStreamCreate, s.memphisJSApiWrapStreamCreate}, // ** added by memphis
 		{JSApiStreamUpdate, s.jsStreamUpdateRequest},
 		{JSApiStreams, s.jsStreamNamesRequest},
 		{JSApiStreamList, s.jsStreamListRequest},
 		{JSApiStreamInfo, s.jsStreamInfoRequest},
 		{JSApiStreamDelete, s.jsStreamDeleteRequest},
-		{memphisJSApiStreamDelete, s.memphisJSApiWrapStreamDelete},
+		{memphisJSApiStreamDelete, s.memphisJSApiWrapStreamDelete}, // ** added by memphis
 		{JSApiStreamPurge, s.jsStreamPurgeRequest},
 		{JSApiStreamSnapshot, s.jsStreamSnapshotRequest},
 		{JSApiStreamRestore, s.jsStreamRestoreRequest},
@@ -890,6 +890,7 @@ func (s *Server) sendAPIErrResponse(ci *ClientInfo, acc *Account, subject, reply
 	s.sendJetStreamAPIAuditAdvisory(ci, acc, subject, request, response)
 }
 
+// ** added by memphis
 func (s *Server) sendAPIErrResponseWithEcho(ci *ClientInfo, acc *Account, subject, reply, request, response string) {
 	acc.trackAPIErr()
 	if reply != _EMPTY_ {
@@ -898,13 +899,22 @@ func (s *Server) sendAPIErrResponseWithEcho(ci *ClientInfo, acc *Account, subjec
 	s.sendJetStreamAPIAuditAdvisory(ci, acc, subject, request, response)
 }
 
+// ** added by memphis
+
 const errRespDelay = 500 * time.Millisecond
 
 func (s *Server) sendDelayedAPIErrResponse(ci *ClientInfo, acc *Account, subject, reply, request, response string, rg *raftGroup) {
+	js := s.getJetStream()
+	if js == nil {
+		return
+	}
 	var quitCh <-chan struct{}
+	js.mu.RLock()
 	if rg != nil && rg.node != nil {
 		quitCh = rg.node.QuitC()
 	}
+	js.mu.RUnlock()
+
 	s.startGoRoutine(func() {
 		defer s.grWG.Done()
 		select {
@@ -1281,12 +1291,14 @@ func (jsa *jsAccount) tieredReservation(tier string, cfg *StreamConfig) int64 {
 }
 
 // Request to create a stream.
+// ** changed by memphis
 func (s *Server) jsStreamCreateRequest(sub *subscription, c *client, acc *Account, subject, reply string, rmsg []byte) {
 	s.jsStreamCreateRequestIntern(sub, c, acc, subject, reply, rmsg)
 }
 
-func (s *Server) jsStreamCreateRequestIntern(sub *subscription, c *client, _ *Account, subject, reply string, rmsg []byte) {
-	var cfg StreamConfig
+// ** changed by memphis
+
+func (s *Server) jsStreamCreateRequestIntern(sub *subscription, c *client, _ *Account, subject, reply string, rmsg []byte) { // ** changed by memphis
 	if c == nil || !s.JetStreamEnabled() {
 		return
 	}
@@ -1323,6 +1335,7 @@ func (s *Server) jsStreamCreateRequestIntern(sub *subscription, c *client, _ *Ac
 		return
 	}
 
+	var cfg StreamConfig
 	if err := json.Unmarshal(msg, &cfg); err != nil {
 		resp.Error = NewJSInvalidJSONError()
 		s.sendAPIErrResponse(ci, acc, subject, reply, string(msg), s.jsonResponse(&resp))
@@ -1902,7 +1915,7 @@ func (s *Server) jsStreamInfoRequest(sub *subscription, c *client, a *Account, s
 
 				if actualSize > 0 {
 					sd = make(map[string]uint64, actualSize)
-					subjState = make(map[string]SimpleState, actualSize)
+					subjState = make(map[string]SimpleState, actualSize) // ** added by Memphis
 					for _, ss := range subjs[offset:end] {
 						sd[ss] = st[ss]
 						subjState[ss] = subjectsState[ss] // ** added by Memphis
@@ -1999,18 +2012,24 @@ func (s *Server) jsStreamLeaderStepDownRequest(sub *subscription, c *client, _ *
 		return
 	}
 
-	// Call actual stepdown.
-	if mset != nil {
+	if mset == nil {
+		resp.Success = true
+		s.sendAPIResponse(ci, acc, subject, reply, string(msg), s.jsonResponse(resp))
+		return
+	}
+
+	// Call actual stepdown. Do this in a Go routine.
+	go func() {
 		if node := mset.raftNode(); node != nil {
 			mset.setLeader(false)
 			// TODO (mh) eventually make sure all go routines exited and all channels are cleared
 			time.Sleep(250 * time.Millisecond)
 			node.StepDown()
 		}
-	}
 
-	resp.Success = true
-	s.sendAPIResponse(ci, acc, subject, reply, string(msg), s.jsonResponse(resp))
+		resp.Success = true
+		s.sendAPIResponse(ci, acc, subject, reply, string(msg), s.jsonResponse(resp))
+	}()
 }
 
 // Request to have a consumer leader stepdown.
@@ -2105,16 +2124,23 @@ func (s *Server) jsConsumerLeaderStepDownRequest(sub *subscription, c *client, _
 		return
 	}
 
-	// Call actual stepdown.
-	if n := o.raftNode(); n != nil {
+	n := o.raftNode()
+	if n == nil {
+		resp.Success = true
+		s.sendAPIResponse(ci, acc, subject, reply, string(msg), s.jsonResponse(resp))
+		return
+	}
+
+	// Call actual stepdown. Do this in a Go routine.
+	go func() {
 		o.setLeader(false)
 		// TODO (mh) eventually make sure all go routines exited and all channels are cleared
 		time.Sleep(250 * time.Millisecond)
 		n.StepDown()
-	}
 
-	resp.Success = true
-	s.sendAPIResponse(ci, acc, subject, reply, string(msg), s.jsonResponse(resp))
+		resp.Success = true
+		s.sendAPIResponse(ci, acc, subject, reply, string(msg), s.jsonResponse(resp))
+	}()
 }
 
 // Request to remove a peer from a clustered stream.
@@ -2668,7 +2694,7 @@ func (s *Server) jsLeaderAccountPurgeRequest(sub *subscription, c *client, _ *Ac
 }
 
 // Request to have the meta leader stepdown.
-// These will only be received the the meta leaders, so less checking needed.
+// These will only be received by the meta leader, so less checking needed.
 func (s *Server) jsLeaderStepDownRequest(sub *subscription, c *client, _ *Account, subject, reply string, rmsg []byte) {
 	if c == nil || !s.JetStreamEnabled() {
 		return
@@ -2763,11 +2789,13 @@ func isEmptyRequest(req []byte) bool {
 }
 
 // Request to delete a stream.
+// ** added/changed by Memphis
 func (s *Server) jsStreamDeleteRequest(sub *subscription, c *client, acc *Account, subject, reply string, rmsg []byte) {
 	s.jsStreamDeleteRequestIntern(sub, c, acc, subject, reply, rmsg)
 }
+// ** added/changed by Memphis
 
-func (s *Server) jsStreamDeleteRequestIntern(sub *subscription, c *client, _ *Account, subject, reply string, rmsg []byte) {
+func (s *Server) jsStreamDeleteRequestIntern(sub *subscription, c *client, _ *Account, subject, reply string, rmsg []byte) { // ** added/changed by Memphis
 	if c == nil || !s.JetStreamEnabled() {
 		return
 	}
@@ -3342,7 +3370,7 @@ func (s *Server) processStreamRestore(ci *ClientInfo, acc *Account, cfg *StreamC
 
 	var total int
 
-	// FIXM(dlc) - Probably take out of network path eventually due to disk I/O?
+	// FIXME(dlc) - Probably take out of network path eventually due to disk I/O?
 	processChunk := func(sub *subscription, c *client, _ *Account, subject, reply string, msg []byte) {
 		// We require reply subjects to communicate back failures, flow etc. If they do not have one log and cancel.
 		if reply == _EMPTY_ {
@@ -3376,7 +3404,7 @@ func (s *Server) processStreamRestore(ci *ClientInfo, acc *Account, cfg *StreamC
 		// TODO(dlc) - We could check apriori and cancel initial request if we know it won't fit.
 		total += len(msg)
 		if js.wouldExceedLimits(FileStorage, total) {
-			s.resourcesExeededError()
+			s.resourcesExceededError()
 			resultCh <- result{NewJSInsufficientResourcesError(), reply}
 			return
 		}
@@ -3782,11 +3810,11 @@ func (s *Server) jsConsumerCreateRequest(sub *subscription, c *client, a *Accoun
 		} else {
 			streamName = streamNameFromSubject(subject)
 			consumerName = consumerNameFromSubject(subject)
-		}
-		// New has optional filtered subject as part of main subject..
-		if n > 7 {
-			tokens := strings.Split(subject, tsep)
-			filteredSubject = strings.Join(tokens[6:], tsep)
+			// New has optional filtered subject as part of main subject..
+			if n > 6 {
+				tokens := strings.Split(subject, tsep)
+				filteredSubject = strings.Join(tokens[6:], tsep)
+			}
 		}
 	}
 
diff --git a/server/jetstream_benchmark_consume_test.go b/server/jetstream_benchmark_consume_test.go
deleted file mode 100644
index f2af0ef2d..000000000
--- a/server/jetstream_benchmark_consume_test.go
+++ /dev/null
@@ -1,404 +0,0 @@
-// Copyright 2022 The NATS Authors
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//go:build !skip_js_tests && !skip_js_cluster_tests && !skip_js_cluster_tests_2
-// +build !skip_js_tests,!skip_js_cluster_tests,!skip_js_cluster_tests_2
-
-package server
-
-import (
-	"fmt"
-	"math/rand"
-	"testing"
-	"time"
-
-	"github.com/nats-io/nats.go"
-)
-
-func BenchmarkJetStreamConsume(b *testing.B) {
-
-	const (
-		verbose        = false
-		streamName     = "S"
-		subject        = "s"
-		seed           = 12345
-		publishTimeout = 30 * time.Second
-	)
-
-	runSyncPushConsumer := func(b *testing.B, js nats.JetStreamContext, streamName, subject string) (int, int, int) {
-		const nextMsgTimeout = 3 * time.Second
-
-		subOpts := []nats.SubOpt{
-			nats.BindStream(streamName),
-		}
-		sub, err := js.SubscribeSync("", subOpts...)
-		if err != nil {
-			b.Fatalf("Failed to subscribe: %v", err)
-		}
-		defer sub.Unsubscribe()
-
-		bitset := NewBitset(uint64(b.N))
-		uniqueConsumed, duplicates, errors := 0, 0, 0
-
-		b.ResetTimer()
-
-		for uniqueConsumed < b.N {
-			msg, err := sub.NextMsg(nextMsgTimeout)
-			if err != nil {
-				b.Fatalf("No more messages (received: %d/%d)", uniqueConsumed, b.N)
-			}
-
-			metadata, mdErr := msg.Metadata()
-			if mdErr != nil {
-				errors++
-				continue
-			}
-
-			ackErr := msg.Ack()
-			if ackErr != nil {
-				errors++
-				continue
-			}
-
-			seq := metadata.Sequence.Stream
-
-			index := seq - 1
-			if bitset.get(index) {
-				duplicates++
-				continue
-			}
-
-			uniqueConsumed++
-			bitset.set(index, true)
-			b.SetBytes(int64(len(msg.Data)))
-
-			if verbose && uniqueConsumed%1000 == 0 {
-				b.Logf("Consumed: %d/%d", bitset.count(), b.N)
-			}
-		}
-
-		b.StopTimer()
-
-		return uniqueConsumed, duplicates, errors
-	}
-
-	runAsyncPushConsumer := func(b *testing.B, js nats.JetStreamContext, streamName, subject string, ordered, durable bool) (int, int, int) {
-		const timeout = 3 * time.Minute
-		bitset := NewBitset(uint64(b.N))
-		doneCh := make(chan bool, 1)
-		uniqueConsumed, duplicates, errors := 0, 0, 0
-
-		handleMsg := func(msg *nats.Msg) {
-			metadata, mdErr := msg.Metadata()
-			if mdErr != nil {
-				// fmt.Printf("Metadata error: %v\n", mdErr)
-				errors++
-				return
-			}
-
-			// Ordered defaults to AckNone policy, don't try to ACK
-			if !ordered {
-				ackErr := msg.Ack()
-				if ackErr != nil {
-					// fmt.Printf("Ack error: %v\n", ackErr)
-					errors++
-					return
-				}
-			}
-
-			seq := metadata.Sequence.Stream
-
-			index := seq - 1
-			if bitset.get(index) {
-				duplicates++
-				return
-			}
-
-			uniqueConsumed++
-			bitset.set(index, true)
-			b.SetBytes(int64(len(msg.Data)))
-
-			if uniqueConsumed == b.N {
-				msg.Sub.Unsubscribe()
-				doneCh <- true
-			}
-			if verbose && uniqueConsumed%1000 == 0 {
-				b.Logf("Consumed %d/%d", uniqueConsumed, b.N)
-			}
-		}
-
-		subOpts := []nats.SubOpt{
-			nats.BindStream(streamName),
-		}
-
-		if ordered {
-			subOpts = append(subOpts, nats.OrderedConsumer())
-		}
-
-		if durable {
-			subOpts = append(subOpts, nats.Durable("c"))
-		}
-
-		sub, err := js.Subscribe("", handleMsg, subOpts...)
-		if err != nil {
-			b.Fatalf("Failed to subscribe: %v", err)
-		}
-		defer sub.Unsubscribe()
-
-		b.ResetTimer()
-
-		select {
-		case <-doneCh:
-			b.StopTimer()
-		case <-time.After(timeout):
-			b.Fatalf("Timeout, %d/%d received, %d errors", uniqueConsumed, b.N, errors)
-		}
-
-		return uniqueConsumed, duplicates, errors
-	}
-
-	runPullConsumer := func(b *testing.B, js nats.JetStreamContext, streamName, subject string, durable bool) (int, int, int) {
-		const fetchMaxWait = nats.MaxWait(3 * time.Second)
-		const fetchMaxMessages = 1000
-
-		bitset := NewBitset(uint64(b.N))
-		uniqueConsumed, duplicates, errors := 0, 0, 0
-
-		subOpts := []nats.SubOpt{
-			nats.BindStream(streamName),
-		}
-
-		consumerName := "" // Default ephemeral
-		if durable {
-			consumerName = "c" // Durable
-		}
-
-		sub, err := js.PullSubscribe("", consumerName, subOpts...)
-		if err != nil {
-			b.Fatalf("Failed to subscribe: %v", err)
-		}
-		defer sub.Unsubscribe()
-
-		b.ResetTimer()
-
-	fetchLoop:
-		for {
-			msgs, err := sub.Fetch(fetchMaxMessages, fetchMaxWait)
-			if err != nil {
-				b.Fatalf("Failed to fetch: %v", err)
-			}
-
-		processMsgsLoop:
-			for _, msg := range msgs {
-				metadata, mdErr := msg.Metadata()
-				if mdErr != nil {
-					errors++
-					continue processMsgsLoop
-				}
-
-				ackErr := msg.Ack()
-				if ackErr != nil {
-					errors++
-					continue processMsgsLoop
-				}
-
-				seq := metadata.Sequence.Stream
-
-				index := seq - 1
-				if bitset.get(index) {
-					duplicates++
-					continue processMsgsLoop
-				}
-
-				uniqueConsumed++
-				bitset.set(index, true)
-				b.SetBytes(int64(len(msg.Data)))
-
-				if uniqueConsumed == b.N {
-					msg.Sub.Unsubscribe()
-					break fetchLoop
-				}
-
-				if verbose && uniqueConsumed%1000 == 0 {
-					b.Logf("Consumed %d/%d", uniqueConsumed, b.N)
-				}
-			}
-		}
-
-		b.StopTimer()
-
-		return uniqueConsumed, duplicates, errors
-	}
-
-	type ConsumerType string
-	const (
-		PushSync         ConsumerType = "PUSH[Sync,Ephemeral]"
-		PushAsync        ConsumerType = "PUSH[Async,Ephemeral]"
-		PushAsyncOrdered ConsumerType = "PUSH[Async,Ordered]"
-		PushAsyncDurable ConsumerType = "PUSH[Async,Durable]"
-		PullDurable      ConsumerType = "PULL[Durable]"
-		PullEphemeral    ConsumerType = "PULL[Ephemeral]"
-	)
-
-	benchmarksCases := []struct {
-		clusterSize int
-		replicas    int
-		messageSize int
-		minMessages int
-	}{
-		{1, 1, 10, 100_000}, // Single node, 10B messages, ~1MiB minimum
-		{1, 1, 1024, 1_000}, // Single node, 1KB messages, ~1MiB minimum
-		{3, 3, 10, 100_000}, // Cluster, R3, 10B messages, ~1MiB minimum
-		{3, 3, 1024, 1_000}, // Cluster, R3, 1KB messages, ~1MiB minimum
-	}
-
-	//Each of the cases above is run with each of the consumer types
-	consumerTypes := []ConsumerType{
-		PushSync,
-		PushAsync,
-		PushAsyncOrdered,
-		PushAsyncDurable,
-		PullDurable,
-		PullEphemeral,
-	}
-
-	for _, bc := range benchmarksCases {
-
-		name := fmt.Sprintf(
-			"N=%d,R=%d,MsgSz=%db",
-			bc.clusterSize,
-			bc.replicas,
-			bc.messageSize,
-		)
-
-		b.Run(
-			name,
-			func(b *testing.B) {
-
-				for _, ct := range consumerTypes {
-					name := fmt.Sprintf(
-						"%v",
-						ct,
-					)
-					b.Run(
-						name,
-						func(b *testing.B) {
-							// Skip short runs, benchmark gets re-executed with a larger N
-							if b.N < bc.minMessages {
-								b.ResetTimer()
-								return
-							}
-
-							if verbose {
-								b.Logf("Running %s with %d messages", name, b.N)
-							}
-
-							if verbose {
-								b.Logf("Setting up %d nodes", bc.clusterSize)
-							}
-							var connectURL string
-							if bc.clusterSize == 1 {
-								s := RunBasicJetStreamServer(b)
-								defer s.Shutdown()
-								connectURL = s.ClientURL()
-							} else {
-								cl := createJetStreamClusterExplicit(b, "BENCH_PUB", bc.clusterSize)
-								defer cl.shutdown()
-								cl.waitOnClusterReadyWithNumPeers(bc.clusterSize)
-								cl.waitOnLeader()
-								connectURL = cl.randomServer().ClientURL()
-							}
-
-							nc, js := jsClientConnectURL(b, connectURL)
-							defer nc.Close()
-
-							if verbose {
-								b.Logf("Creating stream with R=%d", bc.replicas)
-							}
-							streamConfig := &nats.StreamConfig{
-								Name:     streamName,
-								Subjects: []string{subject},
-								Replicas: bc.replicas,
-							}
-							if _, err := js.AddStream(streamConfig); err != nil {
-								b.Fatalf("Error creating stream: %v", err)
-							}
-
-							rng := rand.New(rand.NewSource(int64(seed)))
-							message := make([]byte, bc.messageSize)
-							publishedCount := 0
-							for publishedCount < b.N {
-								rng.Read(message)
-								_, err := js.PublishAsync(subject, message)
-								if err != nil {
-									continue
-								} else {
-									publishedCount++
-								}
-							}
-
-							select {
-							case <-js.PublishAsyncComplete():
-								if verbose {
-									b.Logf("Published %d messages", b.N)
-								}
-							case <-time.After(publishTimeout):
-								b.Fatalf("Publish timed out")
-							}
-
-							// Discard time spent during setup
-							// Consumer may reset again further in
-							b.ResetTimer()
-
-							var consumed, duplicates, errors int
-
-							const (
-								ordered   = true
-								unordered = false
-								durable   = true
-								ephemeral = false
-							)
-
-							switch ct {
-							case PushSync:
-								consumed, duplicates, errors = runSyncPushConsumer(b, js, streamName, subject)
-							case PushAsync:
-								consumed, duplicates, errors = runAsyncPushConsumer(b, js, streamName, subject, unordered, ephemeral)
-							case PushAsyncOrdered:
-								consumed, duplicates, errors = runAsyncPushConsumer(b, js, streamName, subject, ordered, ephemeral)
-							case PushAsyncDurable:
-								consumed, duplicates, errors = runAsyncPushConsumer(b, js, streamName, subject, unordered, durable)
-							case PullDurable:
-								consumed, duplicates, errors = runPullConsumer(b, js, streamName, subject, durable)
-							case PullEphemeral:
-								consumed, duplicates, errors = runPullConsumer(b, js, streamName, subject, ephemeral)
-							default:
-								b.Fatalf("Unknown consumer type: %v", ct)
-							}
-
-							// Benchmark ends here, (consumer may have stopped earlier)
-							b.StopTimer()
-
-							if consumed != b.N {
-								b.Fatalf("Something doesn't add up: %d != %d", consumed, b.N)
-							}
-
-							b.ReportMetric(float64(duplicates)*100/float64(b.N), "%dupe")
-							b.ReportMetric(float64(errors)*100/float64(b.N), "%error")
-						},
-					)
-				}
-			},
-		)
-	}
-}
diff --git a/server/jetstream_benchmark_kv_test.go b/server/jetstream_benchmark_kv_test.go
deleted file mode 100644
index f89f686c5..000000000
--- a/server/jetstream_benchmark_kv_test.go
+++ /dev/null
@@ -1,265 +0,0 @@
-// Copyright 2022 The NATS Authors
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//go:build !skip_js_tests && !skip_js_cluster_tests && !skip_js_cluster_tests_2
-// +build !skip_js_tests,!skip_js_cluster_tests,!skip_js_cluster_tests_2
-
-package server
-
-import (
-	"fmt"
-	"math/rand"
-	"testing"
-
-	"github.com/nats-io/nats.go"
-)
-
-func BenchmarkJetStreamKV(b *testing.B) {
-
-	const (
-		verbose      = false
-		kvNamePrefix = "B_"
-		keyPrefix    = "K_"
-		seed         = 12345
-		minOps       = 1_000
-	)
-
-	runKVGet := func(b *testing.B, kvs []nats.KeyValue, keys []string) int {
-		rng := rand.New(rand.NewSource(int64(seed)))
-		errors := 0
-
-		b.ResetTimer()
-
-		for i := 1; i <= b.N; i++ {
-			kv := kvs[rng.Intn(len(kvs))]
-			key := keys[rng.Intn(len(keys))]
-			kve, err := kv.Get(key)
-			if err != nil {
-				errors++
-				continue
-			}
-
-			b.SetBytes(int64(len(kve.Value())))
-
-			if verbose && i%1000 == 0 {
-				b.Logf("Completed %d/%d Get ops", i, b.N)
-			}
-		}
-
-		b.StopTimer()
-		return errors
-	}
-
-	runKVPut := func(b *testing.B, kvs []nats.KeyValue, keys []string, valueSize int) int {
-		rng := rand.New(rand.NewSource(int64(seed)))
-		value := make([]byte, valueSize)
-		errors := 0
-
-		b.ResetTimer()
-
-		for i := 1; i <= b.N; i++ {
-			kv := kvs[rng.Intn(len(kvs))]
-			key := keys[rng.Intn(len(keys))]
-			rng.Read(value)
-			_, err := kv.Put(key, value)
-			if err != nil {
-				errors++
-				continue
-			}
-
-			b.SetBytes(int64(valueSize))
-
-			if verbose && i%1000 == 0 {
-				b.Logf("Completed %d/%d Put ops", i, b.N)
-			}
-		}
-
-		b.StopTimer()
-		return errors
-	}
-
-	runKVUpdate := func(b *testing.B, kvs []nats.KeyValue, keys []string, valueSize int) int {
-		rng := rand.New(rand.NewSource(int64(seed)))
-		value := make([]byte, valueSize)
-		errors := 0
-
-		b.ResetTimer()
-
-		for i := 1; i <= b.N; i++ {
-			kv := kvs[rng.Intn(len(kvs))]
-			key := keys[rng.Intn(len(keys))]
-
-			kve, getErr := kv.Get(key)
-			if getErr != nil {
-				errors++
-				continue
-			}
-
-			rng.Read(value)
-			_, updateErr := kv.Update(key, value, kve.Revision())
-			if updateErr != nil {
-				errors++
-				continue
-			}
-
-			b.SetBytes(int64(valueSize))
-
-			if verbose && i%1000 == 0 {
-				b.Logf("Completed %d/%d Update ops", i, b.N)
-			}
-		}
-
-		b.StopTimer()
-		return errors
-	}
-
-	type WorkloadType string
-	const (
-		Get    WorkloadType = "GET"
-		Put    WorkloadType = "PUT"
-		Update WorkloadType = "CAS"
-	)
-
-	benchmarksCases := []struct {
-		clusterSize int
-		replicas    int
-		numBuckets  int
-		numKeys     int
-		valueSize   int
-	}{
-		{1, 1, 1, 100, 100},    // 1 node, 1 bucket with 100 keys, 100B values
-		{1, 1, 10, 1000, 100},  // 1 node, 10 buckets with 1000 keys, 100B values
-		{3, 3, 1, 100, 100},    // 3 nodes, 1 bucket with 100 keys, 100B values
-		{3, 3, 10, 1000, 100},  // 3 nodes, 10 buckets with 1000 keys, 100B values
-		{3, 3, 10, 1000, 1024}, // 3 nodes, 10 buckets with 1000 keys, 1KB values
-	}
-
-	workloadCases := []WorkloadType{
-		Get,
-		Put,
-		Update,
-	}
-
-	for _, bc := range benchmarksCases {
-
-		bName := fmt.Sprintf(
-			"N=%d,R=%d,B=%d,K=%d,ValSz=%db",
-			bc.clusterSize,
-			bc.replicas,
-			bc.numBuckets,
-			bc.numKeys,
-			bc.valueSize,
-		)
-
-		b.Run(
-			bName,
-			func(b *testing.B) {
-				for _, wc := range workloadCases {
-					wName := fmt.Sprintf("%v", wc)
-					b.Run(
-						wName,
-						func(b *testing.B) {
-							// Skip short runs, benchmark gets re-executed with a larger N
-							if b.N < minOps {
-								b.ResetTimer()
-								return
-							}
-
-							if verbose {
-								b.Logf("Running %s workload %s with %d messages", wName, bName, b.N)
-							}
-
-							if verbose {
-								b.Logf("Setting up %d nodes", bc.clusterSize)
-							}
-							var connectURL string
-							if bc.clusterSize == 1 {
-								s := RunBasicJetStreamServer(b)
-								defer s.Shutdown()
-								connectURL = s.ClientURL()
-							} else {
-								cl := createJetStreamClusterExplicit(b, "BENCH_KV", bc.clusterSize)
-								defer cl.shutdown()
-								cl.waitOnClusterReadyWithNumPeers(bc.clusterSize)
-								cl.waitOnLeader()
-								connectURL = cl.randomServer().ClientURL()
-							}
-
-							nc, js := jsClientConnectURL(b, connectURL)
-							defer nc.Close()
-
-							// Pre-generate all keys
-							keys := make([]string, 0, bc.numKeys)
-							for i := 1; i <= bc.numKeys; i++ {
-								key := fmt.Sprintf("%s%d", keyPrefix, i)
-								keys = append(keys, key)
-							}
-
-							// Initialize all KVs
-							kvs := make([]nats.KeyValue, 0, bc.numBuckets)
-							for i := 1; i <= bc.numBuckets; i++ {
-								// Create bucket
-								kvName := fmt.Sprintf("%s%d", kvNamePrefix, i)
-								if verbose {
-									b.Logf("Creating KV %s with R=%d", kvName, bc.replicas)
-								}
-								kvConfig := &nats.KeyValueConfig{
-									Bucket:   kvName,
-									Replicas: bc.replicas,
-								}
-								kv, err := js.CreateKeyValue(kvConfig)
-								if err != nil {
-									b.Fatalf("Error creating KV: %v", err)
-								}
-								kvs = append(kvs, kv)
-
-								// Initialize all keys
-								rng := rand.New(rand.NewSource(int64(seed * i)))
-								value := make([]byte, bc.valueSize)
-								for _, key := range keys {
-									rng.Read(value)
-									_, err := kv.Create(key, value)
-									if err != nil {
-										b.Fatalf("Failed to initialize %s/%s: %v", kvName, key, err)
-									}
-								}
-							}
-
-							// Discard time spent during setup
-							// May reset again further in
-							b.ResetTimer()
-
-							var errors int
-
-							switch wc {
-							case Get:
-								errors = runKVGet(b, kvs, keys)
-							case Put:
-								errors = runKVPut(b, kvs, keys, bc.valueSize)
-							case Update:
-								errors = runKVUpdate(b, kvs, keys, bc.valueSize)
-							default:
-								b.Fatalf("Unknown workload type: %v", wc)
-							}
-
-							// Benchmark ends here, (may have stopped earlier)
-							b.StopTimer()
-
-							b.ReportMetric(float64(errors)*100/float64(b.N), "%error")
-						},
-					)
-				}
-			},
-		)
-	}
-}
diff --git a/server/jetstream_benchmark_publish_test.go b/server/jetstream_benchmark_publish_test.go
deleted file mode 100644
index c1f3427a4..000000000
--- a/server/jetstream_benchmark_publish_test.go
+++ /dev/null
@@ -1,274 +0,0 @@
-// Copyright 2022 The NATS Authors
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//go:build !skip_js_tests && !skip_js_cluster_tests && !skip_js_cluster_tests_2
-// +build !skip_js_tests,!skip_js_cluster_tests,!skip_js_cluster_tests_2
-
-package server
-
-import (
-	"fmt"
-	"math/rand"
-	"testing"
-	"time"
-
-	"github.com/nats-io/nats.go"
-)
-
-func BenchmarkJetStreamPublish(b *testing.B) {
-
-	const (
-		verbose = false
-		seed    = 12345
-	)
-
-	runSyncPublisher := func(b *testing.B, js nats.JetStreamContext, messageSize int, subjects []string) (int, int) {
-		published, errors := 0, 0
-		rng := rand.New(rand.NewSource(int64(seed)))
-		message := make([]byte, messageSize)
-
-		b.ResetTimer()
-
-		for i := 1; i <= b.N; i++ {
-			rng.Read(message) // TODO may skip this?
-			subject := subjects[rng.Intn(len(subjects))]
-			_, pubErr := js.Publish(subject, message)
-			if pubErr != nil {
-				errors++
-			} else {
-				published++
-				b.SetBytes(int64(messageSize))
-			}
-
-			if verbose && i%1000 == 0 {
-				b.Logf("Published %d/%d, %d errors", i, b.N, errors)
-			}
-		}
-
-		b.StopTimer()
-
-		return published, errors
-	}
-
-	runAsyncPublisher := func(b *testing.B, js nats.JetStreamContext, messageSize int, subjects []string, asyncWindow int) (int, int) {
-		const publishCompleteMaxWait = 30 * time.Second
-		rng := rand.New(rand.NewSource(int64(seed)))
-		message := make([]byte, messageSize)
-		pending := make([]nats.PubAckFuture, 0, asyncWindow)
-		published, errors := 0, 0
-
-		b.ResetTimer()
-
-		for i := 1; i <= b.N; i++ {
-			rng.Read(message) // TODO may skip this?
-			subject := subjects[rng.Intn(len(subjects))]
-			pubAckFuture, err := js.PublishAsync(subject, message)
-			if err != nil {
-				errors++
-				continue
-			}
-			pending = append(pending, pubAckFuture)
-
-			// Regularly trim the list of pending
-			if i%asyncWindow == 0 {
-				newPending := make([]nats.PubAckFuture, 0, asyncWindow)
-				for _, pubAckFuture := range pending {
-					select {
-					case <-pubAckFuture.Ok():
-						published++
-						b.SetBytes(int64(messageSize))
-					case <-pubAckFuture.Err():
-						errors++
-					default:
-						// This pubAck is still pending, keep it
-						newPending = append(newPending, pubAckFuture)
-					}
-				}
-				pending = newPending
-			}
-
-			if verbose && i%1000 == 0 {
-				b.Logf("Published %d/%d, %d errors", i, b.N, errors)
-			}
-		}
-
-		// All published, wait for completed
-		select {
-		case <-js.PublishAsyncComplete():
-		case <-time.After(publishCompleteMaxWait):
-			b.Fatalf("Publish timed out")
-		}
-
-		// Clear whatever is left pending
-		for _, pubAckFuture := range pending {
-			select {
-			case <-pubAckFuture.Ok():
-				published++
-				b.SetBytes(int64(messageSize))
-			case <-pubAckFuture.Err():
-				errors++
-			default:
-				b.Fatalf("PubAck is still pending after publish completed")
-			}
-		}
-
-		b.StopTimer()
-
-		return published, errors
-	}
-
-	type PublishType string
-	const (
-		Sync  PublishType = "Sync"
-		Async PublishType = "Async"
-	)
-
-	benchmarksCases := []struct {
-		clusterSize int
-		replicas    int
-		messageSize int
-		numSubjects int
-		minMessages int
-	}{
-		{1, 1, 10, 1, 100_000}, // Single node, 10B messages, ~1MB minimum
-		{1, 1, 1024, 1, 1_000}, // Single node, 1KB messages, ~1MB minimum
-		{3, 3, 10, 1, 100_000}, // 3-nodes cluster, R=3, 10B messages, ~1MB minimum
-		{3, 3, 1024, 1, 1_000}, // 3-nodes cluster, R=3, 10B messages, ~1MB minimum
-	}
-
-	// All the cases above are run with each of the publisher cases below
-	publisherCases := []struct {
-		pType       PublishType
-		asyncWindow int
-	}{
-		{Sync, -1},
-		{Async, 1000},
-		{Async, 4000},
-		{Async, 8000},
-	}
-
-	for _, bc := range benchmarksCases {
-		name := fmt.Sprintf(
-			"N=%d,R=%d,MsgSz=%db,Subjs=%d",
-			bc.clusterSize,
-			bc.replicas,
-			bc.messageSize,
-			bc.numSubjects,
-		)
-
-		b.Run(
-			name,
-			func(b *testing.B) {
-
-				for _, pc := range publisherCases {
-					name := fmt.Sprintf("%v", pc.pType)
-					if pc.pType == Async && pc.asyncWindow > 0 {
-						name = fmt.Sprintf("%s[W:%d]", name, pc.asyncWindow)
-					}
-
-					b.Run(
-						name,
-						func(b *testing.B) {
-							// Skip short runs, benchmark gets re-executed with a larger N
-							if b.N < bc.minMessages {
-								b.ResetTimer()
-								return
-							}
-
-							subjects := make([]string, bc.numSubjects)
-							for i := 0; i < bc.numSubjects; i++ {
-								subjects[i] = fmt.Sprintf("s-%d", i+1)
-							}
-
-							if verbose {
-								b.Logf("Running %s with %d ops", name, b.N)
-							}
-
-							if verbose {
-								b.Logf("Setting up %d nodes", bc.clusterSize)
-							}
-							var connectURL string
-
-							if bc.clusterSize == 1 {
-								s := RunBasicJetStreamServer(b)
-								defer s.Shutdown()
-								connectURL = s.ClientURL()
-							} else {
-								cl := createJetStreamClusterExplicit(b, "BENCH_PUB", bc.clusterSize)
-								defer cl.shutdown()
-								cl.waitOnClusterReadyWithNumPeers(bc.clusterSize)
-								cl.waitOnLeader()
-								connectURL = cl.randomServer().ClientURL()
-							}
-
-							nc, err := nats.Connect(connectURL)
-							if err != nil {
-								b.Fatalf("Failed to create client: %v", err)
-							}
-							defer nc.Close()
-
-							jsOpts := []nats.JSOpt{
-								nats.MaxWait(10 * time.Second),
-							}
-
-							if pc.asyncWindow > 0 && pc.pType == Async {
-								jsOpts = append(jsOpts, nats.PublishAsyncMaxPending(pc.asyncWindow))
-							}
-
-							js, err := nc.JetStream(jsOpts...)
-							if err != nil {
-								b.Fatalf("Unexpected error getting JetStream context: %v", err)
-							}
-
-							if verbose {
-								b.Logf("Creating stream with R=%d and %d input subjects", bc.replicas, bc.numSubjects)
-							}
-							streamConfig := &nats.StreamConfig{
-								Name:     "S",
-								Subjects: subjects,
-								Replicas: bc.replicas,
-							}
-							if _, err := js.AddStream(streamConfig); err != nil {
-								b.Fatalf("Error creating stream: %v", err)
-							}
-
-							if verbose {
-								b.Logf("Running %v publisher with message size: %dB", pc.pType, bc.messageSize)
-							}
-
-							// Benchmark starts here
-							b.ResetTimer()
-
-							var published, errors int
-							switch pc.pType {
-							case Sync:
-								published, errors = runSyncPublisher(b, js, bc.messageSize, subjects)
-							case Async:
-								published, errors = runAsyncPublisher(b, js, bc.messageSize, subjects, pc.asyncWindow)
-							}
-
-							// Benchmark ends here
-							b.StopTimer()
-
-							if published+errors != b.N {
-								b.Fatalf("Something doesn't add up: %d + %d != %d", published, errors, b.N)
-							}
-
-							b.ReportMetric(float64(errors)*100/float64(b.N), "%error")
-						},
-					)
-				}
-			},
-		)
-	}
-}
diff --git a/server/jetstream_benchmark_test.go b/server/jetstream_benchmark_test.go
new file mode 100644
index 000000000..94ded0ef9
--- /dev/null
+++ b/server/jetstream_benchmark_test.go
@@ -0,0 +1,1376 @@
+// Copyright 2023 The NATS Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build !skip_js_tests && !skip_js_cluster_tests && !skip_js_cluster_tests_2
+// +build !skip_js_tests,!skip_js_cluster_tests,!skip_js_cluster_tests_2
+
+package server
+
+import (
+	"fmt"
+	"math/rand"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/nats-io/nats.go"
+)
+
+func BenchmarkJetStreamConsume(b *testing.B) {
+
+	const (
+		verbose        = false
+		streamName     = "S"
+		subject        = "s"
+		seed           = 12345
+		publishTimeout = 30 * time.Second
+	)
+
+	runSyncPushConsumer := func(b *testing.B, js nats.JetStreamContext, streamName, subject string) (int, int, int) {
+		const nextMsgTimeout = 3 * time.Second
+
+		subOpts := []nats.SubOpt{
+			nats.BindStream(streamName),
+		}
+		sub, err := js.SubscribeSync("", subOpts...)
+		if err != nil {
+			b.Fatalf("Failed to subscribe: %v", err)
+		}
+		defer sub.Unsubscribe()
+
+		bitset := NewBitset(uint64(b.N))
+		uniqueConsumed, duplicates, errors := 0, 0, 0
+
+		b.ResetTimer()
+
+		for uniqueConsumed < b.N {
+			msg, err := sub.NextMsg(nextMsgTimeout)
+			if err != nil {
+				b.Fatalf("No more messages (received: %d/%d)", uniqueConsumed, b.N)
+			}
+
+			metadata, mdErr := msg.Metadata()
+			if mdErr != nil {
+				errors++
+				continue
+			}
+
+			ackErr := msg.Ack()
+			if ackErr != nil {
+				errors++
+				continue
+			}
+
+			seq := metadata.Sequence.Stream
+
+			index := seq - 1
+			if bitset.get(index) {
+				duplicates++
+				continue
+			}
+
+			uniqueConsumed++
+			bitset.set(index, true)
+			b.SetBytes(int64(len(msg.Data)))
+
+			if verbose && uniqueConsumed%1000 == 0 {
+				b.Logf("Consumed: %d/%d", bitset.count(), b.N)
+			}
+		}
+
+		b.StopTimer()
+
+		return uniqueConsumed, duplicates, errors
+	}
+
+	runAsyncPushConsumer := func(b *testing.B, js nats.JetStreamContext, streamName, subject string, ordered, durable bool) (int, int, int) {
+		const timeout = 3 * time.Minute
+		bitset := NewBitset(uint64(b.N))
+		doneCh := make(chan bool, 1)
+		uniqueConsumed, duplicates, errors := 0, 0, 0
+
+		handleMsg := func(msg *nats.Msg) {
+			metadata, mdErr := msg.Metadata()
+			if mdErr != nil {
+				// fmt.Printf("Metadata error: %v\n", mdErr)
+				errors++
+				return
+			}
+
+			// Ordered defaults to AckNone policy, don't try to ACK
+			if !ordered {
+				ackErr := msg.Ack()
+				if ackErr != nil {
+					// fmt.Printf("Ack error: %v\n", ackErr)
+					errors++
+					return
+				}
+			}
+
+			seq := metadata.Sequence.Stream
+
+			index := seq - 1
+			if bitset.get(index) {
+				duplicates++
+				return
+			}
+
+			uniqueConsumed++
+			bitset.set(index, true)
+			b.SetBytes(int64(len(msg.Data)))
+
+			if uniqueConsumed == b.N {
+				msg.Sub.Unsubscribe()
+				doneCh <- true
+			}
+			if verbose && uniqueConsumed%1000 == 0 {
+				b.Logf("Consumed %d/%d", uniqueConsumed, b.N)
+			}
+		}
+
+		subOpts := []nats.SubOpt{
+			nats.BindStream(streamName),
+		}
+
+		if ordered {
+			subOpts = append(subOpts, nats.OrderedConsumer())
+		}
+
+		if durable {
+			subOpts = append(subOpts, nats.Durable("c"))
+		}
+
+		sub, err := js.Subscribe("", handleMsg, subOpts...)
+		if err != nil {
+			b.Fatalf("Failed to subscribe: %v", err)
+		}
+		defer sub.Unsubscribe()
+
+		b.ResetTimer()
+
+		select {
+		case <-doneCh:
+			b.StopTimer()
+		case <-time.After(timeout):
+			b.Fatalf("Timeout, %d/%d received, %d errors", uniqueConsumed, b.N, errors)
+		}
+
+		return uniqueConsumed, duplicates, errors
+	}
+
+	runPullConsumer := func(b *testing.B, js nats.JetStreamContext, streamName, subject string, durable bool) (int, int, int) {
+		const fetchMaxWait = nats.MaxWait(3 * time.Second)
+		const fetchMaxMessages = 1000
+
+		bitset := NewBitset(uint64(b.N))
+		uniqueConsumed, duplicates, errors := 0, 0, 0
+
+		subOpts := []nats.SubOpt{
+			nats.BindStream(streamName),
+		}
+
+		consumerName := "" // Default ephemeral
+		if durable {
+			consumerName = "c" // Durable
+		}
+
+		sub, err := js.PullSubscribe("", consumerName, subOpts...)
+		if err != nil {
+			b.Fatalf("Failed to subscribe: %v", err)
+		}
+		defer sub.Unsubscribe()
+
+		b.ResetTimer()
+
+	fetchLoop:
+		for {
+			msgs, err := sub.Fetch(fetchMaxMessages, fetchMaxWait)
+			if err != nil {
+				b.Fatalf("Failed to fetch: %v", err)
+			}
+
+		processMsgsLoop:
+			for _, msg := range msgs {
+				metadata, mdErr := msg.Metadata()
+				if mdErr != nil {
+					errors++
+					continue processMsgsLoop
+				}
+
+				ackErr := msg.Ack()
+				if ackErr != nil {
+					errors++
+					continue processMsgsLoop
+				}
+
+				seq := metadata.Sequence.Stream
+
+				index := seq - 1
+				if bitset.get(index) {
+					duplicates++
+					continue processMsgsLoop
+				}
+
+				uniqueConsumed++
+				bitset.set(index, true)
+				b.SetBytes(int64(len(msg.Data)))
+
+				if uniqueConsumed == b.N {
+					msg.Sub.Unsubscribe()
+					break fetchLoop
+				}
+
+				if verbose && uniqueConsumed%1000 == 0 {
+					b.Logf("Consumed %d/%d", uniqueConsumed, b.N)
+				}
+			}
+		}
+
+		b.StopTimer()
+
+		return uniqueConsumed, duplicates, errors
+	}
+
+	type ConsumerType string
+	const (
+		PushSync         ConsumerType = "PUSH[Sync,Ephemeral]"
+		PushAsync        ConsumerType = "PUSH[Async,Ephemeral]"
+		PushAsyncOrdered ConsumerType = "PUSH[Async,Ordered]"
+		PushAsyncDurable ConsumerType = "PUSH[Async,Durable]"
+		PullDurable      ConsumerType = "PULL[Durable]"
+		PullEphemeral    ConsumerType = "PULL[Ephemeral]"
+	)
+
+	benchmarksCases := []struct {
+		clusterSize int
+		replicas    int
+		messageSize int
+		minMessages int
+	}{
+		{1, 1, 10, 100_000}, // Single node, 10B messages, ~1MiB minimum
+		{1, 1, 1024, 1_000}, // Single node, 1KB messages, ~1MiB minimum
+		{3, 3, 10, 100_000}, // Cluster, R3, 10B messages, ~1MiB minimum
+		{3, 3, 1024, 1_000}, // Cluster, R3, 1KB messages, ~1MiB minimum
+	}
+
+	//Each of the cases above is run with each of the consumer types
+	consumerTypes := []ConsumerType{
+		PushSync,
+		PushAsync,
+		PushAsyncOrdered,
+		PushAsyncDurable,
+		PullDurable,
+		PullEphemeral,
+	}
+
+	for _, bc := range benchmarksCases {
+
+		name := fmt.Sprintf(
+			"N=%d,R=%d,MsgSz=%db",
+			bc.clusterSize,
+			bc.replicas,
+			bc.messageSize,
+		)
+
+		b.Run(
+			name,
+			func(b *testing.B) {
+
+				for _, ct := range consumerTypes {
+					name := fmt.Sprintf(
+						"%v",
+						ct,
+					)
+					b.Run(
+						name,
+						func(b *testing.B) {
+							// Skip short runs, benchmark gets re-executed with a larger N
+							if b.N < bc.minMessages {
+								b.ResetTimer()
+								return
+							}
+
+							if verbose {
+								b.Logf("Running %s with %d messages", name, b.N)
+							}
+
+							if verbose {
+								b.Logf("Setting up %d nodes", bc.clusterSize)
+							}
+							var connectURL string
+							if bc.clusterSize == 1 {
+								s := RunBasicJetStreamServer(b)
+								defer s.Shutdown()
+								connectURL = s.ClientURL()
+							} else {
+								cl := createJetStreamClusterExplicit(b, "BENCH_PUB", bc.clusterSize)
+								defer cl.shutdown()
+								cl.waitOnClusterReadyWithNumPeers(bc.clusterSize)
+								cl.waitOnLeader()
+								connectURL = cl.randomServer().ClientURL()
+							}
+
+							nc, js := jsClientConnectURL(b, connectURL)
+							defer nc.Close()
+
+							if verbose {
+								b.Logf("Creating stream with R=%d", bc.replicas)
+							}
+							streamConfig := &nats.StreamConfig{
+								Name:     streamName,
+								Subjects: []string{subject},
+								Replicas: bc.replicas,
+							}
+							if _, err := js.AddStream(streamConfig); err != nil {
+								b.Fatalf("Error creating stream: %v", err)
+							}
+
+							rng := rand.New(rand.NewSource(int64(seed)))
+							message := make([]byte, bc.messageSize)
+							publishedCount := 0
+							for publishedCount < b.N {
+								rng.Read(message)
+								_, err := js.PublishAsync(subject, message)
+								if err != nil {
+									continue
+								} else {
+									publishedCount++
+								}
+							}
+
+							select {
+							case <-js.PublishAsyncComplete():
+								if verbose {
+									b.Logf("Published %d messages", b.N)
+								}
+							case <-time.After(publishTimeout):
+								b.Fatalf("Publish timed out")
+							}
+
+							// Discard time spent during setup
+							// Consumer may reset again further in
+							b.ResetTimer()
+
+							var consumed, duplicates, errors int
+
+							const (
+								ordered   = true
+								unordered = false
+								durable   = true
+								ephemeral = false
+							)
+
+							switch ct {
+							case PushSync:
+								consumed, duplicates, errors = runSyncPushConsumer(b, js, streamName, subject)
+							case PushAsync:
+								consumed, duplicates, errors = runAsyncPushConsumer(b, js, streamName, subject, unordered, ephemeral)
+							case PushAsyncOrdered:
+								consumed, duplicates, errors = runAsyncPushConsumer(b, js, streamName, subject, ordered, ephemeral)
+							case PushAsyncDurable:
+								consumed, duplicates, errors = runAsyncPushConsumer(b, js, streamName, subject, unordered, durable)
+							case PullDurable:
+								consumed, duplicates, errors = runPullConsumer(b, js, streamName, subject, durable)
+							case PullEphemeral:
+								consumed, duplicates, errors = runPullConsumer(b, js, streamName, subject, ephemeral)
+							default:
+								b.Fatalf("Unknown consumer type: %v", ct)
+							}
+
+							// Benchmark ends here, (consumer may have stopped earlier)
+							b.StopTimer()
+
+							if consumed != b.N {
+								b.Fatalf("Something doesn't add up: %d != %d", consumed, b.N)
+							}
+
+							b.ReportMetric(float64(duplicates)*100/float64(b.N), "%dupe")
+							b.ReportMetric(float64(errors)*100/float64(b.N), "%error")
+						},
+					)
+				}
+			},
+		)
+	}
+}
+
+func BenchmarkJetStreamPublish(b *testing.B) {
+
+	const (
+		verbose = false
+		seed    = 12345
+	)
+
+	runSyncPublisher := func(b *testing.B, js nats.JetStreamContext, messageSize int, subjects []string) (int, int) {
+		published, errors := 0, 0
+		rng := rand.New(rand.NewSource(int64(seed)))
+		message := make([]byte, messageSize)
+
+		b.ResetTimer()
+
+		for i := 1; i <= b.N; i++ {
+			rng.Read(message) // TODO may skip this?
+			subject := subjects[rng.Intn(len(subjects))]
+			_, pubErr := js.Publish(subject, message)
+			if pubErr != nil {
+				errors++
+			} else {
+				published++
+				b.SetBytes(int64(messageSize))
+			}
+
+			if verbose && i%1000 == 0 {
+				b.Logf("Published %d/%d, %d errors", i, b.N, errors)
+			}
+		}
+
+		b.StopTimer()
+
+		return published, errors
+	}
+
+	runAsyncPublisher := func(b *testing.B, js nats.JetStreamContext, messageSize int, subjects []string, asyncWindow int) (int, int) {
+		const publishCompleteMaxWait = 30 * time.Second
+		rng := rand.New(rand.NewSource(int64(seed)))
+		message := make([]byte, messageSize)
+		pending := make([]nats.PubAckFuture, 0, asyncWindow)
+		published, errors := 0, 0
+
+		b.ResetTimer()
+
+		for i := 1; i <= b.N; i++ {
+			rng.Read(message) // TODO may skip this?
+			subject := subjects[rng.Intn(len(subjects))]
+			pubAckFuture, err := js.PublishAsync(subject, message)
+			if err != nil {
+				errors++
+				continue
+			}
+			pending = append(pending, pubAckFuture)
+
+			// Regularly trim the list of pending
+			if i%asyncWindow == 0 {
+				newPending := make([]nats.PubAckFuture, 0, asyncWindow)
+				for _, pubAckFuture := range pending {
+					select {
+					case <-pubAckFuture.Ok():
+						published++
+						b.SetBytes(int64(messageSize))
+					case <-pubAckFuture.Err():
+						errors++
+					default:
+						// This pubAck is still pending, keep it
+						newPending = append(newPending, pubAckFuture)
+					}
+				}
+				pending = newPending
+			}
+
+			if verbose && i%1000 == 0 {
+				b.Logf("Published %d/%d, %d errors", i, b.N, errors)
+			}
+		}
+
+		// All published, wait for completed
+		select {
+		case <-js.PublishAsyncComplete():
+		case <-time.After(publishCompleteMaxWait):
+			b.Fatalf("Publish timed out")
+		}
+
+		// Clear whatever is left pending
+		for _, pubAckFuture := range pending {
+			select {
+			case <-pubAckFuture.Ok():
+				published++
+				b.SetBytes(int64(messageSize))
+			case <-pubAckFuture.Err():
+				errors++
+			default:
+				b.Fatalf("PubAck is still pending after publish completed")
+			}
+		}
+
+		b.StopTimer()
+
+		return published, errors
+	}
+
+	type PublishType string
+	const (
+		Sync  PublishType = "Sync"
+		Async PublishType = "Async"
+	)
+
+	benchmarksCases := []struct {
+		clusterSize int
+		replicas    int
+		messageSize int
+		numSubjects int
+		minMessages int
+	}{
+		{1, 1, 10, 1, 100_000}, // Single node, 10B messages, ~1MB minimum
+		{1, 1, 1024, 1, 1_000}, // Single node, 1KB messages, ~1MB minimum
+		{3, 3, 10, 1, 100_000}, // 3-nodes cluster, R=3, 10B messages, ~1MB minimum
+		{3, 3, 1024, 1, 1_000}, // 3-nodes cluster, R=3, 10B messages, ~1MB minimum
+	}
+
+	// All the cases above are run with each of the publisher cases below
+	publisherCases := []struct {
+		pType       PublishType
+		asyncWindow int
+	}{
+		{Sync, -1},
+		{Async, 1000},
+		{Async, 4000},
+		{Async, 8000},
+	}
+
+	for _, bc := range benchmarksCases {
+		name := fmt.Sprintf(
+			"N=%d,R=%d,MsgSz=%db,Subjs=%d",
+			bc.clusterSize,
+			bc.replicas,
+			bc.messageSize,
+			bc.numSubjects,
+		)
+
+		b.Run(
+			name,
+			func(b *testing.B) {
+
+				for _, pc := range publisherCases {
+					name := fmt.Sprintf("%v", pc.pType)
+					if pc.pType == Async && pc.asyncWindow > 0 {
+						name = fmt.Sprintf("%s[W:%d]", name, pc.asyncWindow)
+					}
+
+					b.Run(
+						name,
+						func(b *testing.B) {
+							// Skip short runs, benchmark gets re-executed with a larger N
+							if b.N < bc.minMessages {
+								b.ResetTimer()
+								return
+							}
+
+							subjects := make([]string, bc.numSubjects)
+							for i := 0; i < bc.numSubjects; i++ {
+								subjects[i] = fmt.Sprintf("s-%d", i+1)
+							}
+
+							if verbose {
+								b.Logf("Running %s with %d ops", name, b.N)
+							}
+
+							if verbose {
+								b.Logf("Setting up %d nodes", bc.clusterSize)
+							}
+							var connectURL string
+
+							if bc.clusterSize == 1 {
+								s := RunBasicJetStreamServer(b)
+								defer s.Shutdown()
+								connectURL = s.ClientURL()
+							} else {
+								cl := createJetStreamClusterExplicit(b, "BENCH_PUB", bc.clusterSize)
+								defer cl.shutdown()
+								cl.waitOnClusterReadyWithNumPeers(bc.clusterSize)
+								cl.waitOnLeader()
+								connectURL = cl.randomServer().ClientURL()
+							}
+
+							nc, err := nats.Connect(connectURL)
+							if err != nil {
+								b.Fatalf("Failed to create client: %v", err)
+							}
+							defer nc.Close()
+
+							jsOpts := []nats.JSOpt{
+								nats.MaxWait(10 * time.Second),
+							}
+
+							if pc.asyncWindow > 0 && pc.pType == Async {
+								jsOpts = append(jsOpts, nats.PublishAsyncMaxPending(pc.asyncWindow))
+							}
+
+							js, err := nc.JetStream(jsOpts...)
+							if err != nil {
+								b.Fatalf("Unexpected error getting JetStream context: %v", err)
+							}
+
+							if verbose {
+								b.Logf("Creating stream with R=%d and %d input subjects", bc.replicas, bc.numSubjects)
+							}
+							streamConfig := &nats.StreamConfig{
+								Name:     "S",
+								Subjects: subjects,
+								Replicas: bc.replicas,
+							}
+							if _, err := js.AddStream(streamConfig); err != nil {
+								b.Fatalf("Error creating stream: %v", err)
+							}
+
+							if verbose {
+								b.Logf("Running %v publisher with message size: %dB", pc.pType, bc.messageSize)
+							}
+
+							// Benchmark starts here
+							b.ResetTimer()
+
+							var published, errors int
+							switch pc.pType {
+							case Sync:
+								published, errors = runSyncPublisher(b, js, bc.messageSize, subjects)
+							case Async:
+								published, errors = runAsyncPublisher(b, js, bc.messageSize, subjects, pc.asyncWindow)
+							}
+
+							// Benchmark ends here
+							b.StopTimer()
+
+							if published+errors != b.N {
+								b.Fatalf("Something doesn't add up: %d + %d != %d", published, errors, b.N)
+							}
+
+							b.ReportMetric(float64(errors)*100/float64(b.N), "%error")
+						},
+					)
+				}
+			},
+		)
+	}
+}
+
+func BenchmarkJetStreamInterestStreamWithLimit(b *testing.B) {
+
+	const (
+		verbose          = true
+		seed             = 12345
+		publishBatchSize = 100
+		messageSize      = 256
+		numSubjects      = 2500
+		subjectPrefix    = "S"
+		numPublishers    = 4
+		randomData       = true
+		warmupMessages   = 1
+	)
+
+	if verbose {
+		b.Logf(
+			"BatchSize: %d, MsgSize: %d, Subjects: %d, Publishers: %d, Random Message: %v",
+			publishBatchSize,
+			messageSize,
+			numSubjects,
+			numPublishers,
+			randomData,
+		)
+	}
+
+	// Benchmark parameters: sub-benchmarks are executed for every combination of the following 3 groups
+	// Unless a more restrictive filter is specified, e.g.:
+	// BenchmarkJetStreamInterestStreamWithLimit/.*R=3.*/Storage=Memory/unlimited
+
+	// Parameter: Number of nodes and number of stream replicas
+	clusterAndReplicasCases := []struct {
+		clusterSize int
+		replicas    int
+	}{
+		{1, 1}, // Single node, R=1
+		{3, 3}, // 3-nodes cluster, R=3
+	}
+
+	// Parameter: Stream storage type
+	storageTypeCases := []nats.StorageType{
+		nats.MemoryStorage,
+		nats.FileStorage,
+	}
+
+	// Parameter: Stream limit configuration
+	limitConfigCases := map[string]func(*nats.StreamConfig){
+		"unlimited": func(config *nats.StreamConfig) {
+		},
+		"MaxMsg=1000": func(config *nats.StreamConfig) {
+			config.MaxMsgs = 100
+		},
+		"MaxMsg=10": func(config *nats.StreamConfig) {
+			config.MaxMsgs = 10
+		},
+		"MaxPerSubject=10": func(config *nats.StreamConfig) {
+			config.MaxMsgsPerSubject = 10
+		},
+		"MaxAge=1s": func(config *nats.StreamConfig) {
+			config.MaxAge = 1 * time.Second
+		},
+		"MaxBytes=1MB": func(config *nats.StreamConfig) {
+			config.MaxBytes = 1024 * 1024
+		},
+	}
+
+	// Helper: Stand up in-process single node or cluster
+	setupCluster := func(b *testing.B, clusterSize int) (string, func()) {
+		var connectURL string
+		var shutdownFunc func()
+
+		if clusterSize == 1 {
+			s := RunBasicJetStreamServer(b)
+			shutdownFunc = s.Shutdown
+			connectURL = s.ClientURL()
+		} else {
+			cl := createJetStreamClusterExplicit(b, "BENCH_PUB", clusterSize)
+			shutdownFunc = cl.shutdown
+			cl.waitOnClusterReadyWithNumPeers(clusterSize)
+			cl.waitOnLeader()
+			connectURL = cl.randomServer().ClientURL()
+			//connectURL = cl.leader().ClientURL()
+		}
+
+		return connectURL, shutdownFunc
+	}
+
+	// Helper: Create the stream
+	setupStream := func(b *testing.B, connectURL string, streamConfig *nats.StreamConfig) {
+		// Connect
+		nc, err := nats.Connect(connectURL)
+		if err != nil {
+			b.Fatalf("Failed to create client: %v", err)
+		}
+		defer nc.Close()
+
+		jsOpts := []nats.JSOpt{}
+
+		js, err := nc.JetStream(jsOpts...)
+		if err != nil {
+			b.Fatalf("Unexpected error getting JetStream context: %v", err)
+		}
+
+		if _, err := js.AddStream(streamConfig); err != nil {
+			b.Fatalf("Error creating stream: %v", err)
+		}
+	}
+
+	// Context shared by publishers routines
+	type PublishersContext = struct {
+		readyWg      sync.WaitGroup
+		completedWg  sync.WaitGroup
+		messagesLeft int
+		lock         sync.Mutex
+		errors       int
+	}
+
+	// Helper: Publish synchronously as Goroutine
+	publish := func(publisherId int, ctx *PublishersContext, js nats.JetStreamContext) {
+		defer ctx.completedWg.Done()
+		errors := 0
+		messageBuf := make([]byte, messageSize)
+		rng := rand.New(rand.NewSource(int64(seed + publisherId)))
+
+		// Warm up: publish a few messages
+		for i := 0; i < warmupMessages; i++ {
+			subject := fmt.Sprintf("%s.%d", subjectPrefix, rng.Intn(numSubjects))
+			if randomData {
+				rng.Read(messageBuf)
+			}
+			_, err := js.Publish(subject, messageBuf)
+			if err != nil {
+				b.Logf("Warning: failed to publish warmup message: %s", err)
+			}
+		}
+
+		// Signal this publisher is ready
+		ctx.readyWg.Done()
+
+		for {
+			// Obtain a batch of messages to publish
+			batchSize := 0
+			{
+				ctx.lock.Lock()
+				if ctx.messagesLeft >= publishBatchSize {
+					batchSize = publishBatchSize
+				} else if ctx.messagesLeft < publishBatchSize {
+					batchSize = ctx.messagesLeft
+				}
+				ctx.messagesLeft -= batchSize
+				ctx.lock.Unlock()
+			}
+
+			// Nothing left to publish, terminate
+			if batchSize == 0 {
+				ctx.lock.Lock()
+				ctx.errors += errors
+				ctx.lock.Unlock()
+				return
+			}
+
+			// Publish a batch of messages
+			for i := 0; i < batchSize; i++ {
+				subject := fmt.Sprintf("%s.%d", subjectPrefix, rng.Intn(numSubjects))
+				if randomData {
+					rng.Read(messageBuf)
+				}
+				_, err := js.Publish(subject, messageBuf)
+				if err != nil {
+					errors += 1
+				}
+			}
+		}
+	}
+
+	// Benchmark matrix: (cluster and replicas) * (storage type) * (stream limit)
+	for _, benchmarkCase := range clusterAndReplicasCases {
+		b.Run(
+			fmt.Sprintf(
+				"N=%d,R=%d",
+				benchmarkCase.clusterSize,
+				benchmarkCase.replicas,
+			),
+			func(b *testing.B) {
+				for _, storageType := range storageTypeCases {
+					b.Run(
+						fmt.Sprintf("Storage=%v", storageType),
+						func(b *testing.B) {
+
+							for limitDescription, limitConfigFunc := range limitConfigCases {
+								b.Run(
+									limitDescription,
+									func(b *testing.B) {
+										// Stop timer during setup
+										b.StopTimer()
+										b.ResetTimer()
+
+										// Set per-iteration bytes to calculate throughput (a.k.a. speed)
+										b.SetBytes(messageSize)
+
+										// Print benchmark parameters
+										if verbose {
+											b.Logf(
+												"Stream: %+v, Storage: [%v] Limit: [%s], Ops: %d",
+												benchmarkCase,
+												storageType,
+												limitDescription,
+												b.N,
+											)
+										}
+
+										// Setup server or cluster
+										connectURL, shutdownFunc := setupCluster(b, benchmarkCase.clusterSize)
+										defer shutdownFunc()
+
+										// Common stream configuration
+										streamConfig := &nats.StreamConfig{
+											Name:      "S",
+											Subjects:  []string{fmt.Sprintf("%s.>", subjectPrefix)},
+											Replicas:  benchmarkCase.replicas,
+											Storage:   storageType,
+											Discard:   DiscardOld,
+											Retention: DiscardOld,
+										}
+										// Configure stream limit
+										limitConfigFunc(streamConfig)
+										// Create stream
+										setupStream(b, connectURL, streamConfig)
+
+										// Set up publishers shared context
+										var pubCtx PublishersContext
+										pubCtx.readyWg.Add(numPublishers)
+										pubCtx.completedWg.Add(numPublishers)
+
+										// Hold this lock until all publishers are ready
+										pubCtx.lock.Lock()
+										pubCtx.messagesLeft = b.N
+
+										// Spawn publishers routines, each with its own connection and JS context
+										for i := 0; i < numPublishers; i++ {
+											nc, err := nats.Connect(connectURL)
+											if err != nil {
+												b.Fatal(err)
+											}
+											defer nc.Close()
+											js, err := nc.JetStream()
+											if err != nil {
+												b.Fatal(err)
+											}
+											go publish(i, &pubCtx, js)
+										}
+
+										// Wait for all publishers to be ready
+										pubCtx.readyWg.Wait()
+
+										// Benchmark starts here
+										b.StartTimer()
+
+										// Unblock the publishers
+										pubCtx.lock.Unlock()
+
+										// Wait for all publishers to complete
+										pubCtx.completedWg.Wait()
+
+										// Benchmark ends here
+										b.StopTimer()
+
+										// Sanity check, publishers may have died before completing
+										if pubCtx.messagesLeft != 0 {
+											b.Fatalf("Some messages left: %d", pubCtx.messagesLeft)
+										}
+
+										b.ReportMetric(float64(pubCtx.errors)*100/float64(b.N), "%error")
+									},
+								)
+							}
+						},
+					)
+				}
+			},
+		)
+	}
+}
+
+func BenchmarkJetStreamKV(b *testing.B) {
+
+	const (
+		verbose      = false
+		kvNamePrefix = "B_"
+		keyPrefix    = "K_"
+		seed         = 12345
+		minOps       = 1_000
+	)
+
+	runKVGet := func(b *testing.B, kvs []nats.KeyValue, keys []string) int {
+		rng := rand.New(rand.NewSource(int64(seed)))
+		errors := 0
+
+		b.ResetTimer()
+
+		for i := 1; i <= b.N; i++ {
+			kv := kvs[rng.Intn(len(kvs))]
+			key := keys[rng.Intn(len(keys))]
+			kve, err := kv.Get(key)
+			if err != nil {
+				errors++
+				continue
+			}
+
+			b.SetBytes(int64(len(kve.Value())))
+
+			if verbose && i%1000 == 0 {
+				b.Logf("Completed %d/%d Get ops", i, b.N)
+			}
+		}
+
+		b.StopTimer()
+		return errors
+	}
+
+	runKVPut := func(b *testing.B, kvs []nats.KeyValue, keys []string, valueSize int) int {
+		rng := rand.New(rand.NewSource(int64(seed)))
+		value := make([]byte, valueSize)
+		errors := 0
+
+		b.ResetTimer()
+
+		for i := 1; i <= b.N; i++ {
+			kv := kvs[rng.Intn(len(kvs))]
+			key := keys[rng.Intn(len(keys))]
+			rng.Read(value)
+			_, err := kv.Put(key, value)
+			if err != nil {
+				errors++
+				continue
+			}
+
+			b.SetBytes(int64(valueSize))
+
+			if verbose && i%1000 == 0 {
+				b.Logf("Completed %d/%d Put ops", i, b.N)
+			}
+		}
+
+		b.StopTimer()
+		return errors
+	}
+
+	runKVUpdate := func(b *testing.B, kvs []nats.KeyValue, keys []string, valueSize int) int {
+		rng := rand.New(rand.NewSource(int64(seed)))
+		value := make([]byte, valueSize)
+		errors := 0
+
+		b.ResetTimer()
+
+		for i := 1; i <= b.N; i++ {
+			kv := kvs[rng.Intn(len(kvs))]
+			key := keys[rng.Intn(len(keys))]
+
+			kve, getErr := kv.Get(key)
+			if getErr != nil {
+				errors++
+				continue
+			}
+
+			rng.Read(value)
+			_, updateErr := kv.Update(key, value, kve.Revision())
+			if updateErr != nil {
+				errors++
+				continue
+			}
+
+			b.SetBytes(int64(valueSize))
+
+			if verbose && i%1000 == 0 {
+				b.Logf("Completed %d/%d Update ops", i, b.N)
+			}
+		}
+
+		b.StopTimer()
+		return errors
+	}
+
+	type WorkloadType string
+	const (
+		Get    WorkloadType = "GET"
+		Put    WorkloadType = "PUT"
+		Update WorkloadType = "CAS"
+	)
+
+	benchmarksCases := []struct {
+		clusterSize int
+		replicas    int
+		numBuckets  int
+		numKeys     int
+		valueSize   int
+	}{
+		{1, 1, 1, 100, 100},    // 1 node, 1 bucket with 100 keys, 100B values
+		{1, 1, 10, 1000, 100},  // 1 node, 10 buckets with 1000 keys, 100B values
+		{3, 3, 1, 100, 100},    // 3 nodes, 1 bucket with 100 keys, 100B values
+		{3, 3, 10, 1000, 100},  // 3 nodes, 10 buckets with 1000 keys, 100B values
+		{3, 3, 10, 1000, 1024}, // 3 nodes, 10 buckets with 1000 keys, 1KB values
+	}
+
+	workloadCases := []WorkloadType{
+		Get,
+		Put,
+		Update,
+	}
+
+	for _, bc := range benchmarksCases {
+
+		bName := fmt.Sprintf(
+			"N=%d,R=%d,B=%d,K=%d,ValSz=%db",
+			bc.clusterSize,
+			bc.replicas,
+			bc.numBuckets,
+			bc.numKeys,
+			bc.valueSize,
+		)
+
+		b.Run(
+			bName,
+			func(b *testing.B) {
+				for _, wc := range workloadCases {
+					wName := fmt.Sprintf("%v", wc)
+					b.Run(
+						wName,
+						func(b *testing.B) {
+							// Skip short runs, benchmark gets re-executed with a larger N
+							if b.N < minOps {
+								b.ResetTimer()
+								return
+							}
+
+							if verbose {
+								b.Logf("Running %s workload %s with %d messages", wName, bName, b.N)
+							}
+
+							if verbose {
+								b.Logf("Setting up %d nodes", bc.clusterSize)
+							}
+							var connectURL string
+							if bc.clusterSize == 1 {
+								s := RunBasicJetStreamServer(b)
+								defer s.Shutdown()
+								connectURL = s.ClientURL()
+							} else {
+								cl := createJetStreamClusterExplicit(b, "BENCH_KV", bc.clusterSize)
+								defer cl.shutdown()
+								cl.waitOnClusterReadyWithNumPeers(bc.clusterSize)
+								cl.waitOnLeader()
+								connectURL = cl.randomServer().ClientURL()
+							}
+
+							nc, js := jsClientConnectURL(b, connectURL)
+							defer nc.Close()
+
+							// Pre-generate all keys
+							keys := make([]string, 0, bc.numKeys)
+							for i := 1; i <= bc.numKeys; i++ {
+								key := fmt.Sprintf("%s%d", keyPrefix, i)
+								keys = append(keys, key)
+							}
+
+							// Initialize all KVs
+							kvs := make([]nats.KeyValue, 0, bc.numBuckets)
+							for i := 1; i <= bc.numBuckets; i++ {
+								// Create bucket
+								kvName := fmt.Sprintf("%s%d", kvNamePrefix, i)
+								if verbose {
+									b.Logf("Creating KV %s with R=%d", kvName, bc.replicas)
+								}
+								kvConfig := &nats.KeyValueConfig{
+									Bucket:   kvName,
+									Replicas: bc.replicas,
+								}
+								kv, err := js.CreateKeyValue(kvConfig)
+								if err != nil {
+									b.Fatalf("Error creating KV: %v", err)
+								}
+								kvs = append(kvs, kv)
+
+								// Initialize all keys
+								rng := rand.New(rand.NewSource(int64(seed * i)))
+								value := make([]byte, bc.valueSize)
+								for _, key := range keys {
+									rng.Read(value)
+									_, err := kv.Create(key, value)
+									if err != nil {
+										b.Fatalf("Failed to initialize %s/%s: %v", kvName, key, err)
+									}
+								}
+							}
+
+							// Discard time spent during setup
+							// May reset again further in
+							b.ResetTimer()
+
+							var errors int
+
+							switch wc {
+							case Get:
+								errors = runKVGet(b, kvs, keys)
+							case Put:
+								errors = runKVPut(b, kvs, keys, bc.valueSize)
+							case Update:
+								errors = runKVUpdate(b, kvs, keys, bc.valueSize)
+							default:
+								b.Fatalf("Unknown workload type: %v", wc)
+							}
+
+							// Benchmark ends here, (may have stopped earlier)
+							b.StopTimer()
+
+							b.ReportMetric(float64(errors)*100/float64(b.N), "%error")
+						},
+					)
+				}
+			},
+		)
+	}
+}
+
+func BenchmarkJetStreamObjStore(b *testing.B) {
+	const (
+		verbose      = false
+		objStoreName = "B"
+		keyPrefix    = "K_"
+		seed         = 12345
+		initKeys     = true
+
+		// read/write ratios
+		ReadOnly  = 1.0
+		WriteOnly = 0.0
+	)
+
+	// rwRatio to string
+	rwRatioToString := func(rwRatio float64) string {
+		switch rwRatio {
+		case ReadOnly:
+			return "readOnly"
+		case WriteOnly:
+			return "writeOnly"
+		default:
+			return fmt.Sprintf("%0.1f", rwRatio)
+		}
+	}
+
+	// benchmark for object store by performing read/write operations with data of random size
+	RunObjStoreBenchmark := func(b *testing.B, objStore nats.ObjectStore, minObjSz int, maxObjSz int, numKeys int, rwRatio float64) (int, int, int) {
+		var (
+			errors int
+			reads  int
+			writes int
+		)
+
+		rng := rand.New(rand.NewSource(int64(seed)))
+
+		// Each operation is processing a random amount of bytes within a size range which
+		// will be either read from or written to an object store bucket. However, here we are
+		// approximating the size of the processed data with a simple average of the range.
+		b.SetBytes(int64((minObjSz + maxObjSz) / 2))
+
+		for i := 1; i <= b.N; i++ {
+			key := fmt.Sprintf("%s_%d", keyPrefix, rng.Intn(numKeys))
+			var err error
+
+			rwOp := rng.Float64()
+			switch {
+			case rwOp <= rwRatio:
+				// Read Op
+				_, err = objStore.GetBytes(key)
+				reads++
+			case rwOp > rwRatio:
+				// Write Op
+				// dataSz is a random value between min-max object size and cannot be less than 1 byte
+				dataSz := rng.Intn(maxObjSz-minObjSz+1) + minObjSz
+				data := make([]byte, dataSz)
+				rng.Read(data)
+				_, err = objStore.PutBytes(key, data)
+				writes++
+			}
+			if err != nil {
+				errors++
+			}
+
+			if verbose && i%1000 == 0 {
+				b.Logf("Completed: %d reads, %d writes, %d errors. %d/%d total operations have been completed.", reads, writes, errors, i, b.N)
+			}
+		}
+		return errors, reads, writes
+	}
+
+	// benchmark cases table
+	benchmarkCases := []struct {
+		storage  nats.StorageType
+		numKeys  int
+		minObjSz int
+		maxObjSz int
+	}{
+		// TODO remove duplicates and fix comments
+		{nats.MemoryStorage, 100, 1024, 102400},     // mem storage, 100 objects sized (1KB-100KB)
+		{nats.MemoryStorage, 100, 102400, 1048576},  // mem storage, 100 objects sized (100KB-1MB)
+		{nats.MemoryStorage, 1000, 10240, 102400},   // mem storage, 1k objects of various size (10KB - 100KB)
+		{nats.FileStorage, 100, 1024, 102400},       // file storage, 100 objects sized (1KB-100KB)
+		{nats.FileStorage, 1000, 10240, 1048576},    // file storage, 1k objects of various size (10KB - 1MB)
+		{nats.FileStorage, 100, 102400, 1048576},    // file storage, 100 objects sized (100KB-1MB)
+		{nats.FileStorage, 100, 1048576, 10485760},  // file storage, 100 objects sized (1MB-10MB)
+		{nats.FileStorage, 10, 10485760, 104857600}, // file storage, 10 objects sized (10MB-100MB)
+
+	}
+
+	var (
+		clusterSizeCases = []int{1, 3}
+		rwRatioCases     = []float64{ReadOnly, WriteOnly, 0.8}
+	)
+
+	// Test with either single node or 3 node cluster
+	for _, clusterSize := range clusterSizeCases {
+		replicas := clusterSize
+		cName := fmt.Sprintf("N=%d,R=%d", clusterSize, replicas)
+		b.Run(
+			cName,
+			func(b *testing.B) {
+				for _, rwRatio := range rwRatioCases {
+					rName := fmt.Sprintf("workload=%s", rwRatioToString(rwRatio))
+					b.Run(
+						rName,
+						func(b *testing.B) {
+							// Test all tabled benchmark cases
+							for _, bc := range benchmarkCases {
+								bName := fmt.Sprintf("K=%d,storage=%s,minObjSz=%db,maxObjSz=%db", bc.numKeys, bc.storage, bc.minObjSz, bc.maxObjSz)
+								b.Run(
+									bName,
+									func(b *testing.B) {
+
+										// Test setup
+										rng := rand.New(rand.NewSource(int64(seed)))
+
+										if verbose {
+											b.Logf("Setting up %d nodes", replicas)
+										}
+										var (
+											connectURL string
+											cl         *cluster
+										)
+										if clusterSize == 1 {
+											s := RunBasicJetStreamServer(b)
+											defer s.Shutdown()
+											connectURL = s.ClientURL()
+										} else {
+											cl = createJetStreamClusterExplicit(b, "BENCH_OBJ_STORE", clusterSize)
+											defer cl.shutdown()
+											cl.waitOnClusterReadyWithNumPeers(replicas)
+											cl.waitOnLeader()
+											// connect to leader and not replicas
+											connectURL = cl.leader().ClientURL()
+										}
+										nc, js := jsClientConnectURL(b, connectURL)
+										defer nc.Close()
+
+										// Initialize object store
+										if verbose {
+											b.Logf("Creating ObjectStore %s with R=%d", objStoreName, replicas)
+										}
+										objStoreConfig := &nats.ObjectStoreConfig{
+											Bucket:   objStoreName,
+											Replicas: replicas,
+											Storage:  bc.storage,
+										}
+										objStore, err := js.CreateObjectStore(objStoreConfig)
+										if err != nil {
+											b.Fatalf("Error creating ObjectStore: %v", err)
+										}
+
+										// if cluster_size > 1, connect to stream leader
+										if cl != nil {
+											nc.Close()
+											connectURL = cl.streamLeader("$G", fmt.Sprintf("OBJ_%s", objStoreName)).ClientURL()
+											nc, js := jsClientConnectURL(b, connectURL)
+											defer nc.Close()
+											objStore, err = js.ObjectStore(objStoreName)
+											if err != nil {
+												b.Fatalf("Error binding to ObjectStore: %v", err)
+											}
+										}
+
+										// Initialize keys
+										if initKeys {
+											for n := 0; n < bc.numKeys; n++ {
+												key := fmt.Sprintf("%s_%d", keyPrefix, n)
+												dataSz := rng.Intn(bc.maxObjSz-bc.minObjSz+1) + bc.minObjSz
+												value := make([]byte, dataSz)
+												rng.Read(value)
+												_, err := objStore.PutBytes(key, value)
+												if err != nil {
+													b.Fatalf("Failed to initialize %s/%s: %v", objStoreName, key, err)
+												}
+											}
+										}
+
+										b.ResetTimer()
+
+										// Run benchmark
+										errors, reads, writes := RunObjStoreBenchmark(b, objStore, bc.minObjSz, bc.maxObjSz, bc.numKeys, rwRatio)
+
+										// Report metrics
+										b.ReportMetric(float64(errors)*100/float64(b.N), "%error")
+										b.ReportMetric(float64(reads), "reads")
+										b.ReportMetric(float64(writes), "writes")
+
+									},
+								)
+							}
+						},
+					)
+
+				}
+			},
+		)
+	}
+}
diff --git a/server/jetstream_chaos_cluster_test.go b/server/jetstream_chaos_cluster_test.go
deleted file mode 100644
index 6d409d290..000000000
--- a/server/jetstream_chaos_cluster_test.go
+++ /dev/null
@@ -1,76 +0,0 @@
-// Copyright 2022 The NATS Authors
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//go:build js_chaos_tests
-// +build js_chaos_tests
-
-package server
-
-import (
-	"testing"
-	"time"
-)
-
-// Bounces the entire set of nodes, then brings them back up.
-// Fail if some nodes don't come back online.
-func TestJetStreamChaosClusterBounce(t *testing.T) {
-
-	const duration = 60 * time.Second
-	const clusterSize = 3
-
-	c := createJetStreamClusterExplicit(t, "R3", clusterSize)
-	defer c.shutdown()
-
-	chaos := createClusterChaosMonkeyController(
-		t,
-		c,
-		&clusterBouncerChaosMonkey{
-			minDowntime:    0 * time.Second,
-			maxDowntime:    2 * time.Second,
-			minDownServers: clusterSize,
-			maxDownServers: clusterSize,
-			pause:          3 * time.Second,
-		},
-	)
-	chaos.start()
-	defer chaos.stop()
-
-	<-time.After(duration)
-}
-
-// Bounces a subset of the nodes, then brings them back up.
-// Fails if some nodes don't come back online.
-func TestJetStreamChaosClusterBounceSubset(t *testing.T) {
-
-	const duration = 60 * time.Second
-	const clusterSize = 3
-
-	c := createJetStreamClusterExplicit(t, "R3", clusterSize)
-	defer c.shutdown()
-
-	chaos := createClusterChaosMonkeyController(
-		t,
-		c,
-		&clusterBouncerChaosMonkey{
-			minDowntime:    0 * time.Second,
-			maxDowntime:    2 * time.Second,
-			minDownServers: 1,
-			maxDownServers: clusterSize,
-			pause:          3 * time.Second,
-		},
-	)
-	chaos.start()
-	defer chaos.stop()
-
-	<-time.After(duration)
-}
diff --git a/server/jetstream_chaos_consumer_test.go b/server/jetstream_chaos_consumer_test.go
deleted file mode 100644
index bd21104bd..000000000
--- a/server/jetstream_chaos_consumer_test.go
+++ /dev/null
@@ -1,615 +0,0 @@
-// Copyright 2022 The NATS Authors
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//go:build js_chaos_tests
-// +build js_chaos_tests
-
-package server
-
-import (
-	"bytes"
-	"fmt"
-	"strings"
-	"sync"
-	"testing"
-	"time"
-
-	"github.com/nats-io/nats.go"
-)
-
-const (
-	chaosConsumerTestsClusterName = "CONSUMERS_CHAOS_TEST"
-	chaosConsumerTestsStreamName  = "CONSUMER_CHAOS_TEST_STREAM"
-	chaosConsumerTestsSubject     = "foo"
-	chaosConsumerTestsDebug       = false
-)
-
-// Creates stream and fills it with the given number of messages.
-// Each message is the string representation of the stream sequence number,
-// e.g. the first message (seqno: 1) contains data "1".
-// This allows consumers to verify the content of each message without tracking additional state
-func createStreamForConsumerChaosTest(t *testing.T, c *cluster, replicas, numMessages int) {
-	t.Helper()
-
-	const publishBatchSize = 1_000
-
-	pubNc, pubJs := jsClientConnectCluster(t, c)
-	defer pubNc.Close()
-
-	_, err := pubJs.AddStream(&nats.StreamConfig{
-		Name:     chaosConsumerTestsStreamName,
-		Subjects: []string{chaosConsumerTestsSubject},
-		Replicas: replicas,
-	})
-	if err != nil {
-		t.Fatalf("Error creating stream: %v", err)
-	}
-
-	ackFutures := make([]nats.PubAckFuture, 0, publishBatchSize)
-
-	for i := 1; i <= numMessages; i++ {
-		message := []byte(fmt.Sprintf("%d", i))
-		pubAckFuture, err := pubJs.PublishAsync(chaosConsumerTestsSubject, message, nats.ExpectLastSequence(uint64(i-1)))
-		if err != nil {
-			t.Fatalf("Publish error: %s", err)
-		}
-		ackFutures = append(ackFutures, pubAckFuture)
-
-		if (i > 0 && i%publishBatchSize == 0) || i == numMessages {
-			select {
-			case <-pubJs.PublishAsyncComplete():
-				for _, pubAckFuture := range ackFutures {
-					select {
-					case <-pubAckFuture.Ok():
-						// Noop
-					case pubAckErr := <-pubAckFuture.Err():
-						t.Fatalf("Error publishing: %s", pubAckErr)
-					case <-time.After(30 * time.Second):
-						t.Fatalf("Timeout verifying pubAck for message: %s", pubAckFuture.Msg().Data)
-					}
-				}
-				ackFutures = make([]nats.PubAckFuture, 0, publishBatchSize)
-				t.Logf("Published %d/%d messages", i, numMessages)
-
-			case <-time.After(30 * time.Second):
-				t.Fatalf("Publish timed out")
-			}
-		}
-	}
-}
-
-// Verify ordered delivery despite cluster-wide outages
-func TestJetStreamChaosConsumerOrdered(t *testing.T) {
-
-	const numMessages = 30_000
-	const maxRetries = 100
-	const retryDelay = 500 * time.Millisecond
-	const fetchTimeout = 250 * time.Millisecond
-	const clusterSize = 3
-	const replicas = 3
-
-	c := createJetStreamClusterExplicit(t, chaosConsumerTestsClusterName, clusterSize)
-	defer c.shutdown()
-
-	createStreamForConsumerChaosTest(t, c, replicas, numMessages)
-
-	chaos := createClusterChaosMonkeyController(
-		t,
-		c,
-		&clusterBouncerChaosMonkey{
-			minDowntime:    0 * time.Second,
-			maxDowntime:    2 * time.Second,
-			minDownServers: clusterSize, // Whole cluster outage
-			maxDownServers: clusterSize,
-			pause:          1 * time.Second,
-		},
-	)
-
-	subNc, subJs := jsClientConnectCluster(t, c)
-	defer subNc.Close()
-
-	sub, err := subJs.SubscribeSync(
-		chaosConsumerTestsSubject,
-		nats.OrderedConsumer(),
-	)
-	if err != nil {
-		t.Fatalf("Unexpected error: %v", err)
-	}
-	defer sub.Unsubscribe()
-
-	if chaosConsumerTestsDebug {
-		t.Logf("Initial subscription: %s", toIndentedJsonString(sub))
-	}
-
-	chaos.start()
-	defer chaos.stop()
-
-	for i := 1; i <= numMessages; i++ {
-		var msg *nats.Msg
-		var nextMsgErr error
-		var expectedMsgData = []byte(fmt.Sprintf("%d", i))
-
-	nextMsgRetryLoop:
-		for r := 0; r <= maxRetries; r++ {
-			msg, nextMsgErr = sub.NextMsg(fetchTimeout)
-			if nextMsgErr == nil {
-				break nextMsgRetryLoop
-			} else if r == maxRetries {
-				t.Fatalf("Exceeded max retries for NextMsg")
-			} else if nextMsgErr == nats.ErrBadSubscription {
-				t.Fatalf("Subscription is invalid: %s", toIndentedJsonString(sub))
-			} else {
-				time.Sleep(retryDelay)
-			}
-		}
-
-		metadata, err := msg.Metadata()
-		if err != nil {
-			t.Fatalf("Failed to get message metadata: %v", err)
-		}
-
-		if metadata.Sequence.Stream != uint64(i) {
-			t.Fatalf("Expecting stream sequence %d, got %d instead", i, metadata.Sequence.Stream)
-		}
-
-		if !bytes.Equal(msg.Data, expectedMsgData) {
-			t.Fatalf("Expecting message %s, got %s instead", expectedMsgData, msg.Data)
-		}
-
-		// Simulate application processing (and gives the monkey some time to brew chaos)
-		time.Sleep(10 * time.Millisecond)
-
-		if i%1000 == 0 {
-			t.Logf("Consumed %d/%d", i, numMessages)
-		}
-	}
-}
-
-// Verify ordered delivery despite cluster-wide outages
-func TestJetStreamChaosConsumerAsync(t *testing.T) {
-
-	const numMessages = 30_000
-	const timeout = 30 * time.Second // No (new) messages for 30s => terminate
-	const maxRetries = 25
-	const retryDelay = 500 * time.Millisecond
-	const clusterSize = 3
-	const replicas = 3
-
-	c := createJetStreamClusterExplicit(t, chaosConsumerTestsClusterName, clusterSize)
-	defer c.shutdown()
-
-	createStreamForConsumerChaosTest(t, c, replicas, numMessages)
-
-	chaos := createClusterChaosMonkeyController(
-		t,
-		c,
-		&clusterBouncerChaosMonkey{
-			minDowntime:    0 * time.Second,
-			maxDowntime:    2 * time.Second,
-			minDownServers: clusterSize,
-			maxDownServers: clusterSize,
-			pause:          2 * time.Second,
-		},
-	)
-
-	subNc, subJs := jsClientConnectCluster(t, c)
-	defer subNc.Close()
-
-	timeoutTimer := time.NewTimer(timeout)
-	deliveryCount := uint64(0)
-	received := NewBitset(numMessages)
-
-	handleMsg := func(msg *nats.Msg) {
-		deliveryCount += 1
-
-		metadata, err := msg.Metadata()
-		if err != nil {
-			t.Fatalf("Failed to get message metadata: %v", err)
-		}
-		seq := metadata.Sequence.Stream
-
-		var expectedMsgData = []byte(fmt.Sprintf("%d", seq))
-		if !bytes.Equal(msg.Data, expectedMsgData) {
-			t.Fatalf("Expecting message content '%s', got '%s' instead", expectedMsgData, msg.Data)
-		}
-
-		isDupe := received.get(seq - 1)
-
-		if isDupe {
-			if chaosConsumerTestsDebug {
-				t.Logf("Duplicate message delivery, seq: %d", seq)
-			}
-			return
-		}
-
-		// Mark this sequence as received
-		received.set(seq-1, true)
-		if received.count() < numMessages {
-			// Reset timeout
-			timeoutTimer.Reset(timeout)
-		} else {
-			// All received, speed up the shutdown
-			timeoutTimer.Reset(1 * time.Second)
-		}
-
-		if received.count()%1000 == 0 {
-			t.Logf("Consumed %d/%d", received.count(), numMessages)
-		}
-
-		// Simulate application processing (and gives the monkey some time to brew chaos)
-		time.Sleep(10 * time.Millisecond)
-
-	ackRetryLoop:
-		for i := 0; i <= maxRetries; i++ {
-			ackErr := msg.Ack()
-			if ackErr == nil {
-				break ackRetryLoop
-			} else if i == maxRetries {
-				t.Fatalf("Failed to ACK message %d (retried %d times)", seq, maxRetries)
-			} else {
-				time.Sleep(retryDelay)
-			}
-		}
-	}
-
-	subOpts := []nats.SubOpt{}
-	sub, err := subJs.Subscribe(chaosConsumerTestsSubject, handleMsg, subOpts...)
-	if err != nil {
-		t.Fatalf("Unexpected error: %v", err)
-	}
-	defer sub.Unsubscribe()
-
-	chaos.start()
-	defer chaos.stop()
-
-	// Wait for long enough silence.
-	// Either a stall, or all messages received
-	<-timeoutTimer.C
-
-	// Shut down consumer
-	sub.Unsubscribe()
-
-	uniqueDeliveredCount := received.count()
-
-	t.Logf(
-		"Delivered %d/%d messages %d duplicate deliveries",
-		uniqueDeliveredCount,
-		numMessages,
-		deliveryCount-uniqueDeliveredCount,
-	)
-
-	if uniqueDeliveredCount != numMessages {
-		t.Fatalf("No new message delivered in the last %s, %d/%d messages never delivered", timeout, numMessages-uniqueDeliveredCount, numMessages)
-	}
-}
-
-// Verify durable consumer retains state despite cluster-wide outages
-// The consumer connection is also periodically closed, and the consumer 'resumes' on a different one
-func TestJetStreamChaosConsumerDurable(t *testing.T) {
-
-	const numMessages = 30_000
-	const timeout = 30 * time.Second // No (new) messages for 60s => terminate
-	const clusterSize = 3
-	const replicas = 3
-	const maxRetries = 25
-	const retryDelay = 500 * time.Millisecond
-	const durableConsumerName = "durable"
-
-	c := createJetStreamClusterExplicit(t, chaosConsumerTestsClusterName, clusterSize)
-	defer c.shutdown()
-
-	createStreamForConsumerChaosTest(t, c, replicas, numMessages)
-
-	chaos := createClusterChaosMonkeyController(
-		t,
-		c,
-		&clusterBouncerChaosMonkey{
-			minDowntime:    0 * time.Second,
-			maxDowntime:    2 * time.Second,
-			minDownServers: 1,
-			maxDownServers: clusterSize,
-			pause:          3 * time.Second,
-		},
-	)
-
-	var nc *nats.Conn
-	var sub *nats.Subscription
-	var subLock sync.Mutex
-
-	var handleMsgFun func(msg *nats.Msg)
-	var natsURL string
-
-	{
-		var sb strings.Builder
-		for _, s := range c.servers {
-			sb.WriteString(s.ClientURL())
-			sb.WriteString(",")
-		}
-		natsURL = sb.String()
-	}
-
-	resetDurableConsumer := func() {
-		subLock.Lock()
-		defer subLock.Unlock()
-
-		if nc != nil {
-			nc.Close()
-		}
-
-		var newNc *nats.Conn
-	connectRetryLoop:
-		for r := 0; r <= maxRetries; r++ {
-			var connErr error
-			newNc, connErr = nats.Connect(natsURL)
-			if connErr == nil {
-				break connectRetryLoop
-			} else if r == maxRetries {
-				t.Fatalf("Failed to connect, exceeded max retries, last error: %s", connErr)
-			} else {
-				time.Sleep(retryDelay)
-			}
-		}
-
-		var newJs nats.JetStreamContext
-	jsRetryLoop:
-		for r := 0; r <= maxRetries; r++ {
-			var jsErr error
-			newJs, jsErr = newNc.JetStream(nats.MaxWait(10 * time.Second))
-			if jsErr == nil {
-				break jsRetryLoop
-			} else if r == maxRetries {
-				t.Fatalf("Failed to get JS, exceeded max retries, last error: %s", jsErr)
-			} else {
-				time.Sleep(retryDelay)
-			}
-		}
-
-		subOpts := []nats.SubOpt{
-			nats.Durable(durableConsumerName),
-		}
-
-		var newSub *nats.Subscription
-	subscribeRetryLoop:
-		for i := 0; i <= maxRetries; i++ {
-			var subErr error
-			newSub, subErr = newJs.Subscribe(chaosConsumerTestsSubject, handleMsgFun, subOpts...)
-			if subErr == nil {
-				ci, err := newJs.ConsumerInfo(chaosConsumerTestsStreamName, durableConsumerName)
-				if err == nil {
-					if chaosConsumerTestsDebug {
-						t.Logf("Consumer info:\n %s", toIndentedJsonString(ci))
-					}
-				} else {
-					t.Logf("Failed to retrieve consumer info: %s", err)
-				}
-
-				break subscribeRetryLoop
-			} else if i == maxRetries {
-				t.Fatalf("Exceeded max retries creating subscription: %v", subErr)
-			} else {
-				time.Sleep(retryDelay)
-			}
-		}
-
-		nc, sub = newNc, newSub
-	}
-
-	timeoutTimer := time.NewTimer(timeout)
-	deliveryCount := uint64(0)
-	received := NewBitset(numMessages)
-
-	handleMsgFun = func(msg *nats.Msg) {
-
-		subLock.Lock()
-		if msg.Sub != sub {
-			// Message from a previous instance of durable consumer, drop
-			defer subLock.Unlock()
-			return
-		}
-		subLock.Unlock()
-
-		deliveryCount += 1
-
-		metadata, err := msg.Metadata()
-		if err != nil {
-			t.Fatalf("Failed to get message metadata: %v", err)
-		}
-		seq := metadata.Sequence.Stream
-
-		var expectedMsgData = []byte(fmt.Sprintf("%d", seq))
-		if !bytes.Equal(msg.Data, expectedMsgData) {
-			t.Fatalf("Expecting message content '%s', got '%s' instead", expectedMsgData, msg.Data)
-		}
-
-		isDupe := received.get(seq - 1)
-
-		if isDupe {
-			if chaosConsumerTestsDebug {
-				t.Logf("Duplicate message delivery, seq: %d", seq)
-			}
-			return
-		}
-
-		// Mark this sequence as received
-		received.set(seq-1, true)
-		if received.count() < numMessages {
-			// Reset timeout
-			timeoutTimer.Reset(timeout)
-		} else {
-			// All received, speed up the shutdown
-			timeoutTimer.Reset(1 * time.Second)
-		}
-
-		// Simulate application processing (and gives the monkey some time to brew chaos)
-		time.Sleep(10 * time.Millisecond)
-
-	ackRetryLoop:
-		for i := 0; i <= maxRetries; i++ {
-			ackErr := msg.Ack()
-			if ackErr == nil {
-				break ackRetryLoop
-			} else if i == maxRetries {
-				t.Fatalf("Failed to ACK message %d (retried %d times)", seq, maxRetries)
-			} else {
-				time.Sleep(retryDelay)
-			}
-		}
-
-		if received.count()%1000 == 0 {
-			t.Logf("Consumed %d/%d, duplicate deliveries: %d", received.count(), numMessages, deliveryCount-received.count())
-			// Close connection and resume consuming on a different one
-			resetDurableConsumer()
-		}
-	}
-
-	resetDurableConsumer()
-
-	chaos.start()
-	defer chaos.stop()
-
-	// Wait for long enough silence.
-	// Either a stall, or all messages received
-	<-timeoutTimer.C
-
-	// Shut down consumer
-	if sub != nil {
-		sub.Unsubscribe()
-	}
-
-	uniqueDeliveredCount := received.count()
-
-	t.Logf(
-		"Delivered %d/%d messages %d duplicate deliveries",
-		uniqueDeliveredCount,
-		numMessages,
-		deliveryCount-uniqueDeliveredCount,
-	)
-
-	if uniqueDeliveredCount != numMessages {
-		t.Fatalf("No new message delivered in the last %s, %d/%d messages never delivered", timeout, numMessages-uniqueDeliveredCount, numMessages)
-	}
-}
-
-func TestJetStreamChaosConsumerPull(t *testing.T) {
-
-	const numMessages = 10_000
-	const maxRetries = 100
-	const retryDelay = 500 * time.Millisecond
-	const fetchTimeout = 250 * time.Millisecond
-	const fetchBatchSize = 100
-	const clusterSize = 3
-	const replicas = 3
-	const durableConsumerName = "durable"
-
-	c := createJetStreamClusterExplicit(t, chaosConsumerTestsClusterName, clusterSize)
-	defer c.shutdown()
-
-	createStreamForConsumerChaosTest(t, c, replicas, numMessages)
-
-	chaos := createClusterChaosMonkeyController(
-		t,
-		c,
-		&clusterBouncerChaosMonkey{
-			minDowntime:    0 * time.Second,
-			maxDowntime:    2 * time.Second,
-			minDownServers: clusterSize, // Whole cluster outage
-			maxDownServers: clusterSize,
-			pause:          1 * time.Second,
-		},
-	)
-
-	subNc, subJs := jsClientConnectCluster(t, c)
-	defer subNc.Close()
-
-	sub, err := subJs.PullSubscribe(
-		chaosConsumerTestsSubject,
-		durableConsumerName,
-	)
-	if err != nil {
-		t.Fatalf("Unexpected error: %v", err)
-	}
-	defer sub.Unsubscribe()
-
-	if chaosConsumerTestsDebug {
-		t.Logf("Initial subscription: %s", toIndentedJsonString(sub))
-	}
-
-	chaos.start()
-	defer chaos.stop()
-
-	fetchMaxWait := nats.MaxWait(fetchTimeout)
-	received := NewBitset(numMessages)
-	deliveredCount := uint64(0)
-
-	for received.count() < numMessages {
-
-		var msgs []*nats.Msg
-		var fetchErr error
-
-	fetchRetryLoop:
-		for r := 0; r <= maxRetries; r++ {
-			msgs, fetchErr = sub.Fetch(fetchBatchSize, fetchMaxWait)
-			if fetchErr == nil {
-				break fetchRetryLoop
-			} else if r == maxRetries {
-				t.Fatalf("Exceeded max retries for Fetch, last error: %s", fetchErr)
-			} else if fetchErr == nats.ErrBadSubscription {
-				t.Fatalf("Subscription is invalid: %s", toIndentedJsonString(sub))
-			} else {
-				// t.Logf("Fetch error: %v", fetchErr)
-				time.Sleep(retryDelay)
-			}
-		}
-
-		for _, msg := range msgs {
-
-			deliveredCount += 1
-
-			metadata, err := msg.Metadata()
-			if err != nil {
-				t.Fatalf("Failed to get message metadata: %v", err)
-			}
-
-			streamSeq := metadata.Sequence.Stream
-
-			expectedMsgData := []byte(fmt.Sprintf("%d", streamSeq))
-
-			if !bytes.Equal(msg.Data, expectedMsgData) {
-				t.Fatalf("Expecting message %s, got %s instead", expectedMsgData, msg.Data)
-			}
-
-			isDupe := received.get(streamSeq - 1)
-
-			received.set(streamSeq-1, true)
-
-			// Simulate application processing (and gives the monkey some time to brew chaos)
-			time.Sleep(10 * time.Millisecond)
-
-		ackRetryLoop:
-			for r := 0; r <= maxRetries; r++ {
-				ackErr := msg.Ack()
-				if ackErr == nil {
-					break ackRetryLoop
-				} else if r == maxRetries {
-					t.Fatalf("Failed to ACK message %d, last error: %s", streamSeq, ackErr)
-				} else {
-					time.Sleep(retryDelay)
-				}
-			}
-
-			if !isDupe && received.count()%1000 == 0 {
-				t.Logf("Consumed %d/%d (duplicates: %d)", received.count(), numMessages, deliveredCount-received.count())
-			}
-		}
-	}
-}
diff --git a/server/jetstream_chaos_helpers_test.go b/server/jetstream_chaos_helpers_test.go
deleted file mode 100644
index 5b3f9001c..000000000
--- a/server/jetstream_chaos_helpers_test.go
+++ /dev/null
@@ -1,177 +0,0 @@
-// Copyright 2022 The NATS Authors
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//go:build js_chaos_tests
-// +build js_chaos_tests
-
-package server
-
-import (
-	"fmt"
-	"math/rand"
-	"sync"
-	"testing"
-	"time"
-)
-
-// Additional cluster helpers
-
-func (c *cluster) waitOnClusterHealthz() {
-	c.t.Helper()
-	for _, cs := range c.servers {
-		c.waitOnServerHealthz(cs)
-	}
-}
-
-func (c *cluster) stopSubset(toStop []*Server) {
-	c.t.Helper()
-	for _, s := range toStop {
-		s.Shutdown()
-	}
-}
-
-func (c *cluster) selectRandomServers(numServers int) []*Server {
-	c.t.Helper()
-	if numServers > len(c.servers) {
-		panic(fmt.Sprintf("Can't select %d servers in a cluster of %d", numServers, len(c.servers)))
-	}
-	var selectedServers []*Server
-	selectedServers = append(selectedServers, c.servers...)
-	rand.Shuffle(len(selectedServers), func(x, y int) {
-		selectedServers[x], selectedServers[y] = selectedServers[y], selectedServers[x]
-	})
-	return selectedServers[0:numServers]
-}
-
-// Support functions for "chaos" testing (random injected failures)
-
-type ChaosMonkeyController interface {
-	// Launch the monkey as background routine and return
-	start()
-	// Stop a monkey that was previously started
-	stop()
-	// Run the monkey synchronously, until it is manually stopped via stopCh
-	run()
-}
-
-type ClusterChaosMonkey interface {
-	// Set defaults and validates the monkey parameters
-	validate(t *testing.T, c *cluster)
-	// Run the monkey synchronously, until it is manually stopped via stopCh
-	run(t *testing.T, c *cluster, stopCh <-chan bool)
-}
-
-// Chaos Monkey Controller that acts on a cluster
-type clusterChaosMonkeyController struct {
-	t       *testing.T
-	cluster *cluster
-	wg      sync.WaitGroup
-	stopCh  chan bool
-	ccm     ClusterChaosMonkey
-}
-
-func createClusterChaosMonkeyController(t *testing.T, c *cluster, ccm ClusterChaosMonkey) ChaosMonkeyController {
-	ccm.validate(t, c)
-	return &clusterChaosMonkeyController{
-		t:       t,
-		cluster: c,
-		stopCh:  make(chan bool, 3),
-		ccm:     ccm,
-	}
-}
-
-func (m *clusterChaosMonkeyController) start() {
-	m.t.Logf("🐵 Starting monkey")
-	m.wg.Add(1)
-	go func() {
-		defer m.wg.Done()
-		m.run()
-	}()
-}
-
-func (m *clusterChaosMonkeyController) stop() {
-	m.t.Logf("🐵 Stopping monkey")
-	m.stopCh <- true
-	m.wg.Wait()
-	m.t.Logf("🐵 Monkey stopped")
-}
-
-func (m *clusterChaosMonkeyController) run() {
-	m.ccm.run(m.t, m.cluster, m.stopCh)
-}
-
-// Cluster Chaos Monkey that selects a random subset of the nodes in a cluster (according to min/max provided),
-// shuts them down for a given duration (according to min/max provided), then brings them back up.
-// Then sleeps for a given time, and does it again until stopped.
-type clusterBouncerChaosMonkey struct {
-	minDowntime    time.Duration
-	maxDowntime    time.Duration
-	minDownServers int
-	maxDownServers int
-	pause          time.Duration
-}
-
-func (m *clusterBouncerChaosMonkey) validate(t *testing.T, c *cluster) {
-	if m.minDowntime > m.maxDowntime {
-		t.Fatalf("Min downtime %v cannot be larger than max downtime %v", m.minDowntime, m.maxDowntime)
-	}
-
-	if m.minDownServers > m.maxDownServers {
-		t.Fatalf("Min down servers %v cannot be larger than max down servers %v", m.minDownServers, m.maxDownServers)
-	}
-}
-
-func (m *clusterBouncerChaosMonkey) run(t *testing.T, c *cluster, stopCh <-chan bool) {
-	for {
-		// Pause between actions
-		select {
-		case <-stopCh:
-			return
-		case <-time.After(m.pause):
-		}
-
-		// Pick a random subset of servers
-		numServersDown := rand.Intn(1+m.maxDownServers-m.minDownServers) + m.minDownServers
-		servers := c.selectRandomServers(numServersDown)
-		serverNames := []string{}
-		for _, s := range servers {
-			serverNames = append(serverNames, s.info.Name)
-		}
-
-		// Pick a random outage interval
-		minOutageNanos := m.minDowntime.Nanoseconds()
-		maxOutageNanos := m.maxDowntime.Nanoseconds()
-		outageDurationNanos := rand.Int63n(1+maxOutageNanos-minOutageNanos) + minOutageNanos
-		outageDuration := time.Duration(outageDurationNanos)
-
-		// Take down selected servers
-		t.Logf("🐵 Taking down %d/%d servers for %v (%v)", numServersDown, len(c.servers), outageDuration, serverNames)
-		c.stopSubset(servers)
-
-		// Wait for the "outage" duration
-		select {
-		case <-stopCh:
-			return
-		case <-time.After(outageDuration):
-		}
-
-		// Restart servers and wait for cluster to be healthy
-		t.Logf("🐵 Restoring cluster")
-		c.restartAllSamePorts()
-		c.waitOnClusterHealthz()
-
-		c.waitOnClusterReady()
-		c.waitOnAllCurrent()
-		c.waitOnLeader()
-	}
-}
diff --git a/server/jetstream_chaos_kv_test.go b/server/jetstream_chaos_kv_test.go
deleted file mode 100644
index 6c177a9ad..000000000
--- a/server/jetstream_chaos_kv_test.go
+++ /dev/null
@@ -1,456 +0,0 @@
-// Copyright 2022 The NATS Authors
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//go:build js_chaos_tests
-// +build js_chaos_tests
-
-package server
-
-import (
-	"fmt"
-	"math/rand"
-	"strings"
-	"sync"
-	"testing"
-	"time"
-
-	"github.com/nats-io/nats.go"
-)
-
-const (
-	chaosKvTestsClusterName = "KV_CHAOS_TEST"
-	chaosKvTestsBucketName  = "KV_CHAOS_TEST_BUCKET"
-	chaosKvTestsSubject     = "foo"
-	chaosKvTestsDebug       = false
-)
-
-// Creates KV store (a.k.a. bucket).
-func createBucketForKvChaosTest(t *testing.T, c *cluster, replicas int) {
-	t.Helper()
-
-	pubNc, pubJs := jsClientConnectCluster(t, c)
-	defer pubNc.Close()
-
-	config := nats.KeyValueConfig{
-		Bucket:      chaosKvTestsBucketName,
-		Replicas:    replicas,
-		Description: "Test bucket",
-	}
-
-	kvs, err := pubJs.CreateKeyValue(&config)
-	if err != nil {
-		t.Fatalf("Error creating bucket: %v", err)
-	}
-
-	status, err := kvs.Status()
-	if err != nil {
-		t.Fatalf("Error retrieving bucket status: %v", err)
-	}
-	t.Logf("Bucket created: %s", status.Bucket())
-}
-
-// Single client performs a set of PUT on a single key.
-// If PUT is successful, perform a GET on the same key.
-// If GET is successful, ensure key revision and value match the most recent successful write.
-func TestJetStreamChaosKvPutGet(t *testing.T) {
-
-	const numOps = 100_000
-	const clusterSize = 3
-	const replicas = 3
-	const key = "key"
-	const staleReadsOk = true // Set to false to check for violations of 'read committed' consistency
-
-	c := createJetStreamClusterExplicit(t, chaosKvTestsClusterName, clusterSize)
-	defer c.shutdown()
-
-	createBucketForKvChaosTest(t, c, replicas)
-
-	chaos := createClusterChaosMonkeyController(
-		t,
-		c,
-		&clusterBouncerChaosMonkey{
-			minDowntime:    0 * time.Second,
-			maxDowntime:    2 * time.Second,
-			minDownServers: clusterSize, // Whole cluster outage
-			maxDownServers: clusterSize,
-			pause:          1 * time.Second,
-		},
-	)
-
-	nc, js := jsClientConnectCluster(t, c)
-	defer nc.Close()
-
-	// Create KV bucket
-	kv, err := js.KeyValue(chaosKvTestsBucketName)
-	if err != nil {
-		t.Fatalf("Failed to get KV store: %v", err)
-	}
-
-	// Initialize the only key
-	firstRevision, err := kv.Create(key, []byte("INITIAL VALUE"))
-	if err != nil {
-		t.Fatalf("Failed to create key: %v", err)
-	} else if firstRevision != 1 {
-		t.Fatalf("Unexpected revision: %d", firstRevision)
-	}
-
-	// Start chaos
-	chaos.start()
-	defer chaos.stop()
-
-	staleReadsCount := uint64(0)
-	successCount := uint64(0)
-
-	previousRevision := firstRevision
-
-putGetLoop:
-	for i := 1; i <= numOps; i++ {
-
-		if i%1000 == 0 {
-			t.Logf("Completed %d/%d PUT+GET operations", i, numOps)
-		}
-
-		// PUT a value
-		putValue := fmt.Sprintf("value-%d", i)
-		putRevision, err := kv.Put(key, []byte(putValue))
-		if err != nil {
-			t.Logf("PUT error: %v", err)
-			continue putGetLoop
-		}
-
-		// Check revision is monotonically increasing
-		if putRevision <= previousRevision {
-			t.Fatalf("PUT produced revision %d which is not greater than the previous successful PUT revision: %d", putRevision, previousRevision)
-		}
-
-		previousRevision = putRevision
-
-		// If PUT was successful, GET the same
-		kve, err := kv.Get(key)
-		if err == nats.ErrKeyNotFound {
-			t.Fatalf("GET key not found, but key does exists (last PUT revision: %d)", putRevision)
-		} else if err != nil {
-			t.Logf("GET error: %v", err)
-			continue putGetLoop
-		}
-
-		getValue := string(kve.Value())
-		getRevision := kve.Revision()
-
-		if putRevision > getRevision {
-			// Stale read, violates 'read committed' consistency criteria
-			if !staleReadsOk {
-				t.Fatalf("PUT value %s (rev: %d) then read value %s (rev: %d)", putValue, putRevision, getValue, getRevision)
-			} else {
-				staleReadsCount += 1
-			}
-		} else if putRevision < getRevision {
-			// Returned revision is higher than any ever written, this should never happen
-			t.Fatalf("GET returned revision %d, but most recent expected revision is %d", getRevision, putRevision)
-		} else if putValue != getValue {
-			// Returned revision matches latest, but values do not, this should never happen
-			t.Fatalf("GET returned revision %d with value %s, but value %s was just committed for that same revision", getRevision, getValue, putValue)
-		} else {
-			// Get returned the latest revision/value
-			successCount += 1
-			if chaosKvTestsDebug {
-				t.Logf("PUT+GET %s=%s (rev: %d)", key, putValue, putRevision)
-			}
-		}
-	}
-
-	t.Logf("Completed %d PUT+GET cycles of which %d successful, %d GETs returned a stale value", numOps, successCount, staleReadsCount)
-}
-
-// A variant TestJetStreamChaosKvPutGet where PUT is retried until successful, and GET is retried until it returns the latest known key revision.
-// This validates than a confirmed PUT value is never lost, and becomes eventually visible.
-func TestJetStreamChaosKvPutGetWithRetries(t *testing.T) {
-
-	const numOps = 10_000
-	const maxRetries = 20
-	const retryDelay = 100 * time.Millisecond
-	const clusterSize = 3
-	const replicas = 3
-	const key = "key"
-
-	c := createJetStreamClusterExplicit(t, chaosKvTestsClusterName, clusterSize)
-	defer c.shutdown()
-
-	createBucketForKvChaosTest(t, c, replicas)
-
-	chaos := createClusterChaosMonkeyController(
-		t,
-		c,
-		&clusterBouncerChaosMonkey{
-			minDowntime:    0 * time.Second,
-			maxDowntime:    2 * time.Second,
-			minDownServers: clusterSize, // Whole cluster outage
-			maxDownServers: clusterSize,
-			pause:          1 * time.Second,
-		},
-	)
-
-	nc, js := jsClientConnectCluster(t, c)
-	defer nc.Close()
-
-	kv, err := js.KeyValue(chaosKvTestsBucketName)
-	if err != nil {
-		t.Fatalf("Failed to get KV store: %v", err)
-	}
-
-	// Initialize key value
-	firstRevision, err := kv.Create(key, []byte("INITIAL VALUE"))
-	if err != nil {
-		t.Fatalf("Failed to create key: %v", err)
-	} else if firstRevision != 1 {
-		t.Fatalf("Unexpected revision: %d", firstRevision)
-	}
-
-	// Start chaos
-	chaos.start()
-	defer chaos.stop()
-
-	staleReadCount := 0
-	previousRevision := firstRevision
-
-putGetLoop:
-	for i := 1; i <= numOps; i++ {
-
-		if i%1000 == 0 {
-			t.Logf("Completed %d/%d PUT+GET operations", i, numOps)
-		}
-
-		putValue := fmt.Sprintf("value-%d", i)
-		putRevision := uint64(0)
-
-		// Put new value for key, retry until successful or out of retries
-	putRetryLoop:
-		for r := 0; r <= maxRetries; r++ {
-			var putErr error
-			putRevision, putErr = kv.Put(key, []byte(putValue))
-			if putErr == nil {
-				break putRetryLoop
-			} else if r == maxRetries {
-				t.Fatalf("Failed to PUT (retried %d times): %v", maxRetries, putErr)
-			} else {
-				if chaosKvTestsDebug {
-					t.Logf("PUT error: %v", putErr)
-				}
-				time.Sleep(retryDelay)
-			}
-		}
-
-		// Ensure key version is monotonically increasing
-		if putRevision <= previousRevision {
-			t.Fatalf("Latest PUT created revision %d which is not greater than the previous revision: %d", putRevision, previousRevision)
-		}
-		previousRevision = putRevision
-
-		// Read value for key, retry until successful, and validate corresponding version and value
-	getRetryLoop:
-		for r := 0; r <= maxRetries; r++ {
-			var getErr error
-			kve, getErr := kv.Get(key)
-			if getErr != nil && r == maxRetries {
-				t.Fatalf("Failed to GET (retried %d times): %v", maxRetries, getErr)
-			} else if getErr != nil {
-				if chaosKvTestsDebug {
-					t.Logf("GET error: %v", getErr)
-				}
-				time.Sleep(retryDelay)
-				continue getRetryLoop
-			}
-
-			// GET successful, check revision and value
-			getValue := string(kve.Value())
-			getRevision := kve.Revision()
-
-			if putRevision == getRevision {
-				if putValue != getValue {
-					t.Fatalf("Unexpected value %s for revision %d, expected: %s", getValue, getRevision, putValue)
-				}
-				if chaosKvTestsDebug {
-					t.Logf("PUT+GET %s=%s (rev: %d) (retry: %d)", key, putValue, putRevision, r)
-				}
-				continue putGetLoop
-			} else if getRevision > putRevision {
-				t.Fatalf("GET returned version that should not exist yet: %d, last created: %d", getRevision, putRevision)
-			} else { // get revision < put revision
-				staleReadCount += 1
-				if chaosKvTestsDebug {
-					t.Logf("GET got stale value: %v (rev: %d, latest: %d)", getValue, getRevision, putRevision)
-				}
-				time.Sleep(retryDelay)
-				continue getRetryLoop
-			}
-		}
-	}
-
-	t.Logf("Client completed %d PUT+GET cycles, %d GET returned a stale value", numOps, staleReadCount)
-}
-
-// Multiple clients updating a finite set of keys with CAS semantics.
-// TODO check that revision is never lower than last one seen
-// TODO check that KeyNotFound is never returned, as keys are initialized beforehand
-func TestJetStreamChaosKvCAS(t *testing.T) {
-	const numOps = 10_000
-	const maxRetries = 50
-	const retryDelay = 300 * time.Millisecond
-	const clusterSize = 3
-	const replicas = 3
-	const numKeys = 15
-	const numClients = 5
-
-	c := createJetStreamClusterExplicit(t, chaosKvTestsClusterName, clusterSize)
-	defer c.shutdown()
-
-	createBucketForKvChaosTest(t, c, replicas)
-
-	chaos := createClusterChaosMonkeyController(
-		t,
-		c,
-		&clusterBouncerChaosMonkey{
-			minDowntime:    0 * time.Second,
-			maxDowntime:    2 * time.Second,
-			minDownServers: clusterSize, // Whole cluster outage
-			maxDownServers: clusterSize,
-			pause:          1 * time.Second,
-		},
-	)
-
-	nc, js := jsClientConnectCluster(t, c)
-	defer nc.Close()
-
-	// Create bucket
-	kv, err := js.KeyValue(chaosKvTestsBucketName)
-	if err != nil {
-		t.Fatalf("Failed to get KV store: %v", err)
-	}
-
-	// Create set of keys and initialize them with dummy value
-	keys := make([]string, numKeys)
-	for k := 0; k < numKeys; k++ {
-		key := fmt.Sprintf("key-%d", k)
-		keys[k] = key
-
-		_, err := kv.Create(key, []byte("Initial value"))
-		if err != nil {
-			t.Fatalf("Failed to create key: %v", err)
-		}
-	}
-
-	wgStart := sync.WaitGroup{}
-	wgComplete := sync.WaitGroup{}
-
-	// Client routine
-	client := func(clientId int, kv nats.KeyValue) {
-		defer wgComplete.Done()
-
-		rng := rand.New(rand.NewSource(int64(clientId)))
-		successfulUpdates := 0
-		casRejectUpdates := 0
-		otherUpdateErrors := 0
-
-		// Map to track last known revision for each of the keys
-		knownRevisions := map[string]uint64{}
-		for _, key := range keys {
-			knownRevisions[key] = 0
-		}
-
-		// Wait for all clients to reach this point before proceeding
-		wgStart.Done()
-		wgStart.Wait()
-
-		for i := 1; i <= numOps; i++ {
-
-			if i%1000 == 0 {
-				t.Logf("Client %d completed %d/%d updates", clientId, i, numOps)
-			}
-
-			// Pick random key from the set
-			key := keys[rng.Intn(numKeys)]
-
-			// Prepare unique value to be written
-			value := fmt.Sprintf("client: %d operation %d", clientId, i)
-
-			// Try to update a key with CAS
-			newRevision, updateErr := kv.Update(key, []byte(value), knownRevisions[key])
-			if updateErr == nil {
-				// Update successful
-				knownRevisions[key] = newRevision
-				successfulUpdates += 1
-				if chaosKvTestsDebug {
-					t.Logf("Client %d updated key %s, new revision: %d", clientId, key, newRevision)
-				}
-			} else if updateErr != nil && strings.Contains(fmt.Sprint(updateErr), "wrong last sequence") {
-				// CAS rejected update, learn current revision for this key
-				casRejectUpdates += 1
-
-				for r := 0; r <= maxRetries; r++ {
-					kve, getErr := kv.Get(key)
-					if getErr == nil {
-						currentRevision := kve.Revision()
-						if currentRevision < knownRevisions[key] {
-							// Revision number moved backward, this should never happen
-							t.Fatalf("Current revision for key %s is %d, which is lower than the last known revision %d", key, currentRevision, knownRevisions[key])
-
-						}
-
-						knownRevisions[key] = currentRevision
-						if chaosKvTestsDebug {
-							t.Logf("Client %d learn key %s revision: %d", clientId, key, currentRevision)
-						}
-						break
-					} else if r == maxRetries {
-						t.Fatalf("Failed to GET (retried %d times): %v", maxRetries, getErr)
-					} else {
-						time.Sleep(retryDelay)
-					}
-				}
-			} else {
-				// Other update error
-				otherUpdateErrors += 1
-				if chaosKvTestsDebug {
-					t.Logf("Client %d update error for key %s: %v", clientId, key, updateErr)
-				}
-				time.Sleep(retryDelay)
-			}
-		}
-		t.Logf("Client %d done, %d kv updates, %d CAS rejected, %d other errors", clientId, successfulUpdates, casRejectUpdates, otherUpdateErrors)
-	}
-
-	// Launch all clients
-	for i := 1; i <= numClients; i++ {
-		cNc, cJs := jsClientConnectCluster(t, c)
-		defer cNc.Close()
-
-		cKv, err := cJs.KeyValue(chaosKvTestsBucketName)
-		if err != nil {
-			t.Fatalf("Failed to get KV store: %v", err)
-		}
-
-		wgStart.Add(1)
-		wgComplete.Add(1)
-		go client(i, cKv)
-	}
-
-	// Wait for clients to be connected and ready
-	wgStart.Wait()
-
-	// Start failures
-	chaos.start()
-	defer chaos.stop()
-
-	// Wait for all clients to be done
-	wgComplete.Wait()
-}
diff --git a/server/jetstream_chaos_test.go b/server/jetstream_chaos_test.go
new file mode 100644
index 000000000..b08733828
--- /dev/null
+++ b/server/jetstream_chaos_test.go
@@ -0,0 +1,1285 @@
+// Copyright 2023 The NATS Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build js_chaos_tests
+// +build js_chaos_tests
+
+package server
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"math/rand"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/nats-io/nats.go"
+)
+
+// Support functions for "chaos" testing (random injected failures)
+
+type ChaosMonkeyController interface {
+	// Launch the monkey as background routine and return
+	start()
+	// Stop a monkey that was previously started
+	stop()
+	// Run the monkey synchronously, until it is manually stopped via stopCh
+	run()
+}
+
+type ClusterChaosMonkey interface {
+	// Set defaults and validates the monkey parameters
+	validate(t *testing.T, c *cluster)
+	// Run the monkey synchronously, until it is manually stopped via stopCh
+	run(t *testing.T, c *cluster, stopCh <-chan bool)
+}
+
+// Chaos Monkey Controller that acts on a cluster
+type clusterChaosMonkeyController struct {
+	t       *testing.T
+	cluster *cluster
+	wg      sync.WaitGroup
+	stopCh  chan bool
+	ccm     ClusterChaosMonkey
+}
+
+func createClusterChaosMonkeyController(t *testing.T, c *cluster, ccm ClusterChaosMonkey) ChaosMonkeyController {
+	ccm.validate(t, c)
+	return &clusterChaosMonkeyController{
+		t:       t,
+		cluster: c,
+		stopCh:  make(chan bool, 3),
+		ccm:     ccm,
+	}
+}
+
+func (m *clusterChaosMonkeyController) start() {
+	m.t.Logf("🐵 Starting monkey")
+	m.wg.Add(1)
+	go func() {
+		defer m.wg.Done()
+		m.run()
+	}()
+}
+
+func (m *clusterChaosMonkeyController) stop() {
+	m.t.Logf("🐵 Stopping monkey")
+	m.stopCh <- true
+	m.wg.Wait()
+	m.t.Logf("🐵 Monkey stopped")
+}
+
+func (m *clusterChaosMonkeyController) run() {
+	m.ccm.run(m.t, m.cluster, m.stopCh)
+}
+
+// Cluster Chaos Monkey that selects a random subset of the nodes in a cluster (according to min/max provided),
+// shuts them down for a given duration (according to min/max provided), then brings them back up.
+// Then sleeps for a given time, and does it again until stopped.
+type clusterBouncerChaosMonkey struct {
+	minDowntime    time.Duration
+	maxDowntime    time.Duration
+	minDownServers int
+	maxDownServers int
+	pause          time.Duration
+}
+
+func (m *clusterBouncerChaosMonkey) validate(t *testing.T, c *cluster) {
+	if m.minDowntime > m.maxDowntime {
+		t.Fatalf("Min downtime %v cannot be larger than max downtime %v", m.minDowntime, m.maxDowntime)
+	}
+
+	if m.minDownServers > m.maxDownServers {
+		t.Fatalf("Min down servers %v cannot be larger than max down servers %v", m.minDownServers, m.maxDownServers)
+	}
+}
+
+func (m *clusterBouncerChaosMonkey) run(t *testing.T, c *cluster, stopCh <-chan bool) {
+	for {
+		// Pause between actions
+		select {
+		case <-stopCh:
+			return
+		case <-time.After(m.pause):
+		}
+
+		// Pick a random subset of servers
+		numServersDown := rand.Intn(1+m.maxDownServers-m.minDownServers) + m.minDownServers
+		servers := c.selectRandomServers(numServersDown)
+		serverNames := []string{}
+		for _, s := range servers {
+			serverNames = append(serverNames, s.info.Name)
+		}
+
+		// Pick a random outage interval
+		minOutageNanos := m.minDowntime.Nanoseconds()
+		maxOutageNanos := m.maxDowntime.Nanoseconds()
+		outageDurationNanos := rand.Int63n(1+maxOutageNanos-minOutageNanos) + minOutageNanos
+		outageDuration := time.Duration(outageDurationNanos)
+
+		// Take down selected servers
+		t.Logf("🐵 Taking down %d/%d servers for %v (%v)", numServersDown, len(c.servers), outageDuration, serverNames)
+		c.stopSubset(servers)
+
+		// Wait for the "outage" duration
+		select {
+		case <-stopCh:
+			return
+		case <-time.After(outageDuration):
+		}
+
+		// Restart servers and wait for cluster to be healthy
+		t.Logf("🐵 Restoring cluster")
+		c.restartAllSamePorts()
+		c.waitOnClusterHealthz()
+
+		c.waitOnClusterReady()
+		c.waitOnAllCurrent()
+		c.waitOnLeader()
+	}
+}
+
+// Additional cluster methods for chaos testing
+
+func (c *cluster) waitOnClusterHealthz() {
+	c.t.Helper()
+	for _, cs := range c.servers {
+		c.waitOnServerHealthz(cs)
+	}
+}
+
+func (c *cluster) stopSubset(toStop []*Server) {
+	c.t.Helper()
+	for _, s := range toStop {
+		s.Shutdown()
+	}
+}
+
+func (c *cluster) selectRandomServers(numServers int) []*Server {
+	c.t.Helper()
+	if numServers > len(c.servers) {
+		panic(fmt.Sprintf("Can't select %d servers in a cluster of %d", numServers, len(c.servers)))
+	}
+	var selectedServers []*Server
+	selectedServers = append(selectedServers, c.servers...)
+	rand.Shuffle(len(selectedServers), func(x, y int) {
+		selectedServers[x], selectedServers[y] = selectedServers[y], selectedServers[x]
+	})
+	return selectedServers[0:numServers]
+}
+
+// Other helpers
+
+func jsClientConnectCluster(t testing.TB, c *cluster) (*nats.Conn, nats.JetStreamContext) {
+	serverConnectURLs := make([]string, len(c.servers))
+	for i, server := range c.servers {
+		serverConnectURLs[i] = server.ClientURL()
+	}
+	connectURL := strings.Join(serverConnectURLs, ",")
+
+	nc, err := nats.Connect(connectURL)
+	if err != nil {
+		t.Fatalf("Failed to connect: %s", err)
+	}
+
+	js, err := nc.JetStream()
+	if err != nil {
+		t.Fatalf("Failed to init JetStream context: %s", err)
+	}
+
+	return nc, js
+}
+
+func toIndentedJsonString(v any) string {
+	s, err := json.MarshalIndent(v, "", "  ")
+	if err != nil {
+		panic(err)
+	}
+	return string(s)
+}
+
+// Bounces the entire set of nodes, then brings them back up.
+// Fail if some nodes don't come back online.
+func TestJetStreamChaosClusterBounce(t *testing.T) {
+
+	const duration = 60 * time.Second
+	const clusterSize = 3
+
+	c := createJetStreamClusterExplicit(t, "R3", clusterSize)
+	defer c.shutdown()
+
+	chaos := createClusterChaosMonkeyController(
+		t,
+		c,
+		&clusterBouncerChaosMonkey{
+			minDowntime:    0 * time.Second,
+			maxDowntime:    2 * time.Second,
+			minDownServers: clusterSize,
+			maxDownServers: clusterSize,
+			pause:          3 * time.Second,
+		},
+	)
+	chaos.start()
+	defer chaos.stop()
+
+	<-time.After(duration)
+}
+
+// Bounces a subset of the nodes, then brings them back up.
+// Fails if some nodes don't come back online.
+func TestJetStreamChaosClusterBounceSubset(t *testing.T) {
+
+	const duration = 60 * time.Second
+	const clusterSize = 3
+
+	c := createJetStreamClusterExplicit(t, "R3", clusterSize)
+	defer c.shutdown()
+
+	chaos := createClusterChaosMonkeyController(
+		t,
+		c,
+		&clusterBouncerChaosMonkey{
+			minDowntime:    0 * time.Second,
+			maxDowntime:    2 * time.Second,
+			minDownServers: 1,
+			maxDownServers: clusterSize,
+			pause:          3 * time.Second,
+		},
+	)
+	chaos.start()
+	defer chaos.stop()
+
+	<-time.After(duration)
+}
+
+const (
+	chaosConsumerTestsClusterName = "CONSUMERS_CHAOS_TEST"
+	chaosConsumerTestsStreamName  = "CONSUMER_CHAOS_TEST_STREAM"
+	chaosConsumerTestsSubject     = "foo"
+	chaosConsumerTestsDebug       = false
+)
+
+// Creates stream and fills it with the given number of messages.
+// Each message is the string representation of the stream sequence number,
+// e.g. the first message (seqno: 1) contains data "1".
+// This allows consumers to verify the content of each message without tracking additional state
+func createStreamForConsumerChaosTest(t *testing.T, c *cluster, replicas, numMessages int) {
+	t.Helper()
+
+	const publishBatchSize = 1_000
+
+	pubNc, pubJs := jsClientConnectCluster(t, c)
+	defer pubNc.Close()
+
+	_, err := pubJs.AddStream(&nats.StreamConfig{
+		Name:     chaosConsumerTestsStreamName,
+		Subjects: []string{chaosConsumerTestsSubject},
+		Replicas: replicas,
+	})
+	if err != nil {
+		t.Fatalf("Error creating stream: %v", err)
+	}
+
+	ackFutures := make([]nats.PubAckFuture, 0, publishBatchSize)
+
+	for i := 1; i <= numMessages; i++ {
+		message := []byte(fmt.Sprintf("%d", i))
+		pubAckFuture, err := pubJs.PublishAsync(chaosConsumerTestsSubject, message, nats.ExpectLastSequence(uint64(i-1)))
+		if err != nil {
+			t.Fatalf("Publish error: %s", err)
+		}
+		ackFutures = append(ackFutures, pubAckFuture)
+
+		if (i > 0 && i%publishBatchSize == 0) || i == numMessages {
+			select {
+			case <-pubJs.PublishAsyncComplete():
+				for _, pubAckFuture := range ackFutures {
+					select {
+					case <-pubAckFuture.Ok():
+						// Noop
+					case pubAckErr := <-pubAckFuture.Err():
+						t.Fatalf("Error publishing: %s", pubAckErr)
+					case <-time.After(30 * time.Second):
+						t.Fatalf("Timeout verifying pubAck for message: %s", pubAckFuture.Msg().Data)
+					}
+				}
+				ackFutures = make([]nats.PubAckFuture, 0, publishBatchSize)
+				t.Logf("Published %d/%d messages", i, numMessages)
+
+			case <-time.After(30 * time.Second):
+				t.Fatalf("Publish timed out")
+			}
+		}
+	}
+}
+
+// Verify ordered delivery despite cluster-wide outages
+func TestJetStreamChaosConsumerOrdered(t *testing.T) {
+
+	const numMessages = 5_000
+	const numBatch = 500
+	const maxRetries = 100
+	const retryDelay = 500 * time.Millisecond
+	const fetchTimeout = 250 * time.Millisecond
+	const clusterSize = 3
+	const replicas = 3
+
+	c := createJetStreamClusterExplicit(t, chaosConsumerTestsClusterName, clusterSize)
+	defer c.shutdown()
+
+	createStreamForConsumerChaosTest(t, c, replicas, numMessages)
+
+	chaos := createClusterChaosMonkeyController(
+		t,
+		c,
+		&clusterBouncerChaosMonkey{
+			minDowntime:    0 * time.Second,
+			maxDowntime:    2 * time.Second,
+			minDownServers: clusterSize, // Whole cluster outage
+			maxDownServers: clusterSize,
+			pause:          1 * time.Second,
+		},
+	)
+
+	subNc, subJs := jsClientConnectCluster(t, c)
+	defer subNc.Close()
+
+	sub, err := subJs.SubscribeSync(
+		chaosConsumerTestsSubject,
+		nats.OrderedConsumer(),
+	)
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+	defer sub.Unsubscribe()
+
+	if chaosConsumerTestsDebug {
+		t.Logf("Initial subscription: %s", toIndentedJsonString(sub))
+	}
+
+	chaos.start()
+	defer chaos.stop()
+
+	for i := 1; i <= numMessages; i++ {
+		var msg *nats.Msg
+		var nextMsgErr error
+		var expectedMsgData = []byte(fmt.Sprintf("%d", i))
+
+	nextMsgRetryLoop:
+		for r := 0; r <= maxRetries; r++ {
+			msg, nextMsgErr = sub.NextMsg(fetchTimeout)
+			if nextMsgErr == nil {
+				break nextMsgRetryLoop
+			} else if r == maxRetries {
+				t.Fatalf("Exceeded max retries for NextMsg")
+			} else if nextMsgErr == nats.ErrBadSubscription {
+				t.Fatalf("Subscription is invalid: %s", toIndentedJsonString(sub))
+			} else {
+				time.Sleep(retryDelay)
+			}
+		}
+
+		metadata, err := msg.Metadata()
+		if err != nil {
+			t.Fatalf("Failed to get message metadata: %v", err)
+		}
+
+		if metadata.Sequence.Stream != uint64(i) {
+			t.Fatalf("Expecting stream sequence %d, got %d instead", i, metadata.Sequence.Stream)
+		}
+
+		if !bytes.Equal(msg.Data, expectedMsgData) {
+			t.Fatalf("Expecting message %s, got %s instead", expectedMsgData, msg.Data)
+		}
+
+		// Simulate application processing (and gives the monkey some time to brew chaos)
+		time.Sleep(10 * time.Millisecond)
+
+		if i%numBatch == 0 {
+			t.Logf("Consumed %d/%d", i, numMessages)
+		}
+	}
+}
+
+// Verify ordered delivery despite cluster-wide outages
+func TestJetStreamChaosConsumerAsync(t *testing.T) {
+
+	const numMessages = 5_000
+	const numBatch = 500
+	const timeout = 30 * time.Second // No (new) messages for 30s => terminate
+	const maxRetries = 25
+	const retryDelay = 500 * time.Millisecond
+	const clusterSize = 3
+	const replicas = 3
+
+	c := createJetStreamClusterExplicit(t, chaosConsumerTestsClusterName, clusterSize)
+	defer c.shutdown()
+
+	createStreamForConsumerChaosTest(t, c, replicas, numMessages)
+
+	chaos := createClusterChaosMonkeyController(
+		t,
+		c,
+		&clusterBouncerChaosMonkey{
+			minDowntime:    0 * time.Second,
+			maxDowntime:    2 * time.Second,
+			minDownServers: clusterSize,
+			maxDownServers: clusterSize,
+			pause:          2 * time.Second,
+		},
+	)
+
+	subNc, subJs := jsClientConnectCluster(t, c)
+	defer subNc.Close()
+
+	timeoutTimer := time.NewTimer(timeout)
+	deliveryCount := uint64(0)
+	received := NewBitset(numMessages)
+
+	handleMsg := func(msg *nats.Msg) {
+		deliveryCount += 1
+
+		metadata, err := msg.Metadata()
+		if err != nil {
+			t.Fatalf("Failed to get message metadata: %v", err)
+		}
+		seq := metadata.Sequence.Stream
+
+		var expectedMsgData = []byte(fmt.Sprintf("%d", seq))
+		if !bytes.Equal(msg.Data, expectedMsgData) {
+			t.Fatalf("Expecting message content '%s', got '%s' instead", expectedMsgData, msg.Data)
+		}
+
+		isDupe := received.get(seq - 1)
+
+		if isDupe {
+			if chaosConsumerTestsDebug {
+				t.Logf("Duplicate message delivery, seq: %d", seq)
+			}
+			return
+		}
+
+		// Mark this sequence as received
+		received.set(seq-1, true)
+		if received.count() < numMessages {
+			// Reset timeout
+			timeoutTimer.Reset(timeout)
+		} else {
+			// All received, speed up the shutdown
+			timeoutTimer.Reset(1 * time.Second)
+		}
+
+		if received.count()%numBatch == 0 {
+			t.Logf("Consumed %d/%d", received.count(), numMessages)
+		}
+
+		// Simulate application processing (and gives the monkey some time to brew chaos)
+		time.Sleep(10 * time.Millisecond)
+
+	ackRetryLoop:
+		for i := 0; i <= maxRetries; i++ {
+			ackErr := msg.Ack()
+			if ackErr == nil {
+				break ackRetryLoop
+			} else if i == maxRetries {
+				t.Fatalf("Failed to ACK message %d (retried %d times)", seq, maxRetries)
+			} else {
+				time.Sleep(retryDelay)
+			}
+		}
+	}
+
+	subOpts := []nats.SubOpt{}
+	sub, err := subJs.Subscribe(chaosConsumerTestsSubject, handleMsg, subOpts...)
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+	defer sub.Unsubscribe()
+
+	chaos.start()
+	defer chaos.stop()
+
+	// Wait for long enough silence.
+	// Either a stall, or all messages received
+	<-timeoutTimer.C
+
+	// Shut down consumer
+	sub.Unsubscribe()
+
+	uniqueDeliveredCount := received.count()
+
+	t.Logf(
+		"Delivered %d/%d messages %d duplicate deliveries",
+		uniqueDeliveredCount,
+		numMessages,
+		deliveryCount-uniqueDeliveredCount,
+	)
+
+	if uniqueDeliveredCount != numMessages {
+		t.Fatalf("No new message delivered in the last %s, %d/%d messages never delivered", timeout, numMessages-uniqueDeliveredCount, numMessages)
+	}
+}
+
+// Verify durable consumer retains state despite cluster-wide outages
+// The consumer connection is also periodically closed, and the consumer 'resumes' on a different one
+func TestJetStreamChaosConsumerDurable(t *testing.T) {
+
+	const numMessages = 5_000
+	const numBatch = 500
+	const timeout = 30 * time.Second // No (new) messages for 60s => terminate
+	const clusterSize = 3
+	const replicas = 3
+	const maxRetries = 25
+	const retryDelay = 500 * time.Millisecond
+	const durableConsumerName = "durable"
+
+	c := createJetStreamClusterExplicit(t, chaosConsumerTestsClusterName, clusterSize)
+	defer c.shutdown()
+
+	createStreamForConsumerChaosTest(t, c, replicas, numMessages)
+
+	chaos := createClusterChaosMonkeyController(
+		t,
+		c,
+		&clusterBouncerChaosMonkey{
+			minDowntime:    0 * time.Second,
+			maxDowntime:    2 * time.Second,
+			minDownServers: 1,
+			maxDownServers: clusterSize,
+			pause:          3 * time.Second,
+		},
+	)
+
+	var nc *nats.Conn
+	var sub *nats.Subscription
+	var subLock sync.Mutex
+
+	var handleMsgFun func(msg *nats.Msg)
+	var natsURL string
+
+	{
+		var sb strings.Builder
+		for _, s := range c.servers {
+			sb.WriteString(s.ClientURL())
+			sb.WriteString(",")
+		}
+		natsURL = sb.String()
+	}
+
+	resetDurableConsumer := func() {
+		subLock.Lock()
+		defer subLock.Unlock()
+
+		if nc != nil {
+			nc.Close()
+		}
+
+		var newNc *nats.Conn
+	connectRetryLoop:
+		for r := 0; r <= maxRetries; r++ {
+			var connErr error
+			newNc, connErr = nats.Connect(natsURL)
+			if connErr == nil {
+				break connectRetryLoop
+			} else if r == maxRetries {
+				t.Fatalf("Failed to connect, exceeded max retries, last error: %s", connErr)
+			} else {
+				time.Sleep(retryDelay)
+			}
+		}
+
+		var newJs nats.JetStreamContext
+	jsRetryLoop:
+		for r := 0; r <= maxRetries; r++ {
+			var jsErr error
+			newJs, jsErr = newNc.JetStream(nats.MaxWait(10 * time.Second))
+			if jsErr == nil {
+				break jsRetryLoop
+			} else if r == maxRetries {
+				t.Fatalf("Failed to get JS, exceeded max retries, last error: %s", jsErr)
+			} else {
+				time.Sleep(retryDelay)
+			}
+		}
+
+		subOpts := []nats.SubOpt{
+			nats.Durable(durableConsumerName),
+		}
+
+		var newSub *nats.Subscription
+	subscribeRetryLoop:
+		for i := 0; i <= maxRetries; i++ {
+			var subErr error
+			newSub, subErr = newJs.Subscribe(chaosConsumerTestsSubject, handleMsgFun, subOpts...)
+			if subErr == nil {
+				ci, err := newJs.ConsumerInfo(chaosConsumerTestsStreamName, durableConsumerName)
+				if err == nil {
+					if chaosConsumerTestsDebug {
+						t.Logf("Consumer info:\n %s", toIndentedJsonString(ci))
+					}
+				} else {
+					t.Logf("Failed to retrieve consumer info: %s", err)
+				}
+
+				break subscribeRetryLoop
+			} else if i == maxRetries {
+				t.Fatalf("Exceeded max retries creating subscription: %v", subErr)
+			} else {
+				time.Sleep(retryDelay)
+			}
+		}
+
+		nc, sub = newNc, newSub
+	}
+
+	timeoutTimer := time.NewTimer(timeout)
+	deliveryCount := uint64(0)
+	received := NewBitset(numMessages)
+
+	handleMsgFun = func(msg *nats.Msg) {
+
+		subLock.Lock()
+		if msg.Sub != sub {
+			// Message from a previous instance of durable consumer, drop
+			defer subLock.Unlock()
+			return
+		}
+		subLock.Unlock()
+
+		deliveryCount += 1
+
+		metadata, err := msg.Metadata()
+		if err != nil {
+			t.Fatalf("Failed to get message metadata: %v", err)
+		}
+		seq := metadata.Sequence.Stream
+
+		var expectedMsgData = []byte(fmt.Sprintf("%d", seq))
+		if !bytes.Equal(msg.Data, expectedMsgData) {
+			t.Fatalf("Expecting message content '%s', got '%s' instead", expectedMsgData, msg.Data)
+		}
+
+		isDupe := received.get(seq - 1)
+
+		if isDupe {
+			if chaosConsumerTestsDebug {
+				t.Logf("Duplicate message delivery, seq: %d", seq)
+			}
+			return
+		}
+
+		// Mark this sequence as received
+		received.set(seq-1, true)
+		if received.count() < numMessages {
+			// Reset timeout
+			timeoutTimer.Reset(timeout)
+		} else {
+			// All received, speed up the shutdown
+			timeoutTimer.Reset(1 * time.Second)
+		}
+
+		// Simulate application processing (and gives the monkey some time to brew chaos)
+		time.Sleep(10 * time.Millisecond)
+
+	ackRetryLoop:
+		for i := 0; i <= maxRetries; i++ {
+			ackErr := msg.Ack()
+			if ackErr == nil {
+				break ackRetryLoop
+			} else if i == maxRetries {
+				t.Fatalf("Failed to ACK message %d (retried %d times)", seq, maxRetries)
+			} else {
+				time.Sleep(retryDelay)
+			}
+		}
+
+		if received.count()%numBatch == 0 {
+			t.Logf("Consumed %d/%d, duplicate deliveries: %d", received.count(), numMessages, deliveryCount-received.count())
+			// Close connection and resume consuming on a different one
+			resetDurableConsumer()
+		}
+	}
+
+	resetDurableConsumer()
+
+	chaos.start()
+	defer chaos.stop()
+
+	// Wait for long enough silence.
+	// Either a stall, or all messages received
+	<-timeoutTimer.C
+
+	// Shut down consumer
+	if sub != nil {
+		sub.Unsubscribe()
+	}
+
+	uniqueDeliveredCount := received.count()
+
+	t.Logf(
+		"Delivered %d/%d messages %d duplicate deliveries",
+		uniqueDeliveredCount,
+		numMessages,
+		deliveryCount-uniqueDeliveredCount,
+	)
+
+	if uniqueDeliveredCount != numMessages {
+		t.Fatalf("No new message delivered in the last %s, %d/%d messages never delivered", timeout, numMessages-uniqueDeliveredCount, numMessages)
+	}
+}
+
+func TestJetStreamChaosConsumerPull(t *testing.T) {
+
+	const numMessages = 5_000
+	const numBatch = 500
+	const maxRetries = 100
+	const retryDelay = 500 * time.Millisecond
+	const fetchTimeout = 250 * time.Millisecond
+	const fetchBatchSize = 100
+	const clusterSize = 3
+	const replicas = 3
+	const durableConsumerName = "durable"
+
+	c := createJetStreamClusterExplicit(t, chaosConsumerTestsClusterName, clusterSize)
+	defer c.shutdown()
+
+	createStreamForConsumerChaosTest(t, c, replicas, numMessages)
+
+	chaos := createClusterChaosMonkeyController(
+		t,
+		c,
+		&clusterBouncerChaosMonkey{
+			minDowntime:    0 * time.Second,
+			maxDowntime:    2 * time.Second,
+			minDownServers: clusterSize, // Whole cluster outage
+			maxDownServers: clusterSize,
+			pause:          1 * time.Second,
+		},
+	)
+
+	subNc, subJs := jsClientConnectCluster(t, c)
+	defer subNc.Close()
+
+	sub, err := subJs.PullSubscribe(
+		chaosConsumerTestsSubject,
+		durableConsumerName,
+	)
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+	defer sub.Unsubscribe()
+
+	if chaosConsumerTestsDebug {
+		t.Logf("Initial subscription: %s", toIndentedJsonString(sub))
+	}
+
+	chaos.start()
+	defer chaos.stop()
+
+	fetchMaxWait := nats.MaxWait(fetchTimeout)
+	received := NewBitset(numMessages)
+	deliveredCount := uint64(0)
+
+	for received.count() < numMessages {
+
+		var msgs []*nats.Msg
+		var fetchErr error
+
+	fetchRetryLoop:
+		for r := 0; r <= maxRetries; r++ {
+			msgs, fetchErr = sub.Fetch(fetchBatchSize, fetchMaxWait)
+			if fetchErr == nil {
+				break fetchRetryLoop
+			} else if r == maxRetries {
+				t.Fatalf("Exceeded max retries for Fetch, last error: %s", fetchErr)
+			} else if fetchErr == nats.ErrBadSubscription {
+				t.Fatalf("Subscription is invalid: %s", toIndentedJsonString(sub))
+			} else {
+				// t.Logf("Fetch error: %v", fetchErr)
+				time.Sleep(retryDelay)
+			}
+		}
+
+		for _, msg := range msgs {
+
+			deliveredCount += 1
+
+			metadata, err := msg.Metadata()
+			if err != nil {
+				t.Fatalf("Failed to get message metadata: %v", err)
+			}
+
+			streamSeq := metadata.Sequence.Stream
+
+			expectedMsgData := []byte(fmt.Sprintf("%d", streamSeq))
+
+			if !bytes.Equal(msg.Data, expectedMsgData) {
+				t.Fatalf("Expecting message %s, got %s instead", expectedMsgData, msg.Data)
+			}
+
+			isDupe := received.get(streamSeq - 1)
+
+			received.set(streamSeq-1, true)
+
+			// Simulate application processing (and gives the monkey some time to brew chaos)
+			time.Sleep(10 * time.Millisecond)
+
+		ackRetryLoop:
+			for r := 0; r <= maxRetries; r++ {
+				ackErr := msg.Ack()
+				if ackErr == nil {
+					break ackRetryLoop
+				} else if r == maxRetries {
+					t.Fatalf("Failed to ACK message %d, last error: %s", streamSeq, ackErr)
+				} else {
+					time.Sleep(retryDelay)
+				}
+			}
+
+			if !isDupe && received.count()%numBatch == 0 {
+				t.Logf("Consumed %d/%d (duplicates: %d)", received.count(), numMessages, deliveredCount-received.count())
+			}
+		}
+	}
+}
+
+const (
+	chaosKvTestsClusterName = "KV_CHAOS_TEST"
+	chaosKvTestsBucketName  = "KV_CHAOS_TEST_BUCKET"
+	chaosKvTestsSubject     = "foo"
+	chaosKvTestsDebug       = false
+)
+
+// Creates KV store (a.k.a. bucket).
+func createBucketForKvChaosTest(t *testing.T, c *cluster, replicas int) {
+	t.Helper()
+
+	pubNc, pubJs := jsClientConnectCluster(t, c)
+	defer pubNc.Close()
+
+	config := nats.KeyValueConfig{
+		Bucket:      chaosKvTestsBucketName,
+		Replicas:    replicas,
+		Description: "Test bucket",
+	}
+
+	kvs, err := pubJs.CreateKeyValue(&config)
+	if err != nil {
+		t.Fatalf("Error creating bucket: %v", err)
+	}
+
+	status, err := kvs.Status()
+	if err != nil {
+		t.Fatalf("Error retrieving bucket status: %v", err)
+	}
+	t.Logf("Bucket created: %s", status.Bucket())
+}
+
+// Single client performs a set of PUT on a single key.
+// If PUT is successful, perform a GET on the same key.
+// If GET is successful, ensure key revision and value match the most recent successful write.
+func TestJetStreamChaosKvPutGet(t *testing.T) {
+
+	const numOps = 100_000
+	const clusterSize = 3
+	const replicas = 3
+	const key = "key"
+	const staleReadsOk = true // Set to false to check for violations of 'read committed' consistency
+
+	c := createJetStreamClusterExplicit(t, chaosKvTestsClusterName, clusterSize)
+	defer c.shutdown()
+
+	createBucketForKvChaosTest(t, c, replicas)
+
+	chaos := createClusterChaosMonkeyController(
+		t,
+		c,
+		&clusterBouncerChaosMonkey{
+			minDowntime:    0 * time.Second,
+			maxDowntime:    2 * time.Second,
+			minDownServers: clusterSize, // Whole cluster outage
+			maxDownServers: clusterSize,
+			pause:          1 * time.Second,
+		},
+	)
+
+	nc, js := jsClientConnectCluster(t, c)
+	defer nc.Close()
+
+	// Create KV bucket
+	kv, err := js.KeyValue(chaosKvTestsBucketName)
+	if err != nil {
+		t.Fatalf("Failed to get KV store: %v", err)
+	}
+
+	// Initialize the only key
+	firstRevision, err := kv.Create(key, []byte("INITIAL VALUE"))
+	if err != nil {
+		t.Fatalf("Failed to create key: %v", err)
+	} else if firstRevision != 1 {
+		t.Fatalf("Unexpected revision: %d", firstRevision)
+	}
+
+	// Start chaos
+	chaos.start()
+	defer chaos.stop()
+
+	staleReadsCount := uint64(0)
+	successCount := uint64(0)
+
+	previousRevision := firstRevision
+
+putGetLoop:
+	for i := 1; i <= numOps; i++ {
+
+		if i%1000 == 0 {
+			t.Logf("Completed %d/%d PUT+GET operations", i, numOps)
+		}
+
+		// PUT a value
+		putValue := fmt.Sprintf("value-%d", i)
+		putRevision, err := kv.Put(key, []byte(putValue))
+		if err != nil {
+			t.Logf("PUT error: %v", err)
+			continue putGetLoop
+		}
+
+		// Check revision is monotonically increasing
+		if putRevision <= previousRevision {
+			t.Fatalf("PUT produced revision %d which is not greater than the previous successful PUT revision: %d", putRevision, previousRevision)
+		}
+
+		previousRevision = putRevision
+
+		// If PUT was successful, GET the same
+		kve, err := kv.Get(key)
+		if err == nats.ErrKeyNotFound {
+			t.Fatalf("GET key not found, but key does exists (last PUT revision: %d)", putRevision)
+		} else if err != nil {
+			t.Logf("GET error: %v", err)
+			continue putGetLoop
+		}
+
+		getValue := string(kve.Value())
+		getRevision := kve.Revision()
+
+		if putRevision > getRevision {
+			// Stale read, violates 'read committed' consistency criteria
+			if !staleReadsOk {
+				t.Fatalf("PUT value %s (rev: %d) then read value %s (rev: %d)", putValue, putRevision, getValue, getRevision)
+			} else {
+				staleReadsCount += 1
+			}
+		} else if putRevision < getRevision {
+			// Returned revision is higher than any ever written, this should never happen
+			t.Fatalf("GET returned revision %d, but most recent expected revision is %d", getRevision, putRevision)
+		} else if putValue != getValue {
+			// Returned revision matches latest, but values do not, this should never happen
+			t.Fatalf("GET returned revision %d with value %s, but value %s was just committed for that same revision", getRevision, getValue, putValue)
+		} else {
+			// Get returned the latest revision/value
+			successCount += 1
+			if chaosKvTestsDebug {
+				t.Logf("PUT+GET %s=%s (rev: %d)", key, putValue, putRevision)
+			}
+		}
+	}
+
+	t.Logf("Completed %d PUT+GET cycles of which %d successful, %d GETs returned a stale value", numOps, successCount, staleReadsCount)
+}
+
+// A variant TestJetStreamChaosKvPutGet where PUT is retried until successful, and GET is retried until it returns the latest known key revision.
+// This validates than a confirmed PUT value is never lost, and becomes eventually visible.
+func TestJetStreamChaosKvPutGetWithRetries(t *testing.T) {
+
+	const numOps = 10_000
+	const maxRetries = 20
+	const retryDelay = 100 * time.Millisecond
+	const clusterSize = 3
+	const replicas = 3
+	const key = "key"
+
+	c := createJetStreamClusterExplicit(t, chaosKvTestsClusterName, clusterSize)
+	defer c.shutdown()
+
+	createBucketForKvChaosTest(t, c, replicas)
+
+	chaos := createClusterChaosMonkeyController(
+		t,
+		c,
+		&clusterBouncerChaosMonkey{
+			minDowntime:    0 * time.Second,
+			maxDowntime:    2 * time.Second,
+			minDownServers: clusterSize, // Whole cluster outage
+			maxDownServers: clusterSize,
+			pause:          1 * time.Second,
+		},
+	)
+
+	nc, js := jsClientConnectCluster(t, c)
+	defer nc.Close()
+
+	kv, err := js.KeyValue(chaosKvTestsBucketName)
+	if err != nil {
+		t.Fatalf("Failed to get KV store: %v", err)
+	}
+
+	// Initialize key value
+	firstRevision, err := kv.Create(key, []byte("INITIAL VALUE"))
+	if err != nil {
+		t.Fatalf("Failed to create key: %v", err)
+	} else if firstRevision != 1 {
+		t.Fatalf("Unexpected revision: %d", firstRevision)
+	}
+
+	// Start chaos
+	chaos.start()
+	defer chaos.stop()
+
+	staleReadCount := 0
+	previousRevision := firstRevision
+
+putGetLoop:
+	for i := 1; i <= numOps; i++ {
+
+		if i%1000 == 0 {
+			t.Logf("Completed %d/%d PUT+GET operations", i, numOps)
+		}
+
+		putValue := fmt.Sprintf("value-%d", i)
+		putRevision := uint64(0)
+
+		// Put new value for key, retry until successful or out of retries
+	putRetryLoop:
+		for r := 0; r <= maxRetries; r++ {
+			var putErr error
+			putRevision, putErr = kv.Put(key, []byte(putValue))
+			if putErr == nil {
+				break putRetryLoop
+			} else if r == maxRetries {
+				t.Fatalf("Failed to PUT (retried %d times): %v", maxRetries, putErr)
+			} else {
+				if chaosKvTestsDebug {
+					t.Logf("PUT error: %v", putErr)
+				}
+				time.Sleep(retryDelay)
+			}
+		}
+
+		// Ensure key version is monotonically increasing
+		if putRevision <= previousRevision {
+			t.Fatalf("Latest PUT created revision %d which is not greater than the previous revision: %d", putRevision, previousRevision)
+		}
+		previousRevision = putRevision
+
+		// Read value for key, retry until successful, and validate corresponding version and value
+	getRetryLoop:
+		for r := 0; r <= maxRetries; r++ {
+			var getErr error
+			kve, getErr := kv.Get(key)
+			if getErr != nil && r == maxRetries {
+				t.Fatalf("Failed to GET (retried %d times): %v", maxRetries, getErr)
+			} else if getErr != nil {
+				if chaosKvTestsDebug {
+					t.Logf("GET error: %v", getErr)
+				}
+				time.Sleep(retryDelay)
+				continue getRetryLoop
+			}
+
+			// GET successful, check revision and value
+			getValue := string(kve.Value())
+			getRevision := kve.Revision()
+
+			if putRevision == getRevision {
+				if putValue != getValue {
+					t.Fatalf("Unexpected value %s for revision %d, expected: %s", getValue, getRevision, putValue)
+				}
+				if chaosKvTestsDebug {
+					t.Logf("PUT+GET %s=%s (rev: %d) (retry: %d)", key, putValue, putRevision, r)
+				}
+				continue putGetLoop
+			} else if getRevision > putRevision {
+				t.Fatalf("GET returned version that should not exist yet: %d, last created: %d", getRevision, putRevision)
+			} else { // get revision < put revision
+				staleReadCount += 1
+				if chaosKvTestsDebug {
+					t.Logf("GET got stale value: %v (rev: %d, latest: %d)", getValue, getRevision, putRevision)
+				}
+				time.Sleep(retryDelay)
+				continue getRetryLoop
+			}
+		}
+	}
+
+	t.Logf("Client completed %d PUT+GET cycles, %d GET returned a stale value", numOps, staleReadCount)
+}
+
+// Multiple clients updating a finite set of keys with CAS semantics.
+// TODO check that revision is never lower than last one seen
+// TODO check that KeyNotFound is never returned, as keys are initialized beforehand
+func TestJetStreamChaosKvCAS(t *testing.T) {
+	const numOps = 10_000
+	const maxRetries = 50
+	const retryDelay = 300 * time.Millisecond
+	const clusterSize = 3
+	const replicas = 3
+	const numKeys = 15
+	const numClients = 5
+
+	c := createJetStreamClusterExplicit(t, chaosKvTestsClusterName, clusterSize)
+	defer c.shutdown()
+
+	createBucketForKvChaosTest(t, c, replicas)
+
+	chaos := createClusterChaosMonkeyController(
+		t,
+		c,
+		&clusterBouncerChaosMonkey{
+			minDowntime:    0 * time.Second,
+			maxDowntime:    2 * time.Second,
+			minDownServers: clusterSize, // Whole cluster outage
+			maxDownServers: clusterSize,
+			pause:          1 * time.Second,
+		},
+	)
+
+	nc, js := jsClientConnectCluster(t, c)
+	defer nc.Close()
+
+	// Create bucket
+	kv, err := js.KeyValue(chaosKvTestsBucketName)
+	if err != nil {
+		t.Fatalf("Failed to get KV store: %v", err)
+	}
+
+	// Create set of keys and initialize them with dummy value
+	keys := make([]string, numKeys)
+	for k := 0; k < numKeys; k++ {
+		key := fmt.Sprintf("key-%d", k)
+		keys[k] = key
+
+		_, err := kv.Create(key, []byte("Initial value"))
+		if err != nil {
+			t.Fatalf("Failed to create key: %v", err)
+		}
+	}
+
+	wgStart := sync.WaitGroup{}
+	wgComplete := sync.WaitGroup{}
+
+	// Client routine
+	client := func(clientId int, kv nats.KeyValue) {
+		defer wgComplete.Done()
+
+		rng := rand.New(rand.NewSource(int64(clientId)))
+		successfulUpdates := 0
+		casRejectUpdates := 0
+		otherUpdateErrors := 0
+
+		// Map to track last known revision for each of the keys
+		knownRevisions := map[string]uint64{}
+		for _, key := range keys {
+			knownRevisions[key] = 0
+		}
+
+		// Wait for all clients to reach this point before proceeding
+		wgStart.Done()
+		wgStart.Wait()
+
+		for i := 1; i <= numOps; i++ {
+
+			if i%1000 == 0 {
+				t.Logf("Client %d completed %d/%d updates", clientId, i, numOps)
+			}
+
+			// Pick random key from the set
+			key := keys[rng.Intn(numKeys)]
+
+			// Prepare unique value to be written
+			value := fmt.Sprintf("client: %d operation %d", clientId, i)
+
+			// Try to update a key with CAS
+			newRevision, updateErr := kv.Update(key, []byte(value), knownRevisions[key])
+			if updateErr == nil {
+				// Update successful
+				knownRevisions[key] = newRevision
+				successfulUpdates += 1
+				if chaosKvTestsDebug {
+					t.Logf("Client %d updated key %s, new revision: %d", clientId, key, newRevision)
+				}
+			} else if updateErr != nil && strings.Contains(fmt.Sprint(updateErr), "wrong last sequence") {
+				// CAS rejected update, learn current revision for this key
+				casRejectUpdates += 1
+
+				for r := 0; r <= maxRetries; r++ {
+					kve, getErr := kv.Get(key)
+					if getErr == nil {
+						currentRevision := kve.Revision()
+						if currentRevision < knownRevisions[key] {
+							// Revision number moved backward, this should never happen
+							t.Fatalf("Current revision for key %s is %d, which is lower than the last known revision %d", key, currentRevision, knownRevisions[key])
+
+						}
+
+						knownRevisions[key] = currentRevision
+						if chaosKvTestsDebug {
+							t.Logf("Client %d learn key %s revision: %d", clientId, key, currentRevision)
+						}
+						break
+					} else if r == maxRetries {
+						t.Fatalf("Failed to GET (retried %d times): %v", maxRetries, getErr)
+					} else {
+						time.Sleep(retryDelay)
+					}
+				}
+			} else {
+				// Other update error
+				otherUpdateErrors += 1
+				if chaosKvTestsDebug {
+					t.Logf("Client %d update error for key %s: %v", clientId, key, updateErr)
+				}
+				time.Sleep(retryDelay)
+			}
+		}
+		t.Logf("Client %d done, %d kv updates, %d CAS rejected, %d other errors", clientId, successfulUpdates, casRejectUpdates, otherUpdateErrors)
+	}
+
+	// Launch all clients
+	for i := 1; i <= numClients; i++ {
+		cNc, cJs := jsClientConnectCluster(t, c)
+		defer cNc.Close()
+
+		cKv, err := cJs.KeyValue(chaosKvTestsBucketName)
+		if err != nil {
+			t.Fatalf("Failed to get KV store: %v", err)
+		}
+
+		wgStart.Add(1)
+		wgComplete.Add(1)
+		go client(i, cKv)
+	}
+
+	// Wait for clients to be connected and ready
+	wgStart.Wait()
+
+	// Start failures
+	chaos.start()
+	defer chaos.stop()
+
+	// Wait for all clients to be done
+	wgComplete.Wait()
+}
diff --git a/server/jetstream_cluster.go b/server/jetstream_cluster.go
index 2d9f39679..e3c552069 100644
--- a/server/jetstream_cluster.go
+++ b/server/jetstream_cluster.go
@@ -281,6 +281,37 @@ func (s *Server) JetStreamStepdownStream(account, stream string) error {
 	return nil
 }
 
+func (s *Server) JetStreamStepdownConsumer(account, stream, consumer string) error {
+	js, cc := s.getJetStreamCluster()
+	if js == nil {
+		return NewJSNotEnabledError()
+	}
+	if cc == nil {
+		return NewJSClusterNotActiveError()
+	}
+	// Grab account
+	acc, err := s.LookupAccount(account)
+	if err != nil {
+		return err
+	}
+	// Grab stream
+	mset, err := acc.lookupStream(stream)
+	if err != nil {
+		return err
+	}
+
+	o := mset.lookupConsumer(consumer)
+	if o == nil {
+		return NewJSConsumerNotFoundError()
+	}
+
+	if node := o.raftNode(); node != nil && node.Leader() {
+		node.StepDown()
+	}
+
+	return nil
+}
+
 func (s *Server) JetStreamSnapshotStream(account, stream string) error {
 	js, cc := s.getJetStreamCluster()
 	if js == nil {
@@ -320,7 +351,7 @@ func (s *Server) JetStreamClusterPeers() []string {
 	defer js.mu.RUnlock()
 
 	cc := js.cluster
-	if !cc.isLeader() {
+	if !cc.isLeader() || cc.meta == nil {
 		return nil
 	}
 	peers := cc.meta.Peers()
@@ -403,42 +434,106 @@ func (cc *jetStreamCluster) isStreamCurrent(account, stream string) bool {
 	return false
 }
 
+// Restart the stream in question.
+// Should only be called when the stream is know in a bad state.
+func (js *jetStream) restartStream(acc *Account, csa *streamAssignment) {
+	js.mu.Lock()
+	cc := js.cluster
+	if cc == nil {
+		js.mu.Unlock()
+		return
+	}
+	// Need to lookup the one directly from the meta layer, what we get handed is a copy if coming from isStreamHealthy.
+	asa := cc.streams[acc.Name]
+	if asa == nil {
+		js.mu.Unlock()
+		return
+	}
+	sa := asa[csa.Config.Name]
+	if sa == nil {
+		js.mu.Unlock()
+		return
+	}
+	// Make sure to clear out the raft node if still present in the meta layer.
+	if rg := sa.Group; rg != nil && rg.node != nil {
+		if rg.node.State() != Closed {
+			rg.node.Stop()
+		}
+		rg.node = nil
+	}
+	js.mu.Unlock()
+
+	// Process stream assignment to recreate.
+	js.processStreamAssignment(sa)
+
+	// If we had consumers assigned to this server they will be present in the copy, csa.
+	// They also need to be processed. The csa consumers is a copy of only our consumers,
+	// those assigned to us, but the consumer assignment's there are direct from the meta
+	// layer to make this part much easier and avoid excessive lookups.
+	for _, cca := range csa.consumers {
+		if cca.deleted {
+			continue
+		}
+		// Need to look up original as well here to make sure node is nil.
+		js.mu.Lock()
+		ca := sa.consumers[cca.Name]
+		if ca != nil && ca.Group != nil {
+			// Make sure the node is stopped if still running.
+			if node := ca.Group.node; node != nil && node.State() != Closed {
+				node.Stop()
+			}
+			// Make sure node is wiped.
+			ca.Group.node = nil
+		}
+		js.mu.Unlock()
+		if ca != nil {
+			js.processConsumerAssignment(ca)
+		}
+	}
+}
+
 // isStreamHealthy will determine if the stream is up to date or very close.
 // For R1 it will make sure the stream is present on this server.
-// Read lock should be held.
-func (cc *jetStreamCluster) isStreamHealthy(account, stream string) bool {
+func (js *jetStream) isStreamHealthy(acc *Account, sa *streamAssignment) bool {
+	js.mu.Lock()
+	s, cc := js.srv, js.cluster
 	if cc == nil {
 		// Non-clustered mode
+		js.mu.Unlock()
 		return true
 	}
-	as := cc.streams[account]
-	if as == nil {
-		return false
-	}
-	sa := as[stream]
-	if sa == nil {
-		return false
-	}
+
+	// Pull the group out.
 	rg := sa.Group
 	if rg == nil {
+		js.mu.Unlock()
+		return false
+	}
+
+	streamName := sa.Config.Name
+	node := rg.node
+	js.mu.Unlock()
+
+	// First lookup stream and make sure its there.
+	mset, err := acc.lookupStream(streamName)
+	if err != nil {
+		js.restartStream(acc, sa)
 		return false
 	}
 
-	if rg.node == nil || rg.node.Healthy() {
+	if node == nil || node.Healthy() {
 		// Check if we are processing a snapshot and are catching up.
-		acc, err := cc.s.LookupAccount(account)
-		if err != nil {
-			return false
-		}
-		mset, err := acc.lookupStream(stream)
-		if err != nil {
-			return false
+		if !mset.isCatchingUp() {
+			return true
 		}
-		if mset.isCatchingUp() {
-			return false
+	} else if node != nil {
+		if node != mset.raftNode() {
+			s.Warnf("Detected stream cluster node skew '%s > %s'", acc.GetName(), streamName)
+			node.Delete()
+			mset.resetClusteredState(nil)
+		} else if node.State() == Closed {
+			js.restartStream(acc, sa)
 		}
-		// Success.
-		return true
 	}
 
 	return false
@@ -446,28 +541,71 @@ func (cc *jetStreamCluster) isStreamHealthy(account, stream string) bool {
 
 // isConsumerCurrent will determine if the consumer is up to date.
 // For R1 it will make sure the consunmer is present on this server.
-// Read lock should be held.
-func (cc *jetStreamCluster) isConsumerCurrent(account, stream, consumer string) bool {
+func (js *jetStream) isConsumerHealthy(mset *stream, consumer string, ca *consumerAssignment) bool {
+	if mset == nil {
+		return false
+	}
+
+	js.mu.RLock()
+	cc := js.cluster
 	if cc == nil {
 		// Non-clustered mode
+		js.mu.RUnlock()
 		return true
 	}
-	acc, err := cc.s.LookupAccount(account)
-	if err != nil {
+	// These are required.
+	if ca == nil || ca.Group == nil {
+		js.mu.RUnlock()
 		return false
 	}
-	mset, err := acc.lookupStream(stream)
-	if err != nil {
-		return false
+	s := js.srv
+	js.mu.RUnlock()
+
+	// Capture RAFT node from assignment.
+	node := ca.Group.node
+
+	// When we try to restart we nil out the node if applicable
+	// and reprocess the consumer assignment.
+	restartConsumer := func() {
+		js.mu.Lock()
+		// Make sure the node is stopped if still running.
+		if node != nil && node.State() != Closed {
+			node.Stop()
+		}
+		ca.Group.node = nil
+		deleted := ca.deleted
+		js.mu.Unlock()
+		if !deleted {
+			js.processConsumerAssignment(ca)
+		}
 	}
+
+	// Check if not running at all.
 	o := mset.lookupConsumer(consumer)
 	if o == nil {
+		restartConsumer()
 		return false
 	}
-	if n := o.raftNode(); n != nil && !n.Current() {
-		return false
+
+	// Check RAFT node state.
+	if node == nil || node.Healthy() {
+		return true
+	} else if node != nil {
+		if node != o.raftNode() {
+			mset.mu.RLock()
+			accName, streamName := mset.acc.GetName(), mset.cfg.Name
+			mset.mu.RUnlock()
+			s.Warnf("Detected consumer cluster node skew '%s > %s'", accName, streamName, consumer)
+			node.Delete()
+			o.deleteWithoutAdvisory()
+			restartConsumer()
+		} else if node.State() == Closed {
+			// We have a consumer, and it should have a running node but it is closed.
+			o.stop()
+			restartConsumer()
+		}
 	}
-	return true
+	return false
 }
 
 // subjectsOverlap checks all existing stream assignments for the account cross-cluster for subject overlap
@@ -622,11 +760,14 @@ func (js *jetStream) setupMetaGroup() error {
 		return err
 	}
 
+	// Register our server.
+	fs.registerServer(s)
+
 	cfg := &RaftConfig{Name: defaultMetaGroupName, Store: storeDir, Log: fs}
 
 	// If we are soliciting leafnode connections and we are sharing a system account and do not disable it with a hint,
 	// we want to move to observer mode so that we extend the solicited cluster or supercluster but do not form our own.
-	cfg.Observer = s.canExtendOtherDomain() && s.opts.JetStreamExtHint != jsNoExtend
+	cfg.Observer = s.canExtendOtherDomain() && s.getOpts().JetStreamExtHint != jsNoExtend
 
 	var bootstrap bool
 	if ps, err := readPeerState(storeDir); err != nil {
@@ -754,7 +895,7 @@ func (js *jetStream) isGroupLeaderless(rg *raftGroup) bool {
 	// If we don't have a leader.
 	if rg.node.GroupLeader() == _EMPTY_ {
 		// Threshold for jetstream startup.
-		const startupThreshold = 5 * time.Second
+		const startupThreshold = 10 * time.Second
 
 		if rg.node.HadPreviousLeader() {
 			// Make sure we have been running long enough to intelligently determine this.
@@ -960,36 +1101,62 @@ type recoveryUpdates struct {
 // Streams and consumers are recovered from disk, and the meta layer's mappings
 // should clean them up, but under crash scenarios there could be orphans.
 func (js *jetStream) checkForOrphans() {
-	js.mu.Lock()
-	defer js.mu.Unlock()
-
 	consumerName := func(o *consumer) string {
 		o.mu.RLock()
 		defer o.mu.RUnlock()
 		return o.name
 	}
 
+	// Can not hold jetstream lock while trying to delete streams or consumers.
+	js.mu.Lock()
 	s, cc := js.srv, js.cluster
 	s.Debugf("JetStream cluster checking for orphans")
 
+	var streams []*stream
+	var consumers []*consumer
+
 	for accName, jsa := range js.accounts {
 		asa := cc.streams[accName]
 		for stream, mset := range jsa.streams {
 			if sa := asa[stream]; sa == nil {
-				s.Warnf("Detected orphaned stream '%s > %s', will cleanup", accName, stream)
-				mset.delete()
+				streams = append(streams, mset)
 			} else {
 				// This one is good, check consumers now.
 				for _, o := range mset.getConsumers() {
 					consumer := consumerName(o)
 					if sa.consumers[consumer] == nil {
-						s.Warnf("Detected orphaned consumer '%s > %s > %s', will cleanup", accName, stream, consumer)
-						o.delete()
+						consumers = append(consumers, o)
 					}
 				}
 			}
 		}
 	}
+	js.mu.Unlock()
+
+	for _, mset := range streams {
+		mset.mu.RLock()
+		accName, stream := mset.acc.Name, mset.cfg.Name
+		mset.mu.RUnlock()
+		s.Warnf("Detected orphaned stream '%s > %s', will cleanup", accName, stream)
+		if err := mset.delete(); err != nil {
+			s.Warnf("Deleting stream encountered an error: %v", err)
+		}
+	}
+	for _, o := range consumers {
+		o.mu.RLock()
+		accName, mset, consumer := o.acc.Name, o.mset, o.name
+		o.mu.RUnlock()
+		stream := "N/A"
+		if mset != nil {
+			mset.mu.RLock()
+			stream = mset.cfg.Name
+			mset.mu.RUnlock()
+		}
+		s.Warnf("Detected orphaned consumer '%s > %s > %s', will cleanup", accName, stream, consumer)
+		if err := o.delete(); err != nil {
+			s.Warnf("Deleting consumer encountered an error: %v", err)
+		}
+	}
 }
 
 func (js *jetStream) monitorCluster() {
@@ -1004,7 +1171,7 @@ func (js *jetStream) monitorCluster() {
 	// Make sure to stop the raft group on exit to prevent accidental memory bloat.
 	defer n.Stop()
 
-	const compactInterval = 2 * time.Minute
+	const compactInterval = time.Minute
 	t := time.NewTicker(compactInterval)
 	defer t.Stop()
 
@@ -1013,11 +1180,22 @@ func (js *jetStream) monitorCluster() {
 	lt := time.NewTicker(leaderCheckInterval)
 	defer lt.Stop()
 
+	const healthCheckInterval = 2 * time.Minute
+	ht := time.NewTicker(healthCheckInterval)
+	defer ht.Stop()
+
+	// Utility to check health.
+	checkHealth := func() {
+		if hs := s.healthz(nil); hs.Error != _EMPTY_ {
+			s.Warnf("%v", hs.Error)
+		}
+	}
+
 	var (
-		isLeader     bool
-		lastSnap     []byte
-		lastSnapTime time.Time
-		minSnapDelta = 10 * time.Second
+		isLeader       bool
+		lastSnapTime   time.Time
+		compactSizeMin = uint64(8 * 1024 * 1024) // 8MB
+		minSnapDelta   = 10 * time.Second
 	)
 
 	// Highwayhash key for generating hashes.
@@ -1033,10 +1211,10 @@ func (js *jetStream) monitorCluster() {
 		if js.isMetaRecovering() {
 			return
 		}
-		snap := js.metaSnapshot()
-		if hash := highwayhash.Sum(snap, key); !bytes.Equal(hash[:], lastSnap) {
-			if err := n.InstallSnapshot(snap); err == nil {
-				lastSnap, lastSnapTime = hash[:], time.Now()
+		// For the meta layer we want to snapshot when asked if we need one or have any entries that we can compact.
+		if ne, _ := n.Size(); ne > 0 || n.NeedSnapshot() {
+			if err := n.InstallSnapshot(js.metaSnapshot()); err == nil {
+				lastSnapTime = time.Now()
 			} else if err != errNoSnapAvailable && err != errNodeClosed {
 				s.Warnf("Error snapshotting JetStream cluster state: %v", err)
 			}
@@ -1087,26 +1265,32 @@ func (js *jetStream) monitorCluster() {
 					ru = nil
 					s.Debugf("Recovered JetStream cluster metadata")
 					js.checkForOrphans()
+					// Do a health check here as well.
+					go checkHealth()
 					continue
 				}
 				// FIXME(dlc) - Deal with errors.
 				if didSnap, didStreamRemoval, didConsumerRemoval, err := js.applyMetaEntries(ce.Entries, ru); err == nil {
 					_, nb := n.Applied(ce.Index)
-					if js.hasPeerEntries(ce.Entries) || didSnap || didStreamRemoval {
-						// Since we received one make sure we have our own since we do not store
-						// our meta state outside of raft.
+					if js.hasPeerEntries(ce.Entries) || didStreamRemoval || (didSnap && !isLeader) {
 						doSnapshot()
 					} else if didConsumerRemoval && time.Since(lastSnapTime) > minSnapDelta/2 {
 						doSnapshot()
-					} else if lls := len(lastSnap); nb > uint64(lls*8) && lls > 0 && time.Since(lastSnapTime) > minSnapDelta {
+					} else if nb > compactSizeMin && time.Since(lastSnapTime) > minSnapDelta {
 						doSnapshot()
 					}
+					ce.ReturnToPool()
 				}
 			}
 			aq.recycle(&ces)
+
 		case isLeader = <-lch:
+			// For meta layer synchronize everyone to our state on becoming leader.
+			if isLeader {
+				n.SendSnapshot(js.metaSnapshot())
+			}
+			// Process the change.
 			js.processLeaderChange(isLeader)
-
 			if isLeader {
 				s.sendInternalMsgLocked(serverStatsPingReqSubj, _EMPTY_, nil, nil)
 				// Install a snapshot as we become leader.
@@ -1120,6 +1304,10 @@ func (js *jetStream) monitorCluster() {
 			if n.Leader() {
 				js.checkClusterSize()
 			}
+		case <-ht.C:
+			// Do this in a separate go routine.
+			go checkHealth()
+
 		case <-lt.C:
 			s.Debugf("Checking JetStream cluster state")
 			// If we have a current leader or had one in the past we can cancel this here since the metaleader
@@ -1427,6 +1615,9 @@ func (js *jetStream) processAddPeer(peer string) {
 	defer js.mu.Unlock()
 
 	s, cc := js.srv, js.cluster
+	if cc == nil || cc.meta == nil {
+		return
+	}
 	isLeader := cc.isLeader()
 
 	// Now check if we are meta-leader. We will check for any re-assignments.
@@ -1468,7 +1659,7 @@ func (js *jetStream) processAddPeer(peer string) {
 func (js *jetStream) processRemovePeer(peer string) {
 	js.mu.Lock()
 	s, cc := js.srv, js.cluster
-	if cc.meta == nil {
+	if cc == nil || cc.meta == nil {
 		js.mu.Unlock()
 		return
 	}
@@ -1532,6 +1723,9 @@ func (js *jetStream) removePeerFromStreamLocked(sa *streamAssignment, peer strin
 	}
 
 	s, cc, csa := js.srv, js.cluster, sa.copyGroup()
+	if cc == nil || cc.meta == nil {
+		return false
+	}
 	replaced := cc.remapStreamAssignment(csa, peer)
 	if !replaced {
 		s.Warnf("JetStream cluster could not replace peer for stream '%s > %s'", sa.Client.serviceAccount(), sa.Config.Name)
@@ -1685,7 +1879,7 @@ func (js *jetStream) applyMetaEntries(entries []*Entry, ru *recoveryUpdates) (bo
 					js.processUpdateStreamAssignment(sa)
 				}
 			default:
-				panic("JetStream Cluster Unknown meta entry op type")
+				panic(fmt.Sprintf("JetStream Cluster Unknown meta entry op type: %v", entryOp(buf[0])))
 			}
 		}
 	}
@@ -1773,6 +1967,8 @@ func (js *jetStream) createRaftGroup(accName string, rg *raftGroup, storage Stor
 			s.Errorf("Error creating filestore WAL: %v", err)
 			return err
 		}
+		// Register our server.
+		fs.registerServer(s)
 		store = fs
 	} else {
 		ms, err := newMemStore(&StreamConfig{Name: rg.Name, Storage: MemoryStorage})
@@ -1869,14 +2065,24 @@ func (js *jetStream) monitorStream(mset *stream, sa *streamAssignment, sendSnaps
 		return
 	}
 
+	// Make sure only one is running.
+	if mset != nil {
+		if mset.checkInMonitor() {
+			return
+		}
+		defer mset.clearMonitorRunning()
+	}
+
+	// Make sure to stop the raft group on exit to prevent accidental memory bloat.
+	// This should be below the checkInMonitor call though to avoid stopping it out
+	// from underneath the one that is running since it will be the same raft node.
+	defer n.Stop()
+
 	qch, lch, aq, uch, ourPeerId := n.QuitC(), n.LeadChangeC(), n.ApplyQ(), mset.updateC(), meta.ID()
 
 	s.Debugf("Starting stream monitor for '%s > %s' [%s]", sa.Client.serviceAccount(), sa.Config.Name, n.Group())
 	defer s.Debugf("Exiting stream monitor for '%s > %s' [%s]", sa.Client.serviceAccount(), sa.Config.Name, n.Group())
 
-	// Make sure to stop the raft group on exit to prevent accidental memory bloat.
-	defer n.Stop()
-
 	// Make sure we do not leave the apply channel to fill up and block the raft layer.
 	defer func() {
 		if n.State() == Closed {
@@ -1913,33 +2119,37 @@ func (js *jetStream) monitorStream(mset *stream, sa *streamAssignment, sendSnaps
 	}
 	accName := acc.GetName()
 
-	// Hash of the last snapshot (fixed size in memory).
-	var lastSnap []byte
+	// Used to represent how we can detect a changed state quickly and without representing
+	// a complete and detailed state which could be costly in terms of memory, cpu and GC.
+	// This only entails how many messages, and the first and last sequence of the stream.
+	// This is all that is needed to detect a change, and we can get this from FilteredState()
+	// with and empty filter.
+	var lastState SimpleState
 	var lastSnapTime time.Time
 
-	// Highwayhash key for generating hashes.
-	key := make([]byte, 32)
-	rand.Read(key)
-
 	// Should only to be called from leader.
 	doSnapshot := func() {
 		if mset == nil || isRestore || time.Since(lastSnapTime) < minSnapDelta {
 			return
 		}
 
-		snap := mset.stateSnapshot()
-		ne, nb := n.Size()
-		hash := highwayhash.Sum(snap, key)
+		// Before we actually calculate the detailed state and encode it, let's check the
+		// simple state to detect any changes.
+		curState := mset.store.FilteredState(0, _EMPTY_)
+
 		// If the state hasn't changed but the log has gone way over
 		// the compaction size then we will want to compact anyway.
 		// This shouldn't happen for streams like it can for pull
 		// consumers on idle streams but better to be safe than sorry!
-		if !bytes.Equal(hash[:], lastSnap) || ne >= compactNumMin || nb >= compactSizeMin {
-			if err := n.InstallSnapshot(snap); err == nil {
-				lastSnap, lastSnapTime = hash[:], time.Now()
-			} else if err != errNoSnapAvailable && err != errNodeClosed {
-				s.Warnf("Failed to install snapshot for '%s > %s' [%s]: %v", mset.acc.Name, mset.name(), n.Group(), err)
-			}
+		ne, nb := n.Size()
+		if curState == lastState && ne < compactNumMin && nb < compactSizeMin {
+			return
+		}
+
+		if err := n.InstallSnapshot(mset.stateSnapshot()); err == nil {
+			lastState, lastSnapTime = curState, time.Now()
+		} else if err != errNoSnapAvailable && err != errNodeClosed {
+			s.Warnf("Failed to install snapshot for '%s > %s' [%s]: %v", mset.acc.Name, mset.name(), n.Group(), err)
 		}
 	}
 
@@ -1987,6 +2197,31 @@ func (js *jetStream) monitorStream(mset *stream, sa *streamAssignment, sendSnaps
 	}
 	defer stopDirectMonitoring()
 
+	// Check if we are interest based and if so and we have an active stream wait until we
+	// have the consumers attached. This can become important when a server has lots of assets
+	// since we process streams first then consumers as an asset class.
+	if mset != nil && mset.isInterestRetention() {
+		js.mu.RLock()
+		numExpectedConsumers := len(sa.consumers)
+		js.mu.RUnlock()
+		if mset.numConsumers() < numExpectedConsumers {
+			s.Debugf("Waiting for consumers for interest based stream '%s > %s'", accName, mset.name())
+			// Wait up to 10s
+			const maxWaitTime = 10 * time.Second
+			const sleepTime = 250 * time.Millisecond
+			timeout := time.Now().Add(maxWaitTime)
+			for time.Now().Before(timeout) {
+				if mset.numConsumers() >= numExpectedConsumers {
+					break
+				}
+				time.Sleep(sleepTime)
+			}
+			if actual := mset.numConsumers(); actual < numExpectedConsumers {
+				s.Warnf("All consumers not online for '%s > %s': expected %d but only have %d", accName, mset.name(), numExpectedConsumers, actual)
+			}
+		}
+	}
+
 	// This is triggered during a scale up from R1 to clustered mode. We need the new followers to catchup,
 	// similar to how we trigger the catchup mechanism post a backup/restore.
 	// We can arrive here NOT being the leader, so we send the snapshot only if we are, and in this case
@@ -1996,6 +2231,7 @@ func (js *jetStream) monitorStream(mset *stream, sa *streamAssignment, sendSnaps
 		n.SendSnapshot(mset.stateSnapshot())
 		sendSnapshot = false
 	}
+
 	for {
 		select {
 		case <-s.quitCh:
@@ -2019,6 +2255,7 @@ func (js *jetStream) monitorStream(mset *stream, sa *streamAssignment, sendSnaps
 				if err := js.applyStreamEntries(mset, ce, isRecovering); err == nil {
 					// Update our applied.
 					ne, nb = n.Applied(ce.Index)
+					ce.ReturnToPool()
 				} else {
 					s.Warnf("Error applying entries to '%s > %s': %v", accName, sa.Config.Name, err)
 					if isClusterResetErr(err) {
@@ -2047,9 +2284,13 @@ func (js *jetStream) monitorStream(mset *stream, sa *streamAssignment, sendSnaps
 
 		case isLeader = <-lch:
 			if isLeader {
-				if sendSnapshot && mset != nil && n != nil {
-					n.SendSnapshot(mset.stateSnapshot())
-					sendSnapshot = false
+				if mset != nil && n != nil {
+					// Send a snapshot if being asked or if we are tracking
+					// a failed state so that followers sync.
+					if clfs := mset.clearCLFS(); clfs > 0 || sendSnapshot {
+						n.SendSnapshot(mset.stateSnapshot())
+						sendSnapshot = false
+					}
 				}
 				if isRestore {
 					acc, _ := s.LookupAccount(sa.Client.serviceAccount())
@@ -2082,27 +2323,19 @@ func (js *jetStream) monitorStream(mset *stream, sa *streamAssignment, sendSnaps
 			// Here we are checking if we are not the leader but we have been asked to allow
 			// direct access. We now allow non-leaders to participate in the queue group.
 			if !isLeader && mset != nil {
-				mset.mu.Lock()
-				// Check direct gets first.
-				if mset.cfg.AllowDirect {
-					if mset.directSub == nil && mset.isCurrent() {
-						mset.subscribeToDirect()
-					} else {
-						startDirectAccessMonitoring()
-					}
-				}
-				// Now check for mirror directs as well.
-				if mset.cfg.MirrorDirect {
-					if mset.mirror != nil && mset.mirror.dsub == nil && mset.isCurrent() {
-						mset.subscribeToMirrorDirect()
-					} else {
-						startDirectAccessMonitoring()
-					}
-				}
-				mset.mu.Unlock()
+				startDirectAccessMonitoring()
 			}
 
 		case <-datc:
+			if mset == nil || isRecovering {
+				return
+			}
+			// If we are leader we can stop, we know this is setup now.
+			if isLeader {
+				stopDirectMonitoring()
+				return
+			}
+
 			mset.mu.Lock()
 			ad, md, current := mset.cfg.AllowDirect, mset.cfg.MirrorDirect, mset.isCurrent()
 			if !current {
@@ -2126,11 +2359,12 @@ func (js *jetStream) monitorStream(mset *stream, sa *streamAssignment, sendSnaps
 				mset.subscribeToMirrorDirect()
 			}
 			mset.mu.Unlock()
-			// Stop monitoring.
+			// Stop direct monitoring.
 			stopDirectMonitoring()
 
 		case <-t.C:
 			doSnapshot()
+
 		case <-uch:
 			// keep stream assignment current
 			sa = mset.streamAssignment()
@@ -2155,8 +2389,6 @@ func (js *jetStream) monitorStream(mset *stream, sa *streamAssignment, sendSnaps
 
 			// Check to see where we are..
 			rg := mset.raftGroup()
-			ci := js.clusterInfo(rg)
-			mset.checkClusterInfo(ci)
 
 			// Track the new peers and check the ones that are current.
 			mset.mu.RLock()
@@ -2168,6 +2400,10 @@ func (js *jetStream) monitorStream(mset *stream, sa *streamAssignment, sendSnaps
 				continue
 			}
 
+			// Make sure we have correct cluster information on the other peers.
+			ci := js.clusterInfo(rg)
+			mset.checkClusterInfo(ci)
+
 			newPeers, oldPeers, newPeerSet, oldPeerSet := genPeerInfo(rg.Peers, len(rg.Peers)-replicas)
 
 			// If we are part of the new peerset and we have been passed the baton.
@@ -2205,12 +2441,12 @@ func (js *jetStream) monitorStream(mset *stream, sa *streamAssignment, sendSnaps
 				csa.Group.Cluster = s.cachedClusterName()
 				cc.meta.ForwardProposal(encodeUpdateStreamAssignment(csa))
 				s.Noticef("Scaling down '%s > %s' to %+v", accName, sa.Config.Name, s.peerSetToNames(newPeers))
-
 			} else {
 				// We are the old leader here, from the original peer set.
 				// We are simply waiting on the new peerset to be caught up so we can transfer leadership.
 				var newLeaderPeer, newLeader string
 				neededCurrent, current := replicas/2+1, 0
+
 				for _, r := range ci.Replicas {
 					if r.Current && newPeerSet[r.Peer] {
 						current++
@@ -2222,6 +2458,7 @@ func (js *jetStream) monitorStream(mset *stream, sa *streamAssignment, sendSnaps
 				// Check if we have a quorom.
 				if current >= neededCurrent {
 					s.Noticef("Transfer of stream leader for '%s > %s' to '%s'", accName, sa.Config.Name, newLeader)
+					n.UpdateKnownPeers(newPeers)
 					n.StepDown(newLeaderPeer)
 				}
 			}
@@ -2364,6 +2601,12 @@ func (mset *stream) resetClusteredState(err error) bool {
 		node.StepDown()
 	}
 
+	// If we detect we are shutting down just return.
+	if js != nil && js.isShuttingDown() {
+		s.Debugf("Will not reset stream, jetstream shutting down")
+		return false
+	}
+
 	// Server
 	if js.limitsExceeded(stype) {
 		s.Debugf("Will not reset stream, server resources exceeded")
@@ -2383,41 +2626,42 @@ func (mset *stream) resetClusteredState(err error) bool {
 
 	// Preserve our current state and messages unless we have a first sequence mismatch.
 	shouldDelete := err == errFirstSequenceMismatch
-	mset.stop(shouldDelete, false)
 
-	if sa != nil {
-		s.Warnf("Resetting stream cluster state for '%s > %s'", sa.Client.serviceAccount(), sa.Config.Name)
-		js.mu.Lock()
-		sa.Group.node = nil
-		js.mu.Unlock()
-		go js.restartClustered(acc, sa)
-	}
-	return true
-}
+	// Need to do the rest in a separate Go routine.
+	go func() {
+		mset.monitorWg.Wait()
+		mset.resetAndWaitOnConsumers()
+		// Stop our stream.
+		mset.stop(shouldDelete, false)
 
-// This will reset the stream and consumers.
-// Should be done in separate go routine.
-func (js *jetStream) restartClustered(acc *Account, sa *streamAssignment) {
-	// Check and collect consumers first.
-	js.mu.RLock()
-	var consumers []*consumerAssignment
-	if cc := js.cluster; cc != nil && cc.meta != nil {
-		ourID := cc.meta.ID()
-		for _, ca := range sa.consumers {
-			if rg := ca.Group; rg != nil && rg.isMember(ourID) {
-				rg.node = nil // Erase group raft/node state.
-				consumers = append(consumers, ca)
+		if sa != nil {
+			js.mu.Lock()
+			s.Warnf("Resetting stream cluster state for '%s > %s'", sa.Client.serviceAccount(), sa.Config.Name)
+			// Now wipe groups from assignments.
+			sa.Group.node = nil
+			var consumers []*consumerAssignment
+			if cc := js.cluster; cc != nil && cc.meta != nil {
+				ourID := cc.meta.ID()
+				for _, ca := range sa.consumers {
+					if rg := ca.Group; rg != nil && rg.isMember(ourID) {
+						rg.node = nil // Erase group raft/node state.
+						consumers = append(consumers, ca)
+					}
+				}
+			}
+			js.mu.Unlock()
+
+			// This will reset the stream and consumers.
+			// Reset stream.
+			js.processClusterCreateStream(acc, sa)
+			// Reset consumers.
+			for _, ca := range consumers {
+				js.processClusterCreateConsumer(ca, nil, false)
 			}
 		}
-	}
-	js.mu.RUnlock()
+	}()
 
-	// Reset stream.
-	js.processClusterCreateStream(acc, sa)
-	// Reset consumers.
-	for _, ca := range consumers {
-		js.processClusterCreateConsumer(ca, nil, false)
-	}
+	return true
 }
 
 func isControlHdr(hdr []byte) bool {
@@ -2464,11 +2708,15 @@ func (js *jetStream) applyStreamEntries(mset *stream, ce *CommittedEntry, isReco
 
 				// Grab last sequence and CLFS.
 				last, clfs := mset.lastSeqAndCLFS()
-
 				// We can skip if we know this is less than what we already have.
 				if lseq-clfs < last {
 					s.Debugf("Apply stream entries for '%s > %s' skipping message with sequence %d with last of %d",
 						mset.account(), mset.name(), lseq+1-clfs, last)
+
+					mset.mu.Lock()
+					// Check for any preAcks in case we are interest based.
+					mset.clearAllPreAcks(lseq + 1 - mset.clfs)
+					mset.mu.Unlock()
 					continue
 				}
 
@@ -2482,7 +2730,9 @@ func (js *jetStream) applyStreamEntries(mset *stream, ce *CommittedEntry, isReco
 				// Messages to be skipped have no subject or timestamp or msg or hdr.
 				if subject == _EMPTY_ && ts == 0 && len(msg) == 0 && len(hdr) == 0 {
 					// Skip and update our lseq.
-					mset.setLastSeq(mset.store.SkipMsg())
+					last := mset.store.SkipMsg()
+					mset.setLastSeq(last)
+					mset.clearAllPreAcks(last)
 					continue
 				}
 
@@ -2551,13 +2801,16 @@ func (js *jetStream) applyStreamEntries(mset *stream, ce *CommittedEntry, isReco
 					}
 					panic(err.Error())
 				}
-				// Ignore if we are recovering and we have already processed.
-				if isRecovering {
-					if mset.state().FirstSeq <= sp.LastSeq {
-						// Make sure all messages from the purge are gone.
-						mset.store.Compact(sp.LastSeq + 1)
+				// If no explicit request, fill in with leader stamped last sequence to protect ourselves on replay during server start.
+				if sp.Request == nil || sp.Request.Sequence == 0 {
+					purgeSeq := sp.LastSeq + 1
+					if sp.Request == nil {
+						sp.Request = &JSApiStreamPurgeRequest{Sequence: purgeSeq}
+					} else if sp.Request.Keep == 0 {
+						sp.Request.Sequence = purgeSeq
+					} else if isRecovering {
+						continue
 					}
-					continue
 				}
 
 				s := js.server()
@@ -2582,7 +2835,7 @@ func (js *jetStream) applyStreamEntries(mset *stream, ce *CommittedEntry, isReco
 					}
 				}
 			default:
-				panic("JetStream Cluster Unknown group entry op type!")
+				panic(fmt.Sprintf("JetStream Cluster Unknown group entry op type: %v", op))
 			}
 		} else if e.Type == EntrySnapshot {
 			if !isRecovering && mset != nil {
@@ -2857,7 +3110,9 @@ func (js *jetStream) processStreamAssignment(sa *streamAssignment) bool {
 		accStreams = make(map[string]*streamAssignment)
 	} else if osa := accStreams[stream]; osa != nil && osa != sa {
 		// Copy over private existing state from former SA.
-		sa.Group.node = osa.Group.node
+		if sa.Group != nil {
+			sa.Group.node = osa.Group.node
+		}
 		sa.consumers = osa.consumers
 		sa.responded = osa.responded
 		sa.err = osa.err
@@ -2948,7 +3203,9 @@ func (js *jetStream) processUpdateStreamAssignment(sa *streamAssignment) {
 	}
 
 	// Copy over private existing state from former SA.
-	sa.Group.node = osa.Group.node
+	if sa.Group != nil {
+		sa.Group.node = osa.Group.node
+	}
 	sa.consumers = osa.consumers
 	sa.err = osa.err
 
@@ -2966,7 +3223,9 @@ func (js *jetStream) processUpdateStreamAssignment(sa *streamAssignment) {
 		sa.responded = false
 	} else {
 		// Make sure to clean up any old node in case this stream moves back here.
-		sa.Group.node = nil
+		if sa.Group != nil {
+			sa.Group.node = nil
+		}
 	}
 	js.mu.Unlock()
 
@@ -2998,19 +3257,23 @@ func (s *Server) removeStream(ourID string, mset *stream, nsa *streamAssignment)
 			node.StepDown(nsa.Group.Preferred)
 		}
 		node.ProposeRemovePeer(ourID)
-		// shut down monitor by shutting down raft
+		// shutdown monitor by shutting down raft.
 		node.Delete()
 	}
 
+	var isShuttingDown bool
 	// Make sure this node is no longer attached to our stream assignment.
 	if js, _ := s.getJetStreamCluster(); js != nil {
 		js.mu.Lock()
 		nsa.Group.node = nil
+		isShuttingDown = js.shuttingDown
 		js.mu.Unlock()
 	}
 
-	// wait for monitor to be shut down
-	mset.monitorWg.Wait()
+	if !isShuttingDown {
+		// wait for monitor to be shutdown.
+		mset.monitorWg.Wait()
+	}
 	mset.stop(true, false)
 }
 
@@ -3146,6 +3409,7 @@ func (js *jetStream) processClusterCreateStream(acc *Account, sa *streamAssignme
 	s, rg := js.srv, sa.Group
 	alreadyRunning := rg.node != nil
 	storage := sa.Config.Storage
+	restore := sa.Restore
 	js.mu.RUnlock()
 
 	// Process the raft group and make sure it's running if needed.
@@ -3154,11 +3418,13 @@ func (js *jetStream) processClusterCreateStream(acc *Account, sa *streamAssignme
 	// If we are restoring, create the stream if we are R>1 and not the preferred who handles the
 	// receipt of the snapshot itself.
 	shouldCreate := true
-	if sa.Restore != nil {
+	if restore != nil {
 		if len(rg.Peers) == 1 || rg.node != nil && rg.node.ID() == rg.Preferred {
 			shouldCreate = false
 		} else {
+			js.mu.Lock()
 			sa.Restore = nil
+			js.mu.Unlock()
 		}
 	}
 
@@ -3428,7 +3694,12 @@ func (js *jetStream) processClusterDeleteStream(sa *streamAssignment, isMember,
 			mset.monitorWg.Wait()
 			err = mset.stop(true, wasLeader)
 			stopped = true
+		} else if isMember {
+			s.Warnf("JetStream failed to lookup running stream while removing stream '%s > %s' from this server",
+				sa.Client.serviceAccount(), sa.Config.Name)
 		}
+	} else if isMember {
+		s.Warnf("JetStream failed to lookup account while removing stream '%s > %s' from this server", sa.Client.serviceAccount(), sa.Config.Name)
 	}
 
 	// Always delete the node if present.
@@ -3441,11 +3712,16 @@ func (js *jetStream) processClusterDeleteStream(sa *streamAssignment, isMember,
 	// 2) node was nil (and couldn't be deleted)
 	if !stopped || node == nil {
 		if sacc := s.SystemAccount(); sacc != nil {
-			os.RemoveAll(filepath.Join(js.config.StoreDir, sacc.GetName(), defaultStoreDirName, sa.Group.Name))
+			saccName := sacc.GetName()
+			os.RemoveAll(filepath.Join(js.config.StoreDir, saccName, defaultStoreDirName, sa.Group.Name))
 			// cleanup dependent consumer groups
 			if !stopped {
 				for _, ca := range sa.consumers {
-					os.RemoveAll(filepath.Join(js.config.StoreDir, sacc.GetName(), defaultStoreDirName, ca.Group.Name))
+					// Make sure we cleanup any possible running nodes for the consumers.
+					if isMember && ca.Group != nil && ca.Group.node != nil {
+						ca.Group.node.Delete()
+					}
+					os.RemoveAll(filepath.Join(js.config.StoreDir, saccName, defaultStoreDirName, ca.Group.Name))
 				}
 			}
 		}
@@ -3520,7 +3796,9 @@ func (js *jetStream) processConsumerAssignment(ca *consumerAssignment) {
 	} else if oca := sa.consumers[ca.Name]; oca != nil {
 		wasExisting = true
 		// Copy over private existing state from former SA.
-		ca.Group.node = oca.Group.node
+		if ca.Group != nil {
+			ca.Group.node = oca.Group.node
+		}
 		ca.responded = oca.responded
 		ca.err = oca.err
 	}
@@ -3635,8 +3913,12 @@ func (js *jetStream) processConsumerRemoval(ca *consumerAssignment) {
 	var needDelete bool
 	if accStreams := cc.streams[ca.Client.serviceAccount()]; accStreams != nil {
 		if sa := accStreams[ca.Stream]; sa != nil && sa.consumers != nil && sa.consumers[ca.Name] != nil {
-			needDelete = true
-			delete(sa.consumers, ca.Name)
+			oca := sa.consumers[ca.Name]
+			// Make sure this removal is for what we have, otherwise ignore.
+			if ca.Group != nil && oca.Group != nil && ca.Group.Name == oca.Group.Name {
+				needDelete = true
+				delete(sa.consumers, ca.Name)
+			}
 		}
 	}
 	js.mu.Unlock()
@@ -3700,6 +3982,7 @@ func (js *jetStream) processClusterCreateConsumer(ca *consumerAssignment, state
 		if ca.Config.MemoryStorage {
 			storage = MemoryStorage
 		}
+		// No-op if R1.
 		js.createRaftGroup(accName, rg, storage)
 	} else {
 		// If we are clustered update the known peers.
@@ -3714,7 +3997,7 @@ func (js *jetStream) processClusterCreateConsumer(ca *consumerAssignment, state
 	var didCreate, isConfigUpdate, needsLocalResponse bool
 	if o == nil {
 		// Add in the consumer if needed.
-		if o, err = mset.addConsumerWithAssignment(ca.Config, ca.Name, ca, false); err == nil {
+		if o, err = mset.addConsumerWithAssignment(ca.Config, ca.Name, ca, wasExisting); err == nil {
 			didCreate = true
 		}
 	} else {
@@ -3803,6 +4086,13 @@ func (js *jetStream) processClusterCreateConsumer(ca *consumerAssignment, state
 
 		if rg.node != nil {
 			rg.node.Delete()
+			// Clear the node here.
+			rg.node = nil
+		}
+
+		// If we did seem to create a consumer make sure to stop it.
+		if o != nil {
+			o.stop()
 		}
 
 		var result *consumerAssignmentResult
@@ -3859,6 +4149,7 @@ func (js *jetStream) processClusterCreateConsumer(ca *consumerAssignment, state
 			// Clustered consumer.
 			// Start our monitoring routine if needed.
 			if !alreadyRunning && !o.isMonitorRunning() {
+				o.monitorWg.Add(1)
 				s.startGoRoutine(func() { js.monitorConsumer(o, ca) })
 			}
 			// For existing consumer, only send response if not recovering.
@@ -4057,6 +4348,8 @@ func (js *jetStream) monitorConsumer(o *consumer, ca *consumerAssignment) {
 	s, n, cc := js.server(), o.raftNode(), js.cluster
 	defer s.grWG.Done()
 
+	defer o.monitorWg.Done()
+
 	if n == nil {
 		s.Warnf("No RAFT group for '%s > %s > %s'", o.acc.Name, ca.Stream, ca.Name)
 		return
@@ -4068,14 +4361,16 @@ func (js *jetStream) monitorConsumer(o *consumer, ca *consumerAssignment) {
 	}
 	defer o.clearMonitorRunning()
 
+	// Make sure to stop the raft group on exit to prevent accidental memory bloat.
+	// This should be below the checkInMonitor call though to avoid stopping it out
+	// from underneath the one that is running since it will be the same raft node.
+	defer n.Stop()
+
 	qch, lch, aq, uch, ourPeerId := n.QuitC(), n.LeadChangeC(), n.ApplyQ(), o.updateC(), cc.meta.ID()
 
 	s.Debugf("Starting consumer monitor for '%s > %s > %s' [%s]", o.acc.Name, ca.Stream, ca.Name, n.Group())
 	defer s.Debugf("Exiting consumer monitor for '%s > %s > %s' [%s]", o.acc.Name, ca.Stream, ca.Name, n.Group())
 
-	// Make sure to stop the raft group on exit to prevent accidental memory bloat.
-	defer n.Stop()
-
 	const (
 		compactInterval = 2 * time.Minute
 		compactSizeMin  = 64 * 1024 // What is stored here is always small for consumers.
@@ -4096,9 +4391,9 @@ func (js *jetStream) monitorConsumer(o *consumer, ca *consumerAssignment) {
 	var lastSnap []byte
 	var lastSnapTime time.Time
 
-	doSnapshot := func() {
+	doSnapshot := func(force bool) {
 		// Bail if trying too fast and not in a forced situation.
-		if time.Since(lastSnapTime) < minSnapDelta {
+		if !force && time.Since(lastSnapTime) < minSnapDelta {
 			return
 		}
 
@@ -4106,7 +4401,7 @@ func (js *jetStream) monitorConsumer(o *consumer, ca *consumerAssignment) {
 		ne, nb := n.Size()
 		if !n.NeedSnapshot() {
 			// Check if we should compact etc. based on size of log.
-			if ne < compactNumMin && nb < compactSizeMin {
+			if !force && ne < compactNumMin && nb < compactSizeMin {
 				return
 			}
 		}
@@ -4164,15 +4459,16 @@ func (js *jetStream) monitorConsumer(o *consumer, ca *consumerAssignment) {
 				if ce == nil {
 					recovering = false
 					if n.NeedSnapshot() {
-						doSnapshot()
+						doSnapshot(true)
 					}
-					continue
-				}
-				if err := js.applyConsumerEntries(o, ce, isLeader); err == nil {
+					// Check our state if we are under an interest based stream.
+					o.checkStateForInterestStream()
+				} else if err := js.applyConsumerEntries(o, ce, isLeader); err == nil {
 					ne, nb := n.Applied(ce.Index)
+					ce.ReturnToPool()
 					// If we have at least min entries to compact, go ahead and snapshot/compact.
 					if nb > 0 && ne >= compactNumMin || nb > compactSizeMin {
-						doSnapshot()
+						doSnapshot(false)
 					}
 				} else {
 					s.Warnf("Error applying consumer entries to '%s > %s'", ca.Client.serviceAccount(), ca.Name)
@@ -4183,8 +4479,20 @@ func (js *jetStream) monitorConsumer(o *consumer, ca *consumerAssignment) {
 			if recovering && !isLeader {
 				js.setConsumerAssignmentRecovering(ca)
 			}
+
+			// Synchronize everyone to our state.
+			if isLeader && n != nil {
+				// Only send out if we have state.
+				if _, _, applied := n.Progress(); applied > 0 {
+					if snap, err := o.store.EncodedState(); err == nil {
+						n.SendSnapshot(snap)
+					}
+				}
+			}
+
+			// Process the change.
 			if err := js.processConsumerLeaderChange(o, isLeader); err == nil && isLeader {
-				doSnapshot()
+				doSnapshot(true)
 			}
 
 			// We may receive a leader change after the consumer assignment which would cancel us
@@ -4273,7 +4581,7 @@ func (js *jetStream) monitorConsumer(o *consumer, ca *consumerAssignment) {
 			}
 
 		case <-t.C:
-			doSnapshot()
+			doSnapshot(false)
 		}
 	}
 }
@@ -4281,24 +4589,29 @@ func (js *jetStream) monitorConsumer(o *consumer, ca *consumerAssignment) {
 func (js *jetStream) applyConsumerEntries(o *consumer, ce *CommittedEntry, isLeader bool) error {
 	for _, e := range ce.Entries {
 		if e.Type == EntrySnapshot {
-			// No-op needed?
-			state, err := decodeConsumerState(e.Data)
-			if err != nil {
-				if mset, node := o.streamAndNode(); mset != nil && node != nil {
-					s := js.srv
-					s.Errorf("JetStream cluster could not decode consumer snapshot for '%s > %s > %s' [%s]",
-						mset.account(), mset.name(), o, node.Group())
+			if !isLeader {
+				// No-op needed?
+				state, err := decodeConsumerState(e.Data)
+				if err != nil {
+					if mset, node := o.streamAndNode(); mset != nil && node != nil {
+						s := js.srv
+						s.Errorf("JetStream cluster could not decode consumer snapshot for '%s > %s > %s' [%s]",
+							mset.account(), mset.name(), o, node.Group())
+					}
+					panic(err.Error())
 				}
-				panic(err.Error())
-			}
-			if err = o.store.Update(state); err != nil {
-				o.mu.RLock()
-				s, acc, mset, name := o.srv, o.acc, o.mset, o.name
-				o.mu.RUnlock()
-				if s != nil && mset != nil {
-					s.Warnf("Consumer '%s > %s > %s' error on store update from snapshot entry: %v", acc, mset.name(), name, err)
+				if err = o.store.Update(state); err != nil {
+					o.mu.RLock()
+					s, acc, mset, name := o.srv, o.acc, o.mset, o.name
+					o.mu.RUnlock()
+					if s != nil && mset != nil {
+						s.Warnf("Consumer '%s > %s > %s' error on store update from snapshot entry: %v", acc, mset.name(), name, err)
+					}
+				} else {
+					o.checkStateForInterestStream()
 				}
 			}
+
 		} else if e.Type == EntryRemovePeer {
 			js.mu.RLock()
 			var ourID string
@@ -4384,7 +4697,7 @@ func (js *jetStream) applyConsumerEntries(o *consumer, ce *CommittedEntry, isLea
 				}
 				o.mu.Unlock()
 			default:
-				panic(fmt.Sprintf("JetStream Cluster Unknown group entry op type! %v", entryOp(buf[0])))
+				panic(fmt.Sprintf("JetStream Cluster Unknown group entry op type: %v", entryOp(buf[0])))
 			}
 		}
 	}
@@ -4393,13 +4706,20 @@ func (js *jetStream) applyConsumerEntries(o *consumer, ce *CommittedEntry, isLea
 
 func (o *consumer) processReplicatedAck(dseq, sseq uint64) {
 	o.mu.Lock()
+
+	mset := o.mset
+	if o.closed || mset == nil {
+		o.mu.Unlock()
+		return
+	}
+
 	// Update activity.
 	o.lat = time.Now()
+
 	// Do actual ack update to store.
 	o.store.UpdateAcks(dseq, sseq)
 
-	mset := o.mset
-	if mset == nil || o.retention == LimitsPolicy {
+	if o.retention == LimitsPolicy {
 		o.mu.Unlock()
 		return
 	}
@@ -4473,29 +4793,34 @@ func (js *jetStream) processConsumerLeaderChange(o *consumer, isLeader bool) err
 		return errors.New("failed to update consumer leader status")
 	}
 
+	if o == nil || o.isClosed() {
+		return stepDownIfLeader()
+	}
+
 	ca := o.consumerAssignment()
 	if ca == nil {
 		return stepDownIfLeader()
 	}
 	js.mu.Lock()
 	s, account, err := js.srv, ca.Client.serviceAccount(), ca.err
-	client, subject, reply := ca.Client, ca.Subject, ca.Reply
+	client, subject, reply, streamName, consumerName := ca.Client, ca.Subject, ca.Reply, ca.Stream, ca.Name
 	hasResponded := ca.responded
 	ca.responded = true
 	js.mu.Unlock()
 
-	streamName, consumerName := o.streamName(), o.String()
 	acc, _ := s.LookupAccount(account)
 	if acc == nil {
 		return stepDownIfLeader()
 	}
 
 	if isLeader {
+		// ** added by Memphis
 		logFunc := s.Noticef
 		if strings.Contains(streamName, "$memphis") ||
 			strings.Contains(consumerName, "$memphis") {
 			logFunc = s.Debugf
 		}
+		// ** added by Memphis
 		logFunc("JetStream cluster new consumer leader for '%s > %s > %s'", ca.Client.serviceAccount(), streamName, consumerName)
 		s.sendConsumerLeaderElectAdvisory(o)
 		// Check for peer removal and process here if needed.
@@ -4643,6 +4968,9 @@ func (js *jetStream) processStreamAssignmentResults(sub *subscription, c *client
 	defer js.mu.Unlock()
 
 	s, cc := js.srv, js.cluster
+	if cc == nil || cc.meta == nil {
+		return
+	}
 
 	// This should have been done already in processStreamAssignment, but in
 	// case we have a code path that gets here with no processStreamAssignment,
@@ -4716,6 +5044,9 @@ func (js *jetStream) processConsumerAssignmentResults(sub *subscription, c *clie
 	defer js.mu.Unlock()
 
 	s, cc := js.srv, js.cluster
+	if cc == nil || cc.meta == nil {
+		return
+	}
 
 	if sa := js.streamAssignment(result.Account, result.Stream); sa != nil && sa.consumers != nil {
 		if ca := sa.consumers[result.Consumer]; ca != nil && !ca.responded {
@@ -4869,7 +5200,12 @@ func (cc *jetStreamCluster) remapStreamAssignment(sa *streamAssignment, removePe
 		return true
 	}
 
-	// If we are here let's remove the peer at least.
+	// If R1 just return to avoid bricking the stream.
+	if sa.Group.node == nil || len(sa.Group.Peers) == 1 {
+		return false
+	}
+
+	// If we are here let's remove the peer at least, as long as we are R>1
 	for i, peer := range sa.Group.Peers {
 		if peer == removePeer {
 			sa.Group.Peers[i] = sa.Group.Peers[len(sa.Group.Peers)-1]
@@ -5432,19 +5768,20 @@ var (
 
 // blocking utility call to perform requests on the system account
 // returns (synchronized) v or error
-func (s *Server) sysRequest(v interface{}, subjFormat string, args ...interface{}) (interface{}, error) {
+func sysRequest[T any](s *Server, subjFormat string, args ...interface{}) (*T, error) {
 	isubj := fmt.Sprintf(subjFormat, args...)
+
 	s.mu.Lock()
 	inbox := s.newRespInbox()
-	results := make(chan interface{}, 1)
-	// Store our handler.
-	s.sys.replies[inbox] = func(sub *subscription, _ *client, _ *Account, subject, _ string, msg []byte) {
-		if err := json.Unmarshal(msg, v); err != nil {
+	results := make(chan *T, 1)
+	s.sys.replies[inbox] = func(_ *subscription, _ *client, _ *Account, _, _ string, msg []byte) {
+		var v T
+		if err := json.Unmarshal(msg, &v); err != nil {
 			s.Warnf("Error unmarshalling response for request '%s':%v", isubj, err)
 			return
 		}
 		select {
-		case results <- v:
+		case results <- &v:
 		default:
 			s.Warnf("Failed placing request response on internal channel")
 		}
@@ -5453,27 +5790,22 @@ func (s *Server) sysRequest(v interface{}, subjFormat string, args ...interface{
 
 	s.sendInternalMsgLocked(isubj, inbox, nil, nil)
 
-	const timeout = 2 * time.Second
-	notActive := time.NewTimer(timeout)
-	defer notActive.Stop()
-
-	var err error
-	var data interface{}
+	defer func() {
+		s.mu.Lock()
+		defer s.mu.Unlock()
+		if s.sys != nil && s.sys.replies != nil {
+			delete(s.sys.replies, inbox)
+		}
+	}()
 
 	select {
 	case <-s.quitCh:
-		err = errReqSrvExit
-	case <-notActive.C:
-		err = errReqTimeout
-	case data = <-results:
+		return nil, errReqSrvExit
+	case <-time.After(2 * time.Second):
+		return nil, errReqTimeout
+	case data := <-results:
+		return data, nil
 	}
-	// Clean up here.
-	s.mu.Lock()
-	if s.sys != nil && s.sys.replies != nil {
-		delete(s.sys.replies, inbox)
-	}
-	s.mu.Unlock()
-	return data, err
 }
 
 func (s *Server) jsClusteredStreamUpdateRequest(ci *ClientInfo, acc *Account, subject, reply string, rmsg []byte, cfg *StreamConfig, peerSet []string) {
@@ -5485,6 +5817,10 @@ func (s *Server) jsClusteredStreamUpdateRequest(ci *ClientInfo, acc *Account, su
 	// Now process the request and proposal.
 	js.mu.Lock()
 	defer js.mu.Unlock()
+	meta := cc.meta
+	if meta == nil {
+		return
+	}
 
 	var resp = JSApiStreamUpdateResponse{ApiResponse: ApiResponse{Type: JSApiStreamUpdateResponseType}}
 
@@ -5563,9 +5899,9 @@ func (s *Server) jsClusteredStreamUpdateRequest(ci *ClientInfo, acc *Account, su
 		} else {
 			// Need to release js lock.
 			js.mu.Unlock()
-			if si, err := s.sysRequest(&StreamInfo{}, clusterStreamInfoT, ci.serviceAccount(), cfg.Name); err != nil {
+			if si, err := sysRequest[StreamInfo](s, clusterStreamInfoT, ci.serviceAccount(), cfg.Name); err != nil {
 				msg = fmt.Sprintf("error retrieving info: %s", err.Error())
-			} else if si := si.(*StreamInfo); si != nil {
+			} else if si != nil {
 				currentCount := 0
 				if si.Cluster.Leader != _EMPTY_ {
 					currentCount++
@@ -5598,6 +5934,18 @@ func (s *Server) jsClusteredStreamUpdateRequest(ci *ClientInfo, acc *Account, su
 	if isReplicaChange {
 		// We are adding new peers here.
 		if newCfg.Replicas > len(rg.Peers) {
+			// Check if we do not have a cluster assigned, and if we do not make sure we
+			// try to pick one. This could happen with older streams that were assigned by
+			// previous servers.
+			if rg.Cluster == _EMPTY_ {
+				// Prefer placement directrives if we have them.
+				if newCfg.Placement != nil && newCfg.Placement.Cluster != _EMPTY_ {
+					rg.Cluster = newCfg.Placement.Cluster
+				} else {
+					// Fall back to the cluster assignment from the client.
+					rg.Cluster = ci.Cluster
+				}
+			}
 			peers, err := cc.selectPeerGroup(newCfg.Replicas, rg.Cluster, newCfg, rg.Peers, 0, nil)
 			if err != nil {
 				resp.Error = NewJSClusterNoPeersError(err)
@@ -5620,10 +5968,12 @@ func (s *Server) jsClusteredStreamUpdateRequest(ci *ClientInfo, acc *Account, su
 			if !s.allPeersOffline(rg) {
 				// Need to release js lock.
 				js.mu.Unlock()
-				if si, err := s.sysRequest(&StreamInfo{}, clusterStreamInfoT, ci.serviceAccount(), cfg.Name); err != nil {
+				if si, err := sysRequest[StreamInfo](s, clusterStreamInfoT, ci.serviceAccount(), cfg.Name); err != nil {
 					s.Warnf("Did not receive stream info results for '%s > %s' due to: %s", acc, cfg.Name, err)
-				} else if cl := si.(*StreamInfo).Cluster; cl != nil && cl.Leader != _EMPTY_ {
-					curLeader = getHash(cl.Leader)
+				} else if si != nil {
+					if cl := si.Cluster; cl != nil && cl.Leader != _EMPTY_ {
+						curLeader = getHash(cl.Leader)
+					}
 				}
 				// Re-acquire here.
 				js.mu.Lock()
@@ -5653,9 +6003,9 @@ func (s *Server) jsClusteredStreamUpdateRequest(ci *ClientInfo, acc *Account, su
 
 		// Need to remap any consumers.
 		for _, ca := range osa.consumers {
-			// Ephemerals are R=1, so only auto-remap durables, or R>1.
+			// Ephemerals are R=1, so only auto-remap durables, or R>1, unless stream is interest or workqueue policy.
 			numPeers := len(ca.Group.Peers)
-			if ca.Config.Durable != _EMPTY_ || numPeers > 1 {
+			if ca.Config.Durable != _EMPTY_ || numPeers > 1 || cfg.Retention != LimitsPolicy {
 				cca := ca.copyGroup()
 				// Adjust preferred as needed.
 				if numPeers == 1 && len(rg.Peers) > 1 {
@@ -5748,13 +6098,12 @@ func (s *Server) jsClusteredStreamUpdateRequest(ci *ClientInfo, acc *Account, su
 	}
 
 	sa := &streamAssignment{Group: rg, Sync: osa.Sync, Created: osa.Created, Config: newCfg, Subject: subject, Reply: reply, Client: ci}
-	cc.meta.Propose(encodeUpdateStreamAssignment(sa))
+	meta.Propose(encodeUpdateStreamAssignment(sa))
 
 	// Process any staged consumers.
 	for _, ca := range consumers {
-		cc.meta.Propose(encodeAddConsumerAssignment(ca))
+		meta.Propose(encodeAddConsumerAssignment(ca))
 	}
-
 }
 
 func (s *Server) jsClusteredStreamDeleteRequest(ci *ClientInfo, acc *Account, stream, subject, reply string, rmsg []byte) {
@@ -5766,6 +6115,10 @@ func (s *Server) jsClusteredStreamDeleteRequest(ci *ClientInfo, acc *Account, st
 	js.mu.Lock()
 	defer js.mu.Unlock()
 
+	if cc.meta == nil {
+		return
+	}
+
 	osa := js.streamAssignment(acc.Name, stream)
 	if osa == nil {
 		var resp = JSApiStreamDeleteResponse{ApiResponse: ApiResponse{Type: JSApiStreamDeleteResponseType}}
@@ -5839,6 +6192,10 @@ func (s *Server) jsClusteredStreamRestoreRequest(
 	js.mu.Lock()
 	defer js.mu.Unlock()
 
+	if cc.meta == nil {
+		return
+	}
+
 	cfg := &req.Config
 	resp := JSApiStreamRestoreResponse{ApiResponse: ApiResponse{Type: JSApiStreamRestoreResponseType}}
 
@@ -6181,7 +6538,7 @@ LOOP:
 		})
 	}
 
-	resp.Total = len(resp.Consumers)
+	resp.Total = ocnt
 	resp.Limit = JSApiListLimit
 	resp.Offset = offset
 	resp.Missing = missingNames
@@ -6210,6 +6567,10 @@ func (s *Server) jsClusteredConsumerDeleteRequest(ci *ClientInfo, acc *Account,
 	js.mu.Lock()
 	defer js.mu.Unlock()
 
+	if cc.meta == nil {
+		return
+	}
+
 	var resp = JSApiConsumerDeleteResponse{ApiResponse: ApiResponse{Type: JSApiConsumerDeleteResponseType}}
 
 	sa := js.streamAssignment(acc.Name, stream)
@@ -6401,6 +6762,10 @@ func (s *Server) jsClusteredConsumerRequest(ci *ClientInfo, acc *Account, subjec
 	js.mu.Lock()
 	defer js.mu.Unlock()
 
+	if cc.meta == nil {
+		return
+	}
+
 	// Lookup the stream assignment.
 	sa := js.streamAssignment(acc.Name, stream)
 	if sa == nil {
@@ -6552,10 +6917,12 @@ func (s *Server) jsClusteredConsumerRequest(ci *ClientInfo, acc *Account, subjec
 			if !s.allPeersOffline(ca.Group) {
 				// Need to release js lock.
 				js.mu.Unlock()
-				if ci, err := s.sysRequest(&ConsumerInfo{}, clusterConsumerInfoT, ci.serviceAccount(), sa.Config.Name, cfg.Durable); err != nil {
+				if ci, err := sysRequest[ConsumerInfo](s, clusterConsumerInfoT, ci.serviceAccount(), sa.Config.Name, cfg.Durable); err != nil {
 					s.Warnf("Did not receive consumer info results for '%s > %s > %s' due to: %s", acc, sa.Config.Name, cfg.Durable, err)
-				} else if cl := ci.(*ConsumerInfo).Cluster; cl != nil {
-					curLeader = getHash(cl.Leader)
+				} else if ci != nil {
+					if cl := ci.Cluster; cl != nil {
+						curLeader = getHash(cl.Leader)
+					}
 				}
 				// Re-acquire here.
 				js.mu.Lock()
@@ -6740,7 +7107,7 @@ func encodeStreamMsg(subject, reply string, hdr, msg []byte, lseq uint64, ts int
 
 // Threshold for compression.
 // TODO(dlc) - Eventually make configurable.
-const compressThreshold = 4 * 1024
+const compressThreshold = 256
 
 // If allowed and contents over the threshold we will compress.
 func encodeStreamMsgAllowCompress(subject, reply string, hdr, msg []byte, lseq uint64, ts int64, compressOK bool) []byte {
@@ -6883,7 +7250,7 @@ func (mset *stream) processClusteredInboundMsg(subject, reply string, hdr, msg [
 
 	// Check here pre-emptively if we have exceeded this server limits.
 	if js.limitsExceeded(stype) {
-		s.resourcesExeededError()
+		s.resourcesExceededError()
 		if canRespond {
 			b, _ := json.Marshal(&JSPubAckResponse{PubAck: &PubAck{Stream: name}, Error: NewJSInsufficientResourcesError()})
 			outq.send(newJSPubMsg(reply, _EMPTY_, _EMPTY_, nil, b, nil, 0))
@@ -7027,7 +7394,7 @@ func (mset *stream) processClusteredInboundMsg(subject, reply string, hdr, msg [
 	// Check to see if we are being overrun.
 	// TODO(dlc) - Make this a limit where we drop messages to protect ourselves, but allow to be configured.
 	if mset.clseq-(lseq+clfs) > streamLagWarnThreshold {
-		lerr := fmt.Errorf("JetStream stream '%s > %s' has high message lag", jsa.acc().Name, mset.cfg.Name)
+		lerr := fmt.Errorf("JetStream stream '%s > %s' has high message lag", jsa.acc().Name, name)
 		s.RateLimitWarnf(lerr.Error())
 	}
 	mset.clMu.Unlock()
@@ -7069,15 +7436,18 @@ func (mset *stream) calculateSyncRequest(state *StreamState, snap *streamSnapsho
 // processSnapshotDeletes will update our current store based on the snapshot
 // but only processing deletes and new FirstSeq / purges.
 func (mset *stream) processSnapshotDeletes(snap *streamSnapshot) {
+	mset.mu.Lock()
 	var state StreamState
 	mset.store.FastState(&state)
-
 	// Always adjust if FirstSeq has moved beyond our state.
 	if snap.FirstSeq > state.FirstSeq {
 		mset.store.Compact(snap.FirstSeq)
 		mset.store.FastState(&state)
-		mset.setLastSeq(state.LastSeq)
+		mset.lseq = state.LastSeq
+		mset.clearAllPreAcksBelowFloor(state.FirstSeq)
 	}
+	mset.mu.Unlock()
+
 	// Range the deleted and delete if applicable.
 	for _, dseq := range snap.Deleted {
 		if dseq > state.FirstSeq && dseq <= state.LastSeq {
@@ -7262,28 +7632,47 @@ func (mset *stream) processSnapshot(snap *streamSnapshot) (e error) {
 	// we are synched for the next message sequence properly.
 	lastRequested := sreq.LastSeq
 	checkFinalState := func() {
-		if mset != nil {
-			mset.mu.Lock()
-			var state StreamState
+		// Bail if no stream.
+		if mset == nil {
+			return
+		}
+
+		mset.mu.Lock()
+		var state StreamState
+		mset.store.FastState(&state)
+		var didReset bool
+		firstExpected := lastRequested + 1
+		if state.FirstSeq != firstExpected {
+			// Reset our notion of first.
+			mset.store.Compact(firstExpected)
 			mset.store.FastState(&state)
-			var didReset bool
-			firstExpected := lastRequested + 1
-			if state.FirstSeq != firstExpected {
-				// Reset our notion of first.
-				mset.store.Compact(firstExpected)
-				mset.store.FastState(&state)
-				// Make sure last is also correct in case this also moved.
-				mset.lseq = state.LastSeq
-				didReset = true
-			}
-			mset.mu.Unlock()
-			if didReset {
-				s.Warnf("Catchup for stream '%s > %s' resetting first sequence: %d on catchup complete",
-					mset.account(), mset.name(), firstExpected)
-			}
+			// Make sure last is also correct in case this also moved.
+			mset.lseq = state.LastSeq
+			mset.clearAllPreAcksBelowFloor(state.FirstSeq)
+			didReset = true
+		}
+		mset.mu.Unlock()
+
+		if didReset {
+			s.Warnf("Catchup for stream '%s > %s' resetting first sequence: %d on catchup complete",
+				mset.account(), mset.name(), firstExpected)
+		}
+
+		mset.mu.RLock()
+		consumers := make([]*consumer, 0, len(mset.consumers))
+		for _, o := range mset.consumers {
+			consumers = append(consumers, o)
+		}
+		mset.mu.RUnlock()
+		for _, o := range consumers {
+			o.checkStateForInterestStream()
 		}
 	}
 
+	// Do not let this go on forever.
+	const maxRetries = 3
+	var numRetries int
+
 RETRY:
 	// On retry, we need to release the semaphore we got. Call will be no-op
 	// if releaseSem boolean has not been set to true on successfully getting
@@ -7300,13 +7689,20 @@ RETRY:
 		sub = nil
 	}
 
-	// Block here if we have too many requests in flight.
-	<-s.syncOutSem
-	releaseSem = true
 	if !s.isRunning() {
 		return ErrServerNotRunning
 	}
 
+	numRetries++
+	if numRetries >= maxRetries {
+		// Force a hard reset here.
+		return errFirstSequenceMismatch
+	}
+
+	// Block here if we have too many requests in flight.
+	<-s.syncOutSem
+	releaseSem = true
+
 	// We may have been blocked for a bit, so the reset need to ensure that we
 	// consume the already fired timer.
 	if !notActive.Stop() {
@@ -7400,7 +7796,7 @@ RETRY:
 				} else if err == NewJSInsufficientResourcesError() {
 					notifyLeaderStopCatchup(mrec, err)
 					if mset.js.limitsExceeded(mset.cfg.Storage) {
-						s.resourcesExeededError()
+						s.resourcesExceededError()
 					} else {
 						s.Warnf("Catchup for stream '%s > %s' errored, account resources exceeded: %v", mset.account(), mset.name(), err)
 					}
@@ -7472,11 +7868,17 @@ func (mset *stream) processCatchupMsg(msg []byte) (uint64, error) {
 		return 0, errCatchupBadMsg
 	}
 
-	mset.mu.RLock()
+	mset.mu.Lock()
 	st := mset.cfg.Storage
 	ddloaded := mset.ddloaded
 	tierName := mset.tier
-	mset.mu.RUnlock()
+
+	if mset.hasAllPreAcks(seq, subj) {
+		mset.clearAllPreAcks(seq)
+		// Mark this to be skipped
+		subj, ts = _EMPTY_, 0
+	}
+	mset.mu.Unlock()
 
 	if mset.js.limitsExceeded(st) {
 		return 0, NewJSInsufficientResourcesError()
@@ -7693,9 +8095,9 @@ func (mset *stream) processClusterStreamInfoRequest(reply string) {
 		return
 	}
 
-	// If we are not the leader let someone else possible respond first.
+	// If we are not the leader let someone else possibly respond first.
 	if !isLeader {
-		time.Sleep(200 * time.Millisecond)
+		time.Sleep(500 * time.Millisecond)
 	}
 
 	si := &StreamInfo{
diff --git a/server/jetstream_cluster_1_test.go b/server/jetstream_cluster_1_test.go
index b899f0e3d..8df84b379 100644
--- a/server/jetstream_cluster_1_test.go
+++ b/server/jetstream_cluster_1_test.go
@@ -971,6 +971,7 @@ func TestJetStreamClusterRestoreSingleConsumer(t *testing.T) {
 	c.stopAll()
 	c.restartAll()
 	c.waitOnLeader()
+	c.waitOnStreamLeader("$G", "foo")
 
 	s = c.randomServer()
 	nc, js = jsClientConnect(t, s)
@@ -3719,6 +3720,7 @@ func TestJetStreamClusterAccountPurge(t *testing.T) {
 				resolver: {
 					type: full
 					dir: '%s/jwt'
+					timeout: "10ms"
 				}`, ojwt, syspub, storeDir)
 		})
 	defer c.shutdown()
@@ -3891,7 +3893,6 @@ func TestJetStreamClusterAccountPurge(t *testing.T) {
 		}
 		c.restartAll()
 		checkForDirs(t, 6, 4)
-		c.waitOnClusterReady() // unfortunately, this does not wait until leader is not catching up.
 		purge(t)
 		checkForDirs(t, 0, 0)
 		c.stopAll()
@@ -5818,18 +5819,6 @@ func TestJetStreamClusterFailMirrorsAndSources(t *testing.T) {
 		})
 	}
 
-	testPrefix("mirror-bad-deliverprefix", JSStreamExternalDelPrefixOverlapsErrF, StreamConfig{
-		Name:    "MY_MIRROR_TEST",
-		Storage: FileStorage,
-		Mirror: &StreamSource{
-			Name: "TEST",
-			External: &ExternalStream{
-				ApiPrefix: "RI.JS.API",
-				// this will result in test.test.> which test.> would match
-				DeliverPrefix: "test",
-			},
-		},
-	})
 	testPrefix("mirror-bad-apiprefix", JSStreamExternalApiOverlapErrF, StreamConfig{
 		Name:    "MY_MIRROR_TEST",
 		Storage: FileStorage,
@@ -5841,18 +5830,6 @@ func TestJetStreamClusterFailMirrorsAndSources(t *testing.T) {
 			},
 		},
 	})
-	testPrefix("source-bad-deliverprefix", JSStreamExternalDelPrefixOverlapsErrF, StreamConfig{
-		Name:    "MY_SOURCE_TEST",
-		Storage: FileStorage,
-		Sources: []*StreamSource{{
-			Name: "TEST",
-			External: &ExternalStream{
-				ApiPrefix:     "RI.JS.API",
-				DeliverPrefix: "test",
-			},
-		},
-		},
-	})
 	testPrefix("source-bad-apiprefix", JSStreamExternalApiOverlapErrF, StreamConfig{
 		Name:    "MY_SOURCE_TEST",
 		Storage: FileStorage,
diff --git a/server/jetstream_cluster_2_test.go b/server/jetstream_cluster_2_test.go
index bd530ca10..e927742f6 100644
--- a/server/jetstream_cluster_2_test.go
+++ b/server/jetstream_cluster_2_test.go
@@ -3305,6 +3305,7 @@ func TestJetStreamClusterStreamUpdateSyncBug(t *testing.T) {
 	}
 
 	// We need to snapshot to force upper layer catchup vs RAFT layer.
+	c.waitOnAllCurrent()
 	mset, err := c.streamLeader("$G", "TEST").GlobalAccount().lookupStream("TEST")
 	if err != nil {
 		t.Fatalf("Expected to find a stream for %q", "TEST")
@@ -3313,6 +3314,7 @@ func TestJetStreamClusterStreamUpdateSyncBug(t *testing.T) {
 		t.Fatalf("Unexpected error: %v", err)
 	}
 
+	c.waitOnAllCurrent()
 	nsl = c.restartServer(nsl)
 	c.waitOnStreamCurrent(nsl, "$G", "TEST")
 
@@ -4322,7 +4324,7 @@ func TestJetStreamClusterStreamReplicaUpdates(t *testing.T) {
 		require_NoError(t, err)
 		c.waitOnStreamLeader("$G", "TEST")
 
-		checkFor(t, 5*time.Second, 100*time.Millisecond, func() error {
+		checkFor(t, 10*time.Second, 100*time.Millisecond, func() error {
 			si, err = js.StreamInfo("TEST")
 			require_NoError(t, err)
 			if len(si.Cluster.Replicas) != r-1 {
@@ -4936,11 +4938,11 @@ func TestJetStreamClusterDuplicateMsgIdsOnCatchupAndLeaderTakeover(t *testing.T)
 	// Now restart
 	sr = c.restartServer(sr)
 	c.waitOnStreamCurrent(sr, "$G", "TEST")
+	c.waitOnStreamLeader("$G", "TEST")
 
 	// Now make them the leader.
 	for sr != c.streamLeader("$G", "TEST") {
-		_, err = nc.Request(fmt.Sprintf(JSApiStreamLeaderStepDownT, "TEST"), nil, time.Second)
-		require_NoError(t, err)
+		nc.Request(fmt.Sprintf(JSApiStreamLeaderStepDownT, "TEST"), nil, time.Second)
 		c.waitOnStreamLeader("$G", "TEST")
 	}
 
@@ -5238,12 +5240,14 @@ func TestJetStreamClusterDeleteAndRestoreAndRestart(t *testing.T) {
 	nc, js = jsClientConnect(t, c.randomServer())
 	defer nc.Close()
 
-	si, err := js.StreamInfo("TEST")
-	require_NoError(t, err)
-
-	if si.State.Msgs != 22 {
-		t.Fatalf("State is not correct after restart")
-	}
+	checkFor(t, 2*time.Second, 100*time.Millisecond, func() error {
+		si, err := js.StreamInfo("TEST")
+		require_NoError(t, err)
+		if si.State.Msgs != 22 {
+			return fmt.Errorf("State is not correct after restart, expected 22 msgs, got %d", si.State.Msgs)
+		}
+		return nil
+	})
 
 	ci, err := js.ConsumerInfo("TEST", "dlc")
 	require_NoError(t, err)
@@ -5782,9 +5786,6 @@ func TestJetStreamClusterConsumerDeliverNewMaxRedeliveriesAndServerRestart(t *te
 		t.Fatalf("Expected timeout, got msg=%+v err=%v", msg, err)
 	}
 
-	// Give a chance to things to be persisted
-	time.Sleep(300 * time.Millisecond)
-
 	// Check server restart
 	nc.Close()
 	c.stopAll()
diff --git a/server/jetstream_cluster_3_test.go b/server/jetstream_cluster_3_test.go
index 03e1e52e8..7786f414b 100644
--- a/server/jetstream_cluster_3_test.go
+++ b/server/jetstream_cluster_3_test.go
@@ -1,4 +1,4 @@
-// Copyright 2022 The NATS Authors
+// Copyright 2022-2023 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -27,9 +27,11 @@ import (
 	"reflect"
 	"strings"
 	"sync"
+	"sync/atomic"
 	"testing"
 	"time"
 
+	"github.com/nats-io/jwt/v2"
 	"github.com/nats-io/nats.go"
 )
 
@@ -313,7 +315,7 @@ func TestJetStreamClusterDeleteConsumerWhileServerDown(t *testing.T) {
 
 	// Restart.
 	s = c.restartServer(s)
-	checkFor(t, time.Second, 200*time.Millisecond, func() error {
+	checkFor(t, 10*time.Second, 200*time.Millisecond, func() error {
 		hs := s.healthz(&HealthzOptions{
 			JSEnabledOnly: false,
 			JSServerOnly:  false,
@@ -355,7 +357,7 @@ func TestJetStreamClusterDeleteConsumerWhileServerDown(t *testing.T) {
 
 	// Restart.
 	s = c.restartServer(s)
-	checkFor(t, time.Second, 200*time.Millisecond, func() error {
+	checkFor(t, time.Second*2, 200*time.Millisecond, func() error {
 		hs := s.healthz(&HealthzOptions{
 			JSEnabledOnly: false,
 			JSServerOnly:  false,
@@ -398,7 +400,7 @@ func TestJetStreamClusterNegativeReplicas(t *testing.T) {
 		})
 		require_NoError(t, err)
 
-		// Check upadte now.
+		// Check update now.
 		_, err = js.UpdateStream(&nats.StreamConfig{
 			Name:     name,
 			Replicas: -11,
@@ -1046,6 +1048,7 @@ func TestJetStreamClusterSourceWithOptStartTime(t *testing.T) {
 			sd := s.JetStreamConfig().StoreDir
 			s.Shutdown()
 			s = RunJetStreamServerOnPort(-1, sd)
+			defer s.Shutdown()
 		}
 
 		// Wait a bit before checking because sync'ing (even with the defect)
@@ -1590,7 +1593,7 @@ func TestJetStreamGhostEphemeralsAfterRestart(t *testing.T) {
 	defer nc.Close()
 
 	subj := fmt.Sprintf(JSApiConsumerListT, "TEST")
-	checkFor(t, 5*time.Second, 200*time.Millisecond, func() error {
+	checkFor(t, 10*time.Second, 200*time.Millisecond, func() error {
 		m, err := nc.Request(subj, nil, time.Second)
 		if err != nil {
 			return err
@@ -2241,14 +2244,15 @@ func TestJetStreamClusterMemLeaderRestart(t *testing.T) {
 
 	// Make sure that we have a META leader (there can always be a re-election)
 	c.waitOnLeader()
+	c.waitOnStreamLeader(globalAccountName, "foo")
 
 	// Should still have quorum and a new leader
-	checkFor(t, time.Second, 200*time.Millisecond, func() error {
+	checkFor(t, 5*time.Second, 200*time.Millisecond, func() error {
 		osi, err = jsc.StreamInfo("foo")
 		if err != nil {
 			return fmt.Errorf("expected healthy stream asset, got %s", err.Error())
 		}
-		if osi.Cluster.Leader == "" {
+		if osi.Cluster.Leader == _EMPTY_ {
 			return fmt.Errorf("expected healthy stream asset with new leader")
 		}
 		if osi.State.Msgs != uint64(toSend) {
@@ -2728,13 +2732,16 @@ func TestJetStreamClusterInterestPolicyEphemeral(t *testing.T) {
 			}
 
 			const msgs = 5_000
-			done, count := make(chan bool), 0
+			done, count := make(chan bool, 1), 0
 
 			sub, err := js.Subscribe(_EMPTY_, func(msg *nats.Msg) {
 				require_NoError(t, msg.Ack())
 				count++
 				if count >= msgs {
-					done <- true
+					select {
+					case done <- true:
+					default:
+					}
 				}
 			}, nats.Bind(test.stream, name), nats.ManualAck())
 			require_NoError(t, err)
@@ -2923,3 +2930,2457 @@ func TestJetStreamClusterStreamMaxAgeScaleUp(t *testing.T) {
 		})
 	}
 }
+
+func TestJetStreamClusterWorkQueueConsumerReplicatedAfterScaleUp(t *testing.T) {
+	c := createJetStreamClusterExplicit(t, "R3S", 3)
+	defer c.shutdown()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:      "TEST",
+		Replicas:  1,
+		Subjects:  []string{"WQ"},
+		Retention: nats.WorkQueuePolicy,
+	})
+	require_NoError(t, err)
+
+	// Create an ephemeral consumer.
+	sub, err := js.SubscribeSync("WQ")
+	require_NoError(t, err)
+
+	// Scale up to R3.
+	_, err = js.UpdateStream(&nats.StreamConfig{
+		Name:      "TEST",
+		Replicas:  3,
+		Subjects:  []string{"WQ"},
+		Retention: nats.WorkQueuePolicy,
+	})
+	require_NoError(t, err)
+	c.waitOnStreamLeader(globalAccountName, "TEST")
+
+	ci, err := sub.ConsumerInfo()
+	require_NoError(t, err)
+
+	require_True(t, ci.Config.Replicas == 0 || ci.Config.Replicas == 3)
+
+	c.waitOnConsumerLeader(globalAccountName, "TEST", ci.Name)
+	s := c.consumerLeader(globalAccountName, "TEST", ci.Name)
+	require_NotNil(t, s)
+
+	mset, err := s.GlobalAccount().lookupStream("TEST")
+	require_NoError(t, err)
+
+	o := mset.lookupConsumer(ci.Name)
+	require_NotNil(t, o)
+	require_NotNil(t, o.raftNode())
+}
+
+// https://github.com/nats-io/nats-server/issues/3953
+func TestJetStreamClusterWorkQueueAfterScaleUp(t *testing.T) {
+	c := createJetStreamClusterExplicit(t, "R3S", 3)
+	defer c.shutdown()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:      "TEST",
+		Replicas:  1,
+		Subjects:  []string{"WQ"},
+		Retention: nats.WorkQueuePolicy,
+	})
+	require_NoError(t, err)
+
+	_, err = js.AddConsumer("TEST", &nats.ConsumerConfig{
+		Durable:        "d1",
+		DeliverSubject: "d1",
+		AckPolicy:      nats.AckExplicitPolicy,
+	})
+	require_NoError(t, err)
+
+	wch := make(chan bool, 1)
+	_, err = nc.Subscribe("d1", func(msg *nats.Msg) {
+		msg.AckSync()
+		wch <- true
+	})
+	require_NoError(t, err)
+
+	_, err = js.UpdateStream(&nats.StreamConfig{
+		Name:      "TEST",
+		Replicas:  3,
+		Subjects:  []string{"WQ"},
+		Retention: nats.WorkQueuePolicy,
+	})
+	require_NoError(t, err)
+	c.waitOnStreamLeader(globalAccountName, "TEST")
+
+	sendStreamMsg(t, nc, "WQ", "SOME WORK")
+	<-wch
+
+	checkFor(t, time.Second, 200*time.Millisecond, func() error {
+		si, err := js.StreamInfo("TEST")
+		require_NoError(t, err)
+		if si.State.Msgs == 0 {
+			return nil
+		}
+		return fmt.Errorf("Still have %d msgs left", si.State.Msgs)
+	})
+}
+
+func TestJetStreamClusterInterestBasedStreamAndConsumerSnapshots(t *testing.T) {
+	c := createJetStreamClusterExplicit(t, "R3S", 3)
+	defer c.shutdown()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:      "TEST",
+		Replicas:  3,
+		Subjects:  []string{"foo"},
+		Retention: nats.InterestPolicy,
+	})
+	require_NoError(t, err)
+
+	sub, err := js.SubscribeSync("foo", nats.Durable("d22"))
+	require_NoError(t, err)
+
+	num := 200
+	for i := 0; i < num; i++ {
+		js.PublishAsync("foo", []byte("ok"))
+	}
+	select {
+	case <-js.PublishAsyncComplete():
+	case <-time.After(5 * time.Second):
+		t.Fatalf("Did not receive completion signal")
+	}
+
+	checkSubsPending(t, sub, num)
+
+	// Shutdown one server.
+	s := c.randomServer()
+	s.Shutdown()
+
+	c.waitOnStreamLeader(globalAccountName, "TEST")
+
+	nc, js = jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	// Now ack all messages while the other server is down.
+	for i := 0; i < num; i++ {
+		m, err := sub.NextMsg(time.Second)
+		require_NoError(t, err)
+		m.AckSync()
+	}
+
+	// Wait for all message acks to be processed and all messages to be removed.
+	checkFor(t, time.Second, 200*time.Millisecond, func() error {
+		si, err := js.StreamInfo("TEST")
+		require_NoError(t, err)
+		if si.State.Msgs == 0 {
+			return nil
+		}
+		return fmt.Errorf("Still have %d msgs left", si.State.Msgs)
+	})
+
+	// Force a snapshot on the consumer leader before restarting the downed server.
+	cl := c.consumerLeader(globalAccountName, "TEST", "d22")
+	require_NotNil(t, cl)
+
+	mset, err := cl.GlobalAccount().lookupStream("TEST")
+	require_NoError(t, err)
+
+	o := mset.lookupConsumer("d22")
+	require_NotNil(t, o)
+
+	snap, err := o.store.EncodedState()
+	require_NoError(t, err)
+
+	n := o.raftNode()
+	require_NotNil(t, n)
+	require_NoError(t, n.InstallSnapshot(snap))
+
+	// Now restart the downed server.
+	s = c.restartServer(s)
+
+	// Make the restarted server the eventual leader.
+	checkFor(t, 20*time.Second, 200*time.Millisecond, func() error {
+		c.waitOnStreamLeader(globalAccountName, "TEST")
+		if sl := c.streamLeader(globalAccountName, "TEST"); sl != s {
+			sl.JetStreamStepdownStream(globalAccountName, "TEST")
+			return fmt.Errorf("Server %s is not leader yet", s)
+		}
+		return nil
+	})
+
+	si, err := js.StreamInfo("TEST")
+	require_NoError(t, err)
+	require_True(t, si.State.Msgs == 0)
+}
+
+func TestJetStreamClusterConsumerFollowerStoreStateAckFloorBug(t *testing.T) {
+	c := createJetStreamClusterExplicit(t, "R3S", 3)
+	defer c.shutdown()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Replicas: 3,
+		Subjects: []string{"foo"},
+	})
+	require_NoError(t, err)
+
+	sub, err := js.PullSubscribe(_EMPTY_, "C", nats.BindStream("TEST"), nats.ManualAck())
+	require_NoError(t, err)
+
+	num := 100
+	for i := 0; i < num; i++ {
+		sendStreamMsg(t, nc, "foo", "data")
+	}
+
+	// This one prevents the state for pending from reaching 0 and resetting, which would not show the bug.
+	sendStreamMsg(t, nc, "foo", "data")
+
+	// Ack all but one and out of order and make sure all consumers have the same stored state.
+	msgs, err := sub.Fetch(num, nats.MaxWait(time.Second))
+	require_NoError(t, err)
+	require_True(t, len(msgs) == num)
+
+	_, err = sub.Fetch(1, nats.MaxWait(time.Second))
+	require_NoError(t, err)
+
+	rand.Shuffle(len(msgs), func(i, j int) { msgs[i], msgs[j] = msgs[j], msgs[i] })
+	for _, m := range msgs {
+		if err := m.AckSync(); err != nil {
+			t.Fatalf("Ack failed :%+v", err)
+		}
+	}
+
+	checkConsumerState := func(delivered, ackFloor nats.SequenceInfo, numAckPending int) error {
+		expectedDelivered := uint64(num) + 1
+		if delivered.Stream != expectedDelivered || delivered.Consumer != expectedDelivered {
+			return fmt.Errorf("Wrong delivered, expected %d got %+v", expectedDelivered, delivered)
+		}
+		expectedAck := uint64(num)
+		if ackFloor.Stream != expectedAck || ackFloor.Consumer != expectedAck {
+			return fmt.Errorf("Wrong ackFloor, expected %d got %+v", expectedAck, ackFloor)
+		}
+		if numAckPending != 1 {
+			return errors.New("Expected num ack pending to be 1")
+		}
+		return nil
+	}
+
+	ci, err := js.ConsumerInfo("TEST", "C")
+	require_NoError(t, err)
+	require_NoError(t, checkConsumerState(ci.Delivered, ci.AckFloor, ci.NumAckPending))
+
+	// Check each consumer on each server for it's store state and make sure it matches as well.
+	checkFor(t, 20*time.Second, 200*time.Millisecond, func() error {
+		for _, s := range c.servers {
+			mset, err := s.GlobalAccount().lookupStream("TEST")
+			if err != nil {
+				return err
+			}
+			if mset == nil {
+				return errors.New("Mset should not be nil")
+			}
+			o := mset.lookupConsumer("C")
+			if o == nil {
+				return errors.New("Consumer should not be nil")
+			}
+
+			state, err := o.store.State()
+			if err != nil {
+				return err
+			}
+			delivered := nats.SequenceInfo{Stream: state.Delivered.Stream, Consumer: state.Delivered.Consumer}
+			ackFloor := nats.SequenceInfo{Stream: state.AckFloor.Stream, Consumer: state.AckFloor.Consumer}
+			if err := checkConsumerState(delivered, ackFloor, len(state.Pending)); err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+
+	// Now stepdown the consumer and move its leader and check the state after transition.
+	// Make the restarted server the eventual leader.
+	seen := make(map[*Server]bool)
+	cl := c.consumerLeader(globalAccountName, "TEST", "C")
+	require_NotNil(t, cl)
+	seen[cl] = true
+
+	allSeen := func() bool {
+		for _, s := range c.servers {
+			if !seen[s] {
+				return false
+			}
+		}
+		return true
+	}
+
+	checkAllLeaders := func() {
+		t.Helper()
+		checkFor(t, 20*time.Second, 200*time.Millisecond, func() error {
+			c.waitOnConsumerLeader(globalAccountName, "TEST", "C")
+			if allSeen() {
+				return nil
+			}
+			cl := c.consumerLeader(globalAccountName, "TEST", "C")
+			seen[cl] = true
+			ci, err := js.ConsumerInfo("TEST", "C")
+			if err != nil {
+				return err
+			}
+			if err := checkConsumerState(ci.Delivered, ci.AckFloor, ci.NumAckPending); err != nil {
+				return err
+			}
+			cl.JetStreamStepdownConsumer(globalAccountName, "TEST", "C")
+			return fmt.Errorf("Not all servers have been consumer leader yet")
+		})
+	}
+
+	checkAllLeaders()
+
+	// No restart all servers and check again.
+	c.stopAll()
+	c.restartAll()
+	c.waitOnLeader()
+
+	nc, js = jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	seen = make(map[*Server]bool)
+	checkAllLeaders()
+}
+
+func TestJetStreamClusterInterestLeakOnDisableJetStream(t *testing.T) {
+	c := createJetStreamClusterExplicit(t, "R3S", 3)
+	defer c.shutdown()
+
+	nc, js := jsClientConnect(t, c.leader())
+	defer nc.Close()
+
+	for i := 1; i <= 5; i++ {
+		_, err := js.AddStream(&nats.StreamConfig{
+			Name:     fmt.Sprintf("test_%d", i),
+			Subjects: []string{fmt.Sprintf("test_%d", i)},
+			Replicas: 3,
+		})
+		require_NoError(t, err)
+	}
+
+	c.waitOnAllCurrent()
+
+	server := c.randomNonLeader()
+	account := server.SystemAccount()
+
+	server.DisableJetStream()
+
+	var sublist []*subscription
+	account.sl.localSubs(&sublist, false)
+
+	var danglingJSC, danglingRaft int
+	for _, sub := range sublist {
+		if strings.HasPrefix(string(sub.subject), "$JSC.") {
+			danglingJSC++
+		} else if strings.HasPrefix(string(sub.subject), "$NRG.") {
+			danglingRaft++
+		}
+	}
+	if danglingJSC > 0 || danglingRaft > 0 {
+		t.Fatalf("unexpected dangling interests for JetStream assets after shutdown (%d $JSC, %d $NRG)", danglingJSC, danglingRaft)
+	}
+}
+
+func TestJetStreamClusterNoLeadersDuringLameDuck(t *testing.T) {
+	c := createJetStreamClusterExplicit(t, "R3S", 3)
+	defer c.shutdown()
+
+	// Grab the first server and set lameduck option directly.
+	s := c.servers[0]
+	s.optsMu.Lock()
+	s.opts.LameDuckDuration = 5 * time.Second
+	s.opts.LameDuckGracePeriod = -5 * time.Second
+	s.optsMu.Unlock()
+
+	// Connect to the third server.
+	nc, js := jsClientConnect(t, c.servers[2])
+	defer nc.Close()
+
+	allServersHaveLeaders := func() bool {
+		haveLeader := make(map[*Server]bool)
+		for _, s := range c.servers {
+			s.rnMu.RLock()
+			for _, n := range s.raftNodes {
+				if n.Leader() {
+					haveLeader[s] = true
+					break
+				}
+			}
+			s.rnMu.RUnlock()
+		}
+		return len(haveLeader) == len(c.servers)
+	}
+
+	// Create streams until we have a leader on all the servers.
+	var index int
+	checkFor(t, 10*time.Second, time.Millisecond, func() error {
+		if allServersHaveLeaders() {
+			return nil
+		}
+		index++
+		_, err := js.AddStream(&nats.StreamConfig{
+			Name:     fmt.Sprintf("TEST_%d", index),
+			Subjects: []string{fmt.Sprintf("foo.%d", index)},
+			Replicas: 3,
+		})
+		require_NoError(t, err)
+		return fmt.Errorf("All servers do not have at least one leader")
+	})
+
+	// Put our server into lameduck mode.
+	// Need a client.
+	dummy, _ := jsClientConnect(t, s)
+	defer dummy.Close()
+	go s.lameDuckMode()
+
+	// Wait for all leaders to move off.
+	checkFor(t, 2*time.Second, 50*time.Millisecond, func() error {
+		s.rnMu.RLock()
+		defer s.rnMu.RUnlock()
+		for _, n := range s.raftNodes {
+			if n.Leader() {
+				return fmt.Errorf("Server still has a leader")
+			}
+		}
+		return nil
+	})
+
+	// All leader evacuated.
+
+	// Create a go routine that will create streams constantly.
+	qch := make(chan bool)
+	go func() {
+		var index int
+		for {
+			select {
+			case <-time.After(time.Millisecond):
+				index++
+				_, err := js.AddStream(&nats.StreamConfig{
+					Name:     fmt.Sprintf("NEW_TEST_%d", index),
+					Subjects: []string{fmt.Sprintf("bar.%d", index)},
+					Replicas: 3,
+				})
+				if err != nil {
+					return
+				}
+			case <-qch:
+				return
+			}
+		}
+	}()
+	defer close(qch)
+
+	// Make sure we do not have any leaders placed on the lameduck server.
+	for s.isRunning() {
+		var hasLeader bool
+		s.rnMu.RLock()
+		for _, n := range s.raftNodes {
+			hasLeader = hasLeader || n.Leader()
+		}
+		s.rnMu.RUnlock()
+		if hasLeader {
+			t.Fatalf("Server had a leader when it should not due to lameduck mode")
+		}
+	}
+}
+
+func TestJetStreamClusterNoR1AssetsDuringLameDuck(t *testing.T) {
+	c := createJetStreamClusterExplicit(t, "R3S", 3)
+	defer c.shutdown()
+
+	// Grab the first server and set lameduck option directly.
+	s := c.servers[0]
+	s.optsMu.Lock()
+	s.opts.LameDuckDuration = 5 * time.Second
+	s.opts.LameDuckGracePeriod = -5 * time.Second
+	s.optsMu.Unlock()
+
+	// Connect to the server to keep it alive when we go into LDM.
+	dummy, _ := jsClientConnect(t, s)
+	defer dummy.Close()
+
+	// Connect to the third server.
+	nc, js := jsClientConnect(t, c.servers[2])
+	defer nc.Close()
+
+	// Now put the first server into lame duck mode.
+	go s.lameDuckMode()
+
+	// Wait for news to arrive that the first server has gone into
+	// lame duck mode and been marked offline.
+	checkFor(t, 2*time.Second, 50*time.Millisecond, func() error {
+		id := s.info.ID
+		s := c.servers[2]
+		s.mu.RLock()
+		defer s.mu.RUnlock()
+
+		var isOffline bool
+		s.nodeToInfo.Range(func(_, v any) bool {
+			ni := v.(nodeInfo)
+			if ni.id == id {
+				isOffline = ni.offline
+				return false
+			}
+			return true
+		})
+
+		if !isOffline {
+			return fmt.Errorf("first node is still online unexpectedly")
+		}
+		return nil
+	})
+
+	// Create a go routine that will create streams constantly.
+	qch := make(chan bool)
+	go func() {
+		var index int
+		for {
+			select {
+			case <-time.After(time.Millisecond * 25):
+				index++
+				_, err := js.AddStream(&nats.StreamConfig{
+					Name:     fmt.Sprintf("NEW_TEST_%d", index),
+					Subjects: []string{fmt.Sprintf("bar.%d", index)},
+					Replicas: 1,
+				})
+				if err != nil {
+					return
+				}
+			case <-qch:
+				return
+			}
+		}
+	}()
+	defer close(qch)
+
+	// Make sure we do not have any R1 assets placed on the lameduck server.
+	for s.isRunning() {
+		s.rnMu.RLock()
+		if s.js == nil || s.js.srv == nil || s.js.srv.gacc == nil {
+			s.rnMu.RUnlock()
+			break
+		}
+		hasAsset := len(s.js.srv.gacc.streams()) > 0
+		s.rnMu.RUnlock()
+		if hasAsset {
+			t.Fatalf("Server had an R1 asset when it should not due to lameduck mode")
+		}
+	}
+}
+
+// If a consumer has not been registered (possible in heavily loaded systems with lots  of assets)
+// it could miss the signal of a message going away. If that message was pending and expires the
+// ack floor could fall below the stream first sequence. This test will force that condition and
+// make sure the system resolves itself.
+func TestJetStreamClusterConsumerAckFloorDrift(t *testing.T) {
+	c := createJetStreamClusterExplicit(t, "R3S", 3)
+	defer c.shutdown()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{"*"},
+		Replicas: 3,
+		MaxAge:   200 * time.Millisecond,
+		MaxMsgs:  10,
+	})
+	require_NoError(t, err)
+
+	sub, err := js.PullSubscribe("foo", "C")
+	require_NoError(t, err)
+
+	for i := 0; i < 10; i++ {
+		sendStreamMsg(t, nc, "foo", "HELLO")
+	}
+
+	// No-op but will surface as delivered.
+	_, err = sub.Fetch(10)
+	require_NoError(t, err)
+
+	// We will grab the state with delivered being 10 and ackfloor being 0 directly.
+	cl := c.consumerLeader(globalAccountName, "TEST", "C")
+	require_NotNil(t, cl)
+
+	mset, err := cl.GlobalAccount().lookupStream("TEST")
+	require_NoError(t, err)
+	o := mset.lookupConsumer("C")
+	require_NotNil(t, o)
+	o.mu.RLock()
+	state, err := o.store.State()
+	o.mu.RUnlock()
+	require_NoError(t, err)
+	require_NotNil(t, state)
+
+	// Now let messages expire.
+	checkFor(t, time.Second, 100*time.Millisecond, func() error {
+		si, err := js.StreamInfo("TEST")
+		require_NoError(t, err)
+		if si.State.Msgs == 0 {
+			return nil
+		}
+		return fmt.Errorf("stream still has msgs")
+	})
+
+	// Set state to ackfloor of 5 and no pending.
+	state.AckFloor.Consumer = 5
+	state.AckFloor.Stream = 5
+	state.Pending = nil
+
+	// Now put back the state underneath of the consumers.
+	for _, s := range c.servers {
+		mset, err := s.GlobalAccount().lookupStream("TEST")
+		require_NoError(t, err)
+		o := mset.lookupConsumer("C")
+		require_NotNil(t, o)
+		o.mu.Lock()
+		err = o.setStoreState(state)
+		cfs := o.store.(*consumerFileStore)
+		o.mu.Unlock()
+		require_NoError(t, err)
+		// The lower layer will ignore, so set more directly.
+		cfs.mu.Lock()
+		cfs.state = *state
+		cfs.mu.Unlock()
+		// Also snapshot to remove any raft entries that could affect it.
+		snap, err := o.store.EncodedState()
+		require_NoError(t, err)
+		require_NoError(t, o.raftNode().InstallSnapshot(snap))
+	}
+
+	cl.JetStreamStepdownConsumer(globalAccountName, "TEST", "C")
+	c.waitOnConsumerLeader(globalAccountName, "TEST", "C")
+
+	checkFor(t, 5*time.Second, 100*time.Millisecond, func() error {
+		ci, err := js.ConsumerInfo("TEST", "C")
+		require_NoError(t, err)
+		// Make sure we catch this and adjust.
+		if ci.AckFloor.Stream == 10 && ci.AckFloor.Consumer == 10 {
+			return nil
+		}
+		return fmt.Errorf("AckFloor not correct, expected 10, got %+v", ci.AckFloor)
+	})
+}
+
+func TestJetStreamClusterInterestStreamFilteredConsumersWithNoInterest(t *testing.T) {
+	c := createJetStreamClusterExplicit(t, "R5S", 5)
+	defer c.shutdown()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:      "TEST",
+		Subjects:  []string{"*"},
+		Retention: nats.InterestPolicy,
+		Replicas:  3,
+	})
+	require_NoError(t, err)
+
+	// Create three subscribers.
+	ackCb := func(m *nats.Msg) { m.Ack() }
+
+	_, err = js.Subscribe("foo", ackCb, nats.BindStream("TEST"), nats.ManualAck())
+	require_NoError(t, err)
+
+	_, err = js.Subscribe("bar", ackCb, nats.BindStream("TEST"), nats.ManualAck())
+	require_NoError(t, err)
+
+	_, err = js.Subscribe("baz", ackCb, nats.BindStream("TEST"), nats.ManualAck())
+	require_NoError(t, err)
+
+	// Now send 100 messages, randomly picking foo or bar, but never baz.
+	for i := 0; i < 100; i++ {
+		if rand.Intn(2) > 0 {
+			sendStreamMsg(t, nc, "foo", "HELLO")
+		} else {
+			sendStreamMsg(t, nc, "bar", "WORLD")
+		}
+	}
+
+	// Messages are expected to go to 0.
+	checkFor(t, time.Second, 100*time.Millisecond, func() error {
+		si, err := js.StreamInfo("TEST")
+		require_NoError(t, err)
+		if si.State.Msgs == 0 {
+			return nil
+		}
+		return fmt.Errorf("stream still has msgs")
+	})
+}
+
+func TestJetStreamClusterChangeClusterAfterStreamCreate(t *testing.T) {
+	c := createJetStreamClusterExplicit(t, "NATS", 3)
+	defer c.shutdown()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{"*"},
+		Replicas: 3,
+	})
+	require_NoError(t, err)
+
+	for i := 0; i < 1000; i++ {
+		sendStreamMsg(t, nc, "foo", "HELLO")
+	}
+
+	_, err = js.UpdateStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{"*"},
+		Replicas: 1,
+	})
+	require_NoError(t, err)
+
+	c.stopAll()
+
+	c.name = "FOO"
+	for _, o := range c.opts {
+		buf, err := os.ReadFile(o.ConfigFile)
+		require_NoError(t, err)
+		nbuf := bytes.Replace(buf, []byte("name: NATS"), []byte("name: FOO"), 1)
+		err = os.WriteFile(o.ConfigFile, nbuf, 0640)
+		require_NoError(t, err)
+	}
+
+	c.restartAll()
+	c.waitOnLeader()
+	c.waitOnStreamLeader(globalAccountName, "TEST")
+
+	nc, js = jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	_, err = js.UpdateStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{"*"},
+		Replicas: 3,
+	})
+	// This should fail with no suitable peers, since the asset was created under the NATS cluster which has no peers.
+	require_Error(t, err, errors.New("nats: no suitable peers for placement"))
+
+	// Make sure we can swap the cluster.
+	_, err = js.UpdateStream(&nats.StreamConfig{
+		Name:      "TEST",
+		Subjects:  []string{"*"},
+		Placement: &nats.Placement{Cluster: "FOO"},
+	})
+	require_NoError(t, err)
+}
+
+// The consumer info() call does not take into account whether a consumer
+// is a leader or not, so results would be very different when asking servers
+// that housed consumer followers vs leaders.
+func TestJetStreamClusterConsumerInfoForJszForFollowers(t *testing.T) {
+	c := createJetStreamClusterExplicit(t, "NATS", 3)
+	defer c.shutdown()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{"*"},
+		Replicas: 3,
+	})
+	require_NoError(t, err)
+
+	for i := 0; i < 1000; i++ {
+		sendStreamMsg(t, nc, "foo", "HELLO")
+	}
+
+	sub, err := js.PullSubscribe("foo", "d")
+	require_NoError(t, err)
+
+	fetch, ack := 122, 22
+	msgs, err := sub.Fetch(fetch, nats.MaxWait(10*time.Second))
+	require_NoError(t, err)
+	require_True(t, len(msgs) == fetch)
+	for _, m := range msgs[:ack] {
+		m.AckSync()
+	}
+	// Let acks propagate.
+	time.Sleep(100 * time.Millisecond)
+
+	for _, s := range c.servers {
+		jsz, err := s.Jsz(&JSzOptions{Accounts: true, Consumer: true})
+		require_NoError(t, err)
+		require_True(t, len(jsz.AccountDetails) == 1)
+		require_True(t, len(jsz.AccountDetails[0].Streams) == 1)
+		require_True(t, len(jsz.AccountDetails[0].Streams[0].Consumer) == 1)
+		consumer := jsz.AccountDetails[0].Streams[0].Consumer[0]
+		if consumer.Delivered.Consumer != uint64(fetch) || consumer.Delivered.Stream != uint64(fetch) {
+			t.Fatalf("Incorrect delivered for %v: %+v", s, consumer.Delivered)
+		}
+		if consumer.AckFloor.Consumer != uint64(ack) || consumer.AckFloor.Stream != uint64(ack) {
+			t.Fatalf("Incorrect ackfloor for %v: %+v", s, consumer.AckFloor)
+		}
+	}
+}
+
+// Under certain scenarios we have seen consumers become stopped and cause healthz to fail.
+// The specific scneario is heavy loads, and stream resets on upgrades that could orphan consumers.
+func TestJetStreamClusterHealthzCheckForStoppedAssets(t *testing.T) {
+	c := createJetStreamClusterExplicit(t, "NATS", 3)
+	defer c.shutdown()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{"*"},
+		Replicas: 3,
+	})
+	require_NoError(t, err)
+
+	for i := 0; i < 1000; i++ {
+		sendStreamMsg(t, nc, "foo", "HELLO")
+	}
+
+	sub, err := js.PullSubscribe("foo", "d")
+	require_NoError(t, err)
+
+	fetch, ack := 122, 22
+	msgs, err := sub.Fetch(fetch, nats.MaxWait(10*time.Second))
+	require_NoError(t, err)
+	require_True(t, len(msgs) == fetch)
+	for _, m := range msgs[:ack] {
+		m.AckSync()
+	}
+	// Let acks propagate.
+	time.Sleep(100 * time.Millisecond)
+
+	// We will now stop a stream on a given server.
+	s := c.randomServer()
+	mset, err := s.GlobalAccount().lookupStream("TEST")
+	require_NoError(t, err)
+	// Stop the stream
+	mset.stop(false, false)
+
+	// Wait for exit.
+	time.Sleep(100 * time.Millisecond)
+
+	checkFor(t, 5*time.Second, 500*time.Millisecond, func() error {
+		hs := s.healthz(nil)
+		if hs.Error != _EMPTY_ {
+			return errors.New(hs.Error)
+		}
+		return nil
+	})
+
+	// Now take out the consumer.
+	mset, err = s.GlobalAccount().lookupStream("TEST")
+	require_NoError(t, err)
+
+	o := mset.lookupConsumer("d")
+	require_NotNil(t, o)
+
+	o.stop()
+	// Wait for exit.
+	time.Sleep(100 * time.Millisecond)
+
+	checkFor(t, 5*time.Second, 500*time.Millisecond, func() error {
+		hs := s.healthz(nil)
+		if hs.Error != _EMPTY_ {
+			return errors.New(hs.Error)
+		}
+		return nil
+	})
+
+	// Now just stop the raft node from underneath the consumer.
+	o = mset.lookupConsumer("d")
+	require_NotNil(t, o)
+	node := o.raftNode()
+	require_NotNil(t, node)
+	node.Stop()
+
+	checkFor(t, 5*time.Second, 500*time.Millisecond, func() error {
+		hs := s.healthz(nil)
+		if hs.Error != _EMPTY_ {
+			return errors.New(hs.Error)
+		}
+		return nil
+	})
+}
+
+// Make sure that stopping a stream shutdowns down it's raft node.
+func TestJetStreamClusterStreamNodeShutdownBugOnStop(t *testing.T) {
+	c := createJetStreamClusterExplicit(t, "NATS", 3)
+	defer c.shutdown()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{"*"},
+		Replicas: 3,
+	})
+	require_NoError(t, err)
+
+	for i := 0; i < 100; i++ {
+		sendStreamMsg(t, nc, "foo", "HELLO")
+	}
+
+	s := c.randomServer()
+	numNodesStart := s.numRaftNodes()
+	mset, err := s.GlobalAccount().lookupStream("TEST")
+	require_NoError(t, err)
+	node := mset.raftNode()
+	require_NotNil(t, node)
+	node.InstallSnapshot(mset.stateSnapshot())
+	// Stop the stream
+	mset.stop(false, false)
+
+	if numNodes := s.numRaftNodes(); numNodes != numNodesStart-1 {
+		t.Fatalf("RAFT nodes after stream stop incorrect: %d vs %d", numNodesStart, numNodes)
+	}
+}
+
+func TestJetStreamClusterStreamAccountingOnStoreError(t *testing.T) {
+	c := createJetStreamClusterWithTemplate(t, jsClusterMaxBytesAccountLimitTempl, "NATS", 3)
+	defer c.shutdown()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{"*"},
+		MaxBytes: 1 * 1024 * 1024 * 1024,
+		Replicas: 3,
+	})
+	require_NoError(t, err)
+
+	msg := strings.Repeat("Z", 32*1024)
+	for i := 0; i < 10; i++ {
+		sendStreamMsg(t, nc, "foo", msg)
+	}
+	s := c.randomServer()
+	acc, err := s.LookupAccount("$U")
+	require_NoError(t, err)
+	mset, err := acc.lookupStream("TEST")
+	require_NoError(t, err)
+	mset.mu.Lock()
+	mset.store.Stop()
+	sjs := mset.js
+	mset.mu.Unlock()
+
+	// Now delete the stream
+	js.DeleteStream("TEST")
+
+	// Wait for this to propgate.
+	// The bug will have us not release reserved resources properly.
+	checkFor(t, 10*time.Second, 200*time.Millisecond, func() error {
+		info, err := js.AccountInfo()
+		require_NoError(t, err)
+		// Default tier
+		if info.Store != 0 {
+			return fmt.Errorf("Expected store to be 0 but got %v", friendlyBytes(info.Store))
+		}
+		return nil
+	})
+
+	// Now check js from server directly regarding reserved.
+	sjs.mu.RLock()
+	reserved := sjs.storeReserved
+	sjs.mu.RUnlock()
+	// Under bug will show 1GB
+	if reserved != 0 {
+		t.Fatalf("Expected store reserved to be 0 after stream delete, got %v", friendlyBytes(reserved))
+	}
+}
+
+func TestJetStreamClusterStreamAccountingDriftFixups(t *testing.T) {
+	c := createJetStreamClusterWithTemplate(t, jsClusterMaxBytesAccountLimitTempl, "NATS", 3)
+	defer c.shutdown()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{"*"},
+		MaxBytes: 2 * 1024 * 1024,
+		Replicas: 3,
+	})
+	require_NoError(t, err)
+
+	msg := strings.Repeat("Z", 32*1024)
+	for i := 0; i < 100; i++ {
+		sendStreamMsg(t, nc, "foo", msg)
+	}
+
+	err = js.PurgeStream("TEST")
+	require_NoError(t, err)
+
+	checkFor(t, 5*time.Second, 200*time.Millisecond, func() error {
+		info, err := js.AccountInfo()
+		require_NoError(t, err)
+		if info.Store != 0 {
+			return fmt.Errorf("Store usage not 0: %d", info.Store)
+		}
+		return nil
+	})
+
+	s := c.leader()
+	jsz, err := s.Jsz(nil)
+	require_NoError(t, err)
+	require_True(t, jsz.JetStreamStats.Store == 0)
+
+	acc, err := s.LookupAccount("$U")
+	require_NoError(t, err)
+	mset, err := acc.lookupStream("TEST")
+	require_NoError(t, err)
+	mset.mu.RLock()
+	jsa, tier, stype := mset.jsa, mset.tier, mset.stype
+	mset.mu.RUnlock()
+	// Drift the usage.
+	jsa.updateUsage(tier, stype, -100)
+
+	checkFor(t, time.Second, 200*time.Millisecond, func() error {
+		info, err := js.AccountInfo()
+		require_NoError(t, err)
+		if info.Store != 0 {
+			return fmt.Errorf("Store usage not 0: %d", info.Store)
+		}
+		return nil
+	})
+	jsz, err = s.Jsz(nil)
+	require_NoError(t, err)
+	require_True(t, jsz.JetStreamStats.Store == 0)
+}
+
+// Some older streams seem to have been created or exist with no explicit cluster setting.
+// For server <= 2.9.16 you could not scale the streams up since we could not place them in another cluster.
+func TestJetStreamClusterStreamScaleUpNoGroupCluster(t *testing.T) {
+	c := createJetStreamClusterExplicit(t, "NATS", 3)
+	defer c.shutdown()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{"*"},
+	})
+	require_NoError(t, err)
+
+	// Manually going to grab stream assignment and update it to be without the group cluster.
+	s := c.streamLeader(globalAccountName, "TEST")
+	mset, err := s.GlobalAccount().lookupStream("TEST")
+	require_NoError(t, err)
+
+	sa := mset.streamAssignment()
+	require_NotNil(t, sa)
+	// Make copy to not change stream's
+	sa = sa.copyGroup()
+	// Remove cluster and preferred.
+	sa.Group.Cluster = _EMPTY_
+	sa.Group.Preferred = _EMPTY_
+	// Insert into meta layer.
+	s.mu.RLock()
+	s.js.cluster.meta.ForwardProposal(encodeUpdateStreamAssignment(sa))
+	s.mu.RUnlock()
+	// Make sure it got propagated..
+	checkFor(t, 10*time.Second, 200*time.Millisecond, func() error {
+		sa := mset.streamAssignment().copyGroup()
+		require_NotNil(t, sa)
+		if sa.Group.Cluster != _EMPTY_ {
+			return fmt.Errorf("Cluster still not cleared")
+		}
+		return nil
+	})
+	// Now we know it has been nil'd out. Make sure we can scale up.
+	_, err = js.UpdateStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{"*"},
+		Replicas: 3,
+	})
+	require_NoError(t, err)
+}
+
+// https://github.com/nats-io/nats-server/issues/4162
+func TestJetStreamClusterStaleDirectGetOnRestart(t *testing.T) {
+	c := createJetStreamClusterExplicit(t, "NATS", 3)
+	defer c.shutdown()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	kv, err := js.CreateKeyValue(&nats.KeyValueConfig{
+		Bucket:   "TEST",
+		Replicas: 3,
+	})
+	require_NoError(t, err)
+
+	_, err = kv.PutString("foo", "bar")
+	require_NoError(t, err)
+
+	// Close client in case we were connected to server below.
+	// We will recreate.
+	nc.Close()
+
+	// Shutdown a non-leader.
+	s := c.randomNonStreamLeader(globalAccountName, "KV_TEST")
+	s.Shutdown()
+
+	nc, js = jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	kv, err = js.KeyValue("TEST")
+	require_NoError(t, err)
+
+	_, err = kv.PutString("foo", "baz")
+	require_NoError(t, err)
+
+	errCh := make(chan error, 100)
+	done := make(chan struct{})
+
+	go func() {
+		nc, js := jsClientConnect(t, c.randomServer())
+		defer nc.Close()
+
+		kv, err := js.KeyValue("TEST")
+		if err != nil {
+			errCh <- err
+			return
+		}
+
+		for {
+			select {
+			case <-done:
+				return
+			default:
+				entry, err := kv.Get("foo")
+				if err != nil {
+					errCh <- err
+					return
+				}
+				if v := string(entry.Value()); v != "baz" {
+					errCh <- fmt.Errorf("Got wrong value: %q", v)
+				}
+			}
+		}
+	}()
+
+	// Restart
+	c.restartServer(s)
+	// Wait for a bit to make sure as this server participates in direct gets
+	// it does not server stale reads.
+	time.Sleep(2 * time.Second)
+	close(done)
+
+	if len(errCh) > 0 {
+		t.Fatalf("Expected no errors but got %v", <-errCh)
+	}
+}
+
+// This test mimics a user's setup where there is a cloud cluster/domain, and one for eu and ap that are leafnoded into the
+// cloud cluster, and one for cn that is leafnoded into the ap cluster.
+// We broke basic connectivity in 2.9.17 from publishing in eu for delivery in cn on same account which is daisy chained through ap.
+// We will also test cross account delivery in this test as well.
+func TestJetStreamClusterLeafnodePlusDaisyChainSetup(t *testing.T) {
+	var cloudTmpl = `
+		listen: 127.0.0.1:-1
+		server_name: %s
+		jetstream: {max_mem_store: 256MB, max_file_store: 2GB, domain: CLOUD, store_dir: '%s'}
+
+		leaf { listen: 127.0.0.1:-1 }
+
+		cluster {
+			name: %s
+			listen: 127.0.0.1:%d
+			routes = [%s]
+		}
+
+		accounts {
+			F {
+				jetstream: enabled
+				users = [ { user: "F", pass: "pass" } ]
+				exports [ { stream: "F.>" } ]
+			}
+			T {
+				jetstream: enabled
+				users = [ { user: "T", pass: "pass" } ]
+				imports [ { stream: { account: F, subject: "F.>"} } ]
+			}
+			$SYS { users = [ { user: "admin", pass: "s3cr3t!" } ] }
+		}`
+
+	// Now create the cloud and make sure we are connected.
+	// Cloud
+	c := createJetStreamCluster(t, cloudTmpl, "CLOUD", _EMPTY_, 3, 22020, false)
+	defer c.shutdown()
+
+	var lnTmpl = `
+		listen: 127.0.0.1:-1
+		server_name: %s
+		jetstream: {max_mem_store: 256MB, max_file_store: 2GB, store_dir: '%s'}
+
+		{{leaf}}
+
+		cluster {
+			name: %s
+			listen: 127.0.0.1:%d
+			routes = [%s]
+		}
+
+		accounts {
+			F {
+				jetstream: enabled
+				users = [ { user: "F", pass: "pass" } ]
+				exports [ { stream: "F.>" } ]
+			}
+			T {
+				jetstream: enabled
+				users = [ { user: "T", pass: "pass" } ]
+				imports [ { stream: { account: F, subject: "F.>"} } ]
+			}
+			$SYS { users = [ { user: "admin", pass: "s3cr3t!" } ] }
+		}`
+
+	var leafFrag = `
+			leaf {
+				listen: 127.0.0.1:-1
+				remotes [ { urls: [ %s ], account: "T" }, { urls: [ %s ], account: "F" } ]
+			}`
+
+	genLeafTmpl := func(tmpl string, c *cluster) string {
+		t.Helper()
+		// Create our leafnode cluster template first.
+		var lnt, lnf []string
+		for _, s := range c.servers {
+			if s.ClusterName() != c.name {
+				continue
+			}
+			ln := s.getOpts().LeafNode
+			lnt = append(lnt, fmt.Sprintf("nats://T:pass@%s:%d", ln.Host, ln.Port))
+			lnf = append(lnf, fmt.Sprintf("nats://F:pass@%s:%d", ln.Host, ln.Port))
+		}
+		lntc := strings.Join(lnt, ", ")
+		lnfc := strings.Join(lnf, ", ")
+		return strings.Replace(tmpl, "{{leaf}}", fmt.Sprintf(leafFrag, lntc, lnfc), 1)
+	}
+
+	// Cluster EU
+	// Domain is "EU'
+	tmpl := strings.Replace(lnTmpl, "store_dir:", fmt.Sprintf(`domain: "%s", store_dir:`, "EU"), 1)
+	tmpl = genLeafTmpl(tmpl, c)
+	lceu := createJetStreamCluster(t, tmpl, "EU", "EU-", 3, 22110, false)
+	lceu.waitOnClusterReady()
+	defer lceu.shutdown()
+
+	for _, s := range lceu.servers {
+		checkLeafNodeConnectedCount(t, s, 2)
+	}
+
+	// Cluster AP
+	// Domain is "AP'
+	tmpl = strings.Replace(lnTmpl, "store_dir:", fmt.Sprintf(`domain: "%s", store_dir:`, "AP"), 1)
+	tmpl = genLeafTmpl(tmpl, c)
+	lcap := createJetStreamCluster(t, tmpl, "AP", "AP-", 3, 22180, false)
+	lcap.waitOnClusterReady()
+	defer lcap.shutdown()
+
+	for _, s := range lcap.servers {
+		checkLeafNodeConnectedCount(t, s, 2)
+	}
+
+	// Cluster CN
+	// Domain is "CN'
+	// This one connects to AP, not the cloud hub.
+	tmpl = strings.Replace(lnTmpl, "store_dir:", fmt.Sprintf(`domain: "%s", store_dir:`, "CN"), 1)
+	tmpl = genLeafTmpl(tmpl, lcap)
+	lccn := createJetStreamCluster(t, tmpl, "CN", "CN-", 3, 22280, false)
+	lccn.waitOnClusterReady()
+	defer lccn.shutdown()
+
+	for _, s := range lccn.servers {
+		checkLeafNodeConnectedCount(t, s, 2)
+	}
+
+	// Now connect to CN on account F and subscribe to data.
+	nc, _ := jsClientConnect(t, lccn.randomServer(), nats.UserInfo("F", "pass"))
+	defer nc.Close()
+	fsub, err := nc.SubscribeSync("F.EU.>")
+	require_NoError(t, err)
+
+	// Same for account T where the import is.
+	nc, _ = jsClientConnect(t, lccn.randomServer(), nats.UserInfo("T", "pass"))
+	defer nc.Close()
+	tsub, err := nc.SubscribeSync("F.EU.>")
+	require_NoError(t, err)
+
+	// Let sub propagate.
+	time.Sleep(500 * time.Millisecond)
+
+	// Now connect to EU on account F and generate data.
+	nc, _ = jsClientConnect(t, lceu.randomServer(), nats.UserInfo("F", "pass"))
+	defer nc.Close()
+
+	num := 10
+	for i := 0; i < num; i++ {
+		err := nc.Publish("F.EU.DATA", []byte(fmt.Sprintf("MSG-%d", i)))
+		require_NoError(t, err)
+	}
+
+	checkSubsPending(t, fsub, num)
+	// Since we export and import in each cluster, we will receive 4x.
+	// First hop from EU -> CLOUD is 1F and 1T
+	// Second hop from CLOUD -> AP is 1F, 1T and another 1T
+	// Third hop from AP -> CN is 1F, 1T, 1T and 1T
+	// Each cluster hop that has the export/import mapping will add another T message copy.
+	checkSubsPending(t, tsub, num*4)
+
+	// Create stream in cloud.
+	nc, js := jsClientConnect(t, c.randomServer(), nats.UserInfo("F", "pass"))
+	defer nc.Close()
+
+	_, err = js.AddStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{"TEST.>"},
+		Replicas: 3,
+	})
+	require_NoError(t, err)
+
+	for i := 0; i < 100; i++ {
+		sendStreamMsg(t, nc, fmt.Sprintf("TEST.%d", i), "OK")
+	}
+
+	// Now connect to EU.
+	nc, js = jsClientConnect(t, lceu.randomServer(), nats.UserInfo("F", "pass"))
+	defer nc.Close()
+
+	// Create a mirror.
+	_, err = js.AddStream(&nats.StreamConfig{
+		Name: "M",
+		Mirror: &nats.StreamSource{
+			Name:   "TEST",
+			Domain: "CLOUD",
+		},
+	})
+	require_NoError(t, err)
+
+	checkFor(t, time.Second, 200*time.Millisecond, func() error {
+		si, err := js.StreamInfo("M")
+		require_NoError(t, err)
+		if si.State.Msgs == 100 {
+			return nil
+		}
+		return fmt.Errorf("State not current: %+v", si.State)
+	})
+}
+
+// https://github.com/nats-io/nats-server/pull/4197
+func TestJetStreamClusterPurgeExReplayAfterRestart(t *testing.T) {
+	c := createJetStreamClusterExplicit(t, "P3F", 3)
+	defer c.shutdown()
+
+	// Client based API
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{"TEST.>"},
+		Replicas: 3,
+	})
+	require_NoError(t, err)
+
+	sendStreamMsg(t, nc, "TEST.0", "OK")
+	sendStreamMsg(t, nc, "TEST.1", "OK")
+	sendStreamMsg(t, nc, "TEST.2", "OK")
+
+	runTest := func(f func(js nats.JetStreamManager)) *nats.StreamInfo {
+		nc, js := jsClientConnect(t, c.randomServer())
+		defer nc.Close()
+
+		// install snapshot, then execute interior func, ensuring the purge will be recovered later
+		fsl := c.streamLeader(globalAccountName, "TEST")
+		fsl.JetStreamSnapshotStream(globalAccountName, "TEST")
+
+		f(js)
+		time.Sleep(250 * time.Millisecond)
+
+		fsl.Shutdown()
+		fsl.WaitForShutdown()
+		fsl = c.restartServer(fsl)
+		c.waitOnServerCurrent(fsl)
+
+		nc, js = jsClientConnect(t, c.randomServer())
+		defer nc.Close()
+
+		c.waitOnStreamLeader(globalAccountName, "TEST")
+		sl := c.streamLeader(globalAccountName, "TEST")
+
+		// keep stepping down so the stream leader matches the initial leader
+		// we need to check if it restored from the snapshot properly
+		for sl != fsl {
+			_, err := nc.Request(fmt.Sprintf(JSApiStreamLeaderStepDownT, "TEST"), nil, time.Second)
+			require_NoError(t, err)
+			c.waitOnStreamLeader(globalAccountName, "TEST")
+			sl = c.streamLeader(globalAccountName, "TEST")
+		}
+
+		si, err := js.StreamInfo("TEST")
+		require_NoError(t, err)
+		return si
+	}
+	si := runTest(func(js nats.JetStreamManager) {
+		err = js.PurgeStream("TEST", &nats.StreamPurgeRequest{Subject: "TEST.0"})
+		require_NoError(t, err)
+	})
+	if si.State.Msgs != 2 {
+		t.Fatalf("Expected 2 msgs after restart, got %d", si.State.Msgs)
+	}
+	if si.State.FirstSeq != 2 || si.State.LastSeq != 3 {
+		t.Fatalf("Expected FirstSeq=2, LastSeq=3 after restart, got FirstSeq=%d, LastSeq=%d",
+			si.State.FirstSeq, si.State.LastSeq)
+	}
+
+	si = runTest(func(js nats.JetStreamManager) {
+		err = js.PurgeStream("TEST")
+		require_NoError(t, err)
+		// Send 2 more messages.
+		sendStreamMsg(t, nc, "TEST.1", "OK")
+		sendStreamMsg(t, nc, "TEST.2", "OK")
+	})
+	if si.State.Msgs != 2 {
+		t.Fatalf("Expected 2 msgs after restart, got %d", si.State.Msgs)
+	}
+	if si.State.FirstSeq != 4 || si.State.LastSeq != 5 {
+		t.Fatalf("Expected FirstSeq=4, LastSeq=5 after restart, got FirstSeq=%d, LastSeq=%d",
+			si.State.FirstSeq, si.State.LastSeq)
+	}
+
+	// Now test a keep
+	si = runTest(func(js nats.JetStreamManager) {
+		err = js.PurgeStream("TEST", &nats.StreamPurgeRequest{Keep: 1})
+		require_NoError(t, err)
+		// Send 4 more messages.
+		sendStreamMsg(t, nc, "TEST.1", "OK")
+		sendStreamMsg(t, nc, "TEST.2", "OK")
+		sendStreamMsg(t, nc, "TEST.3", "OK")
+		sendStreamMsg(t, nc, "TEST.1", "OK")
+	})
+	if si.State.Msgs != 5 {
+		t.Fatalf("Expected 5 msgs after restart, got %d", si.State.Msgs)
+	}
+	if si.State.FirstSeq != 5 || si.State.LastSeq != 9 {
+		t.Fatalf("Expected FirstSeq=5, LastSeq=9 after restart, got FirstSeq=%d, LastSeq=%d",
+			si.State.FirstSeq, si.State.LastSeq)
+	}
+
+	// Now test a keep on a subject
+	si = runTest(func(js nats.JetStreamManager) {
+		err = js.PurgeStream("TEST", &nats.StreamPurgeRequest{Subject: "TEST.1", Keep: 1})
+		require_NoError(t, err)
+		// Send 3 more messages.
+		sendStreamMsg(t, nc, "TEST.1", "OK")
+		sendStreamMsg(t, nc, "TEST.2", "OK")
+		sendStreamMsg(t, nc, "TEST.3", "OK")
+	})
+	if si.State.Msgs != 7 {
+		t.Fatalf("Expected 7 msgs after restart, got %d", si.State.Msgs)
+	}
+	if si.State.FirstSeq != 5 || si.State.LastSeq != 12 {
+		t.Fatalf("Expected FirstSeq=5, LastSeq=12 after restart, got FirstSeq=%d, LastSeq=%d",
+			si.State.FirstSeq, si.State.LastSeq)
+	}
+}
+
+func TestJetStreamClusterConsumerCleanupWithSameName(t *testing.T) {
+	c := createJetStreamClusterExplicit(t, "R3F", 3)
+	defer c.shutdown()
+
+	// Client based API
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:     "UPDATES",
+		Subjects: []string{"DEVICE.*"},
+		Replicas: 3,
+	})
+	require_NoError(t, err)
+
+	// Create a consumer that will be an R1 that we will auto-recreate but using the same name.
+	// We want to make sure that the system does not continually try to cleanup the new one from the old one.
+
+	// Track the sequence for restart etc.
+	var seq atomic.Uint64
+
+	msgCB := func(msg *nats.Msg) {
+		msg.AckSync()
+		meta, err := msg.Metadata()
+		require_NoError(t, err)
+		seq.Store(meta.Sequence.Stream)
+	}
+
+	waitOnSeqDelivered := func(expected uint64) {
+		checkFor(t, 10*time.Second, 200*time.Millisecond, func() error {
+			received := seq.Load()
+			if received == expected {
+				return nil
+			}
+			return fmt.Errorf("Seq is %d, want %d", received, expected)
+		})
+	}
+
+	doSub := func() {
+		_, err = js.Subscribe(
+			"DEVICE.22",
+			msgCB,
+			nats.ConsumerName("dlc"),
+			nats.SkipConsumerLookup(),
+			nats.StartSequence(seq.Load()+1),
+			nats.MaxAckPending(1), // One at a time.
+			nats.ManualAck(),
+			nats.ConsumerReplicas(1),
+			nats.ConsumerMemoryStorage(),
+			nats.MaxDeliver(1),
+			nats.InactiveThreshold(time.Second),
+			nats.IdleHeartbeat(250*time.Millisecond),
+		)
+		require_NoError(t, err)
+	}
+
+	// Track any errors for consumer not active so we can recreate the consumer.
+	errCh := make(chan error, 10)
+	nc.SetErrorHandler(func(c *nats.Conn, s *nats.Subscription, err error) {
+		if errors.Is(err, nats.ErrConsumerNotActive) {
+			s.Unsubscribe()
+			errCh <- err
+			doSub()
+		}
+	})
+
+	doSub()
+
+	sendStreamMsg(t, nc, "DEVICE.22", "update-1")
+	sendStreamMsg(t, nc, "DEVICE.22", "update-2")
+	sendStreamMsg(t, nc, "DEVICE.22", "update-3")
+	waitOnSeqDelivered(3)
+
+	// Shutdown the consumer's leader.
+	s := c.consumerLeader(globalAccountName, "UPDATES", "dlc")
+	s.Shutdown()
+	c.waitOnStreamLeader(globalAccountName, "UPDATES")
+
+	// In case our client connection was to the same server.
+	nc, _ = jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	sendStreamMsg(t, nc, "DEVICE.22", "update-4")
+	sendStreamMsg(t, nc, "DEVICE.22", "update-5")
+	sendStreamMsg(t, nc, "DEVICE.22", "update-6")
+
+	// Wait for the consumer not active error.
+	<-errCh
+	// Now restart server with the old consumer.
+	c.restartServer(s)
+	// Wait on all messages delivered.
+	waitOnSeqDelivered(6)
+	// Make sure no other errors showed up
+	require_True(t, len(errCh) == 0)
+}
+
+func TestJetStreamClusterSnapshotAndRestoreWithHealthz(t *testing.T) {
+	c := createJetStreamClusterExplicit(t, "R3S", 3)
+	defer c.shutdown()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{"foo"},
+		Replicas: 3,
+	})
+	require_NoError(t, err)
+
+	toSend, msg := 1000, bytes.Repeat([]byte("Z"), 1024)
+	for i := 0; i < toSend; i++ {
+		_, err := js.PublishAsync("foo", msg)
+		require_NoError(t, err)
+	}
+	select {
+	case <-js.PublishAsyncComplete():
+	case <-time.After(5 * time.Second):
+		t.Fatalf("Did not receive completion signal")
+	}
+
+	sreq := &JSApiStreamSnapshotRequest{
+		DeliverSubject: nats.NewInbox(),
+		ChunkSize:      512,
+	}
+	req, _ := json.Marshal(sreq)
+	rmsg, err := nc.Request(fmt.Sprintf(JSApiStreamSnapshotT, "TEST"), req, time.Second)
+	require_NoError(t, err)
+
+	var resp JSApiStreamSnapshotResponse
+	json.Unmarshal(rmsg.Data, &resp)
+	require_True(t, resp.Error == nil)
+
+	state := *resp.State
+	cfg := *resp.Config
+
+	var snapshot []byte
+	done := make(chan bool)
+
+	sub, _ := nc.Subscribe(sreq.DeliverSubject, func(m *nats.Msg) {
+		// EOF
+		if len(m.Data) == 0 {
+			done <- true
+			return
+		}
+		// Could be writing to a file here too.
+		snapshot = append(snapshot, m.Data...)
+		// Flow ack
+		m.Respond(nil)
+	})
+	defer sub.Unsubscribe()
+
+	// Wait to receive the snapshot.
+	select {
+	case <-done:
+	case <-time.After(5 * time.Second):
+		t.Fatalf("Did not receive our snapshot in time")
+	}
+
+	// Delete before we try to restore.
+	require_NoError(t, js.DeleteStream("TEST"))
+
+	checkHealth := func() {
+		for _, s := range c.servers {
+			s.healthz(nil)
+		}
+	}
+
+	var rresp JSApiStreamRestoreResponse
+	rreq := &JSApiStreamRestoreRequest{
+		Config: cfg,
+		State:  state,
+	}
+	req, _ = json.Marshal(rreq)
+
+	rmsg, err = nc.Request(fmt.Sprintf(JSApiStreamRestoreT, "TEST"), req, 5*time.Second)
+	require_NoError(t, err)
+
+	rresp.Error = nil
+	json.Unmarshal(rmsg.Data, &rresp)
+	require_True(t, resp.Error == nil)
+
+	checkHealth()
+
+	// We will now chunk the snapshot responses (and EOF).
+	var chunk [1024]byte
+	for i, r := 0, bytes.NewReader(snapshot); ; {
+		n, err := r.Read(chunk[:])
+		if err != nil {
+			break
+		}
+		nc.Request(rresp.DeliverSubject, chunk[:n], time.Second)
+		i++
+		// We will call healthz for all servers half way through the restore.
+		if i%100 == 0 {
+			checkHealth()
+		}
+	}
+	rmsg, err = nc.Request(rresp.DeliverSubject, nil, time.Second)
+	require_NoError(t, err)
+	rresp.Error = nil
+	json.Unmarshal(rmsg.Data, &rresp)
+	require_True(t, resp.Error == nil)
+
+	si, err := js.StreamInfo("TEST")
+	require_NoError(t, err)
+	require_True(t, si.State.Msgs == uint64(toSend))
+
+	// Make sure stepdown works, this would fail before the fix.
+	_, err = nc.Request(fmt.Sprintf(JSApiStreamLeaderStepDownT, "TEST"), nil, 5*time.Second)
+	require_NoError(t, err)
+
+	si, err = js.StreamInfo("TEST")
+	require_NoError(t, err)
+	require_True(t, si.State.Msgs == uint64(toSend))
+}
+
+func TestJetStreamClusterBadEncryptKey(t *testing.T) {
+	c := createJetStreamClusterWithTemplate(t, jsClusterEncryptedTempl, "JSC", 3)
+	defer c.shutdown()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	// Create 10 streams.
+	for i := 0; i < 10; i++ {
+		_, err := js.AddStream(&nats.StreamConfig{
+			Name:     fmt.Sprintf("TEST-%d", i),
+			Replicas: 3,
+		})
+		require_NoError(t, err)
+	}
+
+	// Grab random server.
+	s := c.randomServer()
+	s.Shutdown()
+	s.WaitForShutdown()
+
+	var opts *Options
+	for i := 0; i < len(c.servers); i++ {
+		if c.servers[i] == s {
+			opts = c.opts[i]
+			break
+		}
+	}
+	require_NotNil(t, opts)
+
+	// Replace key with an empty key.
+	buf, err := os.ReadFile(opts.ConfigFile)
+	require_NoError(t, err)
+	nbuf := bytes.Replace(buf, []byte("key: \"s3cr3t!\""), []byte("key: \"\""), 1)
+	err = os.WriteFile(opts.ConfigFile, nbuf, 0640)
+	require_NoError(t, err)
+
+	// Make sure trying to start the server now fails.
+	s, err = NewServer(LoadConfig(opts.ConfigFile))
+	require_NoError(t, err)
+	require_NotNil(t, s)
+	s.Start()
+	if err := s.readyForConnections(1 * time.Second); err == nil {
+		t.Fatalf("Expected server not to start")
+	}
+}
+
+func TestJetStreamAccountUsageDrifts(t *testing.T) {
+	tmpl := `
+			listen: 127.0.0.1:-1
+			server_name: %s
+			jetstream: {max_mem_store: 256MB, max_file_store: 2GB, store_dir: '%s'}
+			leaf {
+				listen: 127.0.0.1:-1
+			}
+			cluster {
+				name: %s
+				listen: 127.0.0.1:%d
+				routes = [%s]
+			}
+	`
+	opFrag := `
+			operator: %s
+			system_account: %s
+			resolver: { type: MEM }
+			resolver_preload = {
+				%s : %s
+				%s : %s
+			}
+		`
+
+	_, syspub := createKey(t)
+	sysJwt := encodeClaim(t, jwt.NewAccountClaims(syspub), syspub)
+
+	accKp, aExpPub := createKey(t)
+	accClaim := jwt.NewAccountClaims(aExpPub)
+	accClaim.Limits.JetStreamTieredLimits["R1"] = jwt.JetStreamLimits{
+		DiskStorage: -1, Consumer: 1, Streams: 1}
+	accClaim.Limits.JetStreamTieredLimits["R3"] = jwt.JetStreamLimits{
+		DiskStorage: -1, Consumer: 1, Streams: 1}
+	accJwt := encodeClaim(t, accClaim, aExpPub)
+	accCreds := newUser(t, accKp)
+
+	template := tmpl + fmt.Sprintf(opFrag, ojwt, syspub, syspub, sysJwt, aExpPub, accJwt)
+	c := createJetStreamClusterWithTemplate(t, template, "R3S", 3)
+	defer c.shutdown()
+
+	nc, js := jsClientConnect(t, c.randomServer(), nats.UserCredentials(accCreds))
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:     "TEST1",
+		Subjects: []string{"foo"},
+		MaxBytes: 1 * 1024 * 1024 * 1024,
+		MaxMsgs:  1000,
+		Replicas: 3,
+	})
+	require_NoError(t, err)
+
+	_, err = js.AddStream(&nats.StreamConfig{
+		Name:     "TEST2",
+		Subjects: []string{"bar"},
+	})
+	require_NoError(t, err)
+
+	// These expected store values can come directory from stream info's state bytes.
+	// We will *= 3 for R3
+	checkAccount := func(r1u, r3u uint64) {
+		t.Helper()
+		r3u *= 3
+
+		// Remote usage updates can be delayed, so wait for a bit for values we want.
+		checkFor(t, 5*time.Second, 250*time.Millisecond, func() error {
+			info, err := js.AccountInfo()
+			require_NoError(t, err)
+			require_True(t, len(info.Tiers) >= 2)
+			// These can move.
+			if u := info.Tiers["R1"].Store; u != r1u {
+				return fmt.Errorf("Expected R1 to be %v, got %v", friendlyBytes(r1u), friendlyBytes(u))
+			}
+			if u := info.Tiers["R3"].Store; u != r3u {
+				return fmt.Errorf("Expected R3 to be %v, got %v", friendlyBytes(r3u), friendlyBytes(u))
+			}
+			return nil
+		})
+	}
+
+	checkAccount(0, 0)
+
+	// Now add in some R3 data.
+	msg := bytes.Repeat([]byte("Z"), 32*1024)     // 32k
+	smallMsg := bytes.Repeat([]byte("Z"), 4*1024) // 4k
+
+	for i := 0; i < 1000; i++ {
+		js.Publish("foo", msg)
+	}
+	sir3, err := js.StreamInfo("TEST1")
+	require_NoError(t, err)
+
+	checkAccount(0, sir3.State.Bytes)
+
+	// Now add in some R1 data.
+	for i := 0; i < 100; i++ {
+		js.Publish("bar", msg)
+	}
+
+	sir1, err := js.StreamInfo("TEST2")
+	require_NoError(t, err)
+
+	checkAccount(sir1.State.Bytes, sir3.State.Bytes)
+
+	// We will now test a bunch of scenarios to see that we are doing accounting correctly.
+
+	// Since our R3 has a limit of 1000 msgs, let's add in more msgs and drop older ones.
+	for i := 0; i < 100; i++ {
+		js.Publish("foo", smallMsg)
+	}
+	sir3, err = js.StreamInfo("TEST1")
+	require_NoError(t, err)
+
+	checkAccount(sir1.State.Bytes, sir3.State.Bytes)
+
+	// Move our R3 stream leader and make sure acounting is correct.
+	_, err = nc.Request(fmt.Sprintf(JSApiStreamLeaderStepDownT, "TEST1"), nil, time.Second)
+	require_NoError(t, err)
+
+	checkAccount(sir1.State.Bytes, sir3.State.Bytes)
+
+	// Now scale down.
+	_, err = js.UpdateStream(&nats.StreamConfig{
+		Name:     "TEST1",
+		Subjects: []string{"foo"},
+		MaxBytes: 1 * 1024 * 1024 * 1024,
+		MaxMsgs:  1000,
+		Replicas: 1,
+	})
+	require_NoError(t, err)
+
+	checkAccount(sir1.State.Bytes+sir3.State.Bytes, 0)
+
+	// Add in more msgs which will replace the older and bigger ones.
+	for i := 0; i < 100; i++ {
+		js.Publish("foo", smallMsg)
+	}
+	sir3, err = js.StreamInfo("TEST1")
+	require_NoError(t, err)
+
+	// Now scale back up.
+	_, err = js.UpdateStream(&nats.StreamConfig{
+		Name:     "TEST1",
+		Subjects: []string{"foo"},
+		MaxBytes: 1 * 1024 * 1024 * 1024,
+		MaxMsgs:  1000,
+		Replicas: 3,
+	})
+	require_NoError(t, err)
+
+	checkAccount(sir1.State.Bytes, sir3.State.Bytes)
+
+	// Test Purge.
+	err = js.PurgeStream("TEST1")
+	require_NoError(t, err)
+
+	checkAccount(sir1.State.Bytes, 0)
+
+	for i := 0; i < 1000; i++ {
+		js.Publish("foo", smallMsg)
+	}
+	sir3, err = js.StreamInfo("TEST1")
+	require_NoError(t, err)
+
+	checkAccount(sir1.State.Bytes, sir3.State.Bytes)
+
+	requestLeaderStepDown := func() {
+		ml := c.leader()
+		checkFor(t, 5*time.Second, 250*time.Millisecond, func() error {
+			if cml := c.leader(); cml == ml {
+				nc.Request(JSApiLeaderStepDown, nil, time.Second)
+				return fmt.Errorf("Metaleader has not moved yet")
+			}
+			return nil
+		})
+	}
+
+	// Test meta leader stepdowns.
+	for i := 0; i < len(c.servers); i++ {
+		requestLeaderStepDown()
+		checkAccount(sir1.State.Bytes, sir3.State.Bytes)
+	}
+
+	// Now test cluster reset operations where we internally reset the NRG and optionally the stream too.
+	nl := c.randomNonStreamLeader(aExpPub, "TEST1")
+	acc, err := nl.LookupAccount(aExpPub)
+	require_NoError(t, err)
+	mset, err := acc.lookupStream("TEST1")
+	require_NoError(t, err)
+	// NRG only
+	mset.resetClusteredState(nil)
+	checkAccount(sir1.State.Bytes, sir3.State.Bytes)
+	// Now NRG and Stream state itself.
+	mset.resetClusteredState(errFirstSequenceMismatch)
+	checkAccount(sir1.State.Bytes, sir3.State.Bytes)
+
+	// Now test server restart
+	for _, s := range c.servers {
+		s.Shutdown()
+		s.WaitForShutdown()
+		s = c.restartServer(s)
+
+		// Wait on healthz and leader etc.
+		checkFor(t, 10*time.Second, 200*time.Millisecond, func() error {
+			if hs := s.healthz(nil); hs.Error != _EMPTY_ {
+				return errors.New(hs.Error)
+			}
+			return nil
+		})
+		c.waitOnLeader()
+		c.waitOnStreamLeader(aExpPub, "TEST1")
+		c.waitOnStreamLeader(aExpPub, "TEST2")
+
+		// Now check account again.
+		checkAccount(sir1.State.Bytes, sir3.State.Bytes)
+	}
+}
+
+func TestJetStreamClusterStreamFailTracking(t *testing.T) {
+	c := createJetStreamClusterExplicit(t, "R3S", 3)
+	defer c.shutdown()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{"foo"},
+		Replicas: 3,
+	})
+	require_NoError(t, err)
+
+	m := nats.NewMsg("foo")
+	m.Data = []byte("OK")
+
+	b, bsz := 0, 5
+	sendBatch := func() {
+		for i := b * bsz; i < b*bsz+bsz; i++ {
+			msgId := fmt.Sprintf("ID:%d", i)
+			m.Header.Set(JSMsgId, msgId)
+			// Send it twice on purpose.
+			js.PublishMsg(m)
+			js.PublishMsg(m)
+		}
+		b++
+	}
+
+	sendBatch()
+
+	_, err = nc.Request(fmt.Sprintf(JSApiStreamLeaderStepDownT, "TEST"), nil, time.Second)
+	require_NoError(t, err)
+	c.waitOnStreamLeader(globalAccountName, "TEST")
+
+	sendBatch()
+
+	// Now stop one and restart.
+	nl := c.randomNonStreamLeader(globalAccountName, "TEST")
+	mset, err := nl.GlobalAccount().lookupStream("TEST")
+	require_NoError(t, err)
+	// Reset raft
+	mset.resetClusteredState(nil)
+	time.Sleep(100 * time.Millisecond)
+
+	nl.Shutdown()
+	nl.WaitForShutdown()
+
+	sendBatch()
+
+	nl = c.restartServer(nl)
+
+	sendBatch()
+
+	for {
+		_, err = nc.Request(fmt.Sprintf(JSApiStreamLeaderStepDownT, "TEST"), nil, time.Second)
+		require_NoError(t, err)
+		c.waitOnStreamLeader(globalAccountName, "TEST")
+		if nl == c.streamLeader(globalAccountName, "TEST") {
+			break
+		}
+	}
+
+	sendBatch()
+
+	_, err = js.UpdateStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{"foo"},
+		Replicas: 1,
+	})
+	require_NoError(t, err)
+
+	// Make sure all in order.
+	errCh := make(chan error, 100)
+	var wg sync.WaitGroup
+	wg.Add(1)
+
+	expected, seen := b*bsz, 0
+
+	sub, err := js.Subscribe("foo", func(msg *nats.Msg) {
+		expectedID := fmt.Sprintf("ID:%d", seen)
+		if v := msg.Header.Get(JSMsgId); v != expectedID {
+			errCh <- err
+			wg.Done()
+			msg.Sub.Unsubscribe()
+			return
+		}
+		seen++
+		if seen >= expected {
+			wg.Done()
+			msg.Sub.Unsubscribe()
+		}
+	})
+	require_NoError(t, err)
+	defer sub.Unsubscribe()
+
+	wg.Wait()
+	if len(errCh) > 0 {
+		t.Fatalf("Expected no errors, got %d", len(errCh))
+	}
+}
+
+func TestJetStreamClusterStreamFailTrackingSnapshots(t *testing.T) {
+	c := createJetStreamClusterExplicit(t, "R3S", 3)
+	defer c.shutdown()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{"foo"},
+		Replicas: 3,
+	})
+	require_NoError(t, err)
+
+	m := nats.NewMsg("foo")
+	m.Data = []byte("OK")
+
+	// Send 1000 a dupe every msgID.
+	for i := 0; i < 1000; i++ {
+		msgId := fmt.Sprintf("ID:%d", i)
+		m.Header.Set(JSMsgId, msgId)
+		// Send it twice on purpose.
+		js.PublishMsg(m)
+		js.PublishMsg(m)
+	}
+
+	// Now stop one.
+	nl := c.randomNonStreamLeader(globalAccountName, "TEST")
+	nl.Shutdown()
+	nl.WaitForShutdown()
+
+	// Now send more and make sure leader snapshots.
+	for i := 1000; i < 2000; i++ {
+		msgId := fmt.Sprintf("ID:%d", i)
+		m.Header.Set(JSMsgId, msgId)
+		// Send it twice on purpose.
+		js.PublishMsg(m)
+		js.PublishMsg(m)
+	}
+
+	sl := c.streamLeader(globalAccountName, "TEST")
+	mset, err := sl.GlobalAccount().lookupStream("TEST")
+	require_NoError(t, err)
+	node := mset.raftNode()
+	require_NotNil(t, node)
+	node.InstallSnapshot(mset.stateSnapshot())
+
+	// Now restart nl
+	nl = c.restartServer(nl)
+	c.waitOnServerCurrent(nl)
+
+	// Move leader to NL
+	for {
+		_, err = nc.Request(fmt.Sprintf(JSApiStreamLeaderStepDownT, "TEST"), nil, time.Second)
+		require_NoError(t, err)
+		c.waitOnStreamLeader(globalAccountName, "TEST")
+		if nl == c.streamLeader(globalAccountName, "TEST") {
+			break
+		}
+	}
+
+	_, err = js.UpdateStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{"foo"},
+		Replicas: 1,
+	})
+	require_NoError(t, err)
+
+	// Make sure all in order.
+	errCh := make(chan error, 100)
+	var wg sync.WaitGroup
+	wg.Add(1)
+
+	expected, seen := 2000, 0
+
+	sub, err := js.Subscribe("foo", func(msg *nats.Msg) {
+		expectedID := fmt.Sprintf("ID:%d", seen)
+		if v := msg.Header.Get(JSMsgId); v != expectedID {
+			errCh <- err
+			wg.Done()
+			msg.Sub.Unsubscribe()
+			return
+		}
+		seen++
+		if seen >= expected {
+			wg.Done()
+			msg.Sub.Unsubscribe()
+		}
+	})
+	require_NoError(t, err)
+	defer sub.Unsubscribe()
+
+	wg.Wait()
+	if len(errCh) > 0 {
+		t.Fatalf("Expected no errors, got %d", len(errCh))
+	}
+}
+
+func TestJetStreamClusterOrphanConsumerSubjects(t *testing.T) {
+	c := createJetStreamClusterExplicit(t, "R3S", 3)
+	defer c.shutdown()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{"foo.>", "bar.>"},
+		Replicas: 3,
+	})
+	require_NoError(t, err)
+
+	_, err = js.AddConsumer("TEST", &nats.ConsumerConfig{
+		Name:          "consumer_foo",
+		Durable:       "consumer_foo",
+		FilterSubject: "foo.something",
+	})
+	require_NoError(t, err)
+
+	for _, replicas := range []int{3, 1, 3} {
+		_, err = js.UpdateStream(&nats.StreamConfig{
+			Name:     "TEST",
+			Subjects: []string{"bar.>"},
+			Replicas: replicas,
+		})
+		require_NoError(t, err)
+		c.waitOnAllCurrent()
+	}
+
+	c.waitOnStreamLeader("$G", "TEST")
+	c.waitOnConsumerLeader("$G", "TEST", "consumer_foo")
+
+	info, err := js.ConsumerInfo("TEST", "consumer_foo")
+	require_NoError(t, err)
+	require_True(t, info.Cluster != nil)
+	require_NotEqual(t, info.Cluster.Leader, "")
+	require_Equal(t, len(info.Cluster.Replicas), 2)
+}
+
+func TestJetStreamClusterDurableConsumerInactiveThresholdLeaderSwitch(t *testing.T) {
+	c := createJetStreamClusterExplicit(t, "R3S", 3)
+	defer c.shutdown()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{"*"},
+		Replicas: 3,
+	})
+	require_NoError(t, err)
+
+	// Queue a msg.
+	sendStreamMsg(t, nc, "foo", "ok")
+
+	thresh := 250 * time.Millisecond
+
+	// This will start the timer.
+	sub, err := js.PullSubscribe("foo", "dlc", nats.InactiveThreshold(thresh))
+	require_NoError(t, err)
+
+	// Switch over leader.
+	cl := c.consumerLeader(globalAccountName, "TEST", "dlc")
+	cl.JetStreamStepdownConsumer(globalAccountName, "TEST", "dlc")
+	c.waitOnConsumerLeader(globalAccountName, "TEST", "dlc")
+
+	// Create activity on this consumer.
+	msgs, err := sub.Fetch(1)
+	require_NoError(t, err)
+	require_True(t, len(msgs) == 1)
+
+	// This is consider activity as well. So we can watch now up to thresh to make sure consumer still active.
+	msgs[0].AckSync()
+
+	// The consumer should not disappear for next `thresh` interval unless old leader does so.
+	timeout := time.Now().Add(thresh)
+	for time.Now().Before(timeout) {
+		_, err := js.ConsumerInfo("TEST", "dlc")
+		if err == nats.ErrConsumerNotFound {
+			t.Fatalf("Consumer deleted when it should not have been")
+		}
+	}
+}
+
+func TestJetStreamClusterConsumerMaxDeliveryNumAckPendingBug(t *testing.T) {
+	c := createJetStreamClusterExplicit(t, "R3S", 3)
+	defer c.shutdown()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{"*"},
+		Replicas: 3,
+	})
+	require_NoError(t, err)
+
+	// send 50 msgs
+	for i := 0; i < 50; i++ {
+		_, err := js.Publish("foo", []byte("ok"))
+		require_NoError(t, err)
+	}
+
+	// File based.
+	_, err = js.Subscribe("foo",
+		func(msg *nats.Msg) {},
+		nats.Durable("file"),
+		nats.ManualAck(),
+		nats.MaxDeliver(1),
+		nats.AckWait(time.Second),
+		nats.MaxAckPending(10),
+	)
+	require_NoError(t, err)
+
+	// Let first batch retry and expire.
+	time.Sleep(1200 * time.Millisecond)
+
+	cia, err := js.ConsumerInfo("TEST", "file")
+	require_NoError(t, err)
+
+	// Make sure followers will have exact same state.
+	_, err = nc.Request(fmt.Sprintf(JSApiConsumerLeaderStepDownT, "TEST", "file"), nil, time.Second)
+	require_NoError(t, err)
+	c.waitOnConsumerLeader(globalAccountName, "TEST", "file")
+
+	cib, err := js.ConsumerInfo("TEST", "file")
+	require_NoError(t, err)
+
+	// Want to compare sans cluster details which we know will change due to leader change.
+	// Also last activity for delivered can be slightly off so nil out as well.
+	checkConsumerInfo := func(a, b *nats.ConsumerInfo) {
+		t.Helper()
+		a.Cluster, b.Cluster = nil, nil
+		a.Delivered.Last, b.Delivered.Last = nil, nil
+		if !reflect.DeepEqual(a, b) {
+			t.Fatalf("ConsumerInfo do not match\n\t%+v\n\t%+v", a, b)
+		}
+	}
+
+	checkConsumerInfo(cia, cib)
+
+	// Memory based.
+	_, err = js.Subscribe("foo",
+		func(msg *nats.Msg) {},
+		nats.Durable("mem"),
+		nats.ManualAck(),
+		nats.MaxDeliver(1),
+		nats.AckWait(time.Second),
+		nats.MaxAckPending(10),
+		nats.ConsumerMemoryStorage(),
+	)
+	require_NoError(t, err)
+
+	// Let first batch retry and expire.
+	time.Sleep(1200 * time.Millisecond)
+
+	cia, err = js.ConsumerInfo("TEST", "mem")
+	require_NoError(t, err)
+
+	// Make sure followers will have exact same state.
+	_, err = nc.Request(fmt.Sprintf(JSApiConsumerLeaderStepDownT, "TEST", "mem"), nil, time.Second)
+	require_NoError(t, err)
+	c.waitOnConsumerLeader(globalAccountName, "TEST", "mem")
+
+	cib, err = js.ConsumerInfo("TEST", "mem")
+	require_NoError(t, err)
+
+	checkConsumerInfo(cia, cib)
+
+	// Now file based but R1 and server restart.
+	_, err = js.Subscribe("foo",
+		func(msg *nats.Msg) {},
+		nats.Durable("r1"),
+		nats.ManualAck(),
+		nats.MaxDeliver(1),
+		nats.AckWait(time.Second),
+		nats.MaxAckPending(10),
+		nats.ConsumerReplicas(1),
+	)
+	require_NoError(t, err)
+
+	// Let first batch retry and expire.
+	time.Sleep(1200 * time.Millisecond)
+
+	cia, err = js.ConsumerInfo("TEST", "r1")
+	require_NoError(t, err)
+
+	cl := c.consumerLeader(globalAccountName, "TEST", "r1")
+	cl.Shutdown()
+	cl.WaitForShutdown()
+	cl = c.restartServer(cl)
+	c.waitOnServerCurrent(cl)
+
+	cib, err = js.ConsumerInfo("TEST", "r1")
+	require_NoError(t, err)
+
+	// Created can skew a small bit due to server restart, this is expected.
+	now := time.Now()
+	cia.Created, cib.Created = now, now
+	checkConsumerInfo(cia, cib)
+}
+
+// Discovered that we are not properly setting certain default filestore blkSizes.
+func TestJetStreamClusterCheckFileStoreBlkSizes(t *testing.T) {
+	c := createJetStreamClusterExplicit(t, "R3S", 3)
+	defer c.shutdown()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	// Nowmal Stream
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{"*"},
+		Replicas: 3,
+	})
+	require_NoError(t, err)
+
+	_, err = js.AddConsumer("TEST", &nats.ConsumerConfig{
+		Durable:   "C3",
+		AckPolicy: nats.AckExplicitPolicy,
+	})
+	require_NoError(t, err)
+
+	// KV
+	_, err = js.CreateKeyValue(&nats.KeyValueConfig{
+		Bucket:   "TEST",
+		Replicas: 3,
+	})
+	require_NoError(t, err)
+
+	blkSize := func(fs *fileStore) uint64 {
+		fs.mu.RLock()
+		defer fs.mu.RUnlock()
+		return fs.fcfg.BlockSize
+	}
+
+	// We will check now the following filestores.
+	//  meta
+	//  TEST stream and NRG
+	//  C3 NRG
+	//  KV_TEST stream and NRG
+	for _, s := range c.servers {
+		js, cc := s.getJetStreamCluster()
+		// META
+		js.mu.RLock()
+		meta := cc.meta
+		js.mu.RUnlock()
+		require_True(t, meta != nil)
+		fs := meta.(*raft).wal.(*fileStore)
+		require_True(t, blkSize(fs) == defaultMetaFSBlkSize)
+
+		// TEST STREAM
+		mset, err := s.GlobalAccount().lookupStream("TEST")
+		require_NoError(t, err)
+		mset.mu.RLock()
+		fs = mset.store.(*fileStore)
+		mset.mu.RUnlock()
+		require_True(t, blkSize(fs) == defaultLargeBlockSize)
+
+		// KV STREAM
+		// Now the KV which is different default size.
+		kv, err := s.GlobalAccount().lookupStream("KV_TEST")
+		require_NoError(t, err)
+		kv.mu.RLock()
+		fs = kv.store.(*fileStore)
+		kv.mu.RUnlock()
+		require_True(t, blkSize(fs) == defaultKVBlockSize)
+
+		// Now check NRGs
+		// TEST Stream
+		n := mset.raftNode()
+		require_True(t, n != nil)
+		fs = n.(*raft).wal.(*fileStore)
+		require_True(t, blkSize(fs) == defaultMediumBlockSize)
+		// KV TEST Stream
+		n = kv.raftNode()
+		require_True(t, n != nil)
+		fs = n.(*raft).wal.(*fileStore)
+		require_True(t, blkSize(fs) == defaultMediumBlockSize)
+		// Consumer
+		o := mset.lookupConsumer("C3")
+		require_True(t, o != nil)
+		n = o.raftNode()
+		require_True(t, n != nil)
+		fs = n.(*raft).wal.(*fileStore)
+		require_True(t, blkSize(fs) == defaultMediumBlockSize)
+	}
+}
diff --git a/server/jetstream_errors.go b/server/jetstream_errors.go
index a80a48bbd..781f98568 100644
--- a/server/jetstream_errors.go
+++ b/server/jetstream_errors.go
@@ -1,15 +1,3 @@
-// Copyright 2012-2018 The NATS Authors
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
 package server
 
 import (
diff --git a/server/jetstream_errors_generated.go b/server/jetstream_errors_generated.go
index 637893746..58bdfe305 100644
--- a/server/jetstream_errors_generated.go
+++ b/server/jetstream_errors_generated.go
@@ -1,16 +1,3 @@
-// Copyright 2012-2018 The NATS Authors
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
 // Generated code, do not edit. See errors.json and run go generate to update
 
 package server
diff --git a/server/jetstream_errors_test.go b/server/jetstream_errors_test.go
index 48c64fe7b..c7adcee33 100644
--- a/server/jetstream_errors_test.go
+++ b/server/jetstream_errors_test.go
@@ -1,15 +1,3 @@
-// Copyright 2012-2018 The NATS Authors
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
 package server
 
 import (
diff --git a/server/jetstream_helpers_test.go b/server/jetstream_helpers_test.go
index 9b9a8230b..505b82930 100644
--- a/server/jetstream_helpers_test.go
+++ b/server/jetstream_helpers_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2022 The NATS Authors
+// Copyright 2020-2023 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -37,12 +37,21 @@ import (
 func init() {
 	// Speed up raft for tests.
 	hbInterval = 50 * time.Millisecond
-	minElectionTimeout = 1 * time.Second
-	maxElectionTimeout = 3 * time.Second
-	lostQuorumInterval = time.Second
+	minElectionTimeout = 750 * time.Millisecond
+	maxElectionTimeout = 2500 * time.Millisecond
+	lostQuorumInterval = 500 * time.Millisecond
 	lostQuorumCheck = 4 * hbInterval
 }
 
+// Used to setup clusters of clusters for tests.
+type cluster struct {
+	servers  []*Server
+	opts     []*Options
+	name     string
+	t        testing.TB
+	nproxies []*netProxy
+}
+
 // Used to setup superclusters for tests.
 type supercluster struct {
 	t        *testing.T
@@ -106,6 +115,13 @@ var jsClusterAccountsTempl = `
 		routes = [%s]
 	}
 
+	websocket {
+		listen: 127.0.0.1:-1
+		compression: true
+		handshake_timeout: "5s"
+		no_tls: true
+	}
+
 	no_auth_user: one
 
 	accounts {
@@ -351,6 +367,9 @@ type gwProxy struct {
 	down int
 }
 
+// For use in normal clusters.
+type clusterProxy = gwProxy
+
 // Maps cluster names to proxy settings.
 type gwProxyMap map[string]*gwProxy
 
@@ -497,7 +516,7 @@ func (sc *supercluster) leader() *Server {
 
 func (sc *supercluster) waitOnLeader() {
 	sc.t.Helper()
-	expires := time.Now().Add(10 * time.Second)
+	expires := time.Now().Add(30 * time.Second)
 	for time.Now().Before(expires) {
 		for _, c := range sc.clusters {
 			if leader := c.leader(); leader != nil {
@@ -536,7 +555,7 @@ func (sc *supercluster) waitOnPeerCount(n int) {
 	sc.t.Helper()
 	sc.waitOnLeader()
 	leader := sc.leader()
-	expires := time.Now().Add(20 * time.Second)
+	expires := time.Now().Add(30 * time.Second)
 	for time.Now().Before(expires) {
 		peers := leader.JetStreamClusterPeers()
 		if len(peers) == n {
@@ -692,9 +711,19 @@ func createJetStreamCluster(t testing.TB, tmpl string, clusterName, snPre string
 
 type modifyCb func(serverName, clusterName, storeDir, conf string) string
 
-func createJetStreamClusterAndModHook(t testing.TB, tmpl string, clusterName, snPre string, numServers int, portStart int, waitOnReady bool, modify modifyCb) *cluster {
+func createJetStreamClusterAndModHook(t testing.TB, tmpl, cName, snPre string, numServers int, portStart int, waitOnReady bool, modify modifyCb) *cluster {
+	return createJetStreamClusterEx(t, tmpl, cName, snPre, numServers, portStart, waitOnReady, modify, nil)
+}
+
+func createJetStreamClusterWithNetProxy(t testing.TB, cName string, numServers int, cnp *clusterProxy) *cluster {
+	startPorts := []int{7_122, 9_122, 11_122, 15_122}
+	port := startPorts[rand.Intn(len(startPorts))]
+	return createJetStreamClusterEx(t, jsClusterTempl, cName, _EMPTY_, numServers, port, true, nil, cnp)
+}
+
+func createJetStreamClusterEx(t testing.TB, tmpl, cName, snPre string, numServers int, portStart int, wait bool, modify modifyCb, cnp *clusterProxy) *cluster {
 	t.Helper()
-	if clusterName == _EMPTY_ || numServers < 1 {
+	if cName == _EMPTY_ || numServers < 1 {
 		t.Fatalf("Bad params")
 	}
 
@@ -715,20 +744,32 @@ func createJetStreamClusterAndModHook(t testing.TB, tmpl string, clusterName, sn
 
 	// Build out the routes that will be shared with all configs.
 	var routes []string
+	var nproxies []*netProxy
 	for cp := portStart; cp < portStart+numServers; cp++ {
-		routes = append(routes, fmt.Sprintf("nats-route://127.0.0.1:%d", cp))
+		routeURL := fmt.Sprintf("nats-route://127.0.0.1:%d", cp)
+		if cnp != nil {
+			np := createNetProxy(cnp.rtt, cnp.up, cnp.down, routeURL, false)
+			nproxies = append(nproxies, np)
+			routeURL = np.routeURL()
+		}
+		routes = append(routes, routeURL)
 	}
 	routeConfig := strings.Join(routes, ",")
 
 	// Go ahead and build configurations and start servers.
-	c := &cluster{servers: make([]*Server, 0, numServers), opts: make([]*Options, 0, numServers), name: clusterName}
+	c := &cluster{servers: make([]*Server, 0, numServers), opts: make([]*Options, 0, numServers), name: cName, nproxies: nproxies}
+
+	// Start any proxies.
+	for _, np := range nproxies {
+		np.start()
+	}
 
 	for cp := portStart; cp < portStart+numServers; cp++ {
 		storeDir := t.TempDir()
 		sn := fmt.Sprintf("%sS-%d", snPre, cp-portStart+1)
-		conf := fmt.Sprintf(tmpl, sn, storeDir, clusterName, cp, routeConfig)
+		conf := fmt.Sprintf(tmpl, sn, storeDir, cName, cp, routeConfig)
 		if modify != nil {
-			conf = modify(sn, clusterName, storeDir, conf)
+			conf = modify(sn, cName, storeDir, conf)
 		}
 		s, o := RunServerWithConfig(createConfFile(t, []byte(conf)))
 		c.servers = append(c.servers, s)
@@ -738,7 +779,7 @@ func createJetStreamClusterAndModHook(t testing.TB, tmpl string, clusterName, sn
 
 	// Wait til we are formed and have a leader.
 	c.checkClusterFormed()
-	if waitOnReady {
+	if wait {
 		c.waitOnClusterReady()
 	}
 
@@ -870,6 +911,18 @@ var jsClusterTemplWithSingleLeafNode = `
 	accounts { $SYS { users = [ { user: "admin", pass: "s3cr3t!" } ] } }
 `
 
+var jsClusterTemplWithSingleFleetLeafNode = `
+	listen: 127.0.0.1:-1
+	server_name: %s
+	cluster: { name: fleet }
+	jetstream: {max_mem_store: 256MB, max_file_store: 2GB, store_dir: '%s'}
+
+	{{leaf}}
+
+	# For access to system account.
+	accounts { $SYS { users = [ { user: "admin", pass: "s3cr3t!" } ] } }
+`
+
 var jsClusterTemplWithSingleLeafNodeNoJS = `
 	listen: 127.0.0.1:-1
 	server_name: %s
@@ -938,8 +991,12 @@ func (c *cluster) createLeafNodeWithTemplate(name, template string) *Server {
 }
 
 func (c *cluster) createLeafNodeWithTemplateNoSystem(name, template string) *Server {
+	return c.createLeafNodeWithTemplateNoSystemWithProto(name, template, "nats")
+}
+
+func (c *cluster) createLeafNodeWithTemplateNoSystemWithProto(name, template, proto string) *Server {
 	c.t.Helper()
-	tmpl := c.createLeafSolicitNoSystem(template)
+	tmpl := c.createLeafSolicitNoSystemWithProto(template, proto)
 	conf := fmt.Sprintf(tmpl, name, c.t.TempDir())
 	s, o := RunServerWithConfig(createConfFile(c.t, []byte(conf)))
 	c.servers = append(c.servers, s)
@@ -949,6 +1006,10 @@ func (c *cluster) createLeafNodeWithTemplateNoSystem(name, template string) *Ser
 
 // Helper to generate the leaf solicit configs.
 func (c *cluster) createLeafSolicit(tmpl string) string {
+	return c.createLeafSolicitWithProto(tmpl, "nats")
+}
+
+func (c *cluster) createLeafSolicitWithProto(tmpl, proto string) string {
 	c.t.Helper()
 
 	// Create our leafnode cluster template first.
@@ -958,8 +1019,8 @@ func (c *cluster) createLeafSolicit(tmpl string) string {
 			continue
 		}
 		ln := s.getOpts().LeafNode
-		lns = append(lns, fmt.Sprintf("nats://%s:%d", ln.Host, ln.Port))
-		lnss = append(lnss, fmt.Sprintf("nats://admin:s3cr3t!@%s:%d", ln.Host, ln.Port))
+		lns = append(lns, fmt.Sprintf("%s://%s:%d", proto, ln.Host, ln.Port))
+		lnss = append(lnss, fmt.Sprintf("%s://admin:s3cr3t!@%s:%d", proto, ln.Host, ln.Port))
 	}
 	lnc := strings.Join(lns, ", ")
 	lnsc := strings.Join(lnss, ", ")
@@ -967,19 +1028,26 @@ func (c *cluster) createLeafSolicit(tmpl string) string {
 	return strings.Replace(tmpl, "{{leaf}}", lconf, 1)
 }
 
-func (c *cluster) createLeafSolicitNoSystem(tmpl string) string {
+func (c *cluster) createLeafSolicitNoSystemWithProto(tmpl, proto string) string {
 	c.t.Helper()
 
 	// Create our leafnode cluster template first.
-	var lns string
+	var lns []string
 	for _, s := range c.servers {
 		if s.ClusterName() != c.name {
 			continue
 		}
-		ln := s.getOpts().LeafNode
-		lns = fmt.Sprintf("nats://%s:%d", ln.Host, ln.Port)
+		switch proto {
+		case "nats", "tls":
+			ln := s.getOpts().LeafNode
+			lns = append(lns, fmt.Sprintf("%s://%s:%d", proto, ln.Host, ln.Port))
+		case "ws", "wss":
+			ln := s.getOpts().Websocket
+			lns = append(lns, fmt.Sprintf("%s://%s:%d", proto, ln.Host, ln.Port))
+		}
 	}
-	return strings.Replace(tmpl, "{{leaf}}", fmt.Sprintf(jsLeafNoSysFrag, lns), 1)
+	lnc := strings.Join(lns, ", ")
+	return strings.Replace(tmpl, "{{leaf}}", fmt.Sprintf(jsLeafNoSysFrag, lnc), 1)
 }
 
 func (c *cluster) createLeafNodesWithTemplateMixedMode(template, clusterName string, numJsServers, numNonServers int, doJSConfig bool) *cluster {
@@ -1203,7 +1271,7 @@ func (c *cluster) waitOnPeerCount(n int) {
 
 func (c *cluster) waitOnConsumerLeader(account, stream, consumer string) {
 	c.t.Helper()
-	expires := time.Now().Add(20 * time.Second)
+	expires := time.Now().Add(30 * time.Second)
 	for time.Now().Before(expires) {
 		if leader := c.consumerLeader(account, stream, consumer); leader != nil {
 			time.Sleep(200 * time.Millisecond)
@@ -1295,7 +1363,7 @@ func (c *cluster) waitOnServerHealthz(s *Server) {
 
 func (c *cluster) waitOnServerCurrent(s *Server) {
 	c.t.Helper()
-	expires := time.Now().Add(20 * time.Second)
+	expires := time.Now().Add(30 * time.Second)
 	for time.Now().Before(expires) {
 		time.Sleep(100 * time.Millisecond)
 		if !s.JetStreamEnabled() || s.JetStreamIsCurrent() {
@@ -1621,18 +1689,14 @@ func (np *netProxy) loop(rtt time.Duration, tbw int, r, w net.Conn) {
 
 	rl := rate.NewLimiter(rate.Limit(tbw), rbl)
 
-	for fr := true; ; {
-		sr := time.Now()
+	for {
 		n, err := r.Read(buf[:])
 		if err != nil {
 			return
 		}
 		// RTT delays
-		if fr || time.Since(sr) > 250*time.Millisecond {
-			fr = false
-			if delay > 0 {
-				time.Sleep(delay)
-			}
+		if delay > 0 {
+			time.Sleep(delay)
 		}
 		if err := rl.WaitN(ctx, n); err != nil {
 			return
diff --git a/server/jetstream_leafnode_test.go b/server/jetstream_leafnode_test.go
index abc789a9b..509827572 100644
--- a/server/jetstream_leafnode_test.go
+++ b/server/jetstream_leafnode_test.go
@@ -298,8 +298,8 @@ jetstream :{
 server_name: A
 cluster: {
 	name: clust1
-	listen: 127.0.0.1:50554
-	routes=[nats-route://127.0.0.1:50555]
+	listen: 127.0.0.1:20104
+	routes=[nats-route://127.0.0.1:20105]
 	no_advertise: true
 }
 `
@@ -327,8 +327,8 @@ jetstream: {
 server_name: B
 cluster: {
 	name: clust1
-	listen: 127.0.0.1:50555
-	routes=[nats-route://127.0.0.1:50554]
+	listen: 127.0.0.1:20105
+	routes=[nats-route://127.0.0.1:20104]
 	no_advertise: true
 }
 `
@@ -350,8 +350,8 @@ jetstream: {
 server_name: LA
 cluster: {
 	name: clustL
-	listen: 127.0.0.1:50556
-	routes=[nats-route://127.0.0.1:50557]
+	listen: 127.0.0.1:20106
+	routes=[nats-route://127.0.0.1:20107]
 	no_advertise: true
 }
 leafnodes:{
@@ -378,8 +378,8 @@ jetstream: {
 server_name: LB
 cluster: {
 	name: clustL
-	listen: 127.0.0.1:50557
-	routes=[nats-route://127.0.0.1:50556]
+	listen: 127.0.0.1:20107
+	routes=[nats-route://127.0.0.1:20106]
 	no_advertise: true
 }
 leafnodes:{
@@ -568,8 +568,8 @@ jetstream: { %s store_dir: '%s'; max_mem: 50Mb, max_file: 50Mb }
 server_name: A
 cluster: {
 	name: clust1
-	listen: 127.0.0.1:50554
-	routes=[nats-route://127.0.0.1:50555,nats-route://127.0.0.1:50556]
+	listen: 127.0.0.1:20114
+	routes=[nats-route://127.0.0.1:20115,nats-route://127.0.0.1:20116]
 	no_advertise: true
 }
 `
@@ -592,8 +592,8 @@ jetstream: { %s store_dir: '%s'; max_mem: 50Mb, max_file: 50Mb }
 server_name: B
 cluster: {
 	name: clust1
-	listen: 127.0.0.1:50555
-	routes=[nats-route://127.0.0.1:50554,nats-route://127.0.0.1:50556]
+	listen: 127.0.0.1:20115
+	routes=[nats-route://127.0.0.1:20114,nats-route://127.0.0.1:20116]
 	no_advertise: true
 }
 `
@@ -619,8 +619,8 @@ jetstream: {
 server_name: C
 cluster: {
 	name: clust1
-	listen: 127.0.0.1:50556
-	routes=[nats-route://127.0.0.1:50554,nats-route://127.0.0.1:50555]
+	listen: 127.0.0.1:20116
+	routes=[nats-route://127.0.0.1:20114,nats-route://127.0.0.1:20115]
 	no_advertise: true
 }
 `
@@ -741,8 +741,8 @@ jetstream: {
     max_file: 50Mb
 }
 leafnodes:{
-    remotes:[{url:nats://a1:a1@127.0.0.1:50555, account: A, credentials: '%s' },
-		     {url:nats://s1:s1@127.0.0.1:50555, account: SYS, credentials: '%s', deny_imports: foo, deny_exports: bar}]
+    remotes:[{url:nats://a1:a1@127.0.0.1:20125, account: A, credentials: '%s' },
+		     {url:nats://s1:s1@127.0.0.1:20125, account: SYS, credentials: '%s', deny_imports: foo, deny_exports: bar}]
 }
 `
 	akp, err := nkeys.CreateAccount()
@@ -1052,8 +1052,8 @@ jetstream : { domain: "DHUB", store_dir: '%s', max_mem: 100Mb, max_file: 100Mb }
 server_name: HUB1
 cluster: {
 	name: HUB
-	listen: 127.0.0.1:50554
-	routes=[nats-route://127.0.0.1:50555]
+	listen: 127.0.0.1:20134
+	routes=[nats-route://127.0.0.1:20135]
 }
 leafnodes: {
 	listen:127.0.0.1:-1
@@ -1070,8 +1070,8 @@ jetstream : { domain: "DHUB", store_dir: '%s', max_mem: 100Mb, max_file: 100Mb }
 server_name: HUB2
 cluster: {
 	name: HUB
-	listen: 127.0.0.1:50555
-	routes=[nats-route://127.0.0.1:50554]
+	listen: 127.0.0.1:20135
+	routes=[nats-route://127.0.0.1:20134]
 }
 leafnodes: {
 	listen:127.0.0.1:-1
@@ -1088,8 +1088,8 @@ jetstream: { domain: "DLEAF", store_dir: '%s', max_mem: 100Mb, max_file: 100Mb }
 server_name: LEAF1
 cluster: {
 	name: LEAF
-	listen: 127.0.0.1:50556
-	routes=[nats-route://127.0.0.1:50557]
+	listen: 127.0.0.1:20136
+	routes=[nats-route://127.0.0.1:20137]
 }
 leafnodes: {
     remotes:[{url:nats://a1:a1@127.0.0.1:%d, account: A},{url:nats://b1:b1@127.0.0.1:%d, account: B}]
@@ -1107,8 +1107,8 @@ jetstream: { domain: "DLEAF", store_dir: '%s', max_mem: 100Mb, max_file: 100Mb }
 server_name: LEAF2
 cluster: {
 	name: LEAF
-	listen: 127.0.0.1:50557
-	routes=[nats-route://127.0.0.1:50556]
+	listen: 127.0.0.1:20137
+	routes=[nats-route://127.0.0.1:20136]
 }
 leafnodes: {
     remotes:[{url:nats://a1:a1@127.0.0.1:%d, account: A},{url:nats://b1:b1@127.0.0.1:%d, account: B}]
diff --git a/server/jetstream_super_cluster_test.go b/server/jetstream_super_cluster_test.go
index 8abbe17c4..f229d46aa 100644
--- a/server/jetstream_super_cluster_test.go
+++ b/server/jetstream_super_cluster_test.go
@@ -3953,3 +3953,97 @@ func TestJetStreamSuperClusterGWOfflineSatus(t *testing.T) {
 		return nil
 	})
 }
+
+func TestJetStreamSuperClusterMovingR1Stream(t *testing.T) {
+	// Make C2 have some latency.
+	gwm := gwProxyMap{
+		"C2": &gwProxy{
+			rtt:  10 * time.Millisecond,
+			up:   1 * 1024 * 1024 * 1024, // 1gbit
+			down: 1 * 1024 * 1024 * 1024, // 1gbit
+		},
+	}
+	sc := createJetStreamTaggedSuperClusterWithGWProxy(t, gwm)
+	defer sc.shutdown()
+
+	nc, js := jsClientConnect(t, sc.clusterForName("C1").randomServer())
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name: "TEST",
+	})
+	require_NoError(t, err)
+
+	toSend := 10_000
+	for i := 0; i < toSend; i++ {
+		_, err := js.PublishAsync("TEST", []byte("HELLO WORLD"))
+		require_NoError(t, err)
+	}
+	select {
+	case <-js.PublishAsyncComplete():
+	case <-time.After(5 * time.Second):
+		t.Fatalf("Did not receive completion signal")
+	}
+
+	// Have it move to GCP.
+	_, err = js.UpdateStream(&nats.StreamConfig{
+		Name:      "TEST",
+		Placement: &nats.Placement{Tags: []string{"cloud:gcp"}},
+	})
+	require_NoError(t, err)
+
+	checkFor(t, 5*time.Second, 100*time.Millisecond, func() error {
+		sc.waitOnStreamLeader(globalAccountName, "TEST")
+		si, err := js.StreamInfo("TEST")
+		if err != nil {
+			return err
+		}
+		if si.Cluster.Name != "C2" {
+			return fmt.Errorf("Wrong cluster: %q", si.Cluster.Name)
+		}
+		if si.Cluster.Leader == _EMPTY_ {
+			return fmt.Errorf("No leader yet")
+		} else if !strings.HasPrefix(si.Cluster.Leader, "C2") {
+			return fmt.Errorf("Wrong leader: %q", si.Cluster.Leader)
+		}
+		// Now we want to see that we shrink back to original.
+		if len(si.Cluster.Replicas) != 0 {
+			return fmt.Errorf("Expected 0 replicas, got %d", len(si.Cluster.Replicas))
+		}
+		if si.State.Msgs != uint64(toSend) {
+			return fmt.Errorf("Only see %d msgs", si.State.Msgs)
+		}
+		return nil
+	})
+}
+
+// https://github.com/nats-io/nats-server/issues/4396
+func TestJetStreamSuperClusterR1StreamPeerRemove(t *testing.T) {
+	sc := createJetStreamSuperCluster(t, 1, 3)
+	defer sc.shutdown()
+
+	nc, js := jsClientConnect(t, sc.serverByName("C1-S1"))
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{"foo"},
+		Replicas: 1,
+	})
+	require_NoError(t, err)
+
+	si, err := js.StreamInfo("TEST")
+	require_NoError(t, err)
+
+	// Call peer remove on the only peer the leader.
+	resp, err := nc.Request(fmt.Sprintf(JSApiStreamRemovePeerT, "TEST"), []byte(`{"peer":"`+si.Cluster.Leader+`"}`), time.Second)
+	require_NoError(t, err)
+	var rpr JSApiStreamRemovePeerResponse
+	require_NoError(t, json.Unmarshal(resp.Data, &rpr))
+	require_False(t, rpr.Success)
+	require_True(t, rpr.Error.ErrCode == 10075)
+
+	// Stream should still be in place and useable.
+	_, err = js.StreamInfo("TEST")
+	require_NoError(t, err)
+}
diff --git a/server/jetstream_test.go b/server/jetstream_test.go
index 4373632a8..78987d9b5 100644
--- a/server/jetstream_test.go
+++ b/server/jetstream_test.go
@@ -3527,10 +3527,14 @@ func TestJetStreamConsumerRateLimit(t *testing.T) {
 		nc.Publish(mname, msg)
 	}
 	nc.Flush()
-	state := mset.state()
-	if state.Msgs != uint64(toSend) {
-		t.Fatalf("Expected %d messages, got %d", toSend, state.Msgs)
-	}
+
+	checkFor(t, 5*time.Second, 100*time.Millisecond, func() error {
+		state := mset.state()
+		if state.Msgs != uint64(toSend) {
+			return fmt.Errorf("Expected %d messages, got %d", toSend, state.Msgs)
+		}
+		return nil
+	})
 
 	// 100Mbit
 	rateLimit := uint64(100 * 1024 * 1024)
@@ -5336,13 +5340,15 @@ func TestJetStreamRedeliverCount(t *testing.T) {
 			nc, js := jsClientConnect(t, s)
 			defer nc.Close()
 
-			// Send 10 msgs
-			for i := 0; i < 10; i++ {
-				js.Publish("DC", []byte("OK!"))
-			}
-			if state := mset.state(); state.Msgs != 10 {
-				t.Fatalf("Expected %d messages, got %d", 10, state.Msgs)
+			if _, err = js.Publish("DC", []byte("OK!")); err != nil {
+				t.Fatal(err)
 			}
+			checkFor(t, time.Second, time.Millisecond*250, func() error {
+				if state := mset.state(); state.Msgs != 1 {
+					return fmt.Errorf("Expected %d messages, got %d", 1, state.Msgs)
+				}
+				return nil
+			})
 
 			o, err := mset.addConsumer(workerModeConfig("WQ"))
 			if err != nil {
@@ -8703,13 +8709,16 @@ func TestJetStreamMsgHeaders(t *testing.T) {
 			nc.PublishMsg(m)
 			nc.Flush()
 
-			state := mset.state()
-			if state.Msgs != 1 {
-				t.Fatalf("Expected 1 message, got %d", state.Msgs)
-			}
-			if state.Bytes == 0 {
-				t.Fatalf("Expected non-zero bytes")
-			}
+			checkFor(t, time.Second*2, time.Millisecond*250, func() error {
+				state := mset.state()
+				if state.Msgs != 1 {
+					return fmt.Errorf("Expected 1 message, got %d", state.Msgs)
+				}
+				if state.Bytes == 0 {
+					return fmt.Errorf("Expected non-zero bytes")
+				}
+				return nil
+			})
 
 			// Now access raw from stream.
 			sm, err := mset.getMsg(1)
@@ -10723,6 +10732,222 @@ func TestJetStreamAccountImportBasics(t *testing.T) {
 	}
 }
 
+// This tests whether we are able to aggregate all JetStream advisory events
+// from all accounts into a single account. Config for this test uses
+// service imports and exports as that allows for gathering all events
+// without having to know the account name and without separate entries
+// for each account in aggregate account config.
+// This test fails as it is not receiving the api audit event ($JS.EVENT.ADVISORY.API).
+func TestJetStreamAccountImportJSAdvisoriesAsService(t *testing.T) {
+	conf := createConfFile(t, []byte(`
+		listen=127.0.0.1:-1
+		no_auth_user: pp
+		jetstream: {max_mem_store: 64GB, max_file_store: 10TB}
+		accounts {
+			JS {
+				jetstream: enabled
+				users: [ {user: pp, password: foo} ]
+				imports [
+					{ service: { account: AGG, subject: '$JS.EVENT.ADVISORY.ACC.JS.>' }, to: '$JS.EVENT.ADVISORY.>' }
+				]
+			}
+			AGG {
+				users: [ {user: agg, password: foo} ]
+				exports: [
+					{ service: '$JS.EVENT.ADVISORY.ACC.*.>', response: Singleton, account_token_position: 5 }
+				]
+			}
+		}
+	`))
+
+	s, _ := RunServerWithConfig(conf)
+	if config := s.JetStreamConfig(); config != nil {
+		defer removeDir(t, config.StoreDir)
+	}
+	defer s.Shutdown()
+
+	// This should be the pp user, one which manages JetStream assets
+	ncJS, err := nats.Connect(s.ClientURL())
+	if err != nil {
+		t.Fatalf("Unexpected error during connect: %v", err)
+	}
+	defer ncJS.Close()
+
+	// This is the agg user, which should aggregate all JS advisory events.
+	ncAgg, err := nats.Connect(s.ClientURL(), nats.UserInfo("agg", "foo"))
+	if err != nil {
+		t.Fatalf("Unexpected error during connect: %v", err)
+	}
+	defer ncAgg.Close()
+
+	js, err := ncJS.JetStream()
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+
+	// user from JS account should receive events on $JS.EVENT.ADVISORY.> subject
+	subJS, err := ncJS.SubscribeSync("$JS.EVENT.ADVISORY.>")
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+	defer subJS.Unsubscribe()
+
+	// user from AGG account should receive events on mapped $JS.EVENT.ADVISORY.ACC.JS.> subject (with account name)
+	subAgg, err := ncAgg.SubscribeSync("$JS.EVENT.ADVISORY.ACC.JS.>")
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+
+	// add stream using JS account
+	// this should trigger 2 events:
+	// - an action event on $JS.EVENT.ADVISORY.STREAM.CREATED.ORDERS
+	// - an api audit event on $JS.EVENT.ADVISORY.API
+	_, err = js.AddStream(&nats.StreamConfig{Name: "ORDERS", Subjects: []string{"ORDERS.*"}})
+	if err != nil {
+		t.Fatalf("Unexpected error adding stream: %v", err)
+	}
+
+	gotEvents := map[string]int{}
+	for i := 0; i < 2; i++ {
+		msg, err := subJS.NextMsg(time.Second * 2)
+		if err != nil {
+			t.Fatalf("Unexpected error: %v", err)
+		}
+		gotEvents[msg.Subject]++
+	}
+	if c := gotEvents["$JS.EVENT.ADVISORY.STREAM.CREATED.ORDERS"]; c != 1 {
+		t.Fatalf("Should have received one advisory from $JS.EVENT.ADVISORY.STREAM.CREATED.ORDERS but got %d", c)
+	}
+	if c := gotEvents["$JS.EVENT.ADVISORY.API"]; c != 1 {
+		t.Fatalf("Should have received one advisory from $JS.EVENT.ADVISORY.API but got %d", c)
+	}
+
+	// same set of events should be received by AGG account
+	// on subjects containing account name (ACC.JS)
+	gotEvents = map[string]int{}
+	for i := 0; i < 2; i++ {
+		msg, err := subAgg.NextMsg(time.Second * 2)
+		if err != nil {
+			t.Fatalf("Unexpected error: %v", err)
+		}
+		gotEvents[msg.Subject]++
+	}
+	if c := gotEvents["$JS.EVENT.ADVISORY.ACC.JS.STREAM.CREATED.ORDERS"]; c != 1 {
+		t.Fatalf("Should have received one advisory from $JS.EVENT.ADVISORY.ACC.JS.STREAM.CREATED.ORDERS but got %d", c)
+	}
+	if c := gotEvents["$JS.EVENT.ADVISORY.ACC.JS.API"]; c != 1 {
+		t.Fatalf("Should have received one advisory from $JS.EVENT.ADVISORY.ACC.JS.API but got %d", c)
+	}
+}
+
+// This tests whether we are able to aggregate all JetStream advisory events
+// from all accounts into a single account. Config for this test uses
+// stream imports and exports as that allows for gathering all events
+// as long as there is a separate stream import entry for each account
+// in aggregate account config.
+func TestJetStreamAccountImportJSAdvisoriesAsStream(t *testing.T) {
+	conf := createConfFile(t, []byte(`
+		listen=127.0.0.1:-1
+		no_auth_user: pp
+		jetstream: {max_mem_store: 64GB, max_file_store: 10TB}
+		accounts {
+			JS {
+				jetstream: enabled
+				users: [ {user: pp, password: foo} ]
+				exports [
+					{ stream: '$JS.EVENT.ADVISORY.>' }
+				]
+			}
+			AGG {
+				users: [ {user: agg, password: foo} ]
+				imports: [
+					{ stream: { account: JS, subject: '$JS.EVENT.ADVISORY.>' }, to: '$JS.EVENT.ADVISORY.ACC.JS.>' }
+				]
+			}
+		}
+	`))
+
+	s, _ := RunServerWithConfig(conf)
+	if config := s.JetStreamConfig(); config != nil {
+		defer removeDir(t, config.StoreDir)
+	}
+	defer s.Shutdown()
+
+	// This should be the pp user, one which manages JetStream assets
+	ncJS, err := nats.Connect(s.ClientURL())
+	if err != nil {
+		t.Fatalf("Unexpected error during connect: %v", err)
+	}
+	defer ncJS.Close()
+
+	// This is the agg user, which should aggregate all JS advisory events.
+	ncAgg, err := nats.Connect(s.ClientURL(), nats.UserInfo("agg", "foo"))
+	if err != nil {
+		t.Fatalf("Unexpected error during connect: %v", err)
+	}
+	defer ncAgg.Close()
+
+	js, err := ncJS.JetStream()
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+
+	// user from JS account should receive events on $JS.EVENT.ADVISORY.> subject
+	subJS, err := ncJS.SubscribeSync("$JS.EVENT.ADVISORY.>")
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+	defer subJS.Unsubscribe()
+
+	// user from AGG account should receive events on mapped $JS.EVENT.ADVISORY.ACC.JS.> subject (with account name)
+	subAgg, err := ncAgg.SubscribeSync("$JS.EVENT.ADVISORY.ACC.JS.>")
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+
+	// add stream using JS account
+	// this should trigger 2 events:
+	// - an action event on $JS.EVENT.ADVISORY.STREAM.CREATED.ORDERS
+	// - an api audit event on $JS.EVENT.ADVISORY.API
+	_, err = js.AddStream(&nats.StreamConfig{Name: "ORDERS", Subjects: []string{"ORDERS.*"}})
+	if err != nil {
+		t.Fatalf("Unexpected error adding stream: %v", err)
+	}
+	msg, err := subJS.NextMsg(time.Second)
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+	if msg.Subject != "$JS.EVENT.ADVISORY.STREAM.CREATED.ORDERS" {
+		t.Fatalf("Unexpected subject: %q", msg.Subject)
+	}
+	msg, err = subJS.NextMsg(time.Second)
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+	if msg.Subject != "$JS.EVENT.ADVISORY.API" {
+		t.Fatalf("Unexpected subject: %q", msg.Subject)
+	}
+
+	// same set of events should be received by AGG account
+	// on subjects containing account name (ACC.JS)
+	msg, err = subAgg.NextMsg(time.Second)
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+	if msg.Subject != "$JS.EVENT.ADVISORY.ACC.JS.STREAM.CREATED.ORDERS" {
+		t.Fatalf("Unexpected subject: %q", msg.Subject)
+	}
+
+	// when using stream instead of service, we get all events
+	msg, err = subAgg.NextMsg(time.Second)
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+	if msg.Subject != "$JS.EVENT.ADVISORY.ACC.JS.API" {
+		t.Fatalf("Unexpected subject: %q", msg.Subject)
+	}
+}
+
 // This is for importing all of JetStream into another account for admin purposes.
 func TestJetStreamAccountImportAll(t *testing.T) {
 	conf := createConfFile(t, []byte(`
@@ -16732,6 +16957,63 @@ func TestJetStreamDisabledHealthz(t *testing.T) {
 	t.Fatalf("Expected healthz to return error if JetStream is disabled, got status: %s", hs.Status)
 }
 
+func TestJetStreamPullTimeout(t *testing.T) {
+	s := RunBasicJetStreamServer(t)
+	defer s.Shutdown()
+
+	nc, js := jsClientConnect(t, s)
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name: "TEST",
+	})
+	require_NoError(t, err)
+
+	_, err = js.AddConsumer("TEST", &nats.ConsumerConfig{
+		Durable:   "pr",
+		AckPolicy: nats.AckExplicitPolicy,
+	})
+	require_NoError(t, err)
+
+	const numMessages = 1000
+	// Send messages in small intervals.
+	go func() {
+		for i := 0; i < numMessages; i++ {
+			time.Sleep(time.Millisecond * 10)
+			sendStreamMsg(t, nc, "TEST", "data")
+		}
+	}()
+
+	// Prepare manual Pull Request.
+	req := &JSApiConsumerGetNextRequest{Batch: 200, NoWait: false, Expires: time.Millisecond * 100}
+	jreq, _ := json.Marshal(req)
+
+	subj := fmt.Sprintf(JSApiRequestNextT, "TEST", "pr")
+	reply := "_pr_"
+	var got atomic.Int32
+	nc.PublishRequest(subj, reply, jreq)
+
+	// Manually subscribe to inbox subject and send new request only if we get `408 Request Timeout`.
+	sub, _ := nc.Subscribe(reply, func(msg *nats.Msg) {
+		if msg.Header.Get("Status") == "408" && msg.Header.Get("Description") == "Request Timeout" {
+			nc.PublishRequest(subj, reply, jreq)
+			nc.Flush()
+		} else {
+			got.Add(1)
+			msg.Ack()
+		}
+	})
+	defer sub.Unsubscribe()
+
+	// Check if we're not stuck.
+	checkFor(t, time.Second*30, time.Second*1, func() error {
+		if got.Load() < int32(numMessages) {
+			return fmt.Errorf("expected %d messages", numMessages)
+		}
+		return nil
+	})
+}
+
 func TestJetStreamPullMaxBytes(t *testing.T) {
 	s := RunBasicJetStreamServer(t)
 	defer s.Shutdown()
@@ -18785,6 +19067,7 @@ func TestJetStreamAccountPurge(t *testing.T) {
 	require_NoError(t, os.Remove(storeDir+"/jwt/"+accpub+".jwt"))
 
 	s, o = RunServerWithConfig(o.ConfigFile)
+	defer s.Shutdown()
 	inspectDirs(t, 1)
 	purge(t)
 	inspectDirs(t, 0)
@@ -19202,6 +19485,45 @@ func TestJetStreamMetaDataFailOnKernelFault(t *testing.T) {
 	require_True(t, si.State.Msgs == 10)
 }
 
+func TestJetstreamConsumerSingleTokenSubject(t *testing.T) {
+
+	s := RunBasicJetStreamServer(t)
+	defer s.Shutdown()
+
+	nc, js := jsClientConnect(t, s)
+	defer nc.Close()
+
+	filterSubject := "foo"
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{filterSubject},
+	})
+	require_NoError(t, err)
+
+	req, err := json.Marshal(&CreateConsumerRequest{Stream: "TEST", Config: ConsumerConfig{
+		FilterSubject: filterSubject,
+		Name:          "name",
+	}})
+
+	if err != nil {
+		t.Fatalf("failed to marshal consumer create request: %v", err)
+	}
+
+	resp, err := nc.Request(fmt.Sprintf("$JS.API.CONSUMER.CREATE.%s.%s.%s", "TEST", "name", "not_filter_subject"), req, time.Second*10)
+
+	var apiResp ApiResponse
+	json.Unmarshal(resp.Data, &apiResp)
+	if err != nil {
+		t.Fatalf("failed to unmarshal response: %v", err)
+	}
+	if apiResp.Error == nil {
+		t.Fatalf("expected error, got nil")
+	}
+	if apiResp.Error.ErrCode != 10131 {
+		t.Fatalf("expected error 10131, got %v", apiResp.Error)
+	}
+}
+
 // https://github.com/nats-io/nats-server/issues/3734
 func TestJetStreamMsgBlkFailOnKernelFault(t *testing.T) {
 	s := RunBasicJetStreamServer(t)
@@ -19726,3 +20048,451 @@ func TestJetStreamConsumerAckFloorWithExpired(t *testing.T) {
 	require_True(t, ci.NumPending == 0)
 	require_True(t, ci.NumRedelivered == 0)
 }
+
+func TestJetStreamConsumerWithFormattingSymbol(t *testing.T) {
+	s := RunBasicJetStreamServer(t)
+	defer s.Shutdown()
+
+	nc, js := jsClientConnect(t, s)
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:     "Test%123",
+		Subjects: []string{"foo"},
+	})
+	require_NoError(t, err)
+
+	for i := 0; i < 10; i++ {
+		sendStreamMsg(t, nc, "foo", "OK")
+	}
+
+	_, err = js.AddConsumer("Test%123", &nats.ConsumerConfig{
+		Durable:        "Test%123",
+		FilterSubject:  "foo",
+		DeliverSubject: "bar",
+	})
+	require_NoError(t, err)
+
+	sub, err := js.SubscribeSync("foo", nats.Bind("Test%123", "Test%123"))
+	require_NoError(t, err)
+
+	_, err = sub.NextMsg(time.Second * 5)
+	require_NoError(t, err)
+}
+
+func TestJetStreamStreamUpdateWithExternalSource(t *testing.T) {
+	ho := DefaultTestOptions
+	ho.Port = -1
+	ho.LeafNode.Host = "127.0.0.1"
+	ho.LeafNode.Port = -1
+	ho.JetStream = true
+	ho.JetStreamDomain = "hub"
+	ho.StoreDir = t.TempDir()
+	hs := RunServer(&ho)
+	defer hs.Shutdown()
+
+	lu, err := url.Parse(fmt.Sprintf("nats://127.0.0.1:%d", ho.LeafNode.Port))
+	require_NoError(t, err)
+
+	lo1 := DefaultTestOptions
+	lo1.Port = -1
+	lo1.ServerName = "a-leaf"
+	lo1.JetStream = true
+	lo1.StoreDir = t.TempDir()
+	lo1.JetStreamDomain = "a-leaf"
+	lo1.LeafNode.Remotes = []*RemoteLeafOpts{{URLs: []*url.URL{lu}}}
+	l1 := RunServer(&lo1)
+	defer l1.Shutdown()
+
+	checkLeafNodeConnected(t, l1)
+
+	// Test sources with `External` provided
+	ncl, jsl := jsClientConnect(t, l1)
+	defer ncl.Close()
+
+	// Hub stream.
+	_, err = jsl.AddStream(&nats.StreamConfig{Name: "stream", Subjects: []string{"leaf"}})
+	require_NoError(t, err)
+
+	nch, jsh := jsClientConnect(t, hs)
+	defer nch.Close()
+
+	// Leaf stream.
+	// Both streams uses the same name, as we're testing if overlap does not check against itself
+	// if `External` stream has the same name.
+	_, err = jsh.AddStream(&nats.StreamConfig{
+		Name:     "stream",
+		Subjects: []string{"hub"},
+	})
+	require_NoError(t, err)
+
+	// Add `Sources`.
+	// This should not validate subjects overlap against itself.
+	_, err = jsh.UpdateStream(&nats.StreamConfig{
+		Name:     "stream",
+		Subjects: []string{"hub"},
+		Sources: []*nats.StreamSource{
+			{
+				Name:          "stream",
+				FilterSubject: "leaf",
+				External: &nats.ExternalStream{
+					APIPrefix: "$JS.a-leaf.API",
+				},
+			},
+		},
+	})
+	require_NoError(t, err)
+
+	// Specifying not existing FilterSubject should also be fine, as we do not validate `External` stream.
+	_, err = jsh.UpdateStream(&nats.StreamConfig{
+		Name:     "stream",
+		Subjects: []string{"hub"},
+		Sources: []*nats.StreamSource{
+			{
+				Name:          "stream",
+				FilterSubject: "foo",
+				External: &nats.ExternalStream{
+					APIPrefix: "$JS.a-leaf.API",
+				},
+			},
+		},
+	})
+	require_NoError(t, err)
+
+	// Add one more stream to the Hub, so when we source it, it is not `External`.
+	_, err = jsh.AddStream(&nats.StreamConfig{Name: "other", Subjects: []string{"other"}})
+	require_NoError(t, err)
+
+	_, err = jsh.UpdateStream(&nats.StreamConfig{
+		Name:     "stream",
+		Subjects: []string{"hub"},
+		Sources: []*nats.StreamSource{
+			{
+				Name:          "other",
+				FilterSubject: "foo",
+			},
+		},
+	})
+	require_Error(t, err)
+	require_True(t, strings.Contains(err.Error(), "does not overlap"))
+}
+
+func TestJetStreamKVHistoryRegression(t *testing.T) {
+	s := RunBasicJetStreamServer(t)
+	defer s.Shutdown()
+
+	nc, js := jsClientConnect(t, s)
+	defer nc.Close()
+
+	for _, storage := range []nats.StorageType{nats.FileStorage, nats.MemoryStorage} {
+		t.Run(storage.String(), func(t *testing.T) {
+			js.DeleteKeyValue("TEST")
+
+			kv, err := js.CreateKeyValue(&nats.KeyValueConfig{
+				Bucket:  "TEST",
+				History: 4,
+				Storage: storage,
+			})
+			require_NoError(t, err)
+
+			r1, err := kv.Create("foo", []byte("a"))
+			require_NoError(t, err)
+
+			_, err = kv.Update("foo", []byte("ab"), r1)
+			require_NoError(t, err)
+
+			err = kv.Delete("foo")
+			require_NoError(t, err)
+
+			_, err = kv.Create("foo", []byte("abc"))
+			require_NoError(t, err)
+
+			err = kv.Delete("foo")
+			require_NoError(t, err)
+
+			history, err := kv.History("foo")
+			require_NoError(t, err)
+			require_True(t, len(history) == 4)
+
+			_, err = kv.Update("foo", []byte("abcd"), history[len(history)-1].Revision())
+			require_NoError(t, err)
+
+			err = kv.Purge("foo")
+			require_NoError(t, err)
+
+			_, err = kv.Create("foo", []byte("abcde"))
+			require_NoError(t, err)
+
+			err = kv.Purge("foo")
+			require_NoError(t, err)
+
+			history, err = kv.History("foo")
+			require_NoError(t, err)
+			require_True(t, len(history) == 1)
+		})
+	}
+}
+
+func TestJetStreamSnapshotRestoreStallAndHealthz(t *testing.T) {
+	s := RunBasicJetStreamServer(t)
+	defer s.Shutdown()
+
+	nc, js := jsClientConnect(t, s)
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:     "ORDERS",
+		Subjects: []string{"orders.*"},
+	})
+	require_NoError(t, err)
+
+	for i := 0; i < 1000; i++ {
+		sendStreamMsg(t, nc, "orders.created", "new order")
+	}
+
+	hs := s.healthz(nil)
+	if hs.Status != "ok" || hs.Error != _EMPTY_ {
+		t.Fatalf("Expected health to be ok, got %+v", hs)
+	}
+
+	// Simulate the staging directory for restores. This is normally cleaned up
+	// but since its at the root of the storage directory make sure healthz is not affected.
+	snapDir := filepath.Join(s.getJetStream().config.StoreDir, snapStagingDir)
+	require_NoError(t, os.MkdirAll(snapDir, defaultDirPerms))
+
+	// Make sure healthz ok.
+	hs = s.healthz(nil)
+	if hs.Status != "ok" || hs.Error != _EMPTY_ {
+		t.Fatalf("Expected health to be ok, got %+v", hs)
+	}
+}
+
+// https://github.com/nats-io/nats-server/pull/4163
+func TestJetStreamMaxBytesIgnored(t *testing.T) {
+	s := RunBasicJetStreamServer(t)
+	defer s.Shutdown()
+
+	nc, js := jsClientConnect(t, s)
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{"*"},
+		MaxBytes: 10 * 1024 * 1024,
+	})
+	require_NoError(t, err)
+
+	msg := bytes.Repeat([]byte("A"), 1024*1024)
+
+	for i := 0; i < 10; i++ {
+		_, err := js.Publish("x", msg)
+		require_NoError(t, err)
+	}
+
+	si, err := js.StreamInfo("TEST")
+	require_NoError(t, err)
+	require_True(t, si.State.Msgs == 9)
+
+	// Stop current
+	sd := s.JetStreamConfig().StoreDir
+	s.Shutdown()
+
+	// We will remove the idx file and truncate the blk and fss files.
+	mdir := filepath.Join(sd, "$G", "streams", "TEST", "msgs")
+	// Remove idx
+	err = os.Remove(filepath.Join(mdir, "1.idx"))
+	require_NoError(t, err)
+	// Truncate fss
+	err = os.WriteFile(filepath.Join(mdir, "1.fss"), nil, defaultFilePerms)
+	require_NoError(t, err)
+	// Truncate blk
+	err = os.WriteFile(filepath.Join(mdir, "1.blk"), nil, defaultFilePerms)
+	require_NoError(t, err)
+
+	// Restart.
+	s = RunJetStreamServerOnPort(-1, sd)
+	defer s.Shutdown()
+
+	nc, js = jsClientConnect(t, s)
+	defer nc.Close()
+
+	for i := 0; i < 10; i++ {
+		_, err := js.Publish("x", msg)
+		require_NoError(t, err)
+	}
+
+	si, err = js.StreamInfo("TEST")
+	require_NoError(t, err)
+	require_True(t, si.State.Bytes <= 10*1024*1024)
+}
+
+func TestJetStreamLastSequenceBySubjectConcurrent(t *testing.T) {
+	for _, st := range []StorageType{FileStorage, MemoryStorage} {
+		t.Run(st.String(), func(t *testing.T) {
+			c := createJetStreamClusterExplicit(t, "JSC", 3)
+			defer c.shutdown()
+
+			nc0, js0 := jsClientConnect(t, c.randomServer())
+			defer nc0.Close()
+
+			nc1, js1 := jsClientConnect(t, c.randomServer())
+			defer nc1.Close()
+
+			cfg := StreamConfig{
+				Name:     "KV",
+				Subjects: []string{"kv.>"},
+				Storage:  st,
+				Replicas: 3,
+			}
+
+			req, err := json.Marshal(cfg)
+			if err != nil {
+				t.Fatalf("Unexpected error: %v", err)
+			}
+			// Do manually for now.
+			m, err := nc0.Request(fmt.Sprintf(JSApiStreamCreateT, cfg.Name), req, time.Second)
+			require_NoError(t, err)
+			si, err := js0.StreamInfo("KV")
+			if err != nil {
+				t.Fatalf("Unexpected error: %v, respmsg: %q", err, string(m.Data))
+			}
+			if si == nil || si.Config.Name != "KV" {
+				t.Fatalf("StreamInfo is not correct %+v", si)
+			}
+
+			pub := func(js nats.JetStreamContext, subj, data, seq string) {
+				t.Helper()
+				m := nats.NewMsg(subj)
+				m.Data = []byte(data)
+				m.Header.Set(JSExpectedLastSubjSeq, seq)
+				js.PublishMsg(m)
+			}
+
+			ready := make(chan struct{})
+			wg := &sync.WaitGroup{}
+			wg.Add(2)
+
+			go func() {
+				<-ready
+				pub(js0, "kv.foo", "0-0", "0")
+				pub(js0, "kv.foo", "0-1", "1")
+				pub(js0, "kv.foo", "0-2", "2")
+				wg.Done()
+			}()
+
+			go func() {
+				<-ready
+				pub(js1, "kv.foo", "1-0", "0")
+				pub(js1, "kv.foo", "1-1", "1")
+				pub(js1, "kv.foo", "1-2", "2")
+				wg.Done()
+			}()
+
+			time.Sleep(50 * time.Millisecond)
+			close(ready)
+			wg.Wait()
+
+			// Read the messages.
+			sub, err := js0.PullSubscribe(_EMPTY_, _EMPTY_, nats.BindStream("KV"))
+			require_NoError(t, err)
+			msgs, err := sub.Fetch(10)
+			require_NoError(t, err)
+			if len(msgs) != 3 {
+				t.Errorf("Expected 3 messages, got %d", len(msgs))
+			}
+			for i, m := range msgs {
+				if m.Header.Get(JSExpectedLastSubjSeq) != fmt.Sprint(i) {
+					t.Errorf("Expected %d for last sequence, got %q", i, m.Header.Get(JSExpectedLastSubjSeq))
+				}
+			}
+		})
+	}
+}
+
+func TestJetStreamUsageSyncDeadlock(t *testing.T) {
+	s := RunBasicJetStreamServer(t)
+	defer s.Shutdown()
+
+	nc, js := jsClientConnect(t, s)
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{"*"},
+	})
+	require_NoError(t, err)
+
+	sendStreamMsg(t, nc, "foo", "hello")
+
+	// Now purposely mess up the usage that will force a sync.
+	// Without the fix this will deadlock.
+	jsa := s.getJetStream().lookupAccount(s.GlobalAccount())
+	jsa.usageMu.Lock()
+	st, ok := jsa.usage[_EMPTY_]
+	require_True(t, ok)
+	st.local.store = -1000
+	jsa.usageMu.Unlock()
+
+	sendStreamMsg(t, nc, "foo", "hello")
+}
+
+// https://github.com/nats-io/nats.go/issues/1382
+// https://github.com/nats-io/nats-server/issues/4445
+func TestJetStreamChangeMaxMessagesPerSubject(t *testing.T) {
+	s := RunBasicJetStreamServer(t)
+	defer s.Shutdown()
+
+	nc, js := jsClientConnect(t, s)
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:              "TEST",
+		Subjects:          []string{"one.>"},
+		MaxMsgsPerSubject: 5,
+	})
+	require_NoError(t, err)
+
+	for i := 0; i < 10; i++ {
+		sendStreamMsg(t, nc, "one.data", "data")
+	}
+
+	expectMsgs := func(num int32) error {
+		t.Helper()
+
+		var msgs atomic.Int32
+		sub, err := js.Subscribe("one.>", func(msg *nats.Msg) {
+			msgs.Add(1)
+			msg.Ack()
+		})
+		require_NoError(t, err)
+		defer sub.Unsubscribe()
+
+		checkFor(t, 5*time.Second, 100*time.Millisecond, func() error {
+			if nm := msgs.Load(); nm != num {
+				return fmt.Errorf("expected to get %v messages, got %v instead", num, nm)
+			}
+			return nil
+		})
+		return nil
+	}
+
+	require_NoError(t, expectMsgs(5))
+
+	js.UpdateStream(&nats.StreamConfig{
+		Name:              "TEST",
+		Subjects:          []string{"one.>"},
+		MaxMsgsPerSubject: 3,
+	})
+
+	info, err := js.StreamInfo("TEST")
+	require_NoError(t, err)
+	require_True(t, info.Config.MaxMsgsPerSubject == 3)
+	require_True(t, info.State.Msgs == 3)
+
+	require_NoError(t, expectMsgs(3))
+
+	for i := 0; i < 10; i++ {
+		sendStreamMsg(t, nc, "one.data", "data")
+	}
+
+	require_NoError(t, expectMsgs(3))
+}
diff --git a/server/jwt_test.go b/server/jwt_test.go
index 108589243..58884b97c 100644
--- a/server/jwt_test.go
+++ b/server/jwt_test.go
@@ -3692,7 +3692,7 @@ func TestJWTAccountNATSResolverCrossClusterFetch(t *testing.T) {
 			listen: 127.0.0.1:-1
 			no_advertise: true
 		}
-    `, ojwt, syspub, dirAA)))
+       `, ojwt, syspub, dirAA)))
 	sAA, _ := RunServerWithConfig(confAA)
 	defer sAA.Shutdown()
 	// Create Server B (using no_advertise to prevent fail over)
@@ -3718,7 +3718,7 @@ func TestJWTAccountNATSResolverCrossClusterFetch(t *testing.T) {
 				nats-route://127.0.0.1:%d
 			]
 		}
-    `, ojwt, syspub, dirAB, sAA.opts.Cluster.Port)))
+       `, ojwt, syspub, dirAB, sAA.opts.Cluster.Port)))
 	sAB, _ := RunServerWithConfig(confAB)
 	defer sAB.Shutdown()
 	// Create Server C (using no_advertise to prevent fail over)
@@ -3744,10 +3744,10 @@ func TestJWTAccountNATSResolverCrossClusterFetch(t *testing.T) {
 			listen: 127.0.0.1:-1
 			no_advertise: true
 		}
-    `, ojwt, syspub, dirBA, sAA.opts.Gateway.Port)))
+       `, ojwt, syspub, dirBA, sAA.opts.Gateway.Port)))
 	sBA, _ := RunServerWithConfig(confBA)
 	defer sBA.Shutdown()
-	// Create Sever BA  (using no_advertise to prevent fail over)
+	// Create Server BA (using no_advertise to prevent fail over)
 	confBB := createConfFile(t, []byte(fmt.Sprintf(`
 		listen: 127.0.0.1:-1
 		server_name: srv-B-B
@@ -3773,7 +3773,7 @@ func TestJWTAccountNATSResolverCrossClusterFetch(t *testing.T) {
 				{name: "clust-A", url: "nats://127.0.0.1:%d"},
 			]
 		}
-    `, ojwt, syspub, dirBB, sBA.opts.Cluster.Port, sAA.opts.Cluster.Port)))
+       `, ojwt, syspub, dirBB, sBA.opts.Cluster.Port, sAA.opts.Cluster.Port)))
 	sBB, _ := RunServerWithConfig(confBB)
 	defer sBB.Shutdown()
 	// Assert topology
@@ -6592,3 +6592,190 @@ func TestServerOperatorModeNoAuthRequired(t *testing.T) {
 
 	require_True(t, nc.AuthRequired())
 }
+
+func TestJWTAccountNATSResolverWrongCreds(t *testing.T) {
+	require_NoLocalOrRemoteConnections := func(account string, srvs ...*Server) {
+		t.Helper()
+		for _, srv := range srvs {
+			if acc, ok := srv.accounts.Load(account); ok {
+				checkAccClientsCount(t, acc.(*Account), 0)
+			}
+		}
+	}
+	connect := func(url string, credsfile string, acc string, srvs ...*Server) {
+		t.Helper()
+		nc := natsConnect(t, url, nats.UserCredentials(credsfile), nats.Timeout(5*time.Second))
+		nc.Close()
+		require_NoLocalOrRemoteConnections(acc, srvs...)
+	}
+	createAccountAndUser := func(limit bool, done chan struct{}, pubKey, jwt1, jwt2, creds *string) {
+		t.Helper()
+		kp, _ := nkeys.CreateAccount()
+		*pubKey, _ = kp.PublicKey()
+		claim := jwt.NewAccountClaims(*pubKey)
+		var err error
+		*jwt1, err = claim.Encode(oKp)
+		require_NoError(t, err)
+		*jwt2, err = claim.Encode(oKp)
+		require_NoError(t, err)
+		ukp, _ := nkeys.CreateUser()
+		seed, _ := ukp.Seed()
+		upub, _ := ukp.PublicKey()
+		uclaim := newJWTTestUserClaims()
+		uclaim.Subject = upub
+		ujwt, err := uclaim.Encode(kp)
+		require_NoError(t, err)
+		*creds = genCredsFile(t, ujwt, seed)
+		done <- struct{}{}
+	}
+	// Create Accounts and corresponding user creds.
+	doneChan := make(chan struct{}, 4)
+	defer close(doneChan)
+	var syspub, sysjwt, dummy1, sysCreds string
+	createAccountAndUser(false, doneChan, &syspub, &sysjwt, &dummy1, &sysCreds)
+
+	var apub, ajwt1, ajwt2, aCreds string
+	createAccountAndUser(true, doneChan, &apub, &ajwt1, &ajwt2, &aCreds)
+
+	var bpub, bjwt1, bjwt2, bCreds string
+	createAccountAndUser(true, doneChan, &bpub, &bjwt1, &bjwt2, &bCreds)
+
+	// The one that is going to be missing.
+	var cpub, cjwt1, cjwt2, cCreds string
+	createAccountAndUser(true, doneChan, &cpub, &cjwt1, &cjwt2, &cCreds)
+	for i := 0; i < cap(doneChan); i++ {
+		<-doneChan
+	}
+	// Create one directory for each server
+	dirA := t.TempDir()
+	dirB := t.TempDir()
+	dirC := t.TempDir()
+
+	// Store accounts on servers A and B, then let C sync on its own.
+	writeJWT(t, dirA, apub, ajwt1)
+	writeJWT(t, dirB, bpub, bjwt1)
+
+	/////////////////////////////////////////
+	//                                     //
+	//   Server A: has creds from client A //
+	//                                     //
+	/////////////////////////////////////////
+	confA := createConfFile(t, []byte(fmt.Sprintf(`
+		listen: 127.0.0.1:-1
+		server_name: srv-A
+		operator: %s
+		system_account: %s
+                debug: true
+		resolver: {
+			type: full
+			dir: '%s'
+			allow_delete: true
+			timeout: "1.5s"
+			interval: "200ms"
+		}
+		resolver_preload: {
+			%s: %s
+		}
+		cluster {
+			name: clust
+			listen: 127.0.0.1:-1
+			no_advertise: true
+		}
+       `, ojwt, syspub, dirA, apub, ajwt1)))
+	sA, _ := RunServerWithConfig(confA)
+	defer sA.Shutdown()
+	require_JWTPresent(t, dirA, apub)
+
+	/////////////////////////////////////////
+	//                                     //
+	//   Server B: has creds from client B //
+	//                                     //
+	/////////////////////////////////////////
+	confB := createConfFile(t, []byte(fmt.Sprintf(`
+		listen: 127.0.0.1:-1
+		server_name: srv-B
+		operator: %s
+		system_account: %s
+		resolver: {
+			type: full
+			dir: '%s'
+			allow_delete: true
+			timeout: "1.5s"
+			interval: "200ms"
+		}
+		cluster {
+			name: clust
+			listen: 127.0.0.1:-1
+			no_advertise: true
+			routes [
+				nats-route://127.0.0.1:%d
+			]
+		}
+        `, ojwt, syspub, dirB, sA.opts.Cluster.Port)))
+	sB, _ := RunServerWithConfig(confB)
+	defer sB.Shutdown()
+
+	/////////////////////////////////////////
+	//                                     //
+	//   Server C: has no creds            //
+	//                                     //
+	/////////////////////////////////////////
+	fmtC := `
+		listen: 127.0.0.1:-1
+		server_name: srv-C
+		operator: %s
+		system_account: %s
+		resolver: {
+			type: full
+			dir: '%s'
+			allow_delete: true
+			timeout: "1.5s"
+			interval: "200ms"
+		}
+		cluster {
+			name: clust
+			listen: 127.0.0.1:-1
+			no_advertise: true
+			routes [
+				nats-route://127.0.0.1:%d
+			]
+		}
+    `
+	confClongTTL := createConfFile(t, []byte(fmt.Sprintf(fmtC, ojwt, syspub, dirC, sA.opts.Cluster.Port)))
+	sC, _ := RunServerWithConfig(confClongTTL) // use long ttl to assure it is not kicking
+	defer sC.Shutdown()
+
+	// startup cluster
+	checkClusterFormed(t, sA, sB, sC)
+	time.Sleep(1 * time.Second) // wait for the protocol to converge
+	// // Check all accounts
+	require_JWTPresent(t, dirA, apub) // was already present on startup
+	require_JWTPresent(t, dirB, apub) // was copied from server A
+	require_JWTPresent(t, dirA, bpub) // was copied from server B
+	require_JWTPresent(t, dirB, bpub) // was already present on startup
+
+	// There should be no state about the missing account.
+	require_JWTAbsent(t, dirA, cpub)
+	require_JWTAbsent(t, dirB, cpub)
+	require_JWTAbsent(t, dirC, cpub)
+
+	// system account client can connect to every server
+	connect(sA.ClientURL(), sysCreds, "")
+	connect(sB.ClientURL(), sysCreds, "")
+	connect(sC.ClientURL(), sysCreds, "")
+
+	// A and B clients can connect to any server.
+	connect(sA.ClientURL(), aCreds, "")
+	connect(sB.ClientURL(), aCreds, "")
+	connect(sC.ClientURL(), aCreds, "")
+	connect(sA.ClientURL(), bCreds, "")
+	connect(sB.ClientURL(), bCreds, "")
+	connect(sC.ClientURL(), bCreds, "")
+
+	// Check that trying to connect with bad credentials should not hang until the fetch timeout
+	// and instead return a faster response when an account is not found.
+	_, err := nats.Connect(sC.ClientURL(), nats.UserCredentials(cCreds), nats.Timeout(500*time.Second))
+	if err != nil && !errors.Is(err, nats.ErrAuthorization) {
+		t.Fatalf("Expected auth error: %v", err)
+	}
+}
diff --git a/server/leafnode.go b/server/leafnode.go
index 7716c719b..3f7c445e6 100644
--- a/server/leafnode.go
+++ b/server/leafnode.go
@@ -1,4 +1,4 @@
-// Copyright 2019-2022 The NATS Authors
+// Copyright 2019-2023 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -39,29 +39,31 @@ import (
 	"github.com/nats-io/nuid"
 )
 
-// Warning when user configures leafnode TLS insecure
-const leafnodeTLSInsecureWarning = "TLS certificate chain and hostname of solicited leafnodes will not be verified. DO NOT USE IN PRODUCTION!"
+const (
+	// Warning when user configures leafnode TLS insecure
+	leafnodeTLSInsecureWarning = "TLS certificate chain and hostname of solicited leafnodes will not be verified. DO NOT USE IN PRODUCTION!"
 
-// When a loop is detected, delay the reconnect of solicited connection.
-const leafNodeReconnectDelayAfterLoopDetected = 30 * time.Second
+	// When a loop is detected, delay the reconnect of solicited connection.
+	leafNodeReconnectDelayAfterLoopDetected = 30 * time.Second
 
-// When a server receives a message causing a permission violation, the
-// connection is closed and it won't attempt to reconnect for that long.
-const leafNodeReconnectAfterPermViolation = 30 * time.Second
+	// When a server receives a message causing a permission violation, the
+	// connection is closed and it won't attempt to reconnect for that long.
+	leafNodeReconnectAfterPermViolation = 30 * time.Second
 
-// When we have the same cluster name as the hub.
-const leafNodeReconnectDelayAfterClusterNameSame = 30 * time.Second
+	// When we have the same cluster name as the hub.
+	leafNodeReconnectDelayAfterClusterNameSame = 30 * time.Second
 
-// Prefix for loop detection subject
-const leafNodeLoopDetectionSubjectPrefix = "$LDS."
+	// Prefix for loop detection subject
+	leafNodeLoopDetectionSubjectPrefix = "$LDS."
 
-// Path added to URL to indicate to WS server that the connection is a
-// LEAF connection as opposed to a CLIENT.
-const leafNodeWSPath = "/leafnode"
+	// Path added to URL to indicate to WS server that the connection is a
+	// LEAF connection as opposed to a CLIENT.
+	leafNodeWSPath = "/leafnode"
 
-// This is the time the server will wait, when receiving a CONNECT,
-// before closing the connection if the required minimum version is not met.
-const leafNodeWaitBeforeClose = 5 * time.Second
+	// This is the time the server will wait, when receiving a CONNECT,
+	// before closing the connection if the required minimum version is not met.
+	leafNodeWaitBeforeClose = 5 * time.Second
+)
 
 type leaf struct {
 	// We have any auth stuff here for solicited connections.
@@ -695,7 +697,7 @@ func (s *Server) startLeafNodeAcceptLoop() {
 	s.leafNodeInfo = info
 	// Possibly override Host/Port and set IP based on Cluster.Advertise
 	if err := s.setLeafNodeInfoHostPortAndIP(); err != nil {
-		s.Fatalf("Error setting leafnode INFO with LeafNode.Advertise value of %s, err=%v", s.opts.LeafNode.Advertise, err)
+		s.Fatalf("Error setting leafnode INFO with LeafNode.Advertise value of %s, err=%v", opts.LeafNode.Advertise, err)
 		l.Close()
 		s.mu.Unlock()
 		return
@@ -1420,7 +1422,7 @@ func (s *Server) addLeafNodeConnection(c *client, srvName, clusterName string, c
 	}
 	// If we have a specified JetStream domain we will want to add a mapping to
 	// allow access cross domain for each non-system account.
-	if opts.JetStreamDomain != _EMPTY_ && acc != sysAcc && opts.JetStream {
+	if opts.JetStreamDomain != _EMPTY_ && opts.JetStream && acc != nil && acc != sysAcc {
 		for src, dest := range generateJSMappingTable(opts.JetStreamDomain) {
 			if err := acc.AddMapping(src, dest); err != nil {
 				c.Debugf("Error adding JetStream domain mapping: %s", err.Error())
@@ -1579,6 +1581,11 @@ func (c *client) processLeafNodeConnect(s *Server, arg []byte, lang string) erro
 
 	c.mu.Unlock()
 
+	// Register the cluster, even if empty, as long as we are acting as a hub.
+	if !proto.Hub {
+		c.acc.registerLeafNodeCluster(proto.Cluster)
+	}
+
 	// Add in the leafnode here since we passed through auth at this point.
 	s.addLeafNodeConnection(c, proto.Name, proto.Cluster, true)
 
@@ -1632,11 +1639,15 @@ func (s *Server) initLeafNodeSmapAndSendSubs(c *client) {
 		return
 	}
 	// Collect all account subs here.
-	_subs := [32]*subscription{}
+	_subs := [1024]*subscription{}
 	subs := _subs[:0]
 	ims := []string{}
 
-	acc.mu.Lock()
+	// Hold the client lock otherwise there can be a race and miss some subs.
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	acc.mu.RLock()
 	accName := acc.Name
 	accNTag := acc.nameTag
 
@@ -1675,11 +1686,15 @@ func (s *Server) initLeafNodeSmapAndSendSubs(c *client) {
 
 	// Create a unique subject that will be used for loop detection.
 	lds := acc.lds
+	acc.mu.RUnlock()
+
+	// Check if we have to create the LDS.
 	if lds == _EMPTY_ {
 		lds = leafNodeLoopDetectionSubjectPrefix + nuid.Next()
+		acc.mu.Lock()
 		acc.lds = lds
+		acc.mu.Unlock()
 	}
-	acc.mu.Unlock()
 
 	// Now check for gateway interest. Leafnodes will put this into
 	// the proper mode to propagate, but they are not held in the account.
@@ -1707,7 +1722,6 @@ func (s *Server) initLeafNodeSmapAndSendSubs(c *client) {
 	}
 
 	// Now walk the results and add them to our smap
-	c.mu.Lock()
 	rc := c.leaf.remoteCluster
 	c.leaf.smap = make(map[string]int32)
 	for _, sub := range subs {
@@ -1773,7 +1787,6 @@ func (s *Server) initLeafNodeSmapAndSendSubs(c *client) {
 			c.mu.Unlock()
 		})
 	}
-	c.mu.Unlock()
 }
 
 // updateInterestForAccountOnGateway called from gateway code when processing RS+ and RS-.
@@ -1783,53 +1796,76 @@ func (s *Server) updateInterestForAccountOnGateway(accName string, sub *subscrip
 		s.Debugf("No or bad account for %q, failed to update interest from gateway", accName)
 		return
 	}
-	s.updateLeafNodes(acc, sub, delta)
+	acc.updateLeafNodes(sub, delta)
 }
 
-// updateLeafNodes will make sure to update the smap for the subscription. Will
-// also forward to all leaf nodes as needed.
-func (s *Server) updateLeafNodes(acc *Account, sub *subscription, delta int32) {
+// updateLeafNodes will make sure to update the account smap for the subscription.
+// Will also forward to all leaf nodes as needed.
+func (acc *Account) updateLeafNodes(sub *subscription, delta int32) {
 	if acc == nil || sub == nil {
 		return
 	}
 
-	_l := [32]*client{}
-	leafs := _l[:0]
+	// We will do checks for no leafnodes and same cluster here inline and under the
+	// general account read lock.
+	// If we feel we need to update the leafnodes we will do that out of line to avoid
+	// blocking routes or GWs.
 
-	// Grab all leaf nodes. Ignore a leafnode if sub's client is a leafnode and matches.
 	acc.mu.RLock()
-	for _, ln := range acc.lleafs {
-		if ln != sub.client {
-			leafs = append(leafs, ln)
-		}
+	// First check if we even have leafnodes here.
+	if acc.nleafs == 0 {
+		acc.mu.RUnlock()
+		return
+	}
+
+	// Is this a loop detection subject.
+	isLDS := bytes.HasPrefix(sub.subject, []byte(leafNodeLoopDetectionSubjectPrefix))
+
+	// Capture the cluster even if its empty.
+	cluster := _EMPTY_
+	if sub.origin != nil {
+		cluster = string(sub.origin)
 	}
+
+	// If we have an isolated cluster we can return early, as long as it is not a loop detection subject.
+	// Empty clusters will return false for the check.
+	if !isLDS && acc.isLeafNodeClusterIsolated(cluster) {
+		acc.mu.RUnlock()
+		return
+	}
+
+	// We can release the general account lock.
 	acc.mu.RUnlock()
 
-	for _, ln := range leafs {
-		// Check to make sure this sub does not have an origin cluster than matches the leafnode.
+	// We can hold the list lock here to avoid having to copy a large slice.
+	acc.lmu.RLock()
+	defer acc.lmu.RUnlock()
+
+	// Do this once.
+	subject := string(sub.subject)
+
+	// Walk the connected leafnodes.
+	for _, ln := range acc.lleafs {
+		if ln == sub.client {
+			continue
+		}
+		// Check to make sure this sub does not have an origin cluster that matches the leafnode.
 		ln.mu.Lock()
-		skip := (sub.origin != nil && string(sub.origin) == ln.remoteCluster()) || !ln.canSubscribe(string(sub.subject))
+		skip := (cluster != _EMPTY_ && cluster == ln.remoteCluster()) || (delta > 0 && !ln.canSubscribe(subject))
 		// If skipped, make sure that we still let go the "$LDS." subscription that allows
 		// the detection of a loop.
-		if skip && bytes.HasPrefix(sub.subject, []byte(leafNodeLoopDetectionSubjectPrefix)) {
-			skip = false
+		if isLDS || !skip {
+			ln.updateSmap(sub, delta)
 		}
 		ln.mu.Unlock()
-		if skip {
-			continue
-		}
-		ln.updateSmap(sub, delta)
 	}
 }
 
 // This will make an update to our internal smap and determine if we should send out
 // an interest update to the remote side.
+// Lock should be held.
 func (c *client) updateSmap(sub *subscription, delta int32) {
-	key := keyFromSub(sub)
-
-	c.mu.Lock()
 	if c.leaf.smap == nil {
-		c.mu.Unlock()
 		return
 	}
 
@@ -1837,7 +1873,6 @@ func (c *client) updateSmap(sub *subscription, delta int32) {
 	skind := sub.client.kind
 	updateClient := skind == CLIENT || skind == SYSTEM || skind == JETSTREAM || skind == ACCOUNT
 	if c.isSpokeLeafNode() && !(updateClient || (skind == LEAF && !sub.client.isSpokeLeafNode())) {
-		c.mu.Unlock()
 		return
 	}
 
@@ -1850,12 +1885,16 @@ func (c *client) updateSmap(sub *subscription, delta int32) {
 				c.leaf.tsubt.Stop()
 				c.leaf.tsubt = nil
 			}
-			c.mu.Unlock()
 			return
 		}
 	}
 
-	n := c.leaf.smap[key]
+	key := keyFromSub(sub)
+	n, ok := c.leaf.smap[key]
+	if delta < 0 && !ok {
+		return
+	}
+
 	// We will update if its a queue, if count is zero (or negative), or we were 0 and are N > 0.
 	update := sub.queue != nil || n == 0 || n+delta <= 0
 	n += delta
@@ -1867,7 +1906,6 @@ func (c *client) updateSmap(sub *subscription, delta int32) {
 	if update {
 		c.sendLeafNodeSubUpdate(key, n)
 	}
-	c.mu.Unlock()
 }
 
 // Used to force add subjects to the subject map.
@@ -2065,8 +2103,11 @@ func (c *client) processLeafSub(argo []byte) (err error) {
 	spoke := c.isSpokeLeafNode()
 	c.mu.Unlock()
 
-	if err := c.addShadowSubscriptions(acc, sub); err != nil {
-		c.Errorf(err.Error())
+	// Only add in shadow subs if a new sub or qsub.
+	if osub == nil {
+		if err := c.addShadowSubscriptions(acc, sub); err != nil {
+			c.Errorf(err.Error())
+		}
 	}
 
 	// If we are not solicited, treat leaf node subscriptions similar to a
@@ -2081,7 +2122,7 @@ func (c *client) processLeafSub(argo []byte) (err error) {
 	}
 	// Now check on leafnode updates for other leaf nodes. We understand solicited
 	// and non-solicited state in this call so we will do the right thing.
-	srv.updateLeafNodes(acc, sub, delta)
+	acc.updateLeafNodes(sub, delta)
 
 	return nil
 }
@@ -2138,7 +2179,7 @@ func (c *client) processLeafUnsub(arg []byte) error {
 		}
 	}
 	// Now check on leafnode updates for other leaf nodes.
-	srv.updateLeafNodes(acc, sub, -1)
+	acc.updateLeafNodes(sub, -1)
 	return nil
 }
 
diff --git a/server/leafnode_test.go b/server/leafnode_test.go
index 3f7016651..92a8314df 100644
--- a/server/leafnode_test.go
+++ b/server/leafnode_test.go
@@ -1,4 +1,4 @@
-// Copyright 2019-2021 The NATS Authors
+// Copyright 2019-2023 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -2540,7 +2540,7 @@ func TestLeafNodeOperatorBadCfg(t *testing.T) {
 			cfg: `
 			port: -1
 			authorization {
-				users = [{user: "u", password: "p"}]}
+				users = [{user: "u", password: "p"}]
 			}`,
 		},
 		{
@@ -3876,9 +3876,9 @@ func TestLeafNodeInterestPropagationDaisychain(t *testing.T) {
 	aTmpl := `
 		port: %d
 		leafnodes {
-			port: %d
-		   }
-		}`
+		  port: %d
+		}
+		`
 
 	confA := createConfFile(t, []byte(fmt.Sprintf(aTmpl, -1, -1)))
 	sA, _ := RunServerWithConfig(confA)
@@ -4846,3 +4846,718 @@ func TestLeafNodeDuplicateMsg(t *testing.T) {
 	t.Run("sub_b2_pub_a1", func(t *testing.T) { check(t, b2, a1) })
 	t.Run("sub_b2_pub_a2", func(t *testing.T) { check(t, b2, a2) })
 }
+
+func TestLeafNodeWithWeightedDQRequestsToSuperClusterWithSeparateAccounts(t *testing.T) {
+	sc := createJetStreamSuperClusterWithTemplate(t, jsClusterAccountsTempl, 3, 2)
+	defer sc.shutdown()
+
+	// Now create a leafnode cluster that has 2 LNs, one to each cluster but on separate accounts, ONE and TWO.
+	var lnTmpl = `
+		listen: 127.0.0.1:-1
+		server_name: %s
+		jetstream: {max_mem_store: 256MB, max_file_store: 2GB, store_dir: '%s'}
+
+		{{leaf}}
+
+		cluster {
+			name: %s
+			listen: 127.0.0.1:%d
+			routes = [%s]
+		}
+
+		accounts { $SYS { users = [ { user: "admin", pass: "s3cr3t!" } ] }}
+		`
+
+	var leafFrag = `
+		leaf {
+			listen: 127.0.0.1:-1
+			remotes [
+				{ urls: [ %s ] }
+				{ urls: [ %s ] }
+			]
+		}`
+
+	// We want to have two leaf node connections that join to the same local account on the leafnode servers,
+	// but connect to different accounts in different clusters.
+	c1 := sc.clusters[0] // Will connect to account ONE
+	c2 := sc.clusters[1] // Will connect to account TWO
+
+	genLeafTmpl := func(tmpl string) string {
+		t.Helper()
+
+		var ln1, ln2 []string
+		for _, s := range c1.servers {
+			if s.ClusterName() != c1.name {
+				continue
+			}
+			ln := s.getOpts().LeafNode
+			ln1 = append(ln1, fmt.Sprintf("nats://one:p@%s:%d", ln.Host, ln.Port))
+		}
+
+		for _, s := range c2.servers {
+			if s.ClusterName() != c2.name {
+				continue
+			}
+			ln := s.getOpts().LeafNode
+			ln2 = append(ln2, fmt.Sprintf("nats://two:p@%s:%d", ln.Host, ln.Port))
+		}
+		return strings.Replace(tmpl, "{{leaf}}", fmt.Sprintf(leafFrag, strings.Join(ln1, ", "), strings.Join(ln2, ", ")), 1)
+	}
+
+	tmpl := strings.Replace(lnTmpl, "store_dir:", fmt.Sprintf(`domain: "%s", store_dir:`, "SA"), 1)
+	tmpl = genLeafTmpl(tmpl)
+
+	ln := createJetStreamCluster(t, tmpl, "SA", "SA-", 3, 22280, false)
+	ln.waitOnClusterReady()
+	defer ln.shutdown()
+
+	for _, s := range ln.servers {
+		checkLeafNodeConnectedCount(t, s, 2)
+	}
+
+	// Now connect DQ subscribers to each cluster and they separate accounts, and make sure we get the right behavior, balanced between
+	// them when requests originate from the leaf cluster.
+
+	// Create 5 clients for each cluster / account
+	var c1c, c2c []*nats.Conn
+	for i := 0; i < 5; i++ {
+		nc1, _ := jsClientConnect(t, c1.randomServer(), nats.UserInfo("one", "p"))
+		defer nc1.Close()
+		c1c = append(c1c, nc1)
+		nc2, _ := jsClientConnect(t, c2.randomServer(), nats.UserInfo("two", "p"))
+		defer nc2.Close()
+		c2c = append(c2c, nc2)
+	}
+
+	createSubs := func(num int, conns []*nats.Conn) (subs []*nats.Subscription) {
+		for i := 0; i < num; i++ {
+			nc := conns[rand.Intn(len(conns))]
+			sub, err := nc.QueueSubscribeSync("REQUEST", "MC")
+			require_NoError(t, err)
+			subs = append(subs, sub)
+			nc.Flush()
+		}
+		// Let subs propagate.
+		time.Sleep(100 * time.Millisecond)
+		return subs
+	}
+	closeSubs := func(subs []*nats.Subscription) {
+		for _, sub := range subs {
+			sub.Unsubscribe()
+		}
+	}
+
+	// Simple test first.
+	subs1 := createSubs(1, c1c)
+	defer closeSubs(subs1)
+	subs2 := createSubs(1, c2c)
+	defer closeSubs(subs2)
+
+	sendRequests := func(num int) {
+		t.Helper()
+		// Now connect to the leaf cluster and send some requests.
+		nc, _ := jsClientConnect(t, ln.randomServer())
+		defer nc.Close()
+
+		for i := 0; i < num; i++ {
+			require_NoError(t, nc.Publish("REQUEST", []byte("HELP")))
+		}
+		nc.Flush()
+	}
+
+	pending := func(subs []*nats.Subscription) (total int) {
+		t.Helper()
+		for _, sub := range subs {
+			n, _, err := sub.Pending()
+			require_NoError(t, err)
+			total += n
+		}
+		return total
+	}
+
+	num := 1000
+	checkAllReceived := func() error {
+		total := pending(subs1) + pending(subs2)
+		if total == num {
+			return nil
+		}
+		return fmt.Errorf("Not all received: %d vs %d", total, num)
+	}
+
+	checkBalanced := func(total, pc1, pc2 int) {
+		t.Helper()
+		tf := float64(total)
+		e1 := tf * (float64(pc1) / 100.00)
+		e2 := tf * (float64(pc2) / 100.00)
+		delta := tf / 10
+		p1 := float64(pending(subs1))
+		if p1 < e1-delta || p1 > e1+delta {
+			t.Fatalf("Value out of range for subs1, expected %v got %v", e1, p1)
+		}
+		p2 := float64(pending(subs2))
+		if p2 < e2-delta || p2 > e2+delta {
+			t.Fatalf("Value out of range for subs2, expected %v got %v", e2, p2)
+		}
+	}
+
+	// Now connect to the leaf cluster and send some requests.
+
+	// Simple 50/50
+	sendRequests(num)
+	checkFor(t, time.Second, 200*time.Millisecond, checkAllReceived)
+	checkBalanced(num, 50, 50)
+
+	closeSubs(subs1)
+	closeSubs(subs2)
+
+	// Now test unbalanced. 10/90
+	subs1 = createSubs(1, c1c)
+	defer closeSubs(subs1)
+	subs2 = createSubs(9, c2c)
+	defer closeSubs(subs2)
+
+	sendRequests(num)
+	checkFor(t, time.Second, 200*time.Millisecond, checkAllReceived)
+	checkBalanced(num, 10, 90)
+
+	// Now test draining the subs as we are sending from an initial balanced situation simulating a draining of a cluster.
+
+	closeSubs(subs1)
+	closeSubs(subs2)
+	subs1, subs2 = nil, nil
+
+	// These subs slightly different.
+	var r1, r2 atomic.Uint64
+	for i := 0; i < 20; i++ {
+		nc := c1c[rand.Intn(len(c1c))]
+		sub, err := nc.QueueSubscribe("REQUEST", "MC", func(m *nats.Msg) { r1.Add(1) })
+		require_NoError(t, err)
+		subs1 = append(subs1, sub)
+		nc.Flush()
+
+		nc = c2c[rand.Intn(len(c2c))]
+		sub, err = nc.QueueSubscribe("REQUEST", "MC", func(m *nats.Msg) { r2.Add(1) })
+		require_NoError(t, err)
+		subs2 = append(subs2, sub)
+		nc.Flush()
+	}
+	defer closeSubs(subs1)
+	defer closeSubs(subs2)
+
+	nc, _ := jsClientConnect(t, ln.randomServer())
+	defer nc.Close()
+
+	for i, dindex := 0, 1; i < num; i++ {
+		require_NoError(t, nc.Publish("REQUEST", []byte("HELP")))
+		// Check if we have more to simulate draining.
+		// Will drain within first ~100 requests using 20% rand test below.
+		// Will leave 1 behind.
+		if dindex < len(subs1)-1 && rand.Intn(6) > 4 {
+			sub := subs1[dindex]
+			dindex++
+			sub.Drain()
+		}
+	}
+	nc.Flush()
+
+	checkFor(t, time.Second, 200*time.Millisecond, func() error {
+		total := int(r1.Load() + r2.Load())
+		if total == num {
+			return nil
+		}
+		return fmt.Errorf("Not all received: %d vs %d", total, num)
+	})
+	require_True(t, r2.Load() > r1.Load())
+}
+
+func TestLeafNodeWithWeightedDQRequestsToSuperClusterWithStreamImportAccounts(t *testing.T) {
+	var tmpl = `
+	listen: 127.0.0.1:-1
+
+	server_name: %s
+	jetstream: {max_mem_store: 256MB, max_file_store: 2GB, store_dir: '%s'}
+
+	leaf { listen: 127.0.0.1:-1 }
+
+	cluster {
+		name: %s
+		listen: 127.0.0.1:%d
+		routes = [%s]
+	}
+
+	accounts {
+		EFG {
+			users = [ { user: "efg", pass: "p" } ]
+			jetstream: enabled
+			imports [
+				{ stream: { account: STL, subject: "REQUEST"} }
+				{ stream: { account: KSC, subject: "REQUEST"} }
+			]
+			exports [ { stream: "RESPONSE" } ]
+		}
+		STL {
+			users = [ { user: "stl", pass: "p" } ]
+			exports [ { stream: "REQUEST" } ]
+			imports [ { stream: { account: EFG, subject: "RESPONSE"} } ]
+		}
+		KSC {
+			users = [ { user: "ksc", pass: "p" } ]
+			exports [ { stream: "REQUEST" } ]
+			imports [ { stream: { account: EFG, subject: "RESPONSE"} } ]
+		}
+		$SYS { users = [ { user: "admin", pass: "s3cr3t!" } ] }
+	}`
+
+	sc := createJetStreamSuperClusterWithTemplate(t, tmpl, 5, 2)
+	defer sc.shutdown()
+
+	// Now create a leafnode cluster that has 2 LNs, one to each cluster but on separate accounts, STL and KSC.
+	var lnTmpl = `
+		listen: 127.0.0.1:-1
+		server_name: %s
+		jetstream: {max_mem_store: 256MB, max_file_store: 2GB, store_dir: '%s'}
+
+		{{leaf}}
+
+		cluster {
+			name: %s
+			listen: 127.0.0.1:%d
+			routes = [%s]
+		}
+
+		accounts { $SYS { users = [ { user: "admin", pass: "s3cr3t!" } ] }}
+		`
+
+	var leafFrag = `
+		leaf {
+			listen: 127.0.0.1:-1
+			remotes [
+				{ urls: [ %s ] }
+				{ urls: [ %s ] }
+				{ urls: [ %s ] ; deny_export: [REQUEST, RESPONSE], deny_import: RESPONSE }
+			]
+		}`
+
+	// We want to have two leaf node connections that join to the same local account on the leafnode servers,
+	// but connect to different accounts in different clusters.
+	c1 := sc.clusters[0] // Will connect to account KSC
+	c2 := sc.clusters[1] // Will connect to account STL
+
+	genLeafTmpl := func(tmpl string) string {
+		t.Helper()
+
+		var ln1, ln2, ln3 []string
+		for _, s := range c1.servers {
+			if s.ClusterName() != c1.name {
+				continue
+			}
+			ln := s.getOpts().LeafNode
+			ln1 = append(ln1, fmt.Sprintf("nats://ksc:p@%s:%d", ln.Host, ln.Port))
+		}
+
+		for _, s := range c2.servers {
+			if s.ClusterName() != c2.name {
+				continue
+			}
+			ln := s.getOpts().LeafNode
+			ln2 = append(ln2, fmt.Sprintf("nats://stl:p@%s:%d", ln.Host, ln.Port))
+			ln3 = append(ln3, fmt.Sprintf("nats://efg:p@%s:%d", ln.Host, ln.Port))
+		}
+		return strings.Replace(tmpl, "{{leaf}}", fmt.Sprintf(leafFrag, strings.Join(ln1, ", "), strings.Join(ln2, ", "), strings.Join(ln3, ", ")), 1)
+	}
+
+	tmpl = strings.Replace(lnTmpl, "store_dir:", fmt.Sprintf(`domain: "%s", store_dir:`, "SA"), 1)
+	tmpl = genLeafTmpl(tmpl)
+
+	ln := createJetStreamCluster(t, tmpl, "SA", "SA-", 3, 22280, false)
+	ln.waitOnClusterReady()
+	defer ln.shutdown()
+
+	for _, s := range ln.servers {
+		checkLeafNodeConnectedCount(t, s, 3)
+	}
+
+	// Now connect DQ subscribers to each cluster but to the global account.
+
+	// Create 5 clients for each cluster / account
+	var c1c, c2c []*nats.Conn
+	for i := 0; i < 5; i++ {
+		nc1, _ := jsClientConnect(t, c1.randomServer(), nats.UserInfo("efg", "p"))
+		defer nc1.Close()
+		c1c = append(c1c, nc1)
+		nc2, _ := jsClientConnect(t, c2.randomServer(), nats.UserInfo("efg", "p"))
+		defer nc2.Close()
+		c2c = append(c2c, nc2)
+	}
+
+	createSubs := func(num int, conns []*nats.Conn) (subs []*nats.Subscription) {
+		for i := 0; i < num; i++ {
+			nc := conns[rand.Intn(len(conns))]
+			sub, err := nc.QueueSubscribeSync("REQUEST", "MC")
+			require_NoError(t, err)
+			subs = append(subs, sub)
+			nc.Flush()
+		}
+		// Let subs propagate.
+		time.Sleep(100 * time.Millisecond)
+		return subs
+	}
+	closeSubs := func(subs []*nats.Subscription) {
+		for _, sub := range subs {
+			sub.Unsubscribe()
+		}
+	}
+
+	// Simple test first.
+	subs1 := createSubs(1, c1c)
+	defer closeSubs(subs1)
+	subs2 := createSubs(1, c2c)
+	defer closeSubs(subs2)
+
+	sendRequests := func(num int) {
+		t.Helper()
+		// Now connect to the leaf cluster and send some requests.
+		nc, _ := jsClientConnect(t, ln.randomServer())
+		defer nc.Close()
+
+		for i := 0; i < num; i++ {
+			require_NoError(t, nc.Publish("REQUEST", []byte("HELP")))
+		}
+		nc.Flush()
+	}
+
+	pending := func(subs []*nats.Subscription) (total int) {
+		t.Helper()
+		for _, sub := range subs {
+			n, _, err := sub.Pending()
+			require_NoError(t, err)
+			total += n
+		}
+		return total
+	}
+
+	num := 1000
+	checkAllReceived := func() error {
+		total := pending(subs1) + pending(subs2)
+		if total == num {
+			return nil
+		}
+		return fmt.Errorf("Not all received: %d vs %d", total, num)
+	}
+
+	checkBalanced := func(total, pc1, pc2 int) {
+		t.Helper()
+		tf := float64(total)
+		e1 := tf * (float64(pc1) / 100.00)
+		e2 := tf * (float64(pc2) / 100.00)
+		delta := tf / 10
+		p1 := float64(pending(subs1))
+		if p1 < e1-delta || p1 > e1+delta {
+			t.Fatalf("Value out of range for subs1, expected %v got %v", e1, p1)
+		}
+		p2 := float64(pending(subs2))
+		if p2 < e2-delta || p2 > e2+delta {
+			t.Fatalf("Value out of range for subs2, expected %v got %v", e2, p2)
+		}
+	}
+
+	// Now connect to the leaf cluster and send some requests.
+
+	// Simple 50/50
+	sendRequests(num)
+	checkFor(t, time.Second, 200*time.Millisecond, checkAllReceived)
+	checkBalanced(num, 50, 50)
+
+	closeSubs(subs1)
+	closeSubs(subs2)
+
+	// Now test unbalanced. 10/90
+	subs1 = createSubs(1, c1c)
+	defer closeSubs(subs1)
+	subs2 = createSubs(9, c2c)
+	defer closeSubs(subs2)
+
+	sendRequests(num)
+	checkFor(t, time.Second, 200*time.Millisecond, checkAllReceived)
+	checkBalanced(num, 10, 90)
+
+	closeSubs(subs1)
+	closeSubs(subs2)
+
+	// Now test unbalanced. 80/20
+	subs1 = createSubs(80, c1c)
+	defer closeSubs(subs1)
+	subs2 = createSubs(20, c2c)
+	defer closeSubs(subs2)
+
+	sendRequests(num)
+	checkFor(t, time.Second, 200*time.Millisecond, checkAllReceived)
+	checkBalanced(num, 80, 20)
+
+	// Now test draining the subs as we are sending from an initial balanced situation simulating a draining of a cluster.
+
+	closeSubs(subs1)
+	closeSubs(subs2)
+	subs1, subs2 = nil, nil
+
+	// These subs slightly different.
+	var r1, r2 atomic.Uint64
+	for i := 0; i < 20; i++ {
+		nc := c1c[rand.Intn(len(c1c))]
+		sub, err := nc.QueueSubscribe("REQUEST", "MC", func(m *nats.Msg) { r1.Add(1) })
+		require_NoError(t, err)
+		subs1 = append(subs1, sub)
+		nc.Flush()
+
+		nc = c2c[rand.Intn(len(c2c))]
+		sub, err = nc.QueueSubscribe("REQUEST", "MC", func(m *nats.Msg) { r2.Add(1) })
+		require_NoError(t, err)
+		subs2 = append(subs2, sub)
+		nc.Flush()
+	}
+	defer closeSubs(subs1)
+	defer closeSubs(subs2)
+
+	nc, _ := jsClientConnect(t, ln.randomServer())
+	defer nc.Close()
+
+	for i, dindex := 0, 1; i < num; i++ {
+		require_NoError(t, nc.Publish("REQUEST", []byte("HELP")))
+		// Check if we have more to simulate draining.
+		// Will drain within first ~100 requests using 20% rand test below.
+		// Will leave 1 behind.
+		if dindex < len(subs1)-1 && rand.Intn(6) > 4 {
+			sub := subs1[dindex]
+			dindex++
+			sub.Drain()
+		}
+	}
+	nc.Flush()
+
+	checkFor(t, time.Second, 200*time.Millisecond, func() error {
+		total := int(r1.Load() + r2.Load())
+		if total == num {
+			return nil
+		}
+		return fmt.Errorf("Not all received: %d vs %d", total, num)
+	})
+	require_True(t, r2.Load() > r1.Load())
+
+	// Now check opposite flow for responses.
+
+	// Create 10 subscribers.
+	var rsubs []*nats.Subscription
+
+	for i := 0; i < 10; i++ {
+		nc, _ := jsClientConnect(t, ln.randomServer())
+		defer nc.Close()
+		sub, err := nc.QueueSubscribeSync("RESPONSE", "SA")
+		require_NoError(t, err)
+		nc.Flush()
+		rsubs = append(rsubs, sub)
+	}
+
+	nc, _ = jsClientConnect(t, ln.randomServer())
+	defer nc.Close()
+	_, err := nc.SubscribeSync("RESPONSE")
+	require_NoError(t, err)
+	nc.Flush()
+
+	// Now connect and send responses from EFG in cloud.
+	nc, _ = jsClientConnect(t, sc.randomServer(), nats.UserInfo("efg", "p"))
+
+	for i := 0; i < 100; i++ {
+		require_NoError(t, nc.Publish("RESPONSE", []byte("OK")))
+	}
+	nc.Flush()
+
+	checkAllRespReceived := func() error {
+		p := pending(rsubs)
+		if p == 100 {
+			return nil
+		}
+		return fmt.Errorf("Not all responses received: %d vs %d", p, 100)
+	}
+
+	checkFor(t, time.Second, 200*time.Millisecond, checkAllRespReceived)
+}
+
+func TestLeafNodeWithWeightedDQResponsesWithStreamImportAccountsWithUnsub(t *testing.T) {
+	var tmpl = `
+	listen: 127.0.0.1:-1
+
+	server_name: %s
+	jetstream: {max_mem_store: 256MB, max_file_store: 2GB, store_dir: '%s'}
+
+	leaf { listen: 127.0.0.1:-1 }
+
+	cluster {
+		name: %s
+		listen: 127.0.0.1:%d
+		routes = [%s]
+	}
+
+	accounts {
+		EFG {
+			users = [ { user: "efg", pass: "p" } ]
+			jetstream: enabled
+			exports [ { stream: "RESPONSE" } ]
+		}
+		STL {
+			users = [ { user: "stl", pass: "p" } ]
+			imports [ { stream: { account: EFG, subject: "RESPONSE"} } ]
+		}
+		KSC {
+			users = [ { user: "ksc", pass: "p" } ]
+			imports [ { stream: { account: EFG, subject: "RESPONSE"} } ]
+		}
+		$SYS { users = [ { user: "admin", pass: "s3cr3t!" } ] }
+	}`
+
+	c := createJetStreamClusterWithTemplate(t, tmpl, "US-CENTRAL", 3)
+	defer c.shutdown()
+
+	// Now create a leafnode cluster that has 2 LNs, one to each cluster but on separate accounts, STL and KSC.
+	var lnTmpl = `
+		listen: 127.0.0.1:-1
+		server_name: %s
+		jetstream: {max_mem_store: 256MB, max_file_store: 2GB, store_dir: '%s'}
+
+		{{leaf}}
+
+		cluster {
+			name: %s
+			listen: 127.0.0.1:%d
+			routes = [%s]
+		}
+
+		accounts { $SYS { users = [ { user: "admin", pass: "s3cr3t!" } ] }}
+		`
+
+	var leafFrag = `
+		leaf {
+			listen: 127.0.0.1:-1
+			remotes [ { urls: [ %s ] } ]
+		}`
+
+	genLeafTmpl := func(tmpl string) string {
+		t.Helper()
+
+		var ln []string
+		for _, s := range c.servers {
+			lno := s.getOpts().LeafNode
+			ln = append(ln, fmt.Sprintf("nats://ksc:p@%s:%d", lno.Host, lno.Port))
+		}
+		return strings.Replace(tmpl, "{{leaf}}", fmt.Sprintf(leafFrag, strings.Join(ln, ", ")), 1)
+	}
+
+	tmpl = strings.Replace(lnTmpl, "store_dir:", fmt.Sprintf(`domain: "%s", store_dir:`, "SA"), 1)
+	tmpl = genLeafTmpl(tmpl)
+
+	ln := createJetStreamCluster(t, tmpl, "SA", "SA-", 3, 22280, false)
+	ln.waitOnClusterReady()
+	defer ln.shutdown()
+
+	for _, s := range ln.servers {
+		checkLeafNodeConnectedCount(t, s, 1)
+	}
+
+	// Create 10 subscribers.
+	var rsubs []*nats.Subscription
+
+	closeSubs := func(subs []*nats.Subscription) {
+		for _, sub := range subs {
+			sub.Unsubscribe()
+		}
+	}
+
+	checkAllRespReceived := func() error {
+		t.Helper()
+		var total int
+		for _, sub := range rsubs {
+			n, _, err := sub.Pending()
+			require_NoError(t, err)
+			total += n
+		}
+		if total == 100 {
+			return nil
+		}
+		return fmt.Errorf("Not all responses received: %d vs %d", total, 100)
+	}
+
+	s := ln.randomServer()
+	for i := 0; i < 4; i++ {
+		nc, _ := jsClientConnect(t, s)
+		defer nc.Close()
+		sub, err := nc.QueueSubscribeSync("RESPONSE", "SA")
+		require_NoError(t, err)
+		nc.Flush()
+		rsubs = append(rsubs, sub)
+	}
+
+	// Now connect and send responses from EFG in cloud.
+	nc, _ := jsClientConnect(t, c.randomServer(), nats.UserInfo("efg", "p"))
+	for i := 0; i < 100; i++ {
+		require_NoError(t, nc.Publish("RESPONSE", []byte("OK")))
+	}
+	nc.Flush()
+
+	// Make sure all received.
+	checkFor(t, time.Second, 200*time.Millisecond, checkAllRespReceived)
+
+	checkAccountInterest := func(s *Server, accName string) *SublistResult {
+		t.Helper()
+		acc, err := s.LookupAccount(accName)
+		require_NoError(t, err)
+		acc.mu.RLock()
+		r := acc.sl.Match("RESPONSE")
+		acc.mu.RUnlock()
+		return r
+	}
+
+	checkInterest := func() error {
+		t.Helper()
+		for _, s := range c.servers {
+			if r := checkAccountInterest(s, "KSC"); len(r.psubs)+len(r.qsubs) > 0 {
+				return fmt.Errorf("Subs still present for %q: %+v", "KSC", r)
+			}
+			if r := checkAccountInterest(s, "EFG"); len(r.psubs)+len(r.qsubs) > 0 {
+				return fmt.Errorf("Subs still present for %q: %+v", "EFG", r)
+			}
+		}
+		return nil
+	}
+
+	// Now unsub them and create new ones on a different server.
+	closeSubs(rsubs)
+	rsubs = rsubs[:0]
+
+	// Also restart the server that we had all the rsubs on.
+	s.Shutdown()
+	s.WaitForShutdown()
+	s = ln.restartServer(s)
+	ln.waitOnClusterReady()
+	ln.waitOnServerCurrent(s)
+
+	checkFor(t, time.Second, 200*time.Millisecond, checkInterest)
+
+	for i := 0; i < 4; i++ {
+		nc, _ := jsClientConnect(t, s)
+		defer nc.Close()
+		sub, err := nc.QueueSubscribeSync("RESPONSE", "SA")
+		require_NoError(t, err)
+		nc.Flush()
+		rsubs = append(rsubs, sub)
+	}
+
+	for i := 0; i < 100; i++ {
+		require_NoError(t, nc.Publish("RESPONSE", []byte("OK")))
+	}
+	nc.Flush()
+
+	// Make sure all received.
+	checkFor(t, time.Second, 200*time.Millisecond, checkAllRespReceived)
+
+	closeSubs(rsubs)
+	checkFor(t, time.Second, 200*time.Millisecond, checkInterest)
+}
diff --git a/server/log.go b/server/log.go
index 2d14d3e94..ed7dbf5d0 100644
--- a/server/log.go
+++ b/server/log.go
@@ -45,7 +45,7 @@ type Logger interface {
 	Tracef(format string, v ...interface{})
 
 	// Log a system statement
-	Systemf(format string, v ...interface{})
+	Systemf(format string, v ...interface{}) // ** added by Memphis
 }
 
 // ConfigureLogger configures and sets the logger for the server.
@@ -69,7 +69,7 @@ func (s *Server) ConfigureLogger() {
 	}
 
 	if opts.LogFile != "" {
-		log = srvlog.NewFileLogger(opts.LogFile, opts.Logtime, opts.Debug, opts.Trace, true)
+		log = srvlog.NewFileLogger(opts.LogFile, opts.Logtime, opts.Debug, opts.Trace, true, srvlog.LogUTC(opts.LogtimeUTC))
 		if opts.LogSizeLimit > 0 {
 			if l, ok := log.(*srvlog.Logger); ok {
 				l.SetSizeLimit(opts.LogSizeLimit)
@@ -164,8 +164,11 @@ func (s *Server) ReOpenLogFile() {
 	if opts.LogFile == "" {
 		s.Noticef("File log re-open ignored, not a file logger")
 	} else {
-		fileLog := srvlog.NewFileLogger(opts.LogFile,
-			opts.Logtime, opts.Debug, opts.Trace, true)
+		fileLog := srvlog.NewFileLogger(
+			opts.LogFile, opts.Logtime,
+			opts.Debug, opts.Trace, true,
+			srvlog.LogUTC(opts.LogtimeUTC),
+		)
 		s.SetLogger(fileLog, opts.Debug, opts.Trace)
 		if opts.LogSizeLimit > 0 {
 			fileLog.SetSizeLimit(opts.LogSizeLimit)
@@ -181,12 +184,15 @@ func (s *Server) Noticef(format string, v ...interface{}) {
 	}, format, v...)
 }
 
+// ** added by Memphis
 func (s *Server) Systemf(format string, v ...interface{}) {
 	s.executeLogCall(func(logger Logger, format string, v ...interface{}) {
 		logger.Systemf(format, v...)
 	}, format, v...)
 }
 
+// ** added by Memphis
+
 // Errorf logs an error
 func (s *Server) Errorf(format string, v ...interface{}) {
 	s.executeLogCall(func(logger Logger, format string, v ...interface{}) {
@@ -269,6 +275,7 @@ func (s *Server) executeLogCall(f func(logger Logger, format string, v ...interf
 	f(s.logging.logger, format, args...)
 }
 
+// ** added by Memphis
 func publishLogToSubjectAndAnalytics(s *Server, label string, log []byte) {
 	copiedLog := copyBytes(log)
 	s.sendLogToSubject(label, copiedLog)
@@ -314,3 +321,5 @@ func (s *Server) sendLogToSubject(label string, log []byte) {
 func (s *Server) getLogSource() string {
 	return s.memphis.serverID
 }
+
+// ** added by Memphis
diff --git a/server/log_test.go b/server/log_test.go
index fda716125..543229351 100644
--- a/server/log_test.go
+++ b/server/log_test.go
@@ -101,7 +101,7 @@ func TestReOpenLogFile(t *testing.T) {
 
 	// Set a File log
 	s.opts.LogFile = filepath.Join(t.TempDir(), "test.log")
-	fileLog := logger.NewFileLogger(s.opts.LogFile, s.opts.Logtime, s.opts.Debug, s.opts.Trace, true)
+	fileLog := logger.NewFileLogger(s.opts.LogFile, s.opts.Logtime, s.opts.Debug, s.opts.Trace, true, logger.LogUTC(s.opts.LogtimeUTC))
 	s.SetLogger(fileLog, false, false)
 	// Add some log
 	expectedStr := "This is a Notice"
diff --git a/server/memstore.go b/server/memstore.go
index 26675aaa7..f7f75f471 100644
--- a/server/memstore.go
+++ b/server/memstore.go
@@ -1,4 +1,4 @@
-// Copyright 2019-2022 The NATS Authors
+// Copyright 2019-2023 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -50,6 +50,7 @@ func newMemStore(cfg *StreamConfig) (*memStore, error) {
 		maxp: cfg.MaxMsgsPer,
 		cfg:  *cfg,
 	}
+
 	return ms, nil
 }
 
@@ -100,9 +101,9 @@ func (ms *memStore) UpdateConfig(cfg *StreamConfig) error {
 	// If the value is smaller we need to enforce that.
 	if ms.maxp != 0 && ms.maxp < maxp {
 		lm := uint64(ms.maxp)
-		for _, ss := range ms.fss {
+		for subj, ss := range ms.fss {
 			if ss.Msgs > lm {
-				ms.enforcePerSubjectLimit(ss)
+				ms.enforcePerSubjectLimit(subj, ss)
 			}
 		}
 	}
@@ -146,6 +147,9 @@ func (ms *memStore) storeRawMsg(subj string, hdr, msg []byte, seq uint64, ts int
 				return ErrMaxBytes
 			}
 			// If we are here we are at a subject maximum, need to determine if dropping last message gives us enough room.
+			if ss.firstNeedsUpdate {
+				ms.recalculateFirstForSubj(subj, ss.First, ss)
+			}
 			sm, ok := ms.msgs[ss.First]
 			if !ok || memStoreMsgSize(sm.subj, sm.hdr, sm.msg) < uint64(len(msg)+len(hdr)) {
 				return ErrMaxBytes
@@ -197,7 +201,7 @@ func (ms *memStore) storeRawMsg(subj string, hdr, msg []byte, seq uint64, ts int
 			ss.Last = seq
 			// Check per subject limits.
 			if ms.maxp > 0 && ss.Msgs > uint64(ms.maxp) {
-				ms.enforcePerSubjectLimit(ss)
+				ms.enforcePerSubjectLimit(subj, ss)
 			}
 		} else {
 			ms.fss[subj] = &SimpleState{Msgs: 1, First: seq, Last: seq}
@@ -379,6 +383,9 @@ func (ms *memStore) filteredStateLocked(sseq uint64, filter string, lastPerSubje
 	// We will track start and end sequences as we go.
 	for subj, fss := range ms.fss {
 		if isMatch(subj) {
+			if fss.firstNeedsUpdate {
+				ms.recalculateFirstForSubj(subj, fss.First, fss)
+			}
 			if sseq <= fss.First {
 				update(fss)
 			} else if sseq <= fss.Last {
@@ -473,6 +480,9 @@ func (ms *memStore) SubjectsState(subject string) map[string]SimpleState {
 	fss := make(map[string]SimpleState)
 	for subj, ss := range ms.fss {
 		if subject == _EMPTY_ || subject == fwcs || subjectIsSubsetMatch(subj, subject) {
+			if ss.firstNeedsUpdate {
+				ms.recalculateFirstForSubj(subj, ss.First, ss)
+			}
 			oss := fss[subj]
 			if oss.First == 0 { // New
 				fss[subj] = *ss
@@ -524,11 +534,14 @@ func (ms *memStore) NumPending(sseq uint64, filter string, lastPerSubject bool)
 
 // Will check the msg limit for this tracked subject.
 // Lock should be held.
-func (ms *memStore) enforcePerSubjectLimit(ss *SimpleState) {
+func (ms *memStore) enforcePerSubjectLimit(subj string, ss *SimpleState) {
 	if ms.maxp <= 0 {
 		return
 	}
 	for nmsgs := ss.Msgs; nmsgs > uint64(ms.maxp); nmsgs = ss.Msgs {
+		if ss.firstNeedsUpdate {
+			ms.recalculateFirstForSubj(subj, ss.First, ss)
+		}
 		if !ms.removeMsg(ss.First, false) {
 			break
 		}
@@ -623,10 +636,6 @@ func (ms *memStore) expireMsgs() {
 // PurgeEx will remove messages based on subject filters, sequence and number of messages to keep.
 // Will return the number of purged messages.
 func (ms *memStore) PurgeEx(subject string, sequence, keep uint64) (purged uint64, err error) {
-	if sequence > 1 && keep > 0 {
-		return 0, ErrPurgeArgMismatch
-	}
-
 	if subject == _EMPTY_ || subject == fwcs {
 		if keep == 0 && (sequence == 0 || sequence == 1) {
 			return ms.Purge()
@@ -724,7 +733,13 @@ func (ms *memStore) Compact(seq uint64) (uint64, error) {
 				ms.removeSeqPerSubject(sm.subj, seq)
 			}
 		}
+		if purged > ms.state.Msgs {
+			purged = ms.state.Msgs
+		}
 		ms.state.Msgs -= purged
+		if bytes > ms.state.Bytes {
+			bytes = ms.state.Bytes
+		}
 		ms.state.Bytes -= bytes
 	} else {
 		// We are compacting past the end of our range. Do purge and set sequences correctly
@@ -809,7 +824,13 @@ func (ms *memStore) Truncate(seq uint64) error {
 	ms.state.LastSeq = lsm.seq
 	ms.state.LastTime = time.Unix(0, lsm.ts).UTC()
 	// Update msgs and bytes.
+	if purged > ms.state.Msgs {
+		purged = ms.state.Msgs
+	}
 	ms.state.Msgs -= purged
+	if bytes > ms.state.Bytes {
+		bytes = ms.state.Bytes
+	}
 	ms.state.Bytes -= bytes
 
 	cb := ms.scb
@@ -865,6 +886,10 @@ func (ms *memStore) LoadLastMsg(subject string, smp *StoreMsg) (*StoreMsg, error
 
 	if subject == _EMPTY_ || subject == fwcs {
 		sm, ok = ms.msgs[ms.state.LastSeq]
+	} else if subjectIsLiteral(subject) {
+		if ss := ms.fss[subject]; ss != nil && ss.Msgs > 0 {
+			sm, ok = ms.msgs[ss.Last]
+		}
 	} else if ss := ms.filteredStateLocked(1, subject, true); ss.Msgs > 0 {
 		sm, ok = ms.msgs[ss.Last]
 	}
@@ -896,8 +921,8 @@ func (ms *memStore) LoadNextMsg(filter string, wc bool, start uint64, smp *Store
 
 	isAll := filter == _EMPTY_ || filter == fwcs
 
-	// Skip scan of mb.fss is number of messages in the block are less than
-	// 1/2 the number of subjects in mb.fss. Or we have a wc and lots of fss entries.
+	// Skip scan of ms.fss is number of messages in the block are less than
+	// 1/2 the number of subjects in ms.fss. Or we have a wc and lots of fss entries.
 	const linearScanMaxFSS = 256
 	doLinearScan := isAll || 2*int(ms.state.LastSeq-start) < len(ms.fss) || (wc && len(ms.fss) > linearScanMaxFSS)
 
@@ -920,6 +945,9 @@ func (ms *memStore) LoadNextMsg(filter string, wc bool, start uint64, smp *Store
 			if ss == nil {
 				continue
 			}
+			if ss.firstNeedsUpdate {
+				ms.recalculateFirstForSubj(subj, ss.First, ss)
+			}
 			if ss.First < fseq {
 				fseq = ss.First
 			}
@@ -1002,19 +1030,27 @@ func (ms *memStore) removeSeqPerSubject(subj string, seq uint64) {
 		return
 	}
 	ss.Msgs--
-	if seq != ss.First {
-		return
-	}
+
 	// If we know we only have 1 msg left don't need to search for next first.
 	if ss.Msgs == 1 {
-		ss.First = ss.Last
-		return
+		if seq == ss.Last {
+			ss.Last = ss.First
+		} else {
+			ss.First = ss.Last
+		}
+		ss.firstNeedsUpdate = false
+	} else {
+		ss.firstNeedsUpdate = seq == ss.First || ss.firstNeedsUpdate
 	}
-	// TODO(dlc) - Might want to optimize this longer term.
-	for tseq := seq + 1; tseq <= ss.Last; tseq++ {
+}
+
+// Will recalulate the first sequence for this subject in this block.
+func (ms *memStore) recalculateFirstForSubj(subj string, startSeq uint64, ss *SimpleState) {
+	for tseq := startSeq + 1; tseq <= ss.Last; tseq++ {
 		if sm := ms.msgs[tseq]; sm != nil && sm.subj == subj {
 			ss.First = tseq
-			break
+			ss.firstNeedsUpdate = false
+			return
 		}
 	}
 }
@@ -1028,17 +1064,24 @@ func (ms *memStore) removeMsg(seq uint64, secure bool) bool {
 		return false
 	}
 
+	// ** added by memphis
 	// send the message to tiered 2 storage if needed
 	tieredStorageEnabled := ms.cfg.TieredStorageEnabled
 	if !secure && !strings.HasPrefix(ms.cfg.Name, "$memphis") && tieredStorageEnabled && serv != nil {
 		serv.sendToTier2Storage(ms, copyBytes(sm.buf), sm.seq, "s3")
 	}
+	// ** added by memphis
 
 	ss = memStoreMsgSize(sm.subj, sm.hdr, sm.msg)
 
 	delete(ms.msgs, seq)
-	ms.state.Msgs--
-	ms.state.Bytes -= ss
+	if ms.state.Msgs > 0 {
+		ms.state.Msgs--
+		if ss > ms.state.Bytes {
+			ss = ms.state.Bytes
+		}
+		ms.state.Bytes -= ss
+	}
 	ms.updateFirstSeq(seq)
 
 	if secure {
@@ -1131,11 +1174,12 @@ func memStoreMsgSize(subj string, hdr, msg []byte) uint64 {
 
 // Delete is same as Stop for memory store.
 func (ms *memStore) Delete() error {
-	ms.Purge()
 	return ms.Stop()
 }
 
 func (ms *memStore) Stop() error {
+	// These can't come back, so stop is same as Delete.
+	ms.Purge()
 	ms.mu.Lock()
 	if ms.ageChk != nil {
 		ms.ageChk.Stop()
@@ -1293,17 +1337,28 @@ func (o *consumerMemStore) UpdateDelivered(dseq, sseq, dc uint64, ts int64) erro
 		}
 
 		if dc > 1 {
+			if maxdc := uint64(o.cfg.MaxDeliver); maxdc > 0 && dc > maxdc {
+				// Make sure to remove from pending.
+				delete(o.state.Pending, sseq)
+			}
 			if o.state.Redelivered == nil {
 				o.state.Redelivered = make(map[uint64]uint64)
 			}
-			o.state.Redelivered[sseq] = dc - 1
+			// Only update if greater then what we already have.
+			if o.state.Redelivered[sseq] < dc-1 {
+				o.state.Redelivered[sseq] = dc - 1
+			}
 		}
 	} else {
 		// For AckNone just update delivered and ackfloor at the same time.
-		o.state.Delivered.Consumer = dseq
-		o.state.Delivered.Stream = sseq
-		o.state.AckFloor.Consumer = dseq
-		o.state.AckFloor.Stream = sseq
+		if dseq > o.state.Delivered.Consumer {
+			o.state.Delivered.Consumer = dseq
+			o.state.AckFloor.Consumer = dseq
+		}
+		if sseq > o.state.Delivered.Stream {
+			o.state.Delivered.Stream = sseq
+			o.state.AckFloor.Stream = sseq
+		}
 	}
 
 	return nil
diff --git a/server/monitor.go b/server/monitor.go
index 24c912c8a..895f8c410 100644
--- a/server/monitor.go
+++ b/server/monitor.go
@@ -1,4 +1,4 @@
-// Copyright 2013-2022 The NATS Authors
+// Copyright 2013-2023 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -36,19 +36,6 @@ import (
 	"github.com/nats-io/jwt/v2"
 )
 
-// Snapshot this
-var numCores int
-var maxProcs int
-
-func SnapshotMonitorInfo() {
-	numCores = runtime.NumCPU()
-	maxProcs = runtime.GOMAXPROCS(0)
-}
-
-func init() {
-	SnapshotMonitorInfo()
-}
-
 // Connz represents detailed information on current client connections.
 type Connz struct {
 	ID       string      `json:"server_id"`
@@ -150,6 +137,9 @@ type ConnInfo struct {
 	NameTag        string         `json:"name_tag,omitempty"`
 	Tags           jwt.TagList    `json:"tags,omitempty"`
 	MQTTClient     string         `json:"mqtt_client,omitempty"` // This is the MQTT client id
+
+	// Internal
+	rtt int64 // For fast sorting
 }
 
 // TLSPeerCert contains basic information about a TLS peer certificate
@@ -203,9 +193,7 @@ func (s *Server) Connz(opts *ConnzOptions) (*Connz, error) {
 
 	if opts != nil {
 		// If no sort option given or sort is by uptime, then sort by cid
-		if opts.Sort == _EMPTY_ {
-			sortOpt = ByCid
-		} else {
+		if opts.Sort != _EMPTY_ {
 			sortOpt = opts.Sort
 			if !sortOpt.IsValid() {
 				return nil, fmt.Errorf("invalid sorting option: %s", sortOpt)
@@ -214,9 +202,6 @@ func (s *Server) Connz(opts *ConnzOptions) (*Connz, error) {
 
 		// Auth specifics.
 		auth = opts.Username
-		if !auth && (user != _EMPTY_ || acc != _EMPTY_) {
-			return nil, fmt.Errorf("filter by user or account only allowed with auth option")
-		}
 		user = opts.User
 		acc = opts.Account
 		mqttCID = opts.MQTTClient
@@ -286,7 +271,7 @@ func (s *Server) Connz(opts *ConnzOptions) (*Connz, error) {
 	}
 
 	// Walk the open client list with server lock held.
-	s.mu.Lock()
+	s.mu.RLock()
 	// Default to all client unless filled in above.
 	if clist == nil {
 		clist = s.clients
@@ -313,9 +298,10 @@ func (s *Server) Connz(opts *ConnzOptions) (*Connz, error) {
 	if acc != _EMPTY_ && len(closedClients) > 0 {
 		var ccc []*closedClient
 		for _, cc := range closedClients {
-			if cc.acc == acc {
-				ccc = append(ccc, cc)
+			if cc.acc != acc {
+				continue
 			}
+			ccc = append(ccc, cc)
 		}
 		c.Total -= (len(closedClients) - len(ccc))
 		closedClients = ccc
@@ -370,7 +356,7 @@ func (s *Server) Connz(opts *ConnzOptions) (*Connz, error) {
 					continue
 				}
 				// Do user filtering second
-				if user != _EMPTY_ && client.opts.Username != user {
+				if user != _EMPTY_ && client.getRawAuthUserLock() != user {
 					continue
 				}
 				// Do mqtt client ID filtering next
@@ -381,7 +367,7 @@ func (s *Server) Connz(opts *ConnzOptions) (*Connz, error) {
 			}
 		}
 	}
-	s.mu.Unlock()
+	s.mu.RUnlock()
 
 	// Filter by subject now if needed. We do this outside of server lock.
 	if filter != _EMPTY_ {
@@ -506,13 +492,15 @@ func (s *Server) Connz(opts *ConnzOptions) (*Connz, error) {
 	case ByLast:
 		sort.Sort(sort.Reverse(byLast{pconns}))
 	case ByIdle:
-		sort.Sort(sort.Reverse(byIdle{pconns}))
+		sort.Sort(sort.Reverse(byIdle{pconns, c.Now}))
 	case ByUptime:
 		sort.Sort(byUptime{pconns, time.Now()})
 	case ByStop:
 		sort.Sort(sort.Reverse(byStop{pconns}))
 	case ByReason:
 		sort.Sort(byReason{pconns})
+	case ByRTT:
+		sort.Sort(sort.Reverse(byRTT{pconns}))
 	}
 
 	minoff := c.Offset
@@ -542,6 +530,10 @@ func (s *Server) Connz(opts *ConnzOptions) (*Connz, error) {
 // Fills in the ConnInfo from the client.
 // client should be locked.
 func (ci *ConnInfo) fill(client *client, nc net.Conn, now time.Time, auth bool) {
+	// For fast sort if required.
+	rtt := client.getRTT()
+	ci.rtt = int64(rtt)
+
 	ci.Cid = client.cid
 	ci.MQTTClient = client.getMQTTClientID()
 	ci.Kind = client.kindString()
@@ -550,7 +542,7 @@ func (ci *ConnInfo) fill(client *client, nc net.Conn, now time.Time, auth bool)
 	ci.LastActivity = client.last
 	ci.Uptime = myUptime(now.Sub(client.start))
 	ci.Idle = myUptime(now.Sub(client.last))
-	ci.RTT = client.getRTT().String()
+	ci.RTT = rtt.String()
 	ci.OutMsgs = client.outMsgs
 	ci.OutBytes = client.outBytes
 	ci.NumSubs = uint32(len(client.subs))
@@ -599,7 +591,7 @@ func (c *client) getRTT() time.Duration {
 	if c.rtt == 0 {
 		// If a real client, go ahead and send ping now to get a value
 		// for RTT. For tests and telnet, or if client is closing, etc skip.
-		if c.opts.Lang != "" {
+		if c.opts.Lang != _EMPTY_ {
 			c.sendRTTPingLocked()
 		}
 		return 0
@@ -751,6 +743,7 @@ func (s *Server) HandleConnz(w http.ResponseWriter, r *http.Request) {
 // Routez represents detailed information on current client connections.
 type Routez struct {
 	ID        string             `json:"server_id"`
+	Name      string             `json:"server_name"`
 	Now       time.Time          `json:"now"`
 	Import    *SubjectPermission `json:"import,omitempty"`
 	Export    *SubjectPermission `json:"export,omitempty"`
@@ -770,6 +763,7 @@ type RoutezOptions struct {
 type RouteInfo struct {
 	Rid          uint64             `json:"rid"`
 	RemoteID     string             `json:"remote_id"`
+	RemoteName   string             `json:"remote_name"`
 	DidSolicit   bool               `json:"did_solicit"`
 	IsConfigured bool               `json:"is_configured"`
 	IP           string             `json:"ip"`
@@ -811,6 +805,7 @@ func (s *Server) Routez(routezOpts *RoutezOptions) (*Routez, error) {
 		rs.Import = perms.Import
 		rs.Export = perms.Export
 	}
+	rs.Name = s.getOpts().ServerName
 
 	// Walk the list
 	for _, r := range s.routes {
@@ -818,6 +813,7 @@ func (s *Server) Routez(routezOpts *RoutezOptions) (*Routez, error) {
 		ri := &RouteInfo{
 			Rid:          r.cid,
 			RemoteID:     r.route.remoteID,
+			RemoteName:   r.route.remoteName,
 			DidSolicit:   r.route.didSolicit,
 			IsConfigured: r.route.routeType == Explicit,
 			InMsgs:       atomic.LoadInt64(&r.inMsgs),
@@ -1124,14 +1120,17 @@ func (s *Server) HandleIPQueuesz(w http.ResponseWriter, r *http.Request) {
 
 	queues := map[string]monitorIPQueue{}
 
-	s.ipQueues.Range(func(k, v interface{}) bool {
+	s.ipQueues.Range(func(k, v any) bool {
+		var pending, inProgress int
 		name := k.(string)
-		queue := v.(interface {
+		queue, ok := v.(interface {
 			len() int
-			inProgress() uint64
+			inProgress() int64
 		})
-		pending := queue.len()
-		inProgress := int(queue.inProgress())
+		if ok {
+			pending = queue.len()
+			inProgress = int(queue.inProgress())
+		}
 		if !all && (pending == 0 && inProgress == 0) {
 			return true
 		} else if qfilter != _EMPTY_ && !strings.Contains(name, qfilter) {
@@ -1158,6 +1157,7 @@ type Varz struct {
 	AuthRequired          bool                  `json:"auth_required,omitempty"`
 	TLSRequired           bool                  `json:"tls_required,omitempty"`
 	TLSVerify             bool                  `json:"tls_verify,omitempty"`
+	TLSOCSPPeerVerify     bool                  `json:"tls_ocsp_peer_verify,omitempty"`
 	IP                    string                `json:"ip,omitempty"`
 	ClientConnectURLs     []string              `json:"connect_urls,omitempty"`
 	WSConnectURLs         []string              `json:"ws_connect_urls,omitempty"`
@@ -1206,6 +1206,7 @@ type Varz struct {
 	TrustedOperatorsClaim []*jwt.OperatorClaims `json:"trusted_operators_claim,omitempty"`
 	SystemAccount         string                `json:"system_account,omitempty"`
 	PinnedAccountFail     uint64                `json:"pinned_account_fails,omitempty"`
+	OCSPResponseCache     OCSPResponseCacheVarz `json:"ocsp_peer_cache,omitempty"`
 }
 
 // JetStreamVarz contains basic runtime information about jetstream
@@ -1251,13 +1252,14 @@ type RemoteGatewayOptsVarz struct {
 
 // LeafNodeOptsVarz contains monitoring leaf node information
 type LeafNodeOptsVarz struct {
-	Host        string               `json:"host,omitempty"`
-	Port        int                  `json:"port,omitempty"`
-	AuthTimeout float64              `json:"auth_timeout,omitempty"`
-	TLSTimeout  float64              `json:"tls_timeout,omitempty"`
-	TLSRequired bool                 `json:"tls_required,omitempty"`
-	TLSVerify   bool                 `json:"tls_verify,omitempty"`
-	Remotes     []RemoteLeafOptsVarz `json:"remotes,omitempty"`
+	Host              string               `json:"host,omitempty"`
+	Port              int                  `json:"port,omitempty"`
+	AuthTimeout       float64              `json:"auth_timeout,omitempty"`
+	TLSTimeout        float64              `json:"tls_timeout,omitempty"`
+	TLSRequired       bool                 `json:"tls_required,omitempty"`
+	TLSVerify         bool                 `json:"tls_verify,omitempty"`
+	Remotes           []RemoteLeafOptsVarz `json:"remotes,omitempty"`
+	TLSOCSPPeerVerify bool                 `json:"tls_ocsp_peer_verify,omitempty"`
 }
 
 // DenyRules Contains lists of subjects not allowed to be imported/exported
@@ -1268,41 +1270,55 @@ type DenyRules struct {
 
 // RemoteLeafOptsVarz contains monitoring remote leaf node information
 type RemoteLeafOptsVarz struct {
-	LocalAccount string     `json:"local_account,omitempty"`
-	TLSTimeout   float64    `json:"tls_timeout,omitempty"`
-	URLs         []string   `json:"urls,omitempty"`
-	Deny         *DenyRules `json:"deny,omitempty"`
+	LocalAccount      string     `json:"local_account,omitempty"`
+	TLSTimeout        float64    `json:"tls_timeout,omitempty"`
+	URLs              []string   `json:"urls,omitempty"`
+	Deny              *DenyRules `json:"deny,omitempty"`
+	TLSOCSPPeerVerify bool       `json:"tls_ocsp_peer_verify,omitempty"`
 }
 
 // MQTTOptsVarz contains monitoring MQTT information
 type MQTTOptsVarz struct {
-	Host           string        `json:"host,omitempty"`
-	Port           int           `json:"port,omitempty"`
-	NoAuthUser     string        `json:"no_auth_user,omitempty"`
-	AuthTimeout    float64       `json:"auth_timeout,omitempty"`
-	TLSMap         bool          `json:"tls_map,omitempty"`
-	TLSTimeout     float64       `json:"tls_timeout,omitempty"`
-	TLSPinnedCerts []string      `json:"tls_pinned_certs,omitempty"`
-	JsDomain       string        `json:"js_domain,omitempty"`
-	AckWait        time.Duration `json:"ack_wait,omitempty"`
-	MaxAckPending  uint16        `json:"max_ack_pending,omitempty"`
+	Host              string        `json:"host,omitempty"`
+	Port              int           `json:"port,omitempty"`
+	NoAuthUser        string        `json:"no_auth_user,omitempty"`
+	AuthTimeout       float64       `json:"auth_timeout,omitempty"`
+	TLSMap            bool          `json:"tls_map,omitempty"`
+	TLSTimeout        float64       `json:"tls_timeout,omitempty"`
+	TLSPinnedCerts    []string      `json:"tls_pinned_certs,omitempty"`
+	JsDomain          string        `json:"js_domain,omitempty"`
+	AckWait           time.Duration `json:"ack_wait,omitempty"`
+	MaxAckPending     uint16        `json:"max_ack_pending,omitempty"`
+	TLSOCSPPeerVerify bool          `json:"tls_ocsp_peer_verify,omitempty"`
 }
 
 // WebsocketOptsVarz contains monitoring websocket information
 type WebsocketOptsVarz struct {
-	Host             string        `json:"host,omitempty"`
-	Port             int           `json:"port,omitempty"`
-	Advertise        string        `json:"advertise,omitempty"`
-	NoAuthUser       string        `json:"no_auth_user,omitempty"`
-	JWTCookie        string        `json:"jwt_cookie,omitempty"`
-	HandshakeTimeout time.Duration `json:"handshake_timeout,omitempty"`
-	AuthTimeout      float64       `json:"auth_timeout,omitempty"`
-	NoTLS            bool          `json:"no_tls,omitempty"`
-	TLSMap           bool          `json:"tls_map,omitempty"`
-	TLSPinnedCerts   []string      `json:"tls_pinned_certs,omitempty"`
-	SameOrigin       bool          `json:"same_origin,omitempty"`
-	AllowedOrigins   []string      `json:"allowed_origins,omitempty"`
-	Compression      bool          `json:"compression,omitempty"`
+	Host              string        `json:"host,omitempty"`
+	Port              int           `json:"port,omitempty"`
+	Advertise         string        `json:"advertise,omitempty"`
+	NoAuthUser        string        `json:"no_auth_user,omitempty"`
+	JWTCookie         string        `json:"jwt_cookie,omitempty"`
+	HandshakeTimeout  time.Duration `json:"handshake_timeout,omitempty"`
+	AuthTimeout       float64       `json:"auth_timeout,omitempty"`
+	NoTLS             bool          `json:"no_tls,omitempty"`
+	TLSMap            bool          `json:"tls_map,omitempty"`
+	TLSPinnedCerts    []string      `json:"tls_pinned_certs,omitempty"`
+	SameOrigin        bool          `json:"same_origin,omitempty"`
+	AllowedOrigins    []string      `json:"allowed_origins,omitempty"`
+	Compression       bool          `json:"compression,omitempty"`
+	TLSOCSPPeerVerify bool          `json:"tls_ocsp_peer_verify,omitempty"`
+}
+
+// OCSPResponseCacheVarz contains OCSP response cache information
+type OCSPResponseCacheVarz struct {
+	Type      string `json:"cache_type,omitempty"`
+	Hits      int64  `json:"cache_hits,omitempty"`
+	Misses    int64  `json:"cache_misses,omitempty"`
+	Responses int64  `json:"cached_responses,omitempty"`
+	Revokes   int64  `json:"cached_revoked_responses,omitempty"`
+	Goods     int64  `json:"cached_good_responses,omitempty"`
+	Unknowns  int64  `json:"cached_unknown_responses,omitempty"`
 }
 
 // VarzOptions are the options passed to Varz().
@@ -1456,6 +1472,9 @@ func (s *Server) createVarz(pcpu float64, rss int64) *Varz {
 	gatewayTlsReq := gw.TLSConfig != nil
 	leafTlsReq := ln.TLSConfig != nil
 	leafTlsVerify := leafTlsReq && ln.TLSConfig.ClientAuth == tls.RequireAndVerifyClientCert
+	leafTlsOCSPPeerVerify := s.ocspPeerVerify && leafTlsReq && ln.tlsConfigOpts.OCSPPeerConfig != nil && ln.tlsConfigOpts.OCSPPeerConfig.Verify
+	mqttTlsOCSPPeerVerify := s.ocspPeerVerify && mqtt.TLSConfig != nil && mqtt.tlsConfigOpts.OCSPPeerConfig != nil && mqtt.tlsConfigOpts.OCSPPeerConfig.Verify
+	wsTlsOCSPPeerVerify := s.ocspPeerVerify && ws.TLSConfig != nil && ws.tlsConfigOpts.OCSPPeerConfig != nil && ws.tlsConfigOpts.OCSPPeerConfig.Verify
 	varz := &Varz{
 		ID:           info.ID,
 		Version:      info.Version,
@@ -1493,43 +1512,46 @@ func (s *Server) createVarz(pcpu float64, rss int64) *Varz {
 			RejectUnknown:  gw.RejectUnknown,
 		},
 		LeafNode: LeafNodeOptsVarz{
-			Host:        ln.Host,
-			Port:        ln.Port,
-			AuthTimeout: ln.AuthTimeout,
-			TLSTimeout:  ln.TLSTimeout,
-			TLSRequired: leafTlsReq,
-			TLSVerify:   leafTlsVerify,
-			Remotes:     []RemoteLeafOptsVarz{},
+			Host:              ln.Host,
+			Port:              ln.Port,
+			AuthTimeout:       ln.AuthTimeout,
+			TLSTimeout:        ln.TLSTimeout,
+			TLSRequired:       leafTlsReq,
+			TLSVerify:         leafTlsVerify,
+			TLSOCSPPeerVerify: leafTlsOCSPPeerVerify,
+			Remotes:           []RemoteLeafOptsVarz{},
 		},
 		MQTT: MQTTOptsVarz{
-			Host:          mqtt.Host,
-			Port:          mqtt.Port,
-			NoAuthUser:    mqtt.NoAuthUser,
-			AuthTimeout:   mqtt.AuthTimeout,
-			TLSMap:        mqtt.TLSMap,
-			TLSTimeout:    mqtt.TLSTimeout,
-			JsDomain:      mqtt.JsDomain,
-			AckWait:       mqtt.AckWait,
-			MaxAckPending: mqtt.MaxAckPending,
+			Host:              mqtt.Host,
+			Port:              mqtt.Port,
+			NoAuthUser:        mqtt.NoAuthUser,
+			AuthTimeout:       mqtt.AuthTimeout,
+			TLSMap:            mqtt.TLSMap,
+			TLSTimeout:        mqtt.TLSTimeout,
+			JsDomain:          mqtt.JsDomain,
+			AckWait:           mqtt.AckWait,
+			MaxAckPending:     mqtt.MaxAckPending,
+			TLSOCSPPeerVerify: mqttTlsOCSPPeerVerify,
 		},
 		Websocket: WebsocketOptsVarz{
-			Host:             ws.Host,
-			Port:             ws.Port,
-			Advertise:        ws.Advertise,
-			NoAuthUser:       ws.NoAuthUser,
-			JWTCookie:        ws.JWTCookie,
-			AuthTimeout:      ws.AuthTimeout,
-			NoTLS:            ws.NoTLS,
-			TLSMap:           ws.TLSMap,
-			SameOrigin:       ws.SameOrigin,
-			AllowedOrigins:   copyStrings(ws.AllowedOrigins),
-			Compression:      ws.Compression,
-			HandshakeTimeout: ws.HandshakeTimeout,
+			Host:              ws.Host,
+			Port:              ws.Port,
+			Advertise:         ws.Advertise,
+			NoAuthUser:        ws.NoAuthUser,
+			JWTCookie:         ws.JWTCookie,
+			AuthTimeout:       ws.AuthTimeout,
+			NoTLS:             ws.NoTLS,
+			TLSMap:            ws.TLSMap,
+			SameOrigin:        ws.SameOrigin,
+			AllowedOrigins:    copyStrings(ws.AllowedOrigins),
+			Compression:       ws.Compression,
+			HandshakeTimeout:  ws.HandshakeTimeout,
+			TLSOCSPPeerVerify: wsTlsOCSPPeerVerify,
 		},
-		Start:                 s.start,
+		Start:                 s.start.UTC(),
 		MaxSubs:               opts.MaxSubs,
-		Cores:                 numCores,
-		MaxProcs:              maxProcs,
+		Cores:                 runtime.NumCPU(),
+		MaxProcs:              runtime.GOMAXPROCS(0),
 		Tags:                  opts.Tags,
 		TrustedOperatorsJwt:   opts.operatorJWT,
 		TrustedOperatorsClaim: opts.TrustedOperators,
@@ -1557,11 +1579,14 @@ func (s *Server) createVarz(pcpu float64, rss int64) *Varz {
 					Exports: r.DenyExports,
 				}
 			}
+			remoteTlsOCSPPeerVerify := s.ocspPeerVerify && r.tlsConfigOpts != nil && r.tlsConfigOpts.OCSPPeerConfig != nil && r.tlsConfigOpts.OCSPPeerConfig.Verify
+
 			rlna[i] = RemoteLeafOptsVarz{
-				LocalAccount: r.LocalAccount,
-				URLs:         urlsToStrings(r.URLs),
-				TLSTimeout:   r.TLSTimeout,
-				Deny:         deny,
+				LocalAccount:      r.LocalAccount,
+				URLs:              urlsToStrings(r.URLs),
+				TLSTimeout:        r.TLSTimeout,
+				Deny:              deny,
+				TLSOCSPPeerVerify: remoteTlsOCSPPeerVerify,
 			}
 		}
 		varz.LeafNode.Remotes = rlna
@@ -1604,7 +1629,7 @@ func (s *Server) updateVarzConfigReloadableFields(v *Varz) {
 	v.MaxPending = opts.MaxPending
 	v.TLSTimeout = opts.TLSTimeout
 	v.WriteDeadline = opts.WriteDeadline
-	v.ConfigLoadTime = s.configTime
+	v.ConfigLoadTime = s.configTime.UTC()
 	// Update route URLs if applicable
 	if s.varzUpdateRouteURLs {
 		v.Cluster.URLs = urlsToStrings(opts.Routes)
@@ -1615,6 +1640,8 @@ func (s *Server) updateVarzConfigReloadableFields(v *Varz) {
 	}
 	v.MQTT.TLSPinnedCerts = getPinnedCertsAsSlice(opts.MQTT.TLSPinnedCerts)
 	v.Websocket.TLSPinnedCerts = getPinnedCertsAsSlice(opts.Websocket.TLSPinnedCerts)
+
+	v.TLSOCSPPeerVerify = s.ocspPeerVerify && v.TLSRequired && s.opts.tlsConfigOpts != nil && s.opts.tlsConfigOpts.OCSPPeerConfig != nil && s.opts.tlsConfigOpts.OCSPPeerConfig.Verify
 }
 
 func getPinnedCertsAsSlice(certs PinnedCertSet) []string {
@@ -1706,6 +1733,21 @@ func (s *Server) updateVarzRuntimeFields(v *Varz, forceUpdate bool, pcpu float64
 		}
 	}
 	gw.RUnlock()
+
+	if s.ocsprc != nil && s.ocsprc.Type() != "none" {
+		stats := s.ocsprc.Stats()
+		if stats != nil {
+			v.OCSPResponseCache = OCSPResponseCacheVarz{
+				s.ocsprc.Type(),
+				stats.Hits,
+				stats.Misses,
+				stats.Responses,
+				stats.Revokes,
+				stats.Goods,
+				stats.Unknowns,
+			}
+		}
+	}
 }
 
 // HandleVarz will process HTTP requests for server information.
@@ -2262,18 +2304,26 @@ func (s *Server) HandleAccountStatz(w http.ResponseWriter, r *http.Request) {
 	ResponseHandler(w, r, b)
 }
 
-// ResponseHandler handles responses for monitoring routes
+// ResponseHandler handles responses for monitoring routes.
 func ResponseHandler(w http.ResponseWriter, r *http.Request, data []byte) {
+	handleResponse(http.StatusOK, w, r, data)
+}
+
+// handleResponse handles responses for monitoring routes with a specific HTTP status code.
+func handleResponse(code int, w http.ResponseWriter, r *http.Request, data []byte) {
 	// Get callback from request
 	callback := r.URL.Query().Get("callback")
 	// If callback is not empty then
 	if callback != "" {
 		// Response for JSONP
 		w.Header().Set("Content-Type", "application/javascript")
+		w.WriteHeader(code)
 		fmt.Fprintf(w, "%s(%s)", callback, data)
 	} else {
 		// Otherwise JSON
 		w.Header().Set("Content-Type", "application/json")
+		w.Header().Set("Access-Control-Allow-Origin", "*")
+		w.WriteHeader(code)
 		w.Write(data)
 	}
 }
@@ -2450,19 +2500,20 @@ func (s *Server) Accountz(optz *AccountzOptions) (*Accountz, error) {
 	if sacc := s.SystemAccount(); sacc != nil {
 		a.SystemAccount = sacc.GetName()
 	}
-	if optz.Account == "" {
+	if optz == nil || optz.Account == _EMPTY_ {
 		a.Accounts = []string{}
 		s.accounts.Range(func(key, value interface{}) bool {
 			a.Accounts = append(a.Accounts, key.(string))
 			return true
 		})
 		return a, nil
-	} else if aInfo, err := s.accountInfo(optz.Account); err != nil {
+	}
+	aInfo, err := s.accountInfo(optz.Account)
+	if err != nil {
 		return nil, err
-	} else {
-		a.Account = aInfo
-		return a, nil
 	}
+	a.Account = aInfo
+	return a, nil
 }
 
 func newExtImport(v *serviceImport) ExtImport {
@@ -2475,10 +2526,12 @@ func newExtImport(v *serviceImport) ExtImport {
 		imp.Tracking = v.tracking
 		imp.Invalid = v.invalid
 		imp.Import = jwt.Import{
-			Subject: jwt.Subject(v.from),
+			Subject: jwt.Subject(v.to),
 			Account: v.acc.Name,
 			Type:    jwt.Service,
-			To:      jwt.Subject(v.to),
+			// Deprecated so we duplicate. Use LocalSubject.
+			To:           jwt.Subject(v.from),
+			LocalSubject: jwt.RenamingSubject(v.from),
 		}
 		imp.TrackingHdr = v.trackingHdr
 		imp.Latency = newExtServiceLatency(v.latency)
@@ -2607,7 +2660,7 @@ func (s *Server) accountInfo(accName string) (*AccountInfo, error) {
 	}
 	return &AccountInfo{
 		accName,
-		a.updated,
+		a.updated.UTC(),
 		isSys,
 		a.expired,
 		!a.incomplete,
@@ -3005,7 +3058,7 @@ type HealthStatus struct {
 	Error  string `json:"error,omitempty"`
 }
 
-// https://tools.ietf.org/id/draft-inadarei-api-health-check-05.html
+// https://datatracker.ietf.org/doc/html/draft-inadarei-api-health-check
 func (s *Server) HandleHealthz(w http.ResponseWriter, r *http.Request) {
 	s.mu.Lock()
 	s.httpReqStats[HealthzPath]++
@@ -3032,16 +3085,19 @@ func (s *Server) HandleHealthz(w http.ResponseWriter, r *http.Request) {
 		JSEnabledOnly: jsEnabledOnly,
 		JSServerOnly:  jsServerOnly,
 	})
+
+	code := http.StatusOK
+
 	if hs.Error != _EMPTY_ {
 		s.Warnf("Healthcheck failed: %q", hs.Error)
-		w.WriteHeader(http.StatusServiceUnavailable)
+		code = http.StatusServiceUnavailable
 	}
 	b, err := json.Marshal(hs)
 	if err != nil {
 		s.Errorf("Error marshaling response to /healthz request: %v", err)
 	}
 
-	ResponseHandler(w, r, b)
+	handleResponse(code, w, r, b)
 }
 
 // Generate health status.
@@ -3081,18 +3137,20 @@ func (s *Server) healthz(opts *HealthzOptions) *HealthStatus {
 
 	// Clustered JetStream
 	js.mu.RLock()
-	defer js.mu.RUnlock()
-
 	cc := js.cluster
+	js.mu.RUnlock()
 
 	const na = "unavailable"
 
 	// Currently single server we make sure the streams were recovered.
-	if cc == nil || cc.meta == nil {
+	if cc == nil {
 		sdir := js.config.StoreDir
 		// Whip through account folders and pull each stream name.
 		fis, _ := os.ReadDir(sdir)
 		for _, fi := range fis {
+			if fi.Name() == snapStagingDir {
+				continue
+			}
 			acc, err := s.LookupAccount(fi.Name())
 			if err != nil {
 				health.Status = na
@@ -3113,17 +3171,19 @@ func (s *Server) healthz(opts *HealthzOptions) *HealthStatus {
 	}
 
 	// If we are here we want to check for any assets assigned to us.
-	meta := cc.meta
-	ourID := meta.ID()
+	var meta RaftNode
+	js.mu.RLock()
+	meta = cc.meta
+	js.mu.RUnlock()
 
 	// If no meta leader.
-	if meta.GroupLeader() == _EMPTY_ {
+	if meta == nil || meta.GroupLeader() == _EMPTY_ {
 		health.Status = na
 		health.Error = "JetStream has not established contact with a meta leader"
 		return health
 	}
 	// If we are not current with the meta leader.
-	if !meta.Current() {
+	if !meta.Healthy() {
 		health.Status = na
 		health.Error = "JetStream is not current with the meta leader"
 		return health
@@ -3136,29 +3196,58 @@ func (s *Server) healthz(opts *HealthzOptions) *HealthStatus {
 
 	// Range across all accounts, the streams assigned to them, and the consumers.
 	// If they are assigned to this server check their status.
+	ourID := meta.ID()
+
+	// Copy the meta layer so we do not need to hold the js read lock for an extended period of time.
+	js.mu.RLock()
+	streams := make(map[string]map[string]*streamAssignment, len(cc.streams))
 	for acc, asa := range cc.streams {
+		nasa := make(map[string]*streamAssignment)
 		for stream, sa := range asa {
-			if sa.Group.isMember(ourID) {
-				// Make sure we can look up
-				if !cc.isStreamHealthy(acc, stream) {
-					health.Status = na
-					health.Error = fmt.Sprintf("JetStream stream '%s > %s' is not current", acc, stream)
-					return health
-				}
-				// Now check consumers.
+			// If we are a member and we are not being restored, select for check.
+			if sa.Group.isMember(ourID) && sa.Restore == nil {
+				csa := sa.copyGroup()
+				csa.consumers = make(map[string]*consumerAssignment)
 				for consumer, ca := range sa.consumers {
 					if ca.Group.isMember(ourID) {
-						if !cc.isConsumerCurrent(acc, stream, consumer) {
-							health.Status = na
-							health.Error = fmt.Sprintf("JetStream consumer '%s > %s > %s' is not current", acc, stream, consumer)
-							return health
-						}
+						// Use original here. Not a copy.
+						csa.consumers[consumer] = ca
 					}
 				}
+				nasa[stream] = csa
 			}
 		}
+		streams[acc] = nasa
 	}
+	js.mu.RUnlock()
+
+	// Use our copy to traverse so we do not need to hold the js lock.
+	for accName, asa := range streams {
+		acc, err := s.LookupAccount(accName)
+		if err != nil && len(asa) > 0 {
+			health.Status = na
+			health.Error = fmt.Sprintf("JetStream can not lookup account %q: %v", accName, err)
+			return health
+		}
 
+		for stream, sa := range asa {
+			// Make sure we can look up
+			if !js.isStreamHealthy(acc, sa) {
+				health.Status = na
+				health.Error = fmt.Sprintf("JetStream stream '%s > %s' is not current", accName, stream)
+				return health
+			}
+			mset, _ := acc.lookupStream(stream)
+			// Now check consumers.
+			for consumer, ca := range sa.consumers {
+				if !js.isConsumerHealthy(mset, consumer, ca) {
+					health.Status = na
+					health.Error = fmt.Sprintf("JetStream consumer '%s > %s > %s' is not current", acc, stream, consumer)
+					return health
+				}
+			}
+		}
+	}
 	// Success.
 	return health
 }
diff --git a/server/monitor_sort_opts.go b/server/monitor_sort_opts.go
index 10258d26c..2fcaf2e9f 100644
--- a/server/monitor_sort_opts.go
+++ b/server/monitor_sort_opts.go
@@ -45,7 +45,7 @@ const (
 	ByUptime   SortOpt = "uptime"     // By the amount of time connections exist
 	ByStop     SortOpt = "stop"       // By the stop time for a closed connection
 	ByReason   SortOpt = "reason"     // By the reason for a closed connection
-
+	ByRTT      SortOpt = "rtt"        // By the round trip time
 )
 
 // Individual sort options provide the Less for sort.Interface. Len and Swap are on cList.
@@ -92,12 +92,13 @@ func (l byLast) Less(i, j int) bool {
 }
 
 // Idle time
-type byIdle struct{ ConnInfos }
+type byIdle struct {
+	ConnInfos
+	now time.Time
+}
 
 func (l byIdle) Less(i, j int) bool {
-	ii := l.ConnInfos[i].LastActivity.Sub(l.ConnInfos[i].Start)
-	ij := l.ConnInfos[j].LastActivity.Sub(l.ConnInfos[j].Start)
-	return ii < ij
+	return l.now.Sub(l.ConnInfos[i].LastActivity) < l.now.Sub(l.ConnInfos[j].LastActivity)
 }
 
 // Uptime
@@ -139,10 +140,15 @@ func (l byReason) Less(i, j int) bool {
 	return l.ConnInfos[i].Reason < l.ConnInfos[j].Reason
 }
 
+// RTT - Default is descending
+type byRTT struct{ ConnInfos }
+
+func (l byRTT) Less(i, j int) bool { return l.ConnInfos[i].rtt < l.ConnInfos[j].rtt }
+
 // IsValid determines if a sort option is valid
 func (s SortOpt) IsValid() bool {
 	switch s {
-	case "", ByCid, ByStart, BySubs, ByPending, ByOutMsgs, ByInMsgs, ByOutBytes, ByInBytes, ByLast, ByIdle, ByUptime, ByStop, ByReason:
+	case _EMPTY_, ByCid, ByStart, BySubs, ByPending, ByOutMsgs, ByInMsgs, ByOutBytes, ByInBytes, ByLast, ByIdle, ByUptime, ByStop, ByReason, ByRTT:
 		return true
 	default:
 		return false
diff --git a/server/monitor_test.go b/server/monitor_test.go
index fc4b95f85..d5cd9ff6a 100644
--- a/server/monitor_test.go
+++ b/server/monitor_test.go
@@ -1,4 +1,4 @@
-// Copyright 2013-2022 The NATS Authors
+// Copyright 2013-2023 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -157,7 +157,14 @@ func readBodyEx(t *testing.T, url string, status int, content string) []byte {
 	}
 	ct := resp.Header.Get("Content-Type")
 	if ct != content {
-		stackFatalf(t, "Expected %s content-type, got %s\n", content, ct)
+		stackFatalf(t, "Expected %q content-type, got %q\n", content, ct)
+	}
+	// Check the CORS header for "application/json" requests only.
+	if ct == appJSONContent {
+		acao := resp.Header.Get("Access-Control-Allow-Origin")
+		if acao != "*" {
+			stackFatalf(t, "Expected with %q Content-Type an Access-Control-Allow-Origin header with value %q, got %q\n", appJSONContent, "*", acao)
+		}
 	}
 	body, err := io.ReadAll(resp.Body)
 	if err != nil {
@@ -1179,77 +1186,167 @@ func TestConnzSortedByIdle(t *testing.T) {
 	s := runMonitorServer()
 	defer s.Shutdown()
 
-	url := fmt.Sprintf("http://127.0.0.1:%d/", s.MonitorAddr().Port)
+	url := fmt.Sprintf("http://%s/connz?sort=idle", s.MonitorAddr())
+	now := time.Now()
 
-	testIdle := func(mode int) {
-		firstClient := createClientConnSubscribeAndPublish(t, s)
-		defer firstClient.Close()
-		firstClient.Subscribe("client.1", func(m *nats.Msg) {})
-		firstClient.Flush()
-
-		secondClient := createClientConnSubscribeAndPublish(t, s)
-		defer secondClient.Close()
-
-		// Make it such that the second client started 10 secs ago. 10 is important since bug
-		// was strcmp, e.g. 1s vs 11s
-		var cid uint64
-		switch mode {
-		case 0:
-			cid = uint64(2)
-		case 1:
-			cid = uint64(4)
-		}
-		client := s.getClient(cid)
-		if client == nil {
-			t.Fatalf("Error looking up client %v\n", 2)
-		}
+	clients := []struct {
+		start time.Time // Client start time.
+		last  time.Time // Client last activity time.
+	}{
+		{start: now.Add(-10 * time.Second), last: now.Add(-5 * time.Second)},
+		{start: now.Add(-20 * time.Second), last: now.Add(-10 * time.Second)},
+		{start: now.Add(-3 * time.Second), last: now.Add(-2 * time.Second)},
+		{start: now.Add(-30 * time.Second), last: now.Add(-20 * time.Second)},
+	}
 
-		// We want to make sure that we set start/last after the server has finished
-		// updating this client's last activity. Doing another Flush() now (even though
-		// one is done in createClientConnSubscribeAndPublish) ensures that server has
-		// finished updating the client's last activity, since for that last flush there
-		// should be no new message/sub/unsub activity.
-		secondClient.Flush()
+	testIdle := func(mode int) {
+		// Connect the specified number of clients.
+		for _, c := range clients {
+			clientConn := createClientConnSubscribeAndPublish(t, s)
+			defer clientConn.Close()
 
-		client.mu.Lock()
-		client.start = client.start.Add(-10 * time.Second)
-		client.last = client.start
-		client.mu.Unlock()
+			cid, err := clientConn.GetClientID()
+			if err != nil {
+				t.Fatalf("error getting the client CID: %v", err)
+			}
 
-		// The Idle granularity is a whole second
-		time.Sleep(time.Second)
-		firstClient.Publish("client.1", []byte("new message"))
+			client := s.getClient(cid)
+			if client == nil {
+				t.Fatalf("error looking up client %d", cid)
+			}
 
-		c := pollConz(t, s, mode, url+"connz?sort=idle", &ConnzOptions{Sort: ByIdle})
-		// Make sure we are returned 2 connections...
-		if len(c.Conns) != 2 {
-			t.Fatalf("Expected to get two connections, got %v", len(c.Conns))
+			// Change the client's start and last activity times.
+			client.mu.Lock()
+			client.start = c.start
+			client.last = c.last
+			client.mu.Unlock()
 		}
 
-		// And that the Idle time is valid (even if equal to "0s")
-		if c.Conns[0].Idle == "" || c.Conns[1].Idle == "" {
-			t.Fatal("Expected Idle value to be valid")
-		}
+		connz := pollConz(t, s, mode, url, &ConnzOptions{Sort: ByIdle})
 
-		idle1, err := time.ParseDuration(c.Conns[0].Idle)
-		if err != nil {
-			t.Fatalf("Unable to parse duration %v, err=%v", c.Conns[0].Idle, err)
-		}
-		idle2, err := time.ParseDuration(c.Conns[1].Idle)
-		if err != nil {
-			t.Fatalf("Unable to parse duration %v, err=%v", c.Conns[0].Idle, err)
+		wantConns := len(clients)
+		gotConns := len(connz.Conns)
+
+		if gotConns != wantConns {
+			t.Fatalf("want %d connections, got %d", wantConns, gotConns)
 		}
 
-		if idle2 < idle1 {
-			t.Fatalf("Expected conns sorted in descending order by Idle, got %v < %v\n",
-				idle2, idle1)
+		idleDurations := getConnsIdleDurations(t, connz.Conns)
+
+		if !sortedDurationsDesc(idleDurations) {
+			t.Errorf("want durations sorted in descending order, got %v", idleDurations)
 		}
 	}
+
 	for mode := 0; mode < 2; mode++ {
 		testIdle(mode)
 	}
 }
 
+// getConnsIdleDurations returns a slice of parsed idle durations from a connection info slice.
+func getConnsIdleDurations(t *testing.T, conns []*ConnInfo) []time.Duration {
+	t.Helper()
+
+	durations := make([]time.Duration, 0, len(conns))
+
+	for _, conn := range conns {
+		idle, err := time.ParseDuration(conn.Idle)
+		if err != nil {
+			t.Fatalf("error parsing duration %q: %v", conn.Idle, err)
+		}
+		durations = append(durations, idle)
+	}
+
+	return durations
+}
+
+// sortedDurationsDesc checks if a time.Duration slice is sorted in descending order.
+func sortedDurationsDesc(durations []time.Duration) bool {
+	return sort.SliceIsSorted(durations, func(i, j int) bool {
+		// Must be longer than the next duration.
+		return durations[i] > durations[j]
+	})
+}
+
+func TestConnzSortByIdleTime(t *testing.T) {
+	now := time.Now().UTC()
+
+	cases := map[string]ConnInfos{
+		"zero values": {{}, {}, {}, {}},
+		"equal last activity times": {
+			{Start: now.Add(-50 * time.Minute), LastActivity: now.Add(-time.Minute)},
+			{Start: now.Add(-30 * time.Minute), LastActivity: now.Add(-time.Minute)},
+			{Start: now.Add(-10 * time.Second), LastActivity: now.Add(-time.Minute)},
+			{Start: now.Add(-2 * time.Hour), LastActivity: now.Add(-time.Minute)},
+		},
+		"last activity in the future": {
+			{Start: now.Add(-50 * time.Minute), LastActivity: now.Add(10 * time.Minute)}, // +10m
+			{Start: now.Add(-30 * time.Minute), LastActivity: now.Add(5 * time.Minute)},  // +5m
+			{Start: now.Add(-24 * time.Hour), LastActivity: now.Add(2 * time.Second)},    // +2s
+			{Start: now.Add(-10 * time.Second), LastActivity: now.Add(15 * time.Minute)}, // +15m
+			{Start: now.Add(-2 * time.Hour), LastActivity: now.Add(time.Minute)},         // +1m
+		},
+		"unsorted": {
+			{Start: now.Add(-50 * time.Minute), LastActivity: now.Add(-10 * time.Minute)}, // 10m ago
+			{Start: now.Add(-30 * time.Minute), LastActivity: now.Add(-5 * time.Minute)},  // 5m ago
+			{Start: now.Add(-24 * time.Hour), LastActivity: now.Add(-2 * time.Second)},    // 2s ago
+			{Start: now.Add(-10 * time.Second), LastActivity: now.Add(-15 * time.Minute)}, // 15m ago
+			{Start: now.Add(-2 * time.Hour), LastActivity: now.Add(-time.Minute)},         // 1m ago
+		},
+		"unsorted with zero value start time": {
+			{LastActivity: now.Add(-10 * time.Minute)}, // 10m ago
+			{LastActivity: now.Add(-5 * time.Minute)},  // 5m ago
+			{LastActivity: now.Add(-2 * time.Second)},  // 2s ago
+			{LastActivity: now.Add(-15 * time.Minute)}, // 15m ago
+			{LastActivity: now.Add(-time.Minute)},      // 1m ago
+		},
+		"sorted": {
+			{Start: now.Add(-24 * time.Hour), LastActivity: now.Add(-2 * time.Second)},    // 2s ago
+			{Start: now.Add(-2 * time.Hour), LastActivity: now.Add(-time.Minute)},         // 1m ago
+			{Start: now.Add(-30 * time.Minute), LastActivity: now.Add(-5 * time.Minute)},  // 5m ago
+			{Start: now.Add(-50 * time.Minute), LastActivity: now.Add(-10 * time.Minute)}, // 10m ago
+			{Start: now.Add(-10 * time.Second), LastActivity: now.Add(-15 * time.Minute)}, // 15m ago
+		},
+		"sorted with zero value start time": {
+			{LastActivity: now.Add(-2 * time.Second)},  // 2s ago
+			{LastActivity: now.Add(-time.Minute)},      // 1m ago
+			{LastActivity: now.Add(-5 * time.Minute)},  // 5m ago
+			{LastActivity: now.Add(-10 * time.Minute)}, // 10m ago
+			{LastActivity: now.Add(-15 * time.Minute)}, // 15m ago
+		},
+	}
+
+	for name, conns := range cases {
+		t.Run(name, func(t *testing.T) {
+			sort.Sort(byIdle{conns, now})
+
+			idleDurations := getIdleDurations(conns, now)
+
+			if !sortedDurationsAsc(idleDurations) {
+				t.Errorf("want durations sorted in ascending order, got %v", idleDurations)
+			}
+		})
+	}
+}
+
+// getIdleDurations returns a slice of idle durations from a connection info list up until now time.
+func getIdleDurations(conns ConnInfos, now time.Time) []time.Duration {
+	durations := make([]time.Duration, 0, len(conns))
+
+	for _, conn := range conns {
+		durations = append(durations, now.Sub(conn.LastActivity))
+	}
+
+	return durations
+}
+
+// sortedDurationsAsc checks if a time.Duration slice is sorted in ascending order.
+func sortedDurationsAsc(durations []time.Duration) bool {
+	return sort.SliceIsSorted(durations, func(i, j int) bool {
+		return durations[i] < durations[j]
+	})
+}
+
 func TestConnzSortBadRequest(t *testing.T) {
 	s := runMonitorServer()
 	defer s.Shutdown()
@@ -2966,9 +3063,10 @@ func TestMonitorLeafNode(t *testing.T) {
 		opts.LeafNode.TLSConfig != nil,
 		[]RemoteLeafOptsVarz{
 			{
-				"acc", 1, []string{"localhost:1234"}, nil,
+				"acc", 1, []string{"localhost:1234"}, nil, false,
 			},
 		},
+		false,
 	}
 
 	varzURL := fmt.Sprintf("http://127.0.0.1:%d/varz", s.MonitorAddr().Port)
@@ -2985,7 +3083,7 @@ func TestMonitorLeafNode(t *testing.T) {
 
 		// Having this here to make sure that if fields are added in ClusterOptsVarz,
 		// we make sure to update this test (compiler will report an error if we don't)
-		_ = LeafNodeOptsVarz{"", 0, 0, 0, false, false, []RemoteLeafOptsVarz{{"", 0, nil, nil}}}
+		_ = LeafNodeOptsVarz{"", 0, 0, 0, false, false, []RemoteLeafOptsVarz{{"", 0, nil, nil, false}}, false}
 
 		// Alter the fields to make sure that we have a proper deep copy
 		// of what may be stored in the server. Anything we change here
@@ -3941,7 +4039,7 @@ func TestMonitorAccountz(t *testing.T) {
 	body = string(readBody(t, fmt.Sprintf("http://127.0.0.1:%d%s?acc=$SYS", s.MonitorAddr().Port, AccountzPath)))
 	require_Contains(t, body, `"account_detail": {`)
 	require_Contains(t, body, `"account_name": "$SYS",`)
-	require_Contains(t, body, `"subscriptions": 40,`)
+	require_Contains(t, body, `"subscriptions": 41,`)
 	require_Contains(t, body, `"is_system": true,`)
 	require_Contains(t, body, `"system_account": "$SYS"`)
 
@@ -4427,7 +4525,7 @@ func TestMonitorJsz(t *testing.T) {
 				t.Fatal("expected stream raft group info to be included")
 			}
 			crgroup := si.ConsumerRaftGroups[0]
-			if crgroup.Name != "my-consumer-replicated" {
+			if crgroup.Name != "my-consumer-replicated" && crgroup.Name != "my-consumer-mirror" {
 				t.Fatalf("expected consumer name to be included in raft group info, got: %v", crgroup.Name)
 			}
 			if len(crgroup.RaftGroup) == 0 {
@@ -4600,3 +4698,305 @@ func TestMonitorWebsocket(t *testing.T) {
 		}
 	}
 }
+
+func TestMonitorConnzOperatorModeFilterByUser(t *testing.T) {
+	accKp, accPub := createKey(t)
+	accClaim := jwt.NewAccountClaims(accPub)
+	accJwt := encodeClaim(t, accClaim, accPub)
+
+	conf := createConfFile(t, []byte(fmt.Sprintf(`
+		listen: 127.0.0.1:-1
+		http: 127.0.0.1:-1
+		operator = %s
+		resolver = MEMORY
+		resolver_preload = {
+			%s : %s
+		}
+	`, ojwt, accPub, accJwt)))
+
+	s, _ := RunServerWithConfig(conf)
+	defer s.Shutdown()
+
+	createUser := func() (string, string) {
+		ukp, _ := nkeys.CreateUser()
+		seed, _ := ukp.Seed()
+		upub, _ := ukp.PublicKey()
+		uclaim := newJWTTestUserClaims()
+		uclaim.Subject = upub
+		ujwt, err := uclaim.Encode(accKp)
+		require_NoError(t, err)
+		return upub, genCredsFile(t, ujwt, seed)
+	}
+
+	// Now create 2 users.
+	aUser, aCreds := createUser()
+	bUser, bCreds := createUser()
+
+	var users []*nats.Conn
+
+	// Create 2 for A
+	for i := 0; i < 2; i++ {
+		nc, err := nats.Connect(s.ClientURL(), nats.UserCredentials(aCreds))
+		require_NoError(t, err)
+		defer nc.Close()
+		users = append(users, nc)
+	}
+	// Create 5 for B
+	for i := 0; i < 5; i++ {
+		nc, err := nats.Connect(s.ClientURL(), nats.UserCredentials(bCreds))
+		require_NoError(t, err)
+		defer nc.Close()
+		users = append(users, nc)
+	}
+
+	// Test A
+	connz := pollConz(t, s, 1, _EMPTY_, &ConnzOptions{User: aUser, Username: true})
+	require_True(t, connz.NumConns == 2)
+	for _, ci := range connz.Conns {
+		require_True(t, ci.AuthorizedUser == aUser)
+	}
+	// Test B
+	connz = pollConz(t, s, 1, _EMPTY_, &ConnzOptions{User: bUser, Username: true})
+	require_True(t, connz.NumConns == 5)
+	for _, ci := range connz.Conns {
+		require_True(t, ci.AuthorizedUser == bUser)
+	}
+
+	// Make sure URL access is the same.
+	url := fmt.Sprintf("http://127.0.0.1:%d/", s.MonitorAddr().Port)
+	urlFull := url + fmt.Sprintf("connz?auth=true&user=%s", aUser)
+	connz = pollConz(t, s, 0, urlFull, nil)
+	require_True(t, connz.NumConns == 2)
+	for _, ci := range connz.Conns {
+		require_True(t, ci.AuthorizedUser == aUser)
+	}
+
+	// Now test closed filtering as well.
+	for _, nc := range users {
+		nc.Close()
+	}
+	// Let them process and be moved to closed ring buffer in server.
+	time.Sleep(100 * time.Millisecond)
+
+	connz = pollConz(t, s, 1, _EMPTY_, &ConnzOptions{User: aUser, Username: true, State: ConnClosed})
+	require_True(t, connz.NumConns == 2)
+	for _, ci := range connz.Conns {
+		require_True(t, ci.AuthorizedUser == aUser)
+	}
+}
+
+func TestMonitorConnzSortByRTT(t *testing.T) {
+	s := runMonitorServer()
+	defer s.Shutdown()
+
+	for i := 0; i < 10; i++ {
+		nc, err := nats.Connect(s.ClientURL())
+		require_NoError(t, err)
+		defer nc.Close()
+	}
+
+	connz := pollConz(t, s, 1, _EMPTY_, &ConnzOptions{Sort: ByRTT})
+	require_True(t, connz.NumConns == 10)
+
+	var rtt int64
+	for _, ci := range connz.Conns {
+		if rtt == 0 {
+			rtt = ci.rtt
+		} else {
+			if ci.rtt > rtt {
+				t.Fatalf("RTT not in descending order: %v vs %v",
+					time.Duration(rtt), time.Duration(ci.rtt))
+			}
+			rtt = ci.rtt
+		}
+	}
+
+	// Make sure url works as well.
+	url := fmt.Sprintf("http://127.0.0.1:%d/connz?sort=rtt", s.MonitorAddr().Port)
+	connz = pollConz(t, s, 0, url, nil)
+	require_True(t, connz.NumConns == 10)
+
+	rtt = 0
+	for _, ci := range connz.Conns {
+		crttd, err := time.ParseDuration(ci.RTT)
+		require_NoError(t, err)
+		crtt := int64(crttd)
+		if rtt == 0 {
+			rtt = crtt
+		} else {
+			if crtt > rtt {
+				t.Fatalf("RTT not in descending order: %v vs %v",
+					time.Duration(rtt), time.Duration(crtt))
+			}
+			rtt = ci.rtt
+		}
+	}
+}
+
+// https://github.com/nats-io/nats-server/issues/4144
+func TestMonitorAccountszMappingOrderReporting(t *testing.T) {
+	conf := createConfFile(t, []byte(`
+	listen: 127.0.0.1:-1
+	server_name: SR22
+	accounts {
+		CLOUD {
+			exports [ { service: "downlink.>" } ]
+		}
+		APP {
+			imports [ { service: { account: CLOUD, subject: "downlink.>"}, to: "event.>"} ]
+		}
+	}`))
+
+	s, _ := RunServerWithConfig(conf)
+	defer s.Shutdown()
+
+	az, err := s.Accountz(&AccountzOptions{"APP"})
+	require_NoError(t, err)
+	require_NotNil(t, az.Account)
+	require_True(t, len(az.Account.Imports) > 0)
+
+	var found bool
+	for _, si := range az.Account.Imports {
+		if si.Import.Subject == "downlink.>" {
+			found = true
+			require_True(t, si.Import.LocalSubject == "event.>")
+			break
+		}
+	}
+	require_True(t, found)
+}
+
+// createCallbackURL adds a callback query parameter for JSONP requests.
+func createCallbackURL(t *testing.T, endpoint string) string {
+	t.Helper()
+
+	u, err := url.Parse(endpoint)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	params := u.Query()
+	params.Set("callback", "callback")
+
+	u.RawQuery = params.Encode()
+
+	return u.String()
+}
+
+// stripCallback removes the JSONP callback function from the response.
+// Returns the JSON body without the wrapping callback function.
+// If there's no callback function, the data is returned as is.
+func stripCallback(data []byte) []byte {
+	// Cut the JSONP callback function with the opening parentheses.
+	_, after, found := bytes.Cut(data, []byte("("))
+
+	if found {
+		return bytes.TrimSuffix(after, []byte(")"))
+	}
+
+	return data
+}
+
+// expectHealthStatus makes 1 regular and 1 JSONP request to the URL and checks the
+// HTTP status code, Content-Type header and health status string.
+func expectHealthStatus(t *testing.T, url string, statusCode int, wantStatus string) {
+	t.Helper()
+
+	// First check for regular requests.
+	body := readBodyEx(t, url, statusCode, appJSONContent)
+	checkHealthStatus(t, body, wantStatus)
+
+	// Another check for JSONP requests.
+	jsonpURL := createCallbackURL(t, url) // Adds a callback query param.
+	jsonpBody := readBodyEx(t, jsonpURL, statusCode, appJSContent)
+	checkHealthStatus(t, stripCallback(jsonpBody), wantStatus)
+}
+
+// checkHealthStatus checks the health status from a JSON response.
+func checkHealthStatus(t *testing.T, body []byte, wantStatus string) {
+	t.Helper()
+
+	h := &HealthStatus{}
+
+	if err := json.Unmarshal(body, h); err != nil {
+		t.Fatalf("error unmarshalling the body: %v", err)
+	}
+
+	if h.Status != wantStatus {
+		t.Errorf("want health status %q, got %q", wantStatus, h.Status)
+	}
+}
+
+// checkHealthzEndpoint makes requests to the /healthz endpoint and checks the health status.
+func checkHealthzEndpoint(t *testing.T, address string, statusCode int, wantStatus string) {
+	t.Helper()
+
+	cases := map[string]string{
+		"healthz":         fmt.Sprintf("http://%s/healthz", address),
+		"js-enabled-only": fmt.Sprintf("http://%s/healthz?js-enabled-only=true", address),
+		"js-server-only":  fmt.Sprintf("http://%s/healthz?js-server-only=true", address),
+	}
+
+	for name, url := range cases {
+		t.Run(name, func(t *testing.T) {
+			expectHealthStatus(t, url, statusCode, wantStatus)
+		})
+	}
+}
+
+func TestHealthzStatusOK(t *testing.T) {
+	s := runMonitorServer()
+	defer s.Shutdown()
+
+	checkHealthzEndpoint(t, s.MonitorAddr().String(), http.StatusOK, "ok")
+}
+
+func TestHealthzStatusError(t *testing.T) {
+	s := runMonitorServer()
+	defer s.Shutdown()
+
+	// Intentionally causing an error in readyForConnections().
+	// Note: Private field access, taking advantage of having the tests in the same package.
+	s.listener = nil
+
+	checkHealthzEndpoint(t, s.MonitorAddr().String(), http.StatusServiceUnavailable, "error")
+}
+
+func TestHealthzStatusUnavailable(t *testing.T) {
+	opts := DefaultMonitorOptions()
+	opts.JetStream = true
+
+	s := RunServer(opts)
+	defer s.Shutdown()
+
+	if !s.JetStreamEnabled() {
+		t.Fatalf("want JetStream to be enabled first")
+	}
+
+	err := s.DisableJetStream()
+
+	if err != nil {
+		t.Fatalf("got an error disabling JetStream: %v", err)
+	}
+
+	checkHealthzEndpoint(t, s.MonitorAddr().String(), http.StatusServiceUnavailable, "unavailable")
+}
+
+// When we converted ipq to use generics we still were using sync.Map. Currently you can not convert
+// interface{} or any to a generic parameterized type. So this stopped working and panics.
+func TestIpqzWithGenerics(t *testing.T) {
+	opts := DefaultMonitorOptions()
+	opts.JetStream = true
+
+	s := RunServer(opts)
+	defer s.Shutdown()
+
+	url := fmt.Sprintf("http://%s/ipqueuesz?all=1", s.MonitorAddr().String())
+	body := readBody(t, url)
+	require_True(t, len(body) > 0)
+
+	queues := map[string]*monitorIPQueue{}
+	require_NoError(t, json.Unmarshal(body, &queues))
+	require_True(t, len(queues) >= 4)
+	require_True(t, queues["SendQ"] != nil)
+}
diff --git a/server/mqtt.go b/server/mqtt.go
index 9353563a1..8680e8dde 100644
--- a/server/mqtt.go
+++ b/server/mqtt.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 The NATS Authors
+// Copyright 2020-2023 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -422,7 +422,7 @@ func (s *Server) createMQTTClient(conn net.Conn, ws *websocket) *client {
 	if maxSubs == 0 {
 		maxSubs = -1
 	}
-	now := time.Now().UTC()
+	now := time.Now()
 
 	c := &client{srv: s, nc: conn, mpay: maxPay, msubs: maxSubs, start: now, last: now, mqtt: &mqtt{}, ws: ws}
 	c.headers = true
@@ -3407,8 +3407,8 @@ func mqttSubscribeTrace(pi uint16, filters []*mqttFilter) string {
 // message and this is the callback for a QoS1 subscription because in
 // that case, it will be handled by the other callback. This avoid getting
 // duplicate deliveries.
-func mqttDeliverMsgCbQos0(sub *subscription, pc *client, _ *Account, subject, _ string, rmsg []byte) {
-	if pc.kind == JETSTREAM {
+func mqttDeliverMsgCbQos0(sub *subscription, pc *client, _ *Account, subject, reply string, rmsg []byte) {
+	if pc.kind == JETSTREAM && len(reply) > 0 && strings.HasPrefix(reply, jsAckPre) {
 		return
 	}
 
diff --git a/server/mqtt_test.go b/server/mqtt_test.go
index 0c659df0e..625c206b4 100644
--- a/server/mqtt_test.go
+++ b/server/mqtt_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020 The NATS Authors
+// Copyright 2020-2023 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -319,7 +319,7 @@ func testMQTTRunServer(t testing.TB, o *Options) *Server {
 	}
 	l := &DummyLogger{}
 	s.SetLogger(l, true, true)
-	go s.Start()
+	s.Start()
 	if err := s.readyForConnections(3 * time.Second); err != nil {
 		testMQTTShutdownServer(s)
 		t.Fatal(err)
@@ -6367,6 +6367,49 @@ func TestMQTTSubjectWildcardStart(t *testing.T) {
 	require_True(t, si.State.Msgs == 0)
 }
 
+// Issue https://github.com/nats-io/nats-server/issues/4291
+func TestMQTTJetStreamRepublishAndQoS0Subscribers(t *testing.T) {
+	conf := createConfFile(t, []byte(`
+		listen: 127.0.0.1:-1
+		server_name: mqtt
+		jetstream: enabled
+		mqtt {
+			listen: 127.0.0.1:-1
+		}
+	`))
+	s, o := RunServerWithConfig(conf)
+	defer testMQTTShutdownServer(s)
+
+	nc, js := jsClientConnect(t, s)
+	defer nc.Close()
+
+	// Setup stream with republish on it.
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{"foo"},
+		RePublish: &nats.RePublish{
+			Source:      "foo",
+			Destination: "mqtt.foo",
+		},
+	})
+	require_NoError(t, err)
+
+	// Create QoS0 subscriber to catch re-publishes.
+	mc, r := testMQTTConnect(t, &mqttConnInfo{cleanSess: true}, o.MQTT.Host, o.MQTT.Port)
+	defer mc.Close()
+	testMQTTCheckConnAck(t, r, mqttConnAckRCConnectionAccepted, false)
+
+	testMQTTSub(t, 1, mc, r, []*mqttFilter{{filter: "mqtt/foo", qos: 0}}, []byte{0})
+	testMQTTFlush(t, mc, nil, r)
+
+	msg := []byte("HELLO WORLD")
+	_, err = js.Publish("foo", msg)
+	require_NoError(t, err)
+
+	testMQTTCheckPubMsg(t, mc, r, "mqtt/foo", 0, msg)
+	testMQTTExpectNothing(t, r)
+}
+
 //////////////////////////////////////////////////////////////////////////
 //
 // Benchmarks
diff --git a/server/nkey.go b/server/nkey.go
index 8604c4413..5b45edf75 100644
--- a/server/nkey.go
+++ b/server/nkey.go
@@ -34,7 +34,7 @@ func (s *Server) NonceRequired() bool {
 // nonceRequired tells us if we should send a nonce.
 // Lock should be held on entry.
 func (s *Server) nonceRequired() bool {
-	return s.opts.AlwaysEnableNonce || len(s.nkeys) > 0 || s.trustedKeys != nil
+	return s.getOpts().AlwaysEnableNonce || len(s.nkeys) > 0 || s.trustedKeys != nil
 }
 
 // Generate a nonce for INFO challenge.
diff --git a/server/norace_test.go b/server/norace_test.go
index 787a6e5f8..473576bd1 100644
--- a/server/norace_test.go
+++ b/server/norace_test.go
@@ -26,6 +26,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"math"
 	"math/rand"
 	"net"
 	"net/http"
@@ -49,6 +50,7 @@ import (
 	"github.com/nats-io/jwt/v2"
 	"github.com/nats-io/nats.go"
 	"github.com/nats-io/nkeys"
+	"github.com/nats-io/nuid"
 )
 
 // IMPORTANT: Tests in this file are not executed when running with the -race flag.
@@ -2422,7 +2424,7 @@ func TestNoRaceJetStreamSlowFilteredInititalPendingAndFirstMsg(t *testing.T) {
 	})
 
 	// Threshold for taking too long.
-	const thresh = 50 * time.Millisecond
+	const thresh = 150 * time.Millisecond
 
 	var dindex int
 	testConsumerCreate := func(subj string, startSeq, expectedNumPending uint64) {
@@ -3605,7 +3607,7 @@ func TestNoRaceJetStreamClusterCorruptWAL(t *testing.T) {
 	fs = o.raftNode().(*raft).wal.(*fileStore)
 	state = fs.State()
 	err = fs.Truncate(state.FirstSeq)
-	require_NoError(t, err)
+	require_True(t, err == nil || err == ErrInvalidSequence)
 	state = fs.State()
 
 	sub, err = js.PullSubscribe("foo", "dlc")
@@ -3798,13 +3800,16 @@ func TestNoRaceJetStreamClusterStreamReset(t *testing.T) {
 		return err
 	})
 
-	// Grab number go routines.
-	if after := runtime.NumGoroutine(); base > after {
-		t.Fatalf("Expected %d go routines, got %d", base, after)
-	}
+	checkFor(t, 5*time.Second, 200*time.Millisecond, func() error {
+		if after := runtime.NumGoroutine(); base > after {
+			return fmt.Errorf("Expected %d go routines, got %d", base, after)
+		}
+		return nil
+	})
 
 	// Simulate a low level write error on our consumer and make sure we can recover etc.
 	cl = c.consumerLeader("$G", "TEST", "d1")
+	require_True(t, cl != nil)
 	mset, err = cl.GlobalAccount().lookupStream("TEST")
 	if err != nil {
 		t.Fatalf("Unexpected error: %v", err)
@@ -5200,16 +5205,15 @@ func TestNoRaceJetStreamClusterDirectAccessAllPeersSubs(t *testing.T) {
 		wg.Add(1)
 		go func() {
 			defer wg.Done()
-			nc, _ := jsClientConnect(t, c.randomServer())
+			nc, js := jsClientConnect(t, c.randomServer())
 			defer nc.Close()
-			js, _ := nc.JetStream(nats.MaxWait(500 * time.Millisecond))
 			for {
 				select {
 				case <-qch:
 					return
 				default:
 					// Send as fast as we can.
-					js.PublishAsync(fmt.Sprintf("kv.%d", rand.Intn(1000)), msg)
+					js.Publish(fmt.Sprintf("kv.%d", rand.Intn(1000)), msg)
 				}
 			}
 		}()
@@ -5265,7 +5269,7 @@ func TestNoRaceJetStreamClusterDirectAccessAllPeersSubs(t *testing.T) {
 		t.Fatalf("Expected to see messages increase, got %d", si.State.Msgs)
 	}
 
-	checkFor(t, 2*time.Second, 100*time.Millisecond, func() error {
+	checkFor(t, 10*time.Second, 100*time.Millisecond, func() error {
 		// Make sure they are all the same from a state perspective.
 		// Leader will have the expected state.
 		lmset, err := c.streamLeader("$G", "TEST").GlobalAccount().lookupStream("TEST")
@@ -5383,6 +5387,9 @@ func TestNoRaceJetStreamClusterConsumerListPaging(t *testing.T) {
 		if resp.Limit < len(resp.Consumers) {
 			t.Fatalf("Expected total limited to %d but got %d", resp.Limit, len(resp.Consumers))
 		}
+		if resp.Total != numConsumers {
+			t.Fatalf("Invalid total response: expected %d got %d", numConsumers, resp.Total)
+		}
 		return resp.Consumers
 	}
 
@@ -5412,6 +5419,9 @@ func TestNoRaceJetStreamClusterConsumerListPaging(t *testing.T) {
 		if resp.Limit < len(resp.Consumers) {
 			t.Fatalf("Expected total limited to %d but got %d", resp.Limit, len(resp.Consumers))
 		}
+		if resp.Total != numConsumers {
+			t.Fatalf("Invalid total response: expected %d got %d", numConsumers, resp.Total)
+		}
 		return resp.Consumers
 	}
 
@@ -5428,6 +5438,10 @@ func TestNoRaceJetStreamClusterConsumerListPaging(t *testing.T) {
 			results[name] = true
 		}
 	}
+
+	if len(results) != numConsumers {
+		t.Fatalf("Received %d / %d consumers", len(results), numConsumers)
+	}
 }
 
 func TestNoRaceJetStreamFileStoreLargeKVAccessTiming(t *testing.T) {
@@ -5564,7 +5578,7 @@ func TestNoRaceJetStreamSuperClusterStreamMoveLongRTT(t *testing.T) {
 	// Make C2 far away.
 	gwm := gwProxyMap{
 		"C2": &gwProxy{
-			rtt:  400 * time.Millisecond,
+			rtt:  20 * time.Millisecond,
 			up:   1 * 1024 * 1024 * 1024, // 1gbit
 			down: 1 * 1024 * 1024 * 1024, // 1gbit
 		},
@@ -5583,7 +5597,7 @@ func TestNoRaceJetStreamSuperClusterStreamMoveLongRTT(t *testing.T) {
 	}
 
 	// Place a stream in C1.
-	_, err := js.AddStream(cfg)
+	_, err := js.AddStream(cfg, nats.MaxWait(10*time.Second))
 	require_NoError(t, err)
 
 	chunk := bytes.Repeat([]byte("Z"), 1000*1024) // ~1MB
@@ -5594,7 +5608,7 @@ func TestNoRaceJetStreamSuperClusterStreamMoveLongRTT(t *testing.T) {
 	}
 	select {
 	case <-js.PublishAsyncComplete():
-	case <-time.After(5 * time.Second):
+	case <-time.After(10 * time.Second):
 		t.Fatalf("Did not receive completion signal")
 	}
 
@@ -5603,7 +5617,7 @@ func TestNoRaceJetStreamSuperClusterStreamMoveLongRTT(t *testing.T) {
 	_, err = js.UpdateStream(cfg)
 	require_NoError(t, err)
 
-	checkFor(t, 10*time.Second, time.Second, func() error {
+	checkFor(t, 20*time.Second, time.Second, func() error {
 		si, err := js.StreamInfo("TEST", nats.MaxWait(time.Second))
 		if err != nil {
 			return err
@@ -5835,7 +5849,7 @@ func TestNoRaceEncodeConsumerStateBug(t *testing.T) {
 }
 
 // Performance impact on stream ingress with large number of consumers.
-func TestJetStreamLargeNumConsumersPerfImpact(t *testing.T) {
+func TestNoRaceJetStreamLargeNumConsumersPerfImpact(t *testing.T) {
 	skip(t)
 
 	s := RunBasicJetStreamServer(t)
@@ -5927,7 +5941,7 @@ func TestJetStreamLargeNumConsumersPerfImpact(t *testing.T) {
 }
 
 // Performance impact on large number of consumers but sparse delivery.
-func TestJetStreamLargeNumConsumersSparseDelivery(t *testing.T) {
+func TestNoRaceJetStreamLargeNumConsumersSparseDelivery(t *testing.T) {
 	skip(t)
 
 	s := RunBasicJetStreamServer(t)
@@ -6120,12 +6134,15 @@ func TestNoRaceJetStreamClusterEnsureWALCompact(t *testing.T) {
 	err = node.InstallSnapshot(snap)
 	require_NoError(t, err)
 
-	received, done := 0, make(chan bool)
+	received, done := 0, make(chan bool, 1)
 
 	nc.Subscribe("zz", func(m *nats.Msg) {
 		received++
 		if received >= ns {
-			done <- true
+			select {
+			case done <- true:
+			default:
+			}
 		}
 		m.Ack()
 	})
@@ -6390,8 +6407,8 @@ func TestNoRaceJetStreamConsumerCreateTimeNumPending(t *testing.T) {
 	case <-time.After(5 * time.Second):
 	}
 
-	// Should stay under 5ms now, but for Travis variability say 25ms.
-	threshold := 25 * time.Millisecond
+	// Should stay under 5ms now, but for Travis variability say 50ms.
+	threshold := 50 * time.Millisecond
 
 	start := time.Now()
 	_, err = js.PullSubscribe("events.*", "dlc")
@@ -6527,3 +6544,1667 @@ func TestNoRaceJetStreamClusterGhostConsumers(t *testing.T) {
 		return fmt.Errorf("Still have missing: %+v", missing)
 	})
 }
+
+// This is to test a publish slowdown and general instability experienced in a setup simular to this.
+// We have feeder streams that are all sourced to an aggregate stream. All streams are interest retention.
+// We want to monitor the avg publish time for the sync publishers to the feeder streams, the ingest rate to
+// the aggregate stream, and general health of the consumers on the aggregate stream.
+// Target publish rate is ~2k/s with publish time being ~40-60ms but remaining stable.
+// We can also simulate max redeliveries that create interior deletes in streams.
+func TestNoRaceJetStreamClusterF3Setup(t *testing.T) {
+	// Uncomment to run. Needs to be on a pretty big machine. Do not want as part of Travis tests atm.
+	skip(t)
+
+	// These and the settings below achieve ~60ms pub time on avg and ~2k msgs per sec inbound to the aggregate stream.
+	// On my machine though.
+	np := clusterProxy{
+		rtt:  2 * time.Millisecond,
+		up:   1 * 1024 * 1024 * 1024, // 1gbit
+		down: 1 * 1024 * 1024 * 1024, // 1gbit
+	}
+
+	// Test params.
+	numSourceStreams := 20
+	numConsumersPerSource := 1
+	numPullersPerConsumer := 50
+	numPublishers := 100
+	setHighStartSequence := false
+	simulateMaxRedeliveries := false
+	maxBadPubTimes := uint32(20)
+	badPubThresh := 500 * time.Millisecond
+	testTime := 5 * time.Minute // make sure to do --timeout=65m
+
+	t.Logf("Starting Test: Total Test Time %v", testTime)
+
+	c := createJetStreamClusterWithNetProxy(t, "R3S", 3, &np)
+	defer c.shutdown()
+
+	// Do some quick sanity checking for latency stuff.
+	{
+		nc, js := jsClientConnect(t, c.randomServer())
+		defer nc.Close()
+
+		_, err := js.AddStream(&nats.StreamConfig{
+			Name:      "TEST",
+			Replicas:  3,
+			Subjects:  []string{"foo"},
+			Retention: nats.InterestPolicy,
+		})
+		require_NoError(t, err)
+		defer js.DeleteStream("TEST")
+
+		sl := c.streamLeader(globalAccountName, "TEST")
+		nc, js = jsClientConnect(t, sl)
+		defer nc.Close()
+		start := time.Now()
+		_, err = js.Publish("foo", []byte("hello"))
+		require_NoError(t, err)
+		// This is best case, and with client connection being close to free, this should be at least > rtt
+		if elapsed := time.Since(start); elapsed < np.rtt {
+			t.Fatalf("Expected publish time to be > %v, got %v", np.rtt, elapsed)
+		}
+
+		nl := c.randomNonStreamLeader(globalAccountName, "TEST")
+		nc, js = jsClientConnect(t, nl)
+		defer nc.Close()
+		start = time.Now()
+		_, err = js.Publish("foo", []byte("hello"))
+		require_NoError(t, err)
+		// This is worst case, meaning message has to travel to leader, then to fastest replica, then back.
+		// So should be at 3x rtt, so check at least > 2x rtt.
+		if elapsed := time.Since(start); elapsed < 2*np.rtt {
+			t.Fatalf("Expected publish time to be > %v, got %v", 2*np.rtt, elapsed)
+		}
+	}
+
+	// Setup source streams.
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	t.Logf("Creating %d Source Streams", numSourceStreams)
+
+	var sources []string
+	wg := sync.WaitGroup{}
+	for i := 0; i < numSourceStreams; i++ {
+		sname := fmt.Sprintf("EVENT-%s", nuid.Next())
+		sources = append(sources, sname)
+		wg.Add(1)
+		go func(stream string) {
+			defer wg.Done()
+			t.Logf("  %q", stream)
+			subj := fmt.Sprintf("%s.>", stream)
+			_, err := js.AddStream(&nats.StreamConfig{
+				Name:      stream,
+				Subjects:  []string{subj},
+				Replicas:  3,
+				Retention: nats.InterestPolicy,
+			})
+			require_NoError(t, err)
+			for j := 0; j < numConsumersPerSource; j++ {
+				consumer := fmt.Sprintf("C%d", j)
+				_, err := js.Subscribe(_EMPTY_, func(msg *nats.Msg) {
+					msg.Ack()
+				}, nats.BindStream(stream), nats.Durable(consumer), nats.ManualAck())
+				require_NoError(t, err)
+			}
+		}(sname)
+	}
+	wg.Wait()
+
+	var streamSources []*nats.StreamSource
+	for _, src := range sources {
+		streamSources = append(streamSources, &nats.StreamSource{Name: src})
+
+	}
+
+	t.Log("Creating Aggregate Stream")
+
+	// Now create the aggregate stream.
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:      "EVENTS",
+		Replicas:  3,
+		Retention: nats.InterestPolicy,
+		Sources:   streamSources,
+	})
+	require_NoError(t, err)
+
+	// Set first sequence to a high number.
+	if setHighStartSequence {
+		require_NoError(t, js.PurgeStream("EVENTS", &nats.StreamPurgeRequest{Sequence: 32_000_001}))
+	}
+
+	// Now create 2 pull consumers.
+	_, err = js.PullSubscribe(_EMPTY_, "C1",
+		nats.BindStream("EVENTS"),
+		nats.MaxDeliver(1),
+		nats.AckWait(10*time.Second),
+		nats.ManualAck(),
+	)
+	require_NoError(t, err)
+
+	_, err = js.PullSubscribe(_EMPTY_, "C2",
+		nats.BindStream("EVENTS"),
+		nats.MaxDeliver(1),
+		nats.AckWait(10*time.Second),
+		nats.ManualAck(),
+	)
+	require_NoError(t, err)
+
+	t.Logf("Creating %d x 2 Pull Subscribers", numPullersPerConsumer)
+
+	// Now create the pullers.
+	for _, subName := range []string{"C1", "C2"} {
+		for i := 0; i < numPullersPerConsumer; i++ {
+			go func(subName string) {
+				nc, js := jsClientConnect(t, c.randomServer())
+				defer nc.Close()
+
+				sub, err := js.PullSubscribe(_EMPTY_, subName,
+					nats.BindStream("EVENTS"),
+					nats.MaxDeliver(1),
+					nats.AckWait(10*time.Second),
+					nats.ManualAck(),
+				)
+				require_NoError(t, err)
+
+				for {
+					msgs, err := sub.Fetch(25, nats.MaxWait(2*time.Second))
+					if err != nil && err != nats.ErrTimeout {
+						t.Logf("Exiting pull subscriber %q: %v", subName, err)
+						return
+					}
+					// Shuffle
+					rand.Shuffle(len(msgs), func(i, j int) { msgs[i], msgs[j] = msgs[j], msgs[i] })
+
+					// Wait for a random interval up to 100ms.
+					time.Sleep(time.Duration(rand.Intn(100)) * time.Millisecond)
+
+					for _, m := range msgs {
+						// If we want to simulate max redeliveries being hit, since not acking
+						// once will cause it due to subscriber setup.
+						// 100_000 == 0.01%
+						if simulateMaxRedeliveries && rand.Intn(100_000) == 0 {
+							md, err := m.Metadata()
+							require_NoError(t, err)
+							t.Logf("** Skipping Ack: %d **", md.Sequence.Stream)
+						} else {
+							m.Ack()
+						}
+					}
+				}
+			}(subName)
+		}
+	}
+
+	// Now create feeder publishers.
+	eventTypes := []string{"PAYMENT", "SUBMISSION", "CANCEL"}
+
+	msg := make([]byte, 2*1024) // 2k payload
+	rand.Read(msg)
+
+	// For tracking pub times.
+	var pubs int
+	var totalPubTime time.Duration
+	var pmu sync.Mutex
+	last := time.Now()
+
+	updatePubStats := func(elapsed time.Duration) {
+		pmu.Lock()
+		defer pmu.Unlock()
+		// Reset every 5s
+		if time.Since(last) > 5*time.Second {
+			pubs = 0
+			totalPubTime = 0
+			last = time.Now()
+		}
+		pubs++
+		totalPubTime += elapsed
+	}
+	avgPubTime := func() time.Duration {
+		pmu.Lock()
+		np := pubs
+		tpt := totalPubTime
+		pmu.Unlock()
+		return tpt / time.Duration(np)
+	}
+
+	t.Logf("Creating %d Publishers", numPublishers)
+
+	var numLimitsExceeded atomic.Uint32
+	errCh := make(chan error, 100)
+
+	for i := 0; i < numPublishers; i++ {
+		go func() {
+			nc, js := jsClientConnect(t, c.randomServer())
+			defer nc.Close()
+
+			for {
+				// Grab a random source stream
+				stream := sources[rand.Intn(len(sources))]
+				// Grab random event type.
+				evt := eventTypes[rand.Intn(len(eventTypes))]
+				subj := fmt.Sprintf("%s.%s", stream, evt)
+				start := time.Now()
+				_, err := js.Publish(subj, msg)
+				if err != nil {
+					t.Logf("Exiting publisher: %v", err)
+					return
+				}
+				elapsed := time.Since(start)
+				if elapsed > badPubThresh {
+					t.Logf("Publish time took more than expected: %v", elapsed)
+					numLimitsExceeded.Add(1)
+					if ne := numLimitsExceeded.Load(); ne > maxBadPubTimes {
+						errCh <- fmt.Errorf("Too many exceeded times on publish: %d", ne)
+						return
+					}
+				}
+				updatePubStats(elapsed)
+			}
+		}()
+	}
+
+	t.Log("Creating Monitoring Routine - Data in ~10s")
+
+	// Create monitoring routine.
+	go func() {
+		nc, js := jsClientConnect(t, c.randomServer())
+		defer nc.Close()
+
+		fseq, lseq := uint64(0), uint64(0)
+		for {
+			// Grab consumers
+			var minAckFloor uint64 = math.MaxUint64
+			for _, consumer := range []string{"C1", "C2"} {
+				ci, err := js.ConsumerInfo("EVENTS", consumer)
+				if err != nil {
+					t.Logf("Exiting Monitor: %v", err)
+					return
+				}
+				if lseq > 0 {
+					t.Logf("%s:\n  Delivered:\t%d\n  AckFloor:\t%d\n  AckPending:\t%d\n  NumPending:\t%d",
+						consumer, ci.Delivered.Stream, ci.AckFloor.Stream, ci.NumAckPending, ci.NumPending)
+				}
+				if ci.AckFloor.Stream < minAckFloor {
+					minAckFloor = ci.AckFloor.Stream
+				}
+			}
+			// Now grab aggregate stream state.
+			si, err := js.StreamInfo("EVENTS")
+			if err != nil {
+				t.Logf("Exiting Monitor: %v", err)
+				return
+			}
+			state := si.State
+			if lseq != 0 {
+				t.Logf("Stream:\n  Msgs: \t%d\n  First:\t%d\n  Last: \t%d\n  Deletes:\t%d\n",
+					state.Msgs, state.FirstSeq, state.LastSeq, state.NumDeleted)
+				t.Logf("Publish Stats:\n  Msgs/s:\t%0.2f\n  Avg Pub:\t%v\n\n", float64(si.State.LastSeq-lseq)/5.0, avgPubTime())
+				if si.State.FirstSeq < minAckFloor && si.State.FirstSeq == fseq {
+					t.Log("Stream first seq < minimum ack floor")
+				}
+			}
+			fseq, lseq = si.State.FirstSeq, si.State.LastSeq
+			time.Sleep(5 * time.Second)
+		}
+
+	}()
+
+	select {
+	case e := <-errCh:
+		t.Fatal(e)
+	case <-time.After(testTime):
+		t.Fatalf("Did not receive completion signal")
+	}
+}
+
+// Unbalanced stretch cluster.
+// S2 (stream leader) will have a slow path to S1 (via proxy) and S3 (consumer leader) will have a fast path.
+//
+//	 Route Ports
+//		"S1": 14622
+//		"S2": 15622
+//		"S3": 16622
+func createStretchUnbalancedCluster(t testing.TB) (c *cluster, np *netProxy) {
+	t.Helper()
+
+	tmpl := `
+	listen: 127.0.0.1:-1
+	server_name: %s
+	jetstream: {max_mem_store: 256MB, max_file_store: 2GB, store_dir: '%s'}
+
+	cluster {
+		name: "F3"
+		listen: 127.0.0.1:%d
+		routes = [%s]
+	}
+
+	accounts {
+		$SYS { users = [ { user: "admin", pass: "s3cr3t!" } ] }
+	}
+	`
+	// Do these in order, S1, S2 (proxy) then S3.
+	c = &cluster{t: t, servers: make([]*Server, 3), opts: make([]*Options, 3), name: "F3"}
+
+	// S1
+	conf := fmt.Sprintf(tmpl, "S1", t.TempDir(), 14622, "route://127.0.0.1:15622, route://127.0.0.1:16622")
+	c.servers[0], c.opts[0] = RunServerWithConfig(createConfFile(t, []byte(conf)))
+
+	// S2
+	// Create the proxy first. Connect this to S1. Make it slow, e.g. 5ms RTT.
+	np = createNetProxy(1*time.Millisecond, 1024*1024*1024, 1024*1024*1024, "route://127.0.0.1:14622", true)
+	routes := fmt.Sprintf("%s, route://127.0.0.1:16622", np.routeURL())
+	conf = fmt.Sprintf(tmpl, "S2", t.TempDir(), 15622, routes)
+	c.servers[1], c.opts[1] = RunServerWithConfig(createConfFile(t, []byte(conf)))
+
+	// S3
+	conf = fmt.Sprintf(tmpl, "S3", t.TempDir(), 16622, "route://127.0.0.1:14622, route://127.0.0.1:15622")
+	c.servers[2], c.opts[2] = RunServerWithConfig(createConfFile(t, []byte(conf)))
+
+	c.checkClusterFormed()
+	c.waitOnClusterReady()
+
+	return c, np
+}
+
+// We test an interest based stream that has a cluster with a node with asymmetric paths from
+// the stream leader and the consumer leader such that the consumer leader path is fast and
+// replicated acks arrive sooner then the actual message. This path was considered, but also
+// categorized as very rare and was expensive as it tried to forward a new stream msg delete
+// proposal to the original stream leader. It now will deal with the issue locally and not
+// slow down the ingest rate to the stream's publishers.
+func TestNoRaceJetStreamClusterDifferentRTTInterestBasedStreamSetup(t *testing.T) {
+	// Uncomment to run. Do not want as part of Travis tests atm.
+	skip(t)
+
+	c, np := createStretchUnbalancedCluster(t)
+	defer c.shutdown()
+	defer np.stop()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	// Now create the stream.
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:      "EVENTS",
+		Subjects:  []string{"EV.>"},
+		Replicas:  3,
+		Retention: nats.InterestPolicy,
+	})
+	require_NoError(t, err)
+
+	// Make sure it's leader is on S2.
+	sl := c.servers[1]
+	checkFor(t, 20*time.Second, 200*time.Millisecond, func() error {
+		c.waitOnStreamLeader(globalAccountName, "EVENTS")
+		if s := c.streamLeader(globalAccountName, "EVENTS"); s != sl {
+			s.JetStreamStepdownStream(globalAccountName, "EVENTS")
+			return fmt.Errorf("Server %s is not stream leader yet", sl)
+		}
+		return nil
+	})
+
+	// Now create the consumer.
+	_, err = js.PullSubscribe(_EMPTY_, "C", nats.BindStream("EVENTS"), nats.ManualAck())
+	require_NoError(t, err)
+
+	// Make sure the consumer leader is on S3.
+	cl := c.servers[2]
+	checkFor(t, 20*time.Second, 200*time.Millisecond, func() error {
+		c.waitOnConsumerLeader(globalAccountName, "EVENTS", "C")
+		if s := c.consumerLeader(globalAccountName, "EVENTS", "C"); s != cl {
+			s.JetStreamStepdownConsumer(globalAccountName, "EVENTS", "C")
+			return fmt.Errorf("Server %s is not consumer leader yet", cl)
+		}
+		return nil
+	})
+
+	go func(js nats.JetStream) {
+		sub, err := js.PullSubscribe(_EMPTY_, "C", nats.BindStream("EVENTS"), nats.ManualAck())
+		require_NoError(t, err)
+
+		for {
+			msgs, err := sub.Fetch(100, nats.MaxWait(2*time.Second))
+			if err != nil && err != nats.ErrTimeout {
+				return
+			}
+			// Shuffle
+			rand.Shuffle(len(msgs), func(i, j int) { msgs[i], msgs[j] = msgs[j], msgs[i] })
+			for _, m := range msgs {
+				m.Ack()
+			}
+		}
+	}(js)
+
+	numPublishers := 25
+	pubThresh := 2 * time.Second
+	var maxExceeded atomic.Int64
+	errCh := make(chan error, numPublishers)
+	wg := sync.WaitGroup{}
+
+	msg := make([]byte, 2*1024) // 2k payload
+	rand.Read(msg)
+
+	// Publishers.
+	for i := 0; i < numPublishers; i++ {
+		wg.Add(1)
+		go func(iter int) {
+			defer wg.Done()
+
+			// Connect to random, the slow ones will be connected to the slow node.
+			// But if you connect them all there it will pass.
+			s := c.randomServer()
+			nc, js := jsClientConnect(t, s)
+			defer nc.Close()
+
+			for i := 0; i < 1_000; i++ {
+				start := time.Now()
+				_, err := js.Publish("EV.PAID", msg)
+				if err != nil {
+					errCh <- fmt.Errorf("Publish error: %v", err)
+					return
+				}
+				if elapsed := time.Since(start); elapsed > pubThresh {
+					errCh <- fmt.Errorf("Publish time exceeded")
+					if int64(elapsed) > maxExceeded.Load() {
+						maxExceeded.Store(int64(elapsed))
+					}
+					return
+				}
+			}
+		}(i)
+	}
+
+	wg.Wait()
+
+	select {
+	case e := <-errCh:
+		t.Fatalf("%v: threshold is %v, maximum seen: %v", e, pubThresh, time.Duration(maxExceeded.Load()))
+	default:
+	}
+}
+
+func TestNoRaceJetStreamInterestStreamCheckInterestRaceBug(t *testing.T) {
+	c := createJetStreamClusterExplicit(t, "R3S", 3)
+	defer c.shutdown()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:      "TEST",
+		Subjects:  []string{"foo"},
+		Replicas:  3,
+		Retention: nats.InterestPolicy,
+	})
+	require_NoError(t, err)
+
+	numConsumers := 10
+	for i := 0; i < numConsumers; i++ {
+		nc, js := jsClientConnect(t, c.randomServer())
+		defer nc.Close()
+
+		_, err = js.Subscribe("foo", func(m *nats.Msg) {
+			m.Ack()
+		}, nats.Durable(fmt.Sprintf("C%d", i)), nats.ManualAck())
+		require_NoError(t, err)
+	}
+
+	numToSend := 10_000
+	for i := 0; i < numToSend; i++ {
+		_, err := js.PublishAsync("foo", nil)
+		require_NoError(t, err)
+	}
+	select {
+	case <-js.PublishAsyncComplete():
+	case <-time.After(20 * time.Second):
+		t.Fatalf("Did not receive completion signal")
+	}
+
+	// Wait til ackfloor is correct for all consumers.
+	checkFor(t, 20*time.Second, 100*time.Millisecond, func() error {
+		for _, s := range c.servers {
+			mset, err := s.GlobalAccount().lookupStream("TEST")
+			require_NoError(t, err)
+
+			mset.mu.RLock()
+			defer mset.mu.RUnlock()
+
+			require_True(t, len(mset.consumers) == numConsumers)
+
+			for _, o := range mset.consumers {
+				state, err := o.store.State()
+				require_NoError(t, err)
+				if state.AckFloor.Stream != uint64(numToSend) {
+					return fmt.Errorf("Ackfloor not correct yet")
+				}
+			}
+		}
+		return nil
+	})
+
+	for _, s := range c.servers {
+		mset, err := s.GlobalAccount().lookupStream("TEST")
+		require_NoError(t, err)
+
+		mset.mu.RLock()
+		defer mset.mu.RUnlock()
+
+		state := mset.state()
+		require_True(t, state.Msgs == 0)
+		require_True(t, state.FirstSeq == uint64(numToSend+1))
+	}
+}
+
+func TestNoRaceJetStreamClusterInterestStreamConsistencyAfterRollingRestart(t *testing.T) {
+	// Uncomment to run. Needs to be on a big machine. Do not want as part of Travis tests atm.
+	skip(t)
+
+	c := createJetStreamClusterExplicit(t, "R3S", 3)
+	defer c.shutdown()
+
+	numStreams := 200
+	numConsumersPer := 5
+	numPublishers := 10
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	qch := make(chan bool)
+
+	var mm sync.Mutex
+	ackMap := make(map[string]map[uint64][]string)
+
+	addAckTracking := func(seq uint64, stream, consumer string) {
+		mm.Lock()
+		defer mm.Unlock()
+		sam := ackMap[stream]
+		if sam == nil {
+			sam = make(map[uint64][]string)
+			ackMap[stream] = sam
+		}
+		sam[seq] = append(sam[seq], consumer)
+	}
+
+	doPullSubscriber := func(stream, consumer, filter string) {
+		nc, js := jsClientConnect(t, c.randomServer())
+		defer nc.Close()
+
+		var err error
+		var sub *nats.Subscription
+		timeout := time.Now().Add(5 * time.Second)
+		for time.Now().Before(timeout) {
+			sub, err = js.PullSubscribe(filter, consumer, nats.BindStream(stream), nats.ManualAck())
+			if err == nil {
+				break
+			}
+		}
+		if err != nil {
+			t.Logf("Error on pull subscriber: %v", err)
+			return
+		}
+
+		for {
+			select {
+			case <-time.After(500 * time.Millisecond):
+				msgs, err := sub.Fetch(100, nats.MaxWait(time.Second))
+				if err != nil {
+					continue
+				}
+				// Shuffle
+				rand.Shuffle(len(msgs), func(i, j int) { msgs[i], msgs[j] = msgs[j], msgs[i] })
+				for _, m := range msgs {
+					meta, err := m.Metadata()
+					require_NoError(t, err)
+					m.Ack()
+					addAckTracking(meta.Sequence.Stream, stream, consumer)
+					if meta.NumDelivered > 1 {
+						t.Logf("Got a msg redelivered %d for sequence %d on %q %q\n", meta.NumDelivered, meta.Sequence.Stream, stream, consumer)
+					}
+				}
+			case <-qch:
+				nc.Flush()
+				return
+			}
+		}
+	}
+
+	// Setup
+	wg := sync.WaitGroup{}
+	for i := 0; i < numStreams; i++ {
+		wg.Add(1)
+		go func(stream string) {
+			defer wg.Done()
+			subj := fmt.Sprintf("%s.>", stream)
+			_, err := js.AddStream(&nats.StreamConfig{
+				Name:      stream,
+				Subjects:  []string{subj},
+				Replicas:  3,
+				Retention: nats.InterestPolicy,
+			})
+			require_NoError(t, err)
+			for i := 0; i < numConsumersPer; i++ {
+				consumer := fmt.Sprintf("C%d", i)
+				filter := fmt.Sprintf("%s.%d", stream, i)
+				_, err = js.AddConsumer(stream, &nats.ConsumerConfig{
+					Durable:       consumer,
+					FilterSubject: filter,
+					AckPolicy:     nats.AckExplicitPolicy,
+					AckWait:       2 * time.Second,
+				})
+				require_NoError(t, err)
+				c.waitOnConsumerLeader(globalAccountName, stream, consumer)
+				go doPullSubscriber(stream, consumer, filter)
+			}
+		}(fmt.Sprintf("A-%d", i))
+	}
+	wg.Wait()
+
+	msg := make([]byte, 2*1024) // 2k payload
+	rand.Read(msg)
+
+	// Controls if publishing is on or off.
+	var pubActive atomic.Bool
+
+	doPublish := func() {
+		nc, js := jsClientConnect(t, c.randomServer())
+		defer nc.Close()
+
+		for {
+			select {
+			case <-time.After(100 * time.Millisecond):
+				if pubActive.Load() {
+					for i := 0; i < numStreams; i++ {
+						for j := 0; j < numConsumersPer; j++ {
+							subj := fmt.Sprintf("A-%d.%d", i, j)
+							// Don't care about errors here for this test.
+							js.Publish(subj, msg)
+						}
+					}
+				}
+			case <-qch:
+				return
+			}
+		}
+	}
+
+	pubActive.Store(true)
+
+	for i := 0; i < numPublishers; i++ {
+		go doPublish()
+	}
+
+	// Let run for a bit.
+	time.Sleep(20 * time.Second)
+
+	// Do a rolling restart.
+	for _, s := range c.servers {
+		t.Logf("Shutdown %v\n", s)
+		s.Shutdown()
+		s.WaitForShutdown()
+		time.Sleep(20 * time.Second)
+		t.Logf("Restarting %v\n", s)
+		s = c.restartServer(s)
+		c.waitOnServerHealthz(s)
+	}
+
+	// Let run for a bit longer.
+	time.Sleep(10 * time.Second)
+
+	// Stop pubs.
+	pubActive.Store(false)
+
+	// Let settle.
+	time.Sleep(10 * time.Second)
+	close(qch)
+	time.Sleep(20 * time.Second)
+
+	nc, js = jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	minAckFloor := func(stream string) (uint64, string) {
+		var maf uint64 = math.MaxUint64
+		var consumer string
+		for i := 0; i < numConsumersPer; i++ {
+			cname := fmt.Sprintf("C%d", i)
+			ci, err := js.ConsumerInfo(stream, cname)
+			require_NoError(t, err)
+			if ci.AckFloor.Stream < maf {
+				maf = ci.AckFloor.Stream
+				consumer = cname
+			}
+		}
+		return maf, consumer
+	}
+
+	checkStreamAcks := func(stream string) {
+		mm.Lock()
+		defer mm.Unlock()
+		if sam := ackMap[stream]; sam != nil {
+			for seq := 1; ; seq++ {
+				acks := sam[uint64(seq)]
+				if acks == nil {
+					if sam[uint64(seq+1)] != nil {
+						t.Logf("Missing an ack on stream %q for sequence %d\n", stream, seq)
+					} else {
+						break
+					}
+				}
+				if len(acks) > 1 {
+					t.Logf("Multiple acks for %d which is not expected: %+v", seq, acks)
+				}
+			}
+		}
+	}
+
+	// Now check all streams such that their first sequence is equal to the minimum of all consumers.
+	for i := 0; i < numStreams; i++ {
+		stream := fmt.Sprintf("A-%d", i)
+		si, err := js.StreamInfo(stream)
+		require_NoError(t, err)
+
+		if maf, consumer := minAckFloor(stream); maf > si.State.FirstSeq {
+			t.Logf("\nBAD STATE DETECTED FOR %q, CHECKING OTHER SERVERS! ACK %d vs %+v LEADER %v, CL FOR %q %v\n",
+				stream, maf, si.State, c.streamLeader(globalAccountName, stream), consumer, c.consumerLeader(globalAccountName, stream, consumer))
+
+			t.Logf("TEST ACKS %+v\n", ackMap)
+
+			checkStreamAcks(stream)
+
+			for _, s := range c.servers {
+				mset, err := s.GlobalAccount().lookupStream(stream)
+				require_NoError(t, err)
+				state := mset.state()
+				t.Logf("Server %v Stream STATE %+v\n", s, state)
+
+				var smv StoreMsg
+				if sm, err := mset.store.LoadMsg(state.FirstSeq, &smv); err == nil {
+					t.Logf("Subject for msg %d is %q", state.FirstSeq, sm.subj)
+				} else {
+					t.Logf("Could not retrieve msg for %d: %v", state.FirstSeq, err)
+				}
+
+				if len(mset.preAcks) > 0 {
+					t.Logf("%v preAcks %+v\n", s, mset.preAcks)
+				}
+
+				for _, o := range mset.consumers {
+					ostate, err := o.store.State()
+					require_NoError(t, err)
+					t.Logf("Consumer STATE for %q is %+v\n", o.name, ostate)
+				}
+			}
+			t.Fatalf("BAD STATE: ACKFLOOR > FIRST %d vs %d\n", maf, si.State.FirstSeq)
+		}
+	}
+}
+
+func TestNoRaceFileStoreNumPending(t *testing.T) {
+	// No need for all permutations here.
+	storeDir := t.TempDir()
+	fcfg := FileStoreConfig{
+		StoreDir:  storeDir,
+		BlockSize: 2 * 1024, // Create many blocks on purpose.
+	}
+	fs, err := newFileStore(fcfg, StreamConfig{Name: "zzz", Subjects: []string{"*.*.*.*"}, Storage: FileStorage})
+	require_NoError(t, err)
+	defer fs.Stop()
+
+	tokens := []string{"foo", "bar", "baz"}
+	genSubj := func() string {
+		return fmt.Sprintf("%s.%s.%s.%s",
+			tokens[rand.Intn(len(tokens))],
+			tokens[rand.Intn(len(tokens))],
+			tokens[rand.Intn(len(tokens))],
+			tokens[rand.Intn(len(tokens))],
+		)
+	}
+
+	for i := 0; i < 50_000; i++ {
+		subj := genSubj()
+		_, _, err := fs.StoreMsg(subj, nil, []byte("Hello World"))
+		require_NoError(t, err)
+	}
+
+	state := fs.State()
+
+	// Scan one by one for sanity check against other calculations.
+	sanityCheck := func(sseq uint64, filter string) SimpleState {
+		t.Helper()
+		var ss SimpleState
+		var smv StoreMsg
+		// For here we know 0 is invalid, set to 1.
+		if sseq == 0 {
+			sseq = 1
+		}
+		for seq := sseq; seq <= state.LastSeq; seq++ {
+			sm, err := fs.LoadMsg(seq, &smv)
+			if err != nil {
+				t.Logf("Encountered error %v loading sequence: %d", err, seq)
+				continue
+			}
+			if subjectIsSubsetMatch(sm.subj, filter) {
+				ss.Msgs++
+				ss.Last = seq
+				if ss.First == 0 || seq < ss.First {
+					ss.First = seq
+				}
+			}
+		}
+		return ss
+	}
+
+	check := func(sseq uint64, filter string) {
+		t.Helper()
+		np, lvs := fs.NumPending(sseq, filter, false)
+		ss := fs.FilteredState(sseq, filter)
+		sss := sanityCheck(sseq, filter)
+		if lvs != state.LastSeq {
+			t.Fatalf("Expected NumPending to return valid through last of %d but got %d", state.LastSeq, lvs)
+		}
+		if ss.Msgs != np {
+			t.Fatalf("NumPending of %d did not match ss.Msgs of %d", np, ss.Msgs)
+		}
+		if ss != sss {
+			t.Fatalf("Failed sanity check, expected %+v got %+v", sss, ss)
+		}
+	}
+
+	sanityCheckLastOnly := func(sseq uint64, filter string) SimpleState {
+		t.Helper()
+		var ss SimpleState
+		var smv StoreMsg
+		// For here we know 0 is invalid, set to 1.
+		if sseq == 0 {
+			sseq = 1
+		}
+		seen := make(map[string]bool)
+		for seq := state.LastSeq; seq >= sseq; seq-- {
+			sm, err := fs.LoadMsg(seq, &smv)
+			if err != nil {
+				t.Logf("Encountered error %v loading sequence: %d", err, seq)
+				continue
+			}
+			if !seen[sm.subj] && subjectIsSubsetMatch(sm.subj, filter) {
+				ss.Msgs++
+				if ss.Last == 0 {
+					ss.Last = seq
+				}
+				if ss.First == 0 || seq < ss.First {
+					ss.First = seq
+				}
+				seen[sm.subj] = true
+			}
+		}
+		return ss
+	}
+
+	checkLastOnly := func(sseq uint64, filter string) {
+		t.Helper()
+		np, lvs := fs.NumPending(sseq, filter, true)
+		ss := sanityCheckLastOnly(sseq, filter)
+		if lvs != state.LastSeq {
+			t.Fatalf("Expected NumPending to return valid through last of %d but got %d", state.LastSeq, lvs)
+		}
+		if ss.Msgs != np {
+			t.Fatalf("NumPending of %d did not match ss.Msgs of %d", np, ss.Msgs)
+		}
+	}
+
+	startSeqs := []uint64{0, 1, 2, 200, 444, 555, 2222, 8888, 12_345, 28_222, 33_456, 44_400, 49_999}
+	checkSubs := []string{"foo.>", "*.bar.>", "foo.bar.*.baz", "*.bar.>", "*.foo.bar.*", "foo.foo.bar.baz"}
+
+	for _, filter := range checkSubs {
+		for _, start := range startSeqs {
+			check(start, filter)
+			checkLastOnly(start, filter)
+		}
+	}
+}
+
+func TestNoRaceJetStreamClusterUnbalancedInterestMultipleConsumers(t *testing.T) {
+	c, np := createStretchUnbalancedCluster(t)
+	defer c.shutdown()
+	defer np.stop()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	// Now create the stream.
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:      "EVENTS",
+		Subjects:  []string{"EV.>"},
+		Replicas:  3,
+		Retention: nats.InterestPolicy,
+	})
+	require_NoError(t, err)
+
+	// Make sure it's leader is on S2.
+	sl := c.servers[1]
+	checkFor(t, 20*time.Second, 200*time.Millisecond, func() error {
+		c.waitOnStreamLeader(globalAccountName, "EVENTS")
+		if s := c.streamLeader(globalAccountName, "EVENTS"); s != sl {
+			s.JetStreamStepdownStream(globalAccountName, "EVENTS")
+			return fmt.Errorf("Server %s is not stream leader yet", sl)
+		}
+		return nil
+	})
+
+	// Create a fast ack consumer.
+	_, err = js.Subscribe("EV.NEW", func(m *nats.Msg) {
+		m.Ack()
+	}, nats.Durable("C"), nats.ManualAck())
+	require_NoError(t, err)
+
+	// Make sure the consumer leader is on S3.
+	cl := c.servers[2]
+	checkFor(t, 20*time.Second, 200*time.Millisecond, func() error {
+		c.waitOnConsumerLeader(globalAccountName, "EVENTS", "C")
+		if s := c.consumerLeader(globalAccountName, "EVENTS", "C"); s != cl {
+			s.JetStreamStepdownConsumer(globalAccountName, "EVENTS", "C")
+			return fmt.Errorf("Server %s is not consumer leader yet", cl)
+		}
+		return nil
+	})
+
+	// Connect a client directly to the stream leader.
+	nc, js = jsClientConnect(t, sl)
+	defer nc.Close()
+
+	// Now create a pull subscriber.
+	sub, err := js.PullSubscribe("EV.NEW", "D", nats.ManualAck())
+	require_NoError(t, err)
+
+	// Make sure this consumer leader is on S1.
+	cl = c.servers[0]
+	checkFor(t, 20*time.Second, 200*time.Millisecond, func() error {
+		c.waitOnConsumerLeader(globalAccountName, "EVENTS", "D")
+		if s := c.consumerLeader(globalAccountName, "EVENTS", "D"); s != cl {
+			s.JetStreamStepdownConsumer(globalAccountName, "EVENTS", "D")
+			return fmt.Errorf("Server %s is not consumer leader yet", cl)
+		}
+		return nil
+	})
+
+	numToSend := 1000
+	for i := 0; i < numToSend; i++ {
+		_, err := js.PublishAsync("EV.NEW", nil)
+		require_NoError(t, err)
+	}
+	select {
+	case <-js.PublishAsyncComplete():
+	case <-time.After(20 * time.Second):
+		t.Fatalf("Did not receive completion signal")
+	}
+
+	// Now make sure we can pull messages since we have not acked.
+	// The bug is that the acks arrive on S1 faster then the messages but we want to
+	// make sure we do not remove prematurely.
+	msgs, err := sub.Fetch(100, nats.MaxWait(time.Second))
+	require_NoError(t, err)
+	require_True(t, len(msgs) == 100)
+	for _, m := range msgs {
+		m.AckSync()
+	}
+
+	ci, err := js.ConsumerInfo("EVENTS", "D")
+	require_NoError(t, err)
+	require_True(t, ci.NumPending == uint64(numToSend-100))
+	require_True(t, ci.NumAckPending == 0)
+	require_True(t, ci.Delivered.Stream == 100)
+	require_True(t, ci.AckFloor.Stream == 100)
+
+	// Check stream state on all servers.
+	for _, s := range c.servers {
+		mset, err := s.GlobalAccount().lookupStream("EVENTS")
+		require_NoError(t, err)
+		state := mset.state()
+		require_True(t, state.Msgs == 900)
+		require_True(t, state.FirstSeq == 101)
+		require_True(t, state.LastSeq == 1000)
+		require_True(t, state.Consumers == 2)
+	}
+
+	msgs, err = sub.Fetch(900, nats.MaxWait(time.Second))
+	require_NoError(t, err)
+	require_True(t, len(msgs) == 900)
+	for _, m := range msgs {
+		m.AckSync()
+	}
+
+	// Let acks propagate.
+	time.Sleep(250 * time.Millisecond)
+
+	// Check final stream state on all servers.
+	for _, s := range c.servers {
+		mset, err := s.GlobalAccount().lookupStream("EVENTS")
+		require_NoError(t, err)
+		state := mset.state()
+		require_True(t, state.Msgs == 0)
+		require_True(t, state.FirstSeq == 1001)
+		require_True(t, state.LastSeq == 1000)
+		require_True(t, state.Consumers == 2)
+		// Now check preAcks
+		mset.mu.RLock()
+		numPreAcks := len(mset.preAcks)
+		mset.mu.RUnlock()
+		require_True(t, numPreAcks == 0)
+	}
+}
+
+func TestNoRaceJetStreamClusterUnbalancedInterestMultipleFilteredConsumers(t *testing.T) {
+	c, np := createStretchUnbalancedCluster(t)
+	defer c.shutdown()
+	defer np.stop()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	// Now create the stream.
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:      "EVENTS",
+		Subjects:  []string{"EV.>"},
+		Replicas:  3,
+		Retention: nats.InterestPolicy,
+	})
+	require_NoError(t, err)
+
+	// Make sure it's leader is on S2.
+	sl := c.servers[1]
+	checkFor(t, 20*time.Second, 200*time.Millisecond, func() error {
+		c.waitOnStreamLeader(globalAccountName, "EVENTS")
+		if s := c.streamLeader(globalAccountName, "EVENTS"); s != sl {
+			s.JetStreamStepdownStream(globalAccountName, "EVENTS")
+			return fmt.Errorf("Server %s is not stream leader yet", sl)
+		}
+		return nil
+	})
+
+	// Create a fast ack consumer.
+	_, err = js.Subscribe("EV.NEW", func(m *nats.Msg) {
+		m.Ack()
+	}, nats.Durable("C"), nats.ManualAck())
+	require_NoError(t, err)
+
+	// Make sure the consumer leader is on S3.
+	cl := c.servers[2]
+	checkFor(t, 20*time.Second, 200*time.Millisecond, func() error {
+		c.waitOnConsumerLeader(globalAccountName, "EVENTS", "C")
+		if s := c.consumerLeader(globalAccountName, "EVENTS", "C"); s != cl {
+			s.JetStreamStepdownConsumer(globalAccountName, "EVENTS", "C")
+			return fmt.Errorf("Server %s is not consumer leader yet", cl)
+		}
+		return nil
+	})
+
+	// Connect a client directly to the stream leader.
+	nc, js = jsClientConnect(t, sl)
+	defer nc.Close()
+
+	// Now create another fast ack consumer.
+	_, err = js.Subscribe("EV.UPDATED", func(m *nats.Msg) {
+		m.Ack()
+	}, nats.Durable("D"), nats.ManualAck())
+	require_NoError(t, err)
+
+	// Make sure this consumer leader is on S1.
+	cl = c.servers[0]
+	checkFor(t, 20*time.Second, 200*time.Millisecond, func() error {
+		c.waitOnConsumerLeader(globalAccountName, "EVENTS", "D")
+		if s := c.consumerLeader(globalAccountName, "EVENTS", "D"); s != cl {
+			s.JetStreamStepdownConsumer(globalAccountName, "EVENTS", "D")
+			return fmt.Errorf("Server %s is not consumer leader yet", cl)
+		}
+		return nil
+	})
+
+	numToSend := 500
+	for i := 0; i < numToSend; i++ {
+		_, err := js.PublishAsync("EV.NEW", nil)
+		require_NoError(t, err)
+		_, err = js.PublishAsync("EV.UPDATED", nil)
+		require_NoError(t, err)
+	}
+	select {
+	case <-js.PublishAsyncComplete():
+	case <-time.After(20 * time.Second):
+		t.Fatalf("Did not receive completion signal")
+	}
+
+	// Let acks propagate.
+	time.Sleep(250 * time.Millisecond)
+
+	ci, err := js.ConsumerInfo("EVENTS", "D")
+	require_NoError(t, err)
+	require_True(t, ci.NumPending == 0)
+	require_True(t, ci.NumAckPending == 0)
+	require_True(t, ci.Delivered.Consumer == 500)
+	require_True(t, ci.Delivered.Stream == 1000)
+	require_True(t, ci.AckFloor.Consumer == 500)
+	require_True(t, ci.AckFloor.Stream == 1000)
+
+	// Check final stream state on all servers.
+	for _, s := range c.servers {
+		mset, err := s.GlobalAccount().lookupStream("EVENTS")
+		require_NoError(t, err)
+		state := mset.state()
+		require_True(t, state.Msgs == 0)
+		require_True(t, state.FirstSeq == 1001)
+		require_True(t, state.LastSeq == 1000)
+		require_True(t, state.Consumers == 2)
+		// Now check preAcks
+		mset.mu.RLock()
+		numPreAcks := len(mset.preAcks)
+		mset.mu.RUnlock()
+		require_True(t, numPreAcks == 0)
+	}
+}
+
+func TestNoRaceParallelStreamAndConsumerCreation(t *testing.T) {
+	s := RunBasicJetStreamServer(t)
+	defer s.Shutdown()
+
+	// stream config.
+	scfg := &StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{"foo", "bar"},
+		MaxMsgs:  10,
+		Storage:  FileStorage,
+		Replicas: 1,
+	}
+
+	// Will do these direct against the low level API to really make
+	// sure parallel creation ok.
+	np := 1000
+	startCh := make(chan bool)
+	errCh := make(chan error, np)
+	wg := sync.WaitGroup{}
+	wg.Add(np)
+
+	var streams sync.Map
+
+	for i := 0; i < np; i++ {
+		go func() {
+			defer wg.Done()
+
+			// Make them all fire at once.
+			<-startCh
+
+			if mset, err := s.GlobalAccount().addStream(scfg); err != nil {
+				t.Logf("Stream create got an error: %v", err)
+				errCh <- err
+			} else {
+				streams.Store(mset, true)
+			}
+		}()
+	}
+	time.Sleep(100 * time.Millisecond)
+	close(startCh)
+	wg.Wait()
+
+	// Check for no errors.
+	if len(errCh) > 0 {
+		t.Fatalf("Expected no errors, got %d", len(errCh))
+	}
+
+	// Now make sure we really only created one stream.
+	var numStreams int
+	streams.Range(func(k, v any) bool {
+		numStreams++
+		return true
+	})
+	if numStreams > 1 {
+		t.Fatalf("Expected only one stream to be really created, got %d out of %d attempts", numStreams, np)
+	}
+
+	// Also make sure we cleanup the inflight entries for streams.
+	gacc := s.GlobalAccount()
+	_, jsa, err := gacc.checkForJetStream()
+	require_NoError(t, err)
+	var numEntries int
+	jsa.inflight.Range(func(k, v any) bool {
+		numEntries++
+		return true
+	})
+	if numEntries > 0 {
+		t.Fatalf("Expected no inflight entries to be left over, got %d", numEntries)
+	}
+
+	// Now do consumers.
+	mset, err := gacc.lookupStream("TEST")
+	require_NoError(t, err)
+
+	cfg := &ConsumerConfig{
+		DeliverSubject: "to",
+		Name:           "DLC",
+		AckPolicy:      AckExplicit,
+	}
+
+	startCh = make(chan bool)
+	errCh = make(chan error, np)
+	wg.Add(np)
+
+	var consumers sync.Map
+
+	for i := 0; i < np; i++ {
+		go func() {
+			defer wg.Done()
+
+			// Make them all fire at once.
+			<-startCh
+
+			if _, err = mset.addConsumer(cfg); err != nil {
+				t.Logf("Consumer create got an error: %v", err)
+				errCh <- err
+			} else {
+				consumers.Store(mset, true)
+			}
+		}()
+	}
+	time.Sleep(100 * time.Millisecond)
+	close(startCh)
+	wg.Wait()
+
+	// Check for no errors.
+	if len(errCh) > 0 {
+		t.Fatalf("Expected no errors, got %d", len(errCh))
+	}
+
+	// Now make sure we really only created one stream.
+	var numConsumers int
+	consumers.Range(func(k, v any) bool {
+		numConsumers++
+		return true
+	})
+	if numConsumers > 1 {
+		t.Fatalf("Expected only one consumer to be really created, got %d out of %d attempts", numConsumers, np)
+	}
+}
+
+func TestNoRaceJetStreamClusterLeafnodeConnectPerf(t *testing.T) {
+	// Uncomment to run. Needs to be on a big machine. Do not want as part of Travis tests atm.
+	skip(t)
+
+	tmpl := strings.Replace(jsClusterAccountsTempl, "store_dir:", "domain: cloud, store_dir:", 1)
+	c := createJetStreamCluster(t, tmpl, "CLOUD", _EMPTY_, 3, 18033, true)
+	defer c.shutdown()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:     "STATE",
+		Subjects: []string{"STATE.GLOBAL.CELL1.*.>"},
+		Replicas: 3,
+	})
+	require_NoError(t, err)
+
+	tmpl = strings.Replace(jsClusterTemplWithSingleFleetLeafNode, "store_dir:", "domain: vehicle, store_dir:", 1)
+
+	var vinSerial int
+	genVIN := func() string {
+		vinSerial++
+		return fmt.Sprintf("7PDSGAALXNN%06d", vinSerial)
+	}
+
+	numVehicles := 500
+	for i := 0; i < numVehicles; i++ {
+		start := time.Now()
+		vin := genVIN()
+		ln := c.createLeafNodeWithTemplateNoSystemWithProto(vin, tmpl, "ws")
+		nc, js := jsClientConnect(t, ln)
+		_, err := js.AddStream(&nats.StreamConfig{
+			Name:     "VEHICLE",
+			Subjects: []string{"STATE.GLOBAL.LOCAL.>"},
+			Sources: []*nats.StreamSource{{
+				Name:          "STATE",
+				FilterSubject: fmt.Sprintf("STATE.GLOBAL.CELL1.%s.>", vin),
+				External: &nats.ExternalStream{
+					APIPrefix:     "$JS.cloud.API",
+					DeliverPrefix: fmt.Sprintf("DELIVER.STATE.GLOBAL.CELL1.%s", vin),
+				},
+			}},
+		})
+		require_NoError(t, err)
+		// Create the sourced stream.
+		checkLeafNodeConnectedCount(t, ln, 1)
+		if elapsed := time.Since(start); elapsed > 2*time.Second {
+			t.Fatalf("Took too long to create leafnode %d connection: %v", i+1, elapsed)
+		}
+		nc.Close()
+	}
+}
+
+// This test ensures that outbound queues don't cause a run on
+// memory when sending something to lots of clients.
+func TestNoRaceClientOutboundQueueMemory(t *testing.T) {
+	opts := DefaultOptions()
+	s := RunServer(opts)
+	defer s.Shutdown()
+
+	var before runtime.MemStats
+	var after runtime.MemStats
+
+	var err error
+	clients := make([]*nats.Conn, 50000)
+	wait := &sync.WaitGroup{}
+	wait.Add(len(clients))
+
+	for i := 0; i < len(clients); i++ {
+		clients[i], err = nats.Connect(fmt.Sprintf("nats://%s:%d", opts.Host, opts.Port), nats.InProcessServer(s))
+		if err != nil {
+			t.Fatalf("Error on connect: %v", err)
+		}
+		defer clients[i].Close()
+
+		clients[i].Subscribe("test", func(m *nats.Msg) {
+			wait.Done()
+		})
+	}
+
+	runtime.GC()
+	runtime.ReadMemStats(&before)
+
+	nc, err := nats.Connect(fmt.Sprintf("nats://%s:%d", opts.Host, opts.Port), nats.InProcessServer(s))
+	if err != nil {
+		t.Fatalf("Error on connect: %v", err)
+	}
+	defer nc.Close()
+
+	var m [48000]byte
+	if err = nc.Publish("test", m[:]); err != nil {
+		t.Fatal(err)
+	}
+
+	wait.Wait()
+
+	runtime.GC()
+	runtime.ReadMemStats(&after)
+
+	hb, ha := float64(before.HeapAlloc), float64(after.HeapAlloc)
+	ms := float64(len(m))
+	diff := float64(ha) - float64(hb)
+	inc := (diff / float64(hb)) * 100
+
+	if inc > 10 {
+		t.Logf("Message size:       %.1fKB\n", ms/1024)
+		t.Logf("Subscribed clients: %d\n", len(clients))
+		t.Logf("Heap allocs before: %.1fMB\n", hb/1024/1024)
+		t.Logf("Heap allocs after:  %.1fMB\n", ha/1024/1024)
+		t.Logf("Heap allocs delta:  %.1f%%\n", inc)
+
+		t.Fatalf("memory increase was %.1f%% (should be <= 10%%)", inc)
+	}
+}
+
+func TestNoRaceJetStreamClusterDifferentRTTInterestBasedStreamPreAck(t *testing.T) {
+	tmpl := `
+	listen: 127.0.0.1:-1
+	server_name: %s
+	jetstream: {max_mem_store: 256MB, max_file_store: 2GB, store_dir: '%s'}
+
+	cluster {
+		name: "F3"
+		listen: 127.0.0.1:%d
+		routes = [%s]
+	}
+
+	accounts {
+		$SYS { users = [ { user: "admin", pass: "s3cr3t!" } ] }
+	}
+	`
+
+	//  Route Ports
+	//	"S1": 14622,
+	//	"S2": 15622,
+	//	"S3": 16622,
+
+	// S2 (stream leader) will have a slow path to S1 (via proxy) and S3 (consumer leader) will have a fast path.
+
+	// Do these in order, S1, S2 (proxy) then S3.
+	c := &cluster{t: t, servers: make([]*Server, 3), opts: make([]*Options, 3), name: "F3"}
+
+	// S1
+	conf := fmt.Sprintf(tmpl, "S1", t.TempDir(), 14622, "route://127.0.0.1:15622, route://127.0.0.1:16622")
+	c.servers[0], c.opts[0] = RunServerWithConfig(createConfFile(t, []byte(conf)))
+
+	// S2
+	// Create the proxy first. Connect this to S1. Make it slow, e.g. 5ms RTT.
+	np := createNetProxy(1*time.Millisecond, 1024*1024*1024, 1024*1024*1024, "route://127.0.0.1:14622", true)
+	routes := fmt.Sprintf("%s, route://127.0.0.1:16622", np.routeURL())
+	conf = fmt.Sprintf(tmpl, "S2", t.TempDir(), 15622, routes)
+	c.servers[1], c.opts[1] = RunServerWithConfig(createConfFile(t, []byte(conf)))
+
+	// S3
+	conf = fmt.Sprintf(tmpl, "S3", t.TempDir(), 16622, "route://127.0.0.1:14622, route://127.0.0.1:15622")
+	c.servers[2], c.opts[2] = RunServerWithConfig(createConfFile(t, []byte(conf)))
+
+	c.checkClusterFormed()
+	c.waitOnClusterReady()
+	defer c.shutdown()
+	defer np.stop()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	// Now create the stream.
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:      "EVENTS",
+		Subjects:  []string{"EV.>"},
+		Replicas:  3,
+		Retention: nats.InterestPolicy,
+	})
+	require_NoError(t, err)
+
+	// Make sure it's leader is on S2.
+	sl := c.servers[1]
+	checkFor(t, 20*time.Second, 200*time.Millisecond, func() error {
+		c.waitOnStreamLeader(globalAccountName, "EVENTS")
+		if s := c.streamLeader(globalAccountName, "EVENTS"); s != sl {
+			s.JetStreamStepdownStream(globalAccountName, "EVENTS")
+			return fmt.Errorf("Server %s is not stream leader yet", sl)
+		}
+		return nil
+	})
+
+	// Now create the consumer.
+	_, err = js.AddConsumer("EVENTS", &nats.ConsumerConfig{
+		Durable:        "C",
+		AckPolicy:      nats.AckExplicitPolicy,
+		DeliverSubject: "dx",
+	})
+	require_NoError(t, err)
+
+	// Make sure the consumer leader is on S3.
+	cl := c.servers[2]
+	checkFor(t, 20*time.Second, 200*time.Millisecond, func() error {
+		c.waitOnConsumerLeader(globalAccountName, "EVENTS", "C")
+		if s := c.consumerLeader(globalAccountName, "EVENTS", "C"); s != cl {
+			s.JetStreamStepdownConsumer(globalAccountName, "EVENTS", "C")
+			return fmt.Errorf("Server %s is not consumer leader yet", sl)
+		}
+		return nil
+	})
+
+	// Create the real consumer on the consumer leader to make it efficient.
+	nc, js = jsClientConnect(t, cl)
+	defer nc.Close()
+
+	_, err = js.Subscribe(_EMPTY_, func(msg *nats.Msg) {
+		msg.Ack()
+	}, nats.BindStream("EVENTS"), nats.Durable("C"), nats.ManualAck())
+	require_NoError(t, err)
+
+	for i := 0; i < 1_000; i++ {
+		_, err := js.PublishAsync("EVENTS.PAID", []byte("ok"))
+		require_NoError(t, err)
+	}
+	select {
+	case <-js.PublishAsyncComplete():
+	case <-time.After(5 * time.Second):
+		t.Fatalf("Did not receive completion signal")
+	}
+
+	slow := c.servers[0]
+	mset, err := slow.GlobalAccount().lookupStream("EVENTS")
+	require_NoError(t, err)
+
+	// Make sure preAck is non-nil, so we know the logic has kicked in.
+	mset.mu.RLock()
+	preAcks := mset.preAcks
+	mset.mu.RUnlock()
+	require_NotNil(t, preAcks)
+
+	checkFor(t, 5*time.Second, 200*time.Millisecond, func() error {
+		state := mset.state()
+		if state.Msgs == 0 {
+			mset.mu.RLock()
+			lp := len(mset.preAcks)
+			mset.mu.RUnlock()
+			if lp == 0 {
+				return nil
+			} else {
+				t.Fatalf("Expected no preAcks with no msgs, but got %d", lp)
+			}
+		}
+		return fmt.Errorf("Still have %d msgs left", state.Msgs)
+	})
+
+}
+
+func TestNoRaceCheckAckFloorWithVeryLargeFirstSeqAndNewConsumers(t *testing.T) {
+	s := RunBasicJetStreamServer(t)
+	defer s.Shutdown()
+
+	nc, _ := jsClientConnect(t, s)
+	defer nc.Close()
+
+	// Make sure to time bound here for the acksync call below.
+	js, err := nc.JetStream(nats.MaxWait(200 * time.Millisecond))
+	require_NoError(t, err)
+
+	_, err = js.AddStream(&nats.StreamConfig{
+		Name:      "TEST",
+		Subjects:  []string{"wq-req"},
+		Retention: nats.WorkQueuePolicy,
+	})
+	require_NoError(t, err)
+
+	largeFirstSeq := uint64(1_200_000_000)
+	err = js.PurgeStream("TEST", &nats.StreamPurgeRequest{Sequence: largeFirstSeq})
+	require_NoError(t, err)
+	si, err := js.StreamInfo("TEST")
+	require_NoError(t, err)
+	require_True(t, si.State.FirstSeq == largeFirstSeq)
+
+	// Add a simple request to the stream.
+	sendStreamMsg(t, nc, "wq-req", "HELP")
+
+	sub, err := js.PullSubscribe("wq-req", "dlc")
+	require_NoError(t, err)
+
+	msgs, err := sub.Fetch(1)
+	require_NoError(t, err)
+	require_True(t, len(msgs) == 1)
+
+	// The bug is around the checkAckFloor walking the sequences from current ackfloor
+	// to the first sequence of the stream. We time bound the max wait with the js context
+	// to 200ms. Since checkAckFloor is spinning and holding up processing of acks this will fail.
+	// We will short circuit new consumers to fix this one.
+	require_NoError(t, msgs[0].AckSync())
+
+	// Now do again so we move past the new consumer with no ack floor situation.
+	err = js.PurgeStream("TEST", &nats.StreamPurgeRequest{Sequence: 2 * largeFirstSeq})
+	require_NoError(t, err)
+	si, err = js.StreamInfo("TEST")
+	require_NoError(t, err)
+	require_True(t, si.State.FirstSeq == 2*largeFirstSeq)
+
+	sendStreamMsg(t, nc, "wq-req", "MORE HELP")
+
+	// We check this one directly for this use case.
+	mset, err := s.GlobalAccount().lookupStream("TEST")
+	require_NoError(t, err)
+	o := mset.lookupConsumer("dlc")
+	require_True(t, o != nil)
+
+	// Purge will move the stream floor by default, so force into the situation where it is back to largeFirstSeq.
+	// This will not trigger the new consumer logic, but will trigger a walk of the sequence space.
+	// Fix will be to walk the lesser of the two linear spaces.
+	o.mu.Lock()
+	o.asflr = largeFirstSeq
+	o.mu.Unlock()
+
+	done := make(chan bool)
+	go func() {
+		o.checkAckFloor()
+		done <- true
+	}()
+
+	select {
+	case <-done:
+		return
+	case <-time.After(time.Second):
+		t.Fatalf("Check ack floor taking too long!")
+	}
+}
+
+func TestNoRaceReplicatedMirrorWithLargeStartingSequenceOverLeafnode(t *testing.T) {
+	// Cluster B
+	tmpl := strings.Replace(jsClusterTempl, "store_dir:", "domain: B, store_dir:", 1)
+	c := createJetStreamCluster(t, tmpl, "B", _EMPTY_, 3, 22020, true)
+	defer c.shutdown()
+
+	// Cluster A
+	// Domain is "A'
+	lc := c.createLeafNodesWithStartPortAndDomain("A", 3, 22110, "A")
+	defer lc.shutdown()
+
+	lc.waitOnClusterReady()
+
+	// Create a stream on B (HUB/CLOUD) and set its starting sequence very high.
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:     "TEST",
+		Subjects: []string{"foo"},
+		Replicas: 3,
+	})
+	require_NoError(t, err)
+
+	err = js.PurgeStream("TEST", &nats.StreamPurgeRequest{Sequence: 1_000_000_000})
+	require_NoError(t, err)
+
+	// Send in a small amount of messages.
+	for i := 0; i < 1000; i++ {
+		sendStreamMsg(t, nc, "foo", "Hello")
+	}
+
+	si, err := js.StreamInfo("TEST")
+	require_NoError(t, err)
+	require_True(t, si.State.FirstSeq == 1_000_000_000)
+
+	// Now try to create a replicated mirror on the leaf cluster.
+	lnc, ljs := jsClientConnect(t, lc.randomServer())
+	defer lnc.Close()
+
+	_, err = ljs.AddStream(&nats.StreamConfig{
+		Name: "TEST",
+		Mirror: &nats.StreamSource{
+			Name:   "TEST",
+			Domain: "B",
+		},
+	})
+	require_NoError(t, err)
+
+	// Make sure we sync quickly.
+	checkFor(t, time.Second, 200*time.Millisecond, func() error {
+		si, err = ljs.StreamInfo("TEST")
+		require_NoError(t, err)
+		if si.State.Msgs == 1000 && si.State.FirstSeq == 1_000_000_000 {
+			return nil
+		}
+		return fmt.Errorf("Mirror state not correct: %+v", si.State)
+	})
+}
diff --git a/server/ocsp.go b/server/ocsp.go
index fa8b21134..1c5e3a81d 100644
--- a/server/ocsp.go
+++ b/server/ocsp.go
@@ -30,6 +30,9 @@ import (
 	"time"
 
 	"golang.org/x/crypto/ocsp"
+
+	"github.com/memphisdev/memphis/server/certidp"
+	"github.com/memphisdev/memphis/server/certstore"
 )
 
 const (
@@ -389,7 +392,7 @@ func (srv *Server) NewOCSPMonitor(config *tlsConfigKind) (*tls.Config, *OCSPMoni
 		}
 
 		// TODO: Add OCSP 'responder_cert' option in case CA cert not available.
-		issuers, err := getOCSPIssuer(caFile, cert.Certificate)
+		issuer, err := getOCSPIssuer(caFile, cert.Certificate)
 		if err != nil {
 			return nil, nil, err
 		}
@@ -402,7 +405,7 @@ func (srv *Server) NewOCSPMonitor(config *tlsConfigKind) (*tls.Config, *OCSPMoni
 			certFile:         certFile,
 			stopCh:           make(chan struct{}, 1),
 			Leaf:             cert.Leaf,
-			Issuer:           issuers[len(issuers)-1],
+			Issuer:           issuer,
 		}
 
 		// Get the certificate status from the memory, then remote OCSP responder.
@@ -433,36 +436,35 @@ func (srv *Server) NewOCSPMonitor(config *tlsConfigKind) (*tls.Config, *OCSPMoni
 			}, nil
 		}
 
-		// Check whether need to verify staples from a client connection depending on the type.
+		// Check whether need to verify staples from a peer router or gateway connection.
 		switch kind {
-		case kindStringMap[ROUTER], kindStringMap[GATEWAY], kindStringMap[LEAF]:
+		case kindStringMap[ROUTER], kindStringMap[GATEWAY]:
 			tc.VerifyConnection = func(s tls.ConnectionState) error {
 				oresp := s.OCSPResponse
 				if oresp == nil {
-					return fmt.Errorf("%s client missing OCSP Staple", kind)
+					return fmt.Errorf("%s peer missing OCSP Staple", kind)
 				}
 
-				// Client route connections will verify the response of the staple.
+				// Peer connections will verify the response of the staple.
 				if len(s.VerifiedChains) == 0 {
-					return fmt.Errorf("%s client missing TLS verified chains", kind)
+					return fmt.Errorf("%s peer missing TLS verified chains", kind)
 				}
 
 				chain := s.VerifiedChains[0]
-				leaf := chain[0]
-				parent := issuers[len(issuers)-1]
+				peerLeaf := chain[0]
+				peerIssuer := certidp.GetLeafIssuerCert(chain, 0)
+				if peerIssuer == nil {
+					return fmt.Errorf("failed to get issuer certificate for %s peer", kind)
+				}
 
-				resp, err := ocsp.ParseResponseForCert(oresp, leaf, parent)
+				// Response signature of issuer or issuer delegate is checked in the library parse
+				resp, err := ocsp.ParseResponseForCert(oresp, peerLeaf, peerIssuer)
 				if err != nil {
-					return fmt.Errorf("failed to parse OCSP response from %s client: %w", kind, err)
+					return fmt.Errorf("failed to parse OCSP response from %s peer: %w", kind, err)
 				}
-				if resp.Certificate == nil {
-					if err := resp.CheckSignatureFrom(parent); err != nil {
-						return fmt.Errorf("OCSP staple not issued by issuer: %w", err)
-					}
-				} else {
-					if err := resp.Certificate.CheckSignatureFrom(parent); err != nil {
-						return fmt.Errorf("OCSP staple's signer not signed by issuer: %w", err)
-					}
+
+				// If signer was issuer delegate double-check issuer delegate authorization
+				if resp.Certificate != nil {
 					ok := false
 					for _, eku := range resp.Certificate.ExtKeyUsage {
 						if eku == x509.ExtKeyUsageOCSPSigning {
@@ -474,14 +476,22 @@ func (srv *Server) NewOCSPMonitor(config *tlsConfigKind) (*tls.Config, *OCSPMoni
 						return fmt.Errorf("OCSP staple's signer missing authorization by CA to act as OCSP signer")
 					}
 				}
+
+				// Check that the OCSP response is effective, take defaults for clockskew and default validity
+				peerOpts := certidp.OCSPPeerConfig{ClockSkew: -1, TTLUnsetNextUpdate: -1}
+				sLog := certidp.Log{Debugf: srv.Debugf}
+				if !certidp.OCSPResponseCurrent(resp, &peerOpts, &sLog) {
+					return fmt.Errorf("OCSP staple from %s peer not current", kind)
+				}
+
 				if resp.Status != ocsp.Good {
-					return fmt.Errorf("bad status for OCSP Staple from %s client: %s", kind, ocspStatusString(resp.Status))
+					return fmt.Errorf("bad status for OCSP Staple from %s peer: %s", kind, ocspStatusString(resp.Status))
 				}
 
 				return nil
 			}
 
-			// When server makes a client connection, need to also present an OCSP Staple.
+			// When server makes a peer connection, need to also present an OCSP Staple.
 			tc.GetClientCertificate = func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
 				raw, _, err := mon.getStatus()
 				if err != nil {
@@ -520,10 +530,11 @@ func (s *Server) setupOCSPStapleStoreDir() error {
 }
 
 type tlsConfigKind struct {
-	tlsConfig *tls.Config
-	tlsOpts   *TLSConfigOpts
-	kind      string
-	apply     func(*tls.Config)
+	tlsConfig   *tls.Config
+	tlsOpts     *TLSConfigOpts
+	kind        string
+	isLeafSpoke bool
+	apply       func(*tls.Config)
 }
 
 func (s *Server) configureOCSP() []*tlsConfigKind {
@@ -541,6 +552,26 @@ func (s *Server) configureOCSP() []*tlsConfigKind {
 		}
 		configs = append(configs, o)
 	}
+	if config := sopts.Websocket.TLSConfig; config != nil {
+		opts := sopts.Websocket.tlsConfigOpts
+		o := &tlsConfigKind{
+			kind:      kindStringMap[CLIENT],
+			tlsConfig: config,
+			tlsOpts:   opts,
+			apply:     func(tc *tls.Config) { sopts.Websocket.TLSConfig = tc },
+		}
+		configs = append(configs, o)
+	}
+	if config := sopts.MQTT.TLSConfig; config != nil {
+		opts := sopts.tlsConfigOpts
+		o := &tlsConfigKind{
+			kind:      kindStringMap[CLIENT],
+			tlsConfig: config,
+			tlsOpts:   opts,
+			apply:     func(tc *tls.Config) { sopts.MQTT.TLSConfig = tc },
+		}
+		configs = append(configs, o)
+	}
 	if config := sopts.Cluster.TLSConfig; config != nil {
 		opts := sopts.Cluster.tlsConfigOpts
 		o := &tlsConfigKind{
@@ -557,16 +588,7 @@ func (s *Server) configureOCSP() []*tlsConfigKind {
 			kind:      kindStringMap[LEAF],
 			tlsConfig: config,
 			tlsOpts:   opts,
-			apply: func(tc *tls.Config) {
-
-				// RequireAndVerifyClientCert is used to tell a client that it
-				// should send the client cert to the server.
-				tc.ClientAuth = tls.RequireAndVerifyClientCert
-				// GetClientCertificate is used by a client to send the client cert
-				// to a server. We're a server, so we must not set this.
-				tc.GetClientCertificate = nil
-				sopts.LeafNode.TLSConfig = tc
-			},
+			apply:     func(tc *tls.Config) { sopts.LeafNode.TLSConfig = tc },
 		}
 		configs = append(configs, o)
 	}
@@ -576,15 +598,11 @@ func (s *Server) configureOCSP() []*tlsConfigKind {
 			// in the apply func callback below.
 			r, opts := remote, remote.tlsConfigOpts
 			o := &tlsConfigKind{
-				kind:      kindStringMap[LEAF],
-				tlsConfig: config,
-				tlsOpts:   opts,
-				apply: func(tc *tls.Config) {
-					// GetCertificate is used by a server to send the server cert to a
-					// client. We're a client, so we must not set this.
-					tc.GetCertificate = nil
-					r.TLSConfig = tc
-				},
+				kind:        kindStringMap[LEAF],
+				tlsConfig:   config,
+				tlsOpts:     opts,
+				isLeafSpoke: true,
+				apply:       func(tc *tls.Config) { r.TLSConfig = tc },
 			}
 			configs = append(configs, o)
 		}
@@ -606,9 +624,7 @@ func (s *Server) configureOCSP() []*tlsConfigKind {
 				kind:      kindStringMap[GATEWAY],
 				tlsConfig: config,
 				tlsOpts:   opts,
-				apply: func(tc *tls.Config) {
-					gw.TLSConfig = tc
-				},
+				apply:     func(tc *tls.Config) { gw.TLSConfig = tc },
 			}
 			configs = append(configs, o)
 		}
@@ -620,16 +636,33 @@ func (s *Server) enableOCSP() error {
 	configs := s.configureOCSP()
 
 	for _, config := range configs {
-		tc, mon, err := s.NewOCSPMonitor(config)
-		if err != nil {
-			return err
+
+		// We do not staple Leaf Hub and Leaf Spokes, use ocsp_peer
+		if config.kind != kindStringMap[LEAF] {
+			// OCSP Stapling feature, will also enable tls server peer check for gateway and route peers
+			tc, mon, err := s.NewOCSPMonitor(config)
+			if err != nil {
+				return err
+			}
+			// Check if an OCSP stapling monitor is required for this certificate.
+			if mon != nil {
+				s.ocsps = append(s.ocsps, mon)
+
+				// Override the TLS config with one that follows OCSP stapling
+				config.apply(tc)
+			}
 		}
-		// Check if an OCSP stapling monitor is required for this certificate.
-		if mon != nil {
-			s.ocsps = append(s.ocsps, mon)
 
-			// Override the TLS config with one that follows OCSP.
-			config.apply(tc)
+		// OCSP peer check (client mTLS, leaf mTLS, leaf remote TLS)
+		if config.kind == kindStringMap[CLIENT] || config.kind == kindStringMap[LEAF] {
+			tc, plugged, err := s.plugTLSOCSPPeer(config)
+			if err != nil {
+				return err
+			}
+			if plugged && tc != nil {
+				s.ocspPeerVerify = true
+				config.apply(tc)
+			}
 		}
 	}
 
@@ -671,17 +704,39 @@ func (s *Server) reloadOCSP() error {
 
 	// Restart the monitors under the new configuration.
 	ocspm := make([]*OCSPMonitor, 0)
+
+	// Reset server's ocspPeerVerify flag to re-detect at least one plugged OCSP peer
+	s.mu.Lock()
+	s.ocspPeerVerify = false
+	s.mu.Unlock()
+	s.stopOCSPResponseCache()
+
 	for _, config := range configs {
-		tc, mon, err := s.NewOCSPMonitor(config)
-		if err != nil {
-			return err
+		// We do not staple Leaf Hub and Leaf Spokes, use ocsp_peer
+		if config.kind != kindStringMap[LEAF] {
+			tc, mon, err := s.NewOCSPMonitor(config)
+			if err != nil {
+				return err
+			}
+			// Check if an OCSP stapling monitor is required for this certificate.
+			if mon != nil {
+				ocspm = append(ocspm, mon)
+
+				// Apply latest TLS configuration.
+				config.apply(tc)
+			}
 		}
-		// Check if an OCSP stapling monitor is required for this certificate.
-		if mon != nil {
-			ocspm = append(ocspm, mon)
 
-			// Apply latest TLS configuration.
-			config.apply(tc)
+		// OCSP peer check (client mTLS, leaf mTLS, leaf remote TLS)
+		if config.kind == kindStringMap[CLIENT] || config.kind == kindStringMap[LEAF] {
+			tc, plugged, err := s.plugTLSOCSPPeer(config)
+			if err != nil {
+				return err
+			}
+			if plugged && tc != nil {
+				s.ocspPeerVerify = true
+				config.apply(tc)
+			}
 		}
 	}
 
@@ -693,6 +748,11 @@ func (s *Server) reloadOCSP() error {
 	// Dispatch all goroutines once again.
 	s.startOCSPMonitoring()
 
+	// Init and restart OCSP responder cache
+	s.stopOCSPResponseCache()
+	s.initOCSPResponseCache()
+	s.startOCSPResponseCache()
+
 	return nil
 }
 
@@ -783,37 +843,81 @@ func parseCertPEM(name string) ([]*x509.Certificate, error) {
 	return x509.ParseCertificates(pemBytes)
 }
 
-// getOCSPIssuer returns a CA cert from the given path. If the path is empty,
-// then this checks a given cert chain. If both are empty, then it returns an
-// error.
-func getOCSPIssuer(issuerCert string, chain [][]byte) ([]*x509.Certificate, error) {
-	var issuers []*x509.Certificate
-	var err error
-	switch {
-	case len(chain) == 1 && issuerCert == _EMPTY_:
-		err = fmt.Errorf("ocsp ca required in chain or configuration")
-	case issuerCert != _EMPTY_:
-		issuers, err = parseCertPEM(issuerCert)
-	case len(chain) > 1 && issuerCert == _EMPTY_:
-		issuers, err = x509.ParseCertificates(chain[1])
-	default:
-		err = fmt.Errorf("invalid ocsp ca configuration")
+// getOCSPIssuerLocally determines a leaf's issuer from locally configured certificates
+func getOCSPIssuerLocally(trustedCAs []*x509.Certificate, certBundle []*x509.Certificate) (*x509.Certificate, error) {
+	var vOpts x509.VerifyOptions
+	var leaf *x509.Certificate
+	trustedCAPool := x509.NewCertPool()
+
+	// Require Leaf as first cert in bundle
+	if len(certBundle) > 0 {
+		leaf = certBundle[0]
+	} else {
+		return nil, fmt.Errorf("invalid ocsp ca configuration")
 	}
-	if err != nil {
-		return nil, err
+
+	// Allow Issuer to be configured as second cert in bundle
+	if len(certBundle) > 1 {
+		// The operator may have misconfigured the cert bundle
+		issuerCandidate := certBundle[1]
+		err := issuerCandidate.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature)
+		if err != nil {
+			return nil, fmt.Errorf("invalid issuer configuration: %w", err)
+		} else {
+			return issuerCandidate, nil
+		}
 	}
 
-	if len(issuers) == 0 {
-		return nil, fmt.Errorf("no issuers found")
+	// Operator did not provide the Leaf Issuer in cert bundle second position
+	// so we will attempt to create at least one ordered verified chain from the
+	// trusted CA pool.
+
+	// Specify CA trust store to validator; if unset, system trust store used
+	if len(trustedCAs) > 0 {
+		for _, ca := range trustedCAs {
+			trustedCAPool.AddCert(ca)
+		}
+		vOpts.Roots = trustedCAPool
+	}
+
+	return certstore.GetLeafIssuer(leaf, vOpts), nil
+}
+
+// getOCSPIssuer determines an issuer certificate from the cert (bundle) or the file-based CA trust store
+func getOCSPIssuer(caFile string, chain [][]byte) (*x509.Certificate, error) {
+	var issuer *x509.Certificate
+	var trustedCAs []*x509.Certificate
+	var certBundle []*x509.Certificate
+	var err error
+
+	// FIXME(tgb): extend if pluggable CA store provider added to NATS (i.e. other than PEM file)
+
+	// Non-system default CA trust store passed
+	if caFile != _EMPTY_ {
+		trustedCAs, err = parseCertPEM(caFile)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse ca_file: %v", err)
+		}
 	}
 
-	for _, issuer := range issuers {
-		if !issuer.IsCA {
-			return nil, fmt.Errorf("%s invalid ca basic constraints: is not ca", issuer.Subject)
+	// Specify bundled intermediate CA store
+	for _, certBytes := range chain {
+		cert, err := x509.ParseCertificate(certBytes)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse cert: %v", err)
 		}
+		certBundle = append(certBundle, cert)
 	}
 
-	return issuers, nil
+	issuer, err = getOCSPIssuerLocally(trustedCAs, certBundle)
+	if err != nil || issuer == nil {
+		return nil, fmt.Errorf("no issuers found")
+	}
+
+	if !issuer.IsCA {
+		return nil, fmt.Errorf("%s invalid ca basic constraints: is not ca", issuer.Subject)
+	}
+	return issuer, nil
 }
 
 func ocspStatusString(n int) string {
diff --git a/server/ocsp_peer.go b/server/ocsp_peer.go
new file mode 100644
index 000000000..3550fc27a
--- /dev/null
+++ b/server/ocsp_peer.go
@@ -0,0 +1,405 @@
+// Copyright 2023 The NATS Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package server
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"errors"
+	"fmt"
+	"strings"
+	"time"
+
+	"golang.org/x/crypto/ocsp"
+
+	"github.com/memphisdev/memphis/server/certidp"
+)
+
+func parseOCSPPeer(v interface{}) (pcfg *certidp.OCSPPeerConfig, retError error) {
+	var lt token
+	defer convertPanicToError(&lt, &retError)
+	tk, v := unwrapValue(v, &lt)
+	cm, ok := v.(map[string]interface{})
+	if !ok {
+		return nil, &configErr{tk, fmt.Sprintf(certidp.ErrIllegalPeerOptsConfig, v)}
+	}
+	pcfg = certidp.NewOCSPPeerConfig()
+	retError = nil
+	for mk, mv := range cm {
+		tk, mv = unwrapValue(mv, &lt)
+		switch strings.ToLower(mk) {
+		case "verify":
+			verify, ok := mv.(bool)
+			if !ok {
+				return nil, &configErr{tk, fmt.Sprintf(certidp.ErrParsingPeerOptFieldGeneric, mk)}
+			}
+			pcfg.Verify = verify
+		case "allowed_clockskew":
+			at := float64(0)
+			switch mv := mv.(type) {
+			case int64:
+				at = float64(mv)
+			case float64:
+				at = mv
+			case string:
+				d, err := time.ParseDuration(mv)
+				if err != nil {
+					return nil, &configErr{tk, fmt.Sprintf(certidp.ErrParsingPeerOptFieldTypeConversion, "unexpected type")}
+				}
+				at = d.Seconds()
+			default:
+				return nil, &configErr{tk, fmt.Sprintf(certidp.ErrParsingPeerOptFieldTypeConversion, "unexpected type")}
+			}
+			if at >= 0 {
+				pcfg.ClockSkew = at
+			}
+		case "ca_timeout":
+			at := float64(0)
+			switch mv := mv.(type) {
+			case int64:
+				at = float64(mv)
+			case float64:
+				at = mv
+			case string:
+				d, err := time.ParseDuration(mv)
+				if err != nil {
+					return nil, &configErr{tk, fmt.Sprintf(certidp.ErrParsingPeerOptFieldTypeConversion, err)}
+				}
+				at = d.Seconds()
+			default:
+				return nil, &configErr{tk, fmt.Sprintf(certidp.ErrParsingPeerOptFieldTypeConversion, "unexpected type")}
+			}
+			if at >= 0 {
+				pcfg.Timeout = at
+			}
+		case "cache_ttl_when_next_update_unset":
+			at := float64(0)
+			switch mv := mv.(type) {
+			case int64:
+				at = float64(mv)
+			case float64:
+				at = mv
+			case string:
+				d, err := time.ParseDuration(mv)
+				if err != nil {
+					return nil, &configErr{tk, fmt.Sprintf(certidp.ErrParsingPeerOptFieldTypeConversion, err)}
+				}
+				at = d.Seconds()
+			default:
+				return nil, &configErr{tk, fmt.Sprintf(certidp.ErrParsingPeerOptFieldTypeConversion, "unexpected type")}
+			}
+			if at >= 0 {
+				pcfg.TTLUnsetNextUpdate = at
+			}
+		case "warn_only":
+			warnOnly, ok := mv.(bool)
+			if !ok {
+				return nil, &configErr{tk, fmt.Sprintf(certidp.ErrParsingPeerOptFieldGeneric, mk)}
+			}
+			pcfg.WarnOnly = warnOnly
+		case "unknown_is_good":
+			unknownIsGood, ok := mv.(bool)
+			if !ok {
+				return nil, &configErr{tk, fmt.Sprintf(certidp.ErrParsingPeerOptFieldGeneric, mk)}
+			}
+			pcfg.UnknownIsGood = unknownIsGood
+		case "allow_when_ca_unreachable":
+			allowWhenCAUnreachable, ok := mv.(bool)
+			if !ok {
+				return nil, &configErr{tk, fmt.Sprintf(certidp.ErrParsingPeerOptFieldGeneric, mk)}
+			}
+			pcfg.AllowWhenCAUnreachable = allowWhenCAUnreachable
+		default:
+			return nil, &configErr{tk, fmt.Sprintf(certidp.ErrParsingPeerOptFieldGeneric, mk)}
+		}
+	}
+	return pcfg, nil
+}
+
+func peerFromVerifiedChains(chains [][]*x509.Certificate) *x509.Certificate {
+	if len(chains) == 0 || len(chains[0]) == 0 {
+		return nil
+	}
+	return chains[0][0]
+}
+
+// plugTLSOCSPPeer will plug the TLS handshake lifecycle for client mTLS connections and Leaf connections
+func (s *Server) plugTLSOCSPPeer(config *tlsConfigKind) (*tls.Config, bool, error) {
+	if config == nil || config.tlsConfig == nil {
+		return nil, false, errors.New(certidp.ErrUnableToPlugTLSEmptyConfig)
+	}
+	kind := config.kind
+	isSpoke := config.isLeafSpoke
+	tcOpts := config.tlsOpts
+	if tcOpts == nil || tcOpts.OCSPPeerConfig == nil || !tcOpts.OCSPPeerConfig.Verify {
+		return nil, false, nil
+	}
+	s.Debugf(certidp.DbgPlugTLSForKind, config.kind)
+	// peer is a tls client
+	if kind == kindStringMap[CLIENT] || (kind == kindStringMap[LEAF] && !isSpoke) {
+		if !tcOpts.Verify {
+			return nil, false, errors.New(certidp.ErrMTLSRequired)
+		}
+		return s.plugClientTLSOCSPPeer(config)
+	}
+	// peer is a tls server
+	if kind == kindStringMap[LEAF] && isSpoke {
+		return s.plugServerTLSOCSPPeer(config)
+	}
+	return nil, false, nil
+}
+
+func (s *Server) plugClientTLSOCSPPeer(config *tlsConfigKind) (*tls.Config, bool, error) {
+	if config == nil || config.tlsConfig == nil || config.tlsOpts == nil {
+		return nil, false, errors.New(certidp.ErrUnableToPlugTLSClient)
+	}
+	tc := config.tlsConfig
+	tcOpts := config.tlsOpts
+	kind := config.kind
+	if tcOpts.OCSPPeerConfig == nil || !tcOpts.OCSPPeerConfig.Verify {
+		return tc, false, nil
+	}
+	tc.VerifyConnection = func(cs tls.ConnectionState) error {
+		if !s.tlsClientOCSPValid(cs.VerifiedChains, tcOpts.OCSPPeerConfig) {
+			s.sendOCSPPeerRejectEvent(kind, peerFromVerifiedChains(cs.VerifiedChains), certidp.MsgTLSClientRejectConnection)
+			return errors.New(certidp.MsgTLSClientRejectConnection)
+		}
+		return nil
+	}
+	return tc, true, nil
+}
+
+func (s *Server) plugServerTLSOCSPPeer(config *tlsConfigKind) (*tls.Config, bool, error) {
+	if config == nil || config.tlsConfig == nil || config.tlsOpts == nil {
+		return nil, false, errors.New(certidp.ErrUnableToPlugTLSServer)
+	}
+	tc := config.tlsConfig
+	tcOpts := config.tlsOpts
+	kind := config.kind
+	if tcOpts.OCSPPeerConfig == nil || !tcOpts.OCSPPeerConfig.Verify {
+		return tc, false, nil
+	}
+	tc.VerifyConnection = func(cs tls.ConnectionState) error {
+		if !s.tlsServerOCSPValid(cs.VerifiedChains, tcOpts.OCSPPeerConfig) {
+			s.sendOCSPPeerRejectEvent(kind, peerFromVerifiedChains(cs.VerifiedChains), certidp.MsgTLSServerRejectConnection)
+			return errors.New(certidp.MsgTLSServerRejectConnection)
+		}
+		return nil
+	}
+	return tc, true, nil
+}
+
+// tlsServerOCSPValid evaluates verified chains (post successful TLS handshake) against OCSP
+// eligibility. A verified chain is considered OCSP Valid if either none of the links are
+// OCSP eligible, or current "good" responses from the CA can be obtained for each eligible link.
+// Upon first OCSP Valid chain found, the Server is deemed OCSP Valid. If none of the chains are
+// OCSP Valid, the Server is deemed OCSP Invalid. A verified self-signed certificate (chain length 1)
+// is also considered OCSP Valid.
+func (s *Server) tlsServerOCSPValid(chains [][]*x509.Certificate, opts *certidp.OCSPPeerConfig) bool {
+	s.Debugf(certidp.DbgNumServerChains, len(chains))
+	return s.peerOCSPValid(chains, opts)
+}
+
+// tlsClientOCSPValid evaluates verified chains (post successful TLS handshake) against OCSP
+// eligibility. A verified chain is considered OCSP Valid if either none of the links are
+// OCSP eligible, or current "good" responses from the CA can be obtained for each eligible link.
+// Upon first OCSP Valid chain found, the Client is deemed OCSP Valid. If none of the chains are
+// OCSP Valid, the Client is deemed OCSP Invalid. A verified self-signed certificate (chain length 1)
+// is also considered OCSP Valid.
+func (s *Server) tlsClientOCSPValid(chains [][]*x509.Certificate, opts *certidp.OCSPPeerConfig) bool {
+	s.Debugf(certidp.DbgNumClientChains, len(chains))
+	return s.peerOCSPValid(chains, opts)
+}
+
+func (s *Server) peerOCSPValid(chains [][]*x509.Certificate, opts *certidp.OCSPPeerConfig) bool {
+	peer := peerFromVerifiedChains(chains)
+	if peer == nil {
+		s.Errorf(certidp.ErrPeerEmptyAutoReject)
+		return false
+	}
+	for ci, chain := range chains {
+		s.Debugf(certidp.DbgLinksInChain, ci, len(chain))
+		// Self-signed certificate is Client OCSP Valid (no CA)
+		if len(chain) == 1 {
+			s.Debugf(certidp.DbgSelfSignedValid, ci)
+			return true
+		}
+		// Check if any of the links in the chain are OCSP eligible
+		chainEligible := false
+		var eligibleLinks []*certidp.ChainLink
+		// Iterate over links skipping the root cert which is not OCSP eligible (self == issuer)
+		for linkPos := 0; linkPos < len(chain)-1; linkPos++ {
+			cert := chain[linkPos]
+			link := &certidp.ChainLink{
+				Leaf: cert,
+			}
+			if certidp.CertOCSPEligible(link) {
+				chainEligible = true
+				issuerCert := certidp.GetLeafIssuerCert(chain, linkPos)
+				if issuerCert == nil {
+					// unexpected chain condition, reject Client as OCSP Invalid
+					return false
+				}
+				link.Issuer = issuerCert
+				eligibleLinks = append(eligibleLinks, link)
+			}
+		}
+		// A trust-store verified chain that is not OCSP eligible is always OCSP Valid
+		if !chainEligible {
+			s.Debugf(certidp.DbgValidNonOCSPChain, ci)
+			return true
+		}
+		s.Debugf(certidp.DbgChainIsOCSPEligible, ci, len(eligibleLinks))
+		// Chain has at least one OCSP eligible link, so check each eligible link;
+		// any link with a !good OCSP response chain OCSP Invalid
+		chainValid := true
+		for _, link := range eligibleLinks {
+			// if option selected, good could reflect either ocsp.Good or ocsp.Unknown
+			if badReason, good := s.certOCSPGood(link, opts); !good {
+				s.Debugf(badReason)
+				s.sendOCSPPeerChainlinkInvalidEvent(peer, link.Leaf, badReason)
+				chainValid = false
+				break
+			}
+		}
+		if chainValid {
+			s.Debugf(certidp.DbgChainIsOCSPValid, ci)
+			return true
+		}
+	}
+	// If we are here, all chains had OCSP eligible links, but none of the chains achieved OCSP valid
+	s.Debugf(certidp.DbgNoOCSPValidChains)
+	return false
+}
+
+func (s *Server) certOCSPGood(link *certidp.ChainLink, opts *certidp.OCSPPeerConfig) (string, bool) {
+	if link == nil || link.Leaf == nil || link.Issuer == nil || link.OCSPWebEndpoints == nil || len(*link.OCSPWebEndpoints) < 1 {
+		return "Empty chainlink found", false
+	}
+	var err error
+	sLogs := &certidp.Log{
+		Debugf:  s.Debugf,
+		Noticef: s.Noticef,
+		Warnf:   s.Warnf,
+		Errorf:  s.Errorf,
+		Tracef:  s.Tracef,
+	}
+	fingerprint := certidp.GenerateFingerprint(link.Leaf)
+	// Used for debug/operator only, not match
+	subj := certidp.GetSubjectDNForm(link.Leaf)
+	var rawResp []byte
+	var ocspr *ocsp.Response
+	var useCachedResp bool
+	var rc = s.ocsprc
+	var cachedRevocation bool
+	// Check our cache before calling out to the CA OCSP responder
+	s.Debugf(certidp.DbgCheckingCacheForCert, subj, fingerprint)
+	if rawResp = rc.Get(fingerprint, sLogs); len(rawResp) > 0 {
+		// Signature validation of CA's OCSP response occurs in ParseResponse
+		ocspr, err = ocsp.ParseResponse(rawResp, link.Issuer)
+		if err == nil && ocspr != nil {
+			// Check if OCSP Response delegation present and if so is valid
+			if !certidp.ValidDelegationCheck(link.Issuer, ocspr) {
+				// Invalid delegation was already in cache, purge it and don't use it
+				s.Debugf(certidp.MsgCachedOCSPResponseInvalid, subj)
+				rc.Delete(fingerprint, true, sLogs)
+				goto AFTERCACHE
+			}
+			if certidp.OCSPResponseCurrent(ocspr, opts, sLogs) {
+				s.Debugf(certidp.DbgCurrentResponseCached, certidp.GetStatusAssertionStr(ocspr.Status))
+				useCachedResp = true
+			} else {
+				// Cached response is not current, delete it and tidy runtime stats to reflect a miss;
+				// if preserve_revoked is enabled, the cache will not delete the cached response
+				s.Debugf(certidp.DbgExpiredResponseCached, certidp.GetStatusAssertionStr(ocspr.Status))
+				rc.Delete(fingerprint, true, sLogs)
+			}
+			// Regardless of currency, record a cached revocation found in case AllowWhenCAUnreachable is set
+			if ocspr.Status == ocsp.Revoked {
+				cachedRevocation = true
+			}
+		} else {
+			// Bogus cached assertion, purge it and don't use it
+			s.Debugf(certidp.MsgCachedOCSPResponseInvalid, subj, fingerprint)
+			rc.Delete(fingerprint, true, sLogs)
+			goto AFTERCACHE
+		}
+	}
+AFTERCACHE:
+	if !useCachedResp {
+		// CA OCSP responder callout needed
+		rawResp, err = certidp.FetchOCSPResponse(link, opts, sLogs)
+		if err != nil || rawResp == nil || len(rawResp) == 0 {
+			s.Warnf(certidp.ErrCAResponderCalloutFail, subj, err)
+			if opts.WarnOnly {
+				s.Warnf(certidp.MsgAllowWarnOnlyOccurred, subj)
+				return _EMPTY_, true
+			}
+			if opts.AllowWhenCAUnreachable && !cachedRevocation {
+				// Link has no cached history of revocation, so allow it to pass
+				s.Warnf(certidp.MsgAllowWhenCAUnreachableOccurred, subj)
+				return _EMPTY_, true
+			} else if opts.AllowWhenCAUnreachable {
+				// Link has cached but expired revocation so reject when CA is unreachable
+				s.Warnf(certidp.MsgAllowWhenCAUnreachableOccurredCachedRevoke, subj)
+			}
+			return certidp.MsgFailedOCSPResponseFetch, false
+		}
+		// Signature validation of CA's OCSP response occurs in ParseResponse
+		ocspr, err = ocsp.ParseResponse(rawResp, link.Issuer)
+		if err == nil && ocspr != nil {
+			// Check if OCSP Response delegation present and if so is valid
+			if !certidp.ValidDelegationCheck(link.Issuer, ocspr) {
+				s.Warnf(certidp.MsgOCSPResponseDelegationInvalid, subj)
+				if opts.WarnOnly {
+					// Can't use bogus assertion, but warn-only set so allow link to pass
+					s.Warnf(certidp.MsgAllowWarnOnlyOccurred, subj)
+					return _EMPTY_, true
+				}
+				return fmt.Sprintf(certidp.MsgOCSPResponseDelegationInvalid, subj), false
+			}
+			if !certidp.OCSPResponseCurrent(ocspr, opts, sLogs) {
+				s.Warnf(certidp.ErrNewCAResponseNotCurrent, subj)
+				if opts.WarnOnly {
+					// Can't use non-effective assertion, but warn-only set so allow link to pass
+					s.Warnf(certidp.MsgAllowWarnOnlyOccurred, subj)
+					return _EMPTY_, true
+				}
+				return certidp.MsgOCSPResponseNotEffective, false
+			}
+		} else {
+			s.Errorf(certidp.ErrCAResponseParseFailed, subj, err)
+			if opts.WarnOnly {
+				// Can't use bogus assertion, but warn-only set so allow link to pass
+				s.Warnf(certidp.MsgAllowWarnOnlyOccurred, subj)
+				return _EMPTY_, true
+			}
+			return certidp.MsgFailedOCSPResponseParse, false
+		}
+		// cache the valid fetched CA OCSP Response
+		rc.Put(fingerprint, ocspr, subj, sLogs)
+	}
+
+	// Whether through valid cache response available or newly fetched valid response, now check the status
+	if ocspr.Status == ocsp.Revoked || (ocspr.Status == ocsp.Unknown && !opts.UnknownIsGood) {
+		s.Warnf(certidp.ErrOCSPInvalidPeerLink, subj, certidp.GetStatusAssertionStr(ocspr.Status))
+		if opts.WarnOnly {
+			s.Warnf(certidp.MsgAllowWarnOnlyOccurred, subj)
+			return _EMPTY_, true
+		}
+		return fmt.Sprintf(certidp.MsgOCSPResponseInvalidStatus, certidp.GetStatusAssertionStr(ocspr.Status)), false
+	}
+	s.Debugf(certidp.DbgOCSPValidPeerLink, subj)
+	return _EMPTY_, true
+}
diff --git a/server/ocsp_responsecache.go b/server/ocsp_responsecache.go
new file mode 100644
index 000000000..eb692437f
--- /dev/null
+++ b/server/ocsp_responsecache.go
@@ -0,0 +1,636 @@
+// Copyright 2023 The NATS Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package server
+
+import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/klauspost/compress/s2"
+	"golang.org/x/crypto/ocsp"
+
+	"github.com/memphisdev/memphis/server/certidp"
+)
+
+const (
+	OCSPResponseCacheDefaultDir            = "_rc_"
+	OCSPResponseCacheDefaultFilename       = "cache.json"
+	OCSPResponseCacheDefaultTempFilePrefix = "ocsprc-*"
+	OCSPResponseCacheMinimumSaveInterval   = 1 * time.Second
+	OCSPResponseCacheDefaultSaveInterval   = 5 * time.Minute
+)
+
+type OCSPResponseCacheType int
+
+const (
+	NONE OCSPResponseCacheType = iota + 1
+	LOCAL
+)
+
+var OCSPResponseCacheTypeMap = map[string]OCSPResponseCacheType{
+	"none":  NONE,
+	"local": LOCAL,
+}
+
+type OCSPResponseCacheConfig struct {
+	Type            OCSPResponseCacheType
+	LocalStore      string
+	PreserveRevoked bool
+	SaveInterval    float64
+}
+
+func NewOCSPResponseCacheConfig() *OCSPResponseCacheConfig {
+	return &OCSPResponseCacheConfig{
+		Type:            LOCAL,
+		LocalStore:      OCSPResponseCacheDefaultDir,
+		PreserveRevoked: false,
+		SaveInterval:    OCSPResponseCacheDefaultSaveInterval.Seconds(),
+	}
+}
+
+type OCSPResponseCacheStats struct {
+	Responses int64 `json:"size"`
+	Hits      int64 `json:"hits"`
+	Misses    int64 `json:"misses"`
+	Revokes   int64 `json:"revokes"`
+	Goods     int64 `json:"goods"`
+	Unknowns  int64 `json:"unknowns"`
+}
+
+type OCSPResponseCacheItem struct {
+	Subject     string                  `json:"subject,omitempty"`
+	CachedAt    time.Time               `json:"cached_at"`
+	RespStatus  certidp.StatusAssertion `json:"resp_status"`
+	RespExpires time.Time               `json:"resp_expires,omitempty"`
+	Resp        []byte                  `json:"resp"`
+}
+
+type OCSPResponseCache interface {
+	Put(key string, resp *ocsp.Response, subj string, log *certidp.Log)
+	Get(key string, log *certidp.Log) []byte
+	Delete(key string, miss bool, log *certidp.Log)
+	Type() string
+	Start(s *Server)
+	Stop(s *Server)
+	Online() bool
+	Config() *OCSPResponseCacheConfig
+	Stats() *OCSPResponseCacheStats
+}
+
+// NoOpCache is a no-op implementation of OCSPResponseCache
+type NoOpCache struct {
+	config *OCSPResponseCacheConfig
+	stats  *OCSPResponseCacheStats
+	online bool
+	mu     *sync.RWMutex
+}
+
+func (c *NoOpCache) Put(_ string, _ *ocsp.Response, _ string, _ *certidp.Log) {}
+
+func (c *NoOpCache) Get(_ string, _ *certidp.Log) []byte {
+	return nil
+}
+
+func (c *NoOpCache) Delete(_ string, _ bool, _ *certidp.Log) {}
+
+func (c *NoOpCache) Start(_ *Server) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.stats = &OCSPResponseCacheStats{}
+	c.online = true
+}
+
+func (c *NoOpCache) Stop(_ *Server) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.online = false
+}
+
+func (c *NoOpCache) Online() bool {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	return c.online
+}
+
+func (c *NoOpCache) Type() string {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	return "none"
+}
+
+func (c *NoOpCache) Config() *OCSPResponseCacheConfig {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	return c.config
+}
+
+func (c *NoOpCache) Stats() *OCSPResponseCacheStats {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	return c.stats
+}
+
+// LocalCache is a local file implementation of OCSPResponseCache
+type LocalCache struct {
+	config       *OCSPResponseCacheConfig
+	stats        *OCSPResponseCacheStats
+	online       bool
+	cache        map[string]OCSPResponseCacheItem
+	mu           *sync.RWMutex
+	saveInterval time.Duration
+	dirty        bool
+	timer        *time.Timer
+}
+
+// Put captures a CA OCSP response to the OCSP peer cache indexed by response fingerprint (a hash)
+func (c *LocalCache) Put(key string, caResp *ocsp.Response, subj string, log *certidp.Log) {
+	c.mu.RLock()
+	if !c.online || caResp == nil || key == "" {
+		c.mu.RUnlock()
+		return
+	}
+	c.mu.RUnlock()
+	log.Debugf(certidp.DbgCachingResponse, subj, key)
+	rawC, err := c.Compress(caResp.Raw)
+	if err != nil {
+		log.Errorf(certidp.ErrResponseCompressFail, key, err)
+		return
+	}
+	log.Debugf(certidp.DbgAchievedCompression, float64(len(rawC))/float64(len(caResp.Raw)))
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	// check if we are replacing and do stats
+	item, ok := c.cache[key]
+	if ok {
+		c.adjustStats(-1, item.RespStatus)
+	}
+	item = OCSPResponseCacheItem{
+		Subject:     subj,
+		CachedAt:    time.Now().UTC().Round(time.Second),
+		RespStatus:  certidp.StatusAssertionIntToVal[caResp.Status],
+		RespExpires: caResp.NextUpdate,
+		Resp:        rawC,
+	}
+	c.cache[key] = item
+	c.adjustStats(1, item.RespStatus)
+	c.dirty = true
+}
+
+// Get returns a CA OCSP response from the OCSP peer cache matching the response fingerprint (a hash)
+func (c *LocalCache) Get(key string, log *certidp.Log) []byte {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	if !c.online || key == "" {
+		return nil
+	}
+	val, ok := c.cache[key]
+	if ok {
+		atomic.AddInt64(&c.stats.Hits, 1)
+		log.Debugf(certidp.DbgCacheHit, key)
+	} else {
+		atomic.AddInt64(&c.stats.Misses, 1)
+		log.Debugf(certidp.DbgCacheMiss, key)
+		return nil
+	}
+	resp, err := c.Decompress(val.Resp)
+	if err != nil {
+		log.Errorf(certidp.ErrResponseDecompressFail, key, err)
+		return nil
+	}
+	return resp
+}
+
+func (c *LocalCache) adjustStatsHitToMiss() {
+	atomic.AddInt64(&c.stats.Misses, 1)
+	atomic.AddInt64(&c.stats.Hits, -1)
+}
+
+func (c *LocalCache) adjustStats(delta int64, rs certidp.StatusAssertion) {
+	if delta == 0 {
+		return
+	}
+	atomic.AddInt64(&c.stats.Responses, delta)
+	switch rs {
+	case ocsp.Good:
+		atomic.AddInt64(&c.stats.Goods, delta)
+	case ocsp.Revoked:
+		atomic.AddInt64(&c.stats.Revokes, delta)
+	case ocsp.Unknown:
+		atomic.AddInt64(&c.stats.Unknowns, delta)
+	}
+}
+
+// Delete removes a CA OCSP response from the OCSP peer cache matching the response fingerprint (a hash)
+func (c *LocalCache) Delete(key string, wasMiss bool, log *certidp.Log) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	if !c.online || key == "" || c.config == nil {
+		return
+	}
+	item, ok := c.cache[key]
+	if !ok {
+		return
+	}
+	if item.RespStatus == ocsp.Revoked && c.config.PreserveRevoked {
+		log.Debugf(certidp.DbgPreservedRevocation, key)
+		if wasMiss {
+			c.adjustStatsHitToMiss()
+		}
+		return
+	}
+	log.Debugf(certidp.DbgDeletingCacheResponse, key)
+	delete(c.cache, key)
+	c.adjustStats(-1, item.RespStatus)
+	if wasMiss {
+		c.adjustStatsHitToMiss()
+	}
+	c.dirty = true
+}
+
+// Start initializes the configured OCSP peer cache, loads a saved cache from disk (if present), and initializes runtime statistics
+func (c *LocalCache) Start(s *Server) {
+	s.Debugf(certidp.DbgStartingCache)
+	c.loadCache(s)
+	c.initStats()
+	c.mu.Lock()
+	c.online = true
+	c.mu.Unlock()
+}
+
+func (c *LocalCache) Stop(s *Server) {
+	c.mu.Lock()
+	s.Debugf(certidp.DbgStoppingCache)
+	c.online = false
+	c.timer.Stop()
+	c.mu.Unlock()
+	c.saveCache(s)
+}
+
+func (c *LocalCache) Online() bool {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	return c.online
+}
+
+func (c *LocalCache) Type() string {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	return "local"
+}
+
+func (c *LocalCache) Config() *OCSPResponseCacheConfig {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	return c.config
+}
+
+func (c *LocalCache) Stats() *OCSPResponseCacheStats {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	if c.stats == nil {
+		return nil
+	}
+	stats := OCSPResponseCacheStats{
+		Responses: c.stats.Responses,
+		Hits:      c.stats.Hits,
+		Misses:    c.stats.Misses,
+		Revokes:   c.stats.Revokes,
+		Goods:     c.stats.Goods,
+		Unknowns:  c.stats.Unknowns,
+	}
+	return &stats
+}
+
+func (c *LocalCache) initStats() {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.stats = &OCSPResponseCacheStats{}
+	c.stats.Hits = 0
+	c.stats.Misses = 0
+	c.stats.Responses = int64(len(c.cache))
+	for _, resp := range c.cache {
+		switch resp.RespStatus {
+		case ocsp.Good:
+			c.stats.Goods++
+		case ocsp.Revoked:
+			c.stats.Revokes++
+		case ocsp.Unknown:
+			c.stats.Unknowns++
+		}
+	}
+}
+
+func (c *LocalCache) Compress(buf []byte) ([]byte, error) {
+	bodyLen := int64(len(buf))
+	var output bytes.Buffer
+	writer := s2.NewWriter(&output)
+	input := bytes.NewReader(buf[:bodyLen])
+	if n, err := io.CopyN(writer, input, bodyLen); err != nil {
+		return nil, fmt.Errorf(certidp.ErrCannotWriteCompressed, err)
+	} else if n != bodyLen {
+		return nil, fmt.Errorf(certidp.ErrTruncatedWrite, n, bodyLen)
+	}
+	if err := writer.Close(); err != nil {
+		return nil, fmt.Errorf(certidp.ErrCannotCloseWriter, err)
+	}
+	return output.Bytes(), nil
+}
+
+func (c *LocalCache) Decompress(buf []byte) ([]byte, error) {
+	bodyLen := int64(len(buf))
+	input := bytes.NewReader(buf[:bodyLen])
+	reader := io.NopCloser(s2.NewReader(input))
+	output, err := io.ReadAll(reader)
+	if err != nil {
+		return nil, fmt.Errorf(certidp.ErrCannotReadCompressed, err)
+	}
+	return output, reader.Close()
+}
+
+func (c *LocalCache) loadCache(s *Server) {
+	d := s.opts.OCSPCacheConfig.LocalStore
+	if d == _EMPTY_ {
+		d = OCSPResponseCacheDefaultDir
+	}
+	f := OCSPResponseCacheDefaultFilename
+	store, err := filepath.Abs(path.Join(d, f))
+	if err != nil {
+		s.Errorf(certidp.ErrLoadCacheFail, err)
+		return
+	}
+	s.Debugf(certidp.DbgLoadingCache, store)
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.cache = make(map[string]OCSPResponseCacheItem)
+	dat, err := os.ReadFile(store)
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			s.Debugf(certidp.DbgNoCacheFound)
+		} else {
+			s.Warnf(certidp.ErrLoadCacheFail, err)
+		}
+		return
+	}
+	err = json.Unmarshal(dat, &c.cache)
+	if err != nil {
+		// make sure clean cache
+		c.cache = make(map[string]OCSPResponseCacheItem)
+		s.Warnf(certidp.ErrLoadCacheFail, err)
+		c.dirty = true
+		return
+	}
+	c.dirty = false
+}
+
+func (c *LocalCache) saveCache(s *Server) {
+	c.mu.RLock()
+	dirty := c.dirty
+	c.mu.RUnlock()
+	if !dirty {
+		return
+	}
+	s.Debugf(certidp.DbgCacheDirtySave)
+	var d string
+	if c.config.LocalStore != _EMPTY_ {
+		d = c.config.LocalStore
+	} else {
+		d = OCSPResponseCacheDefaultDir
+	}
+	f := OCSPResponseCacheDefaultFilename
+	store, err := filepath.Abs(path.Join(d, f))
+	if err != nil {
+		s.Errorf(certidp.ErrSaveCacheFail, err)
+		return
+	}
+	s.Debugf(certidp.DbgSavingCache, store)
+	if _, err := os.Stat(d); os.IsNotExist(err) {
+		err = os.Mkdir(d, defaultDirPerms)
+		if err != nil {
+			s.Errorf(certidp.ErrSaveCacheFail, err)
+			return
+		}
+	}
+	tmp, err := os.CreateTemp(d, OCSPResponseCacheDefaultTempFilePrefix)
+	if err != nil {
+		s.Errorf(certidp.ErrSaveCacheFail, err)
+		return
+	}
+	defer func() {
+		tmp.Close()
+		os.Remove(tmp.Name())
+	}() // clean up any temp files
+
+	// RW lock here because we're going to snapshot the cache to disk and mark as clean if successful
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	dat, err := json.MarshalIndent(c.cache, "", " ")
+	if err != nil {
+		s.Errorf(certidp.ErrSaveCacheFail, err)
+		return
+	}
+	cacheSize, err := tmp.Write(dat)
+	if err != nil {
+		s.Errorf(certidp.ErrSaveCacheFail, err)
+		return
+	}
+	err = tmp.Sync()
+	if err != nil {
+		s.Errorf(certidp.ErrSaveCacheFail, err)
+		return
+	}
+	err = tmp.Close()
+	if err != nil {
+		s.Errorf(certidp.ErrSaveCacheFail, err)
+		return
+	}
+	// do the final swap and overwrite any old saved peer cache
+	err = os.Rename(tmp.Name(), store)
+	if err != nil {
+		s.Errorf(certidp.ErrSaveCacheFail, err)
+		return
+	}
+	c.dirty = false
+	s.Debugf(certidp.DbgCacheSaved, cacheSize)
+}
+
+var OCSPResponseCacheUsage = `
+You may enable OCSP peer response cacheing at server configuration root level:
+
+(If no TLS blocks are configured with OCSP peer verification, ocsp_cache is ignored.)
+
+    ...
+    # short form enables with defaults
+    ocsp_cache: true
+
+    # if false or undefined and one or more TLS blocks are configured with OCSP peer verification, "none" is implied
+
+    # long form includes settable options
+    ocsp_cache {
+
+        # Cache type <none, local> (default local)
+        type: local
+
+        # Cache file directory for local-type cache (default _rc_ in current working directory)
+        local_store: "_rc_"
+
+        # Ignore cache deletes if cached OCSP response is Revoked status (default false)
+        preserve_revoked: false
+
+        # For local store, interval to save in-memory cache to disk in seconds (default 300 seconds, minimum 1 second)
+        save_interval: 300
+    }
+    ...
+
+Note: Cache of server's own OCSP response (staple) is enabled using the 'ocsp' configuration option.
+`
+
+func (s *Server) initOCSPResponseCache() {
+	// No mTLS OCSP or Leaf OCSP enablements, so no need to init cache
+	s.mu.RLock()
+	if !s.ocspPeerVerify {
+		s.mu.RUnlock()
+		return
+	}
+	s.mu.RUnlock()
+	so := s.getOpts()
+	if so.OCSPCacheConfig == nil {
+		so.OCSPCacheConfig = NewOCSPResponseCacheConfig()
+	}
+	var cc = so.OCSPCacheConfig
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	switch cc.Type {
+	case NONE:
+		s.ocsprc = &NoOpCache{config: cc, online: true, mu: &sync.RWMutex{}}
+	case LOCAL:
+		c := &LocalCache{
+			config: cc,
+			online: false,
+			cache:  make(map[string]OCSPResponseCacheItem),
+			mu:     &sync.RWMutex{},
+			dirty:  false,
+		}
+		c.saveInterval = time.Duration(cc.SaveInterval) * time.Second
+		c.timer = time.AfterFunc(c.saveInterval, func() {
+			s.Debugf(certidp.DbgCacheSaveTimerExpired)
+			c.saveCache(s)
+			c.timer.Reset(c.saveInterval)
+		})
+		s.ocsprc = c
+	default:
+		s.Fatalf(certidp.ErrBadCacheTypeConfig, cc.Type)
+	}
+}
+
+func (s *Server) startOCSPResponseCache() {
+	// No mTLS OCSP or Leaf OCSP enablements, so no need to start cache
+	s.mu.RLock()
+	if !s.ocspPeerVerify || s.ocsprc == nil {
+		s.mu.RUnlock()
+		return
+	}
+	s.mu.RUnlock()
+
+	// Could be heavier operation depending on cache implementation
+	s.ocsprc.Start(s)
+	if s.ocsprc.Online() {
+		s.Noticef(certidp.MsgCacheOnline, s.ocsprc.Type())
+	} else {
+		s.Noticef(certidp.MsgCacheOffline, s.ocsprc.Type())
+	}
+}
+
+func (s *Server) stopOCSPResponseCache() {
+	s.mu.RLock()
+	if s.ocsprc == nil {
+		s.mu.RUnlock()
+		return
+	}
+	s.mu.RUnlock()
+	s.ocsprc.Stop(s)
+}
+
+func parseOCSPResponseCache(v interface{}) (pcfg *OCSPResponseCacheConfig, retError error) {
+	var lt token
+	defer convertPanicToError(&lt, &retError)
+	tk, v := unwrapValue(v, &lt)
+	cm, ok := v.(map[string]interface{})
+	if !ok {
+		return nil, &configErr{tk, fmt.Sprintf(certidp.ErrIllegalCacheOptsConfig, v)}
+	}
+	pcfg = NewOCSPResponseCacheConfig()
+	retError = nil
+	for mk, mv := range cm {
+		// Again, unwrap token value if line check is required.
+		tk, mv = unwrapValue(mv, &lt)
+		switch strings.ToLower(mk) {
+		case "type":
+			cache, ok := mv.(string)
+			if !ok {
+				return nil, &configErr{tk, fmt.Sprintf(certidp.ErrParsingCacheOptFieldGeneric, mk)}
+			}
+			cacheType, exists := OCSPResponseCacheTypeMap[strings.ToLower(cache)]
+			if !exists {
+				return nil, &configErr{tk, fmt.Sprintf(certidp.ErrUnknownCacheType, cache)}
+			}
+			pcfg.Type = cacheType
+		case "local_store":
+			store, ok := mv.(string)
+			if !ok {
+				return nil, &configErr{tk, fmt.Sprintf(certidp.ErrParsingCacheOptFieldGeneric, mk)}
+			}
+			pcfg.LocalStore = store
+		case "preserve_revoked":
+			preserve, ok := mv.(bool)
+			if !ok {
+				return nil, &configErr{tk, fmt.Sprintf(certidp.ErrParsingCacheOptFieldGeneric, mk)}
+			}
+			pcfg.PreserveRevoked = preserve
+		case "save_interval":
+			at := float64(0)
+			switch mv := mv.(type) {
+			case int64:
+				at = float64(mv)
+			case float64:
+				at = mv
+			case string:
+				d, err := time.ParseDuration(mv)
+				if err != nil {
+					return nil, &configErr{tk, fmt.Sprintf(certidp.ErrParsingPeerOptFieldTypeConversion, err)}
+				}
+				at = d.Seconds()
+			default:
+				return nil, &configErr{tk, fmt.Sprintf(certidp.ErrParsingCacheOptFieldTypeConversion, "unexpected type")}
+			}
+			si := time.Duration(at) * time.Second
+			if si < OCSPResponseCacheMinimumSaveInterval {
+				si = OCSPResponseCacheMinimumSaveInterval
+			}
+			pcfg.SaveInterval = si.Seconds()
+		default:
+			return nil, &configErr{tk, fmt.Sprintf(certidp.ErrParsingCacheOptFieldGeneric, mk)}
+		}
+	}
+	return pcfg, nil
+}
diff --git a/server/opts.go b/server/opts.go
index 2f023daa0..09d3a482b 100644
--- a/server/opts.go
+++ b/server/opts.go
@@ -1,4 +1,4 @@
-// Copyright 2012-2022 The NATS Authors
+// Copyright 2012-2023 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -33,10 +33,11 @@ import (
 	"sync/atomic"
 	"time"
 
+	"github.com/memphisdev/memphis/conf"
+	"github.com/memphisdev/memphis/server/certidp"
+	"github.com/memphisdev/memphis/server/certstore"
 	"github.com/nats-io/jwt/v2"
 	"github.com/nats-io/nkeys"
-
-	"github.com/memphisdev/memphis/conf"
 )
 
 var allowUnknownTopLevelField = int32(0)
@@ -53,7 +54,7 @@ func NoErrOnUnknownFields(noError bool) {
 	atomic.StoreInt32(&allowUnknownTopLevelField, val)
 }
 
-// Set of lower case hex-encoded sha256 of DER encoded SubjectPublicKeyInfo
+// PinnedCertSet is a set of lower case hex-encoded sha256 of DER encoded SubjectPublicKeyInfo
 type PinnedCertSet map[string]struct{}
 
 // ClusterOpts are options for clusters.
@@ -221,6 +222,7 @@ type Options struct {
 	NoHeaderSupport       bool          `json:"-"`
 	DisableShortFirstPing bool          `json:"-"`
 	Logtime               bool          `json:"-"`
+	LogtimeUTC            bool          `json:"-"`
 	MaxConn               int           `json:"max_connections"`
 	MaxSubs               int           `json:"max_subscriptions,omitempty"`
 	MaxSubTokens          uint8         `json:"-"`
@@ -285,7 +287,7 @@ type Options struct {
 	LameDuckDuration      time.Duration     `json:"-"`
 	LameDuckGracePeriod   time.Duration     `json:"-"`
 
-	// memphis options
+	// ** added by Memphis
 	UiPort                             int            `json:"-"`
 	RestGwPort                         int            `json:"-"`
 	K8sNamespace                       string         `json:"-"`
@@ -296,6 +298,7 @@ type Options struct {
 	UiHost                             string         `json:"-"`
 	RestGwHost                         string         `json:"-"`
 	BrokerHost                         string         `json:"-"`
+	// ** added by Memphis
 
 	// MaxTracedMsgLen is the maximum printable length for traced messages.
 	MaxTracedMsgLen int `json:"-"`
@@ -352,6 +355,9 @@ type Options struct {
 	// JetStream
 	maxMemSet   bool
 	maxStoreSet bool
+
+	// OCSP Cache config enables next-gen cache for OCSP features
+	OCSPCacheConfig *OCSPResponseCacheConfig
 }
 
 // WebsocketOpts are options for websocket
@@ -415,6 +421,9 @@ type WebsocketOpts struct {
 	// and write the response back to the client. This include the
 	// time needed for the TLS Handshake.
 	HandshakeTimeout time.Duration
+
+	// Snapshot of configured TLS options.
+	tlsConfigOpts *TLSConfigOpts
 }
 
 // MQTTOpts are options for MQTT
@@ -495,6 +504,9 @@ type MQTTOpts struct {
 	// subscription ending with "#" will use 2 times the MaxAckPending value.
 	// Note that changes to this option is applied only to new subscriptions.
 	MaxAckPending uint16
+
+	// Snapshot of configured TLS options.
+	tlsConfigOpts *TLSConfigOpts
 }
 
 type netResolver interface {
@@ -586,6 +598,10 @@ type TLSConfigOpts struct {
 	Ciphers           []uint16
 	CurvePreferences  []tls.CurveID
 	PinnedCerts       PinnedCertSet
+	CertStore         certstore.StoreType
+	CertMatchBy       certstore.MatchByType
+	CertMatch         string
+	OCSPPeerConfig    *certidp.OCSPPeerConfig
 }
 
 // OCSPConfig represents the options of OCSP stapling options.
@@ -627,7 +643,7 @@ Available cipher suites include:
 // FIXME(dlc): A bit hacky
 func ProcessConfigFile(configFile string) (*Options, error) {
 	opts := &Options{}
-	if err := opts.ProcessConfigFile(configFile, true); err != nil {
+	if err := opts.ProcessConfigFile(configFile, true); err != nil { // ** true added by memphis
 		// If only warnings then continue and return the options.
 		if cerr, ok := err.(*processConfigErr); ok && len(cerr.Errors()) == 0 {
 			return opts, nil
@@ -729,7 +745,7 @@ func configureSystemAccount(o *Options, m map[string]interface{}) (retErr error)
 // achieve that with the non receiver ProcessConfigFile() version,
 // since one would not know after the call if "debug" was not present
 // or was present but set to false.
-func (o *Options) ProcessConfigFile(configFile string, reload bool) error {
+func (o *Options) ProcessConfigFile(configFile string, reload bool) error { // ** reload added by memphis
 	o.ConfigFile = configFile
 	if configFile == _EMPTY_ {
 		return nil
@@ -768,6 +784,9 @@ func (o *Options) ProcessConfigFile(configFile string, reload bool) error {
 	// Collect all errors and warnings and report them all together.
 	errors := make([]error, 0)
 	warnings := make([]error, 0)
+	if len(m) == 0 {
+		warnings = append(warnings, fmt.Errorf("%s: config has no values or is empty", configFile))
+	}
 
 	// First check whether a system account has been defined,
 	// as that is a condition for other features to be enabled.
@@ -825,6 +844,9 @@ func (o *Options) processConfigFileLine(k string, v interface{}, errors *[]error
 	case "logtime":
 		o.Logtime = v.(bool)
 		trackExplicitVal(o, &o.inConfig, "Logtime", o.Logtime)
+	case "logtime_utc":
+		o.LogtimeUTC = v.(bool)
+		trackExplicitVal(o, &o.inConfig, "LogtimeUTC", o.LogtimeUTC)
 	case "mappings", "maps":
 		gacc := NewAccount(globalAccountName)
 		o.Accounts = append(o.Accounts, gacc)
@@ -1169,8 +1191,10 @@ func (o *Options) processConfigFileLine(k string, v interface{}, errors *[]error
 			}
 		case map[string]interface{}:
 			del := false
-			dir := ""
-			dirType := ""
+			hdel := false
+			hdel_set := false
+			dir := _EMPTY_
+			dirType := _EMPTY_
 			limit := int64(0)
 			ttl := time.Duration(0)
 			sync := time.Duration(0)
@@ -1188,6 +1212,11 @@ func (o *Options) processConfigFileLine(k string, v interface{}, errors *[]error
 				_, v := unwrapValue(v, &lt)
 				del = v.(bool)
 			}
+			if v, ok := v["hard_delete"]; ok {
+				_, v := unwrapValue(v, &lt)
+				hdel_set = true
+				hdel = v.(bool)
+			}
 			if v, ok := v["limit"]; ok {
 				_, v := unwrapValue(v, &lt)
 				limit = v.(int64)
@@ -1211,29 +1240,51 @@ func (o *Options) processConfigFileLine(k string, v interface{}, errors *[]error
 				*errors = append(*errors, &configErr{tk, err.Error()})
 				return
 			}
-			if dir == "" {
-				*errors = append(*errors, &configErr{tk, "dir has no value and needs to point to a directory"})
-				return
-			}
-			if info, _ := os.Stat(dir); info != nil && (!info.IsDir() || info.Mode().Perm()&(1<<(uint(7))) == 0) {
-				*errors = append(*errors, &configErr{tk, "dir needs to point to an accessible directory"})
-				return
+
+			checkDir := func() {
+				if dir == _EMPTY_ {
+					*errors = append(*errors, &configErr{tk, "dir has no value and needs to point to a directory"})
+					return
+				}
+				if info, _ := os.Stat(dir); info != nil && (!info.IsDir() || info.Mode().Perm()&(1<<(uint(7))) == 0) {
+					*errors = append(*errors, &configErr{tk, "dir needs to point to an accessible directory"})
+					return
+				}
 			}
+
 			var res AccountResolver
 			switch strings.ToUpper(dirType) {
 			case "CACHE":
+				checkDir()
 				if sync != 0 {
 					*errors = append(*errors, &configErr{tk, "CACHE does not accept sync"})
 				}
 				if del {
 					*errors = append(*errors, &configErr{tk, "CACHE does not accept allow_delete"})
 				}
+				if hdel_set {
+					*errors = append(*errors, &configErr{tk, "CACHE does not accept hard_delete"})
+				}
 				res, err = NewCacheDirAccResolver(dir, limit, ttl, opts...)
 			case "FULL":
+				checkDir()
 				if ttl != 0 {
 					*errors = append(*errors, &configErr{tk, "FULL does not accept ttl"})
 				}
-				res, err = NewDirAccResolver(dir, limit, sync, del, opts...)
+				if hdel_set && !del {
+					*errors = append(*errors, &configErr{tk, "hard_delete has no effect without delete"})
+				}
+				delete := NoDelete
+				if del {
+					if hdel {
+						delete = HardDelete
+					} else {
+						delete = RenameDeleted
+					}
+				}
+				res, err = NewDirAccResolver(dir, limit, sync, delete, opts...)
+			case "MEM", "MEMORY":
+				res = &MemAccResolver{}
 			}
 			if err != nil {
 				*errors = append(*errors, &configErr{tk, err.Error()})
@@ -1411,6 +1462,36 @@ func (o *Options) processConfigFileLine(k string, v interface{}, errors *[]error
 			m[kk] = v.(string)
 		}
 		o.JsAccDefaultDomain = m
+	case "ocsp_cache":
+		var err error
+		switch vv := v.(type) {
+		case bool:
+			pc := NewOCSPResponseCacheConfig()
+			if vv {
+				// Set enabled
+				pc.Type = LOCAL
+				o.OCSPCacheConfig = pc
+			} else {
+				// Set disabled (none cache)
+				pc.Type = NONE
+				o.OCSPCacheConfig = pc
+			}
+		case map[string]interface{}:
+			pc, err := parseOCSPResponseCache(v)
+			if err != nil {
+				*errors = append(*errors, err)
+				return
+			}
+			o.OCSPCacheConfig = pc
+		default:
+			err = &configErr{tk, fmt.Sprintf("error parsing tags: unsupported type %T", v)}
+		}
+		if err != nil {
+			*errors = append(*errors, err)
+			return
+		}
+
+	// ** added by Memphis
 	case "ui_port":
 		o.UiPort = int(v.(int64))
 	case "rest_gw_port":
@@ -1473,6 +1554,7 @@ func (o *Options) processConfigFileLine(k string, v interface{}, errors *[]error
 			return
 		}
 		o.BrokerHost = value
+	// ** added by Memphis
 	default:
 		if au := atomic.LoadInt32(&allowUnknownTopLevelField); au == 0 && !tk.IsUsedVariable() {
 			err := &unknownConfigFieldErr{
@@ -3927,6 +4009,11 @@ func PrintTLSHelpAndDie() {
 	for k := range curvePreferenceMap {
 		fmt.Printf("    %s\n", k)
 	}
+	if runtime.GOOS == "windows" {
+		fmt.Printf("%s\n", certstore.Usage)
+	}
+	fmt.Printf("%s", certidp.OCSPPeerUsage)
+	fmt.Printf("%s", OCSPResponseCacheUsage)
 	os.Exit(0)
 }
 
@@ -4084,6 +4171,54 @@ func parseTLS(v interface{}, isClientCtx bool) (t *TLSConfigOpts, retErr error)
 				}
 				tc.PinnedCerts = wl
 			}
+		case "cert_store":
+			certStore, ok := mv.(string)
+			if !ok || certStore == _EMPTY_ {
+				return nil, &configErr{tk, certstore.ErrBadCertStoreField.Error()}
+			}
+			certStoreType, err := certstore.ParseCertStore(certStore)
+			if err != nil {
+				return nil, &configErr{tk, err.Error()}
+			}
+			tc.CertStore = certStoreType
+		case "cert_match_by":
+			certMatchBy, ok := mv.(string)
+			if !ok || certMatchBy == _EMPTY_ {
+				return nil, &configErr{tk, certstore.ErrBadCertMatchByField.Error()}
+			}
+			certMatchByType, err := certstore.ParseCertMatchBy(certMatchBy)
+			if err != nil {
+				return nil, &configErr{tk, err.Error()}
+			}
+			tc.CertMatchBy = certMatchByType
+		case "cert_match":
+			certMatch, ok := mv.(string)
+			if !ok || certMatch == _EMPTY_ {
+				return nil, &configErr{tk, certstore.ErrBadCertMatchField.Error()}
+			}
+			tc.CertMatch = certMatch
+		case "ocsp_peer":
+			switch vv := mv.(type) {
+			case bool:
+				pc := certidp.NewOCSPPeerConfig()
+				if vv {
+					// Set enabled
+					pc.Verify = true
+					tc.OCSPPeerConfig = pc
+				} else {
+					// Set disabled
+					pc.Verify = false
+					tc.OCSPPeerConfig = pc
+				}
+			case map[string]interface{}:
+				pc, err := parseOCSPPeer(mv)
+				if err != nil {
+					return nil, &configErr{tk, err.Error()}
+				}
+				tc.OCSPPeerConfig = pc
+			default:
+				return nil, &configErr{tk, fmt.Sprintf("error parsing ocsp peer config: unsupported type %T", v)}
+			}
 		default:
 			return nil, &configErr{tk, fmt.Sprintf("error parsing tls config, unknown field [%q]", mk)}
 		}
@@ -4214,6 +4349,7 @@ func parseWebsocket(v interface{}, o *Options, errors *[]error, warnings *[]erro
 			}
 			o.Websocket.TLSMap = tc.Map
 			o.Websocket.TLSPinnedCerts = tc.PinnedCerts
+			o.Websocket.tlsConfigOpts = tc
 		case "same_origin":
 			o.Websocket.SameOrigin = mv.(bool)
 		case "allowed_origins", "allowed_origin", "allow_origins", "allow_origin", "origins", "origin":
@@ -4304,6 +4440,7 @@ func parseMQTT(v interface{}, o *Options, errors *[]error, warnings *[]error) er
 			o.MQTT.TLSTimeout = tc.Timeout
 			o.MQTT.TLSMap = tc.Map
 			o.MQTT.TLSPinnedCerts = tc.PinnedCerts
+			o.MQTT.tlsConfigOpts = tc
 		case "authorization", "authentication":
 			auth := parseSimpleAuth(tk, errors, warnings)
 			o.MQTT.Username = auth.user
@@ -4370,11 +4507,13 @@ func GenTLSConfig(tc *TLSConfigOpts) (*tls.Config, error) {
 	}
 
 	switch {
-	case tc.CertFile != "" && tc.KeyFile == "":
+	case tc.CertFile != _EMPTY_ && tc.CertStore != certstore.STOREEMPTY:
+		return nil, certstore.ErrConflictCertFileAndStore
+	case tc.CertFile != _EMPTY_ && tc.KeyFile == _EMPTY_:
 		return nil, fmt.Errorf("missing 'key_file' in TLS configuration")
-	case tc.CertFile == "" && tc.KeyFile != "":
+	case tc.CertFile == _EMPTY_ && tc.KeyFile != _EMPTY_:
 		return nil, fmt.Errorf("missing 'cert_file' in TLS configuration")
-	case tc.CertFile != "" && tc.KeyFile != "":
+	case tc.CertFile != _EMPTY_ && tc.KeyFile != _EMPTY_:
 		// Now load in cert and private key
 		cert, err := tls.LoadX509KeyPair(tc.CertFile, tc.KeyFile)
 		if err != nil {
@@ -4385,6 +4524,11 @@ func GenTLSConfig(tc *TLSConfigOpts) (*tls.Config, error) {
 			return nil, fmt.Errorf("error parsing certificate: %v", err)
 		}
 		config.Certificates = []tls.Certificate{cert}
+	case tc.CertStore != certstore.STOREEMPTY:
+		err := certstore.TLSConfig(tc.CertStore, tc.CertMatchBy, tc.CertMatch, &config)
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	// Require client certificates as needed
@@ -4721,7 +4865,7 @@ func setBaselineOptions(opts *Options) {
 		opts.JetStreamMaxStore = -1
 	}
 
-	// Memphis
+	// ** added by Memphis
 	if !opts.JetStream { // enable JS by default
 		opts.JetStream = true
 	}
@@ -4786,6 +4930,7 @@ func setBaselineOptions(opts *Options) {
 			opts.RestGwHost = fmt.Sprintf("http://memphis-rest-gateway.%s.svc.cluster.local:%v", opts.K8sNamespace, opts.RestGwPort)
 		}
 	}
+	// ** added by Memphis
 }
 
 func getDefaultAuthTimeout(tls *tls.Config, tlsTimeout float64) float64 {
@@ -4836,9 +4981,10 @@ func ConfigureOptions(fs *flag.FlagSet, args []string, printVersion, printHelp,
 	fs.BoolVar(&dbgAndTrcAndVerboseTrc, "DVV", false, "Enable Debug and Verbose Trace logging. (Traces system account as well)")
 	fs.BoolVar(&opts.Logtime, "T", true, "Timestamp log entries.")
 	fs.BoolVar(&opts.Logtime, "logtime", true, "Timestamp log entries.")
-	fs.StringVar(&opts.Username, "user", "", "Username required for connection.")
-	fs.StringVar(&opts.Password, "pass", "", "Password required for connection.")
-	fs.StringVar(&opts.Authorization, "auth", "", "Authorization token required for connection.")
+	fs.BoolVar(&opts.LogtimeUTC, "logtime_utc", false, "Timestamps in UTC instead of local timezone.")
+	fs.StringVar(&opts.Username, "user", _EMPTY_, "Username required for connection.")
+	fs.StringVar(&opts.Password, "pass", _EMPTY_, "Password required for connection.")
+	fs.StringVar(&opts.Authorization, "auth", _EMPTY_, "Authorization token required for connection.")
 	fs.IntVar(&opts.HTTPPort, "m", 0, "HTTP Port for /varz, /connz endpoints.")
 	fs.IntVar(&opts.HTTPPort, "http_port", 0, "HTTP Port for /varz, /connz endpoints.")
 	fs.IntVar(&opts.HTTPSPort, "ms", 0, "HTTPS Port for /varz, /connz endpoints.")
@@ -4975,7 +5121,7 @@ func ConfigureOptions(fs *flag.FlagSet, args []string, printVersion, printHelp,
 	// Parse config if given
 	if configFile != _EMPTY_ {
 		// This will update the options with values from the config file.
-		err := opts.ProcessConfigFile(configFile, false)
+		err := opts.ProcessConfigFile(configFile, false) // ** false added by Memphis
 		if err != nil {
 			if opts.CheckConfig {
 				return nil, err
diff --git a/server/opts_test.go b/server/opts_test.go
index 1a149925f..a473d7efc 100644
--- a/server/opts_test.go
+++ b/server/opts_test.go
@@ -1348,7 +1348,7 @@ func TestPanic(t *testing.T) {
 func TestPingIntervalOld(t *testing.T) {
 	conf := createConfFile(t, []byte(`ping_interval: 5`))
 	opts := &Options{}
-	err := opts.ProcessConfigFile(conf, false)
+	err := opts.ProcessConfigFile(conf, false) // ** false added by Memphis
 	if err == nil {
 		t.Fatalf("expected an error")
 	}
@@ -1370,7 +1370,7 @@ func TestPingIntervalOld(t *testing.T) {
 func TestPingIntervalNew(t *testing.T) {
 	conf := createConfFile(t, []byte(`ping_interval: "5m"`))
 	opts := &Options{}
-	if err := opts.ProcessConfigFile(conf, false); err != nil {
+	if err := opts.ProcessConfigFile(conf, false); err != nil { // ** false added by Memphis
 		t.Fatalf("expected no error")
 	}
 	if opts.PingInterval != 5*time.Minute {
@@ -1389,7 +1389,7 @@ func TestOptionsProcessConfigFile(t *testing.T) {
 		LogFile: logFileName,
 	}
 	configFileName := "./configs/test.conf"
-	if err := opts.ProcessConfigFile(configFileName, false); err != nil {
+	if err := opts.ProcessConfigFile(configFileName, false); err != nil { // ** false added by Memphis
 		t.Fatalf("Error processing config file: %v", err)
 	}
 	// Verify that values are as expected
@@ -2533,13 +2533,9 @@ func TestParsingLeafNodeRemotes(t *testing.T) {
 }
 
 func TestLargeMaxControlLine(t *testing.T) {
-	confFileName := "big_mcl.conf"
-	content := `
-    max_control_line = 3000000000
-    `
-	if err := os.WriteFile(confFileName, []byte(content), 0666); err != nil {
-		t.Fatalf("Error writing config file: %v", err)
-	}
+	confFileName := createConfFile(t, []byte(`
+		max_control_line = 3000000000
+	`))
 	if _, err := ProcessConfigFile(confFileName); err == nil {
 		t.Fatalf("Expected an error from too large of a max_control_line entry")
 	}
@@ -2577,7 +2573,7 @@ func TestHandleUnknownTopLevelConfigurationField(t *testing.T) {
 
 	// Verify that we get an error because of unknown "streaming" field.
 	opts := &Options{}
-	if err := opts.ProcessConfigFile(conf, false); err == nil || !strings.Contains(err.Error(), "streaming") {
+	if err := opts.ProcessConfigFile(conf, false); err == nil || !strings.Contains(err.Error(), "streaming") { // false added by Memphis
 		t.Fatal("Expected error, got none")
 	}
 
@@ -2585,7 +2581,7 @@ func TestHandleUnknownTopLevelConfigurationField(t *testing.T) {
 	NoErrOnUnknownFields(true)
 	defer NoErrOnUnknownFields(false)
 
-	if err := opts.ProcessConfigFile(conf, false); err != nil {
+	if err := opts.ProcessConfigFile(conf, false); err != nil { // false added by Memphis
 		t.Fatalf("Unexpected error: %v", err)
 	}
 	if opts.Port != 1234 {
@@ -2602,7 +2598,7 @@ func TestHandleUnknownTopLevelConfigurationField(t *testing.T) {
 			id: "me"
 		}
 	`))
-	if err := opts.ProcessConfigFile(conf, false); err == nil || !strings.Contains(err.Error(), "non_top_level") {
+	if err := opts.ProcessConfigFile(conf, false); err == nil || !strings.Contains(err.Error(), "non_top_level") { // false added by Memphis
 		t.Fatal("Expected error, got none")
 	}
 }
diff --git a/server/parser.go b/server/parser.go
index 3c6b360a1..8501879ab 100644
--- a/server/parser.go
+++ b/server/parser.go
@@ -16,7 +16,6 @@ package server
 import (
 	"bufio"
 	"bytes"
-	"encoding/json"
 	"fmt"
 	"net/http"
 	"net/textproto"
@@ -920,15 +919,7 @@ func (c *client) parse(buf []byte) error {
 					c.argBuf = nil
 				} else {
 					arg = buf[c.as : i-c.drop]
-
-					d := json.NewDecoder(strings.NewReader(string(arg)))
-					err := d.Decode(&c.opts)
-
-					if err != nil {
-						return err
-					}
 				}
-
 				if err := c.overMaxControlLineLimit(arg, mcl); err != nil {
 					return err
 				}
@@ -959,6 +950,7 @@ func (c *client) parse(buf []byte) error {
 				authSet = c.awaitingAuth()
 				c.mu.Unlock()
 
+				// ** added by Memphis
 				if c.kind == CLIENT &&
 					!strings.Contains(c.opts.Name, "NATS CLI") &&
 					!c.isWebsocket() &&
@@ -974,6 +966,7 @@ func (c *client) parse(buf []byte) error {
 						goto authErr
 					}
 				}
+				// ** added by Memphis
 			default:
 				if c.argBuf != nil {
 					c.argBuf = append(c.argBuf, b)
@@ -1259,7 +1252,7 @@ accountIdErr:
 parseErr:
 	c.sendErr("Unknown Protocol Operation")
 	snip := protoSnippet(i, PROTO_SNIPPET_SIZE, buf)
-	err := fmt.Errorf("%s parser ERROR, state=%d, i=%d:, name=%s, proto='%s...'", c.kindString(), c.state, i, c.opts.Name, snip)
+	err := fmt.Errorf("%s parser ERROR, state=%d, i=%d:, name=%s, proto='%s...'", c.kindString(), c.state, i, c.opts.Name, snip) // ** name added by Memphis
 	return err
 }
 
diff --git a/server/raft.go b/server/raft.go
index 6a4ed96b7..bee20a1fc 100644
--- a/server/raft.go
+++ b/server/raft.go
@@ -25,6 +25,7 @@ import (
 	"net"
 	"os"
 	"path/filepath"
+	"strings"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -346,16 +347,16 @@ func (s *Server) startRaftNode(accName string, cfg *RaftConfig) (RaftNode, error
 	if cfg == nil {
 		return nil, errNilCfg
 	}
-	s.mu.Lock()
+	s.mu.RLock()
 	if s.sys == nil {
-		s.mu.Unlock()
+		s.mu.RUnlock()
 		return nil, ErrNoSysAccount
 	}
 	sq := s.sys.sq
 	sacc := s.sys.account
 	hash := s.sys.shash
 	pub := s.info.ID
-	s.mu.Unlock()
+	s.mu.RUnlock()
 
 	ps, err := readPeerState(cfg.Store)
 	if err != nil {
@@ -485,6 +486,12 @@ func (s *Server) startRaftNode(accName string, cfg *RaftConfig) (RaftNode, error
 
 	n.debug("Started")
 
+	// Check if we need to start in observer mode due to lame duck status.
+	if s.isLameDuckMode() {
+		n.debug("Will start in observer mode due to lame duck status")
+		n.SetObserver(true)
+	}
+
 	n.Lock()
 	n.resetElectionTimeout()
 	n.llqrt = time.Now()
@@ -556,11 +563,10 @@ func (s *Server) lookupRaftNode(group string) RaftNode {
 	return n
 }
 
-func (s *Server) reloadDebugRaftNodes() {
+func (s *Server) reloadDebugRaftNodes(debug bool) {
 	if s == nil {
 		return
 	}
-	debug := atomic.LoadInt32(&s.logging.debug) > 0
 	s.rnMu.RLock()
 	for _, ni := range s.raftNodes {
 		n := ni.(*raft)
@@ -611,6 +617,9 @@ func (s *Server) shutdownRaftNodes() {
 	}
 }
 
+// Used in lameduck mode to move off the leaders.
+// We also put all nodes in observer mode so new leaders
+// can not be placed on this server.
 func (s *Server) transferRaftLeaders() bool {
 	if s == nil {
 		return false
@@ -631,6 +640,7 @@ func (s *Server) transferRaftLeaders() bool {
 			node.StepDown()
 			didTransfer = true
 		}
+		node.SetObserver(true)
 	}
 	return didTransfer
 }
@@ -654,7 +664,7 @@ func (n *raft) Propose(data []byte) error {
 	prop := n.prop
 	n.RUnlock()
 
-	prop.push(&Entry{EntryNormal, data})
+	prop.push(newEntry(EntryNormal, data))
 	return nil
 }
 
@@ -706,7 +716,7 @@ func (n *raft) ProposeAddPeer(peer string) error {
 	prop := n.prop
 	n.RUnlock()
 
-	prop.push(&Entry{EntryAddPeer, []byte(peer)})
+	prop.push(newEntry(EntryAddPeer, []byte(peer)))
 	return nil
 }
 
@@ -739,7 +749,7 @@ func (n *raft) ProposeRemovePeer(peer string) error {
 	}
 
 	if isLeader {
-		prop.push(&Entry{EntryRemovePeer, []byte(peer)})
+		prop.push(newEntry(EntryRemovePeer, []byte(peer)))
 		n.doRemovePeerAsLeader(peer)
 		return nil
 	}
@@ -845,7 +855,13 @@ func (n *raft) ResumeApply() {
 		}
 	}
 	n.hcommit = 0
-	n.resetElectionTimeout()
+
+	// If we had been selected to be the next leader campaign here now that we have resumed.
+	if n.lxfer {
+		n.xferCampaign()
+	} else {
+		n.resetElectionTimeout()
+	}
 }
 
 // Applied is to be called when the FSM has applied the committed entries.
@@ -855,6 +871,11 @@ func (n *raft) Applied(index uint64) (entries uint64, bytes uint64) {
 	n.Lock()
 	defer n.Unlock()
 
+	// Ignore if not applicable. This can happen during a reset.
+	if index > n.commit {
+		return 0, 0
+	}
+
 	// Ignore if already applied.
 	if index > n.applied {
 		n.applied = index
@@ -939,7 +960,7 @@ func (n *raft) InstallSnapshot(data []byte) error {
 	var state StreamState
 	n.wal.FastState(&state)
 
-	if n.applied == 0 || len(data) == 0 {
+	if n.applied == 0 {
 		n.Unlock()
 		return errNoSnapAvailable
 	}
@@ -1074,7 +1095,7 @@ func (n *raft) setupLastSnapshot() {
 		n.pterm = snap.lastTerm
 		n.commit = snap.lastIndex
 		n.applied = snap.lastIndex
-		n.apply.push(&CommittedEntry{n.commit, []*Entry{{EntrySnapshot, snap.data}}})
+		n.apply.push(newCommittedEntry(n.commit, []*Entry{{EntrySnapshot, snap.data}}))
 		if _, err := n.wal.Compact(snap.lastIndex + 1); err != nil {
 			n.setWriteErrLocked(err)
 		}
@@ -1151,9 +1172,16 @@ func (n *raft) isCatchingUp() bool {
 	return n.catchup != nil
 }
 
-// Lock should be held. This function may block for up to ~5ms to check
+// This function may block for up to ~10ms to check
 // forward progress in some cases.
+// Lock should be held.
 func (n *raft) isCurrent(includeForwardProgress bool) bool {
+	// Check if we are closed.
+	if n.state == Closed {
+		n.debug("Not current, node is closed")
+		return false
+	}
+
 	// Check whether we've made progress on any state, 0 is invalid so not healthy.
 	if n.commit == 0 {
 		n.debug("Not current, no commits")
@@ -1197,9 +1225,9 @@ func (n *raft) isCurrent(includeForwardProgress bool) bool {
 	// forward progress.
 	if startDelta := n.commit - n.applied; startDelta > 0 {
 		for i := 0; i < 10; i++ { // 5ms, in 0.5ms increments
-			n.RUnlock()
-			time.Sleep(time.Millisecond / 2)
-			n.RLock()
+			n.Unlock()
+			time.Sleep(time.Millisecond)
+			n.Lock()
 			if n.commit-n.applied < startDelta {
 				// The gap is getting smaller, so we're making forward progress.
 				return true
@@ -1216,8 +1244,8 @@ func (n *raft) Current() bool {
 	if n == nil {
 		return false
 	}
-	n.RLock()
-	defer n.RUnlock()
+	n.Lock()
+	defer n.Unlock()
 	return n.isCurrent(false)
 }
 
@@ -1226,8 +1254,8 @@ func (n *raft) Healthy() bool {
 	if n == nil {
 		return false
 	}
-	n.RLock()
-	defer n.RUnlock()
+	n.Lock()
+	defer n.Unlock()
 	return n.isCurrent(true)
 }
 
@@ -1324,7 +1352,12 @@ func (n *raft) StepDown(preferred ...string) error {
 		}
 	}
 
+	// Clear our vote state.
+	n.vote = noVote
+	n.writeTermVote()
+
 	stepdown := n.stepdown
+	prop := n.prop
 	n.Unlock()
 
 	if len(preferred) > 0 && maybeLeader == noLeader {
@@ -1334,11 +1367,12 @@ func (n *raft) StepDown(preferred ...string) error {
 	// If we have a new leader selected, transfer over to them.
 	if maybeLeader != noLeader {
 		n.debug("Selected %q for new leader", maybeLeader)
-		n.sendAppendEntry([]*Entry{{EntryLeaderTransfer, []byte(maybeLeader)}})
+		prop.push(newEntry(EntryLeaderTransfer, []byte(maybeLeader)))
+	} else {
+		// Force us to stepdown here.
+		n.debug("Stepping down")
+		stepdown.push(noLeader)
 	}
-	// Force us to stepdown here.
-	n.debug("Stepping down")
-	stepdown.push(noLeader)
 
 	return nil
 }
@@ -1371,6 +1405,7 @@ func (n *raft) campaign() error {
 func (n *raft) xferCampaign() error {
 	n.debug("Starting transfer campaign")
 	if n.state == Leader {
+		n.lxfer = false
 		return errAlreadyLeader
 	}
 	n.resetElect(10 * time.Millisecond)
@@ -1439,12 +1474,6 @@ func (n *raft) Peers() []*Peer {
 // Update our known set of peers.
 func (n *raft) UpdateKnownPeers(knownPeers []string) {
 	n.Lock()
-	// If this is a scale up, let the normal add peer logic take precedence.
-	// Otherwise if the new peers are slow to start we stall ourselves.
-	if len(knownPeers) > len(n.peers) {
-		n.Unlock()
-		return
-	}
 	// Process like peer state update.
 	ps := &peerState{knownPeers, len(knownPeers), n.extSt}
 	n.processPeerState(ps)
@@ -1739,9 +1768,21 @@ func (n *raft) setObserver(isObserver bool, extSt extensionState) {
 
 // Invoked when being notified that there is something in the entryc's queue
 func (n *raft) processAppendEntries() {
+	canProcess := true
+	if n.isClosed() {
+		n.debug("AppendEntry not processing inbound, closed")
+		canProcess = false
+	}
+	if n.outOfResources() {
+		n.debug("AppendEntry not processing inbound, no resources")
+		canProcess = false
+	}
+	// Always pop the entries, but check if we can process them.
 	aes := n.entry.pop()
-	for _, ae := range aes {
-		n.processAppendEntry(ae, ae.sub)
+	if canProcess {
+		for _, ae := range aes {
+			n.processAppendEntry(ae, ae.sub)
+		}
 	}
 	n.entry.recycle(&aes)
 }
@@ -1768,6 +1809,13 @@ func (n *raft) runAsFollower() {
 				n.debug("Not switching to candidate, observer only")
 			} else if n.isCatchingUp() {
 				n.debug("Not switching to candidate, catching up")
+				// Check to see if our catchup has stalled.
+				n.Lock()
+				if n.catchupStalled() {
+					n.cancelCatchup()
+				}
+				n.resetElectionTimeout()
+				n.Unlock()
 			} else {
 				n.switchToCandidate()
 				return
@@ -1792,12 +1840,60 @@ func (n *raft) runAsFollower() {
 	}
 }
 
+// Pool for CommitedEntry re-use.
+var cePool = sync.Pool{
+	New: func() any {
+		return &CommittedEntry{}
+	},
+}
+
 // CommitEntry is handed back to the user to apply a commit to their FSM.
 type CommittedEntry struct {
 	Index   uint64
 	Entries []*Entry
 }
 
+// Create a new ComittedEntry.
+func newCommittedEntry(index uint64, entries []*Entry) *CommittedEntry {
+	ce := cePool.Get().(*CommittedEntry)
+	ce.Index, ce.Entries = index, entries
+	return ce
+}
+
+func (ce *CommittedEntry) ReturnToPool() {
+	if ce == nil {
+		return
+	}
+	if len(ce.Entries) > 0 {
+		for _, e := range ce.Entries {
+			entryPool.Put(e)
+		}
+	}
+	ce.Index, ce.Entries = 0, nil
+	cePool.Put(ce)
+}
+
+// Pool for Entry re-use.
+var entryPool = sync.Pool{
+	New: func() any {
+		return &Entry{}
+	},
+}
+
+// Helper to create new entries.
+func newEntry(t EntryType, data []byte) *Entry {
+	entry := entryPool.Get().(*Entry)
+	entry.Type, entry.Data = t, data
+	return entry
+}
+
+// Pool for appendEntry re-use.
+var aePool = sync.Pool{
+	New: func() any {
+		return &appendEntry{}
+	},
+}
+
 // appendEntry is the main struct that is used to sync raft peers.
 type appendEntry struct {
 	leader  string
@@ -1812,6 +1908,20 @@ type appendEntry struct {
 	buf   []byte
 }
 
+// Create a new appendEntry.
+func newAppendEntry(leader string, term, commit, pterm, pindex uint64, entries []*Entry) *appendEntry {
+	ae := aePool.Get().(*appendEntry)
+	ae.leader, ae.term, ae.commit, ae.pterm, ae.pindex, ae.entries = leader, term, commit, pterm, pindex, entries
+	ae.reply, ae.sub, ae.buf = _EMPTY_, nil, nil
+	return ae
+}
+
+// Will return this append entry, and its interior entries to their respective pools.
+func (ae *appendEntry) returnToPool() {
+	ae.entries, ae.buf, ae.sub, ae.reply = nil, nil, nil, _EMPTY_
+	aePool.Put(ae)
+}
+
 type EntryType uint8
 
 const (
@@ -1903,15 +2013,10 @@ func (n *raft) decodeAppendEntry(msg []byte, sub *subscription, reply string) (*
 	}
 
 	var le = binary.LittleEndian
-	ae := &appendEntry{
-		leader: string(msg[:idLen]),
-		term:   le.Uint64(msg[8:]),
-		commit: le.Uint64(msg[16:]),
-		pterm:  le.Uint64(msg[24:]),
-		pindex: le.Uint64(msg[32:]),
-		sub:    sub,
-		reply:  reply,
-	}
+
+	ae := newAppendEntry(string(msg[:idLen]), le.Uint64(msg[8:]), le.Uint64(msg[16:]), le.Uint64(msg[24:]), le.Uint64(msg[32:]), nil)
+	ae.reply, ae.sub = reply, sub
+
 	// Decode Entries.
 	ne, ri := int(le.Uint16(msg[40:])), 42
 	for i, max := 0, len(msg); i < ne; i++ {
@@ -1923,27 +2028,42 @@ func (n *raft) decodeAppendEntry(msg []byte, sub *subscription, reply string) (*
 		if le <= 0 || ri+le > max {
 			return nil, errBadAppendEntry
 		}
-		etype := EntryType(msg[ri])
-		ae.entries = append(ae.entries, &Entry{etype, msg[ri+1 : ri+le]})
+		entry := newEntry(EntryType(msg[ri]), msg[ri+1:ri+le])
+		ae.entries = append(ae.entries, entry)
 		ri += le
 	}
 	ae.buf = msg
 	return ae, nil
 }
 
+// Pool for appendEntryResponse re-use.
+var arPool = sync.Pool{
+	New: func() any {
+		return &appendEntryResponse{}
+	},
+}
+
+// We want to make sure this does not change from system changing length of syshash.
+const idLen = 8
+const appendEntryResponseLen = 24 + 1
+
 // appendEntryResponse is our response to a received appendEntry.
 type appendEntryResponse struct {
 	term    uint64
 	index   uint64
 	peer    string
+	reply   string // internal usage.
 	success bool
-	// internal
-	reply string
 }
 
-// We want to make sure this does not change from system changing length of syshash.
-const idLen = 8
-const appendEntryResponseLen = 24 + 1
+// Create a new appendEntryResponse.
+func newAppendEntryResponse(term, index uint64, peer string, success bool) *appendEntryResponse {
+	ar := arPool.Get().(*appendEntryResponse)
+	ar.term, ar.index, ar.peer, ar.success = term, index, peer, success
+	// Always empty out.
+	ar.reply = _EMPTY_
+	return ar
+}
 
 func (ar *appendEntryResponse) encode(b []byte) []byte {
 	var buf []byte
@@ -1964,16 +2084,25 @@ func (ar *appendEntryResponse) encode(b []byte) []byte {
 	return buf[:appendEntryResponseLen]
 }
 
+// Track all peers we may have ever seen to use an string interns for appendEntryResponse decoding.
+var peers sync.Map
+
 func (n *raft) decodeAppendEntryResponse(msg []byte) *appendEntryResponse {
 	if len(msg) != appendEntryResponseLen {
 		return nil
 	}
 	var le = binary.LittleEndian
-	ar := &appendEntryResponse{
-		term:  le.Uint64(msg[0:]),
-		index: le.Uint64(msg[8:]),
-		peer:  string(msg[16 : 16+idLen]),
+	ar := arPool.Get().(*appendEntryResponse)
+	ar.term = le.Uint64(msg[0:])
+	ar.index = le.Uint64(msg[8:])
+
+	peer, ok := peers.Load(string(msg[16 : 16+idLen]))
+	if !ok {
+		// We missed so store inline here.
+		peer = string(msg[16 : 16+idLen])
+		peers.Store(peer, peer)
 	}
+	ar.peer = peer.(string)
 	ar.success = msg[24] == 1
 	return ar
 }
@@ -1990,8 +2119,6 @@ func (n *raft) handleForwardedRemovePeerProposal(sub *subscription, c *client, _
 		n.warn("Received invalid peer name for remove proposal: %q", msg)
 		return
 	}
-	// Need to copy since this is underlying client/route buffer.
-	peer := string(copyBytes(msg))
 
 	n.RLock()
 	prop, werr := n.prop, n.werr
@@ -2002,7 +2129,9 @@ func (n *raft) handleForwardedRemovePeerProposal(sub *subscription, c *client, _
 		return
 	}
 
-	prop.push(&Entry{EntryRemovePeer, []byte(peer)})
+	// Need to copy since this is underlying client/route buffer.
+	peer := copyBytes(msg)
+	prop.push(newEntry(EntryRemovePeer, peer))
 }
 
 // Called when a peer has forwarded a proposal.
@@ -2023,7 +2152,7 @@ func (n *raft) handleForwardedProposal(sub *subscription, c *client, _ *Account,
 		return
 	}
 
-	prop.push(&Entry{EntryNormal, msg})
+	prop.push(newEntry(EntryNormal, msg))
 }
 
 func (n *raft) runAsLeader() {
@@ -2055,6 +2184,7 @@ func (n *raft) runAsLeader() {
 		n.Unlock()
 	}()
 
+	// To send out our initial peer state.
 	n.sendPeerState()
 
 	hb := time.NewTicker(hbInterval)
@@ -2092,11 +2222,20 @@ func (n *raft) runAsLeader() {
 					continue
 				}
 				n.sendAppendEntry(entries)
-				// We need to re-craete `entries` because there is a reference
+
+				// If this is us sending out a leadership transfer stepdown inline here.
+				if b.Type == EntryLeaderTransfer {
+					n.prop.recycle(&es)
+					n.debug("Stepping down due to leadership transfer")
+					n.switchToFollower(noLeader)
+					return
+				}
+				// We need to re-create `entries` because there is a reference
 				// to it in the node's pae map.
 				entries = nil
 			}
 			n.prop.recycle(&es)
+
 		case <-hb.C:
 			if n.notActive() {
 				n.sendHeartbeat()
@@ -2203,6 +2342,7 @@ func (n *raft) runCatchup(ar *appendEntryResponse, indexUpdatesQ *ipQueue[uint64
 	n.RUnlock()
 
 	defer s.grWG.Done()
+	defer arPool.Put(ar)
 
 	defer func() {
 		n.Lock()
@@ -2295,6 +2435,8 @@ func (n *raft) sendSnapshotToFollower(subject string) (uint64, error) {
 	if err != nil {
 		// We need to stepdown here when this happens.
 		n.stepdown.push(noLeader)
+		// We need to reset our state here as well.
+		n.resetWAL()
 		return 0, err
 	}
 	// Go ahead and send the snapshot and peerstate here as first append entry to the catchup follower.
@@ -2338,6 +2480,7 @@ func (n *raft) catchupFollower(ar *appendEntryResponse) {
 		if lastIndex, err := n.sendSnapshotToFollower(ar.reply); err != nil {
 			n.error("Error sending snapshot to follower [%s]: %v", ar.peer, err)
 			n.Unlock()
+			arPool.Put(ar)
 			return
 		} else {
 			start = lastIndex + 1
@@ -2345,6 +2488,7 @@ func (n *raft) catchupFollower(ar *appendEntryResponse) {
 			if state.Msgs == 0 || start > state.LastSeq {
 				n.debug("Finished catching up")
 				n.Unlock()
+				arPool.Put(ar)
 				return
 			}
 			n.debug("Snapshot sent, reset first catchup entry to %d", lastIndex)
@@ -2354,11 +2498,23 @@ func (n *raft) catchupFollower(ar *appendEntryResponse) {
 	ae, err := n.loadEntry(start)
 	if err != nil {
 		n.warn("Request from follower for entry at index [%d] errored for state %+v - %v", start, state, err)
+		if err == ErrStoreEOF {
+			// If we are here we are seeing a request for an item beyond our state, meaning we should stepdown.
+			n.stepdown.push(noLeader)
+			n.Unlock()
+			arPool.Put(ar)
+			return
+		}
 		ae, err = n.loadFirstEntry()
 	}
 	if err != nil || ae == nil {
 		n.warn("Could not find a starting entry for catchup request: %v", err)
+		// If we are here we are seeing a request for an item we do not have, meaning we should stepdown.
+		// This is possible on a reset of our WAL but the other side has a snapshot already.
+		// If we do not stepdown this can cycle.
+		n.stepdown.push(noLeader)
 		n.Unlock()
+		arPool.Put(ar)
 		return
 	}
 	if ae.pindex != ar.index || ae.pterm != ar.term {
@@ -2411,12 +2567,16 @@ func (n *raft) applyCommit(index uint64) error {
 		var err error
 		if ae, err = n.loadEntry(index); err != nil {
 			if err != ErrStoreClosed && err != ErrStoreEOF {
-				if err == errBadMsg {
-					n.setWriteErrLocked(err)
+				n.warn("Got an error loading %d index: %v - will reset", index, err)
+				if n.state == Leader {
+					n.stepdown.push(n.selectNextLeader())
 				}
-				n.warn("Got an error loading %d index: %v", index, err)
+				// Reset and cancel any catchup.
+				n.resetWAL()
+				n.cancelCatchup()
+			} else {
+				n.commit = original
 			}
-			n.commit = original
 			return errEntryLoadFailed
 		}
 	} else {
@@ -2432,7 +2592,7 @@ func (n *raft) applyCommit(index uint64) error {
 			committed = append(committed, e)
 		case EntryOldSnapshot:
 			// For old snapshots in our WAL.
-			committed = append(committed, &Entry{EntrySnapshot, e.Data})
+			committed = append(committed, newEntry(EntrySnapshot, e.Data))
 		case EntrySnapshot:
 			committed = append(committed, e)
 		case EntryPeerState:
@@ -2445,6 +2605,9 @@ func (n *raft) applyCommit(index uint64) error {
 			newPeer := string(e.Data)
 			n.debug("Added peer %q", newPeer)
 
+			// Store our peer in our global peer map for all peers.
+			peers.LoadOrStore(newPeer, newPeer)
+
 			// If we were on the removed list reverse that here.
 			if n.removed != nil {
 				delete(n.removed, newPeer)
@@ -2487,6 +2650,9 @@ func (n *raft) applyCommit(index uint64) error {
 				n.stepdown.push(n.selectNextLeader())
 			}
 
+			// Remove from string intern map.
+			peers.Delete(peer)
+
 			// We pass these up as well.
 			committed = append(committed, e)
 		}
@@ -2496,17 +2662,23 @@ func (n *raft) applyCommit(index uint64) error {
 		if fpae {
 			delete(n.pae, index)
 		}
-		n.apply.push(&CommittedEntry{index, committed})
+		n.apply.push(newCommittedEntry(index, committed))
 	} else {
 		// If we processed inline update our applied index.
 		n.applied = index
 	}
+	// Place back in the pool.
+	ae.returnToPool()
 	return nil
 }
 
 // Used to track a success response and apply entries.
 func (n *raft) trackResponse(ar *appendEntryResponse) {
 	n.Lock()
+	if n.state == Closed {
+		n.Unlock()
+		return
+	}
 
 	// Update peer's last index.
 	if ps := n.peers[ar.peer]; ps != nil && ar.index > ps.li {
@@ -2532,8 +2704,8 @@ func (n *raft) trackResponse(ar *appendEntryResponse) {
 		if nr := len(results); nr >= n.qn {
 			// We have a quorum.
 			for index := n.commit + 1; index <= ar.index; index++ {
-				if err := n.applyCommit(index); err != nil {
-					n.error("Got an error apply commit for %d: %v", index, err)
+				if err := n.applyCommit(index); err != nil && err != errNodeClosed {
+					n.error("Got an error applying commit for %d: %v", index, err)
 					break
 				}
 			}
@@ -2671,11 +2843,6 @@ func (n *raft) runAsCandidate() {
 
 // handleAppendEntry handles an append entry from the wire.
 func (n *raft) handleAppendEntry(sub *subscription, c *client, _ *Account, subject, reply string, msg []byte) {
-	if n.outOfResources() {
-		n.debug("AppendEntry not processing inbound, no resources")
-		return
-	}
-
 	msg = copyBytes(msg)
 	if ae, err := n.decodeAppendEntry(msg, sub, reply); err == nil {
 		n.entry.push(ae)
@@ -2760,7 +2927,7 @@ func (n *raft) truncateWAL(term, index uint64) {
 		if err == ErrInvalidSequence {
 			n.debug("Resetting WAL")
 			n.wal.Truncate(0)
-			index, n.pterm, n.pindex = 0, 0, 0
+			index, n.term, n.pterm, n.pindex = 0, 0, 0, 0
 		} else {
 			n.warn("Error truncating WAL: %v", err)
 			n.setWriteErrLocked(err)
@@ -2769,7 +2936,7 @@ func (n *raft) truncateWAL(term, index uint64) {
 	}
 
 	// Set after we know we have truncated properly.
-	n.pterm, n.pindex = term, index
+	n.term, n.pterm, n.pindex = term, term, index
 }
 
 // Reset our WAL.
@@ -2806,7 +2973,8 @@ func (n *raft) processAppendEntry(ae *appendEntry, sub *subscription) {
 
 	// Are we receiving from another leader.
 	if n.state == Leader {
-		if ae.term > n.term {
+		// If we are the same we should step down to break the tie.
+		if ae.term >= n.term {
 			n.term = ae.term
 			n.vote = noVote
 			n.writeTermVote()
@@ -2814,9 +2982,10 @@ func (n *raft) processAppendEntry(ae *appendEntry, sub *subscription) {
 			n.stepdown.push(ae.leader)
 		} else {
 			// Let them know we are the leader.
-			ar := &appendEntryResponse{n.term, n.pindex, n.id, false, _EMPTY_}
+			ar := newAppendEntryResponse(n.term, n.pindex, n.id, false)
 			n.debug("AppendEntry ignoring old term from another leader")
 			n.sendRPC(ae.reply, _EMPTY_, ar.encode(arbuf))
+			arPool.Put(ar)
 		}
 		// Always return here from processing.
 		n.Unlock()
@@ -2848,15 +3017,6 @@ func (n *raft) processAppendEntry(ae *appendEntry, sub *subscription) {
 		}
 	}
 
-	// Ignore old terms.
-	if isNew && ae.term < n.term {
-		ar := &appendEntryResponse{n.term, n.pindex, n.id, false, _EMPTY_}
-		n.Unlock()
-		n.debug("AppendEntry ignoring old term")
-		n.sendRPC(ae.reply, _EMPTY_, ar.encode(arbuf))
-		return
-	}
-
 	// If we are catching up ignore old catchup subs.
 	// This could happen when we stall or cancel a catchup.
 	if !isNew && catchingUp && sub != n.catchup.sub {
@@ -2879,11 +3039,12 @@ func (n *raft) processAppendEntry(ae *appendEntry, sub *subscription) {
 			if n.catchupStalled() {
 				n.debug("Catchup may be stalled, will request again")
 				inbox = n.createCatchup(ae)
-				ar = &appendEntryResponse{n.pterm, n.pindex, n.id, false, _EMPTY_}
+				ar = newAppendEntryResponse(n.pterm, n.pindex, n.id, false)
 			}
 			n.Unlock()
 			if ar != nil {
 				n.sendRPC(ae.reply, inbox, ar.encode(arbuf))
+				arPool.Put(ar)
 			}
 			// Ignore new while catching up or replaying.
 			return
@@ -2892,6 +3053,7 @@ func (n *raft) processAppendEntry(ae *appendEntry, sub *subscription) {
 
 	// If this term is greater than ours.
 	if ae.term > n.term {
+		n.pterm = ae.pterm
 		n.term = ae.term
 		n.vote = noVote
 		if isNew {
@@ -2911,7 +3073,7 @@ func (n *raft) processAppendEntry(ae *appendEntry, sub *subscription) {
 		n.updateLeadChange(false)
 	}
 
-	if ae.pterm != n.pterm || ae.pindex != n.pindex {
+	if (isNew && ae.pterm != n.pterm) || ae.pindex != n.pindex {
 		// Check if this is a lower or equal index than what we were expecting.
 		if ae.pindex <= n.pindex {
 			n.debug("AppendEntry detected pindex less than ours: %d:%d vs %d:%d", ae.pterm, ae.pindex, n.pterm, n.pindex)
@@ -2930,9 +3092,10 @@ func (n *raft) processAppendEntry(ae *appendEntry, sub *subscription) {
 			n.cancelCatchup()
 
 			// Create response.
-			ar = &appendEntryResponse{ae.pterm, ae.pindex, n.id, success, _EMPTY_}
+			ar = newAppendEntryResponse(ae.pterm, ae.pindex, n.id, success)
 			n.Unlock()
 			n.sendRPC(ae.reply, _EMPTY_, ar.encode(arbuf))
+			arPool.Put(ar)
 			return
 		}
 
@@ -2980,7 +3143,7 @@ func (n *raft) processAppendEntry(ae *appendEntry, sub *subscription) {
 			}
 
 			// Now send snapshot to upper levels. Only send the snapshot, not the peerstate entry.
-			n.apply.push(&CommittedEntry{n.commit, ae.entries[:1]})
+			n.apply.push(newCommittedEntry(n.commit, ae.entries[:1]))
 			n.Unlock()
 			return
 
@@ -2991,16 +3154,17 @@ func (n *raft) processAppendEntry(ae *appendEntry, sub *subscription) {
 			if ae.pindex > n.pindex {
 				// Setup our state for catching up.
 				inbox := n.createCatchup(ae)
-				ar := &appendEntryResponse{n.pterm, n.pindex, n.id, false, _EMPTY_}
+				ar := newAppendEntryResponse(n.pterm, n.pindex, n.id, false)
 				n.Unlock()
 				n.sendRPC(ae.reply, inbox, ar.encode(arbuf))
+				arPool.Put(ar)
 				return
 			}
 		}
 	}
 
 	// Save to our WAL if we have entries.
-	if len(ae.entries) > 0 {
+	if ae.shouldStore() {
 		// Only store if an original which will have sub != nil
 		if sub != nil {
 			if err := n.storeToWAL(ae); err != nil {
@@ -3025,27 +3189,41 @@ func (n *raft) processAppendEntry(ae *appendEntry, sub *subscription) {
 			n.pterm = ae.term
 			n.pindex = ae.pindex + 1
 		}
+	}
 
-		// Check to see if we have any related entries to process here.
-		for _, e := range ae.entries {
-			switch e.Type {
-			case EntryLeaderTransfer:
-				if isNew {
-					maybeLeader := string(e.Data)
-					if maybeLeader == n.id && !n.observer && !n.paused {
+	// Check to see if we have any related entries to process here.
+	for _, e := range ae.entries {
+		switch e.Type {
+		case EntryLeaderTransfer:
+			// Only process these if they are new, so no replays or catchups.
+			if isNew {
+				maybeLeader := string(e.Data)
+				// This is us. We need to check if we can become the leader.
+				if maybeLeader == n.id {
+					// If not an observer and not paused we are good to go.
+					if !n.observer && !n.paused {
 						n.lxfer = true
 						n.xferCampaign()
+					} else if n.paused && !n.pobserver {
+						// Here we can become a leader but need to wait for resume of the apply channel.
+						n.lxfer = true
 					}
+				} else {
+					// Since we are here we are not the chosen one but we should clear any vote preference.
+					n.vote = noVote
+					n.writeTermVote()
 				}
-			case EntryAddPeer:
-				if newPeer := string(e.Data); len(newPeer) == idLen {
-					// Track directly, but wait for commit to be official
-					if ps := n.peers[newPeer]; ps != nil {
-						ps.ts = time.Now().UnixNano()
-					} else {
-						n.peers[newPeer] = &lps{time.Now().UnixNano(), 0, false}
-					}
+			}
+		case EntryAddPeer:
+			if newPeer := string(e.Data); len(newPeer) == idLen {
+				// Track directly, but wait for commit to be official
+				if ps := n.peers[newPeer]; ps != nil {
+					ps.ts = time.Now().UnixNano()
+				} else {
+					n.peers[newPeer] = &lps{time.Now().UnixNano(), 0, false}
 				}
+				// Store our peer in our global peer map for all peers.
+				peers.LoadOrStore(newPeer, newPeer)
 			}
 		}
 	}
@@ -3066,13 +3244,14 @@ func (n *raft) processAppendEntry(ae *appendEntry, sub *subscription) {
 
 	var ar *appendEntryResponse
 	if sub != nil {
-		ar = &appendEntryResponse{n.pterm, n.pindex, n.id, true, _EMPTY_}
+		ar = newAppendEntryResponse(n.pterm, n.pindex, n.id, true)
 	}
 	n.Unlock()
 
 	// Success. Send our response.
 	if ar != nil {
 		n.sendRPC(ae.reply, _EMPTY_, ar.encode(arbuf))
+		arPool.Put(ar)
 	}
 }
 
@@ -3102,14 +3281,18 @@ func (n *raft) processAppendEntryResponse(ar *appendEntryResponse) {
 
 	if ar.success {
 		n.trackResponse(ar)
+		arPool.Put(ar)
 	} else if ar.term > n.term {
 		// False here and they have a higher term.
+		n.Lock()
 		n.term = ar.term
 		n.vote = noVote
 		n.writeTermVote()
 		n.warn("Detected another leader with higher term, will stepdown and reset")
 		n.stepdown.push(noLeader)
 		n.resetWAL()
+		n.Unlock()
+		arPool.Put(ar)
 	} else if ar.reply != _EMPTY_ {
 		n.catchupFollower(ar)
 	}
@@ -3117,14 +3300,18 @@ func (n *raft) processAppendEntryResponse(ar *appendEntryResponse) {
 
 // handleAppendEntryResponse processes responses to append entries.
 func (n *raft) handleAppendEntryResponse(sub *subscription, c *client, _ *Account, subject, reply string, msg []byte) {
-	msg = copyBytes(msg)
 	ar := n.decodeAppendEntryResponse(msg)
 	ar.reply = reply
 	n.resp.push(ar)
 }
 
 func (n *raft) buildAppendEntry(entries []*Entry) *appendEntry {
-	return &appendEntry{n.id, n.term, n.commit, n.pterm, n.pindex, entries, _EMPTY_, nil, nil}
+	return newAppendEntry(n.id, n.term, n.commit, n.pterm, n.pindex, entries)
+}
+
+// Determine if we should store an entry.
+func (ae *appendEntry) shouldStore() bool {
+	return ae != nil && len(ae.entries) > 0
 }
 
 // Store our append entry to our WAL.
@@ -3136,6 +3323,7 @@ func (n *raft) storeToWAL(ae *appendEntry) error {
 	if n.werr != nil {
 		return n.werr
 	}
+
 	seq, _, err := n.wal.StoreMsg(_EMPTY_, nil, ae.buf)
 	if err != nil {
 		n.setWriteErrLocked(err)
@@ -3144,17 +3332,13 @@ func (n *raft) storeToWAL(ae *appendEntry) error {
 
 	// Sanity checking for now.
 	if index := ae.pindex + 1; index != seq {
-		n.warn("Wrong index, ae is %+v, index stored was %d, n.pindex is %d", ae, seq, n.pindex)
-		if index > seq {
-			// We are missing store state from our state. We need to stepdown at this point.
-			if n.state == Leader {
-				n.stepdown.push(n.selectNextLeader())
-			}
-		} else {
-			// Truncate back to our last known.
-			n.truncateWAL(n.pterm, n.pindex)
-			n.cancelCatchup()
+		n.warn("Wrong index, ae is %+v, index stored was %d, n.pindex is %d, will reset", ae, seq, n.pindex)
+		if n.state == Leader {
+			n.stepdown.push(n.selectNextLeader())
 		}
+		// Reset and cancel any catchup.
+		n.resetWAL()
+		n.cancelCatchup()
 		return errEntryStoreFailed
 	}
 
@@ -3182,7 +3366,8 @@ func (n *raft) sendAppendEntry(entries []*Entry) {
 	}
 
 	// If we have entries store this in our wal.
-	if len(entries) > 0 {
+	shouldStore := ae.shouldStore()
+	if shouldStore {
 		if err := n.storeToWAL(ae); err != nil {
 			return
 		}
@@ -3197,6 +3382,9 @@ func (n *raft) sendAppendEntry(entries []*Entry) {
 		}
 	}
 	n.sendRPC(n.asubj, n.areply, ae.buf)
+	if !shouldStore {
+		ae.returnToPool()
+	}
 }
 
 type extensionState uint16
@@ -3402,8 +3590,17 @@ func (n *raft) setWriteErrLocked(err error) {
 	}
 	n.werr = err
 
-	// For now since this can be happening all under the covers, we will call up and disable JetStream.
-	go n.s.handleOutOfSpace(nil)
+	if isOutOfSpaceErr(err) {
+		// For now since this can be happening all under the covers, we will call up and disable JetStream.
+		go n.s.handleOutOfSpace(nil)
+	}
+}
+
+// Helper to check if we are closed when we do not hold a lock already.
+func (n *raft) isClosed() bool {
+	n.RLock()
+	defer n.RUnlock()
+	return n.state == Closed
 }
 
 // Capture our write error if any and hold.
@@ -3422,12 +3619,6 @@ func (n *raft) fileWriter() {
 	psf := filepath.Join(n.sd, peerStateFile)
 	n.RUnlock()
 
-	isClosed := func() bool {
-		n.RLock()
-		defer n.RUnlock()
-		return n.state == Closed
-	}
-
 	for s.isRunning() {
 		select {
 		case <-n.quit:
@@ -3440,7 +3631,7 @@ func (n *raft) fileWriter() {
 			<-dios
 			err := os.WriteFile(tvf, buf[:], 0640)
 			dios <- struct{}{}
-			if err != nil && !isClosed() {
+			if err != nil && !n.isClosed() {
 				n.setWriteErr(err)
 				n.warn("Error writing term and vote file for %q: %v", n.group, err)
 			}
@@ -3451,7 +3642,7 @@ func (n *raft) fileWriter() {
 			<-dios
 			err := os.WriteFile(psf, buf, 0640)
 			dios <- struct{}{}
-			if err != nil && !isClosed() {
+			if err != nil && !n.isClosed() {
 				n.setWriteErr(err)
 				n.warn("Error writing peer state file for %q: %v", n.group, err)
 			}
@@ -3556,10 +3747,11 @@ func (n *raft) processVoteRequest(vr *voteRequest) error {
 	// If this is a higher term go ahead and stepdown.
 	if vr.term > n.term {
 		if n.state != Follower {
-			n.debug("Stepping down from candidate, detected higher term: %d vs %d", vr.term, n.term)
+			n.debug("Stepping down from %s, detected higher term: %d vs %d",
+				strings.ToLower(n.state.String()), vr.term, n.term)
 			n.stepdown.push(noLeader)
+			n.term = vr.term
 		}
-		n.term = vr.term
 		n.vote = noVote
 		n.writeTermVote()
 	}
@@ -3568,6 +3760,7 @@ func (n *raft) processVoteRequest(vr *voteRequest) error {
 	voteOk := n.vote == noVote || n.vote == vr.candidate
 	if voteOk && (vr.lastTerm > n.pterm || vr.lastTerm == n.pterm && vr.lastIndex >= n.pindex) {
 		vresp.granted = true
+		n.term = vr.term
 		n.vote = vr.candidate
 		n.writeTermVote()
 	} else {
diff --git a/server/raft_helpers_test.go b/server/raft_helpers_test.go
new file mode 100644
index 000000000..6d235d35a
--- /dev/null
+++ b/server/raft_helpers_test.go
@@ -0,0 +1,276 @@
+// Copyright 2023 The NATS Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Do not exlude this file with the !skip_js_tests since those helpers
+// are also used by MQTT.
+
+package server
+
+import (
+	"encoding/binary"
+	"fmt"
+	"math/rand"
+	"sync"
+	"testing"
+	"time"
+)
+
+type stateMachine interface {
+	server() *Server
+	node() RaftNode
+	// This will call forward as needed so can be called on any node.
+	propose(data []byte)
+	// When entries have been committed and can be applied.
+	applyEntry(ce *CommittedEntry)
+	// When a leader change happens.
+	leaderChange(isLeader bool)
+	// Stop the raft group.
+	stop()
+	// Restart
+	restart()
+}
+
+// Factory function needed for constructor.
+type smFactory func(s *Server, cfg *RaftConfig, node RaftNode) stateMachine
+
+type smGroup []stateMachine
+
+// Leader of the group.
+func (sg smGroup) leader() stateMachine {
+	for _, sm := range sg {
+		if sm.node().Leader() {
+			return sm
+		}
+	}
+	return nil
+}
+
+// Wait on a leader to be elected.
+func (sg smGroup) waitOnLeader() {
+	expires := time.Now().Add(10 * time.Second)
+	for time.Now().Before(expires) {
+		for _, sm := range sg {
+			if sm.node().Leader() {
+				return
+			}
+		}
+		time.Sleep(100 * time.Millisecond)
+	}
+}
+
+// Pick a random member.
+func (sg smGroup) randomMember() stateMachine {
+	return sg[rand.Intn(len(sg))]
+}
+
+// Return a non-leader
+func (sg smGroup) nonLeader() stateMachine {
+	for _, sm := range sg {
+		if !sm.node().Leader() {
+			return sm
+		}
+	}
+	return nil
+}
+
+// Create a raft group and place on numMembers servers at random.
+func (c *cluster) createRaftGroup(name string, numMembers int, smf smFactory) smGroup {
+	c.t.Helper()
+	if numMembers > len(c.servers) {
+		c.t.Fatalf("Members > Peers: %d vs  %d", numMembers, len(c.servers))
+	}
+	servers := append([]*Server{}, c.servers...)
+	rand.Shuffle(len(servers), func(i, j int) { servers[i], servers[j] = servers[j], servers[i] })
+	return c.createRaftGroupWithPeers(name, servers[:numMembers], smf)
+}
+
+func (c *cluster) createRaftGroupWithPeers(name string, servers []*Server, smf smFactory) smGroup {
+	c.t.Helper()
+
+	var sg smGroup
+	var peers []string
+
+	for _, s := range servers {
+		// generate peer names.
+		s.mu.RLock()
+		peers = append(peers, s.sys.shash)
+		s.mu.RUnlock()
+	}
+
+	for _, s := range servers {
+		fs, err := newFileStore(
+			FileStoreConfig{StoreDir: c.t.TempDir(), BlockSize: defaultMediumBlockSize, AsyncFlush: false, SyncInterval: 5 * time.Minute},
+			StreamConfig{Name: name, Storage: FileStorage},
+		)
+		require_NoError(c.t, err)
+		cfg := &RaftConfig{Name: name, Store: c.t.TempDir(), Log: fs}
+		s.bootstrapRaftNode(cfg, peers, true)
+		n, err := s.startRaftNode(globalAccountName, cfg)
+		require_NoError(c.t, err)
+		sm := smf(s, cfg, n)
+		sg = append(sg, sm)
+		go smLoop(sm)
+	}
+	return sg
+}
+
+// Driver program for the state machine.
+// Should be run in its own go routine.
+func smLoop(sm stateMachine) {
+	s, n := sm.server(), sm.node()
+	qch, lch, aq := n.QuitC(), n.LeadChangeC(), n.ApplyQ()
+
+	for {
+		select {
+		case <-s.quitCh:
+			return
+		case <-qch:
+			return
+		case <-aq.ch:
+			ces := aq.pop()
+			for _, ce := range ces {
+				sm.applyEntry(ce)
+			}
+			aq.recycle(&ces)
+
+		case isLeader := <-lch:
+			sm.leaderChange(isLeader)
+		}
+	}
+}
+
+// Simple implementation of a replicated state.
+// The adder state just sums up int64 values.
+type stateAdder struct {
+	sync.Mutex
+	s   *Server
+	n   RaftNode
+	cfg *RaftConfig
+	sum int64
+}
+
+// Simple getters for server and the raft node.
+func (a *stateAdder) server() *Server {
+	a.Lock()
+	defer a.Unlock()
+	return a.s
+}
+func (a *stateAdder) node() RaftNode {
+	a.Lock()
+	defer a.Unlock()
+	return a.n
+}
+
+func (a *stateAdder) propose(data []byte) {
+	a.Lock()
+	defer a.Unlock()
+	a.n.ForwardProposal(data)
+}
+
+func (a *stateAdder) applyEntry(ce *CommittedEntry) {
+	a.Lock()
+	defer a.Unlock()
+	if ce == nil {
+		// This means initial state is done/replayed.
+		return
+	}
+	for _, e := range ce.Entries {
+		if e.Type == EntryNormal {
+			delta, _ := binary.Varint(e.Data)
+			a.sum += delta
+		} else if e.Type == EntrySnapshot {
+			a.sum, _ = binary.Varint(e.Data)
+		}
+	}
+	// Update applied.
+	a.n.Applied(ce.Index)
+}
+
+func (a *stateAdder) leaderChange(isLeader bool) {}
+
+// Adder specific to change the total.
+func (a *stateAdder) proposeDelta(delta int64) {
+	data := make([]byte, binary.MaxVarintLen64)
+	n := binary.PutVarint(data, int64(delta))
+	a.propose(data[:n])
+}
+
+// Stop the group.
+func (a *stateAdder) stop() {
+	a.Lock()
+	defer a.Unlock()
+	a.n.Stop()
+}
+
+// Restart the group
+func (a *stateAdder) restart() {
+	a.Lock()
+	defer a.Unlock()
+
+	if a.n.State() != Closed {
+		return
+	}
+
+	// The filestore is stopped as well, so need to extract the parts to recreate it.
+	rn := a.n.(*raft)
+	fs := rn.wal.(*fileStore)
+
+	var err error
+	a.cfg.Log, err = newFileStore(fs.fcfg, fs.cfg.StreamConfig)
+	if err != nil {
+		panic(err)
+	}
+	a.n, err = a.s.startRaftNode(globalAccountName, a.cfg)
+	if err != nil {
+		panic(err)
+	}
+	// Finally restart the driver.
+	go smLoop(a)
+}
+
+// Total for the adder state machine.
+func (a *stateAdder) total() int64 {
+	a.Lock()
+	defer a.Unlock()
+	return a.sum
+}
+
+// Install a snapshot.
+func (a *stateAdder) snapshot(t *testing.T) {
+	a.Lock()
+	defer a.Unlock()
+	data := make([]byte, binary.MaxVarintLen64)
+	n := binary.PutVarint(data, a.sum)
+	snap := data[:n]
+	require_NoError(t, a.n.InstallSnapshot(snap))
+}
+
+// Helper to wait for a certain state.
+func (rg smGroup) waitOnTotal(t *testing.T, expected int64) {
+	t.Helper()
+	checkFor(t, 20*time.Second, 200*time.Millisecond, func() error {
+		for _, sm := range rg {
+			asm := sm.(*stateAdder)
+			if total := asm.total(); total != expected {
+				return fmt.Errorf("Adder on %v has wrong total: %d vs %d",
+					asm.server(), total, expected)
+			}
+		}
+		return nil
+	})
+}
+
+// Factory function.
+func newStateAdder(s *Server, cfg *RaftConfig, n RaftNode) stateMachine {
+	return &stateAdder{s: s, n: n, cfg: cfg}
+}
diff --git a/server/raft_test.go b/server/raft_test.go
index 89c983b99..bddce36fb 100644
--- a/server/raft_test.go
+++ b/server/raft_test.go
@@ -1,4 +1,4 @@
-// Copyright 2021 The NATS Authors
+// Copyright 2021-2023 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -17,8 +17,55 @@ import (
 	"math"
 	"math/rand"
 	"testing"
+	"time"
 )
 
+func TestNRGSimple(t *testing.T) {
+	c := createJetStreamClusterExplicit(t, "R3S", 3)
+	defer c.shutdown()
+
+	rg := c.createRaftGroup("TEST", 3, newStateAdder)
+	rg.waitOnLeader()
+	// Do several state transitions.
+	rg.randomMember().(*stateAdder).proposeDelta(11)
+	rg.randomMember().(*stateAdder).proposeDelta(11)
+	rg.randomMember().(*stateAdder).proposeDelta(-22)
+	// Wait for all members to have the correct state.
+	rg.waitOnTotal(t, 0)
+}
+
+func TestNRGSnapshotAndRestart(t *testing.T) {
+	c := createJetStreamClusterExplicit(t, "R3S", 3)
+	defer c.shutdown()
+
+	rg := c.createRaftGroup("TEST", 3, newStateAdder)
+	rg.waitOnLeader()
+
+	var expectedTotal int64
+
+	leader := rg.leader().(*stateAdder)
+	sm := rg.nonLeader().(*stateAdder)
+
+	for i := 0; i < 1000; i++ {
+		delta := rand.Int63n(222)
+		expectedTotal += delta
+		leader.proposeDelta(delta)
+
+		if i == 250 {
+			// Let some things catchup.
+			time.Sleep(50 * time.Millisecond)
+			// Snapshot leader and stop and snapshot a member.
+			leader.snapshot(t)
+			sm.snapshot(t)
+			sm.stop()
+		}
+	}
+	// Restart.
+	sm.restart()
+	// Wait for all members to have the correct state.
+	rg.waitOnTotal(t, expectedTotal)
+}
+
 func TestNRGAppendEntryEncode(t *testing.T) {
 	ae := &appendEntry{
 		term:   1,
diff --git a/server/reload.go b/server/reload.go
index 2755a93aa..953623429 100644
--- a/server/reload.go
+++ b/server/reload.go
@@ -1,4 +1,4 @@
-// Copyright 2017-2022 The NATS Authors
+// Copyright 2017-2023 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -148,7 +148,7 @@ type debugOption struct {
 // However we will kick the raft nodes if they exist to reload.
 func (d *debugOption) Apply(server *Server) {
 	server.Noticef("Reloaded: debug = %v", d.newValue)
-	server.reloadDebugRaftNodes()
+	server.reloadDebugRaftNodes(d.newValue)
 }
 
 // logtimeOption implements the option interface for the `logtime` setting.
@@ -162,6 +162,17 @@ func (l *logtimeOption) Apply(server *Server) {
 	server.Noticef("Reloaded: logtime = %v", l.newValue)
 }
 
+// logtimeUTCOption implements the option interface for the `logtime_utc` setting.
+type logtimeUTCOption struct {
+	loggingOption
+	newValue bool
+}
+
+// Apply is a no-op because logging will be reloaded after options are applied.
+func (l *logtimeUTCOption) Apply(server *Server) {
+	server.Noticef("Reloaded: logtime_utc = %v", l.newValue)
+}
+
 // logfileOption implements the option interface for the `log_file` setting.
 type logfileOption struct {
 	loggingOption
@@ -609,7 +620,7 @@ func (jso jetStreamOption) IsStatszChange() bool {
 }
 
 type ocspOption struct {
-	noopOption
+	tlsOption
 	newValue *OCSPConfig
 }
 
@@ -617,6 +628,15 @@ func (a *ocspOption) Apply(s *Server) {
 	s.Noticef("Reloaded: OCSP")
 }
 
+type ocspResponseCacheOption struct {
+	tlsOption
+	newValue *OCSPResponseCacheConfig
+}
+
+func (a *ocspResponseCacheOption) Apply(s *Server) {
+	s.Noticef("Reloaded OCSP peer cache")
+}
+
 // connectErrorReports implements the option interface for the `connect_error_reports`
 // setting.
 type connectErrorReports struct {
@@ -710,6 +730,7 @@ func (o *mqttInactiveThresholdReload) Apply(s *Server) {
 	s.Noticef("Reloaded: MQTT consumer_inactive_threshold = %v", o.newValue)
 }
 
+// ** added by Memphis
 // dlsRetentionHoursOption implements the option interface for the `dls_retention_hours`
 // setting.
 type dlsRetentionHoursOption struct {
@@ -798,6 +819,8 @@ func (o *restGwOption) Apply(server *Server) {
 	server.Noticef("Reloaded: rest_gw_host = %v", o.newValue)
 }
 
+// ** added by Memphis
+
 // Compares options and disconnects clients that are no longer listed in pinned certs. Lock must not be held.
 func (s *Server) recheckPinnedCerts(curOpts *Options, newOpts *Options) {
 	s.mu.Lock()
@@ -884,13 +907,6 @@ func (s *Server) Reload() error {
 func (s *Server) ReloadOptions(newOpts *Options) error {
 	s.mu.Lock()
 
-	s.reloading = true
-	defer func() {
-		s.mu.Lock()
-		s.reloading = false
-		s.mu.Unlock()
-	}()
-
 	curOpts := s.getOpts()
 
 	// Wipe trusted keys if needed when we have an operator.
@@ -1051,7 +1067,7 @@ func imposeOrder(value interface{}) error {
 		sort.Strings(value.AllowedOrigins)
 	case string, bool, uint8, int, int32, int64, time.Duration, float64, nil, LeafNodeOpts, ClusterOpts, *tls.Config, PinnedCertSet,
 		*URLAccResolver, *MemAccResolver, *DirAccResolver, *CacheDirAccResolver, Authentication, MQTTOpts, jwt.TagList,
-		*OCSPConfig, map[string]string, JSLimitOpts, StoreCipher, map[string]int:
+		*OCSPConfig, map[string]string, JSLimitOpts, StoreCipher, *OCSPResponseCacheConfig:
 		// explicitly skipped types
 	default:
 		// this will fail during unit tests
@@ -1120,6 +1136,8 @@ func (s *Server) diffOptions(newOpts *Options) ([]option, error) {
 			diffOpts = append(diffOpts, &debugOption{newValue: newValue.(bool)})
 		case "logtime":
 			diffOpts = append(diffOpts, &logtimeOption{newValue: newValue.(bool)})
+		case "logtimeutc":
+			diffOpts = append(diffOpts, &logtimeUTCOption{newValue: newValue.(bool)})
 		case "logfile":
 			diffOpts = append(diffOpts, &logfileOption{newValue: newValue.(string)})
 		case "syslog":
@@ -1375,8 +1393,8 @@ func (s *Server) diffOptions(newOpts *Options) ([]option, error) {
 			// Similar to gateways
 			tmpOld := oldValue.(WebsocketOpts)
 			tmpNew := newValue.(WebsocketOpts)
-			tmpOld.TLSConfig = nil
-			tmpNew.TLSConfig = nil
+			tmpOld.TLSConfig, tmpOld.tlsConfigOpts = nil, nil
+			tmpNew.TLSConfig, tmpNew.tlsConfigOpts = nil, nil
 			// If there is really a change prevents reload.
 			if !reflect.DeepEqual(tmpOld, tmpNew) {
 				// See TODO(ik) note below about printing old/new values.
@@ -1395,9 +1413,9 @@ func (s *Server) diffOptions(newOpts *Options) ([]option, error) {
 			// we only fail reload if some that we don't support are changed.
 			tmpOld := oldValue.(MQTTOpts)
 			tmpNew := newValue.(MQTTOpts)
-			tmpOld.TLSConfig, tmpOld.AckWait, tmpOld.MaxAckPending, tmpOld.StreamReplicas, tmpOld.ConsumerReplicas, tmpOld.ConsumerMemoryStorage = nil, 0, 0, 0, 0, false
+			tmpOld.TLSConfig, tmpOld.tlsConfigOpts, tmpOld.AckWait, tmpOld.MaxAckPending, tmpOld.StreamReplicas, tmpOld.ConsumerReplicas, tmpOld.ConsumerMemoryStorage = nil, nil, 0, 0, 0, 0, false
 			tmpOld.ConsumerInactiveThreshold = 0
-			tmpNew.TLSConfig, tmpNew.AckWait, tmpNew.MaxAckPending, tmpNew.StreamReplicas, tmpNew.ConsumerReplicas, tmpNew.ConsumerMemoryStorage = nil, 0, 0, 0, 0, false
+			tmpNew.TLSConfig, tmpNew.tlsConfigOpts, tmpNew.AckWait, tmpNew.MaxAckPending, tmpNew.StreamReplicas, tmpNew.ConsumerReplicas, tmpNew.ConsumerMemoryStorage = nil, nil, 0, 0, 0, 0, false
 			tmpNew.ConsumerInactiveThreshold = 0
 
 			if !reflect.DeepEqual(tmpOld, tmpNew) {
@@ -1450,6 +1468,9 @@ func (s *Server) diffOptions(newOpts *Options) ([]option, error) {
 			}
 		case "ocspconfig":
 			diffOpts = append(diffOpts, &ocspOption{newValue: newValue.(*OCSPConfig)})
+		case "ocspcacheconfig":
+			diffOpts = append(diffOpts, &ocspResponseCacheOption{newValue: newValue.(*OCSPResponseCacheConfig)})
+		// ** added by Memphis
 		case "logsretentiondays":
 			diffOpts = append(diffOpts, &logsRetentionDaysOption{newValue: newValue.(int)})
 		case "dlsretentionhours":
@@ -1464,6 +1485,7 @@ func (s *Server) diffOptions(newOpts *Options) ([]option, error) {
 			diffOpts = append(diffOpts, &restGwOption{newValue: newValue.(string)})
 		case "gcproducersconsumersretentionhours":
 			diffOpts = append(diffOpts, &GCProducersConsumersRetentionHoursOption{newValue: newValue.(int)})
+		// ** added by Memphis
 		default:
 			// TODO(ik): Implement String() on those options to have a nice print.
 			// %v is difficult to figure what's what, %+v print private fields and
@@ -1601,10 +1623,12 @@ func (s *Server) applyOptions(ctx *reloadContext, opts []option) {
 		s.updateRemoteLeafNodesTLSConfig(newOpts)
 	}
 
+	// This will fire if TLS enabled at root (NATS listener) -or- if ocsp or ocsp_cache
+	// appear in the config.
 	if reloadTLS {
 		// Restart OCSP monitoring.
 		if err := s.reloadOCSP(); err != nil {
-			s.Warnf("Can't restart OCSP Stapling: %v", err)
+			s.Warnf("Can't restart OCSP features: %v", err)
 		}
 	}
 
@@ -1681,102 +1705,44 @@ func (s *Server) reloadClientTraceLevel() {
 func (s *Server) reloadAuthorization() {
 	// This map will contain the names of accounts that have their streams
 	// import configuration changed.
-	awcsti := make(map[string]struct{})
+	var awcsti map[string]struct{}
 	checkJetStream := false
+	opts := s.getOpts()
 	s.mu.Lock()
 
+	deletedAccounts := make(map[string]*Account)
+
 	// This can not be changed for now so ok to check server's trustedKeys unlocked.
 	// If plain configured accounts, process here.
 	if s.trustedKeys == nil {
-		// We need to drain the old accounts here since we have something
-		// new configured. We do not want s.accounts to change since that would
-		// mean adding a lock to lookupAccount which is what we are trying to
-		// optimize for with the change from a map to a sync.Map.
-		oldAccounts := make(map[string]*Account)
+		// Make a map of the configured account names so we figure out the accounts
+		// that should be removed later on.
+		configAccs := make(map[string]struct{}, len(opts.Accounts))
+		for _, acc := range opts.Accounts {
+			configAccs[acc.GetName()] = struct{}{}
+		}
+		// Now range over existing accounts and keep track of the ones deleted
+		// so some cleanup can be made after releasing the server lock.
 		s.accounts.Range(func(k, v interface{}) bool {
-			acc := v.(*Account)
-			if acc.GetName() == DEFAULT_GLOBAL_ACCOUNT {
+			an, acc := k.(string), v.(*Account)
+			// Exclude default and system account from this test since those
+			// may not actually be in opts.Accounts.
+			if an == DEFAULT_GLOBAL_ACCOUNT || an == DEFAULT_SYSTEM_ACCOUNT {
 				return true
 			}
-			acc.mu.Lock()
-			oldAccounts[acc.Name] = acc
-			// Need to clear out eventing timers since they close over this account and not the new one.
-			clearTimer(&acc.etmr)
-			clearTimer(&acc.ctmr)
-			acc.mu.Unlock()
-			s.accounts.Delete(k)
-			return true
-		})
-
-		s.gacc = nil
-		s.configureAccounts()
-		s.configureAuthorization()
-		s.mu.Unlock()
-
-		s.accounts.Range(func(k, v interface{}) bool {
-			newAcc := v.(*Account)
-			if acc, ok := oldAccounts[newAcc.Name]; ok {
-				// If account exist in latest config, "transfer" the account's
-				// sublist and client map to the new account.
-				acc.mu.RLock()
-				newAcc.mu.Lock()
-				if len(acc.clients) > 0 {
-					newAcc.clients = make(map[*client]struct{}, len(acc.clients))
-					for c := range acc.clients {
-						newAcc.clients[c] = struct{}{}
-					}
-				}
-				// Same for leafnodes
-				newAcc.lleafs = append([]*client(nil), acc.lleafs...)
-
-				newAcc.sl = acc.sl
-				if acc.rm != nil {
-					newAcc.rm = make(map[string]int32)
-				}
-				for k, v := range acc.rm {
-					newAcc.rm[k] = v
-				}
-				// Transfer internal client state. The configureAccounts call from above may have set up a new one.
-				// We need to use the old one, and the isid to not confuse internal subs.
-				newAcc.ic, newAcc.isid = acc.ic, acc.isid
-				// Transfer any JetStream state.
-				newAcc.js = acc.js
-				// Also transfer any internal accounting on different client types. We copy over all clients
-				// so need to copy this as well for proper accounting going forward.
-				newAcc.nrclients = acc.nrclients
-				newAcc.sysclients = acc.sysclients
-				newAcc.nleafs = acc.nleafs
-				newAcc.nrleafs = acc.nrleafs
-				// Process any reverse map entries.
-				if len(acc.imports.rrMap) > 0 {
-					newAcc.imports.rrMap = make(map[string][]*serviceRespEntry)
-					for k, v := range acc.imports.rrMap {
-						newAcc.imports.rrMap[k] = v
-					}
-				}
-				newAcc.mu.Unlock()
-				acc.mu.RUnlock()
-
-				// Check if current and new config of this account are same
-				// in term of stream imports.
-				if !acc.checkStreamImportsEqual(newAcc) {
-					awcsti[newAcc.Name] = struct{}{}
-				}
-
-				// We need to remove all old service import subs.
-				acc.removeAllServiceImportSubs()
-				newAcc.addAllServiceImportSubs()
+			// Check check if existing account is still in opts.Accounts.
+			if _, ok := configAccs[an]; !ok {
+				deletedAccounts[an] = acc
+				s.accounts.Delete(k)
 			}
 			return true
 		})
-		s.mu.Lock()
-		// Check if we had a default system account.
-		if s.sys != nil && s.sys.account != nil && !s.opts.NoSystemAccount {
-			s.accounts.Store(s.sys.account.Name, s.sys.account)
-		}
+		// This will update existing and add new ones.
+		awcsti, _ = s.configureAccounts(true)
+		s.configureAuthorization()
 		// Double check any JetStream configs.
 		checkJetStream = s.js != nil
-	} else if s.opts.AccountResolver != nil {
+	} else if opts.AccountResolver != nil {
 		s.configureResolver()
 		if _, ok := s.accResolver.(*MemAccResolver); ok {
 			// Check preloads so we can issue warnings etc if needed.
@@ -1832,7 +1798,7 @@ func (s *Server) reloadAuthorization() {
 		routes = append(routes, route)
 	}
 	// Check here for any system/internal clients which will not be in the servers map of normal clients.
-	if s.sys != nil && s.sys.account != nil && !s.opts.NoSystemAccount {
+	if s.sys != nil && s.sys.account != nil && !opts.NoSystemAccount {
 		s.accounts.Store(s.sys.account.Name, s.sys.account)
 	}
 
@@ -1858,6 +1824,18 @@ func (s *Server) reloadAuthorization() {
 	}
 	s.mu.Unlock()
 
+	// Clear some timers and remove service import subs for deleted accounts.
+	for _, acc := range deletedAccounts {
+		acc.mu.Lock()
+		clearTimer(&acc.etmr)
+		clearTimer(&acc.ctmr)
+		for _, se := range acc.exports.services {
+			se.clearResponseThresholdTimer()
+		}
+		acc.mu.Unlock()
+		acc.removeAllServiceImportSubs()
+	}
+
 	if resetCh != nil {
 		resetCh <- struct{}{}
 	}
diff --git a/server/reload_test.go b/server/reload_test.go
index 9f334db1d..946179008 100644
--- a/server/reload_test.go
+++ b/server/reload_test.go
@@ -308,6 +308,9 @@ func TestConfigReload(t *testing.T) {
 	if !updated.Logtime {
 		t.Fatal("Expected Logtime to be true")
 	}
+	if !updated.LogtimeUTC {
+		t.Fatal("Expected LogtimeUTC to be true")
+	}
 	if runtime.GOOS != "windows" {
 		if !updated.Syslog {
 			t.Fatal("Expected Syslog to be true")
@@ -2600,6 +2603,25 @@ func TestConfigReloadAccountUsers(t *testing.T) {
 		t.Fatalf("Error on subscribe: %v", err)
 	}
 
+	// confirm subscriptions before and after reload.
+	var expectedSubs uint32 = 4
+	sAcc, err := s.LookupAccount("synadia")
+	require_NoError(t, err)
+	sAcc.mu.RLock()
+	n := sAcc.sl.Count()
+	sAcc.mu.RUnlock()
+	if n != expectedSubs {
+		t.Errorf("Synadia account should have %d sub, got %v", expectedSubs, n)
+	}
+	nAcc, err := s.LookupAccount("nats.io")
+	require_NoError(t, err)
+	nAcc.mu.RLock()
+	n = nAcc.sl.Count()
+	nAcc.mu.RUnlock()
+	if n != expectedSubs {
+		t.Errorf("Nats.io account should have %d sub, got %v", expectedSubs, n)
+	}
+
 	// Remove user from account and whole account
 	reloadUpdateConfig(t, s, conf, `
 	listen: "127.0.0.1:-1"
@@ -2651,14 +2673,18 @@ func TestConfigReloadAccountUsers(t *testing.T) {
 	// being reconnected does not mean that resent of subscriptions
 	// has already been processed.
 	checkFor(t, 2*time.Second, 100*time.Millisecond, func() error {
-		gAcc, _ := s.LookupAccount(globalAccountName)
+		gAcc, err := s.LookupAccount(globalAccountName)
+		require_NoError(t, err)
 		gAcc.mu.RLock()
 		n := gAcc.sl.Count()
 		fooMatch := gAcc.sl.Match("foo")
 		bazMatch := gAcc.sl.Match("baz")
 		gAcc.mu.RUnlock()
-		if n != 2 {
-			return fmt.Errorf("Global account should have 2 subs, got %v", n)
+		// The number of subscriptions should be 3 ($SYS.REQ.ACCOUNT.PING.CONNZ,
+		// $SYS.REQ.ACCOUNT.PING.STATZ, $SYS.REQ.SERVER.PING.CONNZ)
+		// + 2 (foo and baz)
+		if n != 5 {
+			return fmt.Errorf("Global account should have 5 subs, got %v", n)
 		}
 		if len(fooMatch.psubs) != 1 {
 			return fmt.Errorf("Global account should have foo sub")
@@ -2667,25 +2693,28 @@ func TestConfigReloadAccountUsers(t *testing.T) {
 			return fmt.Errorf("Global account should have baz sub")
 		}
 
-		sAcc, _ := s.LookupAccount("synadia")
+		sAcc, err := s.LookupAccount("synadia")
+		require_NoError(t, err)
 		sAcc.mu.RLock()
 		n = sAcc.sl.Count()
 		barMatch := sAcc.sl.Match("bar")
+
 		sAcc.mu.RUnlock()
-		if n != 1 {
-			return fmt.Errorf("Synadia account should have 1 sub, got %v", n)
+		if n != expectedSubs {
+			return fmt.Errorf("Synadia account should have %d sub, got %v", expectedSubs, n)
 		}
 		if len(barMatch.psubs) != 1 {
 			return fmt.Errorf("Synadia account should have bar sub")
 		}
 
-		nAcc, _ := s.LookupAccount("nats.io")
+		nAcc, err := s.LookupAccount("nats.io")
+		require_NoError(t, err)
 		nAcc.mu.RLock()
 		n = nAcc.sl.Count()
 		batMatch := nAcc.sl.Match("bat")
 		nAcc.mu.RUnlock()
-		if n != 1 {
-			return fmt.Errorf("Nats.io account should have 1 sub, got %v", n)
+		if n != expectedSubs {
+			return fmt.Errorf("Nats.io account should have %d sub, got %v", expectedSubs, n)
 		}
 		if len(batMatch.psubs) != 1 {
 			return fmt.Errorf("Synadia account should have bar sub")
@@ -2694,6 +2723,85 @@ func TestConfigReloadAccountUsers(t *testing.T) {
 	})
 }
 
+func TestConfigReloadAccountWithNoChanges(t *testing.T) {
+	conf := createConfFile(t, []byte(`
+	listen: "127.0.0.1:-1"
+        system_account: sys
+	accounts {
+		A {
+			users = [{ user: a }]
+		}
+		B {
+			users = [{ user: b }]
+		}
+		C {
+			users = [{ user: c }]
+		}
+		sys {
+			users = [{ user: sys }]
+		}
+	}
+	`))
+	s, opts := RunServerWithConfig(conf)
+	defer s.Shutdown()
+
+	ncA, err := nats.Connect(fmt.Sprintf("nats://a:@%s:%d", opts.Host, opts.Port))
+	if err != nil {
+		t.Fatalf("Error on connect: %v", err)
+	}
+	defer ncA.Close()
+
+	// Confirm default service imports are ok.
+	checkSubs := func(t *testing.T) {
+		resp, err := ncA.Request("$SYS.REQ.ACCOUNT.PING.CONNZ", nil, time.Second)
+		if err != nil {
+			t.Error(err)
+		}
+		if resp == nil || !strings.Contains(string(resp.Data), `"num_connections":1`) {
+			t.Fatal("unexpected data in connz response")
+		}
+		resp, err = ncA.Request("$SYS.REQ.SERVER.PING.CONNZ", nil, time.Second)
+		if err != nil {
+			t.Error(err)
+		}
+		if resp == nil || !strings.Contains(string(resp.Data), `"num_connections":1`) {
+			t.Fatal("unexpected data in connz response")
+		}
+		resp, err = ncA.Request("$SYS.REQ.ACCOUNT.PING.STATZ", nil, time.Second)
+		if err != nil {
+			t.Error(err)
+		}
+		if resp == nil || !strings.Contains(string(resp.Data), `"conns":1`) {
+			t.Fatal("unexpected data in connz response")
+		}
+	}
+	checkSubs(t)
+	before := s.NumSubscriptions()
+	s.Reload()
+	after := s.NumSubscriptions()
+	if before != after {
+		t.Errorf("Number of subscriptions changed after reload: %d -> %d", before, after)
+	}
+
+	// Confirm this still works after a reload...
+	checkSubs(t)
+	before = s.NumSubscriptions()
+	s.Reload()
+	after = s.NumSubscriptions()
+	if before != after {
+		t.Errorf("Number of subscriptions changed after reload: %d -> %d", before, after)
+	}
+
+	// Do another extra reload just in case.
+	checkSubs(t)
+	before = s.NumSubscriptions()
+	s.Reload()
+	after = s.NumSubscriptions()
+	if before != after {
+		t.Errorf("Number of subscriptions changed after reload: %d -> %d", before, after)
+	}
+}
+
 func TestConfigReloadAccountNKeyUsers(t *testing.T) {
 	conf := createConfFile(t, []byte(`
 	listen: "127.0.0.1:-1"
@@ -3897,7 +4005,7 @@ func TestConfigReloadConnectErrReports(t *testing.T) {
 	}
 }
 
-func TestAuthReloadDoesNotBreakRouteInterest(t *testing.T) {
+func TestConfigReloadAuthDoesNotBreakRouteInterest(t *testing.T) {
 	s, opts := RunServerWithConfig("./configs/seed_tls.conf")
 	defer s.Shutdown()
 
@@ -4047,7 +4155,7 @@ func TestConfigReloadAccountResolverTLSConfig(t *testing.T) {
 	}
 }
 
-func TestLoggingReload(t *testing.T) {
+func TestConfigReloadLogging(t *testing.T) {
 	// This test basically starts a server and causes it's configuration to be reloaded 3 times.
 	// Each time, a new log file is created and trace levels are turned, off - on - off.
 
@@ -4174,7 +4282,7 @@ func TestLoggingReload(t *testing.T) {
 	check("off-post.log", tracingAbsent)
 }
 
-func TestReloadValidate(t *testing.T) {
+func TestConfigReloadValidate(t *testing.T) {
 	confFileName := createConfFile(t, []byte(`
 		listen: "127.0.0.1:-1"
 		no_auth_user: a
@@ -4234,12 +4342,14 @@ func TestConfigReloadAccounts(t *testing.T) {
 
 	urlSys := fmt.Sprintf("nats://sys:pwd@%s:%d", o.Host, o.Port)
 	urlUsr := fmt.Sprintf("nats://usr:pwd@%s:%d", o.Host, o.Port)
-	oldAcc, ok := s.accounts.Load("SYS")
+	oldAcci, ok := s.accounts.Load("SYS")
 	if !ok {
 		t.Fatal("No SYS account")
 	}
+	oldAcc := oldAcci.(*Account)
 
-	testSrvState := func(oldAcc interface{}) {
+	testSrvState := func(oldAcc *Account) {
+		t.Helper()
 		sysAcc := s.SystemAccount()
 		s.mu.Lock()
 		defer s.mu.Unlock()
@@ -4252,11 +4362,13 @@ func TestConfigReloadAccounts(t *testing.T) {
 		if s.opts.SystemAccount != "SYS" {
 			t.Fatal("Found wrong sys.account")
 		}
-		// This will fail prior to system account reload
-		if acc, ok := s.accounts.Load(s.opts.SystemAccount); !ok {
-			t.Fatal("Found different sys.account pointer")
-		} else if acc == oldAcc {
-			t.Fatal("System account is unaltered")
+		ai, ok := s.accounts.Load(s.opts.SystemAccount)
+		if !ok {
+			t.Fatalf("System account %q not found in s.accounts map", s.opts.SystemAccount)
+		}
+		acc := ai.(*Account)
+		if acc != oldAcc {
+			t.Fatalf("System account pointer was changed during reload, was %p now %p", oldAcc, acc)
 		}
 		if s.sys.client == nil {
 			t.Fatal("Expected sys.client to be non-nil")
@@ -4324,7 +4436,7 @@ func TestConfigReloadAccounts(t *testing.T) {
 		}
 	}
 
-	testSrvState(nil)
+	testSrvState(oldAcc)
 	c1, s1C, s1D := subscribe("SYS1")
 	defer c1.Close()
 	defer s1C.Unsubscribe()
@@ -4508,3 +4620,73 @@ func TestConfigReloadWithSysAccountOnly(t *testing.T) {
 		// ok
 	}
 }
+
+func TestConfigReloadGlobalAccountWithMappingAndJetStream(t *testing.T) {
+	tmpl := `
+		listen: 127.0.0.1:-1
+		server_name: %s
+		jetstream: {max_mem_store: 256MB, max_file_store: 2GB, store_dir: '%s'}
+
+		mappings {
+			subj.orig: subj.mapped.before.reload
+		}
+
+		leaf {
+			listen: 127.0.0.1:-1
+		}
+
+		cluster {
+			name: %s
+			listen: 127.0.0.1:%d
+			routes = [%s]
+		}
+
+		# For access to system account.
+		accounts { $SYS { users = [ { user: "admin", pass: "s3cr3t!" } ] } }
+	`
+	c := createJetStreamClusterWithTemplate(t, tmpl, "R3S", 3)
+	defer c.shutdown()
+
+	nc, js := jsClientConnect(t, c.randomServer())
+	defer nc.Close()
+
+	// Verify that mapping works
+	checkMapping := func(expectedSubj string) {
+		t.Helper()
+		sub := natsSubSync(t, nc, "subj.>")
+		defer sub.Unsubscribe()
+		natsPub(t, nc, "subj.orig", nil)
+		msg := natsNexMsg(t, sub, time.Second)
+		if msg.Subject != expectedSubj {
+			t.Fatalf("Expected subject to have been mapped to %q, got %q", expectedSubj, msg.Subject)
+		}
+	}
+	checkMapping("subj.mapped.before.reload")
+
+	// Create a stream and check that we can get the INFO
+	_, err := js.AddStream(&nats.StreamConfig{
+		Name:      "TEST",
+		Replicas:  3,
+		Subjects:  []string{"foo"},
+		Retention: nats.InterestPolicy,
+	})
+	require_NoError(t, err)
+	c.waitOnStreamLeader(globalAccountName, "TEST")
+
+	_, err = js.StreamInfo("TEST")
+	require_NoError(t, err)
+
+	// Change mapping on all servers and issue reload
+	for i, s := range c.servers {
+		opts := c.opts[i]
+		content, err := os.ReadFile(opts.ConfigFile)
+		require_NoError(t, err)
+		reloadUpdateConfig(t, s, opts.ConfigFile, strings.Replace(string(content), "subj.mapped.before.reload", "subj.mapped.after.reload", 1))
+	}
+	// Make sure the cluster is still formed
+	checkClusterFormed(t, c.servers...)
+	// Now repeat the test for the subject mapping and stream info
+	checkMapping("subj.mapped.after.reload")
+	_, err = js.StreamInfo("TEST")
+	require_NoError(t, err)
+}
diff --git a/server/route.go b/server/route.go
index 9b8450d5e..4703132eb 100644
--- a/server/route.go
+++ b/server/route.go
@@ -1,4 +1,4 @@
-// Copyright 2013-2022 The NATS Authors
+// Copyright 2013-2023 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -530,7 +530,7 @@ func (c *client) processRouteInfo(info *Info) {
 		remoteID := c.route.remoteID
 
 		// Check if this is an INFO for gateways...
-		if info.Gateway != "" {
+		if info.Gateway != _EMPTY_ {
 			c.mu.Unlock()
 			// If this server has no gateway configured, report error and return.
 			if !s.gateway.enabled {
@@ -545,7 +545,7 @@ func (c *client) processRouteInfo(info *Info) {
 
 		// We receive an INFO from a server that informs us about another server,
 		// so the info.ID in the INFO protocol does not match the ID of this route.
-		if remoteID != "" && remoteID != info.ID {
+		if remoteID != _EMPTY_ && remoteID != info.ID {
 			c.mu.Unlock()
 
 			// Process this implicit route. We will check that it is not an explicit
@@ -653,7 +653,7 @@ func (c *client) processRouteInfo(info *Info) {
 			// The incoming INFO from the route will have IP set
 			// if it has Cluster.Advertise. In that case, use that
 			// otherwise construct it from the remote TCP address.
-			if info.IP == "" {
+			if info.IP == _EMPTY_ {
 				// Need to get the remote IP address.
 				c.mu.Lock()
 				switch conn := c.nc.(type) {
@@ -902,7 +902,7 @@ func (c *client) removeRemoteSubs() {
 		if srv.gateway.enabled {
 			srv.gatewayUpdateSubInterest(accountName, sub, -1)
 		}
-		srv.updateLeafNodes(ase.acc, sub, -1)
+		ase.acc.updateLeafNodes(sub, -1)
 	}
 
 	// Now remove the subs by batch for each account sublist.
@@ -972,7 +972,7 @@ func (c *client) processRemoteUnsub(arg []byte) (err error) {
 	}
 
 	// Now check on leafnode updates.
-	srv.updateLeafNodes(acc, sub, -1)
+	acc.updateLeafNodes(sub, -1)
 
 	if c.opts.Verbose {
 		c.sendOK()
@@ -1035,7 +1035,6 @@ func (c *client) processRemoteSub(argo []byte, hasOrigin bool) (err error) {
 		acc = v.(*Account)
 	}
 	if acc == nil {
-		isNew := false
 		// if the option of retrieving accounts later exists, create an expired one.
 		// When a client comes along, expiration will prevent it from being used,
 		// cause a fetch and update the account to what is should be.
@@ -1045,6 +1044,7 @@ func (c *client) processRemoteSub(argo []byte, hasOrigin bool) (err error) {
 		}
 		c.Debugf("Unknown account %q for remote subject %q", accountName, sub.subject)
 
+		var isNew bool
 		if acc, isNew = srv.LookupOrRegisterAccount(accountName); isNew {
 			acc.mu.Lock()
 			acc.expired = true
@@ -1109,7 +1109,7 @@ func (c *client) processRemoteSub(argo []byte, hasOrigin bool) (err error) {
 	}
 
 	// Now check on leafnode updates.
-	srv.updateLeafNodes(acc, sub, delta)
+	acc.updateLeafNodes(sub, delta)
 
 	if c.opts.Verbose {
 		c.sendOK()
@@ -1163,12 +1163,12 @@ func (c *client) addRouteSubOrUnsubProtoToBuf(buf []byte, accName string, sub *s
 // complete interest for all subjects, both normal as a binary
 // and queue group weights.
 func (s *Server) sendSubsToRoute(route *client) {
-	s.mu.Lock()
 	// Estimated size of all protocols. It does not have to be accurate at all.
-	eSize := 0
-	// Send over our account subscriptions.
-	// copy accounts into array first
+	var eSize int
+	// Copy of accounts.
 	accs := make([]*Account, 0, 32)
+
+	s.mu.RLock()
 	s.accounts.Range(func(k, v interface{}) bool {
 		a := v.(*Account)
 		accs = append(accs, a)
@@ -1188,7 +1188,7 @@ func (s *Server) sendSubsToRoute(route *client) {
 		a.mu.RUnlock()
 		return true
 	})
-	s.mu.Unlock()
+	s.mu.RUnlock()
 
 	buf := make([]byte, 0, eSize)
 
@@ -1446,7 +1446,7 @@ func (s *Server) addRoute(c *client, info *Info) (bool, bool) {
 		sendInfo = len(s.routes) > 1
 
 		// If the INFO contains a Gateway URL, add it to the list for our cluster.
-		if info.GatewayURL != "" && s.addGatewayURL(info.GatewayURL) {
+		if info.GatewayURL != _EMPTY_ && s.addGatewayURL(info.GatewayURL) {
 			s.sendAsyncGatewayInfo()
 		}
 	}
@@ -1589,12 +1589,12 @@ func (s *Server) updateRouteSubscriptionMap(acc *Account, sub *subscription, del
 	var _routes [32]*client
 	routes := _routes[:0]
 
-	s.mu.Lock()
+	s.mu.RLock()
 	for _, route := range s.routes {
 		routes = append(routes, route)
 	}
 	trace := atomic.LoadInt32(&s.logging.trace) == 1
-	s.mu.Unlock()
+	s.mu.RUnlock()
 
 	// If we are a queue subscriber we need to make sure our updates are serialized from
 	// potential multiple connections. We want to make sure that the order above is preserved
@@ -1732,7 +1732,7 @@ func (s *Server) startRouteAcceptLoop() {
 	s.routeInfo = info
 	// Possibly override Host/Port and set IP based on Cluster.Advertise
 	if err := s.setRouteInfoHostPortAndIP(); err != nil {
-		s.Fatalf("Error setting route INFO with Cluster.Advertise value of %s, err=%v", s.opts.Cluster.Advertise, err)
+		s.Fatalf("Error setting route INFO with Cluster.Advertise value of %s, err=%v", opts.Cluster.Advertise, err)
 		l.Close()
 		s.mu.Unlock()
 		return
@@ -1772,8 +1772,9 @@ func (s *Server) startRouteAcceptLoop() {
 
 // Similar to setInfoHostPortAndGenerateJSON, but for routeInfo.
 func (s *Server) setRouteInfoHostPortAndIP() error {
-	if s.opts.Cluster.Advertise != "" {
-		advHost, advPort, err := parseHostPort(s.opts.Cluster.Advertise, s.opts.Cluster.Port)
+	opts := s.getOpts()
+	if opts.Cluster.Advertise != _EMPTY_ {
+		advHost, advPort, err := parseHostPort(opts.Cluster.Advertise, opts.Cluster.Port)
 		if err != nil {
 			return err
 		}
@@ -1781,8 +1782,8 @@ func (s *Server) setRouteInfoHostPortAndIP() error {
 		s.routeInfo.Port = advPort
 		s.routeInfo.IP = fmt.Sprintf("nats-route://%s/", net.JoinHostPort(advHost, strconv.Itoa(advPort)))
 	} else {
-		s.routeInfo.Host = s.opts.Cluster.Host
-		s.routeInfo.Port = s.opts.Cluster.Port
+		s.routeInfo.Host = opts.Cluster.Host
+		s.routeInfo.Port = opts.Cluster.Port
 		s.routeInfo.IP = ""
 	}
 	// (re)generate the routeInfoJSON byte array
@@ -1937,7 +1938,7 @@ func (c *client) processRouteConnect(srv *Server, arg []byte, lang string) error
 	proto := &connectInfo{}
 
 	if err := json.Unmarshal(arg, proto); err != nil {
-		c.Errorf("processRouteConnect: ", err)
+		c.Errorf("processRouteConnect: ", err) // ** added by Memphis
 		return err
 	}
 	// Reject if this has Gateway which means that it would be from a gateway
@@ -1949,12 +1950,12 @@ func (c *client) processRouteConnect(srv *Server, arg []byte, lang string) error
 		c.closeConnection(WrongGateway)
 		return ErrWrongGateway
 	}
-	var perms *RoutePermissions
-	//TODO this check indicates srv may be nil. see srv usage below
-	if srv != nil {
-		perms = srv.getOpts().Cluster.Permissions
+
+	if srv == nil {
+		return ErrServerNotRunning
 	}
 
+	perms := srv.getOpts().Cluster.Permissions
 	clusterName := srv.ClusterName()
 
 	// If we have a cluster name set, make sure it matches ours.
diff --git a/server/routes_test.go b/server/routes_test.go
index afaf0ea4c..d6ff57522 100644
--- a/server/routes_test.go
+++ b/server/routes_test.go
@@ -14,9 +14,11 @@
 package server
 
 import (
+	"bufio"
 	"bytes"
 	"context"
 	"crypto/tls"
+	"encoding/json"
 	"fmt"
 	"net"
 	"net/url"
@@ -586,7 +588,7 @@ func TestBlockedShutdownOnRouteAcceptLoopFailure(t *testing.T) {
 	opts.Cluster.Port = 7222
 
 	s := New(opts)
-	go s.Start()
+	s.Start()
 	// Wait a second
 	time.Sleep(time.Second)
 	ch := make(chan bool)
@@ -701,7 +703,7 @@ func (l *checkDuplicateRouteLogger) Errorf(format string, v ...interface{})  {}
 func (l *checkDuplicateRouteLogger) Warnf(format string, v ...interface{})   {}
 func (l *checkDuplicateRouteLogger) Fatalf(format string, v ...interface{})  {}
 func (l *checkDuplicateRouteLogger) Tracef(format string, v ...interface{})  {}
-func (l *checkDuplicateRouteLogger) Systemf(format string, v ...interface{}) {}
+func (l *checkDuplicateRouteLogger) Systemf(format string, v ...interface{}) {} // ** added by Memphis
 func (l *checkDuplicateRouteLogger) Debugf(format string, v ...interface{}) {
 	l.Lock()
 	defer l.Unlock()
@@ -1344,9 +1346,7 @@ func TestRouteIPResolutionAndRouteToSelf(t *testing.T) {
 	defer s.Shutdown()
 	l := &routeHostLookupLogger{errCh: make(chan string, 1), ch: make(chan bool, 1)}
 	s.SetLogger(l, true, true)
-	go func() {
-		s.Start()
-	}()
+	s.Start()
 	if err := s.readyForConnections(time.Second); err != nil {
 		t.Fatal(err)
 	}
@@ -1758,3 +1758,81 @@ func TestRouteSaveTLSName(t *testing.T) {
 	reloadUpdateConfig(t, s2, c2And3Conf, fmt.Sprintf(tmpl, "localhost", o1.Cluster.Port))
 	checkClusterFormed(t, s1, s2, s3)
 }
+
+func TestRouteNoLeakOnSlowConsumer(t *testing.T) {
+	o1 := DefaultOptions()
+	s1 := RunServer(o1)
+	defer s1.Shutdown()
+
+	o2 := DefaultOptions()
+	o2.Routes = RoutesFromStr(fmt.Sprintf("nats://127.0.0.1:%d", o1.Cluster.Port))
+	s2 := RunServer(o2)
+	defer s2.Shutdown()
+
+	checkClusterFormed(t, s1, s2)
+
+	// For any route connections on the first server, drop the write
+	// deadline down and then get the client to try sending something.
+	// This should result in an effectively immediate write timeout,
+	// which will surface as a slow consumer.
+	s1.mu.Lock()
+	for _, cli := range s1.routes {
+		cli.out.wdl = time.Nanosecond
+		cli.sendRTTPing()
+	}
+	s1.mu.Unlock()
+
+	// By now the routes should have gone down, so check that there
+	// aren't any routes listed still.
+	checkFor(t, time.Millisecond*500, time.Millisecond*25, func() error {
+		if nc := s1.NumRoutes(); nc != 0 {
+			return fmt.Errorf("Server 1 should have no route connections, got %v", nc)
+		}
+		if nc := s2.NumRoutes(); nc != 0 {
+			return fmt.Errorf("Server 2 should have no route connections, got %v", nc)
+		}
+		return nil
+	})
+}
+
+func TestRouteNoLeakOnAuthTimeout(t *testing.T) {
+	opts := DefaultOptions()
+	opts.Cluster.Username = "foo"
+	opts.Cluster.Password = "bar"
+	opts.AuthTimeout = 0.01 // Deliberately short timeout
+	s := RunServer(opts)
+	defer s.Shutdown()
+
+	c, err := net.Dial("tcp", fmt.Sprintf("%s:%d", opts.Host, opts.Cluster.Port))
+	if err != nil {
+		t.Fatalf("Error connecting: %v", err)
+	}
+	defer c.Close()
+
+	cr := bufio.NewReader(c)
+
+	// Wait for INFO...
+	line, _, _ := cr.ReadLine()
+	var info serverInfo
+	if err = json.Unmarshal(line[5:], &info); err != nil {
+		t.Fatalf("Could not parse INFO json: %v\n", err)
+	}
+
+	// The server will send a PING, too
+	line, _, _ = cr.ReadLine()
+	if string(line) != "PING" {
+		t.Fatalf("Expected 'PING' but got %q", line)
+	}
+
+	// Wait out the clock so we hit the auth timeout
+	time.Sleep(secondsToDuration(opts.AuthTimeout) * 2)
+	line, _, _ = cr.ReadLine()
+	if string(line) != "-ERR 'Authentication Timeout'" {
+		t.Fatalf("Expected '-ERR 'Authentication Timeout'' but got %q", line)
+	}
+
+	// There shouldn't be a route entry as we didn't set up.
+	if nc := s.NumRoutes(); nc != 0 {
+		t.Fatalf("Server should have no route connections, got %v", nc)
+	}
+}
diff --git a/server/sendq.go b/server/sendq.go
index 2c4139710..0287c5548 100644
--- a/server/sendq.go
+++ b/server/sendq.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 The NATS Authors
+// Copyright 2020-2023 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -50,6 +50,14 @@ func (sq *sendq) internalLoop() {
 
 	defer c.closeConnection(ClientClosed)
 
+	// To optimize for not converting a string to a []byte slice.
+	var (
+		subj [256]byte
+		rply [256]byte
+		szb  [10]byte
+		hdb  [10]byte
+	)
+
 	for s.isRunning() {
 		select {
 		case <-s.quitCh:
@@ -57,14 +65,18 @@ func (sq *sendq) internalLoop() {
 		case <-q.ch:
 			pms := q.pop()
 			for _, pm := range pms {
-				c.pa.subject = []byte(pm.subj)
+				c.pa.subject = append(subj[:0], pm.subj...)
 				c.pa.size = len(pm.msg) + len(pm.hdr)
-				c.pa.szb = []byte(strconv.Itoa(c.pa.size))
-				c.pa.reply = []byte(pm.rply)
+				c.pa.szb = append(szb[:0], strconv.Itoa(c.pa.size)...)
+				if len(pm.rply) > 0 {
+					c.pa.reply = append(rply[:0], pm.rply...)
+				} else {
+					c.pa.reply = nil
+				}
 				var msg []byte
 				if len(pm.hdr) > 0 {
 					c.pa.hdr = len(pm.hdr)
-					c.pa.hdb = []byte(strconv.Itoa(c.pa.hdr))
+					c.pa.hdb = append(hdb[:0], strconv.Itoa(c.pa.hdr)...)
 					msg = append(pm.hdr, pm.msg...)
 					msg = append(msg, _CRLF_...)
 				} else {
@@ -74,6 +86,7 @@ func (sq *sendq) internalLoop() {
 				}
 				c.processInboundClientMsg(msg)
 				c.pa.szb = nil
+				outMsgPool.Put(pm)
 			}
 			// TODO: should this be in the for-loop instead?
 			c.flushClients(0)
@@ -82,8 +95,20 @@ func (sq *sendq) internalLoop() {
 	}
 }
 
+var outMsgPool = sync.Pool{
+	New: func() any {
+		return &outMsg{}
+	},
+}
+
 func (sq *sendq) send(subj, rply string, hdr, msg []byte) {
-	out := &outMsg{subj, rply, nil, nil}
+	if sq == nil {
+		return
+	}
+	out := outMsgPool.Get().(*outMsg)
+	out.subj, out.rply = subj, rply
+	out.hdr, out.msg = nil, nil
+
 	// We will copy these for now.
 	if len(hdr) > 0 {
 		hdr = copyBytes(hdr)
diff --git a/server/server.go b/server/server.go
index 3fd161da9..1a645848c 100644
--- a/server/server.go
+++ b/server/server.go
@@ -85,7 +85,7 @@ type Info struct {
 	ClientConnectURLs []string `json:"connect_urls,omitempty"`    // Contains URLs a client can connect to.
 	WSConnectURLs     []string `json:"ws_connect_urls,omitempty"` // Contains URLs a ws client can connect to.
 	LameDuckMode      bool     `json:"ldm,omitempty"`
-	ConnectionId      string   `json:"connection_id"`
+	ConnectionId      string   `json:"connection_id"` // ** added by memphis
 
 	// Route Specific
 	Import        *SubjectPermission `json:"import,omitempty"`
@@ -123,7 +123,6 @@ type Server struct {
 	opts                *Options
 	running             bool
 	shutdown            bool
-	reloading           bool
 	listener            net.Listener
 	listenerErr         error
 	gacc                *Account
@@ -250,6 +249,12 @@ type Server struct {
 	// OCSP monitoring
 	ocsps []*OCSPMonitor
 
+	// OCSP peer verification (at least one TLS block)
+	ocspPeerVerify bool
+
+	// OCSP response cache
+	ocsprc OCSPResponseCache
+
 	// exporting account name the importer experienced issues with
 	incompleteAccExporterMap sync.Map
 
@@ -295,7 +300,7 @@ type Server struct {
 	// Queue to process JS API requests that come from routes (or gateways)
 	jsAPIRoutedReqs *ipQueue[*jsAPIRoutedReq]
 
-	memphis srvMemphis
+	memphis srvMemphis // ** added by memphis
 }
 
 // For tracking JS nodes.
@@ -414,7 +419,7 @@ func NewServer(opts *Options) (*Server, error) {
 		info.TLSAvailable = true
 	}
 
-	now := time.Now().UTC()
+	now := time.Now()
 
 	s := &Server{
 		kp:                 kp,
@@ -494,8 +499,8 @@ func NewServer(opts *Options) (*Server, error) {
 	// Ensure that non-exported options (used in tests) are properly set.
 	s.setLeafNodeNonExportedOptions()
 
-	// Setup OCSP Stapling. This will abort server from starting if there
-	// are no valid staples and OCSP policy is set to Always or MustStaple.
+	// Setup OCSP Stapling and OCSP Peer. This will abort server from starting if there
+	// are no valid staples and OCSP Stapling policy is set to Always or MustStaple.
 	if err := s.enableOCSP(); err != nil {
 		return nil, err
 	}
@@ -571,22 +576,22 @@ func NewServer(opts *Options) (*Server, error) {
 			s.mu.Unlock()
 			var a *Account
 			// perform direct lookup to avoid warning trace
-			if _, err := fetchAccount(ar, s.opts.SystemAccount); err == nil {
-				a, _ = s.lookupAccount(s.opts.SystemAccount)
+			if _, err := fetchAccount(ar, opts.SystemAccount); err == nil {
+				a, _ = s.lookupAccount(opts.SystemAccount)
 			}
 			s.mu.Lock()
 			if a == nil {
-				sac := NewAccount(s.opts.SystemAccount)
+				sac := NewAccount(opts.SystemAccount)
 				sac.Issuer = opts.TrustedOperators[0].Issuer
 				sac.signingKeys = map[string]jwt.Scope{}
-				sac.signingKeys[s.opts.SystemAccount] = nil
+				sac.signingKeys[opts.SystemAccount] = nil
 				s.registerAccountNoLock(sac)
 			}
 		}
 	}
 
 	// For tracking accounts
-	if err := s.configureAccounts(); err != nil {
+	if _, err := s.configureAccounts(false); err != nil {
 		return nil, err
 	}
 
@@ -779,6 +784,7 @@ func (s *Server) globalAccount() *Account {
 	return gacc
 }
 
+// ** added by Memphis
 func (s *Server) MemphisGlobalAccount() *Account {
 	acc := MEMPHIS_GLOBAL_ACCOUNT
 	if !configuration.USER_PASS_BASED_AUTH {
@@ -801,40 +807,89 @@ func (s *Server) MemphisGlobalAccountString() string {
 	return acc
 }
 
-// Used to setup Accounts.
-// Lock is held upon entry.
-func (s *Server) configureAccounts() error {
+// ** added by Memphis
+
+// Used to setup or update Accounts.
+// Returns a map that indicates which accounts have had their stream imports
+// changed (in case of an update in configuration reload).
+// Lock is held upon entry, but will be released/reacquired in this function.
+func (s *Server) configureAccounts(reloading bool) (map[string]struct{}, error) {
+	awcsti := make(map[string]struct{})
+
 	// Create the global account.
 	if s.gacc == nil {
 		s.gacc = NewAccount(globalAccountName)
 		s.registerAccountNoLock(s.gacc)
 	}
 
-	opts := s.opts
+	opts := s.getOpts()
+
+	// We need to track service imports since we can not swap them out (unsub and re-sub)
+	// until the proper server struct accounts have been swapped in properly. Doing it in
+	// place could lead to data loss or server panic since account under new si has no real
+	// account and hence no sublist, so will panic on inbound message.
+	siMap := make(map[*Account][][]byte)
 
 	// Check opts and walk through them. We need to copy them here
 	// so that we do not keep a real one sitting in the options.
-	for _, acc := range s.opts.Accounts {
+	for _, acc := range opts.Accounts {
 		var a *Account
-		if acc.Name == globalAccountName {
-			a = s.gacc
-		} else {
-			a = acc.shallowCopy()
+		create := true
+		// For the global account, we want to skip the reload process
+		// and fall back into the "create" case which will in that
+		// case really be just an update (shallowCopy will make sure
+		// that mappings are copied over).
+		if reloading && acc.Name != globalAccountName {
+			if ai, ok := s.accounts.Load(acc.Name); ok {
+				a = ai.(*Account)
+				a.mu.Lock()
+				// Before updating the account, check if stream imports have changed.
+				if !a.checkStreamImportsEqual(acc) {
+					awcsti[acc.Name] = struct{}{}
+				}
+				// Collect the sids for the service imports since we are going to
+				// replace with new ones.
+				var sids [][]byte
+				for _, si := range a.imports.services {
+					if si.sid != nil {
+						sids = append(sids, si.sid)
+					}
+				}
+				// Setup to process later if needed.
+				if len(sids) > 0 || len(acc.imports.services) > 0 {
+					siMap[a] = sids
+				}
+
+				// Now reset all export/imports fields since they are going to be
+				// filled in shallowCopy()
+				a.imports.streams, a.imports.services = nil, nil
+				a.exports.streams, a.exports.services = nil, nil
+				// We call shallowCopy from the account `acc` (the one in Options)
+				// and pass `a` (our existing account) to get it updated.
+				acc.shallowCopy(a)
+				a.mu.Unlock()
+				create = false
+			}
 		}
-		if acc.hasMappings() {
-			// For now just move and wipe from opts.Accounts version.
-			a.mappings = acc.mappings
-			acc.mappings = nil
-			// We use this for selecting between multiple weighted destinations.
-			a.prand = rand.New(rand.NewSource(time.Now().UnixNano()))
+		if create {
+			if acc.Name == globalAccountName {
+				a = s.gacc
+			} else {
+				a = NewAccount(acc.Name)
+			}
+			// Locking matters in the case of an update of the global account
+			a.mu.Lock()
+			acc.shallowCopy(a)
+			a.mu.Unlock()
+			// Will be a no-op in case of the global account since it is alrady registered.
+			s.registerAccountNoLock(a)
 		}
-		acc.sl = nil
-		acc.clients = nil
-		s.registerAccountNoLock(a)
+		// The `acc` account is stored in options, not in the server, and these can be cleared.
+		acc.sl, acc.clients, acc.mappings = nil, nil, nil
 
 		// If we see an account defined using $SYS we will make sure that is set as system account.
 		if acc.Name == DEFAULT_SYSTEM_ACCOUNT && opts.SystemAccount == _EMPTY_ {
-			s.opts.SystemAccount = DEFAULT_SYSTEM_ACCOUNT
+			opts.SystemAccount = DEFAULT_SYSTEM_ACCOUNT
 		}
 	}
 
@@ -853,6 +908,7 @@ func (s *Server) configureAccounts() error {
 	s.accounts.Range(func(k, v interface{}) bool {
 		numAccounts++
 		acc := v.(*Account)
+		acc.mu.Lock()
 		// Exports
 		for _, se := range acc.exports.streams {
 			if se != nil {
@@ -879,19 +935,47 @@ func (s *Server) configureAccounts() error {
 		for _, si := range acc.imports.services {
 			if v, ok := s.accounts.Load(si.acc.Name); ok {
 				si.acc = v.(*Account)
+
+				// It is possible to allow for latency tracking inside your
+				// own account, so lock only when not the same account.
+				if si.acc == acc {
+					si.se = si.acc.getServiceExport(si.to)
+					continue
+				}
+				si.acc.mu.RLock()
 				si.se = si.acc.getServiceExport(si.to)
+				si.acc.mu.RUnlock()
 			}
 		}
 		// Make sure the subs are running, but only if not reloading.
-		if len(acc.imports.services) > 0 && acc.ic == nil && !s.reloading {
+		if len(acc.imports.services) > 0 && acc.ic == nil && !reloading {
 			acc.ic = s.createInternalAccountClient()
 			acc.ic.acc = acc
+			// Need to release locks to invoke this function.
+			acc.mu.Unlock()
+			s.mu.Unlock()
 			acc.addAllServiceImportSubs()
+			s.mu.Lock()
+			acc.mu.Lock()
 		}
-		acc.updated = time.Now().UTC()
+		acc.updated = time.Now()
+		acc.mu.Unlock()
 		return true
 	})
 
+	// Check if we need to process service imports pending from above.
+	// This processing needs to be after we swap in the real accounts above.
+	for acc, sids := range siMap {
+		c := acc.ic
+		for _, sid := range sids {
+			c.processUnsub(sid)
+		}
+		acc.addAllServiceImportSubs()
+		s.mu.Unlock()
+		s.registerSystemImports(acc)
+		s.mu.Lock()
+	}
+
 	// Set the system account if it was configured.
 	// Otherwise create a default one.
 	if opts.SystemAccount != _EMPTY_ {
@@ -908,14 +992,14 @@ func (s *Server) configureAccounts() error {
 			s.mu.Lock()
 		}
 		if err != nil {
-			return fmt.Errorf("error resolving system account: %v", err)
+			return awcsti, fmt.Errorf("error resolving system account: %v", err)
 		}
 
 		// If we have defined a system account here check to see if its just us and the $G account.
 		// We would do this to add user/pass to the system account. If this is the case add in
 		// no-auth-user for $G.
 		// Only do this if non-operator mode.
-		if len(opts.TrustedOperators) == 0 && numAccounts == 2 && s.opts.NoAuthUser == _EMPTY_ {
+		if len(opts.TrustedOperators) == 0 && numAccounts == 2 && opts.NoAuthUser == _EMPTY_ {
 			// If we come here from config reload, let's not recreate the fake user name otherwise
 			// it will cause currently clients to be disconnected.
 			uname := s.sysAccOnlyNoAuthUser
@@ -930,12 +1014,12 @@ func (s *Server) configureAccounts() error {
 				uname = fmt.Sprintf("nats-%s", b[:])
 				s.sysAccOnlyNoAuthUser = uname
 			}
-			s.opts.Users = append(s.opts.Users, &User{Username: uname, Password: uname[6:], Account: s.gacc})
-			s.opts.NoAuthUser = uname
+			opts.Users = append(opts.Users, &User{Username: uname, Password: uname[6:], Account: s.gacc})
+			opts.NoAuthUser = uname
 		}
 	}
 
-	return nil
+	return awcsti, nil
 }
 
 // Setup the account resolver. For memory resolver, make sure the JWTs are
@@ -1064,16 +1148,17 @@ func (s *Server) isTrustedIssuer(issuer string) bool {
 // options-based trusted nkeys. Returns success.
 func (s *Server) processTrustedKeys() bool {
 	s.strictSigningKeyUsage = map[string]struct{}{}
+	opts := s.getOpts()
 	if trustedKeys != _EMPTY_ && !s.initStampedTrustedKeys() {
 		return false
-	} else if s.opts.TrustedKeys != nil {
-		for _, key := range s.opts.TrustedKeys {
+	} else if opts.TrustedKeys != nil {
+		for _, key := range opts.TrustedKeys {
 			if !nkeys.IsValidPublicOperatorKey(key) {
 				return false
 			}
 		}
-		s.trustedKeys = append([]string(nil), s.opts.TrustedKeys...)
-		for _, claim := range s.opts.TrustedOperators {
+		s.trustedKeys = append([]string(nil), opts.TrustedKeys...)
+		for _, claim := range opts.TrustedOperators {
 			if !claim.StrictSigningKeyUsage {
 				continue
 			}
@@ -1106,7 +1191,7 @@ func checkTrustedKeyString(keys string) []string {
 // it succeeded or not.
 func (s *Server) initStampedTrustedKeys() bool {
 	// Check to see if we have an override in options, which will cause us to fail.
-	if len(s.opts.TrustedKeys) > 0 {
+	if len(s.getOpts().TrustedKeys) > 0 {
 		return false
 	}
 	tks := checkTrustedKeyString(trustedKeys)
@@ -1322,13 +1407,13 @@ func (s *Server) setSystemAccount(acc *Account) error {
 		servers: make(map[string]*serverUpdate),
 		replies: make(map[string]msgHandler),
 		sendq:   newIPQueue[*pubMsg](s, "System sendQ"),
+		recvq:   newIPQueue[*inSysMsg](s, "System recvQ"),
 		resetCh: make(chan struct{}),
 		sq:      s.newSendQ(),
 		statsz:  eventsHBInterval,
 		orphMax: 5 * eventsHBInterval,
 		chkOrph: 3 * eventsHBInterval,
 	}
-
 	s.sys.wg.Add(1)
 	s.mu.Unlock()
 
@@ -1341,6 +1426,9 @@ func (s *Server) setSystemAccount(acc *Account) error {
 	// We do our own wg here since we will stop first during shutdown.
 	go s.internalSendLoop(&s.sys.wg)
 
+	// Start the internal loop for inbound messages.
+	go s.internalReceiveLoop()
+
 	// Start up our general subscriptions
 	s.initEventTracking()
 
@@ -1382,7 +1470,7 @@ func (s *Server) createInternalClient(kind int) *client {
 	if kind != SYSTEM && kind != JETSTREAM && kind != ACCOUNT {
 		return nil
 	}
-	now := time.Now().UTC()
+	now := time.Now()
 	c := &client{srv: s, kind: kind, opts: internalOpts, msubs: -1, mpay: -1, start: now, last: now}
 	c.initClient()
 	c.echo = false
@@ -1395,7 +1483,8 @@ func (s *Server) createInternalClient(kind int) *client {
 // efficient propagation.
 // Lock should be held on entry.
 func (s *Server) shouldTrackSubscriptions() bool {
-	return (s.opts.Cluster.Port != 0 || s.opts.Gateway.Port != 0)
+	opts := s.getOpts()
+	return (opts.Cluster.Port != 0 || opts.Gateway.Port != 0)
 }
 
 // Invokes registerAccountNoLock under the protection of the server lock.
@@ -1451,7 +1540,7 @@ func (s *Server) registerAccountNoLock(acc *Account) *Account {
 		acc.lqws = make(map[string]int32)
 	}
 	acc.srv = s
-	acc.updated = time.Now().UTC()
+	acc.updated = time.Now()
 	accName := acc.Name
 	jsEnabled := len(acc.jsLimits) > 0
 	acc.mu.Unlock()
@@ -1653,20 +1742,32 @@ func (s *Server) fetchAccount(name string) (*Account, error) {
 	}
 	// The sub imports may have been setup but will not have had their
 	// subscriptions properly setup. Do that here.
+	var needImportSubs bool
+
+	acc.mu.Lock()
 	if len(acc.imports.services) > 0 {
 		if acc.ic == nil {
 			acc.ic = s.createInternalAccountClient()
 			acc.ic.acc = acc
 		}
+		needImportSubs = true
+	}
+	acc.mu.Unlock()
+
+	// Do these outside the lock.
+	if needImportSubs {
 		acc.addAllServiceImportSubs()
 	}
+
 	return acc, nil
 }
 
-// Start up the server, this will block.
-// Start via a Go routine if needed.
+// Start up the server, this will not block.
+//
+// WaitForShutdown can be used to block and wait for the server to shutdown properly if needed
+// after calling s.Shutdown()
 func (s *Server) Start() {
-	s.Noticef("Starting Memphis{dev} broker")
+	s.Noticef("Starting Memphis{dev} broker") // ** changed by Memphis
 
 	gc := gitCommit
 	if gc == _EMPTY_ {
@@ -1677,10 +1778,19 @@ func (s *Server) Start() {
 	opts := s.getOpts()
 	clusterName := s.ClusterName()
 
-	s.Noticef("Version:  %s", s.MemphisVersion())
+	s.Noticef("Version:  %s", s.MemphisVersion()) // ** changed by Memphis
 	if clusterName != _EMPTY_ {
 		s.Noticef("  Cluster:  %s", clusterName)
 	}
+	// ** deleted by Memphis
+	// s.Noticef("  Name:     %s", s.info.Name)
+	// if opts.JetStream {
+	// 	s.Noticef("  Node:     %s", getHash(s.info.Name))
+	// }
+	// s.Noticef("  ID:       %s", s.info.ID)
+
+	// defer s.Noticef("Server is ready")
+	// ** deleted by Memphis
 
 	// Check for insecure configurations.
 	s.checkAuthforWarnings()
@@ -1780,8 +1890,9 @@ func (s *Server) Start() {
 		// In operator mode, when the account resolver depends on an external system and
 		// the system account is the bootstrapping account, start fetching it.
 		if len(opts.TrustedOperators) == 1 && opts.SystemAccount != _EMPTY_ && opts.SystemAccount != DEFAULT_SYSTEM_ACCOUNT {
+			opts := s.getOpts()
 			_, isMemResolver := ar.(*MemAccResolver)
-			if v, ok := s.accounts.Load(s.opts.SystemAccount); !isMemResolver && ok && v.(*Account).claimJWT == "" {
+			if v, ok := s.accounts.Load(opts.SystemAccount); !isMemResolver && ok && v.(*Account).claimJWT == _EMPTY_ {
 				s.Noticef("Using bootstrapping system account")
 				s.startGoRoutine(func() {
 					defer s.grWG.Done()
@@ -1793,7 +1904,7 @@ func (s *Server) Start() {
 							return
 						case <-t.C:
 							sacc := s.SystemAccount()
-							if claimJWT, err := fetchAccount(ar, s.opts.SystemAccount); err != nil {
+							if claimJWT, err := fetchAccount(ar, opts.SystemAccount); err != nil {
 								continue
 							} else if err = s.updateAccountWithClaimJWT(sacc, claimJWT); err != nil {
 								continue
@@ -1866,15 +1977,20 @@ func (s *Server) Start() {
 		}
 	}
 
-	// Start OCSP Stapling monitoring for TLS certificates if enabled.
+	// Start OCSP Stapling monitoring for TLS certificates if enabled. Hook TLS handshake for
+	// OCSP check on peers (LEAF and CLIENT kind) if enabled.
 	s.startOCSPMonitoring()
 
+	// Configure OCSP Response Cache for peer OCSP checks if enabled.
+	s.initOCSPResponseCache()
+
 	// Start up gateway if needed. Do this before starting the routes, because
 	// we want to resolve the gateway host:port so that this information can
 	// be sent to other routes.
 	if opts.Gateway.Port != 0 {
 		s.startGateways()
 	}
+
 	// Start websocket server if needed. Do this before starting the routes, and
 	// leaf node because we want to resolve the gateway host:port so that this
 	// information can be sent to other routes.
@@ -1934,6 +2050,10 @@ func (s *Server) Start() {
 	if !opts.DontListen {
 		s.AcceptLoop(clientListenReady)
 	}
+
+	// Bring OSCP Response cache online after accept loop started in anticipation of NATS-enabled cache types
+	s.startOCSPResponseCache()
+
 	//** added by memphis
 	s.initializeMemphis()
 	// added by memphis **
@@ -2097,6 +2217,12 @@ func (s *Server) Shutdown() {
 	}
 
 	s.Noticef("Server Exiting..")
+
+	// Stop OCSP Response Cache
+	if s.ocsprc != nil {
+		s.ocsprc.Stop(s)
+	}
+
 	// Close logger if applicable. It allows tests on Windows
 	// to be able to do proper cleanup (delete log file).
 	s.logging.RLock()
@@ -2164,7 +2290,7 @@ func (s *Server) AcceptLoop(clr chan struct{}) {
 	// server's info Host/Port with either values from Options or
 	// ClientAdvertise.
 	if err := s.setInfoHostPort(); err != nil {
-		s.Fatalf("Error setting server INFO with ClientAdvertise value of %s, err=%v", s.opts.ClientAdvertise, err)
+		s.Fatalf("Error setting server INFO with ClientAdvertise value of %s, err=%v", opts.ClientAdvertise, err)
 		l.Close()
 		s.mu.Unlock()
 		return
@@ -2199,7 +2325,7 @@ func (s *Server) AcceptLoop(clr chan struct{}) {
 func (s *Server) InProcessConn() (net.Conn, error) {
 	pl, pr := net.Pipe()
 	if !s.startGoRoutine(func() {
-		s.createClient(pl)
+		s.createClientInProcess(pl)
 		s.grWG.Done()
 	}) {
 		pl.Close()
@@ -2243,16 +2369,17 @@ func (s *Server) setInfoHostPort() error {
 	// When this function is called, opts.Port is set to the actual listen
 	// port (if option was originally set to RANDOM), even during a config
 	// reload. So use of s.opts.Port is safe.
-	if s.opts.ClientAdvertise != _EMPTY_ {
-		h, p, err := parseHostPort(s.opts.ClientAdvertise, s.opts.Port)
+	opts := s.getOpts()
+	if opts.ClientAdvertise != _EMPTY_ {
+		h, p, err := parseHostPort(opts.ClientAdvertise, opts.Port)
 		if err != nil {
 			return err
 		}
 		s.info.Host = h
 		s.info.Port = p
 	} else {
-		s.info.Host = s.opts.Host
-		s.info.Port = s.opts.Port
+		s.info.Host = opts.Host
+		s.info.Port = opts.Port
 	}
 	return nil
 }
@@ -2438,6 +2565,9 @@ func (s *Server) startMonitoring(secure bool) error {
 		return fmt.Errorf("can't listen to the monitor port: %v", err)
 	}
 
+	rport := httpListener.Addr().(*net.TCPAddr).Port
+	s.Noticef("Starting %s monitor on %s", monitorProtocol, net.JoinHostPort(opts.HTTPHost, strconv.Itoa(rport)))
+
 	mux := http.NewServeMux()
 
 	// Root
@@ -2550,6 +2680,14 @@ func (c *tlsMixConn) Read(b []byte) (int, error) {
 }
 
 func (s *Server) createClient(conn net.Conn) *client {
+	return s.createClientEx(conn, false)
+}
+
+func (s *Server) createClientInProcess(conn net.Conn) *client {
+	return s.createClientEx(conn, true)
+}
+
+func (s *Server) createClientEx(conn net.Conn, inProcess bool) *client {
 	// Snapshot server options.
 	opts := s.getOpts()
 
@@ -2559,7 +2697,7 @@ func (s *Server) createClient(conn net.Conn) *client {
 	if maxSubs == 0 {
 		maxSubs = -1
 	}
-	now := time.Now().UTC()
+	now := time.Now()
 
 	c := &client{srv: s, nc: conn, opts: defaultOpts, mpay: maxPay, msubs: maxSubs, start: now, last: now}
 
@@ -2587,6 +2725,13 @@ func (s *Server) createClient(conn net.Conn) *client {
 		info.AuthRequired = false
 	}
 
+	// Check to see if this is an in-process connection with tls_required.
+	// If so, set as not required, but available.
+	if inProcess && info.TLSRequired {
+		info.TLSRequired = false
+		info.TLSAvailable = true
+	}
+
 	s.totalClients++
 	s.mu.Unlock()
 
@@ -2648,8 +2793,9 @@ func (s *Server) createClient(conn net.Conn) *client {
 
 	var pre []byte
 	// If we have both TLS and non-TLS allowed we need to see which
-	// one the client wants.
-	if !isClosed && opts.TLSConfig != nil && opts.AllowNonTLS {
+	// one the client wants. We'll always allow this for in-process
+	// connections.
+	if !isClosed && opts.TLSConfig != nil && (inProcess || opts.AllowNonTLS) {
 		pre = make([]byte, 4)
 		c.nc.SetReadDeadline(time.Now().Add(secondsToDuration(opts.TLSTimeout)))
 		n, _ := io.ReadFull(c.nc, pre[:])
@@ -2707,9 +2853,7 @@ func (s *Server) createClient(conn net.Conn) *client {
 	c.setPingTimer()
 
 	// Spin up the read loop.
-	s.startGoRoutine(func() {
-		c.readLoop(pre)
-	})
+	s.startGoRoutine(func() { c.readLoop(pre) })
 
 	// Spin up the write loop.
 	s.startGoRoutine(func() { c.writeLoop() })
@@ -2728,7 +2872,7 @@ func (s *Server) createClient(conn net.Conn) *client {
 // This will save off a closed client in a ring buffer such that
 // /connz can inspect. Useful for debugging, etc.
 func (s *Server) saveClosedClient(c *client, nc net.Conn, reason ClosedState) {
-	now := time.Now().UTC()
+	now := time.Now()
 
 	s.accountDisconnectEvent(c, now, reason.String())
 
@@ -2747,7 +2891,7 @@ func (s *Server) saveClosedClient(c *client, nc net.Conn, reason ClosedState) {
 		}
 	}
 	// Hold user as well.
-	cc.user = c.opts.Username
+	cc.user = c.getRawAuthUser()
 	// Hold account name if not the global account.
 	if c.acc != nil && c.acc.Name != globalAccountName {
 		cc.acc = c.acc.Name
@@ -3051,7 +3195,7 @@ func (s *Server) readyForConnections(d time.Duration) error {
 		chk["server"] = info{ok: s.listener != nil || opts.DontListen, err: s.listenerErr}
 		chk["route"] = info{ok: (opts.Cluster.Port == 0 || s.routeListener != nil), err: s.routeListenerErr}
 		chk["gateway"] = info{ok: (opts.Gateway.Name == _EMPTY_ || s.gatewayListener != nil), err: s.gatewayListenerErr}
-		chk["leafNode"] = info{ok: (opts.LeafNode.Port == 0 || s.leafNodeListener != nil), err: s.leafNodeListenerErr}
+		chk["leafnode"] = info{ok: (opts.LeafNode.Port == 0 || s.leafNodeListener != nil), err: s.leafNodeListenerErr}
 		chk["websocket"] = info{ok: (opts.Websocket.Port == 0 || s.websocket.listener != nil), err: s.websocket.listenerErr}
 		chk["mqtt"] = info{ok: (opts.MQTT.Port == 0 || s.mqtt.listener != nil), err: s.mqtt.listenerErr}
 		s.mu.RUnlock()
@@ -3486,6 +3630,7 @@ func (s *Server) lameDuckMode() {
 	}
 	s.Noticef("Entering lame duck mode, stop accepting new clients")
 	s.ldm = true
+	s.sendLDMShutdownEventLocked()
 	expected := 1
 	s.listener.Close()
 	s.listener = nil
@@ -3540,7 +3685,10 @@ func (s *Server) lameDuckMode() {
 	numClients := int64(len(s.clients))
 	batch := 1
 	// Sleep interval between each client connection close.
-	si := dur / numClients
+	var si int64
+	if numClients != 0 {
+		si = dur / numClients
+	}
 	if si < 1 {
 		// Should not happen (except in test with very small LD duration), but
 		// if there are too many clients, batch the number of close and
@@ -3745,7 +3893,7 @@ func (s *Server) updateRemoteSubscription(acc *Account, sub *subscription, delta
 		s.gatewayUpdateSubInterest(acc.Name, sub, delta)
 	}
 
-	s.updateLeafNodes(acc, sub, delta)
+	acc.updateLeafNodes(sub, delta)
 }
 
 func (s *Server) startRateLimitLogExpiration() {
diff --git a/server/server_test.go b/server/server_test.go
index 27cce2354..467a08441 100644
--- a/server/server_test.go
+++ b/server/server_test.go
@@ -86,7 +86,7 @@ func RunServer(opts *Options) *Server {
 	}
 
 	// Run server in Go routine.
-	go s.Start()
+	s.Start()
 
 	// Wait for accept loop(s) to be started
 	if err := s.readyForConnections(10 * time.Second); err != nil {
diff --git a/server/signal_test.go b/server/signal_test.go
index 4a2064668..14a8e1d5b 100644
--- a/server/signal_test.go
+++ b/server/signal_test.go
@@ -44,7 +44,7 @@ func TestSignalToReOpenLogFile(t *testing.T) {
 	defer s.Shutdown()
 
 	// Set the file log
-	fileLog := logger.NewFileLogger(s.opts.LogFile, s.opts.Logtime, s.opts.Debug, s.opts.Trace, true)
+	fileLog := logger.NewFileLogger(s.opts.LogFile, s.opts.Logtime, s.opts.Debug, s.opts.Trace, true, logger.LogUTC(s.opts.LogtimeUTC))
 	s.SetLogger(fileLog, false, false)
 
 	// Add a trace
diff --git a/server/split_test.go b/server/split_test.go
index 76c40260a..571e9ff73 100644
--- a/server/split_test.go
+++ b/server/split_test.go
@@ -10,6 +10,7 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+
 package server
 
 import (
diff --git a/server/store.go b/server/store.go
index 24326e604..3fdf1c868 100644
--- a/server/store.go
+++ b/server/store.go
@@ -61,8 +61,6 @@ var (
 	ErrInvalidSequence = errors.New("invalid sequence")
 	// ErrSequenceMismatch is returned when storing a raw message and the expected sequence is wrong.
 	ErrSequenceMismatch = errors.New("expected sequence does not match store")
-	// ErrPurgeArgMismatch is returned when PurgeEx is called with sequence > 1 and keep > 0.
-	ErrPurgeArgMismatch = errors.New("sequence > 1 && keep > 0 not allowed")
 )
 
 // StoreMsg is the stored message format for messages that are retained by the Store layer.
@@ -157,6 +155,9 @@ type SimpleState struct {
 	Msgs  uint64 `json:"messages"`
 	First uint64 `json:"first_seq"`
 	Last  uint64 `json:"last_seq"`
+
+	// Internal usage for when the first needs to be updated before use.
+	firstNeedsUpdate bool
 }
 
 // LostStreamData indicates msgs that have been lost.
diff --git a/server/stream.go b/server/stream.go
index 05fba073b..dd2c97bef 100644
--- a/server/stream.go
+++ b/server/stream.go
@@ -57,7 +57,7 @@ type StreamConfig struct {
 	Placement            *Placement      `json:"placement,omitempty"`
 	Mirror               *StreamSource   `json:"mirror,omitempty"`
 	Sources              []*StreamSource `json:"sources,omitempty"`
-	TieredStorageEnabled bool            `json:"tiered_storage_enabled"`
+	TieredStorageEnabled bool            `json:"tiered_storage_enabled"` // ** added by memphis
 
 	// Allow republish of the message after being sequenced and stored.
 	RePublish *RePublish `json:"republish,omitempty"`
@@ -194,6 +194,7 @@ type stream struct {
 	pubAck    []byte
 	outq      *jsOutQ
 	msgs      *ipQueue[*inMsg]
+	gets      *ipQueue[*directGetReq]
 	store     StreamStore
 	ackq      *ipQueue[uint64]
 	lseq      uint64
@@ -211,6 +212,7 @@ type stream struct {
 	qch       chan struct{}
 	active    bool
 	ddloaded  bool
+	closed    bool
 
 	// Mirror
 	mirror *sourceInfo
@@ -231,6 +233,10 @@ type stream struct {
 	sigq  *ipQueue[*cMsg]
 	csl   *Sublist
 
+	// For non limits policy streams when they process an ack before the actual msg.
+	// Can happen in stretch clusters, multi-cloud, or during catchup for a restarted server.
+	preAcks map[uint64]map[*consumer]struct{}
+
 	// TODO(dlc) - Hide everything below behind two pointers.
 	// Clustered mode.
 	sa         *streamAssignment
@@ -246,6 +252,7 @@ type stream struct {
 	catchups   map[string]uint64
 	uch        chan struct{}
 	compressOK bool
+	inMonitor  bool
 
 	// Direct get subscription.
 	directSub *subscription
@@ -282,7 +289,7 @@ const (
 
 // Headers for published messages.
 const (
-	JSMsgId               = "msg-id"
+	JSMsgId               = "msg-id" // ** changed by Memphis
 	JSExpectedStream      = "Nats-Expected-Stream"
 	JSExpectedLastSeq     = "Nats-Expected-Last-Sequence"
 	JSExpectedLastSubjSeq = "Nats-Expected-Last-Subject-Sequence"
@@ -361,10 +368,23 @@ func (a *Account) addStreamWithAssignment(config *StreamConfig, fsConfig *FileSt
 		return nil, ApiErrors[JSStreamReplicasNotSupportedErr]
 	}
 
+	// Make sure we are ok when these are done in parallel.
+	v, loaded := jsa.inflight.LoadOrStore(cfg.Name, &sync.WaitGroup{})
+	wg := v.(*sync.WaitGroup)
+	if loaded {
+		wg.Wait()
+	} else {
+		wg.Add(1)
+		defer func() {
+			jsa.inflight.Delete(cfg.Name)
+			wg.Done()
+		}()
+	}
+
 	js, isClustered := jsa.jetStreamAndClustered()
-	jsa.mu.RLock()
+	jsa.mu.Lock()
 	if mset, ok := jsa.streams[cfg.Name]; ok {
-		jsa.mu.RUnlock()
+		jsa.mu.Unlock()
 		// Check to see if configs are same.
 		ocfg := mset.config()
 		if reflect.DeepEqual(ocfg, cfg) {
@@ -383,7 +403,8 @@ func (a *Account) addStreamWithAssignment(config *StreamConfig, fsConfig *FileSt
 	if !isClustered {
 		reserved = jsa.tieredReservation(tier, &cfg)
 	}
-	jsa.mu.RUnlock()
+	jsa.mu.Unlock()
+
 	if !hasTier {
 		return nil, NewJSNoLimitsError()
 	}
@@ -441,6 +462,7 @@ func (a *Account) addStreamWithAssignment(config *StreamConfig, fsConfig *FileSt
 		stype:     cfg.Storage,
 		consumers: make(map[string]*consumer),
 		msgs:      newIPQueue[*inMsg](s, qpfx+"messages"),
+		gets:      newIPQueue[*directGetReq](s, qpfx+"direct gets"),
 		qch:       make(chan struct{}),
 		uch:       make(chan struct{}, 4),
 		sch:       make(chan struct{}, 1),
@@ -580,6 +602,20 @@ func (mset *stream) streamAssignment() *streamAssignment {
 }
 
 func (mset *stream) setStreamAssignment(sa *streamAssignment) {
+	var node RaftNode
+
+	mset.mu.RLock()
+	js := mset.js
+	mset.mu.RUnlock()
+
+	if js != nil {
+		js.mu.RLock()
+		if sa.Group != nil {
+			node = sa.Group.node
+		}
+		js.mu.RUnlock()
+	}
+
 	mset.mu.Lock()
 	defer mset.mu.Unlock()
 
@@ -589,7 +625,7 @@ func (mset *stream) setStreamAssignment(sa *streamAssignment) {
 	}
 
 	// Set our node.
-	mset.node = sa.Group.node
+	mset.node = node
 	if mset.node != nil {
 		mset.node.UpdateKnownPeers(sa.Group.Peers)
 	}
@@ -803,6 +839,14 @@ func (mset *stream) lastSeqAndCLFS() (uint64, uint64) {
 	return mset.lseq, mset.clfs
 }
 
+func (mset *stream) clearCLFS() uint64 {
+	mset.mu.Lock()
+	defer mset.mu.Unlock()
+	clfs := mset.clfs
+	mset.clfs, mset.clseq = 0, 0
+	return clfs
+}
+
 func (mset *stream) lastSeq() uint64 {
 	mset.mu.RLock()
 	lseq := mset.lseq
@@ -1077,62 +1121,68 @@ func (s *Server) checkStreamCfg(config *StreamConfig, acc *Account) (StreamConfi
 		if len(cfg.Sources) > 0 {
 			return StreamConfig{}, NewJSMirrorWithSourcesError()
 		}
-		// We do not require other stream to exist anymore, but if we can see it check payloads.
-		exists, maxMsgSize, subs := hasStream(cfg.Mirror.Name)
-		if len(subs) > 0 {
-			streamSubs = append(streamSubs, subs...)
-		}
-		if exists {
-			if cfg.MaxMsgSize > 0 && maxMsgSize > 0 && cfg.MaxMsgSize < maxMsgSize {
-				return StreamConfig{}, NewJSMirrorMaxMessageSizeTooBigError()
+		// Do not perform checks if External is provided, as it could lead to
+		// checking against itself (if sourced stream name is the same on different JetStream)
+		if cfg.Mirror.External == nil {
+			// We do not require other stream to exist anymore, but if we can see it check payloads.
+			exists, maxMsgSize, subs := hasStream(cfg.Mirror.Name)
+			if len(subs) > 0 {
+				streamSubs = append(streamSubs, subs...)
 			}
-			if !isRecovering && !hasFilterSubjectOverlap(cfg.Mirror.FilterSubject, subs) {
-				return StreamConfig{}, NewJSStreamInvalidConfigError(
-					fmt.Errorf("mirror '%s' filter subject '%s' does not overlap with any origin stream subject",
-						cfg.Mirror.Name, cfg.Mirror.FilterSubject))
+			if exists {
+				if cfg.MaxMsgSize > 0 && maxMsgSize > 0 && cfg.MaxMsgSize < maxMsgSize {
+					return StreamConfig{}, NewJSMirrorMaxMessageSizeTooBigError()
+				}
+				if !isRecovering && !hasFilterSubjectOverlap(cfg.Mirror.FilterSubject, subs) {
+					return StreamConfig{}, NewJSStreamInvalidConfigError(
+						fmt.Errorf("mirror '%s' filter subject '%s' does not overlap with any origin stream subject",
+							cfg.Mirror.Name, cfg.Mirror.FilterSubject))
+				}
 			}
-		}
-		if cfg.Mirror.External != nil {
+			// Determine if we are inheriting direct gets.
+			if exists, ocfg := getStream(cfg.Mirror.Name); exists {
+				cfg.MirrorDirect = ocfg.AllowDirect
+			} else if js := s.getJetStream(); js != nil && js.isClustered() {
+				// Could not find it here. If we are clustered we can look it up.
+				js.mu.RLock()
+				if cc := js.cluster; cc != nil {
+					if as := cc.streams[acc.Name]; as != nil {
+						if sa := as[cfg.Mirror.Name]; sa != nil {
+							cfg.MirrorDirect = sa.Config.AllowDirect
+						}
+					}
+				}
+				js.mu.RUnlock()
+			}
+		} else {
 			if cfg.Mirror.External.DeliverPrefix != _EMPTY_ {
 				deliveryPrefixes = append(deliveryPrefixes, cfg.Mirror.External.DeliverPrefix)
 			}
 			if cfg.Mirror.External.ApiPrefix != _EMPTY_ {
 				apiPrefixes = append(apiPrefixes, cfg.Mirror.External.ApiPrefix)
 			}
-		}
-		// Determine if we are inheriting direct gets.
-		if exists, ocfg := getStream(cfg.Mirror.Name); exists {
-			cfg.MirrorDirect = ocfg.AllowDirect
-		} else if js := s.getJetStream(); js != nil && js.isClustered() {
-			// Could not find it here. If we are clustered we can look it up.
-			js.mu.RLock()
-			if cc := js.cluster; cc != nil {
-				if as := cc.streams[acc.Name]; as != nil {
-					if sa := as[cfg.Mirror.Name]; sa != nil {
-						cfg.MirrorDirect = sa.Config.AllowDirect
-					}
-				}
-			}
-			js.mu.RUnlock()
+
 		}
 	}
 	if len(cfg.Sources) > 0 {
 		for _, src := range cfg.Sources {
-			exists, maxMsgSize, subs := hasStream(src.Name)
-			if len(subs) > 0 {
-				streamSubs = append(streamSubs, subs...)
-			}
-			if exists {
-				if cfg.MaxMsgSize > 0 && maxMsgSize > 0 && cfg.MaxMsgSize < maxMsgSize {
-					return StreamConfig{}, NewJSSourceMaxMessageSizeTooBigError()
+			// Do not perform checks if External is provided, as it could lead to
+			// checking against itself (if sourced stream name is the same on different JetStream)
+			if src.External == nil {
+				exists, maxMsgSize, subs := hasStream(src.Name)
+				if len(subs) > 0 {
+					streamSubs = append(streamSubs, subs...)
 				}
-				if !isRecovering && !hasFilterSubjectOverlap(src.FilterSubject, streamSubs) {
-					return StreamConfig{}, NewJSStreamInvalidConfigError(
-						fmt.Errorf("source '%s' filter subject '%s' does not overlap with any origin stream subject",
-							src.Name, src.FilterSubject))
+				if exists {
+					if cfg.MaxMsgSize > 0 && maxMsgSize > 0 && cfg.MaxMsgSize < maxMsgSize {
+						return StreamConfig{}, NewJSSourceMaxMessageSizeTooBigError()
+					}
+					if !isRecovering && !hasFilterSubjectOverlap(src.FilterSubject, streamSubs) {
+						return StreamConfig{}, NewJSStreamInvalidConfigError(
+							fmt.Errorf("source '%s' filter subject '%s' does not overlap with any origin stream subject",
+								src.Name, src.FilterSubject))
+					}
 				}
-			}
-			if src.External == nil {
 				continue
 			}
 			if src.External.DeliverPrefix != _EMPTY_ {
@@ -1574,14 +1624,14 @@ func (mset *stream) updateWithAdvisory(config *StreamConfig, sendAdvisory bool)
 
 	if targetTier := tierName(cfg); mset.tier != targetTier {
 		// In cases such as R1->R3, only one update is needed
-		mset.jsa.usageMu.RLock()
-		_, ok := mset.jsa.limits[targetTier]
-		mset.jsa.usageMu.RUnlock()
+		jsa.usageMu.RLock()
+		_, ok := jsa.limits[targetTier]
+		jsa.usageMu.RUnlock()
 		if ok {
 			// error never set
 			_, reported, _ := mset.store.Utilization()
-			mset.jsa.updateUsage(mset.tier, mset.stype, -int64(reported))
-			mset.jsa.updateUsage(targetTier, mset.stype, int64(reported))
+			jsa.updateUsage(mset.tier, mset.stype, -int64(reported))
+			jsa.updateUsage(targetTier, mset.stype, int64(reported))
 			mset.tier = targetTier
 		}
 		// else in case the new tier does not exist (say on move), keep the old tier around
@@ -1630,7 +1680,7 @@ func (mset *stream) purge(preq *JSApiStreamPurgeRequest) (purged uint64, err err
 		mset.mu.RUnlock()
 		return 0, errors.New("sealed stream")
 	}
-	store := mset.store
+	store, mlseq := mset.store, mset.lseq
 	mset.mu.RUnlock()
 
 	if preq != nil {
@@ -1642,11 +1692,17 @@ func (mset *stream) purge(preq *JSApiStreamPurgeRequest) (purged uint64, err err
 		return purged, err
 	}
 
-	// Purge consumers.
+	// Grab our stream state.
 	var state StreamState
 	store.FastState(&state)
 	fseq, lseq := state.FirstSeq, state.LastSeq
 
+	// Check if our last has moved past what our original last sequence was, if so reset.
+	if lseq > mlseq {
+		mset.setLastSeq(lseq)
+	}
+
+	// Purge consumers.
 	// Check for filtered purge.
 	if preq != nil && preq.Subject != _EMPTY_ {
 		ss := store.FilteredState(state.FirstSeq, preq.Subject)
@@ -1686,6 +1742,7 @@ func (mset *stream) deleteMsg(seq uint64) (bool, error) {
 		return false, fmt.Errorf("invalid stream")
 	}
 	mset.mu.RUnlock()
+
 	return mset.store.RemoveMsg(seq)
 }
 
@@ -1746,7 +1803,9 @@ func gatherSourceMirrorSubjects(subjects []string, cfg *StreamConfig, acc *Accou
 
 // Return the subjects for a stream source.
 func (a *Account) streamSourceSubjects(ss *StreamSource, seen map[string]bool) (subjects []string, hasExt bool) {
-	if ss != nil && ss.External != nil {
+	if ss == nil {
+		return nil, false
+	} else if ss.External != nil {
 		return nil, true
 	}
 
@@ -2043,7 +2102,7 @@ func (mset *stream) processInboundMirrorMsg(m *inMsg) bool {
 	var err error
 	if node != nil {
 		if js.limitsExceeded(stype) {
-			s.resourcesExeededError()
+			s.resourcesExceededError()
 			err = ApiErrors[JSInsufficientResourcesErr]
 		} else {
 			err = node.Propose(encodeStreamMsg(m.subj, _EMPTY_, m.hdr, m.msg, sseq-1, ts))
@@ -2355,7 +2414,14 @@ func (mset *stream) setupMirrorConsumer() error {
 
 				// Check if we need to skip messages.
 				if state.LastSeq != ccr.ConsumerInfo.Delivered.Stream {
-					mset.skipMsgs(state.LastSeq+1, ccr.ConsumerInfo.Delivered.Stream)
+					// Check to see if delivered is past our last and we have no msgs. This will help the
+					// case when mirroring a stream that has a very high starting sequence number.
+					if state.Msgs == 0 && ccr.ConsumerInfo.Delivered.Stream > state.LastSeq {
+						mset.store.PurgeEx(_EMPTY_, ccr.ConsumerInfo.Delivered.Stream+1, 0)
+						mset.lseq = ccr.ConsumerInfo.Delivered.Stream
+					} else {
+						mset.skipMsgs(state.LastSeq+1, ccr.ConsumerInfo.Delivered.Stream)
+					}
 				}
 
 				// Capture consumer name.
@@ -2918,7 +2984,7 @@ func streamAndSeq(shdr string) (string, uint64) {
 	}
 	// New version which is stream index name <SPC> sequence
 	fields := strings.Fields(shdr)
-	if len(fields) != 2 {
+	if len(fields) < 2 {
 		return _EMPTY_, 0
 	}
 	return fields[0], uint64(parseAckReplyNum(fields[1]))
@@ -3306,10 +3372,12 @@ func (mset *stream) setupStore(fsCfg *FileStoreConfig) error {
 			return err
 		}
 		mset.store = fs
+		// Register our server.
+		fs.registerServer(s)
 	}
-	mset.mu.Unlock()
-
+	// This will fire the callback but we do not require the lock since md will be 0 here.
 	mset.store.RegisterStorageUpdates(mset.storeUpdates)
+	mset.mu.Unlock()
 
 	return nil
 }
@@ -3508,12 +3576,25 @@ func (mset *stream) queueInboundMsg(subj, rply string, hdr, msg []byte) {
 	mset.queueInbound(mset.msgs, subj, rply, hdr, msg)
 }
 
+var dgPool = sync.Pool{
+	New: func() interface{} {
+		return &directGetReq{}
+	},
+}
+
+// For when we need to not inline the request.
+type directGetReq struct {
+	// Copy of this is correct for this.
+	req   JSApiMsgGetRequest
+	reply string
+}
+
 // processDirectGetRequest handles direct get request for stream messages.
 func (mset *stream) processDirectGetRequest(_ *subscription, c *client, _ *Account, subject, reply string, rmsg []byte) {
-	_, msg := c.msgParts(rmsg)
 	if len(reply) == 0 {
 		return
 	}
+	_, msg := c.msgParts(rmsg)
 	if len(msg) == 0 {
 		hdr := []byte("NATS/1.0 408 Empty Request\r\n\r\n")
 		mset.outq.send(newJSPubMsg(reply, _EMPTY_, _EMPTY_, hdr, nil, nil, 0))
@@ -3546,26 +3627,20 @@ func (mset *stream) processDirectGetRequest(_ *subscription, c *client, _ *Accou
 
 	inlineOk := c.kind != ROUTER && c.kind != GATEWAY && c.kind != LEAF
 	if !inlineOk {
-		// Check how long we have been away from the readloop for the route or gateway or leafnode.
-		// If too long move to a separate go routine.
-		if elapsed := time.Since(c.in.start); elapsed < noBlockThresh {
-			inlineOk = true
-		}
-	}
-
-	if inlineOk {
-		mset.getDirectRequest(&req, reply)
+		dg := dgPool.Get().(*directGetReq)
+		dg.req, dg.reply = req, reply
+		mset.gets.push(dg)
 	} else {
-		go mset.getDirectRequest(&req, reply)
+		mset.getDirectRequest(&req, reply)
 	}
 }
 
 // This is for direct get by last subject which is part of the subject itself.
 func (mset *stream) processDirectGetLastBySubjectRequest(_ *subscription, c *client, _ *Account, subject, reply string, rmsg []byte) {
-	_, msg := c.msgParts(rmsg)
 	if len(reply) == 0 {
 		return
 	}
+	_, msg := c.msgParts(rmsg)
 	// This version expects no payload.
 	if len(msg) != 0 {
 		hdr := []byte("NATS/1.0 408 Bad Request\r\n\r\n")
@@ -3591,19 +3666,15 @@ func (mset *stream) processDirectGetLastBySubjectRequest(_ *subscription, c *cli
 		return
 	}
 
+	req := JSApiMsgGetRequest{LastFor: key}
+
 	inlineOk := c.kind != ROUTER && c.kind != GATEWAY && c.kind != LEAF
 	if !inlineOk {
-		// Check how long we have been away from the readloop for the route or gateway or leafnode.
-		// If too long move to a separate go routine.
-		if elapsed := time.Since(c.in.start); elapsed < noBlockThresh {
-			inlineOk = true
-		}
-	}
-
-	if inlineOk {
-		mset.getDirectRequest(&JSApiMsgGetRequest{LastFor: key}, reply)
+		dg := dgPool.Get().(*directGetReq)
+		dg.req, dg.reply = req, reply
+		mset.gets.push(dg)
 	} else {
-		go mset.getDirectRequest(&JSApiMsgGetRequest{LastFor: key}, reply)
+		mset.getDirectRequest(&req, reply)
 	}
 }
 
@@ -3650,21 +3721,7 @@ func (mset *stream) getDirectRequest(req *JSApiMsgGetRequest, reply string) {
 // processInboundJetStreamMsg handles processing messages bound for a stream.
 func (mset *stream) processInboundJetStreamMsg(_ *subscription, c *client, _ *Account, subject, reply string, rmsg []byte) {
 	hdr, msg := c.msgParts(rmsg)
-
-	// If we are not receiving directly from a client we should move this to another Go routine.
-	// Make sure to grab no stream or js locks.
-	if c.kind != CLIENT {
-		mset.queueInboundMsg(subject, reply, hdr, msg)
-		return
-	}
-
-	// This is directly from a client so process inline.
-	// If we are clustered we need to propose this message to the underlying raft group.
-	if mset.IsClustered() {
-		mset.processClusteredInboundMsg(subject, reply, hdr, msg)
-	} else {
-		mset.processJetStreamMsg(subject, reply, hdr, msg, 0, 0)
-	}
+	mset.queueInboundMsg(subject, reply, hdr, msg)
 }
 
 var (
@@ -3676,7 +3733,7 @@ var (
 func (mset *stream) processJetStreamMsg(subject, reply string, hdr, msg []byte, lseq uint64, ts int64) error {
 	mset.mu.Lock()
 	c, s, store := mset.client, mset.srv, mset.store
-	if c == nil {
+	if mset.closed || c == nil {
 		mset.mu.Unlock()
 		return nil
 	}
@@ -3792,7 +3849,7 @@ func (mset *stream) processJetStreamMsg(subject, reply string, hdr, msg []byte,
 		}
 		// Expected last sequence per subject.
 		// If we are clustered we have prechecked seq > 0.
-		if seq, exists := getExpectedLastSeqPerSubject(hdr); exists && (!isClustered || seq == 0) {
+		if seq, exists := getExpectedLastSeqPerSubject(hdr); exists {
 			// TODO(dlc) - We could make a new store func that does this all in one.
 			var smv StoreMsg
 			var fseq uint64
@@ -3906,7 +3963,7 @@ func (mset *stream) processJetStreamMsg(subject, reply string, hdr, msg []byte,
 
 	// Check to see if we have exceeded our limits.
 	if js.limitsExceeded(stype) {
-		s.resourcesExeededError()
+		s.resourcesExceededError()
 		mset.clfs++
 		mset.mu.Unlock()
 		if canRespond {
@@ -3998,7 +4055,14 @@ func (mset *stream) processJetStreamMsg(subject, reply string, hdr, msg []byte,
 	} else {
 		// Make sure to take into account any message assignments that we had to skip (clfs).
 		seq = lseq + 1 - clfs
-		err = store.StoreRawMsg(subject, hdr, msg, seq, ts)
+		// Check for preAcks and the need to skip vs store.
+
+		if mset.hasAllPreAcks(seq, subject) {
+			mset.clearAllPreAcks(seq)
+			store.SkipMsg()
+		} else {
+			err = store.StoreRawMsg(subject, hdr, msg, seq, ts)
+		}
 	}
 
 	if err != nil {
@@ -4210,7 +4274,7 @@ func newJSPubMsg(dsubj, subj, reply string, hdr, msg []byte, o *consumer, seq ui
 	} else {
 		m = new(jsPubMsg)
 	}
-	// When getting something from a pool it is criticical that all fields are
+	// When getting something from a pool it is critical that all fields are
 	// initialized. Doing this way guarantees that if someone adds a field to
 	// the structure, the compiler will fail the build if this line is not updated.
 	(*m) = jsPubMsg{dsubj, reply, StoreMsg{subj, hdr, msg, buf, seq, 0}, o}
@@ -4277,8 +4341,8 @@ type StoredMsg struct {
 	Header       []byte    `json:"hdrs,omitempty"`
 	Data         []byte    `json:"data,omitempty"`
 	Time         time.Time `json:"time"`
-	ReplySubject string    `json:"reply_subject"`
-	TenantName   string    `json:"tenant_name"`
+	ReplySubject string    `json:"reply_subject"` // ** added by Memphis
+	TenantName   string    `json:"tenant_name"`   // ** added by Memphis
 }
 
 // This is similar to system semantics but did not want to overload the single system sendq,
@@ -4321,7 +4385,7 @@ func (mset *stream) internalLoop() {
 	c := s.createInternalJetStreamClient()
 	c.registerWithAccount(mset.acc)
 	defer c.closeConnection(ClientClosed)
-	outq, qch, msgs := mset.outq, mset.qch, mset.msgs
+	outq, qch, msgs, gets := mset.outq, mset.qch, mset.msgs, mset.gets
 
 	// For the ack msgs queue for interest retention.
 	var (
@@ -4337,16 +4401,29 @@ func (mset *stream) internalLoop() {
 	// This should be rarely used now so can be smaller.
 	var _r [1024]byte
 
+	// To optimize for not converting a string to a []byte slice.
+	var (
+		subj  [256]byte
+		dsubj [256]byte
+		rply  [256]byte
+		szb   [10]byte
+		hdb   [10]byte
+	)
+
 	for {
 		select {
 		case <-outq.ch:
 			pms := outq.pop()
 			for _, pm := range pms {
-				c.pa.subject = []byte(pm.dsubj)
-				c.pa.deliver = []byte(pm.subj)
+				c.pa.subject = append(dsubj[:0], pm.dsubj...)
+				c.pa.deliver = append(subj[:0], pm.subj...)
 				c.pa.size = len(pm.msg) + len(pm.hdr)
-				c.pa.szb = []byte(strconv.Itoa(c.pa.size))
-				c.pa.reply = []byte(pm.reply)
+				c.pa.szb = append(szb[:0], strconv.Itoa(c.pa.size)...)
+				if len(pm.reply) > 0 {
+					c.pa.reply = append(rply[:0], pm.reply...)
+				} else {
+					c.pa.reply = nil
+				}
 
 				// If we have an underlying buf that is the wire contents for hdr + msg, else construct on the fly.
 				var msg []byte
@@ -4369,6 +4446,7 @@ func (mset *stream) internalLoop() {
 				if len(pm.hdr) > 0 {
 					c.pa.hdr = len(pm.hdr)
 					c.pa.hdb = []byte(strconv.Itoa(c.pa.hdr))
+					c.pa.hdb = append(hdb[:0], strconv.Itoa(c.pa.hdr)...)
 				} else {
 					c.pa.hdr = -1
 					c.pa.hdb = nil
@@ -4382,7 +4460,7 @@ func (mset *stream) internalLoop() {
 				// Check to see if this is a delivery for a consumer and
 				// we failed to deliver the message. If so alert the consumer.
 				if pm.o != nil && pm.seq > 0 && !didDeliver {
-					pm.o.didNotDeliver(pm.seq)
+					pm.o.didNotDeliver(pm.seq, pm.dsubj)
 				}
 				pm.returnToPool()
 			}
@@ -4402,6 +4480,14 @@ func (mset *stream) internalLoop() {
 				}
 			}
 			msgs.recycle(&ims)
+		case <-gets.ch:
+			dgs := gets.pop()
+			for _, dg := range dgs {
+				mset.getDirectRequest(&dg.req, dg.reply)
+				dgPool.Put(dg)
+			}
+			gets.recycle(&dgs)
+
 		case <-amch:
 			seqs := ackq.pop()
 			for _, seq := range seqs {
@@ -4416,6 +4502,28 @@ func (mset *stream) internalLoop() {
 	}
 }
 
+// Used to break consumers out of their monitorConsumer go routines.
+func (mset *stream) resetAndWaitOnConsumers() {
+	mset.mu.RLock()
+	consumers := make([]*consumer, 0, len(mset.consumers))
+	for _, o := range mset.consumers {
+		consumers = append(consumers, o)
+	}
+	mset.mu.RUnlock()
+
+	for _, o := range consumers {
+		if node := o.raftNode(); node != nil {
+			if o.IsLeader() {
+				node.StepDown()
+			}
+			node.Delete()
+		}
+		if o.isMonitorRunning() {
+			o.monitorWg.Wait()
+		}
+	}
+}
+
 // Internal function to delete a stream.
 func (mset *stream) delete() error {
 	if mset == nil {
@@ -4427,21 +4535,22 @@ func (mset *stream) delete() error {
 // Internal function to stop or delete the stream.
 func (mset *stream) stop(deleteFlag, advisory bool) error {
 	mset.mu.RLock()
-	js, jsa := mset.js, mset.jsa
+	js, jsa, name := mset.js, mset.jsa, mset.cfg.Name
 	mset.mu.RUnlock()
 
 	if jsa == nil {
 		return NewJSNotEnabledForAccountError()
 	}
 
-	// Remove from our account map.
+	// Remove from our account map first.
 	jsa.mu.Lock()
-	delete(jsa.streams, mset.cfg.Name)
+	delete(jsa.streams, name)
 	accName := jsa.account.Name
 	jsa.mu.Unlock()
 
 	// Clean up consumers.
 	mset.mu.Lock()
+	mset.closed = true
 	var obs []*consumer
 	for _, o := range mset.consumers {
 		obs = append(obs, o)
@@ -4462,16 +4571,37 @@ func (mset *stream) stop(deleteFlag, advisory bool) error {
 			mset.cancelSourceConsumer(si.iname)
 		}
 	}
+
+	// Cluster cleanup
+	var sa *streamAssignment
+	if n := mset.node; n != nil {
+		if deleteFlag {
+			n.Delete()
+			sa = mset.sa
+		} else {
+			if n.NeedSnapshot() {
+				// Attempt snapshot on clean exit.
+				n.InstallSnapshot(mset.stateSnapshotLocked())
+			}
+			n.Stop()
+		}
+	}
 	mset.mu.Unlock()
 
+	isShuttingDown := js.isShuttingDown()
 	for _, o := range obs {
-		// Third flag says do not broadcast a signal.
-		// TODO(dlc) - If we have an err here we don't want to stop
-		// but should we log?
-		o.stopWithFlags(deleteFlag, deleteFlag, false, advisory)
+		if !o.isClosed() {
+			// Third flag says do not broadcast a signal.
+			// TODO(dlc) - If we have an err here we don't want to stop
+			// but should we log?
+			o.stopWithFlags(deleteFlag, deleteFlag, false, advisory)
+			if !isShuttingDown {
+				o.monitorWg.Wait()
+			}
+		}
 	}
-	mset.mu.Lock()
 
+	mset.mu.Lock()
 	// Stop responding to sync requests.
 	mset.stopClusterSubs()
 	// Unsubscribe from direct stream.
@@ -4483,19 +4613,6 @@ func (mset *stream) stop(deleteFlag, advisory bool) error {
 		mset.infoSub = nil
 	}
 
-	// Cluster cleanup
-	var sa *streamAssignment
-	if n := mset.node; n != nil {
-		if deleteFlag {
-			n.Delete()
-			sa = mset.sa
-		} else if n.NeedSnapshot() {
-			// Attempt snapshot on clean exit.
-			n.InstallSnapshot(mset.stateSnapshotLocked())
-			n.Stop()
-		}
-	}
-
 	// Send stream delete advisory after the consumers.
 	if deleteFlag && advisory {
 		mset.sendDeleteAdvisoryLocked()
@@ -4557,23 +4674,21 @@ func (mset *stream) stop(deleteFlag, advisory bool) error {
 		sysc.closeConnection(ClientClosed)
 	}
 
-	if store == nil {
-		return nil
-	}
-
 	if deleteFlag {
-		if err := store.Delete(); err != nil {
-			return err
+		if store != nil {
+			// Ignore errors.
+			store.Delete()
 		}
+		// Release any resources.
 		js.releaseStreamResources(&mset.cfg)
-
 		// cleanup directories after the stream
 		accDir := filepath.Join(js.config.StoreDir, accName)
 		// no op if not empty
 		os.Remove(filepath.Join(accDir, streamsDir))
 		os.Remove(accDir)
-	} else if err := store.Stop(); err != nil {
-		return err
+	} else if store != nil {
+		// Ignore errors.
+		store.Stop()
 	}
 
 	return nil
@@ -4621,6 +4736,12 @@ func (mset *stream) getPublicConsumers() []*consumer {
 	return obs
 }
 
+func (mset *stream) isInterestRetention() bool {
+	mset.mu.RLock()
+	defer mset.mu.RUnlock()
+	return mset.cfg.Retention != LimitsPolicy
+}
+
 // NumConsumers reports on number of active consumers for this stream.
 func (mset *stream) numConsumers() int {
 	mset.mu.RLock()
@@ -4810,35 +4931,162 @@ func (mset *stream) potentialFilteredConsumers() bool {
 	return false
 }
 
-func (mset *stream) checkInterest(seq uint64, obs *consumer) bool {
+// Check if there is no interest in this sequence number across our consumers.
+// The consumer passed is optional if we are processing the ack for that consumer.
+// Write lock should be held.
+func (mset *stream) noInterest(seq uint64, obs *consumer) bool {
+	return !mset.checkForInterest(seq, obs)
+}
+
+// Check if there is no interest in this sequence number and subject across our consumers.
+// The consumer passed is optional if we are processing the ack for that consumer.
+// Write lock should be held.
+func (mset *stream) noInterestWithSubject(seq uint64, subj string, obs *consumer) bool {
+	return !mset.checkForInterestWithSubject(seq, subj, obs)
+}
+
+// Write lock should be held here for the stream to avoid race conditions on state.
+func (mset *stream) checkForInterest(seq uint64, obs *consumer) bool {
 	var subj string
 	if mset.potentialFilteredConsumers() {
 		pmsg := getJSPubMsgFromPool()
 		defer pmsg.returnToPool()
 		sm, err := mset.store.LoadMsg(seq, &pmsg.StoreMsg)
 		if err != nil {
+			if err == ErrStoreEOF {
+				// Register this as a preAck.
+				mset.registerPreAck(obs, seq)
+				return true
+			}
+			mset.clearAllPreAcks(seq)
 			return false
 		}
 		subj = sm.subj
 	}
+	return mset.checkForInterestWithSubject(seq, subj, obs)
+}
+
+// Checks for interest given a sequence and subject.
+func (mset *stream) checkForInterestWithSubject(seq uint64, subj string, obs *consumer) bool {
 	for _, o := range mset.consumers {
-		if o != obs && o.needAck(seq, subj) {
+		// If this is us or we have a registered preAck for this consumer continue inspecting.
+		if o == obs || mset.hasPreAck(o, seq) {
+			continue
+		}
+		// Check if we need an ack.
+		if o.needAck(seq, subj) {
 			return true
 		}
 	}
+	mset.clearAllPreAcks(seq)
 	return false
 }
 
+// Check if we have a pre-registered ack for this sequence.
+// Write lock should be held.
+func (mset *stream) hasPreAck(o *consumer, seq uint64) bool {
+	if o == nil || len(mset.preAcks) == 0 {
+		return false
+	}
+	consumers := mset.preAcks[seq]
+	if len(consumers) == 0 {
+		return false
+	}
+	_, found := consumers[o]
+	return found
+}
+
+// Check if we have all consumers pre-acked for this sequence and subject.
+// Write lock should be held.
+func (mset *stream) hasAllPreAcks(seq uint64, subj string) bool {
+	if len(mset.preAcks) == 0 || len(mset.preAcks[seq]) == 0 {
+		return false
+	}
+	// Since these can be filtered and mutually exclusive,
+	// if we have some preAcks we need to check all interest here.
+	return mset.noInterestWithSubject(seq, subj, nil)
+}
+
+// Check if we have all consumers pre-acked.
+// Write lock should be held.
+func (mset *stream) clearAllPreAcks(seq uint64) {
+	delete(mset.preAcks, seq)
+}
+
+// Clear all preAcks below floor.
+// Write lock should be held.
+func (mset *stream) clearAllPreAcksBelowFloor(floor uint64) {
+	for seq := range mset.preAcks {
+		if seq < floor {
+			delete(mset.preAcks, seq)
+		}
+	}
+}
+
+// This will register an ack for a consumer if it arrives before the actual message.
+func (mset *stream) registerPreAckLock(o *consumer, seq uint64) {
+	mset.mu.Lock()
+	defer mset.mu.Unlock()
+	mset.registerPreAck(o, seq)
+}
+
+// This will register an ack for a consumer if it arrives before
+// the actual message.
+// Write lock should be held.
+func (mset *stream) registerPreAck(o *consumer, seq uint64) {
+	if o == nil {
+		return
+	}
+	if mset.preAcks == nil {
+		mset.preAcks = make(map[uint64]map[*consumer]struct{})
+	}
+	if mset.preAcks[seq] == nil {
+		mset.preAcks[seq] = make(map[*consumer]struct{})
+	}
+	mset.preAcks[seq][o] = struct{}{}
+}
+
+// This will clear an ack for a consumer.
+// Write lock should be held.
+func (mset *stream) clearPreAck(o *consumer, seq uint64) {
+	if o == nil || len(mset.preAcks) == 0 {
+		return
+	}
+	if consumers := mset.preAcks[seq]; len(consumers) > 0 {
+		delete(consumers, o)
+		if len(consumers) == 0 {
+			delete(mset.preAcks, seq)
+		}
+	}
+}
+
 // ackMsg is called into from a consumer when we have a WorkQueue or Interest Retention Policy.
 func (mset *stream) ackMsg(o *consumer, seq uint64) {
-	if mset.cfg.Retention == LimitsPolicy {
+	if seq == 0 {
+		return
+	}
+
+	// Don't make this RLock(). We need to have only 1 running at a time to gauge interest across all consumers.
+	mset.mu.Lock()
+	if mset.closed || mset.store == nil || mset.cfg.Retention == LimitsPolicy {
+		mset.mu.Unlock()
 		return
 	}
 
-	// Make sure this sequence is not below our first sequence.
 	var state StreamState
 	mset.store.FastState(&state)
+
+	// Make sure this sequence is not below our first sequence.
 	if seq < state.FirstSeq {
+		mset.clearPreAck(o, seq)
+		mset.mu.Unlock()
+		return
+	}
+
+	// If this has arrived before we have processed the message itself.
+	if seq > state.LastSeq {
+		mset.registerPreAck(o, seq)
+		mset.mu.Unlock()
 		return
 	}
 
@@ -4847,24 +5095,21 @@ func (mset *stream) ackMsg(o *consumer, seq uint64) {
 	case WorkQueuePolicy:
 		// Normally we just remove a message when its ack'd here but if we have direct consumers
 		// from sources and/or mirrors we need to make sure they have delivered the msg.
-		mset.mu.RLock()
-		shouldRemove = mset.directs <= 0 || !mset.checkInterest(seq, o)
-		mset.mu.RUnlock()
+		shouldRemove = mset.directs <= 0 || mset.noInterest(seq, o)
 	case InterestPolicy:
-		mset.mu.RLock()
-		shouldRemove = !mset.checkInterest(seq, o)
-		mset.mu.RUnlock()
+		shouldRemove = mset.noInterest(seq, o)
 	}
+	mset.mu.Unlock()
 
-	if shouldRemove {
-		if _, err := mset.store.RemoveMsg(seq); err == ErrStoreEOF {
-			// This should be rare but I have seen it.
-			// The ack reached us before the actual msg with AckNone and InterestPolicy.
-			if n := mset.raftNode(); n != nil {
-				md := streamMsgDelete{Seq: seq, NoErase: true, Stream: mset.cfg.Name}
-				n.ForwardProposal(encodeMsgDelete(&md))
-			}
-		}
+	// If nothing else to do.
+	if !shouldRemove {
+		return
+	}
+
+	// If we are here we should attempt to remove.
+	if _, err := mset.store.RemoveMsg(seq); err == ErrStoreEOF {
+		// This should not happen, but being pedantic.
+		mset.registerPreAckLock(o, seq)
 	}
 }
 
@@ -4936,7 +5181,7 @@ func (a *Account) RestoreStream(ncfg *StreamConfig, r io.Reader) (*stream, error
 		if err != nil {
 			return nil, err
 		}
-		if hdr.Typeflag != tar.TypeReg && hdr.Typeflag != tar.TypeRegA {
+		if hdr.Typeflag != tar.TypeReg {
 			return nil, logAndReturnError()
 		}
 		fpath := filepath.Join(sdir, filepath.Clean(hdr.Name))
@@ -5063,37 +5308,17 @@ func (a *Account) RestoreStream(ncfg *StreamConfig, r io.Reader) (*stream, error
 	return mset, nil
 }
 
-// This is to check for dangling messages.
+// This is to check for dangling messages on interest retention streams.
 // Issue https://github.com/nats-io/nats-server/issues/3612
 func (mset *stream) checkForOrphanMsgs() {
-	// We need to grab the low water mark for all consumers.
-	var ackFloor uint64
 	mset.mu.RLock()
+	consumers := make([]*consumer, 0, len(mset.consumers))
 	for _, o := range mset.consumers {
-		o.mu.RLock()
-		if o.store != nil {
-			if state, err := o.store.BorrowState(); err == nil {
-				if ackFloor == 0 || state.AckFloor.Stream < ackFloor {
-					ackFloor = state.AckFloor.Stream
-				}
-			}
-		}
-		o.mu.RUnlock()
+		consumers = append(consumers, o)
 	}
-	// Grabs stream state.
-	var state StreamState
-	mset.store.FastState(&state)
-	s, acc := mset.srv, mset.acc
 	mset.mu.RUnlock()
-
-	if ackFloor > state.FirstSeq {
-		req := &JSApiStreamPurgeRequest{Sequence: ackFloor + 1}
-		purged, err := mset.purge(req)
-		if err != nil {
-			s.Warnf("stream '%s > %s' could not auto purge orphaned messages: %v", acc, mset.name(), err)
-		} else {
-			s.Debugf("stream '%s > %s' auto purged %d messages", acc, mset.name(), purged)
-		}
+	for _, o := range consumers {
+		o.checkStateForInterestStream()
 	}
 }
 
@@ -5119,3 +5344,22 @@ func (mset *stream) checkConsumerReplication() {
 		o.mu.RUnlock()
 	}
 }
+
+// Will check if we are running in the monitor already and if not set the appropriate flag.
+func (mset *stream) checkInMonitor() bool {
+	mset.mu.Lock()
+	defer mset.mu.Unlock()
+
+	if mset.inMonitor {
+		return true
+	}
+	mset.inMonitor = true
+	return false
+}
+
+// Clear us being in the monitor routine.
+func (mset *stream) clearMonitorRunning() {
+	mset.mu.Lock()
+	defer mset.mu.Unlock()
+	mset.inMonitor = false
+}
diff --git a/server/sublist.go b/server/sublist.go
index a77f9f988..d7ffac0c9 100644
--- a/server/sublist.go
+++ b/server/sublist.go
@@ -1,4 +1,4 @@
-// Copyright 2016-2020 The NATS Authors
+// Copyright 2016-2023 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -48,7 +48,7 @@ const (
 	// cacheMax is used to bound limit the frontend cache
 	slCacheMax = 1024
 	// If we run a sweeper we will drain to this count.
-	slCacheSweep = 512
+	slCacheSweep = 256
 	// plistMin is our lower bounds to create a fast plist for Match.
 	plistMin = 256
 )
@@ -615,7 +615,7 @@ func (s *Sublist) reduceCacheCount() {
 
 // Helper function for auto-expanding remote qsubs.
 func isRemoteQSub(sub *subscription) bool {
-	return sub != nil && sub.queue != nil && sub.client != nil && sub.client.kind == ROUTER
+	return sub != nil && sub.queue != nil && sub.client != nil && (sub.client.kind == ROUTER || sub.client.kind == LEAF)
 }
 
 // UpdateRemoteQSub should be called when we update the weight of an existing
@@ -820,9 +820,13 @@ func (s *Sublist) RemoveBatch(subs []*subscription) error {
 	// Turn off our cache if enabled.
 	wasEnabled := s.cache != nil
 	s.cache = nil
+	// We will try to remove all subscriptions but will report the first that caused
+	// an error. In other words, we don't bail out at the first error which would
+	// possibly leave a bunch of subscriptions that could have been removed.
+	var err error
 	for _, sub := range subs {
-		if err := s.remove(sub, false, false); err != nil {
-			return err
+		if lerr := s.remove(sub, false, false); lerr != nil && err == nil {
+			err = lerr
 		}
 	}
 	// Turn caching back on here.
@@ -830,7 +834,7 @@ func (s *Sublist) RemoveBatch(subs []*subscription) error {
 	if wasEnabled {
 		s.cache = make(map[string]*SublistResult)
 	}
-	return nil
+	return err
 }
 
 // pruneNode is used to prune an empty node from the tree.
@@ -1529,13 +1533,13 @@ func (s *Sublist) ReverseMatch(subject string) *SublistResult {
 
 	result := &SublistResult{}
 
-	s.Lock()
+	s.RLock()
 	reverseMatchLevel(s.root, tokens, nil, result)
 	// Check for empty result.
 	if len(result.psubs) == 0 && len(result.qsubs) == 0 {
 		result = emptyResult
 	}
-	s.Unlock()
+	s.RUnlock()
 
 	return result
 }
@@ -1553,9 +1557,22 @@ func reverseMatchLevel(l *level, toks []string, n *node, results *SublistResult)
 				for _, n := range l.nodes {
 					reverseMatchLevel(n.next, toks[i+1:], n, results)
 				}
+				if l.pwc != nil {
+					reverseMatchLevel(l.pwc.next, toks[i+1:], n, results)
+				}
+				if l.fwc != nil {
+					getAllNodes(l, results)
+				}
 				return
 			}
 		}
+		// If the sub tree has a fwc at this position, match as well.
+		if l.fwc != nil {
+			getAllNodes(l, results)
+			return
+		} else if l.pwc != nil {
+			reverseMatchLevel(l.pwc.next, toks[i+1:], n, results)
+		}
 		n = l.nodes[t]
 		if n == nil {
 			break
diff --git a/server/sublist_test.go b/server/sublist_test.go
index a302405ac..4d3e913f0 100644
--- a/server/sublist_test.go
+++ b/server/sublist_test.go
@@ -1,4 +1,4 @@
-// Copyright 2016-2020 The NATS Authors
+// Copyright 2016-2023 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -370,6 +370,30 @@ func TestSublistNoCacheRemoveBatch(t *testing.T) {
 	}
 }
 
+func TestSublistRemoveBatchWithError(t *testing.T) {
+	s := NewSublistNoCache()
+	sub1 := newSub("foo")
+	sub2 := newSub("bar")
+	sub3 := newSub("baz")
+	s.Insert(sub1)
+	s.Insert(sub2)
+	s.Insert(sub3)
+	subNotPresent := newSub("not.inserted")
+	// Try to remove all subs, but include the sub that has not been inserted.
+	err := s.RemoveBatch([]*subscription{subNotPresent, sub1, sub3})
+	// We expect an error to be returned, but sub1,2 and 3 to have been removed.
+	require_Error(t, err, ErrNotFound)
+	// Make sure that we have only sub2 present
+	verifyCount(s, 1, t)
+	r := s.Match("bar")
+	verifyLen(r.psubs, 1, t)
+	verifyMember(r.psubs, sub2, t)
+	r = s.Match("foo")
+	verifyLen(r.psubs, 0, t)
+	r = s.Match("baz")
+	verifyLen(r.psubs, 0, t)
+}
+
 func testSublistInvalidSubjectsInsert(t *testing.T, s *Sublist) {
 	// Insert, or subscriptions, can have wildcards, but not empty tokens,
 	// and can not have a FWC that is not the terminal token.
@@ -1478,6 +1502,20 @@ func TestSublistReverseMatch(t *testing.T) {
 	verifyMember(r.psubs, fooBarBazSub, t)
 }
 
+func TestSublistReverseMatchWider(t *testing.T) {
+	s := NewSublistWithCache()
+	sub := newSub("uplink.*.*.>")
+	s.Insert(sub)
+
+	r := s.ReverseMatch("uplink.1.*.*.>")
+	verifyLen(r.psubs, 1, t)
+	verifyMember(r.psubs, sub, t)
+
+	r = s.ReverseMatch("uplink.1.2.3.>")
+	verifyLen(r.psubs, 1, t)
+	verifyMember(r.psubs, sub, t)
+}
+
 func TestSublistMatchWithEmptyTokens(t *testing.T) {
 	for _, test := range []struct {
 		name  string
diff --git a/server/test_test.go b/server/test_test.go
index 2f0e11d8c..8493eb07b 100644
--- a/server/test_test.go
+++ b/server/test_test.go
@@ -1,4 +1,4 @@
-// Copyright 2019-2021 The NATS Authors
+// Copyright 2019-2023 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -14,7 +14,6 @@
 package server
 
 import (
-	"bytes"
 	"fmt"
 	"math/rand"
 	"net/url"
@@ -52,14 +51,6 @@ func RunRandClientPortServer() *Server {
 	return RunServer(&opts)
 }
 
-// Used to setup clusters of clusters for tests.
-type cluster struct {
-	servers []*Server
-	opts    []*Options
-	name    string
-	t       testing.TB
-}
-
 func require_True(t *testing.T, b bool) {
 	t.Helper()
 	if !b {
@@ -120,16 +111,16 @@ func require_Error(t *testing.T, err error, expected ...error) {
 	t.Fatalf("Expected one of %v, got '%v'", expected, err)
 }
 
-func require_Equal(t *testing.T, a, b string) {
+func require_Equal[T comparable](t *testing.T, a, b T) {
 	t.Helper()
-	if strings.Compare(a, b) != 0 {
+	if a != b {
 		t.Fatalf("require equal, but got: %v != %v", a, b)
 	}
 }
 
-func require_NotEqual(t *testing.T, a, b [32]byte) {
+func require_NotEqual[T comparable](t *testing.T, a, b T) {
 	t.Helper()
-	if bytes.Equal(a[:], b[:]) {
+	if a == b {
 		t.Fatalf("require not equal, but got: %v != %v", a, b)
 	}
 }
@@ -276,6 +267,11 @@ func (c *cluster) shutdown() {
 	if c == nil {
 		return
 	}
+	// Stop any proxies.
+	for _, np := range c.nproxies {
+		np.stop()
+	}
+	// Shutdown and cleanup servers.
 	for i, s := range c.servers {
 		sd := s.StoreDir()
 		s.Shutdown()
diff --git a/server/util.go b/server/util.go
index 52e0861f1..454de9d81 100644
--- a/server/util.go
+++ b/server/util.go
@@ -335,6 +335,7 @@ func copyStrings(src []string) []string {
 	return dst
 }
 
+// ** added by Memphis
 // copyMaps make a new map of the same size than `src` and copy its content.
 // If `src` is nil, then this returns `nil`
 func copyMaps(src map[string]string) map[string]string {
@@ -347,3 +348,5 @@ func copyMaps(src map[string]string) map[string]string {
 	}
 	return dst
 }
+
+// ** added by Memphis
diff --git a/server/util_test.go b/server/util_test.go
index 41100b10b..168a995ac 100644
--- a/server/util_test.go
+++ b/server/util_test.go
@@ -10,6 +10,7 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+
 package server
 
 import (
diff --git a/server/websocket.go b/server/websocket.go
index 797ed5c86..0b8fe8048 100644
--- a/server/websocket.go
+++ b/server/websocket.go
@@ -1,4 +1,4 @@
-// Copyright 2020 The NATS Authors
+// Copyright 2020-2023 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -15,7 +15,6 @@ package server
 
 import (
 	"bytes"
-	"compress/flate"
 	"crypto/rand"
 	"crypto/sha1"
 	"crypto/tls"
@@ -34,6 +33,8 @@ import (
 	"sync"
 	"time"
 	"unicode/utf8"
+
+	"github.com/klauspost/compress/flate"
 )
 
 type wsOpCode int
@@ -452,7 +453,9 @@ func (c *client) wsHandleControlFrame(r *wsReadInfo, frameType wsOpCode, nc io.R
 				}
 			}
 		}
-		c.wsEnqueueControlMessage(wsCloseMessage, wsCreateCloseMessage(status, body))
+		clm := wsCreateCloseMessage(status, body)
+		c.wsEnqueueControlMessage(wsCloseMessage, clm)
+		nbPoolPut(clm) // wsEnqueueControlMessage has taken a copy.
 		// Return io.EOF so that readLoop will close the connection as ClientClosed
 		// after processing pending buffers.
 		return pos, io.EOF
@@ -502,7 +505,7 @@ func wsIsControlFrame(frameType wsOpCode) bool {
 // Create the frame header.
 // Encodes the frame type and optional compression flag, and the size of the payload.
 func wsCreateFrameHeader(useMasking, compressed bool, frameType wsOpCode, l int) ([]byte, []byte) {
-	fh := make([]byte, wsMaxFrameHeaderSize)
+	fh := nbPoolGet(wsMaxFrameHeaderSize)[:wsMaxFrameHeaderSize]
 	n, key := wsFillFrameHeader(fh, useMasking, wsFirstFrame, wsFinalFrame, compressed, frameType, l)
 	return fh[:n], key
 }
@@ -596,11 +599,13 @@ func (c *client) wsEnqueueControlMessageLocked(controlMsg wsOpCode, payload []by
 	if useMasking {
 		sz += 4
 	}
-	cm := make([]byte, sz+len(payload))
+	cm := nbPoolGet(sz + len(payload))
+	cm = cm[:cap(cm)]
 	n, key := wsFillFrameHeader(cm, useMasking, wsFirstFrame, wsFinalFrame, wsUncompressedFrame, controlMsg, len(payload))
+	cm = cm[:n]
 	// Note that payload is optional.
 	if len(payload) > 0 {
-		copy(cm[n:], payload)
+		cm = append(cm, payload...)
 		if useMasking {
 			wsMaskBuf(key, cm[n:])
 		}
@@ -646,6 +651,7 @@ func (c *client) wsEnqueueCloseMessage(reason ClosedState) {
 	}
 	body := wsCreateCloseMessage(status, reason.String())
 	c.wsEnqueueControlMessageLocked(wsCloseMessage, body)
+	nbPoolPut(body) // wsEnqueueControlMessageLocked has taken a copy.
 }
 
 // Create and then enqueue a close message with a protocol error and the
@@ -655,6 +661,7 @@ func (c *client) wsEnqueueCloseMessage(reason ClosedState) {
 func (c *client) wsHandleProtocolError(message string) error {
 	buf := wsCreateCloseMessage(wsCloseStatusProtocolError, message)
 	c.wsEnqueueControlMessage(wsCloseMessage, buf)
+	nbPoolPut(buf) // wsEnqueueControlMessage has taken a copy.
 	return fmt.Errorf(message)
 }
 
@@ -671,7 +678,7 @@ func wsCreateCloseMessage(status int, body string) []byte {
 		body = body[:wsMaxControlPayloadSize-5]
 		body += "..."
 	}
-	buf := make([]byte, 2+len(body))
+	buf := nbPoolGet(2 + len(body))[:2+len(body)]
 	// We need to have a 2 byte unsigned int that represents the error status code
 	// https://tools.ietf.org/html/rfc6455#section-5.5.1
 	binary.BigEndian.PutUint16(buf[:2], uint16(status))
@@ -1270,13 +1277,7 @@ func (c *client) wsCollapsePtoNB() (net.Buffers, int64) {
 	if c.ws.browser {
 		mfs = wsFrameSizeForBrowsers
 	}
-	if len(c.out.p) > 0 {
-		p := c.out.p
-		c.out.p = nil
-		nb = append(c.out.nb, p)
-	} else if len(c.out.nb) > 0 {
-		nb = c.out.nb
-	}
+	nb = c.out.nb
 	mask := c.ws.maskwrite
 	// Start with possible already framed buffers (that we could have
 	// got from partials or control messages such as ws pings or pongs).
@@ -1308,6 +1309,7 @@ func (c *client) wsCollapsePtoNB() (net.Buffers, int64) {
 		var csz int
 		for _, b := range nb {
 			cp.Write(b)
+			nbPoolPut(b) // No longer needed as contents written to compressor.
 		}
 		if err := cp.Flush(); err != nil {
 			c.Errorf("Error during compression: %v", err)
@@ -1324,24 +1326,33 @@ func (c *client) wsCollapsePtoNB() (net.Buffers, int64) {
 				} else {
 					final = true
 				}
-				fh := make([]byte, wsMaxFrameHeaderSize)
 				// Only the first frame should be marked as compressed, so pass
 				// `first` for the compressed boolean.
+				fh := nbPoolGet(wsMaxFrameHeaderSize)[:wsMaxFrameHeaderSize]
 				n, key := wsFillFrameHeader(fh, mask, first, final, first, wsBinaryMessage, lp)
 				if mask {
 					wsMaskBuf(key, p[:lp])
 				}
-				bufs = append(bufs, fh[:n], p[:lp])
+				new := nbPoolGet(wsFrameSizeForBrowsers)
+				lp = copy(new[:wsFrameSizeForBrowsers], p[:lp])
+				bufs = append(bufs, fh[:n], new[:lp])
 				csz += n + lp
 				p = p[lp:]
 			}
 		} else {
-			h, key := wsCreateFrameHeader(mask, true, wsBinaryMessage, len(p))
+			ol := len(p)
+			h, key := wsCreateFrameHeader(mask, true, wsBinaryMessage, ol)
 			if mask {
 				wsMaskBuf(key, p)
 			}
-			bufs = append(bufs, h, p)
-			csz = len(h) + len(p)
+			bufs = append(bufs, h)
+			for len(p) > 0 {
+				new := nbPoolGet(len(p))
+				n := copy(new[:cap(new)], p)
+				bufs = append(bufs, new[:n])
+				p = p[n:]
+			}
+			csz = len(h) + ol
 		}
 		// Add to pb the compressed data size (including headers), but
 		// remove the original uncompressed data size that was added
@@ -1353,7 +1364,7 @@ func (c *client) wsCollapsePtoNB() (net.Buffers, int64) {
 		if mfs > 0 {
 			// We are limiting the frame size.
 			startFrame := func() int {
-				bufs = append(bufs, make([]byte, wsMaxFrameHeaderSize))
+				bufs = append(bufs, nbPoolGet(wsMaxFrameHeaderSize)[:wsMaxFrameHeaderSize])
 				return len(bufs) - 1
 			}
 			endFrame := func(idx, size int) {
@@ -1386,8 +1397,10 @@ func (c *client) wsCollapsePtoNB() (net.Buffers, int64) {
 					if endStart {
 						fhIdx = startFrame()
 					}
-					bufs = append(bufs, b[:total])
-					b = b[total:]
+					new := nbPoolGet(total)
+					n := copy(new[:cap(new)], b[:total])
+					bufs = append(bufs, new[:n])
+					b = b[n:]
 				}
 			}
 			if total > 0 {
diff --git a/server/websocket_test.go b/server/websocket_test.go
index 3439f8e8f..2e590e2c0 100644
--- a/server/websocket_test.go
+++ b/server/websocket_test.go
@@ -16,7 +16,6 @@ package server
 import (
 	"bufio"
 	"bytes"
-	"compress/flate"
 	"crypto/tls"
 	"encoding/base64"
 	"encoding/binary"
@@ -36,6 +35,8 @@ import (
 
 	"github.com/nats-io/jwt/v2"
 	"github.com/nats-io/nkeys"
+
+	"github.com/klauspost/compress/flate"
 )
 
 type testReader struct {
@@ -2496,7 +2497,7 @@ func TestWSAdvertise(t *testing.T) {
 	defer s.Shutdown()
 	l := &captureFatalLogger{fatalCh: make(chan string, 1)}
 	s.SetLogger(l, false, false)
-	go s.Start()
+	s.Start()
 	select {
 	case e := <-l.fatalCh:
 		if !strings.Contains(e, "Unable to get websocket connect URLs") {
@@ -2863,11 +2864,11 @@ func (wc *testWSWrappedConn) Write(p []byte) (int, error) {
 }
 
 func TestWSCompressionBasic(t *testing.T) {
-	payload := "This is the content of a message that will be compresseddddddddddddddddddddd."
+	payload := "This is the content of a message that will be compresseddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd."
 	msgProto := fmt.Sprintf("MSG foo 1 %d\r\n%s\r\n", len(payload), payload)
-
 	cbuf := &bytes.Buffer{}
-	compressor, _ := flate.NewWriter(cbuf, flate.BestSpeed)
+	compressor, err := flate.NewWriter(cbuf, flate.BestSpeed)
+	require_NoError(t, err)
 	compressor.Write([]byte(msgProto))
 	compressor.Flush()
 	compressed := cbuf.Bytes()
@@ -2890,14 +2891,14 @@ func TestWSCompressionBasic(t *testing.T) {
 	}
 
 	var wc *testWSWrappedConn
-	s.mu.Lock()
+	s.mu.RLock()
 	for _, c := range s.clients {
 		c.mu.Lock()
 		wc = &testWSWrappedConn{Conn: c.nc, buf: &bytes.Buffer{}}
 		c.nc = wc
 		c.mu.Unlock()
 	}
-	s.mu.Unlock()
+	s.mu.RUnlock()
 
 	nc := natsConnect(t, s.ClientURL())
 	defer nc.Close()

From 8433f40387ff053808626ddf1ef8276fda31b510 Mon Sep 17 00:00:00 2001
From: idanasulinStrech <idan@memphis.dev>
Date: Wed, 6 Dec 2023 18:05:08 +0200
Subject: [PATCH 02/16] removing extra logs

---
 server/jetstream.go         | 4 ++--
 server/jetstream_cluster.go | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/server/jetstream.go b/server/jetstream.go
index 6fbf25b66..e84399c4a 100644
--- a/server/jetstream.go
+++ b/server/jetstream.go
@@ -179,7 +179,7 @@ func (s *Server) EnableJetStream(config *JetStreamConfig) error {
 		return fmt.Errorf("jetstream already enabled")
 	}
 
-	s.Noticef("Starting JetStream")
+	// s.Noticef("Starting JetStream") // ** deleted by Memphis
 	if config == nil || config.MaxMemory <= 0 || config.MaxStore <= 0 {
 		var storeDir, domain string
 		var maxStore, maxMem int64
@@ -465,7 +465,7 @@ func (s *Server) restartJetStream() error {
 		MaxStore:  opts.JetStreamMaxStore,
 		Domain:    opts.JetStreamDomain,
 	}
-	s.Noticef("Restarting JetStream")
+	// s.Noticef("Restarting JetStream") // ** deleted by Memphis
 	err := s.EnableJetStream(&cfg)
 	if err != nil {
 		s.Warnf("Can't start JetStream: %v", err)
diff --git a/server/jetstream_cluster.go b/server/jetstream_cluster.go
index e3c552069..009e640c9 100644
--- a/server/jetstream_cluster.go
+++ b/server/jetstream_cluster.go
@@ -711,7 +711,7 @@ func (s *Server) enableJetStreamClustering() error {
 		return nil
 	}
 
-	s.Noticef("Starting JetStream cluster")
+	// s.Noticef("Starting JetStream cluster") // ** deleted by Memphis
 	// We need to determine if we have a stable cluster name and expected number of servers.
 	s.Debugf("JetStream cluster checking for stable cluster name and peers")
 

From 5e37dae4d082efc34ad330513555e3e718285b8c Mon Sep 17 00:00:00 2001
From: idanasulinStrech <idan@memphis.dev>
Date: Thu, 7 Dec 2023 09:08:07 +0200
Subject: [PATCH 03/16] changes from cloud

---
 server/background_tasks.go              |  6 ++++--
 server/memphis_handlers_dls_messages.go | 18 ++++++++++--------
 2 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/server/background_tasks.go b/server/background_tasks.go
index e29d42ef7..aa023628e 100644
--- a/server/background_tasks.go
+++ b/server/background_tasks.go
@@ -565,6 +565,8 @@ func (s *Server) ConsumeSchemaverseDlsMessages() {
 			subject := fmt.Sprintf(JSApiRequestNextT, dlsSchemaverseStream, SCHEMAVERSE_DLS_CONSUMER)
 			s.sendInternalAccountMsgWithReply(s.MemphisGlobalAccount(), subject, replySubj, nil, req, true)
 
+			s.Debugf("ConsumeSchemaverseDlsMessages: sending fetch request")
+
 			timeout := time.NewTimer(5 * time.Second)
 			msgs := make([]schemaverseDlsMsg, 0)
 			stop := false
@@ -582,12 +584,12 @@ func (s *Server) ConsumeSchemaverseDlsMessages() {
 					}
 				case <-timeout.C:
 					stop = true
-					s.Debugf("ConsumeSchemaverseDlsMessages: finished because of timer")
+					s.Debugf("ConsumeSchemaverseDlsMessages: finished because of timer: %v messages", len(msgs))
 				}
 			}
 			for _, message := range msgs {
 				msg := message.Msg
-				s.handleSchemaverseDlsMsg(msg)
+				err := s.handleSchemaverseDlsMsg(msg)
 				if err == nil {
 					// send ack
 					s.sendInternalAccountMsgWithEcho(s.MemphisGlobalAccount(), message.ReplySubject, []byte(_EMPTY_))
diff --git a/server/memphis_handlers_dls_messages.go b/server/memphis_handlers_dls_messages.go
index f3ea549d7..b87c410da 100644
--- a/server/memphis_handlers_dls_messages.go
+++ b/server/memphis_handlers_dls_messages.go
@@ -155,45 +155,47 @@ func (s *Server) handleNewUnackedMsg(msg []byte) error {
 	return nil
 }
 
-func (s *Server) handleSchemaverseDlsMsg(msg []byte) {
+func (s *Server) handleSchemaverseDlsMsg(msg []byte) error {
 	tenantName, stringMessage, err := s.getTenantNameAndMessage(msg)
 	if err != nil {
 		s.Errorf("handleSchemaverseDlsMsg at getTenantNameAndMessage: %v", err.Error())
-		return
+		return err
 	}
 	var message models.SchemaVerseDlsMessageSdk
 	err = json.Unmarshal([]byte(stringMessage), &message)
 	if err != nil {
 		serv.Errorf("[tenant: %v]handleSchemaverseDlsMsg: %v", tenantName, err.Error())
-		return
+		return err
 	}
 
 	exist, station, err := db.GetStationByName(message.StationName, tenantName)
 	if err != nil {
 		serv.Errorf("[tenant: %v]handleSchemaverseDlsMsg: %v", tenantName, err.Error())
-		return
+		return err
 	}
 	if !exist {
 		serv.Warnf("[tenant: %v]handleSchemaverseDlsMsg: station %v couldn't been found", tenantName, message.StationName)
-		return
+		return nil
 	}
 
 	message.Message.TimeSent = time.Now()
 	_, err = db.InsertSchemaverseDlsMsg(station.ID, 0, message.Producer.Name, []string{}, models.MessagePayload(message.Message), message.ValidationError, tenantName, message.PartitionNumber)
 	if err != nil {
 		serv.Errorf("[tenant: %v]handleSchemaverseDlsMsg: %v", tenantName, err.Error())
-		return
+		return err
 	}
 	data, err := hex.DecodeString(message.Message.Data)
 	if err != nil {
 		serv.Errorf("[tenant: %v]handleSchemaverseDlsMsg at DecodeString: %v", tenantName, err.Error())
-		return
+		return err
 	}
 	err = s.sendToDlsStation(station, data, message.Message.Headers, "failed_schema", "")
 	if err != nil {
 		serv.Errorf("[tenant: %v]handleSchemaverseDlsMsg at sendToDlsStation: station: %v, Error while getting notified about a poison message: %v", tenantName, station.DlsStation, err.Error())
-		return
+		return err
 	}
+
+	return nil
 }
 
 func (pmh PoisonMessagesHandler) GetDlsMsgsByStationLight(station models.Station, partitionNumber int) ([]models.LightDlsMessageResponse, []models.LightDlsMessageResponse, []models.LightDlsMessageResponse, int, error) {

From 909514b4444c2b9e9de9b02e16a11c1859519e70 Mon Sep 17 00:00:00 2001
From: idanasulinStrech <idan@memphis.dev>
Date: Thu, 7 Dec 2023 09:51:11 +0200
Subject: [PATCH 04/16] test files

---
 test/bench_test.go                            |    6 +
 test/cluster_test.go                          |   21 +
 test/cluster_tls_test.go                      |    6 +
 .../ocsp_peer/mini-ca/caocsp/caocsp_cert.pem  |   91 +
 .../mini-ca/caocsp/private/caocsp_keypair.pem |   28 +
 .../mini-ca/client1/System_bundle.pem         |  186 ++
 .../ocsp_peer/mini-ca/client1/System_cert.pem |   97 +
 .../mini-ca/client1/UserA1_bundle.pem         |  186 ++
 .../ocsp_peer/mini-ca/client1/UserA1_cert.pem |   97 +
 .../mini-ca/client1/UserA2_bundle.pem         |  186 ++
 .../ocsp_peer/mini-ca/client1/UserA2_cert.pem |   97 +
 .../ocsp_peer/mini-ca/client1/certfile.pem    |  175 +
 .../client1/private/System_keypair.pem        |   28 +
 .../client1/private/UserA1_keypair.pem        |   28 +
 .../client1/private/UserA2_keypair.pem        |   28 +
 .../mini-ca/client2/UserB1_bundle.pem         |  186 ++
 .../ocsp_peer/mini-ca/client2/UserB1_cert.pem |   97 +
 .../mini-ca/client2/UserB2_bundle.pem         |  186 ++
 .../ocsp_peer/mini-ca/client2/UserB2_cert.pem |   97 +
 .../ocsp_peer/mini-ca/client2/certfile.pem    |  175 +
 .../client2/private/UserB1_keypair.pem        |   28 +
 .../client2/private/UserB2_keypair.pem        |   28 +
 .../intermediate1/intermediate1_cert.pem      |   89 +
 .../private/intermediate1_keypair.pem         |   28 +
 .../intermediate2/intermediate2_cert.pem      |   89 +
 .../private/intermediate2_keypair.pem         |   28 +
 .../misc/misconfig_TestServer1_bundle.pem     |  186 ++
 .../mini-ca/misc/trust_config1_bundle.pem     |  264 ++
 .../mini-ca/misc/trust_config2_bundle.pem     |  264 ++
 .../mini-ca/misc/trust_config3_bundle.pem     |  264 ++
 .../ocsp_peer/mini-ca/ocsp1/ocsp1_bundle.pem  |  181 +
 .../ocsp_peer/mini-ca/ocsp1/ocsp1_cert.pem    |   92 +
 .../mini-ca/ocsp1/private/ocsp1_keypair.pem   |   28 +
 .../ocsp_peer/mini-ca/ocsp2/ocsp2_bundle.pem  |  181 +
 .../ocsp_peer/mini-ca/ocsp2/ocsp2_cert.pem    |   92 +
 .../mini-ca/ocsp2/private/ocsp2_keypair.pem   |   28 +
 .../mini-ca/root/private/root_keypair.pem     |   28 +
 .../ocsp_peer/mini-ca/root/root_cert.pem      |   86 +
 .../mini-ca/server1/TestServer1_bundle.pem    |  186 ++
 .../mini-ca/server1/TestServer1_cert.pem      |   97 +
 .../mini-ca/server1/TestServer2_bundle.pem    |  186 ++
 .../mini-ca/server1/TestServer2_cert.pem      |   97 +
 .../server1/private/TestServer1_keypair.pem   |   28 +
 .../server1/private/TestServer2_keypair.pem   |   28 +
 .../mini-ca/server2/TestServer3_bundle.pem    |  186 ++
 .../mini-ca/server2/TestServer3_cert.pem      |   97 +
 .../mini-ca/server2/TestServer4_bundle.pem    |  186 ++
 .../mini-ca/server2/TestServer4_cert.pem      |   97 +
 .../server2/private/TestServer3_keypair.pem   |   28 +
 .../server2/private/TestServer4_keypair.pem   |   28 +
 .../certs/tlsauth/certstore/client.p12        |  Bin 0 -> 2509 bytes
 .../certstore/delete-cert-from-store.ps1      |    2 +
 .../tlsauth/certstore/import-p12-client.ps1   |    5 +
 .../tlsauth/certstore/import-p12-server.ps1   |    5 +
 .../configs/certs/tlsauth/certstore/pkcs12.md |   22 +
 .../certs/tlsauth/certstore/server.p12        |  Bin 0 -> 2533 bytes
 test/gateway_test.go                          |  157 +-
 test/gosrv_test.go                            |    1 +
 test/leafnode_test.go                         |    3 +
 test/ocsp_peer_test.go                        | 2926 +++++++++++++++++
 test/ocsp_test.go                             | 2609 ++++++++++-----
 test/system_services_test.go                  |    2 +-
 test/test_test.go                             |    3 +
 test/tls_test.go                              |   20 +
 test/verbose_test.go                          |    1 +
 65 files changed, 10136 insertions(+), 849 deletions(-)
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/caocsp/caocsp_cert.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/caocsp/private/caocsp_keypair.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/client1/System_bundle.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/client1/System_cert.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/client1/UserA1_cert.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/client1/UserA2_bundle.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/client1/UserA2_cert.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/client1/certfile.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/client1/private/System_keypair.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/client1/private/UserA2_keypair.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/client2/UserB1_bundle.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/client2/UserB1_cert.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/client2/UserB2_bundle.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/client2/UserB2_cert.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/client2/certfile.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/client2/private/UserB1_keypair.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/client2/private/UserB2_keypair.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/intermediate1/intermediate1_cert.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/intermediate1/private/intermediate1_keypair.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/intermediate2/intermediate2_cert.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/intermediate2/private/intermediate2_keypair.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/misc/misconfig_TestServer1_bundle.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/misc/trust_config1_bundle.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/misc/trust_config2_bundle.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/misc/trust_config3_bundle.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/ocsp1/ocsp1_bundle.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/ocsp1/ocsp1_cert.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/ocsp1/private/ocsp1_keypair.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/ocsp2/ocsp2_bundle.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/ocsp2/ocsp2_cert.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/ocsp2/private/ocsp2_keypair.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/root/private/root_keypair.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/root/root_cert.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/server1/TestServer1_cert.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/server1/TestServer2_bundle.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/server1/TestServer2_cert.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/server1/private/TestServer2_keypair.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/server2/TestServer3_bundle.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/server2/TestServer3_cert.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/server2/TestServer4_bundle.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/server2/TestServer4_cert.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/server2/private/TestServer3_keypair.pem
 create mode 100644 test/configs/certs/ocsp_peer/mini-ca/server2/private/TestServer4_keypair.pem
 create mode 100644 test/configs/certs/tlsauth/certstore/client.p12
 create mode 100644 test/configs/certs/tlsauth/certstore/delete-cert-from-store.ps1
 create mode 100644 test/configs/certs/tlsauth/certstore/import-p12-client.ps1
 create mode 100644 test/configs/certs/tlsauth/certstore/import-p12-server.ps1
 create mode 100644 test/configs/certs/tlsauth/certstore/pkcs12.md
 create mode 100644 test/configs/certs/tlsauth/certstore/server.p12
 create mode 100644 test/ocsp_peer_test.go

diff --git a/test/bench_test.go b/test/bench_test.go
index d1d874394..d98ede451 100644
--- a/test/bench_test.go
+++ b/test/bench_test.go
@@ -11,6 +11,12 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+// Please note that these tests will stress a system and they need generous
+// amounts of CPU, Memory and network sockets. Make sure the 'open files'
+// setting for your platform is at least 8192. On linux and MacOSX you can
+// do this via 'ulimit -n 8192'
+//
+
 package test
 
 import (
diff --git a/test/cluster_test.go b/test/cluster_test.go
index a08c30973..e851a841d 100644
--- a/test/cluster_test.go
+++ b/test/cluster_test.go
@@ -240,6 +240,10 @@ func TestClusterQueueSubs(t *testing.T) {
 	sendB("PING\r\n")
 	expectB(pongRe)
 
+	// Give plenty of time for the messages to flush, so that we don't
+	// accidentally only read some of them.
+	time.Sleep(time.Millisecond * 250)
+
 	// Should receive 5.
 	matches = expectMsgsA(5)
 	checkForQueueSid(t, matches, qg1SidsA)
@@ -248,6 +252,10 @@ func TestClusterQueueSubs(t *testing.T) {
 	// Send to A
 	sendA("PUB foo 2\r\nok\r\n")
 
+	// Give plenty of time for the messages to flush, so that we don't
+	// accidentally only read some of them.
+	time.Sleep(time.Millisecond * 250)
+
 	// Should receive 5.
 	matches = expectMsgsA(5)
 	checkForQueueSid(t, matches, qg1SidsA)
@@ -270,6 +278,10 @@ func TestClusterQueueSubs(t *testing.T) {
 	// Send to B
 	sendB("PUB foo 2\r\nok\r\n")
 
+	// Give plenty of time for the messages to flush, so that we don't
+	// accidentally only read some of them.
+	time.Sleep(time.Millisecond * 250)
+
 	// Should receive 1 from B.
 	matches = expectMsgsB(1)
 	checkForQueueSid(t, matches, qg2SidsB)
@@ -308,6 +320,10 @@ func TestClusterQueueSubs(t *testing.T) {
 	// Send to A
 	sendA("PUB foo 2\r\nok\r\n")
 
+	// Give plenty of time for the messages to flush, so that we don't
+	// accidentally only read some of them.
+	time.Sleep(time.Millisecond * 250)
+
 	// Should receive 4 now.
 	matches = expectMsgsA(4)
 	checkForPubSids(t, matches, pSids)
@@ -390,6 +406,8 @@ func TestClusterDoubleMsgs(t *testing.T) {
 	sendB("PING\r\n")
 	expectB(pongRe)
 
+	time.Sleep(10 * time.Millisecond)
+
 	matches = expectMsgsA2(2)
 	checkMsg(t, matches[0], "foo", "", "", "2", "ok")
 	checkForPubSids(t, matches, pSids)
@@ -588,6 +606,7 @@ func (c *captureErrLogger) Errorf(format string, v ...interface{}) {
 	}
 }
 
+// ** added by Memphis
 func (c *captureErrLogger) Systemf(format string, v ...interface{}) {
 	msg := fmt.Sprintf(format, v...)
 	select {
@@ -596,6 +615,8 @@ func (c *captureErrLogger) Systemf(format string, v ...interface{}) {
 	}
 }
 
+// ** added by Memphis
+
 func TestClusterNameConflictsDropRoutes(t *testing.T) {
 	ll := &captureErrLogger{ch: make(chan string, 4)}
 
diff --git a/test/cluster_tls_test.go b/test/cluster_tls_test.go
index 80bd1f3e3..e172cd6db 100644
--- a/test/cluster_tls_test.go
+++ b/test/cluster_tls_test.go
@@ -82,6 +82,7 @@ func (c *captureTLSError) Errorf(format string, v ...interface{}) {
 	}
 }
 
+// ** added by Memphis
 func (c *captureTLSError) Systemf(format string, v ...interface{}) {
 	msg := fmt.Sprintf(format, v...)
 	if strings.Contains(msg, "handshake error") {
@@ -92,6 +93,8 @@ func (c *captureTLSError) Systemf(format string, v ...interface{}) {
 	}
 }
 
+// ** added by Memphis
+
 type captureClusterTLSInsecureLogger struct {
 	dummyLogger
 	ch chan struct{}
@@ -107,6 +110,7 @@ func (c *captureClusterTLSInsecureLogger) Warnf(format string, v ...interface{})
 	}
 }
 
+// ** added by Memphis
 func (c *captureClusterTLSInsecureLogger) Systemf(format string, v ...interface{}) {
 	msg := fmt.Sprintf(format, v...)
 	if strings.Contains(msg, "solicited routes will not be verified") {
@@ -117,6 +121,8 @@ func (c *captureClusterTLSInsecureLogger) Systemf(format string, v ...interface{
 	}
 }
 
+// ** added by Memphis
+
 func TestClusterTLSInsecure(t *testing.T) {
 	confA := createConfFile(t, []byte(`
 		port: -1
diff --git a/test/configs/certs/ocsp_peer/mini-ca/caocsp/caocsp_cert.pem b/test/configs/certs/ocsp_peer/mini-ca/caocsp/caocsp_cert.pem
new file mode 100644
index 000000000..b6d024a90
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/caocsp/caocsp_cert.pem
@@ -0,0 +1,91 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            17:37:00:a1:ce:35:e0:84:dd:e9:30:0c:a7:12:b9:50:88:9c:16:07
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 19:02:58 2023 GMT
+            Not After : Apr 28 19:02:58 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=CA OCSP Responder
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:d6:10:15:61:34:1e:97:0d:c6:c2:7d:f2:0f:9a:
+                    35:56:54:7a:9b:9e:a3:0b:ff:31:0d:db:49:4b:98:
+                    e0:64:3a:3c:7f:4f:4b:d0:a8:01:80:c9:68:4e:76:
+                    3b:be:7b:d9:56:8d:d4:fd:bf:e1:6f:d0:5c:88:07:
+                    3f:05:a8:83:b3:7e:0b:ba:e0:36:f6:1c:e0:75:fd:
+                    be:38:26:33:1b:42:96:4e:62:0b:88:36:ef:cc:14:
+                    e3:97:86:dd:c2:78:d3:05:b7:4d:cd:2b:52:f2:11:
+                    16:d2:7e:8f:f3:47:8c:f9:0f:1e:cd:5e:f7:a4:1c:
+                    62:34:03:70:74:89:6b:bc:75:e3:30:82:c1:5b:67:
+                    f3:d1:ca:81:13:10:d8:c5:d8:20:05:6d:d1:e7:51:
+                    19:ac:03:96:2a:a1:21:ff:88:2e:d2:e9:67:79:cf:
+                    ef:17:b5:2b:7c:10:1f:5e:79:3e:08:98:7f:42:bb:
+                    8a:13:17:2d:9a:1a:8d:ff:36:c2:e9:c0:07:ea:cb:
+                    4f:72:35:f7:f2:d9:86:d2:ab:6b:70:2b:57:82:c8:
+                    02:93:aa:04:aa:00:3a:53:23:3d:61:82:32:0e:68:
+                    33:7e:5f:03:52:c9:53:db:e3:26:46:8a:ab:e0:e5:
+                    54:57:0d:e3:e3:24:b8:d9:69:92:0a:fb:bd:51:25:
+                    89:fd
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                D2:00:A2:C3:AA:00:76:1C:E7:67:37:96:89:77:38:69:C5:1B:5E:45
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Key Usage: critical
+                Digital Signature
+            X509v3 Extended Key Usage: critical
+                OCSP Signing
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:8888/
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        b0:36:29:84:91:de:14:e5:db:bf:55:fc:d8:0a:81:b5:df:84:
+        e4:5c:ae:e2:3c:1d:05:09:8a:85:7a:9e:f4:82:61:1b:7b:8a:
+        0f:1d:e3:ad:b0:60:45:12:2e:38:6d:9c:95:d2:42:fe:2e:1a:
+        d2:a5:2c:82:40:1e:6c:4b:35:d1:3c:a6:4c:1c:73:c9:d0:32:
+        e9:47:c9:9a:fa:d0:1a:ef:86:c7:1e:49:ca:62:f1:81:9d:4e:
+        38:35:56:1b:53:fe:4a:f4:4c:91:31:8f:32:70:64:ee:91:f7:
+        4e:fe:ab:c5:1e:84:d1:43:cd:af:f6:5d:2a:b1:4f:b1:f4:1f:
+        5a:9d:33:7a:48:94:c8:88:23:e5:b9:c8:a1:4d:51:4c:d5:3b:
+        5f:f7:e8:e5:e1:53:a6:de:c8:95:14:32:e0:52:db:43:d6:c9:
+        2f:7f:96:07:fb:87:0a:f0:53:3d:ce:e1:56:6f:dc:0e:84:f3:
+        e2:ef:dc:17:0f:59:1f:1a:70:d5:7f:08:36:3d:7e:8e:f8:1f:
+        55:47:9a:96:1b:11:25:d9:27:7f:bf:e1:65:e5:16:ca:d9:bc:
+        6f:5c:5e:a6:4c:d0:7a:24:8d:42:c4:dc:b5:4a:75:4a:7c:88:
+        da:21:5e:27:e1:0c:36:64:69:10:58:81:3d:cd:74:df:50:85:
+        c2:71:fe:43
+-----BEGIN CERTIFICATE-----
+MIIEGzCCAwOgAwIBAgIUFzcAoc414ITd6TAMpxK5UIicFgcwDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE5
+MDI1OFoXDTMzMDQyODE5MDI1OFowWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFD
+QSBPQ1NQIFJlc3BvbmRlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ANYQFWE0HpcNxsJ98g+aNVZUepueowv/MQ3bSUuY4GQ6PH9PS9CoAYDJaE52O757
+2VaN1P2/4W/QXIgHPwWog7N+C7rgNvYc4HX9vjgmMxtClk5iC4g278wU45eG3cJ4
+0wW3Tc0rUvIRFtJ+j/NHjPkPHs1e96QcYjQDcHSJa7x14zCCwVtn89HKgRMQ2MXY
+IAVt0edRGawDliqhIf+ILtLpZ3nP7xe1K3wQH155PgiYf0K7ihMXLZoajf82wunA
+B+rLT3I19/LZhtKra3ArV4LIApOqBKoAOlMjPWGCMg5oM35fA1LJU9vjJkaKq+Dl
+VFcN4+MkuNlpkgr7vVElif0CAwEAAaOB4jCB3zAdBgNVHQ4EFgQU0gCiw6oAdhzn
+ZzeWiXc4acUbXkUwHwYDVR0jBBgwFoAUwxJCuqnYTeDDPrrXR0GmCS9ttOEwDAYD
+VR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwFgYDVR0lAQH/BAwwCgYIKwYBBQUH
+AwkwMwYDVR0fBCwwKjAooCagJIYiaHR0cDovLzEyNy4wLjAuMTo4ODg4L3Jvb3Rf
+Y3JsLmRlcjAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcu
+MC4wLjE6ODg4OC8wDQYJKoZIhvcNAQELBQADggEBALA2KYSR3hTl279V/NgKgbXf
+hORcruI8HQUJioV6nvSCYRt7ig8d462wYEUSLjhtnJXSQv4uGtKlLIJAHmxLNdE8
+pkwcc8nQMulHyZr60BrvhsceScpi8YGdTjg1VhtT/kr0TJExjzJwZO6R907+q8Ue
+hNFDza/2XSqxT7H0H1qdM3pIlMiII+W5yKFNUUzVO1/36OXhU6beyJUUMuBS20PW
+yS9/lgf7hwrwUz3O4VZv3A6E8+Lv3BcPWR8acNV/CDY9fo74H1VHmpYbESXZJ3+/
+4WXlFsrZvG9cXqZM0HokjULE3LVKdUp8iNohXifhDDZkaRBYgT3NdN9QhcJx/kM=
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/caocsp/private/caocsp_keypair.pem b/test/configs/certs/ocsp_peer/mini-ca/caocsp/private/caocsp_keypair.pem
new file mode 100644
index 000000000..e3ac9b3a4
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/caocsp/private/caocsp_keypair.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDWEBVhNB6XDcbC
+ffIPmjVWVHqbnqML/zEN20lLmOBkOjx/T0vQqAGAyWhOdju+e9lWjdT9v+Fv0FyI
+Bz8FqIOzfgu64Db2HOB1/b44JjMbQpZOYguINu/MFOOXht3CeNMFt03NK1LyERbS
+fo/zR4z5Dx7NXvekHGI0A3B0iWu8deMwgsFbZ/PRyoETENjF2CAFbdHnURmsA5Yq
+oSH/iC7S6Wd5z+8XtSt8EB9eeT4ImH9Cu4oTFy2aGo3/NsLpwAfqy09yNffy2YbS
+q2twK1eCyAKTqgSqADpTIz1hgjIOaDN+XwNSyVPb4yZGiqvg5VRXDePjJLjZaZIK
++71RJYn9AgMBAAECggEACnoECdtaqervMOKoH7Jc7Oo6i/ZCJZqqRHLYjf4f8VfW
+USbI35/xXuO8mqZ3uxVlqDJN29NxzZ6lgLTWFUlPlM/U9CL4HaiBJdUy452e/7UN
+FS4AQXzq1JKrJuXfYZ63OT7k7Gcz6owCkW/HTNFSKXhfeg6tURdgiQooDVQSdUk6
+xX4gVEK3skozRXf4mrjTaNnFCOk2+sZdqrRn19ZAUGRisv6ECf8/wQlh3+ySfPYV
+u+BHQqzntToYP0HUZAO6rezcTVayW25E+AaOqNdNmSqcOX218ohVCzwzFpzIk8LW
+jYLyGQBhHHcw+RHJeitcHrDuTTpOZFznQxzHiGH3AwKBgQD91TNHx9Y9jUBkISSi
+XylSiZEAOjPl4VrhRfI5OUx1l3XTqB/e3xBYLwxEpXjs7m3qyXhCe+rVuIwSjLzc
+mLCspPZw/fxdRefWW5B+v1HbHxC3/lBOhqaDfLL6x4A/q3n/itG9X0GjpfvRkdJY
+GYOJea/2rJuMsFs3atX160p4cwKBgQDX4/VXJWxxWUJbObwoxxABG9VTZdI6Dsqr
+8tgg+7NPqw3PAo5W+XLsGZCSWQfJTD49AHcHBon5IfEDa5srfKsOXFXoiNEdCjIG
+zJ9mNtGMokXOWLKgxMoqHz+WnqWgxi9D7QwWWNq5hWnACJUqeqelRMzoNkmr96DX
+NloqHREHzwKBgQC0jKnlLOfe8FIU5t5AAKBL7T4Og1fW8+zIwBADVBZmrk1JOBUz
+Wkct8okvauQQ46ebkaLQ54OqcZJwv1q3LoS8yLnitUaEseyuNIMbJMr8qaQiu+oz
+cOOQM2q7ppw6raYhdoSpxs/Rr4bnEmoj8EH3z26ybyRVdjvrtzppqetWsQKBgQCa
+YogGA9siy6PqPMVTm9bUFCVfeEb4Aa/pesYYACbgaAB98uP7SnNmZ3m9TjGFQCKZ
+2QVFXuW35Q/HVGIonQRuRpWgroZr7+iKeDXdEIKVwU2OHFvRICk6KhJ9EYJ8EH2o
+Y5HrQStY1BElpH2XXRMZ2rN1s6zHb1Pz0whzaUnOfQKBgQCpfJYh1Yzpryb0hkfa
+MAL2Rsw+mpYeJ27Bmv+taW5iEVMQr2AEYNJhQx1SjNZOml2mqY6un4UPwhUwqAqg
+SOgWNQGD5g6xoM6Hom+nZG03QacCYUOaD6xDmVKTY0LnzVBwspfvrIgLKgZ7IWBx
+KlqvY5FJ+NXg3wHLNwgGzkgVPg==
+-----END PRIVATE KEY-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/client1/System_bundle.pem b/test/configs/certs/ocsp_peer/mini-ca/client1/System_bundle.pem
new file mode 100644
index 000000000..e89690691
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/client1/System_bundle.pem
@@ -0,0 +1,186 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            7c:43:65:c7:cf:27:e3:83:ae:2f:60:ac:03:e5:f2:b6:22:88:bc:a2
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 1
+        Validity
+            Not Before: May  1 19:37:36 2023 GMT
+            Not After : Apr 28 19:37:36 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=System
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:a3:21:2f:74:34:c1:1b:41:90:b6:4e:41:72:e0:
+                    3f:9e:49:94:55:ec:02:4c:dd:14:80:b8:3d:c6:c7:
+                    47:bb:a5:59:c3:35:86:89:17:08:ce:fe:71:e6:2f:
+                    9c:c1:db:d2:7e:14:24:da:61:30:3a:e7:6e:b1:e3:
+                    21:38:81:bc:47:df:b2:7f:1f:60:be:3d:c5:ed:76:
+                    03:94:e3:c4:b3:3e:bf:f8:43:ba:c2:54:bc:bb:66:
+                    59:98:a3:f9:aa:e3:10:e8:c3:88:dc:1a:18:6f:dd:
+                    90:eb:6f:a3:4b:d4:af:34:5c:43:20:d5:5b:e7:98:
+                    a5:7c:7b:a9:15:86:bb:28:bf:ba:e0:bb:f7:1c:08:
+                    c4:26:eb:c1:ac:05:1f:74:4f:05:11:57:e0:12:77:
+                    17:9e:89:dd:a5:38:ee:cf:cf:67:be:0c:5e:6a:4a:
+                    74:61:21:79:8e:c3:28:f1:e2:06:00:2d:ea:3a:6d:
+                    e2:a6:25:fd:2d:8b:f5:82:36:91:8a:21:f0:6a:93:
+                    19:d6:76:08:fd:cd:ee:90:a9:a9:cf:99:30:71:46:
+                    57:ea:fb:c5:65:4f:7c:86:5c:9d:d7:b4:c3:27:3c:
+                    eb:27:dd:bc:55:76:1f:25:0d:cb:6f:43:9a:9f:ba:
+                    de:54:c1:90:03:9e:e5:0d:d9:cd:84:d4:58:74:63:
+                    be:59
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                A0:FA:B5:24:42:70:DF:E1:BB:E6:10:62:BE:FE:F5:81:13:2F:31:9B
+            X509v3 Authority Key Identifier: 
+                B5:91:6E:4F:64:B7:16:84:76:F9:B4:BE:99:CE:60:95:98:1A:8E:9D
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Client, S/MIME
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication, E-mail Protection
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:18888/intermediate1_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:18888/
+            X509v3 Subject Alternative Name: 
+                email:System@user.net
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        ad:00:40:7a:34:ad:07:e9:ed:fa:8f:1f:48:08:79:81:a8:3c:
+        90:da:05:95:74:05:51:9c:17:a8:5c:03:09:c8:f8:2c:09:64:
+        e2:7c:fc:69:e1:c0:5d:8a:d9:f0:f3:e4:cd:2c:5e:43:77:71:
+        f8:58:20:88:8f:63:e1:b4:86:db:7a:54:df:ce:be:01:e2:55:
+        a2:70:a8:89:64:cf:2a:13:78:91:de:83:ed:d6:74:24:00:ca:
+        3d:67:4a:cd:e3:82:b9:56:a3:3a:b4:80:b2:ac:61:e9:75:6c:
+        30:1c:81:96:2f:f0:99:b2:7b:73:b5:45:b0:3c:20:ed:54:b3:
+        87:37:9f:5e:07:c4:8a:72:94:53:4e:a2:a0:83:bc:fb:61:59:
+        ff:8c:91:1c:db:ad:7a:e0:12:e3:a3:b1:91:97:d4:c7:ed:02:
+        6e:7e:01:d8:d6:d5:6d:81:a2:32:ca:8c:6d:32:91:40:97:e5:
+        a1:ad:22:7d:af:ab:ce:68:0b:69:52:53:8a:80:dd:f3:9f:a8:
+        1f:34:a7:1f:37:58:cb:6c:da:54:cf:cc:0b:67:95:e9:6e:30:
+        a4:ce:12:c4:5a:e0:d4:92:fb:0b:67:a8:51:ad:dc:4a:d0:ad:
+        fb:92:77:85:a5:9d:84:ff:99:50:ca:15:4f:d4:30:c8:85:ca:
+        95:a0:88:62
+-----BEGIN CERTIFICATE-----
+MIIEXTCCA0WgAwIBAgIUfENlx88n44OuL2CsA+XytiKIvKIwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJbnRlcm1lZGlhdGUgQ0EgMTAe
+Fw0yMzA1MDExOTM3MzZaFw0zMzA0MjgxOTM3MzZaME8xCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJXQTEPMA0GA1UEBwwGVGFjb21hMREwDwYDVQQKDAhUZXN0bmF0czEP
+MA0GA1UEAwwGU3lzdGVtMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+oyEvdDTBG0GQtk5BcuA/nkmUVewCTN0UgLg9xsdHu6VZwzWGiRcIzv5x5i+cwdvS
+fhQk2mEwOuduseMhOIG8R9+yfx9gvj3F7XYDlOPEsz6/+EO6wlS8u2ZZmKP5quMQ
+6MOI3BoYb92Q62+jS9SvNFxDINVb55ilfHupFYa7KL+64Lv3HAjEJuvBrAUfdE8F
+EVfgEncXnondpTjuz89nvgxeakp0YSF5jsMo8eIGAC3qOm3ipiX9LYv1gjaRiiHw
+apMZ1nYI/c3ukKmpz5kwcUZX6vvFZU98hlyd17TDJzzrJ928VXYfJQ3Lb0Oan7re
+VMGQA57lDdnNhNRYdGO+WQIDAQABo4IBJDCCASAwHQYDVR0OBBYEFKD6tSRCcN/h
+u+YQYr7+9YETLzGbMB8GA1UdIwQYMBaAFLWRbk9ktxaEdvm0vpnOYJWYGo6dMAwG
+A1UdEwEB/wQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMA4GA1UdDwEB/wQEAwIF4DAd
+BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwPQYDVR0fBDYwNDAyoDCgLoYs
+aHR0cDovLzEyNy4wLjAuMToxODg4OC9pbnRlcm1lZGlhdGUxX2NybC5kZXIwMwYI
+KwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8vMTI3LjAuMC4xOjE4ODg4
+LzAaBgNVHREEEzARgQ9TeXN0ZW1AdXNlci5uZXQwDQYJKoZIhvcNAQELBQADggEB
+AK0AQHo0rQfp7fqPH0gIeYGoPJDaBZV0BVGcF6hcAwnI+CwJZOJ8/GnhwF2K2fDz
+5M0sXkN3cfhYIIiPY+G0htt6VN/OvgHiVaJwqIlkzyoTeJHeg+3WdCQAyj1nSs3j
+grlWozq0gLKsYel1bDAcgZYv8Jmye3O1RbA8IO1Us4c3n14HxIpylFNOoqCDvPth
+Wf+MkRzbrXrgEuOjsZGX1MftAm5+AdjW1W2BojLKjG0ykUCX5aGtIn2vq85oC2lS
+U4qA3fOfqB80px83WMts2lTPzAtnleluMKTOEsRa4NSS+wtnqFGt3ErQrfuSd4Wl
+nYT/mVDKFU/UMMiFypWgiGI=
+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            55:57:db:45:43:06:ce:52:63:59:b9:5a:26:78:fd:0d:94:68:95:9c
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 19:01:15 2023 GMT
+            Not After : Apr 28 19:01:15 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:bc:c6:84:2d:c2:ab:5d:05:d7:65:a8:e2:15:74:
+                    d8:f2:f1:55:11:45:93:96:4c:a5:dc:cb:44:f5:f4:
+                    14:7e:46:02:59:e8:ae:78:59:69:21:58:f7:16:38:
+                    b9:c2:c2:60:d8:76:ab:a1:39:ba:0b:a3:03:17:e4:
+                    a1:cb:5d:1a:0c:62:71:24:64:b0:00:f0:6f:4c:af:
+                    08:62:8c:dc:4f:e0:d7:d4:55:2c:db:36:fc:a9:aa:
+                    d7:58:27:e4:99:cb:dc:29:d9:ea:35:16:cb:2e:be:
+                    04:b2:82:58:f4:e5:5c:07:db:12:8e:e3:3c:9a:5e:
+                    90:4b:c5:a3:d4:21:96:5f:e1:8f:f7:cb:9e:db:e0:
+                    10:a0:6c:a2:1e:30:17:6c:32:9f:7b:43:a4:9f:d3:
+                    6b:33:1b:18:cd:a4:ad:33:48:a3:98:b0:2b:c8:22:
+                    74:17:71:d8:f1:64:21:55:e1:33:bc:7f:74:5f:a5:
+                    a6:a2:9b:58:2f:db:ed:c7:c1:e5:36:2e:86:26:ad:
+                    c6:fe:b8:00:85:6e:7c:ed:fd:4a:c6:a0:d9:b2:3f:
+                    4e:bd:fa:08:52:c8:5d:31:13:86:bd:3f:ec:7a:d8:
+                    3a:15:e2:71:af:ec:00:88:7e:a6:e8:e1:9d:ab:57:
+                    5a:8a:1f:f8:e2:4d:29:58:53:79:25:f0:9e:d9:18:
+                    40:27
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                B5:91:6E:4F:64:B7:16:84:76:F9:B4:BE:99:CE:60:95:98:1A:8E:9D
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:8888/
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        b1:48:16:3b:d7:91:d0:4d:54:09:cb:ab:c7:41:4f:35:12:8b:
+        a6:e8:84:11:49:a9:04:91:41:25:7c:02:38:b2:19:a0:e9:2e:
+        d5:d6:7a:26:c1:1a:f8:f1:c6:51:92:68:af:c8:6e:5b:df:28:
+        40:b8:99:94:d5:43:7d:e3:68:75:94:26:56:11:21:9e:50:b3:
+        36:7b:f8:5f:33:76:64:71:04:26:2b:bb:2c:83:33:89:ba:74:
+        c1:e9:9d:eb:c0:86:4b:4d:6f:f8:4d:55:5a:3d:f6:55:95:33:
+        0f:b8:f0:53:2b:93:a6:da:8d:5c:1a:e8:30:22:55:67:44:6e:
+        17:c4:57:05:0d:ce:fc:61:dd:b1:3c:b0:66:55:f4:42:d0:ce:
+        94:7d:6a:82:bd:32:ed:2f:21:ff:c7:70:ff:48:9d:10:4a:71:
+        be:a8:37:e5:0f:f4:79:1e:7d:a2:f1:6a:6b:2c:e8:03:20:ce:
+        80:94:d2:38:80:bc:7e:56:c5:77:62:94:c0:b7:40:11:4d:ba:
+        98:4b:2e:52:03:66:68:36:ab:d1:0f:3e:b5:92:a3:95:9d:a4:
+        ea:d3:8a:14:41:6d:86:24:89:aa:d7:29:20:c8:52:d5:bf:8d:
+        3b:09:52:dd:89:8c:2c:85:40:b5:9f:cc:47:63:ca:3a:e0:c9:
+        91:5c:43:a9
+-----BEGIN CERTIFICATE-----
+MIIECTCCAvGgAwIBAgIUVVfbRUMGzlJjWblaJnj9DZRolZwwDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE5
+MDExNVoXDTMzMDQyODE5MDExNVowWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJ
+bnRlcm1lZGlhdGUgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALzGhC3Cq10F12Wo4hV02PLxVRFFk5ZMpdzLRPX0FH5GAlnornhZaSFY9xY4ucLC
+YNh2q6E5ugujAxfkoctdGgxicSRksADwb0yvCGKM3E/g19RVLNs2/Kmq11gn5JnL
+3CnZ6jUWyy6+BLKCWPTlXAfbEo7jPJpekEvFo9Qhll/hj/fLntvgEKBsoh4wF2wy
+n3tDpJ/TazMbGM2krTNIo5iwK8gidBdx2PFkIVXhM7x/dF+lpqKbWC/b7cfB5TYu
+hiatxv64AIVufO39Ssag2bI/Tr36CFLIXTEThr0/7HrYOhXica/sAIh+pujhnatX
+Woof+OJNKVhTeSXwntkYQCcCAwEAAaOB0DCBzTAdBgNVHQ4EFgQUtZFuT2S3FoR2
++bS+mc5glZgajp0wHwYDVR0jBBgwFoAUwxJCuqnYTeDDPrrXR0GmCS9ttOEwEgYD
+VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwMwYDVR0fBCwwKjAooCag
+JIYiaHR0cDovLzEyNy4wLjAuMTo4ODg4L3Jvb3RfY3JsLmRlcjAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6ODg4OC8wDQYJKoZI
+hvcNAQELBQADggEBALFIFjvXkdBNVAnLq8dBTzUSi6bohBFJqQSRQSV8AjiyGaDp
+LtXWeibBGvjxxlGSaK/IblvfKEC4mZTVQ33jaHWUJlYRIZ5QszZ7+F8zdmRxBCYr
+uyyDM4m6dMHpnevAhktNb/hNVVo99lWVMw+48FMrk6bajVwa6DAiVWdEbhfEVwUN
+zvxh3bE8sGZV9ELQzpR9aoK9Mu0vIf/HcP9InRBKcb6oN+UP9HkefaLxamss6AMg
+zoCU0jiAvH5WxXdilMC3QBFNuphLLlIDZmg2q9EPPrWSo5WdpOrTihRBbYYkiarX
+KSDIUtW/jTsJUt2JjCyFQLWfzEdjyjrgyZFcQ6k=
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/client1/System_cert.pem b/test/configs/certs/ocsp_peer/mini-ca/client1/System_cert.pem
new file mode 100644
index 000000000..335485315
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/client1/System_cert.pem
@@ -0,0 +1,97 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            7c:43:65:c7:cf:27:e3:83:ae:2f:60:ac:03:e5:f2:b6:22:88:bc:a2
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 1
+        Validity
+            Not Before: May  1 19:37:36 2023 GMT
+            Not After : Apr 28 19:37:36 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=System
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:a3:21:2f:74:34:c1:1b:41:90:b6:4e:41:72:e0:
+                    3f:9e:49:94:55:ec:02:4c:dd:14:80:b8:3d:c6:c7:
+                    47:bb:a5:59:c3:35:86:89:17:08:ce:fe:71:e6:2f:
+                    9c:c1:db:d2:7e:14:24:da:61:30:3a:e7:6e:b1:e3:
+                    21:38:81:bc:47:df:b2:7f:1f:60:be:3d:c5:ed:76:
+                    03:94:e3:c4:b3:3e:bf:f8:43:ba:c2:54:bc:bb:66:
+                    59:98:a3:f9:aa:e3:10:e8:c3:88:dc:1a:18:6f:dd:
+                    90:eb:6f:a3:4b:d4:af:34:5c:43:20:d5:5b:e7:98:
+                    a5:7c:7b:a9:15:86:bb:28:bf:ba:e0:bb:f7:1c:08:
+                    c4:26:eb:c1:ac:05:1f:74:4f:05:11:57:e0:12:77:
+                    17:9e:89:dd:a5:38:ee:cf:cf:67:be:0c:5e:6a:4a:
+                    74:61:21:79:8e:c3:28:f1:e2:06:00:2d:ea:3a:6d:
+                    e2:a6:25:fd:2d:8b:f5:82:36:91:8a:21:f0:6a:93:
+                    19:d6:76:08:fd:cd:ee:90:a9:a9:cf:99:30:71:46:
+                    57:ea:fb:c5:65:4f:7c:86:5c:9d:d7:b4:c3:27:3c:
+                    eb:27:dd:bc:55:76:1f:25:0d:cb:6f:43:9a:9f:ba:
+                    de:54:c1:90:03:9e:e5:0d:d9:cd:84:d4:58:74:63:
+                    be:59
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                A0:FA:B5:24:42:70:DF:E1:BB:E6:10:62:BE:FE:F5:81:13:2F:31:9B
+            X509v3 Authority Key Identifier: 
+                B5:91:6E:4F:64:B7:16:84:76:F9:B4:BE:99:CE:60:95:98:1A:8E:9D
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Client, S/MIME
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication, E-mail Protection
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:18888/intermediate1_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:18888/
+            X509v3 Subject Alternative Name: 
+                email:System@user.net
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        ad:00:40:7a:34:ad:07:e9:ed:fa:8f:1f:48:08:79:81:a8:3c:
+        90:da:05:95:74:05:51:9c:17:a8:5c:03:09:c8:f8:2c:09:64:
+        e2:7c:fc:69:e1:c0:5d:8a:d9:f0:f3:e4:cd:2c:5e:43:77:71:
+        f8:58:20:88:8f:63:e1:b4:86:db:7a:54:df:ce:be:01:e2:55:
+        a2:70:a8:89:64:cf:2a:13:78:91:de:83:ed:d6:74:24:00:ca:
+        3d:67:4a:cd:e3:82:b9:56:a3:3a:b4:80:b2:ac:61:e9:75:6c:
+        30:1c:81:96:2f:f0:99:b2:7b:73:b5:45:b0:3c:20:ed:54:b3:
+        87:37:9f:5e:07:c4:8a:72:94:53:4e:a2:a0:83:bc:fb:61:59:
+        ff:8c:91:1c:db:ad:7a:e0:12:e3:a3:b1:91:97:d4:c7:ed:02:
+        6e:7e:01:d8:d6:d5:6d:81:a2:32:ca:8c:6d:32:91:40:97:e5:
+        a1:ad:22:7d:af:ab:ce:68:0b:69:52:53:8a:80:dd:f3:9f:a8:
+        1f:34:a7:1f:37:58:cb:6c:da:54:cf:cc:0b:67:95:e9:6e:30:
+        a4:ce:12:c4:5a:e0:d4:92:fb:0b:67:a8:51:ad:dc:4a:d0:ad:
+        fb:92:77:85:a5:9d:84:ff:99:50:ca:15:4f:d4:30:c8:85:ca:
+        95:a0:88:62
+-----BEGIN CERTIFICATE-----
+MIIEXTCCA0WgAwIBAgIUfENlx88n44OuL2CsA+XytiKIvKIwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJbnRlcm1lZGlhdGUgQ0EgMTAe
+Fw0yMzA1MDExOTM3MzZaFw0zMzA0MjgxOTM3MzZaME8xCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJXQTEPMA0GA1UEBwwGVGFjb21hMREwDwYDVQQKDAhUZXN0bmF0czEP
+MA0GA1UEAwwGU3lzdGVtMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+oyEvdDTBG0GQtk5BcuA/nkmUVewCTN0UgLg9xsdHu6VZwzWGiRcIzv5x5i+cwdvS
+fhQk2mEwOuduseMhOIG8R9+yfx9gvj3F7XYDlOPEsz6/+EO6wlS8u2ZZmKP5quMQ
+6MOI3BoYb92Q62+jS9SvNFxDINVb55ilfHupFYa7KL+64Lv3HAjEJuvBrAUfdE8F
+EVfgEncXnondpTjuz89nvgxeakp0YSF5jsMo8eIGAC3qOm3ipiX9LYv1gjaRiiHw
+apMZ1nYI/c3ukKmpz5kwcUZX6vvFZU98hlyd17TDJzzrJ928VXYfJQ3Lb0Oan7re
+VMGQA57lDdnNhNRYdGO+WQIDAQABo4IBJDCCASAwHQYDVR0OBBYEFKD6tSRCcN/h
+u+YQYr7+9YETLzGbMB8GA1UdIwQYMBaAFLWRbk9ktxaEdvm0vpnOYJWYGo6dMAwG
+A1UdEwEB/wQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMA4GA1UdDwEB/wQEAwIF4DAd
+BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwPQYDVR0fBDYwNDAyoDCgLoYs
+aHR0cDovLzEyNy4wLjAuMToxODg4OC9pbnRlcm1lZGlhdGUxX2NybC5kZXIwMwYI
+KwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8vMTI3LjAuMC4xOjE4ODg4
+LzAaBgNVHREEEzARgQ9TeXN0ZW1AdXNlci5uZXQwDQYJKoZIhvcNAQELBQADggEB
+AK0AQHo0rQfp7fqPH0gIeYGoPJDaBZV0BVGcF6hcAwnI+CwJZOJ8/GnhwF2K2fDz
+5M0sXkN3cfhYIIiPY+G0htt6VN/OvgHiVaJwqIlkzyoTeJHeg+3WdCQAyj1nSs3j
+grlWozq0gLKsYel1bDAcgZYv8Jmye3O1RbA8IO1Us4c3n14HxIpylFNOoqCDvPth
+Wf+MkRzbrXrgEuOjsZGX1MftAm5+AdjW1W2BojLKjG0ykUCX5aGtIn2vq85oC2lS
+U4qA3fOfqB80px83WMts2lTPzAtnleluMKTOEsRa4NSS+wtnqFGt3ErQrfuSd4Wl
+nYT/mVDKFU/UMMiFypWgiGI=
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem b/test/configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem
new file mode 100644
index 000000000..a27daa1f0
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem
@@ -0,0 +1,186 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            5c:a1:af:d5:7c:bb:16:ef:c2:c7:e6:53:fc:94:1a:ed:24:bb:b4:17
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 1
+        Validity
+            Not Before: May  1 19:37:36 2023 GMT
+            Not After : Apr 28 19:37:36 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=UserA1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:b4:eb:22:e2:c4:ba:7f:33:aa:57:ab:13:f1:69:
+                    09:98:28:3c:7d:a7:e2:41:2a:28:2f:f9:85:a1:6c:
+                    94:ee:0a:eb:4d:01:4c:28:7c:9d:05:4d:d8:10:7f:
+                    b7:cf:13:c2:a6:de:11:0c:97:38:97:cd:6d:11:fd:
+                    16:76:c0:eb:5a:b7:7b:17:13:45:9d:4b:00:4f:26:
+                    c5:b1:9b:67:93:2c:d6:d5:33:37:e1:50:1d:7b:0d:
+                    be:8c:cb:bd:29:99:8f:54:f6:7e:04:84:82:2a:28:
+                    ee:71:3e:8d:5f:72:b2:6a:77:6b:47:3e:ba:4d:b3:
+                    e2:96:14:71:0a:1e:26:16:8f:6c:1b:07:2a:ac:15:
+                    89:1e:88:63:c3:81:3b:91:e9:f3:43:1b:f0:ec:08:
+                    24:96:46:27:21:2a:56:25:2c:b6:cc:d9:02:70:77:
+                    9d:e4:7c:44:8c:93:04:85:a3:09:0a:8e:f5:e7:21:
+                    fa:bd:56:28:b7:52:20:09:ec:9a:c4:d4:d7:8a:19:
+                    4e:7a:10:e9:b2:10:36:68:ce:ce:78:8b:79:3f:6f:
+                    70:3b:75:6d:70:59:3a:c9:85:a8:f8:23:d4:ab:44:
+                    c2:ae:f5:1c:6e:38:11:e1:5f:cc:8f:e2:43:f5:b3:
+                    0e:09:17:b3:c6:ee:47:fb:39:c4:58:62:ba:e3:a8:
+                    c5:ef
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                70:55:CA:CA:A5:8F:4D:73:39:47:E2:97:A3:1F:F6:3E:33:C9:7A:BF
+            X509v3 Authority Key Identifier: 
+                B5:91:6E:4F:64:B7:16:84:76:F9:B4:BE:99:CE:60:95:98:1A:8E:9D
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Client, S/MIME
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication, E-mail Protection
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:18888/intermediate1_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:18888/
+            X509v3 Subject Alternative Name: 
+                email:UserA1@user.net
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        99:81:61:3a:f1:c2:de:05:ad:ab:f3:fd:e0:d5:97:5b:fe:b2:
+        fa:e2:5f:ab:41:9d:71:1d:10:54:0b:bc:b5:c9:8d:26:91:a9:
+        45:71:51:14:61:a7:3c:ef:1d:f7:db:71:2f:1f:c1:d7:80:96:
+        03:5d:0d:69:81:fa:be:ca:f7:56:70:7b:89:ca:8f:b6:16:ee:
+        4a:83:fc:70:2e:4b:0c:50:ba:c6:06:5e:58:bb:25:d6:19:40:
+        82:b4:18:57:16:5f:f2:98:3e:5d:9d:72:7a:8f:20:de:25:c2:
+        06:a7:46:b2:cc:4c:f9:da:a7:43:f5:a0:92:e4:e2:05:49:43:
+        9d:58:9f:20:5d:e2:88:77:f1:10:0c:f5:fc:a2:85:b6:41:0a:
+        1a:12:75:1e:47:3b:b3:4f:c9:45:71:99:b6:14:e9:6b:7d:7a:
+        98:ee:82:dd:59:f6:af:fa:a5:d1:1c:24:db:66:e7:82:bb:53:
+        70:4f:27:96:dc:19:c0:9e:2d:df:da:00:2f:c3:22:9e:71:9c:
+        b3:89:da:0a:79:c3:f6:e3:9b:ca:b7:db:b6:5c:8f:e9:29:cb:
+        d0:9c:e3:0e:0f:7c:2c:b5:b0:36:a9:13:38:d2:8e:6f:6a:6c:
+        0a:7f:3f:dd:af:b1:e2:ea:c6:de:1d:b0:97:c9:36:1d:85:81:
+        aa:42:9f:53
+-----BEGIN CERTIFICATE-----
+MIIEXTCCA0WgAwIBAgIUXKGv1Xy7Fu/Cx+ZT/JQa7SS7tBcwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJbnRlcm1lZGlhdGUgQ0EgMTAe
+Fw0yMzA1MDExOTM3MzZaFw0zMzA0MjgxOTM3MzZaME8xCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJXQTEPMA0GA1UEBwwGVGFjb21hMREwDwYDVQQKDAhUZXN0bmF0czEP
+MA0GA1UEAwwGVXNlckExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+tOsi4sS6fzOqV6sT8WkJmCg8fafiQSooL/mFoWyU7grrTQFMKHydBU3YEH+3zxPC
+pt4RDJc4l81tEf0WdsDrWrd7FxNFnUsATybFsZtnkyzW1TM34VAdew2+jMu9KZmP
+VPZ+BISCKijucT6NX3KyandrRz66TbPilhRxCh4mFo9sGwcqrBWJHohjw4E7kenz
+Qxvw7AgklkYnISpWJSy2zNkCcHed5HxEjJMEhaMJCo715yH6vVYot1IgCeyaxNTX
+ihlOehDpshA2aM7OeIt5P29wO3VtcFk6yYWo+CPUq0TCrvUcbjgR4V/Mj+JD9bMO
+CRezxu5H+znEWGK646jF7wIDAQABo4IBJDCCASAwHQYDVR0OBBYEFHBVysqlj01z
+OUfil6Mf9j4zyXq/MB8GA1UdIwQYMBaAFLWRbk9ktxaEdvm0vpnOYJWYGo6dMAwG
+A1UdEwEB/wQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMA4GA1UdDwEB/wQEAwIF4DAd
+BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwPQYDVR0fBDYwNDAyoDCgLoYs
+aHR0cDovLzEyNy4wLjAuMToxODg4OC9pbnRlcm1lZGlhdGUxX2NybC5kZXIwMwYI
+KwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8vMTI3LjAuMC4xOjE4ODg4
+LzAaBgNVHREEEzARgQ9Vc2VyQTFAdXNlci5uZXQwDQYJKoZIhvcNAQELBQADggEB
+AJmBYTrxwt4Fravz/eDVl1v+svriX6tBnXEdEFQLvLXJjSaRqUVxURRhpzzvHffb
+cS8fwdeAlgNdDWmB+r7K91Zwe4nKj7YW7kqD/HAuSwxQusYGXli7JdYZQIK0GFcW
+X/KYPl2dcnqPIN4lwganRrLMTPnap0P1oJLk4gVJQ51YnyBd4oh38RAM9fyihbZB
+ChoSdR5HO7NPyUVxmbYU6Wt9epjugt1Z9q/6pdEcJNtm54K7U3BPJ5bcGcCeLd/a
+AC/DIp5xnLOJ2gp5w/bjm8q327Zcj+kpy9Cc4w4PfCy1sDapEzjSjm9qbAp/P92v
+seLqxt4dsJfJNh2FgapCn1M=
+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            55:57:db:45:43:06:ce:52:63:59:b9:5a:26:78:fd:0d:94:68:95:9c
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 19:01:15 2023 GMT
+            Not After : Apr 28 19:01:15 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:bc:c6:84:2d:c2:ab:5d:05:d7:65:a8:e2:15:74:
+                    d8:f2:f1:55:11:45:93:96:4c:a5:dc:cb:44:f5:f4:
+                    14:7e:46:02:59:e8:ae:78:59:69:21:58:f7:16:38:
+                    b9:c2:c2:60:d8:76:ab:a1:39:ba:0b:a3:03:17:e4:
+                    a1:cb:5d:1a:0c:62:71:24:64:b0:00:f0:6f:4c:af:
+                    08:62:8c:dc:4f:e0:d7:d4:55:2c:db:36:fc:a9:aa:
+                    d7:58:27:e4:99:cb:dc:29:d9:ea:35:16:cb:2e:be:
+                    04:b2:82:58:f4:e5:5c:07:db:12:8e:e3:3c:9a:5e:
+                    90:4b:c5:a3:d4:21:96:5f:e1:8f:f7:cb:9e:db:e0:
+                    10:a0:6c:a2:1e:30:17:6c:32:9f:7b:43:a4:9f:d3:
+                    6b:33:1b:18:cd:a4:ad:33:48:a3:98:b0:2b:c8:22:
+                    74:17:71:d8:f1:64:21:55:e1:33:bc:7f:74:5f:a5:
+                    a6:a2:9b:58:2f:db:ed:c7:c1:e5:36:2e:86:26:ad:
+                    c6:fe:b8:00:85:6e:7c:ed:fd:4a:c6:a0:d9:b2:3f:
+                    4e:bd:fa:08:52:c8:5d:31:13:86:bd:3f:ec:7a:d8:
+                    3a:15:e2:71:af:ec:00:88:7e:a6:e8:e1:9d:ab:57:
+                    5a:8a:1f:f8:e2:4d:29:58:53:79:25:f0:9e:d9:18:
+                    40:27
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                B5:91:6E:4F:64:B7:16:84:76:F9:B4:BE:99:CE:60:95:98:1A:8E:9D
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:8888/
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        b1:48:16:3b:d7:91:d0:4d:54:09:cb:ab:c7:41:4f:35:12:8b:
+        a6:e8:84:11:49:a9:04:91:41:25:7c:02:38:b2:19:a0:e9:2e:
+        d5:d6:7a:26:c1:1a:f8:f1:c6:51:92:68:af:c8:6e:5b:df:28:
+        40:b8:99:94:d5:43:7d:e3:68:75:94:26:56:11:21:9e:50:b3:
+        36:7b:f8:5f:33:76:64:71:04:26:2b:bb:2c:83:33:89:ba:74:
+        c1:e9:9d:eb:c0:86:4b:4d:6f:f8:4d:55:5a:3d:f6:55:95:33:
+        0f:b8:f0:53:2b:93:a6:da:8d:5c:1a:e8:30:22:55:67:44:6e:
+        17:c4:57:05:0d:ce:fc:61:dd:b1:3c:b0:66:55:f4:42:d0:ce:
+        94:7d:6a:82:bd:32:ed:2f:21:ff:c7:70:ff:48:9d:10:4a:71:
+        be:a8:37:e5:0f:f4:79:1e:7d:a2:f1:6a:6b:2c:e8:03:20:ce:
+        80:94:d2:38:80:bc:7e:56:c5:77:62:94:c0:b7:40:11:4d:ba:
+        98:4b:2e:52:03:66:68:36:ab:d1:0f:3e:b5:92:a3:95:9d:a4:
+        ea:d3:8a:14:41:6d:86:24:89:aa:d7:29:20:c8:52:d5:bf:8d:
+        3b:09:52:dd:89:8c:2c:85:40:b5:9f:cc:47:63:ca:3a:e0:c9:
+        91:5c:43:a9
+-----BEGIN CERTIFICATE-----
+MIIECTCCAvGgAwIBAgIUVVfbRUMGzlJjWblaJnj9DZRolZwwDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE5
+MDExNVoXDTMzMDQyODE5MDExNVowWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJ
+bnRlcm1lZGlhdGUgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALzGhC3Cq10F12Wo4hV02PLxVRFFk5ZMpdzLRPX0FH5GAlnornhZaSFY9xY4ucLC
+YNh2q6E5ugujAxfkoctdGgxicSRksADwb0yvCGKM3E/g19RVLNs2/Kmq11gn5JnL
+3CnZ6jUWyy6+BLKCWPTlXAfbEo7jPJpekEvFo9Qhll/hj/fLntvgEKBsoh4wF2wy
+n3tDpJ/TazMbGM2krTNIo5iwK8gidBdx2PFkIVXhM7x/dF+lpqKbWC/b7cfB5TYu
+hiatxv64AIVufO39Ssag2bI/Tr36CFLIXTEThr0/7HrYOhXica/sAIh+pujhnatX
+Woof+OJNKVhTeSXwntkYQCcCAwEAAaOB0DCBzTAdBgNVHQ4EFgQUtZFuT2S3FoR2
++bS+mc5glZgajp0wHwYDVR0jBBgwFoAUwxJCuqnYTeDDPrrXR0GmCS9ttOEwEgYD
+VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwMwYDVR0fBCwwKjAooCag
+JIYiaHR0cDovLzEyNy4wLjAuMTo4ODg4L3Jvb3RfY3JsLmRlcjAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6ODg4OC8wDQYJKoZI
+hvcNAQELBQADggEBALFIFjvXkdBNVAnLq8dBTzUSi6bohBFJqQSRQSV8AjiyGaDp
+LtXWeibBGvjxxlGSaK/IblvfKEC4mZTVQ33jaHWUJlYRIZ5QszZ7+F8zdmRxBCYr
+uyyDM4m6dMHpnevAhktNb/hNVVo99lWVMw+48FMrk6bajVwa6DAiVWdEbhfEVwUN
+zvxh3bE8sGZV9ELQzpR9aoK9Mu0vIf/HcP9InRBKcb6oN+UP9HkefaLxamss6AMg
+zoCU0jiAvH5WxXdilMC3QBFNuphLLlIDZmg2q9EPPrWSo5WdpOrTihRBbYYkiarX
+KSDIUtW/jTsJUt2JjCyFQLWfzEdjyjrgyZFcQ6k=
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/client1/UserA1_cert.pem b/test/configs/certs/ocsp_peer/mini-ca/client1/UserA1_cert.pem
new file mode 100644
index 000000000..a2c5078bc
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/client1/UserA1_cert.pem
@@ -0,0 +1,97 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            5c:a1:af:d5:7c:bb:16:ef:c2:c7:e6:53:fc:94:1a:ed:24:bb:b4:17
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 1
+        Validity
+            Not Before: May  1 19:37:36 2023 GMT
+            Not After : Apr 28 19:37:36 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=UserA1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:b4:eb:22:e2:c4:ba:7f:33:aa:57:ab:13:f1:69:
+                    09:98:28:3c:7d:a7:e2:41:2a:28:2f:f9:85:a1:6c:
+                    94:ee:0a:eb:4d:01:4c:28:7c:9d:05:4d:d8:10:7f:
+                    b7:cf:13:c2:a6:de:11:0c:97:38:97:cd:6d:11:fd:
+                    16:76:c0:eb:5a:b7:7b:17:13:45:9d:4b:00:4f:26:
+                    c5:b1:9b:67:93:2c:d6:d5:33:37:e1:50:1d:7b:0d:
+                    be:8c:cb:bd:29:99:8f:54:f6:7e:04:84:82:2a:28:
+                    ee:71:3e:8d:5f:72:b2:6a:77:6b:47:3e:ba:4d:b3:
+                    e2:96:14:71:0a:1e:26:16:8f:6c:1b:07:2a:ac:15:
+                    89:1e:88:63:c3:81:3b:91:e9:f3:43:1b:f0:ec:08:
+                    24:96:46:27:21:2a:56:25:2c:b6:cc:d9:02:70:77:
+                    9d:e4:7c:44:8c:93:04:85:a3:09:0a:8e:f5:e7:21:
+                    fa:bd:56:28:b7:52:20:09:ec:9a:c4:d4:d7:8a:19:
+                    4e:7a:10:e9:b2:10:36:68:ce:ce:78:8b:79:3f:6f:
+                    70:3b:75:6d:70:59:3a:c9:85:a8:f8:23:d4:ab:44:
+                    c2:ae:f5:1c:6e:38:11:e1:5f:cc:8f:e2:43:f5:b3:
+                    0e:09:17:b3:c6:ee:47:fb:39:c4:58:62:ba:e3:a8:
+                    c5:ef
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                70:55:CA:CA:A5:8F:4D:73:39:47:E2:97:A3:1F:F6:3E:33:C9:7A:BF
+            X509v3 Authority Key Identifier: 
+                B5:91:6E:4F:64:B7:16:84:76:F9:B4:BE:99:CE:60:95:98:1A:8E:9D
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Client, S/MIME
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication, E-mail Protection
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:18888/intermediate1_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:18888/
+            X509v3 Subject Alternative Name: 
+                email:UserA1@user.net
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        99:81:61:3a:f1:c2:de:05:ad:ab:f3:fd:e0:d5:97:5b:fe:b2:
+        fa:e2:5f:ab:41:9d:71:1d:10:54:0b:bc:b5:c9:8d:26:91:a9:
+        45:71:51:14:61:a7:3c:ef:1d:f7:db:71:2f:1f:c1:d7:80:96:
+        03:5d:0d:69:81:fa:be:ca:f7:56:70:7b:89:ca:8f:b6:16:ee:
+        4a:83:fc:70:2e:4b:0c:50:ba:c6:06:5e:58:bb:25:d6:19:40:
+        82:b4:18:57:16:5f:f2:98:3e:5d:9d:72:7a:8f:20:de:25:c2:
+        06:a7:46:b2:cc:4c:f9:da:a7:43:f5:a0:92:e4:e2:05:49:43:
+        9d:58:9f:20:5d:e2:88:77:f1:10:0c:f5:fc:a2:85:b6:41:0a:
+        1a:12:75:1e:47:3b:b3:4f:c9:45:71:99:b6:14:e9:6b:7d:7a:
+        98:ee:82:dd:59:f6:af:fa:a5:d1:1c:24:db:66:e7:82:bb:53:
+        70:4f:27:96:dc:19:c0:9e:2d:df:da:00:2f:c3:22:9e:71:9c:
+        b3:89:da:0a:79:c3:f6:e3:9b:ca:b7:db:b6:5c:8f:e9:29:cb:
+        d0:9c:e3:0e:0f:7c:2c:b5:b0:36:a9:13:38:d2:8e:6f:6a:6c:
+        0a:7f:3f:dd:af:b1:e2:ea:c6:de:1d:b0:97:c9:36:1d:85:81:
+        aa:42:9f:53
+-----BEGIN CERTIFICATE-----
+MIIEXTCCA0WgAwIBAgIUXKGv1Xy7Fu/Cx+ZT/JQa7SS7tBcwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJbnRlcm1lZGlhdGUgQ0EgMTAe
+Fw0yMzA1MDExOTM3MzZaFw0zMzA0MjgxOTM3MzZaME8xCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJXQTEPMA0GA1UEBwwGVGFjb21hMREwDwYDVQQKDAhUZXN0bmF0czEP
+MA0GA1UEAwwGVXNlckExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+tOsi4sS6fzOqV6sT8WkJmCg8fafiQSooL/mFoWyU7grrTQFMKHydBU3YEH+3zxPC
+pt4RDJc4l81tEf0WdsDrWrd7FxNFnUsATybFsZtnkyzW1TM34VAdew2+jMu9KZmP
+VPZ+BISCKijucT6NX3KyandrRz66TbPilhRxCh4mFo9sGwcqrBWJHohjw4E7kenz
+Qxvw7AgklkYnISpWJSy2zNkCcHed5HxEjJMEhaMJCo715yH6vVYot1IgCeyaxNTX
+ihlOehDpshA2aM7OeIt5P29wO3VtcFk6yYWo+CPUq0TCrvUcbjgR4V/Mj+JD9bMO
+CRezxu5H+znEWGK646jF7wIDAQABo4IBJDCCASAwHQYDVR0OBBYEFHBVysqlj01z
+OUfil6Mf9j4zyXq/MB8GA1UdIwQYMBaAFLWRbk9ktxaEdvm0vpnOYJWYGo6dMAwG
+A1UdEwEB/wQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMA4GA1UdDwEB/wQEAwIF4DAd
+BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwPQYDVR0fBDYwNDAyoDCgLoYs
+aHR0cDovLzEyNy4wLjAuMToxODg4OC9pbnRlcm1lZGlhdGUxX2NybC5kZXIwMwYI
+KwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8vMTI3LjAuMC4xOjE4ODg4
+LzAaBgNVHREEEzARgQ9Vc2VyQTFAdXNlci5uZXQwDQYJKoZIhvcNAQELBQADggEB
+AJmBYTrxwt4Fravz/eDVl1v+svriX6tBnXEdEFQLvLXJjSaRqUVxURRhpzzvHffb
+cS8fwdeAlgNdDWmB+r7K91Zwe4nKj7YW7kqD/HAuSwxQusYGXli7JdYZQIK0GFcW
+X/KYPl2dcnqPIN4lwganRrLMTPnap0P1oJLk4gVJQ51YnyBd4oh38RAM9fyihbZB
+ChoSdR5HO7NPyUVxmbYU6Wt9epjugt1Z9q/6pdEcJNtm54K7U3BPJ5bcGcCeLd/a
+AC/DIp5xnLOJ2gp5w/bjm8q327Zcj+kpy9Cc4w4PfCy1sDapEzjSjm9qbAp/P92v
+seLqxt4dsJfJNh2FgapCn1M=
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/client1/UserA2_bundle.pem b/test/configs/certs/ocsp_peer/mini-ca/client1/UserA2_bundle.pem
new file mode 100644
index 000000000..a181550a0
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/client1/UserA2_bundle.pem
@@ -0,0 +1,186 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            7a:3d:fa:5b:9b:df:69:55:6e:9c:53:4c:fc:86:75:65:bc:78:4c:24
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 1
+        Validity
+            Not Before: May  1 19:37:36 2023 GMT
+            Not After : Apr 28 19:37:36 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=UserA2
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:a6:7c:40:80:2b:44:00:33:11:c6:c2:9d:67:3e:
+                    87:8e:7e:40:d3:f5:d3:27:b6:7d:18:3c:c0:86:ac:
+                    96:3a:ad:d8:c3:cb:ab:72:5e:4c:b7:24:45:da:c7:
+                    a8:cc:74:b8:21:75:62:9e:81:88:96:54:6e:db:f9:
+                    8c:2f:4c:97:0d:ce:21:42:2f:92:57:7f:34:2b:02:
+                    43:4c:22:ae:14:ca:fc:b2:2c:d0:67:0e:52:e0:6d:
+                    61:96:a6:3b:cc:4f:6a:d6:ef:45:9c:74:92:25:6c:
+                    0a:10:62:1b:22:2b:11:6b:d1:52:4d:da:8d:c3:4a:
+                    e6:74:a7:1b:1e:ef:8a:f4:96:88:02:0d:b7:57:35:
+                    9f:a3:ff:a2:2c:b7:0e:27:4e:79:2f:cf:0c:f1:91:
+                    0e:bf:01:d7:a2:71:2c:b7:0e:4b:7e:50:91:89:71:
+                    c2:17:aa:cb:29:80:9e:d7:2b:fa:33:41:e8:82:d1:
+                    3a:97:3d:6c:de:66:9b:b4:ea:1a:eb:94:be:6e:c0:
+                    66:e8:77:3d:72:d5:5c:a5:e8:ab:3b:33:f4:b3:c2:
+                    26:49:bc:08:55:cf:16:b6:12:22:91:fe:c1:5a:b2:
+                    d7:77:e3:f4:47:bc:c4:77:6b:f5:7f:c3:e8:48:99:
+                    b9:a8:ea:b1:ae:e6:cc:3a:12:fa:4d:2f:5f:0f:a8:
+                    fd:8d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                B8:8E:4F:76:F1:F8:3C:A5:23:C5:8F:A1:2E:64:3E:48:53:02:CD:6B
+            X509v3 Authority Key Identifier: 
+                B5:91:6E:4F:64:B7:16:84:76:F9:B4:BE:99:CE:60:95:98:1A:8E:9D
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Client, S/MIME
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication, E-mail Protection
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:18888/intermediate1_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:18888/
+            X509v3 Subject Alternative Name: 
+                email:UserA2@user.net
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        7c:1b:ae:98:16:42:f3:b2:a6:66:e9:a4:4f:61:04:a8:23:d5:
+        55:ea:d4:68:b5:98:fd:66:ff:10:dc:54:b7:01:78:4f:fc:e1:
+        75:e8:09:6d:ad:ac:57:b0:33:41:26:3d:ac:b0:17:46:c4:6f:
+        5b:c7:fa:ad:d2:94:13:ef:5e:bb:f5:ad:2d:39:85:d3:af:ff:
+        56:8e:f6:d1:20:12:03:86:cd:e8:ad:38:49:30:fb:98:de:3a:
+        5f:61:5a:08:37:a9:c3:10:ed:a3:60:3c:46:68:30:d8:4a:ac:
+        5d:eb:fd:d9:5d:90:b1:f0:b8:a8:68:5e:c8:41:6f:de:eb:a1:
+        cc:33:98:2d:06:17:26:c4:24:bf:62:82:a9:13:04:71:3e:6e:
+        ca:20:cf:5c:c5:47:67:f5:db:2e:56:60:4c:52:0c:4e:59:16:
+        da:6a:e3:b2:e4:cb:d6:65:26:df:26:2e:e0:f4:11:b1:36:92:
+        7c:ab:c3:c3:97:a5:06:26:54:5c:c1:35:a1:2f:e5:0f:2f:91:
+        2d:cd:c5:dd:a7:f2:4c:e1:4d:0d:5c:bd:25:4f:c8:52:79:c2:
+        29:78:ef:88:10:43:a4:c4:df:97:48:22:09:db:48:19:85:01:
+        48:39:28:20:69:1d:31:b5:4f:97:e0:ea:38:6d:e0:98:4b:78:
+        a4:b7:fd:c2
+-----BEGIN CERTIFICATE-----
+MIIEXTCCA0WgAwIBAgIUej36W5vfaVVunFNM/IZ1Zbx4TCQwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJbnRlcm1lZGlhdGUgQ0EgMTAe
+Fw0yMzA1MDExOTM3MzZaFw0zMzA0MjgxOTM3MzZaME8xCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJXQTEPMA0GA1UEBwwGVGFjb21hMREwDwYDVQQKDAhUZXN0bmF0czEP
+MA0GA1UEAwwGVXNlckEyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+pnxAgCtEADMRxsKdZz6Hjn5A0/XTJ7Z9GDzAhqyWOq3Yw8urcl5MtyRF2seozHS4
+IXVinoGIllRu2/mML0yXDc4hQi+SV380KwJDTCKuFMr8sizQZw5S4G1hlqY7zE9q
+1u9FnHSSJWwKEGIbIisRa9FSTdqNw0rmdKcbHu+K9JaIAg23VzWfo/+iLLcOJ055
+L88M8ZEOvwHXonEstw5LflCRiXHCF6rLKYCe1yv6M0HogtE6lz1s3mabtOoa65S+
+bsBm6Hc9ctVcpeirOzP0s8ImSbwIVc8WthIikf7BWrLXd+P0R7zEd2v1f8PoSJm5
+qOqxrubMOhL6TS9fD6j9jQIDAQABo4IBJDCCASAwHQYDVR0OBBYEFLiOT3bx+Dyl
+I8WPoS5kPkhTAs1rMB8GA1UdIwQYMBaAFLWRbk9ktxaEdvm0vpnOYJWYGo6dMAwG
+A1UdEwEB/wQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMA4GA1UdDwEB/wQEAwIF4DAd
+BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwPQYDVR0fBDYwNDAyoDCgLoYs
+aHR0cDovLzEyNy4wLjAuMToxODg4OC9pbnRlcm1lZGlhdGUxX2NybC5kZXIwMwYI
+KwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8vMTI3LjAuMC4xOjE4ODg4
+LzAaBgNVHREEEzARgQ9Vc2VyQTJAdXNlci5uZXQwDQYJKoZIhvcNAQELBQADggEB
+AHwbrpgWQvOypmbppE9hBKgj1VXq1Gi1mP1m/xDcVLcBeE/84XXoCW2trFewM0Em
+PaywF0bEb1vH+q3SlBPvXrv1rS05hdOv/1aO9tEgEgOGzeitOEkw+5jeOl9hWgg3
+qcMQ7aNgPEZoMNhKrF3r/dldkLHwuKhoXshBb97rocwzmC0GFybEJL9igqkTBHE+
+bsogz1zFR2f12y5WYExSDE5ZFtpq47Lky9ZlJt8mLuD0EbE2knyrw8OXpQYmVFzB
+NaEv5Q8vkS3Nxd2n8kzhTQ1cvSVPyFJ5wil474gQQ6TE35dIIgnbSBmFAUg5KCBp
+HTG1T5fg6jht4JhLeKS3/cI=
+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            55:57:db:45:43:06:ce:52:63:59:b9:5a:26:78:fd:0d:94:68:95:9c
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 19:01:15 2023 GMT
+            Not After : Apr 28 19:01:15 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:bc:c6:84:2d:c2:ab:5d:05:d7:65:a8:e2:15:74:
+                    d8:f2:f1:55:11:45:93:96:4c:a5:dc:cb:44:f5:f4:
+                    14:7e:46:02:59:e8:ae:78:59:69:21:58:f7:16:38:
+                    b9:c2:c2:60:d8:76:ab:a1:39:ba:0b:a3:03:17:e4:
+                    a1:cb:5d:1a:0c:62:71:24:64:b0:00:f0:6f:4c:af:
+                    08:62:8c:dc:4f:e0:d7:d4:55:2c:db:36:fc:a9:aa:
+                    d7:58:27:e4:99:cb:dc:29:d9:ea:35:16:cb:2e:be:
+                    04:b2:82:58:f4:e5:5c:07:db:12:8e:e3:3c:9a:5e:
+                    90:4b:c5:a3:d4:21:96:5f:e1:8f:f7:cb:9e:db:e0:
+                    10:a0:6c:a2:1e:30:17:6c:32:9f:7b:43:a4:9f:d3:
+                    6b:33:1b:18:cd:a4:ad:33:48:a3:98:b0:2b:c8:22:
+                    74:17:71:d8:f1:64:21:55:e1:33:bc:7f:74:5f:a5:
+                    a6:a2:9b:58:2f:db:ed:c7:c1:e5:36:2e:86:26:ad:
+                    c6:fe:b8:00:85:6e:7c:ed:fd:4a:c6:a0:d9:b2:3f:
+                    4e:bd:fa:08:52:c8:5d:31:13:86:bd:3f:ec:7a:d8:
+                    3a:15:e2:71:af:ec:00:88:7e:a6:e8:e1:9d:ab:57:
+                    5a:8a:1f:f8:e2:4d:29:58:53:79:25:f0:9e:d9:18:
+                    40:27
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                B5:91:6E:4F:64:B7:16:84:76:F9:B4:BE:99:CE:60:95:98:1A:8E:9D
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:8888/
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        b1:48:16:3b:d7:91:d0:4d:54:09:cb:ab:c7:41:4f:35:12:8b:
+        a6:e8:84:11:49:a9:04:91:41:25:7c:02:38:b2:19:a0:e9:2e:
+        d5:d6:7a:26:c1:1a:f8:f1:c6:51:92:68:af:c8:6e:5b:df:28:
+        40:b8:99:94:d5:43:7d:e3:68:75:94:26:56:11:21:9e:50:b3:
+        36:7b:f8:5f:33:76:64:71:04:26:2b:bb:2c:83:33:89:ba:74:
+        c1:e9:9d:eb:c0:86:4b:4d:6f:f8:4d:55:5a:3d:f6:55:95:33:
+        0f:b8:f0:53:2b:93:a6:da:8d:5c:1a:e8:30:22:55:67:44:6e:
+        17:c4:57:05:0d:ce:fc:61:dd:b1:3c:b0:66:55:f4:42:d0:ce:
+        94:7d:6a:82:bd:32:ed:2f:21:ff:c7:70:ff:48:9d:10:4a:71:
+        be:a8:37:e5:0f:f4:79:1e:7d:a2:f1:6a:6b:2c:e8:03:20:ce:
+        80:94:d2:38:80:bc:7e:56:c5:77:62:94:c0:b7:40:11:4d:ba:
+        98:4b:2e:52:03:66:68:36:ab:d1:0f:3e:b5:92:a3:95:9d:a4:
+        ea:d3:8a:14:41:6d:86:24:89:aa:d7:29:20:c8:52:d5:bf:8d:
+        3b:09:52:dd:89:8c:2c:85:40:b5:9f:cc:47:63:ca:3a:e0:c9:
+        91:5c:43:a9
+-----BEGIN CERTIFICATE-----
+MIIECTCCAvGgAwIBAgIUVVfbRUMGzlJjWblaJnj9DZRolZwwDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE5
+MDExNVoXDTMzMDQyODE5MDExNVowWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJ
+bnRlcm1lZGlhdGUgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALzGhC3Cq10F12Wo4hV02PLxVRFFk5ZMpdzLRPX0FH5GAlnornhZaSFY9xY4ucLC
+YNh2q6E5ugujAxfkoctdGgxicSRksADwb0yvCGKM3E/g19RVLNs2/Kmq11gn5JnL
+3CnZ6jUWyy6+BLKCWPTlXAfbEo7jPJpekEvFo9Qhll/hj/fLntvgEKBsoh4wF2wy
+n3tDpJ/TazMbGM2krTNIo5iwK8gidBdx2PFkIVXhM7x/dF+lpqKbWC/b7cfB5TYu
+hiatxv64AIVufO39Ssag2bI/Tr36CFLIXTEThr0/7HrYOhXica/sAIh+pujhnatX
+Woof+OJNKVhTeSXwntkYQCcCAwEAAaOB0DCBzTAdBgNVHQ4EFgQUtZFuT2S3FoR2
++bS+mc5glZgajp0wHwYDVR0jBBgwFoAUwxJCuqnYTeDDPrrXR0GmCS9ttOEwEgYD
+VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwMwYDVR0fBCwwKjAooCag
+JIYiaHR0cDovLzEyNy4wLjAuMTo4ODg4L3Jvb3RfY3JsLmRlcjAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6ODg4OC8wDQYJKoZI
+hvcNAQELBQADggEBALFIFjvXkdBNVAnLq8dBTzUSi6bohBFJqQSRQSV8AjiyGaDp
+LtXWeibBGvjxxlGSaK/IblvfKEC4mZTVQ33jaHWUJlYRIZ5QszZ7+F8zdmRxBCYr
+uyyDM4m6dMHpnevAhktNb/hNVVo99lWVMw+48FMrk6bajVwa6DAiVWdEbhfEVwUN
+zvxh3bE8sGZV9ELQzpR9aoK9Mu0vIf/HcP9InRBKcb6oN+UP9HkefaLxamss6AMg
+zoCU0jiAvH5WxXdilMC3QBFNuphLLlIDZmg2q9EPPrWSo5WdpOrTihRBbYYkiarX
+KSDIUtW/jTsJUt2JjCyFQLWfzEdjyjrgyZFcQ6k=
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/client1/UserA2_cert.pem b/test/configs/certs/ocsp_peer/mini-ca/client1/UserA2_cert.pem
new file mode 100644
index 000000000..19b70a48c
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/client1/UserA2_cert.pem
@@ -0,0 +1,97 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            7a:3d:fa:5b:9b:df:69:55:6e:9c:53:4c:fc:86:75:65:bc:78:4c:24
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 1
+        Validity
+            Not Before: May  1 19:37:36 2023 GMT
+            Not After : Apr 28 19:37:36 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=UserA2
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:a6:7c:40:80:2b:44:00:33:11:c6:c2:9d:67:3e:
+                    87:8e:7e:40:d3:f5:d3:27:b6:7d:18:3c:c0:86:ac:
+                    96:3a:ad:d8:c3:cb:ab:72:5e:4c:b7:24:45:da:c7:
+                    a8:cc:74:b8:21:75:62:9e:81:88:96:54:6e:db:f9:
+                    8c:2f:4c:97:0d:ce:21:42:2f:92:57:7f:34:2b:02:
+                    43:4c:22:ae:14:ca:fc:b2:2c:d0:67:0e:52:e0:6d:
+                    61:96:a6:3b:cc:4f:6a:d6:ef:45:9c:74:92:25:6c:
+                    0a:10:62:1b:22:2b:11:6b:d1:52:4d:da:8d:c3:4a:
+                    e6:74:a7:1b:1e:ef:8a:f4:96:88:02:0d:b7:57:35:
+                    9f:a3:ff:a2:2c:b7:0e:27:4e:79:2f:cf:0c:f1:91:
+                    0e:bf:01:d7:a2:71:2c:b7:0e:4b:7e:50:91:89:71:
+                    c2:17:aa:cb:29:80:9e:d7:2b:fa:33:41:e8:82:d1:
+                    3a:97:3d:6c:de:66:9b:b4:ea:1a:eb:94:be:6e:c0:
+                    66:e8:77:3d:72:d5:5c:a5:e8:ab:3b:33:f4:b3:c2:
+                    26:49:bc:08:55:cf:16:b6:12:22:91:fe:c1:5a:b2:
+                    d7:77:e3:f4:47:bc:c4:77:6b:f5:7f:c3:e8:48:99:
+                    b9:a8:ea:b1:ae:e6:cc:3a:12:fa:4d:2f:5f:0f:a8:
+                    fd:8d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                B8:8E:4F:76:F1:F8:3C:A5:23:C5:8F:A1:2E:64:3E:48:53:02:CD:6B
+            X509v3 Authority Key Identifier: 
+                B5:91:6E:4F:64:B7:16:84:76:F9:B4:BE:99:CE:60:95:98:1A:8E:9D
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Client, S/MIME
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication, E-mail Protection
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:18888/intermediate1_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:18888/
+            X509v3 Subject Alternative Name: 
+                email:UserA2@user.net
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        7c:1b:ae:98:16:42:f3:b2:a6:66:e9:a4:4f:61:04:a8:23:d5:
+        55:ea:d4:68:b5:98:fd:66:ff:10:dc:54:b7:01:78:4f:fc:e1:
+        75:e8:09:6d:ad:ac:57:b0:33:41:26:3d:ac:b0:17:46:c4:6f:
+        5b:c7:fa:ad:d2:94:13:ef:5e:bb:f5:ad:2d:39:85:d3:af:ff:
+        56:8e:f6:d1:20:12:03:86:cd:e8:ad:38:49:30:fb:98:de:3a:
+        5f:61:5a:08:37:a9:c3:10:ed:a3:60:3c:46:68:30:d8:4a:ac:
+        5d:eb:fd:d9:5d:90:b1:f0:b8:a8:68:5e:c8:41:6f:de:eb:a1:
+        cc:33:98:2d:06:17:26:c4:24:bf:62:82:a9:13:04:71:3e:6e:
+        ca:20:cf:5c:c5:47:67:f5:db:2e:56:60:4c:52:0c:4e:59:16:
+        da:6a:e3:b2:e4:cb:d6:65:26:df:26:2e:e0:f4:11:b1:36:92:
+        7c:ab:c3:c3:97:a5:06:26:54:5c:c1:35:a1:2f:e5:0f:2f:91:
+        2d:cd:c5:dd:a7:f2:4c:e1:4d:0d:5c:bd:25:4f:c8:52:79:c2:
+        29:78:ef:88:10:43:a4:c4:df:97:48:22:09:db:48:19:85:01:
+        48:39:28:20:69:1d:31:b5:4f:97:e0:ea:38:6d:e0:98:4b:78:
+        a4:b7:fd:c2
+-----BEGIN CERTIFICATE-----
+MIIEXTCCA0WgAwIBAgIUej36W5vfaVVunFNM/IZ1Zbx4TCQwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJbnRlcm1lZGlhdGUgQ0EgMTAe
+Fw0yMzA1MDExOTM3MzZaFw0zMzA0MjgxOTM3MzZaME8xCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJXQTEPMA0GA1UEBwwGVGFjb21hMREwDwYDVQQKDAhUZXN0bmF0czEP
+MA0GA1UEAwwGVXNlckEyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+pnxAgCtEADMRxsKdZz6Hjn5A0/XTJ7Z9GDzAhqyWOq3Yw8urcl5MtyRF2seozHS4
+IXVinoGIllRu2/mML0yXDc4hQi+SV380KwJDTCKuFMr8sizQZw5S4G1hlqY7zE9q
+1u9FnHSSJWwKEGIbIisRa9FSTdqNw0rmdKcbHu+K9JaIAg23VzWfo/+iLLcOJ055
+L88M8ZEOvwHXonEstw5LflCRiXHCF6rLKYCe1yv6M0HogtE6lz1s3mabtOoa65S+
+bsBm6Hc9ctVcpeirOzP0s8ImSbwIVc8WthIikf7BWrLXd+P0R7zEd2v1f8PoSJm5
+qOqxrubMOhL6TS9fD6j9jQIDAQABo4IBJDCCASAwHQYDVR0OBBYEFLiOT3bx+Dyl
+I8WPoS5kPkhTAs1rMB8GA1UdIwQYMBaAFLWRbk9ktxaEdvm0vpnOYJWYGo6dMAwG
+A1UdEwEB/wQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMA4GA1UdDwEB/wQEAwIF4DAd
+BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwPQYDVR0fBDYwNDAyoDCgLoYs
+aHR0cDovLzEyNy4wLjAuMToxODg4OC9pbnRlcm1lZGlhdGUxX2NybC5kZXIwMwYI
+KwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8vMTI3LjAuMC4xOjE4ODg4
+LzAaBgNVHREEEzARgQ9Vc2VyQTJAdXNlci5uZXQwDQYJKoZIhvcNAQELBQADggEB
+AHwbrpgWQvOypmbppE9hBKgj1VXq1Gi1mP1m/xDcVLcBeE/84XXoCW2trFewM0Em
+PaywF0bEb1vH+q3SlBPvXrv1rS05hdOv/1aO9tEgEgOGzeitOEkw+5jeOl9hWgg3
+qcMQ7aNgPEZoMNhKrF3r/dldkLHwuKhoXshBb97rocwzmC0GFybEJL9igqkTBHE+
+bsogz1zFR2f12y5WYExSDE5ZFtpq47Lky9ZlJt8mLuD0EbE2knyrw8OXpQYmVFzB
+NaEv5Q8vkS3Nxd2n8kzhTQ1cvSVPyFJ5wil474gQQ6TE35dIIgnbSBmFAUg5KCBp
+HTG1T5fg6jht4JhLeKS3/cI=
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/client1/certfile.pem b/test/configs/certs/ocsp_peer/mini-ca/client1/certfile.pem
new file mode 100644
index 000000000..719d7516e
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/client1/certfile.pem
@@ -0,0 +1,175 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            55:57:db:45:43:06:ce:52:63:59:b9:5a:26:78:fd:0d:94:68:95:9c
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 19:01:15 2023 GMT
+            Not After : Apr 28 19:01:15 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:bc:c6:84:2d:c2:ab:5d:05:d7:65:a8:e2:15:74:
+                    d8:f2:f1:55:11:45:93:96:4c:a5:dc:cb:44:f5:f4:
+                    14:7e:46:02:59:e8:ae:78:59:69:21:58:f7:16:38:
+                    b9:c2:c2:60:d8:76:ab:a1:39:ba:0b:a3:03:17:e4:
+                    a1:cb:5d:1a:0c:62:71:24:64:b0:00:f0:6f:4c:af:
+                    08:62:8c:dc:4f:e0:d7:d4:55:2c:db:36:fc:a9:aa:
+                    d7:58:27:e4:99:cb:dc:29:d9:ea:35:16:cb:2e:be:
+                    04:b2:82:58:f4:e5:5c:07:db:12:8e:e3:3c:9a:5e:
+                    90:4b:c5:a3:d4:21:96:5f:e1:8f:f7:cb:9e:db:e0:
+                    10:a0:6c:a2:1e:30:17:6c:32:9f:7b:43:a4:9f:d3:
+                    6b:33:1b:18:cd:a4:ad:33:48:a3:98:b0:2b:c8:22:
+                    74:17:71:d8:f1:64:21:55:e1:33:bc:7f:74:5f:a5:
+                    a6:a2:9b:58:2f:db:ed:c7:c1:e5:36:2e:86:26:ad:
+                    c6:fe:b8:00:85:6e:7c:ed:fd:4a:c6:a0:d9:b2:3f:
+                    4e:bd:fa:08:52:c8:5d:31:13:86:bd:3f:ec:7a:d8:
+                    3a:15:e2:71:af:ec:00:88:7e:a6:e8:e1:9d:ab:57:
+                    5a:8a:1f:f8:e2:4d:29:58:53:79:25:f0:9e:d9:18:
+                    40:27
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                B5:91:6E:4F:64:B7:16:84:76:F9:B4:BE:99:CE:60:95:98:1A:8E:9D
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:8888/
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        b1:48:16:3b:d7:91:d0:4d:54:09:cb:ab:c7:41:4f:35:12:8b:
+        a6:e8:84:11:49:a9:04:91:41:25:7c:02:38:b2:19:a0:e9:2e:
+        d5:d6:7a:26:c1:1a:f8:f1:c6:51:92:68:af:c8:6e:5b:df:28:
+        40:b8:99:94:d5:43:7d:e3:68:75:94:26:56:11:21:9e:50:b3:
+        36:7b:f8:5f:33:76:64:71:04:26:2b:bb:2c:83:33:89:ba:74:
+        c1:e9:9d:eb:c0:86:4b:4d:6f:f8:4d:55:5a:3d:f6:55:95:33:
+        0f:b8:f0:53:2b:93:a6:da:8d:5c:1a:e8:30:22:55:67:44:6e:
+        17:c4:57:05:0d:ce:fc:61:dd:b1:3c:b0:66:55:f4:42:d0:ce:
+        94:7d:6a:82:bd:32:ed:2f:21:ff:c7:70:ff:48:9d:10:4a:71:
+        be:a8:37:e5:0f:f4:79:1e:7d:a2:f1:6a:6b:2c:e8:03:20:ce:
+        80:94:d2:38:80:bc:7e:56:c5:77:62:94:c0:b7:40:11:4d:ba:
+        98:4b:2e:52:03:66:68:36:ab:d1:0f:3e:b5:92:a3:95:9d:a4:
+        ea:d3:8a:14:41:6d:86:24:89:aa:d7:29:20:c8:52:d5:bf:8d:
+        3b:09:52:dd:89:8c:2c:85:40:b5:9f:cc:47:63:ca:3a:e0:c9:
+        91:5c:43:a9
+-----BEGIN CERTIFICATE-----
+MIIECTCCAvGgAwIBAgIUVVfbRUMGzlJjWblaJnj9DZRolZwwDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE5
+MDExNVoXDTMzMDQyODE5MDExNVowWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJ
+bnRlcm1lZGlhdGUgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALzGhC3Cq10F12Wo4hV02PLxVRFFk5ZMpdzLRPX0FH5GAlnornhZaSFY9xY4ucLC
+YNh2q6E5ugujAxfkoctdGgxicSRksADwb0yvCGKM3E/g19RVLNs2/Kmq11gn5JnL
+3CnZ6jUWyy6+BLKCWPTlXAfbEo7jPJpekEvFo9Qhll/hj/fLntvgEKBsoh4wF2wy
+n3tDpJ/TazMbGM2krTNIo5iwK8gidBdx2PFkIVXhM7x/dF+lpqKbWC/b7cfB5TYu
+hiatxv64AIVufO39Ssag2bI/Tr36CFLIXTEThr0/7HrYOhXica/sAIh+pujhnatX
+Woof+OJNKVhTeSXwntkYQCcCAwEAAaOB0DCBzTAdBgNVHQ4EFgQUtZFuT2S3FoR2
++bS+mc5glZgajp0wHwYDVR0jBBgwFoAUwxJCuqnYTeDDPrrXR0GmCS9ttOEwEgYD
+VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwMwYDVR0fBCwwKjAooCag
+JIYiaHR0cDovLzEyNy4wLjAuMTo4ODg4L3Jvb3RfY3JsLmRlcjAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6ODg4OC8wDQYJKoZI
+hvcNAQELBQADggEBALFIFjvXkdBNVAnLq8dBTzUSi6bohBFJqQSRQSV8AjiyGaDp
+LtXWeibBGvjxxlGSaK/IblvfKEC4mZTVQ33jaHWUJlYRIZ5QszZ7+F8zdmRxBCYr
+uyyDM4m6dMHpnevAhktNb/hNVVo99lWVMw+48FMrk6bajVwa6DAiVWdEbhfEVwUN
+zvxh3bE8sGZV9ELQzpR9aoK9Mu0vIf/HcP9InRBKcb6oN+UP9HkefaLxamss6AMg
+zoCU0jiAvH5WxXdilMC3QBFNuphLLlIDZmg2q9EPPrWSo5WdpOrTihRBbYYkiarX
+KSDIUtW/jTsJUt2JjCyFQLWfzEdjyjrgyZFcQ6k=
+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            27:5e:cf:7e:be:aa:02:b9:a9:c7:42:30:43:fe:0e:80:05:91:dd:0b
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 18:57:57 2023 GMT
+            Not After : Apr 28 18:57:57 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:e2:21:6b:9f:ef:48:b9:de:22:fb:5b:37:09:68:
+                    c7:b5:92:57:52:24:ef:85:00:e8:71:85:4d:0f:5b:
+                    8c:c6:e7:4f:19:f6:e3:0b:70:a3:41:7e:71:d4:0f:
+                    d6:fd:f2:1a:ca:aa:57:91:76:9a:b2:82:62:60:ce:
+                    f2:00:2e:d4:bc:58:d3:60:30:42:a6:28:b2:50:7b:
+                    58:01:9f:fb:0a:65:b0:40:d6:7c:e2:b7:da:8d:19:
+                    d9:a5:51:d2:46:7e:14:46:ab:fa:df:ce:fe:84:08:
+                    98:63:46:1d:4d:8a:77:57:67:da:16:8b:32:0c:7c:
+                    41:e2:a5:ec:ee:7d:20:28:eb:03:5f:f5:e6:05:d8:
+                    8b:96:78:6f:ae:29:9a:50:f7:dc:96:31:86:81:b1:
+                    78:e8:eb:ef:5d:bb:ed:42:ec:94:c6:54:46:ec:05:
+                    6f:1b:0c:36:24:c6:a8:06:7e:5c:56:b8:43:3b:11:
+                    f4:06:0a:05:15:19:3b:1f:c8:67:31:eb:3b:5b:2a:
+                    15:0a:7b:f9:6b:e4:10:ee:44:be:19:d8:db:44:01:
+                    fa:3a:56:f5:6c:4e:f3:60:aa:e4:cd:b2:ad:77:07:
+                    45:ef:f1:d7:f5:fa:52:84:5c:03:4e:72:e0:a9:91:
+                    c5:d9:d6:0a:84:33:98:31:f2:02:5b:3f:10:15:65:
+                    76:d7
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        22:79:1a:b9:5d:fa:f5:c9:a3:88:22:c4:92:e6:64:6d:ce:a5:
+        ae:2e:69:48:6a:9e:d5:11:c5:bb:b0:de:38:1b:5b:04:85:60:
+        d6:64:14:ed:c2:62:02:7d:ad:d2:17:ad:ef:40:27:2b:50:59:
+        4a:ff:88:c6:b3:16:5c:55:30:d9:23:bd:4f:0f:34:b7:7b:ed:
+        7a:e1:f3:39:35:e9:18:6d:70:b1:2b:2a:e2:e5:cd:a1:54:8a:
+        f9:f4:95:81:29:84:3f:95:2f:48:e0:35:3e:d9:cb:84:4d:3d:
+        3e:3c:0e:8d:24:42:5f:19:e6:06:a5:87:ae:ba:af:07:02:e7:
+        6a:83:0a:89:d4:a4:38:ce:05:6e:f6:15:f1:7a:53:bb:50:28:
+        89:51:3f:f2:54:f1:d3:c4:28:07:a1:3e:55:e5:84:b8:df:58:
+        af:c3:e7:81:c2:08:9c:35:e4:c4:86:75:a8:17:99:2c:a6:7f:
+        46:30:9b:23:55:c5:d8:e2:6a:e4:08:a1:8b:dc:bc:5b:86:95:
+        4a:79:fe:a6:93:3d:1a:5b:10:9a:2f:6a:45:2f:5d:c9:fa:95:
+        2e:66:eb:52:df:88:a7:5f:42:8f:5f:46:07:79:8b:a7:49:82:
+        d3:81:c6:3e:c2:5a:15:c4:83:69:30:49:4d:6e:ea:05:1e:d8:
+        dc:29:ac:17
+-----BEGIN CERTIFICATE-----
+MIIDyDCCArCgAwIBAgIUJ17Pfr6qArmpx0IwQ/4OgAWR3QswDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE4
+NTc1N1oXDTMzMDQyODE4NTc1N1owUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdS
+b290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4iFrn+9Iud4i
++1s3CWjHtZJXUiTvhQDocYVND1uMxudPGfbjC3CjQX5x1A/W/fIayqpXkXaasoJi
+YM7yAC7UvFjTYDBCpiiyUHtYAZ/7CmWwQNZ84rfajRnZpVHSRn4URqv6387+hAiY
+Y0YdTYp3V2faFosyDHxB4qXs7n0gKOsDX/XmBdiLlnhvrimaUPfcljGGgbF46Ovv
+XbvtQuyUxlRG7AVvGww2JMaoBn5cVrhDOxH0BgoFFRk7H8hnMes7WyoVCnv5a+QQ
+7kS+GdjbRAH6Olb1bE7zYKrkzbKtdwdF7/HX9fpShFwDTnLgqZHF2dYKhDOYMfIC
+Wz8QFWV21wIDAQABo4GZMIGWMB0GA1UdDgQWBBTDEkK6qdhN4MM+utdHQaYJL220
+4TAfBgNVHSMEGDAWgBTDEkK6qdhN4MM+utdHQaYJL2204TAPBgNVHRMBAf8EBTAD
+AQH/MA4GA1UdDwEB/wQEAwIBhjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vMTI3
+LjAuMC4xOjg4ODgvcm9vdF9jcmwuZGVyMA0GCSqGSIb3DQEBCwUAA4IBAQAieRq5
+Xfr1yaOIIsSS5mRtzqWuLmlIap7VEcW7sN44G1sEhWDWZBTtwmICfa3SF63vQCcr
+UFlK/4jGsxZcVTDZI71PDzS3e+164fM5NekYbXCxKyri5c2hVIr59JWBKYQ/lS9I
+4DU+2cuETT0+PA6NJEJfGeYGpYeuuq8HAudqgwqJ1KQ4zgVu9hXxelO7UCiJUT/y
+VPHTxCgHoT5V5YS431ivw+eBwgicNeTEhnWoF5kspn9GMJsjVcXY4mrkCKGL3Lxb
+hpVKef6mkz0aWxCaL2pFL13J+pUuZutS34inX0KPX0YHeYunSYLTgcY+wloVxINp
+MElNbuoFHtjcKawX
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/client1/private/System_keypair.pem b/test/configs/certs/ocsp_peer/mini-ca/client1/private/System_keypair.pem
new file mode 100644
index 000000000..cc779bece
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/client1/private/System_keypair.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCjIS90NMEbQZC2
+TkFy4D+eSZRV7AJM3RSAuD3Gx0e7pVnDNYaJFwjO/nHmL5zB29J+FCTaYTA6526x
+4yE4gbxH37J/H2C+PcXtdgOU48SzPr/4Q7rCVLy7ZlmYo/mq4xDow4jcGhhv3ZDr
+b6NL1K80XEMg1VvnmKV8e6kVhrsov7rgu/ccCMQm68GsBR90TwURV+ASdxeeid2l
+OO7Pz2e+DF5qSnRhIXmOwyjx4gYALeo6beKmJf0ti/WCNpGKIfBqkxnWdgj9ze6Q
+qanPmTBxRlfq+8VlT3yGXJ3XtMMnPOsn3bxVdh8lDctvQ5qfut5UwZADnuUN2c2E
+1Fh0Y75ZAgMBAAECggEAGJh8EGwU0pB56nbVmOW1Sd8jsanGNgMeYIMG83Xf+6uk
+Y1GqcXiK4DTOhQuYOcV0UQSmAtQlAriawNDzVRMAiaCxh8e6HSzwrws8YoJOCc2U
+AbFqkvrWQvYdW62bive1+LZkp/T6SsGQJGNebmRIr18a0vRAaWSjTOfTOFbqWKwD
+640JDw2KmJmba6JtOaEL4QWrvbugTNwh3OEHugBVTCiRTdruVpCpLSxW1yZEpwB2
+BmxQxHvbtIjiOmHuNrsh21jzi7IEx+TFawJ0EV6Wm9XCbjX62XETraILg5bWVGv7
+X+TIDE2JBCC9GZMm9Qj1EfCojRmKfxopv7sA1yBYRQKBgQC5K5NzQzk14G64tyvW
+61BteydWlBzFbgiMjYUq9wqgf2WbDVONBUB5x3MOArOmYuJOy0Xbt+pF3pF8wrkl
+hMt/hZqKzDtdDWo3+PnNFgcWmB+T76Jei9khIk3D9ENcGaNwGAS3l8sxqXNLVVBJ
+u5qHKeKFreXSra7xlXOuw5IMbQKBgQDhh1QqpQMloXOPCQWWzPtrEa8BRGNMFQTU
+yZFHeetQjjX5opxxMbbXU/wNz/dRgdfe2VLVo9e4dtQbzCKenuwWeivuDxd4YOsF
+Von9XDOzVWoXuP01MxDcU+sRoBLwWbpCWMe7r4Ny98C78+/5GssvkFUo+hd2vPo6
+U20pVZfuHQKBgGYD1eZooLpH/XgSojpzxgmrEc8nJnq21krpJPa4x8gIp+e2fdNx
+k0YEViTf5C3EyL10S/Zy6sS3jBvaA7rh4GNPLgdN4V6wp1ZS+vy8KAeQo8US/rds
+AKG6jnFovzucfGijMuYa4L1ph7V3ORaGHupcbwoK9lUNjxZVqjgcUvg5AoGBANOU
+zpWjcaxgJ7XNVP0BGe59DJ43tqCuJ3YqFK3l56oPgPvOXs6jQVIKbLHYpcJF+mwL
+nvbnW36nnJ7niKMfnYYI4CXa6r34zwSXB6Y2Vhqsy3euCX9bhTnvUN2cO6hZxbBw
+8hFWvA+j96FdXYlqZa0dz4c9+b1f1bHaitL4hizRAoGAVlH2lJr6s+ZmzkDY7D+Y
+6YKyjXaxhHBIqB2oLK1KuxGMiQnRADs9UOC4x2PQPOfemjVTJ3eN3rwxdqSh+Y2v
+K+RejHBJzbd4JIv0QRxpPAm9sezaNEHa7ss387cLZEBEYUI9HkIuPunKX+2lHITn
+WpVRyzYjVkFUUcRe3DyTlh8=
+-----END PRIVATE KEY-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem b/test/configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem
new file mode 100644
index 000000000..1f4a6df18
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC06yLixLp/M6pX
+qxPxaQmYKDx9p+JBKigv+YWhbJTuCutNAUwofJ0FTdgQf7fPE8Km3hEMlziXzW0R
+/RZ2wOtat3sXE0WdSwBPJsWxm2eTLNbVMzfhUB17Db6My70pmY9U9n4EhIIqKO5x
+Po1fcrJqd2tHPrpNs+KWFHEKHiYWj2wbByqsFYkeiGPDgTuR6fNDG/DsCCSWRich
+KlYlLLbM2QJwd53kfESMkwSFowkKjvXnIfq9Vii3UiAJ7JrE1NeKGU56EOmyEDZo
+zs54i3k/b3A7dW1wWTrJhaj4I9SrRMKu9RxuOBHhX8yP4kP1sw4JF7PG7kf7OcRY
+YrrjqMXvAgMBAAECggEATFRQOaCKlpQzsB0rotSQCbQgIVutZ5Tjs6nwqTRoeS3+
+LFT5zrMUhGJdYEiiQimyHDjgtJEwfUtcUxSWX6/xHCsBMbEd08kK7loLWm2Ye02V
+rgmX7+WfKoWX+UsUGfMBt/TvIfTN/f+a6ghcGQMJJ0YO6tYaQCI+3NbvAjfKFgXi
+nWWZA+ipjh+Nu3YhVAy/uMInMi0qGWmpomU1yS+04E3OQksKYc3OmER7zFwbmNbF
+0LanWlLURUeHIS1BY+V4yXw6yBJaCDUpVA37mfLqRQshGtGjmWLtMt/AuSFokwHd
+yewoORlpVkZnE4Igv1JDggFdEI5lZ4PTmOjEXfntYQKBgQDH6sBr24OMUceNWyvf
+k03pqUaoiJkivAcUI/krfY7mdSLkiqs+UPuRrikGbvKT3R+iJVbTB4dXzGG6nzBc
+es7xwvzDGNHHXe0KAFhyIXwNMZmLGTmsNVfnKPAQ1BfKG9MtD5ck2gI1L1DkpaRz
+X57YONvG05HYmY7TaV2VOKK1iQKBgQDnq/zW6P9WHpIHBjZRN0V4yFl1dMfn2VwZ
+c3QWBd+kTwVBBhlJlqYeRIt4kmwExPnd3OX8Y7N18RttIc+k4dZgTA4w8G3xzvgk
+0sHgf3EBbrkUuS23BJ2IPIb4LmWckH6+KJkvBrlZOfoLBj8uxQwz/wmWA2IoQgKv
+CvDNr6G5twKBgECWSgZOjAhoX1T+0ITRvUkxJB/MydSb9JmAKb7wOJuh2l0Fo99l
+IHFnV9+5Nmuo89BZydwxwXsPD7/QMDqgfn1C5pBNU3Damnsxs2FkCgTlMlrrEmPd
+dAG9ixmUu/7S0H3tXIJOYIo4OCU2kpOnn9TxQafRsHvO2ILatp5ABukpAoGBALgP
+KJ4GF3bwaswx302/P+6qHoj28yv8wPNnir9Eg14jeeUjV0vj6K77fmOY0UEozeu6
+6O4QuC/oEwYtaq9wzcVMJ6oyGueWrAd1eptGJR4iPeF9DhjuDcqDbCgZlJlDI68o
+yitWiEOfkEzZ9bDO1NcqtQ7+OSoK597yLkb8Vt0ZAoGAN2dHPkTiNFlbzCefv/EP
+A4xQUAUiwfQ9ZlhMtD9Tlea8cMAD901rxy52YrgCvBPxw3HmKG2H0NOpa7BwrgA8
+uODxi6xBRExRhvaqZe1aP1xn4XKw2VVsMlIlJQj2Wmuxeknfm9R1sfRD797c4nuN
+ntLUOPAWtDkLoJLrTd9EqFk=
+-----END PRIVATE KEY-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/client1/private/UserA2_keypair.pem b/test/configs/certs/ocsp_peer/mini-ca/client1/private/UserA2_keypair.pem
new file mode 100644
index 000000000..8485c7cf7
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/client1/private/UserA2_keypair.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCmfECAK0QAMxHG
+wp1nPoeOfkDT9dMntn0YPMCGrJY6rdjDy6tyXky3JEXax6jMdLghdWKegYiWVG7b
++YwvTJcNziFCL5JXfzQrAkNMIq4UyvyyLNBnDlLgbWGWpjvMT2rW70WcdJIlbAoQ
+YhsiKxFr0VJN2o3DSuZ0pxse74r0logCDbdXNZ+j/6Istw4nTnkvzwzxkQ6/Adei
+cSy3Dkt+UJGJccIXqsspgJ7XK/ozQeiC0TqXPWzeZpu06hrrlL5uwGbodz1y1Vyl
+6Ks7M/SzwiZJvAhVzxa2EiKR/sFastd34/RHvMR3a/V/w+hImbmo6rGu5sw6EvpN
+L18PqP2NAgMBAAECggEAHsf4UPou326RydLvsUgRXhofuFDKEpyd8l5BJmVAfWbp
+HgJJF6Mxwea196ZUokCuTplae33tmAXSXV99OL2LbCUBZzBOeVjud0k60hfTYcrJ
+/9NjULqIPjBbC7R+d97zHPwuPagb4UlhbvgElkOqO+n+sqBG96WgiE7hJ84YPfJO
+Y+Is9vRbESkMVK1TH5PxfDE0Yu/i2vm/Fv+Ekgqe+GiZgbDw+L98D7ZX1xb8W2Ix
+WnM2Skd22pit1ftpixuHbdHcPX2NNdhFKy8r/ZYK0SCLwkb8yJhDLQF8Q01YXd6q
+FHtuE+MGXsr7dkcqYtc2QvigJdHs72WCjZwcpA+vgQKBgQC9qt3AIXPjPckhTEEK
+97tg0zqFVPHyhiy23qsKJ/egMIhYESQngLOPcQ0Q/bG5OJqe5sx31rmKQ368QUSX
+lIPG9WrRxCh3BTo7nOOEmAh4uGnKtvDJbTRP56fPQhkKlDywua8vKs0moUdcact7
+jjXYxXSPGEqHQrjPkuurPJvc7QKBgQDgtd4/kYGM9R2ltSLWm/TZnE6LM1EtBWrA
+HNAYV7WxxKdUvTtxBIXDKer0RAbDKHIoZ6HI3lon5siuBVtIFoq2VLxS1jm3rEJv
+qV6USxxDnEkbLla6Jzmd5eqFPZErWfNqmdXP1sqC8fs5q1PUJXNtEIdJulXQnHP2
+5lJxq8ovIQKBgQC1HBerg0YZ08HfHeVuB6jRiGH1N2vhXeYMqQtCI2/9ctp+3b9c
+STUs35LOirHOYBKlcVYFiPCa6mB2ewx4gcRjk61wqJLLNB6rFeDbmCFexRmgDJhY
+fwLY2igPbNpkk7BwQJ7bt082eAKgaBV54g3g9IucqGFiT4ASFgUb+kAK8QKBgFYJ
+rJgAWW8kJv7clQNA4YY0j+pCctFfIpl+LrszUhFHr54Fem3ygljQgvKV3VT59oO7
+8jkb0b83YR0oVeQLJX9cgGLjPWQzI5jna5wyChdlDqTGoFRUUn4/mwT7JstHfKkT
+T8dtgUqT5lIVZFp1IHXg/zveiZ7/WHNvip+VXCuhAoGAE3aA/rPBYEHJFLHaSgcR
+E+ggLP3HjQPN6347NXBZSaWSXqXtdLDlgnnysRnEd+JHSDI3lNuFa6d6nY7x7Mc0
+Bn54Tf3KLLHcyUrwQTCjY230212gYGqWXMgeaTPJRtl4K0PchWzKzZ1m9RQAZHOQ
+OaBsh0IA+LCDTmsPsbzh6U4=
+-----END PRIVATE KEY-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/client2/UserB1_bundle.pem b/test/configs/certs/ocsp_peer/mini-ca/client2/UserB1_bundle.pem
new file mode 100644
index 000000000..c09aef2d9
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/client2/UserB1_bundle.pem
@@ -0,0 +1,186 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            3a:d5:76:e0:a4:4b:67:ba:da:f2:9b:15:09:4c:ff:54:58:1d:e9:92
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 2
+        Validity
+            Not Before: May  1 19:40:31 2023 GMT
+            Not After : Apr 28 19:40:31 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=UserB1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:ba:19:65:ab:3f:2e:f2:7a:93:ea:06:eb:a2:9a:
+                    c5:b9:20:66:2e:74:1b:94:5a:43:1c:8c:22:72:00:
+                    79:2d:20:18:e3:4a:35:a6:df:8a:58:33:73:2c:28:
+                    20:e7:d9:85:ec:f5:81:ae:44:44:55:66:65:d6:b5:
+                    78:71:c4:d8:c2:7b:4c:2d:8b:18:b6:86:fc:50:c0:
+                    7e:b6:6e:f7:76:c0:30:6c:67:09:53:2d:87:98:d6:
+                    d4:d8:b3:a9:80:45:93:7f:33:3f:41:2a:70:f3:e1:
+                    df:a0:85:64:4b:25:e4:91:e9:e6:c8:c3:a0:3e:b3:
+                    ef:97:1f:ae:9d:44:84:35:26:26:4e:0c:7a:1d:c7:
+                    ef:b6:46:8d:82:b8:b0:18:fb:25:77:04:20:8c:da:
+                    af:fa:9e:a2:b0:67:b6:a6:5b:d7:95:a5:3c:3e:76:
+                    b4:37:4a:48:98:34:96:9d:d2:ff:36:6a:f4:2a:cd:
+                    85:b3:e3:71:74:0f:e0:25:f1:06:cb:9d:53:fc:b4:
+                    5d:c4:8d:7a:0b:bd:16:ee:5c:58:21:ad:49:34:9f:
+                    9e:1b:6d:f6:47:52:1f:a0:74:00:fe:3c:4d:5f:4c:
+                    5a:23:4a:d5:4c:ff:3f:42:5d:85:df:f6:3b:32:c4:
+                    ca:4b:d0:9d:4b:9e:86:a6:64:44:b8:ae:24:1a:f4:
+                    66:6b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                EC:AB:7B:4D:CD:62:D6:89:63:69:FE:97:34:5A:96:58:A5:94:A6:D9
+            X509v3 Authority Key Identifier: 
+                75:55:E2:8E:E7:AD:A5:DD:80:3D:C9:33:0B:2C:A2:57:77:ED:15:AC
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Client, S/MIME
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication, E-mail Protection
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:28888/intermediate2_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:28888/
+            X509v3 Subject Alternative Name: 
+                email:UserB1@user.net
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        a8:78:fa:c2:44:e0:b9:c7:af:d5:cc:b6:b4:2b:3d:74:ae:b8:
+        d1:e1:22:d0:63:7d:77:97:db:97:2f:f1:f0:ce:e3:9e:5e:e1:
+        2a:19:54:00:38:7b:30:0b:8b:95:3a:4b:5d:83:08:80:fe:29:
+        85:72:fd:c9:80:6b:c3:fd:a3:00:4f:b5:f2:34:a3:42:54:77:
+        77:70:43:40:fe:1f:7a:b7:7f:55:c3:c0:e2:44:d1:95:fb:4c:
+        eb:f8:39:dd:b6:3d:07:27:39:8e:89:e4:a8:49:fd:02:70:65:
+        72:6f:c7:d4:12:57:bd:47:ea:7d:2d:63:b4:fe:81:33:20:3c:
+        e0:36:a2:60:58:79:5e:ce:6c:ed:7c:97:6e:6b:52:25:8d:73:
+        bb:ea:b5:8b:1e:d2:97:24:88:59:ea:a4:29:a3:ea:04:45:e1:
+        6a:cd:c8:b9:13:44:57:f8:7e:1a:85:34:11:71:f9:10:a4:6f:
+        07:d4:7d:21:84:f1:52:6f:f9:e8:36:83:28:32:aa:ad:2a:c3:
+        fb:98:02:c7:2e:2c:49:08:21:af:fe:15:0e:f3:ce:e7:24:b5:
+        c8:08:d6:20:e8:8c:24:ce:1f:84:0b:9a:46:07:8c:05:d0:86:
+        04:06:2b:a2:a8:e2:20:c1:1f:ac:07:fc:ac:e0:f5:ee:7a:c6:
+        5a:e4:81:74
+-----BEGIN CERTIFICATE-----
+MIIEXTCCA0WgAwIBAgIUOtV24KRLZ7ra8psVCUz/VFgd6ZIwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJbnRlcm1lZGlhdGUgQ0EgMjAe
+Fw0yMzA1MDExOTQwMzFaFw0zMzA0MjgxOTQwMzFaME8xCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJXQTEPMA0GA1UEBwwGVGFjb21hMREwDwYDVQQKDAhUZXN0bmF0czEP
+MA0GA1UEAwwGVXNlckIxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+uhllqz8u8nqT6gbroprFuSBmLnQblFpDHIwicgB5LSAY40o1pt+KWDNzLCgg59mF
+7PWBrkREVWZl1rV4ccTYwntMLYsYtob8UMB+tm73dsAwbGcJUy2HmNbU2LOpgEWT
+fzM/QSpw8+HfoIVkSyXkkenmyMOgPrPvlx+unUSENSYmTgx6HcfvtkaNgriwGPsl
+dwQgjNqv+p6isGe2plvXlaU8Pna0N0pImDSWndL/Nmr0Ks2Fs+NxdA/gJfEGy51T
+/LRdxI16C70W7lxYIa1JNJ+eG232R1IfoHQA/jxNX0xaI0rVTP8/Ql2F3/Y7MsTK
+S9CdS56GpmREuK4kGvRmawIDAQABo4IBJDCCASAwHQYDVR0OBBYEFOyre03NYtaJ
+Y2n+lzRallillKbZMB8GA1UdIwQYMBaAFHVV4o7nraXdgD3JMwssold37RWsMAwG
+A1UdEwEB/wQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMA4GA1UdDwEB/wQEAwIF4DAd
+BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwPQYDVR0fBDYwNDAyoDCgLoYs
+aHR0cDovLzEyNy4wLjAuMToyODg4OC9pbnRlcm1lZGlhdGUyX2NybC5kZXIwMwYI
+KwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8vMTI3LjAuMC4xOjI4ODg4
+LzAaBgNVHREEEzARgQ9Vc2VyQjFAdXNlci5uZXQwDQYJKoZIhvcNAQELBQADggEB
+AKh4+sJE4LnHr9XMtrQrPXSuuNHhItBjfXeX25cv8fDO455e4SoZVAA4ezALi5U6
+S12DCID+KYVy/cmAa8P9owBPtfI0o0JUd3dwQ0D+H3q3f1XDwOJE0ZX7TOv4Od22
+PQcnOY6J5KhJ/QJwZXJvx9QSV71H6n0tY7T+gTMgPOA2omBYeV7ObO18l25rUiWN
+c7vqtYse0pckiFnqpCmj6gRF4WrNyLkTRFf4fhqFNBFx+RCkbwfUfSGE8VJv+eg2
+gygyqq0qw/uYAscuLEkIIa/+FQ7zzucktcgI1iDojCTOH4QLmkYHjAXQhgQGK6Ko
+4iDBH6wH/Kzg9e56xlrkgXQ=
+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            3c:d7:16:fb:15:99:81:4e:53:f8:80:7c:b6:7c:77:a6:06:a4:3e:ea
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 19:01:43 2023 GMT
+            Not After : Apr 28 19:01:43 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 2
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:da:5f:ff:1d:f7:8d:1a:9e:9a:f3:2b:68:8f:c1:
+                    0c:33:06:41:00:c9:3e:e4:1a:e1:e0:70:6a:f5:2f:
+                    ad:df:f3:e9:99:ed:c5:d7:aa:93:13:37:ff:47:aa:
+                    f3:c5:89:f7:b7:ad:3a:47:e5:9c:4e:9f:8c:e2:41:
+                    ed:a4:7c:9d:88:32:ae:f5:8a:84:9f:0c:18:a0:b3:
+                    fe:8e:dc:2a:88:6a:f5:2f:9c:86:92:fa:7b:6e:b3:
+                    5a:78:67:53:0b:21:6c:0d:6c:80:1a:0e:1e:ee:06:
+                    c4:d2:e7:24:c6:e5:74:be:1e:2e:17:55:2b:e5:9f:
+                    0b:a0:58:cc:fe:bf:53:37:f7:dc:95:88:f4:77:a6:
+                    59:b4:b8:7c:a2:4b:b7:6a:67:aa:84:dc:29:f1:f9:
+                    d7:89:05:4d:0b:f3:8b:2d:52:99:57:ed:6f:11:9e:
+                    af:28:a3:61:44:c2:ec:6e:7f:9f:3d:0b:dc:f7:19:
+                    6d:14:8a:a5:b8:b6:29:02:34:90:b4:96:c1:cb:a7:
+                    42:46:97:cf:8d:59:fd:17:b1:a6:27:a7:7b:8a:47:
+                    6f:fa:03:24:1c:12:25:ee:34:d6:5c:da:45:98:23:
+                    30:e1:48:c9:9a:df:37:aa:1b:70:6c:b2:0f:95:39:
+                    d6:6d:3e:25:20:a8:07:2c:48:57:0c:99:52:cb:89:
+                    08:41
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                75:55:E2:8E:E7:AD:A5:DD:80:3D:C9:33:0B:2C:A2:57:77:ED:15:AC
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:8888/
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        1f:c6:fc:1c:a1:a5:6d:76:f0:7d:28:1f:e1:15:ab:86:e0:c3:
+        dd:a0:17:96:0a:c0:16:32:52:37:a4:b6:ad:24:d7:fd:3c:01:
+        34:3b:a9:a2:ea:81:05:e7:06:5f:a3:af:7b:fa:b2:a9:c3:63:
+        89:bb:0c:70:48:e9:73:cc:33:64:cd:b3:71:88:d1:d1:a1:5a:
+        22:a6:ed:03:46:8e:9a:c0:92:37:46:9b:e5:37:78:a5:43:d5:
+        46:99:1b:34:40:27:8f:95:dd:c6:9a:55:d9:60:25:8d:b8:e9:
+        6e:c9:b3:ee:e8:f0:d9:11:ef:4e:ae:1e:03:70:03:60:66:fd:
+        ab:b0:f4:74:b6:27:7c:7a:96:9d:86:58:5f:5c:d3:04:ab:16:
+        57:12:53:51:c7:93:ca:0b:4e:67:27:2d:b7:20:79:b6:b7:8c:
+        e7:c3:d9:25:5e:25:63:cf:93:f0:6e:31:c0:d5:4f:05:1c:8d:
+        14:1b:6a:d5:01:b6:7a:09:6f:38:f3:e5:e2:5a:e4:e2:42:d5:
+        8a:8d:de:ef:73:25:85:3c:e3:a9:ef:f7:f7:23:4f:d3:27:c2:
+        3a:c6:c0:6f:2a:9b:1e:fe:fc:31:73:10:e1:08:62:98:2b:6d:
+        2f:cc:ab:dd:3a:65:c2:00:7f:29:18:32:cd:8f:56:a9:1d:86:
+        f1:5e:60:55
+-----BEGIN CERTIFICATE-----
+MIIECTCCAvGgAwIBAgIUPNcW+xWZgU5T+IB8tnx3pgakPuowDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE5
+MDE0M1oXDTMzMDQyODE5MDE0M1owWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJ
+bnRlcm1lZGlhdGUgQ0EgMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ANpf/x33jRqemvMraI/BDDMGQQDJPuQa4eBwavUvrd/z6ZntxdeqkxM3/0eq88WJ
+97etOkflnE6fjOJB7aR8nYgyrvWKhJ8MGKCz/o7cKohq9S+chpL6e26zWnhnUwsh
+bA1sgBoOHu4GxNLnJMbldL4eLhdVK+WfC6BYzP6/Uzf33JWI9HemWbS4fKJLt2pn
+qoTcKfH514kFTQvziy1SmVftbxGeryijYUTC7G5/nz0L3PcZbRSKpbi2KQI0kLSW
+wcunQkaXz41Z/Rexpiene4pHb/oDJBwSJe401lzaRZgjMOFIyZrfN6obcGyyD5U5
+1m0+JSCoByxIVwyZUsuJCEECAwEAAaOB0DCBzTAdBgNVHQ4EFgQUdVXijuetpd2A
+PckzCyyiV3ftFawwHwYDVR0jBBgwFoAUwxJCuqnYTeDDPrrXR0GmCS9ttOEwEgYD
+VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwMwYDVR0fBCwwKjAooCag
+JIYiaHR0cDovLzEyNy4wLjAuMTo4ODg4L3Jvb3RfY3JsLmRlcjAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6ODg4OC8wDQYJKoZI
+hvcNAQELBQADggEBAB/G/ByhpW128H0oH+EVq4bgw92gF5YKwBYyUjektq0k1/08
+ATQ7qaLqgQXnBl+jr3v6sqnDY4m7DHBI6XPMM2TNs3GI0dGhWiKm7QNGjprAkjdG
+m+U3eKVD1UaZGzRAJ4+V3caaVdlgJY246W7Js+7o8NkR706uHgNwA2Bm/auw9HS2
+J3x6lp2GWF9c0wSrFlcSU1HHk8oLTmcnLbcgeba3jOfD2SVeJWPPk/BuMcDVTwUc
+jRQbatUBtnoJbzjz5eJa5OJC1YqN3u9zJYU846nv9/cjT9MnwjrGwG8qmx7+/DFz
+EOEIYpgrbS/Mq906ZcIAfykYMs2PVqkdhvFeYFU=
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/client2/UserB1_cert.pem b/test/configs/certs/ocsp_peer/mini-ca/client2/UserB1_cert.pem
new file mode 100644
index 000000000..51050116b
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/client2/UserB1_cert.pem
@@ -0,0 +1,97 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            3a:d5:76:e0:a4:4b:67:ba:da:f2:9b:15:09:4c:ff:54:58:1d:e9:92
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 2
+        Validity
+            Not Before: May  1 19:40:31 2023 GMT
+            Not After : Apr 28 19:40:31 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=UserB1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:ba:19:65:ab:3f:2e:f2:7a:93:ea:06:eb:a2:9a:
+                    c5:b9:20:66:2e:74:1b:94:5a:43:1c:8c:22:72:00:
+                    79:2d:20:18:e3:4a:35:a6:df:8a:58:33:73:2c:28:
+                    20:e7:d9:85:ec:f5:81:ae:44:44:55:66:65:d6:b5:
+                    78:71:c4:d8:c2:7b:4c:2d:8b:18:b6:86:fc:50:c0:
+                    7e:b6:6e:f7:76:c0:30:6c:67:09:53:2d:87:98:d6:
+                    d4:d8:b3:a9:80:45:93:7f:33:3f:41:2a:70:f3:e1:
+                    df:a0:85:64:4b:25:e4:91:e9:e6:c8:c3:a0:3e:b3:
+                    ef:97:1f:ae:9d:44:84:35:26:26:4e:0c:7a:1d:c7:
+                    ef:b6:46:8d:82:b8:b0:18:fb:25:77:04:20:8c:da:
+                    af:fa:9e:a2:b0:67:b6:a6:5b:d7:95:a5:3c:3e:76:
+                    b4:37:4a:48:98:34:96:9d:d2:ff:36:6a:f4:2a:cd:
+                    85:b3:e3:71:74:0f:e0:25:f1:06:cb:9d:53:fc:b4:
+                    5d:c4:8d:7a:0b:bd:16:ee:5c:58:21:ad:49:34:9f:
+                    9e:1b:6d:f6:47:52:1f:a0:74:00:fe:3c:4d:5f:4c:
+                    5a:23:4a:d5:4c:ff:3f:42:5d:85:df:f6:3b:32:c4:
+                    ca:4b:d0:9d:4b:9e:86:a6:64:44:b8:ae:24:1a:f4:
+                    66:6b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                EC:AB:7B:4D:CD:62:D6:89:63:69:FE:97:34:5A:96:58:A5:94:A6:D9
+            X509v3 Authority Key Identifier: 
+                75:55:E2:8E:E7:AD:A5:DD:80:3D:C9:33:0B:2C:A2:57:77:ED:15:AC
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Client, S/MIME
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication, E-mail Protection
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:28888/intermediate2_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:28888/
+            X509v3 Subject Alternative Name: 
+                email:UserB1@user.net
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        a8:78:fa:c2:44:e0:b9:c7:af:d5:cc:b6:b4:2b:3d:74:ae:b8:
+        d1:e1:22:d0:63:7d:77:97:db:97:2f:f1:f0:ce:e3:9e:5e:e1:
+        2a:19:54:00:38:7b:30:0b:8b:95:3a:4b:5d:83:08:80:fe:29:
+        85:72:fd:c9:80:6b:c3:fd:a3:00:4f:b5:f2:34:a3:42:54:77:
+        77:70:43:40:fe:1f:7a:b7:7f:55:c3:c0:e2:44:d1:95:fb:4c:
+        eb:f8:39:dd:b6:3d:07:27:39:8e:89:e4:a8:49:fd:02:70:65:
+        72:6f:c7:d4:12:57:bd:47:ea:7d:2d:63:b4:fe:81:33:20:3c:
+        e0:36:a2:60:58:79:5e:ce:6c:ed:7c:97:6e:6b:52:25:8d:73:
+        bb:ea:b5:8b:1e:d2:97:24:88:59:ea:a4:29:a3:ea:04:45:e1:
+        6a:cd:c8:b9:13:44:57:f8:7e:1a:85:34:11:71:f9:10:a4:6f:
+        07:d4:7d:21:84:f1:52:6f:f9:e8:36:83:28:32:aa:ad:2a:c3:
+        fb:98:02:c7:2e:2c:49:08:21:af:fe:15:0e:f3:ce:e7:24:b5:
+        c8:08:d6:20:e8:8c:24:ce:1f:84:0b:9a:46:07:8c:05:d0:86:
+        04:06:2b:a2:a8:e2:20:c1:1f:ac:07:fc:ac:e0:f5:ee:7a:c6:
+        5a:e4:81:74
+-----BEGIN CERTIFICATE-----
+MIIEXTCCA0WgAwIBAgIUOtV24KRLZ7ra8psVCUz/VFgd6ZIwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJbnRlcm1lZGlhdGUgQ0EgMjAe
+Fw0yMzA1MDExOTQwMzFaFw0zMzA0MjgxOTQwMzFaME8xCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJXQTEPMA0GA1UEBwwGVGFjb21hMREwDwYDVQQKDAhUZXN0bmF0czEP
+MA0GA1UEAwwGVXNlckIxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+uhllqz8u8nqT6gbroprFuSBmLnQblFpDHIwicgB5LSAY40o1pt+KWDNzLCgg59mF
+7PWBrkREVWZl1rV4ccTYwntMLYsYtob8UMB+tm73dsAwbGcJUy2HmNbU2LOpgEWT
+fzM/QSpw8+HfoIVkSyXkkenmyMOgPrPvlx+unUSENSYmTgx6HcfvtkaNgriwGPsl
+dwQgjNqv+p6isGe2plvXlaU8Pna0N0pImDSWndL/Nmr0Ks2Fs+NxdA/gJfEGy51T
+/LRdxI16C70W7lxYIa1JNJ+eG232R1IfoHQA/jxNX0xaI0rVTP8/Ql2F3/Y7MsTK
+S9CdS56GpmREuK4kGvRmawIDAQABo4IBJDCCASAwHQYDVR0OBBYEFOyre03NYtaJ
+Y2n+lzRallillKbZMB8GA1UdIwQYMBaAFHVV4o7nraXdgD3JMwssold37RWsMAwG
+A1UdEwEB/wQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMA4GA1UdDwEB/wQEAwIF4DAd
+BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwPQYDVR0fBDYwNDAyoDCgLoYs
+aHR0cDovLzEyNy4wLjAuMToyODg4OC9pbnRlcm1lZGlhdGUyX2NybC5kZXIwMwYI
+KwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8vMTI3LjAuMC4xOjI4ODg4
+LzAaBgNVHREEEzARgQ9Vc2VyQjFAdXNlci5uZXQwDQYJKoZIhvcNAQELBQADggEB
+AKh4+sJE4LnHr9XMtrQrPXSuuNHhItBjfXeX25cv8fDO455e4SoZVAA4ezALi5U6
+S12DCID+KYVy/cmAa8P9owBPtfI0o0JUd3dwQ0D+H3q3f1XDwOJE0ZX7TOv4Od22
+PQcnOY6J5KhJ/QJwZXJvx9QSV71H6n0tY7T+gTMgPOA2omBYeV7ObO18l25rUiWN
+c7vqtYse0pckiFnqpCmj6gRF4WrNyLkTRFf4fhqFNBFx+RCkbwfUfSGE8VJv+eg2
+gygyqq0qw/uYAscuLEkIIa/+FQ7zzucktcgI1iDojCTOH4QLmkYHjAXQhgQGK6Ko
+4iDBH6wH/Kzg9e56xlrkgXQ=
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/client2/UserB2_bundle.pem b/test/configs/certs/ocsp_peer/mini-ca/client2/UserB2_bundle.pem
new file mode 100644
index 000000000..b28ac13a5
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/client2/UserB2_bundle.pem
@@ -0,0 +1,186 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            1e:dc:a2:b9:fd:aa:6e:73:ae:1c:7d:8d:13:73:d1:cd:16:bb:40:90
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 2
+        Validity
+            Not Before: May  1 19:40:31 2023 GMT
+            Not After : Apr 28 19:40:31 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=UserB2
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:b2:1d:92:83:be:0f:40:5c:b8:34:93:66:28:ea:
+                    d3:85:1e:ec:66:e3:97:d0:fe:a7:2d:2c:89:c4:aa:
+                    e0:ff:62:a2:8b:19:19:8a:1f:bb:a9:24:2f:a8:a1:
+                    16:95:a7:5b:42:65:2f:03:27:12:ac:44:fb:2f:e0:
+                    9b:19:52:32:a7:db:83:d0:1a:d6:36:d7:b7:40:0e:
+                    85:c6:a7:75:5c:d1:71:a9:99:d3:da:2b:70:f9:9e:
+                    9d:0b:a8:35:bc:3c:7f:24:1e:b5:2e:83:31:07:c9:
+                    9b:4a:0e:a3:32:36:bd:a6:2c:55:79:f8:71:66:6a:
+                    2a:8f:f9:f9:67:b0:06:21:e4:2a:02:44:b6:39:84:
+                    18:7a:00:5e:34:36:f4:61:0d:11:a9:e2:0c:b8:05:
+                    ed:67:97:bc:29:e7:69:ac:48:6e:fb:78:e9:3b:38:
+                    e3:db:09:cb:22:0f:9a:57:1c:cc:06:f1:f7:44:66:
+                    d0:01:c4:c1:14:65:29:e5:cf:19:26:73:c9:8a:5c:
+                    2b:25:a9:d1:c6:3e:d8:4d:f5:f3:67:c7:23:b9:7b:
+                    2b:f5:97:28:89:81:99:9d:82:45:21:27:f4:ca:86:
+                    02:22:2f:26:4b:61:8a:cb:76:fb:b1:7b:4c:42:b6:
+                    25:e8:3e:cb:ab:2c:60:a7:a3:82:fb:ef:05:59:03:
+                    a5:5b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                C6:25:DB:6C:4E:18:89:96:67:30:E8:5F:EC:0C:03:70:A4:4C:07:98
+            X509v3 Authority Key Identifier: 
+                75:55:E2:8E:E7:AD:A5:DD:80:3D:C9:33:0B:2C:A2:57:77:ED:15:AC
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Client, S/MIME
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication, E-mail Protection
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:28888/intermediate2_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:28888/
+            X509v3 Subject Alternative Name: 
+                email:UserB2@user.net
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        7d:93:8d:17:4b:fe:9e:5d:d0:4e:c3:47:dc:6c:05:1b:10:7f:
+        9d:24:75:ea:30:27:c3:b1:26:2c:38:c3:c9:18:ec:21:d2:ef:
+        07:b2:d4:f9:2e:a1:a2:1a:a5:68:cb:1a:14:55:7f:82:05:8a:
+        a3:0d:11:f0:ed:f2:e2:c0:e3:6a:1c:76:42:01:92:68:2b:f7:
+        4d:98:ae:7b:02:f1:36:2e:44:67:43:39:8e:08:91:f1:f0:ab:
+        9c:84:df:08:80:bf:76:6b:37:3f:e8:70:e0:d6:27:73:e9:bc:
+        49:1f:c2:4a:15:51:22:c6:f3:85:52:e3:a6:93:aa:f6:c9:b4:
+        96:f2:09:e6:62:53:0e:87:76:fd:7a:38:69:e2:41:54:c5:51:
+        6e:cf:bc:1a:7b:0a:ef:c6:6e:be:b5:72:4d:f4:6f:fd:a5:a8:
+        ba:23:15:80:fa:b6:37:8d:68:d8:3e:36:c5:ae:f6:6c:22:a0:
+        00:0d:93:e1:ae:41:9a:d7:35:d0:ab:98:71:1b:6b:8d:da:78:
+        65:3c:97:be:9c:9e:d7:32:a1:0c:2b:60:ac:74:18:18:e4:48:
+        87:40:dd:bf:eb:0e:27:17:96:a1:aa:32:a9:58:b5:ee:fc:42:
+        7e:d7:71:a4:8e:a0:5b:06:6f:f1:85:27:8c:6b:20:df:e0:6b:
+        13:5f:cf:4c
+-----BEGIN CERTIFICATE-----
+MIIEXTCCA0WgAwIBAgIUHtyiuf2qbnOuHH2NE3PRzRa7QJAwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJbnRlcm1lZGlhdGUgQ0EgMjAe
+Fw0yMzA1MDExOTQwMzFaFw0zMzA0MjgxOTQwMzFaME8xCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJXQTEPMA0GA1UEBwwGVGFjb21hMREwDwYDVQQKDAhUZXN0bmF0czEP
+MA0GA1UEAwwGVXNlckIyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+sh2Sg74PQFy4NJNmKOrThR7sZuOX0P6nLSyJxKrg/2KiixkZih+7qSQvqKEWladb
+QmUvAycSrET7L+CbGVIyp9uD0BrWNte3QA6Fxqd1XNFxqZnT2itw+Z6dC6g1vDx/
+JB61LoMxB8mbSg6jMja9pixVefhxZmoqj/n5Z7AGIeQqAkS2OYQYegBeNDb0YQ0R
+qeIMuAXtZ5e8KedprEhu+3jpOzjj2wnLIg+aVxzMBvH3RGbQAcTBFGUp5c8ZJnPJ
+ilwrJanRxj7YTfXzZ8cjuXsr9ZcoiYGZnYJFISf0yoYCIi8mS2GKy3b7sXtMQrYl
+6D7Lqyxgp6OC++8FWQOlWwIDAQABo4IBJDCCASAwHQYDVR0OBBYEFMYl22xOGImW
+ZzDoX+wMA3CkTAeYMB8GA1UdIwQYMBaAFHVV4o7nraXdgD3JMwssold37RWsMAwG
+A1UdEwEB/wQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMA4GA1UdDwEB/wQEAwIF4DAd
+BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwPQYDVR0fBDYwNDAyoDCgLoYs
+aHR0cDovLzEyNy4wLjAuMToyODg4OC9pbnRlcm1lZGlhdGUyX2NybC5kZXIwMwYI
+KwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8vMTI3LjAuMC4xOjI4ODg4
+LzAaBgNVHREEEzARgQ9Vc2VyQjJAdXNlci5uZXQwDQYJKoZIhvcNAQELBQADggEB
+AH2TjRdL/p5d0E7DR9xsBRsQf50kdeowJ8OxJiw4w8kY7CHS7wey1PkuoaIapWjL
+GhRVf4IFiqMNEfDt8uLA42ocdkIBkmgr902YrnsC8TYuRGdDOY4IkfHwq5yE3wiA
+v3ZrNz/ocODWJ3PpvEkfwkoVUSLG84VS46aTqvbJtJbyCeZiUw6Hdv16OGniQVTF
+UW7PvBp7Cu/Gbr61ck30b/2lqLojFYD6tjeNaNg+NsWu9mwioAANk+GuQZrXNdCr
+mHEba43aeGU8l76cntcyoQwrYKx0GBjkSIdA3b/rDicXlqGqMqlYte78Qn7XcaSO
+oFsGb/GFJ4xrIN/gaxNfz0w=
+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            3c:d7:16:fb:15:99:81:4e:53:f8:80:7c:b6:7c:77:a6:06:a4:3e:ea
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 19:01:43 2023 GMT
+            Not After : Apr 28 19:01:43 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 2
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:da:5f:ff:1d:f7:8d:1a:9e:9a:f3:2b:68:8f:c1:
+                    0c:33:06:41:00:c9:3e:e4:1a:e1:e0:70:6a:f5:2f:
+                    ad:df:f3:e9:99:ed:c5:d7:aa:93:13:37:ff:47:aa:
+                    f3:c5:89:f7:b7:ad:3a:47:e5:9c:4e:9f:8c:e2:41:
+                    ed:a4:7c:9d:88:32:ae:f5:8a:84:9f:0c:18:a0:b3:
+                    fe:8e:dc:2a:88:6a:f5:2f:9c:86:92:fa:7b:6e:b3:
+                    5a:78:67:53:0b:21:6c:0d:6c:80:1a:0e:1e:ee:06:
+                    c4:d2:e7:24:c6:e5:74:be:1e:2e:17:55:2b:e5:9f:
+                    0b:a0:58:cc:fe:bf:53:37:f7:dc:95:88:f4:77:a6:
+                    59:b4:b8:7c:a2:4b:b7:6a:67:aa:84:dc:29:f1:f9:
+                    d7:89:05:4d:0b:f3:8b:2d:52:99:57:ed:6f:11:9e:
+                    af:28:a3:61:44:c2:ec:6e:7f:9f:3d:0b:dc:f7:19:
+                    6d:14:8a:a5:b8:b6:29:02:34:90:b4:96:c1:cb:a7:
+                    42:46:97:cf:8d:59:fd:17:b1:a6:27:a7:7b:8a:47:
+                    6f:fa:03:24:1c:12:25:ee:34:d6:5c:da:45:98:23:
+                    30:e1:48:c9:9a:df:37:aa:1b:70:6c:b2:0f:95:39:
+                    d6:6d:3e:25:20:a8:07:2c:48:57:0c:99:52:cb:89:
+                    08:41
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                75:55:E2:8E:E7:AD:A5:DD:80:3D:C9:33:0B:2C:A2:57:77:ED:15:AC
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:8888/
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        1f:c6:fc:1c:a1:a5:6d:76:f0:7d:28:1f:e1:15:ab:86:e0:c3:
+        dd:a0:17:96:0a:c0:16:32:52:37:a4:b6:ad:24:d7:fd:3c:01:
+        34:3b:a9:a2:ea:81:05:e7:06:5f:a3:af:7b:fa:b2:a9:c3:63:
+        89:bb:0c:70:48:e9:73:cc:33:64:cd:b3:71:88:d1:d1:a1:5a:
+        22:a6:ed:03:46:8e:9a:c0:92:37:46:9b:e5:37:78:a5:43:d5:
+        46:99:1b:34:40:27:8f:95:dd:c6:9a:55:d9:60:25:8d:b8:e9:
+        6e:c9:b3:ee:e8:f0:d9:11:ef:4e:ae:1e:03:70:03:60:66:fd:
+        ab:b0:f4:74:b6:27:7c:7a:96:9d:86:58:5f:5c:d3:04:ab:16:
+        57:12:53:51:c7:93:ca:0b:4e:67:27:2d:b7:20:79:b6:b7:8c:
+        e7:c3:d9:25:5e:25:63:cf:93:f0:6e:31:c0:d5:4f:05:1c:8d:
+        14:1b:6a:d5:01:b6:7a:09:6f:38:f3:e5:e2:5a:e4:e2:42:d5:
+        8a:8d:de:ef:73:25:85:3c:e3:a9:ef:f7:f7:23:4f:d3:27:c2:
+        3a:c6:c0:6f:2a:9b:1e:fe:fc:31:73:10:e1:08:62:98:2b:6d:
+        2f:cc:ab:dd:3a:65:c2:00:7f:29:18:32:cd:8f:56:a9:1d:86:
+        f1:5e:60:55
+-----BEGIN CERTIFICATE-----
+MIIECTCCAvGgAwIBAgIUPNcW+xWZgU5T+IB8tnx3pgakPuowDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE5
+MDE0M1oXDTMzMDQyODE5MDE0M1owWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJ
+bnRlcm1lZGlhdGUgQ0EgMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ANpf/x33jRqemvMraI/BDDMGQQDJPuQa4eBwavUvrd/z6ZntxdeqkxM3/0eq88WJ
+97etOkflnE6fjOJB7aR8nYgyrvWKhJ8MGKCz/o7cKohq9S+chpL6e26zWnhnUwsh
+bA1sgBoOHu4GxNLnJMbldL4eLhdVK+WfC6BYzP6/Uzf33JWI9HemWbS4fKJLt2pn
+qoTcKfH514kFTQvziy1SmVftbxGeryijYUTC7G5/nz0L3PcZbRSKpbi2KQI0kLSW
+wcunQkaXz41Z/Rexpiene4pHb/oDJBwSJe401lzaRZgjMOFIyZrfN6obcGyyD5U5
+1m0+JSCoByxIVwyZUsuJCEECAwEAAaOB0DCBzTAdBgNVHQ4EFgQUdVXijuetpd2A
+PckzCyyiV3ftFawwHwYDVR0jBBgwFoAUwxJCuqnYTeDDPrrXR0GmCS9ttOEwEgYD
+VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwMwYDVR0fBCwwKjAooCag
+JIYiaHR0cDovLzEyNy4wLjAuMTo4ODg4L3Jvb3RfY3JsLmRlcjAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6ODg4OC8wDQYJKoZI
+hvcNAQELBQADggEBAB/G/ByhpW128H0oH+EVq4bgw92gF5YKwBYyUjektq0k1/08
+ATQ7qaLqgQXnBl+jr3v6sqnDY4m7DHBI6XPMM2TNs3GI0dGhWiKm7QNGjprAkjdG
+m+U3eKVD1UaZGzRAJ4+V3caaVdlgJY246W7Js+7o8NkR706uHgNwA2Bm/auw9HS2
+J3x6lp2GWF9c0wSrFlcSU1HHk8oLTmcnLbcgeba3jOfD2SVeJWPPk/BuMcDVTwUc
+jRQbatUBtnoJbzjz5eJa5OJC1YqN3u9zJYU846nv9/cjT9MnwjrGwG8qmx7+/DFz
+EOEIYpgrbS/Mq906ZcIAfykYMs2PVqkdhvFeYFU=
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/client2/UserB2_cert.pem b/test/configs/certs/ocsp_peer/mini-ca/client2/UserB2_cert.pem
new file mode 100644
index 000000000..a76cdf8c3
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/client2/UserB2_cert.pem
@@ -0,0 +1,97 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            1e:dc:a2:b9:fd:aa:6e:73:ae:1c:7d:8d:13:73:d1:cd:16:bb:40:90
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 2
+        Validity
+            Not Before: May  1 19:40:31 2023 GMT
+            Not After : Apr 28 19:40:31 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=UserB2
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:b2:1d:92:83:be:0f:40:5c:b8:34:93:66:28:ea:
+                    d3:85:1e:ec:66:e3:97:d0:fe:a7:2d:2c:89:c4:aa:
+                    e0:ff:62:a2:8b:19:19:8a:1f:bb:a9:24:2f:a8:a1:
+                    16:95:a7:5b:42:65:2f:03:27:12:ac:44:fb:2f:e0:
+                    9b:19:52:32:a7:db:83:d0:1a:d6:36:d7:b7:40:0e:
+                    85:c6:a7:75:5c:d1:71:a9:99:d3:da:2b:70:f9:9e:
+                    9d:0b:a8:35:bc:3c:7f:24:1e:b5:2e:83:31:07:c9:
+                    9b:4a:0e:a3:32:36:bd:a6:2c:55:79:f8:71:66:6a:
+                    2a:8f:f9:f9:67:b0:06:21:e4:2a:02:44:b6:39:84:
+                    18:7a:00:5e:34:36:f4:61:0d:11:a9:e2:0c:b8:05:
+                    ed:67:97:bc:29:e7:69:ac:48:6e:fb:78:e9:3b:38:
+                    e3:db:09:cb:22:0f:9a:57:1c:cc:06:f1:f7:44:66:
+                    d0:01:c4:c1:14:65:29:e5:cf:19:26:73:c9:8a:5c:
+                    2b:25:a9:d1:c6:3e:d8:4d:f5:f3:67:c7:23:b9:7b:
+                    2b:f5:97:28:89:81:99:9d:82:45:21:27:f4:ca:86:
+                    02:22:2f:26:4b:61:8a:cb:76:fb:b1:7b:4c:42:b6:
+                    25:e8:3e:cb:ab:2c:60:a7:a3:82:fb:ef:05:59:03:
+                    a5:5b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                C6:25:DB:6C:4E:18:89:96:67:30:E8:5F:EC:0C:03:70:A4:4C:07:98
+            X509v3 Authority Key Identifier: 
+                75:55:E2:8E:E7:AD:A5:DD:80:3D:C9:33:0B:2C:A2:57:77:ED:15:AC
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Client, S/MIME
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication, E-mail Protection
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:28888/intermediate2_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:28888/
+            X509v3 Subject Alternative Name: 
+                email:UserB2@user.net
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        7d:93:8d:17:4b:fe:9e:5d:d0:4e:c3:47:dc:6c:05:1b:10:7f:
+        9d:24:75:ea:30:27:c3:b1:26:2c:38:c3:c9:18:ec:21:d2:ef:
+        07:b2:d4:f9:2e:a1:a2:1a:a5:68:cb:1a:14:55:7f:82:05:8a:
+        a3:0d:11:f0:ed:f2:e2:c0:e3:6a:1c:76:42:01:92:68:2b:f7:
+        4d:98:ae:7b:02:f1:36:2e:44:67:43:39:8e:08:91:f1:f0:ab:
+        9c:84:df:08:80:bf:76:6b:37:3f:e8:70:e0:d6:27:73:e9:bc:
+        49:1f:c2:4a:15:51:22:c6:f3:85:52:e3:a6:93:aa:f6:c9:b4:
+        96:f2:09:e6:62:53:0e:87:76:fd:7a:38:69:e2:41:54:c5:51:
+        6e:cf:bc:1a:7b:0a:ef:c6:6e:be:b5:72:4d:f4:6f:fd:a5:a8:
+        ba:23:15:80:fa:b6:37:8d:68:d8:3e:36:c5:ae:f6:6c:22:a0:
+        00:0d:93:e1:ae:41:9a:d7:35:d0:ab:98:71:1b:6b:8d:da:78:
+        65:3c:97:be:9c:9e:d7:32:a1:0c:2b:60:ac:74:18:18:e4:48:
+        87:40:dd:bf:eb:0e:27:17:96:a1:aa:32:a9:58:b5:ee:fc:42:
+        7e:d7:71:a4:8e:a0:5b:06:6f:f1:85:27:8c:6b:20:df:e0:6b:
+        13:5f:cf:4c
+-----BEGIN CERTIFICATE-----
+MIIEXTCCA0WgAwIBAgIUHtyiuf2qbnOuHH2NE3PRzRa7QJAwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJbnRlcm1lZGlhdGUgQ0EgMjAe
+Fw0yMzA1MDExOTQwMzFaFw0zMzA0MjgxOTQwMzFaME8xCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJXQTEPMA0GA1UEBwwGVGFjb21hMREwDwYDVQQKDAhUZXN0bmF0czEP
+MA0GA1UEAwwGVXNlckIyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+sh2Sg74PQFy4NJNmKOrThR7sZuOX0P6nLSyJxKrg/2KiixkZih+7qSQvqKEWladb
+QmUvAycSrET7L+CbGVIyp9uD0BrWNte3QA6Fxqd1XNFxqZnT2itw+Z6dC6g1vDx/
+JB61LoMxB8mbSg6jMja9pixVefhxZmoqj/n5Z7AGIeQqAkS2OYQYegBeNDb0YQ0R
+qeIMuAXtZ5e8KedprEhu+3jpOzjj2wnLIg+aVxzMBvH3RGbQAcTBFGUp5c8ZJnPJ
+ilwrJanRxj7YTfXzZ8cjuXsr9ZcoiYGZnYJFISf0yoYCIi8mS2GKy3b7sXtMQrYl
+6D7Lqyxgp6OC++8FWQOlWwIDAQABo4IBJDCCASAwHQYDVR0OBBYEFMYl22xOGImW
+ZzDoX+wMA3CkTAeYMB8GA1UdIwQYMBaAFHVV4o7nraXdgD3JMwssold37RWsMAwG
+A1UdEwEB/wQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMA4GA1UdDwEB/wQEAwIF4DAd
+BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwPQYDVR0fBDYwNDAyoDCgLoYs
+aHR0cDovLzEyNy4wLjAuMToyODg4OC9pbnRlcm1lZGlhdGUyX2NybC5kZXIwMwYI
+KwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8vMTI3LjAuMC4xOjI4ODg4
+LzAaBgNVHREEEzARgQ9Vc2VyQjJAdXNlci5uZXQwDQYJKoZIhvcNAQELBQADggEB
+AH2TjRdL/p5d0E7DR9xsBRsQf50kdeowJ8OxJiw4w8kY7CHS7wey1PkuoaIapWjL
+GhRVf4IFiqMNEfDt8uLA42ocdkIBkmgr902YrnsC8TYuRGdDOY4IkfHwq5yE3wiA
+v3ZrNz/ocODWJ3PpvEkfwkoVUSLG84VS46aTqvbJtJbyCeZiUw6Hdv16OGniQVTF
+UW7PvBp7Cu/Gbr61ck30b/2lqLojFYD6tjeNaNg+NsWu9mwioAANk+GuQZrXNdCr
+mHEba43aeGU8l76cntcyoQwrYKx0GBjkSIdA3b/rDicXlqGqMqlYte78Qn7XcaSO
+oFsGb/GFJ4xrIN/gaxNfz0w=
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/client2/certfile.pem b/test/configs/certs/ocsp_peer/mini-ca/client2/certfile.pem
new file mode 100644
index 000000000..a25efa0b7
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/client2/certfile.pem
@@ -0,0 +1,175 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            3c:d7:16:fb:15:99:81:4e:53:f8:80:7c:b6:7c:77:a6:06:a4:3e:ea
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 19:01:43 2023 GMT
+            Not After : Apr 28 19:01:43 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 2
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:da:5f:ff:1d:f7:8d:1a:9e:9a:f3:2b:68:8f:c1:
+                    0c:33:06:41:00:c9:3e:e4:1a:e1:e0:70:6a:f5:2f:
+                    ad:df:f3:e9:99:ed:c5:d7:aa:93:13:37:ff:47:aa:
+                    f3:c5:89:f7:b7:ad:3a:47:e5:9c:4e:9f:8c:e2:41:
+                    ed:a4:7c:9d:88:32:ae:f5:8a:84:9f:0c:18:a0:b3:
+                    fe:8e:dc:2a:88:6a:f5:2f:9c:86:92:fa:7b:6e:b3:
+                    5a:78:67:53:0b:21:6c:0d:6c:80:1a:0e:1e:ee:06:
+                    c4:d2:e7:24:c6:e5:74:be:1e:2e:17:55:2b:e5:9f:
+                    0b:a0:58:cc:fe:bf:53:37:f7:dc:95:88:f4:77:a6:
+                    59:b4:b8:7c:a2:4b:b7:6a:67:aa:84:dc:29:f1:f9:
+                    d7:89:05:4d:0b:f3:8b:2d:52:99:57:ed:6f:11:9e:
+                    af:28:a3:61:44:c2:ec:6e:7f:9f:3d:0b:dc:f7:19:
+                    6d:14:8a:a5:b8:b6:29:02:34:90:b4:96:c1:cb:a7:
+                    42:46:97:cf:8d:59:fd:17:b1:a6:27:a7:7b:8a:47:
+                    6f:fa:03:24:1c:12:25:ee:34:d6:5c:da:45:98:23:
+                    30:e1:48:c9:9a:df:37:aa:1b:70:6c:b2:0f:95:39:
+                    d6:6d:3e:25:20:a8:07:2c:48:57:0c:99:52:cb:89:
+                    08:41
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                75:55:E2:8E:E7:AD:A5:DD:80:3D:C9:33:0B:2C:A2:57:77:ED:15:AC
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:8888/
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        1f:c6:fc:1c:a1:a5:6d:76:f0:7d:28:1f:e1:15:ab:86:e0:c3:
+        dd:a0:17:96:0a:c0:16:32:52:37:a4:b6:ad:24:d7:fd:3c:01:
+        34:3b:a9:a2:ea:81:05:e7:06:5f:a3:af:7b:fa:b2:a9:c3:63:
+        89:bb:0c:70:48:e9:73:cc:33:64:cd:b3:71:88:d1:d1:a1:5a:
+        22:a6:ed:03:46:8e:9a:c0:92:37:46:9b:e5:37:78:a5:43:d5:
+        46:99:1b:34:40:27:8f:95:dd:c6:9a:55:d9:60:25:8d:b8:e9:
+        6e:c9:b3:ee:e8:f0:d9:11:ef:4e:ae:1e:03:70:03:60:66:fd:
+        ab:b0:f4:74:b6:27:7c:7a:96:9d:86:58:5f:5c:d3:04:ab:16:
+        57:12:53:51:c7:93:ca:0b:4e:67:27:2d:b7:20:79:b6:b7:8c:
+        e7:c3:d9:25:5e:25:63:cf:93:f0:6e:31:c0:d5:4f:05:1c:8d:
+        14:1b:6a:d5:01:b6:7a:09:6f:38:f3:e5:e2:5a:e4:e2:42:d5:
+        8a:8d:de:ef:73:25:85:3c:e3:a9:ef:f7:f7:23:4f:d3:27:c2:
+        3a:c6:c0:6f:2a:9b:1e:fe:fc:31:73:10:e1:08:62:98:2b:6d:
+        2f:cc:ab:dd:3a:65:c2:00:7f:29:18:32:cd:8f:56:a9:1d:86:
+        f1:5e:60:55
+-----BEGIN CERTIFICATE-----
+MIIECTCCAvGgAwIBAgIUPNcW+xWZgU5T+IB8tnx3pgakPuowDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE5
+MDE0M1oXDTMzMDQyODE5MDE0M1owWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJ
+bnRlcm1lZGlhdGUgQ0EgMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ANpf/x33jRqemvMraI/BDDMGQQDJPuQa4eBwavUvrd/z6ZntxdeqkxM3/0eq88WJ
+97etOkflnE6fjOJB7aR8nYgyrvWKhJ8MGKCz/o7cKohq9S+chpL6e26zWnhnUwsh
+bA1sgBoOHu4GxNLnJMbldL4eLhdVK+WfC6BYzP6/Uzf33JWI9HemWbS4fKJLt2pn
+qoTcKfH514kFTQvziy1SmVftbxGeryijYUTC7G5/nz0L3PcZbRSKpbi2KQI0kLSW
+wcunQkaXz41Z/Rexpiene4pHb/oDJBwSJe401lzaRZgjMOFIyZrfN6obcGyyD5U5
+1m0+JSCoByxIVwyZUsuJCEECAwEAAaOB0DCBzTAdBgNVHQ4EFgQUdVXijuetpd2A
+PckzCyyiV3ftFawwHwYDVR0jBBgwFoAUwxJCuqnYTeDDPrrXR0GmCS9ttOEwEgYD
+VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwMwYDVR0fBCwwKjAooCag
+JIYiaHR0cDovLzEyNy4wLjAuMTo4ODg4L3Jvb3RfY3JsLmRlcjAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6ODg4OC8wDQYJKoZI
+hvcNAQELBQADggEBAB/G/ByhpW128H0oH+EVq4bgw92gF5YKwBYyUjektq0k1/08
+ATQ7qaLqgQXnBl+jr3v6sqnDY4m7DHBI6XPMM2TNs3GI0dGhWiKm7QNGjprAkjdG
+m+U3eKVD1UaZGzRAJ4+V3caaVdlgJY246W7Js+7o8NkR706uHgNwA2Bm/auw9HS2
+J3x6lp2GWF9c0wSrFlcSU1HHk8oLTmcnLbcgeba3jOfD2SVeJWPPk/BuMcDVTwUc
+jRQbatUBtnoJbzjz5eJa5OJC1YqN3u9zJYU846nv9/cjT9MnwjrGwG8qmx7+/DFz
+EOEIYpgrbS/Mq906ZcIAfykYMs2PVqkdhvFeYFU=
+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            27:5e:cf:7e:be:aa:02:b9:a9:c7:42:30:43:fe:0e:80:05:91:dd:0b
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 18:57:57 2023 GMT
+            Not After : Apr 28 18:57:57 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:e2:21:6b:9f:ef:48:b9:de:22:fb:5b:37:09:68:
+                    c7:b5:92:57:52:24:ef:85:00:e8:71:85:4d:0f:5b:
+                    8c:c6:e7:4f:19:f6:e3:0b:70:a3:41:7e:71:d4:0f:
+                    d6:fd:f2:1a:ca:aa:57:91:76:9a:b2:82:62:60:ce:
+                    f2:00:2e:d4:bc:58:d3:60:30:42:a6:28:b2:50:7b:
+                    58:01:9f:fb:0a:65:b0:40:d6:7c:e2:b7:da:8d:19:
+                    d9:a5:51:d2:46:7e:14:46:ab:fa:df:ce:fe:84:08:
+                    98:63:46:1d:4d:8a:77:57:67:da:16:8b:32:0c:7c:
+                    41:e2:a5:ec:ee:7d:20:28:eb:03:5f:f5:e6:05:d8:
+                    8b:96:78:6f:ae:29:9a:50:f7:dc:96:31:86:81:b1:
+                    78:e8:eb:ef:5d:bb:ed:42:ec:94:c6:54:46:ec:05:
+                    6f:1b:0c:36:24:c6:a8:06:7e:5c:56:b8:43:3b:11:
+                    f4:06:0a:05:15:19:3b:1f:c8:67:31:eb:3b:5b:2a:
+                    15:0a:7b:f9:6b:e4:10:ee:44:be:19:d8:db:44:01:
+                    fa:3a:56:f5:6c:4e:f3:60:aa:e4:cd:b2:ad:77:07:
+                    45:ef:f1:d7:f5:fa:52:84:5c:03:4e:72:e0:a9:91:
+                    c5:d9:d6:0a:84:33:98:31:f2:02:5b:3f:10:15:65:
+                    76:d7
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        22:79:1a:b9:5d:fa:f5:c9:a3:88:22:c4:92:e6:64:6d:ce:a5:
+        ae:2e:69:48:6a:9e:d5:11:c5:bb:b0:de:38:1b:5b:04:85:60:
+        d6:64:14:ed:c2:62:02:7d:ad:d2:17:ad:ef:40:27:2b:50:59:
+        4a:ff:88:c6:b3:16:5c:55:30:d9:23:bd:4f:0f:34:b7:7b:ed:
+        7a:e1:f3:39:35:e9:18:6d:70:b1:2b:2a:e2:e5:cd:a1:54:8a:
+        f9:f4:95:81:29:84:3f:95:2f:48:e0:35:3e:d9:cb:84:4d:3d:
+        3e:3c:0e:8d:24:42:5f:19:e6:06:a5:87:ae:ba:af:07:02:e7:
+        6a:83:0a:89:d4:a4:38:ce:05:6e:f6:15:f1:7a:53:bb:50:28:
+        89:51:3f:f2:54:f1:d3:c4:28:07:a1:3e:55:e5:84:b8:df:58:
+        af:c3:e7:81:c2:08:9c:35:e4:c4:86:75:a8:17:99:2c:a6:7f:
+        46:30:9b:23:55:c5:d8:e2:6a:e4:08:a1:8b:dc:bc:5b:86:95:
+        4a:79:fe:a6:93:3d:1a:5b:10:9a:2f:6a:45:2f:5d:c9:fa:95:
+        2e:66:eb:52:df:88:a7:5f:42:8f:5f:46:07:79:8b:a7:49:82:
+        d3:81:c6:3e:c2:5a:15:c4:83:69:30:49:4d:6e:ea:05:1e:d8:
+        dc:29:ac:17
+-----BEGIN CERTIFICATE-----
+MIIDyDCCArCgAwIBAgIUJ17Pfr6qArmpx0IwQ/4OgAWR3QswDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE4
+NTc1N1oXDTMzMDQyODE4NTc1N1owUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdS
+b290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4iFrn+9Iud4i
++1s3CWjHtZJXUiTvhQDocYVND1uMxudPGfbjC3CjQX5x1A/W/fIayqpXkXaasoJi
+YM7yAC7UvFjTYDBCpiiyUHtYAZ/7CmWwQNZ84rfajRnZpVHSRn4URqv6387+hAiY
+Y0YdTYp3V2faFosyDHxB4qXs7n0gKOsDX/XmBdiLlnhvrimaUPfcljGGgbF46Ovv
+XbvtQuyUxlRG7AVvGww2JMaoBn5cVrhDOxH0BgoFFRk7H8hnMes7WyoVCnv5a+QQ
+7kS+GdjbRAH6Olb1bE7zYKrkzbKtdwdF7/HX9fpShFwDTnLgqZHF2dYKhDOYMfIC
+Wz8QFWV21wIDAQABo4GZMIGWMB0GA1UdDgQWBBTDEkK6qdhN4MM+utdHQaYJL220
+4TAfBgNVHSMEGDAWgBTDEkK6qdhN4MM+utdHQaYJL2204TAPBgNVHRMBAf8EBTAD
+AQH/MA4GA1UdDwEB/wQEAwIBhjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vMTI3
+LjAuMC4xOjg4ODgvcm9vdF9jcmwuZGVyMA0GCSqGSIb3DQEBCwUAA4IBAQAieRq5
+Xfr1yaOIIsSS5mRtzqWuLmlIap7VEcW7sN44G1sEhWDWZBTtwmICfa3SF63vQCcr
+UFlK/4jGsxZcVTDZI71PDzS3e+164fM5NekYbXCxKyri5c2hVIr59JWBKYQ/lS9I
+4DU+2cuETT0+PA6NJEJfGeYGpYeuuq8HAudqgwqJ1KQ4zgVu9hXxelO7UCiJUT/y
+VPHTxCgHoT5V5YS431ivw+eBwgicNeTEhnWoF5kspn9GMJsjVcXY4mrkCKGL3Lxb
+hpVKef6mkz0aWxCaL2pFL13J+pUuZutS34inX0KPX0YHeYunSYLTgcY+wloVxINp
+MElNbuoFHtjcKawX
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/client2/private/UserB1_keypair.pem b/test/configs/certs/ocsp_peer/mini-ca/client2/private/UserB1_keypair.pem
new file mode 100644
index 000000000..1b2df180c
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/client2/private/UserB1_keypair.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6GWWrPy7yepPq
+BuuimsW5IGYudBuUWkMcjCJyAHktIBjjSjWm34pYM3MsKCDn2YXs9YGuRERVZmXW
+tXhxxNjCe0wtixi2hvxQwH62bvd2wDBsZwlTLYeY1tTYs6mARZN/Mz9BKnDz4d+g
+hWRLJeSR6ebIw6A+s++XH66dRIQ1JiZODHodx++2Ro2CuLAY+yV3BCCM2q/6nqKw
+Z7amW9eVpTw+drQ3SkiYNJad0v82avQqzYWz43F0D+Al8QbLnVP8tF3EjXoLvRbu
+XFghrUk0n54bbfZHUh+gdAD+PE1fTFojStVM/z9CXYXf9jsyxMpL0J1LnoamZES4
+riQa9GZrAgMBAAECggEAAVnSLX+MajFnQj3our9FMrZSGx4bbAhQz9dndUWc1HT4
+d4AgPFpAfqpof6vVycHx2jSnILhuseJykSGzwoHgynrVpI82T6f9EzhRmkLbK1Y5
+6t6jC9uwXDvv37RgYcW02o1avD8VdHtN+qXtO4Db22P1p7zeA6LzSscmmLjf4QcY
+15O5DFUsVD6jfjI+edTKY4OgqblwD/t5EqApBI/KhAypSRD/NDzKdtHZO+K3eJW0
+apznw5wrzPVX1xk4p+1LnM5nLBRnwECqRyzlmxjX3rJr7tVVWqOkTHs807wK+7AW
+o9rujmS/J8I86BtZdj938VGVyuyqhJndANF8rOh6nQKBgQD09ZFmj/SMIeJIa2Xj
+MiK1JMU1rcr2h8NxYhQqZV/sj8TD+Sm/ljCDDClqyo5wAvBdIkFO689sIDEFT1W1
+vUOnE8xa4kkoSf4TVADiGAt4aLHiPiRAoX0aPqgBSy9IcXg7p/iG5qFLp72CNEFg
+3vM5vgjX+xio42Hqdo6+ruE1pwKBgQDCfK4KpR2BAv6dbuGNF8qZHWkgBDpSSlug
+WMEZe6c9l44EAIHgJNr4nBviVZTZAHD+H5qSC8STQ6Y4ccOZYnG4dGxAztKYnX9Z
+T6R+zOkisK+Zhq9noj8veBwS6F2fGTL7cagBkj2q3SveagGtutkV6kOKUw5uu8dI
+GnSxaiNpnQKBgQDrzURlVWgUST3ZdsECvq1YcIgCj0TUooYKLF67HREE2LSR7dU5
+XytdyyRHb6tDuiCFlscFYMwwCqEFuoQISaPJPq62QiQoS2nwUynyezD3fNjXr/gX
+2xxhWjVB4Y0nkEssKhp8SaC1AkjUANd6l8PNLti2iDkJwrDsEaqBdjjG+wKBgAVM
+Eg12K9SMuVSeZYRLRphfBbL6ioAdSFuYr0G7bXWvAA452U+6kUA+OEA05oX2jh1N
+zQ73RRZhvFBDQPmXhdNpUF1/hJrlh0dudOODP0JTn6TF11cyQxhO5CzbqVkg/ZN9
+p/7K9eUGeyBmsL8DnNAM/mPxGS6I7MeY+N6wLmC9AoGBAPL97OOwtkfCqCXBzIua
+eNFIPvW8cKEM1ggxUPGar36TuaKnDt8bdGL3/ZEAD28XMGCbUwo99WrW0J4r9b95
+Rrs1FzUW9iVIqB+4W35lMfSbFOC/2GsSUf95ANT4wihu2QbVQU7iqjXw+w8ZN9Vx
+Qkiwv6M/K0lzm6Q1H1pb7urx
+-----END PRIVATE KEY-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/client2/private/UserB2_keypair.pem b/test/configs/certs/ocsp_peer/mini-ca/client2/private/UserB2_keypair.pem
new file mode 100644
index 000000000..587c4544a
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/client2/private/UserB2_keypair.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCyHZKDvg9AXLg0
+k2Yo6tOFHuxm45fQ/qctLInEquD/YqKLGRmKH7upJC+ooRaVp1tCZS8DJxKsRPsv
+4JsZUjKn24PQGtY217dADoXGp3Vc0XGpmdPaK3D5np0LqDW8PH8kHrUugzEHyZtK
+DqMyNr2mLFV5+HFmaiqP+flnsAYh5CoCRLY5hBh6AF40NvRhDRGp4gy4Be1nl7wp
+52msSG77eOk7OOPbCcsiD5pXHMwG8fdEZtABxMEUZSnlzxkmc8mKXCslqdHGPthN
+9fNnxyO5eyv1lyiJgZmdgkUhJ/TKhgIiLyZLYYrLdvuxe0xCtiXoPsurLGCno4L7
+7wVZA6VbAgMBAAECggEACzGbuulEMPd1DwetATtNZTbHBOoMe3vVj0A7dEiIXokG
+zc2tl10Td26EVEBFvTpI5YiaqwzElYNMTo2M7TjizvTynZyGusPnisl6SoWoh0U5
+2HWIAHkSKCAww1RbGL+HbEuO5Wy3R7FMC0C6PuQPP3Bo+swVnqn1s6wf88U/zWml
+Nthu0uQSj+pxW4tK/p7IoUVBnSqKExODDLG4LpO3meSaZIr36wC6bJZ8w8lZfRBy
+DkPJu9NNknL6qSoVGozLzgtg1//yCkU+LX0OcDgTNeup5DlA08jglQY8p3Xo3FPn
+evofoPvDnku4H1gCXT/djERRSlPdcGPEcy7xMQx12QKBgQDqdoL8hkp/DUzoKZyM
+u2Vud5E1jULal3SmRB1XFzqxEiFsAT6UBH2feVweBOKTjLBqIuC+teQ+JgC5TsYP
+CGbclQG/XBTYzOPfn3bBJWS4j7Jd68uXDQvkM9+RroFVaCXn75UGWEMqcbtgTNyU
+wUrAVgfTtz07iHf2oUy+IreW7wKBgQDCegdlOojhn4juC+B5ROJHXzwI1qEznpJa
+ftI7RERUbDFRIaucwvI6y95nduIRORO1bzpBhHZzJDPNBhZZya9wkaLElXktgi1Z
+IwF6eb3m/FtOxx7DtI9daCVsuZsoPEw08NJq6UYQqeauaJ3LM5rDSMX0DN3V//2m
+7tULbZn4VQKBgQCT4dwMWsdyC3mOlXBgc3IuksvL8yVPqmew1xWKcORb+wuJi99k
+jNCPXYR0irA+UGaVCxqmLyOe72lVeBIEOVBnoLRRdkrP06uGyJWmjWdR4ZCnHKp0
+w43UicNhp6d7rwz5lWtxbQowIzwEKXaXfLMhTSHyr4i3nAPOUz6MTmltkQKBgB6z
+ePtoFDfaIZnC0jsSvs4ZoLace3JUtDIJF1M34bmaIub188uZkvfpO0EGKYYihpP7
+7SxupuxiaLMTJPAjwMh6lUGHf0vJ4zLRLeiR04Llj9yN3rNyi7dpO49AddgSPM2W
+vwEVtnPm/n3GEjMEAIiXsnhml5azBO4XghZ9xPLJAoGBALctm1sK8MdawZ+cnc1i
+4P3VP2/nzGeODF29MbJefYrg0hlKHZSfKsWMKg3Dk9jDUplwsVjK5oBgN1vg/zOV
+ysTtyn1q/RBbe96lYkPHzdYPWDD5Rg80/t0n6jItTOQr6QCshDLrMB3bruIQz7V9
+6PPhzvdQu3v3e07wrKDa1F3t
+-----END PRIVATE KEY-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/intermediate1/intermediate1_cert.pem b/test/configs/certs/ocsp_peer/mini-ca/intermediate1/intermediate1_cert.pem
new file mode 100644
index 000000000..53786eb14
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/intermediate1/intermediate1_cert.pem
@@ -0,0 +1,89 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            55:57:db:45:43:06:ce:52:63:59:b9:5a:26:78:fd:0d:94:68:95:9c
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 19:01:15 2023 GMT
+            Not After : Apr 28 19:01:15 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:bc:c6:84:2d:c2:ab:5d:05:d7:65:a8:e2:15:74:
+                    d8:f2:f1:55:11:45:93:96:4c:a5:dc:cb:44:f5:f4:
+                    14:7e:46:02:59:e8:ae:78:59:69:21:58:f7:16:38:
+                    b9:c2:c2:60:d8:76:ab:a1:39:ba:0b:a3:03:17:e4:
+                    a1:cb:5d:1a:0c:62:71:24:64:b0:00:f0:6f:4c:af:
+                    08:62:8c:dc:4f:e0:d7:d4:55:2c:db:36:fc:a9:aa:
+                    d7:58:27:e4:99:cb:dc:29:d9:ea:35:16:cb:2e:be:
+                    04:b2:82:58:f4:e5:5c:07:db:12:8e:e3:3c:9a:5e:
+                    90:4b:c5:a3:d4:21:96:5f:e1:8f:f7:cb:9e:db:e0:
+                    10:a0:6c:a2:1e:30:17:6c:32:9f:7b:43:a4:9f:d3:
+                    6b:33:1b:18:cd:a4:ad:33:48:a3:98:b0:2b:c8:22:
+                    74:17:71:d8:f1:64:21:55:e1:33:bc:7f:74:5f:a5:
+                    a6:a2:9b:58:2f:db:ed:c7:c1:e5:36:2e:86:26:ad:
+                    c6:fe:b8:00:85:6e:7c:ed:fd:4a:c6:a0:d9:b2:3f:
+                    4e:bd:fa:08:52:c8:5d:31:13:86:bd:3f:ec:7a:d8:
+                    3a:15:e2:71:af:ec:00:88:7e:a6:e8:e1:9d:ab:57:
+                    5a:8a:1f:f8:e2:4d:29:58:53:79:25:f0:9e:d9:18:
+                    40:27
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                B5:91:6E:4F:64:B7:16:84:76:F9:B4:BE:99:CE:60:95:98:1A:8E:9D
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:8888/
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        b1:48:16:3b:d7:91:d0:4d:54:09:cb:ab:c7:41:4f:35:12:8b:
+        a6:e8:84:11:49:a9:04:91:41:25:7c:02:38:b2:19:a0:e9:2e:
+        d5:d6:7a:26:c1:1a:f8:f1:c6:51:92:68:af:c8:6e:5b:df:28:
+        40:b8:99:94:d5:43:7d:e3:68:75:94:26:56:11:21:9e:50:b3:
+        36:7b:f8:5f:33:76:64:71:04:26:2b:bb:2c:83:33:89:ba:74:
+        c1:e9:9d:eb:c0:86:4b:4d:6f:f8:4d:55:5a:3d:f6:55:95:33:
+        0f:b8:f0:53:2b:93:a6:da:8d:5c:1a:e8:30:22:55:67:44:6e:
+        17:c4:57:05:0d:ce:fc:61:dd:b1:3c:b0:66:55:f4:42:d0:ce:
+        94:7d:6a:82:bd:32:ed:2f:21:ff:c7:70:ff:48:9d:10:4a:71:
+        be:a8:37:e5:0f:f4:79:1e:7d:a2:f1:6a:6b:2c:e8:03:20:ce:
+        80:94:d2:38:80:bc:7e:56:c5:77:62:94:c0:b7:40:11:4d:ba:
+        98:4b:2e:52:03:66:68:36:ab:d1:0f:3e:b5:92:a3:95:9d:a4:
+        ea:d3:8a:14:41:6d:86:24:89:aa:d7:29:20:c8:52:d5:bf:8d:
+        3b:09:52:dd:89:8c:2c:85:40:b5:9f:cc:47:63:ca:3a:e0:c9:
+        91:5c:43:a9
+-----BEGIN CERTIFICATE-----
+MIIECTCCAvGgAwIBAgIUVVfbRUMGzlJjWblaJnj9DZRolZwwDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE5
+MDExNVoXDTMzMDQyODE5MDExNVowWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJ
+bnRlcm1lZGlhdGUgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALzGhC3Cq10F12Wo4hV02PLxVRFFk5ZMpdzLRPX0FH5GAlnornhZaSFY9xY4ucLC
+YNh2q6E5ugujAxfkoctdGgxicSRksADwb0yvCGKM3E/g19RVLNs2/Kmq11gn5JnL
+3CnZ6jUWyy6+BLKCWPTlXAfbEo7jPJpekEvFo9Qhll/hj/fLntvgEKBsoh4wF2wy
+n3tDpJ/TazMbGM2krTNIo5iwK8gidBdx2PFkIVXhM7x/dF+lpqKbWC/b7cfB5TYu
+hiatxv64AIVufO39Ssag2bI/Tr36CFLIXTEThr0/7HrYOhXica/sAIh+pujhnatX
+Woof+OJNKVhTeSXwntkYQCcCAwEAAaOB0DCBzTAdBgNVHQ4EFgQUtZFuT2S3FoR2
++bS+mc5glZgajp0wHwYDVR0jBBgwFoAUwxJCuqnYTeDDPrrXR0GmCS9ttOEwEgYD
+VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwMwYDVR0fBCwwKjAooCag
+JIYiaHR0cDovLzEyNy4wLjAuMTo4ODg4L3Jvb3RfY3JsLmRlcjAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6ODg4OC8wDQYJKoZI
+hvcNAQELBQADggEBALFIFjvXkdBNVAnLq8dBTzUSi6bohBFJqQSRQSV8AjiyGaDp
+LtXWeibBGvjxxlGSaK/IblvfKEC4mZTVQ33jaHWUJlYRIZ5QszZ7+F8zdmRxBCYr
+uyyDM4m6dMHpnevAhktNb/hNVVo99lWVMw+48FMrk6bajVwa6DAiVWdEbhfEVwUN
+zvxh3bE8sGZV9ELQzpR9aoK9Mu0vIf/HcP9InRBKcb6oN+UP9HkefaLxamss6AMg
+zoCU0jiAvH5WxXdilMC3QBFNuphLLlIDZmg2q9EPPrWSo5WdpOrTihRBbYYkiarX
+KSDIUtW/jTsJUt2JjCyFQLWfzEdjyjrgyZFcQ6k=
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/intermediate1/private/intermediate1_keypair.pem b/test/configs/certs/ocsp_peer/mini-ca/intermediate1/private/intermediate1_keypair.pem
new file mode 100644
index 000000000..6c04954d8
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/intermediate1/private/intermediate1_keypair.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEuwIBADANBgkqhkiG9w0BAQEFAASCBKUwggShAgEAAoIBAQC8xoQtwqtdBddl
+qOIVdNjy8VURRZOWTKXcy0T19BR+RgJZ6K54WWkhWPcWOLnCwmDYdquhOboLowMX
+5KHLXRoMYnEkZLAA8G9MrwhijNxP4NfUVSzbNvypqtdYJ+SZy9wp2eo1FssuvgSy
+glj05VwH2xKO4zyaXpBLxaPUIZZf4Y/3y57b4BCgbKIeMBdsMp97Q6Sf02szGxjN
+pK0zSKOYsCvIInQXcdjxZCFV4TO8f3Rfpaaim1gv2+3HweU2LoYmrcb+uACFbnzt
+/UrGoNmyP069+ghSyF0xE4a9P+x62DoV4nGv7ACIfqbo4Z2rV1qKH/jiTSlYU3kl
+8J7ZGEAnAgMBAAECgf9Now4nMXr/fdU8+hNvCMPnuMbV5ewWCN2bzEa04K1D09BI
+Tmm78MCVGwGoRoeNJBr5fdTPMMoJ/yVrG+W34iSvzqgnT4rJ/KqlA6CTwsiPyFay
+RgxRQHCpVuLwp8ClyQ0wu26XQlrgJ480trAoUQdj6pC3V+ICdk90R/j0RW5JtsSu
+e0ML3jNA9C4OgKlt2ia/MLqriaHXOf30EPONvtyqyKeGUFL7Un4eYKh4euRFEEMb
+MKngNonefDCIdYA1wVFa3wT8bNBbpuHl3ghkokv6VpdHIVn9wC1l6HY5nPRjgmo7
+sguRI1bRa2TFkOIVwZjCJTyfANyQw14pRS6rxIkCgYEAwzSYHRpJlPHAD7wi3tls
+bw7cBF9Q1P9PYKmVD9fAjx6eOjzDVOCdpGDijEkYoQoX1yYK3JaS8Vvp8V1wZ5Uh
+HTTr6Y5uS6CPh37wGTJc9XhXdJpeN67fEOBZGU04FUlASVFeCiV3Ga6YX0HQ/yKd
+VSc2JMX9mzxZjwhKRHmCEr0CgYEA95FFAxPxPNzYU3yHIdBlQWB1Z6AUFn+D4FgF
+xeFOGmul1E+0PnPH78IlYanMjhhJ1nkc6X71rdX4ylonB/x6ldUpghWW9VWrqRGG
+76S010aaZgOinwVE7+eeoelsIuma2W0QDwWrUT+RAsJBvZpGx1keo1qZEAaocs9V
+R2lvHrMCgYBNMTMl7wtB9wd4MXGoploW4M1ofTi9wehl1Sm5BhyDfBwd84FawygT
+pKxxxUYUCKW80rJg4Lpi73HnnIeirnpVzmOsDELZbTjU4AGaNSxFdb0/wvuXEXPs
+fIs/UiXnZPwjAiYp5P7gDQb8RE6dVdbZoZPrns/W31qbETAtO8+QEQKBgQDgA710
+yYjSz+uXr+j/OflFrSjPedRzfzMvv7aJlhP8aEgH049/q3jRhNYah3Enaub1gWYe
+Ctn4UNPtFqKW4WlzRw1mPm741Gqec9Or6VgSLDrt8IAocLYud2HdlMBa3xNVhxCu
+5yxcOq7W1jxyerVtEUFeA07ZZ4zpRp8eHVOFbQKBgGJGU7xoJWO9P17SUGNfmSEF
+6VIYFX6orA1Fi/kAJiqiFf98T4jnUWnL8LXVckt9FNw6KQqBCB6JuKXBFVkG2Bkr
+f5IIhziTuDVpdLQSf0Z2i59TspgYjiKs4WEN3N0HGtCXfbyPO6Tt08d4icxL5Myt
+W84T6Uof3+QQaqQnGvBE
+-----END PRIVATE KEY-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/intermediate2/intermediate2_cert.pem b/test/configs/certs/ocsp_peer/mini-ca/intermediate2/intermediate2_cert.pem
new file mode 100644
index 000000000..4ca1762a0
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/intermediate2/intermediate2_cert.pem
@@ -0,0 +1,89 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            3c:d7:16:fb:15:99:81:4e:53:f8:80:7c:b6:7c:77:a6:06:a4:3e:ea
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 19:01:43 2023 GMT
+            Not After : Apr 28 19:01:43 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 2
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:da:5f:ff:1d:f7:8d:1a:9e:9a:f3:2b:68:8f:c1:
+                    0c:33:06:41:00:c9:3e:e4:1a:e1:e0:70:6a:f5:2f:
+                    ad:df:f3:e9:99:ed:c5:d7:aa:93:13:37:ff:47:aa:
+                    f3:c5:89:f7:b7:ad:3a:47:e5:9c:4e:9f:8c:e2:41:
+                    ed:a4:7c:9d:88:32:ae:f5:8a:84:9f:0c:18:a0:b3:
+                    fe:8e:dc:2a:88:6a:f5:2f:9c:86:92:fa:7b:6e:b3:
+                    5a:78:67:53:0b:21:6c:0d:6c:80:1a:0e:1e:ee:06:
+                    c4:d2:e7:24:c6:e5:74:be:1e:2e:17:55:2b:e5:9f:
+                    0b:a0:58:cc:fe:bf:53:37:f7:dc:95:88:f4:77:a6:
+                    59:b4:b8:7c:a2:4b:b7:6a:67:aa:84:dc:29:f1:f9:
+                    d7:89:05:4d:0b:f3:8b:2d:52:99:57:ed:6f:11:9e:
+                    af:28:a3:61:44:c2:ec:6e:7f:9f:3d:0b:dc:f7:19:
+                    6d:14:8a:a5:b8:b6:29:02:34:90:b4:96:c1:cb:a7:
+                    42:46:97:cf:8d:59:fd:17:b1:a6:27:a7:7b:8a:47:
+                    6f:fa:03:24:1c:12:25:ee:34:d6:5c:da:45:98:23:
+                    30:e1:48:c9:9a:df:37:aa:1b:70:6c:b2:0f:95:39:
+                    d6:6d:3e:25:20:a8:07:2c:48:57:0c:99:52:cb:89:
+                    08:41
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                75:55:E2:8E:E7:AD:A5:DD:80:3D:C9:33:0B:2C:A2:57:77:ED:15:AC
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:8888/
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        1f:c6:fc:1c:a1:a5:6d:76:f0:7d:28:1f:e1:15:ab:86:e0:c3:
+        dd:a0:17:96:0a:c0:16:32:52:37:a4:b6:ad:24:d7:fd:3c:01:
+        34:3b:a9:a2:ea:81:05:e7:06:5f:a3:af:7b:fa:b2:a9:c3:63:
+        89:bb:0c:70:48:e9:73:cc:33:64:cd:b3:71:88:d1:d1:a1:5a:
+        22:a6:ed:03:46:8e:9a:c0:92:37:46:9b:e5:37:78:a5:43:d5:
+        46:99:1b:34:40:27:8f:95:dd:c6:9a:55:d9:60:25:8d:b8:e9:
+        6e:c9:b3:ee:e8:f0:d9:11:ef:4e:ae:1e:03:70:03:60:66:fd:
+        ab:b0:f4:74:b6:27:7c:7a:96:9d:86:58:5f:5c:d3:04:ab:16:
+        57:12:53:51:c7:93:ca:0b:4e:67:27:2d:b7:20:79:b6:b7:8c:
+        e7:c3:d9:25:5e:25:63:cf:93:f0:6e:31:c0:d5:4f:05:1c:8d:
+        14:1b:6a:d5:01:b6:7a:09:6f:38:f3:e5:e2:5a:e4:e2:42:d5:
+        8a:8d:de:ef:73:25:85:3c:e3:a9:ef:f7:f7:23:4f:d3:27:c2:
+        3a:c6:c0:6f:2a:9b:1e:fe:fc:31:73:10:e1:08:62:98:2b:6d:
+        2f:cc:ab:dd:3a:65:c2:00:7f:29:18:32:cd:8f:56:a9:1d:86:
+        f1:5e:60:55
+-----BEGIN CERTIFICATE-----
+MIIECTCCAvGgAwIBAgIUPNcW+xWZgU5T+IB8tnx3pgakPuowDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE5
+MDE0M1oXDTMzMDQyODE5MDE0M1owWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJ
+bnRlcm1lZGlhdGUgQ0EgMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ANpf/x33jRqemvMraI/BDDMGQQDJPuQa4eBwavUvrd/z6ZntxdeqkxM3/0eq88WJ
+97etOkflnE6fjOJB7aR8nYgyrvWKhJ8MGKCz/o7cKohq9S+chpL6e26zWnhnUwsh
+bA1sgBoOHu4GxNLnJMbldL4eLhdVK+WfC6BYzP6/Uzf33JWI9HemWbS4fKJLt2pn
+qoTcKfH514kFTQvziy1SmVftbxGeryijYUTC7G5/nz0L3PcZbRSKpbi2KQI0kLSW
+wcunQkaXz41Z/Rexpiene4pHb/oDJBwSJe401lzaRZgjMOFIyZrfN6obcGyyD5U5
+1m0+JSCoByxIVwyZUsuJCEECAwEAAaOB0DCBzTAdBgNVHQ4EFgQUdVXijuetpd2A
+PckzCyyiV3ftFawwHwYDVR0jBBgwFoAUwxJCuqnYTeDDPrrXR0GmCS9ttOEwEgYD
+VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwMwYDVR0fBCwwKjAooCag
+JIYiaHR0cDovLzEyNy4wLjAuMTo4ODg4L3Jvb3RfY3JsLmRlcjAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6ODg4OC8wDQYJKoZI
+hvcNAQELBQADggEBAB/G/ByhpW128H0oH+EVq4bgw92gF5YKwBYyUjektq0k1/08
+ATQ7qaLqgQXnBl+jr3v6sqnDY4m7DHBI6XPMM2TNs3GI0dGhWiKm7QNGjprAkjdG
+m+U3eKVD1UaZGzRAJ4+V3caaVdlgJY246W7Js+7o8NkR706uHgNwA2Bm/auw9HS2
+J3x6lp2GWF9c0wSrFlcSU1HHk8oLTmcnLbcgeba3jOfD2SVeJWPPk/BuMcDVTwUc
+jRQbatUBtnoJbzjz5eJa5OJC1YqN3u9zJYU846nv9/cjT9MnwjrGwG8qmx7+/DFz
+EOEIYpgrbS/Mq906ZcIAfykYMs2PVqkdhvFeYFU=
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/intermediate2/private/intermediate2_keypair.pem b/test/configs/certs/ocsp_peer/mini-ca/intermediate2/private/intermediate2_keypair.pem
new file mode 100644
index 000000000..91e2908cd
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/intermediate2/private/intermediate2_keypair.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDaX/8d940anprz
+K2iPwQwzBkEAyT7kGuHgcGr1L63f8+mZ7cXXqpMTN/9HqvPFife3rTpH5ZxOn4zi
+Qe2kfJ2IMq71ioSfDBigs/6O3CqIavUvnIaS+ntus1p4Z1MLIWwNbIAaDh7uBsTS
+5yTG5XS+Hi4XVSvlnwugWMz+v1M399yViPR3plm0uHyiS7dqZ6qE3Cnx+deJBU0L
+84stUplX7W8Rnq8oo2FEwuxuf589C9z3GW0UiqW4tikCNJC0lsHLp0JGl8+NWf0X
+saYnp3uKR2/6AyQcEiXuNNZc2kWYIzDhSMma3zeqG3Bssg+VOdZtPiUgqAcsSFcM
+mVLLiQhBAgMBAAECggEABFew29ByrKMXSzsjgOpSmwgmjkSyPLiBIeSyZ85LK58u
+18oH62Y/tvvf1nXCk7zO4YbvGANrpI+dLlmnx2PYAR+a5ZSb1wrXSYjSyNX9fYl8
+9zWqYm1bO4QTCj5pwximzKyJ7pq1yD93tgb1LwRcmjRA7+NYdGBBi66AYxd8aOo6
+QB7JoME+hzYAWB+foCOAPGAxYe7EFCPkPEyz08oxRCvDua0xa0+tWkU77MhUSCu+
+/uSq/Og9C9TfzCX0W91TNDnq8VeXbLDJoPNzgfSWIeYxSw/X5dUkYU8N2LuPLQOO
+84Xv5UqU9YV22TEjg22YAL8/GMZ160K1xzXnQb1LPQKBgQDs/jOBp9NFiFlcNbJ8
+MKdfv+sktQR7onGehOaz/dEFEKiHNO8UmSlkAk+aZoTmYXKgIT4uytKRSOfZUWSl
+kY64sKJ7KTvVq/Dzm4KsyH8VgYYQ3OrNbqSCSK7DiOiKJxQ+Jhm2+a+io16B8ZbM
+RXLoaQ5+8oET6BgM5R6IMe4iFQKBgQDr44q7I7nhQdNz4h7OJ4HZ8X8WmQG7YpSX
+EMLb5sX5wymfPi5uUDTcthUw7dpleO9js5iT93fB6+rd5yyiDPIes/dWjqULprvR
+zIIr0u+cyt1TRxrNSa6dz/dJO3t/g/fTPKeM9j7ON4RvEGW4LPA+PbEUU0Q6xfSq
+OZ0sZSXUfQKBgQDh8+r/rxbLsJgiRkAKEAlETSLQOJYxmkthq6yZ52ElxyAm6N0Z
+cn34EAv9VclYLYiwC4HR8yaXxj7m/6dKBGFizWXcrw+RRQHSAW6xdedUhc1gvoBP
+pTHL1ahqXVn4fhHav1C9F4nRMpmkosX3tC8+Twu3FVbjt+FWSgy2JYS5kQKBgD5B
+6u6jaj7Skc2HA5xjfvkXrPQ44+UiCpeoW9WQHfZilQyra7O/xYPvJr6oODkJ5xzI
+XN/Is7nh2zY/+l62zfxegUw+D794fR/NOxn37TfTrwB4xtEhvk12gwy3/0tTeEgv
+PQWORFtG+dQaXs5yReIXhDIaG+rrLjzzQdFizM49AoGBAOulUGVDBpUFDVJn8S5r
+bqss/PXW+5xj5g8b9/tzBuyfL0NJ9p3q6EWlELPRTX3zXuVRYjSe9cBUm5FXPxP2
+s1TsGUILjSw21dOtodahvXRDN3Uw2ALQy1MTDy8xLhr9Le+e6xF1T2muzg0vDT6L
+VXAYfY5NPUOiPaYAj792oZk/
+-----END PRIVATE KEY-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/misc/misconfig_TestServer1_bundle.pem b/test/configs/certs/ocsp_peer/mini-ca/misc/misconfig_TestServer1_bundle.pem
new file mode 100644
index 000000000..c3d1d2c96
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/misc/misconfig_TestServer1_bundle.pem
@@ -0,0 +1,186 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            3c:c4:82:66:f8:5d:a6:b6:c7:66:e1:b2:01:3f:e0:72:fc:72:61:33
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 1
+        Validity
+            Not Before: May  1 19:33:37 2023 GMT
+            Not After : Apr 28 19:33:37 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=TestServer1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:af:26:5c:50:c0:fa:62:b5:fd:3d:c1:9e:26:51:
+                    58:62:04:37:b0:b5:6a:9b:6a:e3:22:3c:cd:ee:3c:
+                    e7:8b:d3:e2:4c:08:1a:4d:63:c1:81:20:f4:53:a5:
+                    5d:2f:d2:71:d8:af:e3:26:95:b4:27:14:46:7f:e2:
+                    0a:73:12:a7:0e:ff:99:5a:29:f5:d0:65:96:b1:d1:
+                    96:7f:0c:43:b8:71:f2:4b:21:e1:97:6c:1b:01:e5:
+                    38:1a:39:44:72:d5:19:20:87:fe:90:4f:3b:97:f2:
+                    7d:bd:57:97:4d:9d:56:50:89:5b:79:29:7a:3a:13:
+                    97:08:61:c2:0c:a6:02:49:c9:8a:41:ab:8e:9f:25:
+                    c9:33:18:f8:92:64:58:04:cc:a3:9d:cf:d4:d2:bd:
+                    20:ab:8b:9d:55:df:fb:5b:23:ac:95:12:fa:6f:07:
+                    93:3f:0e:03:86:c4:9b:25:06:21:9b:03:96:32:b8:
+                    e0:0f:63:e2:1d:34:d1:41:35:19:09:c1:a0:dc:26:
+                    b9:c8:66:fa:87:67:22:6e:0c:a6:e7:0f:24:64:b1:
+                    4f:84:05:ef:ad:8e:1b:f2:f4:38:87:d3:e3:48:a5:
+                    82:e0:66:89:1d:92:9a:59:67:a4:1d:03:6f:4d:a5:
+                    fb:3b:c0:0b:73:a7:ab:8f:b4:10:25:8e:69:42:76:
+                    82:5f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                43:16:E6:03:AF:37:B2:7B:BD:B3:C8:A2:9C:95:D7:FA:32:F8:9E:6F
+            X509v3 Authority Key Identifier: 
+                B5:91:6E:4F:64:B7:16:84:76:F9:B4:BE:99:CE:60:95:98:1A:8E:9D
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Client, SSL Server
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:18888/intermediate1_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:18888/
+            X509v3 Subject Alternative Name: 
+                DNS:localhost, IP Address:127.0.0.1
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        a3:87:9f:05:e4:38:61:f7:c4:5b:17:13:4b:2c:9d:a2:4d:e6:
+        ad:93:54:c5:a3:00:27:0b:5c:45:c5:bd:f8:b6:a7:5a:2a:ec:
+        dc:9b:59:8a:c7:59:e7:b9:86:f7:27:be:45:0d:d9:86:76:cf:
+        00:71:ad:aa:cc:73:50:8c:68:63:b0:e2:3a:59:dd:85:fa:0d:
+        f0:82:51:05:79:e6:d5:0e:0b:bb:ed:23:65:8f:d0:8b:01:df:
+        86:74:bc:3a:22:90:e4:59:44:91:d5:44:d8:21:4d:4e:10:72:
+        0a:12:2e:4a:20:5f:15:e7:16:0b:6f:76:f3:04:1f:da:44:50:
+        3b:c3:b3:0f:fa:05:cf:6e:64:9c:65:e2:0d:38:28:31:c3:c3:
+        b6:66:ef:80:d3:c4:5f:e9:f9:01:e9:ce:e6:99:46:a0:9d:ce:
+        90:63:77:d2:85:21:d7:88:32:55:38:fe:10:07:69:cd:c8:06:
+        b7:6f:49:98:bf:cd:be:4f:ab:44:ea:78:af:ab:01:c8:3e:fa:
+        d9:54:bc:59:28:db:03:9b:1c:ee:e4:c3:ed:f3:97:30:c6:40:
+        33:76:84:40:b2:b8:4d:b4:ca:a9:2d:d1:4d:17:92:ea:c0:c9:
+        cb:f6:b1:d7:d3:c7:e6:75:15:00:ff:c7:d9:54:63:27:19:5c:
+        96:a5:e5:d9
+-----BEGIN CERTIFICATE-----
+MIIEYjCCA0qgAwIBAgIUPMSCZvhdprbHZuGyAT/gcvxyYTMwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJbnRlcm1lZGlhdGUgQ0EgMTAe
+Fw0yMzA1MDExOTMzMzdaFw0zMzA0MjgxOTMzMzdaMFQxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJXQTEPMA0GA1UEBwwGVGFjb21hMREwDwYDVQQKDAhUZXN0bmF0czEU
+MBIGA1UEAwwLVGVzdFNlcnZlcjEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCvJlxQwPpitf09wZ4mUVhiBDewtWqbauMiPM3uPOeL0+JMCBpNY8GBIPRT
+pV0v0nHYr+MmlbQnFEZ/4gpzEqcO/5laKfXQZZax0ZZ/DEO4cfJLIeGXbBsB5Tga
+OURy1Rkgh/6QTzuX8n29V5dNnVZQiVt5KXo6E5cIYcIMpgJJyYpBq46fJckzGPiS
+ZFgEzKOdz9TSvSCri51V3/tbI6yVEvpvB5M/DgOGxJslBiGbA5YyuOAPY+IdNNFB
+NRkJwaDcJrnIZvqHZyJuDKbnDyRksU+EBe+tjhvy9DiH0+NIpYLgZokdkppZZ6Qd
+A29Npfs7wAtzp6uPtBAljmlCdoJfAgMBAAGjggEkMIIBIDAdBgNVHQ4EFgQUQxbm
+A683snu9s8iinJXX+jL4nm8wHwYDVR0jBBgwFoAUtZFuT2S3FoR2+bS+mc5glZga
+jp0wDAYDVR0TAQH/BAIwADARBglghkgBhvhCAQEEBAMCBsAwDgYDVR0PAQH/BAQD
+AgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA9BgNVHR8ENjA0MDKg
+MKAuhixodHRwOi8vMTI3LjAuMC4xOjE4ODg4L2ludGVybWVkaWF0ZTFfY3JsLmRl
+cjAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly8xMjcuMC4wLjE6
+MTg4ODgvMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsF
+AAOCAQEAo4efBeQ4YffEWxcTSyydok3mrZNUxaMAJwtcRcW9+LanWirs3JtZisdZ
+57mG9ye+RQ3ZhnbPAHGtqsxzUIxoY7DiOlndhfoN8IJRBXnm1Q4Lu+0jZY/QiwHf
+hnS8OiKQ5FlEkdVE2CFNThByChIuSiBfFecWC2928wQf2kRQO8OzD/oFz25knGXi
+DTgoMcPDtmbvgNPEX+n5AenO5plGoJ3OkGN30oUh14gyVTj+EAdpzcgGt29JmL/N
+vk+rROp4r6sByD762VS8WSjbA5sc7uTD7fOXMMZAM3aEQLK4TbTKqS3RTReS6sDJ
+y/ax19PH5nUVAP/H2VRjJxlclqXl2Q==
+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            3c:d7:16:fb:15:99:81:4e:53:f8:80:7c:b6:7c:77:a6:06:a4:3e:ea
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 19:01:43 2023 GMT
+            Not After : Apr 28 19:01:43 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 2
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:da:5f:ff:1d:f7:8d:1a:9e:9a:f3:2b:68:8f:c1:
+                    0c:33:06:41:00:c9:3e:e4:1a:e1:e0:70:6a:f5:2f:
+                    ad:df:f3:e9:99:ed:c5:d7:aa:93:13:37:ff:47:aa:
+                    f3:c5:89:f7:b7:ad:3a:47:e5:9c:4e:9f:8c:e2:41:
+                    ed:a4:7c:9d:88:32:ae:f5:8a:84:9f:0c:18:a0:b3:
+                    fe:8e:dc:2a:88:6a:f5:2f:9c:86:92:fa:7b:6e:b3:
+                    5a:78:67:53:0b:21:6c:0d:6c:80:1a:0e:1e:ee:06:
+                    c4:d2:e7:24:c6:e5:74:be:1e:2e:17:55:2b:e5:9f:
+                    0b:a0:58:cc:fe:bf:53:37:f7:dc:95:88:f4:77:a6:
+                    59:b4:b8:7c:a2:4b:b7:6a:67:aa:84:dc:29:f1:f9:
+                    d7:89:05:4d:0b:f3:8b:2d:52:99:57:ed:6f:11:9e:
+                    af:28:a3:61:44:c2:ec:6e:7f:9f:3d:0b:dc:f7:19:
+                    6d:14:8a:a5:b8:b6:29:02:34:90:b4:96:c1:cb:a7:
+                    42:46:97:cf:8d:59:fd:17:b1:a6:27:a7:7b:8a:47:
+                    6f:fa:03:24:1c:12:25:ee:34:d6:5c:da:45:98:23:
+                    30:e1:48:c9:9a:df:37:aa:1b:70:6c:b2:0f:95:39:
+                    d6:6d:3e:25:20:a8:07:2c:48:57:0c:99:52:cb:89:
+                    08:41
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                75:55:E2:8E:E7:AD:A5:DD:80:3D:C9:33:0B:2C:A2:57:77:ED:15:AC
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:8888/
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        1f:c6:fc:1c:a1:a5:6d:76:f0:7d:28:1f:e1:15:ab:86:e0:c3:
+        dd:a0:17:96:0a:c0:16:32:52:37:a4:b6:ad:24:d7:fd:3c:01:
+        34:3b:a9:a2:ea:81:05:e7:06:5f:a3:af:7b:fa:b2:a9:c3:63:
+        89:bb:0c:70:48:e9:73:cc:33:64:cd:b3:71:88:d1:d1:a1:5a:
+        22:a6:ed:03:46:8e:9a:c0:92:37:46:9b:e5:37:78:a5:43:d5:
+        46:99:1b:34:40:27:8f:95:dd:c6:9a:55:d9:60:25:8d:b8:e9:
+        6e:c9:b3:ee:e8:f0:d9:11:ef:4e:ae:1e:03:70:03:60:66:fd:
+        ab:b0:f4:74:b6:27:7c:7a:96:9d:86:58:5f:5c:d3:04:ab:16:
+        57:12:53:51:c7:93:ca:0b:4e:67:27:2d:b7:20:79:b6:b7:8c:
+        e7:c3:d9:25:5e:25:63:cf:93:f0:6e:31:c0:d5:4f:05:1c:8d:
+        14:1b:6a:d5:01:b6:7a:09:6f:38:f3:e5:e2:5a:e4:e2:42:d5:
+        8a:8d:de:ef:73:25:85:3c:e3:a9:ef:f7:f7:23:4f:d3:27:c2:
+        3a:c6:c0:6f:2a:9b:1e:fe:fc:31:73:10:e1:08:62:98:2b:6d:
+        2f:cc:ab:dd:3a:65:c2:00:7f:29:18:32:cd:8f:56:a9:1d:86:
+        f1:5e:60:55
+-----BEGIN CERTIFICATE-----
+MIIECTCCAvGgAwIBAgIUPNcW+xWZgU5T+IB8tnx3pgakPuowDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE5
+MDE0M1oXDTMzMDQyODE5MDE0M1owWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJ
+bnRlcm1lZGlhdGUgQ0EgMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ANpf/x33jRqemvMraI/BDDMGQQDJPuQa4eBwavUvrd/z6ZntxdeqkxM3/0eq88WJ
+97etOkflnE6fjOJB7aR8nYgyrvWKhJ8MGKCz/o7cKohq9S+chpL6e26zWnhnUwsh
+bA1sgBoOHu4GxNLnJMbldL4eLhdVK+WfC6BYzP6/Uzf33JWI9HemWbS4fKJLt2pn
+qoTcKfH514kFTQvziy1SmVftbxGeryijYUTC7G5/nz0L3PcZbRSKpbi2KQI0kLSW
+wcunQkaXz41Z/Rexpiene4pHb/oDJBwSJe401lzaRZgjMOFIyZrfN6obcGyyD5U5
+1m0+JSCoByxIVwyZUsuJCEECAwEAAaOB0DCBzTAdBgNVHQ4EFgQUdVXijuetpd2A
+PckzCyyiV3ftFawwHwYDVR0jBBgwFoAUwxJCuqnYTeDDPrrXR0GmCS9ttOEwEgYD
+VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwMwYDVR0fBCwwKjAooCag
+JIYiaHR0cDovLzEyNy4wLjAuMTo4ODg4L3Jvb3RfY3JsLmRlcjAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6ODg4OC8wDQYJKoZI
+hvcNAQELBQADggEBAB/G/ByhpW128H0oH+EVq4bgw92gF5YKwBYyUjektq0k1/08
+ATQ7qaLqgQXnBl+jr3v6sqnDY4m7DHBI6XPMM2TNs3GI0dGhWiKm7QNGjprAkjdG
+m+U3eKVD1UaZGzRAJ4+V3caaVdlgJY246W7Js+7o8NkR706uHgNwA2Bm/auw9HS2
+J3x6lp2GWF9c0wSrFlcSU1HHk8oLTmcnLbcgeba3jOfD2SVeJWPPk/BuMcDVTwUc
+jRQbatUBtnoJbzjz5eJa5OJC1YqN3u9zJYU846nv9/cjT9MnwjrGwG8qmx7+/DFz
+EOEIYpgrbS/Mq906ZcIAfykYMs2PVqkdhvFeYFU=
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/misc/trust_config1_bundle.pem b/test/configs/certs/ocsp_peer/mini-ca/misc/trust_config1_bundle.pem
new file mode 100644
index 000000000..f632ad54a
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/misc/trust_config1_bundle.pem
@@ -0,0 +1,264 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            3c:d7:16:fb:15:99:81:4e:53:f8:80:7c:b6:7c:77:a6:06:a4:3e:ea
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 19:01:43 2023 GMT
+            Not After : Apr 28 19:01:43 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 2
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:da:5f:ff:1d:f7:8d:1a:9e:9a:f3:2b:68:8f:c1:
+                    0c:33:06:41:00:c9:3e:e4:1a:e1:e0:70:6a:f5:2f:
+                    ad:df:f3:e9:99:ed:c5:d7:aa:93:13:37:ff:47:aa:
+                    f3:c5:89:f7:b7:ad:3a:47:e5:9c:4e:9f:8c:e2:41:
+                    ed:a4:7c:9d:88:32:ae:f5:8a:84:9f:0c:18:a0:b3:
+                    fe:8e:dc:2a:88:6a:f5:2f:9c:86:92:fa:7b:6e:b3:
+                    5a:78:67:53:0b:21:6c:0d:6c:80:1a:0e:1e:ee:06:
+                    c4:d2:e7:24:c6:e5:74:be:1e:2e:17:55:2b:e5:9f:
+                    0b:a0:58:cc:fe:bf:53:37:f7:dc:95:88:f4:77:a6:
+                    59:b4:b8:7c:a2:4b:b7:6a:67:aa:84:dc:29:f1:f9:
+                    d7:89:05:4d:0b:f3:8b:2d:52:99:57:ed:6f:11:9e:
+                    af:28:a3:61:44:c2:ec:6e:7f:9f:3d:0b:dc:f7:19:
+                    6d:14:8a:a5:b8:b6:29:02:34:90:b4:96:c1:cb:a7:
+                    42:46:97:cf:8d:59:fd:17:b1:a6:27:a7:7b:8a:47:
+                    6f:fa:03:24:1c:12:25:ee:34:d6:5c:da:45:98:23:
+                    30:e1:48:c9:9a:df:37:aa:1b:70:6c:b2:0f:95:39:
+                    d6:6d:3e:25:20:a8:07:2c:48:57:0c:99:52:cb:89:
+                    08:41
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                75:55:E2:8E:E7:AD:A5:DD:80:3D:C9:33:0B:2C:A2:57:77:ED:15:AC
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:8888/
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        1f:c6:fc:1c:a1:a5:6d:76:f0:7d:28:1f:e1:15:ab:86:e0:c3:
+        dd:a0:17:96:0a:c0:16:32:52:37:a4:b6:ad:24:d7:fd:3c:01:
+        34:3b:a9:a2:ea:81:05:e7:06:5f:a3:af:7b:fa:b2:a9:c3:63:
+        89:bb:0c:70:48:e9:73:cc:33:64:cd:b3:71:88:d1:d1:a1:5a:
+        22:a6:ed:03:46:8e:9a:c0:92:37:46:9b:e5:37:78:a5:43:d5:
+        46:99:1b:34:40:27:8f:95:dd:c6:9a:55:d9:60:25:8d:b8:e9:
+        6e:c9:b3:ee:e8:f0:d9:11:ef:4e:ae:1e:03:70:03:60:66:fd:
+        ab:b0:f4:74:b6:27:7c:7a:96:9d:86:58:5f:5c:d3:04:ab:16:
+        57:12:53:51:c7:93:ca:0b:4e:67:27:2d:b7:20:79:b6:b7:8c:
+        e7:c3:d9:25:5e:25:63:cf:93:f0:6e:31:c0:d5:4f:05:1c:8d:
+        14:1b:6a:d5:01:b6:7a:09:6f:38:f3:e5:e2:5a:e4:e2:42:d5:
+        8a:8d:de:ef:73:25:85:3c:e3:a9:ef:f7:f7:23:4f:d3:27:c2:
+        3a:c6:c0:6f:2a:9b:1e:fe:fc:31:73:10:e1:08:62:98:2b:6d:
+        2f:cc:ab:dd:3a:65:c2:00:7f:29:18:32:cd:8f:56:a9:1d:86:
+        f1:5e:60:55
+-----BEGIN CERTIFICATE-----
+MIIECTCCAvGgAwIBAgIUPNcW+xWZgU5T+IB8tnx3pgakPuowDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE5
+MDE0M1oXDTMzMDQyODE5MDE0M1owWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJ
+bnRlcm1lZGlhdGUgQ0EgMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ANpf/x33jRqemvMraI/BDDMGQQDJPuQa4eBwavUvrd/z6ZntxdeqkxM3/0eq88WJ
+97etOkflnE6fjOJB7aR8nYgyrvWKhJ8MGKCz/o7cKohq9S+chpL6e26zWnhnUwsh
+bA1sgBoOHu4GxNLnJMbldL4eLhdVK+WfC6BYzP6/Uzf33JWI9HemWbS4fKJLt2pn
+qoTcKfH514kFTQvziy1SmVftbxGeryijYUTC7G5/nz0L3PcZbRSKpbi2KQI0kLSW
+wcunQkaXz41Z/Rexpiene4pHb/oDJBwSJe401lzaRZgjMOFIyZrfN6obcGyyD5U5
+1m0+JSCoByxIVwyZUsuJCEECAwEAAaOB0DCBzTAdBgNVHQ4EFgQUdVXijuetpd2A
+PckzCyyiV3ftFawwHwYDVR0jBBgwFoAUwxJCuqnYTeDDPrrXR0GmCS9ttOEwEgYD
+VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwMwYDVR0fBCwwKjAooCag
+JIYiaHR0cDovLzEyNy4wLjAuMTo4ODg4L3Jvb3RfY3JsLmRlcjAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6ODg4OC8wDQYJKoZI
+hvcNAQELBQADggEBAB/G/ByhpW128H0oH+EVq4bgw92gF5YKwBYyUjektq0k1/08
+ATQ7qaLqgQXnBl+jr3v6sqnDY4m7DHBI6XPMM2TNs3GI0dGhWiKm7QNGjprAkjdG
+m+U3eKVD1UaZGzRAJ4+V3caaVdlgJY246W7Js+7o8NkR706uHgNwA2Bm/auw9HS2
+J3x6lp2GWF9c0wSrFlcSU1HHk8oLTmcnLbcgeba3jOfD2SVeJWPPk/BuMcDVTwUc
+jRQbatUBtnoJbzjz5eJa5OJC1YqN3u9zJYU846nv9/cjT9MnwjrGwG8qmx7+/DFz
+EOEIYpgrbS/Mq906ZcIAfykYMs2PVqkdhvFeYFU=
+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            27:5e:cf:7e:be:aa:02:b9:a9:c7:42:30:43:fe:0e:80:05:91:dd:0b
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 18:57:57 2023 GMT
+            Not After : Apr 28 18:57:57 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:e2:21:6b:9f:ef:48:b9:de:22:fb:5b:37:09:68:
+                    c7:b5:92:57:52:24:ef:85:00:e8:71:85:4d:0f:5b:
+                    8c:c6:e7:4f:19:f6:e3:0b:70:a3:41:7e:71:d4:0f:
+                    d6:fd:f2:1a:ca:aa:57:91:76:9a:b2:82:62:60:ce:
+                    f2:00:2e:d4:bc:58:d3:60:30:42:a6:28:b2:50:7b:
+                    58:01:9f:fb:0a:65:b0:40:d6:7c:e2:b7:da:8d:19:
+                    d9:a5:51:d2:46:7e:14:46:ab:fa:df:ce:fe:84:08:
+                    98:63:46:1d:4d:8a:77:57:67:da:16:8b:32:0c:7c:
+                    41:e2:a5:ec:ee:7d:20:28:eb:03:5f:f5:e6:05:d8:
+                    8b:96:78:6f:ae:29:9a:50:f7:dc:96:31:86:81:b1:
+                    78:e8:eb:ef:5d:bb:ed:42:ec:94:c6:54:46:ec:05:
+                    6f:1b:0c:36:24:c6:a8:06:7e:5c:56:b8:43:3b:11:
+                    f4:06:0a:05:15:19:3b:1f:c8:67:31:eb:3b:5b:2a:
+                    15:0a:7b:f9:6b:e4:10:ee:44:be:19:d8:db:44:01:
+                    fa:3a:56:f5:6c:4e:f3:60:aa:e4:cd:b2:ad:77:07:
+                    45:ef:f1:d7:f5:fa:52:84:5c:03:4e:72:e0:a9:91:
+                    c5:d9:d6:0a:84:33:98:31:f2:02:5b:3f:10:15:65:
+                    76:d7
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        22:79:1a:b9:5d:fa:f5:c9:a3:88:22:c4:92:e6:64:6d:ce:a5:
+        ae:2e:69:48:6a:9e:d5:11:c5:bb:b0:de:38:1b:5b:04:85:60:
+        d6:64:14:ed:c2:62:02:7d:ad:d2:17:ad:ef:40:27:2b:50:59:
+        4a:ff:88:c6:b3:16:5c:55:30:d9:23:bd:4f:0f:34:b7:7b:ed:
+        7a:e1:f3:39:35:e9:18:6d:70:b1:2b:2a:e2:e5:cd:a1:54:8a:
+        f9:f4:95:81:29:84:3f:95:2f:48:e0:35:3e:d9:cb:84:4d:3d:
+        3e:3c:0e:8d:24:42:5f:19:e6:06:a5:87:ae:ba:af:07:02:e7:
+        6a:83:0a:89:d4:a4:38:ce:05:6e:f6:15:f1:7a:53:bb:50:28:
+        89:51:3f:f2:54:f1:d3:c4:28:07:a1:3e:55:e5:84:b8:df:58:
+        af:c3:e7:81:c2:08:9c:35:e4:c4:86:75:a8:17:99:2c:a6:7f:
+        46:30:9b:23:55:c5:d8:e2:6a:e4:08:a1:8b:dc:bc:5b:86:95:
+        4a:79:fe:a6:93:3d:1a:5b:10:9a:2f:6a:45:2f:5d:c9:fa:95:
+        2e:66:eb:52:df:88:a7:5f:42:8f:5f:46:07:79:8b:a7:49:82:
+        d3:81:c6:3e:c2:5a:15:c4:83:69:30:49:4d:6e:ea:05:1e:d8:
+        dc:29:ac:17
+-----BEGIN CERTIFICATE-----
+MIIDyDCCArCgAwIBAgIUJ17Pfr6qArmpx0IwQ/4OgAWR3QswDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE4
+NTc1N1oXDTMzMDQyODE4NTc1N1owUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdS
+b290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4iFrn+9Iud4i
++1s3CWjHtZJXUiTvhQDocYVND1uMxudPGfbjC3CjQX5x1A/W/fIayqpXkXaasoJi
+YM7yAC7UvFjTYDBCpiiyUHtYAZ/7CmWwQNZ84rfajRnZpVHSRn4URqv6387+hAiY
+Y0YdTYp3V2faFosyDHxB4qXs7n0gKOsDX/XmBdiLlnhvrimaUPfcljGGgbF46Ovv
+XbvtQuyUxlRG7AVvGww2JMaoBn5cVrhDOxH0BgoFFRk7H8hnMes7WyoVCnv5a+QQ
+7kS+GdjbRAH6Olb1bE7zYKrkzbKtdwdF7/HX9fpShFwDTnLgqZHF2dYKhDOYMfIC
+Wz8QFWV21wIDAQABo4GZMIGWMB0GA1UdDgQWBBTDEkK6qdhN4MM+utdHQaYJL220
+4TAfBgNVHSMEGDAWgBTDEkK6qdhN4MM+utdHQaYJL2204TAPBgNVHRMBAf8EBTAD
+AQH/MA4GA1UdDwEB/wQEAwIBhjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vMTI3
+LjAuMC4xOjg4ODgvcm9vdF9jcmwuZGVyMA0GCSqGSIb3DQEBCwUAA4IBAQAieRq5
+Xfr1yaOIIsSS5mRtzqWuLmlIap7VEcW7sN44G1sEhWDWZBTtwmICfa3SF63vQCcr
+UFlK/4jGsxZcVTDZI71PDzS3e+164fM5NekYbXCxKyri5c2hVIr59JWBKYQ/lS9I
+4DU+2cuETT0+PA6NJEJfGeYGpYeuuq8HAudqgwqJ1KQ4zgVu9hXxelO7UCiJUT/y
+VPHTxCgHoT5V5YS431ivw+eBwgicNeTEhnWoF5kspn9GMJsjVcXY4mrkCKGL3Lxb
+hpVKef6mkz0aWxCaL2pFL13J+pUuZutS34inX0KPX0YHeYunSYLTgcY+wloVxINp
+MElNbuoFHtjcKawX
+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            55:57:db:45:43:06:ce:52:63:59:b9:5a:26:78:fd:0d:94:68:95:9c
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 19:01:15 2023 GMT
+            Not After : Apr 28 19:01:15 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:bc:c6:84:2d:c2:ab:5d:05:d7:65:a8:e2:15:74:
+                    d8:f2:f1:55:11:45:93:96:4c:a5:dc:cb:44:f5:f4:
+                    14:7e:46:02:59:e8:ae:78:59:69:21:58:f7:16:38:
+                    b9:c2:c2:60:d8:76:ab:a1:39:ba:0b:a3:03:17:e4:
+                    a1:cb:5d:1a:0c:62:71:24:64:b0:00:f0:6f:4c:af:
+                    08:62:8c:dc:4f:e0:d7:d4:55:2c:db:36:fc:a9:aa:
+                    d7:58:27:e4:99:cb:dc:29:d9:ea:35:16:cb:2e:be:
+                    04:b2:82:58:f4:e5:5c:07:db:12:8e:e3:3c:9a:5e:
+                    90:4b:c5:a3:d4:21:96:5f:e1:8f:f7:cb:9e:db:e0:
+                    10:a0:6c:a2:1e:30:17:6c:32:9f:7b:43:a4:9f:d3:
+                    6b:33:1b:18:cd:a4:ad:33:48:a3:98:b0:2b:c8:22:
+                    74:17:71:d8:f1:64:21:55:e1:33:bc:7f:74:5f:a5:
+                    a6:a2:9b:58:2f:db:ed:c7:c1:e5:36:2e:86:26:ad:
+                    c6:fe:b8:00:85:6e:7c:ed:fd:4a:c6:a0:d9:b2:3f:
+                    4e:bd:fa:08:52:c8:5d:31:13:86:bd:3f:ec:7a:d8:
+                    3a:15:e2:71:af:ec:00:88:7e:a6:e8:e1:9d:ab:57:
+                    5a:8a:1f:f8:e2:4d:29:58:53:79:25:f0:9e:d9:18:
+                    40:27
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                B5:91:6E:4F:64:B7:16:84:76:F9:B4:BE:99:CE:60:95:98:1A:8E:9D
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:8888/
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        b1:48:16:3b:d7:91:d0:4d:54:09:cb:ab:c7:41:4f:35:12:8b:
+        a6:e8:84:11:49:a9:04:91:41:25:7c:02:38:b2:19:a0:e9:2e:
+        d5:d6:7a:26:c1:1a:f8:f1:c6:51:92:68:af:c8:6e:5b:df:28:
+        40:b8:99:94:d5:43:7d:e3:68:75:94:26:56:11:21:9e:50:b3:
+        36:7b:f8:5f:33:76:64:71:04:26:2b:bb:2c:83:33:89:ba:74:
+        c1:e9:9d:eb:c0:86:4b:4d:6f:f8:4d:55:5a:3d:f6:55:95:33:
+        0f:b8:f0:53:2b:93:a6:da:8d:5c:1a:e8:30:22:55:67:44:6e:
+        17:c4:57:05:0d:ce:fc:61:dd:b1:3c:b0:66:55:f4:42:d0:ce:
+        94:7d:6a:82:bd:32:ed:2f:21:ff:c7:70:ff:48:9d:10:4a:71:
+        be:a8:37:e5:0f:f4:79:1e:7d:a2:f1:6a:6b:2c:e8:03:20:ce:
+        80:94:d2:38:80:bc:7e:56:c5:77:62:94:c0:b7:40:11:4d:ba:
+        98:4b:2e:52:03:66:68:36:ab:d1:0f:3e:b5:92:a3:95:9d:a4:
+        ea:d3:8a:14:41:6d:86:24:89:aa:d7:29:20:c8:52:d5:bf:8d:
+        3b:09:52:dd:89:8c:2c:85:40:b5:9f:cc:47:63:ca:3a:e0:c9:
+        91:5c:43:a9
+-----BEGIN CERTIFICATE-----
+MIIECTCCAvGgAwIBAgIUVVfbRUMGzlJjWblaJnj9DZRolZwwDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE5
+MDExNVoXDTMzMDQyODE5MDExNVowWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJ
+bnRlcm1lZGlhdGUgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALzGhC3Cq10F12Wo4hV02PLxVRFFk5ZMpdzLRPX0FH5GAlnornhZaSFY9xY4ucLC
+YNh2q6E5ugujAxfkoctdGgxicSRksADwb0yvCGKM3E/g19RVLNs2/Kmq11gn5JnL
+3CnZ6jUWyy6+BLKCWPTlXAfbEo7jPJpekEvFo9Qhll/hj/fLntvgEKBsoh4wF2wy
+n3tDpJ/TazMbGM2krTNIo5iwK8gidBdx2PFkIVXhM7x/dF+lpqKbWC/b7cfB5TYu
+hiatxv64AIVufO39Ssag2bI/Tr36CFLIXTEThr0/7HrYOhXica/sAIh+pujhnatX
+Woof+OJNKVhTeSXwntkYQCcCAwEAAaOB0DCBzTAdBgNVHQ4EFgQUtZFuT2S3FoR2
++bS+mc5glZgajp0wHwYDVR0jBBgwFoAUwxJCuqnYTeDDPrrXR0GmCS9ttOEwEgYD
+VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwMwYDVR0fBCwwKjAooCag
+JIYiaHR0cDovLzEyNy4wLjAuMTo4ODg4L3Jvb3RfY3JsLmRlcjAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6ODg4OC8wDQYJKoZI
+hvcNAQELBQADggEBALFIFjvXkdBNVAnLq8dBTzUSi6bohBFJqQSRQSV8AjiyGaDp
+LtXWeibBGvjxxlGSaK/IblvfKEC4mZTVQ33jaHWUJlYRIZ5QszZ7+F8zdmRxBCYr
+uyyDM4m6dMHpnevAhktNb/hNVVo99lWVMw+48FMrk6bajVwa6DAiVWdEbhfEVwUN
+zvxh3bE8sGZV9ELQzpR9aoK9Mu0vIf/HcP9InRBKcb6oN+UP9HkefaLxamss6AMg
+zoCU0jiAvH5WxXdilMC3QBFNuphLLlIDZmg2q9EPPrWSo5WdpOrTihRBbYYkiarX
+KSDIUtW/jTsJUt2JjCyFQLWfzEdjyjrgyZFcQ6k=
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/misc/trust_config2_bundle.pem b/test/configs/certs/ocsp_peer/mini-ca/misc/trust_config2_bundle.pem
new file mode 100644
index 000000000..fb390ca11
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/misc/trust_config2_bundle.pem
@@ -0,0 +1,264 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            3c:d7:16:fb:15:99:81:4e:53:f8:80:7c:b6:7c:77:a6:06:a4:3e:ea
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 19:01:43 2023 GMT
+            Not After : Apr 28 19:01:43 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 2
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:da:5f:ff:1d:f7:8d:1a:9e:9a:f3:2b:68:8f:c1:
+                    0c:33:06:41:00:c9:3e:e4:1a:e1:e0:70:6a:f5:2f:
+                    ad:df:f3:e9:99:ed:c5:d7:aa:93:13:37:ff:47:aa:
+                    f3:c5:89:f7:b7:ad:3a:47:e5:9c:4e:9f:8c:e2:41:
+                    ed:a4:7c:9d:88:32:ae:f5:8a:84:9f:0c:18:a0:b3:
+                    fe:8e:dc:2a:88:6a:f5:2f:9c:86:92:fa:7b:6e:b3:
+                    5a:78:67:53:0b:21:6c:0d:6c:80:1a:0e:1e:ee:06:
+                    c4:d2:e7:24:c6:e5:74:be:1e:2e:17:55:2b:e5:9f:
+                    0b:a0:58:cc:fe:bf:53:37:f7:dc:95:88:f4:77:a6:
+                    59:b4:b8:7c:a2:4b:b7:6a:67:aa:84:dc:29:f1:f9:
+                    d7:89:05:4d:0b:f3:8b:2d:52:99:57:ed:6f:11:9e:
+                    af:28:a3:61:44:c2:ec:6e:7f:9f:3d:0b:dc:f7:19:
+                    6d:14:8a:a5:b8:b6:29:02:34:90:b4:96:c1:cb:a7:
+                    42:46:97:cf:8d:59:fd:17:b1:a6:27:a7:7b:8a:47:
+                    6f:fa:03:24:1c:12:25:ee:34:d6:5c:da:45:98:23:
+                    30:e1:48:c9:9a:df:37:aa:1b:70:6c:b2:0f:95:39:
+                    d6:6d:3e:25:20:a8:07:2c:48:57:0c:99:52:cb:89:
+                    08:41
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                75:55:E2:8E:E7:AD:A5:DD:80:3D:C9:33:0B:2C:A2:57:77:ED:15:AC
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:8888/
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        1f:c6:fc:1c:a1:a5:6d:76:f0:7d:28:1f:e1:15:ab:86:e0:c3:
+        dd:a0:17:96:0a:c0:16:32:52:37:a4:b6:ad:24:d7:fd:3c:01:
+        34:3b:a9:a2:ea:81:05:e7:06:5f:a3:af:7b:fa:b2:a9:c3:63:
+        89:bb:0c:70:48:e9:73:cc:33:64:cd:b3:71:88:d1:d1:a1:5a:
+        22:a6:ed:03:46:8e:9a:c0:92:37:46:9b:e5:37:78:a5:43:d5:
+        46:99:1b:34:40:27:8f:95:dd:c6:9a:55:d9:60:25:8d:b8:e9:
+        6e:c9:b3:ee:e8:f0:d9:11:ef:4e:ae:1e:03:70:03:60:66:fd:
+        ab:b0:f4:74:b6:27:7c:7a:96:9d:86:58:5f:5c:d3:04:ab:16:
+        57:12:53:51:c7:93:ca:0b:4e:67:27:2d:b7:20:79:b6:b7:8c:
+        e7:c3:d9:25:5e:25:63:cf:93:f0:6e:31:c0:d5:4f:05:1c:8d:
+        14:1b:6a:d5:01:b6:7a:09:6f:38:f3:e5:e2:5a:e4:e2:42:d5:
+        8a:8d:de:ef:73:25:85:3c:e3:a9:ef:f7:f7:23:4f:d3:27:c2:
+        3a:c6:c0:6f:2a:9b:1e:fe:fc:31:73:10:e1:08:62:98:2b:6d:
+        2f:cc:ab:dd:3a:65:c2:00:7f:29:18:32:cd:8f:56:a9:1d:86:
+        f1:5e:60:55
+-----BEGIN CERTIFICATE-----
+MIIECTCCAvGgAwIBAgIUPNcW+xWZgU5T+IB8tnx3pgakPuowDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE5
+MDE0M1oXDTMzMDQyODE5MDE0M1owWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJ
+bnRlcm1lZGlhdGUgQ0EgMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ANpf/x33jRqemvMraI/BDDMGQQDJPuQa4eBwavUvrd/z6ZntxdeqkxM3/0eq88WJ
+97etOkflnE6fjOJB7aR8nYgyrvWKhJ8MGKCz/o7cKohq9S+chpL6e26zWnhnUwsh
+bA1sgBoOHu4GxNLnJMbldL4eLhdVK+WfC6BYzP6/Uzf33JWI9HemWbS4fKJLt2pn
+qoTcKfH514kFTQvziy1SmVftbxGeryijYUTC7G5/nz0L3PcZbRSKpbi2KQI0kLSW
+wcunQkaXz41Z/Rexpiene4pHb/oDJBwSJe401lzaRZgjMOFIyZrfN6obcGyyD5U5
+1m0+JSCoByxIVwyZUsuJCEECAwEAAaOB0DCBzTAdBgNVHQ4EFgQUdVXijuetpd2A
+PckzCyyiV3ftFawwHwYDVR0jBBgwFoAUwxJCuqnYTeDDPrrXR0GmCS9ttOEwEgYD
+VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwMwYDVR0fBCwwKjAooCag
+JIYiaHR0cDovLzEyNy4wLjAuMTo4ODg4L3Jvb3RfY3JsLmRlcjAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6ODg4OC8wDQYJKoZI
+hvcNAQELBQADggEBAB/G/ByhpW128H0oH+EVq4bgw92gF5YKwBYyUjektq0k1/08
+ATQ7qaLqgQXnBl+jr3v6sqnDY4m7DHBI6XPMM2TNs3GI0dGhWiKm7QNGjprAkjdG
+m+U3eKVD1UaZGzRAJ4+V3caaVdlgJY246W7Js+7o8NkR706uHgNwA2Bm/auw9HS2
+J3x6lp2GWF9c0wSrFlcSU1HHk8oLTmcnLbcgeba3jOfD2SVeJWPPk/BuMcDVTwUc
+jRQbatUBtnoJbzjz5eJa5OJC1YqN3u9zJYU846nv9/cjT9MnwjrGwG8qmx7+/DFz
+EOEIYpgrbS/Mq906ZcIAfykYMs2PVqkdhvFeYFU=
+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            55:57:db:45:43:06:ce:52:63:59:b9:5a:26:78:fd:0d:94:68:95:9c
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 19:01:15 2023 GMT
+            Not After : Apr 28 19:01:15 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:bc:c6:84:2d:c2:ab:5d:05:d7:65:a8:e2:15:74:
+                    d8:f2:f1:55:11:45:93:96:4c:a5:dc:cb:44:f5:f4:
+                    14:7e:46:02:59:e8:ae:78:59:69:21:58:f7:16:38:
+                    b9:c2:c2:60:d8:76:ab:a1:39:ba:0b:a3:03:17:e4:
+                    a1:cb:5d:1a:0c:62:71:24:64:b0:00:f0:6f:4c:af:
+                    08:62:8c:dc:4f:e0:d7:d4:55:2c:db:36:fc:a9:aa:
+                    d7:58:27:e4:99:cb:dc:29:d9:ea:35:16:cb:2e:be:
+                    04:b2:82:58:f4:e5:5c:07:db:12:8e:e3:3c:9a:5e:
+                    90:4b:c5:a3:d4:21:96:5f:e1:8f:f7:cb:9e:db:e0:
+                    10:a0:6c:a2:1e:30:17:6c:32:9f:7b:43:a4:9f:d3:
+                    6b:33:1b:18:cd:a4:ad:33:48:a3:98:b0:2b:c8:22:
+                    74:17:71:d8:f1:64:21:55:e1:33:bc:7f:74:5f:a5:
+                    a6:a2:9b:58:2f:db:ed:c7:c1:e5:36:2e:86:26:ad:
+                    c6:fe:b8:00:85:6e:7c:ed:fd:4a:c6:a0:d9:b2:3f:
+                    4e:bd:fa:08:52:c8:5d:31:13:86:bd:3f:ec:7a:d8:
+                    3a:15:e2:71:af:ec:00:88:7e:a6:e8:e1:9d:ab:57:
+                    5a:8a:1f:f8:e2:4d:29:58:53:79:25:f0:9e:d9:18:
+                    40:27
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                B5:91:6E:4F:64:B7:16:84:76:F9:B4:BE:99:CE:60:95:98:1A:8E:9D
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:8888/
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        b1:48:16:3b:d7:91:d0:4d:54:09:cb:ab:c7:41:4f:35:12:8b:
+        a6:e8:84:11:49:a9:04:91:41:25:7c:02:38:b2:19:a0:e9:2e:
+        d5:d6:7a:26:c1:1a:f8:f1:c6:51:92:68:af:c8:6e:5b:df:28:
+        40:b8:99:94:d5:43:7d:e3:68:75:94:26:56:11:21:9e:50:b3:
+        36:7b:f8:5f:33:76:64:71:04:26:2b:bb:2c:83:33:89:ba:74:
+        c1:e9:9d:eb:c0:86:4b:4d:6f:f8:4d:55:5a:3d:f6:55:95:33:
+        0f:b8:f0:53:2b:93:a6:da:8d:5c:1a:e8:30:22:55:67:44:6e:
+        17:c4:57:05:0d:ce:fc:61:dd:b1:3c:b0:66:55:f4:42:d0:ce:
+        94:7d:6a:82:bd:32:ed:2f:21:ff:c7:70:ff:48:9d:10:4a:71:
+        be:a8:37:e5:0f:f4:79:1e:7d:a2:f1:6a:6b:2c:e8:03:20:ce:
+        80:94:d2:38:80:bc:7e:56:c5:77:62:94:c0:b7:40:11:4d:ba:
+        98:4b:2e:52:03:66:68:36:ab:d1:0f:3e:b5:92:a3:95:9d:a4:
+        ea:d3:8a:14:41:6d:86:24:89:aa:d7:29:20:c8:52:d5:bf:8d:
+        3b:09:52:dd:89:8c:2c:85:40:b5:9f:cc:47:63:ca:3a:e0:c9:
+        91:5c:43:a9
+-----BEGIN CERTIFICATE-----
+MIIECTCCAvGgAwIBAgIUVVfbRUMGzlJjWblaJnj9DZRolZwwDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE5
+MDExNVoXDTMzMDQyODE5MDExNVowWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJ
+bnRlcm1lZGlhdGUgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALzGhC3Cq10F12Wo4hV02PLxVRFFk5ZMpdzLRPX0FH5GAlnornhZaSFY9xY4ucLC
+YNh2q6E5ugujAxfkoctdGgxicSRksADwb0yvCGKM3E/g19RVLNs2/Kmq11gn5JnL
+3CnZ6jUWyy6+BLKCWPTlXAfbEo7jPJpekEvFo9Qhll/hj/fLntvgEKBsoh4wF2wy
+n3tDpJ/TazMbGM2krTNIo5iwK8gidBdx2PFkIVXhM7x/dF+lpqKbWC/b7cfB5TYu
+hiatxv64AIVufO39Ssag2bI/Tr36CFLIXTEThr0/7HrYOhXica/sAIh+pujhnatX
+Woof+OJNKVhTeSXwntkYQCcCAwEAAaOB0DCBzTAdBgNVHQ4EFgQUtZFuT2S3FoR2
++bS+mc5glZgajp0wHwYDVR0jBBgwFoAUwxJCuqnYTeDDPrrXR0GmCS9ttOEwEgYD
+VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwMwYDVR0fBCwwKjAooCag
+JIYiaHR0cDovLzEyNy4wLjAuMTo4ODg4L3Jvb3RfY3JsLmRlcjAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6ODg4OC8wDQYJKoZI
+hvcNAQELBQADggEBALFIFjvXkdBNVAnLq8dBTzUSi6bohBFJqQSRQSV8AjiyGaDp
+LtXWeibBGvjxxlGSaK/IblvfKEC4mZTVQ33jaHWUJlYRIZ5QszZ7+F8zdmRxBCYr
+uyyDM4m6dMHpnevAhktNb/hNVVo99lWVMw+48FMrk6bajVwa6DAiVWdEbhfEVwUN
+zvxh3bE8sGZV9ELQzpR9aoK9Mu0vIf/HcP9InRBKcb6oN+UP9HkefaLxamss6AMg
+zoCU0jiAvH5WxXdilMC3QBFNuphLLlIDZmg2q9EPPrWSo5WdpOrTihRBbYYkiarX
+KSDIUtW/jTsJUt2JjCyFQLWfzEdjyjrgyZFcQ6k=
+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            27:5e:cf:7e:be:aa:02:b9:a9:c7:42:30:43:fe:0e:80:05:91:dd:0b
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 18:57:57 2023 GMT
+            Not After : Apr 28 18:57:57 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:e2:21:6b:9f:ef:48:b9:de:22:fb:5b:37:09:68:
+                    c7:b5:92:57:52:24:ef:85:00:e8:71:85:4d:0f:5b:
+                    8c:c6:e7:4f:19:f6:e3:0b:70:a3:41:7e:71:d4:0f:
+                    d6:fd:f2:1a:ca:aa:57:91:76:9a:b2:82:62:60:ce:
+                    f2:00:2e:d4:bc:58:d3:60:30:42:a6:28:b2:50:7b:
+                    58:01:9f:fb:0a:65:b0:40:d6:7c:e2:b7:da:8d:19:
+                    d9:a5:51:d2:46:7e:14:46:ab:fa:df:ce:fe:84:08:
+                    98:63:46:1d:4d:8a:77:57:67:da:16:8b:32:0c:7c:
+                    41:e2:a5:ec:ee:7d:20:28:eb:03:5f:f5:e6:05:d8:
+                    8b:96:78:6f:ae:29:9a:50:f7:dc:96:31:86:81:b1:
+                    78:e8:eb:ef:5d:bb:ed:42:ec:94:c6:54:46:ec:05:
+                    6f:1b:0c:36:24:c6:a8:06:7e:5c:56:b8:43:3b:11:
+                    f4:06:0a:05:15:19:3b:1f:c8:67:31:eb:3b:5b:2a:
+                    15:0a:7b:f9:6b:e4:10:ee:44:be:19:d8:db:44:01:
+                    fa:3a:56:f5:6c:4e:f3:60:aa:e4:cd:b2:ad:77:07:
+                    45:ef:f1:d7:f5:fa:52:84:5c:03:4e:72:e0:a9:91:
+                    c5:d9:d6:0a:84:33:98:31:f2:02:5b:3f:10:15:65:
+                    76:d7
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        22:79:1a:b9:5d:fa:f5:c9:a3:88:22:c4:92:e6:64:6d:ce:a5:
+        ae:2e:69:48:6a:9e:d5:11:c5:bb:b0:de:38:1b:5b:04:85:60:
+        d6:64:14:ed:c2:62:02:7d:ad:d2:17:ad:ef:40:27:2b:50:59:
+        4a:ff:88:c6:b3:16:5c:55:30:d9:23:bd:4f:0f:34:b7:7b:ed:
+        7a:e1:f3:39:35:e9:18:6d:70:b1:2b:2a:e2:e5:cd:a1:54:8a:
+        f9:f4:95:81:29:84:3f:95:2f:48:e0:35:3e:d9:cb:84:4d:3d:
+        3e:3c:0e:8d:24:42:5f:19:e6:06:a5:87:ae:ba:af:07:02:e7:
+        6a:83:0a:89:d4:a4:38:ce:05:6e:f6:15:f1:7a:53:bb:50:28:
+        89:51:3f:f2:54:f1:d3:c4:28:07:a1:3e:55:e5:84:b8:df:58:
+        af:c3:e7:81:c2:08:9c:35:e4:c4:86:75:a8:17:99:2c:a6:7f:
+        46:30:9b:23:55:c5:d8:e2:6a:e4:08:a1:8b:dc:bc:5b:86:95:
+        4a:79:fe:a6:93:3d:1a:5b:10:9a:2f:6a:45:2f:5d:c9:fa:95:
+        2e:66:eb:52:df:88:a7:5f:42:8f:5f:46:07:79:8b:a7:49:82:
+        d3:81:c6:3e:c2:5a:15:c4:83:69:30:49:4d:6e:ea:05:1e:d8:
+        dc:29:ac:17
+-----BEGIN CERTIFICATE-----
+MIIDyDCCArCgAwIBAgIUJ17Pfr6qArmpx0IwQ/4OgAWR3QswDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE4
+NTc1N1oXDTMzMDQyODE4NTc1N1owUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdS
+b290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4iFrn+9Iud4i
++1s3CWjHtZJXUiTvhQDocYVND1uMxudPGfbjC3CjQX5x1A/W/fIayqpXkXaasoJi
+YM7yAC7UvFjTYDBCpiiyUHtYAZ/7CmWwQNZ84rfajRnZpVHSRn4URqv6387+hAiY
+Y0YdTYp3V2faFosyDHxB4qXs7n0gKOsDX/XmBdiLlnhvrimaUPfcljGGgbF46Ovv
+XbvtQuyUxlRG7AVvGww2JMaoBn5cVrhDOxH0BgoFFRk7H8hnMes7WyoVCnv5a+QQ
+7kS+GdjbRAH6Olb1bE7zYKrkzbKtdwdF7/HX9fpShFwDTnLgqZHF2dYKhDOYMfIC
+Wz8QFWV21wIDAQABo4GZMIGWMB0GA1UdDgQWBBTDEkK6qdhN4MM+utdHQaYJL220
+4TAfBgNVHSMEGDAWgBTDEkK6qdhN4MM+utdHQaYJL2204TAPBgNVHRMBAf8EBTAD
+AQH/MA4GA1UdDwEB/wQEAwIBhjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vMTI3
+LjAuMC4xOjg4ODgvcm9vdF9jcmwuZGVyMA0GCSqGSIb3DQEBCwUAA4IBAQAieRq5
+Xfr1yaOIIsSS5mRtzqWuLmlIap7VEcW7sN44G1sEhWDWZBTtwmICfa3SF63vQCcr
+UFlK/4jGsxZcVTDZI71PDzS3e+164fM5NekYbXCxKyri5c2hVIr59JWBKYQ/lS9I
+4DU+2cuETT0+PA6NJEJfGeYGpYeuuq8HAudqgwqJ1KQ4zgVu9hXxelO7UCiJUT/y
+VPHTxCgHoT5V5YS431ivw+eBwgicNeTEhnWoF5kspn9GMJsjVcXY4mrkCKGL3Lxb
+hpVKef6mkz0aWxCaL2pFL13J+pUuZutS34inX0KPX0YHeYunSYLTgcY+wloVxINp
+MElNbuoFHtjcKawX
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/misc/trust_config3_bundle.pem b/test/configs/certs/ocsp_peer/mini-ca/misc/trust_config3_bundle.pem
new file mode 100644
index 000000000..2ba91b0d0
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/misc/trust_config3_bundle.pem
@@ -0,0 +1,264 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            55:57:db:45:43:06:ce:52:63:59:b9:5a:26:78:fd:0d:94:68:95:9c
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 19:01:15 2023 GMT
+            Not After : Apr 28 19:01:15 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:bc:c6:84:2d:c2:ab:5d:05:d7:65:a8:e2:15:74:
+                    d8:f2:f1:55:11:45:93:96:4c:a5:dc:cb:44:f5:f4:
+                    14:7e:46:02:59:e8:ae:78:59:69:21:58:f7:16:38:
+                    b9:c2:c2:60:d8:76:ab:a1:39:ba:0b:a3:03:17:e4:
+                    a1:cb:5d:1a:0c:62:71:24:64:b0:00:f0:6f:4c:af:
+                    08:62:8c:dc:4f:e0:d7:d4:55:2c:db:36:fc:a9:aa:
+                    d7:58:27:e4:99:cb:dc:29:d9:ea:35:16:cb:2e:be:
+                    04:b2:82:58:f4:e5:5c:07:db:12:8e:e3:3c:9a:5e:
+                    90:4b:c5:a3:d4:21:96:5f:e1:8f:f7:cb:9e:db:e0:
+                    10:a0:6c:a2:1e:30:17:6c:32:9f:7b:43:a4:9f:d3:
+                    6b:33:1b:18:cd:a4:ad:33:48:a3:98:b0:2b:c8:22:
+                    74:17:71:d8:f1:64:21:55:e1:33:bc:7f:74:5f:a5:
+                    a6:a2:9b:58:2f:db:ed:c7:c1:e5:36:2e:86:26:ad:
+                    c6:fe:b8:00:85:6e:7c:ed:fd:4a:c6:a0:d9:b2:3f:
+                    4e:bd:fa:08:52:c8:5d:31:13:86:bd:3f:ec:7a:d8:
+                    3a:15:e2:71:af:ec:00:88:7e:a6:e8:e1:9d:ab:57:
+                    5a:8a:1f:f8:e2:4d:29:58:53:79:25:f0:9e:d9:18:
+                    40:27
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                B5:91:6E:4F:64:B7:16:84:76:F9:B4:BE:99:CE:60:95:98:1A:8E:9D
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:8888/
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        b1:48:16:3b:d7:91:d0:4d:54:09:cb:ab:c7:41:4f:35:12:8b:
+        a6:e8:84:11:49:a9:04:91:41:25:7c:02:38:b2:19:a0:e9:2e:
+        d5:d6:7a:26:c1:1a:f8:f1:c6:51:92:68:af:c8:6e:5b:df:28:
+        40:b8:99:94:d5:43:7d:e3:68:75:94:26:56:11:21:9e:50:b3:
+        36:7b:f8:5f:33:76:64:71:04:26:2b:bb:2c:83:33:89:ba:74:
+        c1:e9:9d:eb:c0:86:4b:4d:6f:f8:4d:55:5a:3d:f6:55:95:33:
+        0f:b8:f0:53:2b:93:a6:da:8d:5c:1a:e8:30:22:55:67:44:6e:
+        17:c4:57:05:0d:ce:fc:61:dd:b1:3c:b0:66:55:f4:42:d0:ce:
+        94:7d:6a:82:bd:32:ed:2f:21:ff:c7:70:ff:48:9d:10:4a:71:
+        be:a8:37:e5:0f:f4:79:1e:7d:a2:f1:6a:6b:2c:e8:03:20:ce:
+        80:94:d2:38:80:bc:7e:56:c5:77:62:94:c0:b7:40:11:4d:ba:
+        98:4b:2e:52:03:66:68:36:ab:d1:0f:3e:b5:92:a3:95:9d:a4:
+        ea:d3:8a:14:41:6d:86:24:89:aa:d7:29:20:c8:52:d5:bf:8d:
+        3b:09:52:dd:89:8c:2c:85:40:b5:9f:cc:47:63:ca:3a:e0:c9:
+        91:5c:43:a9
+-----BEGIN CERTIFICATE-----
+MIIECTCCAvGgAwIBAgIUVVfbRUMGzlJjWblaJnj9DZRolZwwDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE5
+MDExNVoXDTMzMDQyODE5MDExNVowWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJ
+bnRlcm1lZGlhdGUgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALzGhC3Cq10F12Wo4hV02PLxVRFFk5ZMpdzLRPX0FH5GAlnornhZaSFY9xY4ucLC
+YNh2q6E5ugujAxfkoctdGgxicSRksADwb0yvCGKM3E/g19RVLNs2/Kmq11gn5JnL
+3CnZ6jUWyy6+BLKCWPTlXAfbEo7jPJpekEvFo9Qhll/hj/fLntvgEKBsoh4wF2wy
+n3tDpJ/TazMbGM2krTNIo5iwK8gidBdx2PFkIVXhM7x/dF+lpqKbWC/b7cfB5TYu
+hiatxv64AIVufO39Ssag2bI/Tr36CFLIXTEThr0/7HrYOhXica/sAIh+pujhnatX
+Woof+OJNKVhTeSXwntkYQCcCAwEAAaOB0DCBzTAdBgNVHQ4EFgQUtZFuT2S3FoR2
++bS+mc5glZgajp0wHwYDVR0jBBgwFoAUwxJCuqnYTeDDPrrXR0GmCS9ttOEwEgYD
+VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwMwYDVR0fBCwwKjAooCag
+JIYiaHR0cDovLzEyNy4wLjAuMTo4ODg4L3Jvb3RfY3JsLmRlcjAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6ODg4OC8wDQYJKoZI
+hvcNAQELBQADggEBALFIFjvXkdBNVAnLq8dBTzUSi6bohBFJqQSRQSV8AjiyGaDp
+LtXWeibBGvjxxlGSaK/IblvfKEC4mZTVQ33jaHWUJlYRIZ5QszZ7+F8zdmRxBCYr
+uyyDM4m6dMHpnevAhktNb/hNVVo99lWVMw+48FMrk6bajVwa6DAiVWdEbhfEVwUN
+zvxh3bE8sGZV9ELQzpR9aoK9Mu0vIf/HcP9InRBKcb6oN+UP9HkefaLxamss6AMg
+zoCU0jiAvH5WxXdilMC3QBFNuphLLlIDZmg2q9EPPrWSo5WdpOrTihRBbYYkiarX
+KSDIUtW/jTsJUt2JjCyFQLWfzEdjyjrgyZFcQ6k=
+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            3c:d7:16:fb:15:99:81:4e:53:f8:80:7c:b6:7c:77:a6:06:a4:3e:ea
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 19:01:43 2023 GMT
+            Not After : Apr 28 19:01:43 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 2
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:da:5f:ff:1d:f7:8d:1a:9e:9a:f3:2b:68:8f:c1:
+                    0c:33:06:41:00:c9:3e:e4:1a:e1:e0:70:6a:f5:2f:
+                    ad:df:f3:e9:99:ed:c5:d7:aa:93:13:37:ff:47:aa:
+                    f3:c5:89:f7:b7:ad:3a:47:e5:9c:4e:9f:8c:e2:41:
+                    ed:a4:7c:9d:88:32:ae:f5:8a:84:9f:0c:18:a0:b3:
+                    fe:8e:dc:2a:88:6a:f5:2f:9c:86:92:fa:7b:6e:b3:
+                    5a:78:67:53:0b:21:6c:0d:6c:80:1a:0e:1e:ee:06:
+                    c4:d2:e7:24:c6:e5:74:be:1e:2e:17:55:2b:e5:9f:
+                    0b:a0:58:cc:fe:bf:53:37:f7:dc:95:88:f4:77:a6:
+                    59:b4:b8:7c:a2:4b:b7:6a:67:aa:84:dc:29:f1:f9:
+                    d7:89:05:4d:0b:f3:8b:2d:52:99:57:ed:6f:11:9e:
+                    af:28:a3:61:44:c2:ec:6e:7f:9f:3d:0b:dc:f7:19:
+                    6d:14:8a:a5:b8:b6:29:02:34:90:b4:96:c1:cb:a7:
+                    42:46:97:cf:8d:59:fd:17:b1:a6:27:a7:7b:8a:47:
+                    6f:fa:03:24:1c:12:25:ee:34:d6:5c:da:45:98:23:
+                    30:e1:48:c9:9a:df:37:aa:1b:70:6c:b2:0f:95:39:
+                    d6:6d:3e:25:20:a8:07:2c:48:57:0c:99:52:cb:89:
+                    08:41
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                75:55:E2:8E:E7:AD:A5:DD:80:3D:C9:33:0B:2C:A2:57:77:ED:15:AC
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:8888/
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        1f:c6:fc:1c:a1:a5:6d:76:f0:7d:28:1f:e1:15:ab:86:e0:c3:
+        dd:a0:17:96:0a:c0:16:32:52:37:a4:b6:ad:24:d7:fd:3c:01:
+        34:3b:a9:a2:ea:81:05:e7:06:5f:a3:af:7b:fa:b2:a9:c3:63:
+        89:bb:0c:70:48:e9:73:cc:33:64:cd:b3:71:88:d1:d1:a1:5a:
+        22:a6:ed:03:46:8e:9a:c0:92:37:46:9b:e5:37:78:a5:43:d5:
+        46:99:1b:34:40:27:8f:95:dd:c6:9a:55:d9:60:25:8d:b8:e9:
+        6e:c9:b3:ee:e8:f0:d9:11:ef:4e:ae:1e:03:70:03:60:66:fd:
+        ab:b0:f4:74:b6:27:7c:7a:96:9d:86:58:5f:5c:d3:04:ab:16:
+        57:12:53:51:c7:93:ca:0b:4e:67:27:2d:b7:20:79:b6:b7:8c:
+        e7:c3:d9:25:5e:25:63:cf:93:f0:6e:31:c0:d5:4f:05:1c:8d:
+        14:1b:6a:d5:01:b6:7a:09:6f:38:f3:e5:e2:5a:e4:e2:42:d5:
+        8a:8d:de:ef:73:25:85:3c:e3:a9:ef:f7:f7:23:4f:d3:27:c2:
+        3a:c6:c0:6f:2a:9b:1e:fe:fc:31:73:10:e1:08:62:98:2b:6d:
+        2f:cc:ab:dd:3a:65:c2:00:7f:29:18:32:cd:8f:56:a9:1d:86:
+        f1:5e:60:55
+-----BEGIN CERTIFICATE-----
+MIIECTCCAvGgAwIBAgIUPNcW+xWZgU5T+IB8tnx3pgakPuowDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE5
+MDE0M1oXDTMzMDQyODE5MDE0M1owWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJ
+bnRlcm1lZGlhdGUgQ0EgMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ANpf/x33jRqemvMraI/BDDMGQQDJPuQa4eBwavUvrd/z6ZntxdeqkxM3/0eq88WJ
+97etOkflnE6fjOJB7aR8nYgyrvWKhJ8MGKCz/o7cKohq9S+chpL6e26zWnhnUwsh
+bA1sgBoOHu4GxNLnJMbldL4eLhdVK+WfC6BYzP6/Uzf33JWI9HemWbS4fKJLt2pn
+qoTcKfH514kFTQvziy1SmVftbxGeryijYUTC7G5/nz0L3PcZbRSKpbi2KQI0kLSW
+wcunQkaXz41Z/Rexpiene4pHb/oDJBwSJe401lzaRZgjMOFIyZrfN6obcGyyD5U5
+1m0+JSCoByxIVwyZUsuJCEECAwEAAaOB0DCBzTAdBgNVHQ4EFgQUdVXijuetpd2A
+PckzCyyiV3ftFawwHwYDVR0jBBgwFoAUwxJCuqnYTeDDPrrXR0GmCS9ttOEwEgYD
+VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwMwYDVR0fBCwwKjAooCag
+JIYiaHR0cDovLzEyNy4wLjAuMTo4ODg4L3Jvb3RfY3JsLmRlcjAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6ODg4OC8wDQYJKoZI
+hvcNAQELBQADggEBAB/G/ByhpW128H0oH+EVq4bgw92gF5YKwBYyUjektq0k1/08
+ATQ7qaLqgQXnBl+jr3v6sqnDY4m7DHBI6XPMM2TNs3GI0dGhWiKm7QNGjprAkjdG
+m+U3eKVD1UaZGzRAJ4+V3caaVdlgJY246W7Js+7o8NkR706uHgNwA2Bm/auw9HS2
+J3x6lp2GWF9c0wSrFlcSU1HHk8oLTmcnLbcgeba3jOfD2SVeJWPPk/BuMcDVTwUc
+jRQbatUBtnoJbzjz5eJa5OJC1YqN3u9zJYU846nv9/cjT9MnwjrGwG8qmx7+/DFz
+EOEIYpgrbS/Mq906ZcIAfykYMs2PVqkdhvFeYFU=
+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            27:5e:cf:7e:be:aa:02:b9:a9:c7:42:30:43:fe:0e:80:05:91:dd:0b
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 18:57:57 2023 GMT
+            Not After : Apr 28 18:57:57 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:e2:21:6b:9f:ef:48:b9:de:22:fb:5b:37:09:68:
+                    c7:b5:92:57:52:24:ef:85:00:e8:71:85:4d:0f:5b:
+                    8c:c6:e7:4f:19:f6:e3:0b:70:a3:41:7e:71:d4:0f:
+                    d6:fd:f2:1a:ca:aa:57:91:76:9a:b2:82:62:60:ce:
+                    f2:00:2e:d4:bc:58:d3:60:30:42:a6:28:b2:50:7b:
+                    58:01:9f:fb:0a:65:b0:40:d6:7c:e2:b7:da:8d:19:
+                    d9:a5:51:d2:46:7e:14:46:ab:fa:df:ce:fe:84:08:
+                    98:63:46:1d:4d:8a:77:57:67:da:16:8b:32:0c:7c:
+                    41:e2:a5:ec:ee:7d:20:28:eb:03:5f:f5:e6:05:d8:
+                    8b:96:78:6f:ae:29:9a:50:f7:dc:96:31:86:81:b1:
+                    78:e8:eb:ef:5d:bb:ed:42:ec:94:c6:54:46:ec:05:
+                    6f:1b:0c:36:24:c6:a8:06:7e:5c:56:b8:43:3b:11:
+                    f4:06:0a:05:15:19:3b:1f:c8:67:31:eb:3b:5b:2a:
+                    15:0a:7b:f9:6b:e4:10:ee:44:be:19:d8:db:44:01:
+                    fa:3a:56:f5:6c:4e:f3:60:aa:e4:cd:b2:ad:77:07:
+                    45:ef:f1:d7:f5:fa:52:84:5c:03:4e:72:e0:a9:91:
+                    c5:d9:d6:0a:84:33:98:31:f2:02:5b:3f:10:15:65:
+                    76:d7
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        22:79:1a:b9:5d:fa:f5:c9:a3:88:22:c4:92:e6:64:6d:ce:a5:
+        ae:2e:69:48:6a:9e:d5:11:c5:bb:b0:de:38:1b:5b:04:85:60:
+        d6:64:14:ed:c2:62:02:7d:ad:d2:17:ad:ef:40:27:2b:50:59:
+        4a:ff:88:c6:b3:16:5c:55:30:d9:23:bd:4f:0f:34:b7:7b:ed:
+        7a:e1:f3:39:35:e9:18:6d:70:b1:2b:2a:e2:e5:cd:a1:54:8a:
+        f9:f4:95:81:29:84:3f:95:2f:48:e0:35:3e:d9:cb:84:4d:3d:
+        3e:3c:0e:8d:24:42:5f:19:e6:06:a5:87:ae:ba:af:07:02:e7:
+        6a:83:0a:89:d4:a4:38:ce:05:6e:f6:15:f1:7a:53:bb:50:28:
+        89:51:3f:f2:54:f1:d3:c4:28:07:a1:3e:55:e5:84:b8:df:58:
+        af:c3:e7:81:c2:08:9c:35:e4:c4:86:75:a8:17:99:2c:a6:7f:
+        46:30:9b:23:55:c5:d8:e2:6a:e4:08:a1:8b:dc:bc:5b:86:95:
+        4a:79:fe:a6:93:3d:1a:5b:10:9a:2f:6a:45:2f:5d:c9:fa:95:
+        2e:66:eb:52:df:88:a7:5f:42:8f:5f:46:07:79:8b:a7:49:82:
+        d3:81:c6:3e:c2:5a:15:c4:83:69:30:49:4d:6e:ea:05:1e:d8:
+        dc:29:ac:17
+-----BEGIN CERTIFICATE-----
+MIIDyDCCArCgAwIBAgIUJ17Pfr6qArmpx0IwQ/4OgAWR3QswDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE4
+NTc1N1oXDTMzMDQyODE4NTc1N1owUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdS
+b290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4iFrn+9Iud4i
++1s3CWjHtZJXUiTvhQDocYVND1uMxudPGfbjC3CjQX5x1A/W/fIayqpXkXaasoJi
+YM7yAC7UvFjTYDBCpiiyUHtYAZ/7CmWwQNZ84rfajRnZpVHSRn4URqv6387+hAiY
+Y0YdTYp3V2faFosyDHxB4qXs7n0gKOsDX/XmBdiLlnhvrimaUPfcljGGgbF46Ovv
+XbvtQuyUxlRG7AVvGww2JMaoBn5cVrhDOxH0BgoFFRk7H8hnMes7WyoVCnv5a+QQ
+7kS+GdjbRAH6Olb1bE7zYKrkzbKtdwdF7/HX9fpShFwDTnLgqZHF2dYKhDOYMfIC
+Wz8QFWV21wIDAQABo4GZMIGWMB0GA1UdDgQWBBTDEkK6qdhN4MM+utdHQaYJL220
+4TAfBgNVHSMEGDAWgBTDEkK6qdhN4MM+utdHQaYJL2204TAPBgNVHRMBAf8EBTAD
+AQH/MA4GA1UdDwEB/wQEAwIBhjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vMTI3
+LjAuMC4xOjg4ODgvcm9vdF9jcmwuZGVyMA0GCSqGSIb3DQEBCwUAA4IBAQAieRq5
+Xfr1yaOIIsSS5mRtzqWuLmlIap7VEcW7sN44G1sEhWDWZBTtwmICfa3SF63vQCcr
+UFlK/4jGsxZcVTDZI71PDzS3e+164fM5NekYbXCxKyri5c2hVIr59JWBKYQ/lS9I
+4DU+2cuETT0+PA6NJEJfGeYGpYeuuq8HAudqgwqJ1KQ4zgVu9hXxelO7UCiJUT/y
+VPHTxCgHoT5V5YS431ivw+eBwgicNeTEhnWoF5kspn9GMJsjVcXY4mrkCKGL3Lxb
+hpVKef6mkz0aWxCaL2pFL13J+pUuZutS34inX0KPX0YHeYunSYLTgcY+wloVxINp
+MElNbuoFHtjcKawX
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/ocsp1/ocsp1_bundle.pem b/test/configs/certs/ocsp_peer/mini-ca/ocsp1/ocsp1_bundle.pem
new file mode 100644
index 000000000..760eb22ec
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/ocsp1/ocsp1_bundle.pem
@@ -0,0 +1,181 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            29:e1:52:8d:fd:a5:2a:87:eb:1d:e4:1d:47:6c:e1:8a:58:69:73:ab
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 1
+        Validity
+            Not Before: May  1 19:28:39 2023 GMT
+            Not After : Apr 28 19:28:39 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=OCSP Responder
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:a3:0c:ca:eb:80:eb:a1:0e:1e:71:9b:d3:b3:f9:
+                    65:ce:70:c2:21:06:3c:31:c1:06:7e:a5:a8:4a:e1:
+                    21:a3:74:54:9f:57:ce:50:d6:c3:29:3c:43:b0:9d:
+                    3e:54:94:ee:8d:fa:0d:71:6c:df:5e:9e:01:30:79:
+                    6c:bb:97:5d:af:bb:5b:05:77:72:9f:55:e6:66:45:
+                    f4:e2:c2:cf:7b:0e:58:d6:14:6a:76:29:ac:e3:30:
+                    28:0d:ee:bd:ca:aa:ae:1f:1e:ef:40:f3:c3:ab:17:
+                    f2:d7:ec:0d:e1:fb:68:9a:09:83:99:11:58:42:94:
+                    f8:0d:d4:9a:6f:9f:3b:e8:56:f0:a9:b7:18:1a:91:
+                    41:7c:43:e3:db:b1:01:f1:ad:0b:39:d7:65:98:e6:
+                    15:b0:17:a9:56:6e:fb:84:7a:c0:cc:67:75:fc:f6:
+                    75:84:31:78:c5:6d:51:8f:d0:19:d3:16:4f:87:ef:
+                    5b:33:b9:7a:dd:fe:5f:a8:6a:fd:44:54:00:f3:a4:
+                    a6:5b:fd:3b:65:38:4f:82:4f:b9:c4:bd:c9:9a:56:
+                    fc:54:f1:58:2f:cb:ee:f4:08:fd:b7:ec:ad:28:08:
+                    66:9b:f8:78:98:32:db:b1:56:dd:0e:31:ba:c6:e3:
+                    56:f5:02:2f:fb:76:28:bb:c4:8b:f3:6b:da:aa:1d:
+                    38:21
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                CB:5E:50:60:7A:AB:2F:A9:3B:1E:24:AB:02:42:8D:EC:81:60:48:13
+            X509v3 Authority Key Identifier: 
+                B5:91:6E:4F:64:B7:16:84:76:F9:B4:BE:99:CE:60:95:98:1A:8E:9D
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Key Usage: critical
+                Digital Signature
+            X509v3 Extended Key Usage: critical
+                OCSP Signing
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:18888/intermediate1_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:18888/
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        48:65:ce:6d:91:46:30:37:b6:f2:76:c0:42:e3:f5:ee:e9:32:
+        0e:46:b5:d5:9d:ac:b0:f2:23:f5:35:a8:1c:61:66:81:c0:0d:
+        bc:a4:bb:b5:be:47:58:8b:f1:d1:5f:73:83:d2:99:da:3e:a3:
+        0b:32:81:96:a4:bd:a8:57:8e:fe:3d:c4:93:57:ef:05:77:60:
+        c9:88:1c:2e:25:7e:ea:c8:95:8d:a6:4a:73:e5:bb:6c:c4:3b:
+        01:03:90:8d:12:f5:69:13:c5:79:87:ae:45:cb:49:c8:90:24:
+        39:30:cf:27:ba:31:1e:5f:5b:e0:0f:93:82:66:28:33:dc:e3:
+        a1:a8:fc:ad:40:d0:48:31:63:fb:a0:6a:13:18:b1:8b:59:bb:
+        ef:96:f8:83:98:6c:4a:18:37:1a:02:ad:c2:42:1d:7e:1c:dc:
+        4a:77:b7:f5:ae:97:3e:17:e8:35:96:85:a0:e4:30:c5:03:0b:
+        62:55:13:c1:3f:df:15:1b:c3:45:f7:69:d6:5e:f5:77:fc:4f:
+        e8:28:3b:3e:f0:2c:20:22:81:72:a3:d6:1b:d1:52:63:86:21:
+        22:06:7a:5b:f4:2a:c7:e5:b9:97:ac:1b:56:b5:4c:62:e9:f9:
+        6f:49:5f:43:3d:9c:e6:85:3a:f8:c9:4c:33:fd:e9:aa:88:8e:
+        cf:28:5c:69
+-----BEGIN CERTIFICATE-----
+MIIELTCCAxWgAwIBAgIUKeFSjf2lKofrHeQdR2zhilhpc6swDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJbnRlcm1lZGlhdGUgQ0EgMTAe
+Fw0yMzA1MDExOTI4MzlaFw0zMzA0MjgxOTI4MzlaMFcxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJXQTEPMA0GA1UEBwwGVGFjb21hMREwDwYDVQQKDAhUZXN0bmF0czEX
+MBUGA1UEAwwOT0NTUCBSZXNwb25kZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCjDMrrgOuhDh5xm9Oz+WXOcMIhBjwxwQZ+pahK4SGjdFSfV85Q1sMp
+PEOwnT5UlO6N+g1xbN9engEweWy7l12vu1sFd3KfVeZmRfTiws97DljWFGp2Kazj
+MCgN7r3Kqq4fHu9A88OrF/LX7A3h+2iaCYOZEVhClPgN1JpvnzvoVvCptxgakUF8
+Q+PbsQHxrQs512WY5hWwF6lWbvuEesDMZ3X89nWEMXjFbVGP0BnTFk+H71szuXrd
+/l+oav1EVADzpKZb/TtlOE+CT7nEvcmaVvxU8Vgvy+70CP237K0oCGab+HiYMtux
+Vt0OMbrG41b1Ai/7dii7xIvza9qqHTghAgMBAAGjge0wgeowHQYDVR0OBBYEFMte
+UGB6qy+pOx4kqwJCjeyBYEgTMB8GA1UdIwQYMBaAFLWRbk9ktxaEdvm0vpnOYJWY
+Go6dMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMBYGA1UdJQEB/wQMMAoG
+CCsGAQUFBwMJMD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6Ly8xMjcuMC4wLjE6MTg4
+ODgvaW50ZXJtZWRpYXRlMV9jcmwuZGVyMDMGCCsGAQUFBwEBBCcwJTAjBggrBgEF
+BQcwAYYXaHR0cDovLzEyNy4wLjAuMToxODg4OC8wDQYJKoZIhvcNAQELBQADggEB
+AEhlzm2RRjA3tvJ2wELj9e7pMg5GtdWdrLDyI/U1qBxhZoHADbyku7W+R1iL8dFf
+c4PSmdo+owsygZakvahXjv49xJNX7wV3YMmIHC4lfurIlY2mSnPlu2zEOwEDkI0S
+9WkTxXmHrkXLSciQJDkwzye6MR5fW+APk4JmKDPc46Go/K1A0EgxY/ugahMYsYtZ
+u++W+IOYbEoYNxoCrcJCHX4c3Ep3t/Wulz4X6DWWhaDkMMUDC2JVE8E/3xUbw0X3
+adZe9Xf8T+goOz7wLCAigXKj1hvRUmOGISIGelv0KsfluZesG1a1TGLp+W9JX0M9
+nOaFOvjJTDP96aqIjs8oXGk=
+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            55:57:db:45:43:06:ce:52:63:59:b9:5a:26:78:fd:0d:94:68:95:9c
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 19:01:15 2023 GMT
+            Not After : Apr 28 19:01:15 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:bc:c6:84:2d:c2:ab:5d:05:d7:65:a8:e2:15:74:
+                    d8:f2:f1:55:11:45:93:96:4c:a5:dc:cb:44:f5:f4:
+                    14:7e:46:02:59:e8:ae:78:59:69:21:58:f7:16:38:
+                    b9:c2:c2:60:d8:76:ab:a1:39:ba:0b:a3:03:17:e4:
+                    a1:cb:5d:1a:0c:62:71:24:64:b0:00:f0:6f:4c:af:
+                    08:62:8c:dc:4f:e0:d7:d4:55:2c:db:36:fc:a9:aa:
+                    d7:58:27:e4:99:cb:dc:29:d9:ea:35:16:cb:2e:be:
+                    04:b2:82:58:f4:e5:5c:07:db:12:8e:e3:3c:9a:5e:
+                    90:4b:c5:a3:d4:21:96:5f:e1:8f:f7:cb:9e:db:e0:
+                    10:a0:6c:a2:1e:30:17:6c:32:9f:7b:43:a4:9f:d3:
+                    6b:33:1b:18:cd:a4:ad:33:48:a3:98:b0:2b:c8:22:
+                    74:17:71:d8:f1:64:21:55:e1:33:bc:7f:74:5f:a5:
+                    a6:a2:9b:58:2f:db:ed:c7:c1:e5:36:2e:86:26:ad:
+                    c6:fe:b8:00:85:6e:7c:ed:fd:4a:c6:a0:d9:b2:3f:
+                    4e:bd:fa:08:52:c8:5d:31:13:86:bd:3f:ec:7a:d8:
+                    3a:15:e2:71:af:ec:00:88:7e:a6:e8:e1:9d:ab:57:
+                    5a:8a:1f:f8:e2:4d:29:58:53:79:25:f0:9e:d9:18:
+                    40:27
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                B5:91:6E:4F:64:B7:16:84:76:F9:B4:BE:99:CE:60:95:98:1A:8E:9D
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:8888/
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        b1:48:16:3b:d7:91:d0:4d:54:09:cb:ab:c7:41:4f:35:12:8b:
+        a6:e8:84:11:49:a9:04:91:41:25:7c:02:38:b2:19:a0:e9:2e:
+        d5:d6:7a:26:c1:1a:f8:f1:c6:51:92:68:af:c8:6e:5b:df:28:
+        40:b8:99:94:d5:43:7d:e3:68:75:94:26:56:11:21:9e:50:b3:
+        36:7b:f8:5f:33:76:64:71:04:26:2b:bb:2c:83:33:89:ba:74:
+        c1:e9:9d:eb:c0:86:4b:4d:6f:f8:4d:55:5a:3d:f6:55:95:33:
+        0f:b8:f0:53:2b:93:a6:da:8d:5c:1a:e8:30:22:55:67:44:6e:
+        17:c4:57:05:0d:ce:fc:61:dd:b1:3c:b0:66:55:f4:42:d0:ce:
+        94:7d:6a:82:bd:32:ed:2f:21:ff:c7:70:ff:48:9d:10:4a:71:
+        be:a8:37:e5:0f:f4:79:1e:7d:a2:f1:6a:6b:2c:e8:03:20:ce:
+        80:94:d2:38:80:bc:7e:56:c5:77:62:94:c0:b7:40:11:4d:ba:
+        98:4b:2e:52:03:66:68:36:ab:d1:0f:3e:b5:92:a3:95:9d:a4:
+        ea:d3:8a:14:41:6d:86:24:89:aa:d7:29:20:c8:52:d5:bf:8d:
+        3b:09:52:dd:89:8c:2c:85:40:b5:9f:cc:47:63:ca:3a:e0:c9:
+        91:5c:43:a9
+-----BEGIN CERTIFICATE-----
+MIIECTCCAvGgAwIBAgIUVVfbRUMGzlJjWblaJnj9DZRolZwwDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE5
+MDExNVoXDTMzMDQyODE5MDExNVowWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJ
+bnRlcm1lZGlhdGUgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALzGhC3Cq10F12Wo4hV02PLxVRFFk5ZMpdzLRPX0FH5GAlnornhZaSFY9xY4ucLC
+YNh2q6E5ugujAxfkoctdGgxicSRksADwb0yvCGKM3E/g19RVLNs2/Kmq11gn5JnL
+3CnZ6jUWyy6+BLKCWPTlXAfbEo7jPJpekEvFo9Qhll/hj/fLntvgEKBsoh4wF2wy
+n3tDpJ/TazMbGM2krTNIo5iwK8gidBdx2PFkIVXhM7x/dF+lpqKbWC/b7cfB5TYu
+hiatxv64AIVufO39Ssag2bI/Tr36CFLIXTEThr0/7HrYOhXica/sAIh+pujhnatX
+Woof+OJNKVhTeSXwntkYQCcCAwEAAaOB0DCBzTAdBgNVHQ4EFgQUtZFuT2S3FoR2
++bS+mc5glZgajp0wHwYDVR0jBBgwFoAUwxJCuqnYTeDDPrrXR0GmCS9ttOEwEgYD
+VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwMwYDVR0fBCwwKjAooCag
+JIYiaHR0cDovLzEyNy4wLjAuMTo4ODg4L3Jvb3RfY3JsLmRlcjAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6ODg4OC8wDQYJKoZI
+hvcNAQELBQADggEBALFIFjvXkdBNVAnLq8dBTzUSi6bohBFJqQSRQSV8AjiyGaDp
+LtXWeibBGvjxxlGSaK/IblvfKEC4mZTVQ33jaHWUJlYRIZ5QszZ7+F8zdmRxBCYr
+uyyDM4m6dMHpnevAhktNb/hNVVo99lWVMw+48FMrk6bajVwa6DAiVWdEbhfEVwUN
+zvxh3bE8sGZV9ELQzpR9aoK9Mu0vIf/HcP9InRBKcb6oN+UP9HkefaLxamss6AMg
+zoCU0jiAvH5WxXdilMC3QBFNuphLLlIDZmg2q9EPPrWSo5WdpOrTihRBbYYkiarX
+KSDIUtW/jTsJUt2JjCyFQLWfzEdjyjrgyZFcQ6k=
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/ocsp1/ocsp1_cert.pem b/test/configs/certs/ocsp_peer/mini-ca/ocsp1/ocsp1_cert.pem
new file mode 100644
index 000000000..218a28e9a
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/ocsp1/ocsp1_cert.pem
@@ -0,0 +1,92 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            29:e1:52:8d:fd:a5:2a:87:eb:1d:e4:1d:47:6c:e1:8a:58:69:73:ab
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 1
+        Validity
+            Not Before: May  1 19:28:39 2023 GMT
+            Not After : Apr 28 19:28:39 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=OCSP Responder
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:a3:0c:ca:eb:80:eb:a1:0e:1e:71:9b:d3:b3:f9:
+                    65:ce:70:c2:21:06:3c:31:c1:06:7e:a5:a8:4a:e1:
+                    21:a3:74:54:9f:57:ce:50:d6:c3:29:3c:43:b0:9d:
+                    3e:54:94:ee:8d:fa:0d:71:6c:df:5e:9e:01:30:79:
+                    6c:bb:97:5d:af:bb:5b:05:77:72:9f:55:e6:66:45:
+                    f4:e2:c2:cf:7b:0e:58:d6:14:6a:76:29:ac:e3:30:
+                    28:0d:ee:bd:ca:aa:ae:1f:1e:ef:40:f3:c3:ab:17:
+                    f2:d7:ec:0d:e1:fb:68:9a:09:83:99:11:58:42:94:
+                    f8:0d:d4:9a:6f:9f:3b:e8:56:f0:a9:b7:18:1a:91:
+                    41:7c:43:e3:db:b1:01:f1:ad:0b:39:d7:65:98:e6:
+                    15:b0:17:a9:56:6e:fb:84:7a:c0:cc:67:75:fc:f6:
+                    75:84:31:78:c5:6d:51:8f:d0:19:d3:16:4f:87:ef:
+                    5b:33:b9:7a:dd:fe:5f:a8:6a:fd:44:54:00:f3:a4:
+                    a6:5b:fd:3b:65:38:4f:82:4f:b9:c4:bd:c9:9a:56:
+                    fc:54:f1:58:2f:cb:ee:f4:08:fd:b7:ec:ad:28:08:
+                    66:9b:f8:78:98:32:db:b1:56:dd:0e:31:ba:c6:e3:
+                    56:f5:02:2f:fb:76:28:bb:c4:8b:f3:6b:da:aa:1d:
+                    38:21
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                CB:5E:50:60:7A:AB:2F:A9:3B:1E:24:AB:02:42:8D:EC:81:60:48:13
+            X509v3 Authority Key Identifier: 
+                B5:91:6E:4F:64:B7:16:84:76:F9:B4:BE:99:CE:60:95:98:1A:8E:9D
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Key Usage: critical
+                Digital Signature
+            X509v3 Extended Key Usage: critical
+                OCSP Signing
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:18888/intermediate1_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:18888/
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        48:65:ce:6d:91:46:30:37:b6:f2:76:c0:42:e3:f5:ee:e9:32:
+        0e:46:b5:d5:9d:ac:b0:f2:23:f5:35:a8:1c:61:66:81:c0:0d:
+        bc:a4:bb:b5:be:47:58:8b:f1:d1:5f:73:83:d2:99:da:3e:a3:
+        0b:32:81:96:a4:bd:a8:57:8e:fe:3d:c4:93:57:ef:05:77:60:
+        c9:88:1c:2e:25:7e:ea:c8:95:8d:a6:4a:73:e5:bb:6c:c4:3b:
+        01:03:90:8d:12:f5:69:13:c5:79:87:ae:45:cb:49:c8:90:24:
+        39:30:cf:27:ba:31:1e:5f:5b:e0:0f:93:82:66:28:33:dc:e3:
+        a1:a8:fc:ad:40:d0:48:31:63:fb:a0:6a:13:18:b1:8b:59:bb:
+        ef:96:f8:83:98:6c:4a:18:37:1a:02:ad:c2:42:1d:7e:1c:dc:
+        4a:77:b7:f5:ae:97:3e:17:e8:35:96:85:a0:e4:30:c5:03:0b:
+        62:55:13:c1:3f:df:15:1b:c3:45:f7:69:d6:5e:f5:77:fc:4f:
+        e8:28:3b:3e:f0:2c:20:22:81:72:a3:d6:1b:d1:52:63:86:21:
+        22:06:7a:5b:f4:2a:c7:e5:b9:97:ac:1b:56:b5:4c:62:e9:f9:
+        6f:49:5f:43:3d:9c:e6:85:3a:f8:c9:4c:33:fd:e9:aa:88:8e:
+        cf:28:5c:69
+-----BEGIN CERTIFICATE-----
+MIIELTCCAxWgAwIBAgIUKeFSjf2lKofrHeQdR2zhilhpc6swDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJbnRlcm1lZGlhdGUgQ0EgMTAe
+Fw0yMzA1MDExOTI4MzlaFw0zMzA0MjgxOTI4MzlaMFcxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJXQTEPMA0GA1UEBwwGVGFjb21hMREwDwYDVQQKDAhUZXN0bmF0czEX
+MBUGA1UEAwwOT0NTUCBSZXNwb25kZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCjDMrrgOuhDh5xm9Oz+WXOcMIhBjwxwQZ+pahK4SGjdFSfV85Q1sMp
+PEOwnT5UlO6N+g1xbN9engEweWy7l12vu1sFd3KfVeZmRfTiws97DljWFGp2Kazj
+MCgN7r3Kqq4fHu9A88OrF/LX7A3h+2iaCYOZEVhClPgN1JpvnzvoVvCptxgakUF8
+Q+PbsQHxrQs512WY5hWwF6lWbvuEesDMZ3X89nWEMXjFbVGP0BnTFk+H71szuXrd
+/l+oav1EVADzpKZb/TtlOE+CT7nEvcmaVvxU8Vgvy+70CP237K0oCGab+HiYMtux
+Vt0OMbrG41b1Ai/7dii7xIvza9qqHTghAgMBAAGjge0wgeowHQYDVR0OBBYEFMte
+UGB6qy+pOx4kqwJCjeyBYEgTMB8GA1UdIwQYMBaAFLWRbk9ktxaEdvm0vpnOYJWY
+Go6dMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMBYGA1UdJQEB/wQMMAoG
+CCsGAQUFBwMJMD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6Ly8xMjcuMC4wLjE6MTg4
+ODgvaW50ZXJtZWRpYXRlMV9jcmwuZGVyMDMGCCsGAQUFBwEBBCcwJTAjBggrBgEF
+BQcwAYYXaHR0cDovLzEyNy4wLjAuMToxODg4OC8wDQYJKoZIhvcNAQELBQADggEB
+AEhlzm2RRjA3tvJ2wELj9e7pMg5GtdWdrLDyI/U1qBxhZoHADbyku7W+R1iL8dFf
+c4PSmdo+owsygZakvahXjv49xJNX7wV3YMmIHC4lfurIlY2mSnPlu2zEOwEDkI0S
+9WkTxXmHrkXLSciQJDkwzye6MR5fW+APk4JmKDPc46Go/K1A0EgxY/ugahMYsYtZ
+u++W+IOYbEoYNxoCrcJCHX4c3Ep3t/Wulz4X6DWWhaDkMMUDC2JVE8E/3xUbw0X3
+adZe9Xf8T+goOz7wLCAigXKj1hvRUmOGISIGelv0KsfluZesG1a1TGLp+W9JX0M9
+nOaFOvjJTDP96aqIjs8oXGk=
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/ocsp1/private/ocsp1_keypair.pem b/test/configs/certs/ocsp_peer/mini-ca/ocsp1/private/ocsp1_keypair.pem
new file mode 100644
index 000000000..13b6dbe96
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/ocsp1/private/ocsp1_keypair.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCjDMrrgOuhDh5x
+m9Oz+WXOcMIhBjwxwQZ+pahK4SGjdFSfV85Q1sMpPEOwnT5UlO6N+g1xbN9engEw
+eWy7l12vu1sFd3KfVeZmRfTiws97DljWFGp2KazjMCgN7r3Kqq4fHu9A88OrF/LX
+7A3h+2iaCYOZEVhClPgN1JpvnzvoVvCptxgakUF8Q+PbsQHxrQs512WY5hWwF6lW
+bvuEesDMZ3X89nWEMXjFbVGP0BnTFk+H71szuXrd/l+oav1EVADzpKZb/TtlOE+C
+T7nEvcmaVvxU8Vgvy+70CP237K0oCGab+HiYMtuxVt0OMbrG41b1Ai/7dii7xIvz
+a9qqHTghAgMBAAECggEAE++sPxPuG6zzhX4hakvYCiAo6GtQAGBi6CjetTsmRwti
+DnKoyCMeTUQwXZ+4X5SvP35f1urSPAozSIdMR3qoSqSsqjQy+G8DIyWyHejmgBwe
+uhxYcRbC7Ct29k8m9ykb7bO1WtqDZf/hYkvbXbKFFXKM2/IuOcPnuZ8xe+z7IPsQ
+ODHnrQs45wQyi2i2/+AbvEJjb3bb3oS8MfoZfvO8F06ejTOmv/ATZSxX0T6ppCPj
+HdmKqKDXlYQNA/LQeM4cs2FaQH170R1vGHppDjcs2ezqElB7/HKfKWeEn0Eytu9E
+eWw9tZteisnzfqEvDMgOM2eWwAzfIhXSQYMWlVBicQKBgQC6MPaLd4r82BBMj7qx
+ChdBxB7LXptvx/q3SrMjZ6GKmrGdXMbsos50XexajktBqkXfUMa8hGqmlciN5xL1
++w//p7oSzb3VorOyHVXZpc8p79eUeX8ONcwySOYwO+CpqFBBDlvPn1OuPnlUL1pv
+IgCMT66flWJxRklDMIJsHr+iWQKBgQDgLq3I2cj4q+3121ECPXKLt+VCHUY0aygc
+tl6lvQw61UnmyLQ+k53/MmyPGGCxIFr18DsoKeWYwt3kWTW0MCDrQuO6PZkB268v
+gdsmN3nhAKiR0gUwJDrFjpPWr0GAhw9LE7HqpvkQ3fG5YSnXTUibhm6smHg7dzVL
+ER+QJ+Y7CQKBgHIDN4WRjy9jEx/+x0BPwIwKDx1TcnURjQoeGPHuLHJWZbrJrBoN
+W8TQGsIc7iJopN6pdPjNUQ1vHN8gB3FO6q4PRBbtm3gtaEICSqa7LM8uSeFmQJIw
+CTklgKc6k0jwgyxDIZ9SnghNwzf0wzjYJmPFC1Y3QI/CjWwyUTrp3UkJAoGBANHc
+IKcS6MWQ/RPYGP+F0kLlBWJc0Smk3knylquES3yPybyXSdQCkDcjVuilo25soXn1
+RwuUHPBiCyIGOPXS0B4r4c6odyF8K4THhQVDjX6KBUNsXZrxb2scy1x/d0wAItrf
+NwA5CpM1kWE+idKY8E1XDSfZG0Rfla4N+4QRNb8xAoGAQrVe80TpPpzDH846xaPF
+BAhjKz7dRrUQ1n7ZI6yw8I5bU2ky9jSF3PRsDismM23aNbYhIgjcYv0tG0LMlWLV
+2eIrU9OoA7aepDPozyhEkENaWqYXX/T8AjD+Kaw7XJnt/NX8eS0RF2qgDA/HEwWw
+uf1ecRqpjZ9cxNGLZ+/pOkM=
+-----END PRIVATE KEY-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/ocsp2/ocsp2_bundle.pem b/test/configs/certs/ocsp_peer/mini-ca/ocsp2/ocsp2_bundle.pem
new file mode 100644
index 000000000..2d3f2d020
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/ocsp2/ocsp2_bundle.pem
@@ -0,0 +1,181 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            7b:97:35:73:2b:2b:5f:74:c6:43:83:8f:ae:65:5b:a0:f5:f4:ff:1f
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 2
+        Validity
+            Not Before: May  1 19:29:28 2023 GMT
+            Not After : Apr 28 19:29:28 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=OCSP Responder 2
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:b8:98:3d:03:4d:5e:b2:66:5e:51:3b:f9:3d:f2:
+                    7a:24:6b:70:5c:2f:7a:05:b2:51:77:62:45:e7:33:
+                    75:77:db:31:6f:2d:13:32:cd:d3:a0:03:84:ee:f9:
+                    2b:81:9d:e5:c9:ba:e2:25:c9:a7:18:2b:fd:f1:95:
+                    ad:d3:46:90:d9:7b:7f:39:2d:85:b4:70:7c:72:44:
+                    99:fb:df:9f:22:4c:81:77:35:bb:fe:41:7f:86:f5:
+                    c7:29:53:7c:ee:d4:cc:09:54:fa:cc:b1:4d:4b:c2:
+                    c7:c7:3e:1a:13:59:66:36:31:ae:60:1b:6a:05:b0:
+                    5b:64:96:77:9d:74:cc:42:6e:13:d1:21:83:94:8e:
+                    6c:4c:d8:42:57:94:17:ff:26:d4:d1:2f:64:58:b5:
+                    47:1a:22:38:69:bf:c0:5a:9c:c3:88:01:0a:1d:f7:
+                    d8:68:88:7c:57:5d:44:c4:71:d0:66:8d:1c:39:e0:
+                    af:e8:f7:ce:51:60:7c:1d:b7:d5:e7:b5:3e:6a:a5:
+                    2b:46:c3:4e:b9:ef:de:bd:a6:be:e2:66:79:a9:6a:
+                    0d:c1:b2:e7:5e:03:9d:de:dd:41:b9:c9:80:2c:bd:
+                    6d:1f:09:5f:4e:25:e7:ac:ff:23:47:8f:5f:74:69:
+                    be:81:42:5c:e6:1a:f7:65:1f:eb:a1:d0:69:6f:be:
+                    7e:89
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                E4:4D:EE:6A:A3:30:91:37:3E:5C:1D:BD:26:96:5F:FF:DB:D3:E2:15
+            X509v3 Authority Key Identifier: 
+                75:55:E2:8E:E7:AD:A5:DD:80:3D:C9:33:0B:2C:A2:57:77:ED:15:AC
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Key Usage: critical
+                Digital Signature
+            X509v3 Extended Key Usage: critical
+                OCSP Signing
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:28888/intermediate2_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:28888/
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        6c:d6:fa:8f:6f:c9:0a:99:0b:ee:6c:27:1f:75:52:b8:82:33:
+        41:fe:01:a1:f8:c5:24:4e:9e:3b:e2:89:0f:01:2b:8e:c4:76:
+        fb:d9:75:5a:b2:9c:e0:36:8d:fd:90:9f:28:92:1b:a3:74:fd:
+        c5:39:28:51:06:ab:95:f7:64:95:e8:7b:d9:97:35:33:97:05:
+        38:87:e6:e6:d7:a5:0b:a1:11:0c:b7:8b:76:b8:a9:46:33:ba:
+        50:b3:3b:96:90:65:4b:ea:14:20:c9:f7:0d:8d:5e:89:c6:78:
+        e3:0b:4f:d2:db:10:46:8a:c4:81:6f:20:13:30:83:a8:45:4d:
+        2b:ef:f0:ce:18:a7:96:fc:b9:67:79:e9:a9:f0:2f:b2:33:1c:
+        83:cf:a3:4b:df:fd:c5:58:ae:87:83:d9:be:22:85:58:41:f5:
+        a0:a2:2d:56:98:40:12:78:c5:43:b0:50:34:0f:6c:0b:52:ad:
+        68:e1:7a:9e:c1:54:58:bf:b4:f1:c5:3b:bf:97:e4:f9:44:09:
+        f5:c7:67:7d:dc:3d:ea:a9:9f:0f:3a:aa:9c:4a:c1:ef:a1:52:
+        25:e4:57:22:d6:af:c6:c9:c8:02:91:4b:ec:a2:d6:ba:b5:bf:
+        ed:22:7c:b2:71:6c:78:f4:ba:e4:b9:b7:1f:11:65:d4:4f:77:
+        4d:ef:b5:43
+-----BEGIN CERTIFICATE-----
+MIIELzCCAxegAwIBAgIUe5c1cysrX3TGQ4OPrmVboPX0/x8wDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJbnRlcm1lZGlhdGUgQ0EgMjAe
+Fw0yMzA1MDExOTI5MjhaFw0zMzA0MjgxOTI5MjhaMFkxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJXQTEPMA0GA1UEBwwGVGFjb21hMREwDwYDVQQKDAhUZXN0bmF0czEZ
+MBcGA1UEAwwQT0NTUCBSZXNwb25kZXIgMjCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALiYPQNNXrJmXlE7+T3yeiRrcFwvegWyUXdiReczdXfbMW8tEzLN
+06ADhO75K4Gd5cm64iXJpxgr/fGVrdNGkNl7fzkthbRwfHJEmfvfnyJMgXc1u/5B
+f4b1xylTfO7UzAlU+syxTUvCx8c+GhNZZjYxrmAbagWwW2SWd510zEJuE9Ehg5SO
+bEzYQleUF/8m1NEvZFi1RxoiOGm/wFqcw4gBCh332GiIfFddRMRx0GaNHDngr+j3
+zlFgfB231ee1PmqlK0bDTrnv3r2mvuJmealqDcGy514Dnd7dQbnJgCy9bR8JX04l
+56z/I0ePX3RpvoFCXOYa92Uf66HQaW++fokCAwEAAaOB7TCB6jAdBgNVHQ4EFgQU
+5E3uaqMwkTc+XB29JpZf/9vT4hUwHwYDVR0jBBgwFoAUdVXijuetpd2APckzCyyi
+V3ftFawwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwFgYDVR0lAQH/BAww
+CgYIKwYBBQUHAwkwPQYDVR0fBDYwNDAyoDCgLoYsaHR0cDovLzEyNy4wLjAuMToy
+ODg4OC9pbnRlcm1lZGlhdGUyX2NybC5kZXIwMwYIKwYBBQUHAQEEJzAlMCMGCCsG
+AQUFBzABhhdodHRwOi8vMTI3LjAuMC4xOjI4ODg4LzANBgkqhkiG9w0BAQsFAAOC
+AQEAbNb6j2/JCpkL7mwnH3VSuIIzQf4BofjFJE6eO+KJDwErjsR2+9l1WrKc4DaN
+/ZCfKJIbo3T9xTkoUQarlfdkleh72Zc1M5cFOIfm5telC6ERDLeLdripRjO6ULM7
+lpBlS+oUIMn3DY1eicZ44wtP0tsQRorEgW8gEzCDqEVNK+/wzhinlvy5Z3npqfAv
+sjMcg8+jS9/9xViuh4PZviKFWEH1oKItVphAEnjFQ7BQNA9sC1KtaOF6nsFUWL+0
+8cU7v5fk+UQJ9cdnfdw96qmfDzqqnErB76FSJeRXItavxsnIApFL7KLWurW/7SJ8
+snFsePS65Lm3HxFl1E93Te+1Qw==
+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            3c:d7:16:fb:15:99:81:4e:53:f8:80:7c:b6:7c:77:a6:06:a4:3e:ea
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 19:01:43 2023 GMT
+            Not After : Apr 28 19:01:43 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 2
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:da:5f:ff:1d:f7:8d:1a:9e:9a:f3:2b:68:8f:c1:
+                    0c:33:06:41:00:c9:3e:e4:1a:e1:e0:70:6a:f5:2f:
+                    ad:df:f3:e9:99:ed:c5:d7:aa:93:13:37:ff:47:aa:
+                    f3:c5:89:f7:b7:ad:3a:47:e5:9c:4e:9f:8c:e2:41:
+                    ed:a4:7c:9d:88:32:ae:f5:8a:84:9f:0c:18:a0:b3:
+                    fe:8e:dc:2a:88:6a:f5:2f:9c:86:92:fa:7b:6e:b3:
+                    5a:78:67:53:0b:21:6c:0d:6c:80:1a:0e:1e:ee:06:
+                    c4:d2:e7:24:c6:e5:74:be:1e:2e:17:55:2b:e5:9f:
+                    0b:a0:58:cc:fe:bf:53:37:f7:dc:95:88:f4:77:a6:
+                    59:b4:b8:7c:a2:4b:b7:6a:67:aa:84:dc:29:f1:f9:
+                    d7:89:05:4d:0b:f3:8b:2d:52:99:57:ed:6f:11:9e:
+                    af:28:a3:61:44:c2:ec:6e:7f:9f:3d:0b:dc:f7:19:
+                    6d:14:8a:a5:b8:b6:29:02:34:90:b4:96:c1:cb:a7:
+                    42:46:97:cf:8d:59:fd:17:b1:a6:27:a7:7b:8a:47:
+                    6f:fa:03:24:1c:12:25:ee:34:d6:5c:da:45:98:23:
+                    30:e1:48:c9:9a:df:37:aa:1b:70:6c:b2:0f:95:39:
+                    d6:6d:3e:25:20:a8:07:2c:48:57:0c:99:52:cb:89:
+                    08:41
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                75:55:E2:8E:E7:AD:A5:DD:80:3D:C9:33:0B:2C:A2:57:77:ED:15:AC
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:8888/
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        1f:c6:fc:1c:a1:a5:6d:76:f0:7d:28:1f:e1:15:ab:86:e0:c3:
+        dd:a0:17:96:0a:c0:16:32:52:37:a4:b6:ad:24:d7:fd:3c:01:
+        34:3b:a9:a2:ea:81:05:e7:06:5f:a3:af:7b:fa:b2:a9:c3:63:
+        89:bb:0c:70:48:e9:73:cc:33:64:cd:b3:71:88:d1:d1:a1:5a:
+        22:a6:ed:03:46:8e:9a:c0:92:37:46:9b:e5:37:78:a5:43:d5:
+        46:99:1b:34:40:27:8f:95:dd:c6:9a:55:d9:60:25:8d:b8:e9:
+        6e:c9:b3:ee:e8:f0:d9:11:ef:4e:ae:1e:03:70:03:60:66:fd:
+        ab:b0:f4:74:b6:27:7c:7a:96:9d:86:58:5f:5c:d3:04:ab:16:
+        57:12:53:51:c7:93:ca:0b:4e:67:27:2d:b7:20:79:b6:b7:8c:
+        e7:c3:d9:25:5e:25:63:cf:93:f0:6e:31:c0:d5:4f:05:1c:8d:
+        14:1b:6a:d5:01:b6:7a:09:6f:38:f3:e5:e2:5a:e4:e2:42:d5:
+        8a:8d:de:ef:73:25:85:3c:e3:a9:ef:f7:f7:23:4f:d3:27:c2:
+        3a:c6:c0:6f:2a:9b:1e:fe:fc:31:73:10:e1:08:62:98:2b:6d:
+        2f:cc:ab:dd:3a:65:c2:00:7f:29:18:32:cd:8f:56:a9:1d:86:
+        f1:5e:60:55
+-----BEGIN CERTIFICATE-----
+MIIECTCCAvGgAwIBAgIUPNcW+xWZgU5T+IB8tnx3pgakPuowDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE5
+MDE0M1oXDTMzMDQyODE5MDE0M1owWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJ
+bnRlcm1lZGlhdGUgQ0EgMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ANpf/x33jRqemvMraI/BDDMGQQDJPuQa4eBwavUvrd/z6ZntxdeqkxM3/0eq88WJ
+97etOkflnE6fjOJB7aR8nYgyrvWKhJ8MGKCz/o7cKohq9S+chpL6e26zWnhnUwsh
+bA1sgBoOHu4GxNLnJMbldL4eLhdVK+WfC6BYzP6/Uzf33JWI9HemWbS4fKJLt2pn
+qoTcKfH514kFTQvziy1SmVftbxGeryijYUTC7G5/nz0L3PcZbRSKpbi2KQI0kLSW
+wcunQkaXz41Z/Rexpiene4pHb/oDJBwSJe401lzaRZgjMOFIyZrfN6obcGyyD5U5
+1m0+JSCoByxIVwyZUsuJCEECAwEAAaOB0DCBzTAdBgNVHQ4EFgQUdVXijuetpd2A
+PckzCyyiV3ftFawwHwYDVR0jBBgwFoAUwxJCuqnYTeDDPrrXR0GmCS9ttOEwEgYD
+VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwMwYDVR0fBCwwKjAooCag
+JIYiaHR0cDovLzEyNy4wLjAuMTo4ODg4L3Jvb3RfY3JsLmRlcjAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6ODg4OC8wDQYJKoZI
+hvcNAQELBQADggEBAB/G/ByhpW128H0oH+EVq4bgw92gF5YKwBYyUjektq0k1/08
+ATQ7qaLqgQXnBl+jr3v6sqnDY4m7DHBI6XPMM2TNs3GI0dGhWiKm7QNGjprAkjdG
+m+U3eKVD1UaZGzRAJ4+V3caaVdlgJY246W7Js+7o8NkR706uHgNwA2Bm/auw9HS2
+J3x6lp2GWF9c0wSrFlcSU1HHk8oLTmcnLbcgeba3jOfD2SVeJWPPk/BuMcDVTwUc
+jRQbatUBtnoJbzjz5eJa5OJC1YqN3u9zJYU846nv9/cjT9MnwjrGwG8qmx7+/DFz
+EOEIYpgrbS/Mq906ZcIAfykYMs2PVqkdhvFeYFU=
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/ocsp2/ocsp2_cert.pem b/test/configs/certs/ocsp_peer/mini-ca/ocsp2/ocsp2_cert.pem
new file mode 100644
index 000000000..1f26c3843
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/ocsp2/ocsp2_cert.pem
@@ -0,0 +1,92 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            7b:97:35:73:2b:2b:5f:74:c6:43:83:8f:ae:65:5b:a0:f5:f4:ff:1f
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 2
+        Validity
+            Not Before: May  1 19:29:28 2023 GMT
+            Not After : Apr 28 19:29:28 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=OCSP Responder 2
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:b8:98:3d:03:4d:5e:b2:66:5e:51:3b:f9:3d:f2:
+                    7a:24:6b:70:5c:2f:7a:05:b2:51:77:62:45:e7:33:
+                    75:77:db:31:6f:2d:13:32:cd:d3:a0:03:84:ee:f9:
+                    2b:81:9d:e5:c9:ba:e2:25:c9:a7:18:2b:fd:f1:95:
+                    ad:d3:46:90:d9:7b:7f:39:2d:85:b4:70:7c:72:44:
+                    99:fb:df:9f:22:4c:81:77:35:bb:fe:41:7f:86:f5:
+                    c7:29:53:7c:ee:d4:cc:09:54:fa:cc:b1:4d:4b:c2:
+                    c7:c7:3e:1a:13:59:66:36:31:ae:60:1b:6a:05:b0:
+                    5b:64:96:77:9d:74:cc:42:6e:13:d1:21:83:94:8e:
+                    6c:4c:d8:42:57:94:17:ff:26:d4:d1:2f:64:58:b5:
+                    47:1a:22:38:69:bf:c0:5a:9c:c3:88:01:0a:1d:f7:
+                    d8:68:88:7c:57:5d:44:c4:71:d0:66:8d:1c:39:e0:
+                    af:e8:f7:ce:51:60:7c:1d:b7:d5:e7:b5:3e:6a:a5:
+                    2b:46:c3:4e:b9:ef:de:bd:a6:be:e2:66:79:a9:6a:
+                    0d:c1:b2:e7:5e:03:9d:de:dd:41:b9:c9:80:2c:bd:
+                    6d:1f:09:5f:4e:25:e7:ac:ff:23:47:8f:5f:74:69:
+                    be:81:42:5c:e6:1a:f7:65:1f:eb:a1:d0:69:6f:be:
+                    7e:89
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                E4:4D:EE:6A:A3:30:91:37:3E:5C:1D:BD:26:96:5F:FF:DB:D3:E2:15
+            X509v3 Authority Key Identifier: 
+                75:55:E2:8E:E7:AD:A5:DD:80:3D:C9:33:0B:2C:A2:57:77:ED:15:AC
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Key Usage: critical
+                Digital Signature
+            X509v3 Extended Key Usage: critical
+                OCSP Signing
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:28888/intermediate2_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:28888/
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        6c:d6:fa:8f:6f:c9:0a:99:0b:ee:6c:27:1f:75:52:b8:82:33:
+        41:fe:01:a1:f8:c5:24:4e:9e:3b:e2:89:0f:01:2b:8e:c4:76:
+        fb:d9:75:5a:b2:9c:e0:36:8d:fd:90:9f:28:92:1b:a3:74:fd:
+        c5:39:28:51:06:ab:95:f7:64:95:e8:7b:d9:97:35:33:97:05:
+        38:87:e6:e6:d7:a5:0b:a1:11:0c:b7:8b:76:b8:a9:46:33:ba:
+        50:b3:3b:96:90:65:4b:ea:14:20:c9:f7:0d:8d:5e:89:c6:78:
+        e3:0b:4f:d2:db:10:46:8a:c4:81:6f:20:13:30:83:a8:45:4d:
+        2b:ef:f0:ce:18:a7:96:fc:b9:67:79:e9:a9:f0:2f:b2:33:1c:
+        83:cf:a3:4b:df:fd:c5:58:ae:87:83:d9:be:22:85:58:41:f5:
+        a0:a2:2d:56:98:40:12:78:c5:43:b0:50:34:0f:6c:0b:52:ad:
+        68:e1:7a:9e:c1:54:58:bf:b4:f1:c5:3b:bf:97:e4:f9:44:09:
+        f5:c7:67:7d:dc:3d:ea:a9:9f:0f:3a:aa:9c:4a:c1:ef:a1:52:
+        25:e4:57:22:d6:af:c6:c9:c8:02:91:4b:ec:a2:d6:ba:b5:bf:
+        ed:22:7c:b2:71:6c:78:f4:ba:e4:b9:b7:1f:11:65:d4:4f:77:
+        4d:ef:b5:43
+-----BEGIN CERTIFICATE-----
+MIIELzCCAxegAwIBAgIUe5c1cysrX3TGQ4OPrmVboPX0/x8wDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJbnRlcm1lZGlhdGUgQ0EgMjAe
+Fw0yMzA1MDExOTI5MjhaFw0zMzA0MjgxOTI5MjhaMFkxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJXQTEPMA0GA1UEBwwGVGFjb21hMREwDwYDVQQKDAhUZXN0bmF0czEZ
+MBcGA1UEAwwQT0NTUCBSZXNwb25kZXIgMjCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALiYPQNNXrJmXlE7+T3yeiRrcFwvegWyUXdiReczdXfbMW8tEzLN
+06ADhO75K4Gd5cm64iXJpxgr/fGVrdNGkNl7fzkthbRwfHJEmfvfnyJMgXc1u/5B
+f4b1xylTfO7UzAlU+syxTUvCx8c+GhNZZjYxrmAbagWwW2SWd510zEJuE9Ehg5SO
+bEzYQleUF/8m1NEvZFi1RxoiOGm/wFqcw4gBCh332GiIfFddRMRx0GaNHDngr+j3
+zlFgfB231ee1PmqlK0bDTrnv3r2mvuJmealqDcGy514Dnd7dQbnJgCy9bR8JX04l
+56z/I0ePX3RpvoFCXOYa92Uf66HQaW++fokCAwEAAaOB7TCB6jAdBgNVHQ4EFgQU
+5E3uaqMwkTc+XB29JpZf/9vT4hUwHwYDVR0jBBgwFoAUdVXijuetpd2APckzCyyi
+V3ftFawwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwFgYDVR0lAQH/BAww
+CgYIKwYBBQUHAwkwPQYDVR0fBDYwNDAyoDCgLoYsaHR0cDovLzEyNy4wLjAuMToy
+ODg4OC9pbnRlcm1lZGlhdGUyX2NybC5kZXIwMwYIKwYBBQUHAQEEJzAlMCMGCCsG
+AQUFBzABhhdodHRwOi8vMTI3LjAuMC4xOjI4ODg4LzANBgkqhkiG9w0BAQsFAAOC
+AQEAbNb6j2/JCpkL7mwnH3VSuIIzQf4BofjFJE6eO+KJDwErjsR2+9l1WrKc4DaN
+/ZCfKJIbo3T9xTkoUQarlfdkleh72Zc1M5cFOIfm5telC6ERDLeLdripRjO6ULM7
+lpBlS+oUIMn3DY1eicZ44wtP0tsQRorEgW8gEzCDqEVNK+/wzhinlvy5Z3npqfAv
+sjMcg8+jS9/9xViuh4PZviKFWEH1oKItVphAEnjFQ7BQNA9sC1KtaOF6nsFUWL+0
+8cU7v5fk+UQJ9cdnfdw96qmfDzqqnErB76FSJeRXItavxsnIApFL7KLWurW/7SJ8
+snFsePS65Lm3HxFl1E93Te+1Qw==
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/ocsp2/private/ocsp2_keypair.pem b/test/configs/certs/ocsp_peer/mini-ca/ocsp2/private/ocsp2_keypair.pem
new file mode 100644
index 000000000..ad13f6f80
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/ocsp2/private/ocsp2_keypair.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC4mD0DTV6yZl5R
+O/k98noka3BcL3oFslF3YkXnM3V32zFvLRMyzdOgA4Tu+SuBneXJuuIlyacYK/3x
+la3TRpDZe385LYW0cHxyRJn7358iTIF3Nbv+QX+G9ccpU3zu1MwJVPrMsU1LwsfH
+PhoTWWY2Ma5gG2oFsFtklneddMxCbhPRIYOUjmxM2EJXlBf/JtTRL2RYtUcaIjhp
+v8BanMOIAQod99hoiHxXXUTEcdBmjRw54K/o985RYHwdt9XntT5qpStGw0657969
+pr7iZnmpag3BsudeA53e3UG5yYAsvW0fCV9OJees/yNHj190ab6BQlzmGvdlH+uh
+0Glvvn6JAgMBAAECggEAIlCyruV4ICPljqZefASSbijG12w/+8UdXdsX8ZXgVWqa
+8vbnJb+bgpiE4sPRMaQ/rlOebLXi6RxsdbeEe80XakaJ7QAoZdWvXLKiCW+VrpOY
+UafcjbRxV45i+qy5gdBvKaDxipG/M8E+0CwcPtKUrKhpqRYPjIUvSDCshcnLmuF3
+zztB/4VyVEUUaM0pEqSZhxSyraRmGARvF1iOSu1npe3AzWTrrjrSkbk6fi4GyECL
+If0EQ1ZD+ZXQ6tcGDyNtmPox7lPMZOgwLJZ5zISXZ6QBjn0JvSzE+e4z0IFinLgx
+q5yBz2BhJEN8OBcs3J2N/ivQetWil64YbrbK6WbocQKBgQD/b4uHOuJVVifjIf6/
+kJ0UHhki4Q2Fj164royDigyyzaZmMzrlReZ5rAQLk8wGqw2hI+9gYoYBYqHm71kd
+WrwLS1TVZJ6x8TBh0sYOG2CPndqIjWFx9Wjjf1xNknwYdIoEdAAKZ/M1E71V0tZb
++Ampl+lHPnKqYRSCd7gbYBU/TQKBgQC5AKGJusjRRRRWQqQ0RdJuxusZrtAAUd7l
+wOGMC0zVQSSvUuegFtWEaZUbByhCARtYp8o4rT6Fw9yOvMaMNcfd8tV5nYVHDsrw
+MurPhPitgI0/LdVvkAOO4fgPZHIXV9GbUDGq4uqB61daBSLQg1JjtzG8GvlGiYZl
+mKOWEXjWLQKBgQC3nHHaehxZpT20yin5f7U50czVwppaqE05Sdcdcq1gFe2Hx0mN
+pypdyaV6wPnGzUxVyaP3T7rt4f1pKCGRtTg4kiTf450jYbEakEzntQw7EAgXYjFq
+njKQXWt3I1XqqlLPkqa41DIBtDfEKnMF1wzzCIyaNqxsBq6cffwsSWvcfQKBgF/y
+UNUCd0X5Yqu+EjU+BP4I0kNWo2+XBlf36cHc1nM/Psxi3dfsH751l6wV0S4yLsGS
++9DbILL1On0YsIxlFAwq9cYGCOoqZNugPKF1oBcztY2PssMSWJYQ4brx6C3tELtR
+IwEygFby/DGmukCT6vXmO7gH8UJA7t/gAu9Ajn/dAoGAI/Ejqb7HborIvCw/p+kB
+JkPIhTUuT5XonDm8h6KHWUESPikS7SMeRM/4V+AL/Y5MiiCBfjh3tCOup/16x6GQ
+4z6FvcIaYusxKup+afQaDyv1Phv5/mr74liLhC5Qp9EGU2FZrMZwG3EZjSn/0IE+
+dBJeWNtNHiFPcyTzYMMhDBw=
+-----END PRIVATE KEY-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/root/private/root_keypair.pem b/test/configs/certs/ocsp_peer/mini-ca/root/private/root_keypair.pem
new file mode 100644
index 000000000..dd6f2fb05
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/root/private/root_keypair.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDiIWuf70i53iL7
+WzcJaMe1kldSJO+FAOhxhU0PW4zG508Z9uMLcKNBfnHUD9b98hrKqleRdpqygmJg
+zvIALtS8WNNgMEKmKLJQe1gBn/sKZbBA1nzit9qNGdmlUdJGfhRGq/rfzv6ECJhj
+Rh1NindXZ9oWizIMfEHipezufSAo6wNf9eYF2IuWeG+uKZpQ99yWMYaBsXjo6+9d
+u+1C7JTGVEbsBW8bDDYkxqgGflxWuEM7EfQGCgUVGTsfyGcx6ztbKhUKe/lr5BDu
+RL4Z2NtEAfo6VvVsTvNgquTNsq13B0Xv8df1+lKEXANOcuCpkcXZ1gqEM5gx8gJb
+PxAVZXbXAgMBAAECggEAW6YC6i+/cIFs+SW3cStT4a29kU/h+axsCPJnUIWg0U6X
+WyUaUR0mNZmrRbDjyEmS/Te7xPtmaFn6yFSndVaFpw5zIQV+RbyxxHexK/tscgLT
+w/uKYxLz04M6GExIpoRb8Gash3/r3JRlOrsEjlRD2RuAoulob/H+e/8Wv3PcEGio
+R8jwCj5DEnWiMxDzgtxsVgR4OeRYqg3zKjWrLALEYoRbFTVncCVA40OnmGJZ3+E5
++3OOX6p9y/nY36888345yuwiCOTdNwQVaCXnLDZlAIVpB8QmjXVB35RSs+r2H5SF
+p/KRbZ/JNKdNrbTKfJyvbnIpyTAtJB9OkhyiR9AegQKBgQDkKAplyZ6ChT3l53nn
+4ngFi/nSTfrfJepmA5lVJk1Wxk0a4W++HxJkdKY2sUP7WuQ1xaPdcHxKzfp2HQE5
+L95jObU5dtY64QD4q0xqOw1ISDQi1euqZEmZziupEgPcMtw4sAVhHohzvTWo6a8o
+fGMSkLTd+2303xgBCZo2I/hZVwKBgQD9uha6pQmCg4Oi2i/38Vm3ByArnQvgkELC
+eGBBJrCE8pSm+ToPtgL+gSuA8PlWzIYlIf0UVOJFyws8GkUFm6n0nUlN0NmK8Rhm
+Bg4IvasxdRgtySJzZO7ipAqGIaWJIBi1Vj4/rnAVggkadbQgyw+eCZNc5Pg3D9MV
+TJ7d/xHegQKBgQCprGVfITuyUSihKy3rlu4vIdPd5IQnI2lYCGElg+CMIdkBnpmd
+SDpDXsSlc9rcuNFyc9LTQW4Nq3USFavtPX4jSK1PWOMk0mQIiku/zL6p/JhZN8GU
+7BQYP80UZQNd5K0Fs1Gs0ioj+JhJT9AlSavcCKWZV/yD2M1fKCb5EHMG7QKBgQDV
+SvtSeeytp8sgOtU6VMz7fOUBZOsYI43Ll5ArFNAtYxOt7jNuA68urf2ZTnn9Cr/2
+NUVgMx9oVpEiPF8roLlV5mc6IEjQcW72TT69AF0KnYnu63enlADxy78BFQXoaW/7
++P0pYYXdvsvST4JWUv3U9+3GmMFE4GutKxUeQA+QgQKBgQCauejVixhfKcmkM9nn
+MGLSOUuFyd9HpQk3efxylphFNjpohk+k3fVKXBhmE4BDXbSlYUmMemm27tuQ/I6Z
+bWOjGl57ZbCgJ7LdXLanJhyJJ6cSmkX8+oD+fwPMrD8yaAfh37MdTnriZKIDMXp2
+7HtfLcz0evmbW06b/dReyvcqyQ==
+-----END PRIVATE KEY-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/root/root_cert.pem b/test/configs/certs/ocsp_peer/mini-ca/root/root_cert.pem
new file mode 100644
index 000000000..f4658e142
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/root/root_cert.pem
@@ -0,0 +1,86 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            27:5e:cf:7e:be:aa:02:b9:a9:c7:42:30:43:fe:0e:80:05:91:dd:0b
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 18:57:57 2023 GMT
+            Not After : Apr 28 18:57:57 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:e2:21:6b:9f:ef:48:b9:de:22:fb:5b:37:09:68:
+                    c7:b5:92:57:52:24:ef:85:00:e8:71:85:4d:0f:5b:
+                    8c:c6:e7:4f:19:f6:e3:0b:70:a3:41:7e:71:d4:0f:
+                    d6:fd:f2:1a:ca:aa:57:91:76:9a:b2:82:62:60:ce:
+                    f2:00:2e:d4:bc:58:d3:60:30:42:a6:28:b2:50:7b:
+                    58:01:9f:fb:0a:65:b0:40:d6:7c:e2:b7:da:8d:19:
+                    d9:a5:51:d2:46:7e:14:46:ab:fa:df:ce:fe:84:08:
+                    98:63:46:1d:4d:8a:77:57:67:da:16:8b:32:0c:7c:
+                    41:e2:a5:ec:ee:7d:20:28:eb:03:5f:f5:e6:05:d8:
+                    8b:96:78:6f:ae:29:9a:50:f7:dc:96:31:86:81:b1:
+                    78:e8:eb:ef:5d:bb:ed:42:ec:94:c6:54:46:ec:05:
+                    6f:1b:0c:36:24:c6:a8:06:7e:5c:56:b8:43:3b:11:
+                    f4:06:0a:05:15:19:3b:1f:c8:67:31:eb:3b:5b:2a:
+                    15:0a:7b:f9:6b:e4:10:ee:44:be:19:d8:db:44:01:
+                    fa:3a:56:f5:6c:4e:f3:60:aa:e4:cd:b2:ad:77:07:
+                    45:ef:f1:d7:f5:fa:52:84:5c:03:4e:72:e0:a9:91:
+                    c5:d9:d6:0a:84:33:98:31:f2:02:5b:3f:10:15:65:
+                    76:d7
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        22:79:1a:b9:5d:fa:f5:c9:a3:88:22:c4:92:e6:64:6d:ce:a5:
+        ae:2e:69:48:6a:9e:d5:11:c5:bb:b0:de:38:1b:5b:04:85:60:
+        d6:64:14:ed:c2:62:02:7d:ad:d2:17:ad:ef:40:27:2b:50:59:
+        4a:ff:88:c6:b3:16:5c:55:30:d9:23:bd:4f:0f:34:b7:7b:ed:
+        7a:e1:f3:39:35:e9:18:6d:70:b1:2b:2a:e2:e5:cd:a1:54:8a:
+        f9:f4:95:81:29:84:3f:95:2f:48:e0:35:3e:d9:cb:84:4d:3d:
+        3e:3c:0e:8d:24:42:5f:19:e6:06:a5:87:ae:ba:af:07:02:e7:
+        6a:83:0a:89:d4:a4:38:ce:05:6e:f6:15:f1:7a:53:bb:50:28:
+        89:51:3f:f2:54:f1:d3:c4:28:07:a1:3e:55:e5:84:b8:df:58:
+        af:c3:e7:81:c2:08:9c:35:e4:c4:86:75:a8:17:99:2c:a6:7f:
+        46:30:9b:23:55:c5:d8:e2:6a:e4:08:a1:8b:dc:bc:5b:86:95:
+        4a:79:fe:a6:93:3d:1a:5b:10:9a:2f:6a:45:2f:5d:c9:fa:95:
+        2e:66:eb:52:df:88:a7:5f:42:8f:5f:46:07:79:8b:a7:49:82:
+        d3:81:c6:3e:c2:5a:15:c4:83:69:30:49:4d:6e:ea:05:1e:d8:
+        dc:29:ac:17
+-----BEGIN CERTIFICATE-----
+MIIDyDCCArCgAwIBAgIUJ17Pfr6qArmpx0IwQ/4OgAWR3QswDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE4
+NTc1N1oXDTMzMDQyODE4NTc1N1owUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdS
+b290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4iFrn+9Iud4i
++1s3CWjHtZJXUiTvhQDocYVND1uMxudPGfbjC3CjQX5x1A/W/fIayqpXkXaasoJi
+YM7yAC7UvFjTYDBCpiiyUHtYAZ/7CmWwQNZ84rfajRnZpVHSRn4URqv6387+hAiY
+Y0YdTYp3V2faFosyDHxB4qXs7n0gKOsDX/XmBdiLlnhvrimaUPfcljGGgbF46Ovv
+XbvtQuyUxlRG7AVvGww2JMaoBn5cVrhDOxH0BgoFFRk7H8hnMes7WyoVCnv5a+QQ
+7kS+GdjbRAH6Olb1bE7zYKrkzbKtdwdF7/HX9fpShFwDTnLgqZHF2dYKhDOYMfIC
+Wz8QFWV21wIDAQABo4GZMIGWMB0GA1UdDgQWBBTDEkK6qdhN4MM+utdHQaYJL220
+4TAfBgNVHSMEGDAWgBTDEkK6qdhN4MM+utdHQaYJL2204TAPBgNVHRMBAf8EBTAD
+AQH/MA4GA1UdDwEB/wQEAwIBhjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vMTI3
+LjAuMC4xOjg4ODgvcm9vdF9jcmwuZGVyMA0GCSqGSIb3DQEBCwUAA4IBAQAieRq5
+Xfr1yaOIIsSS5mRtzqWuLmlIap7VEcW7sN44G1sEhWDWZBTtwmICfa3SF63vQCcr
+UFlK/4jGsxZcVTDZI71PDzS3e+164fM5NekYbXCxKyri5c2hVIr59JWBKYQ/lS9I
+4DU+2cuETT0+PA6NJEJfGeYGpYeuuq8HAudqgwqJ1KQ4zgVu9hXxelO7UCiJUT/y
+VPHTxCgHoT5V5YS431ivw+eBwgicNeTEhnWoF5kspn9GMJsjVcXY4mrkCKGL3Lxb
+hpVKef6mkz0aWxCaL2pFL13J+pUuZutS34inX0KPX0YHeYunSYLTgcY+wloVxINp
+MElNbuoFHtjcKawX
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem b/test/configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem
new file mode 100644
index 000000000..544e3d444
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem
@@ -0,0 +1,186 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            3c:c4:82:66:f8:5d:a6:b6:c7:66:e1:b2:01:3f:e0:72:fc:72:61:33
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 1
+        Validity
+            Not Before: May  1 19:33:37 2023 GMT
+            Not After : Apr 28 19:33:37 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=TestServer1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:af:26:5c:50:c0:fa:62:b5:fd:3d:c1:9e:26:51:
+                    58:62:04:37:b0:b5:6a:9b:6a:e3:22:3c:cd:ee:3c:
+                    e7:8b:d3:e2:4c:08:1a:4d:63:c1:81:20:f4:53:a5:
+                    5d:2f:d2:71:d8:af:e3:26:95:b4:27:14:46:7f:e2:
+                    0a:73:12:a7:0e:ff:99:5a:29:f5:d0:65:96:b1:d1:
+                    96:7f:0c:43:b8:71:f2:4b:21:e1:97:6c:1b:01:e5:
+                    38:1a:39:44:72:d5:19:20:87:fe:90:4f:3b:97:f2:
+                    7d:bd:57:97:4d:9d:56:50:89:5b:79:29:7a:3a:13:
+                    97:08:61:c2:0c:a6:02:49:c9:8a:41:ab:8e:9f:25:
+                    c9:33:18:f8:92:64:58:04:cc:a3:9d:cf:d4:d2:bd:
+                    20:ab:8b:9d:55:df:fb:5b:23:ac:95:12:fa:6f:07:
+                    93:3f:0e:03:86:c4:9b:25:06:21:9b:03:96:32:b8:
+                    e0:0f:63:e2:1d:34:d1:41:35:19:09:c1:a0:dc:26:
+                    b9:c8:66:fa:87:67:22:6e:0c:a6:e7:0f:24:64:b1:
+                    4f:84:05:ef:ad:8e:1b:f2:f4:38:87:d3:e3:48:a5:
+                    82:e0:66:89:1d:92:9a:59:67:a4:1d:03:6f:4d:a5:
+                    fb:3b:c0:0b:73:a7:ab:8f:b4:10:25:8e:69:42:76:
+                    82:5f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                43:16:E6:03:AF:37:B2:7B:BD:B3:C8:A2:9C:95:D7:FA:32:F8:9E:6F
+            X509v3 Authority Key Identifier: 
+                B5:91:6E:4F:64:B7:16:84:76:F9:B4:BE:99:CE:60:95:98:1A:8E:9D
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Client, SSL Server
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:18888/intermediate1_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:18888/
+            X509v3 Subject Alternative Name: 
+                DNS:localhost, IP Address:127.0.0.1
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        a3:87:9f:05:e4:38:61:f7:c4:5b:17:13:4b:2c:9d:a2:4d:e6:
+        ad:93:54:c5:a3:00:27:0b:5c:45:c5:bd:f8:b6:a7:5a:2a:ec:
+        dc:9b:59:8a:c7:59:e7:b9:86:f7:27:be:45:0d:d9:86:76:cf:
+        00:71:ad:aa:cc:73:50:8c:68:63:b0:e2:3a:59:dd:85:fa:0d:
+        f0:82:51:05:79:e6:d5:0e:0b:bb:ed:23:65:8f:d0:8b:01:df:
+        86:74:bc:3a:22:90:e4:59:44:91:d5:44:d8:21:4d:4e:10:72:
+        0a:12:2e:4a:20:5f:15:e7:16:0b:6f:76:f3:04:1f:da:44:50:
+        3b:c3:b3:0f:fa:05:cf:6e:64:9c:65:e2:0d:38:28:31:c3:c3:
+        b6:66:ef:80:d3:c4:5f:e9:f9:01:e9:ce:e6:99:46:a0:9d:ce:
+        90:63:77:d2:85:21:d7:88:32:55:38:fe:10:07:69:cd:c8:06:
+        b7:6f:49:98:bf:cd:be:4f:ab:44:ea:78:af:ab:01:c8:3e:fa:
+        d9:54:bc:59:28:db:03:9b:1c:ee:e4:c3:ed:f3:97:30:c6:40:
+        33:76:84:40:b2:b8:4d:b4:ca:a9:2d:d1:4d:17:92:ea:c0:c9:
+        cb:f6:b1:d7:d3:c7:e6:75:15:00:ff:c7:d9:54:63:27:19:5c:
+        96:a5:e5:d9
+-----BEGIN CERTIFICATE-----
+MIIEYjCCA0qgAwIBAgIUPMSCZvhdprbHZuGyAT/gcvxyYTMwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJbnRlcm1lZGlhdGUgQ0EgMTAe
+Fw0yMzA1MDExOTMzMzdaFw0zMzA0MjgxOTMzMzdaMFQxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJXQTEPMA0GA1UEBwwGVGFjb21hMREwDwYDVQQKDAhUZXN0bmF0czEU
+MBIGA1UEAwwLVGVzdFNlcnZlcjEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCvJlxQwPpitf09wZ4mUVhiBDewtWqbauMiPM3uPOeL0+JMCBpNY8GBIPRT
+pV0v0nHYr+MmlbQnFEZ/4gpzEqcO/5laKfXQZZax0ZZ/DEO4cfJLIeGXbBsB5Tga
+OURy1Rkgh/6QTzuX8n29V5dNnVZQiVt5KXo6E5cIYcIMpgJJyYpBq46fJckzGPiS
+ZFgEzKOdz9TSvSCri51V3/tbI6yVEvpvB5M/DgOGxJslBiGbA5YyuOAPY+IdNNFB
+NRkJwaDcJrnIZvqHZyJuDKbnDyRksU+EBe+tjhvy9DiH0+NIpYLgZokdkppZZ6Qd
+A29Npfs7wAtzp6uPtBAljmlCdoJfAgMBAAGjggEkMIIBIDAdBgNVHQ4EFgQUQxbm
+A683snu9s8iinJXX+jL4nm8wHwYDVR0jBBgwFoAUtZFuT2S3FoR2+bS+mc5glZga
+jp0wDAYDVR0TAQH/BAIwADARBglghkgBhvhCAQEEBAMCBsAwDgYDVR0PAQH/BAQD
+AgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA9BgNVHR8ENjA0MDKg
+MKAuhixodHRwOi8vMTI3LjAuMC4xOjE4ODg4L2ludGVybWVkaWF0ZTFfY3JsLmRl
+cjAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly8xMjcuMC4wLjE6
+MTg4ODgvMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsF
+AAOCAQEAo4efBeQ4YffEWxcTSyydok3mrZNUxaMAJwtcRcW9+LanWirs3JtZisdZ
+57mG9ye+RQ3ZhnbPAHGtqsxzUIxoY7DiOlndhfoN8IJRBXnm1Q4Lu+0jZY/QiwHf
+hnS8OiKQ5FlEkdVE2CFNThByChIuSiBfFecWC2928wQf2kRQO8OzD/oFz25knGXi
+DTgoMcPDtmbvgNPEX+n5AenO5plGoJ3OkGN30oUh14gyVTj+EAdpzcgGt29JmL/N
+vk+rROp4r6sByD762VS8WSjbA5sc7uTD7fOXMMZAM3aEQLK4TbTKqS3RTReS6sDJ
+y/ax19PH5nUVAP/H2VRjJxlclqXl2Q==
+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            55:57:db:45:43:06:ce:52:63:59:b9:5a:26:78:fd:0d:94:68:95:9c
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 19:01:15 2023 GMT
+            Not After : Apr 28 19:01:15 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:bc:c6:84:2d:c2:ab:5d:05:d7:65:a8:e2:15:74:
+                    d8:f2:f1:55:11:45:93:96:4c:a5:dc:cb:44:f5:f4:
+                    14:7e:46:02:59:e8:ae:78:59:69:21:58:f7:16:38:
+                    b9:c2:c2:60:d8:76:ab:a1:39:ba:0b:a3:03:17:e4:
+                    a1:cb:5d:1a:0c:62:71:24:64:b0:00:f0:6f:4c:af:
+                    08:62:8c:dc:4f:e0:d7:d4:55:2c:db:36:fc:a9:aa:
+                    d7:58:27:e4:99:cb:dc:29:d9:ea:35:16:cb:2e:be:
+                    04:b2:82:58:f4:e5:5c:07:db:12:8e:e3:3c:9a:5e:
+                    90:4b:c5:a3:d4:21:96:5f:e1:8f:f7:cb:9e:db:e0:
+                    10:a0:6c:a2:1e:30:17:6c:32:9f:7b:43:a4:9f:d3:
+                    6b:33:1b:18:cd:a4:ad:33:48:a3:98:b0:2b:c8:22:
+                    74:17:71:d8:f1:64:21:55:e1:33:bc:7f:74:5f:a5:
+                    a6:a2:9b:58:2f:db:ed:c7:c1:e5:36:2e:86:26:ad:
+                    c6:fe:b8:00:85:6e:7c:ed:fd:4a:c6:a0:d9:b2:3f:
+                    4e:bd:fa:08:52:c8:5d:31:13:86:bd:3f:ec:7a:d8:
+                    3a:15:e2:71:af:ec:00:88:7e:a6:e8:e1:9d:ab:57:
+                    5a:8a:1f:f8:e2:4d:29:58:53:79:25:f0:9e:d9:18:
+                    40:27
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                B5:91:6E:4F:64:B7:16:84:76:F9:B4:BE:99:CE:60:95:98:1A:8E:9D
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:8888/
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        b1:48:16:3b:d7:91:d0:4d:54:09:cb:ab:c7:41:4f:35:12:8b:
+        a6:e8:84:11:49:a9:04:91:41:25:7c:02:38:b2:19:a0:e9:2e:
+        d5:d6:7a:26:c1:1a:f8:f1:c6:51:92:68:af:c8:6e:5b:df:28:
+        40:b8:99:94:d5:43:7d:e3:68:75:94:26:56:11:21:9e:50:b3:
+        36:7b:f8:5f:33:76:64:71:04:26:2b:bb:2c:83:33:89:ba:74:
+        c1:e9:9d:eb:c0:86:4b:4d:6f:f8:4d:55:5a:3d:f6:55:95:33:
+        0f:b8:f0:53:2b:93:a6:da:8d:5c:1a:e8:30:22:55:67:44:6e:
+        17:c4:57:05:0d:ce:fc:61:dd:b1:3c:b0:66:55:f4:42:d0:ce:
+        94:7d:6a:82:bd:32:ed:2f:21:ff:c7:70:ff:48:9d:10:4a:71:
+        be:a8:37:e5:0f:f4:79:1e:7d:a2:f1:6a:6b:2c:e8:03:20:ce:
+        80:94:d2:38:80:bc:7e:56:c5:77:62:94:c0:b7:40:11:4d:ba:
+        98:4b:2e:52:03:66:68:36:ab:d1:0f:3e:b5:92:a3:95:9d:a4:
+        ea:d3:8a:14:41:6d:86:24:89:aa:d7:29:20:c8:52:d5:bf:8d:
+        3b:09:52:dd:89:8c:2c:85:40:b5:9f:cc:47:63:ca:3a:e0:c9:
+        91:5c:43:a9
+-----BEGIN CERTIFICATE-----
+MIIECTCCAvGgAwIBAgIUVVfbRUMGzlJjWblaJnj9DZRolZwwDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE5
+MDExNVoXDTMzMDQyODE5MDExNVowWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJ
+bnRlcm1lZGlhdGUgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALzGhC3Cq10F12Wo4hV02PLxVRFFk5ZMpdzLRPX0FH5GAlnornhZaSFY9xY4ucLC
+YNh2q6E5ugujAxfkoctdGgxicSRksADwb0yvCGKM3E/g19RVLNs2/Kmq11gn5JnL
+3CnZ6jUWyy6+BLKCWPTlXAfbEo7jPJpekEvFo9Qhll/hj/fLntvgEKBsoh4wF2wy
+n3tDpJ/TazMbGM2krTNIo5iwK8gidBdx2PFkIVXhM7x/dF+lpqKbWC/b7cfB5TYu
+hiatxv64AIVufO39Ssag2bI/Tr36CFLIXTEThr0/7HrYOhXica/sAIh+pujhnatX
+Woof+OJNKVhTeSXwntkYQCcCAwEAAaOB0DCBzTAdBgNVHQ4EFgQUtZFuT2S3FoR2
++bS+mc5glZgajp0wHwYDVR0jBBgwFoAUwxJCuqnYTeDDPrrXR0GmCS9ttOEwEgYD
+VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwMwYDVR0fBCwwKjAooCag
+JIYiaHR0cDovLzEyNy4wLjAuMTo4ODg4L3Jvb3RfY3JsLmRlcjAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6ODg4OC8wDQYJKoZI
+hvcNAQELBQADggEBALFIFjvXkdBNVAnLq8dBTzUSi6bohBFJqQSRQSV8AjiyGaDp
+LtXWeibBGvjxxlGSaK/IblvfKEC4mZTVQ33jaHWUJlYRIZ5QszZ7+F8zdmRxBCYr
+uyyDM4m6dMHpnevAhktNb/hNVVo99lWVMw+48FMrk6bajVwa6DAiVWdEbhfEVwUN
+zvxh3bE8sGZV9ELQzpR9aoK9Mu0vIf/HcP9InRBKcb6oN+UP9HkefaLxamss6AMg
+zoCU0jiAvH5WxXdilMC3QBFNuphLLlIDZmg2q9EPPrWSo5WdpOrTihRBbYYkiarX
+KSDIUtW/jTsJUt2JjCyFQLWfzEdjyjrgyZFcQ6k=
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/server1/TestServer1_cert.pem b/test/configs/certs/ocsp_peer/mini-ca/server1/TestServer1_cert.pem
new file mode 100644
index 000000000..ef73af87d
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/server1/TestServer1_cert.pem
@@ -0,0 +1,97 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            3c:c4:82:66:f8:5d:a6:b6:c7:66:e1:b2:01:3f:e0:72:fc:72:61:33
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 1
+        Validity
+            Not Before: May  1 19:33:37 2023 GMT
+            Not After : Apr 28 19:33:37 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=TestServer1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:af:26:5c:50:c0:fa:62:b5:fd:3d:c1:9e:26:51:
+                    58:62:04:37:b0:b5:6a:9b:6a:e3:22:3c:cd:ee:3c:
+                    e7:8b:d3:e2:4c:08:1a:4d:63:c1:81:20:f4:53:a5:
+                    5d:2f:d2:71:d8:af:e3:26:95:b4:27:14:46:7f:e2:
+                    0a:73:12:a7:0e:ff:99:5a:29:f5:d0:65:96:b1:d1:
+                    96:7f:0c:43:b8:71:f2:4b:21:e1:97:6c:1b:01:e5:
+                    38:1a:39:44:72:d5:19:20:87:fe:90:4f:3b:97:f2:
+                    7d:bd:57:97:4d:9d:56:50:89:5b:79:29:7a:3a:13:
+                    97:08:61:c2:0c:a6:02:49:c9:8a:41:ab:8e:9f:25:
+                    c9:33:18:f8:92:64:58:04:cc:a3:9d:cf:d4:d2:bd:
+                    20:ab:8b:9d:55:df:fb:5b:23:ac:95:12:fa:6f:07:
+                    93:3f:0e:03:86:c4:9b:25:06:21:9b:03:96:32:b8:
+                    e0:0f:63:e2:1d:34:d1:41:35:19:09:c1:a0:dc:26:
+                    b9:c8:66:fa:87:67:22:6e:0c:a6:e7:0f:24:64:b1:
+                    4f:84:05:ef:ad:8e:1b:f2:f4:38:87:d3:e3:48:a5:
+                    82:e0:66:89:1d:92:9a:59:67:a4:1d:03:6f:4d:a5:
+                    fb:3b:c0:0b:73:a7:ab:8f:b4:10:25:8e:69:42:76:
+                    82:5f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                43:16:E6:03:AF:37:B2:7B:BD:B3:C8:A2:9C:95:D7:FA:32:F8:9E:6F
+            X509v3 Authority Key Identifier: 
+                B5:91:6E:4F:64:B7:16:84:76:F9:B4:BE:99:CE:60:95:98:1A:8E:9D
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Client, SSL Server
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:18888/intermediate1_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:18888/
+            X509v3 Subject Alternative Name: 
+                DNS:localhost, IP Address:127.0.0.1
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        a3:87:9f:05:e4:38:61:f7:c4:5b:17:13:4b:2c:9d:a2:4d:e6:
+        ad:93:54:c5:a3:00:27:0b:5c:45:c5:bd:f8:b6:a7:5a:2a:ec:
+        dc:9b:59:8a:c7:59:e7:b9:86:f7:27:be:45:0d:d9:86:76:cf:
+        00:71:ad:aa:cc:73:50:8c:68:63:b0:e2:3a:59:dd:85:fa:0d:
+        f0:82:51:05:79:e6:d5:0e:0b:bb:ed:23:65:8f:d0:8b:01:df:
+        86:74:bc:3a:22:90:e4:59:44:91:d5:44:d8:21:4d:4e:10:72:
+        0a:12:2e:4a:20:5f:15:e7:16:0b:6f:76:f3:04:1f:da:44:50:
+        3b:c3:b3:0f:fa:05:cf:6e:64:9c:65:e2:0d:38:28:31:c3:c3:
+        b6:66:ef:80:d3:c4:5f:e9:f9:01:e9:ce:e6:99:46:a0:9d:ce:
+        90:63:77:d2:85:21:d7:88:32:55:38:fe:10:07:69:cd:c8:06:
+        b7:6f:49:98:bf:cd:be:4f:ab:44:ea:78:af:ab:01:c8:3e:fa:
+        d9:54:bc:59:28:db:03:9b:1c:ee:e4:c3:ed:f3:97:30:c6:40:
+        33:76:84:40:b2:b8:4d:b4:ca:a9:2d:d1:4d:17:92:ea:c0:c9:
+        cb:f6:b1:d7:d3:c7:e6:75:15:00:ff:c7:d9:54:63:27:19:5c:
+        96:a5:e5:d9
+-----BEGIN CERTIFICATE-----
+MIIEYjCCA0qgAwIBAgIUPMSCZvhdprbHZuGyAT/gcvxyYTMwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJbnRlcm1lZGlhdGUgQ0EgMTAe
+Fw0yMzA1MDExOTMzMzdaFw0zMzA0MjgxOTMzMzdaMFQxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJXQTEPMA0GA1UEBwwGVGFjb21hMREwDwYDVQQKDAhUZXN0bmF0czEU
+MBIGA1UEAwwLVGVzdFNlcnZlcjEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCvJlxQwPpitf09wZ4mUVhiBDewtWqbauMiPM3uPOeL0+JMCBpNY8GBIPRT
+pV0v0nHYr+MmlbQnFEZ/4gpzEqcO/5laKfXQZZax0ZZ/DEO4cfJLIeGXbBsB5Tga
+OURy1Rkgh/6QTzuX8n29V5dNnVZQiVt5KXo6E5cIYcIMpgJJyYpBq46fJckzGPiS
+ZFgEzKOdz9TSvSCri51V3/tbI6yVEvpvB5M/DgOGxJslBiGbA5YyuOAPY+IdNNFB
+NRkJwaDcJrnIZvqHZyJuDKbnDyRksU+EBe+tjhvy9DiH0+NIpYLgZokdkppZZ6Qd
+A29Npfs7wAtzp6uPtBAljmlCdoJfAgMBAAGjggEkMIIBIDAdBgNVHQ4EFgQUQxbm
+A683snu9s8iinJXX+jL4nm8wHwYDVR0jBBgwFoAUtZFuT2S3FoR2+bS+mc5glZga
+jp0wDAYDVR0TAQH/BAIwADARBglghkgBhvhCAQEEBAMCBsAwDgYDVR0PAQH/BAQD
+AgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA9BgNVHR8ENjA0MDKg
+MKAuhixodHRwOi8vMTI3LjAuMC4xOjE4ODg4L2ludGVybWVkaWF0ZTFfY3JsLmRl
+cjAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly8xMjcuMC4wLjE6
+MTg4ODgvMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsF
+AAOCAQEAo4efBeQ4YffEWxcTSyydok3mrZNUxaMAJwtcRcW9+LanWirs3JtZisdZ
+57mG9ye+RQ3ZhnbPAHGtqsxzUIxoY7DiOlndhfoN8IJRBXnm1Q4Lu+0jZY/QiwHf
+hnS8OiKQ5FlEkdVE2CFNThByChIuSiBfFecWC2928wQf2kRQO8OzD/oFz25knGXi
+DTgoMcPDtmbvgNPEX+n5AenO5plGoJ3OkGN30oUh14gyVTj+EAdpzcgGt29JmL/N
+vk+rROp4r6sByD762VS8WSjbA5sc7uTD7fOXMMZAM3aEQLK4TbTKqS3RTReS6sDJ
+y/ax19PH5nUVAP/H2VRjJxlclqXl2Q==
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/server1/TestServer2_bundle.pem b/test/configs/certs/ocsp_peer/mini-ca/server1/TestServer2_bundle.pem
new file mode 100644
index 000000000..aacb9be1d
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/server1/TestServer2_bundle.pem
@@ -0,0 +1,186 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            2e:91:da:29:59:ff:c4:64:bf:02:bc:27:bb:e3:35:4e:5b:36:f7:91
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 1
+        Validity
+            Not Before: May  1 19:33:53 2023 GMT
+            Not After : Apr 28 19:33:53 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=TestServer2
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:ac:48:ce:a7:b2:ad:7a:68:01:55:3f:86:20:7e:
+                    bb:26:e6:88:f3:ae:04:15:7d:d9:64:98:85:bc:eb:
+                    bd:d8:0a:c7:26:c4:8e:27:56:8c:a8:9f:51:37:a9:
+                    ec:8a:dc:af:27:05:0c:f5:c0:19:b1:2c:0d:56:66:
+                    7b:7e:b1:8f:ab:34:61:56:37:a8:ab:51:d6:1d:e6:
+                    a7:56:b2:51:72:57:9b:c5:87:84:6c:ef:e6:18:d4:
+                    45:b8:ef:52:72:11:02:81:61:f2:36:63:25:18:31:
+                    7f:c7:91:89:c3:b0:73:13:f0:26:1f:a1:4f:8c:ff:
+                    94:1c:75:a6:be:38:7d:81:06:33:dd:7b:86:81:c5:
+                    1f:d2:5d:f6:ea:3f:9f:ab:fb:e7:97:3c:72:ea:b3:
+                    83:ab:49:88:ac:a9:4b:81:db:fa:e3:bf:79:d9:6e:
+                    90:bf:8f:68:d8:05:f8:52:ad:98:41:29:e0:2a:18:
+                    98:b6:b2:61:78:02:02:52:85:02:e0:63:f4:a0:55:
+                    80:c9:66:8b:ac:4f:8b:36:f4:56:8f:cf:bd:67:86:
+                    72:92:0b:f9:73:7b:05:cc:3d:91:ed:ed:4f:f0:8f:
+                    36:99:e5:51:7f:ee:9e:fb:e5:5c:d0:39:a2:f5:51:
+                    06:92:3c:ad:cc:59:9d:0a:81:50:26:30:01:e9:f4:
+                    b1:e9
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                CD:65:B9:5C:48:35:F7:1E:85:6E:94:50:78:72:BB:3F:F7:BC:22:A6
+            X509v3 Authority Key Identifier: 
+                B5:91:6E:4F:64:B7:16:84:76:F9:B4:BE:99:CE:60:95:98:1A:8E:9D
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Client, SSL Server
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:18888/intermediate1_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:18888/
+            X509v3 Subject Alternative Name: 
+                DNS:localhost, IP Address:127.0.0.1
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        6f:de:f3:92:b2:8b:57:61:7a:b9:06:49:3e:af:e0:1c:3a:d4:
+        42:52:fe:d0:7d:97:8a:9b:d0:6d:b9:f3:e6:8b:2a:40:ce:aa:
+        ed:bb:ce:21:e8:ae:32:9d:eb:5a:00:e0:c1:3a:d7:40:74:1b:
+        43:e4:43:f0:61:bf:40:06:75:52:1b:b9:f4:b5:32:55:94:f5:
+        84:98:90:cc:27:92:91:b7:3d:8e:f1:12:bf:37:1a:8a:50:41:
+        3a:14:0c:cf:93:fe:57:97:7b:fe:af:b9:c0:c2:d6:bb:20:e4:
+        0a:6f:12:0b:60:a6:cc:59:46:db:99:db:61:71:d3:a7:f5:a1:
+        d0:d6:81:87:57:a3:dd:b6:e1:ab:2f:4f:b6:51:21:ec:a6:95:
+        df:d3:ab:e5:a1:67:a3:ba:b1:b9:71:39:a1:3b:db:5e:c5:6f:
+        b1:34:27:ae:6d:f6:67:4c:7d:7c:6d:12:37:6f:b5:0b:5a:85:
+        aa:5d:fd:03:de:59:b5:20:7a:ea:84:a0:a5:75:60:12:12:08:
+        77:0e:46:d6:fa:57:fa:b1:43:42:54:38:d7:66:67:cd:fc:b6:
+        f9:4c:fe:99:71:2b:d5:a6:13:2f:2e:f0:a3:9e:fc:47:03:31:
+        79:38:e3:50:8a:de:81:97:80:9e:46:71:5c:9f:e5:de:0c:49:
+        fc:f5:61:1c
+-----BEGIN CERTIFICATE-----
+MIIEYjCCA0qgAwIBAgIULpHaKVn/xGS/Arwnu+M1Tls295EwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJbnRlcm1lZGlhdGUgQ0EgMTAe
+Fw0yMzA1MDExOTMzNTNaFw0zMzA0MjgxOTMzNTNaMFQxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJXQTEPMA0GA1UEBwwGVGFjb21hMREwDwYDVQQKDAhUZXN0bmF0czEU
+MBIGA1UEAwwLVGVzdFNlcnZlcjIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCsSM6nsq16aAFVP4Ygfrsm5ojzrgQVfdlkmIW8673YCscmxI4nVoyon1E3
+qeyK3K8nBQz1wBmxLA1WZnt+sY+rNGFWN6irUdYd5qdWslFyV5vFh4Rs7+YY1EW4
+71JyEQKBYfI2YyUYMX/HkYnDsHMT8CYfoU+M/5Qcdaa+OH2BBjPde4aBxR/SXfbq
+P5+r++eXPHLqs4OrSYisqUuB2/rjv3nZbpC/j2jYBfhSrZhBKeAqGJi2smF4AgJS
+hQLgY/SgVYDJZousT4s29FaPz71nhnKSC/lzewXMPZHt7U/wjzaZ5VF/7p775VzQ
+OaL1UQaSPK3MWZ0KgVAmMAHp9LHpAgMBAAGjggEkMIIBIDAdBgNVHQ4EFgQUzWW5
+XEg19x6FbpRQeHK7P/e8IqYwHwYDVR0jBBgwFoAUtZFuT2S3FoR2+bS+mc5glZga
+jp0wDAYDVR0TAQH/BAIwADARBglghkgBhvhCAQEEBAMCBsAwDgYDVR0PAQH/BAQD
+AgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA9BgNVHR8ENjA0MDKg
+MKAuhixodHRwOi8vMTI3LjAuMC4xOjE4ODg4L2ludGVybWVkaWF0ZTFfY3JsLmRl
+cjAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly8xMjcuMC4wLjE6
+MTg4ODgvMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsF
+AAOCAQEAb97zkrKLV2F6uQZJPq/gHDrUQlL+0H2XipvQbbnz5osqQM6q7bvOIeiu
+Mp3rWgDgwTrXQHQbQ+RD8GG/QAZ1Uhu59LUyVZT1hJiQzCeSkbc9jvESvzcailBB
+OhQMz5P+V5d7/q+5wMLWuyDkCm8SC2CmzFlG25nbYXHTp/Wh0NaBh1ej3bbhqy9P
+tlEh7KaV39Or5aFno7qxuXE5oTvbXsVvsTQnrm32Z0x9fG0SN2+1C1qFql39A95Z
+tSB66oSgpXVgEhIIdw5G1vpX+rFDQlQ412Znzfy2+Uz+mXEr1aYTLy7wo578RwMx
+eTjjUIregZeAnkZxXJ/l3gxJ/PVhHA==
+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            55:57:db:45:43:06:ce:52:63:59:b9:5a:26:78:fd:0d:94:68:95:9c
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 19:01:15 2023 GMT
+            Not After : Apr 28 19:01:15 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:bc:c6:84:2d:c2:ab:5d:05:d7:65:a8:e2:15:74:
+                    d8:f2:f1:55:11:45:93:96:4c:a5:dc:cb:44:f5:f4:
+                    14:7e:46:02:59:e8:ae:78:59:69:21:58:f7:16:38:
+                    b9:c2:c2:60:d8:76:ab:a1:39:ba:0b:a3:03:17:e4:
+                    a1:cb:5d:1a:0c:62:71:24:64:b0:00:f0:6f:4c:af:
+                    08:62:8c:dc:4f:e0:d7:d4:55:2c:db:36:fc:a9:aa:
+                    d7:58:27:e4:99:cb:dc:29:d9:ea:35:16:cb:2e:be:
+                    04:b2:82:58:f4:e5:5c:07:db:12:8e:e3:3c:9a:5e:
+                    90:4b:c5:a3:d4:21:96:5f:e1:8f:f7:cb:9e:db:e0:
+                    10:a0:6c:a2:1e:30:17:6c:32:9f:7b:43:a4:9f:d3:
+                    6b:33:1b:18:cd:a4:ad:33:48:a3:98:b0:2b:c8:22:
+                    74:17:71:d8:f1:64:21:55:e1:33:bc:7f:74:5f:a5:
+                    a6:a2:9b:58:2f:db:ed:c7:c1:e5:36:2e:86:26:ad:
+                    c6:fe:b8:00:85:6e:7c:ed:fd:4a:c6:a0:d9:b2:3f:
+                    4e:bd:fa:08:52:c8:5d:31:13:86:bd:3f:ec:7a:d8:
+                    3a:15:e2:71:af:ec:00:88:7e:a6:e8:e1:9d:ab:57:
+                    5a:8a:1f:f8:e2:4d:29:58:53:79:25:f0:9e:d9:18:
+                    40:27
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                B5:91:6E:4F:64:B7:16:84:76:F9:B4:BE:99:CE:60:95:98:1A:8E:9D
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:8888/
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        b1:48:16:3b:d7:91:d0:4d:54:09:cb:ab:c7:41:4f:35:12:8b:
+        a6:e8:84:11:49:a9:04:91:41:25:7c:02:38:b2:19:a0:e9:2e:
+        d5:d6:7a:26:c1:1a:f8:f1:c6:51:92:68:af:c8:6e:5b:df:28:
+        40:b8:99:94:d5:43:7d:e3:68:75:94:26:56:11:21:9e:50:b3:
+        36:7b:f8:5f:33:76:64:71:04:26:2b:bb:2c:83:33:89:ba:74:
+        c1:e9:9d:eb:c0:86:4b:4d:6f:f8:4d:55:5a:3d:f6:55:95:33:
+        0f:b8:f0:53:2b:93:a6:da:8d:5c:1a:e8:30:22:55:67:44:6e:
+        17:c4:57:05:0d:ce:fc:61:dd:b1:3c:b0:66:55:f4:42:d0:ce:
+        94:7d:6a:82:bd:32:ed:2f:21:ff:c7:70:ff:48:9d:10:4a:71:
+        be:a8:37:e5:0f:f4:79:1e:7d:a2:f1:6a:6b:2c:e8:03:20:ce:
+        80:94:d2:38:80:bc:7e:56:c5:77:62:94:c0:b7:40:11:4d:ba:
+        98:4b:2e:52:03:66:68:36:ab:d1:0f:3e:b5:92:a3:95:9d:a4:
+        ea:d3:8a:14:41:6d:86:24:89:aa:d7:29:20:c8:52:d5:bf:8d:
+        3b:09:52:dd:89:8c:2c:85:40:b5:9f:cc:47:63:ca:3a:e0:c9:
+        91:5c:43:a9
+-----BEGIN CERTIFICATE-----
+MIIECTCCAvGgAwIBAgIUVVfbRUMGzlJjWblaJnj9DZRolZwwDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE5
+MDExNVoXDTMzMDQyODE5MDExNVowWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJ
+bnRlcm1lZGlhdGUgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALzGhC3Cq10F12Wo4hV02PLxVRFFk5ZMpdzLRPX0FH5GAlnornhZaSFY9xY4ucLC
+YNh2q6E5ugujAxfkoctdGgxicSRksADwb0yvCGKM3E/g19RVLNs2/Kmq11gn5JnL
+3CnZ6jUWyy6+BLKCWPTlXAfbEo7jPJpekEvFo9Qhll/hj/fLntvgEKBsoh4wF2wy
+n3tDpJ/TazMbGM2krTNIo5iwK8gidBdx2PFkIVXhM7x/dF+lpqKbWC/b7cfB5TYu
+hiatxv64AIVufO39Ssag2bI/Tr36CFLIXTEThr0/7HrYOhXica/sAIh+pujhnatX
+Woof+OJNKVhTeSXwntkYQCcCAwEAAaOB0DCBzTAdBgNVHQ4EFgQUtZFuT2S3FoR2
++bS+mc5glZgajp0wHwYDVR0jBBgwFoAUwxJCuqnYTeDDPrrXR0GmCS9ttOEwEgYD
+VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwMwYDVR0fBCwwKjAooCag
+JIYiaHR0cDovLzEyNy4wLjAuMTo4ODg4L3Jvb3RfY3JsLmRlcjAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6ODg4OC8wDQYJKoZI
+hvcNAQELBQADggEBALFIFjvXkdBNVAnLq8dBTzUSi6bohBFJqQSRQSV8AjiyGaDp
+LtXWeibBGvjxxlGSaK/IblvfKEC4mZTVQ33jaHWUJlYRIZ5QszZ7+F8zdmRxBCYr
+uyyDM4m6dMHpnevAhktNb/hNVVo99lWVMw+48FMrk6bajVwa6DAiVWdEbhfEVwUN
+zvxh3bE8sGZV9ELQzpR9aoK9Mu0vIf/HcP9InRBKcb6oN+UP9HkefaLxamss6AMg
+zoCU0jiAvH5WxXdilMC3QBFNuphLLlIDZmg2q9EPPrWSo5WdpOrTihRBbYYkiarX
+KSDIUtW/jTsJUt2JjCyFQLWfzEdjyjrgyZFcQ6k=
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/server1/TestServer2_cert.pem b/test/configs/certs/ocsp_peer/mini-ca/server1/TestServer2_cert.pem
new file mode 100644
index 000000000..91ddf5657
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/server1/TestServer2_cert.pem
@@ -0,0 +1,97 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            2e:91:da:29:59:ff:c4:64:bf:02:bc:27:bb:e3:35:4e:5b:36:f7:91
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 1
+        Validity
+            Not Before: May  1 19:33:53 2023 GMT
+            Not After : Apr 28 19:33:53 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=TestServer2
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:ac:48:ce:a7:b2:ad:7a:68:01:55:3f:86:20:7e:
+                    bb:26:e6:88:f3:ae:04:15:7d:d9:64:98:85:bc:eb:
+                    bd:d8:0a:c7:26:c4:8e:27:56:8c:a8:9f:51:37:a9:
+                    ec:8a:dc:af:27:05:0c:f5:c0:19:b1:2c:0d:56:66:
+                    7b:7e:b1:8f:ab:34:61:56:37:a8:ab:51:d6:1d:e6:
+                    a7:56:b2:51:72:57:9b:c5:87:84:6c:ef:e6:18:d4:
+                    45:b8:ef:52:72:11:02:81:61:f2:36:63:25:18:31:
+                    7f:c7:91:89:c3:b0:73:13:f0:26:1f:a1:4f:8c:ff:
+                    94:1c:75:a6:be:38:7d:81:06:33:dd:7b:86:81:c5:
+                    1f:d2:5d:f6:ea:3f:9f:ab:fb:e7:97:3c:72:ea:b3:
+                    83:ab:49:88:ac:a9:4b:81:db:fa:e3:bf:79:d9:6e:
+                    90:bf:8f:68:d8:05:f8:52:ad:98:41:29:e0:2a:18:
+                    98:b6:b2:61:78:02:02:52:85:02:e0:63:f4:a0:55:
+                    80:c9:66:8b:ac:4f:8b:36:f4:56:8f:cf:bd:67:86:
+                    72:92:0b:f9:73:7b:05:cc:3d:91:ed:ed:4f:f0:8f:
+                    36:99:e5:51:7f:ee:9e:fb:e5:5c:d0:39:a2:f5:51:
+                    06:92:3c:ad:cc:59:9d:0a:81:50:26:30:01:e9:f4:
+                    b1:e9
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                CD:65:B9:5C:48:35:F7:1E:85:6E:94:50:78:72:BB:3F:F7:BC:22:A6
+            X509v3 Authority Key Identifier: 
+                B5:91:6E:4F:64:B7:16:84:76:F9:B4:BE:99:CE:60:95:98:1A:8E:9D
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Client, SSL Server
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:18888/intermediate1_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:18888/
+            X509v3 Subject Alternative Name: 
+                DNS:localhost, IP Address:127.0.0.1
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        6f:de:f3:92:b2:8b:57:61:7a:b9:06:49:3e:af:e0:1c:3a:d4:
+        42:52:fe:d0:7d:97:8a:9b:d0:6d:b9:f3:e6:8b:2a:40:ce:aa:
+        ed:bb:ce:21:e8:ae:32:9d:eb:5a:00:e0:c1:3a:d7:40:74:1b:
+        43:e4:43:f0:61:bf:40:06:75:52:1b:b9:f4:b5:32:55:94:f5:
+        84:98:90:cc:27:92:91:b7:3d:8e:f1:12:bf:37:1a:8a:50:41:
+        3a:14:0c:cf:93:fe:57:97:7b:fe:af:b9:c0:c2:d6:bb:20:e4:
+        0a:6f:12:0b:60:a6:cc:59:46:db:99:db:61:71:d3:a7:f5:a1:
+        d0:d6:81:87:57:a3:dd:b6:e1:ab:2f:4f:b6:51:21:ec:a6:95:
+        df:d3:ab:e5:a1:67:a3:ba:b1:b9:71:39:a1:3b:db:5e:c5:6f:
+        b1:34:27:ae:6d:f6:67:4c:7d:7c:6d:12:37:6f:b5:0b:5a:85:
+        aa:5d:fd:03:de:59:b5:20:7a:ea:84:a0:a5:75:60:12:12:08:
+        77:0e:46:d6:fa:57:fa:b1:43:42:54:38:d7:66:67:cd:fc:b6:
+        f9:4c:fe:99:71:2b:d5:a6:13:2f:2e:f0:a3:9e:fc:47:03:31:
+        79:38:e3:50:8a:de:81:97:80:9e:46:71:5c:9f:e5:de:0c:49:
+        fc:f5:61:1c
+-----BEGIN CERTIFICATE-----
+MIIEYjCCA0qgAwIBAgIULpHaKVn/xGS/Arwnu+M1Tls295EwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJbnRlcm1lZGlhdGUgQ0EgMTAe
+Fw0yMzA1MDExOTMzNTNaFw0zMzA0MjgxOTMzNTNaMFQxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJXQTEPMA0GA1UEBwwGVGFjb21hMREwDwYDVQQKDAhUZXN0bmF0czEU
+MBIGA1UEAwwLVGVzdFNlcnZlcjIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCsSM6nsq16aAFVP4Ygfrsm5ojzrgQVfdlkmIW8673YCscmxI4nVoyon1E3
+qeyK3K8nBQz1wBmxLA1WZnt+sY+rNGFWN6irUdYd5qdWslFyV5vFh4Rs7+YY1EW4
+71JyEQKBYfI2YyUYMX/HkYnDsHMT8CYfoU+M/5Qcdaa+OH2BBjPde4aBxR/SXfbq
+P5+r++eXPHLqs4OrSYisqUuB2/rjv3nZbpC/j2jYBfhSrZhBKeAqGJi2smF4AgJS
+hQLgY/SgVYDJZousT4s29FaPz71nhnKSC/lzewXMPZHt7U/wjzaZ5VF/7p775VzQ
+OaL1UQaSPK3MWZ0KgVAmMAHp9LHpAgMBAAGjggEkMIIBIDAdBgNVHQ4EFgQUzWW5
+XEg19x6FbpRQeHK7P/e8IqYwHwYDVR0jBBgwFoAUtZFuT2S3FoR2+bS+mc5glZga
+jp0wDAYDVR0TAQH/BAIwADARBglghkgBhvhCAQEEBAMCBsAwDgYDVR0PAQH/BAQD
+AgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA9BgNVHR8ENjA0MDKg
+MKAuhixodHRwOi8vMTI3LjAuMC4xOjE4ODg4L2ludGVybWVkaWF0ZTFfY3JsLmRl
+cjAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly8xMjcuMC4wLjE6
+MTg4ODgvMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsF
+AAOCAQEAb97zkrKLV2F6uQZJPq/gHDrUQlL+0H2XipvQbbnz5osqQM6q7bvOIeiu
+Mp3rWgDgwTrXQHQbQ+RD8GG/QAZ1Uhu59LUyVZT1hJiQzCeSkbc9jvESvzcailBB
+OhQMz5P+V5d7/q+5wMLWuyDkCm8SC2CmzFlG25nbYXHTp/Wh0NaBh1ej3bbhqy9P
+tlEh7KaV39Or5aFno7qxuXE5oTvbXsVvsTQnrm32Z0x9fG0SN2+1C1qFql39A95Z
+tSB66oSgpXVgEhIIdw5G1vpX+rFDQlQ412Znzfy2+Uz+mXEr1aYTLy7wo578RwMx
+eTjjUIregZeAnkZxXJ/l3gxJ/PVhHA==
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem b/test/configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem
new file mode 100644
index 000000000..2ea703d5a
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCvJlxQwPpitf09
+wZ4mUVhiBDewtWqbauMiPM3uPOeL0+JMCBpNY8GBIPRTpV0v0nHYr+MmlbQnFEZ/
+4gpzEqcO/5laKfXQZZax0ZZ/DEO4cfJLIeGXbBsB5TgaOURy1Rkgh/6QTzuX8n29
+V5dNnVZQiVt5KXo6E5cIYcIMpgJJyYpBq46fJckzGPiSZFgEzKOdz9TSvSCri51V
+3/tbI6yVEvpvB5M/DgOGxJslBiGbA5YyuOAPY+IdNNFBNRkJwaDcJrnIZvqHZyJu
+DKbnDyRksU+EBe+tjhvy9DiH0+NIpYLgZokdkppZZ6QdA29Npfs7wAtzp6uPtBAl
+jmlCdoJfAgMBAAECggEAQLRoOEECfwMCehUUKs20XAl41WQ/7QiQvm4+GXwQgjyV
+hkccCGkI7H5TJK+bfHY/LrDTtsZpVmKMJORJvfcvFkBg08lakVFmWWy3L1pFjlcy
+DoWGxJzgYVPf5PgxDEcjUDxNU9yhhGHGB/Pa5oZwg7Iqw9kJ2XixPBx5RpjxkXYw
+tR8V3IaKq0YRI5lpUfuaofmJnHJnWCMTmawWMxWuTlzlbDDZTHQs8aTDUnwZ26kD
+6tYB2Tp3aP3zUE8MQZwOEyhRH1WQeS3kcIWh4UnPyA09g0aTb6YK8qacnTL2CixF
+VJpLDtlkQk0TCo06AZkcvWkPTQyFXnVsgkG8rRUlEQKBgQDrTHyf6merJAohUeBV
+5IIfoKHWbGc1DXSdmHtCSN9wFGkhCYtfCZ7YaSLjFF7GOvd6mfHJVnIp3aFONqM7
+dk/MZDsAvogO6lU+zgQc+EcKk+e6zyfsUYghy/R3+QKsYtd4SyNDq6cl80MUujjG
+pE2b41O57sNCVZgywCCGXvt/ZwKBgQC+jyufgKRIptM+OOhHlKUaxkTDaMHA1KKY
+iFPLuLgWmyCYHQq2D6uoCRGnEguEnXtbtOz6SYlMMNfeHtX0SATkdCGae/bh5ibG
+uQoWwRMkRkAgl1gyAh7h669pDUiD2gh0q56cS8El7Jgze7NRF4hUyY2mWc5nGhVR
+7rHKlOCiSQKBgHBiWevvg5BkaEo91w5vVA9TI7lMkYbvZFGZcNXaBI590TCsZFsC
+N1JZ9QXMxu+bXnS6bpehqGmCp/a5dgGCot6WyO+0ETw+hHS45ZIIq7XLqxS4uPLQ
+hlrOFXfwAWzg0NVt3ewGYpFnvRR7VX7bHw5j56uY9L4ML+OdjGthlnHlAoGAZAm7
+R/f7xtw1h7POVU22w3CUxtUm6jl2xobDHu7xTYTQvqp4Zg2h+wwPxVqWy171VLaN
+tfOG7YWyvbwIbD6mutwwi+5KNFtjve2EW1+u0dtDbRimx1IPrmDRbF/50qZSzBUQ
+plKqqmMjn9tvzsGA46oP/+WjksLBsIqTsZsotmkCgYAn8Ap+e6ZNX2uM8Kg7LB+T
+hBNGczNOGQX8SpfCeH9eV4VzfpEHn8Fxk+lcI2WpYkandQ8ju2s0mT5OoQ2VjxGT
+eql9jMd8MQZTx/aWridt5qG3hsFcx9GILlcXTUqyRH0SFAU7xDO5HzzKP3tiW6BN
+YE3GakolPPymOR9q69sT0Q==
+-----END PRIVATE KEY-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/server1/private/TestServer2_keypair.pem b/test/configs/certs/ocsp_peer/mini-ca/server1/private/TestServer2_keypair.pem
new file mode 100644
index 000000000..7b76a48d6
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/server1/private/TestServer2_keypair.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCsSM6nsq16aAFV
+P4Ygfrsm5ojzrgQVfdlkmIW8673YCscmxI4nVoyon1E3qeyK3K8nBQz1wBmxLA1W
+Znt+sY+rNGFWN6irUdYd5qdWslFyV5vFh4Rs7+YY1EW471JyEQKBYfI2YyUYMX/H
+kYnDsHMT8CYfoU+M/5Qcdaa+OH2BBjPde4aBxR/SXfbqP5+r++eXPHLqs4OrSYis
+qUuB2/rjv3nZbpC/j2jYBfhSrZhBKeAqGJi2smF4AgJShQLgY/SgVYDJZousT4s2
+9FaPz71nhnKSC/lzewXMPZHt7U/wjzaZ5VF/7p775VzQOaL1UQaSPK3MWZ0KgVAm
+MAHp9LHpAgMBAAECggEABbGGbngQX9Un+x8FQesSPgHnGM92wtY6J5Gwn2qhJy6M
+VYwwFZ3Nz5pBPbrOY9SRGhPihrdixKOWgWppA8ne0WB4JC26HnGZnFAbAQRVqPbQ
+duhd4ILpOpzpkh1K6b+vvU0addXpsUlHJjYZmdy+9tPBkhtwz1xDCFGShrguR0Pa
+WTudsee4skdGfw6wMyHEfM4IXXuSfb1hIse1xlnZMPXMMi3ebCqpOy4IzJ4ML7sF
+RySdrdAHcWJqOQjPkDTOPCXpthBn3iQ8Fa7Znd0GGLZvdRbq3p10H5LNhMg+LBc7
+oRVQ67qAfQKPHKQMSsR4x2fWo8/hw/QEi3cj6CohYQKBgQDtjDBm7VfbLojZeCMx
++32EZ0bLUTob5qInTKpDbdKcYmxP857LRAglaGu+pkOTnHi6lOjJYSiBDd1+vWm/
+1lgMUjKerI0l5ol5yRHWNDFyeQoh10TqEUbIUqB8E5Vi4gl0DlpnsfEm899rlfhP
+dmi1rNpc/C7ZK8Zpt7l4eLbqYQKBgQC5qs+K01WwjtrjoqkEwKqjy7ASrbBuZ56u
+wOe+iO7pYVP4/VdAvOsfEYCWfjhoETYGKob9ZZlo3StpQ5Ku5CigpWQVSCvJhO2T
+KQe75DfXXxaqoPmlNcqAFpqY383Sm+1r3a815sg83XhQAu7GdCyTrLocBLM9SFWX
+fVbojv/EiQKBgBlOpCFzC7cYIBA7ElTS3C5s6kfi4XPzgDb7nfANFTD/81YZOEOj
+fdKuazwmbnCdbOdD0gESTsRg+8Xy2/9KEJtPboElFOyCwQauey385X+ykXfFfVwK
+dyYEV4CgfXvJZQRuOwdtF6n0tUq68XdVwBYK0kCxxTPxy/ObVTEWezZBAoGAPPX2
+evB0vCnLeN5ZfHP+ExW31AovWbCwC1TPQmIXf40zUxdrZJgi4uqOO9tpjdHI2TFx
+bRXEzwd/T2qeaMoFBOoI+Gvf5KS+lIjuPyTpqM9R0+hSz4nf2TqSvAsPu0zzIW2C
+L8J8kG9vJ2YvG/3c/QfDe5uXdlGfuMOwm18IX3ECgYAelsVWNSm9YR2H7S6dlgjm
+8U1IZO342Ab5qlrIWn9Vr/X9MRsAASlVVESeNeQTToBoub5pakUrpz9nNQy29+TX
+xYju72RsCjKywKXWZrCAdHfY+wJJWVo5XkdDZJVl2AYrnP3C07S9aKIjhpGHwz7n
+jbbCEkHZREMbQJCQjuKT1w==
+-----END PRIVATE KEY-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/server2/TestServer3_bundle.pem b/test/configs/certs/ocsp_peer/mini-ca/server2/TestServer3_bundle.pem
new file mode 100644
index 000000000..7a1ee483a
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/server2/TestServer3_bundle.pem
@@ -0,0 +1,186 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            3e:1f:9b:cd:c8:7b:95:f1:64:e6:41:9c:df:6e:03:da:92:9a:90:b7
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 2
+        Validity
+            Not Before: Aug  2 22:15:27 2023 GMT
+            Not After : Jul 30 22:15:27 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=TestServer3
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:9a:3c:db:76:c9:19:0f:7b:e6:d3:ed:d1:0b:76:
+                    ae:15:d4:11:1c:66:b8:5d:2a:7d:e3:1f:65:d8:1b:
+                    c4:63:62:f6:5c:8b:18:66:a8:1c:c2:a6:5e:72:f2:
+                    dd:57:42:8a:ab:5d:bd:37:b6:f1:4b:51:f0:b3:6a:
+                    37:e9:55:78:01:23:ea:53:09:83:2f:7d:59:36:ab:
+                    33:4f:4c:bc:ef:a9:1c:db:94:79:4c:0d:4a:7c:3f:
+                    9d:3c:ba:6c:76:82:47:25:eb:79:22:f4:09:6c:78:
+                    3c:a6:ef:4b:30:90:29:b3:5f:ba:69:b1:1a:95:ed:
+                    53:e0:c6:24:78:6e:52:af:8e:bc:db:4a:f0:19:d2:
+                    00:5a:a8:b6:73:4c:17:92:d1:8d:81:9b:4c:b8:35:
+                    4d:91:dd:df:d3:85:a6:9f:c4:91:19:ec:47:d1:ca:
+                    4e:0b:c3:06:8c:27:42:95:83:e3:28:6a:3b:74:9c:
+                    68:b0:55:a5:91:91:cb:37:ad:fa:d8:69:8b:de:2e:
+                    4a:51:59:32:4b:3d:06:21:04:65:d2:f5:8b:e8:4d:
+                    45:96:de:63:97:47:81:85:ea:48:f0:9d:23:2d:71:
+                    87:6f:d2:75:3d:45:bf:de:ad:43:82:db:a5:29:9b:
+                    f9:5e:38:0a:39:a9:38:71:ec:40:40:b5:dc:69:c7:
+                    0b:73
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                7F:47:8C:9E:F1:73:7E:34:B9:5B:1E:ED:AD:3A:87:42:80:D4:E3:FD
+            X509v3 Authority Key Identifier: 
+                75:55:E2:8E:E7:AD:A5:DD:80:3D:C9:33:0B:2C:A2:57:77:ED:15:AC
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Client, SSL Server
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:28888/intermediate2_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:28888/
+            X509v3 Subject Alternative Name: 
+                DNS:localhost, IP Address:127.0.0.1
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        b9:b4:05:48:a6:ba:6c:99:8b:23:c4:9b:b3:8a:32:3f:ca:62:
+        89:81:1e:5d:04:ba:2d:22:a3:0f:5a:5d:a0:ab:40:a4:87:43:
+        26:36:0a:09:64:ef:f5:b0:a7:6f:7a:1f:cc:06:6c:f7:8d:9c:
+        64:5e:c2:ae:e7:45:39:dc:bc:87:06:e6:d5:aa:6b:32:76:51:
+        64:e1:ac:d9:9a:dd:17:47:9b:4e:31:1c:93:f5:c5:ca:d6:b7:
+        90:ff:64:97:59:df:2b:7f:ee:2d:7d:73:ef:95:ad:b5:1e:a9:
+        0c:48:38:29:0b:39:4f:05:fb:07:cf:ec:94:a3:b3:d5:eb:00:
+        ed:b2:b9:71:a0:59:b5:3f:7c:f5:20:90:54:a8:ea:36:4c:ae:
+        62:5b:2b:6d:05:8d:76:78:87:c9:90:f3:b2:d1:72:fc:87:f5:
+        28:4c:ec:19:50:0f:02:32:d4:57:75:d9:c1:b2:dc:0e:d4:9a:
+        3a:cd:48:70:1e:c4:2e:fd:4f:b0:89:6a:de:f0:90:91:23:16:
+        cd:04:fc:61:87:9c:c3:5c:7e:0f:19:ff:26:3e:fb:1b:65:2a:
+        49:ae:47:9f:d5:e6:c8:30:bb:13:b9:48:d0:67:57:0f:fb:c6:
+        df:1c:fc:82:3b:ae:1f:f7:25:c8:df:c0:c5:d1:8d:51:94:74:
+        30:be:fb:f7
+-----BEGIN CERTIFICATE-----
+MIIEYjCCA0qgAwIBAgIUPh+bzch7lfFk5kGc324D2pKakLcwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJbnRlcm1lZGlhdGUgQ0EgMjAe
+Fw0yMzA4MDIyMjE1MjdaFw0zMzA3MzAyMjE1MjdaMFQxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJXQTEPMA0GA1UEBwwGVGFjb21hMREwDwYDVQQKDAhUZXN0bmF0czEU
+MBIGA1UEAwwLVGVzdFNlcnZlcjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCaPNt2yRkPe+bT7dELdq4V1BEcZrhdKn3jH2XYG8RjYvZcixhmqBzCpl5y
+8t1XQoqrXb03tvFLUfCzajfpVXgBI+pTCYMvfVk2qzNPTLzvqRzblHlMDUp8P508
+umx2gkcl63ki9AlseDym70swkCmzX7ppsRqV7VPgxiR4blKvjrzbSvAZ0gBaqLZz
+TBeS0Y2Bm0y4NU2R3d/ThaafxJEZ7EfRyk4LwwaMJ0KVg+Moajt0nGiwVaWRkcs3
+rfrYaYveLkpRWTJLPQYhBGXS9YvoTUWW3mOXR4GF6kjwnSMtcYdv0nU9Rb/erUOC
+26Upm/leOAo5qThx7EBAtdxpxwtzAgMBAAGjggEkMIIBIDAdBgNVHQ4EFgQUf0eM
+nvFzfjS5Wx7trTqHQoDU4/0wHwYDVR0jBBgwFoAUdVXijuetpd2APckzCyyiV3ft
+FawwDAYDVR0TAQH/BAIwADARBglghkgBhvhCAQEEBAMCBsAwDgYDVR0PAQH/BAQD
+AgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA9BgNVHR8ENjA0MDKg
+MKAuhixodHRwOi8vMTI3LjAuMC4xOjI4ODg4L2ludGVybWVkaWF0ZTJfY3JsLmRl
+cjAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly8xMjcuMC4wLjE6
+Mjg4ODgvMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsF
+AAOCAQEAubQFSKa6bJmLI8Sbs4oyP8piiYEeXQS6LSKjD1pdoKtApIdDJjYKCWTv
+9bCnb3ofzAZs942cZF7CrudFOdy8hwbm1aprMnZRZOGs2ZrdF0ebTjEck/XFyta3
+kP9kl1nfK3/uLX1z75WttR6pDEg4KQs5TwX7B8/slKOz1esA7bK5caBZtT989SCQ
+VKjqNkyuYlsrbQWNdniHyZDzstFy/If1KEzsGVAPAjLUV3XZwbLcDtSaOs1IcB7E
+Lv1PsIlq3vCQkSMWzQT8YYecw1x+Dxn/Jj77G2UqSa5Hn9XmyDC7E7lI0GdXD/vG
+3xz8gjuuH/clyN/AxdGNUZR0ML779w==
+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            3c:d7:16:fb:15:99:81:4e:53:f8:80:7c:b6:7c:77:a6:06:a4:3e:ea
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 19:01:43 2023 GMT
+            Not After : Apr 28 19:01:43 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 2
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:da:5f:ff:1d:f7:8d:1a:9e:9a:f3:2b:68:8f:c1:
+                    0c:33:06:41:00:c9:3e:e4:1a:e1:e0:70:6a:f5:2f:
+                    ad:df:f3:e9:99:ed:c5:d7:aa:93:13:37:ff:47:aa:
+                    f3:c5:89:f7:b7:ad:3a:47:e5:9c:4e:9f:8c:e2:41:
+                    ed:a4:7c:9d:88:32:ae:f5:8a:84:9f:0c:18:a0:b3:
+                    fe:8e:dc:2a:88:6a:f5:2f:9c:86:92:fa:7b:6e:b3:
+                    5a:78:67:53:0b:21:6c:0d:6c:80:1a:0e:1e:ee:06:
+                    c4:d2:e7:24:c6:e5:74:be:1e:2e:17:55:2b:e5:9f:
+                    0b:a0:58:cc:fe:bf:53:37:f7:dc:95:88:f4:77:a6:
+                    59:b4:b8:7c:a2:4b:b7:6a:67:aa:84:dc:29:f1:f9:
+                    d7:89:05:4d:0b:f3:8b:2d:52:99:57:ed:6f:11:9e:
+                    af:28:a3:61:44:c2:ec:6e:7f:9f:3d:0b:dc:f7:19:
+                    6d:14:8a:a5:b8:b6:29:02:34:90:b4:96:c1:cb:a7:
+                    42:46:97:cf:8d:59:fd:17:b1:a6:27:a7:7b:8a:47:
+                    6f:fa:03:24:1c:12:25:ee:34:d6:5c:da:45:98:23:
+                    30:e1:48:c9:9a:df:37:aa:1b:70:6c:b2:0f:95:39:
+                    d6:6d:3e:25:20:a8:07:2c:48:57:0c:99:52:cb:89:
+                    08:41
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                75:55:E2:8E:E7:AD:A5:DD:80:3D:C9:33:0B:2C:A2:57:77:ED:15:AC
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:8888/
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        1f:c6:fc:1c:a1:a5:6d:76:f0:7d:28:1f:e1:15:ab:86:e0:c3:
+        dd:a0:17:96:0a:c0:16:32:52:37:a4:b6:ad:24:d7:fd:3c:01:
+        34:3b:a9:a2:ea:81:05:e7:06:5f:a3:af:7b:fa:b2:a9:c3:63:
+        89:bb:0c:70:48:e9:73:cc:33:64:cd:b3:71:88:d1:d1:a1:5a:
+        22:a6:ed:03:46:8e:9a:c0:92:37:46:9b:e5:37:78:a5:43:d5:
+        46:99:1b:34:40:27:8f:95:dd:c6:9a:55:d9:60:25:8d:b8:e9:
+        6e:c9:b3:ee:e8:f0:d9:11:ef:4e:ae:1e:03:70:03:60:66:fd:
+        ab:b0:f4:74:b6:27:7c:7a:96:9d:86:58:5f:5c:d3:04:ab:16:
+        57:12:53:51:c7:93:ca:0b:4e:67:27:2d:b7:20:79:b6:b7:8c:
+        e7:c3:d9:25:5e:25:63:cf:93:f0:6e:31:c0:d5:4f:05:1c:8d:
+        14:1b:6a:d5:01:b6:7a:09:6f:38:f3:e5:e2:5a:e4:e2:42:d5:
+        8a:8d:de:ef:73:25:85:3c:e3:a9:ef:f7:f7:23:4f:d3:27:c2:
+        3a:c6:c0:6f:2a:9b:1e:fe:fc:31:73:10:e1:08:62:98:2b:6d:
+        2f:cc:ab:dd:3a:65:c2:00:7f:29:18:32:cd:8f:56:a9:1d:86:
+        f1:5e:60:55
+-----BEGIN CERTIFICATE-----
+MIIECTCCAvGgAwIBAgIUPNcW+xWZgU5T+IB8tnx3pgakPuowDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE5
+MDE0M1oXDTMzMDQyODE5MDE0M1owWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJ
+bnRlcm1lZGlhdGUgQ0EgMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ANpf/x33jRqemvMraI/BDDMGQQDJPuQa4eBwavUvrd/z6ZntxdeqkxM3/0eq88WJ
+97etOkflnE6fjOJB7aR8nYgyrvWKhJ8MGKCz/o7cKohq9S+chpL6e26zWnhnUwsh
+bA1sgBoOHu4GxNLnJMbldL4eLhdVK+WfC6BYzP6/Uzf33JWI9HemWbS4fKJLt2pn
+qoTcKfH514kFTQvziy1SmVftbxGeryijYUTC7G5/nz0L3PcZbRSKpbi2KQI0kLSW
+wcunQkaXz41Z/Rexpiene4pHb/oDJBwSJe401lzaRZgjMOFIyZrfN6obcGyyD5U5
+1m0+JSCoByxIVwyZUsuJCEECAwEAAaOB0DCBzTAdBgNVHQ4EFgQUdVXijuetpd2A
+PckzCyyiV3ftFawwHwYDVR0jBBgwFoAUwxJCuqnYTeDDPrrXR0GmCS9ttOEwEgYD
+VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwMwYDVR0fBCwwKjAooCag
+JIYiaHR0cDovLzEyNy4wLjAuMTo4ODg4L3Jvb3RfY3JsLmRlcjAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6ODg4OC8wDQYJKoZI
+hvcNAQELBQADggEBAB/G/ByhpW128H0oH+EVq4bgw92gF5YKwBYyUjektq0k1/08
+ATQ7qaLqgQXnBl+jr3v6sqnDY4m7DHBI6XPMM2TNs3GI0dGhWiKm7QNGjprAkjdG
+m+U3eKVD1UaZGzRAJ4+V3caaVdlgJY246W7Js+7o8NkR706uHgNwA2Bm/auw9HS2
+J3x6lp2GWF9c0wSrFlcSU1HHk8oLTmcnLbcgeba3jOfD2SVeJWPPk/BuMcDVTwUc
+jRQbatUBtnoJbzjz5eJa5OJC1YqN3u9zJYU846nv9/cjT9MnwjrGwG8qmx7+/DFz
+EOEIYpgrbS/Mq906ZcIAfykYMs2PVqkdhvFeYFU=
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/server2/TestServer3_cert.pem b/test/configs/certs/ocsp_peer/mini-ca/server2/TestServer3_cert.pem
new file mode 100644
index 000000000..b061b3d46
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/server2/TestServer3_cert.pem
@@ -0,0 +1,97 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            3e:1f:9b:cd:c8:7b:95:f1:64:e6:41:9c:df:6e:03:da:92:9a:90:b7
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 2
+        Validity
+            Not Before: Aug  2 22:15:27 2023 GMT
+            Not After : Jul 30 22:15:27 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=TestServer3
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:9a:3c:db:76:c9:19:0f:7b:e6:d3:ed:d1:0b:76:
+                    ae:15:d4:11:1c:66:b8:5d:2a:7d:e3:1f:65:d8:1b:
+                    c4:63:62:f6:5c:8b:18:66:a8:1c:c2:a6:5e:72:f2:
+                    dd:57:42:8a:ab:5d:bd:37:b6:f1:4b:51:f0:b3:6a:
+                    37:e9:55:78:01:23:ea:53:09:83:2f:7d:59:36:ab:
+                    33:4f:4c:bc:ef:a9:1c:db:94:79:4c:0d:4a:7c:3f:
+                    9d:3c:ba:6c:76:82:47:25:eb:79:22:f4:09:6c:78:
+                    3c:a6:ef:4b:30:90:29:b3:5f:ba:69:b1:1a:95:ed:
+                    53:e0:c6:24:78:6e:52:af:8e:bc:db:4a:f0:19:d2:
+                    00:5a:a8:b6:73:4c:17:92:d1:8d:81:9b:4c:b8:35:
+                    4d:91:dd:df:d3:85:a6:9f:c4:91:19:ec:47:d1:ca:
+                    4e:0b:c3:06:8c:27:42:95:83:e3:28:6a:3b:74:9c:
+                    68:b0:55:a5:91:91:cb:37:ad:fa:d8:69:8b:de:2e:
+                    4a:51:59:32:4b:3d:06:21:04:65:d2:f5:8b:e8:4d:
+                    45:96:de:63:97:47:81:85:ea:48:f0:9d:23:2d:71:
+                    87:6f:d2:75:3d:45:bf:de:ad:43:82:db:a5:29:9b:
+                    f9:5e:38:0a:39:a9:38:71:ec:40:40:b5:dc:69:c7:
+                    0b:73
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                7F:47:8C:9E:F1:73:7E:34:B9:5B:1E:ED:AD:3A:87:42:80:D4:E3:FD
+            X509v3 Authority Key Identifier: 
+                75:55:E2:8E:E7:AD:A5:DD:80:3D:C9:33:0B:2C:A2:57:77:ED:15:AC
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Client, SSL Server
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:28888/intermediate2_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:28888/
+            X509v3 Subject Alternative Name: 
+                DNS:localhost, IP Address:127.0.0.1
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        b9:b4:05:48:a6:ba:6c:99:8b:23:c4:9b:b3:8a:32:3f:ca:62:
+        89:81:1e:5d:04:ba:2d:22:a3:0f:5a:5d:a0:ab:40:a4:87:43:
+        26:36:0a:09:64:ef:f5:b0:a7:6f:7a:1f:cc:06:6c:f7:8d:9c:
+        64:5e:c2:ae:e7:45:39:dc:bc:87:06:e6:d5:aa:6b:32:76:51:
+        64:e1:ac:d9:9a:dd:17:47:9b:4e:31:1c:93:f5:c5:ca:d6:b7:
+        90:ff:64:97:59:df:2b:7f:ee:2d:7d:73:ef:95:ad:b5:1e:a9:
+        0c:48:38:29:0b:39:4f:05:fb:07:cf:ec:94:a3:b3:d5:eb:00:
+        ed:b2:b9:71:a0:59:b5:3f:7c:f5:20:90:54:a8:ea:36:4c:ae:
+        62:5b:2b:6d:05:8d:76:78:87:c9:90:f3:b2:d1:72:fc:87:f5:
+        28:4c:ec:19:50:0f:02:32:d4:57:75:d9:c1:b2:dc:0e:d4:9a:
+        3a:cd:48:70:1e:c4:2e:fd:4f:b0:89:6a:de:f0:90:91:23:16:
+        cd:04:fc:61:87:9c:c3:5c:7e:0f:19:ff:26:3e:fb:1b:65:2a:
+        49:ae:47:9f:d5:e6:c8:30:bb:13:b9:48:d0:67:57:0f:fb:c6:
+        df:1c:fc:82:3b:ae:1f:f7:25:c8:df:c0:c5:d1:8d:51:94:74:
+        30:be:fb:f7
+-----BEGIN CERTIFICATE-----
+MIIEYjCCA0qgAwIBAgIUPh+bzch7lfFk5kGc324D2pKakLcwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJbnRlcm1lZGlhdGUgQ0EgMjAe
+Fw0yMzA4MDIyMjE1MjdaFw0zMzA3MzAyMjE1MjdaMFQxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJXQTEPMA0GA1UEBwwGVGFjb21hMREwDwYDVQQKDAhUZXN0bmF0czEU
+MBIGA1UEAwwLVGVzdFNlcnZlcjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCaPNt2yRkPe+bT7dELdq4V1BEcZrhdKn3jH2XYG8RjYvZcixhmqBzCpl5y
+8t1XQoqrXb03tvFLUfCzajfpVXgBI+pTCYMvfVk2qzNPTLzvqRzblHlMDUp8P508
+umx2gkcl63ki9AlseDym70swkCmzX7ppsRqV7VPgxiR4blKvjrzbSvAZ0gBaqLZz
+TBeS0Y2Bm0y4NU2R3d/ThaafxJEZ7EfRyk4LwwaMJ0KVg+Moajt0nGiwVaWRkcs3
+rfrYaYveLkpRWTJLPQYhBGXS9YvoTUWW3mOXR4GF6kjwnSMtcYdv0nU9Rb/erUOC
+26Upm/leOAo5qThx7EBAtdxpxwtzAgMBAAGjggEkMIIBIDAdBgNVHQ4EFgQUf0eM
+nvFzfjS5Wx7trTqHQoDU4/0wHwYDVR0jBBgwFoAUdVXijuetpd2APckzCyyiV3ft
+FawwDAYDVR0TAQH/BAIwADARBglghkgBhvhCAQEEBAMCBsAwDgYDVR0PAQH/BAQD
+AgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA9BgNVHR8ENjA0MDKg
+MKAuhixodHRwOi8vMTI3LjAuMC4xOjI4ODg4L2ludGVybWVkaWF0ZTJfY3JsLmRl
+cjAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly8xMjcuMC4wLjE6
+Mjg4ODgvMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsF
+AAOCAQEAubQFSKa6bJmLI8Sbs4oyP8piiYEeXQS6LSKjD1pdoKtApIdDJjYKCWTv
+9bCnb3ofzAZs942cZF7CrudFOdy8hwbm1aprMnZRZOGs2ZrdF0ebTjEck/XFyta3
+kP9kl1nfK3/uLX1z75WttR6pDEg4KQs5TwX7B8/slKOz1esA7bK5caBZtT989SCQ
+VKjqNkyuYlsrbQWNdniHyZDzstFy/If1KEzsGVAPAjLUV3XZwbLcDtSaOs1IcB7E
+Lv1PsIlq3vCQkSMWzQT8YYecw1x+Dxn/Jj77G2UqSa5Hn9XmyDC7E7lI0GdXD/vG
+3xz8gjuuH/clyN/AxdGNUZR0ML779w==
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/server2/TestServer4_bundle.pem b/test/configs/certs/ocsp_peer/mini-ca/server2/TestServer4_bundle.pem
new file mode 100644
index 000000000..27f4217d7
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/server2/TestServer4_bundle.pem
@@ -0,0 +1,186 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            16:5e:ab:1c:8b:dc:fc:97:d9:34:9d:fd:cd:7d:b3:3c:51:83:ce:d2
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 2
+        Validity
+            Not Before: Aug  2 22:15:38 2023 GMT
+            Not After : Jul 30 22:15:38 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=TestServer4
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:d5:fd:fb:3f:42:c7:ca:02:37:72:6e:78:d5:af:
+                    8d:b4:4d:f4:4c:0c:8f:8f:67:da:62:c0:2a:0f:f3:
+                    73:3b:83:c1:3a:df:9e:df:1d:26:12:95:41:ca:52:
+                    88:4d:8b:38:7f:78:ce:ed:aa:48:b0:dc:57:62:80:
+                    7a:fc:1f:43:c8:d8:2d:4f:38:c3:22:fc:bb:16:53:
+                    84:9e:44:0c:f9:51:00:a0:57:97:3f:df:57:08:48:
+                    3b:2b:55:b3:90:98:98:e6:a6:eb:ca:8f:ec:f8:4f:
+                    dc:4d:7e:71:2e:03:ff:cd:fa:ef:65:7e:6d:8c:35:
+                    be:df:fb:c1:0b:e9:f0:3b:89:24:4d:b4:02:7f:82:
+                    8e:0a:34:ea:a8:68:9e:f8:4b:39:9a:8f:d5:eb:bc:
+                    59:68:c9:f0:a5:eb:e9:be:7c:03:49:bd:b5:d9:54:
+                    cf:88:29:b0:2c:a3:e9:08:b6:66:37:57:ef:66:5f:
+                    6b:0f:34:6d:02:bf:92:2b:cc:e9:9d:c0:a8:92:0d:
+                    76:8f:ae:f6:3f:24:38:e9:5b:fc:12:a2:ab:fa:42:
+                    3f:5a:05:e3:5e:bb:08:43:5d:55:18:17:13:0a:27:
+                    84:5f:05:69:18:a9:45:68:37:a7:35:f9:8c:ef:c5:
+                    9f:b1:8d:aa:3c:b7:cc:47:b6:e5:85:e2:73:f5:8a:
+                    5a:71
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                C4:BB:A1:42:EA:15:3E:0E:D1:48:5F:B5:E2:01:42:D0:72:BE:B0:CE
+            X509v3 Authority Key Identifier: 
+                75:55:E2:8E:E7:AD:A5:DD:80:3D:C9:33:0B:2C:A2:57:77:ED:15:AC
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Client, SSL Server
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:28888/intermediate2_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:28888/
+            X509v3 Subject Alternative Name: 
+                DNS:localhost, IP Address:127.0.0.1
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        85:c2:1a:b0:94:8b:a0:f8:2c:85:1e:17:88:4e:ca:2c:d1:f6:
+        69:26:e3:a6:94:9f:62:eb:68:54:da:2b:f2:67:23:be:4b:95:
+        56:28:08:7a:52:8e:b3:b2:70:2f:c9:db:06:74:b4:8b:8e:84:
+        23:0a:74:f7:c1:67:81:69:11:36:2b:0e:4c:0f:2c:76:e6:2d:
+        50:f3:e8:59:0d:3a:6c:30:eb:31:16:74:c8:34:d1:62:97:6b:
+        1e:2f:5c:56:b0:6e:bc:5e:08:8f:d4:ce:4a:d3:8e:91:70:7d:
+        18:d4:3f:40:39:39:67:95:68:f7:16:c6:19:69:41:c2:20:2e:
+        45:e3:9d:31:c2:da:67:8d:2c:1f:a2:3f:1e:46:23:19:fd:25:
+        16:69:5c:80:09:1b:f7:7f:50:47:1d:d9:6b:aa:7b:0f:20:8d:
+        5a:f4:37:f0:c3:a7:31:5f:4d:41:70:c8:c4:aa:2a:69:d0:a8:
+        7b:3c:cc:b4:a4:12:54:a3:bf:ce:ea:22:20:58:ae:eb:29:f3:
+        15:da:22:05:46:cd:26:ef:63:84:4a:5b:86:47:fe:cb:fa:4a:
+        0c:fe:82:e0:db:81:dc:3e:87:8f:93:23:32:de:37:3d:d7:0f:
+        6c:f1:74:63:8b:11:b7:f3:69:b7:d6:e0:72:b2:1d:e1:15:10:
+        7d:2e:97:de
+-----BEGIN CERTIFICATE-----
+MIIEYjCCA0qgAwIBAgIUFl6rHIvc/JfZNJ39zX2zPFGDztIwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJbnRlcm1lZGlhdGUgQ0EgMjAe
+Fw0yMzA4MDIyMjE1MzhaFw0zMzA3MzAyMjE1MzhaMFQxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJXQTEPMA0GA1UEBwwGVGFjb21hMREwDwYDVQQKDAhUZXN0bmF0czEU
+MBIGA1UEAwwLVGVzdFNlcnZlcjQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQDV/fs/QsfKAjdybnjVr420TfRMDI+PZ9piwCoP83M7g8E6357fHSYSlUHK
+UohNizh/eM7tqkiw3FdigHr8H0PI2C1POMMi/LsWU4SeRAz5UQCgV5c/31cISDsr
+VbOQmJjmpuvKj+z4T9xNfnEuA//N+u9lfm2MNb7f+8EL6fA7iSRNtAJ/go4KNOqo
+aJ74Szmaj9XrvFloyfCl6+m+fANJvbXZVM+IKbAso+kItmY3V+9mX2sPNG0Cv5Ir
+zOmdwKiSDXaPrvY/JDjpW/wSoqv6Qj9aBeNeuwhDXVUYFxMKJ4RfBWkYqUVoN6c1
++YzvxZ+xjao8t8xHtuWF4nP1ilpxAgMBAAGjggEkMIIBIDAdBgNVHQ4EFgQUxLuh
+QuoVPg7RSF+14gFC0HK+sM4wHwYDVR0jBBgwFoAUdVXijuetpd2APckzCyyiV3ft
+FawwDAYDVR0TAQH/BAIwADARBglghkgBhvhCAQEEBAMCBsAwDgYDVR0PAQH/BAQD
+AgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA9BgNVHR8ENjA0MDKg
+MKAuhixodHRwOi8vMTI3LjAuMC4xOjI4ODg4L2ludGVybWVkaWF0ZTJfY3JsLmRl
+cjAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly8xMjcuMC4wLjE6
+Mjg4ODgvMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsF
+AAOCAQEAhcIasJSLoPgshR4XiE7KLNH2aSbjppSfYutoVNor8mcjvkuVVigIelKO
+s7JwL8nbBnS0i46EIwp098FngWkRNisOTA8sduYtUPPoWQ06bDDrMRZ0yDTRYpdr
+Hi9cVrBuvF4Ij9TOStOOkXB9GNQ/QDk5Z5Vo9xbGGWlBwiAuReOdMcLaZ40sH6I/
+HkYjGf0lFmlcgAkb939QRx3Za6p7DyCNWvQ38MOnMV9NQXDIxKoqadCoezzMtKQS
+VKO/zuoiIFiu6ynzFdoiBUbNJu9jhEpbhkf+y/pKDP6C4NuB3D6Hj5MjMt43PdcP
+bPF0Y4sRt/Npt9bgcrId4RUQfS6X3g==
+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            3c:d7:16:fb:15:99:81:4e:53:f8:80:7c:b6:7c:77:a6:06:a4:3e:ea
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA
+        Validity
+            Not Before: May  1 19:01:43 2023 GMT
+            Not After : Apr 28 19:01:43 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 2
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:da:5f:ff:1d:f7:8d:1a:9e:9a:f3:2b:68:8f:c1:
+                    0c:33:06:41:00:c9:3e:e4:1a:e1:e0:70:6a:f5:2f:
+                    ad:df:f3:e9:99:ed:c5:d7:aa:93:13:37:ff:47:aa:
+                    f3:c5:89:f7:b7:ad:3a:47:e5:9c:4e:9f:8c:e2:41:
+                    ed:a4:7c:9d:88:32:ae:f5:8a:84:9f:0c:18:a0:b3:
+                    fe:8e:dc:2a:88:6a:f5:2f:9c:86:92:fa:7b:6e:b3:
+                    5a:78:67:53:0b:21:6c:0d:6c:80:1a:0e:1e:ee:06:
+                    c4:d2:e7:24:c6:e5:74:be:1e:2e:17:55:2b:e5:9f:
+                    0b:a0:58:cc:fe:bf:53:37:f7:dc:95:88:f4:77:a6:
+                    59:b4:b8:7c:a2:4b:b7:6a:67:aa:84:dc:29:f1:f9:
+                    d7:89:05:4d:0b:f3:8b:2d:52:99:57:ed:6f:11:9e:
+                    af:28:a3:61:44:c2:ec:6e:7f:9f:3d:0b:dc:f7:19:
+                    6d:14:8a:a5:b8:b6:29:02:34:90:b4:96:c1:cb:a7:
+                    42:46:97:cf:8d:59:fd:17:b1:a6:27:a7:7b:8a:47:
+                    6f:fa:03:24:1c:12:25:ee:34:d6:5c:da:45:98:23:
+                    30:e1:48:c9:9a:df:37:aa:1b:70:6c:b2:0f:95:39:
+                    d6:6d:3e:25:20:a8:07:2c:48:57:0c:99:52:cb:89:
+                    08:41
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                75:55:E2:8E:E7:AD:A5:DD:80:3D:C9:33:0B:2C:A2:57:77:ED:15:AC
+            X509v3 Authority Key Identifier: 
+                C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:8888/root_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:8888/
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        1f:c6:fc:1c:a1:a5:6d:76:f0:7d:28:1f:e1:15:ab:86:e0:c3:
+        dd:a0:17:96:0a:c0:16:32:52:37:a4:b6:ad:24:d7:fd:3c:01:
+        34:3b:a9:a2:ea:81:05:e7:06:5f:a3:af:7b:fa:b2:a9:c3:63:
+        89:bb:0c:70:48:e9:73:cc:33:64:cd:b3:71:88:d1:d1:a1:5a:
+        22:a6:ed:03:46:8e:9a:c0:92:37:46:9b:e5:37:78:a5:43:d5:
+        46:99:1b:34:40:27:8f:95:dd:c6:9a:55:d9:60:25:8d:b8:e9:
+        6e:c9:b3:ee:e8:f0:d9:11:ef:4e:ae:1e:03:70:03:60:66:fd:
+        ab:b0:f4:74:b6:27:7c:7a:96:9d:86:58:5f:5c:d3:04:ab:16:
+        57:12:53:51:c7:93:ca:0b:4e:67:27:2d:b7:20:79:b6:b7:8c:
+        e7:c3:d9:25:5e:25:63:cf:93:f0:6e:31:c0:d5:4f:05:1c:8d:
+        14:1b:6a:d5:01:b6:7a:09:6f:38:f3:e5:e2:5a:e4:e2:42:d5:
+        8a:8d:de:ef:73:25:85:3c:e3:a9:ef:f7:f7:23:4f:d3:27:c2:
+        3a:c6:c0:6f:2a:9b:1e:fe:fc:31:73:10:e1:08:62:98:2b:6d:
+        2f:cc:ab:dd:3a:65:c2:00:7f:29:18:32:cd:8f:56:a9:1d:86:
+        f1:5e:60:55
+-----BEGIN CERTIFICATE-----
+MIIECTCCAvGgAwIBAgIUPNcW+xWZgU5T+IB8tnx3pgakPuowDQYJKoZIhvcNAQEL
+BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE5
+MDE0M1oXDTMzMDQyODE5MDE0M1owWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB
+MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJ
+bnRlcm1lZGlhdGUgQ0EgMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ANpf/x33jRqemvMraI/BDDMGQQDJPuQa4eBwavUvrd/z6ZntxdeqkxM3/0eq88WJ
+97etOkflnE6fjOJB7aR8nYgyrvWKhJ8MGKCz/o7cKohq9S+chpL6e26zWnhnUwsh
+bA1sgBoOHu4GxNLnJMbldL4eLhdVK+WfC6BYzP6/Uzf33JWI9HemWbS4fKJLt2pn
+qoTcKfH514kFTQvziy1SmVftbxGeryijYUTC7G5/nz0L3PcZbRSKpbi2KQI0kLSW
+wcunQkaXz41Z/Rexpiene4pHb/oDJBwSJe401lzaRZgjMOFIyZrfN6obcGyyD5U5
+1m0+JSCoByxIVwyZUsuJCEECAwEAAaOB0DCBzTAdBgNVHQ4EFgQUdVXijuetpd2A
+PckzCyyiV3ftFawwHwYDVR0jBBgwFoAUwxJCuqnYTeDDPrrXR0GmCS9ttOEwEgYD
+VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwMwYDVR0fBCwwKjAooCag
+JIYiaHR0cDovLzEyNy4wLjAuMTo4ODg4L3Jvb3RfY3JsLmRlcjAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6ODg4OC8wDQYJKoZI
+hvcNAQELBQADggEBAB/G/ByhpW128H0oH+EVq4bgw92gF5YKwBYyUjektq0k1/08
+ATQ7qaLqgQXnBl+jr3v6sqnDY4m7DHBI6XPMM2TNs3GI0dGhWiKm7QNGjprAkjdG
+m+U3eKVD1UaZGzRAJ4+V3caaVdlgJY246W7Js+7o8NkR706uHgNwA2Bm/auw9HS2
+J3x6lp2GWF9c0wSrFlcSU1HHk8oLTmcnLbcgeba3jOfD2SVeJWPPk/BuMcDVTwUc
+jRQbatUBtnoJbzjz5eJa5OJC1YqN3u9zJYU846nv9/cjT9MnwjrGwG8qmx7+/DFz
+EOEIYpgrbS/Mq906ZcIAfykYMs2PVqkdhvFeYFU=
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/server2/TestServer4_cert.pem b/test/configs/certs/ocsp_peer/mini-ca/server2/TestServer4_cert.pem
new file mode 100644
index 000000000..703262550
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/server2/TestServer4_cert.pem
@@ -0,0 +1,97 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            16:5e:ab:1c:8b:dc:fc:97:d9:34:9d:fd:cd:7d:b3:3c:51:83:ce:d2
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 2
+        Validity
+            Not Before: Aug  2 22:15:38 2023 GMT
+            Not After : Jul 30 22:15:38 2033 GMT
+        Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=TestServer4
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:d5:fd:fb:3f:42:c7:ca:02:37:72:6e:78:d5:af:
+                    8d:b4:4d:f4:4c:0c:8f:8f:67:da:62:c0:2a:0f:f3:
+                    73:3b:83:c1:3a:df:9e:df:1d:26:12:95:41:ca:52:
+                    88:4d:8b:38:7f:78:ce:ed:aa:48:b0:dc:57:62:80:
+                    7a:fc:1f:43:c8:d8:2d:4f:38:c3:22:fc:bb:16:53:
+                    84:9e:44:0c:f9:51:00:a0:57:97:3f:df:57:08:48:
+                    3b:2b:55:b3:90:98:98:e6:a6:eb:ca:8f:ec:f8:4f:
+                    dc:4d:7e:71:2e:03:ff:cd:fa:ef:65:7e:6d:8c:35:
+                    be:df:fb:c1:0b:e9:f0:3b:89:24:4d:b4:02:7f:82:
+                    8e:0a:34:ea:a8:68:9e:f8:4b:39:9a:8f:d5:eb:bc:
+                    59:68:c9:f0:a5:eb:e9:be:7c:03:49:bd:b5:d9:54:
+                    cf:88:29:b0:2c:a3:e9:08:b6:66:37:57:ef:66:5f:
+                    6b:0f:34:6d:02:bf:92:2b:cc:e9:9d:c0:a8:92:0d:
+                    76:8f:ae:f6:3f:24:38:e9:5b:fc:12:a2:ab:fa:42:
+                    3f:5a:05:e3:5e:bb:08:43:5d:55:18:17:13:0a:27:
+                    84:5f:05:69:18:a9:45:68:37:a7:35:f9:8c:ef:c5:
+                    9f:b1:8d:aa:3c:b7:cc:47:b6:e5:85:e2:73:f5:8a:
+                    5a:71
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                C4:BB:A1:42:EA:15:3E:0E:D1:48:5F:B5:E2:01:42:D0:72:BE:B0:CE
+            X509v3 Authority Key Identifier: 
+                75:55:E2:8E:E7:AD:A5:DD:80:3D:C9:33:0B:2C:A2:57:77:ED:15:AC
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Client, SSL Server
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://127.0.0.1:28888/intermediate2_crl.der
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:28888/
+            X509v3 Subject Alternative Name: 
+                DNS:localhost, IP Address:127.0.0.1
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        85:c2:1a:b0:94:8b:a0:f8:2c:85:1e:17:88:4e:ca:2c:d1:f6:
+        69:26:e3:a6:94:9f:62:eb:68:54:da:2b:f2:67:23:be:4b:95:
+        56:28:08:7a:52:8e:b3:b2:70:2f:c9:db:06:74:b4:8b:8e:84:
+        23:0a:74:f7:c1:67:81:69:11:36:2b:0e:4c:0f:2c:76:e6:2d:
+        50:f3:e8:59:0d:3a:6c:30:eb:31:16:74:c8:34:d1:62:97:6b:
+        1e:2f:5c:56:b0:6e:bc:5e:08:8f:d4:ce:4a:d3:8e:91:70:7d:
+        18:d4:3f:40:39:39:67:95:68:f7:16:c6:19:69:41:c2:20:2e:
+        45:e3:9d:31:c2:da:67:8d:2c:1f:a2:3f:1e:46:23:19:fd:25:
+        16:69:5c:80:09:1b:f7:7f:50:47:1d:d9:6b:aa:7b:0f:20:8d:
+        5a:f4:37:f0:c3:a7:31:5f:4d:41:70:c8:c4:aa:2a:69:d0:a8:
+        7b:3c:cc:b4:a4:12:54:a3:bf:ce:ea:22:20:58:ae:eb:29:f3:
+        15:da:22:05:46:cd:26:ef:63:84:4a:5b:86:47:fe:cb:fa:4a:
+        0c:fe:82:e0:db:81:dc:3e:87:8f:93:23:32:de:37:3d:d7:0f:
+        6c:f1:74:63:8b:11:b7:f3:69:b7:d6:e0:72:b2:1d:e1:15:10:
+        7d:2e:97:de
+-----BEGIN CERTIFICATE-----
+MIIEYjCCA0qgAwIBAgIUFl6rHIvc/JfZNJ39zX2zPFGDztIwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx
+ETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJbnRlcm1lZGlhdGUgQ0EgMjAe
+Fw0yMzA4MDIyMjE1MzhaFw0zMzA3MzAyMjE1MzhaMFQxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJXQTEPMA0GA1UEBwwGVGFjb21hMREwDwYDVQQKDAhUZXN0bmF0czEU
+MBIGA1UEAwwLVGVzdFNlcnZlcjQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQDV/fs/QsfKAjdybnjVr420TfRMDI+PZ9piwCoP83M7g8E6357fHSYSlUHK
+UohNizh/eM7tqkiw3FdigHr8H0PI2C1POMMi/LsWU4SeRAz5UQCgV5c/31cISDsr
+VbOQmJjmpuvKj+z4T9xNfnEuA//N+u9lfm2MNb7f+8EL6fA7iSRNtAJ/go4KNOqo
+aJ74Szmaj9XrvFloyfCl6+m+fANJvbXZVM+IKbAso+kItmY3V+9mX2sPNG0Cv5Ir
+zOmdwKiSDXaPrvY/JDjpW/wSoqv6Qj9aBeNeuwhDXVUYFxMKJ4RfBWkYqUVoN6c1
++YzvxZ+xjao8t8xHtuWF4nP1ilpxAgMBAAGjggEkMIIBIDAdBgNVHQ4EFgQUxLuh
+QuoVPg7RSF+14gFC0HK+sM4wHwYDVR0jBBgwFoAUdVXijuetpd2APckzCyyiV3ft
+FawwDAYDVR0TAQH/BAIwADARBglghkgBhvhCAQEEBAMCBsAwDgYDVR0PAQH/BAQD
+AgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA9BgNVHR8ENjA0MDKg
+MKAuhixodHRwOi8vMTI3LjAuMC4xOjI4ODg4L2ludGVybWVkaWF0ZTJfY3JsLmRl
+cjAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly8xMjcuMC4wLjE6
+Mjg4ODgvMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsF
+AAOCAQEAhcIasJSLoPgshR4XiE7KLNH2aSbjppSfYutoVNor8mcjvkuVVigIelKO
+s7JwL8nbBnS0i46EIwp098FngWkRNisOTA8sduYtUPPoWQ06bDDrMRZ0yDTRYpdr
+Hi9cVrBuvF4Ij9TOStOOkXB9GNQ/QDk5Z5Vo9xbGGWlBwiAuReOdMcLaZ40sH6I/
+HkYjGf0lFmlcgAkb939QRx3Za6p7DyCNWvQ38MOnMV9NQXDIxKoqadCoezzMtKQS
+VKO/zuoiIFiu6ynzFdoiBUbNJu9jhEpbhkf+y/pKDP6C4NuB3D6Hj5MjMt43PdcP
+bPF0Y4sRt/Npt9bgcrId4RUQfS6X3g==
+-----END CERTIFICATE-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/server2/private/TestServer3_keypair.pem b/test/configs/certs/ocsp_peer/mini-ca/server2/private/TestServer3_keypair.pem
new file mode 100644
index 000000000..bb0d7e45b
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/server2/private/TestServer3_keypair.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCaPNt2yRkPe+bT
+7dELdq4V1BEcZrhdKn3jH2XYG8RjYvZcixhmqBzCpl5y8t1XQoqrXb03tvFLUfCz
+ajfpVXgBI+pTCYMvfVk2qzNPTLzvqRzblHlMDUp8P508umx2gkcl63ki9AlseDym
+70swkCmzX7ppsRqV7VPgxiR4blKvjrzbSvAZ0gBaqLZzTBeS0Y2Bm0y4NU2R3d/T
+haafxJEZ7EfRyk4LwwaMJ0KVg+Moajt0nGiwVaWRkcs3rfrYaYveLkpRWTJLPQYh
+BGXS9YvoTUWW3mOXR4GF6kjwnSMtcYdv0nU9Rb/erUOC26Upm/leOAo5qThx7EBA
+tdxpxwtzAgMBAAECggEALjBPYLE0SgjGxWyQj6hI1cyeGy0/xNa2wE9kxmT6WPEH
+6grVkdiCVGBSJIZKdpk8wbjes1Kby/yL4o7Kk5u+xkilIZzVpmEZWF/Ii9TlN7gj
+Jja+ZGIOjkrWoZsKZCr7d4WezzLZp5wSPcOndrGVa1wdjQ02cvORjNyJi28uX9gd
+8uBK5AIXS1lbkt/v+8mrBPgZUttz6gxhlHwxKs6JWWlIpGemNddE39UxuGDGHmVA
+aw/gH/G4LNXtbAIPq5zDtFbfCKnQVgU1ppWILehoFqIs8JLtz4LPuvIxeztzKff4
+DU31rs14Zati5ykq9CVqY/d+4nKdstwhRPcPfsvgYQKBgQDBNVPn73A7fRoURpzV
+sdJPA4RDbrbiZj0x/cAskuzzx/mmJUuNyuJxGizJU0ebT3VxtdCR2LqpgGEQEaKS
+wYmMlSJ4NccugWgRl7/of5d5oY2m6f4W4YaNp4RebdVhNPJ4wSbeW7pH+2OKr2xd
+my+m1WJUvRBbPq5kV2BdHNw62QKBgQDMXTqaOjsC9jpOOIjsUHmV55MbMmwK8For
+H6e3Dn1ZO0Tpcg33GMLO5wHwzH6dlT2JVJAOdr5HqZgdIqjt30ACZsdf2VkutH94
+OvZmEAbwI9A+TAoxE8QlLYyz/qjJSGopJRU0x+KqEORxBmjO6LVV1GL9VVdoYrlH
+Z7mrJ+7RKwKBgQC87LyDS2rfgNEDipjJjPwtLy8iERzb/UVRoONNss3pA15mzIk4
+uW77UbEBnGGkyOn6quKr+tVr8ZD3+YaTIpSx1xLBoTSHkRqGOXD6k+k2knbFBIHl
+NdowoeGZxKSmTPPciGLNg7x/rp4Des3oKltKM9XXLpjT4FL+40HjStk+4QKBgQC8
+71AXd9BIy7VZzaCgwUG3GhIBadtDPbRO/AQFFAtE7KuoGz7X+/dWa3F62sQQEgKD
+LT/Fb3g5LoyoGvwMdoJp9fVLItj1egAC+pgEAbs4VhPXFFuzxa9oI7VaTwxikmU7
+RsJVOprOWbGo4KES8Ud8Y09lIHof0m2ymy2nE9MRYwKBgDn86ZcbBr6sBXgc6PEM
+rq4JXBCX8O17id9rJO37PkhPsOKpNf7YbQwHlHjwkUq5+g7Ec/LbeZ/tssEBY0ab
+zUXwgWFMUKJVTEZUFwl2aTBqW8+LSu1TgzGMx2H/sxrvS4ElxC04jpPWUQstcuRH
+y3yIz1HsmlMEg7qCiQ4maZE3
+-----END PRIVATE KEY-----
diff --git a/test/configs/certs/ocsp_peer/mini-ca/server2/private/TestServer4_keypair.pem b/test/configs/certs/ocsp_peer/mini-ca/server2/private/TestServer4_keypair.pem
new file mode 100644
index 000000000..979272806
--- /dev/null
+++ b/test/configs/certs/ocsp_peer/mini-ca/server2/private/TestServer4_keypair.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDV/fs/QsfKAjdy
+bnjVr420TfRMDI+PZ9piwCoP83M7g8E6357fHSYSlUHKUohNizh/eM7tqkiw3Fdi
+gHr8H0PI2C1POMMi/LsWU4SeRAz5UQCgV5c/31cISDsrVbOQmJjmpuvKj+z4T9xN
+fnEuA//N+u9lfm2MNb7f+8EL6fA7iSRNtAJ/go4KNOqoaJ74Szmaj9XrvFloyfCl
+6+m+fANJvbXZVM+IKbAso+kItmY3V+9mX2sPNG0Cv5IrzOmdwKiSDXaPrvY/JDjp
+W/wSoqv6Qj9aBeNeuwhDXVUYFxMKJ4RfBWkYqUVoN6c1+YzvxZ+xjao8t8xHtuWF
+4nP1ilpxAgMBAAECggEABmE7dr39Ep3ZDRdz0QwaNY5O6p8Dvy7llQTdZCsaDAPQ
+NJsC46w87LgoNVnbUDOGwE8n3TBS2ToCfXBu6joc5V2jkS10LOR7x+0+wpCtEdhL
+RFyEKP51u+yaXf8Aut5/zX2bwUbj9d28p89NnMV4AIo7Dau0pKXcDlW1Qk+LztyI
+hKFN6hrSFqAurmSt/pu3oo9kI9WJkrCxoj+VjQdVi420uAYOFR22aFaHrzpuHouW
+4IzFbLhVF+c33xSbs1OEIpZSFzNucWYEKSwEREcyFgIXfWpDaXjoqWcrvXkeqyo9
+vGytQ3YaEsZPzfzgcViwa30g7WAA7kO9RuwcCPK4wQKBgQDpVmbVnmTlRwFbtdkD
+4rjd5vtAB3nfsl0Ex11nU8+Oo0kZWeg8mm+Gba4vjEKfVyojbjFmm0ytQG0OGEK7
+UQ13mE1wueMn5qEVX9nTXIxVwcS7+rQAUrC5a6SSg81WIWzeclkqNc1J1EVC7jtl
+zqy3PtC94g4tV68urpD86RRxUQKBgQDqxpWscN1u7GeuYf8rSPhPcoZTupqyrV3L
+h+w7jUt5O/vfNPOYIXVfo2u05jiK0mTvLf5tVjYoQDF+x6odA2oBH2yz1ED0DZsf
+2AhdtCSrMbxazcl/5fPrIIa1GRBp6y5i0ddX8T19twr/PVoYGRqkU4xoN+KoOKz+
+HLFUUgQPIQKBgG5N9v0DDMVKRL0bAQUSN7xGxf1ly1pRUiHBMUl4WEUgsZy3YM7N
+Xu1YiiBWGOSEaxomrFnKDnxUWXlxRJKSZWBk8i7Y4SZqozmcfzeop3qeyCbpBBCn
+Bn4RAdJ1VitiT7n0qmwG1Q4St89FGXUuN33Exx8MbxFGQz05LrcwZAaRAoGAVFez
+PZfudQMI3GToPqygSCpkh3/qQ3Z008Go5FwGWS9rdOyY9nZOrGURNJPgjD65dBOZ
+672lByDIpzsjqfioBG89pf0CuKqKqA38M22cHsRnXle/o+sAjd/JhRXUB7ktmOK5
+8iYAaUFw+fEYhL/ACnjZYDdzfeueekvkiN5OBwECgYB90hQJ2lw5s6GFJd+9T5xS
+OMngfLAWDvW8+0hvtWCTLAVpMDWRGhGmvj532jWfkgqnvUemyF541RkV0Hy5K1Xl
+0icXtpuZ+REh7NCXFJlEiOd+69OEdu78s5Zy8V1zCkEsgxzl2q6PkBDWfxepgdRC
+LbwiAF8h2mxCwvvHbaBiKA==
+-----END PRIVATE KEY-----
diff --git a/test/configs/certs/tlsauth/certstore/client.p12 b/test/configs/certs/tlsauth/certstore/client.p12
new file mode 100644
index 0000000000000000000000000000000000000000..18ee5c32f01bd2c89fdff8779f6b309242426da8
GIT binary patch
literal 2509
zcmY+^cQhM}8U}EQ7(o?9%&HM1S`xMAXMDBOs@T*hHCwaMp+?k*nx$6EiW*g;pAl*n
zO;IaUYgZGRnn|ttP*=~n_kQ>O@t*gb=Q-#3^9RR(2Y>)ZI0l@?42H#<#P6R0umDOh
z;AjvA9B~@ogJVF7|5VH+7|?~&NCXIAIDLHoGyu2=GuyuxH~`FWP7v#ySx{0b_H{52
z$jT6nVWfIE);Z^5SXfDW$%q+}C%UUF@BGL1Ym0TYN#J{Yq+q>Hm9~bndo3N39<|Dl
z_D63hmD3CY+B1*S&zN#$E6v${UKxCeg$P{at%{6Wr^lsZ1xfYUyU4!~dwV#ulxQV<
zf-rONs#WnN?LY1DnyR$91TlWe>B+`o;khe0nZh1aMk1~)^Keq8O~aIK5IOS^6;RjG
z^4#^SqO<uz1GP^myjvMMYf*_Z?LMw5rlsW|KgzFB8v{@(>Ny0Kwq_23+48PJ7p_?e
zFUI=_iAsriAboMTd8X?L{_|S()=^tw<ZkPTV~_OrFw6B#1uiUW>GwK(mMg?D<r}S0
z1h$EXb;<=ocP}hTGn^H8A-el2rU4SZRzJb90MsJA;8=TS@d>0_0L#8!&!y$ur3U^)
zm;F^&jk2pn%=SwlbWC9AoU+)PUN2LXOL=CaDP<p!x`abb|1gD~<Og<~5^uSd=5ec6
zj)7U7&#x`#CYH9?jw4YfK<OABR>L*Yn}l?KV<TurPBLoDkh)agpf*IvuJ-%NeLd|8
zR8vuMIjhwtEk-`c=eV$XTUM~-N#2VKU$qkuclU=|6NdKMSMv-Z98}Te4>7PJc}c1O
zv_#{3Ov>sF_MN^PZ@KZrij9ORmIb+PGGi(+im^Y#)Yq$B%4<8$A%C)scx}DKvXu5Q
z7%;U_ARHx^GB|&y4+etvmq}3?Ejt<*e0#DkAg8Lod|vUyI+SWh{J0u&`Mb@4YYRFw
zLxsoYPrcr)fK7}`!qyH;*iQ|0Hir(+X(GOpNDIoFj3QZPNzikyGZ&>X-yaJGZgs~d
zCdP_}<5oEsvMcED?KBooRP%8~#Ypo}Ces_uuR4A~bTu8Jh?dZ1*OsG7BzCPRqJdm~
zAoe4Ksaoq@(rb0^o<j2l0Yz>i$BEv6cJ6H{71x2!Gl3~D#iNHZe}Kmy+)19k=i;+X
zLk>A@p5+NB?nTIQir2=BG+V!pG-M3_Ly0MEf;E$;r*=4O1RH2({IZXKca(yk$ezD5
z(@Pi+RF*tLN)<=TB_1fcz~;LBR?d!w!}XmC3Nsy|){C0Eo?Na-sxj`9zNj3M&)&m_
z>UIm?;)RN(Ak-#39xqMx&$AM{b%q}!**X-iK+Li58#UMyA#Js9>+1q1EGCgXlOB?r
za)E$Vz5%RmA^^SBx|Y&qJF~{7lm_Rd)lcwmI6vqwp-WD>y=tQiJ=7Lw5Tv#A=qiv>
zjO3d7g1CXbmD%>eIj?eS-pAZ)aqUUQc;W?i8u=H?4S+(nLY{Zm1|=TZ+!x<jpCt)4
z%8$!@^|s=0!7E$^>U@D?nDqY#h7t^u5(vYja2mr-PnwziKTNOzfTx~po<g$ve|j+f
z)}y)Q4Oh&RZO(5!Kp4>bAzd=V&amcSh%8Y{e@sThsBr9N2n2+<F}xGPo8+TH=1?dk
zA9Rn7dtY2K@TbI04`pt11;}#VaewBmmoQ42Ix@lq+e4iy*S@G3HI%5Qyw#1msiIuo
zKOeVY?501@-Vl!36P+CoeXA@?c~U51lBglghhGqo5^!hN5~7#9WtV-XfB(^k6Gy~h
z=xSvZFa1o49-q*#3>f-u<-JOQljo>Yh)lN9{6O8o)+DvDb}4B#Xs<)I=28jl3;I@M
znK5Vd`FFL(*5MnhuZUGq14i38B-P66q~pA+U@Cb<Sg5?pIYv4bQDjs3D{KC`)V4nA
z&5UXX=E7a=8R<)9z*t|Y3UhOVUViGljWZ1|65_7!vSTQE+;pQ!WI?iH&=CP;F90xc
zni?ZbQf32YTYU}*tt9lMz_Pi%Sku0+ZO)V{hLON>*~*U@2JK?m<BO<X-qidt53=A8
zv7p@YMWKBZsAY5k!{cAw5vdAY;{L6zOe2oLIuI2mRYM+%gpFNW6M-kN_RcLo^+9Bq
ziQuH%QgcsQQ@5~zXn2%Tp8J}=s~Z9=hXJD7&a-fNA;et~s-gMvK$N;W%ueBt$kquM
zneEBqY_?vLn)r_wjqv1BNxNg?bQiZV`_1(#!_DLnI?TWcTy=SIC(x!Yopm4VP}fSe
zR=X_-y~NuZ7gm4!Te?}sZH?Z1KokH_h0EqVYce@jydf1~{;k4`D|f42ICLEIboXfE
zoht=B6mqNFvTrwj^gLBE#ku;Xt*4p<q|yf$2t`i7aHJ&2IZ3cb3@Sy65Q(5&4SV{-
z?&rYC^3Oc;93AW{>mEBYrR3Jmj?od2(~MJ}z|TM8?`v2`ktaO)B*ED{B|+WNTiB5B
zrMKo^Y?7abjx&}8>wWgF$}L@#tIJu&*?*2&z&^bzUl`AJG-FYF^mkb4Rm34IR9ePv
z<H#b!$F>msB2v2d`tY}hbND|41ufarRY!Y2r9WiTFJEOFX6G*AJoy9rx9DiB;q)`)
z&eN5U#XUIskl@oB^pZs<@%wIolcKGEAM#~muc>Q!s^pe3GL@(p`irUi#74dKAnVyq
z+hT;q!W}|aeAiif;i|$QoJE~lOU5-u+U6$70c(HaW-Y-jJT20>JOb(vP3XIcOCrBM
zxCk){Jp9><y(YUQUz%GI;ylpVv-dzHV2%6<H-`xfCkAJ?^m@|Kv5Rui-dU>VpzYk(
z?XO56dqEiuC42F6^~|N3GtvN>7=AX`#qd$;bLP%VhL0eT(E;6xO>RsqANaDBG-^;B
zgI2;rV3{~K389Hq2vqyM-=6yTx#yU}G40;M6?S?CUogwi8v97Jr`Dwkl{mj@Jv$+h
z%DZ}ovBbFdXwfA?R(IIX6}s!Th7$$5a^xqRQ7dqKPORM9p>L+PcFe0?K=eGh;DbHu
zhS-#KfNrkAOn*f@Sm;`k?M*`Y&y&BZbmbg^dNL1=2luV`>KGLFxK)(85=ZjhP4yZ*
zCa+JnLVAJ<ipc!U&&qa%oIDcugK^BhMifLvbKpRH#MFiL;!5v{mEv8Rn58q??hWyw
zb-SV37qfg5`I-_XP;_4qz9!qGA>SBNmG5Zk5@lu9&hJiA$>rcjK;e@A)e+2x;0N)#
zo5+$P_je*+900UxBv$C{dctSm2)H;L%*-Uu$p{o;VgT{dyc|4~xM#EOpJY&8%gTuY
U+E{c!tg<!azqFH#xqmD9FFp^exBvhE

literal 0
HcmV?d00001

diff --git a/test/configs/certs/tlsauth/certstore/delete-cert-from-store.ps1 b/test/configs/certs/tlsauth/certstore/delete-cert-from-store.ps1
new file mode 100644
index 000000000..e3a05ae58
--- /dev/null
+++ b/test/configs/certs/tlsauth/certstore/delete-cert-from-store.ps1
@@ -0,0 +1,2 @@
+$issuer="Synadia Communications Inc."
+Get-ChildItem Cert:\CurrentUser\My | Where-Object {$_.Issuer -match $issuer} | Remove-Item
\ No newline at end of file
diff --git a/test/configs/certs/tlsauth/certstore/import-p12-client.ps1 b/test/configs/certs/tlsauth/certstore/import-p12-client.ps1
new file mode 100644
index 000000000..f2b4a270c
--- /dev/null
+++ b/test/configs/certs/tlsauth/certstore/import-p12-client.ps1
@@ -0,0 +1,5 @@
+$fileLocale = $PSScriptRoot + "\client.p12"
+$Pass = ConvertTo-SecureString -String 's3cr3t' -Force -AsPlainText
+$User = "whatever"
+$Cred = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $User, $Pass
+Import-PfxCertificate -FilePath $filelocale -CertStoreLocation Cert:\CurrentUser\My -Password $Cred.Password
\ No newline at end of file
diff --git a/test/configs/certs/tlsauth/certstore/import-p12-server.ps1 b/test/configs/certs/tlsauth/certstore/import-p12-server.ps1
new file mode 100644
index 000000000..14a006d82
--- /dev/null
+++ b/test/configs/certs/tlsauth/certstore/import-p12-server.ps1
@@ -0,0 +1,5 @@
+$fileLocale = $PSScriptRoot + "\server.p12"
+$Pass = ConvertTo-SecureString -String 's3cr3t' -Force -AsPlainText
+$User = "whatever"
+$Cred = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $User, $Pass
+Import-PfxCertificate -FilePath $filelocale -CertStoreLocation Cert:\CurrentUser\My -Password $Cred.Password
\ No newline at end of file
diff --git a/test/configs/certs/tlsauth/certstore/pkcs12.md b/test/configs/certs/tlsauth/certstore/pkcs12.md
new file mode 100644
index 000000000..569d88084
--- /dev/null
+++ b/test/configs/certs/tlsauth/certstore/pkcs12.md
@@ -0,0 +1,22 @@
+# PKCS12 Files
+
+Refresh PKCS12 files when test certificates and keys (PEM files) are refreshed (e.g. expiry workflow)
+
+- `client.p12` is a p12/pfx packaging of `client.pem` and `client-key.pem`
+
+`openssl pkcs12 -export -inkey ./client-key.pem -in ./client.pem -out client.p12`
+
+> Note: set the PKCS12 bundle password to `s3cr3t` as required by provisioning scripts
+
+## Cert Store Provisioning Scripts
+
+Windows cert store supports p12/pfx bundle for certificate-with-key import.  Windows cert store tests will execute 
+a Powershell script to import relevant PKCS12 bundle into the Windows store before the test. Equivalent to:
+
+`powershell.exe -command "& '..\test\configs\certs\tlsauth\certstore\import-<client,server>-p12.ps1'"`
+
+The `delete-cert-from-store.ps1` script deletes imported certificates from the Windows store (if present) that can
+cause side-effects and impact the validity of different use tests.
+
+> Note: Tests are configured for "current user" store context. Execute tests with appropriate Windows permissions
+> (e.g. as Admin) if adding tests with "local machine" store context specified.
\ No newline at end of file
diff --git a/test/configs/certs/tlsauth/certstore/server.p12 b/test/configs/certs/tlsauth/certstore/server.p12
new file mode 100644
index 0000000000000000000000000000000000000000..9325afbc15cd755c85b08a3307aa55d4b6547e85
GIT binary patch
literal 2533
zcmY+^cQhM{9tUt4O~tOQm#QdktVV2V?@>D~MQyQXt(#b(N^B9*w5lkshFZ01_8Kj!
zR$8N_#jV=ZikeT)dGFo#{`j5WIp6O&-#<SH9CQu{03mSDatKsB$uNn=47dn*ii48C
zIB4#9oQ1%F4gRShPjO(S^GFT|pgVt3|1<yuKZN1m3rqkAf(1;UU~rR)ke0d*1k%&R
z;lOkpnKAjvpCv2jCi!C7wmTJwb`JGHN2+?4{0O`l$|%ToJt>%w7Yr02Rps2f86S@Y
zf2$ms_-c003}Dje-#TThI1+bj)|@qQlr95E$dPa7Kt!&GqS#^Hk9RsN#JT15=>Quw
zC`3f_NfbBL*stak({qc9@EUi#n>QI|=<##K`uFJ>$q8eZ_`k?}UJpD5KxIBCmIyU3
zZk42$gnYxnx;x3J6LQ038lIk{A5$%@^3@`+qqpYPdYk<<cH2}z=-tH?xTQ;^$<s?F
zGVIx^^oMf-ElsTNmtE0U!uK$?a<182%?+5xH*CE9o7<Nkzp4M|^_l;=`7{S(<5z}#
zmgg3)q)>0?y30kPxHdK4Om|~q;2m|viM4)h6saVGK{?94@DLN~#gCR#(I|Tn%Xj+>
zD_{Jn+)9OIV|oa?0x@vNM7z1r3b%5}6E&g0MBd`QR`exnz58jeoJ!>iSLoYtc&g|u
zo1d#-$Zy|1CqtA5L$1k5A3o|u&JW9yW{rrGBvYH^7Il1j)QA1?N|RB5c0)+I$dF{F
z&)nBy3I}huZ@iEDqpI!I)Q2X|a$>~<_ae!j{32!?BkuP#8W)AX#{T6x-sHO(?z}63
zjvC|C<mHT07_W64;S>g+S$Vt^=;dwh)7|p9t+#YkYbTU@gc58|v-`PGLn|pLqnD#c
zWdD^j^VzRU3{cVBZ7nbs8Ks{`Ooi#@)C4-PzRj9xEs}`E8k)`a-5)1SlZFHWa!bu}
zs{0EPXv*{}yB4lkuOOXQ*9X{*^R}%X!n<T&m<!#xb<t&9MgpNBpQ{v@<>G6!KRnC3
zt;H<RP<6!=RT~+i39`768Y(74cPAV&aH32u3Vrc8ZZWRD&4N!Zt9#*$N5F@j_5H53
zuS=FQp4W)yW)&U_w_2Fa!ymc$hB@TRP8OCxtJR5A(?G{k%J9O{$>1@quPWt+B!h?h
zp^?p$)^f>lUz2hLjI*(>hc7Amn$vX<gJapB3dU)1cdcIZC8$poT|6$>Q~B9x*F-Da
z8rImgRU4akzWU@~FU2Ph95^}|)EQyMsL?+faoH`*<+ST$F;JsuheftpZJhU;YsN=O
zl>X}Ph3xRo;q_P}oNb*#7=XjgV@(?`%k`+NG-PyxQJ#Mfrj7Zc!_*;haLTm{%Z~^q
zt@=;esn?(0d{ky-9D*LeKh|Q8zxOfwYJH)~X2Bgc8#Zo=a}l>Z!;kK#d&6Y%Xo#Yp
zctBYXYnDt^Om|HtRi&z(>_6yz5uD#`1eTU-*!^%NxL#G#R;N+TnI`SY>um)&GZplo
z=&%4v)>rE|GWq1f$84)|{fHRCfnhQzNa7V1zZOzVM8{2E29zLh7qtEdjHkE@NHFe#
z^m#0PexeY@|M0;80G>OuaSqJN|EU7{rOLZ~YDp$=2K-AEFb@2d!Lkc?{G3A(jZ7ha
zxzvAHOQ7CXLRkV7`e$3DjPC2|Ug7{YXdDL3a~mq+jTp*ivEE&Y6LK)awneU^HJA;`
zu(!k$4v8V^<#eiS)vwG`fyXzc<wGoTcKK47c473z<|=`_S4H2i7Ld{;9ndvTa)n+N
z9P{ToPo#tQRRX9n%Q?Kc3p5WSwqWmAI)}9_S9L)@vwr9|(|E4wyWdl?TWSPFgz}dj
zOm|k(rly%NJ~%}OPT}^m7#|bn8}`<2I<3SVPYrC8F`RgZ?riHe$<AK1^_h+e0IRov
zHK6N@#D_!yqI=GO<o3q#WCN?wiIN?)&SG>rIOm!lIj_i7KUp*y6X3;WyeZu}Yb1!2
z52t@)88vb3i(+Z&#3bguLiKO(Nr{I<3F0)R^7JJl+Wz&;$pTf%x^H7eUefx(?7YX#
zgu3>(Fn~<$jk3!w1z$17PFMH>9`U)Omue`-t*M6$+5w(*UQ_#f7KewK!RF5xMF;20
zpH<rY%ni~kfy}>1n-?7$N(i+|dRKtcjnk$A-?-<VIFXjtc?5<UD(43*XAT!x&4=-v
zTgESH(&O;fPIG)_g<Cv-Q-TuXWxjS)O1Wn%`H2n5=FhP{)s8b&Ck}62C5CsA(=;T%
z-;u3TKzh{^@KWlL`t+kv$~Wi1e2DWV{1N%y9@REj`FrewQDW^ov5Y3!?KzDJUS*{P
zXuqbLgC0?AwguU(nGr52wq3PjZT=daEm&wJ$wP`tmijE<_I4Pl(7q|XmQ@!K7N_4F
z08-_IjErzFD~#aYSa0N4ez>Mu>azeDY(Z#6qz}BUHfPdH@O+LDB-bN1CCg82HG4M0
zqx^fG$4$~TtuE$ufAK<I%HCM=L3)ZQ9jtA*Ac2;6Yf(*cQx;*>-P6YeL>2EKoTk$z
z{@#rS>%_7nJ`s$gQI?fQ%XZjoH)l`COr0_S&*9SN=3CB8qZVI{81@G_I~Vuun5VbW
z^uCksRrp-LRqk7NrE^(%v-H3o##;LN{z%h!i*9Cf=(Oyi;!xC|9D7}1D5Y^&{N_<4
zl-aKr`p!6~!00!E^#?`^4JYgevEE95wr#Oea-tsktc@j;;2w+?-q6{CX|K{=Ly<tn
zR*V%NtnHvF7CmE@v3*2J=OGUz-jJWqa8j1ifu|w%gafNSCfQMBtvELZx}U75ecEPa
zOc|KDobV*mssj7US4UL}^}IUa?;;PCP6SPXeAG0Rq(rf`DlV4)<ByrU+XtX{zH&ks
zK~}9^TN-XttOba6>-7bXIbK&@4a-!tsegVNtkz;Y#p)oHDp5aXfKhEsJqYS!_$Cb$
zd|4viz@NB>ZOwKb*cSX$?8VQq3+QVeRw1k9nP~+Or>pxrLPDDgSEYO<K)RxzpLV=3
zdgEZs7VWUJpw!&N)P)M|VV_)<T<@f}ArGvi6&LlCe=?sLwI@+Lya(ZqYotX0AqvS4
z5KWzuX3Vfhb~y561dVG=Eqs9vcdbD$)(z#{9@6HbaD-%IVLt@Q+1m%L-@V_!=jx13
zN_^6O(tN>swD$w3ApPtRp2)H)9c)MC5~+O900%j9-pNLja!xrD2M~KQOZV^!lRD~{
zj9^*r=lm~CWke9d|J4!7CBqHo{F7BghChx*Kvrxw+gSg2IA@^3jgUbIA)t^85-cF#
q<qLFR&L7DpDXFM|lm|{1CG{2+nGZ!Ox54yR0919bqhtFoCI1DfvZNjW

literal 0
HcmV?d00001

diff --git a/test/gateway_test.go b/test/gateway_test.go
index 740be62cf..49b890d35 100644
--- a/test/gateway_test.go
+++ b/test/gateway_test.go
@@ -605,89 +605,96 @@ func TestGatewayTLSMixedIPAndDNS(t *testing.T) {
 	server.SetGatewaysSolicitDelay(5 * time.Millisecond)
 	defer server.ResetGatewaysSolicitDelay()
 
-	confA1 := createConfFile(t, []byte(`
-		listen: 127.0.0.1:-1
-		gateway {
-			name: "A"
-			listen: "127.0.0.1:-1"
-			tls {
-				cert_file: "./configs/certs/server-iponly.pem"
-				key_file:  "./configs/certs/server-key-iponly.pem"
-				ca_file:   "./configs/certs/ca.pem"
-				timeout: 2
+	// Run this test extra times to make sure not flaky since it
+	// on solicit time.
+	for i := 0; i < 10; i++ {
+		t.Run("", func(t *testing.T) {
+			confA1 := createConfFile(t, []byte(`
+			listen: 127.0.0.1:-1
+			server_name: A1
+			gateway {
+				name: "A"
+				listen: "127.0.0.1:-1"
+				tls {
+					cert_file: "./configs/certs/server-iponly.pem"
+					key_file:  "./configs/certs/server-key-iponly.pem"
+					ca_file:   "./configs/certs/ca.pem"
+					timeout: 2
+				}
 			}
-		}
-		cluster {
-			listen: "127.0.0.1:-1"
-		}
-	`))
-	srvA1, optsA1 := RunServerWithConfig(confA1)
-	defer srvA1.Shutdown()
-
-	confA2Template := `
-		listen: 127.0.0.1:-1
-		gateway {
-			name: "A"
-			listen: "localhost:-1"
-			tls {
-				cert_file: "./configs/certs/server-cert.pem"
-				key_file:  "./configs/certs/server-key.pem"
-				ca_file:   "./configs/certs/ca.pem"
-				timeout: 2
+			cluster {
+				listen: "127.0.0.1:-1"
+			}`))
+			srvA1, optsA1 := RunServerWithConfig(confA1)
+			defer srvA1.Shutdown()
+
+			confA2Template := `
+			listen: 127.0.0.1:-1
+			server_name: A2
+			gateway {
+				name: "A"
+				listen: "localhost:-1"
+				tls {
+					cert_file: "./configs/certs/server-cert.pem"
+					key_file:  "./configs/certs/server-key.pem"
+					ca_file:   "./configs/certs/ca.pem"
+					timeout: 2
+				}
 			}
-		}
-		cluster {
-			listen: "127.0.0.1:-1"
-			routes [
-				"nats://%s:%d"
-			]
-		}
-	`
-	confA2 := createConfFile(t, []byte(fmt.Sprintf(confA2Template,
-		optsA1.Cluster.Host, optsA1.Cluster.Port)))
-	srvA2, optsA2 := RunServerWithConfig(confA2)
-	defer srvA2.Shutdown()
-
-	checkClusterFormed(t, srvA1, srvA2)
-
-	// Create a GW connection to cluster "A". Don't use the helper since we need verification etc.
-	o := DefaultTestOptions
-	o.Port = -1
-	o.Gateway.Name = "B"
-	o.Gateway.Host = "127.0.0.1"
-	o.Gateway.Port = -1
-
-	tc := &server.TLSConfigOpts{}
-	tc.CertFile = "./configs/certs/server-cert.pem"
-	tc.KeyFile = "./configs/certs/server-key.pem"
-	tc.CaFile = "./configs/certs/ca.pem"
-	tc.Timeout = 2.0
-	tlsConfig, err := server.GenTLSConfig(tc)
-	if err != nil {
-		t.Fatalf("Error generating TLS config: %v", err)
-	}
-	tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
-	tlsConfig.RootCAs = tlsConfig.ClientCAs
+			cluster {
+				listen: "127.0.0.1:-1"
+				routes [
+					"nats://%s:%d"
+				]
+			}`
+			confA2 := createConfFile(t, []byte(fmt.Sprintf(confA2Template,
+				optsA1.Cluster.Host, optsA1.Cluster.Port)))
+			srvA2, optsA2 := RunServerWithConfig(confA2)
+			defer srvA2.Shutdown()
+
+			checkClusterFormed(t, srvA1, srvA2)
+
+			// Create a GW connection to cluster "A". Don't use the helper since we need verification etc.
+			o := DefaultTestOptions
+			o.Port = -1
+			o.ServerName = "B1"
+			o.Gateway.Name = "B"
+			o.Gateway.Host = "127.0.0.1"
+			o.Gateway.Port = -1
+
+			tc := &server.TLSConfigOpts{}
+			tc.CertFile = "./configs/certs/server-cert.pem"
+			tc.KeyFile = "./configs/certs/server-key.pem"
+			tc.CaFile = "./configs/certs/ca.pem"
+			tc.Timeout = 2.0
+			tlsConfig, err := server.GenTLSConfig(tc)
+			if err != nil {
+				t.Fatalf("Error generating TLS config: %v", err)
+			}
+			tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+			tlsConfig.RootCAs = tlsConfig.ClientCAs
 
-	o.Gateway.TLSConfig = tlsConfig.Clone()
+			o.Gateway.TLSConfig = tlsConfig.Clone()
 
-	rurl, _ := url.Parse(fmt.Sprintf("nats://%s:%d", optsA2.Gateway.Host, optsA2.Gateway.Port))
-	remote := &server.RemoteGatewayOpts{Name: "A", URLs: []*url.URL{rurl}}
-	remote.TLSConfig = tlsConfig.Clone()
-	o.Gateway.Gateways = []*server.RemoteGatewayOpts{remote}
+			rurl, _ := url.Parse(fmt.Sprintf("nats://%s:%d", optsA2.Gateway.Host, optsA2.Gateway.Port))
+			remote := &server.RemoteGatewayOpts{Name: "A", URLs: []*url.URL{rurl}}
+			remote.TLSConfig = tlsConfig.Clone()
+			o.Gateway.Gateways = []*server.RemoteGatewayOpts{remote}
 
-	srvB := RunServer(&o)
-	defer srvB.Shutdown()
+			srvB := RunServer(&o)
+			defer srvB.Shutdown()
 
-	waitForOutboundGateways(t, srvB, 1, 10*time.Second)
-	waitForOutboundGateways(t, srvA1, 1, 10*time.Second)
-	waitForOutboundGateways(t, srvA2, 1, 10*time.Second)
+			waitForOutboundGateways(t, srvB, 1, 10*time.Second)
+			waitForOutboundGateways(t, srvA1, 1, 10*time.Second)
+			waitForOutboundGateways(t, srvA2, 1, 10*time.Second)
 
-	// Now kill off srvA2 and force serverB to connect to srvA1.
-	srvA2.Shutdown()
+			// Now kill off srvA2 and force serverB to connect to srvA1.
+			srvA2.Shutdown()
 
-	// Make sure this works.
-	waitForOutboundGateways(t, srvB, 1, 10*time.Second)
+			// Make sure this works.
+			waitForOutboundGateways(t, srvB, 1, 30*time.Second)
+		})
+	}
 }
 
 func TestGatewayAdvertiseInCluster(t *testing.T) {
diff --git a/test/gosrv_test.go b/test/gosrv_test.go
index b89ca377c..6f58e857e 100644
--- a/test/gosrv_test.go
+++ b/test/gosrv_test.go
@@ -10,6 +10,7 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+
 package test
 
 import (
diff --git a/test/leafnode_test.go b/test/leafnode_test.go
index 84a21d23c..5a2966dde 100644
--- a/test/leafnode_test.go
+++ b/test/leafnode_test.go
@@ -1274,6 +1274,7 @@ func (c *captureLeafNodeErrLogger) Errorf(format string, v ...interface{}) {
 	}
 }
 
+// ** added by Memphis
 func (c *captureLeafNodeErrLogger) Systemf(format string, v ...interface{}) {
 	msg := fmt.Sprintf(format, v...)
 	select {
@@ -1282,6 +1283,8 @@ func (c *captureLeafNodeErrLogger) Systemf(format string, v ...interface{}) {
 	}
 }
 
+// ** added by Memphis
+
 func TestLeafNodeTLSMixIP(t *testing.T) {
 	content := `
 	listen: "127.0.0.1:-1"
diff --git a/test/ocsp_peer_test.go b/test/ocsp_peer_test.go
new file mode 100644
index 000000000..9fc398977
--- /dev/null
+++ b/test/ocsp_peer_test.go
@@ -0,0 +1,2926 @@
+// Copyright 2023 The NATS Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package test
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"golang.org/x/crypto/ocsp"
+
+	"github.com/memphisdev/memphis/server"
+	"github.com/nats-io/nats.go"
+)
+
+func newOCSPResponderRootCA(t *testing.T) *http.Server {
+	t.Helper()
+	respCertPEM := "configs/certs/ocsp_peer/mini-ca/caocsp/caocsp_cert.pem"
+	respKeyPEM := "configs/certs/ocsp_peer/mini-ca/caocsp/private/caocsp_keypair.pem"
+	issuerCertPEM := "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+	return newOCSPResponderDesignatedCustomAddress(t, issuerCertPEM, respCertPEM, respKeyPEM, "127.0.0.1:8888")
+}
+
+func newOCSPResponderIntermediateCA1(t *testing.T) *http.Server {
+	t.Helper()
+	respCertPEM := "configs/certs/ocsp_peer/mini-ca/ocsp1/ocsp1_bundle.pem"
+	respKeyPEM := "configs/certs/ocsp_peer/mini-ca/ocsp1/private/ocsp1_keypair.pem"
+	issuerCertPEM := "configs/certs/ocsp_peer/mini-ca/intermediate1/intermediate1_cert.pem"
+	return newOCSPResponderDesignatedCustomAddress(t, issuerCertPEM, respCertPEM, respKeyPEM, "127.0.0.1:18888")
+}
+
+func newOCSPResponderIntermediateCA1Undelegated(t *testing.T) *http.Server {
+	t.Helper()
+	issuerCertPEM := "configs/certs/ocsp_peer/mini-ca/intermediate1/intermediate1_cert.pem"
+	issuerCertKey := "configs/certs/ocsp_peer/mini-ca/intermediate1/private/intermediate1_keypair.pem"
+	return newOCSPResponderCustomAddress(t, issuerCertPEM, issuerCertKey, "127.0.0.1:18888")
+}
+
+func newOCSPResponderBadDelegateIntermediateCA1(t *testing.T) *http.Server {
+	t.Helper()
+	// UserA2 is a cert issued by intermediate1, but intermediate1 did not add OCSP signing extension
+	respCertPEM := "configs/certs/ocsp_peer/mini-ca/client1/UserA2_bundle.pem"
+	respKeyPEM := "configs/certs/ocsp_peer/mini-ca/client1/private/UserA2_keypair.pem"
+	issuerCertPEM := "configs/certs/ocsp_peer/mini-ca/intermediate1/intermediate1_cert.pem"
+	return newOCSPResponderDesignatedCustomAddress(t, issuerCertPEM, respCertPEM, respKeyPEM, "127.0.0.1:18888")
+}
+
+func newOCSPResponderIntermediateCA2(t *testing.T) *http.Server {
+	t.Helper()
+	respCertPEM := "configs/certs/ocsp_peer/mini-ca/ocsp2/ocsp2_bundle.pem"
+	respKeyPEM := "configs/certs/ocsp_peer/mini-ca/ocsp2/private/ocsp2_keypair.pem"
+	issuerCertPEM := "configs/certs/ocsp_peer/mini-ca/intermediate2/intermediate2_cert.pem"
+	return newOCSPResponderDesignatedCustomAddress(t, issuerCertPEM, respCertPEM, respKeyPEM, "127.0.0.1:28888")
+}
+
+// TestOCSPPeerGoodClients is test of two NATS client (AIA enabled at leaf and cert) under good path (different intermediates)
+// and default ocsp_cache implementation and oscp_cache=false configuration
+func TestOCSPPeerGoodClients(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	rootCAResponder := newOCSPResponderRootCA(t)
+	rootCAResponderURL := fmt.Sprintf("http://%s", rootCAResponder.Addr)
+	defer rootCAResponder.Shutdown(ctx)
+	setOCSPStatus(t, rootCAResponderURL, "configs/certs/ocsp_peer/mini-ca/intermediate1/intermediate1_cert.pem", ocsp.Good)
+	setOCSPStatus(t, rootCAResponderURL, "configs/certs/ocsp_peer/mini-ca/intermediate2/intermediate2_cert.pem", ocsp.Good)
+
+	intermediateCA1Responder := newOCSPResponderIntermediateCA1(t)
+	intermediateCA1ResponderURL := fmt.Sprintf("http://%s", intermediateCA1Responder.Addr)
+	defer intermediateCA1Responder.Shutdown(ctx)
+	setOCSPStatus(t, intermediateCA1ResponderURL, "configs/certs/ocsp_peer/mini-ca/client1/UserA1_cert.pem", ocsp.Good)
+
+	intermediateCA2Responder := newOCSPResponderIntermediateCA2(t)
+	intermediateCA2ResponderURL := fmt.Sprintf("http://%s", intermediateCA2Responder.Addr)
+	defer intermediateCA2Responder.Shutdown(ctx)
+	setOCSPStatus(t, intermediateCA2ResponderURL, "configs/certs/ocsp_peer/mini-ca/client2/UserB1_cert.pem", ocsp.Good)
+
+	for _, test := range []struct {
+		name      string
+		config    string
+		opts      []nats.Option
+		err       error
+		rerr      error
+		configure func()
+	}{
+		{
+			"Default cache: mTLS OCSP peer check on inbound client connection, client of intermediate CA 1",
+			`
+				port: -1
+				# default ocsp_cache since omitted
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Long form configuration, non-default ca_timeout
+					ocsp_peer: {
+						verify: true
+						ca_timeout: 5
+						allowed_clockskew: 30
+					}
+				}
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			nil,
+			nil,
+			func() {},
+		},
+		{
+			"Default cache: mTLS OCSP peer check on inbound client connection, client of intermediate CA 2",
+			`
+				port: -1
+				# default ocsp_cache since omitted
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Short form configuration
+					ocsp_peer: true
+				}
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client2/UserB1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client2/private/UserB1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			nil,
+			nil,
+			func() {},
+		},
+		{
+			"Explicit true cache: mTLS OCSP peer check on inbound client connection, client of intermediate CA 1",
+			`
+				port: -1
+				# Short form configuration
+				ocsp_cache: true
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Long form configuration
+					ocsp_peer: {
+						verify: true
+						ca_timeout: 5
+						allowed_clockskew: 30
+					}
+				}
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			nil,
+			nil,
+			func() {},
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			deleteLocalStore(t, "")
+			test.configure()
+			content := test.config
+			conf := createConfFile(t, []byte(content))
+			s, opts := RunServerWithConfig(conf)
+			defer s.Shutdown()
+			nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port), test.opts...)
+			if test.err == nil && err != nil {
+				t.Errorf("Expected to connect, got %v", err)
+			} else if test.err != nil && err == nil {
+				t.Errorf("Expected error on connect")
+			} else if test.err != nil && err != nil {
+				// Error on connect was expected
+				if test.err.Error() != err.Error() {
+					t.Errorf("Expected error %s, got: %s", test.err, err)
+				}
+				return
+			}
+			defer nc.Close()
+			nc.Subscribe("ping", func(m *nats.Msg) {
+				m.Respond([]byte("pong"))
+			})
+			nc.Flush()
+			_, err = nc.Request("ping", []byte("ping"), 250*time.Millisecond)
+			if test.rerr != nil && err == nil {
+				t.Errorf("Expected error getting response")
+			} else if test.rerr == nil && err != nil {
+				t.Errorf("Expected response")
+			}
+		})
+	}
+}
+
+// TestOCSPPeerUnknownClient is test of NATS client that is OCSP status Unknown from its OCSP Responder
+func TestOCSPPeerUnknownClient(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	rootCAResponder := newOCSPResponderRootCA(t)
+	rootCAResponderURL := fmt.Sprintf("http://%s", rootCAResponder.Addr)
+	defer rootCAResponder.Shutdown(ctx)
+	setOCSPStatus(t, rootCAResponderURL, "configs/certs/ocsp_peer/mini-ca/intermediate1/intermediate1_cert.pem", ocsp.Good)
+
+	intermediateCA1Responder := newOCSPResponderIntermediateCA1(t)
+	defer intermediateCA1Responder.Shutdown(ctx)
+
+	for _, test := range []struct {
+		name      string
+		config    string
+		opts      []nats.Option
+		err       error
+		rerr      error
+		configure func()
+	}{
+		{
+			"Default cache, mTLS OCSP peer check on inbound client connection, client unknown to intermediate CA 1",
+			`
+				port: -1
+				# Cache configuration is default
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Short form configuration
+					ocsp_peer: true
+				}
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			errors.New("remote error: tls: bad certificate"),
+			errors.New("expect error"),
+			func() {},
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			deleteLocalStore(t, "")
+			test.configure()
+			content := test.config
+			conf := createConfFile(t, []byte(content))
+			s, opts := RunServerWithConfig(conf)
+			defer s.Shutdown()
+			nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port), test.opts...)
+			if test.err == nil && err != nil {
+				t.Errorf("Expected to connect, got %v", err)
+			} else if test.err != nil && err == nil {
+				t.Errorf("Expected error on connect")
+			} else if test.err != nil && err != nil {
+				// Error on connect was expected
+				if test.err.Error() != err.Error() {
+					t.Errorf("Expected error %s, got: %s", test.err, err)
+				}
+				return
+			}
+			defer nc.Close()
+
+			t.Errorf("Expected connection error, fell through")
+		})
+	}
+}
+
+// TestOCSPPeerRevokedClient is test of NATS client that is OCSP status Revoked from its OCSP Responder
+func TestOCSPPeerRevokedClient(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	rootCAResponder := newOCSPResponderRootCA(t)
+	rootCAResponderURL := fmt.Sprintf("http://%s", rootCAResponder.Addr)
+	defer rootCAResponder.Shutdown(ctx)
+	setOCSPStatus(t, rootCAResponderURL, "configs/certs/ocsp_peer/mini-ca/intermediate1/intermediate1_cert.pem", ocsp.Good)
+
+	intermediateCA1Responder := newOCSPResponderIntermediateCA1(t)
+	intermediateCA1ResponderURL := fmt.Sprintf("http://%s", intermediateCA1Responder.Addr)
+	defer intermediateCA1Responder.Shutdown(ctx)
+	setOCSPStatus(t, intermediateCA1ResponderURL, "configs/certs/ocsp_peer/mini-ca/client1/UserA1_cert.pem", ocsp.Revoked)
+
+	for _, test := range []struct {
+		name      string
+		config    string
+		opts      []nats.Option
+		err       error
+		rerr      error
+		configure func()
+	}{
+		{
+			"mTLS OCSP peer check on inbound client connection, client revoked by intermediate CA 1",
+			`
+				port: -1
+				# Cache configuration is default
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Turn on CA OCSP check so this revoked client should NOT be able to connect
+					ocsp_peer: true
+				}
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			errors.New("remote error: tls: bad certificate"),
+			errors.New("expect error"),
+			func() {},
+		},
+		{
+			"Explicit disable, mTLS OCSP peer check on inbound client connection, client revoked by intermediate CA 1 but no OCSP check",
+			`
+				port: -1
+				# Cache configuration is default
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Explicit disable of OCSP peer check
+					ocsp_peer: false
+				}
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			nil,
+			nil,
+			func() {},
+		},
+		{
+			"Implicit disable, mTLS OCSP peer check on inbound client connection, client revoked by intermediate CA 1 but no OCSP check",
+			`
+				port: -1
+				# Cache configuration is default
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Implicit disable of OCSP peer check (i.e. not configured)
+					# ocsp_peer: false
+				}
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			nil,
+			nil,
+			func() {},
+		},
+		{
+			"Explicit disable (long form), mTLS OCSP peer check on inbound client connection, client revoked by intermediate CA 1 but no OCSP check",
+			`
+				port: -1
+				# Cache configuration is default
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Explicit disable of OCSP peer check, long form
+					ocsp_peer: { verify: false }
+				}
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			nil,
+			nil,
+			func() {},
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			deleteLocalStore(t, "")
+			test.configure()
+			content := test.config
+			conf := createConfFile(t, []byte(content))
+			s, opts := RunServerWithConfig(conf)
+			defer s.Shutdown()
+			nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port), test.opts...)
+			if test.err == nil && err != nil {
+				t.Errorf("Expected to connect, got %v", err)
+			} else if test.err != nil && err == nil {
+				t.Errorf("Expected error on connect")
+			} else if test.err != nil && err != nil {
+				// Error on connect was expected
+				if test.err.Error() != err.Error() {
+					t.Errorf("Expected error %s, got: %s", test.err, err)
+				}
+				return
+			}
+			defer nc.Close()
+		})
+	}
+}
+
+// TestOCSPPeerUnknownAndRevokedIntermediate test of NATS client that is OCSP good but either its intermediate is unknown or revoked
+func TestOCSPPeerUnknownAndRevokedIntermediate(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	rootCAResponder := newOCSPResponderRootCA(t)
+	rootCAResponderURL := fmt.Sprintf("http://%s", rootCAResponder.Addr)
+	defer rootCAResponder.Shutdown(ctx)
+	setOCSPStatus(t, rootCAResponderURL, "configs/certs/ocsp_peer/mini-ca/intermediate1/intermediate1_cert.pem", ocsp.Revoked)
+	// No test OCSP status set on intermediate2, so unknown
+
+	intermediateCA1Responder := newOCSPResponderIntermediateCA1(t)
+	intermediateCA1ResponderURL := fmt.Sprintf("http://%s", intermediateCA1Responder.Addr)
+	defer intermediateCA1Responder.Shutdown(ctx)
+	setOCSPStatus(t, intermediateCA1ResponderURL, "configs/certs/ocsp_peer/mini-ca/client1/UserA1_cert.pem", ocsp.Good)
+
+	intermediateCA2Responder := newOCSPResponderIntermediateCA2(t)
+	intermediateCA2ResponderURL := fmt.Sprintf("http://%s", intermediateCA2Responder.Addr)
+	defer intermediateCA2Responder.Shutdown(ctx)
+	setOCSPStatus(t, intermediateCA2ResponderURL, "configs/certs/ocsp_peer/mini-ca/client2/UserB1_cert.pem", ocsp.Good)
+
+	for _, test := range []struct {
+		name      string
+		config    string
+		opts      []nats.Option
+		err       error
+		rerr      error
+		configure func()
+	}{
+		{
+			"mTLS OCSP peer check on inbound client connection, client's intermediate is revoked",
+			`
+				port: -1
+				# Cache configuration is default
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Short form configuration
+					ocsp_peer: true
+				}
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			errors.New("remote error: tls: bad certificate"),
+			errors.New("expect error"),
+			func() {},
+		},
+		{
+			"mTLS OCSP peer check on inbound client connection, client's intermediate is unknown'",
+			`
+				port: -1
+				# Cache configuration is default
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Short form configuration
+					ocsp_peer: true
+				}
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client2/UserB1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client2/private/UserB1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			errors.New("remote error: tls: bad certificate"),
+			errors.New("expect error"),
+			func() {},
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			deleteLocalStore(t, "")
+			test.configure()
+			content := test.config
+			conf := createConfFile(t, []byte(content))
+			s, opts := RunServerWithConfig(conf)
+			defer s.Shutdown()
+
+			nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port), test.opts...)
+			if test.err == nil && err != nil {
+				t.Errorf("Expected to connect, got %v", err)
+			} else if test.err != nil && err == nil {
+				t.Errorf("Expected error on connect")
+			} else if test.err != nil && err != nil {
+				// Error on connect was expected
+				if test.err.Error() != err.Error() {
+					t.Errorf("Expected error %s, got: %s", test.err, err)
+				}
+				return
+			}
+			defer nc.Close()
+
+			t.Errorf("Expected connection error, fell through")
+		})
+	}
+}
+
+// TestOCSPPeerLeafGood tests Leaf Spoke peer checking Leaf Hub, Leaf Hub peer checking Leaf Spoke, and both peer checking
+func TestOCSPPeerLeafGood(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	rootCAResponder := newOCSPResponderRootCA(t)
+	rootCAResponderURL := fmt.Sprintf("http://%s", rootCAResponder.Addr)
+	defer rootCAResponder.Shutdown(ctx)
+	setOCSPStatus(t, rootCAResponderURL, "configs/certs/ocsp_peer/mini-ca/intermediate1/intermediate1_cert.pem", ocsp.Good)
+
+	intermediateCA1Responder := newOCSPResponderIntermediateCA1(t)
+	intermediateCA1ResponderURL := fmt.Sprintf("http://%s", intermediateCA1Responder.Addr)
+	defer intermediateCA1Responder.Shutdown(ctx)
+	setOCSPStatus(t, intermediateCA1ResponderURL, "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_cert.pem", ocsp.Good)
+	setOCSPStatus(t, intermediateCA1ResponderURL, "configs/certs/ocsp_peer/mini-ca/server1/TestServer2_cert.pem", ocsp.Good)
+
+	for _, test := range []struct {
+		name        string
+		hubconfig   string
+		spokeconfig string
+		expected    int
+	}{
+		{
+			"OCSP peer check on Leaf Hub by Leaf Spoke (TLS client OCSP verification of TLS server)",
+			`
+				port: -1
+				# Cache configuration is default
+				leaf: {
+					listen: 127.0.0.1:7444
+					tls: {
+						cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+						key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+						ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+						timeout: 5
+					}
+				}
+			`,
+			`
+				port: -1
+				leaf: {
+					remotes: [
+						{
+							url: "nats://127.0.0.1:7444",
+							tls: {
+								ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+								timeout: 5
+								# Short form configuration
+								ocsp_peer: true
+							}
+						}
+					]
+				}
+			`,
+			1,
+		},
+		{
+			"OCSP peer check on Leaf Spoke by Leaf Hub (TLS server OCSP verification of TLS client)",
+			`
+				port: -1
+				# Cache configuration is default
+				leaf: {
+					listen: 127.0.0.1:7444
+					tls: {
+						cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+						key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+						ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+						timeout: 5
+						verify: true
+						# Short form configuration
+						ocsp_peer: true
+					}
+				}
+			`,
+			`
+				port: -1
+				leaf: {
+					remotes: [
+						{
+							url: "nats://127.0.0.1:7444",
+							tls: {
+								cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer2_bundle.pem"
+								key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer2_keypair.pem"
+								ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+								timeout: 5
+							}
+						}
+					]
+				}
+			`,
+			1,
+		},
+		{
+			"OCSP peer check bi-directionally",
+			`
+				port: -1
+				# Cache configuration is default
+				leaf: {
+					listen: 127.0.0.1:7444
+					tls: {
+						cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+						key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+						ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+						timeout: 5
+						verify: true
+						# Short form configuration
+						ocsp_peer: true
+					}
+				}
+			`,
+			`
+				port: -1
+				leaf: {
+					remotes: [
+						{
+							url: "nats://127.0.0.1:7444",
+							tls: {
+								cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer2_bundle.pem"
+								key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer2_keypair.pem"
+								ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+								timeout: 5
+								# Short form configuration
+								ocsp_peer: true
+							}
+						}
+					]
+				}
+			`,
+			1,
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			deleteLocalStore(t, "")
+			hubcontent := test.hubconfig
+			hubconf := createConfFile(t, []byte(hubcontent))
+			hub, _ := RunServerWithConfig(hubconf)
+			defer hub.Shutdown()
+
+			spokecontent := test.spokeconfig
+			spokeconf := createConfFile(t, []byte(spokecontent))
+			spoke, _ := RunServerWithConfig(spokeconf)
+			defer spoke.Shutdown()
+
+			checkLeafNodeConnectedCount(t, hub, test.expected)
+		})
+	}
+}
+
+// TestOCSPPeerLeafRejects tests rejected Leaf Hub, rejected Leaf Spoke, and both rejecting each other
+func TestOCSPPeerLeafReject(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	rootCAResponder := newOCSPResponderRootCA(t)
+	rootCAResponderURL := fmt.Sprintf("http://%s", rootCAResponder.Addr)
+	defer rootCAResponder.Shutdown(ctx)
+	setOCSPStatus(t, rootCAResponderURL, "configs/certs/ocsp_peer/mini-ca/intermediate1/intermediate1_cert.pem", ocsp.Good)
+
+	intermediateCA1Responder := newOCSPResponderIntermediateCA1(t)
+	intermediateCA1ResponderURL := fmt.Sprintf("http://%s", intermediateCA1Responder.Addr)
+	defer intermediateCA1Responder.Shutdown(ctx)
+	setOCSPStatus(t, intermediateCA1ResponderURL, "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_cert.pem", ocsp.Revoked)
+	setOCSPStatus(t, intermediateCA1ResponderURL, "configs/certs/ocsp_peer/mini-ca/server1/TestServer2_cert.pem", ocsp.Revoked)
+
+	for _, test := range []struct {
+		name        string
+		hubconfig   string
+		spokeconfig string
+		expected    int
+	}{
+		{
+			"OCSP peer check on Leaf Hub by Leaf Spoke (TLS client OCSP verification of TLS server)",
+			`
+				port: -1
+				# Cache configuration is default
+				leaf: {
+					listen: 127.0.0.1:7444
+					tls: {
+						cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+						key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+						ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+						timeout: 5
+					}
+				}
+			`,
+			`
+				port: -1
+				leaf: {
+					remotes: [
+						{
+							url: "nats://127.0.0.1:7444",
+							tls: {
+								ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+								timeout: 5
+								# Short form configuration
+								ocsp_peer: true
+							}
+						}
+					]
+				}
+			`,
+			0,
+		},
+		{
+			"OCSP peer check on Leaf Spoke by Leaf Hub (TLS server OCSP verification of TLS client)",
+			`
+				port: -1
+				leaf: {
+					listen: 127.0.0.1:7444
+					tls: {
+						cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+						key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+						ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+						timeout: 5
+						verify: true
+						# Short form configuration
+						ocsp_peer: true
+					}
+				}
+			`,
+			`
+				port: -1
+				leaf: {
+					remotes: [
+						{
+							url: "nats://127.0.0.1:7444",
+							tls: {
+								cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer2_bundle.pem"
+								key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer2_keypair.pem"
+								ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+								timeout: 5
+							}
+						}
+					]
+				}
+			`,
+			0,
+		},
+		{
+			"OCSP peer check bi-directionally",
+			`
+				port: -1
+				leaf: {
+					listen: 127.0.0.1:7444
+					tls: {
+						cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+						key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+						ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+						timeout: 5
+						verify: true
+						# Short form configuration
+						ocsp_peer: true
+					}
+				}
+			`,
+			`
+				port: -1
+				leaf: {
+					remotes: [
+						{
+							url: "nats://127.0.0.1:7444",
+							tls: {
+								cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer2_bundle.pem"
+								key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer2_keypair.pem"
+								ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+								timeout: 5
+								# Short form configuration
+								ocsp_peer: true
+							}
+						}
+					]
+				}
+			`,
+			0,
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			deleteLocalStore(t, "")
+			hubcontent := test.hubconfig
+			hubconf := createConfFile(t, []byte(hubcontent))
+			hub, _ := RunServerWithConfig(hubconf)
+			defer hub.Shutdown()
+			spokecontent := test.spokeconfig
+			spokeconf := createConfFile(t, []byte(spokecontent))
+			spoke, _ := RunServerWithConfig(spokeconf)
+			defer spoke.Shutdown()
+			// Need to inject some time for leaf connection attempts to complete, could refine this to better
+			// negative test
+			time.Sleep(2000 * time.Millisecond)
+			checkLeafNodeConnectedCount(t, hub, test.expected)
+		})
+	}
+}
+
+func checkLeafNodeConnectedCount(t testing.TB, s *server.Server, lnCons int) {
+	t.Helper()
+	checkFor(t, 5*time.Second, 15*time.Millisecond, func() error {
+		if nln := s.NumLeafNodes(); nln != lnCons {
+			return fmt.Errorf("expected %d connected leafnode(s) for server %q, got %d",
+				lnCons, s.ID(), nln)
+		}
+		return nil
+	})
+}
+
+// TestOCSPPeerGoodClientsNoneCache is test of two NATS client (AIA enabled at leaf and cert) under good path (different intermediates)
+// and ocsp cache type of none (no-op)
+func TestOCSPPeerGoodClientsNoneCache(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	rootCAResponder := newOCSPResponderRootCA(t)
+	rootCAResponderURL := fmt.Sprintf("http://%s", rootCAResponder.Addr)
+	defer rootCAResponder.Shutdown(ctx)
+	setOCSPStatus(t, rootCAResponderURL, "configs/certs/ocsp_peer/mini-ca/intermediate1/intermediate1_cert.pem", ocsp.Good)
+	setOCSPStatus(t, rootCAResponderURL, "configs/certs/ocsp_peer/mini-ca/intermediate2/intermediate2_cert.pem", ocsp.Good)
+
+	intermediateCA1Responder := newOCSPResponderIntermediateCA1(t)
+	intermediateCA1ResponderURL := fmt.Sprintf("http://%s", intermediateCA1Responder.Addr)
+	defer intermediateCA1Responder.Shutdown(ctx)
+	setOCSPStatus(t, intermediateCA1ResponderURL, "configs/certs/ocsp_peer/mini-ca/client1/UserA1_cert.pem", ocsp.Good)
+
+	intermediateCA2Responder := newOCSPResponderIntermediateCA2(t)
+	intermediateCA2ResponderURL := fmt.Sprintf("http://%s", intermediateCA2Responder.Addr)
+	defer intermediateCA2Responder.Shutdown(ctx)
+	setOCSPStatus(t, intermediateCA2ResponderURL, "configs/certs/ocsp_peer/mini-ca/client2/UserB1_cert.pem", ocsp.Good)
+
+	deleteLocalStore(t, "")
+
+	for _, test := range []struct {
+		name      string
+		config    string
+		opts      []nats.Option
+		err       error
+		rerr      error
+		configure func()
+	}{
+		{
+			"None cache explicit long form: mTLS OCSP peer check on inbound client connection, client of intermediate CA 1",
+			`
+				port: -1
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Long form configuration
+					ocsp_peer: {
+						verify: true
+						ca_timeout: 5
+						allowed_clockskew: 30
+					}
+				}
+				# Long form configuration
+				ocsp_cache: {
+					type: none
+				}
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			nil,
+			nil,
+			func() {},
+		},
+		{
+			"None cache explicit short form: mTLS OCSP peer check on inbound client connection, client of intermediate CA 1",
+			`
+				port: -1
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Long form configuration
+					ocsp_peer: {
+						verify: true
+						ca_timeout: 5
+						allowed_clockskew: 30
+					}
+				}
+				# Short form configuration
+				ocsp_cache: false
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			nil,
+			nil,
+			func() {},
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			test.configure()
+			content := test.config
+			conf := createConfFile(t, []byte(content))
+			s, opts := RunServerWithConfig(conf)
+			defer s.Shutdown()
+			nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port), test.opts...)
+			if test.err == nil && err != nil {
+				t.Errorf("Expected to connect, got %v", err)
+			} else if test.err != nil && err == nil {
+				t.Errorf("Expected error on connect")
+			} else if test.err != nil && err != nil {
+				// Error on connect was expected
+				if test.err.Error() != err.Error() {
+					t.Errorf("Expected error %s, got: %s", test.err, err)
+				}
+				return
+			}
+			defer nc.Close()
+			nc.Subscribe("ping", func(m *nats.Msg) {
+				m.Respond([]byte("pong"))
+			})
+			nc.Flush()
+			_, err = nc.Request("ping", []byte("ping"), 250*time.Millisecond)
+			if test.rerr != nil && err == nil {
+				t.Errorf("Expected error getting response")
+			} else if test.rerr == nil && err != nil {
+				t.Errorf("Expected response")
+			}
+		})
+	}
+}
+
+// TestOCSPPeerGoodClientsLocalCache is test of two NATS client (AIA enabled at leaf and cert) under good path (different intermediates)
+// and leveraging the local ocsp cache type
+func TestOCSPPeerGoodClientsLocalCache(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	rootCAResponder := newOCSPResponderRootCA(t)
+	rootCAResponderURL := fmt.Sprintf("http://%s", rootCAResponder.Addr)
+	defer rootCAResponder.Shutdown(ctx)
+	setOCSPStatus(t, rootCAResponderURL, "configs/certs/ocsp_peer/mini-ca/intermediate1/intermediate1_cert.pem", ocsp.Good)
+	setOCSPStatus(t, rootCAResponderURL, "configs/certs/ocsp_peer/mini-ca/intermediate2/intermediate2_cert.pem", ocsp.Good)
+
+	intermediateCA1Responder := newOCSPResponderIntermediateCA1(t)
+	intermediateCA1ResponderURL := fmt.Sprintf("http://%s", intermediateCA1Responder.Addr)
+	defer intermediateCA1Responder.Shutdown(ctx)
+	setOCSPStatus(t, intermediateCA1ResponderURL, "configs/certs/ocsp_peer/mini-ca/client1/UserA1_cert.pem", ocsp.Good)
+
+	intermediateCA2Responder := newOCSPResponderIntermediateCA2(t)
+	intermediateCA2ResponderURL := fmt.Sprintf("http://%s", intermediateCA2Responder.Addr)
+	defer intermediateCA2Responder.Shutdown(ctx)
+	setOCSPStatus(t, intermediateCA2ResponderURL, "configs/certs/ocsp_peer/mini-ca/client2/UserB1_cert.pem", ocsp.Good)
+
+	for _, test := range []struct {
+		name      string
+		config    string
+		opts      []nats.Option
+		err       error
+		rerr      error
+		configure func()
+	}{
+		{
+			"Default cache, short form: mTLS OCSP peer check on inbound client connection, UserA1 client of intermediate CA 1",
+			`
+				port: -1
+				http_port: 8222
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Long form configuration
+					ocsp_peer: {
+						verify: true
+						ca_timeout: 5
+						allowed_clockskew: 30
+					}
+				}
+				# Short form configuration, local as default
+				ocsp_cache: true
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			nil,
+			nil,
+			func() {},
+		},
+		{
+			"Local cache long form: mTLS OCSP peer check on inbound client connection, UserB1 client of intermediate CA 2",
+			`
+				port: -1
+				http_port: 8222
+
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Short form configuration
+					ocsp_peer: true
+				}
+				# Long form configuration
+				ocsp_cache: {
+					type: local
+				}
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client2/UserB1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client2/private/UserB1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			nil,
+			nil,
+			func() {},
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			// Cleanup any previous test that saved a local cache
+			deleteLocalStore(t, "")
+			test.configure()
+			content := test.config
+			conf := createConfFile(t, []byte(content))
+			s, opts := RunServerWithConfig(conf)
+			defer s.Shutdown()
+			nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port), test.opts...)
+			if test.err == nil && err != nil {
+				t.Errorf("Expected to connect, got %v", err)
+			} else if test.err != nil && err == nil {
+				t.Errorf("Expected error on connect")
+			} else if test.err != nil && err != nil {
+				// Error on connect was expected
+				if test.err.Error() != err.Error() {
+					t.Errorf("Expected error %s, got: %s", test.err, err)
+				}
+				return
+			}
+			nc.Close()
+
+			v := monitorGetVarzHelper(t, 8222)
+			if v.OCSPResponseCache.Misses != 2 || v.OCSPResponseCache.Responses != 2 {
+				t.Errorf("Expected cache misses and cache items to be 2, got %d and %d", v.OCSPResponseCache.Misses, v.OCSPResponseCache.Responses)
+			}
+
+			// Should get a cache hit now
+			nc, err = nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port), test.opts...)
+			if test.err == nil && err != nil {
+				t.Errorf("Expected to connect, got %v", err)
+			} else if test.err != nil && err == nil {
+				t.Errorf("Expected error on connect")
+			} else if test.err != nil && err != nil {
+				// Error on connect was expected
+				if test.err.Error() != err.Error() {
+					t.Errorf("Expected error %s, got: %s", test.err, err)
+				}
+				return
+			}
+			defer nc.Close()
+			nc.Subscribe("ping", func(m *nats.Msg) {
+				m.Respond([]byte("pong"))
+			})
+			nc.Flush()
+			_, err = nc.Request("ping", []byte("ping"), 250*time.Millisecond)
+			if test.rerr != nil && err == nil {
+				t.Errorf("Expected error getting response")
+			} else if test.rerr == nil && err != nil {
+				t.Errorf("Expected response")
+			}
+
+			v = monitorGetVarzHelper(t, 8222)
+			if v.OCSPResponseCache.Misses != 2 || v.OCSPResponseCache.Hits != 2 || v.OCSPResponseCache.Responses != 2 {
+				t.Errorf("Expected cache misses, hits and cache items to be 2, got %d and %d and %d", v.OCSPResponseCache.Misses, v.OCSPResponseCache.Hits, v.OCSPResponseCache.Responses)
+			}
+		})
+	}
+}
+
+func TestOCSPPeerMonitor(t *testing.T) {
+	for _, test := range []struct {
+		name               string
+		config             string
+		NATSClient         bool
+		WSClient           bool
+		MQTTClient         bool
+		LeafClient         bool
+		LeafRemotes        bool
+		NumTrueLeafRemotes int
+	}{
+		{
+			"Monitor peer config setting on NATS client",
+			`
+				port: -1
+				http_port: 8222
+				# Default cache configuration
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Long form configuration
+					ocsp_peer: {
+						verify: true
+					}
+				}
+			`,
+			true,
+			false,
+			false,
+			false,
+			false,
+			0,
+		},
+		{
+			"Monitor peer config setting on Websockets client",
+			`
+				port: -1
+				http_port: 8222
+				# Default cache configuration
+				websocket: {
+					port: 8443
+					tls: {
+						cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+						key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+						ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+						timeout: 5
+						verify: true
+						# Long form configuration
+						ocsp_peer: {
+							verify: true
+						}
+					}
+				}
+			`,
+			false,
+			true,
+			false,
+			false,
+			false,
+			0,
+		},
+		{
+			"Monitor peer config setting on MQTT client",
+			`
+				port: -1
+				http_port: 8222
+				# Default cache configuration
+				# Required for MQTT
+				server_name: "my_mqtt_server"
+				jetstream: {
+					enabled: true
+				}
+				mqtt: {
+					port: 1883
+					tls: {
+						cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+						key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+						ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+						timeout: 5
+						verify: true
+						# Long form configuration
+						ocsp_peer: {
+							verify: true
+						}
+					}
+				}
+			`,
+			false,
+			false,
+			true,
+			false,
+			false,
+			0,
+		},
+		{
+			"Monitor peer config setting on Leaf client",
+			`
+				port: -1
+				http_port: 8222
+				# Default cache configuration
+				leaf: {
+					port: 7422
+					tls: {
+						cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+						key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+						ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+						timeout: 5
+						verify: true
+						# Long form configuration
+						ocsp_peer: {
+							verify: true
+						}
+					}
+				}
+			`,
+			false,
+			false,
+			false,
+			true,
+			false,
+			0,
+		},
+		{
+			"Monitor peer config on some Leaf Remotes as well as Leaf client",
+			`
+				port: -1
+				http_port: 8222
+				# Default cache configuration
+				leaf: {
+					port: 7422
+					tls: {
+						cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+						key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+						ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+						timeout: 5
+						verify: true
+						# Long form configuration
+						ocsp_peer: {
+							verify: true
+						}
+					}
+					remotes: [
+						{
+							url: "nats-leaf://bogus:7422"
+							tls: {
+								cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+								key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+								ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+								timeout: 5
+								# Long form configuration
+								ocsp_peer: {
+									verify: true
+								}
+							}
+						},
+						{
+							url: "nats-leaf://anotherbogus:7422"
+							tls: {
+								cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+								key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+								ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+								timeout: 5
+								# Short form configuration
+								ocsp_peer: true
+							}
+						},
+						{
+							url: "nats-leaf://yetanotherbogus:7422"
+							tls: {
+								cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+								key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+								ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+								timeout: 5
+								# Peer not configured (default false)
+							}
+						}
+					]
+				}
+			`,
+			false,
+			false,
+			false,
+			true,
+			true,
+			2,
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			content := test.config
+			conf := createConfFile(t, []byte(content))
+			s, _ := RunServerWithConfig(conf)
+			defer s.Shutdown()
+			v := monitorGetVarzHelper(t, 8222)
+			if test.NATSClient {
+				if !v.TLSOCSPPeerVerify {
+					t.Fatalf("Expected NATS Client TLSOCSPPeerVerify to be true, got false")
+				}
+			}
+			if test.WSClient {
+				if !v.Websocket.TLSOCSPPeerVerify {
+					t.Fatalf("Expected WS Client TLSOCSPPeerVerify to be true, got false")
+				}
+			}
+			if test.LeafClient {
+				if !v.LeafNode.TLSOCSPPeerVerify {
+					t.Fatalf("Expected Leaf Client TLSOCSPPeerVerify to be true, got false")
+				}
+			}
+			if test.LeafRemotes {
+				cnt := 0
+				for _, r := range v.LeafNode.Remotes {
+					if r.TLSOCSPPeerVerify {
+						cnt++
+					}
+				}
+				if cnt != test.NumTrueLeafRemotes {
+					t.Fatalf("Expected %d Leaf Remotes with TLSOCSPPeerVerify true, got %d", test.NumTrueLeafRemotes, cnt)
+				}
+			}
+		})
+	}
+}
+
+func TestOCSPResponseCacheMonitor(t *testing.T) {
+	for _, test := range []struct {
+		name   string
+		config string
+		expect string
+	}{
+		{
+			"Monitor local cache enabled, explicit cache true",
+			`
+				port: -1
+				http_port: 8222
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Long form configuration
+					ocsp_peer: {
+						verify: true
+					}
+				}
+				# Short form configuration
+				ocsp_cache: true
+			`,
+			"local",
+		},
+		{
+			"Monitor local cache enabled, explicit cache type local",
+			`
+				port: -1
+				http_port: 8222
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Long form configuration
+					ocsp_peer: {
+						verify: true
+					}
+				}
+				# Long form configuration
+				ocsp_cache: {
+					type: local
+				}
+			`,
+			"local",
+		},
+		{
+			"Monitor local cache enabled, implicit default",
+			`
+				port: -1
+				http_port: 8222
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Long form configuration
+					ocsp_peer: {
+						verify: true
+					}
+				}
+				# Short form configuration
+				# ocsp_cache: true
+			`,
+			"local",
+		},
+		{
+			"Monitor none cache enabled, explicit cache false (short)",
+			`
+				port: -1
+				http_port: 8222
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Long form configuration
+					ocsp_peer: {
+						verify: true
+					}
+				}
+				# Short form configuration
+				ocsp_cache: false
+			`,
+			"",
+		},
+		{
+			"Monitor none cache enabled, explicit cache false (long)",
+			`
+				port: -1
+				http_port: 8222
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Long form configuration
+					ocsp_peer: {
+						verify: true
+					}
+				}
+				# Long form configuration
+				ocsp_cache: {
+					type: none
+				}
+			`,
+			"",
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			deleteLocalStore(t, "")
+			content := test.config
+			conf := createConfFile(t, []byte(content))
+			s, _ := RunServerWithConfig(conf)
+			defer s.Shutdown()
+			v := monitorGetVarzHelper(t, 8222)
+			if v.OCSPResponseCache.Type != test.expect {
+				t.Fatalf("Expected OCSP Response Cache to be %s, got %s", test.expect, v.OCSPResponseCache.Type)
+			}
+		})
+	}
+}
+
+func TestOCSPResponseCacheChangeAndReload(t *testing.T) {
+	deleteLocalStore(t, "")
+
+	// Start with ocsp cache set to none
+	content := `
+		port: -1
+		http_port: 8222
+		tls {
+			cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+			key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+			ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+			timeout: 5
+			verify: true
+			# Short form configuration
+			ocsp_peer: true
+		}
+		# Long form configuration
+		ocsp_cache: {
+			type: none
+		}
+	`
+	conf := createConfFile(t, []byte(content))
+	s, _ := RunServerWithConfig(conf)
+	defer s.Shutdown()
+	v := monitorGetVarzHelper(t, 8222)
+	if v.OCSPResponseCache.Type != "" {
+		t.Fatalf("Expected OCSP Response Cache to have empty type in varz indicating none")
+	}
+
+	// Change to local cache
+	content = `
+		port: -1
+		http_port: 8222
+		tls {
+			cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+			key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+			ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+			timeout: 5
+			verify: true
+			# Short form configuration
+			ocsp_peer: true
+		}
+		# Long form configuration
+		ocsp_cache: {
+			type: local
+		}
+	`
+	if err := os.WriteFile(conf, []byte(content), 0666); err != nil {
+		t.Fatalf("Error writing config: %v", err)
+	}
+	if err := s.Reload(); err != nil {
+		t.Fatal(err)
+	}
+	time.Sleep(2 * time.Second)
+	v = monitorGetVarzHelper(t, 8222)
+	if v.OCSPResponseCache.Type != "local" {
+		t.Fatalf("Expected OCSP Response Cache type to be local, got %q", v.OCSPResponseCache.Type)
+	}
+}
+
+func deleteLocalStore(t *testing.T, dir string) {
+	t.Helper()
+	if dir == "" {
+		// default
+		dir = "_rc_"
+	}
+	if err := os.RemoveAll(dir); err != nil {
+		t.Fatalf("Error cleaning up local store: %v", err)
+	}
+}
+
+func monitorGetVarzHelper(t *testing.T, httpPort int) *server.Varz {
+	t.Helper()
+	url := fmt.Sprintf("http://127.0.0.1:%d/", httpPort)
+	resp, err := http.Get(url + "varz")
+	if err != nil {
+		t.Fatalf("Expected no error: Got %v\n", err)
+	}
+	if resp.StatusCode != 200 {
+		t.Fatalf("Expected a 200 response, got %d\n", resp.StatusCode)
+	}
+	defer resp.Body.Close()
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		t.Fatalf("Got an error reading the body: %v\n", err)
+	}
+	v := server.Varz{}
+	if err := json.Unmarshal(body, &v); err != nil {
+		t.Fatalf("Got an error unmarshalling the body: %v\n", err)
+	}
+	return &v
+}
+
+func writeCacheFile(dir string, content []byte) error {
+	if dir == "" {
+		dir = "_rc_"
+	}
+	err := os.MkdirAll(filepath.Join(dir), os.ModePerm)
+	if err != nil {
+		return err
+	}
+	return os.WriteFile(filepath.Join(dir, "cache.json"), content, os.ModePerm)
+}
+
+// TestOCSPPeerPreserveRevokedCacheItem is test of the preserve_revoked cache policy
+func TestOCSPPeerPreserveRevokedCacheItem(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	rootCAResponder := newOCSPResponderRootCA(t)
+	rootCAResponderURL := fmt.Sprintf("http://%s", rootCAResponder.Addr)
+	defer rootCAResponder.Shutdown(ctx)
+	setOCSPStatus(t, rootCAResponderURL, "configs/certs/ocsp_peer/mini-ca/intermediate1/intermediate1_cert.pem", ocsp.Good)
+
+	for _, test := range []struct {
+		name      string
+		config    string
+		opts      []nats.Option
+		responses int64
+		revokes   int64
+		goods     int64
+		unknowns  int64
+		err       error
+		rerr      error
+		clean     bool
+	}{
+		{
+			"Test expired revoked cert not actually deleted",
+			`
+				port: -1
+				http_port: 8222
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Turn on CA OCSP check so this revoked client should NOT be able to connect
+					ocsp_peer: {
+						verify: true
+						ca_timeout: 0.5
+					}
+				}
+				# preserve revoked true
+				ocsp_cache: {
+					type: local
+					preserve_revoked: true
+				}
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			1,
+			1,
+			0,
+			0,
+			errors.New("remote error: tls: bad certificate"),
+			errors.New("expect error"),
+			true,
+		},
+		{
+			"Test expired revoked cert replaced by current good cert",
+			`
+				port: -1
+				http_port: 8222
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Turn on CA OCSP check so this revoked client should NOT be able to connect
+					ocsp_peer: true
+				}
+				# preserve revoked true
+				ocsp_cache: {
+					type: local
+					preserve_revoked: true
+				}
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			2,
+			0,
+			2,
+			0,
+			nil,
+			nil,
+			false,
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			var intermediateCA1Responder *http.Server
+			// clean slate starting the test and start the leaf CA responder for first run
+			if test.clean {
+				deleteLocalStore(t, "")
+				// establish the revoked item (expired) in cache
+				c := []byte(`
+				{
+				 "5xL/SuHl6JN0OmxrNMpzVMTA73JVYcRfGX8+HvJinEI=": {
+				  "subject": "CN=UserA1,O=Testnats,L=Tacoma,ST=WA,C=US",
+				  "cached_at": "2023-05-29T17:56:45Z",
+				  "resp_status": "revoked",
+				  "resp_expires": "2023-05-29T17:56:49Z",
+				  "resp": "/wYAAFMyc1R3TwBSBQBao1Qr1QzUMIIGUQoBAKCCBkowggZGBgkrBgEFBQcwAQEEggY3MIIGMzCB46FZMFcxCzAJBgNVBAYTAlVTEQ0gCAwCV0ExDzANAQ0wBwwGVGFjb21hMREwDwEROAoMCFRlc3RuYXRzMRcwFQET8HQDDA5PQ1NQIFJlc3BvbmRlchgPMjAyMzA1MjkxNzU2MDBaMHUwczBNMAkGBSsOAwIaBQAEFKgwn5fplwQy+DsulBg5SRpx0iaYBBS1kW5PZLcWhHb5tL6ZzmCVmBqOnQIUXKGv1Xy7Fu/Cx+ZT/JQa7SS7tBc2ZAAQNDVaoBE2dwD0QQE0OVowDQYJKoZIhvcNAQELBQADggEBAGAax/vkv3SBFNbxp2utc/N6Rje4E0ceC972sWgqYjzYrH0oc/acg+OAXaxUjwqoQWaT+dHaI4D5qoTkMx7XlWATjI2L72IUTf6Luo92jPzyDFwb10CdeFHtRtEYD54Qbi/nD4oxQ8cSoLKC3wft2l3E/mK/1I4Mxwq15CioK4MhfzTISoeGZbjDXPKgloJOG3rn9v64vFGV6dosbLgaXEs+MPcCsPQYkwhOOyazuewRmIDOBp5QSsKPhqsT8Rs20t8LGTMkvjZniFWJs90l9QL9F1m3obq5nyuxrGt+7Rf5zoj4T+0XCOGtE+b7cRCLg43tFuTbaAQG8Z+qkPzpza+gggQ1MIIEMTCCBC0wggMVoAMCAQICFCnhUo39pSqH6x3kHUds4YpYaXOrOj8BBDBaUSLaLwIIGjAYSS+oEUludGVybWVkaWF0ZSBDQSAxMB4XDTIzMDUwMTE5MjgzOVoXDTMzMDQyOA0PUasVAEkMMIIBIi4nAgABBQD0QAEPADCCAQoCggEBAKMMyuuA66EOHnGb07P5Zc5wwiEGPDHBBn6lqErhIaN0VJ9XzlDWwyk8Q7CdPlSU7o36DXFs316eATB5bLuXXa+7WwV3cp9V5mZF9OLCz3sOWNYUanYprOMwKA3uvcqqrh8e70Dzw6sX8tfsDeH7aJoJg5kRWEKU+A3Umm+fO+hW8Km3GBqRQXxD49uxAfGtCznXZZjmFbAXqVZu+4R6wMxndfz2dYQxeMVtUY/QGdMWT4fvWzO5et3+X6hq/URUAPOkplv9O2U4T4JPucS9yZpW/FTxWC/L7vQI/bfsrSgIZpv4eJgy27FW3Q4xusbjVvUCL/t2KLvEi/Nr2qodOCECAwEAAaOB7TCB6jAdBgNVHQ4EFgQUy15QYHqrL6k7HiSrAkKN7IFgSBMwHwYDVR0jBBgwFoBSyQNQMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQ4YBAMCB4AwFgEeACUBEBAMMAoGCIm0sAMJMD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6Ly8xMjcuMC4wLjE6MTg4ODgvaV1WKDFfY3JsLmRlcjAzEUscAQEEJzAlMCMRWwwwAYYXWkoALhICkTnw/0hlzm2RRjA3tvJ2wELj9e7pMg5GtdWdrLDyI/U1qBxhZoHADbyku7W+R1iL8dFfc4PSmdo+owsygZakvahXjv49xJNX7wV3YMmIHC4lfurIlY2mSnPlu2zEOwEDkI0S9WkTxXmHrkXLSciQJDkwzye6MR5fW+APk4JmKDPc46Go/K1A0EgxY/ugahMYsYtZu++W+IOYbEoYNxoCrcJCHX4c3Ep3t/Wulz4X6DWWhaDkMMUDC2JVE8E/3xUbw0X3adZe9Xf8T+goOz7wLCAigXKj1hvRUmOGISIGelv0KsfluZesG1a1TGLp+W9JX0M9nOaFOvjJTDP96aqIjs8oXGk="
+				 }
+				}`)
+				err := writeCacheFile("", c)
+				if err != nil {
+					t.Fatal(err)
+				}
+			} else {
+				intermediateCA1Responder = newOCSPResponderIntermediateCA1(t)
+				intermediateCA1ResponderURL := fmt.Sprintf("http://%s", intermediateCA1Responder.Addr)
+				setOCSPStatus(t, intermediateCA1ResponderURL, "configs/certs/ocsp_peer/mini-ca/client1/UserA1_cert.pem", ocsp.Good)
+				defer intermediateCA1Responder.Shutdown(ctx)
+			}
+			content := test.config
+			conf := createConfFile(t, []byte(content))
+			s, opts := RunServerWithConfig(conf)
+			defer s.Shutdown()
+			nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port), test.opts...)
+			if test.err == nil && err != nil {
+				t.Errorf("Expected to connect, got %v", err)
+			} else if test.err != nil && err == nil {
+				t.Errorf("Expected error on connect")
+			} else if test.err != nil && err != nil {
+				// Error on connect was expected
+				if test.err.Error() != err.Error() {
+					t.Errorf("Expected error %s, got: %s", test.err, err)
+				}
+				return
+			}
+			defer nc.Close()
+			v := monitorGetVarzHelper(t, 8222)
+			responses := v.OCSPResponseCache.Responses
+			revokes := v.OCSPResponseCache.Revokes
+			goods := v.OCSPResponseCache.Goods
+			unknowns := v.OCSPResponseCache.Unknowns
+			if !(responses == test.responses && revokes == test.revokes && goods == test.goods && unknowns == test.unknowns) {
+				t.Fatalf("Expected %d response, %d revoked, %d good, %d unknown; got [%d] and [%d] and [%d] and [%d]", test.responses, test.revokes, test.goods, test.unknowns, responses, revokes, goods, unknowns)
+			}
+		})
+	}
+}
+
+// TestOCSPStapleFeatureInterop is a test of a NATS client (AIA enabled at leaf and cert) connecting to a NATS Server
+// in which both ocsp_peer is enabled on NATS client connections (verify client) and the ocsp staple is enabled such
+// that the NATS Server will staple its own OCSP response and make available to the NATS client during handshake.
+func TestOCSPStapleFeatureInterop(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	rootCAResponder := newOCSPResponderRootCA(t)
+	rootCAResponderURL := fmt.Sprintf("http://%s", rootCAResponder.Addr)
+	defer rootCAResponder.Shutdown(ctx)
+	setOCSPStatus(t, rootCAResponderURL, "configs/certs/ocsp_peer/mini-ca/intermediate1/intermediate1_cert.pem", ocsp.Good)
+
+	intermediateCA1Responder := newOCSPResponderIntermediateCA1(t)
+	intermediateCA1ResponderURL := fmt.Sprintf("http://%s", intermediateCA1Responder.Addr)
+	defer intermediateCA1Responder.Shutdown(ctx)
+	setOCSPStatus(t, intermediateCA1ResponderURL, "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_cert.pem", ocsp.Good)
+
+	for _, test := range []struct {
+		name      string
+		config    string
+		opts      []nats.Option
+		err       error
+		rerr      error
+		configure func()
+	}{
+		{
+			"Interop: Both Good: mTLS OCSP peer check on inbound client connection and server's OCSP staple validated at client",
+			`
+				port: -1
+				ocsp_cache: true
+				ocsp: {
+					mode: always
+				}
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Long form configuration, non-default ca_timeout
+					ocsp_peer: {
+						verify: true
+						ca_timeout: 5
+						allowed_clockskew: 30
+					}
+				}
+			`,
+			[]nats.Option{
+				nats.Secure(&tls.Config{
+					VerifyConnection: func(s tls.ConnectionState) error {
+						if s.OCSPResponse == nil {
+							return fmt.Errorf("expected OCSP staple to be present")
+						}
+						resp, err := ocsp.ParseResponse(s.OCSPResponse, s.VerifiedChains[0][1])
+						if err != nil || resp.Status != ocsp.Good {
+							return fmt.Errorf("expected a valid GOOD stapled response")
+						}
+						return nil
+					},
+				}),
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			nil,
+			nil,
+			func() {
+				setOCSPStatus(t, intermediateCA1ResponderURL, "configs/certs/ocsp_peer/mini-ca/client1/UserA1_cert.pem", ocsp.Good)
+			},
+		},
+		{
+			"Interop: Bad Client: mTLS OCSP peer check on inbound client connection and server's OCSP staple validated at client",
+			`
+				port: -1
+				ocsp_cache: true
+				ocsp: {
+					mode: always
+				}
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Long form configuration, non-default ca_timeout
+					ocsp_peer: {
+						verify: true
+						ca_timeout: 5
+						allowed_clockskew: 30
+					}
+				}
+			`,
+			[]nats.Option{
+				nats.Secure(&tls.Config{
+					VerifyConnection: func(s tls.ConnectionState) error {
+						if s.OCSPResponse == nil {
+							return fmt.Errorf("expected OCSP staple to be present")
+						}
+						resp, err := ocsp.ParseResponse(s.OCSPResponse, s.VerifiedChains[0][1])
+						if err != nil || resp.Status != ocsp.Good {
+							return fmt.Errorf("expected a valid GOOD stapled response")
+						}
+						return nil
+					},
+				}),
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			fmt.Errorf("remote error: tls: bad certificate"),
+			nil,
+			func() {
+				setOCSPStatus(t, intermediateCA1ResponderURL, "configs/certs/ocsp_peer/mini-ca/client1/UserA1_cert.pem", ocsp.Revoked)
+			},
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			deleteLocalStore(t, "")
+			test.configure()
+			content := test.config
+			conf := createConfFile(t, []byte(content))
+
+			s, opts := RunServerWithConfig(conf)
+			defer s.Shutdown()
+			nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port), test.opts...)
+			if test.err == nil && err != nil {
+				t.Errorf("Expected to connect, got %v", err)
+			} else if test.err != nil && err == nil {
+				t.Errorf("Expected error on connect")
+			} else if test.err != nil && err != nil {
+				// Error on connect was expected
+				if test.err.Error() != err.Error() {
+					t.Errorf("Expected error %s, got: %s", test.err, err)
+				}
+				return
+			}
+			defer nc.Close()
+			nc.Subscribe("ping", func(m *nats.Msg) {
+				m.Respond([]byte("pong"))
+			})
+			nc.Flush()
+			_, err = nc.Request("ping", []byte("ping"), 250*time.Millisecond)
+			if test.rerr != nil && err == nil {
+				t.Errorf("Expected error getting response")
+			} else if test.rerr == nil && err != nil {
+				t.Errorf("Expected response")
+			}
+		})
+	}
+}
+
+// TestOCSPPeerWarnOnlyOption is test of NATS client that is OCSP Revoked status but allowed to pass with warn_only option
+func TestOCSPPeerWarnOnlyOption(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	rootCAResponder := newOCSPResponderRootCA(t)
+	rootCAResponderURL := fmt.Sprintf("http://%s", rootCAResponder.Addr)
+	defer rootCAResponder.Shutdown(ctx)
+	setOCSPStatus(t, rootCAResponderURL, "configs/certs/ocsp_peer/mini-ca/intermediate1/intermediate1_cert.pem", ocsp.Good)
+
+	intermediateCA1Responder := newOCSPResponderIntermediateCA1(t)
+	intermediateCA1ResponderURL := fmt.Sprintf("http://%s", intermediateCA1Responder.Addr)
+	defer intermediateCA1Responder.Shutdown(ctx)
+	setOCSPStatus(t, intermediateCA1ResponderURL, "configs/certs/ocsp_peer/mini-ca/client1/UserA1_cert.pem", ocsp.Revoked)
+
+	for _, test := range []struct {
+		name      string
+		config    string
+		opts      []nats.Option
+		err       error
+		rerr      error
+		configure func()
+	}{
+		{
+			"Revoked NATS client with warn_only explicitly set to false",
+			`
+				port: -1
+				# Cache configuration is default
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Enable OCSP peer but with warn_only option set to false
+					ocsp_peer: {
+						verify: true
+						warn_only: false
+					}
+				}
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			errors.New("remote error: tls: bad certificate"),
+			errors.New("expect error"),
+			func() {},
+		},
+		{
+			"Revoked NATS client with warn_only explicitly set to true",
+			`
+				port: -1
+				# Cache configuration is default
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Enable OCSP peer but with warn_only option set to true
+					ocsp_peer: {
+						verify: true
+						warn_only: true
+					}
+				}
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			nil,
+			nil,
+			func() {},
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			deleteLocalStore(t, "")
+			test.configure()
+			content := test.config
+			conf := createConfFile(t, []byte(content))
+			s, opts := RunServerWithConfig(conf)
+			defer s.Shutdown()
+			nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port), test.opts...)
+			if test.err == nil && err != nil {
+				t.Errorf("Expected to connect, got %v", err)
+			} else if test.err != nil && err == nil {
+				t.Errorf("Expected error on connect")
+			} else if test.err != nil && err != nil {
+				// Error on connect was expected
+				if test.err.Error() != err.Error() {
+					t.Errorf("Expected error %s, got: %s", test.err, err)
+				}
+				return
+			}
+			defer nc.Close()
+		})
+	}
+}
+
+// TestOCSPPeerUnknownIsGoodOption is test of NATS client that is OCSP status Unknown from its OCSP Responder but we treat
+// status Unknown as "Good"
+func TestOCSPPeerUnknownIsGoodOption(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	rootCAResponder := newOCSPResponderRootCA(t)
+	rootCAResponderURL := fmt.Sprintf("http://%s", rootCAResponder.Addr)
+	defer rootCAResponder.Shutdown(ctx)
+	setOCSPStatus(t, rootCAResponderURL, "configs/certs/ocsp_peer/mini-ca/intermediate1/intermediate1_cert.pem", ocsp.Good)
+
+	intermediateCA1Responder := newOCSPResponderIntermediateCA1(t)
+	defer intermediateCA1Responder.Shutdown(ctx)
+
+	for _, test := range []struct {
+		name      string
+		config    string
+		opts      []nats.Option
+		err       error
+		rerr      error
+		configure func()
+	}{
+		{
+			"Unknown NATS client with no unknown_is_good option set (default false)",
+			`
+				port: -1
+				# Cache configuration is default
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Short form configuration
+					ocsp_peer: true
+				}
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			errors.New("remote error: tls: bad certificate"),
+			errors.New("expect error"),
+			func() {},
+		},
+		{
+			"Unknown NATS client with unknown_is_good set to true",
+			`
+				port: -1
+				# Cache configuration is default
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Long form configuration
+					ocsp_peer: {
+						verify: true
+						unknown_is_good: true
+					}
+				}
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			nil,
+			nil,
+			func() {},
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			deleteLocalStore(t, "")
+			test.configure()
+			content := test.config
+			conf := createConfFile(t, []byte(content))
+			s, opts := RunServerWithConfig(conf)
+			defer s.Shutdown()
+			nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port), test.opts...)
+			if test.err == nil && err != nil {
+				t.Errorf("Expected to connect, got %v", err)
+			} else if test.err != nil && err == nil {
+				t.Errorf("Expected error on connect")
+			} else if test.err != nil && err != nil {
+				// Error on connect was expected
+				if test.err.Error() != err.Error() {
+					t.Errorf("Expected error %s, got: %s", test.err, err)
+				}
+				return
+			}
+			defer nc.Close()
+		})
+	}
+}
+
+// TestOCSPPeerAllowWhenCAUnreachableOption is test of the allow_when_ca_unreachable peer option
+func TestOCSPPeerAllowWhenCAUnreachableOption(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	rootCAResponder := newOCSPResponderRootCA(t)
+	rootCAResponderURL := fmt.Sprintf("http://%s", rootCAResponder.Addr)
+	defer rootCAResponder.Shutdown(ctx)
+	setOCSPStatus(t, rootCAResponderURL, "configs/certs/ocsp_peer/mini-ca/intermediate1/intermediate1_cert.pem", ocsp.Good)
+
+	for _, test := range []struct {
+		name           string
+		config         string
+		opts           []nats.Option
+		cachedResponse string
+		err            error
+		rerr           error
+	}{
+		{
+			"Expired Revoked response in cache for UserA1 -- should be rejected connection (expired revoke honored)",
+			`
+				port: -1
+				http_port: 8222
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Turn on CA OCSP check but allow when CA is unreachable
+					ocsp_peer: {
+						verify: true
+						ca_timeout: 0.5
+						allow_when_ca_unreachable: true
+					}
+				}
+				# preserve revoked true
+				ocsp_cache: {
+					type: local
+					preserve_revoked: true
+				}
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			`
+				{
+					"5xL/SuHl6JN0OmxrNMpzVMTA73JVYcRfGX8+HvJinEI=": {
+						"subject": "CN=UserA1,O=Testnats,L=Tacoma,ST=WA,C=US",
+						"cached_at": "2023-05-29T17:56:45Z",
+						"resp_status": "revoked",
+						"resp_expires": "2023-05-29T17:56:49Z",
+						"resp": "/wYAAFMyc1R3TwBSBQBao1Qr1QzUMIIGUQoBAKCCBkowggZGBgkrBgEFBQcwAQEEggY3MIIGMzCB46FZMFcxCzAJBgNVBAYTAlVTEQ0gCAwCV0ExDzANAQ0wBwwGVGFjb21hMREwDwEROAoMCFRlc3RuYXRzMRcwFQET8HQDDA5PQ1NQIFJlc3BvbmRlchgPMjAyMzA1MjkxNzU2MDBaMHUwczBNMAkGBSsOAwIaBQAEFKgwn5fplwQy+DsulBg5SRpx0iaYBBS1kW5PZLcWhHb5tL6ZzmCVmBqOnQIUXKGv1Xy7Fu/Cx+ZT/JQa7SS7tBc2ZAAQNDVaoBE2dwD0QQE0OVowDQYJKoZIhvcNAQELBQADggEBAGAax/vkv3SBFNbxp2utc/N6Rje4E0ceC972sWgqYjzYrH0oc/acg+OAXaxUjwqoQWaT+dHaI4D5qoTkMx7XlWATjI2L72IUTf6Luo92jPzyDFwb10CdeFHtRtEYD54Qbi/nD4oxQ8cSoLKC3wft2l3E/mK/1I4Mxwq15CioK4MhfzTISoeGZbjDXPKgloJOG3rn9v64vFGV6dosbLgaXEs+MPcCsPQYkwhOOyazuewRmIDOBp5QSsKPhqsT8Rs20t8LGTMkvjZniFWJs90l9QL9F1m3obq5nyuxrGt+7Rf5zoj4T+0XCOGtE+b7cRCLg43tFuTbaAQG8Z+qkPzpza+gggQ1MIIEMTCCBC0wggMVoAMCAQICFCnhUo39pSqH6x3kHUds4YpYaXOrOj8BBDBaUSLaLwIIGjAYSS+oEUludGVybWVkaWF0ZSBDQSAxMB4XDTIzMDUwMTE5MjgzOVoXDTMzMDQyOA0PUasVAEkMMIIBIi4nAgABBQD0QAEPADCCAQoCggEBAKMMyuuA66EOHnGb07P5Zc5wwiEGPDHBBn6lqErhIaN0VJ9XzlDWwyk8Q7CdPlSU7o36DXFs316eATB5bLuXXa+7WwV3cp9V5mZF9OLCz3sOWNYUanYprOMwKA3uvcqqrh8e70Dzw6sX8tfsDeH7aJoJg5kRWEKU+A3Umm+fO+hW8Km3GBqRQXxD49uxAfGtCznXZZjmFbAXqVZu+4R6wMxndfz2dYQxeMVtUY/QGdMWT4fvWzO5et3+X6hq/URUAPOkplv9O2U4T4JPucS9yZpW/FTxWC/L7vQI/bfsrSgIZpv4eJgy27FW3Q4xusbjVvUCL/t2KLvEi/Nr2qodOCECAwEAAaOB7TCB6jAdBgNVHQ4EFgQUy15QYHqrL6k7HiSrAkKN7IFgSBMwHwYDVR0jBBgwFoBSyQNQMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQ4YBAMCB4AwFgEeACUBEBAMMAoGCIm0sAMJMD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6Ly8xMjcuMC4wLjE6MTg4ODgvaV1WKDFfY3JsLmRlcjAzEUscAQEEJzAlMCMRWwwwAYYXWkoALhICkTnw/0hlzm2RRjA3tvJ2wELj9e7pMg5GtdWdrLDyI/U1qBxhZoHADbyku7W+R1iL8dFfc4PSmdo+owsygZakvahXjv49xJNX7wV3YMmIHC4lfurIlY2mSnPlu2zEOwEDkI0S9WkTxXmHrkXLSciQJDkwzye6MR5fW+APk4JmKDPc46Go/K1A0EgxY/ugahMYsYtZu++W+IOYbEoYNxoCrcJCHX4c3Ep3t/Wulz4X6DWWhaDkMMUDC2JVE8E/3xUbw0X3adZe9Xf8T+goOz7wLCAigXKj1hvRUmOGISIGelv0KsfluZesG1a1TGLp+W9JX0M9nOaFOvjJTDP96aqIjs8oXGk="
+					}
+				}`,
+			errors.New("remote error: tls: bad certificate"),
+			errors.New("expect error"),
+		},
+		{
+			"Expired Good response in cache for UserA1 -- should be allowed connection (cached item irrelevant)",
+			`
+				port: -1
+				http_port: 8222
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Turn on CA OCSP check but allow when CA is unreachable
+					ocsp_peer: {
+						verify: true
+						ca_timeout: 0.5
+						allow_when_ca_unreachable: true
+					}
+				}
+				# preserve revoked true
+				ocsp_cache: {
+					type: local
+					preserve_revoked: true
+				}
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			`
+			{
+				"5xL/SuHl6JN0OmxrNMpzVMTA73JVYcRfGX8+HvJinEI=": {
+					"subject": "CN=UserA1,O=Testnats,L=Tacoma,ST=WA,C=US",
+					"cached_at": "2023-06-05T16:33:52Z",
+					"resp_status": "good",
+					"resp_expires": "2023-06-05T16:33:55Z",
+					"resp": "/wYAAFMyc1R3TwBYBQBgpzMn1wzUMIIGUwoBAKCCBkwwggZIBgkrBgEFBQcwAQEEggY5MIIGNTCB5aFZMFcxCzAJBgNVBAYTAlVTEQ0gCAwCV0ExDzANAQ0wBwwGVGFjb21hMREwDwEROAoMCFRlc3RuYXRzMRcwFQET8HYDDA5PQ1NQIFJlc3BvbmRlchgPMjAyMzA2MDUxNjMzMDBaMHcwdTBNMAkGBSsOAwIaBQAEFKgwn5fplwQy+DsulBg5SRpx0iaYBBS1kW5PZLcWhHb5tL6ZzmCVmBqOnQIUXKGv1Xy7Fu/Cx+ZT/JQa7SS7tBeAADZmABA1MVqgEToTAPRAATVaMA0GCSqGSIb3DQEBCwUAA4IBAQB9csJxA2VcpQYmC5lzI0dJJnEC1zcaP1oFbBm5VsZAbWh4mIGTqyEjMkucBqANTypnhWFRYcZE5nJE8tN8Aen0EBYkhk1wfEIhincaF3zs6x5RzigxQOqTPAanO55keKH5exYnfBcyCwAQiBbQaTXLJJdjerfqiRjqgsnLW8yl2IC8+kxTCfR4GHTK34mvqVWYYhP/xbaxTLJTp35t1vf1o78ct9R+z8W5sCSO4TsMNnExZlu4Ejeon/KivMR22j7nelTEaDCuaOl03WxKh9yhw2ix8V7lvR74wh5f4fjLZria6Y0+lUjwvvrZyBRwA62W/ihe3778q8KhLECFPQSaoIIENTCCBDEwggQtMIIDFaADAgECAhQp4VKN/aUqh+sd5B1HbOGKWGlzqzo/AQQwWlEk2jECCBowGEkxqBFJbnRlcm1lZGlhdGUgQ0EgMTAeFw0yMzA1MDExOTI4MzlaFw0zMzA0MjgND1GtFQBJDDCCASIuJwIAAQUA9EABDwAwggEKAoIBAQCjDMrrgOuhDh5xm9Oz+WXOcMIhBjwxwQZ+pahK4SGjdFSfV85Q1sMpPEOwnT5UlO6N+g1xbN9engEweWy7l12vu1sFd3KfVeZmRfTiws97DljWFGp2KazjMCgN7r3Kqq4fHu9A88OrF/LX7A3h+2iaCYOZEVhClPgN1JpvnzvoVvCptxgakUF8Q+PbsQHxrQs512WY5hWwF6lWbvuEesDMZ3X89nWEMXjFbVGP0BnTFk+H71szuXrd/l+oav1EVADzpKZb/TtlOE+CT7nEvcmaVvxU8Vgvy+70CP237K0oCGab+HiYMtuxVt0OMbrG41b1Ai/7dii7xIvza9qqHTghAgMBAAGjge0wgeowHQYDVR0OBBYEFMteUGB6qy+pOx4kqwJCjeyBYEgTMB8GA1UdIwQYMBaAUssDUDAMBgNVHRMBAf8EAjAAMA4GA1UdDwEOGAQDAgeAMBYBHgAlARAQDDAKBgiJtrADCTA9BgNVHR8ENjA0MDKgMKAuhixodHRwOi8vMTI3LjAuMC4xOjE4ODg4L2ldVigxX2NybC5kZXIwMxFLHAEBBCcwJTAjEVsMMAGGF1pKAC4SAgALBQD0AQEBAEhlzm2RRjA3tvJ2wELj9e7pMg5GtdWdrLDyI/U1qBxhZoHADbyku7W+R1iL8dFfc4PSmdo+owsygZakvahXjv49xJNX7wV3YMmIHC4lfurIlY2mSnPlu2zEOwEDkI0S9WkTxXmHrkXLSciQJDkwzye6MR5fW+APk4JmKDPc46Go/K1A0EgxY/ugahMYsYtZu++W+IOYbEoYNxoCrcJCHX4c3Ep3t/Wulz4X6DWWhaDkMMUDC2JVE8E/3xUbw0X3adZe9Xf8T+goOz7wLCAigXKj1hvRUmOGISIGelv0KsfluZesG1a1TGLp+W9JX0M9nOaFOvjJTDP96aqIjs8oXGk="
+				}
+			}`,
+			nil,
+			nil,
+		},
+		{
+			"Expired Unknown response in cache for UserA1 -- should be allowed connection (cached item irrelevant)",
+			`
+				port: -1
+				http_port: 8222
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Turn on CA OCSP check but allow when CA is unreachable
+					ocsp_peer: {
+						verify: true
+						ca_timeout: 0.5
+						allow_when_ca_unreachable: true
+					}
+				}
+				# preserve revoked true
+				ocsp_cache: {
+					type: local
+					preserve_revoked: true
+				}
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			`
+			{
+				"5xL/SuHl6JN0OmxrNMpzVMTA73JVYcRfGX8+HvJinEI=": {
+					"subject": "CN=UserA1,O=Testnats,L=Tacoma,ST=WA,C=US",
+					"cached_at": "2023-06-05T16:45:01Z",
+					"resp_status": "unknown",
+					"resp_expires": "2023-06-05T16:45:05Z",
+					"resp": "/wYAAFMyc1R3TwBSBQBH1aW01wzUMIIGUwoBAKCCBkwwggZIBgkrBgEFBQcwAQEEggY5MIIGNTCB5aFZMFcxCzAJBgNVBAYTAlVTEQ0gCAwCV0ExDzANAQ0wBwwGVGFjb21hMREwDwEROAoMCFRlc3RuYXRzMRcwFQET8HYDDA5PQ1NQIFJlc3BvbmRlchgPMjAyMzA2MDUxNjQ1MDBaMHcwdTBNMAkGBSsOAwIaBQAEFKgwn5fplwQy+DsulBg5SRpx0iaYBBS1kW5PZLcWhHb5tL6ZzmCVmBqOnQIUXKGv1Xy7Fu/Cx+ZT/JQa7SS7tBeCADpmAAwxWqAROhMA9EABNVowDQYJKoZIhvcNAQELBQADggEBAAzwED88ngiFj3hLzIejZ8DE/ppticX0vgAjUM8oXjDjwNXpSQ5xdXHsDk4RAYAVpNyiAfL2fapwz91g3JuZot6npp8smtZC5D0YMKK8iMjrx2aMqVyv+ai/33WG8PRWpBNzSTYaLhlBFjhUrx8HDu97ozNbmfgDWzRS1LqkJRa5YXvkyppqYTFSX73DV9R9tOVOwZ0x5WEKst9IJ+88mXsOBGyuye2Gh9RK6KsLgaOwiD9FBf18WRKIixeVM1Y/xHc/iwFPi8k3Z6hZ6gHX8NboQ/djCyzYVSWsUedTo/62uuagHPRWoYci4HQl4bSFXfcEO/EkWGnqkWBHfYZ4soigggQ1MIIEMTCCBC0wggMVoAMCAQICFCnhUo39pSqH6x3kHUds4YpYaXOrOj8BBDBaUSTaMQIIGjAYSTGoEUludGVybWVkaWF0ZSBDQSAxMB4XDTIzMDUwMTE5MjgzOVoXDTMzMDQyOA0PUa0VAEkMMIIBIi4nAgABBQD0QAEPADCCAQoCggEBAKMMyuuA66EOHnGb07P5Zc5wwiEGPDHBBn6lqErhIaN0VJ9XzlDWwyk8Q7CdPlSU7o36DXFs316eATB5bLuXXa+7WwV3cp9V5mZF9OLCz3sOWNYUanYprOMwKA3uvcqqrh8e70Dzw6sX8tfsDeH7aJoJg5kRWEKU+A3Umm+fO+hW8Km3GBqRQXxD49uxAfGtCznXZZjmFbAXqVZu+4R6wMxndfz2dYQxeMVtUY/QGdMWT4fvWzO5et3+X6hq/URUAPOkplv9O2U4T4JPucS9yZpW/FTxWC/L7vQI/bfsrSgIZpv4eJgy27FW3Q4xusbjVvUCL/t2KLvEi/Nr2qodOCECAwEAAaOB7TCB6jAdBgNVHQ4EFgQUy15QYHqrL6k7HiSrAkKN7IFgSBMwHwYDVR0jBBgwFoBSywNQMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQ4YBAMCB4AwFgEeACUBEBAMMAoGCIm2sAMJMD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6Ly8xMjcuMC4wLjE6MTg4ODgvaV1WKDFfY3JsLmRlcjAzEUscAQEEJzAlMCMRWwwwAYYXWkoALhICkTnw/0hlzm2RRjA3tvJ2wELj9e7pMg5GtdWdrLDyI/U1qBxhZoHADbyku7W+R1iL8dFfc4PSmdo+owsygZakvahXjv49xJNX7wV3YMmIHC4lfurIlY2mSnPlu2zEOwEDkI0S9WkTxXmHrkXLSciQJDkwzye6MR5fW+APk4JmKDPc46Go/K1A0EgxY/ugahMYsYtZu++W+IOYbEoYNxoCrcJCHX4c3Ep3t/Wulz4X6DWWhaDkMMUDC2JVE8E/3xUbw0X3adZe9Xf8T+goOz7wLCAigXKj1hvRUmOGISIGelv0KsfluZesG1a1TGLp+W9JX0M9nOaFOvjJTDP96aqIjs8oXGk="
+				}
+			}`,
+			nil,
+			nil,
+		},
+		{
+			"No response in cache for UserA1 -- should be allowed connection",
+			`
+				port: -1
+				http_port: 8222
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Turn on CA OCSP check but allow when CA is unreachable
+					ocsp_peer: {
+						verify: true
+						ca_timeout: 0.5
+						allow_when_ca_unreachable: true
+					}
+				}
+				# preserve revoked true
+				ocsp_cache: {
+					type: local
+					preserve_revoked: true
+				}
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			"",
+			nil,
+			nil,
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			deleteLocalStore(t, "")
+			c := []byte(test.cachedResponse)
+			err := writeCacheFile("", c)
+			if err != nil {
+				t.Fatal(err)
+			}
+			content := test.config
+			conf := createConfFile(t, []byte(content))
+			s, opts := RunServerWithConfig(conf)
+			defer s.Shutdown()
+			nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port), test.opts...)
+			if test.err == nil && err != nil {
+				t.Errorf("Expected to connect, got %v", err)
+			} else if test.err != nil && err == nil {
+				t.Errorf("Expected error on connect")
+			} else if test.err != nil && err != nil {
+				// Error on connect was expected
+				if test.err.Error() != err.Error() {
+					t.Errorf("Expected error %s, got: %s", test.err, err)
+				}
+				return
+			}
+			defer nc.Close()
+		})
+	}
+}
+
+// TestOCSPResponseCacheLocalStoreOption is test of default and non-default local_store option
+func TestOCSPResponseCacheLocalStoreOpt(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	rootCAResponder := newOCSPResponderRootCA(t)
+	rootCAResponderURL := fmt.Sprintf("http://%s", rootCAResponder.Addr)
+	defer rootCAResponder.Shutdown(ctx)
+	setOCSPStatus(t, rootCAResponderURL, "configs/certs/ocsp_peer/mini-ca/intermediate1/intermediate1_cert.pem", ocsp.Good)
+
+	for _, test := range []struct {
+		name           string
+		config         string
+		opts           []nats.Option
+		cachedResponse string
+		err            error
+		rerr           error
+		storeLocation  string
+	}{
+		{
+			"Test load from non-default local store _custom_; connect will reject only if cache file found and loaded",
+			`
+				port: -1
+				http_port: 8222
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Turn on CA OCSP check but allow when CA is unreachable
+					ocsp_peer: {
+						verify: true
+						ca_timeout: 0.5
+						allow_when_ca_unreachable: true
+					}
+				}
+				# preserve revoked true
+				ocsp_cache: {
+					type: local
+					local_store: "_custom_"
+					preserve_revoked: true
+				}
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			`
+				{
+					"5xL/SuHl6JN0OmxrNMpzVMTA73JVYcRfGX8+HvJinEI=": {
+						"subject": "CN=UserA1,O=Testnats,L=Tacoma,ST=WA,C=US",
+						"cached_at": "2023-05-29T17:56:45Z",
+						"resp_status": "revoked",
+						"resp_expires": "2023-05-29T17:56:49Z",
+						"resp": "/wYAAFMyc1R3TwBSBQBao1Qr1QzUMIIGUQoBAKCCBkowggZGBgkrBgEFBQcwAQEEggY3MIIGMzCB46FZMFcxCzAJBgNVBAYTAlVTEQ0gCAwCV0ExDzANAQ0wBwwGVGFjb21hMREwDwEROAoMCFRlc3RuYXRzMRcwFQET8HQDDA5PQ1NQIFJlc3BvbmRlchgPMjAyMzA1MjkxNzU2MDBaMHUwczBNMAkGBSsOAwIaBQAEFKgwn5fplwQy+DsulBg5SRpx0iaYBBS1kW5PZLcWhHb5tL6ZzmCVmBqOnQIUXKGv1Xy7Fu/Cx+ZT/JQa7SS7tBc2ZAAQNDVaoBE2dwD0QQE0OVowDQYJKoZIhvcNAQELBQADggEBAGAax/vkv3SBFNbxp2utc/N6Rje4E0ceC972sWgqYjzYrH0oc/acg+OAXaxUjwqoQWaT+dHaI4D5qoTkMx7XlWATjI2L72IUTf6Luo92jPzyDFwb10CdeFHtRtEYD54Qbi/nD4oxQ8cSoLKC3wft2l3E/mK/1I4Mxwq15CioK4MhfzTISoeGZbjDXPKgloJOG3rn9v64vFGV6dosbLgaXEs+MPcCsPQYkwhOOyazuewRmIDOBp5QSsKPhqsT8Rs20t8LGTMkvjZniFWJs90l9QL9F1m3obq5nyuxrGt+7Rf5zoj4T+0XCOGtE+b7cRCLg43tFuTbaAQG8Z+qkPzpza+gggQ1MIIEMTCCBC0wggMVoAMCAQICFCnhUo39pSqH6x3kHUds4YpYaXOrOj8BBDBaUSLaLwIIGjAYSS+oEUludGVybWVkaWF0ZSBDQSAxMB4XDTIzMDUwMTE5MjgzOVoXDTMzMDQyOA0PUasVAEkMMIIBIi4nAgABBQD0QAEPADCCAQoCggEBAKMMyuuA66EOHnGb07P5Zc5wwiEGPDHBBn6lqErhIaN0VJ9XzlDWwyk8Q7CdPlSU7o36DXFs316eATB5bLuXXa+7WwV3cp9V5mZF9OLCz3sOWNYUanYprOMwKA3uvcqqrh8e70Dzw6sX8tfsDeH7aJoJg5kRWEKU+A3Umm+fO+hW8Km3GBqRQXxD49uxAfGtCznXZZjmFbAXqVZu+4R6wMxndfz2dYQxeMVtUY/QGdMWT4fvWzO5et3+X6hq/URUAPOkplv9O2U4T4JPucS9yZpW/FTxWC/L7vQI/bfsrSgIZpv4eJgy27FW3Q4xusbjVvUCL/t2KLvEi/Nr2qodOCECAwEAAaOB7TCB6jAdBgNVHQ4EFgQUy15QYHqrL6k7HiSrAkKN7IFgSBMwHwYDVR0jBBgwFoBSyQNQMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQ4YBAMCB4AwFgEeACUBEBAMMAoGCIm0sAMJMD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6Ly8xMjcuMC4wLjE6MTg4ODgvaV1WKDFfY3JsLmRlcjAzEUscAQEEJzAlMCMRWwwwAYYXWkoALhICkTnw/0hlzm2RRjA3tvJ2wELj9e7pMg5GtdWdrLDyI/U1qBxhZoHADbyku7W+R1iL8dFfc4PSmdo+owsygZakvahXjv49xJNX7wV3YMmIHC4lfurIlY2mSnPlu2zEOwEDkI0S9WkTxXmHrkXLSciQJDkwzye6MR5fW+APk4JmKDPc46Go/K1A0EgxY/ugahMYsYtZu++W+IOYbEoYNxoCrcJCHX4c3Ep3t/Wulz4X6DWWhaDkMMUDC2JVE8E/3xUbw0X3adZe9Xf8T+goOz7wLCAigXKj1hvRUmOGISIGelv0KsfluZesG1a1TGLp+W9JX0M9nOaFOvjJTDP96aqIjs8oXGk="
+					}
+				}`,
+			errors.New("remote error: tls: bad certificate"),
+			errors.New("expect error"),
+			"_custom_",
+		},
+		{
+			"Test load from default local store when \"\" set; connect will reject only if cache file found and loaded",
+			`
+				port: -1
+				http_port: 8222
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Turn on CA OCSP check but allow when CA is unreachable
+					ocsp_peer: {
+						verify: true
+						ca_timeout: 0.5
+						allow_when_ca_unreachable: true
+					}
+				}
+				# preserve revoked true
+				ocsp_cache: {
+					type: local
+					local_store: ""
+					preserve_revoked: true
+				}
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			`
+				{
+					"5xL/SuHl6JN0OmxrNMpzVMTA73JVYcRfGX8+HvJinEI=": {
+						"subject": "CN=UserA1,O=Testnats,L=Tacoma,ST=WA,C=US",
+						"cached_at": "2023-05-29T17:56:45Z",
+						"resp_status": "revoked",
+						"resp_expires": "2023-05-29T17:56:49Z",
+						"resp": "/wYAAFMyc1R3TwBSBQBao1Qr1QzUMIIGUQoBAKCCBkowggZGBgkrBgEFBQcwAQEEggY3MIIGMzCB46FZMFcxCzAJBgNVBAYTAlVTEQ0gCAwCV0ExDzANAQ0wBwwGVGFjb21hMREwDwEROAoMCFRlc3RuYXRzMRcwFQET8HQDDA5PQ1NQIFJlc3BvbmRlchgPMjAyMzA1MjkxNzU2MDBaMHUwczBNMAkGBSsOAwIaBQAEFKgwn5fplwQy+DsulBg5SRpx0iaYBBS1kW5PZLcWhHb5tL6ZzmCVmBqOnQIUXKGv1Xy7Fu/Cx+ZT/JQa7SS7tBc2ZAAQNDVaoBE2dwD0QQE0OVowDQYJKoZIhvcNAQELBQADggEBAGAax/vkv3SBFNbxp2utc/N6Rje4E0ceC972sWgqYjzYrH0oc/acg+OAXaxUjwqoQWaT+dHaI4D5qoTkMx7XlWATjI2L72IUTf6Luo92jPzyDFwb10CdeFHtRtEYD54Qbi/nD4oxQ8cSoLKC3wft2l3E/mK/1I4Mxwq15CioK4MhfzTISoeGZbjDXPKgloJOG3rn9v64vFGV6dosbLgaXEs+MPcCsPQYkwhOOyazuewRmIDOBp5QSsKPhqsT8Rs20t8LGTMkvjZniFWJs90l9QL9F1m3obq5nyuxrGt+7Rf5zoj4T+0XCOGtE+b7cRCLg43tFuTbaAQG8Z+qkPzpza+gggQ1MIIEMTCCBC0wggMVoAMCAQICFCnhUo39pSqH6x3kHUds4YpYaXOrOj8BBDBaUSLaLwIIGjAYSS+oEUludGVybWVkaWF0ZSBDQSAxMB4XDTIzMDUwMTE5MjgzOVoXDTMzMDQyOA0PUasVAEkMMIIBIi4nAgABBQD0QAEPADCCAQoCggEBAKMMyuuA66EOHnGb07P5Zc5wwiEGPDHBBn6lqErhIaN0VJ9XzlDWwyk8Q7CdPlSU7o36DXFs316eATB5bLuXXa+7WwV3cp9V5mZF9OLCz3sOWNYUanYprOMwKA3uvcqqrh8e70Dzw6sX8tfsDeH7aJoJg5kRWEKU+A3Umm+fO+hW8Km3GBqRQXxD49uxAfGtCznXZZjmFbAXqVZu+4R6wMxndfz2dYQxeMVtUY/QGdMWT4fvWzO5et3+X6hq/URUAPOkplv9O2U4T4JPucS9yZpW/FTxWC/L7vQI/bfsrSgIZpv4eJgy27FW3Q4xusbjVvUCL/t2KLvEi/Nr2qodOCECAwEAAaOB7TCB6jAdBgNVHQ4EFgQUy15QYHqrL6k7HiSrAkKN7IFgSBMwHwYDVR0jBBgwFoBSyQNQMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQ4YBAMCB4AwFgEeACUBEBAMMAoGCIm0sAMJMD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6Ly8xMjcuMC4wLjE6MTg4ODgvaV1WKDFfY3JsLmRlcjAzEUscAQEEJzAlMCMRWwwwAYYXWkoALhICkTnw/0hlzm2RRjA3tvJ2wELj9e7pMg5GtdWdrLDyI/U1qBxhZoHADbyku7W+R1iL8dFfc4PSmdo+owsygZakvahXjv49xJNX7wV3YMmIHC4lfurIlY2mSnPlu2zEOwEDkI0S9WkTxXmHrkXLSciQJDkwzye6MR5fW+APk4JmKDPc46Go/K1A0EgxY/ugahMYsYtZu++W+IOYbEoYNxoCrcJCHX4c3Ep3t/Wulz4X6DWWhaDkMMUDC2JVE8E/3xUbw0X3adZe9Xf8T+goOz7wLCAigXKj1hvRUmOGISIGelv0KsfluZesG1a1TGLp+W9JX0M9nOaFOvjJTDP96aqIjs8oXGk="
+					}
+				}`,
+			errors.New("remote error: tls: bad certificate"),
+			errors.New("expect error"),
+			"_rc_",
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			deleteLocalStore(t, test.storeLocation)
+			c := []byte(test.cachedResponse)
+			err := writeCacheFile(test.storeLocation, c)
+			if err != nil {
+				t.Fatal(err)
+			}
+			content := test.config
+			conf := createConfFile(t, []byte(content))
+			s, opts := RunServerWithConfig(conf)
+			defer s.Shutdown()
+			nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port), test.opts...)
+			if test.err == nil && err != nil {
+				t.Errorf("Expected to connect, got %v", err)
+			} else if test.err != nil && err == nil {
+				t.Errorf("Expected error on connect")
+			} else if test.err != nil && err != nil {
+				// Error on connect was expected
+				if test.err.Error() != err.Error() {
+					t.Errorf("Expected error %s, got: %s", test.err, err)
+				}
+				return
+			}
+			defer nc.Close()
+		})
+	}
+}
+
+// TestOCSPPeerIncrementalSaveLocalCache is test of timer-based response cache save as new entries added
+func TestOCSPPeerIncrementalSaveLocalCache(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	rootCAResponder := newOCSPResponderRootCA(t)
+	rootCAResponderURL := fmt.Sprintf("http://%s", rootCAResponder.Addr)
+	defer rootCAResponder.Shutdown(ctx)
+	setOCSPStatus(t, rootCAResponderURL, "configs/certs/ocsp_peer/mini-ca/intermediate1/intermediate1_cert.pem", ocsp.Good)
+	setOCSPStatus(t, rootCAResponderURL, "configs/certs/ocsp_peer/mini-ca/intermediate2/intermediate2_cert.pem", ocsp.Good)
+
+	intermediateCA1Responder := newOCSPResponderIntermediateCA1(t)
+	intermediateCA1ResponderURL := fmt.Sprintf("http://%s", intermediateCA1Responder.Addr)
+	defer intermediateCA1Responder.Shutdown(ctx)
+	setOCSPStatus(t, intermediateCA1ResponderURL, "configs/certs/ocsp_peer/mini-ca/client1/UserA1_cert.pem", ocsp.Good)
+
+	intermediateCA2Responder := newOCSPResponderIntermediateCA2(t)
+	intermediateCA2ResponderURL := fmt.Sprintf("http://%s", intermediateCA2Responder.Addr)
+	defer intermediateCA2Responder.Shutdown(ctx)
+	setOCSPStatus(t, intermediateCA2ResponderURL, "configs/certs/ocsp_peer/mini-ca/client2/UserB1_cert.pem", ocsp.Good)
+
+	var fi os.FileInfo
+	var err error
+
+	for _, test := range []struct {
+		name      string
+		config    string
+		opts      [][]nats.Option
+		err       error
+		rerr      error
+		configure func()
+	}{
+		{
+			"Default cache, short form: mTLS OCSP peer check on inbound client connection, UserA1 client of intermediate CA 1",
+			`
+				port: -1
+				http_port: 8222
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Long form configuration
+					ocsp_peer: {
+						verify: true
+						ca_timeout: 5
+						allowed_clockskew: 30
+					}
+				}
+				# Local cache with custom save_interval for testability
+				ocsp_cache: {
+					type: local
+					# Save if dirty ever 1 second
+					save_interval: 1
+				}
+			`,
+			[][]nats.Option{
+				{
+					nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+					nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+					nats.ErrorHandler(noOpErrHandler),
+				},
+				{
+					nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client2/UserB1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client2/private/UserB1_keypair.pem"),
+					nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+					nats.ErrorHandler(noOpErrHandler),
+				},
+			},
+			nil,
+			nil,
+			func() {},
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			// Cleanup any previous test that saved a local cache
+			deleteLocalStore(t, "")
+			fi, err = statCacheFile("")
+			if err != nil && fi != nil && fi.Size() != 0 {
+				t.Fatalf("Expected no local cache file, got a FileInfo with size %d", fi.Size())
+			}
+			test.configure()
+			content := test.config
+			conf := createConfFile(t, []byte(content))
+			s, opts := RunServerWithConfig(conf)
+			defer s.Shutdown()
+
+			// Connect with UserA1 client and get a CA Response
+			nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port), test.opts[0]...)
+			if test.err == nil && err != nil {
+				t.Errorf("Expected to connect, got %v", err)
+			} else if test.err != nil && err == nil {
+				t.Errorf("Expected error on connect")
+			} else if test.err != nil && err != nil {
+				// Error on connect was expected
+				if test.err.Error() != err.Error() {
+					t.Errorf("Expected error %s, got: %s", test.err, err)
+				}
+				return
+			}
+			nc.Close()
+			time.Sleep(2 * time.Second)
+			fi, err = statCacheFile("")
+			if err == nil && fi != nil && fi.Size() > 0 {
+				// good
+			} else {
+				if err != nil {
+					t.Fatalf("Expected an extant local cache file, got error: %v", err)
+				}
+				if fi != nil {
+					t.Fatalf("Expected non-zero size local cache file, got a FileInfo with size %d", fi.Size())
+				}
+			}
+			firstFi := fi
+			// Connect with UserB1 client and get another CA Response
+			nc, err = nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port), test.opts[1]...)
+			if test.err == nil && err != nil {
+				t.Errorf("Expected to connect, got %v", err)
+			} else if test.err != nil && err == nil {
+				t.Errorf("Expected error on connect")
+			} else if test.err != nil && err != nil {
+				// Error on connect was expected
+				if test.err.Error() != err.Error() {
+					t.Errorf("Expected error %s, got: %s", test.err, err)
+				}
+				return
+			}
+			nc.Close()
+			time.Sleep(2 * time.Second)
+			fi, err = statCacheFile("")
+			if err == nil && fi != nil && fi.Size() > firstFi.Size() {
+				// good
+			} else {
+				if err != nil {
+					t.Fatalf("Expected an extant local cache file, got error: %v", err)
+				}
+				if fi != nil {
+					t.Fatalf("Expected non-zero size local cache file with more bytes, got a FileInfo with size %d", fi.Size())
+				}
+			}
+		})
+	}
+}
+
+func statCacheFile(dir string) (os.FileInfo, error) {
+	if dir == "" {
+		dir = "_rc_"
+	}
+	return os.Stat(filepath.Join(dir, "cache.json"))
+}
+
+// TestOCSPPeerUndelegatedCAResponseSigner
+func TestOCSPPeerUndelegatedCAResponseSigner(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	rootCAResponder := newOCSPResponderRootCA(t)
+	rootCAResponderURL := fmt.Sprintf("http://%s", rootCAResponder.Addr)
+	defer rootCAResponder.Shutdown(ctx)
+	setOCSPStatus(t, rootCAResponderURL, "configs/certs/ocsp_peer/mini-ca/intermediate1/intermediate1_cert.pem", ocsp.Good)
+
+	intermediateCA1Responder := newOCSPResponderIntermediateCA1Undelegated(t)
+	intermediateCA1ResponderURL := fmt.Sprintf("http://%s", intermediateCA1Responder.Addr)
+	defer intermediateCA1Responder.Shutdown(ctx)
+	setOCSPStatus(t, intermediateCA1ResponderURL, "configs/certs/ocsp_peer/mini-ca/client1/UserA1_cert.pem", ocsp.Good)
+
+	for _, test := range []struct {
+		name      string
+		config    string
+		opts      []nats.Option
+		err       error
+		rerr      error
+		configure func()
+	}{
+		{
+			"mTLS OCSP peer check on inbound client connection, responder is CA (undelegated)",
+			`
+				port: -1
+				# Cache configuration is default
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Turn on CA OCSP check so unvalidated clients can't connect
+					ocsp_peer: true
+				}
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			nil,
+			nil,
+			func() {},
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			deleteLocalStore(t, "")
+			test.configure()
+			content := test.config
+			conf := createConfFile(t, []byte(content))
+			s, opts := RunServerWithConfig(conf)
+			defer s.Shutdown()
+			nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port), test.opts...)
+			if test.err == nil && err != nil {
+				t.Errorf("Expected to connect, got %v", err)
+			} else if test.err != nil && err == nil {
+				t.Errorf("Expected error on connect")
+			} else if test.err != nil && err != nil {
+				// Error on connect was expected
+				if test.err.Error() != err.Error() {
+					t.Errorf("Expected error %s, got: %s", test.err, err)
+				}
+				return
+			}
+			defer nc.Close()
+		})
+	}
+}
+
+// TestOCSPPeerDelegatedCAResponseSigner
+func TestOCSPPeerDelegatedCAResponseSigner(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	rootCAResponder := newOCSPResponderRootCA(t)
+	rootCAResponderURL := fmt.Sprintf("http://%s", rootCAResponder.Addr)
+	defer rootCAResponder.Shutdown(ctx)
+	setOCSPStatus(t, rootCAResponderURL, "configs/certs/ocsp_peer/mini-ca/intermediate1/intermediate1_cert.pem", ocsp.Good)
+
+	intermediateCA1Responder := newOCSPResponderIntermediateCA1(t)
+	intermediateCA1ResponderURL := fmt.Sprintf("http://%s", intermediateCA1Responder.Addr)
+	defer intermediateCA1Responder.Shutdown(ctx)
+	setOCSPStatus(t, intermediateCA1ResponderURL, "configs/certs/ocsp_peer/mini-ca/client1/UserA1_cert.pem", ocsp.Good)
+
+	for _, test := range []struct {
+		name      string
+		config    string
+		opts      []nats.Option
+		err       error
+		rerr      error
+		configure func()
+	}{
+		{
+			"mTLS OCSP peer check on inbound client connection, responder is CA (undelegated)",
+			`
+				port: -1
+				# Cache configuration is default
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Turn on CA OCSP check so unvalidated clients can't connect
+					ocsp_peer: true
+				}
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			nil,
+			nil,
+			func() {},
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			deleteLocalStore(t, "")
+			test.configure()
+			content := test.config
+			conf := createConfFile(t, []byte(content))
+			s, opts := RunServerWithConfig(conf)
+			defer s.Shutdown()
+			nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port), test.opts...)
+			if test.err == nil && err != nil {
+				t.Errorf("Expected to connect, got %v", err)
+			} else if test.err != nil && err == nil {
+				t.Errorf("Expected error on connect")
+			} else if test.err != nil && err != nil {
+				// Error on connect was expected
+				if test.err.Error() != err.Error() {
+					t.Errorf("Expected error %s, got: %s", test.err, err)
+				}
+				return
+			}
+			defer nc.Close()
+		})
+	}
+}
+
+// TestOCSPPeerBadDelegatedCAResponseSigner
+func TestOCSPPeerBadDelegatedCAResponseSigner(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	rootCAResponder := newOCSPResponderRootCA(t)
+	rootCAResponderURL := fmt.Sprintf("http://%s", rootCAResponder.Addr)
+	defer rootCAResponder.Shutdown(ctx)
+	setOCSPStatus(t, rootCAResponderURL, "configs/certs/ocsp_peer/mini-ca/intermediate1/intermediate1_cert.pem", ocsp.Good)
+
+	intermediateCA1Responder := newOCSPResponderBadDelegateIntermediateCA1(t)
+	intermediateCA1ResponderURL := fmt.Sprintf("http://%s", intermediateCA1Responder.Addr)
+	defer intermediateCA1Responder.Shutdown(ctx)
+	setOCSPStatus(t, intermediateCA1ResponderURL, "configs/certs/ocsp_peer/mini-ca/client1/UserA1_cert.pem", ocsp.Good)
+
+	for _, test := range []struct {
+		name      string
+		config    string
+		opts      []nats.Option
+		err       error
+		rerr      error
+		configure func()
+	}{
+		{
+			"mTLS OCSP peer check on inbound client connection, responder is not a legal delegate",
+			`
+				port: -1
+				# Cache configuration is default
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Turn on CA OCSP check so unvalidated clients can't connect
+					ocsp_peer: true
+				}
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			errors.New("remote error: tls: bad certificate"),
+			errors.New("expect error"),
+			func() {},
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			deleteLocalStore(t, "")
+			test.configure()
+			content := test.config
+			conf := createConfFile(t, []byte(content))
+			s, opts := RunServerWithConfig(conf)
+			defer s.Shutdown()
+			nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port), test.opts...)
+			if test.err == nil && err != nil {
+				t.Errorf("Expected to connect, got %v", err)
+			} else if test.err != nil && err == nil {
+				t.Errorf("Expected error on connect")
+			} else if test.err != nil && err != nil {
+				// Error on connect was expected
+				if test.err.Error() != err.Error() {
+					t.Errorf("Expected error %s, got: %s", test.err, err)
+				}
+				return
+			}
+			defer nc.Close()
+		})
+	}
+}
+
+// TestOCSPPeerNextUpdateUnset is test of scenario when responder does not set NextUpdate and cache TTL option is used
+func TestOCSPPeerNextUpdateUnset(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	rootCAResponder := newOCSPResponderRootCA(t)
+	rootCAResponderURL := fmt.Sprintf("http://%s", rootCAResponder.Addr)
+	defer rootCAResponder.Shutdown(ctx)
+	setOCSPStatus(t, rootCAResponderURL, "configs/certs/ocsp_peer/mini-ca/intermediate1/intermediate1_cert.pem", ocsp.Good)
+
+	respCertPEM := "configs/certs/ocsp_peer/mini-ca/ocsp1/ocsp1_bundle.pem"
+	respKeyPEM := "configs/certs/ocsp_peer/mini-ca/ocsp1/private/ocsp1_keypair.pem"
+	issuerCertPEM := "configs/certs/ocsp_peer/mini-ca/intermediate1/intermediate1_cert.pem"
+	intermediateCA1Responder := newOCSPResponderBase(t, issuerCertPEM, respCertPEM, respKeyPEM, true, "127.0.0.1:18888", 0)
+	intermediateCA1ResponderURL := fmt.Sprintf("http://%s", intermediateCA1Responder.Addr)
+	defer intermediateCA1Responder.Shutdown(ctx)
+	setOCSPStatus(t, intermediateCA1ResponderURL, "configs/certs/ocsp_peer/mini-ca/client1/UserA1_cert.pem", ocsp.Good)
+
+	for _, test := range []struct {
+		name           string
+		config         string
+		opts           []nats.Option
+		err            error
+		rerr           error
+		expectedMisses int64
+		configure      func()
+	}{
+		{
+			"TTL set to 4 seconds with second client connection leveraging cache from first client connect",
+			`
+				port: -1
+				http_port: 8222
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Long form configuration
+					ocsp_peer: {
+						verify: true
+						ca_timeout: 5
+						allowed_clockskew: 0
+						cache_ttl_when_next_update_unset: 4
+					}
+				}
+				# Short form configuration, local as default
+				ocsp_cache: true
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			nil,
+			nil,
+			2,
+			func() {},
+		},
+		{
+			"TTL set to 1 seconds with second client connection not leveraging cache items from first client connect",
+			`
+				port: -1
+				http_port: 8222
+				tls: {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+					verify: true
+					# Long form configuration
+					ocsp_peer: {
+						verify: true
+						ca_timeout: 5
+						allowed_clockskew: 0
+						cache_ttl_when_next_update_unset: 1
+					}
+				}
+				# Short form configuration, local as default
+				ocsp_cache: true
+			`,
+			[]nats.Option{
+				nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
+				nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			nil,
+			nil,
+			3,
+			func() {},
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			// Cleanup any previous test that saved a local cache
+			deleteLocalStore(t, "")
+			test.configure()
+			content := test.config
+			conf := createConfFile(t, []byte(content))
+			s, opts := RunServerWithConfig(conf)
+			defer s.Shutdown()
+			nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port), test.opts...)
+			if test.err == nil && err != nil {
+				t.Errorf("Expected to connect, got %v", err)
+			} else if test.err != nil && err == nil {
+				t.Errorf("Expected error on connect")
+			} else if test.err != nil && err != nil {
+				// Error on connect was expected
+				if test.err.Error() != err.Error() {
+					t.Errorf("Expected error %s, got: %s", test.err, err)
+				}
+				return
+			}
+			nc.Close()
+
+			// Wait interval shorter than first test, and longer than second test
+			time.Sleep(2 * time.Second)
+
+			nc, err = nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port), test.opts...)
+			if test.err == nil && err != nil {
+				t.Errorf("Expected to connect, got %v", err)
+			} else if test.err != nil && err == nil {
+				t.Errorf("Expected error on connect")
+			} else if test.err != nil && err != nil {
+				// Error on connect was expected
+				if test.err.Error() != err.Error() {
+					t.Errorf("Expected error %s, got: %s", test.err, err)
+				}
+				return
+			}
+			defer nc.Close()
+
+			v := monitorGetVarzHelper(t, 8222)
+			if v.OCSPResponseCache.Misses != test.expectedMisses || v.OCSPResponseCache.Responses != 2 {
+				t.Errorf("Expected cache misses to be %d and cache items to be 2, got %d and %d", test.expectedMisses, v.OCSPResponseCache.Misses, v.OCSPResponseCache.Responses)
+			}
+		})
+	}
+}
diff --git a/test/ocsp_test.go b/test/ocsp_test.go
index e83fea7c1..bf1635051 100644
--- a/test/ocsp_test.go
+++ b/test/ocsp_test.go
@@ -1,4 +1,4 @@
-// Copyright 2021 The NATS Authors
+// Copyright 2021-2023 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -16,7 +16,7 @@ package test
 import (
 	"bytes"
 	"context"
-	"crypto/rsa"
+	"crypto"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
@@ -32,9 +32,15 @@ import (
 	"testing"
 	"time"
 
+	"golang.org/x/crypto/ocsp"
+
 	"github.com/memphisdev/memphis/server"
 	"github.com/nats-io/nats.go"
-	"golang.org/x/crypto/ocsp"
+)
+
+const (
+	defaultResponseTTL = 4 * time.Second
+	defaultAddress     = "127.0.0.1:8888"
 )
 
 func TestOCSPAlwaysMustStapleAndShutdown(t *testing.T) {
@@ -1255,6 +1261,7 @@ func TestOCSPLeaf(t *testing.T) {
 	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-06-cert.pem", ocsp.Good)
 	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-07-cert.pem", ocsp.Good)
 	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-08-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/client-cert.pem", ocsp.Good)
 
 	// Store Dirs
 	storeDirA := t.TempDir()
@@ -1275,6 +1282,7 @@ func TestOCSPLeaf(t *testing.T) {
 			timeout: 5
 		}
 		store_dir: '%s'
+
 		leafnodes {
 			host: "127.0.0.1"
 			port: -1
@@ -1285,6 +1293,8 @@ func TestOCSPLeaf(t *testing.T) {
 				key_file: "configs/certs/ocsp/server-status-request-url-02-key.pem"
 				ca_file: "configs/certs/ocsp/ca-cert.pem"
 				timeout: 5
+				# Leaf connection must present certs.
+				verify: true
 			}
 		}
 	`
@@ -1293,7 +1303,8 @@ func TestOCSPLeaf(t *testing.T) {
 	srvA, optsA := RunServerWithConfig(sconfA)
 	defer srvA.Shutdown()
 
-	// LeafNode that has the original as a remote.
+	// LeafNode that has the original as a remote and running
+	// without OCSP Stapling for the leaf remote.
 	srvConfB := `
 		host: "127.0.0.1"
 		port: -1
@@ -1307,12 +1318,14 @@ func TestOCSPLeaf(t *testing.T) {
 			timeout: 5
 		}
 		store_dir: '%s'
+
 		leafnodes {
 			remotes: [ {
 				url: "tls://127.0.0.1:%d"
 				tls {
-					cert_file: "configs/certs/ocsp/server-status-request-url-04-cert.pem"
-					key_file: "configs/certs/ocsp/server-status-request-url-04-key.pem"
+					# Cert without OCSP Stapling enabled is able to connect.
+					cert_file: "configs/certs/ocsp/client-cert.pem"
+					key_file: "configs/certs/ocsp/client-key.pem"
 					ca_file: "configs/certs/ocsp/ca-cert.pem"
 					timeout: 5
 				}
@@ -1341,19 +1354,19 @@ func TestOCSPLeaf(t *testing.T) {
 		t.Fatal(err)
 	}
 	defer cA.Close()
-	// checkLeafNodeConnected(t, srvA)
+	checkLeafNodeConnected(t, srvA)
 
 	// Revoke the seed server cluster certificate, following servers will not be able to verify connection.
 	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-02-cert.pem", ocsp.Revoked)
 
-	// Original set of servers still can communicate to each other, even though the cert has been revoked.
-	// checkLeafNodeConnected(t, srvA)
+	// Original set of servers still can communicate to each other via leafnode, even though the staple
+	// for the leaf server has been revoked.
+	checkLeafNodeConnected(t, srvA)
 
-	// Wait for seed server to notice that its certificate has been revoked,
-	// so that new leafnodes can't connect to it.
+	// Wait for seed server to notice that its certificate has been revoked.
 	time.Sleep(6 * time.Second)
 
-	// Start another server against the seed server that has an invalid OCSP Staple
+	// Start another server against the seed server that has an revoked OCSP Staple.
 	srvConfC := `
 		host: "127.0.0.1"
 		port: -1
@@ -1417,7 +1430,8 @@ func TestOCSPLeaf(t *testing.T) {
 	}
 	defer cC.Close()
 
-	// There should be no connectivity between the clients due to the revoked staple.
+	// There should be connectivity between the clients even if there is a revoked staple
+	// from a leafnode connection.
 	_, err = cA.Subscribe("foo", func(m *nats.Msg) {
 		m.Respond(nil)
 	})
@@ -1432,13 +1446,13 @@ func TestOCSPLeaf(t *testing.T) {
 		t.Fatal(err)
 	}
 	cB.Flush()
-	resp, err := cC.Request("foo", nil, 2*time.Second)
-	if err == nil {
-		t.Errorf("Unexpected success, response: %+v", resp)
+	_, err = cC.Request("foo", nil, 2*time.Second)
+	if err != nil {
+		t.Errorf("Expected success, got: %+v", err)
 	}
-	resp, err = cC.Request("bar", nil, 2*time.Second)
-	if err == nil {
-		t.Errorf("Unexpected success, response: %+v", resp)
+	_, err = cC.Request("bar", nil, 2*time.Second)
+	if err != nil {
+		t.Errorf("Expected success, got: %+v", err)
 	}
 
 	// Switch the certs from the leafnode server to new ones that are not revoked,
@@ -1466,6 +1480,7 @@ func TestOCSPLeaf(t *testing.T) {
 				key_file: "configs/certs/ocsp/server-status-request-url-08-key.pem"
 				ca_file: "configs/certs/ocsp/ca-cert.pem"
 				timeout: 5
+				verify: true
 			}
 		}
 	`
@@ -1502,7 +1517,7 @@ func TestOCSPLeaf(t *testing.T) {
 	}
 }
 
-func TestOCSPGateway(t *testing.T) {
+func TestOCSPLeafNoVerify(t *testing.T) {
 	const (
 		caCert = "configs/certs/ocsp/ca-cert.pem"
 		caKey  = "configs/certs/ocsp/ca-key.pem"
@@ -1520,13 +1535,14 @@ func TestOCSPGateway(t *testing.T) {
 	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-06-cert.pem", ocsp.Good)
 	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-07-cert.pem", ocsp.Good)
 	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-08-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/client-cert.pem", ocsp.Good)
 
 	// Store Dirs
 	storeDirA := t.TempDir()
 	storeDirB := t.TempDir()
 	storeDirC := t.TempDir()
 
-	// Gateway server configuration
+	// LeafNode server configuration
 	srvConfA := `
 		host: "127.0.0.1"
 		port: -1
@@ -1540,8 +1556,8 @@ func TestOCSPGateway(t *testing.T) {
 			timeout: 5
 		}
 		store_dir: '%s'
-		gateway {
-			name: A
+
+		leafnodes {
 			host: "127.0.0.1"
 			port: -1
 			advertise: "127.0.0.1"
@@ -1551,6 +1567,8 @@ func TestOCSPGateway(t *testing.T) {
 				key_file: "configs/certs/ocsp/server-status-request-url-02-key.pem"
 				ca_file: "configs/certs/ocsp/ca-cert.pem"
 				timeout: 5
+				# Leaf server does not require certs for clients.
+				verify: false
 			}
 		}
 	`
@@ -1559,7 +1577,7 @@ func TestOCSPGateway(t *testing.T) {
 	srvA, optsA := RunServerWithConfig(sconfA)
 	defer srvA.Shutdown()
 
-	// LeafNode that has the original as a remote.
+	// LeafNode remote that will connect to A and will not present certs.
 	srvConfB := `
 		host: "127.0.0.1"
 		port: -1
@@ -1573,30 +1591,18 @@ func TestOCSPGateway(t *testing.T) {
 			timeout: 5
 		}
 		store_dir: '%s'
-		gateway {
-			name: B
-			host: "127.0.0.1"
-			advertise: "127.0.0.1"
-			port: -1
-			gateways: [{
-				name: "A"
-				url: "nats://127.0.0.1:%d"
+
+		leafnodes {
+			remotes: [ {
+				url: "tls://127.0.0.1:%d"
 				tls {
-					cert_file: "configs/certs/ocsp/server-status-request-url-04-cert.pem"
-					key_file: "configs/certs/ocsp/server-status-request-url-04-key.pem"
 					ca_file: "configs/certs/ocsp/ca-cert.pem"
 					timeout: 5
 				}
-			}]
-			tls {
-				cert_file: "configs/certs/ocsp/server-status-request-url-04-cert.pem"
-				key_file: "configs/certs/ocsp/server-status-request-url-04-key.pem"
-				ca_file: "configs/certs/ocsp/ca-cert.pem"
-				timeout: 5
-			}
+			} ]
 		}
 	`
-	srvConfB = fmt.Sprintf(srvConfB, storeDirB, optsA.Gateway.Port)
+	srvConfB = fmt.Sprintf(srvConfB, storeDirB, optsA.LeafNode.Port)
 	conf := createConfFile(t, []byte(srvConfB))
 	srvB, optsB := RunServerWithConfig(conf)
 	defer srvB.Shutdown()
@@ -1618,20 +1624,18 @@ func TestOCSPGateway(t *testing.T) {
 		t.Fatal(err)
 	}
 	defer cA.Close()
-	waitForOutboundGateways(t, srvB, 1, 5*time.Second)
+	checkLeafNodeConnected(t, srvA)
 
 	// Revoke the seed server cluster certificate, following servers will not be able to verify connection.
 	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-02-cert.pem", ocsp.Revoked)
 
 	// Original set of servers still can communicate to each other, even though the cert has been revoked.
-	waitForOutboundGateways(t, srvA, 1, 5*time.Second)
-	waitForOutboundGateways(t, srvB, 1, 5*time.Second)
+	checkLeafNodeConnected(t, srvA)
 
-	// Wait for gateway A to notice that its certificate has been revoked,
-	// so that new gateways can't connect to it.
+	// Wait for seed server to notice that its certificate has been revoked.
 	time.Sleep(6 * time.Second)
 
-	// Start another server against the seed server that has an invalid OCSP Staple
+	// Start another server against the seed server that has an revoked OCSP Staple.
 	srvConfC := `
 		host: "127.0.0.1"
 		port: -1
@@ -1645,21 +1649,20 @@ func TestOCSPGateway(t *testing.T) {
 			timeout: 5
 		}
 		store_dir: '%s'
-		gateway {
-			name: C
-			host: "127.0.0.1"
-			advertise: "127.0.0.1"
-			port: -1
-			gateways: [{name: "A", url: "nats://127.0.0.1:%d" }]
-			tls {
-				cert_file: "configs/certs/ocsp/server-status-request-url-06-cert.pem"
-				key_file: "configs/certs/ocsp/server-status-request-url-06-key.pem"
-				ca_file: "configs/certs/ocsp/ca-cert.pem"
-				timeout: 5
-			}
+		leafnodes {
+			remotes: [ {
+				url: "tls://127.0.0.1:%d"
+				tls {
+					cert_file: "configs/certs/ocsp/server-status-request-url-06-cert.pem"
+					key_file: "configs/certs/ocsp/server-status-request-url-06-key.pem"
+					ca_file: "configs/certs/ocsp/ca-cert.pem"
+					timeout: 5
+					timeout: 5
+				}
+			} ]
 		}
 	`
-	srvConfC = fmt.Sprintf(srvConfC, storeDirC, optsA.Gateway.Port)
+	srvConfC = fmt.Sprintf(srvConfC, storeDirC, optsA.LeafNode.Port)
 	conf = createConfFile(t, []byte(srvConfC))
 	srvC, optsC := RunServerWithConfig(conf)
 	defer srvC.Shutdown()
@@ -1697,7 +1700,8 @@ func TestOCSPGateway(t *testing.T) {
 	}
 	defer cC.Close()
 
-	// There should be no connectivity between the clients due to the revoked staple.
+	// There should be connectivity between the clients even if there is a revoked staple
+	// from a leafnode connection.
 	_, err = cA.Subscribe("foo", func(m *nats.Msg) {
 		m.Respond(nil)
 	})
@@ -1712,21 +1716,17 @@ func TestOCSPGateway(t *testing.T) {
 		t.Fatal(err)
 	}
 	cB.Flush()
-
-	// Gateway C was not able to mesh with Gateway A because of the revoked OCSP staple
-	// so these requests to A and B should fail.
-	resp, err := cC.Request("foo", nil, 2*time.Second)
-	if err == nil {
-		t.Errorf("Unexpected success, response: %+v", resp)
+	_, err = cC.Request("foo", nil, 2*time.Second)
+	if err != nil {
+		t.Errorf("Expected success, got: %+v", err)
 	}
-	// Make request to B
-	resp, err = cC.Request("bar", nil, 2*time.Second)
-	if err == nil {
-		t.Errorf("Unexpected success, response: %+v", resp)
+	_, err = cC.Request("bar", nil, 2*time.Second)
+	if err != nil {
+		t.Errorf("Expected success, got: %+v", err)
 	}
 
-	// Switch the certs from the seed server to new ones that are not revoked,
-	// this should restart OCSP Stapling for the cluster routes.
+	// Switch the certs from the leafnode server to new ones that are not revoked,
+	// this should restart OCSP Stapling for the leafnode server.
 	srvConfA = `
 		host: "127.0.0.1"
 		port: -1
@@ -1740,8 +1740,7 @@ func TestOCSPGateway(t *testing.T) {
 			timeout: 5
 		}
 		store_dir: '%s'
-		gateway {
-			name: A
+		leafnodes {
 			host: "127.0.0.1"
 			port: -1
 			advertise: "127.0.0.1"
@@ -1751,10 +1750,10 @@ func TestOCSPGateway(t *testing.T) {
 				key_file: "configs/certs/ocsp/server-status-request-url-08-key.pem"
 				ca_file: "configs/certs/ocsp/ca-cert.pem"
 				timeout: 5
+				verify: true
 			}
 		}
 	`
-
 	srvConfA = fmt.Sprintf(srvConfA, storeDirA)
 	if err := os.WriteFile(sconfA, []byte(srvConfA), 0666); err != nil {
 		t.Fatalf("Error writing config: %v", err)
@@ -1763,424 +1762,1463 @@ func TestOCSPGateway(t *testing.T) {
 		t.Fatal(err)
 	}
 	time.Sleep(4 * time.Second)
-	waitForOutboundGateways(t, srvA, 2, 5*time.Second)
-	waitForOutboundGateways(t, srvB, 2, 5*time.Second)
-	waitForOutboundGateways(t, srvC, 2, 5*time.Second)
 
-	// Now clients connect to C can communicate with B and A.
+	// A <-> A
+	_, err = cA.Request("foo", nil, 2*time.Second)
+	if err != nil {
+		t.Errorf("%v", err)
+	}
+
+	// B <-> A
+	_, err = cB.Request("foo", nil, 2*time.Second)
+	if err != nil {
+		t.Errorf("%v", err)
+	}
+
+	// C <-> A
 	_, err = cC.Request("foo", nil, 2*time.Second)
 	if err != nil {
 		t.Errorf("%v", err)
 	}
+	// C <-> B via leafnode A
 	_, err = cC.Request("bar", nil, 2*time.Second)
 	if err != nil {
 		t.Errorf("%v", err)
 	}
 }
 
-func TestOCSPGatewayIntermediate(t *testing.T) {
+func TestOCSPLeafVerifyLeafRemote(t *testing.T) {
 	const (
-		caCert       = "configs/certs/ocsp/desgsign/ca-cert.pem"
-		caIntermCert = "configs/certs/ocsp/desgsign/ca-interm-cert.pem"
-		caIntermKey  = "configs/certs/ocsp/desgsign/ca-interm-key.pem"
+		caCert = "configs/certs/ocsp/ca-cert.pem"
+		caKey  = "configs/certs/ocsp/ca-key.pem"
 	)
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
-
-	ocspr := newOCSPResponderDesignated(t, caCert, caIntermCert, caIntermKey, true)
+	ocspr := newOCSPResponder(t, caCert, caKey)
 	defer ocspr.Shutdown(ctx)
-
 	addr := fmt.Sprintf("http://%s", ocspr.Addr)
-	setOCSPStatus(t, addr, "configs/certs/ocsp/desgsign/server-01-cert.pem", ocsp.Good)
-	setOCSPStatus(t, addr, "configs/certs/ocsp/desgsign/server-02-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-01-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-02-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-03-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-04-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-05-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-06-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-07-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-08-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/client-cert.pem", ocsp.Good)
 
-	// Gateway server configuration
+	// Store Dirs
+	storeDirA := t.TempDir()
+	storeDirB := t.TempDir()
+
+	// LeafNode server configuration
 	srvConfA := `
 		host: "127.0.0.1"
 		port: -1
 
 		server_name: "AAA"
 
-		ocsp: {
-			mode: always
-			url: %s
+		tls {
+			cert_file: "configs/certs/ocsp/server-status-request-url-01-cert.pem"
+			key_file: "configs/certs/ocsp/server-status-request-url-01-key.pem"
+			ca_file: "configs/certs/ocsp/ca-cert.pem"
+			timeout: 5
 		}
+		store_dir: '%s'
 
-		gateway {
-			name: A
+		leafnodes {
 			host: "127.0.0.1"
 			port: -1
 			advertise: "127.0.0.1"
 
 			tls {
-				cert_file: "configs/certs/ocsp/desgsign/server-01-cert.pem"
-				key_file: "configs/certs/ocsp/desgsign/server-01-key.pem"
-				ca_file: "configs/certs/ocsp/desgsign/ca-chain-cert.pem"
+				cert_file: "configs/certs/ocsp/server-status-request-url-02-cert.pem"
+				key_file: "configs/certs/ocsp/server-status-request-url-02-key.pem"
+				ca_file: "configs/certs/ocsp/ca-cert.pem"
 				timeout: 5
+				verify: true
 			}
 		}
 	`
-	srvConfA = fmt.Sprintf(srvConfA, addr)
+	srvConfA = fmt.Sprintf(srvConfA, storeDirA)
 	sconfA := createConfFile(t, []byte(srvConfA))
 	srvA, optsA := RunServerWithConfig(sconfA)
 	defer srvA.Shutdown()
 
+	// LeafNode remote that will connect to A and will not present certs.
 	srvConfB := `
 		host: "127.0.0.1"
 		port: -1
 
 		server_name: "BBB"
 
-		ocsp: {
-			mode: always
-			url: %s
+		tls {
+			cert_file: "configs/certs/ocsp/server-status-request-url-03-cert.pem"
+			key_file: "configs/certs/ocsp/server-status-request-url-03-key.pem"
+			ca_file: "configs/certs/ocsp/ca-cert.pem"
+			timeout: 5
 		}
+		store_dir: '%s'
 
-		gateway {
-			name: B
-			host: "127.0.0.1"
-			advertise: "127.0.0.1"
-			port: -1
-			gateways: [{
-				name: "A"
-				url: "nats://127.0.0.1:%d"
-			}]
-			tls {
-				cert_file: "configs/certs/ocsp/desgsign/server-02-cert.pem"
-				key_file: "configs/certs/ocsp/desgsign/server-02-key.pem"
-				ca_file: "configs/certs/ocsp/desgsign/ca-chain-cert.pem"
-				timeout: 5
-			}
+		leafnodes {
+			remotes: [ {
+				url: "tls://127.0.0.1:%d"
+				tls {
+					ca_file: "configs/certs/ocsp/ca-cert.pem"
+					timeout: 5
+				}
+			} ]
 		}
 	`
-	srvConfB = fmt.Sprintf(srvConfB, addr, optsA.Gateway.Port)
+	srvConfB = fmt.Sprintf(srvConfB, storeDirB, optsA.LeafNode.Port)
 	conf := createConfFile(t, []byte(srvConfB))
-	srvB, optsB := RunServerWithConfig(conf)
+	srvB, _ := RunServerWithConfig(conf)
 	defer srvB.Shutdown()
 
 	// Client connects to server A.
-	cA, err := nats.Connect(fmt.Sprintf("nats://127.0.0.1:%d", optsA.Port),
+	cA, err := nats.Connect(fmt.Sprintf("tls://127.0.0.1:%d", optsA.Port),
+		nats.Secure(&tls.Config{
+			VerifyConnection: func(s tls.ConnectionState) error {
+				if s.OCSPResponse == nil {
+					return fmt.Errorf("missing OCSP Staple from server")
+				}
+				return nil
+			},
+		}),
+		nats.RootCAs(caCert),
 		nats.ErrorHandler(noOpErrHandler),
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer cA.Close()
-	waitForOutboundGateways(t, srvB, 1, 5*time.Second)
 
-	cB, err := nats.Connect(fmt.Sprintf("nats://127.0.0.1:%d", optsB.Port),
-		nats.ErrorHandler(noOpErrHandler),
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer cB.Close()
+	// Should not have been able to connect.
+	checkLeafNodeConnections(t, srvA, 0)
 }
 
-func TestOCSPCustomConfig(t *testing.T) {
+func TestOCSPLeafVerifyAndMapLeafRemote(t *testing.T) {
 	const (
-		caCert     = "configs/certs/ocsp/ca-cert.pem"
-		caKey      = "configs/certs/ocsp/ca-key.pem"
-		serverCert = "configs/certs/ocsp/server-cert.pem"
-		serverKey  = "configs/certs/ocsp/server-key.pem"
+		caCert = "configs/certs/ocsp/ca-cert.pem"
+		caKey  = "configs/certs/ocsp/ca-key.pem"
 	)
-
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 	ocspr := newOCSPResponder(t, caCert, caKey)
-	ocspURL := fmt.Sprintf("http://%s", ocspr.Addr)
 	defer ocspr.Shutdown(ctx)
+	addr := fmt.Sprintf("http://%s", ocspr.Addr)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-01-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-02-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-03-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-04-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-05-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-06-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-07-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-08-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/client-cert.pem", ocsp.Good)
 
-	var (
-		errExpectedNoStaple = fmt.Errorf("expected no staple")
-		errMissingStaple    = fmt.Errorf("missing OCSP Staple from server")
-	)
-
-	for _, test := range []struct {
-		name      string
-		config    string
-		opts      []nats.Option
-		err       error
-		rerr      error
-		configure func()
-	}{
-		{
-			"OCSP Stapling in auto mode makes server fail to boot if status is revoked",
-			`
-				port: -1
+	// Store Dirs
+	storeDirA := t.TempDir()
+	storeDirB := t.TempDir()
 
-				ocsp {
-					mode: auto
-				}
+	// LeafNode server configuration
+	srvConfA := `
+		host: "127.0.0.1"
+		port: -1
 
-				tls {
-					cert_file: "configs/certs/ocsp/server-cert.pem"
-					key_file: "configs/certs/ocsp/server-key.pem"
-					ca_file: "configs/certs/ocsp/ca-cert.pem"
-					timeout: 5
-				}
-			`,
-			[]nats.Option{
-				nats.Secure(&tls.Config{
-					VerifyConnection: func(s tls.ConnectionState) error {
-						if s.OCSPResponse != nil {
-							return errExpectedNoStaple
-						}
-						return nil
-					},
-				}),
-				nats.ClientCert("./configs/certs/ocsp/client-cert.pem", "./configs/certs/ocsp/client-key.pem"),
-				nats.RootCAs(caCert),
-				nats.ErrorHandler(noOpErrHandler),
-			},
-			nil,
-			nil,
-			func() { setOCSPStatus(t, ocspURL, serverCert, ocsp.Revoked) },
-		},
-		{
-			"OCSP Stapling must staple ignored if disabled with ocsp: false",
-			`
-				port: -1
+		server_name: "AAA"
 
-				ocsp: false
+		tls {
+			cert_file: "configs/certs/ocsp/server-status-request-url-01-cert.pem"
+			key_file: "configs/certs/ocsp/server-status-request-url-01-key.pem"
+			ca_file: "configs/certs/ocsp/ca-cert.pem"
+			timeout: 5
+			verify_and_map: true
+		}
+		store_dir: '%s'
+
+		leafnodes {
+			host: "127.0.0.1"
+			port: -1
+			advertise: "127.0.0.1"
+
+			tls {
+				cert_file: "configs/certs/ocsp/server-status-request-url-02-cert.pem"
+				key_file: "configs/certs/ocsp/server-status-request-url-02-key.pem"
+				ca_file: "configs/certs/ocsp/ca-cert.pem"
+				timeout: 5
+				verify_and_map: true
+			}
+		}
+
+		accounts: {
+			leaf: {
+			  users: [ {user: "C=US, ST=CA, L=San Francisco, O=Synadia, OU=nats.io, CN=localhost server-status-request-url-04"} ]
+			}
+			client: {
+			  users: [ {user: "C=US, ST=CA, L=San Francisco, O=Synadia, OU=nats.io, CN=localhost client"} ]
+			}
+		}
+
+	`
+	srvConfA = fmt.Sprintf(srvConfA, storeDirA)
+	sconfA := createConfFile(t, []byte(srvConfA))
+	srvA, optsA := RunServerWithConfig(sconfA)
+	defer srvA.Shutdown()
+
+	// LeafNode remote that will connect to A and will not present certs.
+	srvConfB := `
+		host: "127.0.0.1"
+		port: -1
+
+		server_name: "BBB"
+
+		tls {
+			cert_file: "configs/certs/ocsp/server-status-request-url-03-cert.pem"
+			key_file: "configs/certs/ocsp/server-status-request-url-03-key.pem"
+			ca_file: "configs/certs/ocsp/ca-cert.pem"
+			timeout: 5
+		}
+		store_dir: '%s'
 
+		leafnodes {
+			remotes: [ {
+				url: "tls://127.0.0.1:%d"
 				tls {
-					cert_file: "configs/certs/ocsp/server-status-request-url-01-cert.pem"
-					key_file: "configs/certs/ocsp/server-status-request-url-01-key.pem"
+					cert_file: "configs/certs/ocsp/server-status-request-url-04-cert.pem"
+					key_file: "configs/certs/ocsp/server-status-request-url-04-key.pem"
 					ca_file: "configs/certs/ocsp/ca-cert.pem"
 					timeout: 5
 				}
-			`,
-			[]nats.Option{
-				nats.Secure(&tls.Config{
-					VerifyConnection: func(s tls.ConnectionState) error {
-						if s.OCSPResponse != nil {
-							return errExpectedNoStaple
-						}
-						return nil
-					},
-				}),
-				nats.ClientCert("./configs/certs/ocsp/client-cert.pem", "./configs/certs/ocsp/client-key.pem"),
-				nats.RootCAs(caCert),
-				nats.ErrorHandler(noOpErrHandler),
-			},
-			nil,
-			nil,
-			func() {
-				setOCSPStatus(t, ocspURL, "configs/certs/ocsp/server-status-request-url-01-cert.pem", ocsp.Good)
+			} ]
+		}
+	`
+	srvConfB = fmt.Sprintf(srvConfB, storeDirB, optsA.LeafNode.Port)
+	conf := createConfFile(t, []byte(srvConfB))
+	srvB, _ := RunServerWithConfig(conf)
+	defer srvB.Shutdown()
+
+	// Client connects to server A.
+	cA, err := nats.Connect(fmt.Sprintf("tls://127.0.0.1:%d", optsA.Port),
+		nats.Secure(&tls.Config{
+			VerifyConnection: func(s tls.ConnectionState) error {
+				if s.OCSPResponse == nil {
+					return fmt.Errorf("missing OCSP Staple from server")
+				}
+				return nil
 			},
-		},
-		{
-			"OCSP Stapling must staple ignored if disabled with ocsp mode never",
-			`
-				port: -1
+		}),
+		nats.ClientCert("./configs/certs/ocsp/client-cert.pem", "./configs/certs/ocsp/client-key.pem"),
+		nats.RootCAs(caCert),
+		nats.ErrorHandler(noOpErrHandler),
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cA.Close()
+	checkLeafNodeConnections(t, srvA, 1)
+}
 
-				ocsp: { mode: never }
+func TestOCSPGateway(t *testing.T) {
+	const (
+		caCert = "configs/certs/ocsp/ca-cert.pem"
+		caKey  = "configs/certs/ocsp/ca-key.pem"
+	)
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	ocspr := newOCSPResponder(t, caCert, caKey)
+	defer ocspr.Shutdown(ctx)
+	addr := fmt.Sprintf("http://%s", ocspr.Addr)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-01-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-02-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-03-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-04-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-05-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-06-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-07-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-08-cert.pem", ocsp.Good)
+
+	// Store Dirs
+	storeDirA := t.TempDir()
+	storeDirB := t.TempDir()
+	storeDirC := t.TempDir()
+
+	// Gateway server configuration
+	srvConfA := `
+		host: "127.0.0.1"
+		port: -1
+
+		server_name: "AAA"
+
+		tls {
+			cert_file: "configs/certs/ocsp/server-status-request-url-01-cert.pem"
+			key_file: "configs/certs/ocsp/server-status-request-url-01-key.pem"
+			ca_file: "configs/certs/ocsp/ca-cert.pem"
+			timeout: 5
+		}
+		store_dir: '%s'
+		gateway {
+			name: A
+			host: "127.0.0.1"
+			port: -1
+			advertise: "127.0.0.1"
+
+			tls {
+				cert_file: "configs/certs/ocsp/server-status-request-url-02-cert.pem"
+				key_file: "configs/certs/ocsp/server-status-request-url-02-key.pem"
+				ca_file: "configs/certs/ocsp/ca-cert.pem"
+				timeout: 5
+			}
+		}
+	`
+	srvConfA = fmt.Sprintf(srvConfA, storeDirA)
+	sconfA := createConfFile(t, []byte(srvConfA))
+	srvA, optsA := RunServerWithConfig(sconfA)
+	defer srvA.Shutdown()
 
+	// LeafNode that has the original as a remote.
+	srvConfB := `
+		host: "127.0.0.1"
+		port: -1
+
+		server_name: "BBB"
+
+		tls {
+			cert_file: "configs/certs/ocsp/server-status-request-url-03-cert.pem"
+			key_file: "configs/certs/ocsp/server-status-request-url-03-key.pem"
+			ca_file: "configs/certs/ocsp/ca-cert.pem"
+			timeout: 5
+		}
+		store_dir: '%s'
+		gateway {
+			name: B
+			host: "127.0.0.1"
+			advertise: "127.0.0.1"
+			port: -1
+			gateways: [{
+				name: "A"
+				url: "nats://127.0.0.1:%d"
 				tls {
-					cert_file: "configs/certs/ocsp/server-status-request-url-01-cert.pem"
-					key_file: "configs/certs/ocsp/server-status-request-url-01-key.pem"
+					cert_file: "configs/certs/ocsp/server-status-request-url-04-cert.pem"
+					key_file: "configs/certs/ocsp/server-status-request-url-04-key.pem"
 					ca_file: "configs/certs/ocsp/ca-cert.pem"
 					timeout: 5
 				}
-			`,
-			[]nats.Option{
-				nats.Secure(&tls.Config{
-					VerifyConnection: func(s tls.ConnectionState) error {
-						if s.OCSPResponse != nil {
-							return errExpectedNoStaple
-						}
-						return nil
-					},
-				}),
-				nats.ClientCert("./configs/certs/ocsp/client-cert.pem", "./configs/certs/ocsp/client-key.pem"),
-				nats.RootCAs(caCert),
-				nats.ErrorHandler(noOpErrHandler),
+			}]
+			tls {
+				cert_file: "configs/certs/ocsp/server-status-request-url-04-cert.pem"
+				key_file: "configs/certs/ocsp/server-status-request-url-04-key.pem"
+				ca_file: "configs/certs/ocsp/ca-cert.pem"
+				timeout: 5
+			}
+		}
+	`
+	srvConfB = fmt.Sprintf(srvConfB, storeDirB, optsA.Gateway.Port)
+	conf := createConfFile(t, []byte(srvConfB))
+	srvB, optsB := RunServerWithConfig(conf)
+	defer srvB.Shutdown()
+
+	// Client connects to server A.
+	cA, err := nats.Connect(fmt.Sprintf("tls://127.0.0.1:%d", optsA.Port),
+		nats.Secure(&tls.Config{
+			VerifyConnection: func(s tls.ConnectionState) error {
+				if s.OCSPResponse == nil {
+					return fmt.Errorf("missing OCSP Staple from server")
+				}
+				return nil
 			},
-			nil,
-			nil,
-			func() {
+		}),
+		nats.RootCAs(caCert),
+		nats.ErrorHandler(noOpErrHandler),
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cA.Close()
+	waitForOutboundGateways(t, srvB, 1, 5*time.Second)
+
+	// Revoke the seed server cluster certificate, following servers will not be able to verify connection.
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-02-cert.pem", ocsp.Revoked)
+
+	// Original set of servers still can communicate to each other, even though the cert has been revoked.
+	waitForOutboundGateways(t, srvA, 1, 5*time.Second)
+	waitForOutboundGateways(t, srvB, 1, 5*time.Second)
+
+	// Wait for gateway A to notice that its certificate has been revoked,
+	// so that new gateways can't connect to it.
+	time.Sleep(6 * time.Second)
+
+	// Start another server against the seed server that has an invalid OCSP Staple
+	srvConfC := `
+		host: "127.0.0.1"
+		port: -1
+
+		server_name: "CCC"
+
+		tls {
+			cert_file: "configs/certs/ocsp/server-status-request-url-05-cert.pem"
+			key_file: "configs/certs/ocsp/server-status-request-url-05-key.pem"
+			ca_file: "configs/certs/ocsp/ca-cert.pem"
+			timeout: 5
+		}
+		store_dir: '%s'
+		gateway {
+			name: C
+			host: "127.0.0.1"
+			advertise: "127.0.0.1"
+			port: -1
+			gateways: [{name: "A", url: "nats://127.0.0.1:%d" }]
+			tls {
+				cert_file: "configs/certs/ocsp/server-status-request-url-06-cert.pem"
+				key_file: "configs/certs/ocsp/server-status-request-url-06-key.pem"
+				ca_file: "configs/certs/ocsp/ca-cert.pem"
+				timeout: 5
+			}
+		}
+	`
+	srvConfC = fmt.Sprintf(srvConfC, storeDirC, optsA.Gateway.Port)
+	conf = createConfFile(t, []byte(srvConfC))
+	srvC, optsC := RunServerWithConfig(conf)
+	defer srvC.Shutdown()
+
+	cB, err := nats.Connect(fmt.Sprintf("tls://127.0.0.1:%d", optsB.Port),
+		nats.Secure(&tls.Config{
+			VerifyConnection: func(s tls.ConnectionState) error {
+				if s.OCSPResponse == nil {
+					return fmt.Errorf("missing OCSP Staple from server")
+				}
+				return nil
+			},
+		}),
+		nats.RootCAs(caCert),
+		nats.ErrorHandler(noOpErrHandler),
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cB.Close()
+	cC, err := nats.Connect(fmt.Sprintf("tls://127.0.0.1:%d", optsC.Port),
+		nats.Secure(&tls.Config{
+			VerifyConnection: func(s tls.ConnectionState) error {
+				if s.OCSPResponse == nil {
+					return fmt.Errorf("missing OCSP Staple from server")
+				}
+				return nil
+			},
+		}),
+		nats.RootCAs(caCert),
+		nats.ErrorHandler(noOpErrHandler),
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cC.Close()
+
+	// There should be no connectivity between the clients due to the revoked staple.
+	_, err = cA.Subscribe("foo", func(m *nats.Msg) {
+		m.Respond(nil)
+	})
+	if err != nil {
+		t.Errorf("%v", err)
+	}
+	cA.Flush()
+	_, err = cB.Subscribe("bar", func(m *nats.Msg) {
+		m.Respond(nil)
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	cB.Flush()
+
+	// Gateway C was not able to mesh with Gateway A because of the revoked OCSP staple
+	// so these requests to A and B should fail.
+	resp, err := cC.Request("foo", nil, 2*time.Second)
+	if err == nil {
+		t.Errorf("Unexpected success, response: %+v", resp)
+	}
+	// Make request to B
+	resp, err = cC.Request("bar", nil, 2*time.Second)
+	if err == nil {
+		t.Errorf("Unexpected success, response: %+v", resp)
+	}
+
+	// Switch the certs from the seed server to new ones that are not revoked,
+	// this should restart OCSP Stapling for the cluster routes.
+	srvConfA = `
+		host: "127.0.0.1"
+		port: -1
+
+		server_name: "AAA"
+
+		tls {
+			cert_file: "configs/certs/ocsp/server-status-request-url-07-cert.pem"
+			key_file: "configs/certs/ocsp/server-status-request-url-07-key.pem"
+			ca_file: "configs/certs/ocsp/ca-cert.pem"
+			timeout: 5
+		}
+		store_dir: '%s'
+		gateway {
+			name: A
+			host: "127.0.0.1"
+			port: -1
+			advertise: "127.0.0.1"
+
+			tls {
+				cert_file: "configs/certs/ocsp/server-status-request-url-08-cert.pem"
+				key_file: "configs/certs/ocsp/server-status-request-url-08-key.pem"
+				ca_file: "configs/certs/ocsp/ca-cert.pem"
+				timeout: 5
+			}
+		}
+	`
+
+	srvConfA = fmt.Sprintf(srvConfA, storeDirA)
+	if err := os.WriteFile(sconfA, []byte(srvConfA), 0666); err != nil {
+		t.Fatalf("Error writing config: %v", err)
+	}
+	if err := srvA.Reload(); err != nil {
+		t.Fatal(err)
+	}
+	time.Sleep(4 * time.Second)
+	waitForOutboundGateways(t, srvA, 2, 5*time.Second)
+	waitForOutboundGateways(t, srvB, 2, 5*time.Second)
+	waitForOutboundGateways(t, srvC, 2, 5*time.Second)
+
+	// Now clients connect to C can communicate with B and A.
+	_, err = cC.Request("foo", nil, 2*time.Second)
+	if err != nil {
+		t.Errorf("%v", err)
+	}
+	_, err = cC.Request("bar", nil, 2*time.Second)
+	if err != nil {
+		t.Errorf("%v", err)
+	}
+}
+
+func TestOCSPGatewayIntermediate(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	intermediateCA1Responder := newOCSPResponderIntermediateCA1(t)
+	intermediateCA1ResponderURL := fmt.Sprintf("http://%s", intermediateCA1Responder.Addr)
+	defer intermediateCA1Responder.Shutdown(ctx)
+	setOCSPStatus(t, intermediateCA1ResponderURL, "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_cert.pem", ocsp.Good)
+	setOCSPStatus(t, intermediateCA1ResponderURL, "configs/certs/ocsp_peer/mini-ca/server1/TestServer2_cert.pem", ocsp.Good)
+
+	// Gateway server configuration
+	srvConfA := `
+		host: "127.0.0.1"
+		port: -1
+
+		server_name: "AAA"
+
+		ocsp: {
+			mode: always
+			url: %s
+		}
+
+		gateway {
+			name: A
+			host: "127.0.0.1"
+			port: -1
+			advertise: "127.0.0.1"
+
+			tls {
+				cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+				key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+				ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+				timeout: 5
+			}
+		}
+	`
+	srvConfA = fmt.Sprintf(srvConfA, intermediateCA1ResponderURL)
+	sconfA := createConfFile(t, []byte(srvConfA))
+	srvA, optsA := RunServerWithConfig(sconfA)
+	defer srvA.Shutdown()
+
+	srvConfB := `
+		host: "127.0.0.1"
+		port: -1
+
+		server_name: "BBB"
+
+		ocsp: {
+			mode: always
+			url: %s
+		}
+
+		gateway {
+			name: B
+			host: "127.0.0.1"
+			advertise: "127.0.0.1"
+			port: -1
+			gateways: [{
+				name: "A"
+				url: "nats://127.0.0.1:%d"
+			}]
+			tls {
+				cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer2_bundle.pem"
+				key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer2_keypair.pem"
+				ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+				timeout: 5
+			}
+		}
+	`
+	srvConfB = fmt.Sprintf(srvConfB, intermediateCA1ResponderURL, optsA.Gateway.Port)
+	conf := createConfFile(t, []byte(srvConfB))
+	srvB, optsB := RunServerWithConfig(conf)
+	defer srvB.Shutdown()
+
+	// Client connects to server A.
+	cA, err := nats.Connect(fmt.Sprintf("nats://127.0.0.1:%d", optsA.Port),
+		nats.ErrorHandler(noOpErrHandler),
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cA.Close()
+	waitForOutboundGateways(t, srvB, 1, 5*time.Second)
+
+	cB, err := nats.Connect(fmt.Sprintf("nats://127.0.0.1:%d", optsB.Port),
+		nats.ErrorHandler(noOpErrHandler),
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cB.Close()
+}
+
+func TestOCSPCustomConfig(t *testing.T) {
+	const (
+		caCert     = "configs/certs/ocsp/ca-cert.pem"
+		caKey      = "configs/certs/ocsp/ca-key.pem"
+		serverCert = "configs/certs/ocsp/server-cert.pem"
+		serverKey  = "configs/certs/ocsp/server-key.pem"
+	)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	ocspr := newOCSPResponder(t, caCert, caKey)
+	ocspURL := fmt.Sprintf("http://%s", ocspr.Addr)
+	defer ocspr.Shutdown(ctx)
+
+	var (
+		errExpectedNoStaple = fmt.Errorf("expected no staple")
+		errMissingStaple    = fmt.Errorf("missing OCSP Staple from server")
+	)
+
+	for _, test := range []struct {
+		name      string
+		config    string
+		opts      []nats.Option
+		err       error
+		rerr      error
+		configure func()
+	}{
+		{
+			"OCSP Stapling in auto mode makes server fail to boot if status is revoked",
+			`
+				port: -1
+
+				ocsp {
+					mode: auto
+				}
+
+				tls {
+					cert_file: "configs/certs/ocsp/server-cert.pem"
+					key_file: "configs/certs/ocsp/server-key.pem"
+					ca_file: "configs/certs/ocsp/ca-cert.pem"
+					timeout: 5
+				}
+			`,
+			[]nats.Option{
+				nats.Secure(&tls.Config{
+					VerifyConnection: func(s tls.ConnectionState) error {
+						if s.OCSPResponse != nil {
+							return errExpectedNoStaple
+						}
+						return nil
+					},
+				}),
+				nats.ClientCert("./configs/certs/ocsp/client-cert.pem", "./configs/certs/ocsp/client-key.pem"),
+				nats.RootCAs(caCert),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			nil,
+			nil,
+			func() { setOCSPStatus(t, ocspURL, serverCert, ocsp.Revoked) },
+		},
+		{
+			"OCSP Stapling must staple ignored if disabled with ocsp: false",
+			`
+				port: -1
+
+				ocsp: false
+
+				tls {
+					cert_file: "configs/certs/ocsp/server-status-request-url-01-cert.pem"
+					key_file: "configs/certs/ocsp/server-status-request-url-01-key.pem"
+					ca_file: "configs/certs/ocsp/ca-cert.pem"
+					timeout: 5
+				}
+			`,
+			[]nats.Option{
+				nats.Secure(&tls.Config{
+					VerifyConnection: func(s tls.ConnectionState) error {
+						if s.OCSPResponse != nil {
+							return errExpectedNoStaple
+						}
+						return nil
+					},
+				}),
+				nats.ClientCert("./configs/certs/ocsp/client-cert.pem", "./configs/certs/ocsp/client-key.pem"),
+				nats.RootCAs(caCert),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			nil,
+			nil,
+			func() {
+				setOCSPStatus(t, ocspURL, "configs/certs/ocsp/server-status-request-url-01-cert.pem", ocsp.Good)
+			},
+		},
+		{
+			"OCSP Stapling must staple ignored if disabled with ocsp mode never",
+			`
+				port: -1
+
+				ocsp: { mode: never }
+
+				tls {
+					cert_file: "configs/certs/ocsp/server-status-request-url-01-cert.pem"
+					key_file: "configs/certs/ocsp/server-status-request-url-01-key.pem"
+					ca_file: "configs/certs/ocsp/ca-cert.pem"
+					timeout: 5
+				}
+			`,
+			[]nats.Option{
+				nats.Secure(&tls.Config{
+					VerifyConnection: func(s tls.ConnectionState) error {
+						if s.OCSPResponse != nil {
+							return errExpectedNoStaple
+						}
+						return nil
+					},
+				}),
+				nats.ClientCert("./configs/certs/ocsp/client-cert.pem", "./configs/certs/ocsp/client-key.pem"),
+				nats.RootCAs(caCert),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			nil,
+			nil,
+			func() {
+				setOCSPStatus(t, ocspURL, "configs/certs/ocsp/server-status-request-url-01-cert.pem", ocsp.Good)
+			},
+		},
+		{
+			"OCSP Stapling in always mode fetches a staple even if cert does not have one",
+			`
+				port: -1
+
+				ocsp {
+					mode: always
+					url: "http://127.0.0.1:8888"
+				}
+
+				tls {
+					cert_file: "configs/certs/ocsp/server-cert.pem"
+					key_file: "configs/certs/ocsp/server-key.pem"
+					ca_file: "configs/certs/ocsp/ca-cert.pem"
+					timeout: 5
+				}
+			`,
+			[]nats.Option{
+				nats.Secure(&tls.Config{
+					VerifyConnection: func(s tls.ConnectionState) error {
+						if s.OCSPResponse == nil {
+							return errMissingStaple
+						}
+						return nil
+					},
+				}),
+				nats.ClientCert("./configs/certs/ocsp/client-cert.pem", "./configs/certs/ocsp/client-key.pem"),
+				nats.RootCAs(caCert),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			nil,
+			nil,
+			func() { setOCSPStatus(t, ocspURL, serverCert, ocsp.Good) },
+		},
+		{
+			"OCSP Stapling in must staple mode does not fetch staple if there is no must staple flag",
+			`
+				port: -1
+
+				ocsp {
+					mode: must
+					url: "http://127.0.0.1:8888"
+				}
+
+				tls {
+					cert_file: "configs/certs/ocsp/server-cert.pem"
+					key_file: "configs/certs/ocsp/server-key.pem"
+					ca_file: "configs/certs/ocsp/ca-cert.pem"
+					timeout: 5
+				}
+			`,
+			[]nats.Option{
+				nats.Secure(&tls.Config{
+					VerifyConnection: func(s tls.ConnectionState) error {
+						if s.OCSPResponse != nil {
+							return errExpectedNoStaple
+						}
+						return nil
+					},
+				}),
+				nats.ClientCert("./configs/certs/ocsp/client-cert.pem", "./configs/certs/ocsp/client-key.pem"),
+				nats.RootCAs(caCert),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			nil,
+			nil,
+			func() { setOCSPStatus(t, ocspURL, serverCert, ocsp.Good) },
+		},
+		{
+			"OCSP Stapling in must staple mode fetches staple if there is a must staple flag",
+			`
+				port: -1
+
+				ocsp {
+					mode: must
+					url: "http://127.0.0.1:8888"
+				}
+
+				tls {
+					cert_file: "configs/certs/ocsp/server-status-request-url-01-cert.pem"
+					key_file: "configs/certs/ocsp/server-status-request-url-01-key.pem"
+					ca_file: "configs/certs/ocsp/ca-cert.pem"
+					timeout: 5
+				}
+			`,
+			[]nats.Option{
+				nats.Secure(&tls.Config{
+					VerifyConnection: func(s tls.ConnectionState) error {
+						if s.OCSPResponse == nil {
+							return errMissingStaple
+						}
+						return nil
+					},
+				}),
+				nats.ClientCert("./configs/certs/ocsp/client-cert.pem", "./configs/certs/ocsp/client-key.pem"),
+				nats.RootCAs(caCert),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			nil,
+			nil,
+			func() {
 				setOCSPStatus(t, ocspURL, "configs/certs/ocsp/server-status-request-url-01-cert.pem", ocsp.Good)
 			},
-		},
-		{
-			"OCSP Stapling in always mode fetches a staple even if cert does not have one",
-			`
-				port: -1
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			test.configure()
+			content := test.config
+			conf := createConfFile(t, []byte(content))
+			s, opts := RunServerWithConfig(conf)
+			defer s.Shutdown()
+
+			nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port), test.opts...)
+			if test.err == nil && err != nil {
+				t.Errorf("Expected to connect, got %v", err)
+			} else if test.err != nil && err == nil {
+				t.Errorf("Expected error on connect")
+			} else if test.err != nil && err != nil {
+				// Error on connect was expected
+				if test.err.Error() != err.Error() {
+					t.Errorf("Expected error %s, got: %s", test.err, err)
+				}
+				return
+			}
+			defer nc.Close()
+
+			nc.Subscribe("ping", func(m *nats.Msg) {
+				m.Respond([]byte("pong"))
+			})
+			nc.Flush()
+
+			_, err = nc.Request("ping", []byte("ping"), 250*time.Millisecond)
+			if test.rerr != nil && err == nil {
+				t.Errorf("Expected error getting response")
+			} else if test.rerr == nil && err != nil {
+				t.Errorf("Expected response")
+			}
+		})
+	}
+}
+
+func TestOCSPCustomConfigReloadDisable(t *testing.T) {
+	const (
+		caCert            = "configs/certs/ocsp/ca-cert.pem"
+		caKey             = "configs/certs/ocsp/ca-key.pem"
+		serverCert        = "configs/certs/ocsp/server-cert.pem"
+		updatedServerCert = "configs/certs/ocsp/server-status-request-url-01-cert.pem"
+	)
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	ocspr := newOCSPResponder(t, caCert, caKey)
+	defer ocspr.Shutdown(ctx)
+	addr := fmt.Sprintf("http://%s", ocspr.Addr)
+	setOCSPStatus(t, addr, serverCert, ocsp.Good)
+	setOCSPStatus(t, addr, updatedServerCert, ocsp.Good)
+
+	// Start with server without OCSP Stapling MustStaple
+	content := `
+		port: -1
+
+		ocsp: { mode: always, url: "http://127.0.0.1:8888" }
+
+		tls {
+			cert_file: "configs/certs/ocsp/server-cert.pem"
+			key_file: "configs/certs/ocsp/server-key.pem"
+			ca_file: "configs/certs/ocsp/ca-cert.pem"
+			timeout: 5
+		}
+	`
+	conf := createConfFile(t, []byte(content))
+	s, opts := RunServerWithConfig(conf)
+	defer s.Shutdown()
+
+	nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port),
+		nats.Secure(&tls.Config{
+			VerifyConnection: func(s tls.ConnectionState) error {
+				if s.OCSPResponse == nil {
+					return fmt.Errorf("missing OCSP Staple!")
+				}
+				return nil
+			},
+		}),
+		nats.RootCAs(caCert),
+		nats.ErrorHandler(noOpErrHandler),
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer nc.Close()
+	sub, err := nc.SubscribeSync("foo")
+	if err != nil {
+		t.Fatal(err)
+	}
+	nc.Publish("foo", []byte("hello world"))
+	nc.Flush()
+
+	_, err = sub.NextMsg(1 * time.Second)
+	if err != nil {
+		t.Fatal(err)
+	}
+	nc.Close()
+
+	// Change and disable OCSP Stapling.
+	content = `
+		port: -1
+
+		ocsp: { mode: never }
+
+		tls {
+			cert_file: "configs/certs/ocsp/server-status-request-url-01-cert.pem"
+			key_file: "configs/certs/ocsp/server-status-request-url-01-key.pem"
+			ca_file: "configs/certs/ocsp/ca-cert.pem"
+			timeout: 5
+		}
+	`
+	if err := os.WriteFile(conf, []byte(content), 0666); err != nil {
+		t.Fatalf("Error writing config: %v", err)
+	}
+	if err := s.Reload(); err != nil {
+		t.Fatal(err)
+	}
+
+	// The new certificate has must staple but OCSP Stapling is disabled.
+	time.Sleep(2 * time.Second)
+
+	nc, err = nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port),
+		nats.Secure(&tls.Config{
+			VerifyConnection: func(s tls.ConnectionState) error {
+				if s.OCSPResponse != nil {
+					return fmt.Errorf("unexpected OCSP Staple!")
+				}
+				return nil
+			},
+		}),
+		nats.RootCAs(caCert),
+		nats.ErrorHandler(noOpErrHandler),
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+	nc.Close()
+}
+
+func TestOCSPCustomConfigReloadEnable(t *testing.T) {
+	const (
+		caCert            = "configs/certs/ocsp/ca-cert.pem"
+		caKey             = "configs/certs/ocsp/ca-key.pem"
+		serverCert        = "configs/certs/ocsp/server-cert.pem"
+		updatedServerCert = "configs/certs/ocsp/server-status-request-url-01-cert.pem"
+	)
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	ocspr := newOCSPResponder(t, caCert, caKey)
+	defer ocspr.Shutdown(ctx)
+	addr := fmt.Sprintf("http://%s", ocspr.Addr)
+	setOCSPStatus(t, addr, serverCert, ocsp.Good)
+	setOCSPStatus(t, addr, updatedServerCert, ocsp.Good)
+
+	// Start with server without OCSP Stapling MustStaple
+	content := `
+		port: -1
+
+		ocsp: { mode: never, url: "http://127.0.0.1:8888" }
+
+		tls {
+			cert_file: "configs/certs/ocsp/server-status-request-url-01-cert.pem"
+			key_file: "configs/certs/ocsp/server-status-request-url-01-key.pem"
+			ca_file: "configs/certs/ocsp/ca-cert.pem"
+			timeout: 5
+		}
+	`
+	conf := createConfFile(t, []byte(content))
+	s, opts := RunServerWithConfig(conf)
+	defer s.Shutdown()
+
+	nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port),
+		nats.Secure(&tls.Config{
+			VerifyConnection: func(s tls.ConnectionState) error {
+				if s.OCSPResponse != nil {
+					return fmt.Errorf("unexpected OCSP Staple!")
+				}
+				return nil
+			},
+		}),
+		nats.RootCAs(caCert),
+		nats.ErrorHandler(noOpErrHandler),
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer nc.Close()
+	sub, err := nc.SubscribeSync("foo")
+	if err != nil {
+		t.Fatal(err)
+	}
+	nc.Publish("foo", []byte("hello world"))
+	nc.Flush()
+
+	_, err = sub.NextMsg(1 * time.Second)
+	if err != nil {
+		t.Fatal(err)
+	}
+	nc.Close()
+
+	// Change and disable OCSP Stapling.
+	content = `
+		port: -1
+
+		ocsp: { mode: always, url: "http://127.0.0.1:8888" }
+
+		tls {
+			cert_file: "configs/certs/ocsp/server-status-request-url-01-cert.pem"
+			key_file: "configs/certs/ocsp/server-status-request-url-01-key.pem"
+			ca_file: "configs/certs/ocsp/ca-cert.pem"
+			timeout: 5
+		}
+	`
+	if err := os.WriteFile(conf, []byte(content), 0666); err != nil {
+		t.Fatalf("Error writing config: %v", err)
+	}
+	if err := s.Reload(); err != nil {
+		t.Fatal(err)
+	}
+	time.Sleep(2 * time.Second)
+
+	nc, err = nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port),
+		nats.Secure(&tls.Config{
+			VerifyConnection: func(s tls.ConnectionState) error {
+				if s.OCSPResponse == nil {
+					return fmt.Errorf("missing OCSP Staple!")
+				}
+				return nil
+			},
+		}),
+		nats.RootCAs(caCert),
+		nats.ErrorHandler(noOpErrHandler),
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+	nc.Close()
+}
+
+func newOCSPResponderCustomAddress(t *testing.T, issuerCertPEM, issuerKeyPEM string, addr string) *http.Server {
+	t.Helper()
+	return newOCSPResponderBase(t, issuerCertPEM, issuerCertPEM, issuerKeyPEM, false, addr, defaultResponseTTL)
+}
+
+func newOCSPResponder(t *testing.T, issuerCertPEM, issuerKeyPEM string) *http.Server {
+	t.Helper()
+	return newOCSPResponderBase(t, issuerCertPEM, issuerCertPEM, issuerKeyPEM, false, defaultAddress, defaultResponseTTL)
+}
+
+func newOCSPResponderDesignatedCustomAddress(t *testing.T, issuerCertPEM, respCertPEM, respKeyPEM string, addr string) *http.Server {
+	t.Helper()
+	return newOCSPResponderBase(t, issuerCertPEM, respCertPEM, respKeyPEM, true, addr, defaultResponseTTL)
+}
+
+func newOCSPResponderBase(t *testing.T, issuerCertPEM, respCertPEM, respKeyPEM string, embed bool, addr string, responseTTL time.Duration) *http.Server {
+	t.Helper()
+	var mu sync.Mutex
+	status := make(map[string]int)
+
+	issuerCert := parseCertPEM(t, issuerCertPEM)
+	respCert := parseCertPEM(t, respCertPEM)
+	respKey := parseKeyPEM(t, respKeyPEM)
+
+	mux := http.NewServeMux()
+	// The "/statuses/" endpoint is for directly setting a key-value pair in
+	// the CA's status database.
+	mux.HandleFunc("/statuses/", func(rw http.ResponseWriter, r *http.Request) {
+		defer r.Body.Close()
+
+		key := r.URL.Path[len("/statuses/"):]
+		switch r.Method {
+		case "GET":
+			mu.Lock()
+			n, ok := status[key]
+			if !ok {
+				n = ocsp.Unknown
+			}
+			mu.Unlock()
+
+			fmt.Fprintf(rw, "%s %d", key, n)
+		case "POST":
+			data, err := io.ReadAll(r.Body)
+			if err != nil {
+				http.Error(rw, err.Error(), http.StatusBadRequest)
+				return
+			}
+
+			n, err := strconv.Atoi(string(data))
+			if err != nil {
+				http.Error(rw, err.Error(), http.StatusBadRequest)
+				return
+			}
+
+			mu.Lock()
+			status[key] = n
+			mu.Unlock()
+
+			fmt.Fprintf(rw, "%s %d", key, n)
+		default:
+			http.Error(rw, "Method Not Allowed", http.StatusMethodNotAllowed)
+			return
+		}
+	})
+	// The "/" endpoint is for normal OCSP requests. This actually parses an
+	// OCSP status request and signs a response with a CA. Lightly based off:
+	// https://www.ietf.org/rfc/rfc2560.txt
+	mux.HandleFunc("/", func(rw http.ResponseWriter, r *http.Request) {
+		if r.Method != "GET" {
+			http.Error(rw, "Method Not Allowed", http.StatusMethodNotAllowed)
+			return
+		}
+
+		reqData, err := base64.StdEncoding.DecodeString(r.URL.Path[1:])
+		if err != nil {
+			http.Error(rw, err.Error(), http.StatusBadRequest)
+			return
+		}
+
+		ocspReq, err := ocsp.ParseRequest(reqData)
+		if err != nil {
+			http.Error(rw, err.Error(), http.StatusBadRequest)
+			return
+		}
+
+		mu.Lock()
+		n, ok := status[ocspReq.SerialNumber.String()]
+		if !ok {
+			n = ocsp.Unknown
+		}
+		mu.Unlock()
+
+		tmpl := ocsp.Response{
+			Status:       n,
+			SerialNumber: ocspReq.SerialNumber,
+			ThisUpdate:   time.Now(),
+		}
+		if responseTTL != 0 {
+			tmpl.NextUpdate = tmpl.ThisUpdate.Add(responseTTL)
+		}
+		if embed {
+			tmpl.Certificate = respCert
+		}
+		respData, err := ocsp.CreateResponse(issuerCert, respCert, tmpl, respKey)
+		if err != nil {
+			http.Error(rw, err.Error(), http.StatusInternalServerError)
+			return
+		}
+
+		rw.Header().Set("Content-Type", "application/ocsp-response")
+		rw.Header().Set("Content-Length", fmt.Sprint(len(respData)))
+
+		fmt.Fprint(rw, string(respData))
+	})
+
+	srv := &http.Server{
+		Addr:    addr,
+		Handler: mux,
+	}
+	go srv.ListenAndServe()
+	time.Sleep(1 * time.Second)
+	return srv
+}
+
+func setOCSPStatus(t *testing.T, ocspURL, certPEM string, status int) {
+	t.Helper()
+
+	cert := parseCertPEM(t, certPEM)
+
+	hc := &http.Client{Timeout: 10 * time.Second}
+	resp, err := hc.Post(
+		fmt.Sprintf("%s/statuses/%s", ocspURL, cert.SerialNumber),
+		"",
+		strings.NewReader(fmt.Sprint(status)),
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer resp.Body.Close()
+
+	data, err := io.ReadAll(resp.Body)
+	if err != nil {
+		t.Fatalf("failed to read OCSP HTTP response body: %s", err)
+	}
+
+	if got, want := resp.Status, "200 OK"; got != want {
+		t.Error(strings.TrimSpace(string(data)))
+		t.Fatalf("unexpected OCSP HTTP set status, got %q, want %q", got, want)
+	}
+}
+
+func parseCertPEM(t *testing.T, certPEM string) *x509.Certificate {
+	t.Helper()
+	block := parsePEM(t, certPEM)
 
-				ocsp {
-					mode: always
-					url: "http://127.0.0.1:8888"
-				}
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		t.Fatalf("failed to parse cert '%s': %s", certPEM, err)
+	}
+	return cert
+}
 
-				tls {
-					cert_file: "configs/certs/ocsp/server-cert.pem"
-					key_file: "configs/certs/ocsp/server-key.pem"
-					ca_file: "configs/certs/ocsp/ca-cert.pem"
-					timeout: 5
-				}
-			`,
-			[]nats.Option{
-				nats.Secure(&tls.Config{
-					VerifyConnection: func(s tls.ConnectionState) error {
-						if s.OCSPResponse == nil {
-							return errMissingStaple
-						}
-						return nil
-					},
-				}),
-				nats.ClientCert("./configs/certs/ocsp/client-cert.pem", "./configs/certs/ocsp/client-key.pem"),
-				nats.RootCAs(caCert),
-				nats.ErrorHandler(noOpErrHandler),
-			},
-			nil,
-			nil,
-			func() { setOCSPStatus(t, ocspURL, serverCert, ocsp.Good) },
-		},
-		{
-			"OCSP Stapling in must staple mode does not fetch staple if there is no must staple flag",
-			`
-				port: -1
+func parseKeyPEM(t *testing.T, keyPEM string) crypto.Signer {
+	t.Helper()
+	block := parsePEM(t, keyPEM)
 
-				ocsp {
-					mode: must
-					url: "http://127.0.0.1:8888"
-				}
+	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+	if err != nil {
+		key, err = x509.ParsePKCS1PrivateKey(block.Bytes)
+		if err != nil {
+			t.Fatalf("failed to parse ikey %s: %s", keyPEM, err)
+		}
+	}
+	keyc := key.(crypto.Signer)
+	return keyc
+}
 
-				tls {
-					cert_file: "configs/certs/ocsp/server-cert.pem"
-					key_file: "configs/certs/ocsp/server-key.pem"
-					ca_file: "configs/certs/ocsp/ca-cert.pem"
-					timeout: 5
-				}
-			`,
-			[]nats.Option{
-				nats.Secure(&tls.Config{
-					VerifyConnection: func(s tls.ConnectionState) error {
-						if s.OCSPResponse != nil {
-							return errExpectedNoStaple
-						}
-						return nil
-					},
-				}),
-				nats.ClientCert("./configs/certs/ocsp/client-cert.pem", "./configs/certs/ocsp/client-key.pem"),
-				nats.RootCAs(caCert),
-				nats.ErrorHandler(noOpErrHandler),
-			},
-			nil,
-			nil,
-			func() { setOCSPStatus(t, ocspURL, serverCert, ocsp.Good) },
-		},
-		{
-			"OCSP Stapling in must staple mode fetches staple if there is a must staple flag",
-			`
-				port: -1
+func parsePEM(t *testing.T, pemPath string) *pem.Block {
+	t.Helper()
+	data, err := os.ReadFile(pemPath)
+	if err != nil {
+		t.Fatal(err)
+	}
 
-				ocsp {
-					mode: must
-					url: "http://127.0.0.1:8888"
-				}
+	block, _ := pem.Decode(data)
+	if block == nil {
+		t.Fatalf("failed to decode PEM %s", pemPath)
+	}
+	return block
+}
 
-				tls {
-					cert_file: "configs/certs/ocsp/server-status-request-url-01-cert.pem"
-					key_file: "configs/certs/ocsp/server-status-request-url-01-key.pem"
-					ca_file: "configs/certs/ocsp/ca-cert.pem"
-					timeout: 5
-				}
-			`,
-			[]nats.Option{
-				nats.Secure(&tls.Config{
-					VerifyConnection: func(s tls.ConnectionState) error {
-						if s.OCSPResponse == nil {
-							return errMissingStaple
-						}
-						return nil
-					},
-				}),
-				nats.ClientCert("./configs/certs/ocsp/client-cert.pem", "./configs/certs/ocsp/client-key.pem"),
-				nats.RootCAs(caCert),
-				nats.ErrorHandler(noOpErrHandler),
-			},
-			nil,
-			nil,
-			func() {
-				setOCSPStatus(t, ocspURL, "configs/certs/ocsp/server-status-request-url-01-cert.pem", ocsp.Good)
-			},
-		},
-	} {
-		t.Run(test.name, func(t *testing.T) {
-			test.configure()
-			content := test.config
-			conf := createConfFile(t, []byte(content))
-			s, opts := RunServerWithConfig(conf)
-			defer s.Shutdown()
+func getOCSPStatus(s tls.ConnectionState) (*ocsp.Response, error) {
+	if len(s.VerifiedChains) == 0 {
+		return nil, fmt.Errorf("missing TLS verified chains")
+	}
+	chain := s.VerifiedChains[0]
 
-			nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port), test.opts...)
-			if test.err == nil && err != nil {
-				t.Errorf("Expected to connect, got %v", err)
-			} else if test.err != nil && err == nil {
-				t.Errorf("Expected error on connect")
-			} else if test.err != nil && err != nil {
-				// Error on connect was expected
-				if test.err.Error() != err.Error() {
-					t.Errorf("Expected error %s, got: %s", test.err, err)
-				}
-				return
-			}
-			defer nc.Close()
+	if got, want := len(chain), 2; got < want {
+		return nil, fmt.Errorf("incomplete cert chain, got %d, want at least %d", got, want)
+	}
+	leaf, issuer := chain[0], chain[1]
 
-			nc.Subscribe("ping", func(m *nats.Msg) {
-				m.Respond([]byte("pong"))
-			})
-			nc.Flush()
+	resp, err := ocsp.ParseResponseForCert(s.OCSPResponse, leaf, issuer)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse OCSP response: %w", err)
+	}
+	if err := resp.CheckSignatureFrom(issuer); err != nil {
+		return resp, err
+	}
+	return resp, nil
+}
 
-			_, err = nc.Request("ping", []byte("ping"), 250*time.Millisecond)
-			if test.rerr != nil && err == nil {
-				t.Errorf("Expected error getting response")
-			} else if test.rerr == nil && err != nil {
-				t.Errorf("Expected response")
-			}
-		})
+func TestOCSPTLSConfigNoLeafSet(t *testing.T) {
+	o := DefaultTestOptions
+	o.HTTPHost = "127.0.0.1"
+	o.HTTPSPort = -1
+	o.TLSConfig = &tls.Config{ServerName: "localhost"}
+	cert, err := tls.LoadX509KeyPair("configs/certs/server-cert.pem", "configs/certs/server-key.pem")
+	if err != nil {
+		t.Fatalf("Got error reading certificates: %s", err)
 	}
+	o.TLSConfig.Certificates = []tls.Certificate{cert}
+	s := RunServer(&o)
+	s.Shutdown()
 }
 
-func TestOCSPCustomConfigReloadDisable(t *testing.T) {
+func TestOCSPSuperCluster(t *testing.T) {
 	const (
-		caCert            = "configs/certs/ocsp/ca-cert.pem"
-		caKey             = "configs/certs/ocsp/ca-key.pem"
-		serverCert        = "configs/certs/ocsp/server-cert.pem"
-		updatedServerCert = "configs/certs/ocsp/server-status-request-url-01-cert.pem"
+		caCert = "configs/certs/ocsp/ca-cert.pem"
+		caKey  = "configs/certs/ocsp/ca-key.pem"
 	)
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 	ocspr := newOCSPResponder(t, caCert, caKey)
 	defer ocspr.Shutdown(ctx)
 	addr := fmt.Sprintf("http://%s", ocspr.Addr)
-	setOCSPStatus(t, addr, serverCert, ocsp.Good)
-	setOCSPStatus(t, addr, updatedServerCert, ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-01-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-02-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-03-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-04-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-05-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-06-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-07-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-08-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-cert.pem", ocsp.Good)
 
-	// Start with server without OCSP Stapling MustStaple
-	content := `
+	// Store Dirs
+	storeDirA := t.TempDir()
+	storeDirB := t.TempDir()
+	storeDirC := t.TempDir()
+	storeDirD := t.TempDir()
+
+	// Gateway server configuration
+	srvConfA := `
+		host: "127.0.0.1"
+		port: -1
+
+		server_name: "A"
+
+		ocsp { mode: "always" }
+
+		tls {
+			cert_file: "configs/certs/ocsp/server-status-request-url-01-cert.pem"
+			key_file: "configs/certs/ocsp/server-status-request-url-01-key.pem"
+			ca_file: "configs/certs/ocsp/ca-cert.pem"
+			timeout: 5
+		}
+		store_dir: '%s'
+
+		cluster {
+			name: A
+			host: "127.0.0.1"
+			advertise: 127.0.0.1
+			port: -1
+
+			tls {
+				cert_file: "configs/certs/ocsp/server-status-request-url-02-cert.pem"
+				key_file: "configs/certs/ocsp/server-status-request-url-02-key.pem"
+				ca_file: "configs/certs/ocsp/ca-cert.pem"
+				timeout: 5
+			}
+		}
+
+		gateway {
+			name: A
+			host: "127.0.0.1"
+			port: -1
+			advertise: "127.0.0.1"
+
+			tls {
+				cert_file: "configs/certs/ocsp/server-status-request-url-03-cert.pem"
+				key_file: "configs/certs/ocsp/server-status-request-url-03-key.pem"
+				ca_file: "configs/certs/ocsp/ca-cert.pem"
+				timeout: 5
+				verify: true
+			}
+		}
+	`
+	srvConfA = fmt.Sprintf(srvConfA, storeDirA)
+	sconfA := createConfFile(t, []byte(srvConfA))
+	srvA, optsA := RunServerWithConfig(sconfA)
+	defer srvA.Shutdown()
+
+	// Server that has the original as a cluster.
+	srvConfB := `
+		host: "127.0.0.1"
 		port: -1
 
-		ocsp: { mode: always, url: "http://127.0.0.1:8888" }
+		server_name: "B"
+
+		ocsp { mode: "always" }
 
 		tls {
-			cert_file: "configs/certs/ocsp/server-cert.pem"
-			key_file: "configs/certs/ocsp/server-key.pem"
+			cert_file: "configs/certs/ocsp/server-status-request-url-01-cert.pem"
+			key_file: "configs/certs/ocsp/server-status-request-url-01-key.pem"
 			ca_file: "configs/certs/ocsp/ca-cert.pem"
 			timeout: 5
 		}
+		store_dir: '%s'
+
+		cluster {
+			name: A
+			host: "127.0.0.1"
+			advertise: 127.0.0.1
+			port: -1
+
+			routes: [ nats://127.0.0.1:%d ]
+
+			tls {
+				cert_file: "configs/certs/ocsp/server-status-request-url-02-cert.pem"
+				key_file: "configs/certs/ocsp/server-status-request-url-02-key.pem"
+				ca_file: "configs/certs/ocsp/ca-cert.pem"
+				timeout: 5
+			}
+		}
+
+		gateway {
+			name: A
+			host: "127.0.0.1"
+			advertise: "127.0.0.1"
+			port: -1
+
+			tls {
+				cert_file: "configs/certs/ocsp/server-status-request-url-03-cert.pem"
+				key_file: "configs/certs/ocsp/server-status-request-url-03-key.pem"
+				ca_file: "configs/certs/ocsp/ca-cert.pem"
+				timeout: 5
+				verify: true
+			}
+		}
 	`
-	conf := createConfFile(t, []byte(content))
-	s, opts := RunServerWithConfig(conf)
-	defer s.Shutdown()
+	srvConfB = fmt.Sprintf(srvConfB, storeDirB, optsA.Cluster.Port)
+	conf := createConfFile(t, []byte(srvConfB))
+	srvB, optsB := RunServerWithConfig(conf)
+	defer srvB.Shutdown()
 
-	nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port),
+	// Client connects to server A.
+	cA, err := nats.Connect(fmt.Sprintf("tls://127.0.0.1:%d", optsA.Port),
 		nats.Secure(&tls.Config{
 			VerifyConnection: func(s tls.ConnectionState) error {
 				if s.OCSPResponse == nil {
-					return fmt.Errorf("missing OCSP Staple!")
+					return fmt.Errorf("missing OCSP Staple from server")
 				}
 				return nil
 			},
@@ -2190,149 +3228,144 @@ func TestOCSPCustomConfigReloadDisable(t *testing.T) {
 	)
 	if err != nil {
 		t.Fatal(err)
-	}
-	defer nc.Close()
-	sub, err := nc.SubscribeSync("foo")
-	if err != nil {
-		t.Fatal(err)
-	}
-	nc.Publish("foo", []byte("hello world"))
-	nc.Flush()
 
-	_, err = sub.NextMsg(1 * time.Second)
-	if err != nil {
-		t.Fatal(err)
 	}
-	nc.Close()
+	defer cA.Close()
 
-	// Change and disable OCSP Stapling.
-	content = `
+	// Start another server that will make connect as a gateway to cluster A.
+	srvConfC := `
+		host: "127.0.0.1"
 		port: -1
 
-		ocsp: { mode: never }
+		server_name: "C"
+
+		ocsp { mode: "always" }
 
 		tls {
-			cert_file: "configs/certs/ocsp/server-status-request-url-01-cert.pem"
-			key_file: "configs/certs/ocsp/server-status-request-url-01-key.pem"
+			cert_file: "configs/certs/ocsp/server-status-request-url-05-cert.pem"
+			key_file: "configs/certs/ocsp/server-status-request-url-05-key.pem"
 			ca_file: "configs/certs/ocsp/ca-cert.pem"
 			timeout: 5
 		}
-	`
-	if err := os.WriteFile(conf, []byte(content), 0666); err != nil {
-		t.Fatalf("Error writing config: %v", err)
-	}
-	if err := s.Reload(); err != nil {
-		t.Fatal(err)
-	}
-
-	// The new certificate has must staple but OCSP Stapling is disabled.
-	time.Sleep(2 * time.Second)
-
-	nc, err = nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port),
-		nats.Secure(&tls.Config{
-			VerifyConnection: func(s tls.ConnectionState) error {
-				if s.OCSPResponse != nil {
-					return fmt.Errorf("unexpected OCSP Staple!")
+		store_dir: '%s'
+		gateway {
+			name: C
+			host: "127.0.0.1"
+			advertise: "127.0.0.1"
+			port: -1
+			gateways: [{
+				name: "A",
+				urls: ["nats://127.0.0.1:%d"]
+				tls {
+					cert_file: "configs/certs/ocsp/server-status-request-url-06-cert.pem"
+					key_file: "configs/certs/ocsp/server-status-request-url-06-key.pem"
+					ca_file: "configs/certs/ocsp/ca-cert.pem"
+					timeout: 5
 				}
-				return nil
-			},
-		}),
-		nats.RootCAs(caCert),
-		nats.ErrorHandler(noOpErrHandler),
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-	nc.Close()
-}
+			}]
+			tls {
+				cert_file: "configs/certs/ocsp/server-status-request-url-06-cert.pem"
+				key_file: "configs/certs/ocsp/server-status-request-url-06-key.pem"
+				ca_file: "configs/certs/ocsp/ca-cert.pem"
+				timeout: 5
+				verify: true
+			}
+		}
+	`
+	srvConfC = fmt.Sprintf(srvConfC, storeDirC, optsA.Gateway.Port)
+	conf = createConfFile(t, []byte(srvConfC))
+	srvC, optsC := RunServerWithConfig(conf)
+	defer srvC.Shutdown()
 
-func TestOCSPCustomConfigReloadEnable(t *testing.T) {
-	const (
-		caCert            = "configs/certs/ocsp/ca-cert.pem"
-		caKey             = "configs/certs/ocsp/ca-key.pem"
-		serverCert        = "configs/certs/ocsp/server-cert.pem"
-		updatedServerCert = "configs/certs/ocsp/server-status-request-url-01-cert.pem"
-	)
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	ocspr := newOCSPResponder(t, caCert, caKey)
-	defer ocspr.Shutdown(ctx)
-	addr := fmt.Sprintf("http://%s", ocspr.Addr)
-	setOCSPStatus(t, addr, serverCert, ocsp.Good)
-	setOCSPStatus(t, addr, updatedServerCert, ocsp.Good)
+	// Check that server is connected to any server from the other cluster.
+	checkClusterFormed(t, srvA, srvB)
+	waitForOutboundGateways(t, srvC, 1, 5*time.Second)
 
-	// Start with server without OCSP Stapling MustStaple
-	content := `
+	// Start one more server that will become another gateway.
+	srvConfD := `
+		host: "127.0.0.1"
 		port: -1
 
-		ocsp: { mode: never, url: "http://127.0.0.1:8888" }
+		server_name: "D"
+
+		ocsp { mode: "auto", url: "%s" }
 
 		tls {
-			cert_file: "configs/certs/ocsp/server-status-request-url-01-cert.pem"
-			key_file: "configs/certs/ocsp/server-status-request-url-01-key.pem"
+			cert_file: "configs/certs/ocsp/server-status-request-url-07-cert.pem"
+			key_file: "configs/certs/ocsp/server-status-request-url-07-key.pem"
 			ca_file: "configs/certs/ocsp/ca-cert.pem"
 			timeout: 5
 		}
+		store_dir: '%s'
+		gateway {
+			name: D
+			host: "127.0.0.1"
+			advertise: "127.0.0.1"
+			port: -1
+			gateways: [{
+				name: "A",
+				urls: ["nats://127.0.0.1:%d"]
+				tls {
+					cert_file: "configs/certs/ocsp/server-status-request-url-08-cert.pem"
+					key_file: "configs/certs/ocsp/server-status-request-url-08-key.pem"
+					ca_file: "configs/certs/ocsp/ca-cert.pem"
+					timeout: 5
+				}},
+				{
+				name: "C",
+				urls: ["nats://127.0.0.1:%d"]
+
+				####################################################################
+				## TEST NOTE: This cert does not have an OCSP Staple intentionally##
+				####################################################################
+				tls {
+					ca_file: "configs/certs/ocsp/ca-cert.pem"
+					cert_file: "configs/certs/ocsp/server-cert.pem"
+					key_file: "configs/certs/ocsp/server-key.pem"
+					timeout: 5
+				}}
+			]
+			tls {
+				cert_file: "configs/certs/ocsp/server-status-request-url-08-cert.pem"
+				key_file: "configs/certs/ocsp/server-status-request-url-08-key.pem"
+				ca_file: "configs/certs/ocsp/ca-cert.pem"
+				timeout: 5
+				verify: true
+			}
+		}
 	`
-	conf := createConfFile(t, []byte(content))
-	s, opts := RunServerWithConfig(conf)
-	defer s.Shutdown()
+	srvConfD = fmt.Sprintf(srvConfD, addr, storeDirD, optsA.Gateway.Port, optsC.Gateway.Port)
+	conf = createConfFile(t, []byte(srvConfD))
+	srvD, _ := RunServerWithConfig(conf)
+	defer srvD.Shutdown()
 
-	nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port),
+	// There should be a single gateway here because one of the gateway connections does not have a OCSP staple.
+	waitForOutboundGateways(t, srvD, 1, 10*time.Second)
+
+	// Connect to cluster A using server B.
+	cB, err := nats.Connect(fmt.Sprintf("tls://127.0.0.1:%d", optsB.Port),
 		nats.Secure(&tls.Config{
 			VerifyConnection: func(s tls.ConnectionState) error {
-				if s.OCSPResponse != nil {
-					return fmt.Errorf("unexpected OCSP Staple!")
+				if s.OCSPResponse == nil {
+					return fmt.Errorf("missing OCSP Staple from server")
 				}
 				return nil
 			},
 		}),
 		nats.RootCAs(caCert),
 		nats.ErrorHandler(noOpErrHandler),
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer nc.Close()
-	sub, err := nc.SubscribeSync("foo")
-	if err != nil {
-		t.Fatal(err)
-	}
-	nc.Publish("foo", []byte("hello world"))
-	nc.Flush()
-
-	_, err = sub.NextMsg(1 * time.Second)
-	if err != nil {
-		t.Fatal(err)
-	}
-	nc.Close()
-
-	// Change and disable OCSP Stapling.
-	content = `
-		port: -1
-
-		ocsp: { mode: always, url: "http://127.0.0.1:8888" }
-
-		tls {
-			cert_file: "configs/certs/ocsp/server-status-request-url-01-cert.pem"
-			key_file: "configs/certs/ocsp/server-status-request-url-01-key.pem"
-			ca_file: "configs/certs/ocsp/ca-cert.pem"
-			timeout: 5
-		}
-	`
-	if err := os.WriteFile(conf, []byte(content), 0666); err != nil {
-		t.Fatalf("Error writing config: %v", err)
-	}
-	if err := s.Reload(); err != nil {
+	)
+	if err != nil {
 		t.Fatal(err)
 	}
-	time.Sleep(2 * time.Second)
+	defer cB.Close()
 
-	nc, err = nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port),
+	// Connects to cluster C using server C.
+	cC, err := nats.Connect(fmt.Sprintf("tls://127.0.0.1:%d", optsC.Port),
 		nats.Secure(&tls.Config{
 			VerifyConnection: func(s tls.ConnectionState) error {
 				if s.OCSPResponse == nil {
-					return fmt.Errorf("missing OCSP Staple!")
+					return fmt.Errorf("missing OCSP Staple from server")
 				}
 				return nil
 			},
@@ -2343,244 +3376,338 @@ func TestOCSPCustomConfigReloadEnable(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	nc.Close()
-}
-
-func newOCSPResponder(t *testing.T, issuerCertPEM, issuerKeyPEM string) *http.Server {
-	t.Helper()
-	return newOCSPResponderDesignated(t, issuerCertPEM, issuerCertPEM, issuerKeyPEM, false)
-}
-
-func newOCSPResponderDesignated(t *testing.T, issuerCertPEM, respCertPEM, respKeyPEM string, embed bool) *http.Server {
-	t.Helper()
-	var mu sync.Mutex
-	status := make(map[string]int)
-
-	issuerCert := parseCertPEM(t, issuerCertPEM)
-	respCert := parseCertPEM(t, respCertPEM)
-	respKey := parseKeyPEM(t, respKeyPEM)
-
-	mux := http.NewServeMux()
-	// The "/statuses/" endpoint is for directly setting a key-value pair in
-	// the CA's status database.
-	mux.HandleFunc("/statuses/", func(rw http.ResponseWriter, r *http.Request) {
-		defer r.Body.Close()
-
-		key := r.URL.Path[len("/statuses/"):]
-		switch r.Method {
-		case "GET":
-			mu.Lock()
-			n, ok := status[key]
-			if !ok {
-				n = ocsp.Unknown
-			}
-			mu.Unlock()
-
-			fmt.Fprintf(rw, "%s %d", key, n)
-		case "POST":
-			data, err := io.ReadAll(r.Body)
-			if err != nil {
-				http.Error(rw, err.Error(), http.StatusBadRequest)
-				return
-			}
-
-			n, err := strconv.Atoi(string(data))
-			if err != nil {
-				http.Error(rw, err.Error(), http.StatusBadRequest)
-				return
-			}
-
-			mu.Lock()
-			status[key] = n
-			mu.Unlock()
+	defer cC.Close()
 
-			fmt.Fprintf(rw, "%s %d", key, n)
-		default:
-			http.Error(rw, "Method Not Allowed", http.StatusMethodNotAllowed)
-			return
-		}
+	_, err = cA.Subscribe("foo", func(m *nats.Msg) {
+		m.Respond([]byte("From Server A"))
 	})
-	// The "/" endpoint is for normal OCSP requests. This actually parses an
-	// OCSP status request and signs a response with a CA. Lightly based off:
-	// https://www.ietf.org/rfc/rfc2560.txt
-	mux.HandleFunc("/", func(rw http.ResponseWriter, r *http.Request) {
-		if r.Method != "GET" {
-			http.Error(rw, "Method Not Allowed", http.StatusMethodNotAllowed)
-			return
-		}
+	if err != nil {
+		t.Errorf("%v", err)
+	}
+	cA.Flush()
 
-		reqData, err := base64.StdEncoding.DecodeString(r.URL.Path[1:])
-		if err != nil {
-			http.Error(rw, err.Error(), http.StatusBadRequest)
-			return
-		}
+	_, err = cB.Subscribe("bar", func(m *nats.Msg) {
+		m.Respond([]byte("From Server B"))
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	cB.Flush()
 
-		ocspReq, err := ocsp.ParseRequest(reqData)
-		if err != nil {
-			http.Error(rw, err.Error(), http.StatusBadRequest)
-			return
+	// Confirm that a message from server C can flow back to server A via gateway..
+	var (
+		resp *nats.Msg
+		lerr error
+	)
+	for i := 0; i < 10; i++ {
+		resp, lerr = cC.Request("foo", nil, 500*time.Millisecond)
+		if lerr != nil {
+			continue
 		}
-
-		mu.Lock()
-		n, ok := status[ocspReq.SerialNumber.String()]
-		if !ok {
-			n = ocsp.Unknown
+		got := string(resp.Data)
+		expected := "From Server A"
+		if got != expected {
+			t.Fatalf("Expected %v, got: %v", expected, got)
 		}
-		mu.Unlock()
 
-		tmpl := ocsp.Response{
-			Status:       n,
-			SerialNumber: ocspReq.SerialNumber,
-			ThisUpdate:   time.Now(),
-			NextUpdate:   time.Now().Add(4 * time.Second),
-		}
-		if embed {
-			tmpl.Certificate = respCert
+		// Make request to B
+		resp, lerr = cC.Request("bar", nil, 500*time.Millisecond)
+		if lerr != nil {
+			continue
 		}
-		respData, err := ocsp.CreateResponse(issuerCert, respCert, tmpl, respKey)
-		if err != nil {
-			http.Error(rw, err.Error(), http.StatusInternalServerError)
-			return
+		got = string(resp.Data)
+		expected = "From Server B"
+		if got != expected {
+			t.Errorf("Expected %v, got: %v", expected, got)
 		}
-
-		rw.Header().Set("Content-Type", "application/ocsp-response")
-		rw.Header().Set("Content-Length", fmt.Sprint(len(respData)))
-
-		fmt.Fprint(rw, string(respData))
-	})
-
-	srv := &http.Server{
-		Addr:    "127.0.0.1:8888",
-		Handler: mux,
+		lerr = nil
+		break
+	}
+	if lerr != nil {
+		t.Errorf("Unexpected error: %v", lerr)
+	}
+	if n := srvD.NumOutboundGateways(); n > 1 {
+		t.Errorf("Expected single gateway, got: %v", n)
 	}
-	go srv.ListenAndServe()
-	time.Sleep(1 * time.Second)
-	return srv
 }
 
-func setOCSPStatus(t *testing.T, ocspURL, certPEM string, status int) {
-	t.Helper()
+func TestOCSPLocalIssuerDetermination(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
 
-	cert := parseCertPEM(t, certPEM)
+	intermediateCA1Responder := newOCSPResponderIntermediateCA1(t)
+	intermediateCA1ResponderURL := fmt.Sprintf("http://%s", intermediateCA1Responder.Addr)
+	defer intermediateCA1Responder.Shutdown(ctx)
 
-	hc := &http.Client{Timeout: 10 * time.Second}
-	resp, err := hc.Post(
-		fmt.Sprintf("%s/statuses/%s", ocspURL, cert.SerialNumber),
-		"",
-		strings.NewReader(fmt.Sprint(status)),
+	// Test constants
+	ocspURL := intermediateCA1ResponderURL
+	clientTrustBundle := "configs/certs/ocsp_peer/mini-ca/misc/trust_config1_bundle.pem"
+	serverCert := "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_cert.pem"
+
+	var (
+		errMissingStaple = fmt.Errorf("missing OCSP Staple from server")
 	)
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer resp.Body.Close()
 
-	data, err := io.ReadAll(resp.Body)
-	if err != nil {
-		t.Fatalf("failed to read OCSP HTTP response body: %s", err)
-	}
+	for _, test := range []struct {
+		name        string
+		config      string
+		opts        []nats.Option
+		err         error
+		rerr        error
+		serverStart bool
+		configure   func()
+	}{
+		{
+			"Correct issuer configured in cert bundle",
+			`
+				port: -1
 
-	if got, want := resp.Status, "200 OK"; got != want {
-		t.Error(strings.TrimSpace(string(data)))
-		t.Fatalf("unexpected OCSP HTTP set status, got %q, want %q", got, want)
-	}
-}
+				ocsp {
+					mode: always
+				}
 
-func parseCertPEM(t *testing.T, certPEM string) *x509.Certificate {
-	t.Helper()
-	block := parsePEM(t, certPEM)
+				tls {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+				}
+			`,
+			[]nats.Option{
+				nats.Secure(&tls.Config{
+					VerifyConnection: func(s tls.ConnectionState) error {
+						if s.OCSPResponse == nil {
+							return errMissingStaple
+						}
+						return nil
+					},
+				}),
+				nats.ClientCert("./configs/certs/ocsp/client-cert.pem", "./configs/certs/ocsp/client-key.pem"),
+				nats.RootCAs(clientTrustBundle),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			nil,
+			nil,
+			true,
+			func() {
+				setOCSPStatus(t, ocspURL, serverCert, ocsp.Good)
+			},
+		},
+		{
+			"Wrong issuer configured in cert bundle, server no start",
+			`
+				port: -1
 
-	cert, err := x509.ParseCertificate(block.Bytes)
-	if err != nil {
-		t.Fatalf("failed to parse cert '%s': %s", certPEM, err)
-	}
-	return cert
-}
+				ocsp {
+					mode: always
+				}
 
-func parseKeyPEM(t *testing.T, keyPEM string) *rsa.PrivateKey {
-	t.Helper()
-	block := parsePEM(t, keyPEM)
+				tls {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/misc/misconfig_TestServer1_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
+					timeout: 5
+				}
+			`,
+			[]nats.Option{
+				nats.Secure(&tls.Config{
+					VerifyConnection: func(s tls.ConnectionState) error {
+						if s.OCSPResponse == nil {
+							return errMissingStaple
+						}
+						return nil
+					},
+				}),
+				nats.ClientCert("./configs/certs/ocsp/client-cert.pem", "./configs/certs/ocsp/client-key.pem"),
+				nats.RootCAs(clientTrustBundle),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			nil,
+			nil,
+			false,
+			func() {
+				setOCSPStatus(t, ocspURL, serverCert, ocsp.Good)
+			},
+		},
+		{
+			"Issuer configured in CA bundle only, configuration 1",
+			`
+				port: -1
+
+				ocsp {
+					mode: always
+				}
+
+				tls {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_cert.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/misc/trust_config1_bundle.pem"
+					timeout: 5
+				}
+			`,
+			[]nats.Option{
+				nats.Secure(&tls.Config{
+					VerifyConnection: func(s tls.ConnectionState) error {
+						if s.OCSPResponse == nil {
+							return errMissingStaple
+						}
+						return nil
+					},
+				}),
+				nats.ClientCert("./configs/certs/ocsp/client-cert.pem", "./configs/certs/ocsp/client-key.pem"),
+				nats.RootCAs(clientTrustBundle),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			nil,
+			nil,
+			true,
+			func() {
+				setOCSPStatus(t, ocspURL, serverCert, ocsp.Good)
+			},
+		},
+		{
+			"Issuer configured in CA bundle only, configuration 2",
+			`
+				port: -1
 
-	key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
-	if err != nil {
-		t.Fatalf("failed to parse ikey %s: %s", keyPEM, err)
-	}
-	return key
-}
+				ocsp {
+					mode: always
+				}
 
-func parsePEM(t *testing.T, pemPath string) *pem.Block {
-	t.Helper()
-	data, err := os.ReadFile(pemPath)
-	if err != nil {
-		t.Fatal(err)
-	}
+				tls {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_cert.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/misc/trust_config2_bundle.pem"
+					timeout: 5
+				}
+			`,
+			[]nats.Option{
+				nats.Secure(&tls.Config{
+					VerifyConnection: func(s tls.ConnectionState) error {
+						if s.OCSPResponse == nil {
+							return errMissingStaple
+						}
+						return nil
+					},
+				}),
+				nats.ClientCert("./configs/certs/ocsp/client-cert.pem", "./configs/certs/ocsp/client-key.pem"),
+				nats.RootCAs(clientTrustBundle),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			nil,
+			nil,
+			true,
+			func() {
+				setOCSPStatus(t, ocspURL, serverCert, ocsp.Good)
+			},
+		},
+		{
+			"Issuer configured in CA bundle only, configuration 3",
+			`
+				port: -1
 
-	block, _ := pem.Decode(data)
-	if block == nil {
-		t.Fatalf("failed to decode PEM %s", pemPath)
-	}
-	return block
-}
+				ocsp {
+					mode: always
+				}
 
-func getOCSPStatus(s tls.ConnectionState) (*ocsp.Response, error) {
-	if len(s.VerifiedChains) == 0 {
-		return nil, fmt.Errorf("missing TLS verified chains")
-	}
-	chain := s.VerifiedChains[0]
+				tls {
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_cert.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/misc/trust_config3_bundle.pem"
+					timeout: 5
+				}
+			`,
+			[]nats.Option{
+				nats.Secure(&tls.Config{
+					VerifyConnection: func(s tls.ConnectionState) error {
+						if s.OCSPResponse == nil {
+							return errMissingStaple
+						}
+						return nil
+					},
+				}),
+				nats.ClientCert("./configs/certs/ocsp/client-cert.pem", "./configs/certs/ocsp/client-key.pem"),
+				nats.RootCAs(clientTrustBundle),
+				nats.ErrorHandler(noOpErrHandler),
+			},
+			nil,
+			nil,
+			true,
+			func() {
+				setOCSPStatus(t, ocspURL, serverCert, ocsp.Good)
+			},
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			defer func() {
+				r := recover()
+				if r != nil && test.serverStart {
+					t.Fatalf("Expected server start, unexpected panic: %v", r)
+				}
+				if r == nil && !test.serverStart {
+					t.Fatalf("Expected server to not start and panic thrown")
+				}
+			}()
+			test.configure()
+			content := test.config
+			conf := createConfFile(t, []byte(content))
+			s, opts := RunServerWithConfig(conf)
+			// server may not start for some tests
+			if s != nil {
+				defer s.Shutdown()
+			}
 
-	if got, want := len(chain), 2; got < want {
-		return nil, fmt.Errorf("incomplete cert chain, got %d, want at least %d", got, want)
-	}
-	leaf, issuer := chain[0], chain[1]
+			nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port), test.opts...)
+			if test.err == nil && err != nil {
+				t.Errorf("Expected to connect, got %v", err)
+			} else if test.err != nil && err == nil {
+				t.Errorf("Expected error on connect")
+			} else if test.err != nil && err != nil {
+				// Error on connect was expected
+				if test.err.Error() != err.Error() {
+					t.Errorf("Expected error %s, got: %s", test.err, err)
+				}
+				return
+			}
+			defer nc.Close()
 
-	resp, err := ocsp.ParseResponseForCert(s.OCSPResponse, leaf, issuer)
-	if err != nil {
-		return nil, fmt.Errorf("failed to parse OCSP response: %w", err)
-	}
-	if err := resp.CheckSignatureFrom(issuer); err != nil {
-		return resp, err
-	}
-	return resp, nil
-}
+			nc.Subscribe("ping", func(m *nats.Msg) {
+				m.Respond([]byte("pong"))
+			})
+			nc.Flush()
 
-func TestOCSPTLSConfigNoLeafSet(t *testing.T) {
-	o := DefaultTestOptions
-	o.HTTPHost = "127.0.0.1"
-	o.HTTPSPort = -1
-	o.TLSConfig = &tls.Config{ServerName: "localhost"}
-	cert, err := tls.LoadX509KeyPair("configs/certs/server-cert.pem", "configs/certs/server-key.pem")
-	if err != nil {
-		t.Fatalf("Got error reading certificates: %s", err)
+			_, err = nc.Request("ping", []byte("ping"), 250*time.Millisecond)
+			if test.rerr != nil && err == nil {
+				t.Errorf("Expected error getting response")
+			} else if test.rerr == nil && err != nil {
+				t.Errorf("Expected response")
+			}
+		})
 	}
-	o.TLSConfig.Certificates = []tls.Certificate{cert}
-	s := RunServer(&o)
-	s.Shutdown()
 }
 
-func TestOCSPSuperCluster(t *testing.T) {
+func TestMixedCAOCSPSuperCluster(t *testing.T) {
 	const (
-		caCert = "configs/certs/ocsp/ca-cert.pem"
+		caCert = "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
 		caKey  = "configs/certs/ocsp/ca-key.pem"
 	)
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
-	ocspr := newOCSPResponder(t, caCert, caKey)
-	defer ocspr.Shutdown(ctx)
-	addr := fmt.Sprintf("http://%s", ocspr.Addr)
-	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-01-cert.pem", ocsp.Good)
-	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-02-cert.pem", ocsp.Good)
-	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-03-cert.pem", ocsp.Good)
-	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-04-cert.pem", ocsp.Good)
-	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-05-cert.pem", ocsp.Good)
-	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-06-cert.pem", ocsp.Good)
-	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-07-cert.pem", ocsp.Good)
-	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-08-cert.pem", ocsp.Good)
-	setOCSPStatus(t, addr, "configs/certs/ocsp/server-cert.pem", ocsp.Good)
+
+	intermediateCA1Responder := newOCSPResponderIntermediateCA1(t)
+	intermediateCA1ResponderURL := fmt.Sprintf("http://%s", intermediateCA1Responder.Addr)
+	defer intermediateCA1Responder.Shutdown(ctx)
+	setOCSPStatus(t, intermediateCA1ResponderURL, "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_cert.pem", ocsp.Good)
+
+	intermediateCA2Responder := newOCSPResponderIntermediateCA2(t)
+	intermediateCA2ResponderURL := fmt.Sprintf("http://%s", intermediateCA2Responder.Addr)
+	defer intermediateCA2Responder.Shutdown(ctx)
+	setOCSPStatus(t, intermediateCA2ResponderURL, "configs/certs/ocsp_peer/mini-ca/server2/TestServer3_cert.pem", ocsp.Good)
 
 	// Store Dirs
 	storeDirA := t.TempDir()
 	storeDirB := t.TempDir()
 	storeDirC := t.TempDir()
-	storeDirD := t.TempDir()
 
 	// Gateway server configuration
 	srvConfA := `
@@ -2592,9 +3719,9 @@ func TestOCSPSuperCluster(t *testing.T) {
 		ocsp { mode: "always" }
 
 		tls {
-			cert_file: "configs/certs/ocsp/server-status-request-url-01-cert.pem"
-			key_file: "configs/certs/ocsp/server-status-request-url-01-key.pem"
-			ca_file: "configs/certs/ocsp/ca-cert.pem"
+			cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+			key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+			ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
 			timeout: 5
 		}
 		store_dir: '%s'
@@ -2606,9 +3733,9 @@ func TestOCSPSuperCluster(t *testing.T) {
 			port: -1
 
 			tls {
-				cert_file: "configs/certs/ocsp/server-status-request-url-02-cert.pem"
-				key_file: "configs/certs/ocsp/server-status-request-url-02-key.pem"
-				ca_file: "configs/certs/ocsp/ca-cert.pem"
+				cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+				key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+				ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
 				timeout: 5
 			}
 		}
@@ -2620,9 +3747,9 @@ func TestOCSPSuperCluster(t *testing.T) {
 			advertise: "127.0.0.1"
 
 			tls {
-				cert_file: "configs/certs/ocsp/server-status-request-url-03-cert.pem"
-				key_file: "configs/certs/ocsp/server-status-request-url-03-key.pem"
-				ca_file: "configs/certs/ocsp/ca-cert.pem"
+				cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+				key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+				ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
 				timeout: 5
 				verify: true
 			}
@@ -2643,9 +3770,9 @@ func TestOCSPSuperCluster(t *testing.T) {
 		ocsp { mode: "always" }
 
 		tls {
-			cert_file: "configs/certs/ocsp/server-status-request-url-01-cert.pem"
-			key_file: "configs/certs/ocsp/server-status-request-url-01-key.pem"
-			ca_file: "configs/certs/ocsp/ca-cert.pem"
+			cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+			key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+			ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
 			timeout: 5
 		}
 		store_dir: '%s'
@@ -2659,9 +3786,9 @@ func TestOCSPSuperCluster(t *testing.T) {
 			routes: [ nats://127.0.0.1:%d ]
 
 			tls {
-				cert_file: "configs/certs/ocsp/server-status-request-url-02-cert.pem"
-				key_file: "configs/certs/ocsp/server-status-request-url-02-key.pem"
-				ca_file: "configs/certs/ocsp/ca-cert.pem"
+				cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+				key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+				ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
 				timeout: 5
 			}
 		}
@@ -2673,9 +3800,9 @@ func TestOCSPSuperCluster(t *testing.T) {
 			port: -1
 
 			tls {
-				cert_file: "configs/certs/ocsp/server-status-request-url-03-cert.pem"
-				key_file: "configs/certs/ocsp/server-status-request-url-03-key.pem"
-				ca_file: "configs/certs/ocsp/ca-cert.pem"
+				cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
+				key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
+				ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
 				timeout: 5
 				verify: true
 			}
@@ -2705,7 +3832,7 @@ func TestOCSPSuperCluster(t *testing.T) {
 	}
 	defer cA.Close()
 
-	// Start another server that will make connect as a gateway to cluster A.
+	// Start another server that will make connect as a gateway to cluster A but with different CA issuer.
 	srvConfC := `
 		host: "127.0.0.1"
 		port: -1
@@ -2715,9 +3842,9 @@ func TestOCSPSuperCluster(t *testing.T) {
 		ocsp { mode: "always" }
 
 		tls {
-			cert_file: "configs/certs/ocsp/server-status-request-url-05-cert.pem"
-			key_file: "configs/certs/ocsp/server-status-request-url-05-key.pem"
-			ca_file: "configs/certs/ocsp/ca-cert.pem"
+			cert_file: "configs/certs/ocsp_peer/mini-ca/server2/TestServer3_bundle.pem"
+			key_file: "configs/certs/ocsp_peer/mini-ca/server2/private/TestServer3_keypair.pem"
+			ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
 			timeout: 5
 		}
 		store_dir: '%s'
@@ -2730,16 +3857,16 @@ func TestOCSPSuperCluster(t *testing.T) {
 				name: "A",
 				urls: ["nats://127.0.0.1:%d"]
 				tls {
-					cert_file: "configs/certs/ocsp/server-status-request-url-06-cert.pem"
-					key_file: "configs/certs/ocsp/server-status-request-url-06-key.pem"
-					ca_file: "configs/certs/ocsp/ca-cert.pem"
+					cert_file: "configs/certs/ocsp_peer/mini-ca/server2/TestServer3_bundle.pem"
+					key_file: "configs/certs/ocsp_peer/mini-ca/server2/private/TestServer3_keypair.pem"
+					ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
 					timeout: 5
 				}
 			}]
 			tls {
-				cert_file: "configs/certs/ocsp/server-status-request-url-06-cert.pem"
-				key_file: "configs/certs/ocsp/server-status-request-url-06-key.pem"
-				ca_file: "configs/certs/ocsp/ca-cert.pem"
+				cert_file: "configs/certs/ocsp_peer/mini-ca/server2/TestServer3_bundle.pem"
+				key_file: "configs/certs/ocsp_peer/mini-ca/server2/private/TestServer3_keypair.pem"
+				ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
 				timeout: 5
 				verify: true
 			}
@@ -2754,67 +3881,6 @@ func TestOCSPSuperCluster(t *testing.T) {
 	checkClusterFormed(t, srvA, srvB)
 	waitForOutboundGateways(t, srvC, 1, 5*time.Second)
 
-	// Start one more server that will become another gateway.
-	srvConfD := `
-		host: "127.0.0.1"
-		port: -1
-
-		server_name: "D"
-
-		ocsp { mode: "auto", url: "%s" }
-
-		tls {
-			cert_file: "configs/certs/ocsp/server-status-request-url-07-cert.pem"
-			key_file: "configs/certs/ocsp/server-status-request-url-07-key.pem"
-			ca_file: "configs/certs/ocsp/ca-cert.pem"
-			timeout: 5
-		}
-		store_dir: '%s'
-		gateway {
-			name: D
-			host: "127.0.0.1"
-			advertise: "127.0.0.1"
-			port: -1
-			gateways: [{
-				name: "A",
-				urls: ["nats://127.0.0.1:%d"]
-				tls {
-					cert_file: "configs/certs/ocsp/server-status-request-url-08-cert.pem"
-					key_file: "configs/certs/ocsp/server-status-request-url-08-key.pem"
-					ca_file: "configs/certs/ocsp/ca-cert.pem"
-					timeout: 5
-				}},
-				{
-				name: "C",
-				urls: ["nats://127.0.0.1:%d"]
-
-				####################################################################
-				## TEST NOTE: This cert does not have an OCSP Staple intentionally##
-				####################################################################
-				tls {
-					ca_file: "configs/certs/ocsp/ca-cert.pem"
-					cert_file: "configs/certs/ocsp/server-cert.pem"
-					key_file: "configs/certs/ocsp/server-key.pem"
-					timeout: 5
-				}}
-			]
-			tls {
-				cert_file: "configs/certs/ocsp/server-status-request-url-08-cert.pem"
-				key_file: "configs/certs/ocsp/server-status-request-url-08-key.pem"
-				ca_file: "configs/certs/ocsp/ca-cert.pem"
-				timeout: 5
-				verify: true
-			}
-		}
-	`
-	srvConfD = fmt.Sprintf(srvConfD, addr, storeDirD, optsA.Gateway.Port, optsC.Gateway.Port)
-	conf = createConfFile(t, []byte(srvConfD))
-	srvD, _ := RunServerWithConfig(conf)
-	defer srvD.Shutdown()
-
-	// There should be a single gateway here because one of the gateway connections does not have a OCSP staple.
-	waitForOutboundGateways(t, srvD, 1, 10*time.Second)
-
 	// Connect to cluster A using server B.
 	cB, err := nats.Connect(fmt.Sprintf("tls://127.0.0.1:%d", optsB.Port),
 		nats.Secure(&tls.Config{
@@ -2899,7 +3965,4 @@ func TestOCSPSuperCluster(t *testing.T) {
 	if lerr != nil {
 		t.Errorf("Unexpected error: %v", lerr)
 	}
-	if n := srvD.NumOutboundGateways(); n > 1 {
-		t.Errorf("Expected single gateway, got: %v", n)
-	}
 }
diff --git a/test/system_services_test.go b/test/system_services_test.go
index 0bdd06ed7..cc0c19d77 100644
--- a/test/system_services_test.go
+++ b/test/system_services_test.go
@@ -262,7 +262,7 @@ func TestSystemServiceSubscribersLeafNodesWithoutSystem(t *testing.T) {
 	// For now we do not see all the details behind a leafnode if the leafnode is not enabled.
 	checkDbgNumSubs(t, nc, "foo.bar.3", 2)
 
-	checkDbgNumSubs(t, nc, "foo.bar.baz QG.22", 11)
+	checkDbgNumSubs(t, nc, "foo.bar.baz QG.22", 12)
 }
 
 func runSolicitLeafServerWithSystemToURL(surl string) (*server.Server, *server.Options) {
diff --git a/test/test_test.go b/test/test_test.go
index 60617e932..c6b83de65 100644
--- a/test/test_test.go
+++ b/test/test_test.go
@@ -146,9 +146,12 @@ func (d *dummyLogger) Debugf(format string, args ...interface{}) {
 func (d *dummyLogger) Tracef(format string, args ...interface{}) {
 }
 
+// ** added by Memphis
 func (d *dummyLogger) Systemf(format string, args ...interface{}) {
 }
 
+// ** added by Memphis
+
 func (d *dummyLogger) Noticef(format string, args ...interface{}) {
 }
 
diff --git a/test/tls_test.go b/test/tls_test.go
index 288d4b737..dc430d860 100644
--- a/test/tls_test.go
+++ b/test/tls_test.go
@@ -72,6 +72,26 @@ func TestTLSConnection(t *testing.T) {
 	}
 }
 
+// TestTLSInProcessConnection checks that even if TLS is enabled on the server,
+// that an in-process connection that does *not* use TLS still connects successfully.
+func TestTLSInProcessConnection(t *testing.T) {
+	srv, opts := RunServerWithConfig("./configs/tls.conf")
+	defer srv.Shutdown()
+
+	nc, err := nats.Connect("", nats.InProcessServer(srv), nats.UserInfo(opts.Username, opts.Password))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if nc.TLSRequired() {
+		t.Fatalf("Shouldn't have required TLS for in-process connection")
+	}
+
+	if _, err = nc.TLSConnectionState(); err == nil {
+		t.Fatal("Should have got an error retrieving TLS connection state")
+	}
+}
+
 func TestTLSClientCertificate(t *testing.T) {
 	srv, opts := RunServerWithConfig("./configs/tlsverify.conf")
 	defer srv.Shutdown()
diff --git a/test/verbose_test.go b/test/verbose_test.go
index af88477d8..d370a2df9 100644
--- a/test/verbose_test.go
+++ b/test/verbose_test.go
@@ -10,6 +10,7 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+
 package test
 
 import (

From b8297a8231ab845cd18a2620f26e04dd44466cc5 Mon Sep 17 00:00:00 2001
From: shay23b <shay@memphis.dev>
Date: Tue, 5 Dec 2023 16:22:38 +0200
Subject: [PATCH 05/16] from cloud

---
 server/memphis_cloud.go              | 8 ++++++++
 server/memphis_handlers_stations.go  | 5 +++++
 server/memphis_handlers_user_mgmt.go | 6 +++++-
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/server/memphis_cloud.go b/server/memphis_cloud.go
index f4fe1ec83..0bfc6c973 100644
--- a/server/memphis_cloud.go
+++ b/server/memphis_cloud.go
@@ -2382,3 +2382,11 @@ func getUsageLimitProduersLimitPerStation(tenantName, stationName string) (float
 func (s *Server) GetConnectorsByStationAndPartition(stationID, partitionNumber, numOfPartitions int) ([]map[string]string, error) {
 	return []map[string]string{}, nil
 }
+
+func deleteConnectorsStationResources(tenantName string, stationID int) error {
+	return nil
+}
+
+func deleteConnectorsTenantResources(tenantName string) error {
+	return nil
+}
diff --git a/server/memphis_handlers_stations.go b/server/memphis_handlers_stations.go
index 1a7ba0640..b955ccdf2 100644
--- a/server/memphis_handlers_stations.go
+++ b/server/memphis_handlers_stations.go
@@ -182,6 +182,11 @@ func removeStationResources(s *Server, station models.Station, shouldDeleteStrea
 		return err
 	}
 
+	err = deleteConnectorsStationResources(station.TenantName, station.ID)
+	if err != nil {
+		return err
+	}
+
 	return nil
 }
 
diff --git a/server/memphis_handlers_user_mgmt.go b/server/memphis_handlers_user_mgmt.go
index 9dd76cd5e..ef57bf312 100644
--- a/server/memphis_handlers_user_mgmt.go
+++ b/server/memphis_handlers_user_mgmt.go
@@ -160,7 +160,11 @@ func removeTenantResources(tenantName string, user models.User) error {
 	if err != nil {
 		return err
 	}
-	// TODO: send response of DeleteAndGetAttachedFunctionsByStation to microservice to delete
+
+	err = deleteConnectorsTenantResources(tenantName)
+	if err != nil {
+		return err
+	}
 
 	err = db.RemoveStationsByTenant(tenantName)
 	if err != nil {

From a6fef73fd937f679ab4eabe8a99f838aba61a9fc Mon Sep 17 00:00:00 2001
From: Avitaltrifsik <107035359+Avitaltrifsik@users.noreply.github.com>
Date: Wed, 6 Dec 2023 10:59:14 +0200
Subject: [PATCH 06/16] Update README.md (#1483)

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index a0d6abe38..c238e4294 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-[![Github (6)](https://github.com/memphisdev/memphis/assets/107035359/bc2feafc-946c-4569-ab8d-836bc0181890)](https://www.functions.memphis.dev/)
+[![Github functions new banner (1)](https://github.com/memphisdev/memphis/assets/107035359/7f89dcba-b897-4164-93b3-fec252341960)](https://www.functions.memphis.dev/)
 <p align="center">
 <a href="https://memphis.dev/discord"><img src="https://img.shields.io/discord/963333392844328961?color=6557ff&label=discord" alt="Discord"></a>
 <a href="https://github.com/memphisdev/memphis/issues?q=is%3Aissue+is%3Aclosed"><img src="https://img.shields.io/github/issues-closed/memphisdev/memphis?color=6557ff"></a> 

From 034745e2814b5541105e98185ca7e33db9ec0ae7 Mon Sep 17 00:00:00 2001
From: svetaStrech <sveta@strech.io>
Date: Wed, 6 Dec 2023 21:20:30 +0200
Subject: [PATCH 07/16] align with cloud

---
 ui_src/src/App.js                             |   9 +-
 ui_src/src/App.scss                           |   1 +
 ui_src/src/assets/images/connectIcon.svg      |  15 +
 ui_src/src/assets/images/connectorIcon.svg    |   6 +
 ui_src/src/assets/images/producerIcon.svg     |   9 +
 ui_src/src/assets/images/purplePlus.svg       |   4 +
 ui_src/src/components/InputNumber/index.js    |   3 +-
 ui_src/src/components/InputNumber/style.scss  |  12 +-
 ui_src/src/components/connectorModal/index.js | 345 +++++++++++++++++
 .../src/components/connectorModal/style.scss  |  57 +++
 ui_src/src/components/customSelect/style.scss |   9 +
 .../src/components/produceMessages/index.js   |   2 +-
 ui_src/src/components/select/index.js         |   7 +-
 ui_src/src/components/select/style.scss       |  68 +++-
 ui_src/src/components/sideBar/index.js        |  77 ++--
 ui_src/src/components/sideBar/style.scss      |  62 ++--
 ui_src/src/components/spinner/index.js        |  21 +-
 ui_src/src/connectors/assets/awsKinesis.svg   |  10 +
 ui_src/src/connectors/assets/kafkaIcon.svg    |  10 +
 ui_src/src/connectors/assets/s3LogoIcon.svg   |  10 +
 ui_src/src/connectors/index.js                |  12 +
 ui_src/src/connectors/kafka.js                | 187 ++++++++++
 ui_src/src/connectors/kinesis.js              |  97 +++++
 ui_src/src/const/apiEndpoints.js              |   4 +
 ui_src/src/domain/administration/index.js     |   5 +-
 .../ProduceConsumList/index.js                | 347 +++++++++++++++---
 .../ProduceConsumList/style.scss              |  73 +++-
 .../components/functionsOverview/style.scss   |   4 +-
 .../stationOverviewHeader/index.js            |  17 +-
 .../stationOverviewHeader/style.scss          |   2 +-
 ui_src/src/domain/stationOverview/style.scss  |   3 +-
 .../stationsList/stationBoxOverview/index.js  |   2 +-
 32 files changed, 1316 insertions(+), 174 deletions(-)
 create mode 100644 ui_src/src/assets/images/connectIcon.svg
 create mode 100644 ui_src/src/assets/images/connectorIcon.svg
 create mode 100644 ui_src/src/assets/images/producerIcon.svg
 create mode 100644 ui_src/src/assets/images/purplePlus.svg
 create mode 100644 ui_src/src/components/connectorModal/index.js
 create mode 100644 ui_src/src/components/connectorModal/style.scss
 create mode 100644 ui_src/src/connectors/assets/awsKinesis.svg
 create mode 100644 ui_src/src/connectors/assets/kafkaIcon.svg
 create mode 100644 ui_src/src/connectors/assets/s3LogoIcon.svg
 create mode 100644 ui_src/src/connectors/index.js
 create mode 100644 ui_src/src/connectors/kafka.js
 create mode 100644 ui_src/src/connectors/kinesis.js

diff --git a/ui_src/src/App.js b/ui_src/src/App.js
index edfd21df0..5fcf156e9 100644
--- a/ui_src/src/App.js
+++ b/ui_src/src/App.js
@@ -29,9 +29,7 @@ import {
     LOCAL_STORAGE_USER_PASS_BASED_AUTH,
     LOCAL_STORAGE_WS_PORT,
     USER_IMAGE,
-    LOCAL_STORAGE_PLAN,
-    LOCAL_STORAGE_FULL_NAME,
-    LOCAL_STORAGE_USER_NAME
+    LOCAL_STORAGE_PLAN
 } from './const/localStorageConsts';
 import { CLOUD_URL, ENVIRONMENT, HANDLE_REFRESH_INTERVAL, WS_PREFIX, WS_SERVER_URL_PRODUCTION } from './config';
 import { isCheckoutCompletedTrue, isCloud } from './services/valueConvertor';
@@ -686,6 +684,11 @@ const App = withRouter(() => {
                             />
                             <PrivateRoute exact path={`${pathDomains.administration}/usage`} component={<AppWrapper content={<Administration />}></AppWrapper>} />
                             <PrivateRoute exact path={`${pathDomains.administration}/payments`} component={<AppWrapper content={<Administration />}></AppWrapper>} />
+                            <PrivateRoute
+                                exact
+                                path={`${pathDomains.administration}/system_information`}
+                                component={<AppWrapper content={<Administration />}></AppWrapper>}
+                            />
 
                             <PrivateRoute
                                 path="/"
diff --git a/ui_src/src/App.scss b/ui_src/src/App.scss
index 5846122fe..858d842ea 100644
--- a/ui_src/src/App.scss
+++ b/ui_src/src/App.scss
@@ -1,3 +1,4 @@
+//ANT design v4
 @import '~antd/dist/antd.css';
 @import '@stigg/react-sdk/dist/styles.css';
 
diff --git a/ui_src/src/assets/images/connectIcon.svg b/ui_src/src/assets/images/connectIcon.svg
new file mode 100644
index 000000000..2df412708
--- /dev/null
+++ b/ui_src/src/assets/images/connectIcon.svg
@@ -0,0 +1,15 @@
+<svg width="15" height="15" viewBox="0 0 15 15" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g id="flow-connection" clip-path="url(#clip0_8996_14942)">
+<g id="elements">
+<path id="Rectangle 2311 (Stroke)" d="M3.71822 0.78125H3.75H3.78178H3.78181C4.27026 0.78123 4.68339 0.781214 5.0126 0.825476C5.36243 0.872508 5.68682 0.977111 5.94861 1.2389C6.21039 1.50068 6.315 1.82508 6.36203 2.1749C6.40629 2.50412 6.40627 2.91726 6.40625 3.40573V3.46928C6.40627 3.95775 6.40629 4.37088 6.36203 4.7001C6.315 5.04992 6.21039 5.37432 5.94861 5.63611C5.68682 5.89789 5.36242 6.0025 5.0126 6.04953C4.68338 6.09379 4.27025 6.09377 3.78178 6.09375H3.71823C3.22976 6.09377 2.81662 6.09379 2.4874 6.04953C2.13758 6.0025 1.81318 5.89789 1.5514 5.63611C1.28961 5.37432 1.18501 5.04993 1.13798 4.7001C1.09371 4.37089 1.09373 3.95776 1.09375 3.46931V3.46928V3.4375V3.40572V3.4057C1.09373 2.91724 1.09371 2.50412 1.13798 2.1749C1.18501 1.82508 1.28961 1.50068 1.5514 1.2389C1.81318 0.977111 2.13758 0.872508 2.4874 0.825476C2.81662 0.781214 3.22974 0.78123 3.7182 0.78125H3.71822Z" fill="#6557FF"/>
+<path id="Rectangle 2312 (Stroke)" d="M2.83147 8.63622C3.09937 8.43181 3.39183 8.28125 3.75 8.28125C4.10816 8.28125 4.40063 8.43181 4.66853 8.63622C4.91992 8.82802 5.24202 9.15014 5.56817 9.47632C5.89436 9.80248 6.17198 10.0801 6.36378 10.3315C6.56818 10.5994 6.71875 10.8918 6.71875 11.25C6.71875 11.6082 6.56818 11.9006 6.36378 12.1685C6.17198 12.4199 5.89436 12.6975 5.56818 13.0237L5.56817 13.0237C5.24202 13.3499 4.91992 13.672 4.66853 13.8638C4.40063 14.0682 4.10816 14.2187 3.75 14.2187C3.39183 14.2187 3.09937 14.0682 2.83147 13.8638C2.58008 13.672 2.25799 13.3499 1.93183 13.0237L1.93183 13.0237C1.60565 12.6975 1.32802 12.4199 1.13622 12.1685C0.931815 11.9006 0.78125 11.6082 0.78125 11.25C0.78125 10.8918 0.931815 10.5994 1.13622 10.3315C1.32802 10.0801 1.65014 9.75798 1.97632 9.43183L1.97632 9.43183C2.30248 9.10564 2.58008 8.82802 2.83147 8.63622Z" fill="#6557FF"/>
+<path id="Vector 4876 (Stroke)" fill-rule="evenodd" clip-rule="evenodd" d="M3.75 5C3.40482 5 3.125 5.27982 3.125 5.625V8.75C3.125 9.09518 3.40482 9.375 3.75 9.375C4.09518 9.375 4.375 9.09518 4.375 8.75V5.625C4.375 5.27982 4.09518 5 3.75 5ZM10 11.25C10 10.9048 9.72018 10.625 9.375 10.625H6.25C5.90482 10.625 5.625 10.9048 5.625 11.25C5.625 11.5952 5.90482 11.875 6.25 11.875H9.375C9.72018 11.875 10 11.5952 10 11.25Z" fill="#6557FF"/>
+<path id="Rectangle 2313 (Stroke)" d="M11.5307 8.59375H11.5625H11.5943H11.5943C12.0828 8.59373 12.4959 8.59371 12.8251 8.63798C13.1749 8.68501 13.4993 8.78961 13.7611 9.0514C14.0229 9.31318 14.1275 9.63758 14.1745 9.9874C14.2188 10.3166 14.2188 10.7298 14.2188 11.2182V11.2818C14.2188 11.7702 14.2188 12.1834 14.1745 12.5126C14.1275 12.8624 14.0229 13.1868 13.7611 13.4486C13.4993 13.7104 13.1749 13.815 12.8251 13.862C12.4959 13.9063 12.0827 13.9063 11.5943 13.9063H11.5307C11.0423 13.9063 10.6291 13.9063 10.2999 13.862C9.95008 13.815 9.62568 13.7104 9.3639 13.4486C9.10211 13.1868 8.99751 12.8624 8.95048 12.5126C8.90621 12.1834 8.90623 11.7703 8.90625 11.2818V11.2818V11.25V11.2182V11.2182C8.90623 10.7297 8.90621 10.3166 8.95048 9.9874C8.99751 9.63758 9.10211 9.31318 9.3639 9.0514C9.62568 8.78961 9.95008 8.68501 10.2999 8.63798C10.6291 8.59371 11.0422 8.59373 11.5307 8.59375H11.5307Z" fill="#6557FF"/>
+</g>
+</g>
+<defs>
+<clipPath id="clip0_8996_14942">
+<rect width="15" height="15" fill="white"/>
+</clipPath>
+</defs>
+</svg>
diff --git a/ui_src/src/assets/images/connectorIcon.svg b/ui_src/src/assets/images/connectorIcon.svg
new file mode 100644
index 000000000..0c54c2e01
--- /dev/null
+++ b/ui_src/src/assets/images/connectorIcon.svg
@@ -0,0 +1,6 @@
+<svg width="15" height="16" viewBox="0 0 15 16" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M3.71822 1.28125H3.75H3.78178H3.78181C4.27026 1.28123 4.68339 1.28121 5.0126 1.32548C5.36243 1.37251 5.68682 1.47711 5.94861 1.7389C6.21039 2.00068 6.315 2.32508 6.36203 2.6749C6.40629 3.00412 6.40627 3.41726 6.40625 3.90573V3.96928C6.40627 4.45775 6.40629 4.87088 6.36203 5.2001C6.315 5.54992 6.21039 5.87432 5.94861 6.13611C5.68682 6.39789 5.36242 6.5025 5.0126 6.54953C4.68338 6.59379 4.27025 6.59377 3.78178 6.59375H3.71823C3.22976 6.59377 2.81662 6.59379 2.4874 6.54953C2.13758 6.5025 1.81318 6.39789 1.5514 6.13611C1.28961 5.87432 1.18501 5.54993 1.13798 5.2001C1.09371 4.87089 1.09373 4.45776 1.09375 3.96931V3.96928V3.9375V3.90572V3.9057C1.09373 3.41724 1.09371 3.00412 1.13798 2.6749C1.18501 2.32508 1.28961 2.00068 1.5514 1.7389C1.81318 1.47711 2.13758 1.37251 2.4874 1.32548C2.81662 1.28121 3.22974 1.28123 3.7182 1.28125H3.71822Z" fill="#6557FF"/>
+<path d="M2.83147 9.13622C3.09937 8.93181 3.39183 8.78125 3.75 8.78125C4.10816 8.78125 4.40063 8.93181 4.66853 9.13622C4.91992 9.32802 5.24202 9.65014 5.56817 9.97632C5.89436 10.3025 6.17198 10.5801 6.36378 10.8315C6.56818 11.0994 6.71875 11.3918 6.71875 11.75C6.71875 12.1082 6.56818 12.4006 6.36378 12.6685C6.17198 12.9199 5.89436 13.1975 5.56818 13.5237L5.56817 13.5237C5.24202 13.8499 4.91992 14.172 4.66853 14.3638C4.40063 14.5682 4.10816 14.7187 3.75 14.7187C3.39183 14.7187 3.09937 14.5682 2.83147 14.3638C2.58008 14.172 2.25799 13.8499 1.93183 13.5237L1.93183 13.5237C1.60565 13.1975 1.32802 12.9199 1.13622 12.6685C0.931815 12.4006 0.78125 12.1082 0.78125 11.75C0.78125 11.3918 0.931815 11.0994 1.13622 10.8315C1.32802 10.5801 1.65014 10.258 1.97632 9.93183L1.97632 9.93183C2.30248 9.60564 2.58008 9.32802 2.83147 9.13622Z" fill="#6557FF"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M3.75 5.5C3.40482 5.5 3.125 5.77982 3.125 6.125V9.25C3.125 9.59518 3.40482 9.875 3.75 9.875C4.09518 9.875 4.375 9.59518 4.375 9.25V6.125C4.375 5.77982 4.09518 5.5 3.75 5.5ZM10 11.75C10 11.4048 9.72018 11.125 9.375 11.125H6.25C5.90482 11.125 5.625 11.4048 5.625 11.75C5.625 12.0952 5.90482 12.375 6.25 12.375H9.375C9.72018 12.375 10 12.0952 10 11.75Z" fill="#6557FF"/>
+<path d="M11.5307 9.09375H11.5625H11.5943H11.5943C12.0828 9.09373 12.4959 9.09371 12.8251 9.13798C13.1749 9.18501 13.4993 9.28961 13.7611 9.5514C14.0229 9.81318 14.1275 10.1376 14.1745 10.4874C14.2188 10.8166 14.2188 11.2298 14.2188 11.7182V11.7818C14.2188 12.2702 14.2188 12.6834 14.1745 13.0126C14.1275 13.3624 14.0229 13.6868 13.7611 13.9486C13.4993 14.2104 13.1749 14.315 12.8251 14.362C12.4959 14.4063 12.0827 14.4063 11.5943 14.4063H11.5307C11.0423 14.4063 10.6291 14.4063 10.2999 14.362C9.95008 14.315 9.62568 14.2104 9.3639 13.9486C9.10211 13.6868 8.99751 13.3624 8.95048 13.0126C8.90621 12.6834 8.90623 12.2703 8.90625 11.7818V11.7818V11.75V11.7182V11.7182C8.90623 11.2297 8.90621 10.8166 8.95048 10.4874C8.99751 10.1376 9.10211 9.81318 9.3639 9.5514C9.62568 9.28961 9.95008 9.18501 10.2999 9.13798C10.6291 9.09371 11.0422 9.09373 11.5307 9.09375H11.5307Z" fill="#6557FF"/>
+</svg>
diff --git a/ui_src/src/assets/images/producerIcon.svg b/ui_src/src/assets/images/producerIcon.svg
new file mode 100644
index 000000000..b4fa1f67f
--- /dev/null
+++ b/ui_src/src/assets/images/producerIcon.svg
@@ -0,0 +1,9 @@
+<svg width="15" height="15" viewBox="0 0 15 15" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g id="vuesax/bold/code-circle">
+<g id="vuesax/bold/code-circle_2">
+<g id="code-circle">
+<path id="Vector" d="M7.5 1.25C4.05 1.25 1.25 4.05 1.25 7.5C1.25 10.95 4.05 13.75 7.5 13.75C10.95 13.75 13.75 10.95 13.75 7.5C13.75 4.05 10.95 1.25 7.5 1.25ZM5.33125 8.41875C5.5125 8.6 5.5125 8.9 5.33125 9.08125C5.2375 9.175 5.11875 9.21875 5 9.21875C4.88125 9.21875 4.7625 9.175 4.66875 9.08125L3.41875 7.83125C3.2375 7.65 3.2375 7.35 3.41875 7.16875L4.66875 5.91875C4.85 5.7375 5.15 5.7375 5.33125 5.91875C5.5125 6.1 5.5125 6.4 5.33125 6.58125L4.4125 7.5L5.33125 8.41875ZM8.55625 6.225L7.30625 9.14375C7.23125 9.31875 7.05625 9.425 6.875 9.425C6.8125 9.425 6.75 9.4125 6.69375 9.3875C6.45625 9.2875 6.34375 9.0125 6.45 8.76875L7.7 5.85C7.8 5.6125 8.075 5.5 8.3125 5.60625C8.55 5.7125 8.65625 5.9875 8.55625 6.225ZM11.5813 7.83125L10.3313 9.08125C10.2375 9.175 10.1187 9.21875 10 9.21875C9.88125 9.21875 9.7625 9.175 9.66875 9.08125C9.4875 8.9 9.4875 8.6 9.66875 8.41875L10.5875 7.5L9.66875 6.58125C9.4875 6.4 9.4875 6.1 9.66875 5.91875C9.85 5.7375 10.15 5.7375 10.3313 5.91875L11.5813 7.16875C11.7625 7.35 11.7625 7.65 11.5813 7.83125Z" fill="#6557FF"/>
+</g>
+</g>
+</g>
+</svg>
diff --git a/ui_src/src/assets/images/purplePlus.svg b/ui_src/src/assets/images/purplePlus.svg
new file mode 100644
index 000000000..3bf8b5295
--- /dev/null
+++ b/ui_src/src/assets/images/purplePlus.svg
@@ -0,0 +1,4 @@
+<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect width="24" height="24" rx="4" fill="#6557FF"/>
+<path d="M16.6667 11.3334H12.6667V7.33335C12.6667 7.15654 12.5964 6.98697 12.4714 6.86195C12.3464 6.73693 12.1768 6.66669 12 6.66669C11.8232 6.66669 11.6536 6.73693 11.5286 6.86195C11.4036 6.98697 11.3334 7.15654 11.3334 7.33335V11.3334H7.33335C7.15654 11.3334 6.98697 11.4036 6.86195 11.5286C6.73693 11.6536 6.66669 11.8232 6.66669 12C6.66669 12.1768 6.73693 12.3464 6.86195 12.4714C6.98697 12.5964 7.15654 12.6667 7.33335 12.6667H11.3334V16.6667C11.3334 16.8435 11.4036 17.0131 11.5286 17.1381C11.6536 17.2631 11.8232 17.3334 12 17.3334C12.1768 17.3334 12.3464 17.2631 12.4714 17.1381C12.5964 17.0131 12.6667 16.8435 12.6667 16.6667V12.6667H16.6667C16.8435 12.6667 17.0131 12.5964 17.1381 12.4714C17.2631 12.3464 17.3334 12.1768 17.3334 12C17.3334 11.8232 17.2631 11.6536 17.1381 11.5286C17.0131 11.4036 16.8435 11.3334 16.6667 11.3334Z" fill="white"/>
+</svg>
diff --git a/ui_src/src/components/InputNumber/index.js b/ui_src/src/components/InputNumber/index.js
index e70f706b3..dec6ad414 100644
--- a/ui_src/src/components/InputNumber/index.js
+++ b/ui_src/src/components/InputNumber/index.js
@@ -18,7 +18,7 @@ import React from 'react';
 import ArrowDropDownRounded from '@material-ui/icons/ArrowDropDownRounded';
 import ArrowDropUpRounded from '@material-ui/icons/ArrowDropUpRounded';
 
-const InputNumberComponent = ({ min, max, onChange, value, placeholder, disabled, bordered = false }) => {
+const InputNumberComponent = ({ min, max, onChange, value, placeholder, disabled, bordered = false, style }) => {
     const handleChange = (e) => {
         onChange(e);
     };
@@ -34,6 +34,7 @@ const InputNumberComponent = ({ min, max, onChange, value, placeholder, disabled
             placeholder={placeholder}
             disabled={disabled}
             className="input-number-wrapper"
+            style={style}
             controls={{ downIcon: <ArrowDropDownRounded />, upIcon: <ArrowDropUpRounded /> }}
         />
     );
diff --git a/ui_src/src/components/InputNumber/style.scss b/ui_src/src/components/InputNumber/style.scss
index e549b0525..ebfd6aed7 100644
--- a/ui_src/src/components/InputNumber/style.scss
+++ b/ui_src/src/components/InputNumber/style.scss
@@ -1,14 +1,18 @@
-.input-number-wrapper{
-    svg{
+.input-number-wrapper {
+    svg {
         color: black;
     }
-
 }
 .ant-input-number {
     border-radius: 4px;
     border: 1px solid var(--gray);
 }
 
+.ant-input-number:hover {
+    border-color: var(--gray);
+    border: 1px solid var(--gray);
+}
+
 .ant-input-number-focused {
     box-shadow: unset;
 }
@@ -17,4 +21,4 @@
 }
 .ant-input-number-handler-wrap {
     opacity: 1;
-}
\ No newline at end of file
+}
diff --git a/ui_src/src/components/connectorModal/index.js b/ui_src/src/components/connectorModal/index.js
new file mode 100644
index 000000000..defb1ebfe
--- /dev/null
+++ b/ui_src/src/components/connectorModal/index.js
@@ -0,0 +1,345 @@
+// Copyright 2022-2023 The Memphis.dev Authors
+// Licensed under the Memphis Business Source License 1.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// Changed License: [Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0), as published by the Apache Foundation.
+//
+// https://github.com/memphisdev/memphis/blob/master/LICENSE
+//
+// Additional Use Grant: You may make use of the Licensed Work (i) only as part of your own product or service, provided it is not a message broker or a message queue product or service; and (ii) provided that you do not use, provide, distribute, or make available the Licensed Work as a Service.
+// A "Service" is a commercial offering, product, hosted, or managed service, that allows third parties (other than your own employees and contractors acting on your behalf) to access and/or use the Licensed Work or a substantial set of the features or functionality of the Licensed Work to third parties as a software-as-a-service, platform-as-a-service, infrastructure-as-a-service or other similar services that compete with Licensor products or services.
+
+import './style.scss';
+
+import React, { useContext, useEffect, useState } from 'react';
+import { Divider, Form, Result } from 'antd';
+import { StationStoreContext } from '../../domain/stationOverview';
+import { ReactComponent as ConnectorIcon } from '../../assets/images/connectorIcon.svg';
+import InputNumberComponent from '../InputNumber';
+import TitleComponent from '../titleComponent';
+import SelectComponent from '../select';
+import { Select } from 'antd';
+import Input from '../Input';
+import Modal from '../modal';
+import Spinner from '../spinner';
+import { ApiEndpoints } from '../../const/apiEndpoints';
+import { httpRequest } from '../../services/http';
+import CloudModal from '../cloudModal';
+import { isCloud } from '../../services/valueConvertor';
+import { connectorTypes } from '../../connectors';
+
+const ConnectorModal = ({ open, clickOutside, newConnecor, source }) => {
+    const [stationState, stationDispatch] = useContext(StationStoreContext);
+    const [connectorForm] = Form.useForm();
+    const [step, setStep] = useState(1);
+    const [isEditing, setIsEditing] = useState(false);
+    const [loading, setLoading] = useState(false);
+    const [formFields, setFormFields] = useState({
+        connector_type: source ? 'source' : 'sink'
+    });
+    const [connectorInputFields, setConnectorInputFields] = useState([]);
+    const [resError, setError] = useState(null);
+    const [cloudModalopen, setCloudModalOpen] = useState(false);
+
+    useEffect(() => {
+        if (open) {
+            setStep(1);
+            setFormFields({
+                connector_type: source ? 'source' : 'sink'
+            });
+            setIsEditing(false);
+            setLoading(false);
+            setError(null);
+        }
+    }, [open]);
+
+    useEffect(() => {
+        let connectorType = connectorTypes.find((connector) => connector.name === formFields?.type);
+        formFields?.type && setConnectorInputFields(connectorType?.inputs[formFields?.connector_type]);
+    }, [formFields?.type, formFields?.connector_type]);
+
+    const updateFormState = (key, value) => {
+        setFormFields({ ...formFields, [key]: value });
+    };
+    const updateFormSettingsState = (key, value) => {
+        let settings = formFields?.settings || {};
+        settings[key] = value;
+        setFormFields({ ...formFields, settings });
+    };
+
+    const updateMultiFormState = (key, value, index) => {
+        let settings = formFields?.settings || {};
+        settings[key] = value;
+        setFormFields({ ...formFields, settings });
+        isEditing && setIsEditing(false);
+    };
+
+    const handleSearch = (value, index) => {
+        let conntectorsNewFields = [...connectorInputFields];
+        if (isEditing) conntectorsNewFields[index]?.options?.splice(-1, 1);
+        else setIsEditing(true);
+        value !== '' &&
+            conntectorsNewFields[index]?.options?.push({
+                name: value,
+                value: value
+            });
+        setConnectorInputFields(conntectorsNewFields);
+    };
+
+    const connectorModalTitle =
+        step === 1 ? (
+            <>
+                <p>Add a new connector</p>
+                <label>Choose a ready-to-use sink for the ingested messages</label>
+            </>
+        ) : loading ? (
+            <>
+                <p>Validating connectivity</p>
+                <label>Choose a ready-to-use sink for the ingested messages</label>
+            </>
+        ) : resError ? (
+            <>
+                <p>Error while creating connector</p>
+                <label>Choose a ready-to-use sink for the ingested messages</label>
+            </>
+        ) : (
+            <>
+                <p>Created successfully</p>
+                <label>Choose a ready-to-use sink for the ingested messages</label>
+            </>
+        );
+    const onFinish = async () => {
+        try {
+            await connectorForm.validateFields();
+            if (step === 1) {
+                isCloud() ? createConnector() : setCloudModalOpen(true);
+            } else {
+                resError ? setStep(1) : clickOutside();
+                setError(null);
+            }
+        } catch (err) {
+            console.log(err);
+        }
+    };
+
+    const createConnector = async () => {
+        setLoading(true);
+        setError(null);
+        setStep(2);
+        try {
+            const modifiedSettings = { ...formFields?.settings };
+
+            for (const key in modifiedSettings) {
+                if (Array.isArray(modifiedSettings[key])) {
+                    modifiedSettings[key] = modifiedSettings[key].join(',');
+                }
+            }
+            let data = await httpRequest('POST', ApiEndpoints.CREATE_CONNECTOR, {
+                name: formFields?.name,
+                station_id: stationState?.stationMetaData?.id,
+                type: formFields?.type,
+                connector_type: formFields?.connector_type,
+                settings: modifiedSettings,
+                partitions: [stationState?.stationPartition]
+            });
+            newConnecor(data?.connector, source);
+        } catch (error) {
+            setError(JSON.stringify(error));
+        } finally {
+            setLoading(false);
+        }
+    };
+
+    const generateFormItem = (input, index) => {
+        return (
+            <>
+                <Form.Item
+                    name={input?.name}
+                    validateTrigger="onChange"
+                    rules={[
+                        {
+                            required: input?.required,
+                            message: `required`
+                        }
+                    ]}
+                >
+                    <TitleComponent headerTitle={input?.display} typeTitle="sub-header" headerDescription={input?.description} />
+                    {input?.type === 'string' && (
+                        <Input
+                            value={formFields[input?.name]}
+                            placeholder={input?.placeholder}
+                            type="text"
+                            radiusType="semi-round"
+                            backgroundColorType="none"
+                            boxShadowsType="none"
+                            colorType="black"
+                            borderColorType="gray"
+                            width="100%"
+                            height="40px"
+                            fontSize="14px"
+                            onChange={(e) => {
+                                input?.name === 'name' ? updateFormState(input?.name, e.target.value) : updateFormSettingsState(input?.name, e.target.value);
+                                connectorForm.setFieldValue(input?.name, e.target.value);
+                            }}
+                        />
+                    )}
+                    {input?.type === 'number' && (
+                        <InputNumberComponent
+                            radiusType="semi-round"
+                            backgroundColorType="none"
+                            boxShadowsType="none"
+                            colorType="black"
+                            borderColorType="gray"
+                            fontSize="14px"
+                            style={{ width: '100%', height: '40px', display: 'flex', alignItems: 'center' }}
+                            min={0}
+                            onChange={(e) => {
+                                updateFormSettingsState(input?.name, e);
+                                connectorForm.setFieldValue(input?.name, e);
+                            }}
+                            value={formFields[input?.name]}
+                            placeholder={input?.placeholder}
+                        />
+                    )}
+                    {input?.type === 'select' && (
+                        <SelectComponent
+                            colorType="black"
+                            backgroundColorType="none"
+                            fontFamily="Inter"
+                            borderColorType="gray"
+                            radiusType="semi-round"
+                            height="40px"
+                            popupClassName="select-options"
+                            options={input?.options}
+                            value={formFields[input?.name]}
+                            placeholder={input?.placeholder}
+                            onChange={(e) => {
+                                updateFormSettingsState(input?.name, e);
+                                connectorForm.setFieldValue(input?.name, e);
+                            }}
+                            disabled={false}
+                        />
+                    )}
+                    {input?.type === 'multi' && (
+                        <Select
+                            mode="multiple"
+                            colorType="black"
+                            backgroundColorType="none"
+                            fontFamily="Inter"
+                            borderColorType="gray"
+                            radiusType="semi-round"
+                            popupClassName="select-options"
+                            showSearch
+                            placeholder={input?.placeholder}
+                            options={input?.options}
+                            onSearch={(e) => handleSearch(e, index)}
+                            onChange={(e) => {
+                                updateMultiFormState(input?.name, e, index);
+                                connectorForm.setFieldValue(input?.name, e);
+                            }}
+                            autoClearSearchValue
+                            style={{ width: '100%', borderRadius: '5px', minHeight: '40px' }}
+                        />
+                    )}
+                </Form.Item>
+                {input?.children &&
+                    formFields?.settings &&
+                    formFields?.settings[input?.name] &&
+                    connectorInputFields[index][formFields?.settings[input?.name]]?.map((child, index) => generateFormItem(child, index))}
+            </>
+        );
+    };
+
+    return (
+        <Modal
+            header={
+                <div className="modal-header">
+                    <div className="header-img-container">
+                        <ConnectorIcon className="headerImage" alt="stationImg" />
+                    </div>
+                    {connectorModalTitle}
+                </div>
+            }
+            className={'modal-wrapper produce-modal'}
+            width="550px"
+            height="60vh"
+            clickOutside={clickOutside}
+            open={open}
+            displayButtons={true}
+            rBtnText={step === 1 ? 'Next' : resError ? 'Back' : 'Done'}
+            lBtnText={'Close'}
+            rBtnClick={onFinish}
+            lBtnClick={clickOutside}
+            isLoading={false}
+            keyListener={false}
+        >
+            <div className="connector-modal-wrapper">
+                {step === 1 && (
+                    <Form name="form" form={connectorForm} autoComplete="on" className={'connector-form'}>
+                        <Form.Item name="connector_type" validateTrigger="onChange">
+                            <TitleComponent headerTitle="Direction" typeTitle="sub-header" headerDescription="Choose the direction of the connector" />
+                            <SelectComponent
+                                colorType="black"
+                                backgroundColorType="none"
+                                fontFamily="Inter"
+                                borderColorType="gray"
+                                radiusType="semi-round"
+                                height="40px"
+                                popupClassName="select-options"
+                                options={['source', 'sink']}
+                                value={formFields?.connector_type}
+                                onChange={(e) => updateFormState('connector_type', e)}
+                                onBlur={(e) => updateFormState('connector_type', e)}
+                                disabled={false}
+                            />
+                        </Form.Item>
+                        <Form.Item name="type" validateTrigger="onChange">
+                            <TitleComponent headerTitle="Type" typeTitle="sub-header" headerDescription="Choose the type of the connector" />
+                            <SelectComponent
+                                colorType="black"
+                                backgroundColorType="none"
+                                fontFamily="Inter"
+                                borderColorType="gray"
+                                radiusType="semi-round"
+                                height="40px"
+                                popupClassName="select-options"
+                                options={connectorTypes}
+                                value={formFields?.type}
+                                onChange={(e) => {
+                                    updateFormState('type', e);
+                                    connectorForm.setFieldValue('connectorType', e);
+                                }}
+                                disabled={false}
+                            />
+                        </Form.Item>
+                        <Divider />
+                        <div className="connector-inputs">
+                            {formFields?.type &&
+                                connectorInputFields?.map((input, index) => {
+                                    return generateFormItem(input, index);
+                                })}
+                        </div>
+                    </Form>
+                )}
+                {step === 2 && !resError && (
+                    <div className="validation">
+                        {loading ? (
+                            <>
+                                <Spinner fontSize={60} />
+                                <p>Waiting for messages to arrive</p>
+                            </>
+                        ) : (
+                            <Result status="success" subTitle="The connector has been successfully created and is now ready to use" />
+                        )}
+                    </div>
+                )}
+
+                {step === 2 && resError && !loading && <div className="result">{resError}</div>}
+            </div>
+            <CloudModal type="cloud" open={cloudModalopen} handleClose={() => setCloudModalOpen(false)} />
+        </Modal>
+    );
+};
+
+export default ConnectorModal;
diff --git a/ui_src/src/components/connectorModal/style.scss b/ui_src/src/components/connectorModal/style.scss
new file mode 100644
index 000000000..ba1fac131
--- /dev/null
+++ b/ui_src/src/components/connectorModal/style.scss
@@ -0,0 +1,57 @@
+.connector-modal-wrapper {
+    gap: 10px;
+    display: flex;
+    flex-direction: column;
+    height: 100%;
+    font-family: 'Inter';
+    position: relative;
+    .ant-divider-horizontal {
+        margin: 20px 0px 10px 0px;
+    }
+    .ant-form-item {
+        margin-bottom: 10px;
+    }
+    .header-wrapper {
+        p {
+            font-family: 'InterSemiBold';
+            font-size: 16px;
+            margin: 0;
+        }
+        span {
+            font-family: 'Inter';
+            font-size: 12px;
+            color: #84818a;
+        }
+    }
+    .connector-form {
+        height: 100%;
+        position: relative;
+    }
+    .connector-inputs {
+        height: calc(100% - 215px);
+        overflow-y: auto;
+        padding: 2px;
+    }
+    .validation {
+        width: 100%;
+        margin: 20px 0px;
+        height: calc(100% - 40px);
+        border-radius: 12px;
+        border: 1px solid #dcdcdc;
+        display: flex;
+        flex-direction: column;
+        justify-content: center;
+        align-items: center;
+        gap: 20px;
+    }
+    .result {
+        width: 100%;
+        margin: 20px 0px;
+        height: calc(100% - 40px);
+        border-radius: 12px;
+        border: 1px solid #dcdcdc;
+        padding: 20px;
+        white-space: pre-wrap;
+        overflow-y: auto;
+    }
+}
diff --git a/ui_src/src/components/customSelect/style.scss b/ui_src/src/components/customSelect/style.scss
index c75d5a647..2e3bfb0f2 100644
--- a/ui_src/src/components/customSelect/style.scss
+++ b/ui_src/src/components/customSelect/style.scss
@@ -1,4 +1,7 @@
 .select-schema-container {
+    p {
+        margin: 0;
+    }
     .select {
         border: 1px solid #d8d8d8;
         border-radius: 4px;
@@ -19,6 +22,12 @@
             margin-left: 10px;
         }
     }
+    .ant-select:not(.ant-select-customize-input) .ant-select-selector {
+        border: none;
+        background-color: unset;
+        text-align: initial;
+        align-items: center;
+    }
 }
 .select-schema-options {
     border: 1px solid #f0f0f0 !important;
diff --git a/ui_src/src/components/produceMessages/index.js b/ui_src/src/components/produceMessages/index.js
index ae0dafa3d..a1dc93130 100644
--- a/ui_src/src/components/produceMessages/index.js
+++ b/ui_src/src/components/produceMessages/index.js
@@ -262,7 +262,7 @@ const ProduceMessages = ({ stationName, cancel, produceMessagesRef, setLoading }
                             <InputNumberComponent
                                 min={1}
                                 max={isCloud() ? 1000 : 1}
-                                onChange={(e) =>creationForm.setFieldsValue({'amount': e})}
+                                onChange={(e) => creationForm.setFieldsValue({'amount': e})}
                                 value={formFields.amount}
                                 placeholder={formFields.amount || 1}
                                 disabled={!isCloud()}
diff --git a/ui_src/src/components/select/index.js b/ui_src/src/components/select/index.js
index be175f251..4c109ed70 100644
--- a/ui_src/src/components/select/index.js
+++ b/ui_src/src/components/select/index.js
@@ -80,7 +80,12 @@ const SelectComponent = ({
             >
                 {options.map((option) => (
                     <Option key={option?.id || option?.name || option} disabled={option?.disabled || false}>
-                        {option?.name || option}
+                        <span style={{ display: 'flex', alignItems: 'center', justifyContent: 'space-between' }}>
+                            <span style={{ display: 'flex', alignItems: 'center', gap: '5px' }}>
+                                <img src={option?.icon} alt={option?.name} /> <label>{option?.name || option}</label>
+                            </span>
+                            {option?.comment && <span className="comment">{option?.comment}</span>}
+                        </span>
                     </Option>
                 ))}
             </Select>
diff --git a/ui_src/src/components/select/style.scss b/ui_src/src/components/select/style.scss
index 095384779..7818cc3fe 100644
--- a/ui_src/src/components/select/style.scss
+++ b/ui_src/src/components/select/style.scss
@@ -4,24 +4,25 @@
         display: flex;
         align-items: center;
     }
+
     .ant-select:not(.ant-select-customize-input) .ant-select-selector {
-        border: unset;
+        border: none;
         background-color: unset;
         text-align: initial;
         align-items: center;
     }
-    // .ant-select-selector {
-    //     border: unset;
-    //     color: #5e5e68;
-    //     font-family: 'InterMedium';
 
-    // }
     .ant-select-arrow {
         background-color: transparent;
     }
     .ant-select-selection-item span {
         display: none;
     }
+    label {
+        display: flex;
+        align-items: center;
+        gap: 5px;
+    }
 }
 
 .select-container .ant-select-focused .ant-select-selector,
@@ -40,6 +41,7 @@
     box-shadow: 0px 10px 10px rgb(16 10 85 / 10%);
     border-radius: 8px;
     padding: 3px;
+
     .ant-select-item {
         color: rgba(74, 73, 92, 0.8) !important;
     }
@@ -56,6 +58,7 @@
     .ant-select-item-option {
         margin: 2px 8px;
         border-radius: 8px;
+        height: 100%;
     }
     .ant-select-item-option-selected:not(.ant-select-item-option-disabled) {
         background: rgba(101, 87, 255, 0.1);
@@ -64,6 +67,10 @@
         font-weight: unset !important;
         color: var(--purple) !important;
         font-family: 'InterBold' !important;
+        .comment {
+            color: #5e5e68 !important;
+            font-family: 'Inter' !important;
+        }
     }
 }
 
@@ -83,7 +90,17 @@
         background-color: #edebeb;
     }
 }
-
+.ant-select-selection-item {
+    display: flex;
+    align-items: center;
+    gap: 5px;
+}
+.ant-select-selection-item {
+    border: unset !important;
+}
+.ant-select-selection-search-input {
+    border: none !important;
+}
 .rc-virtual-list-scrollbar {
     width: 3px !important;
     background: white !important;
@@ -95,3 +112,40 @@
 .ant-select-item-option-selected:not(.ant-select-item-option-disabled) {
     background-color: transparent;
 }
+.anticon-check {
+    color: var(--purple) !important;
+}
+
+.ant-select:not(.ant-select-disabled):hover .ant-select-selector {
+    border-color: #cbcbcb !important;
+
+    box-shadow: none !important;
+}
+.ant-select.ant-select-in-form-item::selection {
+    background: transparent;
+    border-color: #cbcbcb !important;
+}
+.ant-select-selector {
+    border: unset;
+    border-radius: 5px !important;
+    height: 40px;
+    color: #5e5e68;
+    font-family: 'InterMedium';
+}
+.ant-select-focused .ant-select-selector,
+.ant-select-selector:focus,
+.ant-select-selector:active,
+.connector-modal-wrapper {
+    .ant-select-open .ant-select-selector {
+        border-color: #d9d9d9 !important;
+        box-shadow: none !important;
+    }
+    .ant-select-status-error.ant-select:not(.ant-select-disabled):not(.ant-select-customize-input):not(.ant-pagination-size-changer) .ant-select-selector {
+        border-color: #d9d9d9 !important;
+        border-color: none !important;
+        box-shadow: none !important;
+    }
+}
+.ant-select-multiple .ant-select-selector {
+    overflow-y: auto !important;
+}
diff --git a/ui_src/src/components/sideBar/index.js b/ui_src/src/components/sideBar/index.js
index fe3f96810..e428e21ea 100644
--- a/ui_src/src/components/sideBar/index.js
+++ b/ui_src/src/components/sideBar/index.js
@@ -119,7 +119,7 @@ function SideBar() {
         paddingTop: '5px',
         paddingBottom: '5px',
         marginBottom: '10px',
-        marginLeft: expandSidebar ? '100px' : '',
+        marginLeft: expandSidebar ? '100px' : ''
     };
 
     const quickActionsStyles = {
@@ -128,7 +128,7 @@ function SideBar() {
         paddingTop: '5px',
         paddingBottom: '5px',
         marginBottom: '10px',
-        marginLeft: expandSidebar ? '100px' : '',
+        marginLeft: expandSidebar ? '100px' : ''
     };
 
     const supportContextMenuStyles = {
@@ -136,7 +136,7 @@ function SideBar() {
         paddingTop: '5px',
         paddingBottom: '5px',
         marginBottom: '10px',
-        marginLeft: expandSidebar ? '100px' : '',
+        marginLeft: expandSidebar ? '100px' : ''
     };
 
     const getCompanyLogo = useCallback(async () => {
@@ -213,7 +213,7 @@ function SideBar() {
 
     const MenuItem = ({ icon, activeIcon, name, route, onClick, onMouseEnter, onMouseLeave, badge }) => {
         return (
-            <div className={"item-wrapper " + (state.route === route ? 'ms-active' : '')} onMouseEnter={onMouseEnter} onMouseLeave={onMouseLeave} onClick={onClick}>
+            <div className={'item-wrapper ' + (state.route === route ? 'ms-active' : '')} onMouseEnter={onMouseEnter} onMouseLeave={onMouseLeave} onClick={onClick}>
                 <div className="icon">{state.route === route ? activeIcon : hoveredItem === route ? activeIcon : icon}</div>
                 <p className={state.route === route ? 'checked' : 'name'}>{name}</p>
                 {badge && <label className="badge">{badge}</label>}
@@ -396,9 +396,6 @@ function SideBar() {
                         trigger="click"
                         onOpenChange={() => setPopoverOpenSupport(!popoverOpenSupport)}
                         open={popoverOpenSupport}
-                        onClick={() => {
-                            setPopoverOpenSupportContextMenu(false);
-                        }}
                     >
                         <div className="item">
                             <span className="icons">
@@ -413,14 +410,19 @@ function SideBar() {
     );
 
     return (
-        <div className={"sidebar-container " + ( expandSidebar ? 'expand' : 'collapse' )}>
+        <div className={'sidebar-container ' + (expandSidebar ? 'expand' : 'collapse')}>
             <div className="upper-icons">
-                <div className={'upper-icons-toggle ' + ( expandSidebar ? 'open' : 'close' )} onClick={ () => {setExpandSidebar(!expandSidebar)}}>
-                    <ArrowRight/>
+                <div
+                    className={'upper-icons-toggle ' + (expandSidebar ? 'open' : 'close')}
+                    onClick={() => {
+                        setExpandSidebar(!expandSidebar);
+                    }}
+                >
+                    <ArrowRight />
                 </div>
                 <span className="logo-wrapper">
                     <img
-                        src={isCloud() ? state?.companyLogo || (expandSidebar ? FullLogo : Logo) : (expandSidebar ? FullLogo : Logo)}
+                        src={isCloud() ? state?.companyLogo || (expandSidebar ? FullLogo : Logo) : expandSidebar ? FullLogo : Logo}
                         width={expandSidebar ? 'auto' : '45'}
                         height="45"
                         className="logoimg"
@@ -430,28 +432,29 @@ function SideBar() {
                     <EditIcon alt="edit" className="edit-logo" onClick={() => history.replace(`${pathDomains.administration}/profile`)} />
                 </span>
 
-                {( isCloud() &&
-                <div className="item-wrapper">
-                    <div className="menu-item-env">
-                        <div className="menu-item-env-badge">Coming  Soon</div>
-                        {( expandSidebar ?
-                            <>
-                                <div className="menu-item-env-left">
-                                    <div className="menu-item-env-title">Production</div>
-                                    <div className="menu-item-env-subtitle">Memphis.dev</div>
-                                </div>
-                                <div className="menu-item-env-right">
-                                    <ArrowTopGrayIcon/>
-                                    <ArrowTopGrayIcon style={{transform: 'rotate(180deg)'}} />
-                                </div>
-                            </>
-                            :
-                            <>
-                                <div className="menu-item-env-collapsed">P</div>
-                            </>
-                        )}
+                {isCloud() && (
+                    <div className="item-wrapper">
+                        <div className="menu-item-env">
+                            <div className="menu-item-env-badge">Coming Soon</div>
+                            {expandSidebar ? (
+                                <>
+                                    <div className="menu-item-env-left">
+                                        <div className="menu-item-env-title">Production</div>
+                                        <div className="menu-item-env-subtitle">Memphis.dev</div>
+                                    </div>
+                                    <div className="menu-item-env-right">
+                                        <ArrowTopGrayIcon />
+                                        <ArrowTopGrayIcon style={{ transform: 'rotate(180deg)' }} />
+                                    </div>
+                                </>
+                            ) : (
+                                <>
+                                    <div className="menu-item-env-collapsed">P</div>
+                                </>
+                            )}
+                        </div>
                     </div>
-                </div>)}
+                )}
 
                 <Popover
                     overlayInnerStyle={quickActionsStyles}
@@ -561,11 +564,11 @@ function SideBar() {
                     <div className="ms-appearance">
                         <div className="ms-appearance-badge">Coming soon</div>
                         <div className="ms-appearance-light ms-active">
-                            <SunIcon/>
+                            <SunIcon />
                             <span className="ms-appearance-text">Light</span>
                         </div>
                         <div className="ms-appearance-dark">
-                            <MoonIcon/>
+                            <MoonIcon />
                             <span className="ms-appearance-text">Dark</span>
                         </div>
                     </div>
@@ -582,7 +585,9 @@ function SideBar() {
                     <div className="sub-icon-wrapper" onClick={() => setPopoverOpenSetting(true)}>
                         <div className="sidebar-user-info">
                             <img
-                                className={`sidebar-user-info-img sandboxUserImg ${(state.route === 'profile' || state.route === 'administration') && 'sandboxUserImgSelected'}`}
+                                className={`sidebar-user-info-img sandboxUserImg ${
+                                    (state.route === 'profile' || state.route === 'administration') && 'sandboxUserImgSelected'
+                                }`}
                                 src={localStorage.getItem(USER_IMAGE) && localStorage.getItem(USER_IMAGE) !== 'undefined' ? localStorage.getItem(USER_IMAGE) : avatarUrl}
                                 referrerPolicy="no-referrer"
                                 width={localStorage.getItem(USER_IMAGE) && localStorage.getItem(USER_IMAGE) !== 'undefined' ? 35 : 25}
@@ -614,7 +619,7 @@ function SideBar() {
                     <UpgradePlans
                         content={
                             <div className="upgrade-button-wrapper">
-                                <CloudUploadIcon className="upgrade-plan-icon" style={{marginRight: '5px'}} />
+                                <CloudUploadIcon className="upgrade-plan-icon" style={{ marginRight: '5px' }} />
                                 <p className="upgrade-plan">Upgrade</p>
                             </div>
                         }
diff --git a/ui_src/src/components/sideBar/style.scss b/ui_src/src/components/sideBar/style.scss
index 69b0d98d9..cfc020aa2 100644
--- a/ui_src/src/components/sideBar/style.scss
+++ b/ui_src/src/components/sideBar/style.scss
@@ -12,34 +12,36 @@
 
     .sidebar-user-info {
         cursor: pointer;
-        &-img {}
+        &-img {
+        }
         &-bottom {
             display: none;
         }
     }
 
     opacity: 1;
-    transition: all .3s ease-in-out;
+    transition: all 0.3s ease-in-out;
 
     &.expand {
-        animation: expandAnimation .5s ease-out forwards;
+        animation: expandAnimation 0.5s ease-out forwards;
         width: 205px;
     }
 
     &.collapse {
-        animation: collapseAnimation .5s ease-in-out forwards;
+        animation: collapseAnimation 0.5s ease-in-out forwards;
         width: 90px;
     }
 
     @keyframes expandAnimation {
-        0%, 35% {
+        0%,
+        35% {
             opacity: 0;
         }
         50% {
-            opacity: .3;
+            opacity: 0.3;
         }
         75% {
-            opacity: .65;
+            opacity: 0.65;
         }
         100% {
             opacity: 1;
@@ -57,9 +59,9 @@
     @mixin comingSoonBadge {
         position: absolute;
         border-radius: 32px;
-        background: var(--Purply-blue, #6557FF);
+        background: var(--Purply-blue, #6557ff);
         padding: 4px 8px;
-        color: #FFF;
+        color: #fff;
         text-align: center;
         font-size: 8px;
         font-style: normal;
@@ -77,8 +79,9 @@
             align-items: center;
             margin: 0 10px 15px;
             padding-top: 8px;
-            border-top: 1px solid #E4E4E4;
-            &-img {}
+            border-top: 1px solid #e4e4e4;
+            &-img {
+            }
             &-bottom {
                 display: flex;
                 flex-direction: column;
@@ -99,12 +102,12 @@
                 font-style: normal;
                 font-weight: 400;
                 line-height: normal;
-                opacity: .4;
+                opacity: 0.4;
                 text-align: left;
             }
         }
         .upgrade-plan-icon {
-            display: initial!important;
+            display: initial !important;
         }
         .item-wrapper {
             flex-direction: row;
@@ -122,7 +125,8 @@
                     top: -8px;
                     right: 5px;
                 }
-                &-left {}
+                &-left {
+                }
                 &-right {
                     display: flex;
                     align-items: center;
@@ -138,7 +142,7 @@
                     text-align: left;
                 }
                 &-subtitle {
-                    color: #6D6C7C;
+                    color: #6d6c7c;
                     font-size: 10px;
                     font-style: normal;
                     font-weight: 500;
@@ -175,13 +179,13 @@
             }
             &.ms-active {
                 border-radius: 4px;
-                background: rgba(101, 87, 255, 0.20);
+                background: rgba(101, 87, 255, 0.2);
                 position: relative;
                 &:after {
                     content: '';
                     position: absolute;
                     border-radius: 0px 4px 4px 0px;
-                    background: #6557FF;
+                    background: #6557ff;
                     height: 100%;
                     width: 3px;
                     top: 0;
@@ -204,7 +208,7 @@
             align-items: initial;
             .item-wrapper:first-child {
                 padding-top: 16px;
-                border-top: 1px solid #E4E4E4;
+                border-top: 1px solid #e4e4e4;
             }
         }
     }
@@ -221,16 +225,15 @@
     }
 
     .item-wrapper {
-
         .menu-item-env {
             padding: 9px 16px;
             border-radius: 6px;
-            border: 1px solid #6557FF;
-            background: #E8E5FF;
+            border: 1px solid #6557ff;
+            background: #e8e5ff;
             margin-bottom: 15px;
             position: relative;
             &-collapsed {
-                color: var(--Purply-blue, #6557FF);
+                color: var(--Purply-blue, #6557ff);
                 font-size: 18px;
                 font-style: normal;
                 font-weight: 600;
@@ -246,7 +249,7 @@
 
         .ms-appearance {
             border-radius: 32px;
-            background: #F0F0F0;
+            background: #f0f0f0;
             padding: 4px;
             display: flex;
             position: relative;
@@ -267,18 +270,18 @@
                 align-items: center;
                 justify-content: center;
                 padding: 6px;
-                opacity: .4;
+                opacity: 0.4;
             }
             .ms-active {
                 padding: 6px;
                 border-radius: 32px;
                 border: 0.5px solid rgba(0, 0, 0, 0.04);
-                background: var(--system-background-light-primary, #FFF);
+                background: var(--system-background-light-primary, #fff);
                 box-shadow: 0px 1px 1px 0px rgba(0, 0, 0, 0.08);
                 opacity: 1;
             }
             &-dark {
-                opacity: .4;
+                opacity: 0.4;
                 padding: 6px;
                 flex: 0 0 50%;
                 display: flex;
@@ -329,7 +332,7 @@
             height: 16px;
             background: white;
             border-radius: 50%;
-            fill: #FFF;
+            fill: #fff;
             filter: drop-shadow(0px 1px 3px rgba(0, 0, 0, 0.12));
             display: flex;
             justify-items: center;
@@ -339,7 +342,7 @@
             cursor: pointer;
             padding: 5px;
             z-index: 2;
-            transition: .2s linear;
+            transition: 0.2s linear;
             &.open {
                 transform: scale(-1, -1);
             }
@@ -348,7 +351,6 @@
                 width: 100%;
             }
         }
-
         .logo-wrapper {
             position: relative;
             .edit-logo {
@@ -432,6 +434,7 @@
                 justify-content: center;
                 margin-bottom: 10px;
                 cursor: pointer;
+
                 p {
                     line-height: 12px;
                     margin: 0;
@@ -582,6 +585,7 @@
 .ant-popover-placement-rightTop {
     left: 60px !important;
 }
+
 .support-container {
     a {
         color: #6557ff;
diff --git a/ui_src/src/components/spinner/index.js b/ui_src/src/components/spinner/index.js
index ccba6ebe9..ec409eb8b 100644
--- a/ui_src/src/components/spinner/index.js
+++ b/ui_src/src/components/spinner/index.js
@@ -15,17 +15,16 @@ import React from 'react';
 import { Spin } from 'antd';
 import { LoadingOutlined } from '@ant-design/icons';
 
-const antIcon = (
-    <LoadingOutlined
-        style={{
-            fontSize: 18,
-            color: 'var(--purple)'
-        }}
-        spin
-    />
-);
-
-const Spinner = () => {
+const Spinner = ({ fontSize }) => {
+    const antIcon = (
+        <LoadingOutlined
+            style={{
+                fontSize: fontSize || 18,
+                color: 'var(--purple)'
+            }}
+            spin
+        />
+    );
     return (
         <div className="spinner-container">
             <Spin indicator={antIcon} />
diff --git a/ui_src/src/connectors/assets/awsKinesis.svg b/ui_src/src/connectors/assets/awsKinesis.svg
new file mode 100644
index 000000000..f71d4b6c0
--- /dev/null
+++ b/ui_src/src/connectors/assets/awsKinesis.svg
@@ -0,0 +1,10 @@
+<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+<circle opacity="0.6" cx="10" cy="10" r="10" fill="white"/>
+<rect x="5" y="4" width="10" height="12" fill="url(#pattern0)"/>
+<defs>
+<pattern id="pattern0" patternContentUnits="objectBoundingBox" width="1" height="1">
+<use xlink:href="#image0_9050_754" transform="matrix(0.000587889 0 0 0.000489908 0 -0.00166569)"/>
+</pattern>
+<image id="image0_9050_754" width="1701" height="2048" xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABqUAAAgACAYAAACvoDmjAAAgAElEQVR4AezdCZRcd30n+pKMLeOFzQaCLUDuuv+SEbbUrdJAICQIHodE2Or6Vzv95iUh4ECieY8XJnjBWDbGrcVvsocomNDu+lfHjiG4nWSysYTJhEkmYUlMHANe2Gwj74sk27Jsgy31O2WriTBaulv3dtfy4RxOy91Vv7r3c7/ddev/PVW3VPI/AgQIECBAgAABAgQIEJiWwMTw4ueOn1U5NdWyi/7uXcu++c3zV/z7HesH3vi1XzvtpRPDpSOmNcSNCBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECOxPYMuabNHY4NLlqZ5d2KyHr6cYJj/3rmWT2zdUJx/auPKJuy4a+Ms71w/87NfOPe3lkyOlhfub4XsECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIE9iswuq565HgM/Y1YWZ9q2T+1yqip/0+VUo9dtmpy12WrJrdvWLnjgUv7r/n2B1b8l+vW9T1/vwN9kwABAgQIECBAgAABAgQIECBAgAABAgQIECBAgMC+Ao3BcpZi2Jhi+HKK4dGpMmrq676lVKuYerqc2rxqcseG6rYHLx249qbzVvziDecvP3bfmf5NgAABAgQIECBAgAABAgQIECBAgAABAgQIECBA4GmBxvDiF6V6eH+K4Vv7K6MOVkrtU07tfnhj9YG7PzjwP2583+lrrltXPRIvAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIBAjwtMDC9+bhpcurQRs/UphjtSDLunyqcDfd3fO6WmSql9v+7cVH1q6/qBG267sH/1t89f/pKJ4dIRPc5t9wkQIECAAAECBAgQIECAAAECBAgQIECAAAECvSWwZU22KNUrKxq17AMphhsPVEDt7/vTLaWmCqqHNq783p0X9//1HetXDH3t3NNePjlSWthb2vaWAAECBAgQIECAAAECBAgQIECAAAECBAgQINBjAhPDy44aj6E/1bMLUwxf2F/pdKjvzbSUapVTuy5bNbl9w8od91/af82tH+j/la/+P6e/sMfo7S4BAgQIECBAgAABAgQIECBAgAABAgQIECBAoPsFJkulBVfW+yopho0phi+lGHYdqnw60M9nU0pNvWtq1+ZVkzs2VLc9eOnAtTedu/wdN5y//Nju17eHBAgQIECAAAECBAgQIECAAAECBAgQIECAAIEeELiyfvIJz7wzKvtGimHngcqm6X7/cEqpfcqp3Q9vrN5/98UDn7vpff1n3Diy7KgeOBR2kQABAgQIECBAgAABAgQIECBAgAABAgQIECDQXQLjZy85evysvrD3Y/q2phiemm7pdKjb5VFKTZVTj122as/OTdXv37F+4PrbL1rxpm+cVz3RNae6K4v2hgABAgQIECBAgAABAgQIECBAgAABAgQIEOhCgS1rskWpXlnRqGUfSDHcdKiCaTY/z7mUmpwqqB7eWP3+nRet/Js7Ll5R/9q5p71cOdWFAbVLBAgQIECAAAECBAgQIECAAAECBAgQIECAQGcLTAwvO2o8hv5WGdWshS/Opmya7n2KKqVa5dSuy1rXnFr50P2X9l9z64X9v3zjOa9+UWcfGVtPgAABAgQIECBAgAABAgQIECBAgAABAgQIEOgCgclSaUEaPGVpo1bZsLeM2jXdcmm2tyuylJp619Suza1yqrrtwUsHrr3p3OXvuOH85cd2weGyCwQIECBAgAABAgQIECBAgAABAgQIECBAgACBzhO4sn7yCc16uDjVws0php2zLZlmer+5KKX2Kaf2PLyxet89Fw989uZzlq+9cWTZUZ13pGwxAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQKDDBMbPXnJ0Y7CcpXp2YTOG76YYnpxpqXS4t5/LUuoH5dRlq/Y8sqn6xNaLBr5y+4XL33zz+tec4JpTHRZem0uAAAECBAgQIECAAAECBAgQIECAAAECBAi0v8CWNdmiVK+saF0zau87oyYPt1ya7f3no5SaKqdaXx/eWH3yjosHPnXXxf21r5172suVU+2fX1tIgAABAgQIECBAgAABAgQIECBAgAABAgQItLnAxPCyo8Zj6G/GcEGK4cuzLZLyvN98l1KtYmrXZa1rTq186N5L+6+5/cIV77ruvMqJbX4obR4BAgQIECBAgAABAgQIECBAgAABAgQIECBAoP0ERkZKC8fPWnJqo1bZkGL4QorhsTyLpcOZ1Q6l1NQ7p3ZtbpVT1W0Pjgxce/N5/e+88T3Ljmu/o2mLCBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQJtKHBl/eQTUgyXpBhuSjHsPJwCqYj7tlMptU85teehjdX77rlk4DM3nnN67VvvzRa14aG1SQQIECBAgAABAgQIECBAgAABAgQIECBAgACB+RVoXTOqORT6nr5mVKzcnmL4fhGFUh4z27GU+kE5ddmqPY9sqj52x0UD//rdC5b/H1+98PQXuubU/GbboxMgQIAAAQIECBAgQIAAAQIECBAgQIAAAQJtINAqo1K9smLvNaNuyaM0KnpGO5dSU+VU6+vDm6pP3bF+4DN3Xbx87Q0XLF+snGqDwNsEAgQIECBAgAABAgQIECBAgAABAgQIECBAYG4FJoaXHTUeQ3+qh/enmP1r0UVSnvM7pZRqFVO7Lmtdc2rlw/ddsnLitvUrfumG85e/ZG6PtEcjQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECMyDwMhIaeFYPbwqxcpIiuELqRYez7MwmotZnVRKTb1zatfmVZPbN1S3bRsZuPbm8/rfeeN7lh03D4ffQxIgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIEihe4sn7yCa0yqlkPX08x7JyLAqmIx+jEUmqfcmrPQxur9953ycCnbzpnRf1b780WFX/kPQIBAgQIECBAgAABAgQIECBAgAABAgQIECBAoGCB1jWjxuOSJXuvGXVbiuF7RRRFczmzk0upH5RTl63a/cim6qN3XDTw5e+cf/pbbntf/wtcc6rgXwbjCRAgQIAAAQIECBAgQIAAAQIECBAgQIAAgfwFWmVUqldWPFNGZd+Yy9Ko6MfqhlJqqpxqfX1kU3X31vUr//bOi/rPuOGC5YsnhktH5J8IEwkQIECAAAECBAgQIECAAAECBAgQIECAAAECOQpMDC87ajyG/hTL56UYvlJ0QTQf87utlGoVU7suWzW5Y8PKh++7ZOXEbev73/m1XzvtpTnGwigCBAgQIECAAAECBAgQIECAAAECBAgQIECAQD4CrXfXNGvZshSzS1Os/HOqhcfnozCai8fsxlJq6p1Tuzavmtw+Ut22bWTg2pvP7T/7xvcsOy6fhJhCgAABAgQIECBAgAABAgQIECBAgAABAgQIEDhMgdG1lRNTDBtTzL6aYtg5F8XQfD5GN5dS+5ZTD22o3nvvJSv/5ubzVgx9/uwlRx9mTNydAAECBAgQIECAAAECBAgQIECAAAECBAgQIDBzgdbH9F15Zt8rUj28P8Vwa4rhifksiubysXuhlNqnnNr9yKbqzjsuGvjid84//S3feu9rnzc5Ulo488S4BwECBAgQIECAAAECBAgQIECAAAECBAgQIEBgBgJb1mSLUr2yohnDBSmGb85lGdQuj9VLpdRUOdX6+sim6p6t6/s/d8dFp6/51gXLF7c+snEG0XFTAgQIECBAgAABAgQIECBAgAABAgQIECBAgMChBVpl1HgM/amenduI4fp2KYjmYzt6tZRqFVO7Lls1uWPDykfuu2TlxHc/MPCOG9+z7McOnR63IECAAAECBAgQIECAAAECBAgQIECAAAECBAgcQqD1bpg/Wpu9ulnPPpRq2T/10sf0Hajw6uVSauqdU7s2r5rcPlLdtm1k4Nqbz+0/+8b3LDvuEFHyYwIECBAgQIAAAQIECBAgQIAAAQIECBAgQIDA/gWaw9mLG7WwOcXw7ymGnQcqaXrt+0qpVZP7llMPbajee/8l/X99y3nLf/bzZy85ev9p8l0CBAgQIECAAAECBAgQIECAAAECBAgQIECAwD4Co+uqR44NZYtTPbw/xfAd74wKk88u3ZRS/1FK7VNO7X5kU/XhOy8a+Odvnn/6W1rvnJocKS3cJ1r+SYAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAolVrXjBobXLq8GcMFKYZvPbuI8d//UU4ppX60lJoqp1pfH9lU3XPH+oH/ufWiFT/9jXNWnNz6CEi/YwQIECBAgAABAgQIECBAgAABAgQIECBAgECPC4yuPemY5lC2MtWzc/d+TN+PvDNIIfUfhVTLQil18FKqVUztumzV5I4NK3fe98GBa7/7gRVvv+l9r3pZj/+q2X0CBAgQIECAAAECBAgQIECAAAECBAgQINCbAq13RjUGw0+lWvjNFMMXUgzfUz79cPl0IA+l1KFLqal3Tu3avGpy+0h127aRgWu/ef6KX2p9rF9v/sbZawIECBAgQIAAAQIECBAgQIAAAQIECBAg0IMCjXr5tEa9/LEUwy2pFh4/UPni+/svqZRS0y+l9i2nHtpQvfe+Swb+8pZzTx/+/NlLju7BXz27TIAAAQIECBAgQIAAAQIECBAgQIAAAQIEultgslRaMDG87KhmLVs2FrPfSzHc4Z1R+y+cplPEKaVmXkrtU07tfmRT9aE7L+r/3988//S33HD+8mNb+ezu30B7R4AAAQIECBAgQIAAAQIECBAgQIAAAQIEekDg6jXZ88aGsh/fW0bdO53SxW0OXlgppWZfSk2VU62vj2yq7tl6Uf8/bL1wxVtvuWDgpInh0hE98CtpFwkQIECAAAECBAgQIECAAAECBAgQIECAQHcJtMqoVO97QyNm/1+KldsVTQcvmmbio5TKp5SaKqh2bFi5855LBv709ov6f/6WXx04yTunuutvkb0hQIAAAQIECBAgQIAAAQIECBAgQIAAgS4VGD97ydGNwfBTKWa/nWL21RTDUzMpXNz20OWVUirfUqpVTu3avGpy+0h124MjKye+df7yd9/4nmXHdemvqN0iQIAAAQIECBAgQIAAAQIECBAgQIAAAQKdLzA2eMrysVr5D1Mt3Jxq4XEF06ELptkYKaXyL6Wm3jXVKqd2bKje98CHBv7ipnNX/OcvnLP4uZ3/m2kPCBAgQIAAAQIECBAgQIAAAQIECBAgQIBAhwu0PuZsdF31yNGzKqc26tnvphi2phi+N5uixX2mX2AppYorpfYpp3Y/sqm6/a6LB/7hm+ef/pbrRqrH+Fi/Dv+DZfMJECBAgAABAgQIECBAgAABAgQIECBAoDMFWteMatbCaxux/OEUw31KpemXSodrpZQqvpSaKqdaXx/ZVN2zdX3/P931wYG33HLBwEkTw6UjOvO31lYTIECAAAECBAgQIECAAAECBAgQIECAAIEOEmiVUY2h8k+kWuW/pVi5/XALFvefeZmllJrbUmqqoNqxYeWj91wy8KdbLxz4uVt+deAk75zqoD9cNpUAAQIECBAgQIAAAQIECBAgQIAAAQIEOkfgd4cXP7dZz97YqIffSjH7aorhKYXSzAulPMyUUvNTSrXKqdY1p7aPDGx74NL+a771/uW/fMu7lh7fOb/FtpQAAQIECBAgQIAAAQIECBAgQIAAAQIECLS5QGMwG2jE7KMphptSLTyeR7FixuwLLaXU/JVSU++aapVTOzZU77//Q/1/ftM5y/+vL5yz+Llt/mts8wgQIECAAAECBAgQIECAAAECBAgQIECAQHsKjKxe/Zwr6n2VRsx+J8WwNcXwPUXS7IukPO2UUvNfSu1TTu1+ZFN1250XD3z+m+ef/pbbRpYc7WP92vNvmq0iQIAAAQIECBAgQIAAAQIECBAgQIAAgTYTePqaUbHymlQr/36K4f48yxSz8im1lFLtU0pNlVOtr49squ7Zur7/S3deuPzNN72v+rKJ4dIRbfbrbXMIECBAgAABAgQIECBAgAABAgQIECBAgMD8C7TKqCtq5dc36uHXmzF8V4GUT4FUhKNSqj1LqamCaseGlbvu/uDAn229cMV//sY5K072zqn5//tmCwgQIECAAAECBAgQIECAAAECBAgQIECgDQR+d3jxc5v17I2NevitFLOvphh2F1GkmJlfyaWUau9SqlVOta45tX1k5fYHLu2/5tvn9//KLe9aenwb/LrbBAIECBAgQIAAAQIECBAgQIAAAQIECBAgMD8CY7FcbcTs8hTDjakWHlcc5VccFWmplGr/UmrqXVOtcmrHhur9918y8Gc3n7f8565bVz1mfn7bPSoBAgQIECBAgAABAgQIECBAgAABAgQIEJhjgZGR0sKPndUXGjH7nb0f0/dEkQWK2fkXXUqpziml9imndj+8sfrg3Rev/Pubzjn9LTeOLDtqjn/1PRwBAgQIECBAgAABAgQIECBAgAABAgQIEJgbgaevGTXU95/GYtiSYnhAWZR/WTRXpkqpziulpsqp1tedm6p7tq7v/9c7LuxffeP7l/3YxHDpiLn5K+BRCBAgQIAAAQIECBAgQIAAAQIECBAgQIBAgQKtMirVs9c1YviNve+Mmpyr8sTjFFN8KaU6u5SaKqge2rDysbsv7v/z717YP/yNc1acPFkqLSjwT4HRBAgQIECAAAECBAgQIECAAAECBAgQIECgGIHRtScd06xnbxyrhd9MMXwtxbBHSVRMSTTXrkqp7iilWuVU65pT20dWbn9gZOCT3z6//1duedfS44v5i2AqAQIECBAgQIAAAQIECBAgQIAAAQIECBAoQOCKob7/lGrZR5r18PVUC4/PdWni8Yotv5RS3VNKTb1rqlVO7dhQfeDBSweuvfmc/p+/bl31mAL+NBhJgAABAgQIECBAgAABAgQIECBAgAABAgTyERiNWTnF7Lf3fkzfE8qhYsuh+fJVSnVfKbVPObX74Y3VB+66eODvbjrn9Ld8fmT1c/L562AKAQIECBAgQIAAAQIECBAgQIAAAQIECBA4TIGnrxk12LdqLIYtKYYH56so8bhzV4Appbq3lJoqp1pfd26q7vnu+v7rt37g9J/62q+d9tKJ4dIRh/nnwt0JECBAgAABAgQIECBAgAABAgQIECBAgMDMBVpl1NhQ9uONevitFMNWpdDclULzba2U6o1Saqqgemjjysfvumjlf79z/cDP3vDe5YsnR0oLZ/4Xwz0IECBAgAABAgQIECBAgAABAgQIECBAgMAMBUbXnnRMs569sRHDb6QYvpZi2DPfJYnHn9tCTCnVW6VUq5xqXXNq+4aV2x/40MAnv/3+FetuedfS42f4p8PNCRAgQIAAAQIECBAgQIAAAQIECBAgQIDA9AWefmdUzP7g6TKqFh5XBs1tGdQu3kqp3iulpt411SqndmyobntwZOXELef1/8J166rHTP8viFsSIECAAAECBAgQIECAAAECBAgQIECAAIFDCIzGrJxi9tvNGL6blFGT7VIOzdd2KKV6t5SaKqce3bxq98Mbq/ffdfHA524+Z8VbPz+y+jmH+DPixwQIECBAgAABAgQIECBAgAABAgQIECBAYP8CaXDp8WOxXB2LYUuK4QEf09eb74raX/GllFJKTZVTra87N1V3b13f/+9b1y//yW+fv/wlrjm1/7+pvkuAAAECBAgQIECAAAECBAgQIECAAAECzxK4ek32vGYtvLb1zqgUw9b9lRK+19sFlVJKKbVvKTX174c2rnzirosH/uKO9SuGbnjv8sXKqWf9cfWfBAgQIECAAAECBAgQIECAAAECBAgQIPCMwFVvXX5ss569sVEPv96sh68rnnq7eDrY8VdKKaWmiqhnf9112arJ7RtW7rj/QwOfvPUD/b9y3bq+5/sbS4AAAQIECBAgQIAAAQIECBAgQIAAAQIEnhaYLJUWpHr2ur0f0/e1FMMTBysk/ExZpZRSSj27jHr2f+/avGpyx4bqtgcu7b/mlnNXvP2G85cf608uAQIECBAgQIAAAQIECBAgQIAAAQIECPSwQGOwnDXq2e+mGG5LtfC4wknhNJ0MKKWUUs8uoQ70349uXrX74Y3V++7+4Mq/vfGc5T9z3brqkT38J9euEyBAgAABAgQIECBAgAABAgQIECBAoLcE0uDS45tD2cpUK/9+iuH+FMPu6RQRbqOwmsqAUkopdaAS6iDf3/PIpur371jf/29bP3D6T33jvOqJrjnVW8899pYAAQIECBAgQIAAAQIECBAgQIAAgR4SuHpN9rxmLbw2xey3Uwx3TBUMviqbZpoBpZRS6iDl0+ShfvbQxpXfu/Oigb/aur4/3vDe5YuVUz30RGRXCRAgQIAAAQIECBAgQIAAAQIECBDoboGr3rr82MZg+KlUq/y3FMONMy0g3F5p9ewMKKWUUocqng71812XrZrcvmHljvs/NPDJWy8YePf17+t/QXf/JbZ3BAgQIECAAAECBAgQIECAAAECBAgQ6GKBkZHSwitq5dc/8zF92VdTDE88u1zw3wqn2WRAKaWUOlTpNN2f79q8anLHhuqDD1zaf80t5654+w3nLz+2i/8s2zUCBAgQIECAAAECBAgQIECAAAECBAh0n8DHzuoLjVj+cIrh1lQLj8+meHAfhdWBMqCUUkpNt3Sa7u0e3bxq98Mbq/fdffHAZ2869/S33Tiy7Kju+8tsjwgQIECAAAECBAgQIECAAAECBAgQINAFApOl0oLxuOQFY7XKT47VwtUphgdTDE8dqFTwfYXT4WRAKaWUmm7ZNNPb7bps1Z5HNlWf2Lp+xXW3vf/0N968/jUnuOZUFzxJ2QUCBAgQIECAAAECBAgQIECAAAECBLpDYHRt5cRmfembU8yuSjE8fDhlg/sqq6aTAaWUUmqmZdNsbv/wxur377i4/6+3rh8YvOG9yxcrp7rjOcteECBAgAABAgQIECBAgAABAgQIECDQgQIfPeMVL2zWw5mNmH001Sr3TKdMcBulUx4ZUEoppWZTMs3mPrsuWzW5fcPKh+7/0MAnv3PhinfdeM6rX9SBf65tMgECBAgQIECAAAECBAgQIECAAAECBDpTYGT16uekoWww1bMrn75mlI/pm8yjaDFj+oWdUkopNZuC6XDus2vzqsntl1YffODS/mtuOm/FL95w/vJjO/MvuK0mQIAAAQIECBAgQIAAAQIECBAgQIBAhwg0a+G1KVauSTHckWJ4UpEy/SKFVX5WSiml1OEUTIdz30c3r9rz0MbqvfdcMvDpm89dceaNI8uO6pA/3zaTAAECBAgQIECAAAECBAgQIECAAAEC7S0wWSotuHpN9rxU73tDM1YmUgw7Ugy7FSz5FSwsZ26plFJKHU6xlMd9d122as8jm6qP3XFR/7/cdmH/6q9eePoLXXOqvZ/PbB0BAgQIECBAgAABAgQIECBAgAABAm0sMLq2cmKzvvTNjZj9cYrhYeXJzMsTZsWYKaWUUnkUS3nNeHhj9ck7Lh741F0XL197wwXLFyun2viJzaYRIECAAAECBAgQIECAAAECBAgQINBeAo3hxS9q1sOZKWaXpxjuU6wUU6xwnb2rUkoplVehlNecXZetmty+YeVD939w4JO3Xdh/9nXnVU5sr7/stoYAAQIECBAgQIAAAQIECBAgQIAAAQJtJDAxvOyoNJQNNmP4oxTDrSmGpxQnsy9O2BVnp5RSSuVVJuU9Z9fmVZPbL60++ODIwMe/8p7TXtVGf+JtCgECBAgQIECAAAECBAgQIECAAAECBNpDYGwo+/G914zammJ4UqFSXKHC9vBtP/dLy/ZsH6lO5l0omKfsyisDj26u7vr3//e0env8hbcVBAgQIECAAAECBAgQIECAAAECBAgQmEeByVJpQRpcenxjqPwTe8uobSmG3QqTwy9MGBZvqJRSHuVVHhU1Z9fmVY999VdPH57HP/MemgABAgQIECBAgAABAgQIECBAgAABAvMvMLq2cmKzvvTNjZj9cYrhESVK8SUK43yNlVJKqaLKpLzmKqXm/7nOFhAgQIAAAQIECBAgQIAAAQIECBAgMI8CjeHFL2oMhTNSzC5PMTygKMm3KOE5d55KKaVUXuVRUXOUUvP4ZOehCRAgQIAAAQIECBAgQIAAAQIECBCYP4Eta7JFaSgbTPXQTDHcmmJ4SoEydwUK6/ytlVJKqaLKpLzmKqXm7znPIxMgQIAAAQIECBAgQIAAAQIECBAgME8CqZ69LtXDtc0YvptieFJBkn9BwnTuTZVSSqm8yqOi5iil5ulJz8MSIECAAAECBAgQIECAAAECBAgQIDB3ApOl0oLLh5cdd0Wt/PoUK9ekGB70zqi5L00UVcWaK6WUUkWVSXnNVUrN3fOeRyJAgAABAgQIECBAgAABAgQIECBAYB4ErqyfekKzvvTNqZZdnWJ4RDFSbDHCd/58lVJKqbzKo6LmKKXm4UnQQxIgQIAAAQIECBAgQIAAAQIECBAgULxAq4war1XelmrZR1IM25Ql81eWsJ8be6WUUqqoMimvuUqp4p/7PAIBAgQIECBAgAABAgQIECBAgAABAnMoMH72kqPTYDbYjCGlGG71MX1zU4gonubfWSmllMqrPCpqjlJqDp8MPRQBAgQIECBAgAABAgQIECBAgAABAsUKPHPNqPCnKVZuTzE8qSiZ/6LEMZi7Y6CUUkoVVSblNVcpVexzoOkECBAgQIAAAQIECBAgQIAAAQIECBQoMFkqLRhde9IxY0PZjzdi9skUw/3eGTV3JYjCqb2slVJKqbzKo6LmKKUKfEI0mgABAgQIECBAgAABAgQIECBAgACB4gRa14xq1pe+uRmzj6cYdipI2qsgcTzm/ngopZRSRZVJec1VShX3nGgyAQIECBAgQIAAAQIECBAgQIAAAQIFCLTKqBQra1It+0iKYYfyY+7LD+btaa6UUkrlVR4VNUcpVcCTopEECBAgQIAAAQIECBAgQIAAAQIECOQvMALlIE8AACAASURBVDG8+LlpMBtMsdJIMdyWYtitHGnPcsRxmZ/jopRSShVVJuU1VymV/3OjiQQIECBAgAABAgQIECBAgAABAgQI5CyQ6n1vSDH8aYqV21MMTyo95qf04N7e7koppVRe5VFRc5RSOT85GkeAAAECBAgQIECAAAECBAgQIECAwOELTJZKC8bPXnJ0sxZem2rhT1IM96UYnlKKtHcp4vjM7/FRSimliiqT8pqrlDr850cTCBAgQIAAAQIECBAgQIAAAQIECBDIUeDpa0YNlt+UYvkTKYadio75LTr4d46/UkoplVd5VNQcpVSOT5ZGESBAgAABAgQIECBAgAABAgQIECAwe4HRtZUTm7Xsp1PMLk8x7FCGdE4Z4li1x7FSSimliiqT8pqrlJr9c6R7EiBAgAABAgQIECBAgAABAgQIECCQg8BVb11+bBrMBhv1bCzFcFuKYbeSoz1KDsehs46DUkoplVd5VNQcpVQOT5pGECBAgAABAgQIECBAgAABAgQIECAwO4FmPXtjM1Ym9pZRTypBOqsEcbza63gppZRSRZVJec1VSs3uudK9CBAgQIAAAQIECBAgQIAAAQIECBCYhcBkqbRgy5psUSOe8ppUC3+SYrg3xfCUcqO9yg3HozOPh1JKKZVXeVTUHKXULJ443YUAAQIECBAgQIAAAQIECBAgQIAAgZkLXFk/9YSxmK3eW0btVHx0ZvHhuLXvcVNKKaWKKpPymquUmvlzp3sQIECAAAECBAgQIECAAAECBAgQIDADgdG1lRNTzN6aauU/TDHsUGq0b6nh2HT2sVFKKaXyKo+KmqOUmsGTp5sSIECAAAECBAgQIECAAAECBAgQIDB9gcuHlx2XBrPBVMuuSLFye4pht9Kjs0sPx6+9j59SSilVVJmU11yl1PSfQ92SAAECBAgQIECAAAECBAgQIECAAIFpCozVy29uxOyTKYZbUwxPKjPau8xwfLrj+CillFJ5lUdFzVFKTfNJ1M0IECBAgAABAgQIECBAgAABAgQIEDiwwGSptGB0XfXIK4b6/lOK4ROpVrknxfCUsqM7yg7HsTOOo1JKKVVUmZTXXKXUgZ9H/YQAAQIECBAgQIAAAQIECBAgQIAAgWkIXFk/9YSxmK3e+86oRxUYnVFgOE7dd5yUUkqpvMqjouYopabxpOomBAgQIECAAAECBAgQIECAAAECBAj8sMDISGlhGlx6UorZW5v18sdSDDuUHN1XcjimnXVMlVJKqaLKpLzmKqV++LnUfxEgQIAAAQIECBAgQIAAAQIECBAgcBCB1sf0jQ2e8tJUK78j1cLVKYatKYY9yovOKi8cr+48XkoppVRe5VFRc5RSB3mC9SMCBAgQIECAAAECBAgQIECAAAECBP5DYPzsJUc3Y/i5RgyfSjHcnWLYrdzoznLDce3M46qUUkoVVSblNVcp9R/Pqf5FgAABAgQIECBAgAABAgQIECBAgMCzBFrvjJoYXvzcFMtrUsw+m2J4UBnVmYWFoqn7j5tSSimVV3lU1Byl1LOeZP0nAQIECBAgQIAAAQIECBAgQIAAAQKlUuuaUaNDr3rZWD0MpXr29ymG7ys1ur/UcIw7+xgrpZRSRZVJec1VSjnDIECAAAECBAgQIECAAAECBAgQIEDgBwKtMqpZK7/8mTIq/HmqhccVFZ1dVDh+vXP8lFJKqbzKo6LmKKV+8HTrHwQIECBAgAABAgQIECBAgAABAgR6V6D1MX3jw0t+LNXK72jE7JMphgdSDHsUGr1TaDjWnX+slVJKqaLKpLzmKqV69zzDnhMgQIAAAQIECBAgQIAAAQIECBB4WmD87CVHp3r2C6lW/psUw92uGdX55YSCqTePoVJKKZVXeVTUHKWUEw8CBAgQIECAAAECBAgQIECAAAECPSqwZU22qFEv/0yqZZ/Z+86o3cqM3iwzHPfuOO5KKaVUUWVSXnOVUj16wmG3CRAgQIAAAQIECBAgQIAAAQIEelOgdc2o0aFXvSzVyvVmzD6fYvi+QqI7CgnH0XFUSiml8iqPipqjlOrNcw97TYAAAQIECBAgQIAAAQIECBAg0GMCE8OlI5q18stbZVQjZn+RauFxJYYSQwa6KwNKKaVUUWVSXnOVUj128mF3CRAgQIAAAQIECBAgQIAAAQIEektgslRaMDr0ypc1YvaLqRb+JMXwoCKiu4oIx9PxnMqAUkoplVd5VNQcpVRvnYPYWwIECBAgQIAAAQIECBAgQIAAgR4SmBhe/NxWGdWM2V+lGO5OMbhmVFRgTBUYvnZfFpRSSqmiyqS85iqleugkxK4SIECAAAECBAgQIECAAAECBAj0hsDE8LKjUiyvSTH7dIrhAWVU95UPCiXHdH8ZUEoppfIqj4qao5TqjfMQe0mAAAECBAgQIECAAAECBAgQINDlAiMjpYXjw0t+rHXNqGbMPp9i+N7+Fq19T5khA92bAaWUUqqoMimvuUqpLj8ZsXsECBAgQIAAAQIECBAgQIAAAQLdLTAxXDqiWSu/vFnPailmf51ieELp0L2lg2Pr2B4sA0oppVRe5VFRc5RS3X1OYu8IECBAgAABAgQIECBAgAABAgS6VGCyVFowOvTKl7WuGZVq4U9SDNsOtljtZ8oMGej+DCillFJFlUl5zVVKdelJid0iQIAAAQIECBAgQIAAAQIECBDoXoGJ4cXPbdTL70z17C9TDHe7ZlT3lw0KJcd4OhlQSiml8iqPipqjlOrecxN7RoAAAQIECBAgQIAAAQIECBAg0GUCW9Zki8ZrfW9LMft0iuEBZZSiYjpFhdv0Tk6UUkqposqkvOYqpbrsxMTuECBAgAABAgQIECBAgAABAgQIdJfAyEhp4djgKS9txHJM9ezvUy08nmLYo2jonaLBsXasp5sBpZRSKq/yqKg5SqnuOkexNwQIECBAgAABAgQIECBAgAABAl0iMDFcOmJsKFvcrGe1VCv/TYrhiekuTLudEkMGejMDSimlVFFlUl5zlVJdcpJiNwgQIECAAAECBAgQIECAAAECBLpDYLJUWpAGl57UjNnbUyx/ohkr2xUMvVkwOO6O+0wzoJRSSuVVHhU1RynVHecq9oIAAQIECBAgQIAAAQIECBAgQKALBK5660uPbdTL72zE7C9SDHe7ZpRSYqalhNv3dmaUUkqposqkvOYqpbrgZMUuECBAgAABAgQIECBAgAABAgQIdLbAljXZosZQOCPVss+kGO5XRvV2saBYcvxnmwGllFIqr/KoqDlKqc4+X7H1BAgQIECAAAECBAgQIECAAAECHSowMlJaeFW9/JKnrxkVs/+ZYtiVYtgz28Vo91NkyIAMKKWUUkWVSXnNVUp16EmLzSZAgAABAgQIECBAgAABAgQIEOhMgYnh0hFjQ9niVhnViOFTKYYnlAnKBBmQgTwyoJRSSuVVHhU1RynVmecutpoAAQIECBAgQIAAAQIECBAgQKDDBFrvjLryzMrJqZ79QorlT6QYduSxCG2GMkMGZGAqA0oppVRRZVJec5VSHXbyYnMJECBAgAABAgQIECBAgAABAgQ6T+Dy4WXHNerld6aY/fcUw92uGaVEmCoRfJWFPDOglFJK5VUeFTVHKdV55zC2mAABAgQIECBAgAABAgQIECBAoEMEtqzJFjXr4cxUyz6TYrhPGaWAyLOAMEuenp0BpZRSqqgyKa+5SqkOOYGxmQQIECBAgAABAgQIECBAgAABAp0h0PqYvuZw9uI0mA2mGP4uxfBoimHPsxeP/bdCQQZkIO8MKKWUUnmVR0XNUUp1xrmMrSRAgAABAgQIECBAgAABAgQIEGhzgYnh0hGta0Y1Yjk2YvhUiuGJvBeczVNiyIAMHCwDSimlVFFlUl5zlVJtfjJj8wgQIECAAAECBAgQIECAAAECBNpboPXOqKfLqFr4+RTLn0gxPHSwRWM/UyrIgAwUlQGllFIqr/KoqDlKqfY+p7F1BAgQIECAAAECBAgQIECAAAECbSxw9ZrseY16+Z3NWP6zFMPdrhmlbCiqbDBXtqaTAaWUUqqoMimvuUqpNj6psWkECBAgQIAAAQIECBAgQIAAAQLtKbBlTbaoUcvWplr2mRTDvcoohcF0CgO3kZOiM6CUUkrlVR4VNUcp1Z7nNbaKAAECBAgQIECAAAECBAgQIECgzQSevmZU/dQTni6jYvl/pBgeUUYpGYouGcyXsZlkQCmllCqqTMprrlKqzU5ubA4BAgQIECBAgAABAgQIECBAgEB7CTxdRp1ZObkRyzHF7NMphidmskjstkoFGZCBucqAUkoplVd5VNQcpVR7nePYGgIECBAgQIAAAQIECBAgQIAAgTYRGBkpLRwbyhY3Y/i5Zsw+vvedUZNztbjscRQZMiADM82AUkopVVSZlNdcpVSbnOTYDAIECBAgQIAAAQIECBAgQIAAgfYRGI9LXtCol9+ZYvanKYa7fUyfcmCm5YDby8x8ZEAppZTKqzwqao5Sqn3OdWwJAQIECBAgQIAAAQIECBAgQIDAPAuMDvc9v1ELP59i9repVrlHGaVYmI9iwWPK3WwzoJRSShVVJuU1Vyk1zyc6Hp4AAQIECBAgQIAAAQIECBAgQGB+BUZWr37O+PCSH2vWwi+lGP4txbBLGaUUmG0p4H6yM58ZUEoppfIqj4qao5Sa33Mej06AAAECBAgQIECAAAECBAgQIDBPAqPrqkeOrV16yjNlVPav87mQ7LEVGTIgA3lkQCmllCqqTMprrlJqnk56PCwBAgQIECBAgAABAgQIECBAgMD8CLTeGXVFva/SqIX/kmqVz6QYnspjMdgMpYIMyMB8Z0AppZTKqzwqao5San7OfTwqAQIECBAgQIAAAQIECBAgQIDAPAhceWbl5GYtO6cZw+dSDA/N9wKyx1diyIAM5JkBpZRSqqgyKa+5Sql5OPnxkAQIECBAgAABAgQIECBAgAABAnMrMDrc9/xmrfLLKYYvNWNle56LwGYpFWRABtolA0oppVRe5VFRc5RSc3v+49EIECBAgAABAgQIECBAgAABAgTmSKD1MX1X1csvSTGcnWL4Sorh0XZZOLYdSgwZkIEiMqCUUkoVVSblNVcpNUcnQR6GAAECBAgQIECAAAECBAgQIEBgbgRG11WPHI+nLmnUs3c1Y7iuiIVfMxUKMiAD7ZgBpZRSKq/yqKg5Sqm5ORfyKAQIECBAgAABAgQIECBAgAABAgULtN4ZdUW9r9KM5XUphs+mGPa046KxbVJmyIAMFJUBpZRSqqgyKa+5SqmCT4aMJ0CAAAECBAgQIECAAAECBAgQKF6gWSu/PMXsfSmGv00xPFTUgq+5ygQZkIF2zoBSSimVV3lU1BylVPHnRB6BAAECBAgQIECAAAECBAgQIECgIIHR4b7nN2uVX04xfKkZK9vbebHYtikzZEAGis6AUkopVVSZlNdcpVRBJ0TGEiBAgAABAgQIECBAgAABAgQIFCMwMVw6ojmcvbhRL79z7zWjdha90Gu+MkEGZKATMqCUUkrlVR4VNUcpVcy5kakECBAgQIAAAQIECBAgQIAAAQI5C4yuqx7ZGDrllSlm704xfKUTFohtoyJDBmRgLjOglFJKFVUm5TVXKZXzyZFxBAgQIECAAAECBAgQIECAAAEC+QqMrF79nCvqfZVUL/9KiuGzc7nA67EUCjIgA52UAaWUUiqv8qioOUqpfM+RTCNAgAABAgQIECBAgAABAgQIEMhR4Moz+16RYva+FMPfphge7qTFYduqzJABGZjrDCillFJFlUl5zVVK5XiSZBQBAgQIECBAgAABAgQIECBAgEA+AuNxyQuaMaxr1sIXUwzb5nph1+MpE2RABjoxA0oppVRe5VFRc5RS+ZwnmUKAAAECBAgQIECAAAECBAgQIHCYAhPDpSOurJ96QqqV35Fi9q8phkc6cVHYNiszZEAG5isDSimlVFFlUl5zlVKHebLk7gQIECBAgAABAgQIECBAgAABAocnMLquemRj6JRXppi9O8Xwb/O1mOtxFQkyIAOdngGllFIqr/KoqDlKqcM7Z3JvAgQIECBAgAABAgQIECBAgACBWQqMrF79nCvqfZVWGdWM4XOdvhhs+xUaMiAD850BpZRSqqgyKa+5SqlZnjS5GwECBAgQIECAAAECBAgQIECAwOwEJkulBa13RjVi+LUUw2d9TJ+F/PleyPf4MtgtGVBKKaXyKo+KmqOUmt25k3sRIECAAAECBAgQIECAAAECBAjMQmA8LnlBqof/O8XKP6cYtnXLQrD9UGrIgAy0QwaUUkqposqkvOYqpWZx8uQuBAgQIECAAAECBAgQIECAAAEC0xcYGSkt/PgZr3hhqpXfkWL4lxTDw+2weGsblAgyIAPdlgGllFIqr/KoqDlKqemfP7klAQIECBAgQIAAAQIECBAgQIDADARG11WPbH1MX+uaUY0Yru+2xV/7o9CQARlotwwopZRSRZVJec1VSs3gRMpNCRAgQIAAAQIECBAgQIAAAQIEDi3QKqPGz+oLjXr2rhTD37Xboq3tUSTIgAx0awaUUkqpvMqjouYopQ59HuUWBAgQIECAAAECBAgQIECAAAEC0xCYLJUWjMclS5r18F9TrfKZFMMj3brwa7+UGjIgA+2YAaWUUqqoMimvuUqpaZxQuQkBAgQIECBAgAABAgQIECBAgMDBBcbjkhc0atl7Ui37pxTDtnZcrLVNSgQZkIFuz4BSSimVV3lU1Byl1MHPp/yUAAECBAgQIECAAAECBAgQIEDgAAKtd0aNDvc9vxGzX0wxfDnF8FC3L/jaP6WGDMhAO2dAKaWUKqpMymuuUuoAJ1W+TYAAAQIECBAgQIAAAQIECBAgsH+BkdWrn9MYOuWVKWbvTvVwQzsv0No2BYIMyEAvZUAppZTKqzwqao5Sav/nVr5LgAABAgQIECBAgAABAgQIECDwLIHRddUjx8/qC81a+KVUr/x9Ly302lfFhgzIQCdkQCmllCqqTMprrlLqWSdX/pMAAQIECBAgQIAAAQIECBAgQOCHBVof0ze2dukpKYb3plrlMymGnZ2wOGsblQgyIAO9lgGllFIqr/KoqDlKqR8+x/JfBAgQIECAAAECBAgQIECAAAEC+wh8/IxXvLARK7/aiOEfUwzbem2B1/4qNWRABjopA0oppVRRZVJec5VS+5xk+ScBAgQIECBAgAABAgQIECBAgECp1HpnVBpcenwzZm9PMXwpxfBQJy3K2lYlggzIQK9mQCmllMqrPCpqjlLKmSYBAgQIECBAgAABAgQIECBAgMDTAiOrVz+nMXTKK1PM3p1i9tVeXdS13woNGZCBTs2AUkopVVSZlNdcpZSTTgIECBAgQIAAAQIECBAgQIBAjwuMrqseOX5WX2jUy+9M9fAPnboYa7sVCTIgA72eAaWUUiqv8qioOUqpHj/ptPsECBAgQIAAAQIECBAgQIBA7wqMjJQWNodCX+uaUSlmn04xPNrrC7r2X6khAzLQyRlQSimliiqT8pqrlOrd8057ToAAAQIECBAgQIAAAQIECPSwwMfPeMULm/XwX1MM/yvFsK2TF2FtuxJBBmRABp7JgFJKKZVXeVTUHKVUD5982nUCBAgQIECAAAECBAgQIECg9wQuH152XDNmb2/WwhdTDA9ZyLWYLwMyIAPdkwGllFKqqDIpr7lKqd4797THBAgQIECAAAECBAgQIECAQI8JjJ+95OjxeOqSFLN3p5h9NcWwxyJ09yxCO5aOpQzIwFQGlFJKqbzKo6LmKKV67CTU7hIgQIAAAQIECBAgQIAAAQK9IzC69qRjUr2yolHLzkkxfGVq0dJXC9gyIAMy0J0ZUEoppYoqk/Kaq5TqnfNQe0qAAAECBAgQIECAAAECBAj0iMDI6tXPaQ5lK8fq5Yv3fkzfExagu3MB2nF1XGVABvbNgFJKKZVXeVTUHKVUj5yM2k0CBAgQIECAAAECBAgQIECgNwSaQ6GvUQubUwz/kmLYue9ipX9bvJYBGZCB7s6AUkopVVSZlNdcpVRvnI/aSwIECBAgQIAAAQIECBAgQKDLBUaHXvWysXp2YYrh31MMj1p47u6FZ8fX8ZUBGdhfBpRSSqm8yqOi5iiluvyE1O4RIECAAAECBAgQIECAAAEC3SswfvaSo8fP6gtjMVySYrgtxbB7f4uUvmfxWgZkQAZ6IwNKKaVUUWVSXnOVUt17XmrPCBAgQIAAAQIECBAgQIAAgS4VGF170jFjg6csTzF7XyNm37DY3BuLzY6z4ywDMnCoDCillFJ5lUdFzVFKdenJqd0iQIAAAQIECBAgQIAAAQIEuk9gdF31yOZQtjLVsouatfDFFMP3DrVA6ecWsWVABmSgdzKglFJKFVUm5TVXKdV956f2iAABAgQIECBAgAABAgQIEOhCgeZQ6BurZ5elGL6cYthpkbl3Fpkda8daBmRguhlQSiml8iqPipqjlOrCk1S7RIAAAQIECBAgQIAAAQIECHSPQBpcetJYPbuwEcP1KYZd012YdDuL2DIgAzLQexlQSimliiqT8pqrlOqec1R7QoAAAQIECBAgQIAAAQIECHSJwJY12aLGYDlrxPDBFMOtKYanLC733uKyY+6Yy4AMzDQDSimlVF7lUVFzlFJdcrJqNwgQIECAAAECBAgQIECAAIHOFxhde9Ix47W+0xu17JxGzL4508VIt7eALQMyIAO9nQGllFKqqDIpr7lKqc4/X7UHBAgQIECAAAECBAgQIECAQIcLTAwvO6o5lK1MtcpFzVr4Yorh+xaWe3th2fF3/GVABmaTAaWUUiqv8qioOUqpDj9ptfkECBAgQIAAAQIECBAgQIBAZwt87Ky+0KiFzSmGL6cYHp3NIqT7WLyWARmQARloZUAppZQqqkzKa65SqrPPW209AQIECBAgQIAAAQIECBAg0KECf3hm5eRGzNY3YrheGWUxWaEgAzIgA3lkQCmllMqrPCpqjlKqQ09cbTYBAgQIECBAgAABAgQIECDQeQJb1mSLRmNWHquXL27E8G0f02cROo9FaDPkSAZkYCoDSimlVFFlUl5zlVKdd/5qiwkQIECAAAECBAgQIECAAIEOExhde9IxjXr5tFSvnJti+NbU4qGvFpJlQAZkQAbyzIBSSimVV3lU1BylVIedxNpcAgQIECBAgAABAgQIECBAoHMEJoaXHdUcylY2YmV9sxa+mGJ4Ms/FR7MsZsuADMiADOybAaWUUqqoMimvuUqpzjmPtaUECBAgQIAAAQIECBAgQIBABwmkwaVLG7G8KcXwJdeMsmi876Kxf8uDDMhAURlQSiml8iqPipqjlOqgk1mbSoAAAQIECBAgQIAAAQIECLS/wNhQtrgRs/WNGK5XRll4Lmrh2VzZkgEZ2F8GlFJKqaLKpLzmKqXa/1zWFhIgQIAAAQIECBAgQIAAAQJtLrBlTbaoORT6Ui27aO81o763v8VC37OILAMyIAMyUGQGlFJKqbzKo6LmKKXa/KTW5hEgQIAAAQIECBAgQIAAAQLtKzC69qRjrlibvXosVs7bW0ZNFrnYaLbFbBmQARmQgYNlQCmllCqqTMprrlKqfc9rbRkBAgQIECBAgAABAgQIECDQpgLPvDMqWzlWzy7ce82oJw+2SOhnFpFlQAZkQAbmIgNKKaVUXuVRUXOUUm16cmuzCBAgQIAAAQIECBAgQIAAgfYUGKuHV6VY3tishS+6ZpRF5rlYZPYYciYDMjDdDCillFJFlUl5zVVKtef5ra0iQIAAAQIECBAgQIAAAQIE2kygWSu/vHXNqEYM1yujLBBPd4HY7WRFBmRgLjOglFJK5VUeFTVHKdVmJ7g2hwABAgQIECBAgAABAgQIEGgfgdbH9I2tXXpKq4xKMftGiuGJuVxc9FgWs2VABmRABmaSAaWUUqqoMimvuUqp9jnPtSUECBAgQIAAAQIECBAgQIBAmwiMrj3pmKc/pq8e3t+I4dszWRB0WwvIMiADMiAD85UBpZRSKq/yqKg5Sqk2Odm1GQQIECBAgAABAgQIECBAgMD8C7TeGdUcylY2atkHGjF8OcXw1HwtLHpci9oyIAMyIAMzzYBSSilVVJmU11yl1Pyf79oCAgQIECBAgAABAgQIECBAoA0ErlibvbpRyzY0a+GLrhllIXimC8FuLzMyIAPtkAGllFIqr/KoqDlKqTY46bUJBAgQIECAAAECBAgQIECAwPwJNGvll7euGdWI4foUw852WFS0DRa3ZUAGZEAGZpMBpZRSqqgyKa+5Sqn5O+f1yAQIECBAgAABAgQIECBAgMA8CUwMLztqPJ66pBGz9SmGW1ItPD6bxT/3sWgsAzIgAzLQThlQSiml8iqPipqjlJqnk18PS4AAAQIECBAgQIAAAQIECMy9wOjak44ZPaty6t5rRn27nRYSbYuFbRmQARmQgcPNgFJKKVVUmZTXXKXU3J//ekQCBAgQIECAAAECBAgQIEBgjgXGz15ydHMoW9mI4YJGDF9OMew+3IU/97d4LAMyIAMy0G4ZUEoppfIqj4qao5Sa45NgD0eAAAECBAgQIECAAAECBAjMrcBore/0sZiNpBi+kGLY1W4LiLbHorYMyIAMyEBeGVBKKaWKKpPymquUmtvzYI9GgAABAgQIECBAgAABAgQIzJHA6Jl9r0i17KJGDNenGHbmteBnjsVjGZABGZCBds2AUkoplVd5VNQcpdQcnQh7GAIECBAgQIAAAQIECBAgQKB4gdF11SNbZdRYPbswxXBTiuGxdl04tF0WtWVABmRABvLOgFJKKVVUmZTXXKVU8efDHoEAAQIECBAgQIAAAQIECBAoWGB07UnHXFHvq+wto76T9yKfeRaOZUAGZEAGOiEDSimlVF7lUVFzlFIFnxQbT4AAAQIECBAgQIAAAQIECBQnMH72kqMbg9lAqof3pxj+JcWwpxMWMUwgygAAIABJREFUDW2jxW0ZkAEZkIEiMqCUUkoVVSblNVcpVdx5sckECBAgQIAAAQIECBAgQIBAgQJjg6csTzG7NMXwhRTDriIW98y0aCwDMiADMtBJGVBKKaXyKo+KmqOUKvDk2GgCBAgQIECAAAECBAgQIEAgf4HxWt/pjXr2oUYM16cYdnbSYqFttbgtAzIgAzJQZAaUUkqposqkvOYqpfI/NzaRAAECBAgQIECAAAECBAgQyFlgYnjZUWlw6dIUw5YUK7enGB4rclHPbIvGMiADMiADnZgBpZRSKq/yqKg5SqmcT5KNI0CAAAECBAgQIECAAAECBPITuHpN9rxGvXxaq4xqxsr2TlwgtM0WtmVABmRABuYqA0oppVRRZVJec5VS+Z0nm0SAAAECBAgQIECAAAECBAjkJJAGlx4/Xqv8ZKpnl6UYbpurxTyPY+FYBmRABmSgkzOglFJK5VUeFTVHKZXTybIxBAgQIECAAAECBAgQIECAwOELTJZKC8ZitjrF8HvNevh6iuH7nbw4aNstbsuADMiADMxlBpRSSqmiyqS85iqlDv982QQCBAgQIECAAAECBAgQIEAgB4Gxs05Z/vQ1o2rh5hTD9+ZyEc9jWTSWARmQARnohgwopZRSeZVHRc1RSuVw0mwEAQIECBAgQIAAAQIECBAgMDuB0XXVI8fP6gupVv79vR/Tp4yKFoa7YWHYPsixDMjAfGRAKaWUKqpMymuuUmp258zuRYAAAQIECBAgQIAAAQIECByGQOuaUY16+bRmzP4gxbBjPhbuPKYFYxmQARmQgW7LgFJKKZVXeVTUHKXUYZxAuysBAgQIECBAgAABAgQIECAwM4FWGZXqfW9o1MLmFCu3d9tioP2xwC0DMiADMjCfGVBKKaWKKpPymquUmtm5s1sTIECAAAECBAgQIECAAAECsxAYGSktTEPlN6WY/U6zHr6eYnhyPhftPLZFYxmQARmQgW7MgFJKKZVXeVTUHKXULE6k3YUAAQIECBAgQIAAAQIECBCYvkCqn7IixbAlxXBTisE1o1wzarIbF4Ltk4JDBmSgHTKglFJKFVUm5TVXKTX9c2i3JECAAAECBAgQIECAAAECBKYpMDFcOqIxWM6aMXw4xfAdZZTF2nZYrLUNcigDMtDtGVBKKaXyKo+KmqOUmubJtJsRIECAAAECBAgQIECAAAEChxZoXTOqUS+flmrZR1IMO7p98c/+WeCWARmQARlopwwopZRSRZVJec1VSh36fNotCBAgQIAAAQIECBAgQIAAgUMIPF1GDS39iUYtbE4xbG2nBTrbYsFYBmRABmSgVzKglFJK5VUeFTVHKXWIk2o/JkCAAAECBAgQIECAAAECBA4s0PqYvjRUflOK2W+nGG5MMTzZKwt/9tMitwzIgAzIQLtlQCmllCqqTMprrlLqwOfVfkKAAAECBAgQIECAAAECBAgcROCKGPqbMfuDFMNNrhllYbbdFmZtj0zKgAz0YgaUUkqpvMqjouYopQ5ycu1HBAgQIECAAAECBAgQIECAwA8LTJZKC0ZjVm7G8OFGDN9WRln07cVFX/ss9zIgA+2aAaWUUqqoMimvuUqpHz639l8ECBAgQIAAAQIECBAgQIDAfgSevmZUvXxaitnlKYYd7boYZ7ssFMuADMiADPRyBpRSSqm8yqOi5iil9nOi7VsECBAgQIAAAQIECBAgQIDAMwJXr8me16yVX9+M5U2pHu7s5YU++26hWwZkQAZkoN0zoJRSShVVJuU1VynlVQYBAgQIECBAgAABAgQIECDwIwIjq1c/Jw2V39Ssh99KMdyYYniy3RfibJ/FYhmQARmQgV7PgFJKKZVXeVTUHKXUj5x2+wYBAgQIECBAgAABAgQIEOhtgcZZ2UCqZR/ZW0Z9r9cX+Oy/RW4ZkAEZkIFOyYBSSilVVJmU11ylVG+/zrD3BAgQIECAAAECBAgQIEDgBwLNodCXYvi9FMM3UwzKqGgRtlMWYW2nrMqADMjAMxlQSiml8iqPipqjlPrBqbd/ECBAgAABAgQIECBAgACB3hO4fHjZcY16+bRGzD6aYthhUc/CrgzIgAzIgAx0bgaUUkqposqkvOYqpXrv9YY9JkCAAAECBAgQIECAAAECpavXZM9L9ex1zVjelGqVeyxAdu4CpGPn2MmADMiADExlQCmllMqrPCpqjlLKCxECBAgQIECAAAECBAgQINBDAhPDy44ai9nqVAu/ufeaUU9OLWT5alFTBmRABmRABjo7A0oppVRRZVJec5VSPfTCw64SIECAAAECBAgQIECAQG8LNM7KBlKsXN6sh6+7ZlRnLzpaNHb8ZEAGZEAG9pcBpZRSKq/yqKg5Sqnefj1i7wkQIECAAAECBAgQIECgBwQag+WsGcOHU8y+oYyyiLm/RUzfkwsZkAEZ6I4MKKWUUkWVSXnNVUr1wIsPu0iAAAECBAgQIECAAAECvSdw1VuXH9uol09LMbs8xbAtxbDHgmN3LDg6jo6jDMiADMjAgTKglFJK5VUeFTVHKdV7r0vsMQECBAgQIECAAAECBAh0scDVa7LnNWvhtSmWN6YY7jvQopXvW9CUARmQARmQge7LgFJKKVVUmZTXXKVUF78QsWsECBAgQIAAAQIECBAg0DsCW9Zki8ZitroRw2+kGG5KMTxlsbH7FhsdU8dUBmRABmTgYBlQSiml8iqPipqjlOqd1yf2lAABAgQIECBAgAABAgS6VKA5lK1MsXJ5sx6+7ppRFisPtljpZ/IhAzIgA92dAaWUUqqoMimvuUqpLn1BYrcIECBAgAABAgQIECBAoPsFxs/qC80YPpxiuEUZ1d2LjBaRHV8ZkAEZkIHpZEAppZTKqzwqao5Sqvtfo9hDAgQIECBAgAABAgQIEOgigaveuvzYK9Zmr0617CMphgdSDLuns0jlNhYzZUAGZEAGZKD7M6CUUkoVVSblNVcp1UUvTOwKAQIECBAgQIAAAQIECHSvwNVrsuc1YuU1KZY37i2jJi0udv/iomPsGMuADMiADMwkA0oppVRe5VFRc5RS3ft6xZ4RIECAAAECBAgQIECAQBcIbFmTLRqL2epmPfx6qoWbUwxPzWRxym0tZsqADMiADMhA72RAKaWUKqpMymuuUqoLXqDYBQIECBAgQIAAAQIECBDoToGxWK42YvhoiuFrrhnVOwuKFo8daxmQARmQgdlmQCmllMqrPCpqjlKqO1+32CsCBAgQIECAAAECBAgQ6GCBNHjK0mYMH977zqjvz3Zhyv0sasqADMiADMhAb2VAKaWUKqpMymuuUqqDX6TYdAIECBAgQIAAAQIECBDoDoHJUmnB5cPLjmvWsmWpln0kxXCfj+nrrUVEi8aOtwzIgAzIQB4ZUEoppfIqj4qao5Tqjtcv9oIAAQIECBAgQIAAAQIEOlBgZKS0sDmcvbhZL785xfB7KYYH81iQMsPCpgzIgAzIgAz0ZgaUUkqposqkvOYqpTrwRYtNJkCAAAECBAgQIECAAIHOF/j4Ga94YbOe1Zr18sdSDHekGPZYQOzNBUTH3XGXARmQARnIKwNKKaVUXuVRUXOUUp3/OsYeECBAgAABAgQIECBAgEAHCWxZky1q1rKfbsTsj1MM3/ExfRYi81qINEeWZEAGZEAGlFJKqaLKpLzmKqU66IWLTSVAgAABAgQIECBAgACBzhUYXVc9sjFU/om9ZdRtyigLhxaPZUAGZEAGZCDvDCillFJ5lUdFzVFKde7rGVtOgAABAgQIECBAgAABAm0uMFkqLUiDS49vlVEpZtekGHYooyxA5r0AaZ5MyYAMyIAMTGVAKaWUKqpMymuuUqrNX8DYPAIECBAgQIAAAQIECBDoPIGRkdLC5nD24jRYflOjno2lmD02tVjkq4VDGZABGZABGZCBojKglFJK5VUeFTVHKdV5r21sMQECBAgQIECAAAECBAi0sUBjePGL0mA22KyXP5bq2Z0phj1FLTyZa1FTBmRABmRABmRg3wwopZRSRZVJec1VSrXxCxmbRoAAAQIECBAgQIAAAQKdI7BlTbYoxfKaFLOrUgzf8TF9Fgn3XST0b3mQARmQARmYiwwopZRSeZVHRc1RSnXO6xtbSoAAAQIECBAgQIAAAQJtKDC6rnpkqve9YW8ZdasyyqLjXCw6egw5kwEZkAEZ2F8GlFJKqaLKpLzmKqXa8AWNTSJAgAABAgQIECBAgACB9haYLJUWpMGlxzdr5dc3YvbJFMM2ZZTFwf0tDvqeXMiADMiADMxlBpRSSqm8yqOi5iil2vt1jq0jQIAAAQIECBAgQIAAgTYSGBkpLWwOZy9u1rM3pnrWTDF7bC4XmjyWhU0ZkAEZkAEZkIGDZUAppZQqqkzKa65Sqo1e3NgUAgQIECBAgAABAgQIEGhPgdY7oxrDi1/UqGVrU638hylmd6UY9hxsUcjPLBrKgAzIgAzIgAzMdQaUUkqpvMqjouYopdrz9Y6tIkCAAAECBAgQIECAAIE2EdiyJlvUGApnpHp2ZYrhOz6mzwLjXC8wejyZkwEZkAEZmG4GlFJKqaLKpLzmKqXa5EWOzSBAgAABAgQIECBAgACB9hIYXVc9crxW+ckUs6tSDLcqoywITndB0O1kRQZkQAZkYL4yoJRSSuVVHhU1RynVXq95bA0BAgQIECBAgAABAgQIzKNA62P6Lh9edlyqZ69LtfAnKYYHUgxPztfCkse1qCkDMiADMiADMjCTDCillFJFlUl5zVVKzeOLHQ9NgAABAgQIECBAgAABAu0hMDJSWji6tnJiYzD8VDOGP0oxe2wmC0Bua8FQBmRABmRABmSgHTKglFJK5VUeFTVHKdUer39sBQECBAgQIECAAAECBAjMg0DrnVFX1k89oVkPZ6Za+Q9TLN+dYtjTDotKtsHipgzIgAzIgAzIwEwzoJRSShVVJuU1Vyk1Dy96PCQBAgQIECBAgAABAgQIzL/AljXZokYtW/vMO6PCd1wzysLfTBf+3F5mZEAGZEAG2i0DSimlVF7lUVFzlFLz/zrIFhAgQIAAAQIECBAgQIDAHAqMrqse2fqYvhSzq1IMtyqjLCi224Ki7ZFJGZABGZCB2WZAKaWUKqpMymuuUmoOX/h4KAIECBAgQIAAAQIECBCYH4HWx/Rd9dblx44NZT+eYvkTKYb7UgxPznbBx/0sFsqADMiADMiADLRjBpRSSqm8yqOi5iil5uf1kEclQIAAAQIECBAgQIAAgTkQGBkpLRxdWzkx1fve0IjZH6eYPdaOC0i2ycKmDMiADMiADMhAHhlQSimliiqT8pqrlJqDF0EeggABAgQIECBAgAABAgTmVqD1zqgr66ee0BgKZzRi9tFUy+7JY6HHDAuGMiADMiADMiAD7ZwBpZRSKq/yqKg5Sqm5fV3k0QgQIECAAAECBAgQIECgYIEta7JFzXpWS/Ws6ZpRFg7beeHQtsmnDMiADMhA3hlQSimliiqT8pqrlCr4xZDxBAgQIECAAAECBAgQIDA3AhPDy45q1rM3pnp2ZYrhthTDU3kv9Jhn8VAGZEAGZEAGZKCdM6CUUkrlVR4VNUcpNTevjTwKAQIECBAgQIAAAQIECBQg0PqYvtG1Jx3TrIXXNmP28RTDvSmGJ9t5sci2WcyUARmQARmQARkoKgNKKaVUUWVSXnOVUgW8KDKSAAECBAgQIECAAAECBIoVGBkpLWxdM6pZK78+xfInUsweK2pxx1wLhzIgAzIgAzIgA52SAaWUUiqv8qioOUqpYl8nmU6AAAECBAgQIECAAAECOQo8886oyonjtb63NWL20RSz1jujJv2fgQzIgAzIgAzIgAyESaWUUqqoMimvuUqpHF8cGUWAAAECBAgQIECAAAECxQlsWZMtasRybMYspRhudc0oi48WH2VABmRABmRABn44A0oppVRe5VFRc5RSxb1eMpkAAQIECBAgQIAAAQIEchCYGF521FjMVjdj+KMUw23KqB9efLIYx0MGZEAGZEAGZGAqA0oppVRRZVJec5VSObxAMoIAAQIECBAgQIAAAQIE8hVofUzf+NlLjm7WwmtTLbs6xXB3iuHJqQUXXy2+yYAMyIAMyIAMyMCPZkAppZTKqzwqao5SKt/XTaYRIECAAAECBAgQIECAwGEIjIyUFl5ZP/WEVM9el2J2Taplj1tw+tEFJyZMZEAGZEAGZEAG9pcBpZRSqqgyKa+5SqnDeLHkrgQIECBAgAABAgQIECCQj0DrnVGjaysnplhe04jZR1PM7t/fQovvWYCTARmQARmQARmQgQNnQCmllMqrPCpqjlIqn9dPphAgQIAAAQIECBAgQIDALAVaH9PXiOWYYtZIMdyaYthtsenAi01s2MiADMiADMiADBwoA0oppVRRZVJec5VSs3zR5G4ECBAgQIAAAQIECBAgcHgCE8PLjkqD5TelenZliuG2FMNTB1pg8X2LbzIgAzIgAzIgAzJw6AwopZRSeZVHRc1RSh3eayj3JkCAAAECBAgQIECAAIEZCmxZky1qxFNek2rZ1SmGu1IMT1pkOvQiEyNGMiADMiADMiADh8qAUkopVVSZlNdcpdQMXzy5OQECBAgQIECAAAECBAjMXGBkpLSwMfzqF6V69roUs2tSLTx+qEUVP7fwJgMyIAMyIAMyIAMzy4BSSimVV3lU1Byl1MxfS7kHAQIECBAgQIAAAQIECExTYLJUWtAczl7cqJd/phGzj6aYPWhxaWaLS7x4yYAMyIAMyIAMTDcDSimlVFFlUl5zlVLTfCHlZgQIECBAgAABAgQIECAwM4GPn/GKFzZiOTbq2djea0btnu6CittZfJMBGZABGZABGZCBmWdAKaWUyqs8KmqOUmpmr6ncmgABAgQIECBAgAABAgQOIXD58LLjmrXsZ1M9/GWK4dYUw1MWlWa+qMSMmQzIgAzIgAzIwEwzoJRSShVVJuU1Vyl1iBdTfkyAAAECBAgQIECAAAEChxZofUzfxPDi5zZr2U+nWuUzKYYHUgzeGRUtps10Mc3tZUYGZEAGZEAGZp8BpZRSKq/yqKg5SqlDv7ZyCwIECBAgQIAAAQIECBA4gMDEcOmIq+rll6RYXtOI4R8tIs1+EYkdOxmQARmQARmQgcPNgFJKKVVUmZTXXKXUAV5Y+TYBAgQIECBAgAABAgQIHFigVUaNDWWLG/VsOMXKNSmGJw53EcX9LcTJgAzIgAzIgAzIwOFlQCmllMqrPCpqjlLqwK+x/IQAAQIECBAgQIAAAQIE9iNwZf3kE1IMZzdjZSLFcL/Fo8NbPOLHTwZkQAZkQAZkIK8MKKWUUkWVSXnNVUrt5wWWbxEgQIAAAQIECBAgQIDAjwpcPrzsuNY7o5ox/FWqVe7Ja/HEHAtxMiADMiADMiADMpBPBpRSSqm8yqOi5iilfvR1lu8QIECAAAECBAgQIECAwD4CW9Zki5q17KdTzD69951Reywc5bNwxJGjDMiADMiADMhAnhlQSimliiqT8pqrlNrnhZZ/EiBAgAABAgQIECBAgMAzAq1rRjWHsxeP1/relmL433kulphl8U0GZEAGZEAGZEAGismAUkoplVd5VNQcpZRXnAQIECBAgAABAgQIECDwA4FWGTU2lC1u1rKf3XvNqO9bNCpm0YgrVxmQARmQARmQgbwzoJRSShVVJuU1Vyn1g5de/kGAAAECBAgQIECAAIHeFmi9M6pRr7xzbxn1QN6LJOZZeJMBGZABGZABGZCBYjOglFJK5VUeFTVHKdXbrzntPQECBAgQIECAAAECBEppcOnxjXo23Izhr1Ktco/FomIXi/jylQEZkAEZkAEZKCoDSimlVFFlUl5zlVJegBIgQIAAAQIECBAgQKBHBbasyRY16uWfSTH7dIrhvhTDnqIWSMy1+CYDMiADMiADMiADxWdAKaWUyqs8KmqOUqpHX3zabQIECBAgQIAAAQIEelOgdc2o0bWVExtD4YxGDP+YYthtgaj4BSLGjGVABmRABmRABuYiA0oppVRRZVJec5VSvfk61F4TIECAAAECBAgQINBjAq0yamwoWzxWD0N7rxn15FwsjHgMC3AyIAMyIAMyIAMyMHcZUEoppfIqj4qao5TqsReidpcAAQIECBAgQIAAgd4TuKpefkmqVd6RYuWaFMODFobmbmGINWsZkAEZkAEZkIG5zIBSSilVVJmU11ylVO+9HrXHBAgQIECAAAECBAj0iEAaXHp8itn/2Yzhr1Ktcs9cLoh4LAtwMiADMiADMiADMjD3GVBKKaXyKo+KmqOU6pEXo3aTAAECBAgQIECAAIHeERg/e8nR47W+tzVi+FSK4d4Uwx6LQnO/KMScuQzIgAzIgAzIwFxnQCmllCqqTMprrlKqd16X2lMCBAgQIECAAAECBLpYoHXNqCvrp57QGApnpBj+V4qhdc0oZVS0GDbXi2EeT+ZkQAZkQAZkYP4yoJRSSuVVHhU1RynVxS9K7RoBAgQIECBAgAABAt0v0CqjxoayxalWrqd6uDbFsNtC0PwtBLFnLwMyIAMyIAMyMJ8ZUEoppYoqk/Kaq5Tq/teo/z97dx4nx13f+V8YY2LukACBKCBrqkaybB0zPflls9lN9MvuLxsHPP1tOROOAIEAJhyOkbGNLV9jSeTY/WWTkB8J8vS3ZROSJQrkYHMshCMhhHAYB8cIAzb4xLdsy5IwtrH692hZFQZFiFF31XRV1/MPP2oka6q73v2qd33r85rpdoQSkIAEJCABCUhAAhKQwIgmMDd9wnNic/yV7ZC8N4Z01zAHIB7bAA4DGMAABjCAAQwMnwFSipTKSx4VtR9SakRvTh2WBCQgAQlIQAISkIAEJDC6CcTpFU+NIfmFTkg/EJvjtxsADX8A5DXwGmAAAxjAAAYwUAYGSClSqiiZlNd+SanRvU91ZBKQgAQkIAEJSEACEpDAiCWw/VXLvq/3mVHtkP41GWXwVYbBl+eAQwxgAAMYwEC5GCClSKm85FFR+yGlRuwm1eFIQAISkIAEJCABCUhAAqOVQO8zo37/hc///p6M6oT0YzGkD8WQ7jcAKtcAyOvh9cAABjCAAQxgoAwMkFKkVFEyKa/9klKjdb/qaCQgAQlIQAISkIAEJCCBEUmgJ6PmNiRL22EsxJC+rwxDDs/BsA0DGMAABjCAAQyUmwFSipTKSx4VtR9SakRuWB2GBCQgAQlIQAISkIAEJDA6CWyfWfZD7ZC8oh2S93bC+L2GP+Ue/nh9vD4YwAAGMIABDJSFAVKKlCpKJuW1X1JqdO5bHYkEJCABCUhAAhKQgAQkUPEE4vSKp3aa4y/uhPQDPjPKcKsswy3PA4sYwAAGMICB6jBASpFSecmjovZDSlX8ptXTl4AEJCABCUhAAhKQgASqn8COmaXHd1rpi2Iz/asY0tsMfqoz+PFaea0wgAEMYAADGCgTA6QUKVWUTMprv6RU9e9fHYEEJCABCUhAAhKQgAQkUMEEZmeXHLM9LHtGe0P6wtga/2hspg/GkD5apqGG52LIhgEMYAADGMAABqrFAClFSuUlj4raDylVwZtXT1kCEpCABCQgAQlIQAISqG4CO2aWPP6KF43/cJxOpmMr/TODnmoNerxeXi8MYAADGMAABsrMAClFShUlk/LaLylV3XvZsj3zd86sekp7eiz5q5ev/I/Xbly9+srTG08q23P0fCQgAQlIQAISkIAEJDDUBLZteMFzOyF5eTsk7+2E8XvLPNDw3AzcMIABDGAAAxjAQPUYIKVIqbzkUVH7IaWGekta6QfvLlnyuD964fO/f/uG8R9tN9OXdULyazGkH/w/r1p1+x0XTV551yWNLdefvbZ19dlrnlzpA/XkJSABCUhAAhKQgAQkMGgC7zkleVonpC+NrfQvY3P8dgOe6g14vGZeMwxgAAMYwAAGqsAAKUVKFSWT8tovKTXo3WX9vr93P92eTn8yttJzOmF8RwzpZ2JI787e/v7Dr1nV7fG5Z0tj/67Zxi27L21c/pWzJ3716jevOaF+aTliCUhAAhKQgAQkIIFaJ7BjZunx7WZyamymfxVDelsVBhmeo4EbBjCAAQxgAAMYqC4DpBQplZc8Kmo/pFStb5EXfPBxesVTO62kGUP62+2Qfrwd0utjSO8/3PUpk1IZs/vePrV/9+bGvfdd2viXG85du23nGSetWvAD+4cSkIAEJCABCUhAAhKoWgKzs0uO2R6WPWN7c/nPxZB8JIZ0X/YTXIdbQPu76g59vHZeOwxgAAMYwAAGysYAKUVKZYP5sm5Jqard4Rb/fN9xSvLE3j30Fa3l4+0Ny18Ww9gfx5B8/eC99MMxpPuP1LWHSqn57O/bOvXIN94+9cAN5637hy+fPfGS28+feNYNs8u+r/dWgMUfmUeQgAQkIAEJSEACEpBAgQnsmFny+CteNP7Dvd+MaofxvzjSotn/M8DCAAYwgAEMYAADGCiCAVKKlJo/kC/j16RUgTelFdn1v/0g52nL004r+alOSM/thPRjMaT39dOLR5JS88+BvVun9t950cSNt18wcfEt50/81JVvaTy3IpF5mhKQgAQkIAEJSEACEvh2Ar2fsIrTK54XW8kvxmb6v/pdSPez+PY9hlkYwAAGMIABDGAAA/MZIKVIqflD+DJ+TUp9+16ybl91ZpJnxVby453m+Gs7Yex3Ymv8ozGkD8zvsH6+XqiUmn8+3D07ee8dF06+5/YLJ1997cbVq688vfGEur0ejlcCEpCABCQgAQlIoIIJHPjA1Wb6shiSP4/N8dv7WUD7HoMkDGAAAxjAAAYwgIG8GCClSKn5g/cyfk1KVfDGt8+n3PuNqG0bXvDc7c3xn4vN8U0xjP9JDOlVMaR78uq83n76kVK9c2Pf26e6929u7Lnv0smP33bhuv+588w1093ZJcf0ebi+TQISkIAEJCABCUhAAsUlsO3U5z0pTifrdzX3AAAgAElEQVTTMaT/O4b0tjwX1PZlKIUBDGAAAxjAAAYw0C8DpBQpVUYRNf85kVLF3aeWZc/tmaXPnGsmP98OyTtjSD4bQ3rDQRF1xM+G6rf3+pVS87ncs6Xx0O7NjZvuunjyb7648eTX7HzjqqeUJU/PQwISkIAEJCABCUigpgnMrl9/7BWtlT/Qbiav7YT0yoOL6kf7XTj7PsMmDGAAAxjAAAYwgIG8GSClSKn5g/Yyfk1Kjc4Nde83od5xSvLEbTPLn35Za/l4O6RntkP61wd/cLP321AP591xh9tfHlIqO1f2bZ3av2/r1L67L2l87bpz1v1/N5zfWPmlc1c81W9QjQ63jkQCEpCABCQgAQmUPoHeIruzIV3ebo39UgzpZw63CPZ3BkoYwAAGMIABDGAAA2VggJQipbLhelm3pFTpb4GP+AR7n6nc+2HNy05NToph7JR2SC9sN5NPxJB8Y1gdmKeUOvS8uf/SxqM3n7/2b++4ePLU6946serqs9c8+YgB+Z8SkIAEJCABCUhAAhLoN4ED73992vjKuZC8oR3SD8WQ7hvWItvjGnJhAAMYwAAGMIABDCyEAVKKlDp0qF62P5NS/d6hDu/7dswsefwVM+M/HFvj/ym2xl4Xw/g7D3421N6F9FLR/6ZIKZWdPw9saTx054WTn7vzoolLr3vb6uanzkieNrxXxCNLQAISkIAEJCABCYxcAnMbkqVzrfRXY0g/HEN6X9GLaPs3ZMIABjCAAQxgAAMYyIMBUoqUyoboZd2SUtW5fW5vOOEF7TAeYnP812NI/jy20qtjM30wj67Kcx+LIaWy82nPlsb+XbOTt+7e0rj8+nMmzvjcG09KqvOKeqYSkIAEJCABCUhAAqVLYNup4z/Ybqavj63xj8aQ7spzoWxfBk0YwAAGMIABDGAAA0UzQEqRUtnwvKxbUqp0t8H/9oR6n6Pce+v6GNJXxTDe7r19fSekN8WQfrPo7hpk/4sppbLzat/bp/bfv7lx732XNq686fy17/rCGSet7b214b+F6QsJSEACEpCABCQgAQl8twQOvBVBa+UPxJC8JobkszGkvbcg2D/Iotj3GjhhAAMYwAAGMIABDAyDAVKKlMqG5mXdklLf7c50cf++93b121+17Pvec0rytDh9worYSs9ph+SDMaR3x5DuiSF9ZBgd1s9jDkNKzT+/9m6denjf1qldN5w/8fEvnrX2xV99W+PpO2dXHUdSLS7THk0CEpCABCQgAQmUPoF3nJI8ce7UFSfE5tgr2yG5sp/Fr+8xbMIABjCAAQxgAAMYKBMDpBQpNX9YXsavSanh3SpvO73xhN67g1x2anJSu5mc2gljv3PgLflC+nCZeuxon8uwpdT882zv1qn9d140ccstm9bN3nT+up+46s0TzxveK+6RJSABCUhAAhKQgARKkUDvN6O2nTa+ci4kb2iH9EMxpN842kWvf2/4hAEMYAADGMAABjBQRgZIKVJq/oC8jF+TUot7W9y7/90eVi6LIfmZdhh7c6c19q5OK/lC2d+S72j6tUxSav45d88lk/fdfuHke++8eOIV15x58porT288YXFffY8mAQlIQAISkIAEJDD0BOY2JEvbIT0zhvTvYkjvO5qFrn9r8IQBDGAAAxjAAAYwUHYGSClSav5QvIxfk1LF3xb3fiOq95Z8nWby8zEk/28npB9oh/T6URJR87u4rFIqO//u39zYd+/s5Mdvv3jyv+/cuK7Ze2u/4inwCBKQgAQkIAEJSEACQ02gM5M8K7bSX4kh+UgnjN87fwHra8MlDGAAAxjAAAYwgIFRYYCUIqWyQXhZt6RUcbfGl5+anNR7R5DYSv80hvRzMaQ3V+mzofrt4bJLqexc3LOl8dD9mxs33j07+TfXvnX16V/65RVPLY4Ge5aABCQgAQlIQAISWPQEem9T0J456ZkxJK+JIf3MwQ9r3d/vQtf3GVZhAAMYwAAGMIABDJSdAVKKlMoG4GXdklKD3xrPzi45pvcZydvDsmd0mumPdVrJxbGV/kMM6V0H73u/VfauyvP5VUVKZefkvq1T+/dtndqza7bxlevOnvi9L7+1sfK22caTukuWPG5wOuxBAhKQgAQkIAEJSGDRE3hscb5yWTskr2iH5F/yXOzal0EUBjCAAQxgAAMYwECZGSClSKls8F3WLSnV3y3yjplVx23bcOJz262xkzutpNlupe+KzfTaMvfRYj23qkmpQ8/N+zc3Hr35/HUfu33TxClfOnfNiqvPXvPk/ijxXRKQgAQkIAEJSEACi5pA7zej4vSKFb236ZvrfWZUM31wsRbBHsdwCgMYwAAGMIABDGCgDAyQUqTUoQPvsv2ZlFr4bfKOmaXHbwvJWAxjp8SQvKUdkvce/GyoWv0m1Pfq1qpLqewc3bNl6uE7Lmz8y50XT85+9Zy1L9q58aRnLpwW/1ICEpCABCQgAQlIYFETmNuQLO0t0jsh/VAM6f3fa9Hq/xsaYQADGMAABjCAAQyMIgOkFCmVDbjLuiWljnyr3PuNqCumT1jTbiW/HEP62+2Q/nUnpDfFkD48ip2VxzGNipTKztm9W6f275qdvHX3lsbl15+79s2ff9Pa8SNT4/9KQAISkIAEJCABCSxaAn/QGnt27zejYkg/3Anj9+axoLUPAyoMYAADGMAABjCAgaoyQEqRUtlgu6xbUurf3y73RFQ8bflUO6RntkPyFzGkV8WQ3hlD+khVu2gxn/eoSan55+79lzbuve/SxqdvPn/d71+z8eSp3jvE/HuC/I0EJCABCUhAAhKQQKEJ9D7U9fdf+PzvP/iTY5+KIX0ghnT/Yi56PZZBFQYwgAEMYAADGMBAGRkgpUip+QPtMn5ddynVu5/tSah3zqx6SqeV/FS7lf5GDOnnD0qoPTGkj5axW8r8nEZZSmXn8N6tUw/t2/qjd968ad0/XrNx7S/cNtt40sdm1x9b6PDFziUgAQlIQAISkEDdE3jHKckT2xtOeMFcSF4+F5J/LfOi2HMzpMIABjCAAQxgAAMYGAYDpBQplQ2xy7qto5Tq3cvG6RXP2x7SdbE59soYxt8dQ3rzMDpiFB+zDlJq/vnce3u/Oy+euO3m89duueX8NT921Zsnnlf3eZHjl4AEJCABCUhAArkmMLt+/bFxesWKdjN9/VxI/y6G9JujuJB2TAZXGMAABjCAAQxgAAODMkBKkVLzh9dl/LouUqr3m1CXnZqc1GmlL2o3x86OrfTPDn42VHfQ89z3f+e1om5Sav55fc8lk/fdtmni/XdcNPGSa848ec3O2VXH5TqQsTMJSEACEpCABCRQtwQ6zbEfaTeTjZ2QfiiG9H6L7+9cfMtDHhjAAAYwgAEMYAAD8xkgpUip+QPrMn49ylIqTq946oHPhmqmr++E5Pc6If1YbI7f7u3mi+3pOkup7By/f3PjG7tmJz9+x8UTv7Zz47rmJzf++PF1mx85XglIQAISkIAEJDBQAnPTJzwnttJfiY/9ZtR982+0fV3sgl6+8sUABjCAAQxgAAPVZYCUIqWyIXVZt6MmpXbMLD2+PZ3+ZAzJJZ2QfuDg50PdE0P6LV26OF1KSn279/ZsaTx0/6WNG3ZdMvHXXzxrzRs+dUbytIGGM75ZAhKQgAQkIAEJjHICvQ983R6WPWOumb6600z/OYZ0t58oW5xFvJslOWMAAxjAAAYwgIHRYICU+vZwtqxSpu7Pq8pSqnfPuu30xhO2zSx/ers19rOdkP5ODMnOGNI7Y0j3xZA+qksXv0tJqX/fe/u2Tu3fs6Wx+95LGzu/cs7ad3zpzDUrem/t112y5HGjPFdybBKQgAQkIAEJSGBBCeyYWXVc72365kLy8nYr+YJF/OIv4mUucwxgAAMYwAAGMDAaDJBS/344W3cJVLbjr5KU6g3w3/0za548tyFZuj2k63qfc9wO6fu9tXy5+pKU+t69t3tz49Gbz1/3qdsuXPsz1583mVx99ponL2hg4x9JQAISkIAEJCCBUUpgdv36Y+P0ihVzYez0dkg/HEP6kGFIuRb3Xg+vBwYwgAEMYAADGKgWA6TU9x7Olk3S1O35VEFK9X4TKrbG18bmWKv3tnyxOf63MaR368Ny9iEptfDe27t16pGvXzj5r7dfOHnJDeet+dkr3zr+g6M0Z3IsEpCABCQgAQlI4LsmsO1Fy58fQ/KWGNIP+imzci7s3XB5XTCAAQxgAAMYwED1GCClFj6crZsMKsvxllVKXdFa+QOdVvJT7TD+5k4rfVcM6T/GkN6lB8vfg6TU0ffe3q1T+3ddMvn13bONK65727o3Xfnm1Su/6wDH/5CABCQgAQlIQAJVTmBu+oTnzIXkDTGkfxdDep8FfvkX+F4jrxEGMIABDGAAAxioDgOk1NEPZ8sia+ryPMokpdozS5/Z+2yodkh+rR3Sv44h7X0+1P06rzqd13utSKnBeu++Sxv33T/b+Odbzp/4vS+eteY/fGx2/bFVnjt57hKQgAQkIAEJSGBJ732433NK8rS5ZvrqGMb/6eAif7+FfrUW+l4vrxcGMIABDGAAAxgoPwOk1GDD2bqIoWEe57CkVO++dMfMksf/0Quf//0xpKfFVtqJIf1iDOmdMaTfiCF1jxrK33GHuw6RUvn03t6tUw/t3Tp12y2bJj5+9a+ueUl3dv2x3dklxxhrSUACEpCABCQggcoksGNm1XG9D4SNzbFXtkPS+4mzrv9kgAEMYAADGMAABjCAgeIYIKXyGc4OU9qM+mMvlpTqSag4veKpnebYj8Tp5VPtVrKxE9IPxZD0BJR70xHKgJTKv/f2bZ3q3nXxxJ03nbfu126+YGJq5zmrfqh3TlVmIOWJSkACEpCABCRQrwS2nd54QpxesSK2xl4XQ/KRGNKHLfrd9GAAAxjAAAYwgAEMYKB4Bkip/Iezoy6JFvv4ipRSvd+E2nbq+A/OhbFGp5n8fGwlb58L6d/HkO7VP8X3z7AyJqWK7b1dl0ze//ULJv7irosnX3zN2Sev2Tm76rh6TbkcrQQkIAEJSEACpU7gD8LKZe2QnhlD+sEY0t3DWpR63NG94fDaem0xgAEMYAADGMDAd2eAlCp2OLvYAmcUH68IKbV9ZtkPdZrpf42t5KwY0u0xpJ+JIX1AV3z3rhilbEipxem93Zsb37z7ksl/vPPiic1fOmvN9M43rnpKqQdUnpwEJCABCUhAAqOdQO8mYC4kb4gh/bsY0vtGaYHrWOpxI+N19jpjAAMYwAAGMDAKDJBSizOcHUVZtFjHlJeUOvBW8b3Phgrpbx+4D22m1xJR9exxUmpxe2/PlsbD913a+No9s5MfuPatJ59x5enLnz7aEy9HJwEJSEACEpBAqRLovUd3DOmrYjP5xEEZ5cNhR+i9uUdhMOMY6nlj6nX3umMAAxjAQF0ZIKUWdzi7WCJnlB6nXynV+zybP9zwgue2NySviGHsj2NIvxhDelcM6Tfrer477seudaTUcHpv39ap/Xu2NO6/79LG1V86e+3vfv5Na8d97lSpRnaejAQkIAEJSGB0Etgxs+q4OL3ieT0Z1Q5J70bAh8TKAAMYwAAGMIABDGAAAyVggJQaznB2lKRR0ceyECk1O7vkmG0zy5/eaY79yPbm+H/uhLEt7Wb6zz6v2L334eYPpFQ5em/35sajN5+/7jO3b5o45drz1i27+uw1Tx6dSZgjkYAEJCABCUhgKAlsO73xhMtay8fbzeS17Vby0RjSRw63IPR3bhQwgAEMYAADGMAABjAwHAZIqXIMZ4sWO1Xe/3eTUjtmljz+wA8/tpIfb7fGXxJD0ntbvt5nQ/lNqBII7zJ3OilVrt7bt3Xq0dsunPjC7ZvWXXLTeRP/9eqz1zzbb1ANZYznQSUgAQlIQALVTqCzIV0+10p/NYb0gzGku8u8IPXchjMAkbvcMYABDGAAAxjAwPAZIKXKNZytsjwq6rnPl1Kz69cf295wwgs6rfRFsZWcF0Pae1u+nUTU8LukSn1OSpWz9/Zundq/a3bytvsunbj8xrete9NVZ0ysqvZkzLOXgAQkIAEJSGBREti24cTnzoXkDTGkH+6E8XurtDD1XN3IYAADGMAABjCAAQzUjQFSqpzD2aIETxX325NSnzz9xLfE5tgrY0i3xdZ47104vhqb6YN1O18dbz7XKFKq/L1336WN3ffONj7x9QvW/u7Ot676T1ee3njCogy1PIgEJCABCUhAAtVJIE6veGrvM6NiSP/xoIzab8Gcz4JZjnLEAAYwgAEMYAADGCiKAVKq/MPZKoqkPJ/zA1sa+//iZeN3xJDe7TOidGEeXUhKVaf39mxpPLR3a+PmWy+Y/OjVZ655ZXWmZJ6pBCQgAQlIQAKFJLBjZtVxB34zqpm+uh2S3lsmEFHeu9sHlmMAAxjAAAYwgAEMVIgBUqo6w9k8RU+V9vXA5kb3z1+6wr1mhXolD3FU5D5IqWr23r63Tz1618WTd93wtrW/eeumdesOfPbU7JJjChl42akEJCABCUhAAuVKYPurln3fZacmJ8WQvKbdSnpvnfCtIheM9u2n4TCAAQxgAAMYwAAGMFAMA6RUNYezVZJKgz5XUqqYc7/OnUpKVb/3ds02dt+6aeIv77h48sXXbly9eufsquPKNTnzbCQgAQlIQAISyC2B9mnJRAzpRe0w9vEY0gfqvJB17G6OMIABDGAAAxjAAAaqzgApVf3h7KDSp+zfT0rp2bx7lpQand7bvbnxyF0XT/zT3Rc1Lr727DWnXnl64+m5DcDsSAISkIAEJCCB4Saw/bTlaU9GxZB+ygfKuinI+6bA/jCFAQxgAAMYwAAGhsMAKTU6w9myy6V+nx8pNZxuGOVOJqVGr/f2bJl6+N7Zxld3zU7+2ZfPXnvWv7xl3TOGO0Xz6BKQgAQkIAEJ9J1AZyZ5Vqc1dkEM6edjSPeM8sLUsbnZwQAGMIABDGAAAxioGwOk1OgNZ/uVP2X9PlJKL+fdy6TU6Pbevq1T+x/Y0rh/9+bGVV85d+3vXnXGxKq+B2K+UQISkIAEJCCBxUug95lRcxuSpXOPyajbYkgfzXsRaH9uLDCAAQxgAAMYwAAGMDB8Bkip0R3OllUyHe3zIqWG3xOj1tWkVG1679HdmxvfvOX8dZ+66fy1L7ru3DVLrzy98aTFm655JAlIQAISkIAEvmcCPRkVW+NrYxh7awzpzhjS/aO2+HQ8bmgwgAEMYAADGMAABjDwbQZIqdoMZ7tHK4PK8u9JqW+fr7ornyxIqfr13r63T+3/+gUT135907pLbjlv3fprzjz5Od0lSx73PQdl/oEEJCABCUhAAsUl0NmQTLZDemEM6adjSB+y2M1nsStHOWIAAxjAAAYwgAEMlJkBUqp+w9myyKaFPg9SSofm3aGkVH17b+/Wqf27Lpm8fdfsxOU3blr3ps+/ae1JxU3a7FkCEpCABCQggcMmcFlr+XgM6UUxpJ+KzfTBvBd79ucGAgMYwAAGMIABDGAAA+VlgJSq73B2oVJo2P+OlCpvf1S120kpvdfrtfsubey58W0T8bDDMn8pAQlIQAISkED+CcxNn/Ccg78ZdVUM6Z6qLiY9bzcoGMAABjCAAQxgAAMY6J8BUspwdtjS6Xs9PinV//mtGw+fHSml97LeuXXTun/Mf+JmjxKQgAQkIAEJ/FsCvc+M2rbhxOcekFGt9NYY0kcsUg+/SJWLXDCAAQxgAAMYwAAG6sAAKWU4mw1ny7olpXRx3l1MSum9rO9IqX8bGfpCAhKQgAQkkG8CO2aWHj83fcKa2ErOis302hjS/Xkv6uzPjQIGMIABDGAAAxjAAAaqxwApZTibDWfLuiWlqtcrZb8WkFJ6L+s7Uirf+aO9SUACEpCABA4kEE9bPtVppRfEkH46hvShsi8OPT83HBjAAAYwgAEMYAADGFg8Bkgpw9lsOFvWLSm1eH1Ql+4lpfRe1neklOGpBCQgAQlIIMcE4vQJKw5+ZtSnYzN9sC6LS8fphgUDGMAABjCAAQxgAAMLZ4CUMpzNhrNl3ZJSCz+fdd/CsiKl9F7Wd6RUjoNIu5KABCQggfomsH1m2Q8dlFGfiyHdY1G6sEWpnOSEAQxgAAMYwAAGMFBHBkgpw9lsOFvWLSmlm/PuZlJK72V9R0rVd37qyCUgAQlIYMAE3nFK8sS56ROe024lF8eQ3hxD+rDPjbJwz3vhbn+YwgAGMIABDGAAA6PHACllOJsNZ8u6JaVGr3eGfS0hpfRe1nek1IADSd8uAQlIQAL1S2DHzNLj262xk2MrOSuG5MvDXth5fDcLGMAABjCAAQxgAAMYqBYDpJThbDacLeuWlKpWp1ThGkBK6b2s70ip+s1SHbEEJCABCQyQQDxt+VRsjm+KIf1MDOlDVVj4eY5uJjCAAQxgAAMYwAAGMFAuBkgpw9lsOFvWLSlVrs4YhQ4npfRe1nek1ACDSd8qAQlIQAL1SSBOn7Di4GdGfTo20wdHYUHoGNxkYAADGMAABjCAAQxgYDgMkFKGs9lwtqxbUmo43TDKnUxK6b2s70ip+sxTHakEJCABCfSRQJxe8byejOqE9MoY0j2jvEB0bG46MIABDGAAAxjAAAYwsDgMkFKGs9lwtqxbUmpxuqBOnUtK6b2s70ipPgaUvkUCEpCABEY7gXeckjxxbvqE58xtSC+KYfzGg2/Tt79Oi0XH6gYEAxjAAAYwgAEMYAADxTFAShnOZsPZsm5JqeLO/7p2Kyml97K+I6VGe67q6CQgAQlI4CgS2DGz9PjLTk1Oiq3krBjS6+q6UHTcbj4wgAEMYAADGMAABjBQLAOklOFsNpwt65aUKrYD6tixpJTey/qOlDqKYaV/KgEJSEACo5nA7OySY+Jpy6faYfz8GNLPHPzNqG4dF4mO2Y0HBjCAAQxgAAMYwAAGimeAlDKczYazZd2SUsX3QN26lpTSe1nfkVKjOV91VBKQgAQksMAEtp22bGUMvbfpSz8dm+mDdVsUOl43GhjAAAYwgAEMYAADGFh8Bkgpw9lsOFvWLSm1+L0w6l1MSum9rO9IqQUOLf0zCUhAAhIYrQSumBn/4cdkVPLZGNK9o774c3xuKDCAAQxgAAMYwAAGMFAeBkgpw9lsOFvWLSlVnr4Yle4mpfRe1nek1GjNWB2NBCQgAQkcIYEdM6uOe3dr7NlzGw78ZtRXY0i/GUO6f1QWeI7DTQMGMIABDGAAAxjAAAaqwQApZTibDWfLuiWlqtElVep8UkrvZX1HSh1heOl/SUACEpDAaCSwY2bp8Z1msqrTTDbGkPZklM+LkgEGMIABDGAAAxjAAAYwMDQGSCnD2Ww4W9YtKWVukPfshJTSe1nfkVKjMW91FBKQgAQkcJgEZmeXHBNPWz4VW8l5MRx4m76H815U2Z+FOgYwgAEMYAADGMAABjBwtAyQUoaz2XC2rFtSSq8dba99r39PSum9rO9IqcMMMf2VBCQgAQlUP4Ftpy1b2WklF8eQfio20we/1+LI/7fgxgAGMIABDGAAAxjAAAYWiwFSynA2G86WdUtK6cO8+5CU0ntZ35FS1Z+7OgIJSEACEpiXQKc59iMxHPjMqE/HkO7NexFlfxbmGMAABjCAAQxgAAMYwMCgDJBShrPZcLasW1JKzw3ac4d+Pyml97K+I6XmDTJ9KQEJSEAC1Uxg2+mNJ7y7NfbsdkgvjCG97uBvRu0/dAHkzxbVGMAABjCAAQxgAAMYwEAZGCClDGez4WxZt6SUrsy7K0kpvZf1HSlVzfmrZy0BCUhAAkuWLNkxs/T47aeNr+w0k40xjN+Y94LJ/izCMYABDGAAAxjAAAYwgIEiGCClDGez4WxZt6SU7su7+0gpvZf1HSllrCsBCUhAApVLYMfMksfPhbFGu5m8rRPSK2NIH857sWR/FuAYwAAGMIABDGAAAxjAQFEMkFKGs9lwtqxbUkr/5d1/pJTey/qOlKrcKNYTloAEJFDvBOZa6YmdVnJxDOmnDr5NXzfvhZL9WXxjAAMYwAAGMIABDGAAA0UyQEoZzmbD2bJuSSkdmHcHklJ6L+s7Uqres11HLwEJSKAyCWybWf78GNKLDsiokO7Le3FkfxbcGMAABjCAAQxgAAMYwMBiMUBKGc5mw9mybkkpfZh3H5JSei/rO1KqMuNYT1QCEpBA/RKYXb/+2M5M8qxOa+yCGJIvx5B+I4Z0f94LI/uz2MYABjCAAQxgAAMYwAAGFpMBUspwNhvOlnVLSunEvDuRlNJ7Wd+RUvWb8TpiCUhAAqVPYMfM0uPj9IoV7VayMYb05rwXQvZncY0BDGAAAxjAAAYwgAEMDJMBUspwNhvOlnVLSunIvDuSlNJ7Wd+RUqUfzXqCEpCABOqTQO83o+bCWKMT0nNjSD8XQ/pI3osg+7OwxgAGMIABDGAAAxjAAAaGzQApZTibDWfLuiWl9GTePUlK6b2s70ip+sx6HakEJCCBUicw10pPjCG5pNNM/zk20wfzXvzYnwU1BjCAAQxgAAMYwAAGMFAWBkgpw9lsOFvWLSmlL/PuS1JK72V9R0qVekTryUlAAhIY/QTaG054QQzpRQdkVEj35b3osT8LaQxgAAMYwAAGMIABDGCgbAyQUoaz2XC2rFtSSm/m3ZuklN7L+o6UGv15ryOUgAQkULoEtp3eeEJ7eiyJzbHfjWHshhjSb8SQ7s97wWN/FtEYwAAGMIABDGAAAxjAQBkZIKUMZ7PhbFm3pJTuzLs7SSm9l/UdKVW6Ua0nJAEJSGA0E+guWfK495ySPK2zIZnstJLfiCHZnfcCx/4smjGAAQxgAAMYwAAGMICBKjBAShnOZsPZsm5JKV2ad5eSUnov6ztSajRnv45KAhKQQKkSeOfMqqfMhWR9bCa/HkNyXQzpo3kvbuzPghkDGMAABjCAAQxgAAMYqAoDpJThbDacLeuWlNKnefcpKaX3sr4jpV5APKAAACAASURBVEo1tvVkJCABCYxWAjtmVh0XW8mPx5D8dqeVfiGG9JG8FzX2Z6GMAQxgAAMYwAAGMIABDFSNAVLKcDYbzpZ1S0rp1bx7lZTSe1nfkVKjNf91NBKQgARKkcDs+vXHtqeTiZ6Miq306hjSh/NezNifBTIGMIABDGAAAxjAAAYwUFUGSCnD2Ww4W9YtKaVf8+5XUkrvZX1HSpVifOtJSEACEhiNBHoy6vKQjMXm2O/GkNwYQ/rNvBcx9mdhjAEMYAADGMAABjCAAQxUnQFSynA2G86WdUtK6dm8e5aU0ntZ35FSozEHdhQSkIAEhpZAd8mSx73nlORp20O6rtNKfiOGZE/eCxf7sxjGAAYwgAEMYAADGMAABkaJAVLKcDYbzpZ1S0rp3Lw7l5TSe1nfkVJDG+N6YAlIQALVT+CdM6ue0mklPxWbya+3Q3J9DOmjeS9a7M9CGAMYwAAGMIABDGAAAxgYNQZIKcPZbDhb1i0ppXfz7l1SSu9lfUdKVX8m7AgkIAEJDC2BudbYT3da6RdiSB/Je7FifxbAGMAABjCAAQxgAAMYwMCoMvChV5+4/97ZRjcb0Nka1paNAVJK/+bdv6SUnst6jpQa2ijXA0tAAhKofgLt1tgv5b1IsT8LXwxgAAMYwAAGMIABDGBg1Bl4TEpNklJvN6TNhrRl25JSejjvHial9F3Wc6RU9WfCjkACEpDA0BIgpSxS816k2h+mMIABDGAAAxjAAAbqwAApZTibDWfLuiWldHHeXUxK6b2s70ipoY1yPbAEJCCB6idASlmk5r1ItT9MYQADGMAABjCAAQzUgQFSynA2G86WdUtK6eK8u5iU0ntZ35FS1Z8JOwIJSEACQ0uAlLJIzXuRan+YwgAGMIABDGAAAxioAwOklOFsNpwt65aU0sV5dzEppfeyviOlhjbK9cASkIAEqp8AKWWRmvci1f4whQEMYAADGMAABjBQBwZIKcPZbDhb1i0ppYvz7mJSSu9lfUdKVX8m7AgkIAEJDC0BUsoiNe9Fqv1hCgMYwAAGMIABDGCgDgyQUoaz2XC2rFtSShfn3cWklN7L+o6UGtoo1wNLQAISqH4CpJRFat6LVPvDFAYwgAEMYAADGMBAHRggpQxns+FsWbeklC7Ou4tJKb2X9R0pVf2ZsCOQgAQkMLQESCmL1LwXqfaHKQxgAAMYwAAGMICBOjBAShnOZsPZsm5JKV2cdxeTUnov6ztSamijXA8sAQlIoPoJkFIWqXkvUu0PUxjAAAYwgAEMYAADdWCAlDKczYazZd2SUro47y4mpfRe1nekVPVnwo5AAhKQwNASIKUsUvNepNofpjCAAQxgAAMYwAAG6sAAKWU4mw1ny7olpXRx3l1MSum9rO9IqaGNcj2wBCQggeonQEpZpOa9SLU/TGEAAxjAAAYwgAEM1IEBUspwNhvOlnVLSunivLuYlNJ7Wd+RUtWfCTsCCUhAAkNLgJSySM17kWp/mMIABjCAAQxgAAMYqAMDpJThbDacLeuWlNLFeXcxKaX3sr4jpYY2yvXAEpCABKqfACllkZr3ItX+MIUBDGAAAxjAAAYwUAcGSCnD2Ww4W9YtKaWL8+5iUkrvZX1HSlV/JuwIJCABCQwtAVLKIjXvRar9YQoDGMAABjCAAQxgoA4MkFKGs9lwtqxbUkoX593FpJTey/qOlBraKNcDS0ACEqh+AqSURWrei1T7wxQGMIABDGAAAxjAQB0YIKUMZ7PhbFm3pJQuzruLSSm9l/UdKVX9mbAjkIAEJDC0BEgpi9S8F6n2hykMYAADGMAABjCAgTowQEoZzmbD2bJuSSldnHcXk1J6L+s7Umpoo1wPLAEJSKD6CZBSFql5L1LtD1MYwAAGMIABDGAAA3VggJQynM2Gs2XdklK6OO8uJqX0XtZ3pFT1Z8KOQAISkMDQEiClLFLzXqTaH6YwgAEMYAADGMAABurAACllOJsNZ8u6JaV0cd5dTErpvazvSKmhjXI9sAQkIIHqJ0BKWaTmvUi1P0xhAAMYwAAGMIABDNSBAVLKcDYbzpZ1S0rp4ry7mJTSe1nfkVLVnwk7AglIQAJDS4CUskjNe5Fqf5jCAAYwgAEMYAADGKgDA6SU4Ww2nC3rlpTSxXl3MSml97K+I6WGNsr1wBKQgASqnwApZZGa9yLV/jCFAQxgAAMYwAAGMFAHBkgpw9lsOFvWLSmli/PuYlJK72V9R0pVfybsCCQgAQkMLQFSyiI170Wq/WEKAxjAAAYwgAEMYKAODJBShrPZcLasW1JKF+fdxaSU3sv6jpQa2ijXA0tAAhKofgKklEVq3otU+8MUBjCAAQxgAAMYwEAdGCClDGez4WxZt6SULs67i0kpvZf1HSlV/ZmwI5CABCQwtARIKYvUvBep9ocpDGAAAxjAAAYwgIE6MEBKGc5mw9mybkkpXZx3F5NSei/rO1JqaKNcDywBCUig+gmQUhapeS9S7Q9TGMAABjCAAQxgAAN1YICUMpzNhrNl3ZJSujjvLial9F7Wd6RU9WfCjkACEpDA0BIgpSxS816k2h+mMIABDGAAAxjAAAbqwAApZTibDWfLuiWldHHeXUxK6b2s70ipoY1yPbAEJCCB6idASlmk5r1ItT9MYQADGMAABjCAAQzUgQFSynA2G86WdUtK6eK8u5iU0ntZ35FS1Z8JOwIJSEACQ0uAlLJIzXuRan+YwgAGMIABDGAAAxioAwOklOFsNpwt65aU0sV5dzEppfeyviOlhjbK9cASkIAEqp8AKWWRmvci1f4whQEMYAADGMAABjBQBwZIKcPZbDhb1i0ppYvz7mJSSu9lfUdKVX8m7AgkIAEJDC0BUsoiNe9Fqv1hCgMYwAAGMIABDGCgDgyQUoaz2XC2rFtSShfn3cWklN7L+o6UGtoo1wNLQAISqH4CpJRFat6LVPvDFAYwgAEMYAADGMBAHRggpQxns+FsWbeklC7Ou4tJKb2X9R0pVf2ZsCOQgAQkMLQESCmL1LwXqfaHKQxgAAMYwAAGMICBOjBAShnOZsPZsm5JKV2cdxeTUnov6ztSamijXA8sAQlIoPoJkFIWqXkvUu0PUxjAAAYwgAEMYAADdWCAlDKczYazZd2SUro47y4mpfRe1nekVPVnwo5AAhKQwNASIKUsUvNepNofpjCAAQxgAAMYwAAG6sAAKWU4mw1ny7olpXRx3l1MSum9rO9IqaGNcj2wBCQggeonQEpZpOa9SLU/TGEAAxjAAAYwgAEM1IEBUspwNhvOlnVLSunivLuYlNJ7Wd+RUtWfCTsCCUhAAkNLgJSySM17kWp/mMIABjCAAQxgAAMYqAMDpJThbDacLeuWlNLFeXcxKaX3sr4jpYY2yvXAEpCABKqfACllkZr3ItX+MIUBDGAAAxjAAAYwUAcGSCnD2Ww4W9YtKaWL8+5iUkrvZX1HSlV/JuwIJCABCQwtAVLKIjXvRar9YQoDGMAABjCAAQxgoA4MkFKGs9lwtqxbUkoX593FpJTey/qOlBraKNcDS0ACEqh+AqSURWrei1T7wxQGMIABDGAAAxjAQB0YIKUMZ7PhbFm3pJQuzruLSSm9l/UdKVX9mbAjkIAEJDC0BEgpi9S8F6n2hykMYAADGMAABjCAgTowQEoZzmbD2bJuSSldnHcXk1J6L+s7Umpoo1wPLAEJSKD6CZBSFql5L1LtD1MYwAAGMIABDGAAA3VggJQynM2Gs2XdklK6OO8uJqX0XtZ3pFT1Z8KOQAISkMDQEiClLFLzXqTaH6YwgAEMYAADGMAABurAACllOJsNZ8u6JaV0cd5dTErpvazvSKmhjXI9sAQkIIHqJ0BKWaTmvUi1P0xhAAMYwAAGMIABDNSBAVLKcDYbzpZ1S0rp4ry7mJTSe1nfkVLVnwk7AglIQAJDS4CUskjNe5Fqf5jCAAYwgAEMYAADGKgDA6SU4Ww2nC3rlpTSxXl3MSml97K+I6WGNsr1wBKQgASqnwApZZGa9yLV/jCFAQxgAAMYwAAGMFAHBkgpw9lsOFvWLSmli/PuYlJK72V9R0pVfybsCCQgAQkMLQFSyiI170Wq/WEKAxjAAAYwgAEMYKAODJBShrPZcLasW1JKF+fdxaSU3sv6jpQa2ijXA0tAAhKofgKklEVq3otU+8MUBjCAAQxgAAMYwEAdGCClDGez4WxZt6SULs67i0kpvZf1HSlV/ZmwI5CABCQwtARIKYvUvBep9ocpDGAAAxjAAAYwgIE6MEBKGc5mw9mybkkpXZx3F5NSei/rO1JqaKNcDywBCUig+gmQUhapeS9S7Q9TGMAABjCAAQxgAAN1YICUMpzNhrNl3ZJSujjvLial9F7Wd6RU9WfCjkACEpDA0BIgpSxS816k2h+mMIABDGAAAxjAAAbqwAApZTibDWfLuiWldHHeXUxK6b2s70ipoY1yPbAEJCCB6idASlmk5r1ItT9MYQADGMAABjCAAQzUgQFSynA2G86WdUtK6eK8u5iU0ntZ35FS1Z8JOwIJSEACQ0uAlLJIzXuRan+YwgAGMIABDGAAAxioAwOklOFsNpwt65aU0sV5dzEppfeyviOlhjbK9cASkIAEqp8AKWWRmvci1f4whQEMYAADGMAABjBQBwZIKcPZbDhb1i0ppYvz7mJSSu9lfUdKVX8m7AgkIAEJDC0BUsoiNe9Fqv1hCgMYwAAGMIABDGCgDgyQUoaz2XC2rFtSShfn3cWklN7L+o6UGtoo1wNLQAISqH4CpJRFat6LVPvDFAYwgAEMYAADGMBAHRggpQxns+FsWbeklC7Ou4tJKb2X9R0pVf2ZsCOQgAQkMLQESCmL1LwXqfaHKQxgAAMYwAAGMICBOjBAShnOZsPZsm5JKV2cdxeTUnov6ztSamijXA8sAQlIoPoJkFIWqXkvUu0PUxjAAAYwgAEMYAADdWCAlDKczYazZd2SUro47y4mpfRe1nekVPVnwo5AAhKQwNASIKUsUvNepNofpjCAAQxgAAMYwAAG6sAAKWU4mw1ny7olpXRx3l1MSum9rO9IqaGNcj2wBCQggeonQEpZpOa9SLU/TGEAAxjAAAYwgAEM1IEBUspwNhvOlnVLSunivLuYlNJ7Wd+RUtWfCTsCCUhAAkNLgJSySM17kWp/mMIABjCAAQxgAAMYqAMDpJThbDacLeuWlNLFeXcxKaX3sr4jpYY2yvXAEpCABKqfACllkZr3ItX+MIUBDGAAAxjAAAYwUAcGSCnD2Ww4W9YtKaWL8+5iUkrvZX1HSlV/JuwIJCABCQwtAVLKIjXvRar9YQoDGMAABjCAAQxgoA4MkFKGs9lwtqxbUkoX593FpJTey/qOlBraKNcDS0ACEqh+AqSURWrei1T7wxQGMIABDGAAAxjAQB0YIKUMZ7PhbFm3pJQuzruLSSm9l/UdKVX9mbAjkIAEJDC0BEgpi9S8F6n2hykMYAADGMAABjCAgTowQEoZzmbD2bJuSSldnHcXk1J6L+s7Umpoo1wPLAEJSKD6CZBSFql5L1LtD1MYwAAGMIABDGAAA3VggJQynM2Gs2XdklK6OO8uJqX0XtZ3pFT1Z8KOQAISkMDQEiClLFLzXqTaH6YwgAEMYAADGMAABurAACllOJsNZ8u6JaV0cd5dTErpvazvSKmhjXI9sAQkIIHqJ0BKWaTmvUi1P0xhAAMYwAAGMIABDNSBAVLKcDYbzpZ1S0rp4ry7mJTSe1nfkVLVnwk7AglIQAJDS4CUskjNe5Fqf5jCAAYwgAEMYAADGKgDA6SU4Ww2nC3rlpTSxXl3MSml97K+I6WGNsr1wBKQgASqnwApZZGa9yLV/jCFAQxgAAMYwAAGMFAHBkgpw9lsOFvWLSmli/PuYlJK72V9R0pVfybsCCQgAQkMLQFSyiI170Wq/WEKAxjAAAYwgAEMYKAODJBShrPZcLasW1JKF+fdxaSU3sv6jpQa2ijXA0tAAhKofgKklEVq3otU+8MUBjCAAQxgAAMYwEAdGCClDGez4WxZt6SULs67i0kpvZf1HSlV/ZmwI5CABCQwtARIKYvUvBep9ocpDGAAAxjAAAYwgIE6MEBKGc5mw9mybkkpXZx3F5NSei/rO1JqaKNcDywBCUig+gmQUhapeS9S7Q9TGMAABjCAAQxgAAN1YICUMpzNhrNl3ZJSujjvLial9F7Wd6RU9WfCjkACEpDA0BIgpSxS816k2h+mMIABDGAAAxjAAAbqwAApZTibDWfLuiWldHHeXUxK6b2s70ipoY1yPbAEJCCB6idASlmk5r1ItT9MYQADGMAABjCAAQzUgQFSynA2G86WdUtK6eK8u5iU0ntZ35FS1Z8JOwIJSEACQ0uAlLJIzXuRan+YwgAGMIABDGAAAxioAwOklOFsNpwt65aU0sV5dzEppfeyviOlhjbK9cASkIAEqp8AKWWRmvci1f4whQEMYAADGMAABjBQBwZIKcPZbDhb1i0ppYvz7mJSSu9lfUdKVX8m7AgkIAEJDC0BUsoiNe9Fqv1hCgMYwAAGMIABDGCgDgyQUoaz2XC2rFtSShfn3cWklN7L+o6UGtoo1wNLQAISqH4CpJRFat6LVPvDFAYwgAEMYAADGMBAHRggpQxns+FsWbeklC7Ou4tJKb2X9R0pVf2ZsCOQgAQkMLQESCmL1LwXqfaHKQxgAAMYwAAGMICBOjBAShnOZsPZsm5JKV2cdxeTUnov6ztSamijXA8sAQlIoPoJkFIWqXkvUu0PUxjAAAYwgAEMYAADdWCAlDKczYazZd2SUro47y4mpfRe1nekVPVnwo5AAhKQwNASIKUsUvNepNofpjCAAQxgAAMYwAAG6sAAKWU4mw1ny7olpXRx3l1MSum9rO9IqaGNcj2wBCQggeonQEpZpOa9SLU/TGEAAxjAAAYwgAEM1IEBUspwNhvOlnVLSunivLuYlNJ7Wd+RUtWfCTsCCUhAAkNLgJSySM17kWp/mMIABjCAAQxgAAMYqAMDpJThbDacLeuWlNLFeXcxKaX3sr4jpYY2yvXAEpCABKqfACllkZr3ItX+MIUBDGAAAxjAAAYwUAcGSCnD2Ww4W9YtKaWL8+5iUkrvZX1HSlV/JuwIJCCB753AttMbT9gxs+Tx3/tf+hdHlQApZZGa9yLV/jCFAQxgAAMYwAAGMFAHBkgpw9lsOFvWLSmli/PuYlJK72V9R0od1fjVP5aABCqQQE9AzW1Ilrank4l2GAvtZvr6HS8ev/j6c9ed8+Wz1v3clac3nl6Bw6jGUySlLFLzXqTaH6YwgAEMYAADGMAABurAACllOJsNZ8u6JaV0cd5dTErpvazvSKlqzH09SwlI4PAJzM4uOebdrbFnx1by452QvHyulZwXm+l7Ykj+ptNM/7kT0ptiSB9430tXdG+7YOLhe2cb1++andxx3blrzr/yV1c9//B79bcLToCUskjNe5Fqf5jCAAYwgAEMYAADGKgDA6SU4Ww2nC3rlpTSxXl3MSml97K+I6UWPHr1DyUggRIksD0se0Y8bflUbCW/2A7JO2Nz/G9jK706hvSrMaR39ATU4a6ZPSl1x0WT3V737ds6tf+BzY0H7t/c+Pz156657PNnrJ0owaFV8ymQUhaphzvh/B0uMIABDGAAAxjAAAYwcGQGSCnD2Ww4W9YtKXXkc1jHHX0+pJTey/qOlKrmHNizlsAoJjC7fv2xO2aWHt8TT9tnlv1QZ0O6/PKw/L/E1vhZ7TD+h+2QXBlDui820wdjSB+KIf1WDOn+hawD5kuprP96231bp761e3Nj383nT3zua29b88obNzWee+XpjSeNYr6FHBMpdfSLsIUA69/IFQMYwAAGMIABDGAAA6PNACllODt/OFHGr0mp0e6gYVxjSCm9l3UdKVXImNZOJSCBBSTwnlOSp20PK5dtby5f3Z5Of7Idkle0Q3phDGN/HJvptd/tt576uW5+NymVdWG2ve2CiRtv3jTxazdfMPGT15x18o/smJl5/AIOpb7/hJSySO3nhPQ9uMEABjCAAQxgAAMYqDsDpJThbDaIKOuWlNLTefc0KaX3sr4jpeo7S3bkEljMBN79M8958vbTlqedVvJT7db4S2JIz2i3xv9nO4z/RQzpp2NI7877Wjd/fwuVUr1u3Lt1av89l0zec8/s5I5bNk2c4e39jkAKKWWROv9E8zUeMIABDGAAAxjAAAYwsDAGSCnD2Ww4W9YtKbWwc1nnLTwnUkrvZX1HSh1h2Op/SUACfSfQaSar5prjPzcXxk7vyacY0j+OIflIDOk1MaR3xpA+vJjX7aORUlk/9rb3Xdr4xq7ZyU/edtHEb1171toX7Xzjqqf0HcoofiMptfDF12IC77G8LhjAAAYwgAEMYAADGCg3A6SU4ez84UMZvyalyt0hVex4UkrvZV1HSo3ilNgxSWBxE7jiRcufH8PYKbGVntMJ6eXtkH48hvSLnZDedPA3oBZVQB3uutyvlMq6cs+WxsO7tzRuvv2CyY/ufMuasxc34RI/GillkXq4E87f4QIDGMAABjCAAQxgAANHZoCUMpzNBg5l3ZJSRz6HddzR50NK6b2s70ipEg97PTUJDDmB7pIlj9t2euMJ7/6ZNU/+/Rc+//vnpk94Tnt6LOl99lNsJW9vh7H3x+b47Qc/++kbMaQPxZB+q4zX5UGlVNaZ+94+tX/f1qmH7r548utfPXftH1x/3urGzo0nPbO2nz1FSh39IqyMJ4jn5HXEAAYwgAEMYAADGMDA4jJAShnOZoOGsm5JqcXthDp0MCml97K+I6WGPPX38BIoUQI7ZlYdt31m2Q/1xFNnQzIZw3jvt59+JTbHfjeG5IMxpDdX9RqZl5TKujPb9t7e75bzJz52+wXrZr509slrrj57zZNL9JIW/1RIKYvUqpaC541dDGAAAxjAAAYwgIFhMkBKGc5mg4WybkkpHZl3R5JSei/rO1Kq+JmtR5BAGRPo/QbUtg0veG57OpmYay7/uU5z/LXtkF4YW8kVnZB+KDbTa/O+9gxzf0VJqaxLd29uPHrHRZOfv+uSiS3Xv3VduOqMiWeV8XXP/TmRUhapwzyxPTb+MIABDGAAAxjAAAaqygApZTibDRTKuiWl9Gve/UpK6b2s70ip3Ee0diiBUibQmUmedVlz7D+2W8lMbCabYivttMP4X8SQfjKG9KsxpPvyvtaUaX9FS6msU/dsmfrWrtnJm++Zndzx1XPXnX/1m9ecUEog8npSpJRFaplOdM8FjxjAAAYwgAEMYAADVWGAlDKczQYJZd2SUvo07z4lpfRe1nekVF6TWfuRQHkSeM8pydN6b7/X8wXtVvI/YzP9qxiSz8aQfiW20ltjSPfkfV0p+/4WS0pl3bp369T+3Zsbe3ZvaXzua+eu2/b5M9b+X+UhJMdnQkpZpJb95Pf8MIoBDGAAAxjAAAYwUEYGSCnD2WyAUNYtKaU78+5OUkrvZX1HSuU4nLUrCSxCArOzS455xynJE+P0iqe2Z0565rtbY8/utJKfiq3xszqtsXd1QnplJ4zfG0P6QAzpN2JIH44h3Z/3daRq+1tsKZV1bG+7b+vUI7s3N+6/ZdPEZ64/Z92rrj97zbM/ufHHj18EXIp/CFLKIrVqZeD5YhYDGMAABjCAAQxgoAwMkFKGs/MHB2X8mpTSlXl3JSml97KuI6WKn9l6BAkMksD2sOwZ7Q0nvKDTTFa1N6z4iRjS0w589lNI/iSG5F9H/W338rr+DVNKZX2bbW+7cOLWm86b+I2vX7DuP1597pqlO2ZmHj8II0P9XlLKIjWvk9R+sIQBDGAAAxjAAAYwUCcGSCnD2WxIUNYtKaWT8+5kUkrvZX1HSg11nOvBJfAdCWybWf70OL1iRXs6/ckYkl+IrfRXOiH9ndhK/zKG9DMxpPfnfT2oy/7KJKV6/dt7e797LpnYdddFjT/9+qbJN12z8eSp74ChKn8gpSxS61IijhPrGMAABjCAAQxgAAN5MkBKGc5mw9mybkkpnZdn5/X2RUrpvazvSKmqTH49z1FLYHb9+mO3N5evjmHslNgae10MyW/FZvqeGNIPx5BeE0N6Vwzpt/Lu/7rur2xSKuvg3vb+SxsP3jM7+anbL1r3mzvPWjP9qTOSp1WGd1LKIrWupeK4sY8BDGAAAxjAAAYwMAgDpJTh7PzBQBm/JqV03CAdd7jvJaX0XtZ1pFRlRr+eaIUT2DGz5PGdDenyTit9UTuk53ZCenkM6d8flE83HBRQjxyur/1dPmuAMkuprI/3bGk8vHtz46Y7Lpr40Bc3rjtn5+yq40qPPSmVD6BOdDliAAMYwAAGMIABDGCgXgyQUoaz2TCgrFtSql6dtBjXIFJK72V9R0qVfuTrCZY8ge6SJY/r/dbTjpmlx8fpFU9tz5z0zPb0WNIJyctjGNvcDsn7YkjviCHdFUP6QGymD8aQElBhca/tVZBSWS/v2zq1f+/Wqd5vT918/Tlr/+Ar56xbd90ZP/a0Un72FCm1uCAvxiLRY3hNMYABDGAAAxjAAAYwUDwDpJThbDYEKOuWlCq+B+rWtaSU3sv6jpQqufHw9EqXwPZXLfu+zkzyrLlTV5xwWUjXtcPy/9L77KcY0ne0H3vrvd7b7nX9V64MqiSlsn7Otr2397t508Q/3L5p8heu3bh69dVnr3lyaU4MUqpcoCserwcGMIABDGAAAxjAAAaqwQApZTib3fSXdUtKVaNLqtT5pJTey/qOlCrNaNcTKWEC7zgleeK7W2PP3h7SdXPN5T8XW8kvdlrpBbGZXBZD+n9iSL4aQ/pQlfq/rs+1ylIq6+sHNjceveOiyZ13Xjw5e925a6avOfPk5wz9tCGlLFLrWiqOG/sYwAAGMIABDGAAA4MwQEoZzmY3+2XdklI6bpCOO9z3klJ6L+s7UmroI11PoEQJbNtw4nPjacunOs2xG2waSQAAIABJREFUF7ebydtiSN4Zw/ifxGbyiRjS3mc/7T5cp/q78l+nR0FKZb29d+vUt3Zd0rjl7ksm/+SGt6079/NnrR0f2mlESpUffgXlNcIABjCAAQxgAAMYwED5GCClDGezm/yybkmp8vVG1buclNJ7Wd+RUkMb5XrgISfwRy98/vdvby5fHVtjr2uHsd+MrfRPO830nzut9Auxld4aQ7onhvTRqve95//YGmKUpFTW33u3Tu3fvbnxwJ7NjSu/es7Eu/7lzet+YtFPK1LKIlXJYAADGMAABjCAAQxgAANHzwApZTib3dyXdUtKHf15rQuPnBkppfeyviOlFn2E6wEXIYHZ2SXHbDu98YRtpz7vSXF6xVO3h2XP2B6S9XMheUNsjv1BDMknD4qnew7Kp28SUEe+blT9ujqKUirr8d5279aph3dvbtxz66aJT37lnNWv+vJbGz943RnJEws/3Uip0T5xqn7ie/74xAAGMIABDGAAAxgoKwOklOHs/Jv6Mn5NSunPvPuTlNJ7WdeRUoWPbD1AwQl0lyx5XE86xekVz4vTK1bE6eVT21vphk5Iz42t5E/bIf2XGNK9efeo/VXr2jzqUirr9Gx7+4UTd9547rr/ftsFE1Nf3rj2hz82u/7YQk5FUqpaJ4Li8nphAAMYwAAGMIABDGCgHAyQUoaz2Q18WbekVDm6YpQ6m5TSe1nfkVKFjGnttKAEMgF1eUjG5prj/zlOJ9OxNf66GNLf7oRkRyckV8aQ7Ioh3T9Kne1YBl8H1E1K9Tp+39ap/ffMTt5750UT77v1golf2Xnmmh/L/dQkpQaH0wkuQwxgAAMYwAAGMIABDNSPAVLKcDYbzpZ1S0rVr5eKvhaRUnov6ztSKvcRrR3mmMCOmaXHX3ZactJcK/1/2s3ktbGVvL0T0stjSP4mhvSaGNLbvO2ea+RCrpl1lFJZz/e291/aePDuiyc/e9dFk2//0sbVzSvf1nh6LqcqKeUEXMgJ6N/gBAMYwAAGMIABDGAAA9/JACllODv/pr2MX5NS33nO6rDB8yCl9F7WdaRULmNZO8khgR0zq46bO/UFJ8Qwdko7pOfONdPeZz99JIb0qhjS62JI74ohfdg1YPBrQB0zrLuUyjr/gS2N3mdP3XjnxZN/86WN687Z+cZVTxno9CWlnJB1LBTHjHsMYAADGMAABjCAgUEZIKUMZ7Mb9bJuSSk9N2jPHfr9pJTey/qOlBpoHOubF5hA7233dswseXxPPPV+++mdM6uesv205elcK93QDumF7ZD8eQzJV2JI7+iE8XtjSPcRUK59h167BvkzKfWd1719W6ce3bt1at+u2ckbv3bOuiuu3bh69W2zjSd1Z5ccs8DT+rF/Rko5UQc5MX0vfjCAAQxgAAMYwAAG6soAKfWdN6nZoNK2PLmQUvo5734mpcpzfg+7a0mpoxq/+scLTKAnnq5orfyB7WHlsu3N5avj9Nj/HUP6qk4Y+512GPv4XCu9Ne9esz/XyiMxQEod+bq3e3Pj4Vs2rfuX2zatfflX37Z69dVnr3nygk53UsqJd6QTz//DBwYwgAEMYAADGMAABg7PACl15JvUYQ9MPf5Ul5Q6/Lmr0/rPhZTSe1m3klILGrv6R0dIYPurln3fu1tjz54LY43Lmsl/a7fGXxKb45s6rbF3Pfb2e8mNfuup/752rcsnO1JqYde9PVsb3Tsvmrjl7osmLr7h3HXh6jPWLD3C6b9kCSmVD6BOdDliAAMYwAAGMIABDGCgXgyQUgu7Sc0GmLaLnxcpVa9OWoxrECm1+OdxWbuTlDriuNX/PEwCcxuSpXMbkv/QaY69OLbSc2JI39EJ6R91muk/x5DeEEO6dzF6zGO4Nh4NA6TU0V339m6d2n/P7ORdu2Yn33/reevO/+Kvrjn5MHVASh0NhP6t0sIABjCAAQxgAAMYwAAGMgZIqaO7SS3rYHWUnxcppa+yvsprS0rpvawzSanDjln95cEErmj98A/E05ZPdcLY6e1W+hudML4jNpNPxJBeE0N6SwzpnhjSR/PqJvtxvSuKAVKqv+vevrdPdXdvbuzbs6XxuZvOW7d958aTfvY7CtJvSjlpizpp7RdbGMAABjCAAQxgAAOjzAAp1d9NajbQtC0+P1JKB+fdwaRU8edtVbqRlPqO8Wqt/tBdsuRxO2aWPH7HzKrjDrwF38+seXJnQ/pf2xvS17dD8vsxJP8Uw3jvrffuiCHdHZvpgwSU61He16PF2h8pNfh1b+/WqUce2NK45/YLJz7z5beuee0tG096prfvC0phsU5ij4M1DGAAAxjAAAYwgIFRYoCUGvwmtSrD16o+T1JK5+bduaSU3sv6kJSqh4fqyadtM8ufvm3Dic9tT48l20O6bnsr3RBbyXmdMPb+diu9Oob0oby7xv5cv8rCwPtesqJ7x4WT+7Pusx38OnjXxZN7SSlSqluWk9zzcMHBAAYwgAEMYAADGKgSA6TU4DelbuyLzZCU0ql5dyopVew5W6VOJKVGT0r1fgMqTq94ak8+dZrpj7U3pC/shPT0GJLf6oRkRwzJVTEku/PuFftzrSozA6RUMdc9UoqUIqUwgAEMYAADGMAABjCAgT4YIKWKuUmt0lC27M+VlDLoy3vQR0rpvaz3SKnRklKz69cf224lM51W+q4Ykr+JIb0qNsdvz7tD7M91qWoMkFLFXPdIqT5uPqt28ni+Ch8DGMAABjCAAQxgAAP5M0BKFXOTmg08bQfPl5TK/7yve5eSUoOfl6PSbaTUaEmpd5ySPDGGpF33jnP8rpuHMkBKFXPdI6VIKT8ViwEMYAADGMAABjCAAQz0wQApVcxN6qgMbMtwHKSU4dqhw7VB/0xK6b2s20gpUmrQPvH9rlFVYICUKua6R0r1cfNZhRPGc1TsGMAABjCAAQxgAAMYKJYBUqqYm9Rs4Gk7eL6kVLEdUMeOJaUGPy9HpdtIKVKqjh3omOt3XSWlirnukVKklJ+KxQAGMIABDGAAAxjAAAb6YICUKuYmdVQGtmU4DlKqfsOzogempJTey7qNlCKliu4b+3cNKwMDpFQx1z1Sqo+bzzKcEJ6DYsYABjCAAQxgAAMYwMBwGSClirlJzQaetoPnS0oNtyNGsaNJqcHPy1HpNlKKlBrFjnNMrpuHMkBKFXPdI6VIKT8ViwEMYAADGMAABjCAAQz0wQApVcxN6qgMbMtwHKSU4dqhw7VB/0xK6b2s20gpUmrQPvH9rlFVYICUKua6R0r1cfNZhRPGc1TsGMAABjCAAQxgAAMYKJYBUqqYm9Rs4Gk7eL6kVLEdUMeOJaUGPy9HpdtIKVKqjh3omOt3XSWlirnukVKklJ+KxQAGMIABDGAAAxjAAAb6YICUKuYmdVQGtmU4DlKqfsOzogempJTey7qNlCKliu4b+3cNKwMDpFQx1z1Sqo+bzzKcEJ6DYsYABjCAAQxgAAMYwMBwGSClirlJzQaetoPnS0oNtyNGsaNJqcHPy1HpNlKKlBrFjnNMrpuHMkBKFXPdI6VIKT8ViwEMYAADGMAABjCAAQz0wQApVcxN6qgMbMtwHKSU4dqhw7VB/0xK6b2s20gpUmrQPvH9rlFVYICUKua6R0r1cfNZhRPGc1TsGMAABjCAAQxgAAMYKJYBUqqYm9Rs4Gk7eL6kVLEdUMeOJaUGPy9HpdtIKVKqjh3omOt3XSWlirnukVKklJ+KxQAGMIABDGAAAxjAAAb6YICUKuYmdVQGtmU4DlKqfsOzogempJTey7qNlCKliu4b+3cNKwMDpFQx1z1Sqo+bzzKcEJ6DYsYABjCAAQxgAAMYwMBwGSClirlJzQaetoPnS0oNtyNGsaNJqcHPy1HpNlKKlBrFjnNMrpuHMkBKFXPdI6VIKT8ViwEMYAADGMAABjCAAQz0wQApVcxN6qgMbMtwHKSU4dqhw7VB/0xK6b2s20gpUmrQPvH9rlFVYICUKua6R0r1cfNZhRPGc1TsGMAABjCAAQxgAAMYKJYBUqqYm9Rs4Gk7eL6kVLEdUMeOJaUGPy9HpdtIKVKqjh3omOt3XSWlirnukVKklJ+KxQAGMIABDGAAAxjAAAb6YICUKuYmdVQGtmU4DlKqfsOzogempJTey7qNlCKliu4b+3cNKwMDpFQx1z1Sqo+bzzKcEJ6DYsYABjCAAQxgAAMYwMBwGSClirlJzQaetoPnS0oNtyNGsaNJqcHPy1HpNlKKlBrFjnNMrpuHMkBKFXPdI6VIKT8ViwEMYAADGMAABjCAAQz0wQApVcxN6qgMbMtwHKSU4dqhw7VB/0xK6b2s20gpUmrQPvH9rlFVYICUKua6R0r1cfNZhRPGc1TsGMAABjCAAQxgAAMYKJYBUqqYm9Rs4Gk7eL6kVLEdUMeOJaUGPy9HpdtIKVKqjh3omOt3XSWlirnukVKklJ+KxQAGMIABDGAAAxjAAAb6YICUKuYmdVQGtmU4DlKqfsOzogempJTey7qNlCKliu4b+3cNKwMDpFQx1z1Sqo+bzzKcEJ6DYsYABjCAAQxgAAMYwMBwGSClirlJzQaetoPnS0oNtyNGsaNJqcHPy1HpNlKKlBrFjnNMrpuHMkBKFXPdI6VIKT8ViwEMYAADGMAABjCAAQz0wQApVcxN6qgMbMtwHKSU4dqhw7VB/0xK6b2s20gpUmrQPvH9rlFVYICUKua6R0r1cfNZhRPGc1TsGMAABjCAAQxgAAMYKJYBUqqYm9Rs4Gk7eL6kVLEdUMeOJaUGPy9HpdtIKVKqjh3omOt3XSWlirnukVKklJ+KxQAGMIABDGAAAxjAAAb6YICUKuYmdVQGtmU4DlKqfsOzogempJTey7qNlCKliu4b+3cNKwMDpFQx1z1Sqo+bzzKcEJ6DYsYABjCAAQxgAAMYwMBwGSClirlJzQaetoPnS0oNtyNGsaNJqcHPy1HpNlKKlBrFjnNMrpuHMkBKFXPdI6VIKT8ViwEMYAADGMAABjCAAQz0wQApVcxN6qgMbMtwHKSU4dqhw7VB/0xK6b2s20gpUmrQPvH9rlFVYICUKua6R0r1cfNZhRPGc1TsGMAABjCAAQxgAAMYKJYBUqqYm9Rs4Gk7eL6kVLEdUMeOJaUGPy9HpdtIKVKqjh3omOt3XSWlirnukVKklJ+KxQAGMIABDGAAAxjAAAb6YICUKuYmdVQGtmU4DlKqfsOzogempJTey7qNlCKliu4b+3cNKwMDpFQx1z1Sqo+bzzKcEJ6DYsYABjCAAQxgAAMYwMBwGSClirlJzQaetoPnS0oNtyNGsaNJqcHPy1HpNlKKlBrFjnNMrpuHMkBKFXPdI6VIKT8ViwEMYAADGMAABjCAAQz0wQApVcxN6qgMbMtwHKSU4dqhw7VB/0xK6b2s20gpUmrQPvH9rlFVYICUKua6R0r1cfNZhRPGc1TsGMAABjCAAQxgAAMYKJYBUqqYm9Rs4Gk7eL6kVLEdUMeOJaUGPy9HpdtIKVKqjh3omOt3XSWlirnukVKklJ+KxQAGMIABDGAAAxjAAAb6YICUKuYmdVQGtmU4DlKqfsOzogempJTey7qNlCKliu4b+3cNKwMDpFQx1z1Sqo+bzzKcEJ6DYsYABjCAAQxgAAMYwMBwGSClirlJzQaetoPnS0oNtyNGsaNJqcHPy1HpNlKqOlKqu2TJ495xSvLEd86sekp75qRnzk2f8Jztpy1P43Qy3W6Ond0OY++/vJXuvPLNqx+65i1ruh/65RO7733xiu4fnjbe3d7So6PY5Y5p4VyTUsVc90gpUspPxWIAAxjAAAYwgAEMYAADfTBAShVzkzoqA9syHAcptfChkwHdwrIipfRe1m2kVDml1OzskmPec0rytE5z7Ee2N5evjq3kx3vyaXtr/KxOSH6vHdIPt0N6/aGd15NP17xlzf7s9d01O9n9ytlrux977aruX7585QFJdfmGcevFPtaLh2btzwu73pQlJ1KqmOseKaVMXFAwgAEMYAADGMAABjCAgT4YIKWKuUnNBmK2g+dLSlVr8FWWAdyRngcpNfh5OSrdRkoNX0rNrl9/7LZTx3+w3Ro7udNa8dPtVjLTbqZnx5D8Vgzp+2JIPhtD+vUjndPZ/ztUSmWc7nv7VHfXJZPd685Z2/3sm1Z3P/TqVd33vXRF9/IN+jXLzna0WSClirnukVJ93Hwqm9EuG6+v1xcDGMAABjCAAQxgYCEMkFLF3KRmgzDbwfMlpXTZQrrsaP4NKTX4eTkq3UZKLa6U2jGz6ri5DcnS9nT6k52QvLwd0nM7IY09+dQO6cdjSL8Ym+O3H835PP/ffjcpdSiv91wy2b3xvHXdf33Lmu4/vO6k7p+9bIW3+DNbHukfbiOlirnukVKKY6SLY/4F1tduyDCAAQxgAAMYwAAG8mSAlCrmJvXQAZg/958zKaXz8uy83r5Iqf7Px1HrMlKqOCnV+w2o3tvvdZrJf+uE5A3tkLwzhuQjMaRXxZBed1A+7c7z/F6olMo43rt1qnvfpY3uHRdOdL927truP77+pO77X7qSoDJnHrk5MylVzHWPlFIWI1cWeV6U7ctNHAYwgAEMYAADGMDAd2OAlCrmJjUbeNkOni8ppb++W3/1+/ek1ODn5ah0GynVn5TaMbPk8dtftez73jmz6ilXtFb+QO+3n7ZvSP5Du5m+vtNK/0fvM59iK7k1hvT+GNK9sZk+GEP6SAzp/n7P24V839FKqUM53rNlqrt7c6N766aJ7pVvXt39wCtWdv/w58e7V2wY73bMXs1eK8wAKVXMdY+UqvBJsZCLin/jJgQDGMAABjCAAQxgAAPFMEBKFXOTeuigy5/7z5mUKubcr3OnklL9n4+j1mWk1PeWUj359AetsWdvDyuXzYWxxvbm+H/uhPSlMSSzMSTtdiv5wkHpNHRpMaiUOhzft1040b36zN7nUJ3Y/bOXrez+0cx4t9PSy3W+hlTx2EmpYq57pBQpNfQLXxULyXO2iMAABjCAAQxgAAMYIKWKuUk93GDL3/WXNSmlp/K+VpFS/Z2Lo9hhpNR3Sqltpz7vSZ0N6fI4vXwqhvS0GJLXdFrJxZ2QxE5IPxBD+tUY0j15n5N57a8IKZVxv3dro3vHRRPdL25c2/3E60/u/tUrT+y+9xd8FlVer539FHutJ6WKue6RUqQUKYUBDGAAAxjAAAYwgAEM9MEAKVXMTWo2xLIdPF9SqthBVR0HgaTU4OflqHRbnaXUtpnlT59rpSf2PvNprpW8qd1Mt3ZCenlsjv9tDOmnD37m0zeq1BFFSqn5zPc+i6r3OVTXn7P2wNv8feQ1q7p/PDNuHdrHOrRKfFX5uZJSxVz3SCknveLHAAYwgAEMYAADGMAABvpggJQq5iZ1/vDK14NlTEqRUnkPAkmpwc7JUeq0ukipbaeO/+D2Dct/tBOSl7fD2G/OhfE/iSH9ZGylV8eQfi2GdFdZ3oJvkPN9saTU/HOg9zlUu2Ynu7dsmuju3Lim2xNUvd+g8hlUrl2DsJz395JSxVz3SKk+bj7zhtv+lC0GMIABDGAAAxjAAAaqxwApVcxN6vyBla8Hy5iUql6vlP1aQEoNdk6OUqdVXUp1lyx53LbTG0/ove3ee05JntaeOemZ7emxpNMa++nYTDbFkG4/8FtPIb0nhvT+GNK9MaQPxZB+q+znaT/PbxhSav75sG/rVPeBLY3u/Zc2DvwW1cdPP6m74yUruu8+bbzbe279HJPvkVseDJBSxVz3SClSSrFjAAMYwAAGMIABDGAAA30wQEoVc5M6f0jl68EyJqUM5PIYyM3fByk12Dk5Sp1WJSk1O7vkmDi94qlXvGj8hy9rLR+/bMPyH203k1NjK/2VdiuZiyH9cCekN81nvW5fD1tKHe7c6Emqm85f1/3MG0/u/vUrT/w3SeU3qVzbFvP8JKWKue6RUn3cfC4m+B5L0WIAAxjAAAYwgAEMYKCcDJBSxdykHm4w5e/6y5qUKmd3VLnTSan+zsVR7LCySqnZ9euP7cwkz9reXLl6LiTr55pjL26HsTfH5vivx95b7zWTT8SQ3lHl87CI515GKTX/vNnTE1Tnretedcbq7kdfe1L3L1++svuen/dZVEWwYJ/fuXYgpYq57pFSpJSfisUABjCAAQxgAAMYwAAG+mCAlCrmJnX+EMrXg2VMSn3nYMmgbfA8SKnBzslR6rSySKm5DcnSnnxqN9OX9d52rxOS3zsgn1rpP8SQ7oyPvf3eSL7lXp6dVnYpNf/c2b250b1100T3S29d2/2nX3nst6j+8DSCKk8e7Ovb10tSqpjrHinVx82nE/PbJ6YsZIEBDGAAAxjAAAYwUFcGSKliblLnD558PVjGpJR+zrufSanBzslR6rRhSKneZz61W2M/G1vJm9qtsXfFkP7vg5/79JUY0q8f/NynR/Pmvg77q5KUmn8e9QTVXRdNdm9822O/RfU3v3Tigc+hqsNr5hgX5xpPShVz3SOlSCk/FYsBDGAAAxjAAAYwgAEM9MEAKVXMTer8YZOvB8uYlFqcgVWdBoOk1GDn5Ch1Wp5SasfMksfvmFl13LZTn/ek3mc/bQ/LnnH5hrGfiCF5TaeV/o8Yko+0Q3p9DOndMaT3H5RPD8eQ7q/T+VfksVZVSs0/p/Zuner2JNU9l0x2rz5zTfdDrz6x+8e/MN69YsN4t9NyPSiSn1HeNylVzHWPlOrj5nOUTzTH5iKFAQxgAAMYwAAGMICBhTFAShVzkzp/wOTrwTImpRZ2Luu8hedESg12To5Sp/UrpXbMLD1+26njPzh36ooT2q2xkzvN9Mc6IX1pO6QXtkPy3rmQfi6GdLfzcuHnZR5ZjYKUOtz5de9so3v9OWu7f/+6Vd0//8WV3f/1CysOSKo8MrOPxWV0WHmTUsVc90gpUspPxWIAAxjAAAYwgAEMYAADfTBAShVzk3q4oZK/6y9rUqoeA7PFHNSRUv2di6PYYQuRUu/+mec8udMc+5GeeIph/JR2a/yXYkgviiHdFkP6d+2QfimGdN9iMuyxDt+Loyql5p97985Odq87Z233M29c3f3gq1d13//SFd3LNxw+D5zIJWOAlCrmukdK9XHzmUFpq6AwgAEMYAADGMAABjBQXwZIqWJuUucPkHw9WMakVH37qahrEyk12Dk5Sp12qJTaNrP86Z1msqrdTE5tt5Jf7oR0S7uVzMWQ/HknpFfGkN4QQ/rNoti038H6rg5Sav75t+uSye6N563rfv7M1d2/f91J3T9/2UqCyoz8sD+kR0oVc90jpZxwhz3hXMwHu5jLT34YwAAGMIABDGBg9BkgpYq5SZ0/NPL1YBmTUqPfQ4t9rSGlBjsnR6nTvnbumi92mslr50Iy2wnjO2Ir/YcY0qsOyqc7Y0gfWmw+PV7/nVc3KZWdi/u2TnXvu7TRve3CiQNv8/fJN5zc/bOeoPIZVObFB50BKVXMdY+UIqWUDAYwgAEMYAADGMAABjDQBwOkVDE3qdmgyHbwfEmp/ge0htuHz46UGvy8HJVu+8Jb1jwSQ/pADOk3Ykgfdc4c/pypSi51lVKHno8PbGkckFS3bprofvZNJ3c/8IqV3XefNt7t5dPpY61Yldff8/zu5y8pVcx1j5RSKAYQGMAABjCAAQxgAAMYwEAfDJBSxdykHjog8uf+cyalvvuQyQCuv2xIqf7Px1Hrsmvesma/86i/86iMuT0mpVbvHzVO8zieOy+e7P7rmWu6H3zVid33vXRF949mHpNUZXwdPaf8z0lSqpjrHinVx82nEzz/E1ymMsUABjCAAQxgAAMYqBoDpFQxN6l5DJDs47HXhpTSq3n3Kiml97J+JaVGq19Iqe99bvfe6u/Oiya6Ozeu7X7i9Sd3//crTuy+98UrDvwWVd5da3/lOb9Iqe99bmTXhaPZklKklJ+KxQAGMIABDGAAAxjAAAb6YICUKuYm9WhuaP3bI78GpFR5hlqjMmAkpY58ztWpk0ip0eoXUuroz+3bL5zoXnfO2u5n37y6++FfXtX9kxevsJ7uYz1d9usjKXX058ZCroWk1AieLGU/mT2/0Vq4eD29nhjAAAYwgAEM1JUBUqqYm9SF3Mj6NwvLnpTSz3n3Mym1sHOvDh1FSo1Wv5BS/Z/be7ZMdXddMtm95fx13Z0b13Q/+prHBFWnNVqM5H09qcr+SKn+z40jXQtJKVKKxccABjCAAQxgAAMYwAAG+mCAlCrmJvVIN7D+39FlTkoZCOY99COlju4cHOXOIqVGq19IqXzO7d5b/O3e3Ojumm10rz+n9zZ/J3Xf++Lx7uUb0i5JVc1zhpTK59w49HpISvVx85n3os7+qllKXjevGwYwgAEMYAADGKg3A6RUMTeph960+nP/OZNS9e6oIq5RpFT/5+OodRkpNVr9QkoVd27v3TrVvfn8ie5n3tj7HKqVB97m792njXc7ZtKV+KE4UqqYc4OUUgCVKIAiFtP2OVoLKK+n1xMDGMAABjCAgcVmgJQq5iZ11Aa3wzweUkov5t2LpJTeyzqNlBqtfiGlFufc3rOl0b1100T3qjNWdz/ymlXdv/jFld0/miGo8r5W5bk/Uur/Z+d+XvDNzruO549J0qaJjc7k/zCtLloRsS6EVsFabUGrLZqUIm7UrVSNuCuKK6XgVqHFjRs3SkFEUEGa9Bct0oyMcnYahutc15zPXL4CX+7NzP18n895f677Puf9TGa6QUqRUqQUBjCAAQxgAAMYwAAGMFBggJSa2aSeA0/X+3xJqV2Hxp2HbNV7kVL3vdwy20ipXfOFlPr0u/3xM/pjQfXvf+oHP/o3P/6Vj/7Fn/rSR//kj3/RO3nhnbz6TPsk/x4pNdMNUioM9E9SBv/Mrge/9bSeGMAABjCAAQxg4LPJACk1s0ndcmCb8D1Iqc/mbEl+JpBS5t6ZbaTUrvnyf6TUD373rK/rp9v13/zGhx/5gAo7AAAgAElEQVT9t7/+wUe//jNf/d//FdU//5Pf/9HHa5L8PPj/5e9GSs10gZQipQw4DGAAAxjAAAYwgAEMYKDAACk1s0l1ENaXKynlQK/70JCU6uvnZ33WkVK75ov/Uiqn2x//X/z96o9/5bvf+mH/1VT3M6xyP1JqphukVGHzWQHYv7PrYW09rScGMIABDGAAAxjAACk1s0n9rB/UJv39SSlzqvtZRUqZe2fGkVK75gspldXtf/vnvvLdf0xKRfxojpSa6QYpRUpFFLz7Rdn9dr0cWU/riQEMYAADGMBAIgOk1Mwm9Rx4ut7nS0qZnd2zk5S67+WW2UZK7ZovpFRWt0mpnH6RUjPdIKVIKVIKAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXuncszwTkAACAASURBVNlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADKn7c/wAAIABJREFUGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVLpckSaAAAgAElEQVQqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDdIKVLKr2IxgAEMYAADGMAABjCAgQIDpNTMJnXLgW3C9yClcg61uuXQq/uRUubemW2k1K75QkpldZuUyukXKTXTDVKqsPl89fLnc3MGkrWwFhjAAAYwgAEMYAADpNTMJvUceLre50tKmVPdzypS6r6XW2YbKbVrvpBSWd0mpXL6RUrNdIOUIqX8KhYDGMAABjCAAQxgAAMYKDBASs1sUrcc2CZ8D1Iq51CrWw69uh8pZe6d2UZK7ZovpFRWt0mpnH6RUjPdIKUKm89XL38+N2cgWQtrgQEMYAADGMAABjBASs1sUs+Bp+t9vqSUOdX9rCKl7nu5ZbaRUrvmCymV1W1SKqdfpNRMN0gpUsqvYjGAAQxgAAMYwAAGMICBAgOk1MwmdcuBbcL3IKVyDrW65dCr+5FS5t6ZbaTUrvlCSmV1m5TK6RcpNdMNUqqw+Xz18udzcwaStbAWGMAABjCAAQxgAAOk1Mwm9Rx4ut7nS0qZU93PKlLqvpdbZhsptWu+kFJZ3SalcvpFSs10g5QipfwqFgMYwAAGMIABDGAAAxgoMEBKzWxStxzYJnwPUirnUKtbDr26Hyll7p3ZRkrtmi+kVFa3SamcfpFSM90gpQqbz1cvfz43ZyBZC2uBAQxgAAMYwAAGMEBKzWxSz4Gn632+pJQ51f2sIqXue7lltpFSu+YLKZXVbVIqp1+k1Ew3SClSyq9iMYABDGAAAxjAAAYwgIECA6TUzCZ1y4FtwvcgpXIOtbrl0Kv7kVLm3pltpNSu+UJKZXWblMrpFyk10w1SqrD5fPXy53NzBpK1sBYYwAAGMIABDGAAA6TUzCb1HHi63udLSplT3c8qUuq+l1tmGym1a76QUlndJqVy+kVKzXSDlCKl/CoWAxjAAAYwgAEMYAADGCgwQErNbFK3HNgmfA9SKudQq1sOvbofKWXundlGSu2aL6RUVrdJqZx+kVIz3SClCpvPVy9/PjdnIFkLa4EBDGAAAxjAAAYwQErNbFLPgafrfb6klDnV/awipe57uWW2kVK75gspldVtUiqnX6TUTDc+9/e//oUf/aWvf+E3/JEBBjCAAQxgAAMYwAAGMICBT87Ar/zYl37nv//cB3/wnb/54Xf9kUEiA//j5z/4g3/2o9/3W3r9yXstq++d1b/6Mz/w24ms+zt9ujP423/jw+/+u7/wh35fX753Xz5L+fzDH/rCtz9eU136dLv0/8r7137iK7/3rR/+wrc/Swxt/bv+8o9833f+y8/+kd//zW98+D/9qWfwW9/48Pd+5xe+9p3f/YWv/cbHfz73D/7o53/gl77++Z/0RwYYwAAGMIABDGAAAxjAAAY+OQP/8k9//8//x5/+w3/nP/2Vr/49f2SQyMCv/8xX/+4//RNf/Kt6/cl7LavvndWv/NiX/loi6/5On/4M/rU//+Vf1Jfv3ZfPUj7/6Ic+/xd/9Se+/Ld06dPv0v8t83/9Z7/8zW/9sS/+1GeJoa1/11/+kS/85f/w01/9xf/8sx/8bX/qGfzXn/vgm7/9jQ//0u9+82s/+fGfz/mfBCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAQkIAEJSEACEpCABCQgAQlIQAISkIAEJCABCUhAAhKQgAT+F3v3HSZXdef5/5md3Vnv/mZ3ZnZmdj27Ezy7NhkTJaEskUEE5ZxRQgEFJJQz6hyqbrVyji21QktqtaROdUtkbIOxDdhgTLTJUUCle2s+v+fc6ipVN4wtCYUO7z/OU43oUPW9r66+9/u555wzqICkP/PGkiX/QZmjrOzPlTnsJf9RP1v7nxoM82+Zn2M+zvweqY+lPzuDp8SnUgEqQAWoABWgAlSAClABKkAFqAAVoAJUgApQASpABagAFaACVIAKXOwK6Kmi/yJ75V82GI9Zfy975fcbjBOBf5W98oeZIxYsujJuF1+bOVzbd4+C1mjZgQdSIxG0FiVCgZUJO7A6NVzbOuyGrGdd2/ppeoSsQ24osDb1Od6j+dqgf1zqe5lHN2j1iAf9N2T+3Jjtv0on/D/KfH6yi3+gx4r/ocHrsAv+Tk/k/rcGr9fe/D0TpF3sY8HPpwJUgApQASpABagAFaACVIAKUAEqQAWoABWgAlSAClABKkAFqECTqYCOF/0PVa3+nw2GHbhMJwJXZw6nztfFCfpvyRxuKNDPDQYGZ45EyD83YVvLG4ygtc21/fsaDusnjh14OXO4tvWxa1v/5tqWmsA46djWqw2enwm9TNDV4LUEtiRsK6fB67Wt2a7tH5FZF9e2+jp11u2Z9XNCVmfZK6/NrLOCvku94CvzmNSW/K2ZAdZk0PBEqAAVoAJUgApQASpABagAFaACVIAKUAEqQAWoABWgAlSAClCBll0BlS35C51Y+U8ys4xSo7bkEtWVdHHqAjenRzBwhxeKmFlA9SNu+yck7MBixw48mjlc278hEbS2ZQ7XtmrcUOBE5nBC1iuubb3ZaESbQHjUFAKs03kOYdcO/D6zfo5t/doNWU9m1tkNWVWuHSjNPB4J29rs2IH8zOPm2P4lCds/KXV8k48mCCu5O+2gLnCz6nxddKL48rQXz03hP5kZbS37t4VXRwWoABWgAlSAClABKkAFqAAVoAJUgApQASpABagAFaACVKAVVUB28V97gUCw5Eqlh/8GNxjo49qBAekRtIabJemcoH/ZqeHLc22rzLUDB9LDm6VjhVzbeiw9QtaTCdt6MXNGj5nh49rW+65tfZQxPnVtyyVEahKzsE4nxPpTn2OO5WcZx9cca3PMf5tpwdhwbevptJeknZBr+yvSroyxkLXHCfqLTvnzL0uEAgvrQ69Mq71lWzed8lxv+/FVf9OKfrV5qVSAClABKkAFqAAVoAJUgApQASpABagAFaACVIAKUAEq0BorYPbu+ZNjyZL/oG8bZWV/rsxh531fdVZbBX3tUsPsaZSwSyYlQoEpqeGErKVuyNrqmmXpUsP2H0uGAdZvHDs5XNt6zQ1Zb7m29XbGeKdRkPCRG7I+cW3rKzdkfZ0ethVpQkvZ/amAhP/fNJYc/C7HwSybGE37MxaNSdsyYWZmuPlh/YyvTNPm49dS7lOP3qyv1O9H/aOZ7ZX6PUo9Klhyf+r3Lf1YV/R/Gvxumt/Tb/sdNv92Gu8BrfG9kddMBagAFaACVIAKUAEqQAWoABWgAlSAClABKkAFqAAVaNUVkL3ke6rK//8aDLNfTub+OebjGt8/q7b4/zYYJ4ovj50IXJ053KDvPtUFRmWORNCb4bEyEQqkh2tbe13b+knD4TdL0TWV/Yu+S5jA1zb/QIhjeHrH0AS6jX6PrfLM33XzsRca11ljM98X3JB1b/yEdV3m+4c3i7Hx+4z33uP7Xw3ek8y+a/bKv2zwvnXU+s8mDGvVb+i8eCpABagAFaACVIAKUAEqQAWoABWgAlSAClABKkAFqMC5rIDsgr/TY9bfNxi11hWNl+5yglZXJ+Tvnjlcu7hnenm6+qXqErZ/ZiK5F47ZDyc5QtbG+tDIBEep8ZQTsl7KHK7t+5yl51rM0nOEMKcXwlCn81unz71ZXRnvNa5tPZVc1jD9XrTX23fNzPBKvWeZx6B/hmtbQxq9x/V0gv5bMt8HHdvXSfbKaxu+Z/ouVXXgfzd4X3181d/oZ2v/07l8/+Z7UQEqQAWoABWgAlSAClABKkAFqAAVoAJUgApQASpABc5rBWQX/6DxcOxAt8bDtf0jXNsamTkSdmCxmWGQORJB/6aEHdiSOdyQVefa3r5GZm+j5AgFfufa1hsNRnL5L5rq57epTn2pLwaaioHke55ZyjD9XuiErFeSQVfGe2bIqnLtQGmD99Wgtc6xrZyG77/WvIQdmJD5Pu0GA4Md239n5nu66vwdFPRd2uC934Re9pLvndc/OHxzKkAFqAAVoAJUgApQASpABagAFaACVIAKUAEqQAWaTwW8paDMrKOMEa/1tXFDgX4Nhu0f4dj+JQ1GyJ+bMasoNbvIPNqNR8K2XsyccWQ+dkPWB65tfdhosJRdU2lu8zwIWjCAAdtyXNv6rNH79LuObb2a+Z6eCFm/cG3riUbv/bWubR1s+HciUOrYfl/m35KEbS1IBP3jGvzNCVq9FQx0zPzb5IVej6/6m+bzF5ZnSgWoABWgAlSAClABKkAFqAAVoAJUgApQASpABZp5BWRb/yg7cGPmcGzr1kQwMDFzOCH/XNe2NmcOx/YfMOFQ5nBs69eZd9TXf2zusm8cFn3s2tZXjUaEpexYyg4DGMAABs7AgLnxINrob8mXrm192uDvTvKmBbN/V3rGl2tbr5tZX5l/w7wwLOSvzPxbZ5Y6NLO9Mv8mJoIl42T77sn82+l9XFfyL838tICnTwWoABWgAlSAClABKkAFqAAVoAJUgApQASrQnCsge/P3VLH2vzYYZoP5xnsa1RX9H9WV/EuDccL/I2/T+hPFl6cezRJHClrDM4d3V7gdCCQyhnc3ech61m0w/H9wbcs08BoP7t5nBgcGMAGYKocAACAASURBVIABDGDguxto/Pf137xZvA3+Fpu/zYHKzL/Z9R8vyfzbbj52g1aP1N//9GNtySUNzhXMuYO5waTxeYU517BX/mWD8w9zTiL9WXM+r+K5UwEqQAWoABWgAlSAClABKkAFqAAVoAJUoMVUwDRqZDZmz2zsVK3+n/LCoZWX60T9qLWucOr8HZw6X5f0CFpd3aD/fjcY6JMettU3EfQ/kghaizKHa/YzCll7UsMNWXtc23qswd3atvWiG/J/cgZ3i9NM/O7NRGpIDTGAAQxgoKkb+Pwb5wu29VTqnCL1aGZ7Oba1PPP8I2H7Z7oha1D6PMU7Z/Hf74T83dPnM965jb9DzPZflT7v8c5//D+SvfL7Dc6RzDlTWdmft5gTQV4IFaACVIAKUAEqQAWoABWgAlSAClABKkAF/lgFZC/5j9+4W7jO+n+qK+mSOUyzxbX9A93kXcfmzuPhZpP1hG3NToQCC9PDDixO2NaaRMjamB7JJeuOu7YVzBi2Y1u/MUv/ZIw33ZAVI0Ri2SkMYAADGMAABpqRAbP8oVnaMH1OU3+O81jGeY85BzrmBq1t6fMjc65k+1c7Qf+y9HmUOaeyA3PiQWt0g3OuYGCwN9M78/zM7PFlZoJnzhI3M74q1v7XP3bux/+jAlSAClABKkAFqAAVoAJUgApQASpABajAaVfAW8ouYym65FI01nUN79j1ZhoNbtDgCAUWOnbgUdcOlDYcVpkbsuoaDNsKJWzrV5nDbJ7uhqw/1C+h84H3aFsfuckN15v6HdE8P+7axwAGMIABDGCguRhwXNv6uNE517uObb2aeW7m7d9lW080Ooerce3AgYbnev7tju3Pb3he6J/rhgKjGpw/2oGeCvrapZc5NOebZqnDo9Z/P+0TVT6RClABKkAFqAAVoAJUgApQASpABagAFbh4FfCWsjNL19mBGzOHG/TfnbADE9IjVPKgE7QWuSFrY4NhB0pNw6HBsK1fubb1WqNh7sx9v9H40LUts1H5qRGyvm5Gdx03l8YRz5MmJwYwgAEMYAADTdmA2acr0uCc0LZOesFXw/PH91zberPROeZr5sakhueigZ+7tnW84Tmrtd7c/JQ+t/XOc63xrl3cM/McWHUl1+tE4T9dvLNzfjIVoAJUgApQASpABagAFaACVIAKUIHvUAEv9Clb8hd6qui/pEfF2v8qu/ivVVvyt+lhr/07PVb8D94m1mZZEzNOrPwnmWXqzB2gqWEHLlPQ6irbGnJqBIYmbOvhhB3wpUeoxB+3rd1uyHoyPWzraTfk/139zCFzh2vmcF3bajhCVsJtPGzrm5t70+Rpyk0enhs+MYABDGAAAxhorQa+ed76zXPbhue/p86HM8+T467tfyd9Tm3Or80MMNsqT597nzoPf/TUOXr9+XrQf3/6XD59Tr/yhw3O+825f13R/0lfG6SuE8yeXpnXEeZje/P3vsPlCV9KBagAFaACVIAKUAEqQAWoABWgAk2pAmYjZ5mLP7vg79LDzCSqLf6/MoFQatRaV8RDvjaO7euUHnW+Lm4ocJdrB3qeGlbfRMg/JWH7558agcWu2dPIzDKqH65tlZmL28wlTxw78LJrW58zc4g9KzCAAQxgAAMYwAAGMNCiDIQzz/vNx65t/TR1bXDq0dp86hoifT0x89S1Rv11R8i6N31Nkro+qfN3iAVLrkxfv5jrGC8U8/2v9HWOueY5XvQ/zB6uTemajOdCBagAFaACVIAKUAEqQAWoABVoshWQmYVUHfjfqvH9c3rY3p2HNylkdU4Npy5ws2sHBri2NSQ9QoFRiZA1KxG05qWGY/uXJILWqoRtrU8NN+jf5NrWYde2ajOGt6dR5obRbsh6y7Wtr2gYtKiGQWu9s5jXzV31GMAABjCAAQxgoPkYiDe4LrGt180eX65tPZZx/VLrhqwqN2RtTV3n1D+uqb8GSl8TJWxrdjzkH5W+bjLXUCFrkLmmSl1feY/BQEfZRT9MX4eZazKz2kPZkr9osheQPDEqQAWoABWgAlSAClABKkAFWlcF9ETuf2twt565Y6/OausGrd6NxvDGdwU6tj/bta0dDUbI2uPa1jHX9lefGpadsK3nM9eW92Ydhaw/NNrT6OP6Jeu44G4+F9wcK44VBjCAAQxgAAMYwAAGzqcBs8yhbZlrpcw9Yd/75v5d1guubdmnrsP81V7wZZYRz7xuC1rbHNu3vMH1XdCa5wat0Q2uAUMlvZxQcftvXC8+vupvWtdVM6+WClABKkAFqAAVoAJUgAq04gp4SzsE/Tcoc9RZtyeCJeMajFDJXDdorWswbP8+LxwyAdGp8Utz117mqL+r713XtjLHh402O/7Sta0ws5CYhYQBDGAAAxjAAAYwgAEMYKCZGQhZXze6vjvp2tZHja4BzfXgG5nXiubj+qUOM68pn3dt/8EG155Ba10iFFjY4Bo1WDLODfrvbnAta65r7bzvt+JLfF46FaACVIAKUAEqQAWoQGuugKQ/85afa7x57VHrv3v7Gpm9jcww63ybfY3MMnWZo67kX7y9jsx+R94oucQJ+bvLDgxIDbPkgrdEXcgqTNQPxw746vcwMss5JEdyw943XNuKfmOErJibOWzLLA+Rufmv+dh1v7lxsNlcmLsYqQEGMIABDGAAAxjAAAYwgAEMnEsD//Yt15/ut1ynxhtcy5rr2m+75rX9JhA7dX2c/Phw6hr61KN/YepaO/0YCtzV8Lrc7Edc/IMG1+7mOt5e+f0G1/nmWr9m7V+pcT/A3vy91twn4bVTASpABagAFaACVIAKZFTAbADrnTTWlvytUsOERScC/5rcNLbkEu/xxMrL4yFfGydU0j49vA1n/Xe6dsk9p4bVNxHyT0nYgTmnhrXAta2SRCiwMzXc5BJ1Zg+jX6aGWTqhfkmFc3liz/fiQhEDGMAABjCAAQxgAAMYwAAGMPCdDPi/TF27px5d23o6dY2ffjQzvBr0A5K9gVM9g1P9g3RvIaPP0KAPUVvfj0j1KjIfpT/LaG3wIRWgAlSAClABKkAFqMD5qoB3x5G5I8lstpoa5kTNtm6S2ZS1fpjZRd5a1iFrkNnA1RtBa3jCtqYlgoFH0sMsB2D7fQnbWpMabtC/ybWtww3W0bYtEyC96IYCv0sP23qb5eeYNcXMMQxgAAMYwAAGMIABDGAAAxjAwBkbyOwvpD62rZqGvQh/dSIUWJvqV2Q8zk73Nep7HG4wMDjd/6jvgyhkdU71SdKPJ/w/SvdTUn2Vp4r+y/nq4/B9qQAVoAJUgApQASpwQSsgs2ydXfTDBhub1lltk3cJBXq6dv0I+YclbP/MzDuKnJC1wrX9G1w7sOXUsHa7oUCla1vHM4adCFnPJezAz08N60U3GRq959pWapiNXc0yddwhRg0wgAEMYAADGMAABjCAAQxgAAMYaEkG3s/of3h9kETI+sWpPkmyZ+LaVjCjn1LfWwmUnuq7JHswju1/NLNHYz52Q/5h6T5OfT8nXutr06DnYwcuM72gC9p84odRASpABagAFaACzbcC3hrJdSXXK3OY5elC1tjMkQhai1zbv7rhsMpc23rKta2fpIY5+XHswMuObf06NVzbes21rXdcO/D79AhZH7i29blrW2Zz1NQIu7bFHkZcJLSkiwReC54xgAEMYAADGMAABjCAAQxgoDkYMD2ZVH8m+ej1bjJ6OV5fx3ot1e9JPZpeUKovlHqMh/x7GvaQ/Ksd25qd2WvyPraLezboSZn+VI3vn5tvp41nTgWoABWgAlTgIlZA0p+pbMlfyN78vfQwG2A+kfvfvH2NzIaYZtjFf63HrL9Xre9/NRi29Y+qK/mXBsNMxbatvpkjESyZkQgFcjOHa5u7Xiy70fita1tfNRgh62vXtiKNRrR+hpGZZZQajmtbZtPRUyNkJZiFxCwsDGAAAxjAAAYwgAEMYAADGMAABjCAgQYGkj2jUz2kZD/J9JZSfabUo+lBNe5LmYCsYf/K9r/RqMdlm/27E8GSvMx+mFmVR3WBfpl9M9nF3by9xDN7bKbnZq/8foM+nNlz3PToUv068+itCJTR1zM9PtPrY5+vi9hx5UdTASpABVpQBbRkyX/w/tgcL/ofSg274O9kF/9A9sofpkfQd2m8ruT6eNDXLjW8DStt61Y3FLgrPYKB+xIh68EG6/7a/vlu0FqVsEt2pIb5I+ra1hPeNGsz1bp+uLZllp9rDnfT8Bw5ThjAAAYwgAEMYAADGMAABjCAAQxgAAPNxID/04Rt/SrVgzOPbsh61tzknerXJR+t9YmgNa9Bby9oPeSGrHvT/b9Q4C6nzro9bls3pfqEyUf/DfL2Rc/oKZ4I/KtMrzHVdzSPNTl/ZXqSLajFykuhAlSACrTcCshe8j09VvwP8u5uMHc4mFH0Q4VWtlGopH1qOCF/dzdo9XaD/v6nhm94Img9lLCthzPG7ETIKkyE/CtTww1a61zbOuiGrKqMUWf+cNUvS2eWpjPjTde2zJ0czeSPL8+TY4UBDGAAAxjAAAYwgAEMYAADGMAABjCAge9sIGTFXNsys7lSfcLXzPYWbsiqy+gnVrm2vyIRtNal+o7eo+33JWxrdkZ/0utVurY15FQfM9nTVNDqmup3ph9ri/9vw96o9Y9mNlfL7QjzyqgAFaACZ1AB7y6AE/4fKei79NTw3+AGS+52g4H7MsbgRCgwPRGyZqWGE/ItdW1rjRuyNqaHbe1wbeuwGwpUpodt1Zr1axO29XzGeDG5p5H1rmvXj5D1iWtbZtowIRI1wAAGMIABDGAAAxjAAAYwgAEMYAADGMAABpqSgY/Sfcz6fqY3u6thz/N51/ZXp/uiqR5p0NqW7p/W91ITdmBxqs+aenTtkoEZ/VivN6sT1nWn+rb1PVwzo4slC8+gC86nUgEqcNYV8GYhBa1rvDcj84Z0wrrODfrvdkOBUa4deCA1Et6SdAHLDflXpoft32eWpHNt6+nUSISs5xK29aITsl7KGK+4Ieut+tDonfrH91zb+swNWV9kjK9d9jBqSn8YeS6cqGEAAxjAAAYwgAEMYAADGMAABjCAAQxgoHkY+Cqjz5rsuSbDrlQ/1nt0bOs3GX1br4drerqp/m7q0TG936C1Kt0LDvlXOqZHHLLGpnrG3mNd4C4F/Tdk9pe9/bxYsvCse/Z8IRX4ThXQz9b+Jx21/nODYa/8S29fI7ORXmrUlvytHrP+vsGoDvzvb0zNrPV3lx3omTnq1zzNSgQD6eEm0/Iq17ZqUsOx/S9/IwiyrZPf3FjQW6LObEKYOczmhGbW0alBgMQf5ObxB5njxHHCAAYwgAEMYAADGMAABjCAAQxgAAMYwMCZGEj2ft0G/WDbMj3izJ6x+dhsd/JVo3GycUDm9abNcocZ/Wo3ZG11bCsns69tZnmZZQ0z+9+yi7vJ268rtb2L9Y/eZIvG/XTTY69Z+1fpnrvpvZtevL35ew3686Znz8yw75R78MXnqAIqK/tzD+3jq/5GqWE2prOLf6A66/+lxwn/j+InrOviduDGzOHUBW52QiW3ZY5EyHqw8XqhCdu/OhG0tmUON2Q9mbCtFzKHa1tfsvQcS+9hAAMYwAAGMIABDGAAAxjAAAYwgAEMYAADGMAABjIMhKwvzL5ejfrpj7t2oLRB3922ShIh/9wGPfqgf5xrl9yT2cd3Qv7u8TqrbWa/P15Xcr1qSy5J5wImIzBZgQnDUvmBeTRBmL3kP56jmIJv05Qr4M1Ceqz4HxrOJir+gUIr2yhY0i41HNvXybUDPd1goE962P6BCduanLADU9PD7G8U9BclbCuQGm4osNbb08i2jrmpEbLqzBRH17Z+22hEeGPIeGM4k+Sdz+VODQxgAAMYwAAGMIABDGAAAxjAAAYwgAEMYAADGLgYBkLW165tvZnZ7zehl2tbdjoXSOYDhxO2tT6VH9Q/FifswJx0zuBlDtZkNxgYnM4jTDZhVkALWl1TuYX3aAdu9EIvO2MWmL3y+7KXfK8pZzPN5rmpJuevZK/8oZcumoTRDDtwoxu0ephkMj2CgcGJUGB6ZnrphHxLXdu/2guJTFBkRtC/ybWtg/Wh0eF0eBSynk3Y1s8yxgvePkYh6w9uatjWh65tmemH/JJTAwxgAAMYwAAGMIABDGAAAxjAAAYwgAEMYAADGMAABs6VAZM9fJzOI0wuYVtvJ2zrlxm5xc/ckPWsG7LMNjypfMM8HnTtwJYGWUgosNYJWUszMxPzsWtbQ9K5Sn3G4k3aSeUvqUe7+K+bRZCkGt8/yy6+NnM4tnWra1sj3VBgVGokbP9MJ2T53WDASo+Qf6drW4+5tvV4epiwKGT9or7wpvi/NBureQlkyHrLTQ3bes/b+8i2PndTI5lU/hshEiEaBjCAAQxgAAMYwAAGMIABDGAAAxjAAAYwgAEMYAADrcyA2b/rVGaS/Pi9dK5Sn6+YzCUzgzEfe+FXZlbjfRwoTec59dlOwrZmp3Kf1KOCgTsyMyLv4xOF/3TGSxZWTOyy2p59909+lj34Z78umfDku9tnvXbySNYnX1bmfPL1sbxPwsfyP4lUFXwerSk8Ga8tPhmv8510g/6T9fscmRefOcyGZmaTMydjMAuJVPlcpcp8HyxhAAMYwAAGMIABDGAAAxjAAAYwgAEMYAADGMAABs6dAZPhZGY65mOT9WRmP+bjr1zbOukGfSfduuKTbl3RSbe28HO3tuBTpyb/E6c69xOnKueT+OEFr8fLHnomvu2Bn8bWDXguZvXIkdXtH9MztDb2/NFPNvb8kRqPbQOu1IGx7XVkUjfZc+7R4wt66ZdFo/XrwDi9uWmG3tn2iD7Ys0Af7l2kT8uX6fNDj+rro7kKH89XvLYYEOcOBLWklhjAAAYwgAEMYAADGMAABjCAAQxgAAMYwAAGMIABDJxfA0G/3JoCudV5co5nyzmWJefIEjkVi+Ucmq/4wXmKl05SfMd4xTYNU2zdQEUCPRQpvl2R3I4Kr7jx20YwsuSmH/zJUKpxSPVt/1028kbtG91OlZO7qWrabXpiYS89vbSffp43XC/6xujV1ZP0+oapemfbLL2/e74+3r9EJ49ke8FVK5tOd36h8ItIfTGAAQxgAAMYwAAGMIABDGAAAxjAAAYwgAEMYAADGPhjBmoL5FblyDm6PBk0mZBp30zFy6Z5YVNsZ33YtGGQoqt7KbryfkUKb1akoKvC2e2+LXA6nX87d6HUtwVVmf+2fcBV2jX0Wu0b3VaHxnfywquah+9QcHYPL8B6Zll/b/bVy4HxemPjNL215WFv1tUXh1coVlMEnj+Gh/+HDwxgAAMYwAAGMIABDGAAAxjAAAYwgAEMYAADGMAABuoNOMdWJAOng/PlHJitWOlkxXZOUGzLSEU3DlF0Xb9k2FRyj6L+OxUpulXh/C4K53Y4nXDpbD/nwoVSmQHVt328qfelMsHVzkE/1u5h12vP8BtUPra9Do7rqIqJXVQ5qZueWNRbzywfoF8VP6BXVj2od3fO0Ud7F+nrY3lA480GAxjAAAYwgAEMYAADGMAABjCAAQxgAAMYwAAGMICBlm+gtlDOkaXJZfTKpiu+e4qim4YpamY1mRlNZhk93+2KFN+mSGF3RQq6KWyW1MvpoHBW27MNlM7F1zWdUOrbgqrG/7a596Xa3Ocybel7ubb2u0Lb+l/pBVk7Bl7thVnl4zro+PTb9Nj8+/VczlC96B+jtzY/rPdL5+nLIzn6+miet1xgpKpA0epCRWuKFK/zecM16yPyy0oNMIABDGAAAxjAAAYwgAEMYAADGMAABjCAAQxgAAMYOJ8Ggj65ZtQVy60rkltbmNy/qSY/uYdTxSI55bMVL52s+LYxim0Yosiqnor471Akr1MyYDIzmnLaK5xzk8LZNyXDposbOJ1OaNW8QqnGIdWZ/rcJsw6Mba+KSV29ZQNPzLvfm3X1cmCc3to8Q3/YMVsf7Fnozb76tHyZPj+0Ql8dzfWCrHhtMb+E5/OXkO+NLwxgAAMYwAAGMIABDGAAAxjAAAYwgAEMYAADGGjuBkzYZPZrqs6TezxbzrGs5KymisVyDi1Izm7aNVHxHWbPpqGKrR+oiHVXclbT+V0673RCo/P9Oa0rlDqdEGv38Ou9fa/McoFV02/T4wt66ull/fTzvOF6yT9Wr66epNc3TtM722bpg90L9PG+xfrySLbCx/LkMNuKN8zm/obJ88cwBjCAAQxgAAMYwAAGMIABDGAAAxjAAAYwgIF/34CZzVSVI6dyuRwTNB2cp/j+WYqbZfRKJylmwqbNwxUzS+mt7qXoyvsUKbxZEbNfU9OfyUQodTpB0oX8HLNkYOnQa7V3VBsdmtDJ2+uqduadsmf38Pa8enppv/rZV+P1+oZp3vKBZtbVF4dXeMsFskSg9e//MvNGR20wgAEMYAADGMAABjCAAQxgAAMYwAAGMIABDGDgYhkI+uUcWyGncpkXNjkH5ihmgqadExTbMtKb2RRd20/RNb0VLblHUf+dihTdorAJnMxSeituZPzxGjBT6lwHWpt6XeLtc7Vz0I+1e9j1Khtxg8xeV4fGd9SRSV11dEp3Pb6wl55Z3l+/Kh6tV1ZN1O+3P+ItGfhVZQ5vNhfrzYafiz0MYAADGMAABjCAAQxgAAMYwAAGMIABDGAAAy3bQE2+nMqlycDJm9k0WdFNwxU1s5pW3e8FTRHfHYr4bkvObirsnty/KacDs5z+eNh0umEcodS5DqVO5/tt7n2pNve5TFv7Xq5t/a7wQqwdA6+WCbJ2DbnWWz7w2LRbVffI3XouZ6h+WTRKb2yc7u15dbIiy9vjKlJVoEh1oTf7KlZTpHidT44ZLCHYst80+aPI8cUABjCAAQxgAAMYwAAGMIABDGAAAxjAAAZaqwGzX5MZdcXJUVso14yaAm84hxfKKZ+teOlkxbePVXT9IEVW9VLEd7si+Z0VyeuUDJnM3k1mZlP2TcmwiWX1TjdU+q6fRyh1OiFSU/scMxtr76i2Ojihk2pm3qnH5t+v5/OGeXtevb5+qt7dOVcf7Fmgj/Yt1qcHkksHflmZ44VZ0epC3rBb6xs2rxv7GMAABjCAAQxgAAMYwAAGMIABDGAAAxjAQFM1YIImEzBV58k9ni3nWFZyGb0jS+SFTWbvJm/PpnGKbRyqmAmczKymoltZOu/czGL6roHT6Xw9oVRTC5zO1fPZMejH2jsyue9V9YzbFZpzr8x+Vz/LGqyXA+O9ZQNf3zhNb215WO/vnu8tH2j2vfqqMlfx2mLemJvqGzPPC5sYwAAGMIABDGAAAxjAAAYwgAEMYAADGMBAczRgwqaqHDmVy+VULFH84FzFDzyieNk0xXdPUWzHOMW2jFDMLKW3upeiJfcml9DL76xwVpvTCTz4nKYfThFKnasQqLl9ny19LtOuIddoz/AbdGh8J1VM7Kqah+9Q8JEeemJRby/A+kXhKL1kjdVr6x7S21tm6sOyhfr84HJ9fSyPN/3m+KbPc8YtBjCAAQxgAAMYwAAGMIABDGAAAxjAAAYwcD4MmK1ljq1Izmw6OE9O+RzFdk1SbOcExbaMVGzTMEXX9lN0TW9v36aodZcXOIXzuyqccxNhUtMPk87VMSKUam5h0oV8vtv6Xymz19XuodepbMSNOjCmvRdgHZnUVcceukX2nHv09LL+ej5vuF5dPUlvbprhBVeflS9jb6vz8cbO9+SEAQMYwAAGMIABDGAAAxjAAAYwgAEMYAADGLgYBqpy5VQulXNwrpyy6Yrvmqjo5hGKmllNq+5Pzmry35Hcu6noZkUKuyf3bjL7NjHL6VwFOi3h+xBKXciQp6X9LLO31eY+l2lL38tlAqztA67SzkE/1s7B16h06HXaN6qtjk+7VcHZPfSz7CEyM6/e3DRd7+6cI7NUYKSqQGaPq2hNkWJm1BYrbhL1oJ9Q62L8YeFnckKDAQxgAAMYwAAGMIABDGAAAxjAAAYwgIGWaSDolxv0JYfZu6muSG6tGYXecA4tkFM+W/HSyYrvGKfo+oGKrO6dDJnyuyiS31mRvE6ngiYzuym7ncJZbVtCUMJruHAztQilWlpQ1NxeT9nIG3VwfCdVz7hDjy/oqedyhnpLBv5u3UN6r3SePtizUB/vW6JPy5fpZEWWvqzMUfh4vhdmufyBbJl/IDmuHFcMYAADGMAABjCAAQxgAAMYwAAGMIABDJy+ARMymXAptWfTsazkvk1Hlso5vCi5d1PppOSeTRuHKmYCJ98dihTdonA2S+eFL1wgQ/i14kZCqeYW4rS252tmX5WNbKPycR29Pa/MkoHPLOvvzbz6dWC8Xlk1UW9smq63t87U+7vn68OyRfqiIktfHc31Zl8RXFmn/8eLP/TUCgMYwAAGMIABDGAAAxjAAAYwgAEMYAADTc9Ada7cqpz6oGmJ4uVzFT8wW/G90xXf85Bi28cm921aP1DR1b0VDfTwAqdIXmdCEAKnpmaAUKq1hTwt7fVu7n2pdg25RnuG36CD4zuqYmIX1cy8U/bsHnpiUW8vwHqhYKRessbptXVTvPDqgz0L9NnB5V5wRWhFaIUBDGAAAxjAAAYwgAEMYAADGMAABjCAAQxcNAN1RXKOrZBjZjUdnCfnwGzFSicrtnOCYltHKWb2bVrbV9E1fRQtuUdR6+7kfk35XZjlRODU1AKn03k+hFItLaTh9fxIjWuwtd8V2jHwam+fq70j2+jAmPY6PKGTjkzq5u15ZWZfPW1mX+UM1W/XTNYbG6fJBFdmycB4ra/p3RnB3SocEwxgAAMYwAAGMIABDGAAAxjAAAYwgAEMNA8Dx7PlVC6Tc2COnLLpiu98UNEtIxXdMEjRVfcrWnKvItadyb2bim5OBk65HRXOaa9wVpvTafLzOYRTzckAoVTjAIP//mao09JrsqnXJdrS5zJt6Xu5zHKBJsDaNfga7RpyrXYPu157R7VRFKE/0gAAIABJREFU1fTbFJxzj36aNVi/KBypNzfP0Ls75+qLQysUrS7ylgqM1RYrbkadT44ZQb83LtpdFpyYNI8TE44TxwkDGMAABjCAAQxgAAMYwAAGMIABDDRdA0G/XG/45AZ9cs3+Td4okltbJOfQfDnlsxUvnaz4jgmKrhvgLaEX8d2uSEE3RfK7yFtGzwRNuR0UzrlJ4ex2Cme1bU5BAs+V4OtcGSCUaumBC6/vwoRsJrwyywea8Orxhb28Pa9essbqtbVT9MHuBfqwbKE+2b/Um311siJbX1bmKFJVoGh1IcEVJ11N96SLY8OxwQAGMIABDGAAAxjAAAYwgAEMYKAlGzDhUm2h3Oo8uVW5co5lyTn6qJzKpXIqFitePkfx3ZMV2z5OsY1DFFvXXxHfHYoU3pwMlggqzlVQwfdpPZYIpQhtLkxo09rrvK3/lSobeaMOjG2vmofvUHB2D2+/q+eyh+jlwHi9snqi3tw0Q29vnaX3S+fro72L9MXhFd6+V2YmFrOtWNcYAxjAAAYwgAEMYAADGMAABjCAAQxgAANnYsAvtzpXTlWOnMrl3p5N8fK5ih+YrfjeGYqXTVVs+1jFtoxUbP1AxVb3VsTs11R0iyJ5HQlJWk9IwrG+sMeaUKq1hyW8/qYRypklBHcNuUZ7ht+gg+M6qmJiVy+8MvtdPbmot559dKBeKBiplwLj9Nu1U/TOtll6f/d8fXZwub48kkNo1ZLv2OG14RsDGMAABjCAAQxgAAMYwAAGMIABDHzTQG2BnONZXtjkHJyn+P5HFNs9RbGdExTbOkqxzSMUXddP0TV9FC25R9HA3d5yeuH8LsxyurAhBKEP9c40QChFKNM0QhmOw58+Dlv7Xe7td1U69DrtHdVW5WPa6/CDnVU5qZuqp9+enH21fICeyx2qV1dP0usbpuqDPQv06YFlitYw24o7ic7kTiI+Fy8YwAAGMIABDGAAAxjAAAYwgAEMXFwDzrEVycDpwGw5e2cotmO8YltGKbp+oKKreiq68l5FrbuSy+mZ2U2F3RU2+zbltFd4RZvMJjgfE4pgoOkYIJQiDPnTYQg1ah41MrOttvS5TCa82j7gKi/A2jXkWpkQy8zAMssHVs24Xfbce/XTrMH6ZdFovbFxmt7bNU+fH3pUsdpixc2o83nDqfN7+105qc0cuSPnm3fkUBNqggEMYAADGMAABjCAAQxgAAMYwAAG/h0DfrmpvpL36JMb9Mn19nEqkHN4gRyzlF7pZMV3Pqjo2n6KmiX0fLd7AVMkv4u8kddJkVTYlN1O4SwCp3DTCRgIezgWZ2qAUIrApXkELhynC3Ocdg29VuXjOujY1Fv0xMJeXnj1sjVWv10zWR+WLfT2ujIzr8yygSePZOvLyhxFqgoUrS70AizuILq4dxBRf+qPAQxgAAMYwAAGMIABDGAAAxjAwAUxUFckt7ZQbnW+3KpcOcey5M1sqlwm58gSxQ88ovieKck9mzYMUXRN3+SMpsJuCme1PdMmNp9P8IGBlmOAUIqw48KEHdS5ZdR5a9/LvRlXB8a2V/WM2xV85G49a5YMzBmqlwPjvWUD39w8Q+9se0Tvl87XR3sXe7Owvjqa6wVXF+SkiLuT/p27kzgpxx8GMIABDGAAAxjAAAYwgAEMYAADp2HAzGaqzpNzPFtO5XJvCb14+VzFzaymvTMUL5uu2PYxim0Zqdj6AYqt6aOI/05FzBJ6uR0ID1pOeMCx5FieDwOEUoQlLSMs4Tg2neO4c/A13nKB5WM76Mikrqp5+A6F5tyrJxf11k9XDNILBSO9AMvMvvq9F17N02fly3SyIpvZVgRqBGoYwAAGMIABDGAAAxjAAAYwgAEMnG8DNflyjmd5M5qcg/MU3z9Lsd0PKbbzQcW2jlZs8whF1/VXdE0fRUvuVTTQQ+GCbgrndVY4m1lOLJ134/kIKvierScAI5QizGg6YQbHonUciy19L/f2uyodeq32jW6r8rHtVTGxiyond/cCrODsHnrGzL7KHaZXVj2o361/SB/sWaBPDyz1lgrkjqbTuKPpfJ+88v25QMIABjCAAQxgAAMYwAAGMIABDDRZA85RM7tpibdfk7N3hmLbxym2ZZSi6wd4ezZFV5qg6e7kcnpmdpMJnHI7KZzTnmCg9QQDHGuO9cUyQChFENI6ghCOc/M5zpt6XaItfS/T1n5XaMfAq7Rj0I9VOvQ67R52vcpG3Ki9o9qoavptCs29Vz9ZMUi/8j2g1zdM03ul8/T5weVy6nzejCsn6G/wSJhFmIUBDGAAAxjAAAYwgAEMYAADGMBA8zHgl2vXj6BfbmqYWU6HF3qBU7x0suI7Jyi6tr+iq3sp4rtdkaKbFSnoqkh+F0XyOimS2zEZNmW3UzirzcVqQvNzCUAwgIGUAUIpwormE1ZwrDhWp2tg56Af68DYDqqc0l1PLOqtnzw6UC9b4/TamsnerKuP9y3Wp+XLvf2uvjySra8qc7xZWNGaIi/Uaj4nqFxMcKwwgAEMYAADGMAABjCAAQxgAAPNykBdkdzaQrnV+fX7NmXJObZC3uymyqXeUnrxPQ8ptm2MYhuHeDObvP2aCrqmGro80tzHAAaaswFCqdNtcvN5BCIYaDkGNve5zJt1dWBse2/WVd2su/Ts8gF6PneoF179du0Uvbl5hn6//RG9XzpfJsT6/NCj6fCqWZ3sspxCk11OAUdcOGMAAxjAAAYwgAEMYAADGGhhBuqK64OmbDmVZgm9pYqbPZvK5yi+72HFzVJ62x5QbMtIxdYNUGxN3/QSeiydxz5F7FWFgVZigFCKoKHlBA0cS47luTSwY9DV2jP8BpngqnJyN9XMuMNbMvDJRb31s+wheqFgpF4uGa9X10zywqv3ds3TZ+XLdLIiW/E6H0EIYRgGMIABDGAAAxjAAAYwgAEMYKAlGQj65FblyjmelVw+7+Bcxfc+rNieqYrtGKfYttGKbR6e3LdpTR9FS+5V1LpbYbNfU15nhbPaNueZDTx3ZuZgAAPnygCh1LlsYvO9CEUw0HoMbOlzmXYMvFq7hlyr/aPbqXxsex2Z2FVHp3RXzcN3KvhIDz376EA9nztMv1k5Qa+te0jv756vTw8sVfhYPhcmLenChNeCZwxgAAMYwAAGMIABDGAAA83fQG1Rcgm9ikVy9s9SvGxacgm9LSMVXdvPW0bPC5oCPRTx3aZI0S0K53dVOK+TwlntzlWzlu9D4x8DGGjpBgilCBFaT4jAseZYX2gDW/perq39rvDCK7PP1e5h13mzr/aObOMFWcen3arQvPu88Ool/1i9vmGq3i9NzrhiCYcWtoQDF6jN/wKVY8gxxAAGMIABDGAAAxjAQPM1EPTLPZ4tp2KxnH0zFS+dpOjW0YquG6DIyvsVKTYh082KFHRTpKCrIiZoyu2ocM5NCmebwKlNS28S8/oIQjCAgQtlgFDqQjep+XkEIxjAwOka2D7gKm/5wCOTu+mJhb28fa9eDozTa2un6IPdC/TJ/iX67OCj+uLwCn15JEdfHc1VpKpA0ZoilhDkYrH5Xixy7Dh2GMAABjCAAQxgAAMYwEBjAyZUqiuSW1sotzpfTnWeHBMyHcuqn920OLln056HFNsyQrENgxUpuU8R/51iryb26Wkl+/RcqECBn0N49V0NEEqdbnOYzyNIwAAGmpqBTb0u0Z4RN3rB1fGpt6rukbv1zLL+3pKBL1vj9Lt1D+mtzQ/r99tn6/3S+V6I9fmhR/VVZY7Cx1lCkNlozEbDAAYwgAEMYAADGMAABjDQFAz468OmvGTIVLncm9EUPzRf8QOzT4VN28d4ezbFzFJ6q3p5s5vCBd3Zq4kG+XdtkPP1GMLAhTVAKNXUmsw8H4IPDGDgXBrYPvAq7R5+vQ6MuUmVk7uresbtOjH3Xj2xsLeeyxmqFwpG6tclE/Tqmsl6Z9sjenfXXH1WvkwnK7IUqy3m7rzGd+fx35jAAAYwgAEMYAADGMAABjBwZgaCPrlVOXKOrZBzeKGcg/MU3ztD8T1TFdsxTrFtDyi2aahi6wcqurqXooF7FPHd7i2lF87twNJ5F7ZZTHOeemMAA+fbAKHUuWz+8r0IEzCAgeZmYHOfS709r3YNuVb7RrdT+Zj2OjKpq449dLNqZ96p4CN369kVA/V83nAvvPrd+of03q65+uTAUm+5QO4qbAp3FfIccIgBDGAAAxjAAAYwgAEMXEQDNQXJJfRM4LR/luJl0xTbNkbRLSMVXddf0TV9FF15r6KBHsmwqegWhfO7KGz2bcpqe76bn3x/GuwYwAAGmpYBQqnm1kDm+RJ6YAADF9rAlr6Xa2u/K5Lh1eBrtHvY9SobcaP2jWrrzcA6NvUWhebdq2eWD9BL1ji9tm6K3iud5y0X6Jp1v7mLkBpgAAMYwAAGMIABDGAAAxhongbMLCezb1OF2bNphuK7Jim6dZSi6wcqsvI+RXy3KVJ0iyKF3RUp6KpIXmeF8zoqnH2TwtntaAQ3rUYwx4PjgQEMNAUDhFIXurnLzyNQwAAGWrIBs89V47FtwJUqH9fBWz7w8YW9vH2vfh0Y7+15Zfa6+vTAMpm9rr6oyNKXlTn6+lieIlUFitUUKV7na54Xblxwc9wwgAEMYAADGMAABjCAgaZgwIRKdcXJPZtq8uVU58k5ni3neJaco4/KObIkuZTe7imKmZlNGwYrUnKvIv67FM5pr3BWm1NjRRuW0qOh3RQa2jwHHGKgeRsglGrJzWFeG+EHBjDQXAwk971qr6MP3azgIz309NJ+ej5vmF7yj9XrG6bprS0P6w875ui90vne0oGfHXzUWz4wfDxfDrOxuNhvChf7PAccYgADGMAABjCAAQxcaAPmWqi2UK4Jm8x+TUeXJ2c0HVqg+IHZiu+fqbgJm7aPVWzzMMXW9VdkVU9Fim9VuKBrMmxq3o1NGtMcPwxgAAPNzwChVHNp2PI8CRcwgIHWbGBb/ytlgqv9D7TT0Sk3q3rG7Tox7z49uai3ns8dphcKRuo3Kx/Ub9dO0TvbZundnXP1WfkynazIUrS6iIvjC31xzM/DHAYwgAEMYAADGMAABr67AbNyhJnVdOxROYcXKn5wXnJW056piu0Yr9i2BxTbNFSxDYMUXdVT0ZJ7kns2FXRLznJqfo1KmsscMwxgAAMt3wChVGtu8vLaCTkwgIGWYmBT70uTe14NuVb7Rpu9rtqrcnI3mf2uamfeJXv2PXp2+QA9nzdcLwfG6/UNU/XuzjnevldfHsn57heLXHBTQwxgAAMYwAAGMIABDGDgjAz45VbnJ2c3HVogZ/8sxfY85M1qim4eoei6AYqu6avoynsVLemRDJuKblU4v4vCeZ2Y5dTym7Y05jnGGMBASzVAKNVSGrK8DsIFDGAAA3/cwJa+l2lb/yvS4dWeYddr78g22j+6ncrHdvCWDgzNu09PLe2nlwPj9Ns1k/Xerrn6ZN8SxWuLucA+owtsi3pRLwxgAAMYwAAGMICB1m2gzle/Z9NixcumKb5rkqJmz6b1g5J7Nvlu95bRixTerEhBV0XyOyuc1zE5wym7XUttRPK6aLJjAAMYwAChFE3cP97EpT7UBwMYaE0GNvW6ROnR+1JtTo0+JtC6UuXjOqpySnc9tqCnnlnWX78uGa/frX9I75fO02cHl+uLwyt08ki2vqrMVfhYviJVBYrVFCle62vdF+Q0ZDj+GMAABjCAAQxgAAPNzUDQJ7euuH7PpgI51XlyqnLkeMvprZBzZElyKb3dUxTfMkrRDUOSYZP/zmSwlNVW4fRok5zZlNVG4RVm3MigBhjAAAYw0FoNEEq1pmYrr5VwAQMYwMD5NVA69FodGHOTF1wFZ/fQU0v66vm8YXrJP1ZvbJyut7fM9JYNfH/3fH16YKkXZH11NFfh4/lyzCbFze1CnefLMcMABjCAAQxgAAMYaI4GzLl3bYHcmnw5x1Ykl9CrWKy42bepfI7i+2cpvnuKYjvGKbZpmGJr+yuy8j5Fim9LLp/nhUsES4RrGMAABjCAgbMwQChFg/b8NmipL/XFAAYwcMrA1n5XaPfw6719r45OuVlV02/TY/Pv15OL++j53GF6oWCkfrPqQb22bore3jpL7+6cq0/Ll+lkRZYiVYU0PJpjw4PnjFsMYAADGMAABjBw4Q2YGU5mRtPRR+UcXqT4wXnJWU17piq2c4Ji28cotmmoYhsGKbqqp6Il93iBU6Sgu8LZN7XWO9d53czawAAGMICBC2GAUIpm6almKbWgFhjAAAYurgGzdOCOgVdr15BrveCqfGx7VU7upuPTblXtzLsUmnuvnlk+QD/PH66XrHF6fcM0/WHHbH28f4lOHs668Bf7NFioOQYwgAEMYAADGMDAhTZgZjlV5yZnNx2aL2f/LMV2P6TY9nGKbh6h6PoBiq7tq+jK+xQt6aFI/d5NYbNnU27H5DJ6NB0vRNORn4EzDGAAAxj4NgOEUjRgL24DlvpTfwxgAANnZmBL/f5WJrwqHXKt9gy/QXtHtdH+B9rp4PiOMjOwTsy/T08t7ectG/jq6ol6b9dcfbxviaLVzLZiiUSLxtmFbpzx8zCHAQxgAAMYODMDdcVyKpfJqVikeNk0xXdNSoZNGwYrErhHEf8dihTfqkjRLYoUdFMkv4vCeR2T+zhlt/u25hf/RlMUAxjAAAYw0HQMEErRDD2zZij1ol4YwAAGmr4BM+PKjM29L/WGCbLM2Nr3cpklBL3w6iETXt2vZ5cP0MsBM+tqqt7bNU+fH3rUWy7wy8ocpfa7MksHxmqKFK8tPrOGAg0Y6oUBDGAAAxjAAAZan4GgT65ZPq+2UG5NgZzqfDlmZlNVjpzjWXLM3k37HlZ892TFt45SdOOQZNjku0Ph3A7J5fNMuGRGVtv60YYZTk2nmUhjl2OBAQxgAAPfxQChFM3Vpt9c5RhxjDCAAQxcWAM7B1+j/Q/cpCOTu8mec4+eWtxHP88brheLH9Bbmx/W21tn6t1dc/X+7gX65MBSfXZweTrAitf5Wl/jhWYbxxwDGMAABjCAgdZiwCydV1MgtzpPzrGs5J5NFYuT+zaVz1F8/6xk2LRjXHLPprX9FCm519uvKZzXSeEVbb5LE4uvpQmKAQxgAAMYaP4GCKVodF7YRif1pt4YwAAGmr+BLX0v1+5h13v7XlVO6a6qabfpsfn366klffV87jD9onCUXlk1Ua+te8gLsMwMLBNenazIUuR4AU2r1tK04nViHQMYwAAGMND8DNQWyTUzmo4uTwZNB+cpvneG4numKrZzgmLbxybDpg2DFF3VU9GSe5JL6RV2T85oav6NMpqdHEMMYAADGMDA+TVAKEVztPk3RzmGHEMMYAADTc+A2fNq19BrtXdUW5WP7aDKyd288Kpu1l06Me9+PbOsv36eP1wv+sfqjY3T9fvtj+jj/Uv0xaEVcswduDSxqAEGMIABDGAAAxg4twbMOZYXOD0qx4RN+2cptnuKYjvGK7p5uKLrByq6tq+iq+5XtKSHovV7N4XzOiuc25Hl885vg44GKPXFAAYwgIHWYoBQikZm02tkckw4JhjAAAZavoHNfS7Ttv5XyoRXpUOv057hN3gzrw48cJMOTegkMwPL7Hn11NJ+etE3Rr9Z+aDe2zVXH+9brPDx/HPboKHhRT0xgAEMYAADGGgJBuqK5FQulXN4geJl0xTfNUnRzSMU3TBYkUAPRfx3KuK7TZHiWxQp6KZIfheF8zoqnNOeWU40QltLI5TXiXUMYAADF98AoRSNz5bf+OQYc4wxgAEMNE8Dm3pdok29L5UJsLb0uUxb+16urf2u0DYz+l+p8nEddWzqLTox7z79ZMUgvWSN1esbpurdnXP1RUWWvjyS7e119fWxPEWqChStLlSstljxWva9YiaaRfO1JTRfeQ04xgAGWpqBoE9uXbHc2sLkqMmXY/ZuqsqVczxbTsVixffPVLx0kuJbRyfDJrNfk+/25EwmEy5l31Q/2iWDpqy2zHC6+M03GqAcAwxgAAMYwMApA4RSNCqbZ6OS48ZxwwAGMICBP2XAzMLa90A7HZ7YRaG59+rJRb2TSwb6xujNzTP0zrZZeq90nj7Ys8Db8+qzg8u9EMvMxIrXFtPoa2mNPl4PpjGAAQxg4GIaMEvn1RTINSHT8Sw5Rx+VU7Gkft+muYofeETx3ZMV3zlesY2DFV3bT5GA2a/ptmTgdKqRQ1OLWmAAAxjAAAYw0JwNEEr9qYYW/5+mJwYwgAEMYKBlGtjc+1LtHna9t2yg2fPq+LRb9fiCnnp6SV89nztMvywarVdWTdTv1j+kt7fO9AKsT8y+VxVZCh9jCUFmWzHbCgMYwAAGMJBhwMxu8vZrWi6nYpHiB+cqvu9hxfdMVWzXg4rtGKfYpqGKbRik6Kqeipbco0jRLQoXdGPpPBqLzbmxyHPHLwYwgAEMnKkBQikajS2z0chx5bhiAAMYwMC5MLB9wFUqHXqt9o5qo4PjOsqEV1XTb1PdrLu9AOuZZf318/wR+pVvjN7YNN2bfWX2vfr80KOK17FMIM3KjGblxbw7n5/N7BAMYAAD382AWVbPLJ9nZjeVz1V8/yzFdk9RbMcERTcPV9QETWv7JcOmQA9F/XckA6f8zgrndFB4RZszbdbw+TT4MIABDGAAAxhoqQYIpc5Fw4rvQeMTAxjAAAYw0DoNmNlWZn+r7QOv9mZd7Rl+g/Y/0E7lY9rr8IOdvRDrxPz79fSyfvpl8QP6zcoJenfnHJng6uujed+tQUaDkfphAAMYwAAGzo2B2kI5R5bIOTRf8bJpipVOUnTTcEXXD1LEzGiy7vL2bYoU36pIQTdF8rvW7+HUgVlONAxbasOQ14VtDGAAAxg4XwYIpWgits4mIsed444BDGAAAxfKwKbel8iEV1v6XKYtfS/X1n5XJIOsAVfJzMQ6MLa9jk29RaF59+mnWYP1kn+MXt8wVe/umKMvj2Try8ocfX0sT18fy1ekqlDR6kLFaouTM7GCzMRhNhYGMIABDGDANTOZzKgtkmuW0TN7N9Xky6nOlWOW1KtYJMfs2VQ6SfGto72ZTZGV9yX3a8rrqHBuB4Vz2iucc5PC2e2SI6utwlnMcArTkDtfDTm+L7YwgAEMYKC1GiCUulANKX4OzU8MYAADGMAABs7GwLYBV2rfA+106MHOsufcoycW9tIL+SP0kn+s3tw0Q+9se0Tv756vD8sW6tMDS72lA786mqvw8XwvvKJZS7MWAxjAAAaatQETNpmQqTpPzvEsOcdWJGc1efs2zVP8wOxk2LRzvGIbB3vL6EUCPRQpvj0ZNNHwaq0NL1439jGAAQxgAANN0wCh1Nk0h/gamooYwAAGMIABDDQVA5t6XaLdw67TvtFtdWRSV1VNu02PmSUDl/bT8znDvP2uXlk1Ub9bP1Vvb53pBVgf71uiLyqy9PXR3HOz7BHLR1FHDGAAAxg4GwNBfzJwMrOZKpfJObxI8YNzFd83U/E9UxUrnajY9nGKbRqm2PqBiq7ulVxOr/Bmhc0SemY2U9NstvC8OC4YwAAGMIABDGDg2w0QSjWVhhLPg+YmBjCAAQxgAAPny4DZ92rXkGu1d2QbHRrfydvrqnrG7aqbdZeeWNhbzyzrrxcKRupF/xi9sXGaF16Zfa8+P/SoYjVFNFrPptHK1+AGAxjAgNw6n1wzu+nocjnlcxXfP0ux0smK7XxQ0U3DFN2QnNlkwqZooIei/jsUKbpF4fwuzHL69iYOzS3qggEMYAADGMBAczdAKHW+mj98XxqLGMAABjCAAQw0FwNmzysTXO0YeLV2D7teZSNu0IEHblL52A6qmNhFRyZ102MLeurpZf31i6JRemXlg/r99kf00d5F+vJIDo1nGs8YwAAGWqsBs2/TkaVyDs5TvGyaYqWTkmHT+oGKlNyrSOBuRXy3e3s3RQq7K1LQVeHcjgrndGC/Jhpqzb2hxvPHMAYwgAEMYODsDBBKNZdmEc+TxiYGMIABDGAAAxfTwKbel8qEV1v6Xq6t/S73QqztA67ygqydg36sA2Pa69jUW2TPvVfP5QzVi77krKs/bJ+trypzlNrnyux1Fa0uVLSmSPHaYsXrfHLM8k2ttaHL6+bYYwADF9OA2a/JjLoiubVmFHrL6Tlm/yazpN7hRXLMnk27Jiq+9QFF1w9SZGVPL2QK53VKBky5HZKzmrJvUji7XXJJvaw2NGnOrklD3agbBjCAAQxgAAMt3QCh1MVs7vCzaS5iAAMYwAAGMNBaDGztd4W379WhCZ0VnN1Djy/oqRfyR+gl/1i9uXG6fr99tj7Ys8CbffXpgWX6/NAKL8wyIRZLCFo07S9m056fjb/maqCuWG5tgdzqPLnHs+UcW5Gc1VSxWM6h+cmwqXSS4jvGKbYxuYxexLo7GTiZcImGEDXAAAYwgAEMYAADGDj3BgilWksjiNdJ0xMDGMAABjCAgaZuoHToddo7uq23ZGDV9Nt0Yt59enppP2/mlQmvXlk1Ua9vmKq3tszUB7sXyOx79UVFljcLi9lWBFfMtsNAqzJgZpjW5MutypVTuVROxSLF6/dsiu+ZqnjpJMW2j1Vs83DF1g+U2bMpErhHkcKbk/s1MZOJBtO5bzBRU2qKAQxgAAMYwMDpGCCUaurNGZ4fDUQMYAADGMAABjCQNGBmW+0acq3KRtyoQxM6eXtdVc+4XXWz7tYTi3p7e169UDhSL/rH6vUN07zwygRXnx961FsysFU1rJvrzA6eN7OSMJA0UFecnNlUuUzOwbmK75+lWOlkxXZOSAZNG4courafomt6KxrooYj/TkWK6gMns4weDRFqgAEMYAADGMAABjDQNA0QStHkodGHAQxgAAMYwAAGWoaBTb0u8fa62jHwau0edr0XXpm9rg6O66gjE7vq6JTuOjH/Pj2zvL9eKBjpzbx6Z+tMfVS2UCcrsggDCAMwgIHVNRTHAAAgAElEQVQLZMDvLannzXAqnyOnbLpiux5UdNNwRc2sppX3JYMm3x2K+G5TpLC7IgVdk/s35XRQmFlONJiaZoOJ48JxwQAGMIABDGDgdAwQStGEahlNKI4jxxEDGMAABjCAgdMxsKn3pdrc5zJt6Xu5tvW7QtsHXCkTYu0c9GPtGnyN9o+5Scen3erte/V87jD9qvgBvblpuv6wY46+PJKj8LF8RaoKvBGtKfL2u4rX+eSYYZbToqlPDTDQOgwEfXLNMPs21RXJrS1MjpqC5JJ6hxfKKZ+j+K4HFdv2gBc2RVb1UqT4VkXyOiuS1+lUyJTTXmEzuymrLYETjZzTaeTwOTjBAAYwgAEMYKA5GyCUOp3mBZ9DkwsDGMAABjCAAQxgwBgwgda+0W295QPNsoGPzb9fLxSM0MvWWL2xcbre3TlHH+xZoI/2Ldan5cv0xeEV+qoyR+Hj+V6ARWjFvkcYaAYGTNBkQqbqPLnHs08to1exWM7hBcmwqXSi4jvGKVa/jF5y+bxbFc5u15wbBDx3GlwYwAAGMIABDGAAA+fbAKEUDSYaTBjAAAYwgAEMYAAD59LAzsHXaO+otjr8YGeZPa9OzLtPzyzrp+dyhurlwDi9snqiXt9o9rx6OBlg7V2sLyqy9NXRXG/GFaFFMwgtmA3VfGdDmRmNNflyq3LkLZ9XsVjxcrNn0yOKl01V3OzbtH2sYptHKLZ+gKKreyli9mwqvFlhM7uJpfPOd5OC708jDAMYwAAGMIABDLRsA4RS57IBwfeioYUBDGAAAxjAAAYw8KcMmKUDdw25VntG3KDDEzrryKSuqnn4DgUf6aEnF/XR08v66xeFo/SSNVa/Wz9Vb22ZqY/2LtLnhx5V5HhB8w0DCHI4dhfCQG1R/cympXIOmrBplmKlkxTbOSEZNG0cqujafoqu6ZPct8l/ZzJwyu/CLKeW3fygucXxxQAGMIABDGAAA03DAKHUn2oa8P9pLGEAAxjAAAYwgAEMXEgDm3pdom39k3td7R52vcpG3Kjyse11aHwnHZnUTcceukUhM/tqeX/9PH+EXl09yZt19WHZQn1+8FGCjwsRfPAzLo4zM8spNcOpfLbiZdO8sCm6eYSi6wYouvI+RUvuUcR/hyK+27ywKVLQrX7vpvYKr2hDI6JpNCI4DhwHDGAAAxjAAAYw0HoNEEpdyAYDP4uGFgYwgAEMYAADGMDAuTCwqfel3v5WW/te7gVY2wdcpZ2DfiyzdGDp0Ou0/4F2Oj79NgXn3KPnc4fpV8Wj9ebmGd6eV18eyVakqkDR6kJvxGqKFKstVrzOJyfo9wZLCLKE4HkzYIKloE+u2bfJG0Vya80wezjlntqzadeDim0bo+i6gYqs7q1I0S2K5HdRJK+zImYZvdwOCue0Vzj7puQMJ5bVo7HTehs7HHuOPQYwgAEMYAADzckAodS5aArwPWguYQADGMAABjCAAQw0JwNmNpbZ9+rQhE6qnXmnHlvQUz/PG66XrXF6Y8M0vbdrnszMq4/3LdGn5ct00ux5VZmjcH2Ydd4CC2YgXZwZSOeq7iZk8sKlPDnHc+qX0Vsm58gSOYcXyjkwW/HSSYqbPZs2DvGW0Yv47kgun5fVtjldSPNcafxgAAMYwAAGMIABDGDg7AwQSjWn5gHPlWYXBjCAAQxgAAMYwMCFMrBj0NXaO6qNF1xVz7hDobn36pll/fWz7CH6dckEb9nANzZN19tbZ+qD3Qu8fa+88OporuK1xc07XDlXIU1L+j5mdlN1Xv3yecvkVCxWvHyu4iZoKpuq+O7JipmwactIxdb1V3RVL0Wsu70ZTuHcjiydd3YX7DQ6qBsGMIABDGAAAxjAQEszQCh1oS7q+Tk0kDCAAQxgAAMYwAAGWpKBLX0u064h12rPiBu84OrIpK7erCt7dg89ubiPF2D9omiUXgqM0+/WP+SFV6l9r74+lkdo1dQCq9rC5MwmM6vp4DzF989SrHSSt2eTFzRtGurNbIqu6a1ooIci/jsVKeyucH5XhZnl1NIaBbweml8YwAAGMIABDGAAA+fLAKFUS2oM8FpodGEAAxjAAAYwgAEMNCUD2/pfKTPjavew67V3ZBuVj22vwxM6q3JSNx2fdmty9tXy/no+b7heXTNJb26a4S0b+Fn5cva2OpehlZnldDxbTuUyOQceUbxsmmI7xiu6ZaSi3qym+xUtuUcR605FfLcpUnSzIgXd5M1wMvs2rWhzvi5I+b40OzCAAQxgAAMYwAAGMNC6DBBKNaWLdp4LTSQMYAADGMAABjCAgdZkYFPvS2VmXG3te7m2D7hKOwZerZ2Dr/FmYJkga9/odqqacZvsOffouZyh+mXRaL21eYbe2zXX2+cqWl2oWE1RctQWK17nk2NG0N/yQq2gX643fHJNyGT2b/JGkbesnnNogZzy2YrvmqjYtjGKrhug6Ore3vJ5kYKuiuR3ViSvc33Q1EHhnJsUzm6ncBaBU7h1NQFo+nC8MYABDGAAAxjAAAYupgFCqdZ00c9rpcmFAQxgAAMYwAAGMNDSDJSNvFEHJ3RS9cN36PEFvfR87lC9bI3T6+un6v3d8/Vh2SJ9sn+pPi1fppNHsvVVZY4iVQUygZYbtJrAMoL+ZLhUW5gMl6pyksvoHV0uxyylV7EoObvJ27NpjGIbhyi6pq8ivjsULujO0nk0FC5mQ4GfjT8MYAADGMAABjCAgTM1QCjV0i7KeT00mjCAAQxgAAMYwAAGMHDKgJmBVWaWDhzXUTUP3+nNunpmeX89lz1Uvy6ZoFdXJ5cNfHvrLL2/e4E+2rvIm4X11dFcbwaW+12X0TOzmqrz5FbVL59XsVjx8rmKH5jtLaMX3z1Fse1jFds6SrF1/RRd1UsR6y5vhlM4p8OZXuDx+TQFMIABDGAAAxjAAAYwgIGmbIBQigv2Uxfs1IJaYAADGMAABjCAAQy0NgObe1+qXUOu0Z4RN+jQ+E6qmNhVtTOT4dWTi/vo2eUD9IvCUXo5MF6vrXtI72ydpQ/2LNBnB5frq8pcuTUFco5lyTmyWM7BeYrvm6lY6WRvz6bYlpGKbRqm6Np+iq7prWighyL+OxUxM5zyuzDLiWZBU24W8NzwiQEMYAADGMAABjBwPgwQSrW2i25eL40mDGAAAxjAAAYwgAEMnJmBrf2u0I5BV2v3sOu0d1QblY9tr8MPdlbdjFv1aaDPv3kzm3y3p/dvCud2TO7ZtIL9mtiv6cbzcSHP96RBhAEMYAADGMAABjDQXA0QSnFBfmYX5NSLemEAAxjAAAYwgAEMYCBpYM/AK/T+8s7/RvBC8IIBDGAAAxjAAAYwgAEMYOC0DBBKcUFNUwUDGMAABjCAAQxgAAMYOBsDhFKnddHZXO/g5Hlz9zEGMIABDGAAAxjAAAbOvQFCqbO5+ORraFpgAAMYwAAGMIABDGAAA4RShFLcDYsBDGAAAxjAAAYwgAEMnJEBQimaCTQTMIABDGAAAxjAAAYwgIGzMUAodUYXn9xleu7vMqWm1BQDGMAABjCAAQxgoLkZIJQ6m4tPvoamBQYwgAEMYAADGMAABjBAKEUoxV2xGMAABjCAAQxgAAMYwMAZGSCUoplAMwEDGMAABjCAAQxgAAMYOBsDhFJndPHZ3O7g5Ply1zEGMIABDGAAAxjAAAbOvQFCqbO5+ORraFpgAAMYwAAGMIABDGAAA4RShFLcFYsBDGAAAxjAAAYwgAEMnJEBQimaCTQTMIABDGAAAxjAAAYwgIGzMUAodUYXn9xleu7vMqWm1BQDGMAABjCAAQxgoLkZIJQ6m4tPvoamBQYwgAEMYAADGMAABjBAKEUoxV2xGMAABjCAAQxgAAMYwMAZGSCUoplAMwEDGMAABjCAAQxgAAMYOBsDhFJndPHZ3O7g5Ply1zEGMIABDGAAAxjAAAbOvQFCqbO5+ORraFpgAAMYwAAGMIABDGAAA4RShFLcFYsBDGAAAxjAAAYwgAEMnJEBQimaCTQTMIABDGAAAxjAAAYwgIGzMUAodUYXn9xleu7vMqWm1BQDGMAABjCAAQxgoLkZIJQ6m4tPvoamBQYwgAEMYAADGMAABjBAKEUoxV2xGMAABjCAAQxgAAMYwMAZGSCUoplAMwEDGMAABjCAAQxgAAMYOBsDhFJndPHZ3O7g5Ply1/H/z96dwMdV1f0fL5uURUXAx0dFbcncUPY2M2lBQAoIWJbmplAoe0UElH1TkW1o5ibdkznTAiFzEyhlK1stUGibzJkiKuACPj7KpiCiyL60nTtJ5gy//+tOin/lodAZJsksH18vXix2kju/+24z9/s9514MYAADGMAABjCAAQwU3wClVCEXn7yG0AIDGMAABjCAAQxgAAMYoJSilGJVLAYwgAEMYAADGMAABjCQlwFKKcIEwgQMYAADGMAABjCAAQxgoBADlFJ5XXyyyrT4q0yZKTPFAAYwgAEMYAADGCg3A5RShVx88hpCCwxgAAMYwAAGMIABDGCAUopSilWxGMAABjCAAQxgAAMYwEBeBiilCBMIEzCAAQxgAAMYwAAGMICBQgxQSuV18VluKzg5XlYdYwADGMAABjCAAQxgoPgGKKUKufjkNYQWGMAABjCAAQxgAAMYwAClFKUUq2IxgAEMYAADGMAABjCAgbwMUEoRJhAmYAADGMAABjCAAQxgAAOFGKCUyuvik1WmxV9lykyZKQYwgAEMYAADGMBAuRmglCrk4pPXEFpgAAMYwAAGMIABDGAAA5RSlFKsisUABjCAAQxgAAMYwAAG8jJAKUWYQJiAAQxgAAMYwAAGMIABDBRigFIqr4vPclvByfGy6hgDGMAABjCAAQxgAAPFN0ApVcjFJ68htMAABjCAAQxgAAMYwAAGKKUopVgViwEMYAADGMAABjCAAQzkZYBSijCBMAEDGMAABjCAAQxgAAMYKMQApVReF5+sMi3+KlNmykwxgAEMYAADGMAABsrNAKVUIRefvIbQAgMYwAAGMIABDGAAAxiglKKUYlUsBjCAAQxgAAMYwAAGMJCXAUopwgTCBAxgAAMYwAAGMIABDGCgEAOUUnldfJbbCk6Ol1XHGMAABjCAAQxgAAMYKL4BSqlCLj55DaEFBjCAAQxgAAMYwAAGMEApRSnFqlgMYAADGMAABjCAAQxgIC8DlFKECYQJGMAABjCAAQxgAAMYwEAhBiil8rr4ZJVp8VeZMlNmigEMYAADGMAABjBQbgYopQq5+OQ1hBYYwAAGMIABDGAAAxjAAKUUpRSrYjGAAQxgAAMYwAAGMICBvAxQShEmECZgAAMYwAAGMIABDGAAA4UYoJTK6+Kz3FZwcrysOsYABjCAAQxgAAMYwEDxDVBKFXLxyWsILTCAAQxgAAMYwAAGMIABSilKKVbFYgADGMAABjCAAQxgAAN5GaCUIkwgTMAABjCAAQxgAAMYwAAGCjFAKZXXxSerTIu/ypSZMlMMYAADGMAABjCAgXIzQClVyMUnryG0wAAGMIABDGAAAxjAAAYopSilWBWLAQxgAAMYwAAGMIABDORlgFKKMIEwAQMYwAAGMIABDGAAAxgoxAClVF4Xn+W2gpPjZdUxBjCAAQxgAAMYwAAGim+AUqqQi09eQ2iBAQxgAAMYwAAGMIABDFBKUUqxKhYDGMAABjCAAQxgAAMYyMsApRRhAmECBjCAAQxgAAMYwAAGMFCIAUqpvC4+WWVa/FWmzJSZYgADGMAABjCAAQyUmwFKqUIuPnkNoQUGMIABDGAAAxjAAAYwQClFKcWqWAxgAAMYwAAGMIABDGAgLwOUUoQJhAkYwAAGMIABDGAAAxjAQCEGKKXyuvgstxWcHC+rjjGAAQxgAAMYwAAGMFB8A5RShVx88hpCCwxgAAMYwAAGMIABDGCAUopSilWxGMAABjCAAQxgAAMYwEBeBiilCBMIEzCAAQxgAAMYwAAGMICBQgxQSuV18ckq0+KvMmWmzBQDGMAABjCAAQxgoNwMUEoVcvHJawgtMIABDGAAAxjAAAYwgAFKKUopVsViAAMYwAAGMIABDGAAA3kZoJQiTCBMwAAGMIABDGAAAxjAAAYKMUApldfFZ7mt4OR4WXWMAQxgAAMYwAAGMICB4huglCrk4pPXEFpgAAMYwAAGMIABDGAAA5RSlFKsisUABjCAAQxgAAMYwAAG8jJAKUWYQJiAAQxgAAMYwAAGMIABDBRigFIqr4tPVpkWf5UpM2WmGMAABjCAAQxgAAPlZoBSqpCLT15DaIEBDGAAAxjAAAYwgAEMUEpRSrEqFgMYwAAGMIABDGAAAxjIywClFGECYQIGMIABDGAAAxjAAAYwUIgBSqm8Lj7LbQUnx8uqYwxgAAMYwAAGMIABDBTfAKVUIRefvIbQAgMYwAAGMIABDGAAAxiglKKUYlUsBjCAAQxgAAMYwAAGMJCXAUopwgTCBAxgAAMYwAAGMIABDGCgEAOUUnldfLLKtPirTJkpM8UABjCAAQxgAAMYKDcDlFKFXHzyGkILDGAAAxjAAAYwgAEMYIBSilKKVbEYwAAGMIABDGAAAxjAQF4GKKUIEwgTMIABDGAAAxjAAAYwgIFCDFBK5XXxWW4rODleVh1jAAMYwAAGMIABDGCg+AYopQq5+OQ1hBYYwAAGMIABDGAAAxjAAKUUpRSrYjGAAQxgAAMYwAAGMICBvAxQShEmECZgAAMYwAAGMIABDGAAA4UYoJTK6+KTVabFX2XKTJkpBjCAAQxgAAMYwEC5GaCUKuTik9cQWmAAAxjAAAYwgAEMYAADlFKUUqyKxQAGMIABDGAAAxjAAAbyMkApRZhAmIABDGAAAxjAAAYwgAEMFGKAUiqvi89yW8HJ8bLqGAMYwAAGMIABDGAAA8U3QClVyMUnryG0wAAGMIABDGAAAxjAAAYopSilWBWLAQxgAAMYwAAGMIABDORlgFKKMIEwAQMYwAAGMIABDGAAAxgoxAClVF4Xn6wyLf4qU2bKTDGAAQxgAAMYwAAGys0ApVQhF5+8htACAxjAAAYwgAEMYAADGKCUopRiVSwGMIABDGAAAxjAAAYwkJcBSinCBMIEDGAAAxjAAAYwgAEMYKAQA5RSeV18ltsKTo6XVccYwAAGMIABDGAAAxgovgFKqUIuPnkNoQUGMIABDGAAAxjAAAYwQClFKcWqWAxgAAMYwAAGMIABDGAgLwOUUoQJhAkYwAAGMIABDGAAAxjAQCEGKKXyuvhklWnxV5kyU2aKAQxgAAMYwAAGMFBuBiilCrn45DWEFhjAAAYwgAEMYAADGMAApRSlFKtiMYABDGAAAxjAAAYwgIG8DFBKESYQJmAAAxjAAAYwgAEMYAADhRiglMrr4rPcVnByvKw6xgAGMIABDGAAAxjAQPENUEoVcvHJawgtMIABDGAAAxjAAAYwgAFKKUopVsViAAMYwAAGMIABDGAAA3kZoJQiTCBMwAAGMIABDGAAAxjAAAYKMUApldfFJ6tMi7/KlJkyUwxgAAMYwAAGMICBcjNAKVXIxSevIbTAAAYwgAEMYAADGMAABiilKKVYFYsBDGAAAxjAAAYwgAEM5GWAUoowgTABAxjAAAYwgAEMYAADGCjEAKVUXhef5baCk+Nl1TEGMIABDGAAAxjAAAaKb4BSqpCLT15DaIEBDGAAAxjAAAYwgAEMUEpRSrEqFgMYwAAGMIABDGAAAxjIywClFGECYQIGMIABDGAAAxjAAAYwUIgBSqm8Lj5ZZVr8VabMlJliAAMYwAAGMIABDJSbAUqpQi4+eQ2hBQYwgAEMYAADGMAABjBAKUUpxapYDGAAAxjAAAYwgAEMYCAvA5RShAmECRjAAAYwgAEMYAADGMBAIQYopfK6+Cy3FZwcL6uOMYABDGAAAxjAAAYwUHwDlFKFXHzyGkILDGAAAxjAAAYwgAEMYIBSilKKVbEYwAAGMIABDGAAAxjAQF4GKKUIEwgTMIABDGAAAxjAAAYwgIFCDFBK5XXxySrT4q8yZabMFAMYwAAGMIABDGCg3AxQShVy8clrCC0wgAEMYAADGMAABjCAAUopSilWxWIAAxjAAAYwgAEMYAADeRmglCJMIEzAAAYwgAEMYAADGMAABgoxQCmV18Vnua3g5HhZdYwBDGAAAxjAAAYwgIHiG6CUKuTik9cQWmAAAxjAAAYwgAEMYAADlFKUUqyKxQAGMIABDGAAAxjAAAbyMkApRZhAmIABDGAAAxjAAAYwgAEMFGKAUiqvi09WmRZ/lSkzZaYYwAAGMIABDGAAA+VmgFKqkItPXkNogQEMYAADGMAABjCAAQxQSlFKsSoWAxjAAAYwgAEMYAADGMjLAKUUYQJhAgYwgAEMYAADGMAABjBQiAFKqbwuPsttBSfHy6pjDGAAAxjAAAYwgAEMFN8ApVQhF5+8htACAxjAAAYwgAEMYAADGKCUopRiVSwGMIABDGAAAxjAAAYwkJcBSinCBMIEDGAAAxjAAAYwgAEMYKAQA5RSeV18ssq0+KtMmSkzxQAGMIABDGAAAxgoNwOUUoVcfPIaQgsMYAADGMAABjCAAQxggFKKUopVsRjAAAYwgAEMYAADGMBAXgYopQgTCBMwgAEMYAADGMAABjCAgUIMUErldfFZbis4OV5WHWMAAxjAAAYwgAEMYKD4BiilCrn45DWEFhjAAAYwgAEMYAADGMAApRSlFKtiMYABDGAAAxjAAAYwgIG8DFBKESYQJmAAAxjAAAYwgAEMYAADhRiglMrr4pNVpsVfZcpMmSkGMIABDGAAAxjAQLkZoJQq5OKT1xBaYAADGMAABjCAAQxgAAOUUpRSrIrFAAYwgAEMYAADGMAABvIyQClFmECYgAEMYAADGMAABjCAAQwUYoBSKq+Lz3JbwcnxsuoYAxjAAAYwgAEMYAADxTdAKVXIxSevIbTAAAYwgAEMYAADGMAABiilKKVYFYsBDGAAAxjAAAYwgAEM5GWAUoowgTABAxjAAAYwgAEMYAADGCjEAKVUXhefrDIt/ipTZspMMYABDGAAAxjAAAbKzQClVCEXn7yG0AIDGMAABjCAAQxgAAMYoJSilGJVLAYwgAEMYAADGMAABjCQlwFKKcIEwgQMYAADGMAABjCAAQxgoBADlFJ5XXyW2wpOjpdVxxjAAAYwgAEMYAADGCi+AUqpQi4+eQ2hBQYwgAEMYAADGMAABjBAKUUpxapYDGAAAxjAAAYwgAEMYCAvA5RShAmECRjAAAYwgAEMYAADGMBAIQYopfK6+GSVafFXmTJTZooBDGAAAxjAAAYwUG4G/rOU6mwI/KqQizFew0U8BjCAAQxgAAMYwAAGMFBtBiilKKVYFYsBDGAAAxjAAAYwgAEM5GWgOx0Z940RH/zPtQPXxG3rEbfBetq1rTdd28pW24Ul75cwBQMYwAAGMIABDGAAAxjYGAN3nLCbvNp0QLmtTOR4WU2LAQxgAAMYwAAGMIABDAyVgazn1L/tOaFnPSe0OuUEr5KWPb/wQSc1QkaM2KRzauCL8cnWt+IN1lmubbXGbevB9SXVuo25MOPXcAGPAQxgAAMYwAAGMIABDFSDAXZK5bUicqguevk+BCwYwAAGMIABDGAAAxgYXgN9KSf0p3Qk+KDXXBfzmoLnpZ1xh0h4r//6Vxm1oX9oPzO4RbsdqOmwAxPjjbWnddqBZreh5gHXtv5RDReZvEfCFAxgAAMYwAAGMIABDGBgQwYopSiluFULBjCAAQxgAAMYwAAGMBDKek7w1ZQTXNnbHJyXckKnp5tCE3ubgjUyf9+tNtQ/feJ/D4dHbOpO3uWz7Uft/PXOKYG6eGNgaocdaHVt6zHXtno3dKHGf+ciHgMYwAAGMIABDGAAAxioRAOUUgQQBBAYwAAGMIABDGAAAxioUgN9XiT4lBcJLvScuuNSLaFx6Zaxo2Rm8PMSHrHpJxZOhfwCv6RSkwJbLjpsr23cybt8paOh5viOhprrXdt6yrWt113bWuPaVn8lXnzynghVMIABDGAAAxjAAAYwgAFKKQKIKg0guB3O8N4Oh/kzfwxgAAMYwAAGhtJAxnNCaz0n9IbnBJ9OR4LXe5FxJ6Sb9hot4d22FRXYctBKqI0trvxb/nU0WrvGG2tOcxsCN7oNgUdd23rGta03XdsyXLxz8Y4BDGAAAxjAAAYwgAEMVIIBSilKKUopDGAAAxjAAAYwgAEMVJiBrOfUv+05oWc9p/6RlFPnpppCZ/U7Y8dKeOLmG9sTDduvkxEjNrm5ccwO8cnWt9xG6+xO22pzGyz/mVR/cm1rbSVciPIeCFQwgAEMYAADGMAABjBQnQYopQggKiyAGMoVt3wvVnhjAAMYwAAGMICB0jGQTjmhP6WduuWeE1zoRYLnp53gQdI87ovDVi4V6xvndlEdvctod3LNQa5tTXcbAi1uQ41fUr3MhXx1Xshz3jnvGMAABjCAAQxgAAPlaoBSilKKUgoDGMAABjCAAQxgAANlaCDrOcFXUk5wZW9zcF7KCZ3ul1C9TcEaCU8cWaw+qOS+jv9MKnfyLp+NTxn9jQ67JhhvDEyNNwbmdzZYv3JtyyvXC1OOm1AFAxjAAAYwgAEMYAAD1WGAUooAogwDCFYkl86KZM4F5wIDGMAABjCAgaE00Os5wSe9SDDqReqOT7XUBdNN40fLzODnRUZsUnIF0lAckF9SdU0fNXLxpMDnOqYEdhooqWpucBut37u29ZZrW2tc2+rjAr86LvA5z5xnDGAAAxjAAAYwgIFSN0ApRSlFKYUBDGAAAxjAAAYwgIESM5DxnNC6gedCBZ9OO3U3pJ3giQO7oCZ8zt8JJUumbjYUnU/Zfg//ln/u5NG7uHbgONcOzIvb1iOubf3Rta1XXdvKlPqFKsdHmIIBDGAAAxjAAAYwgIHKNEApRQBRYgHEUK605XuxshsDGMAABjCAAQyUhoF+zxs41T4AACAASURBVAm97j8TynNCj6Yioc6UU3dm/8xxe0t4xKZlWwyV0oH7u6ncyTuH4o01p7kN1uxO27rHta2nXNt6h4v9yrzY57xyXjGAAQxgAAMYwAAGStEApRSlFKUUBjCAAQxgAAMYwAAGhsHAO54TetJzQks9p25+qqnu+14kNF7CwR1Lqcup2GNpn7Lrl+NTavaLN1gnunbgmk67donbYD1dihetHBNhCgYwgAEMYAADGMAABirHAKUUAcQwBBCsSC6NFcmcB84DBjCAAQxgAANDaaDPiwSf95zg0pRTF0lH6k7ymkP7ebP22knag1tUbPlTDm9s/tSdtvKfR+U21u7d1VB7hGvXzHDtwArXtt7j4r9yLv45l5xLDGAAAxjAAAYwgIFSMEApRSlFKYUBDGAAAxjAAAYwgIHBMJB2Qu+ui4RWpyLBplQk1JCaERqXnhn8uszZa5ty6Gqq8hhlxIhN/Fv9LZ4U+Fzn1MAXXTtwmGsH5rp24PFOu/Zt17bWubbVVwoXsxwDoQoGMIABDGAAAxjAAAbKzwClFAHEYAQQfE1cYQADGMAABjCAgaox8L7nhPxnQqU8J/SO59Q94UWCc3ojdUf7BdTbM4Ofl/DEkTwbqgIqLv+Wfx2N1pTORmuO2xB41LWtP7m29aprW/2EAeUXBnDOOGcYwAAGMIABDGAAA8NhgFKqasKCobw1C9+LWwFhAAMYwAAGMICByjbgl1BvpJzQn7zmkPacoPIi405IN+01ugKqF97CxkxATQps2WHXBOONNaf5JVWnbd3j2tZT63dTyXBc3PI9CVUwgAEMYAADGMAABjBQ+gYopSilWMWMAQxgAAMYwAAGMICBTzZQ/7YXCT7lOaGfeU6wLdVU9/1US11QZu3y2Y3pMPg1FT6Bjsmjv+Q27rx/px042bVrw5127RLXtv7o2tb7BAOlHwxwjjhHGMAABjCAAQxgAANDZYBSigDikwMIZsSMMIABDGAAAxjAQBUa6POc4HOeE1yaioScdKTuJK85tJ8X2fur0h7cosIrFt7ep5mA/0yqjimBnbpsa2x8inWka1szXDvwsGtb7wzVhS7fh1AFAxjAAAYwgAEMYAADpWmAUoqApQoDFm4nVNm3E+L8cn4xgAEMYAADhRt4x4sEE6lI8NpUc9BOzagLpiPjviFz9trm03QUvLaKJyAjRmyyZOpOW3XZo7brmjrqvzsarUNzz6SyrSdc23rPtS2PZ1KVZlhAiMN5wQAGMIABDGAAAxgYDAOUUpRSlFIYwAAGMIABDGAAA1Vl4H3PCWU8J+SlndC7nlP3hNcUnNvbPG5yumXsqHdb9vyCzN93KwmP2LSKqxTe+lBMIHfLv4aaRrehZrZr1/7Cta1nXNt6jZKK8GMwwg++Jq4wgAEMYAADGMBAaRiglKqqAIJVw4WvGmZ2zA4DGMAABjCAgXI20O85odc9J/SM54SSnhNUnjNuWnpm8OtD0T3wPZjAJ06g/czgFp1TAnWubU137cBc1w7cF7etJ13beovwoDTCA84D5wEDGMAABjCAAQxgoBgGKKUopVgZjQEMYAADGMAABjBQcQb83VBveZHgU16k/n4vEoymnOAZKSdYJ+Hdtv3EgoBfwASGewLXN9b8V3xKzX5xO3BKvKH22k67dklno/W/rm1li3EhzNcgUMEABjCAAQxgAAMYwMDwGKCUqrgAopxX8HLsrEDHAAYwgAEMYAADhRvo9ZzQs54TXJpy6iLpSOiUdCS4vxfZ+6sSnrj5cHcMfH8mUPAEuqaPGtnZUPM1fydVfIp1pGtbM9yGwEPsohqeEIHwhrljAAMYwAAGMIABDHwaA5RSlFKsjMYABjCAAQxgAAMYKFMDkeDbqUjdqlQkeK0XqWtMRcaF/OdCSTi4dcEFAC9kAqU8ARkxYpMlU3faKj519+3dybt8xbUDh8XtmlmuHfi1a1vr3AYr7dpW5tNcJPNaQhYMYAADGMAABjCAAQwMngFKqTINIApfQcvqY2aHAQxgAAMYwAAGysuAfys+4zkhfyfUGi8S+rUXCc7rbR43Od00fvR74X23l/n7biXhEZuWcpfAsTGBQZ9A59TAF+N2je021Mx27dpfuHbgWde2XnNtq49QYfBCBWbLbDGAAQxgAAMYwAAG8jFAKUUpxcpoDGAAAxjAAAYwgIGSM9DvOaHXB27HV/9IygkqL1J3vH8rvkEP9vkGTKASJrBk6ojN4pMD41zbmh5vrJ0ft2uXurb1uNtQ+0/Xtkw+F838WkIWDGAAAxjAAAYwgAEMFM8ApVTJBRCsXC6vlcucL84XBjCAAQxgAAPFMODvhnrTiwSfSjuhBzwnqFJO6PRUS2iczNlrm0roCHgPTGBYJ+Dvouqwa4IdDTXHdzbWXOHatYtc23rCta21BAzFCxiYJbPEAAYwgAEMYAADGPgkA5RSlFKsjMYABjCAAQxgAAMYGBYDa/0SynNCt6ebg1emndCp6Uhw/9SscV+RJVM3G9YAn2/OBCp5Au1nBrfomjrqvzsmj97LfyZVp239yG0M3BW3A39lFxUhyieFKPz/GMEABjCAAQxgAAOfzgCl1LAEEMVYTcvXYFU2BjCAAQxgAAMYKDMDqUjw755Td7fXHPpRygke6e+E8m/JJ+3BLSq5A+C9MYGSnkDX9FEjrzvy61+4+ajar3Y11B4QtwOXx+2AjtuBd9Y/jyrj2tb7hA+fLnxgfswPAxjAAAYwgAEMYMA3QClFKcXKaAxgAAMYwAAGMICBohrwb8VnPCfUl3JC73mRYCLlhMLpprqD05Fx33gvvO/2Ep44UmTEJiUd1HNwTKDaJ7B4UuBz7uSagzps66q4HVjh2tYz659J5VFSEagQqmEAAxjAAAYwgAEMFGaAUqqoAQSrlctstTIBHP4xgAEMYAADGCiSgbQXCf3Tc0LPpJpDq1KRkJNqDh0h4d22rfZcn/fPBCpiAjJixCY3N46pjTcGpnY0Bhy30bqrs8H6lWtbr7i25e+kEv5iBhjAAAYwgAEMYAADGPhkA5RSBDFFCmIo5CjkMIABDGAAAxioJgP+TqhXPCf0a88JLfWaQrM9p+643ubxtdyKryIqCN4EE/j4CbRP3fnzXbY1Nt5YMy1uW1fG7dpbXNt6Im4H3iOI+OQgghkxIwxgAAMYwAAGMFC9BiilKKUopTCAAQxgAAMYwAAGNsrAGs8JPek1h+5IO6ErPCc0LdVSXy/+7fi4Fd/HB/j8v0ygkifQfmZwi/Ypu37Zbazd27UDh3Xa1o867cCSuB14gV1U1Ru2ELRx7jGAAQxgAAMYwMBHG6CU2qgAoppW/fJeWeWOAQxgAAMYwAAG1htIOcGXvebgEq859KNUU91RqZa6oDdrwk4Snrh5JWfsvDcmwAQ+xQS6po8aeXPjmB06G2q+Fp9sfcttDPwk3hhIrN9F5d/qL8szqT46oCC4YS4YwAAGMIABDGCg8g1QSlFKsTIaAxjAAAYwgAEMVLmB9z0nlPWcUMZzQmu8SFCnIsFr0011B6dbxo5a0zx+BwlPHMluqE8R0vNSJsAERoxYOHW3bbvswMQO27oqbgdWuHbgWde2XnVty6OkqvzwhYCNc4wBDGAAAxjAAAYGDFBKEUJVeQjFSnB2A2AAAxjAAAaq00Dac0Kvek7wOS8S6k5FQs46p+5wCQe3JjtnAkyACQzJBOKTawLxxsDUjsaA49rW3a5tPeba1j+45R+BFYEVBjCAAQxgAAMYqGQDlFKUUpRSGMAABjCAAQxgoAoM+LugXvGc0G88J7TMawrN9iLBqb1NYy1pD24xJAE034QJMAEmsKEJtE/d+fNdtjU23lgzbWAnVe0trm094drWu5UcSPDeCNwwgAEMYAADGMBA9RmglCKEqoIQihXw1bkCnvPOeccABjBQ5QZSTug9zwk96Tmh29NO8CovEjoh1VJfLy17foFb8W0oGee/MwEmMOwTCE+cuHn7lF2/fONASfUdt9G6rNMOLInbgT+zi6r6QhuCOs45BjCAAQxgAAOVZoBSilKKUgoDGMAABjCAAQxUioFUJPii5wTv9Jzgj1NNocmpyLiQF9n7qxKeuPmwB80cABNgAkygkAl0TR81sv3o2h277DGjOhsDB8btwOVx2+qO24F1rm1leR4VQVWlBVW8H0xjAAMYwAAGKtsApRQhVKWEULwPLGMAAxjAAAaqysD7nhPKek5o7bqmumQqErw27Yw7pLelfuc14eCOEp44kt1QhaTfvIYJMIGymUD70V/ZOj7Z+lbctq6M24EVrm0959rWa65teRRVlR3kENRxfjGAAQxgAAMYKGcDlFJVFd5wG6Mqv40RYS2/3zGAAQxgoIwNeF5z/WueE/qzFwn2pJy6yNqWuoMlHNy6bAJkDpQJMAEmMJgTWHT0LqPjjYGpcTvQ7DZa97q29bjbaP2dW/4RWpVzaMWx4xcDGMAABjBQeQYopQinyjicomSjZMMABjCAAQxUroGM54Re8ZzQb71I/f1eU3Cm1xw6trcpWMOt+AYz1eZrMwEmUBETWDwp8Lku2xrb0VBzvGsHrnEbrMW5ksq23mEXVeUFO4R1nFMMYAADGMAABsrJAKUUpRSlFAYwgAEMYAADGCgFAykn9J4XCf3Oaw7dlm6uv3qdEzwx1VJfL+Gx23ErvoqIyXkTTIAJDMcEwhMnbt4+ZdcvxycHxnU07HyEa9de4tpWV9y2nlp/qz8ppxCDYyV0wwAGMIABDGAAA+VtgFKKEKoUQiiOAYcYwAAGMICB6jSQdkJ/8JzgnZ4T/HGqKWj7JVRq1rivsBtqOJJrvicTYAJVMYGu6aNG3tw4Zof4lNHf6GywJsTt2nPjtnV33A68QcBT3gEP54/zhwEMYAADGMBAORiglKrOAIjgj/OOAQxgAAMYwMBwGEg7oXc9J7TMi9Rf6kVC49Mt+4xa2zzuizJ/363YDVUVcThvkgkwgVKcgIwYsYmaFNgyd8u/Ruv8uF1zj2tbz7i29aprW+tc28qWQ8DBMRLEYQADGMAABjCAgdI3QClFIDUcgRTfE3cYwAAGMICBijewznNCr3pO6M/pSOjBdf5OqBmhcX7xRPlUiok0x8QEmAAT+NAE2o+u3dG1ayfFbevKuB24w7Vrf+Ha1gtug5Um7Cn9sIdzxDnCAAYwgAEMYKBUDVBKVXwgxAPgK/cB8Jxbzi0GMIABDJSSgV7PCf3Vc0KPeU5oabo5eGXKCU1a50z40odiTv6VCTABJsAEym0CS6butJU7eZdd3MmByR2NgZ902pbrNlqrXdt6hV1UBF6lGnhxXNjEAAYwgAEMlKYBSilKKVaqYwADGMAABjCAgQINvOE5oV+mnJCbbg7+xGuun7LWCe0h4d0+U255K8fLBJgAE2ACGzmBcHjEpv4zqboaxux5Y0Pg8E478AO30eqM29aTrm2lCH9KM/zhvHBeMIABDGAAAxgoFQOUUoRQBYZQpbQym2NhpwAGMIABDGBg6Aw8mYqEOj0neF6qOXTEOqd+7Jrm8TtsZJTJL2MCTIAJMIFKm0D7mcEt/Fv9dRy9y2i3MbBv3K49d+B2f4HXSiX44DgI4TCAAQxgAAMYwEDpGKCUopSilMIABjCAAQxgAAMfY+Atzwn9zIvUX+o1Byekm8aP9ksodkNVWqrM+2ECTIAJFGkCMmLEJkumjtisa/qokfHJgXFx27ogbtfc49qBZ13b8ouqddzyr3RCIQI6zgUGMIABDGAAA0NtgFKKEOpjQihWnQ/dqnNmzawxgAEMYGC4Dazzmutf85zQC+lI6MF1zaEf+bugJDxxc1kydTMJj9i0SHElX4YJMAEmwASqcQLxqTttH2+s+U7ctq507cCdrm390rWtF1zb8oY6COH7Eb5hAAMYwAAGMICB4TNAKUUpRSmFAQxgAAMYwEBVGuj1nNBLnhN6wt8JlW4OXrmupf47a5vHfbEas1LeMxNgAkyACQzhBPxdVDc27lwbbwgcHbcDl69/JtUjrm39w7UtQ0g0fCERs2f2GMAABjCAAQwMtgFKqaoMoYZ7JTbfn90AGMAABjCAgeEx8LrnhH7hPxMq3Rz6qRcJHbPWCe0h7cEthjCK5FsxASbABJgAE/j/EwiHR2zq76LqahizZ24nVUPgh5225cZt63frb/Ungx2M8PUJ3zCAAQxgAAMYwMDQGaCUopRidTwGMIABDGAAAxVrIOtFQr/zSygvEjw/1Vx3lH9LvvfC+27//9NA/okJMAEmwASYQAlNoP3M4BbtR9fu2G4Hajobar7pNtaeE2+wbo/bNa8QFg1dWMSsmTUGMIABDGAAA4NlgFKqYkMoVqAPzwp05s7cMYABDGBguA284Tmh+zwneInXHJzQ2xSsWRMO7ijh3T5TQpEjh8IEmAATYAJMYOMm4O+kGiiqvrJ1fHJgnGsHLuxotO51bes517Zed20r5dpWdrBCE74ugRwGMIABDGAAAxgorgFKKUopVsdjAAMYwAAGMFB2Bt73nFDKc0J+AfVS2gktX9dcf2lqRmicqMCW/u34ZMnUzTYu7eNXMQEmwASYABMowwnceuTXv9DRaB0at60r3cbAXa5tPeba1gvrSypu+WcXNzwijGOeGMAABjCAAQwUywClVNmFUMO9+prvzw4ADGAAAxjAwPAYSPsFlOeEfu05oZ+lm4NXrnPqDl/TPH6HMowSOWQmwASYABNgAsWbgJoU2PLGxp1r3cmByR2NgZ+4ttUVt61H3Ebr765tZYoVoPB1COMwgAEMYAADGMDApzdAKUUpxep4DGAAAxjAAAZK1EBz/WueE3o05QS70k7oCi8SOmbtjPrd2QVVvByTr8QEmAATYAIVNgEZMWKT+NSdtu+YvMteHQ07H+E2Bs5xGwI3dtjWb13bWkuQ9OmDJGbIDDGAAQxgAAMY+DQGKKVKNIQanhXYrHxn7hjAAAYwgIHhNZDxnNBvU5FQp+fUX5CK1B+9bub4vd8L77t9hUWGvB0mwASYABNgAkMzgYHnUdXu2HXMzpbbuPP+uZLKtm6L24GXP02YwmsJ4zCAAQxgAAMYwEBhBiilKKVYHY8BDGAAAxjAwDAayO2GCt7rOcFLvObghN6mCdba5nFf9J8LNTRpHd+FCTABJsAEmECVTMDfRbVk6ojNlkzd7TOLDttrm84pgTrXDlzoNli3uw3W065tvb5+NxW3/OOZVDyXDAMYwAAGMICBQTJAKTWMIdTwrsRmJTzzxwAGMIABDAydAeM5oXWeE3rTc0IvpyOhh7xI8OKUE6yTcHBrUYEtJTxx8yqJBHmbTIAJMAEmwARKbwJd00eNjNujx8cbAhfF7dpbXLv2F65tPefa1rusgi5sFTRzY24YwAAGMIABDHyUAUopSilWx2MAAxjAAAYwUHQD73tOaI3nhP7iOaHH1jl1t3uR4KXrnLrD323Z8wull8RxREyACTABJsAEmMC/JuDvpuqYEtipo3H0oXHbusC1rXbXtlbFbevPrm31flS4wn8jdMMABjCAAQxgAAMbZ4BSqughFKvOh27VObNm1hjAAAYwUEoG/OdBvZRqrluVdkLt65qDl6ac4JHppr1Gi4zY5F9BF//ABJgAE2ACTIAJlNcEFh32pW3ajxk1pqPROrSzofYM1w60xu2aR1zbepPwaePCJ+bEnDCAAQxgAAMY+MAApRSlFKvjMYABDGAAAxgozEDKCb7rOcFHPCe0INUc/EHKCU3qaw6OkVm7fLa80jaOlgkwASbABJgAE9ioCYTDIzbtskdt124HauJ27fh4Y81p63dS/eGDoIW/E7phAAMYwAAGMICBDRuglCoshCK8Y24YwAAGMICBqjSQ8Zzgc6mm4M29zaGzUi11wd6mYM174d2355lQGxXl8YuYABNgAkyACVTWBPxb/alJgS0XTt1t265jdrbiDQF/J9Ui17aecW3rDde21rm2ZQimNhxMMRtmgwEMYAADGKguA5RSVRmoldKtjjgWbr2FAQxgAAOlaMB4Tmid54TeTDnBv3iR4JJ007jv9TXV7Srh3baV8MSRsmTqZpWVqvFumAATYAJMgAkwgaJNoGv6qJGdUwJ1rr3zhW6DtbizwfqVa1vPu7b1DsFbdQVvnG/ONwYwgAEMYOA/DVBKUUqx0h8DGMAABjCAgdD7nhNa4zmhFzwn9Pg6p+52L1J3oRcZ+02Zs9c2RQuo+EJMgAkwASbABJhA9U3A301181G1X+1oHH1o3LYucBsCN7q21R23rT+7ttVLUPWfQRXzYB4YwAAGMICByjZAKUUQSRCJAQxgAAMYqFID/Z4TfDHVXLcqHQneuM6puyzlBI9Mt4wdVX1pGe+YCTABJsAEmAATGLIJtB/9la3bjxk1xrUDh3Xa1pmuHWh17UBy/e3+hCCusoM4zi/nFwMYwAAGqt0ApRRBZJUGkaV4qyiOiVuYYQADGBh0A8G3PSe02nOCC1NO3TkpJzSprzk4xr8l35AFUXwjJsAEmAATYAJMgAl8MIFweMSmXfao7eKTawIdUwL7xBtrTos31tzgNlq/d20rW+2hFe+f4BYDGMAABjBQeQYopSilKKUwgAEMYAADFWwg4znBZ1OR4E3p5rrve5HQ+N6WusB74d2355lQH6Rh/J0JMAEmwASYABMomQn4t/pbMnWnrRZPCnyu65idrXhD4Iy4HbjFtQPPurb1lmtbKde2DAFd5QV0nFPOKQYwgAEMVIsBSimCyAoOItlxMOg7Dvj9w+8fDGCgZAwYzwmlPKf+7ZQTfNGLhO5IOcEz+mbsvfvbM4Ofl/n7biXhiZuXTODEgTABJsAEmAATYAJMIJ8JqEmBLeOTA+Ncu+a8Ttu61bWtx9c/k+od17ber5YQi/dJYIsBDGAAAxgofwOUUiUTplGgUKBgAAMYwAAGNt5A1nNCa/xnQnlO6Il1Tt3tXqTuQi9St4+Eg1vnk/Hwa5kAE2ACTIAJMAEmUFYT8HdTtU/5xpc7Gkcf6tqBC92GwI2ubXXnSqoGK01YV/5hHeeQc4gBDGAAA5VsgFKKUopV/hjAAAYwgIEyMdDvOaEXPCfUnYoE4+uaQz9KNYWO8CJ7fK2sgiQOlgkwASbABJgAE2ACxZyAf7u/9mNGjelsCBweb7DOcu1Aq9sYSLi29XolB1q8NwJbDGAAAxjAQHkaoJQiiCyTIJLdAxu/e4BZMSsMYKBSDLzvOcE3PSe02nOCC71I6NyUE5rU1xwcI+Hdti1mlsPXYgJMgAkwASbABJhARUwgHB6xaZc9arv45JpAZ0PNN+ONNad1NNRcH7etJ3kWVXkGdwSunDcMYAADGKg0A5RSlFKUUhjAAAYwgIESMtDvOcGnU5FgV7o59D3/dny9TWOtNc3jd5AlUzeriLCIN8EEmAATYAJMgAkwgaGaQHjixM3bj/7K1n5R1XXMzpbbWPP9uB24xbWt51zbete1LY+yirCz0sJO3g+mMYABDJS2AUopgsgSCiIrZWU/74NdKhjAAAY+2YDxnJCXckLvpZzg37xI8LZUU933+5zQHu+27PkFmbPXNhKeuPlQ5TV8HybABJgAE2ACTIAJVNUE1KTAlm7j6L3jDYEfurZ1m2tbj7t24FnXtt5wbStLmFfaYR7nh/ODAQxgAAPlbIBSilKKUgoDGMAABjAwBAaynhNa4znBFz0n9MS65tAdXlPwAm9GcIKEJ46sqhCIN8sEmAATYAJMgAkwgVKagH/Lv/aja3eMT6nZL/dMqobAgluO22P1ouN2f6lryi695Rx6ceyEthjAAAYwgIHSM0ApRRA5BEEkOwY+eccAM2JGGMBA5Rlo2UfS8w7qS0cnvdq74MjfptWkG9PRw07zInt/tZRyGI6FCTABJsAEmAATYAJVOwG5v31r0bExmaQ6wOjotKyOnpPRba1v3h1OvNR18V+fXnBW7xORE2TFRYfKHSePE4K90gv2OCecEwxgAAMYKDcDlFKUUpRSGMAABjCAgaIYaK6X9JxvSe/CydLXdar0336u9N93eW/mocg/s92tTxqtHjJa3ZFJqmg20fZTk4x91+gFR4mO7iGPtH65asMg3jgTYAJMgAkwASbABIZiAv6HLv/DV1arczNazTRa3We0Sma1+l1Gq2eMjv3dJNVbJqmyRiv54K/elfPk3Z9F5NU7rpC/3Hi+PDbjOLn/h9+SrmPGUFLZBKHlFoRyvJjFAAYwMPwGKKUIIosSRLLDofJ2OHBOOacYwMDGGPB3Q0UPl77Ok6X/roslc//VknnIEdM9T4yO/ivL+CDTWP/3941W64xWrxqtXsxq9ZTR6ldGq2VGq1hWL7jQJGNTJaH2lp9f94WhyGj4HkyACTABJsAEmAATKLsJSDi8qejw5qK7RsqKOdvIcvU50a3biVb7mJ62qdmkutYk1c1GR/0PWn8zWr1ptHp3/Qex3g+XTx/6wPaRH+Qyiaj0rpov3sNzZO0DLfL8DefKo1c1yj2nT5BFx+0uNx27q3Q21lJWUVZhAAMYwAAGMLBBA5RSlFKUUhjAAAYwgIFPNNBcL17LBPFm7ivpeQdLb/xEydx1kWQeiohZNUdMz3wxiQ2WUB+ZaXxE7uGXVf0mqVImqd5bn5u8mkmqPxqtlme1munfUUYS6kDRraMGcpeF2+ZymCXhz8iSJZuVXZjEATMBJsAEmAATYAJM4JMmIL9p30IenfVZWRn7Sm9368593W179SfaJphktDGrY2dnteowWq0yydhfch+m/m2X00d84NrYD2Z5/7p3l0bkuet/KI9c0SA/O2t/uWt6vSyeticlFaHkBkNJdisM/24FzgHnAAMYGA4DlFIEkZ8YRG7MSnl+DTsqMIABDFSWAb+EmvVN/5lQ0qsmSW/HNOm/4zwxy5vEJNryzigGKQ952STVL7KJaGc2oa42yegpGR2b2K9bx/qPRhCtdpLuBTvIL+dvJSKbn0GIJwAAIABJREFUfFLew//PBJgAE2ACTIAJMIFhnUBu19PD87eX1VGrv0eN92+1Z3TbydlE9OKsjrZkk+pOo1XCaPXC+t1OpfKh7P8cR3rFPHnltsvlj+r78otrjpGHL/i23H36eFk0dTcKCkoqDGAAAxjAQJUboJSilKKUwgAGMIABDOQM+Lfim3/IwDOh4idK320/kMzSn4pZNff/5AyDVDIV6/u87D8awSTVPUZHr8/q6BVGt33PJNXRGd22vyQW7J4rrJarLYc1eOKbMwEmwASYABNgAtU5AX97t3S3fUl069iMVt82OnpGRqsf+/cxNjp6i9HqYaPVr9c/4ylV4h+8NuoDnP9MqpcXXSZPLzhbHo9Mk5UXHyZ3nFJHKFnloeRwrM7ne7IrBAMYwMDwG6CUIogkjMYABjCAgSo10Fwv6TkHDpRQXadK/+3nSv/Sy8U83Cymp3Wj8oUyykj82wL+I6vV/xittNGxe/3CKpOINme1Ossk1BRJLthXuhfU+nfIqc6EjHfNBJgAE2ACTIAJFH0C/gMypbut3uiYndXqkkyyLWqSaoXR6lH/wZoZrZ4zWr1utFpbRh+sPtUHxd6V88Qvqf55+0/lzzeeL4/NOE4eOOfA3POoCAqHPyjkHHAOMIABDGBgsA1QSlVpEMlttirrNlucT84nBjCwsQb83VDR70hf58nSf9fFkll2lWQecsR0z/tU2UIZZyiZ3LOrkuql9c+u+vXAIxmibu6WgAl1unSrA0TPDxQ9pOILMgEmwASYABNgAuU5gdxOJ/85T8vVlrn7BOuF28ojrV+WROzwbCJ6ZkaruUarOzJJ9ay/KsZo9YbR6p3cLfeSqq+MPzgV/QNjJhEVv6RKPTRb1tzfLM+3nyc/v8rO3erv5qm7yU3HjOGZVOymYkcdBjCAAQxUmAFKKUopdkhgAAMYwEAFGvCfCdUyXjy/hJp3sPTFT5TMXRdJxn8m1Mo5Yrrni0lEi54rVFDG4pdVntFqTa600urV9Y9v0CYZa89qdaUk1JGSUHvnnjt+f/vWortGypLwZ3I5Fc+wKs+QkaNmAkyACTABJvDvExD/B7y/02n1wq/lnvOUUHvnnvWUUKf7HwZyt9pLxlavL5z4YKVVUWfw7s8cee6Gc+SRK21ZeuZ+suS0kCyeticlVYUFk4O9Gp+vz44PDGAAA6VngFKqAoPIjV0tz69jZwUGMICByjHgl1CzvinpeRNzO6F6O6ZJ/53nifFLKMqnouYjH1G8rc1q9Qejo3dnkyrqL5A2ydik/p4FdX3+86tWtX194LERC7f1n1/+71kX/8wEmAATYAJMgAmUwARy5dOK6/9Luq/bK9MT/ab/IEqjYydnk7GrTCKmjFYPDDzjSf3TaGU+4sPAYH/YqPqv7++meuW2y+WP6vvy6NVT5OELvp3bTbXouN1ZPU9JhQEMYAADGCgzA5RSlFLskMAABjCAgTI14O+Cmn/IwDOh4idK320/kMzPrhDTPbfqc4uSyIqS6j2j1fO5Z5Un1KJsIjojq9W5/vOr/Geai144VlbHRotu3U7C4U1LIJLjEJgAE2ACTIAJVPYEcuVTz4JviF64v0lEG/wfzBkdDfsPmjQJdZvR6pFsUv3e6Fz51FsSHyiKvPuoUt7Te8sceXnRZfJ07Cx5vGmarLz4MLnz1CChZJmFkuxeKL3dC5wTzgkGMDAUBiilyjSIZHdD5exu4FxyLjGAgY010Fwv6bkHDpRQXadI/+3nSmbp5WIebhaTaKOIKpfMJqneMlr92X++udFqmUlEOzOJ6PysVheaZPSUTDJ6kOjoHtK9YAfKqsrORnl3TIAJMAEmMEgTyN1PV7eOEt060ejY8Rkdixgd7Rh4cKT6xfoHSb5otHrb8Iynsv8Q6e+ievdnEfnnbT+VP994njzWdLw8cM6B4j+TaiiCNb4HAS4GMIABDGAgPwOUUpRS7JDAAAYwgIESNjBz39zt+Pr8Esp/JtSyqyTzkCOme17Z5weVslC3aO9jYGfVPzNaPZ1Nqt8arbRJtt2T0WpmVkfPMXrBUbJajZMVc7YZpAiPL8sEmAATYAJMoHQnICKb5B7cqMOb50qn5WpL/4fiwLbjmJ3VsQuMjsYzyegKo9VfTVL9w2j1eq54GnhQZH/RfmiXy0qYKjzOTCIqfkm1bvks8XdT/fnG8+XnV9m5W/3ddOyu0jVlF55JxW4qykoMYAADGBhmA5RSJRxEbuzKeX4duywwgAEMVICBevGax4vXMkHS8w6WvvgJkvFLqOVNklk5e6CE4tlQ1VfEJVXWaJU2Wq0xWr1ptHrVJNVLWR190n+2em7hdzJ6ivTEDpZV7Z8X3TVS/IzuN+1b5HI7bgtYuuEqR8YEmAATYAIbnoA8OuuzuS3DuQczLqjtX63G+fe+zSaj52V0bI7RaqlJqsd5vpOqvg9Hn6Joe29Zszx/wzny86sa5b7vf1PuPC0oi6ftKZ1TagknhzmcZIdBfjsMmBfzwgAGyt0ApRSlFDskMIABDGBgGAw014s365uSnjsxtxOqt2Oa9N95vpiHImJ0lHzhU+QNVbsIOldgRf2F4T1Gq66sjl5qkuqE/p4FdX2J+bvnFpL3XP9VWa4+55dWG04C+X+YABNgAkyACQzRBHLFk/+Mp54FdRkdm2iS0Ub/XrbZpHKMVjcYrbqzWv3BDOx04gMSH5CKZqB31fzc7f7+qL4vj141RR6+4Nu53VSLjtudgoqCCgMYwAAGMDDIBiilhiGIZEdDBexowA0lBgYwUIAB/1Z88w+R3oVH53ZC9d32A8ksu1JM99yiXV9XbSFDRvNxhjJGq5eNVr80SfWzbELNzibU+f4jNkwyNkl61HhZ3bqrPKK+KDo8cohiSL4NE2ACTIAJVNME5OfXfUF06yh/t5PR6thsInpxZqB46jJa3Wd07LFMUj1rtHrHDGwT/rgfbPx/fPApuoH37m+WlxddJn+KnSm/dk6QnsuOkHu/t490HTOGYHKQg8lyX+3P8bNjBQMYwED+BiilCggVKZUolTCAAQxgYGMMtEwQb95B0rtwsvR1niL9t58rmaWXi3m4WUyirejX0hRS3MEmTwNp/3EbWa1+4y9ENwm1KJNU0WxC/TSrY2dn9MLv5AqrR1q/LDq8eTVlp7xXJsAEmAATKHACA+VTbIxJLmjsT6ofZLSaaxLqNqPVKqPVo+uLp78ZrdZSPvHBJc8PLkP24bmvu1XW3N8sr91xpbwQv0B+23KyrLjoULn1xL3FbeRWf4Sv+YevzIyZYQADGPhPA5RSlFLsdsAABjCAgSIamLW/pBccLX2LTpf+uy+V/mVXSca/JV/3vCG7ji7V63uOq2yyJ7+sesto9Xw2qX5vtEoarR4wWsWyWl1pkrGpkojtJ1rtRFlVYGjLy5gAE2AC5TQBEdlEwuFNcw8r9B9a6P+lW7eThNrbJKLHZXXsAqPVXUZHnzBavWh07O/rH4T4rtGql/KpbD4A8GH1o3agJaLi3+pv3fJZ8u4yR/5206Xy2IzjZOlZ+8nNU3eTrim7SCdFFbvJ2E2GAQxgAAN5GaCUKmIQuTGr5vk17K7AAAYwUCEG6sXznwvVPF686OHS23Wq9N9zmWQeciSzcraYnvk8G+qjruv5b+Wb9yRVn9Fq3fqc8Z8mqV4yWv154K5LfmEVOzt3O0B/Z9WS8GcGMsvw5rkMMxzetJzyV46VCTABJlCVE8j9we0/eNC/n6v/nCe9MNDfo8abRNsxWR37SVarmL/byejoi6w0oWjCgJLU8tnyUufF8njkeFl29gGy5LSQ3HrCXtzyj2A2r2CW3RP/uXuCeTAPDFSHAUopSil2SGAAAxjAwEYY8MunWftJet5BklZHSK9/O767LxHjF1AULcwAAx8yEF3nPx7EJNWd/iNDsj2xs/3dVX06uod0t+4sPfO/Kg/P317ub9+6KoNf3jQTYAJMYDgnkFs54K8g6F5Q65dOmZ7YwUZHp2V19Jysjs0xOnqL0eqRjI79iQ85lE8Y2DgD/T1t8uZd18iz1/1QfnXtVFl58WFy3xn7yuIT9mInFSUVJRUGMIABDHzIAKXURgSR7GqokF0NnGuKBwxgIE8DfgnVdqj0Xtcgve7J0nfHeZJ58FoxPa0fCuA37lqVa3rmVPUGktH3slo9ZbR6yCRj7dmEutokYica3XZURrft359Qe+cKK9263XDmtXxvJsAEmEDFTEBWtX3d/8PV38pqdOzkbFJd9m/PeXo4q9XvjFYvGK0yVf9DihUmfMAtogF/F9Urt14uzyz8gfy6+UTpuewIufeMfdlF9aFQkh0R1bEjgvPMecYABj5sgFIqz4CSgoqCCgMYwEDlGmiZIOn5h0jv9Y3Sd9N06bvzAulfdqWYlbPEJKJcpxfxOp3ci4LuXwaSKmu0emP9gvxH/d1VfmGV0dFwVreda7Q6NqPVt3M7rPTCbSsmKOaNMAEmwASKOQF5pPXL/Ym2CbniKRH7kUlGF+ae85SMrTZa/Tqj1XNGq1eMVp7R6v1//SHMD3c+4GFg0A30dbfKmmXN8uodV8hfOi6Q37acLCsvOlRuO2ksu6goqdg9gQEMYKAqDVBKUUqxcwIDGMBAVRuYvb+kFx4tfYu+l7sdX/+yqyTzcDO7ocgnBj2fIA/8xGLOGK3eNVr9LaPVM0arnxutlhsduymjoy0moU43iegR/t2n5NFZny1mtsvXYgJMgAmUxAREZJPcX+HwpuL/tWTJZrntpN1t9Vm94Bz//qhGx+7NJtVvB3Y7xf5ukuoto9UaM/AgQMonPtDwgaYEDfSunC/rHpwl7y6NyN9uulQen3GcLD1rP7np2F0pqQinqzKc/vAOCv6dXTUYqHwDlFKE0VUdRrPjpXJ3vHBuObcfaaBevOZ68aKHS2/XqdJ/z2WSWR6RjL8Tqme+GM1uKIqSTyxKyHaGP9vxyyp/of/bJqleM0n1ktHq+Uwyutok1G3ZZOwik4geJzo2Rn45f6tcjutnueuz3ZIImjkIJsAEmMAHE8j9IaW7Ropu3U5WXP9f/rbQ3kTbLpJs3dfo2PFZHQ33+3+4afU/65t6fhAN/w8izgHnYFAMpB6aLS91XSJPRKbJsrMPkCWnBmXxCXtyyz+KKooqDGAAAxVngFKKUopSCgMYwEBFGmgeL57/TKh5EyWtJklv5ynSf88lYlbOGZRrSMocyhwMlKaBTFI9a7TqzupoW66w0guO6l+txkmPqpHVC78meu6Oslx9zt+A8EFGzN+ZABNgAkWfQK4Zv79969xOp0TbLpmkOiD3nKdk9BT/OU9ZrRYYre7IavW/RqtX+aFSmj9UOC+cl6EykOlpkzfvvkaeve6H8qtrp8qKiw6T+87YV249YS92UxFOV1w4za6Yyt8VwznmHH/YAKUUYXRFhtEfuUOCc825xkDFG/Bvxdd2qPQunCy97knSd+d5knlwhpieNoooFrRiAAP/YWD941UeNTp6SyahZhsd+55JqCmZhDqwv2dBXa606m77EmVV0aN5viATqPwJiF64rayOWqLVPkbHbKOjp2WS6tqMjrb5xZPR0ZXrG/PXhyrg5vtQpmCgvA34u6j+edvl8szCH8ivnROk57JJcu8Z++Zu+ffhoI9/J/zFAAYwgIFSN0ApRUhd8SE1BRW3ccNA5RpomSDp+YdI7/WN0nfTdOm783zpX3almJWzxSS4FR/ZQ3lnD5y/YTl/aaPVn41WTxgdvd8k1CL/kS1ZHb3UaHVSRke/069bx/obHSo/VecdMgEmsFETEB3dI6NjE41W07PJ6OVGq8W5P0C0+nlWx540Wr2Yu9coKwP+Y2UAP+SG5Ycc56BCfh/2dbfKmmXN8uodV8hfOi6Q37acLCsvOkxuP3ksu6jYRcUuKgxgAANlYYBSilKKUgoDGMBAWRnwd0Nd1yB9i74n/XdfIv3LrpLMw81ielq5zq6Q62xyKnKqEjTgl1WvrN9d9YR/O0CjY7dnEtH5Wa0uNEl1guR2V1FWbVSIzy9iAuU4AVkd29P0xCZltbrEJGLK6OiqrFZ/MFr91ejY341Wbxqt1pqkypbgH2J8SOJDEgYq2EDvynmy9sGZ8s59TfI3/5lUTcfL0jP341lUBNNlEUyX+m4Ojo8dRxgYHAOUUoTRZRVGs+Olcne8cG45txsy0FwvXtvh0tt1qvTfc5lkljdJZsUsMT3zxWh2Q5F7UeBgYNgMvG+06jVavWu0esMk1UtGq+ezWv3GJNvuGdhhpc7NlVXdC3YoxwyeY2YCFT0B0eHNxX/Gk27fUR5p/bKsjo0W/1lPPeowSahTTUJdZ7RaarR6wWjVzx+2w/aHLWVKBZcp/L4a3N9X3kNz5G83XSJPRKbJsrMPkDtPrZPF0/akrKKsoqzCAAYwMOwGKKUopSilMIABDJSEgebx4s3aT9JzD5S0miS9nadI/z2Xilk1lyyCLAIDGKgEA29mtfpdNhHrzCaiM0THjvcfN9Obe+xM6yh5RH1RdOt2slxtKSKbVHQZwJtjAkM5gVz55P/m0q2jpFvtlrvVXiJ6hEm2fT+ro1cM3G5PrcrduzOpUoTkgxuSM1/mi4HhMZBJROWtu8Py3HU/lF+Gj5UVFx4q931/X7n1hL245R/h9LCH0+xEGZydKMyVuZayAUopwuiSCKM3tEOC/87uGQxUsIF68fxb8bUeKr0LJ0uve1LumVCZB2eI6WmrhACa90CRggEMbIyBNzI69iej1ZJsMrowdztAHZ2WSUQP6ddqH3/jhv8MK1kxZxvKqqFsMvheZTcBCYc3lZ9f9wX/NnuiF+5vdOzkfh09J6NjkayOXm+0us9opQdut5fb4rgxv0H5NfxBjgEMVKQBfxfVq7f/VJ5ZeLY8ETlBei6blCupbj52VwoKSioMYAADGBh0A5RSlFKUUhjAAAaGzEDLPpKef4j0Xt8ofTdNz5VQ/cuuFLNyNrfi43q/Iq/3WQw8PIuBK2Tur2S1+l+joytzz6/SqjWrY9cYraYbHbP9XVbSvaBWdNfIsisPOGAm8Gkm4Lez0r1gB+lprTMJdWQ2VzxFwyap7jRaPWC0+lVWq/8xWv3TaLWmQv5A4IckH5QwgIFBM9Df3SprljXLq7dfIX/puEB+23KSrLz4MLn95HHsoiKYHvRgupR3cnBs7DTCwOAZoJQijB6yMJodLxW844XfR/w++hgDsw+Q9HW29C36nvTfdbH4JVTm4WYxCXZDkZNRWGAAAwUYeN1o9aJ/K0Cj1SMmqe4xOtqR1bGf+IVVJhk9SHR0D/+OZZ8m9+e1TKAkJiBLwp+RRGw/k4idmNHRsEmoG33867cXvmi0esVo9Y7Ral0Bv5kGLeDlWPjDHQMYKGcDvSvnydoHWuTte2fIS12XyJOzT5Xl5x0ktxy/BwUFJRUGMIABDBTFAKXUxwSplCiUKBjAAAbyN+A/Gyr6HentOlX677lMMg82SWbFLDHd89kNxQJP8j8MYGBwDJj1G0LeMFq9bJKxv2ST6vdGR1eZRExldexSoxccJXrumJIoGjiI6p5Armjy70ep23eUlbGvyOrYaH/bn188ZXX0UqOjcaPVKpOM/sNolTFaGZNUWaPV++v/4g+SwfmDhLkyVwxg4CMN+M+j8v9Kr5gr/7z18lxJ9dD5h8idp9blnkl107G7sqOKkLooITW7UgZvVwqzZbalZoBSilKKHR4YwAAGCjLQMkG82ftJeu5ESceOlN6bT5fMfZcP7IBKRCmguKb9yGvacl40yrGz6LlMDbyfy/MHMn0/209ldNR/htVSo9UCSca+m+lRh4leGJCeBd8QvfC/c3dG++X8rWTJks2quz3h3X+qCcj97VvnMOnYmP6eBXX+Nj6/HfVvt5dNqmuNjt3r32rPaPXq+tKJHxx8eMAABjBQRgbeW+bICx0XyBPOCbLqksPlZ2ftJ7efNFa6jhlDQUFJhQEMYAADH2uAUoowuqAwmt0j+e8eYWbMrNwNNNeLN+dbkm47THqvaxjYCXX3JWIebuHasYyuHcs0VMcYxjAw+AbS/g4ro1W3/wyrrFY/Ngl1akZHv5PpafuWJBbsLrp1lOjW7eQ37Vt8qrKCF1fWBESHR8ojrV+W1WqcD8a/j2Q2Eb04k1Czs8lYu0mqnqxWv8ndai+p+vhBRMOPAQxgoPIM+Lf8e+Ouq+W5G86R37ScJPonR8mys/eXxdP2/NhQstRW7nM87CbBAAYwMDQGKKUopSilMIABDGzQwMxvDpRQNxy7/plQF0nm/mvW34qv8q6luD7mnGIAAxj4PwbWGK3+apKx1Uar+7LJ6MJMIjqjX0fPMcnoKf7jfmR1bM/chhh2VlVW2fThdyPL1Za57XQ9bd8yOmZnk7GrMjraZrRaYrR6yCTV4xmtnjNavWkon2jSB79JZ8bMGAMlaiDT0ybrHpwpr915lbzYeZE8Nec0SfzoSLn7u+PZRcXOCUpKDGAAAzkDlFKE0RsMo8t9VwfHz84kDBRkID3vIOltP1b6Fp+VeyZU//1XS2bFTK75SvSajwD9/wToWMUqBobGwFqTVK9ltXrKaPVLo9Uyk1C3+YVVVqtzTUIdKYloUB5RX5RweNMP9xv8ewlPwL9vo/TM/+r62+2dltFqZkZH7/VPdkarp3MtpVavGK18BOx8GprfcPzBxpwxgIGyNdC3an6upHr7vhnyj1t+JL+fO12Wn3+w3HL8HoTThNMYwAAGqtQApRSlFKUUBjBQ5QZaJkh64dHSt+gMySz9qWSWRySzcraYntayve6hqKGowQAGMDBMBpIqZbR62+jY3/3bAWa1+t+sVr8zCXVjxn+MUCJ2oui2/f3HDZVwLVN5hyYim4j/oLBHZ31W9Nwdc7fb627dWbTax/gPFvNPTlLdabT6udGqd33Z1G+0yqx/3tP7/KYapt9UBPF8IMUABirMQCYRlf6eNkk/PEdeufUn8uTsU+Sh8w+RO06py93u76Zjd5XOxlqC6ioNqrl12tDcOo05M+fhNkApVeVhNDtJCtpJQonD75uyNNAyQbxZ+0l67oGSjh0pvTd/VzL3/XSgfEq0iUlEud6rsOs98kPyQwxgoGQMJFXWaGVyHYdWftfRa3T0FaOjK41WHVkdvTRXWK2OWrk7xOmF/527JeCKOdvIkvBnKq8lGsR3JA/P397f6STdarf+ZFt9Rqtvm0S0IaujV2SSKupva1v/jCf/RPDDnxlgAAMYwEBJGFhzf7O8EL9AnnBOkJUXHyZLz9xPbj95LLf8o5yioMQABirQAKUU4XpZhuuUaZRpGPhkA8314s351sAzoRZOlt6u06T/nkvFPMyt+MjgyCAxgAEMlKyB942Ovm507DGjY/4d45qy/vOrEtEjMgl1YP9qNU4SbbvkNvusmLPNIFY7pf+l5efXfcFv8DJJdYDRC44yyeh3s1pdkk2o64yO3e4/CCyTVH80Wr1rtGKnE6FzSYTO/OFbsn/44oM/I0rKQO/KefLm3dfI8zecK79pOUn0j4+UZWcfIItP2ItwugLD6eHescH3Z9cQBobeAKUUpRSlFAYwUEEGZn1T0tHDBp4Jteh06V9ykWQeCIvpmV9S1xjkEeQRGMAABjCQpwF/U88r2aT6rUmqnqx/O8CEmp3V6kKjo6dldPQ7uWdYrYx9xb9LXek3SnkcoeiF20qPqjGJ2OT+hDo9d6s9rW7wWzuTVCuySfV7/16JA/dNzG1H44c+4TIGMIABDFSMgUxPW+6ZVK/deaW86F4kv597miR+dKTcffoEuemYMZRUlFQYwAAGytAApVQFhdHsHPnknSPMiBlVoIH0vIMHSqjFZ0r/3ZdK//1Xi1kxq2KuQfIMLXnfXH9jAAMYqC4Dfln1Zkar50xSPW6SsQf9TUIZ3dbq363OJGLHSEIdKLp1VMmXVbnyaXXrrka32tlE7If+fQ0zyeiD/kO5Mjr2p9yDurR6www8uMu/FyLYmQEGMIABDFSdgb7uVln74Ex5695r5e+LfiS/nztdHr7w23LLtD0JpsswmGaHytDvUGHmzLwUDFBKUUqxSwYDGCgzAzP3kfTCydK36AzJLP2pZJY3SWblrIFnQ3FNVnXXZGSSZLIYwAAGPsJAUvUZrdb6u6uMVi/6d7Hzd1lltLrP5O5ut+C0TE/sYFnV9nXR4c3z2LeU3y/1v7jc3761LFefy91z0H9YVo+q8ZuybDJ6XlZHW4xWiYyOPrO+bPLMwMH7bZtfPHHbPT7c8OEGAxjAAAY+xkAmERW/qPIeniOv3PoT+d2sU+Sh8w+RO04eJ4un7SE3HburdDbWUlhRWGEAAxgoIQOUUmUWRlfgLg8KEQxiYAMGWiaI59+Oz38uVOxI6b35u7kSKncrvp5WMYko1yYfc21CSPsRIS3z4vcMBjCAAb/jMet7n16jlWe0WmeS6hcmqe7M6mjYaDVdkgv2ldWx0dLd9iXpXrBDbhOT7hopIpt8ZCslS5ZsliudVi/8Wt/q2J79PWq8Sagj/XsLZpPqWqOjcaOVzmj1ND+g+AGFAQxgAAMYGHwDax9okRfiF8oTzgmy8qLDZOmZ35TbTx4nXdzyj2C+hIL5UtixwjGwc2o4DFBKbSAMpvzhNm8YwMBQG2geL96cAyTddqj0Ljxaem+aLv33XCpmxUxCVEJUDGAAAxjAwNAbeD+rY08aHV1pEjGVTaifGh2z/R1W/ToWktWtu0rP/K/6pdWIe08fv/djM46Lvrnkqrv6u1ufyN1PcOgPGCTMHAMYwAAGMPARBnpXzZc3775Gnm8/V37dfKLoHx8py87eX249YS9x2UVFSUVJhQEMDLkBSilKKXapYAADw2jA3wkVPWzgmVA3ny59Sy6UzANhbsX3EdcRLCYc/MWEzJgZYwADGNgoA2tyj3jqaV3dv+zKW3tvnNo2wm2sPfW2k8b2PXTBIfJ4ZJr87eZLpW/zkMLZAAAgAElEQVTVfIJBfqBjAAMYwAAGSsyAf7u/dQ/OlNfuvDK3k8p/JlXix0fKPadPyN3qbzh2DPA92amCAQxUmwFKqWEMo4d6Fwbfj50/GCgJA+n5h0hv+1TpW3ym9N99ifTff7WYFbO4VimxaxWC2Y0KZnGLWwxgoPoMrJwt/XddJL3uSdIbOzLrzdy3b0S8sea0Dy4k/WdX3HlqnTxwzkR5au703IPY+aHCDxUMYAADGMBAaRrwn0e19oGZ8tY9YXl50WXil1T+7f4WT9tzyHcOfPBZgr9TUGAAA5VugFKKUopdMhjAwCAbmLmvpBdOlr5FZ0hm6eWSWd4kGb+E8p8LRZjJDDCAAQxgAAOlb6CnTTLLrpa+Rd+TdNthkp5zgHj+bXfXL/j5j1Lq3y8gu47ZJfeQdX8H1R+jZ8ia+1skvWKu+Ku0+RBQmuEk54XzggEMYKC6DfT3tOV2O6cemi2vLP6J/G7WKbL8/IPljlPG5X6m+4tPOrnlH4Udt3vDAAY+lQFKqUEOo9mZ8q+L9Q8u2vk75irWQMsE8fzb8c0+QNKxI6T35u9KZukVYrrnDRRQiTbyJ4JXDGAAAxjAQDkY8H9mr5ormeUR6Vt8lqSjh4vXss9/FFH//nlmg6XUvxdU/j/7q66Tlx8tf7nxfHn9rqvFD7wIP6s7/OT8c/4xgAEMlIeB3pXzcrfn/d3sU6T70knys7P2z+2MvvnYXT9VMPvhzwr8OztkMICBajBAKUVB8O8X1PwzHjCQh4GWCZKee2BuxXTvdXZu9XT/PZdxK75yCBs5RjJQDGAAAxj4sAF/89LK2ZK5/xrpv+N86b2+UTx/wclGLDLb6FLqgwvMm44dI/eesY/84uop8nz7efL2vTPEv30QwWR5BJOcJ84TBjCAgeo24O+memdpk7zoXpjbSeUvOHngnANzu6nYRUWh8MHnPf6OBQxs2AClVB4B9EZckG7MRSu/hpljoEwNNNfndkH1qknSd+Px0nfLGblnQpnlTWLYBUWO9uFwk3/HBAYwgIHyMNAzXzIPXiv9t58jfR3HS3r+wRvcEbWhz3B5l1L/foF664l7y/LzDpJfXHOMPH/DubLuQR40Sdhb3WEv55/zj4H/x959B0d15uu+995V5+x761Tde889p2r/c+vWrdpDMA5jAyJjgsFE2xIgMpicc85ROQswWTmAEAqAJJQ9M55o7/HMeMae4LE99thjexzGAXp1r9VnP7fW0jAbYzASSK3Vvb67arYAC7p7vR91v+/vWb/3xUBYGWjNlq8+VR+X79OfcjfpN1lL9P3dz6p6+VAVTn+ILiq2OMMABjBwGwOEUmFaHCcga9ddq3cqHPDnuG+3AbsbKnucAmdmyixZIbsTyqo54GzpE1bzZAqj4VEYZZwYJwxgAAOhMWDfTHI1ToGydfKfnSX/0Ynt7oq63RzivkKpGwFV3pReKp3zmKqXDdXLCbP1wblddE/xAxGaHwiuM9cZAxjAQKcZsM+NvFaXrE8rD+r9kh16LXupXtgxWefn9aUwfZvC9I15EF/v3FHCteHaRKIBQimK87dbWPNnuPCugSgZqU/If3KqE0JZl3Y750nY2/nQDcUNewSRGMAABjAQ5gZaMmVV7VQgZ46MzLHypQyTLyHqvm926pRQ6ubFZt7UXiqM7aNLy4fqV+kLnO39fA1psrcLAmGYI6Twi2EMYAADnjJgf3b7mzKcbqq/XtirVzMXqWnzeCekKprxsPKnPSi2/CN0uHkeyK/x4AUDhFKED94NHxh7z4+9fU5E8pC2EOr5Z2QWL1Pwyn4Fm9MUbMkghGKt5Km1EjVOapwYwEBEGmjJdLqb7S7nQP4CGemj5Esa1OHt+e42Z+r0UOrWhah9BlX9hjH6TfYS2QWta7VJsu/EjshBYwLCuGIAAxjAgAcM2EHVnwu36pWUeWraMt7plC6b31cFsX3oqKKjCgMYiHgDhFIEE3dbZPPfMRIxBuyt+FJHyMh6Sv7jzypQtFRW9U624vPAfJ+aHcV2DGAAAx4y0JolqyFJ1pV9zme9cWRCp4dQt86NujyUuhFS2Vv8lS+M0vd3PeNsB/Th+d0KNGVQvGQygwEMYAADGAhjA3Y31eeX4vR27ka9kjxP39v5tGpWj3C6qXKn9Ir44vSNeQ5f6RDCgHcMEEoRONy6qOb3mIgYAwlRMlKGy39kggKnpytQuETmxc0K1h1WkJuLWbOE8ZqF4rqHius45b0KA+030Jwmq3q3zNKV8p+aJiNthHzx9781X3vmRSELpW5eqBdMe1CXlg/Ti3ui9dtjK5wt/tjejw8IJgkYwAAGMBD+BoyGNH1cvs8JqX6TtUQ/2P2s85lfOP0hAio6aDCAgYgwQChFANGehTbfg5OwMWB3Q2WPV+DMTOdMKPPiFtlb9gSb0tpf1KIAyLXCAAYwgAEMhIcB+4yo2oMKnFsl/+npMjLHyGdvzxsf2rlbt4RSNwIq+xyKktmPqmrJYKeD6k95m+ie4gc4PH6AGSfGCQMYwMBdDdjb9V6rS9anFQf1fvF2p1P6hZ2TVTa/X0QUpm/MZ/jqnQ4Zxpqxtg0QSoV2wRrqBTKPx/hGvAG7Gyp1hPwnpzohlHVptyy7E6oxhTOhmN/fdX7PTYThfxMhY8gYYsCjBprSZJZvkv/0jLYgKnlIyIOom+dY3RpK3bywt7f4se+ivrCgv35yaLo+PLdb9t3WZnMmH4pMjDCAAQxgAAMRYMDuivY3puv61RT9tWyvXs1YqKbN43R+7uPOHCB/am/ZN6zcPD/g14QAGMCA2wwQShFa3Lyg5td4cK+BqLY7n5MGy5c6XP7nn5FZvEzBK/sVbEpVsDmDECoC5tcUlz1aXMYu9QEMYOBuBloyna5n69IeBXLmONvz+pIGyZcQmu357jY/ck0odeti0y5MXV453Dmfwg6ovrySILb448OWCRcGMIABDESeAfuMSbuT6pWUeWraPF5Vy4Y4Z1IVxPYhoGK7NwxgwHUGCKUIIe62yOa/Y6TbDCQOkpH6hIyssfIfj3YOK7eqd7EV390Kd/x3irsYwAAGMBAJBuyt+eoTZXdBB/Kfk5E5Vr6EAd3aEXWnOZFrQ6mbQ6qSWY+oect4/Tpzsd4t3KprtUn8oETCDwqvAccYwAAGMHCLAfsGlM8vxTlnUr2SPE8v7JisK6tGOCFV3pReritO3zxf4dd09GDAGwYIpQgc7rS45s+xEXIDzlZ8w+U/MsE5FyJQuFjmxc0K1sUp2JrNPPOWeSY3t0XezW2MKWOKAQxgIFvBxmRZVTtkFi+X/0SMjOShrgyibp4nhUUodWOBb3dPlS+MUsvWibIPT7cPUrfvrgYfb0AYwAAGMICByDRgb+Vrf96/nbPRuTnlxT3RurRimIpmPExARQcNBjDQLQYIpQgebl5Q82s8hNyA3Q2VPV6BMzMVKFku8+IWWTUHFGxOozZCCIUBDGAAAxjwioHmDFlX9ilQvNQ5J9JIH+XarqjbzZXCKpS6EU7ZX4tmPqLKJYPUtGW8Xj+yzDlInYJkZBYkGVfGFQMYwAAGbANWa7bzef9JxQG9V7Rdr2Uv1fd2Pq0LC6K6pTB987yEX3ujQ4ZxZpxtA4RShBC3W1jzZ7joMgN2N1TaCKfgZJaskFm9W1btIQUbUzgTyiuFR14nRXYMYAADGHAMZCtYnyizbF1bEJX5pJxzouLDbx4WtqHUjaKAfSC6feZE6Zzv6sV9U/RO/manYBVozgQrb1gYwAAGMICBCDZgb/VnNKY7n/sfle3RqxkL1bh5nM7NfVyFsX2UN7W37HnCjTkDXwkUMICBzjBAKBV+i94uCwvCsADAtXCz36i2O5ztQ8hThsv//DMyS5Y7d0E7AVRzOiFUBM9ruQmPm/AwgAEMYOCbBrIVbMlUsDnd6Yz2n5wqI2VYWxCVEOX6Lfq+bd4Z9qHU7RaWFxcO0M8Oz9B7Rduccyn8bPFHUZbJKwYwgAEMeMaAvbXvX0p36pWUeWraPE5VSwerbH4/tvxjqzcCSgx0igFCKTcX9Xlu37b457+50Ie9FV/qE85B5P7j0QoULZVVvcspPn2zMEWxjmuCAQxgAAMY8ISBlkxZV+NlVm6TP2eOjPSR8sWHdwh16zw0IkOpG0FVwbQHdXXdaP0iZb7TQfXFpXhn6x9P4KX46pniK575QMYABjBwZwNWS5a+uByvdwu2OJ1U39/1jOrWjlL5gv6yz6q8MWfgKx00GMBAew0QSrmwsE/HUljfKXtrkSKif584UEbaSPmPTZb/dKwChYtlXtys4NU41q/UMDCAAQxgAANeNtCa1RZEVWyVWbRUxtGJYXVGVEfnbxEdSt1YWOZN6aWy+X3VuOkpvZwwW+8X75C/MZ0fdC//oPPa8Y8BDGDAkwbsLf8+qzzk3Kzy2pFl+vGBWNWuGamS2Y8SUNFFgwEMtMsAoRShVEcX3Xy/t83Y2+z4j05SIGeOzNJVzl3PwbrDdEMxF/fkXJyb6e58Mx3XhmuDAY8aaE6TVbVDgcJF8h9/VkbqcPnCfGu+9sx9PRFK3Qin7K/2XdH29n4NG8fqV+kL9WnFAdl3UfOD79EffCbC2McABjDgaQO++lR9VnlQfynZqd8fX6Uf7Zui6mVD21WYvnl+wa/pssGAdwwQSnk7YGjPIpvv8biRhIEyMscocGamzPNrZF3aI6suTsGmVAVbsz0976LuQt0FAxjAAAYwcMSZD1h1hxUoXuGcIWmkj5IvcaCnOt89F0rdKBjYB58XxPZRyaxH1bRlvN48s845KD3QnMkWfxRoWShgAAMYwIAHDdg3qdid1NfqkvVZ1SH99uhyvbBjstNtbc8Z8qb2lj1/uDGX4Kt3QgjGmrG+2QChlMcDB7YK9FTB5NsDxqi2bXWcc6FGyH9yiqzza2XVHlSwMaWtE6qVG2ApPlKAxgAGMIABzxuwb0ppyXTmBua51W1BVMow+RIHeXZe5dlQ6uaF5Y1fF896VC/sfFpv5WxwtvbxNaRRlPRgUdLzb5SMOT/3GMAABr5h4JOKA/p11mK1bp+kqqVDVDa/n4pmPExAxXZvGPCgAUIpQqlvDyq4PpF7faLkSxosI22EjKyx8p+c5mzHF6zZ31ZoYv70jfkTa2sK0RjAAAYw4GkDzelOt7RZvkn+MzPks4MobnByrgGh1G0W0nlTe6l62RD99PB0vXV2vXO3tNmcyQSLSTYGMIABDGAAA7pel6I/F27TqxmL9L2dT6t2zSiVL+iv/GkPElDcZl514+YfvtJtFCkGCKUIXSgmeMhA4kAZaSPlPzbZ2Y4vULxMVtV2BRuSmBMyJ8QABjCAAQxg4JsGWrNk1R6WeXGLAvnPych6qq2zmjDqa4EcodRdiif29n7165/Uz+Jm6o1Ta/RVDZNPTyfcvNl+882Wa8I1wQAGPGzAbMlyuqvfyd+s17KX6scHYlW7ZqRKZ3+XgOouc6xICSh4Hd4L2wilPBRIUDz4WvHAK2GckTJc/mOTFMiZI7N0pczKbQraZ0LZ2+54eM7Da6fbAQMYwAAGMPAtBhqSZFbYQdQCGccmy0ge6sl5VHvni4RS7SyY2N1T5+Y+7twN/e9Jc/XR+d0KNGUwKWVSjgEMYAADGMDAPwz46tP0aeVBvV+yQ78/vko/2j9Fl5YP5Syqds63CHi8F/CE45gTShFKtXexzfeFiRW7GypzrAJnZ8q0z4S6tEf24ePBplTnIHIKcN9SgGMO+I85IE5wggEMYMCDBlqyZF3Zr0DBYvmPTnS6q32JAwij2nFjF6HUPRRJ7O15SmZ/V5dWDHPOl/iqJlH29n6WfWgZkzKuAQYwgAEMYAADLxyR1ZIloyFN12qTnK2AXz+6XC/smKzz8/o6W/3lTelFWHUP87BwDDF4zpEVthFKhUnQ0I7FMKGR18Yyqm37HDuESn1C/pNTZdkhVO1BWY3JzuHjwdYs5jDMYzGAAQxgAAMYuL0Bu/Zvb8/XkKRAyYq2IMo+JypxIEFUB+fehFKdUAzJn9pbTVvG67fHluvj8v26Xpd8e7j8QHNdMIABDGAAAxh44YjTTfVa9hK1bpuoyiWDVTa/r4pmPMyWf50wLyMAiqwAyI3jSSjltSCD1xu24V1ClHxJg2WkjZCRNVb+k9Nklq5SsOYAW/ExH2U+igEMYAADGGingWyne9qqPSSzbL38J6cQQnUwgLrdXJJQqpOLH+ULovSDPdHO+VN/vbDXuUOa7ikPtm/yxt7ON3Zs8P6AAQxg4PrVFL1XtE2vZizS93Y+7WwVXL6gv9NN5caCPM+J0MfrBgilCGlut7Dmz1ziwu6CSh8l/7HJ8p+eoUDxMllV2xW0O6FYo3ENMIABDGAAAxhor4HmdGdrPvPCBgVyZrdtzWff8NIJgQz/Rn8RSnVyKHVjkV4Q+6AurxyuHx+Y5pwp8VnVIbb3a+8PPd/HBwQGMIABDHjUgL0VsD1neCdvs36TtcSZR9StHaXSOd+li6qL5mw35m58JWxrrwFCKZeEDxQEKIo4BqJkpAx3QqhAzhyZJStkVm5TsC6ObiiPzqUIH7nhCwMYwAAG7tmAvT3f1XiZ5RsVyJ0rI3u8fEmDmHN1wbybUKqLCxz2eRF2IenyiuH64d4YvZu/Rf6GNIqNTJAxgAEMYAADGLirAftMqk8rD+r94u363fMr9aP9U50zLXOn9CKk6uI5XHsDCr7Pe2EWoRShFHe3drMBuxsqc6wCZ2fJtM+EurRbVt1hZ2udIOc833Vucc+FOuZtXFsMYAADGIhUAy2Zsqp3yX92lvxHJjhnT/roiurSMI5QKoQFDTugKpn1qKqWDdFL8bP017K9CjRn0kEVqW9ovC4+rDGAAQxgoBMNWC1ZzrbAX9Um6bPKQ3r96HK9sGOSzs97XHlTe8sOqnJjehJWhXBuRyDlvUDKHnNCqW4OJLrgTk1CJhePqV0QShggI+UJ+U9Nk3V+jayaA7IakhVsTnMOGydk4Y54DGAAAxjAAAY6ZMC+icUOomoOKlC4REbWOBkpw5w5B/PC0MwLCaW6uXBRu2aUfp25WB+V7ZFdZLILTh36IerEYhePyxs4BjCAAQxgIDwNtIVUy9S6baIqFg/S+Xl9VTTjIUKqbp7nEVpFZmhFKBWahSoFAQ9eZzuAShrs3J1sd0L5T06TeW6VgrUHCZ9Y91MnwQAGMIABDNyfATuIakyRVXtIgZKVMo5OJITqxpu9CKVcUqywO6hatk3Ub48t1welO3WtjoNYKYyGZ2GUcWPcMIABDHSvAV99qt4r2qZXMxbqezufVu3qkSpf0F8F0x6ki8ol8z7CqvAOq8pm9dGHh4f/B6GJB0OTbly4R6w3eyu+9FHyH50k/+npChQvk1W1Q8GmlPsrPFG44/phAAMYwAAGMGAbaEqVeXmPzLJ18p+Olc/uiGJO1+3XgFDKZcUJe4u/yiWD9P1dz+i1I0v1cfk+mc2ZvInwQYIBDGAAAxjAQIcNWK3Z+qzqkN7J26TfZC3Rjw9M09V1o3VuzmMEVC6bAxJUhU9QdX5WH31weHi3L+RYTBOKhaUBuxvKDqGef1qBnNkyS1bIrNym4NU4Zxsdbmzp3htbuP5cfwxgAAMYiAgD9tZ8dYcVKFunwJmZMjLHyJc4kPm7i8I4Qim3FiRieqho5sOqXj5UL+yY7HRQ2Xc+R8QbA0VFxhEDGMAABjDQLQaMhjR9VnnQ6aT6w4nVeilupurWjlLRjIcJqdw6J+R5uc4moRRhUFiGQd1ZhEga4myR48+dJ7N8o8xLe2TVxTl3LgdfyO6Wz0PW1RRdMYABDGAAAxFooClNZvkm+c/MkP/IeLqiunP+d5fHJpQKg4V+7pSeTrGoYvFA/ejANP2lZIf8jemy737mDTQC30Ap1OIaAxjAAAZCYMCeR9jzCftMy79VHdYfT67VD/fG6OKigcqf2pvzqMJgjkh3Vfd0VxFKEUoRSn2bgSj5bnRD2Z1Q5Rtl1R6W1ZCsYHO6gqxhmeOEYI5DnYQ6CQYwgAGvGMh2Oq2ty3sVyF8gI2O0fMlD2+YidwlFmM9923yu6/8boVSYFhzOzX1cLyfM1ofnd+vLmkT5mzKY3DK5xQAGMIABDGCgUwx8eSVRb55epx/siVb1sqEqm99XxTMfkb3NMEFI9wQhXHf3XHdCqa5fpFIkCJNrnDBAvuQhMtJGyMh6Sv6zs2ReWC+rPoHwiflIp8xHKCp7pajM68Q6BjDQAQOtWbIak2XV7FegcJEzB/HZcxJCqLC6BoRSYRpK3ShMFMT20dUNY/TL1Of0XuE2fXE5nskfCwAMYAADGMAABjrNgL8xQx+d36PXjy5zOqnq1o5WxaKBThd3bkxPQqown0vemFPytf2hF6FUmAQmFCa6pjCRNFhG5pPyH3vaCaECpaucw8ODLZyDTEGxAwVF5mmdNk/DHe4wgAFvGMhWsCFJ5qXdMs+tkf9EjHyJg7pmrsMcMiTXlVAqQgoJ9p3LFxb0V/OW8Xo1Y6HeL94uX30aEx0muxjAAAYwgAEMdKqBLy8nODfCvH5kmX56aIaaNo3Thef600UVIXNKwqm7h1OEUoRSnroT177zOH2U/MefVSB3ngKlq2VW75LVkEg3FPOLTp1feKOoSvGcccYABjDQIQMtGbJqDihQvFz+U9NkpI8SXVGRMRcnlIrAAkJB7IOyz59q2TrBCag+rTjIZJEFAwYwgAEMYAADnW7A7qL6/FKc3i/ZoT+cXK2XDs9U3brRKpr5CB1UETjHJLBqC6wIpSJjIeypYKmjd/zaW/IdnahA3jyZFzY6dyVbV+MUbGbL+A4V0ph3dPq8g+tPMRsDGMCAFwxkK1ifqMC51W1BVPY4uqI6OpcLg+8nlIrggoG9pU7h9IdUNr+fE1C9W7BFRgPdU3yAeeEDjNeIcwxgAAOhNmC1ZstoSNdXNYn6rOqQ/nhqrbPd38VFA+iiiuD5pheDKkIpQqmIDLTsbqic2TLLN8qqPSSrIUnB5nS6oQiWCJYwgAEMYAADoTHQkimraqezPbDTEZU8RL6EqJBsJReRczuXB1OEUh4rEhTPelTf2/mM3s7ZIPsQc38jC41QF+14PArFGMAABjDgNQN2UPXWmfV6cW+MqpYO0fl5fZ0zqezth70YavCa775FnpuvEaEUoVTYFi7srfiShshIfcI5FNx/dpbMCxucu5GDL2SHpuBEYY/rjAEMYAADGMCAbcAOof5+TlQgb74zPwnbOZbLAyA3XldCKY+FUjcv8GvWjNTLibP1du5G545msyWLN0U+GDGAAQxgAAMY6FIDgaYMfXR+j14/uswJqerWjlbFooFOSGV3ed88V+HX4R3eROr4EUoRSrlxYX/H52SHUBlPyn9ssvxnZilQukrW5b1OIchrN0jwerkpCAMYwAAGMNDNBlqzZNUnOOdTmsXLZRyZwBlRHg20CKU8HErdKBTY3VP1G8bo50lz9U7+Zn1Zk9ilxSg+ALr5A4BiK74xgAEMYMBFBr66kqj3CrfptSPL9NND09W46SmVL4hiyz/mqK4NKAmlCKXuGAC5oahgd0PZW/Edf1aB3LnOeQxm9c627fha6YZiLcpaFAMYwAAGMNANBprTZVXvUqBoifwnpshIG8HWfG6YN3bjcyCUYsH/jwW/vYWOXQRqC6jm6MPzu0X3VDe8UbuoUMgHNeOPAQxgAAOhNOBvytDn1XF6v3iH/nBitV46PFNX141W8cxH/jFfuXFTDV/pououA4RShFKuC6WSh8o4Okn21jf2dnzmpd2yrsYp2JzBTRisrTCAAQxgAAMY6B4DrdnOOZWBkuXyn5wiI3OMfIkDOSOqG4MgN81hCaUIpW5b5CmI7aOyeX1Vu2akfpO9RL6rKd3zBsYHB9cdAxjAAAYw4EkDVmu2jIY05wzMTysP6s3T6/TDvTHOVn+cRUUg1V2BlP24hFKEUq5Y0Ntb8uXMllm+UVbNQVkNiQo2c15wKG+k4LG4cQcDGMAABjBwGwPN6TIvbJT/1DQZ6SPlSxpMEEUQ9Q0DhFKEUrcNpW5e6NvnOxTNeEhNW8brjZNr9FnlIadIZBeLePO9zZsvxVNcYAADGMAABrrEgD33sP/3VU2i3jqzXj/cN0WVSwbr3NzHnTOpCKsIq26ew3bVrwmlCKVCFkrZW/ElDXYO/jayxsp/dpbTCRWsT1TQWYuxHmM9ynoUAxjAAAYw0M0G7K356hNlVm13bphpC6GivhFChGz+RAAUFteeUIpQ6q6h1K0L+tK5j+knh6brrbPr9cnF/U5AxQdAN38AUPzskuInrnGNAQxgwP0GAs2Z+mvZXr1+dJle3BOjurWjdXHRACeksm+suXUew+8Jru7XAKEUoVSXFlWSh8iwu6COTZb/zEwFSlfJurJPwZZM5ruseTCAAQxgAAMYcIeBlkxZV+NlVu1QIH+BjMyx8tk30xAIcQ3aaYBQilDqnos1hbF9dGX1CP3kUKz+eHqt/lZ92B1vjHxAMQ4YwAAGMIABzxr4qiZJ7xVu02vZS/WTg7Fq3PSULi4cILqoCKPuN4y68fcJpQilOrXgYhdw0kfJf/wZBXLnKnButczqnbIakv7eDeX+mwO4gYMxwgAGMIABDHjEQEOyrIqtChQukv/5Z2WkDCOEaWcI06nzxwh4TEIpQql7DqVuLMxzp/TU+bmPq27tKP300HT9KXeTfPWpni2G8UHskQ9iCt78jGMAAxhwvYFAU4Y+r47T+8U79Pvjq/TS4Zm6uu5Jlcx6VDl0Ud33HPDGXNBrXwmlCKXuu6iQPFTG0UkK5D/nbMdnVu+SdTVOwZYM17+vstZhrYMBDGAAAxjwmIGWDFmX98pfuLgtiEobSVdUBIRC9z2fvc9rQChFKNWpBYn8qb11bu5jurLqCb2cONs5f4oPK499WFGkpZiAAQxgAAMuNGCfRWU0pOnLKwn6pCMLAUUAACAASURBVOKA3jy9Xj/aN0UViwfRRcV8uEPzYUIpQql7WcQb2eOdcxbM8o2yag44Zy8Em9PphnLh5wXrV9avGMAABjCAgSMKNiTJPL9G/uPPyrCDqKRBdEXdZxBzL3PISP07hFIswju0CO/InbD2OQ7503o7AdXvjq3QpxUHdP1qinNAOW/ufMBjAAMYwAAGMNDdBuygymzJ0vW6ZL2bv0Uvxc3UpRXDdW7u4yqe+bDsm206Mvfhe72xRSChFKHUHYsD9lZ89plQqU/IyB4nf958mRVbFWxKU7A1iwCKAIqbVjCAAQxgAAPuNNCarWBzmqyGRJkXt8h/IqatGyohiiCKIKpLDBBKEUqFrNhSPOsRtWydoDdOrtFfy/cRUPFB7M4PYsaFccEABjDgaQNWS5bT6f3GydXOmVT168eocvEglcx+lI4q5s3OvJlQilDqa6FUyjAZmWPkP/a0/DlzFChbJ6suztPvo919wwGPz00vGMAABjCAgXYasLfmqz0k8+Jm+c/OkpE+Sj6CqC4JYb42fyToEqEUi+uQhVI37h62Dxq/tGKYXtwbo9ePLtdfL+yle4oCKAt3DGAAAxjAgCsN2Fv+fVC6S797foXTSWXfYFO1dIgKYvuEfA51Yy7F1+7tyCKU8ngolTioLYQ6EaNA3nwnhDIv723rhuJ93JXv4xQm21mYxC9+MYABDHjDgN0VVZ/gBFGB/AXOOZe+pMEEMQRFITVAKEUo1a0FlaKZD+vyyuH64b4YvXFqjb64HO+NDwA+6BlnDGAAAxjAQNgZMJsznTOpPji3S2+cWqufJ81R0+ZxKpvfT/a2xYRF3RsWher6E0p5MJSyt+M7/qwChYtllm+SeXlP25lQdlGH93KuAQYwgAEMYAAD4WDA3p6vaoezvbDd4W1vN0xXlAfntS4J3wilCKVcUUCxu6dKZ39Xl5YP1U8OxeqD0p2yWljkscjlrj4MYAADGMCAew34G9P1ZU2ic27mu/mbnU6qK6ueUCFdVK6YX3ZVSEUo5YXFe5SMIxPlz18gs2Kbs62N1ZCkYHMGRbdwKLrxHHGKAQxgAAMYaDPQmi2r7rACJSvkPzpJRtoI+RIHhrQjhm3rvDB37vhrJJQilHJd0cC+09g+WPziwii9nDhbH//9/Cn77mQKc+4tzDE2jA0GMIABDHjdgNmSpUBzpq7VJund/C16KX6Ws2XxuTmPqWjGw8qb2tt1866uCm4i+d8llOr4otO1xYiEAfIlDZGROlxG9jj58+bJrNjathVfS6aCrVmsPyjqYQADGMAABjAQPgbsuUtTmuybaczza52bbJwQyp7zuKRDhucRQXPp+zBFKEUo5friSOH0h1S/YYx+nbFIfynd6RR6LLbKCJ8PRCYvjBUGMIABDHjYgD1n+VvVIb1xco1+cjBW9eufVOXiQSqZ/ajsTvFIDm8i9bURSoX5QjplWNuZUMcmy58zR4EL62VdZQtxr99UwOvnxhoMYAADGAhrA3YQVXNA5oUN8p+OlS9lOCHUfQQmBGddP98nlCKUCqtiSNlz/fX9Xc/oN1lL9JeSHbp+NYVCn4cLfWE9YWDc+NnFAAYw4EkDRkOaPjy3S789tkI/OzxTzVsmqGrpENk34URqiBNpr4tQqusXqZ1aCEga1BZCnYhRIG++AmXrZF7e29YNxfuwJ9+HWUNQeMYABjCAgYgw0JrlbM1nB1GB3Lkysp5iaz6CqLAJIwmlCKXCsgBSENtHlUsHq3X7JL1+ZJk+qzzIgopFNQYwgAEMYAADYWXA3u7vyysJ+uDcLr1xao1+njhHTZvH6cJz/emicvEcnVAqDEKp1BEyTkQrULhYZvkmmZf2yKpPVJDdFsLqPTIiCoZ8LmMOAxjAAAY620BjssyLm+TPndt2TlTK0LAJIjr1xiMCqLAed0IpFy94I+2u0q54Pfb5U8WzHnG2wXlhx2T9KWej7EPHWcBw1wsGMIABDGAAA+FmwJ7D2CHVJxf36528zXo5fraurBpBF5XL5uuEUi4MpRKiZBydqED+ApkV22TVHpTVkKhgcwbrgs4uhPHvYQoDGMAABjAQegN2V9SV/QrkL3Q6ouzzMH2cExXWoYzXAzpCKZctcrsiuPHKv2kHVPnTHlTZ/L76wZ5n9ZeSnbpWl+wcOB5uRSmeL4VUDGAAAxjAgMcNtGbL7qQKNGXoq9okvZu/WS/FzdTlFcNVOvu7Kpr+kPKm9g7Ljvdwn5sSSnVjKGUXX5IGy0gZLiNrnPx582RWbG3biq8lU0H7cO8XskNfKKI4xzXHAAYwgAEMYKAzDdhzGvucqLo4p/O7bWu+QQRRdEdFTBBHKEUoFbHFDPvw8EvLh+qXqfP154Kt+lt1nKwWe6Hq8SIXrx8DGMAABjCAgbA1YLVm6/Pqw3rj5Br95GCsrq570ukYL5n1KFv+hWheTygVylAqSr6UYW1nQh2dJH/OHAUubJB1NSFsf4ZZi7AWwwAGMIABDGDg9gayFWxMaeuIOrda/pNT5EscFDEhhNc7g3j9X19DEEqFaPEa7neEhvvzL575iBo2jNWrGYv0XtE2545ju6hz+w8BPhy5LhjAAAYwgAEMhIcBoyFNH53frd8eW6GfHZ6h5i3jVbV0iIpmPByxNx5197yUUOrrC8pOX2DbnVCZY+Q/EaNA3nwFytbJvLxXwWa26OZ9OTzelxknxgkDGMAABjpkoCVT1pV9Ms+tUeDsTBnpo+RLiCKMoisqog0QShFKeapgkTe1lyoWD1Tj5nF6JXmec7B4hz4ouLOcIA8DGMAABjCAAZcasLf7s8+k+qB0l944tUY/T5yjps3jdeG5/nRRdeKcn1CqC0KptBEy7BCqcLHM8o0yL+2RVZ/IVnwufa9h/USxFQMYwAAGMHCfBuwb5a/GyyxbL//Z2TKyx8mXRFdUp9/sRLDl2mCLUKoTF6jdfdcmj9+jQwFbYWwflS+IUvOWcXr96HJ9cTmeIhsLXwxgAAMYwAAGIsaAvzHdCak+Lt+vd/I26d8T56hm9QgVTn+oQ3Mm5phfn2MSSnVCKJUwQMbRSQrkL5BZsU1WzUFZDYkKtmREzM8fxbr7LNbxWcTPAgYwgAEMRKIBuyuqerf8Z2bJyBzrbFNMV1QnzC0Jn1wbPt0paCSUIpTyfFEiN6an8qf11rm5j6tl+0S9nbNR1+qSZRdy2OKPxSQFBQxgAAMYwEAkGLDnNGZzpjO/+aomUe/mbdZLcTN1ecVw2edR2UFV/tTesudFhFBfD6FuvR6EUh0oHCQMkM/ejs8+FyrrKflz58m8uEXBplQFmzMUtA/xfoEttSPhPYbXwGclBjCAAQxg4DYG7LlOU1rbOVF5z8nIGN3WEcX2fGEXotwpXOHPO7A2uCk8JJQilKLwcBsDZfP76ccHpuqdvM36rOqQU8Dhw/U2H66ReNcKr4m7sTCAAQxgwGMGPr8UpzdPr9PLCbOcMzirlg5W6ZzHnJDq1kCG3/cQodS3LDztDqjU4c6dv/7nn3bOhLIqtsq6msD7isfeV1g7sXbCAAYwgAHPGmjNktWQLOvyPgVKlss4OlE++0admwry/Ppb5pNcJ09YIZS6TSDBYvvb7w710vWx7xquXTPSuZP47dyNzhZ/Vot9RyeTC64BBjCAAQxgAAORZ8Dupvqk4oD+cHK1Xk6YrdZtE3V5xTCVzv4uNzL9fd1AKHVzESFKvuShzjkI/pNTFShYKPPCRmc7Prbii7z3B97zGVMMYAADGMDAtxhoTpdZvVNm6Ur5T8XKl/qEJ8IFArab58b8ur0eCKUIpSgwtNPA+fl91bBxrFOg+VPeZl2/mkI4RTiHAQxgAAMYwEDEGrC3/Ltel6yPyvborbPr9YvU+WrdPkmVSwYpf9qDnp1Dej6UsruhMkYrcCpWZtFSmeWbnDuBgw3JEfuzQAHuWwpwfAbgHgMYwAAGvGygNVNW7SEFzq2W/8wMGRlPypc4kDCKbicM3MUAoVQ7AwkvdQfxWr+9U8wuwtjb+9kdVK9mLNSnFQeYgHh5AsJrxz8GMIABDHjEgN1FZZ9H9cnF/fpz4Tb9Kn2hc8OO17qoPBlKJQ+V//izTghlVW1v64SyQ6iWTH7+PfLzTzBHMIcBDGAAAxi4yYDdFVW+Sf5T02VkjnE6x33xUQQRdwki2ttFw/dFfscVoRShlGfvcu2M8M0OqIpnPeIEVL9/fqW+vJLgnD9l31nMh/VNH9Ys1vGAAQxgAAMYiDgDZkuWjMZ0XatN1l9KduiVlHm6uu5Jlcx6VPYWyHlTeys3pmfEzTUjOpSyzztIGiwjZbhz/oG9HZ9VvVPBplQFm9MVtA/r5meZa4ABDGAAAxjAgNcM2DfiNKbIqtqhQM4cGfbWfEmD5EsgiCJAivwAqSvGmFCKUCriCgWdETbd679RPPMRZ1ubP55aq08uHpCvPlUEVIRTFG8wgAEMYAADXjJgb3H8p9yNeilhluo3jFHlksEqnfOY8qf2joh5Z0SFUvZWfKnDnTt8jWNPK5D3nKzKbQo2shWfl35mea18RmEAAxjAAAZuY6AlS1Z9gqxLexTIXyAj6yn57Bt46AbiGmDgvg0QShFKRURx4F5DpK76e3lTeqlq6RD95GCsfn98lbPNjX03MR/yt/mQ99rdNbxefg4wgAEMYMBDBuwt/z6tPKg/nFyjl+NnqWXbRF1aMcwJqbpqHtbV/254h1JRzvYyRtY4+U9OVSB/ocwLG9u242MrPt6bPPTexLqMdRkGMIABDNzRQH2izMrtMkuWO9sX213kBFF0A2Ggcw0QShFKEUp1sYGiGQ+rdvVI/fTQdL15dr2zxR/dU0x+7jj5oRhAQQgDGMAABiLUgD3/sbuoPirbozfPrNcvUp9zOsztTqqCaQ+GzZw07EIpuxsqY4wCp2IVKFrqnH9gXd7rbEHDfIQ5KQYwgAEMYAADGDiiYEuGrCv7FbCDqBMxMtJH0hVFNxBhZBcaIJTq4kCiq+/U5N/vETYFDLt76vy8vrq0fJheipupD0p3UnSL0KIbEzom9RjAAAYwgIG7G7C7qL6sSdTHF/fr3YKt+lX6QjVufsr1XVRhEUqlDJP/eLRMO4Sq3N7WCdWQrCDdUMy/mX9jAAMYwAAGMPCfBhqSFTi3xpk3GZljnLM16Yjp3I4YrifX83YGCKUIpcIm1ImkAM4+U8E+f8revuYXKfOc7f38jemy2OLvPycGTJK4FhjAAAYwgAFPGbBDKqMhTV/VJOn9kh16JXme6tY96cyZCmL7KG9qL+XE9Oz2uaurQin7XAP7kO2UYTKOTFSgYKGs6p2yGlMUbE4nhOI9xFPvIdwMcPebAbhGXCMMYMDbBrLb5kaNKTIvbpH/9HQZKcPkSxwkX3wUXTFd2BVzu1CCP/N2WEUoRSjV7Qv7SAqb7vW1FE5/SFfXP6nfHVuhj8v36Vpdstjij8mityeLjD/jjwEMYAADbQZ89an6U94mvZwwS/Xrx6hyySCnmyq/m7b869ZQKnGgjNThsu/kNY5Ndg7dtiq3sRUf4RPhEwYwgAEMYAADdzLQkinrapzTPe7PnSsjfbR8CYRQhELeDoW6e/wJpQilCKVcZCA3pqcuPNdPL+6J1m+PLdeH53Y7dwxTlKIwiQEMYAADGMAABo7IbMnSZ5UH9capNXopfpZatk5wOs9L5zwmex51rzcIdeTvhTSUsgsmdhdU1jj5T051QijzwkYFaw/SBXWnwhN/TlESAxjAAAYwgIHWLFlX42VWbpNZvFTG0YmcEUUnFN1wLjJAKOWiQKIji2G+N3zOkrrXsbK3qalePlQ/2PWsfnd8pT6rPsz2fkwsmVhiAAMYwAAGMPB3A3ZX+fWrKfqobI/ePLNOv0h9Tq3bJ6ly6WDZ86h7nYPd7e91eSiVMEBG5lgFTsUqULREZvlGWZf30g3Fzz4/+xjAAAYwgAEM3M1Ac7qs6l0KFC6S//lnZaQ+QVeUi4KI7u7O4fHd0x1GKEUo1WUL9rst6Pnv7QzWYnqqdPZ32wKqPdH64+m1CjRnMhG520SE/44RDGAAAxjAgKcM2F1UX9YkOlshv5u/Rb9KX6CmLeN1bs5jnTrf7ZJQKmWYc8C2WbTU2VrGqjmgYEMS3VD8DHvqZ5huUDqCMYABDGDgngy0ZsuqPezczON//hkZGaPlSxxIVwxhFAZcbIBQilCqUxfpBE3tDJru0V3elF6yz5+qWDRAL8fP0ofndsnfmO5sZXNPH9ws9FnoYwADGMAABjAQoQbsm3js86jsoOr94h36efJc1a0breKZj8g+j8qeV+Xcw5Z/9xVKJQxoK5IkD5VxZKIC+Qudu3mtxmQFm9IIoSLUIvN0iqwYwAAGMICBzjSQ3TZnakiWWbZO/uPPykgZRhDl4gCCDiX3dCi5ZSwIpe4xHCB86drwhevbvutrF1OqlgzWL1MXOOdPfXklQSZdVBQXKehgAAMYwAAGMHBHA0ZDmt7J26SXE2apfv0YVSweKPtMKjuoas8ctEOhVOIgGSnDZWQ8KePopLYQqnI7W/Hh844+KVp2ZtGSfwtPGMAABiLKQFOarLrDMi9ukf/sTPmSh9AJQxCFgTA1QChFKNWuxXd7Fuh8T/uCpK66TsWzHlHT5nH6deZi/aVkh67VJcs+ayGiJiAUMBhPDGAAAxjAAAY60YC95d9nVYec7ZFfip/lnElVs2qEyub3Ve6UnredJ39rKGWfB5X6hPxHJsh/OlaBgkUyL2xUsPaQgq1ZjF0njh1zXAqtGMAABjCAAQ8YaMl0tuYzK7YokDtfRuYY+ezO8zAtxPO86RjCQJsBQilCqdsutrsqOOHf7frgKn9ab1UuGaQXtk/SL9Oecw7/tgsuTNY8MFmj0INzDGAAAxjAwH0Z8Ddm6JOL+/V2zkb9OnORfrD7WV1eOVxFMx7+x5z5G6FU0mAZRyYocHamzOLlMi9ulnMmVHP6fT0X5m7M3TCAAQxgAAMY8KyBxmSZFVsVyJsv/7HJbdvzEUQRxmEgYgwQShFK/WOBTWDU9YFRqK9x4fQ+qlwyWK3bJ+t3x1fqi8vxdE9RrKNAhgEMYAADGMBAOw3Yned2SPVe0Xa9dmSZvr/rGdWtHKIPUycocCpWZulKWVU7ZNmdUI0pdEO187p6tsDG9eG9BwMYwAAGMHBnA61Zsq7skz9/gfxHJ8lIG0lXFCFMxIQwdEh9vUuOUIpQilDKAwbs7WcKpz+kc3Me04t7ovVe0TYFmjJEBxV3XVEUwgAGMIABDGCgfQbseZN9HtW1uiSZDSkKNqURQlFYu3NhjWvDtcEABjCAAQx8uwH7yAk7iLoaL7Nk5X92RCUOJIggjMJAhBsglPJAIBHq7hwez/0dV7kxPXXhuX768f6perdgiz6/FKdAU+a3TxaYTHF9MIABDGAAAxjAAAYwgAEMYAADGMAABu7ZQLaCjamy6g7LvLBB/lPT5IuPIoCI8ACCLqGvdwlxPfqLUIpQik4pjxuwO6hqVo/QL9MW6N38zW1b/HEGFRPMe55gtu9uc+7K5zphAAMYwAAGMIABDGAAAxjAAAY8YqA5wzlz0w6iAmdnyUgfJV8CYRThBGGNVw0QSnk8kKCryf1dTaEaI7t76vy8vmrePF4/T56rPxdsdbaoYYLokQkiIRRBJAYwgAEMYAADGMAABjCAAQxgAAOdZcDenq8+QWb5RgVy58o4MlG+pEF0RdEVhQEM0CkVqoI/j0P4E04G8qc9qPKFUWrYOFavZizSp5UHZdE9xcS0syam/DtYwgAGMIABDGAAAxjAAAYwgAEMRKaBlkxZ1TvlPztL/iMTZaQ+QVcUIQRBFAa+ZoBOKTql2L4PA3c2ENNThdP76Nzcx9Sw6Sm9fmy5Ak0Zsg/6Dtp3vDCB5BpgAAMYwAAGMIABDGAAAxjAAAYwgAEPG8hW0A6iag8pULRURvZ4GSnD5EsY8LUitFe3KeN1s0UfBr5pgFCKQOLOgQTXhmtzGwMlsx/V93c/o7fOrtdnVYfY4o+Jt4cn3mztSDCNAQxgAAMYwAAGMIABDGAAAx400JolqzG5LYg6t1pG9jgCKDphMICBdhsglLpN0T2ctlnjubItYHcZyJvSSxWLB+qluJl6O2ejPq044HRRMRn14GSUYI5gDgMYwAAGMIABDGAAAxjAAAYwEPkGmtJkXt4r8/wa+U9Nky91eLuL0HSLfLNbhGvCNfGqAUIpQim6gTBw3waKZz2iurWj9FL8LL2du1Ff1SRG/kSMyTZjjAEMYAADGMAABjCAAQxgAAMYwECkG7C7omoPOUFU4OxsGZlj5UscSBhFVwwGMHDPBgilCCTuO5Dork4dHtd9XWJ5U3vrwnP9VLtmpH4WN1Mfle2R2ZzJBDXSJ6i8PoxjAAMYwAAGMIABDGAAAxjAAAYiy0BjiszyjfKfmSG/fU5U8tB7LkB7tRuE100nFAZub4BQilCKUAoDXWIgf9qDOjf3MdWuHaVfZy3W55fiZLVkRdYEjQk344kBDGAAAxjAAAYwgAEMYAADGMBARBjIVrAlU9blfQoULJSR8aR8dhCVMIAwio4YDGCgUw0QShFIdEkgQReT+7qY3DAmTZvH6w8nVumzqkO6fjVFVms2E9eImLhyjhZnqWEAAxjAAAYwgAEMYAADGMAABsLOgB1CNSTLqjmoQOHitiCK4nunFt/plLl9pwzXxdvXhVCKUIpQCgMhNZAb01Nlz/XTD/ZE642Ta/TXC3vlb0wnnCKcwgAGMIABDGAAAxjAAAYwgAEMYAADoTDQkCzz0m4FSlbIfyJavqTBBDGEcRjAQMgMEEoRSIQ0kHBDtw7PwT1dXAWxfXR55XD95GCsfn9ilf5WdYgt/kIx+eQxWORgAAMYwAAGMIABDGAAAxjAAAa8ZaAlQ9aV/TLtIOpUrIyM0WzNRwgRshCCzihvd0bdOv6EUoRShFIY6HYDdvdU6ezv6sqqEfrhvhj9KXeTfPWp3pocshhgvDGAAQxgAAMYwAAGMIABDGAAAxjoVAPZCl6Nl3l+jfynY2VkPSVf0iCCCMIoDGCgWw0QShFIdHsgQeeSezqX3DAWeVN7OQHVpeXD9IvU5/RJxQGZLVlMSjt1Uso+32G3zzfjz3sABjCAAQxgAAMYwAAGMIABDLTXgH1WVPUuBXLmyEgbKV/yEPkSorq1CH1rpwS/p3MGA941QChFKEUohQHXG6haNkSvpMzTZ1WHdK0uWWZzJhPR9k5E+T6sYAADGMAABjCAAQxgAAMYwAAGItuAvTVfQ5Is+5yonNkyUp8ggKITBgMYcK0BQikCCdcHEm7o3uE5uKObq3T2o2rZOkGvZS/VB+d26frVlMieVLJoYHwxgAEMYAADGMAABjCAAQxgAAMYuJ2B1ixZ9Ykyq3cqULRExtFJnBFFCOHaEIKuKO92Rd1u7AmlCKUIpTAQdgbypvRSxeKBenFPtF4/ukwfnt8tf2MGk9TbTVL5M1xgAAMYwAAGMIABDGAAAxjAAAYix0BzuszK7QoULZX/5FT5nK4otua7XeGbPyMIwYA7DRBKEUiEXSBB15I7upbcMg5FMx5W9bIh+v6uZ/SHE6v11ZXEyJlosmhgLDGAAQxgAAMYwAAGMIABDGAAAxiwu6JqDypQusIJooz00fIlDqQrhs4oDGAgLA0QShFKEUphICIM2N1TJbMe1cWFA/Ti3hh9cH43Z0+xcGHhggEMYAADGMAABjCAAQxgAAMYCF8DzRkyyzfLf2KKjLSR8iUNli+erii6X9zZ/cK4MC7tNUAoRSAREYGEW7p2eB7u6eLKjemp8oVR+unh6Xq/ZIeu1SYp0JwZvhNRFhGMHQYwgAEMYAADGMAABjCAAQxgILINNKfLakiUWblN/tPT5UseQghFJ0xYdsK0N5zg+7wZZBFKEUoRSmEg4g3YAVXDxrF6NWOh3i/eri8ux8tqzY7siSwLFcYXAxjAAAYwgAEMYAADGMAABjDgfgMtmbKuxsus2qFA3nwZWU/JlzCAIIIwCgMYiFgDhFIEEhEfSNC95J7upe4eCzucOj+vr5q3TNCv0hc6HVRGfZr7J6gsIhgjDGAAAxjAAAYwgAEMYAADGMBAZBloTJZ5cYsChYvlPx79964ob3ZN0C3DuGPAWwYIpQilCKUw4EkDBdMeVOWSQWrZOlGvZizSpxUH6Z5igRNZCxzGk/HEAAYwgAEMYAADGMAABjDgLgMtGbKu7FOgaIn8x5+VkTaCrii6YSK2G4agyVtBU0fGm1CKQMKTgUR3d+zw+O7p3rK7p4pmPKTyBf3VuHmc3s7ZIN/VFHdNWllEMB4YwAAGMIABDGAAAxjAAAYwgIHwNdCQLPPcGvmff0ZG2kj5kgYRRBBGYQADnjVAKEUoRSiFAQzcZCB3Si+dm/u4frhvit7J36wvLico0JQRvhNfFi2MHQYwgAEMYAADGMAABjCAAQxgIIQGshVsTpPVkCSzfKP8J6e2dUMlRHm2AN2RDgq+l+4aDES+AUKpm4rRdK+4p3uFsWAs3GKgcslgvZI8T+8VbdNnVYcIqFjIhHAhc4THwhsGMIABDGAAAxjAAAYwgIFwMWBvzVd7SObFzfLnzJaRMVo+giiCOLqBMICBbxgglCKUoksGAxi4m4GYHiqZ/ajq1z+pf0+crT/lbtT1Orb4C4bLwoDnySIWAxjAAAYwgAEMYAADGMAABrrCQGuWrLo4meWbFChYKOPoRM6IogD/jQI8nT+R3/nDGHdsjAml7laM5r8TWGAAAzcZyJ3SUxee66emzeP086S5+qB0pwLNmUzuu2Jyz7+JKwxgAAMYwAAGMIABDGAAAxhwo4HmdFnVu+TPmy//0UkyUofTFUUYRRiFAQy00wCh1E3FZrdsF8bzYOs6DISHgYLYPiqb30/1G8botSPLdK0mkcWCGxcLPCdcYgADGMAABjCAAQxgAAMYyY7GgwAAIABJREFUwMD9GmjNlnU1XoGiJTKOTJCRNkK+xIEUodtZhKaTpGOdJFwvrlckGyCUIpSiCwYDGOgEA3lTeqlw+kNq2PSU3jy7Xp9fipfRkCarNZuJ//1O/Pn7GMIABjCAAQxgAAMYwAAGMICBUBuw1/NNaW3b851b7XREOSEU50QRxBHEYQAD92WAUKoTitF0tYRHVwvjxDiF0sCF5/rrB3ui9dbZDfq08qCMxnQWEKFeQPB4mMMABjCAAQxgAAMYwAAGMICBjhqwt+a7sl/mhQ3yn54hX+oT91V8jeRuB14b3TwYwMC9GCCUIpSiSwYDGOhCA4XT+6h2zUj9LG6G/nhqrRNQ0T11hEVRRxdFfD9mMIABDGAAAxjAAAYwgAEMdJ2BlkxZNQedICqQN19G5hj5EgYQRtENggEMYKALDBBKdWExOpRdGTwWXUAYcLeB3JieKp3zXdWuGaWfxc3UO3mb5atP7boJNYsVri0GMIABDGAAAxjAAAYwgAEMYODbDTSmyLy4Rf7cOc45Ub6UoRSgu6AAfS+dFPwdOnAwELkGCKUIpeiSwQAGQmwgf1pvnZ/XV1dWPaFfpMzXZ5UHOXuKhdK3L5S4PlwfDGAAAxjAAAYwgAEMYAADnWOgNUtWzQH57Y6o7HEy7O356IoijCOMwwAGQmaAUCrExWi6WdzdzcL4MD6hNpA3pZcKpj2oyyuH67Xspfq04oB8DWkyW7I6Z7LNooXriAEMYAADGMAABjCAAQxgAANeNtCapWBTmqzaQwoULnGCKF/iIPkSokJWgKXjI3I7PhhbxhYDHTdAKEUoRZcMBjDgIgP2Fn8v7Jis3z2/Qh+V7WWLPy8vnHjtFA4wgAEMYAADGMAABjCAAQzcu4HGFFlX9ilwfo38J6fKlzSYEIpOEAxgAAMuMEAo5aJidKg7NHg8uoIw4G4DFUsG6ccHpukPJ1Y7AVWgKePeJ+MsZLh2GMAABjCAAQxgAAMYwAAGMBDpBprTnSDKPL9WgbOzZKSPoiPKBQVoOkk63knCNeOaRbIBQilCKbpkMIABFxvIjemp4pmP6PKK4frB7mf1xqk1ulabzEIq0hdSvD6MYwADGMAABjCAAQxgAAMYaKeBbAXrE2SWrVPgzIy27fnoiqIbhDAOAxhwrQFCKRcXo+licXcXC+PD+ITagB1Q2dv72QHVj/ZP0fvF22U2Z7Zzkn6E72NBhwEMYAADGMAABjCAAQxgAAORY6AlU1bVTvntICprrIyUYXRFUYR3bRE+krteeG10dXXUAKEUoRRdMhjAQBgayJ3SSwWxfWRv8fdK8jx9Ur7POX/KbMmKnAUGi0XGEgMYwAAGMIABDGAAAxjAAAZuGGjNUrApVdblvQrkL5CR8aR8iYMIogiiCKIwgIEwM0AoFYbF6FB3Z/B4dARhwP0G8qf2Vu3aUfpN9lJ9cG6XvrySIKs1m8XLjcULX7GAAQxgAAMYwAAGMIABDGAg/Ay0ZsmqT2oLokpWyjg2meJzmBWfO9pBwffTdYOByDdAKEUoRZcMBjAQYQbK5vdTy7aJev3IMieg8tWnht/Cg8UiY4YBDGAAAxjAAAYwgAEMYMC7BprSZFbvklm6Uv6TU+VLHS5ffBSBFIEUBjCAgQgwQCgVYcVoOlrc39HCGDFGoTJQOL2PqpcN1fd2Pq3fZC3Wxxf3e3dBw2KWsccABjCAAQxgAAMYwAAGMOBuA3ZXVN1hmaWrFDg9XUbmGPkSB1KAjoACNJ0vkd/5whgzxh0xQChFKEWXDAYwEOEGcmN6qnjmw6pYPEjf3/2M3jyzTr6rdE8FWZC6e0HK+DA+GMAABjCAAQxgAAMY8IaBlgyZFzbIODlVRuZYGclD6IoiiCKMxAAGItgAoVSEF6ND1ZHB49D9g4HwMJA7pZcKYvuobH5f/fjANH1QulP29n6B5kxvLHZY1DLOGMAABjCAAQxgAAMYwAAGutdAS6aCjSmyqnYqkDtXRtpI+RIHyZfA9nwd6TTge+lMwQAGwtUAoRShFF0yGMCAxw1ULR2iV1Lm6y8lO/T55XgCKhao3btA5fpz/TGAAQxgAAMYwAAGMBB5BloyZdUnyLq8V4GCRTKynqILIoK7IMK1UM7zJuTBQGgMEEp5vBhNd0t4dLcwToxTKAyUzv6uGjc9pVdS5unPhdt0rS458hZCLG4ZUwxgAAMYwAAGMIABDGAAA6Ez0JAks2qHAsXL5T8eLZ+zNV9oip4Ul7nOGMAABtxpgFCKUIouGQxgAAPfMHBx0QC1bpuoX6Uv0PvFO+ieYtEaukUr15prjQEMYAADGMAABjCAgfA20JIhq+aAAsXL5D8xRUb6KPkSBtAZRWcUBjCAAQw4BgilKEZ/oxgdio4MHoPOHwy430BuTE8VTn9I5Quj1LR5nH73/Ap9VZMU3osjFreMHwYwgAEMYAADGMAABjCAga4xcDVe5rlV8p+IkZE5Rr6kwRSgKUBjAAMYwMA3DBBKEUoRSmEAAxi4qwE7oCqI7aPzcx9X05Zxejtng7O9X6A5U1ZrdtcsaFgocl0xgAEMYAADGMAABjCAAQy410BLpoKNyTIrtsl/ZqaM5KHyJQ6SLz7qGwVIttBy5xZajAvjggEMdIcBQimK0XctRtPR4v6OFsaIMeoOA+fnPa6fHZ6hd/I262/Vh+VvTHfvYomFLGODAQxgAAMYwAAGMIABDGDg/g00p8uyO6Lsc6Jy58pIG0EARRcEBjCAAQx0yAChFKEUoRQGMICB+zJgd1DVrh2lf0+co7dyNjgBldmSdf+LHRaMXEMMYAADGMAABjCAAQxgAAPdb6A1W9bVBJmV2xQoWCjj6CTOiKIA3aECdHd0YvCYdABhwL0GCKUoRt9XMbo7ujN4TLqCMOBeA+fmPq76DWP086Q5erdgi3z1qd2/gGIRyxhgAAMYwAAGMIABDGAAAxjouAG7K6p6lwL5C+Q//mxbV1QCW/NR6HZvoZuxYWwwEB4GCKUIpQilMIABDHS6gYLYB3VhQX/VrRvtdFB9Xn244wsgFo1cMwxgAAMYwAAGMIABDGAAA6E10Jolq/agAsXL2oKo9NHyJQ6gK4bOKAxgAAMY6DQDhFIUozu9GE0Xi3u7WBgbxqY7DORP663SOY+pfv2T+u2x5fricrwCTRmyWrNDu7hiMcv1xgAGMIABDGAAAxjAAAYwcIuBbAVbMhVsSJZ5YaP8J2JkpAyVL3GgfPF0RdF1ER5dF4wT44SB8DJAKEUoRSiFAQxgIKQGimY8pO/teFpvnVmvTysOOlv8EVAduWVhyO+DFAswgQEMYAADGMAABjCAga4z0JQmq+6wzIqt8p+ZIV/ykE67A57icHgVhxkvxgsDGAi1AUIpitEhLUZ3R5cGj0l3EAbcaSA3pqcqlgzSTw7G6o+n1+nji/sVaM7sukUXC1quLQYwgAEMYAADGMAABjDgZQMtmf8IogK582RkjZUvga35Ql2M5fEIADCAAa8bIJQilCKUwgAGMNDtBkpmPaqaNSP1o/1T9eaZdfqqJpHFspcXy7x2/GMAAxjAAAYwgAEMYKDzDDSlyry4RYG8+fIfe1pGynC25uNsGDrjMIABDHSbAUIpitHdXoymi8WdXSyMC+PSHQbs7qnz8/qqds1I/ezwDL2bv1lmS1bnLcZY2HItMYABDGAAAxjAAAYwgAEvGGjJkHV5r/wFC+U/NllG2gi6oihAd1sB2utdIbx+OqMw8HUDhFKEUoRSGMAABlxpIH9qbxXPfERXVj2hVzMW6W/VhxVoyhDnT3HeFOdNYQADGMAABjCAAQxgAAO3GGjNVrAlU8H6RJmlq/7eETVMvsSBBBGEURjAAAYw4CoDhFIUo11ZjO6ODg0ek84gDLjbQEHsg6pZPUKvH12mj8v36Xpdiiy6qLjL1Qt3ufIacY4BDGAAAxjAAAYwcFsD2bIaU9rOiSpbJ/+JGLqhKDy7qvBMd8jXu0O4HlwPDLQZIJQilCKUwgAGMBB2Bs7P76sX90Trd8dW6MOyPTIa0lik3naResvdk3wPTjCAAQxgAAMYwAAGMBD+BpozZNUclHlhvfxnZsrIGC1fQhRhBIEUBjCAAQyEhQFCKYrRYVeMppvF3d0sjA/jE0oDBbF9dGnFMP1gd7R+e2yFPqk4wBlUFBnCv8jAGDKGGMAABjCAAQxgAAPfMJAt62q8zLJ1CuTOk3F0ElvzUXwOi+IznSF0B2EAA7caIJQilCKUwgAGMBARBkpmP+oEVD/cN0VvnV0vX30qC9lvLGTpnOLsAQxgAAMYwAAGMIABDISVgeZ0WdW75M+dI+PIBPlShtEVRRhFGIUBDGAgrA0QSlGMjohidCg7M3gsOoEw4G4DeVN7q3jmI7q4cIB+fGCaPqs4KLM5U5Z98C8hDdcAAxjAAAYwgAEMYAADGHCzAXvd0pIpq/awAoVLZGSNk+EEUQPCugB5613y/J7OCQxgAAPeNUAoRShFKIUBDGAgog3kTemlqmVD9EryPH1wbpe+qk1iiz83L8J5bhSJMIABDGAAAxjAAAa8ZqA1S1ZjshNEmaUr2zqi6AIghMMABjCAgQg1QChFMTqii9F0tLi7o4XxYXxCbaBk1qNq2TpBr2Uv1fvF23WtNpkOKq8t+Hm9FLkwgAEMYAADGMAABtxioDld5uW9CpxbI/+pWPlSn5AvPooibIQWYekK8W5XCGPP2GPg6wYIpQilCKUwgAEMeM6A3T1VvnCAXtgxWb/JWuJ0UAWaM1mcu2VxzvPAIgYwgAEMYAADGMBApBqwu6JqD8o8v0aBnDkysp6SL4Gt+SjYfr1gy/XgemAAA5FsgFCKYrTnitGh7szg8egGwoC7DRTNeFiVSwarZdtE/eHkan15JYECQKQWAHhd2MYABjCAAQxgAAMY6C4DTakyL26S/8xMGdnj5EseSlcUHVF0xWEAAxjwpAFCKUIpQikMYAADGIjuodyYniqe+YjKF0bp+7ue1ltn1ztnT1n2QcPdtXDlcbn2GMAABjCAAQxgAAMYCE8D9jqiJVPWlf3y586VkfFkWxBFV5QnC7CR3PHAa6OjBwMY6KgBQimK0RSjMYABDGDgDgbKF/TXTw/P0PtF2/XF5XgFmjLCc0FMIYNxwwAGMIABDGAAAxjAQNcbsEOohmRZV/YpkL9ARuYYAhi6IDCAAQxgAAO3GCCUukMhku223L3dFuPD+GAAA6E0UBD7oGpWj9QvU+brz4VbnYDK5Ayqrl/UUzjhGmMAAxjAAAYwgAEMhIOBxmSZ1bsUKFkp/4mYv2/Nx53zHb1znu/HDAYwgAFvGCCUIpSiQwIDGMAABjpg4Py8vmreMl6vJM/Tnwu3yVefSqEgHAoFPEecYgADGMAABjCAAQx0poHmdFmX98osXaXA6VgZ6SPlS4jibvhb7oanwOyNAjPjzDhjAAMdMUAo1YFCZCjvyuex6ALBAAYw4G4DBdMe1MVFA1S/foxezVikjy/uZ5HfmYt8/i08YQADGMAABjCAAQy40UB9gsyydfKfipWROVa+pMEEUQRRGMAABjCAgQ4YIJQilKJDAgMYwAAG7tNA4fSHdOG5fmrZOkF/OLFKRkMaBQQ3FhB4TrjEAAYwgAEMYAADGLgXA/ZZUZf2yDg9XUbaSPmSh9AV1YHiY0funud76bbAAAYwEPkGCKXusxBJJ4O7OxkYH8YHAxjoDgP2GVSt2yfp3fwt+vxSnBNSWa3ZFADupQDA38ENBjCAAQxgAAMYwECoDbRkyGpIklW1U4GcuTLSRnAHPCEUBjCAAQxgoJMMEEoRStEhgQEMYAADXWQgb2pvVS4ZpJ8enK63zm7Q36oPK9CcSVEh1EUFHg9zGMAABjCAAQxgAAN3M9CaLas+UaYdRBUtlfH80/IlDqQA2UkFSDofIr/zgTFmjDGAgfYaIJTqokJkd9yZz2PSEYIBDGDAvQaKZz6ihg1j9XL8LL15Zr2+vJIouqeOUBy5W3GE/44RDGAAAxjAAAYw0LUGmtLagqjipfKfnCJf6nD54qMIowijMIABDGAAA11kgFCKUIoOCQxgAAMYCKGBvCm9dH5eX9WtG62XE+fo/ZIddE9RaOnaQgvXl+uLAQxgAAMYwAAGvm6gNUtW3SEFSlc6QZSR8SRdUV1UeGzvXfN8Hx0WGMAABrxjgFAqhIVIOhjc28HA2DA2GMBAdxiwz546N/dx1aweqdePLNOXNYlfXyxTPOB6YAADGMAABjCAAQxgoPMMtGTIrNgq4/izMtJHypc8RL4EuqIoBHunEMxYM9YYwIAbDBBKEUrRIYEBDGAAAy4xUDDtQdWtHaXXjizV55fi5KtPZYs/ijCdV4ThWnItMYABDGAAAxjwmoHmdFn1CTIvbpH/zEz5koeyFRMdURjAAAYwgIFuNkAo5ZJCZHfcoc9j0hmCAQxgwJ0GcmN66sKC/npxb4zeOLlGf72wV/7GdIooXiui8HoxjwEMYAADGMAABjpuoCVTVl2czKodCuQvkJH1FMXHbi4+uuGufJ4D3SEYwAAG3GOAUIpQig4JDGAAAxhwsQG7e+rS8mH66cFY/eHkGn1WeUhmc2bHF+cUNLhmGMAABjCAAQxgAAORbKAhydmaL1C4SP7nn2nbmo8whkAOAxjAAAYw4DoDhFIuLkTSweDODgbGhXHBAAa6xUBMT5XOeUw1q0foJ4em6+3cjfI1pFFYieTCCq8N3xjAAAYwgAEMYODbDdhdUVf2K1C42AmijLSR8iUMcF3xjbvz3XN3PmPBWGAAAxjofgOEUoRSdEhgAAMYwECYGcif9qATUFUuGax/T5qjv5bv+/bFOsUMrg8GMIABDGAAAxjAQCQZaEyVWbpSxrHJcoKoxEEEUXQCYAADGMAABsLEAKFUmBUiu+XufK4RBXsMYAADrjVgnz9lh1SXVwzXL1Lm69OKA7p+NUVmSxaFl0gqvPBa8IwBDGAAAxjAgJcNNKfLuhov88JG+U9Nky9xoHwJURQfw6T4SFdC93clMAaMAQYw4BIDQV98/48JpSi0urbQSgDHFmkYwAAGOm6gcHofvbBjsn7//Ep9cG6XvqpNktWaTRHHy0UcXjv+MYABDGAAAxgIRwPNGbJqDznnRPlz5shIH00IRQiFAQxgAAMYCE8Ddhj1ji+u70VfXN+YB87E9BibG93jHQp/HS/8cc24ZhjAAAYw4FYDeVN76+LCAfrezqf1+tFl+vjifgWaMijIhGNBhueMWwxgAAMYwAAGvGKgNbutI+riJgXyF8g4OqmtKyo8C3AUThk3DGAAAxjAQHz/v1yP75fnO9x/2ueJj/z3B+z/K57wnf8jN6bH5JzoHqdyonv81a3FNZ4XhV8MYAADGMDAvRkomvGwrqx8Qt/f9Yx+f3yVvqxJpHvKK4UdXidFTAxgAAMYwAAGwsGAvT3fpT0K5M6V3z4nKvUJ+RIGUMijmIsBDGAAAxgIUwPX4/t/4YvvV3I9vv+Ea/ED/9UJo27+fwcOPPDPBTG9/0fesz2Hn4n5TkFOdI//oPB3b4U/rhvXDQMYwAAG3Gogd0pPlcx6VBWLB+qH+6fqvaJtdE+FQ5GG50gxEQMYwAAGMICBiDSQreDVeAWKlsg4OlFG2kiCqDAtPLrknBIK1/jBAAYw4A4DPl9830vX4vuOu20YdXMwZf9aDzzwT6eW9fsvZ6L/rd+Z6J5lf++cstxaXON5UfjFAAYwgAEM3JuB3JieypvaS+ULovRywmx9eH63rtUmKdCcSdEnIos+RxhXxhUDGMAABjCAge41YJ9z2pwmqy5O5vm18h97um1rvoQoiojuKCIyDowDBjCAAQzcqwH7zKhPfPH9qoy4fsN0qt9/kR74p1vzp7v+/siE7/xLbsy/jc6J7ll4NrrHH+meureiH8VSrhsGMIABDISDgfypvVWzaoR+nblYfyndqS+vJMhsyerewgWFI64/BjCAAQxgAAMYCH8DTamyavbLvLBR/jMzZaQOv9eCF3+PYikGMIABDGDAXQbsMOpdX3z/Cn/C48/cNXRq7zcUPvWv/y0nuueEnOgeebnRPd4Jh8Iaz5ECMAYwgAEMYODeDNgdVGXz+6pl20T9Kn2Bs8WfvzE9/IshFLQYQwxgAAMYwAAGMBA6Ay2ZsmoPtQVROXNkZI5laz53FREp6jIeGMAABjBwPwb+wxff//3rcf3yfYf7T/vbgcf+r/bmTR36vrOx/8//ffbZ7zydE93jVE50j48o9t1bsY/rxnXDAAYwgIFwMZA/rbcqFg3UC9snOx1Un1zcL5Pt/UJXzKFwxrXGAAYwgAEMYCDcDDSlySzfpMDZ2fLb50SlDJMvnu35OHOp//0UPvm7FM4xgAEMuMjA9fj+X/ji+xddP9x/YrvOjOpQCnWbbz5w4IF/Lojp/T/OPtPjibPRPfJzonsEw6WwxvOkCIwBDGAAAxi4NwN291TRjId1ceEAvbDzab1xeq3onuKMpmC4Fcl4vhR2MYABDGAAA11jwO6KurxX/vznZGSPl5EynK4oFxUPCcQIxDCAAQxgoJMM+Hzx/aqvxfcdF5Iw6tZ8Sg888E8XYvv81/zof+t3NrrnhZzoHp/kRPewKPbdW7GP68Z1wwAGMICBcDFgB1T2+VMlsx7VD/ZE692CLbpWm0xIRZGra4pcXFeuKwYwgAEMYMB9BlqzFGxKk1V7WIGipTKOjJcvcaB8CXREdVLRj44AQj0MYAADGHCLAfvMqE98cf2qjYS+w3XkO/8iPfBPt+ZFIf/9kQnf+ZecZ/5t1NnonkVno3v8MSe6x3+ES2GN50kRGAMYwAAGMHB/BvKm9FLV0iH66eHpzvlTn1+KU4At/txXPKKgx5hgAAMYwAAGMHCfBqyGJFlX9sk8v1b+EzFtQRRFQ7cUDXkeWMQABjCAgc40YIdR7/ri+1X5E/pODnno1N4HLHzqX/9bTnTPCTnRPfJyonv+iSLf/RX5uH5cPwxgAAMYCDcDRTMeUuOmp/SLlPl6O3ejvrgcT/HnPos/bJHHNokYwAAGMIABDHSrgeYMWVf2yyxbJ/+pWBnpo+mIoujZmUVP/i08YQADGHCXgf/wxfd773pcv3xfXL9YJfX7P9ubD3Xr95VM+n//e84z33kmJ7rHqZzoHh+GW0GN50sRGAMYwAAGMHB/BvKm9lLZ/L6q3zBGv0idrw/P72Z7P8IpAkoMYAADGMAABsLJQH2CzPPrFDgz0zknypc8hKKhu4qGjAfjgQEMYAADnWrgenz/L67H9yu4frjv5G45M+p+U60DBx7451NP9/yfZ6K/M/Ks0znVw6TAd38FPq4f1w8DGMAABsLRQOH0h1S+IEpX1z+p32Qv0Zc1iRSkwqkgxXPFKwYwgAEMYMA7BprTZVXvlP/sLBmZY2WkDKMrioJnpxY8OXOrP9eTnykMYMCNBq774vtVXjvcd3xYhlG3hll64IF/ylvw//1v+dH/1i8npkd5bnTPz3Kie1jhWFTjOVMMxgAGMIABDNyHgZieyp/aW3ZI1bJtot44tcbZ3s/fmC6rNds7xR4Ke4w1BjCAAQxgAANuMdCapWBTqqzL+xQoWCgjc4x8iYMIoiiYurFgynPCJQYwgIHONfC/fPH9P/XF971kxD3+hDIG/+868MA/35rvhP3vL8T2+a9tnVM9i3Kie7yZE93jf1Hcu4/iXjR/Fz8YwAAGMBDeBuwt/n60b4reztmgTysOyGhIp0jlliIVzwOLGMAABjCAgcg00Jolqz6xLYgqXfX/s3fn4W2U997/FbdQlnShkIRycfWiiUZQUyjWjLOwhi2QxdEtJ0pYW5ZCoQVOSwstbQEVa5TE2WlDa6xbjp3dWci+O71+v57lOef0nOfp2X59zikFEvYtJLFmZMvJ93eNA4SlSRxbtiXN+684tjWa+dyvf/T5+p6R7K/GU/Llt+QjT/LEAAYwgIFCNtDh2NYeJ2GuzdoVY4t+6NTVC2gaM+R0rUJjddRIaxV6kUKxuAtF1o/1wwAGMICBnhrwdlCtv/8K+Sf7Znk+9Tfy7nNPSXvLvNIsgij4WFcMYAADGMAABvrDwM5Z0r7uF9K25LuS/W21uDOvFMeuLOTSjHOj1MUABjCAAQzkz8AhxzZf9p4Z5STMmMRHfKGr85yS+r0Gdd6X0tFgREeCz+pI6LWeFlq8nlIUAxjAAAYwUNwG0tUhWXbbJbL5oWvkH34Zkz1Nj4i7bRbFVX8UV7wn7jCAAQxgAAPFb8DbFbXpl9K25D5pe3ZK53OinORwCr78FXxkSZYYwAAGMFDwBjK2tS+TMBdmEuGqA/GLB5fUkKk7FxOPB8rqqkJn6YnDrj68c8poo1As7kKR9WP9MIABDGAgHwYaJp0vzd+2ZNMDo+UP02+TN5sfl/adc4u/HKLgYw0xgAEMYAADGOhtAztmSvuqH4lbN/nwc6JmXMquKErTgi9NHdaINcIABjCQbwMZx7ZWZ2xrbKs9Ykh35jcl/RoJBAY0x849daEaZqaUsUorY69WRi4fpRbHoBzFAAYwgAEMFLeBhkkXSNOUCzt3UP3n0/fKe+sS4m6fLbld8ym1ervU4vgYwwAGMIABDBS+gZa50rG9VnJrfyZZfau4s64SZ9pIcZLcno9Bh5XvgpPjUZpjAAMYKGwDBx278l3HDq9zkxVXycyLT5d4oKykh0v5uLjmWPnJqYnGlTpiLNbK+ItWxkHKxOIuE1k/1g8DGMAABvJpwBtQ7frJePmfugfkrZVPSOvmGYVfFlHosUYYwAAGMIABDOTTQMtcyW1NSm7949K28I7DO6IKuySjxGR9MIABDGAAA71nIOfY1h4nYa3PTjPH5GNO48tjNI0ZcrpWobGHb+sXejGfZRbHohzFAAYwgAEMFL+BhurzZfXdI+T3v1Dy37/5vry16klp2zGHwiufhRfHwhMGMIABDGCgsAxsnyHtz/3bDNTeAAAgAElEQVRU2hbdI9lnIuLMuIyCr/cKPrIlWwxgAAMYKHQDhw4Po8JNTsKMyYzLPu/LYVK+L7ouNvSLKRVSOhJ8VivjVUrE4i8RWUPWEAMYwAAG8m1g0dQLZeP3r5K/e3KS/GnBfXJg47TCKpAo9FgPDGAAAxjAAAa6a8DbFbX+F9K2+F7J/naSuLOv5tZ8lKSFXpJyfhjFAAYw0MsGMra1L5Ow0pkaa+KB+MWD8z2X8f3x4vFAWToWHJRSQ69NK0PriOHmu8zieBSkGMAABjCAgeI34O2eWnLLxbL+vsvlfz01RV5d8lPJbp9NCdbdEozXYQcDGMAABjDQfwa2TpP25Q9I9jdRcedcI870kRR8vVzw8QwqnkGFAQxgAANFYKDVscOrMrY1ttUeMcT3w6PeDsAbTjWNufj0dHUwnFLGaq2M/VoZHZSIxV8isoasIQYwgAEM5NtAw6QLZNHUb3Te4u8P02+Td1bHxd0+W9pb5vVfuUSxR/YYwAAGMIABDBzNQMtc6dheK7k1P5Hss1PFrb1cnGkj2RXFIIphJAYwgAEMYOCgY1t7vWdGubZ5tXebPokHynp7HsPxP5FA3b3mSQ2R0BVpZSzRyniB4RRlZr7LTI6HKQxgAAOlZSAdDcnWH1wn/z73bnl9+c87b/GX2zWfYuxoxRjfxwYGMIABDGCg9w3snCO5Lba0r31M2lK3iDtrNMUjxSMGMIABDGAAAx8YyDm2+bKTMDe4dsW1nxiR8N/+SqCu6pzTtAqN1VEjrVXoRQrE0ioQWU/WEwMYwAAG8m0gXR2S5m9b8rufjJf/fPoeeW3pz8TZOrP3SyeKPTLGAAYwgAEMYMAz4P1RzNaktK9+VNoa7xL31xPEmTbig/KJfykiMYABDGAAAxjwdkbtcZLmYidhxmTmxaf31/yF9z1GAovHBr+gI6FoKhqs18p4Nd8FFsejFMUABjCAAQyUnoGFky6Q5+65VP7fn0c6B1Rvr3pSctzej8KQ0hgDGMAABjDQGwZ2zJT2534qbY13SvYZJc7MK8WxKykeKR4xgAEMYAADGPjQQMa29mXssM4krMiB+MWDjzES4UeFkID3zKl0LDgoHTGuSytDa2VkKBBLr0BkTVlTDGAAAxjItwHv1n6Lb75InvvOKGl5dJzsXvhjcdk9RSHZG4Ukx8QVBjCAAX8Z8HZFbX5K2pZ8V7ILJoo7+2p2RVE8flg8OmRBFhjAAAYwcMRAq2ObKzM11rhWe8SQQpi3cA4nkIA3nFoQKx+Yrg6GUyr4nFZGK8+cosDMd4HJ8TCFAQxgoDQNeAOqRVO/ISvvqJS/faJaXln0aOft/drZQeWvEpHSmPXGAAYwgIHuGPCGUC1zpWPbDGlf9SNxfzVO3NrLxJk2kl1RR0o3CkiywAAGMIABDBw2cNC1rfc6nxlVE75G4iO+IPFA2QmMQvjVQkyg7l7zJB0denlaGUvef+ZUByViaZaIrCvrigEMYAADvWVg7Xcvk3+t/Za8suSnsm99Utp3zqWo605Rx2twgwEMYAADpWpg5yzJba6R9pU/lOyzU8StvZyyjcIVAxjAAAYwgIGjGcg5tvWKmzA3uTXW6EKcq3BOeUigruqc01LRYTcevq1f6MXeKq04LoUoBjCAAQxgoHQNeDuotj88Rv5tzl2yp/ER2b8hSblYquUi14VtDGAAAxg4noFd8w4Polb9SNoavi3uvDHiJIcfrXzi+xSTGMAABjCAAQwcdGxrt2ObS5yEGZO4eVoeRh8cotAT0BPP/7yOhKKpaLBeK+MVisPSLQ5ZW9YWAxjAAAZ6y0BD9fmy8g5LWh4ZK3+cdYe8vuzn0rZjDuXd8co7fo4RDGAAAxgoBQPbZ0j7yoelbeG3JfvrCeLMuIySkZIRAxjAAAYwgIFjGvBu0+faZr2TCEcPJCsGFfochfPLcwLeM6fSseAgrYJjtAql3n/mlPRWccVxKUUxgAEMYAADpWugaUq5rL57pOz40Q3yx9l3Suum6RSOpVA4cg04xgAGMICBjxpomSu5DU9IW9PdnYMod+aV7IqifDxm+eiQD/lgAAMYwMBhA62Oba7M2Ob4A/GLB+d51MHhii0Bbzjl7ZxKVwfDKRVaq5XhaGUcpDgs3eKQtWVtMYABDGCgtwykoyFpjJXLim+F5XePVclLDQ9LZvMMaW+ZR6n30VKPr/GAAQxgAAPFYGDXfOlomSsd22ZI29L7xZ1/w+HnRE0bQcFGyYoBDGAAAxjAwPEMHHJsa7+bMDe6dsW1e+OXfEnigbJim59wvr2cQHz06M+mI8Mu1cpYmlbGS1oZud4qrTguhSgGMIABDGDAHwaWfyssfx+fLHuaHpX31iXE3T5bOrySqxjKOM6RdcIABjCAAR8ayG2vldymX0r78gcl+5tqcRhCHa904+cUsxjAAAYwgIEjBjoc23rVTZib3ETFlb080uDwpZJAXdU5p6Wiw27UUSOtVehFSkN/lIasM+uMAQxgAAO9aaBh0gWy8YHR8s/JW+TF9MOy97mnJMdwirLXh2UvA9mncY97DBSigZY5ktsYl/aVP5Rs6mZx51wrTrKSgu1IwUYWZIEBDGAAAxg4toGDjm3tdpLmUidhxmTOqFNLZV7CdfRhAgti5QN1JBTtfOZU1Hi5N4sqjk0RigEMYAADGPCHAe8Wf8tvD8vWH1wn/zL9Vtnd+GNxt82ioCzEgpJzwiUGMICBEjcwXzo2J6R9xd9IW/p2cZ8eK860kRRuxy7cyId8MIABDGAAA582sDeTMFNOIhw9kKwY1IcjDN6qFBOQQGBAOhYclI4Eb0hFg/VaGfspDf1RGrLOrDMGMIABDPS2gYWTLpCVd1TK9h+OkX+dcbu8ueJxdk9RAJd4AcwuIXaKYQADBWBg52zJrfu5ZBtul+z8G8WpvYJdUZ8u1ygcyQQDGMAABjBwfAMHnKTZnLHN8a32iCGlOB/hmvoxgXg8UFYXG/pFPXGoVR811mhlZLUyDvZ2WcXxKUQxgAEMYAADpW/A2z3VOPnrsvSWb8rmB6+W5599SFo3TZf2lnkMqRhSMaTCAAYwgIGeGvBul9syV3Kba6St8Q5x510vbu3lPCvq+EUbZSQZYQADGMAABj5t4JBjWwfchLkxW1N53XvTLjpD4oGyfhxd8NZ+SCA+evRn66uDI7Uylmpl7NbKyFEYln5hyBqzxhjAAAYw0JcGFk39hux8ZKw8X/838u5zNeJsncmAqqelJK+n2MYABjDgHwO75ktue63kNjwp7Uvvl+yvJ1CqfbpUIxMywQAGMIABDHTdQIdjW696wyg3Gb7CD3MQrrEAE2iOnXtqKjrsRq2MBq2MF/qyqOK9KEYxgAEMYAAD/jGw9t7L5B+emiL/U/egvL3qSWnbOdc/pSIFMmuNAQxgAAMnYmDHLMmtf1zalj8o2WeniDvzSsq2rpdtZEVWGMAABjCAgU8bOOjY1m7HDi9zkhWTJT76lAIcVXBKfktgQax8YEqFlFahlI4aL1MS+qckZK1ZawxgAAMY6EsD3u6pTQ+Mln+smSp/fvYheW9dgqLyRIpKfhcvGMAABkrTwK55ktv4S2lf/qC0pW7pvD2fkxxOqfbpUo1MyAQDGMAABjBwYgbeydhh7dSEq/fHzbP8Nvfgegs8AQkEBqRjwUHezqlUNFivlbGvL0sq3otSFAMYwAAGMOAfA+nqkCy/vUI2PXC1/JN9s7yy+KfStmNOaRaNFMisKwYwgAEMHM2Atytq9Y8lWxcTd/4N4sy4TJxkJWXbiZVt5EVeGMAABjCAgU8bOODY5oqMbY5vtUcMKfDRBKfn9wTi8UBZgzrvSyn1teEpZax+/3lThygK/VMUstasNQYwgAEM9KWBhZO/Lktv+aas++7l8ofpt8qBDdMk1zKP508drcDk+5TbGMAABorXwK750tEyV3IbnpBs+jZx514rbi2DKOfTRRrlIplgAAMYwAAGTtzAIce2Mm7C3JS1rev3J4efKfFAmd/nHVx/kSXQHAt8Jh0xRuiIsez92/rl+rKk4r0oRTGAAQxgAAP+M+ANqbY8dK3816/ulbdWPiGZLbUMqCigi7eAZu1YOwxgwPtDi+0zOgdRbU13H74134mXTBRzZIYBDGAAAxjAwNEMdDgJ6zUnYW5wE+blRTaC4HRJ4K8n0Bw799RnI8Eb0spYqJXxFwpC/xWErDlrjgEMYAAD/WFg+e1h+X9+HpH//s335Y0Vv2BARblNuY0BDGCgeAxsmyHta38mbUu/J9nfVoszfdTRiiS+T8mIAQxgAAMYwEB3DHQ4trXbSVrLnWTFZImXn/zX232+SwJFnMCCWPnAlAqptDK0Vsae/iineE9KUQxgAAMYwID/DHi7p7zb+/3+cSV/WnC/vL3qyeIpJSmQWSsMYAAD/jGwc47k1j8u7cu+d/g5UbOv5hlRlIzdKRl5DW4wgAEMYOB4Bt7K2GHtJKxJ++PmWUU8cuDUSeD4CUggMCAdCw7SatjYVDRYr5Wxl3LQf+Uga86aYwADGMBAfxhIR0OHnz91nzegispfUj8Qd+ss/5SdFNusNQYwgIHCNLBturSveEiyv510+PZ80y89XpHEzykbMYABDGAAAxjojoEDjm2uyNjm+FZ7xJDjt/n8BgmUUALxeKDsmfFfPaOhOjgypYxVWhkHtTIO9UdBxXtSjGIAAxjAAAb8Z6Ch+nxZcvPFsvbeS+UffjlZ3lj+C549RVldmGU168K6YKA0DeycLbnnfirZ+qniejuiZlzKrijKxe6Ui7wGNxjAAAYw0BUDrpsIb85OM8d4O6NEAgNKaNTApZDAiSfgDagaqodW6oixTCvjFa2MHOWg/8pB1pw1xwAGMICB/jaw+u4R8m9z7pI3lv9cDmycJu0t80qzCKXgZl0xgAEM9L2BlrmS2zZdct5zotK3Hx5EUaJ1pUTjd3CCAQxgAAMY6J6BDidZ+YaTsNY7SeuyE2/teQUJ+CCB5ti5p2oVHKOjwUatjOf7u5ji/SlHMYABDGAAA/40sGjqN2TbD6+X/5h/j7y27OdyYNN0dlFRYPd9gU3mZI6B4jewa57kttjSvvYxaVt8r2R/PYFSrXulGrmRGwYwgAEMYKDrBjoc29rt1JgrnGTFZKkzT/LBaIFLJIGeJbAgVj5QTwxO1FEjrZWxm0LQn4Ug6866YwADGMBAIRhY851R8rvHqjp3UL227GfSvnNu8ZekFN2sIQYwgIHeNbBjlrR7O6IW3yPZZ5S4M6/k1nxdL9IoHckKAxjAAAYw0H0Db2YSVtqpsSbvTw4/s2ctPa8mAZ8lIIHAgHQsOChVbYxPRYP1aRV6txCKKc6BghQDGMAABjDgTwNNUy6U5+4ZJbt+Ml7+tOA+2bu2pncLTQpj8sUABjBQXAZ2zZeOTU9J++LvSvY31eLOvU6caSMo1bpfqpEd2WEAAxjAAAa6bmC/k7SWZ2xzfKs9YojPRglcLgnkNwHveVOp2IVfTkeGXZpSoWaKQH8Wgaw7644BDGAAA4ViIB0NyeKbLhLv+VO/f1zJnqZHpI3dU8VVHFP0s14YwEA+DeyYKbnVPxb3mYi4s0aLM32UOHYlJVrXSzSyIisMYAADGMBA9w1k3UR4c6sdvuFAsmKQSGBAftt5jkYCPk/AG1DpiUOtlAou15HQa1oZuUIpqDgPylIMYAADGMCAfw0sveVi+afETfLa0sdk/8Zp0rZjDoVvPgtfjoUnDGCgkAzsnCO5LUlpX/2otKVuFrf2coq07hdpZEd2GMAABjCAgRM34D0z6k0nYa13ktZlDKJ8PjTh8vsmgYY7zjulPmpcr1WoSSvjeUpA/5aArD1rjwEMYAADhWSgcfLXZeMDo+VfZ9wuuxf+WPZtSEquZR5lciGVyZwLHjGAge4YaJkruc010v7cT6Wt6e7Dt+Y78QKJ0o3MMIABDGAAAxjoiQFvGLXbsc2VTqJikjTHPtM3bTzvQgIk8GECC2LlA1ORYJVWRoNWxu5CKqU4F0pSDGAAAxjAgL8NLL3tEml5dJz8n5nf7rzFX2brTIrg7hTBvAY3GMBAfxrYXivtqx+Rtqa7JLugSpzay3pSJPFaikgMYAADGMAABrpr4PWMbTY4NdbkffFRX/6wIOcLEiCBvk9AAoEBdVWhs9JRY0IqGqzXyniHEtDfJSDrz/pjAAMYwEAhGVg4+euy6q7hsvPHN8ofZ98pb618goK5Pwtm3ht/GMDA8Qx4u6I2PNG5Iyr7jDr8nKhpw7tbIPE6ykcMYAADGMAABnpiYL+TtJZnaqxxrfaIIX3fvvOOJEACR03Ae95UKnbhl3V06OVaGUsLqYziXChHMYABDGAAAxhIR0PSNOVCaf62JdsfHiP/89sHxN06i3L4eOUwP8cIBjDQVwa2TZf2Zd8Td0HV+4OokT0pkHgtBSQGMIABDGAAAz0x4LoJc2OrHb7hQPziwTw36qhjAX5AAoWRQHMs8Bk9cailVWiFVsbrWhk5ykDKQAxgAAMYwAAGCsmAN6RacvNFnTuoXkw/LPs3TJPs9tmS2zWfArqvCmjeB2sY8LeBHbMkt8WW9pUPS/Y31eJM84ZQlT0pj3gt5SMGMIABDGAAAz0x4D0z6i3HDq9zE+bl3jOjGEYVxryBsyCBLifQcMd5p9RHjeu1CjWllPHnQiqiOBeKUQxgAAMYwAAGPjCQrj5f1t57mfxz8hZ5Qf9A3lkdl/adc/1dFjMsYP0xgIHeMLBztuQ2PSXtax6VbP1N4s4e3ZPiiNdSPGIAAxjAAAYwkA8D3jBqt5MIr3ISFZMYRHW5/ucXSaBwE1gQKx/4bNSYkFbGQq2M3R8UQPxLGYgBDGAAAxjAQKEZaJp6oWx6YLT8Ydqt8mLDj2TfepvdU71RTHNMBh4Y8JGB+dKxJdm5I6qt4Vvi/mq8ONO5NZ9DiZiPEpFj4AgDGMAABnpmIGG9lkmYC52EGdsXH/Xlwm3YOTMSIIFuJVBXFTorFQlW6UjwWa2MtwuthOJ8KEYxgAEMYAADGPjAgHd7v+Y7LNny0LWdA6pXFv9Eci3zfFQiP821MjTBAAZ6ZmDnHGlf8xPxBlHZX08QZ+aV3J6P4rBnxSH5kR8GMIABDOTPwH7HDi/L1FjjWu0RQ7pVdvMiEiCB4kggHg+UNUYvOLMhEroipUKLPih++JcSEAMYwAAGMICBQjXQGCuX5beHZfODV8u/z71L3n3uqZ4VtRTd5IcBDJSsgfnSsblG2hbf07kjyvUGUdNGUKDlr0AjS7LEAAYwgAEM9MyA6yTMDa3TwjcyjCqOeQJnSQJ5S0ACgQF195onNVQPrUypULNWxptaGblCLaM4L4pSDGAAAxjAAAY8A97zpxbf9A3Z+oPr5P8+8z15b11C3G2zuMVfyRbs7BjrYG0ZoB3LwK750rFjluQ2J6R9xUPi/mqCOMnh4iQrKcx6VpiRH/lhAAMYwAAG8mfAe2bU244dXucmw1dInXkSz43KW83PgUigOBNouOO8U9IR4zpv51RKGX+m9KP0wwAGMIABDGCgWAwsu/Wb8ndPVMvz9Q/JWyufFGfrTArsYxXY/AwfGCgNAztmSm5jXNqbfyjZupi4tZdTnOWvOCNLssQABjCAAQzkx4A3jNrtJMw1TjJcXZzNOWdNAiTQqwk0jRlyen0kNE5Hg41pZbxULGUU50lxigEMYAADGMBAY+zrsu6+K+Tvn5wkf372IXl3bY208wyq0ijfGaKwjhg4bGDXPMltrpH25h9IVt8q7vwbDu+Kyk9pRPlGjhjAAAYwgAEM5NPAq5mEudBJmLH3pl10Rq+W2hycBEig+BOoqwqdpScGJ6aiwfr3b+snlH2UfRjAAAYwgAEMFIuBZbdVdD5/6u/jk+X51N+we4pCn6EOBorbwM5ZnYOoNn2LZH81XpwZl+WzMOJYFJAYwAAGMIABDOTTwH4naS7N2OZ4nhlV/HMCroAE+jSBeDxQ5g2n0tHgVSkVatLKOFQsRRTnSWmKAQxgAAMYwIBnoGHSBbLs1ktk/f1XyB+St8ibzY8XdzHNYIH1w4B/DLTMldyGJyTbeIe4T48Vx7s9n/esKEozMsAABjCAAQxgoDANOI5trc/Y1tjW2sqz+7TI5s1IgARKKwEJBAY0x8pPbqgeWqmjxkqtjLe1MnKUfZR9GMAABjCAAQwUk4F09fnSGCuXdfddLv8x7zvyzppfSmZLLbf4Y8jhnyEHa13Ya71rnnTsmNV5e762xd8Vd94YcaaNECdZSfFWmMUb68K6YAADGMAABmzLe2bUO07CWu8mKq6Up4OfEwkMKK12nKshARLo1wSeHhv8XEoNvVZHjMVaGc+ze4oyspjKSM4VrxjAAAYw8FEDi6Z+Q7b98Hr504L7O3dQZTbXSm7X/MIurRkqsD4YKDkDuW0zJLf+cWlf+j3J/iYqzvSRFFyUnBjAAAYwgAEMFLoBbxi1x7HN59oSl0T6tbDmzUmABPyRQNOYIaenqo3xOhpsTCvjpY8WPHxN4YcBDGAAAxjAQDEZaKg+X9Z8Z6T8/vGo/Of8e+SN5selfefckiu+OxhmsKYYKBwDLXM6b83XtvxByT47Rdw517AjivKx0MtHzg+jGMAABjDgGTjk2NYrGdtsdOzwlL3xS77kjzacqyQBEiiYBBqjF5yZjgYjqWiwXivjjWIqoDhXClMMYAADGMAABj5poGlKeefzp7wB1X//9vuyd12C3VMMMgpnkMFaFP9abE5I27IHpC11s7jzb2BXFOUeBS8GMIABDGCgaAxkbGufkzQXZ2rCE1rtEUMKpqDmREiABPyXQDweKKurCp1Vr4Kj66PBRq2Mjk8WPPyf0g8DGMAABjCAgWIykI6GZOkt35Q1d4+Uv3uiWnY3/rj4y3AGGqwhBvrHwM7Zklv7M8mmbxV37nXizLiMXVEUkEVTQDqsFWuFAQxgAAO25Ti2uTZjW2NbayvP9l/7zRWTAAkUbAISCAxouOO8Uxqqh1amlLFKK+MdrYxcMRVQnCuFKQYwgAEMYAADnzSQrj5fGid/XVbdWSn/ZN8sbyz/hWS21HKLPwYc/TPgIPfCz71lrnTsmCW5DU9K28JvizN7tDjTRjKIotSk1MQABjCAAQwUk4GDjl35rpOw1rvJiqtkzqhTJR4oK9himhMjARIggafHBj+Xjg67Jq2MJVoZf9HKOPTJgof/U/phAAMYwAAGMFCMBhpj5bLx+1fJH2ffKa8t/Zns3zhN2lvmFX5RzjCDNcJA7xnYNV9yW6dJbt0vpG3xdyX766piKp04V0pSDGAAAxjAAAY+MNDh2NYexw6vyybDE2i5SYAESKDoEmgaM+T0+khoXFoZC9PKeKkYiyfOmcIUAxjAAAYwgIGjGVh22yXyu5+Ml3+fe7e8svgnktk8o/dKbwYKZIuBwjPg3Zpv3c+lbcl9kv3tJHFnXcWOKEq9D0o9/sUCBjCAAQwUk4FDjm294iTCTY4dniLTzS8WXRHNCZMACZDARxNIxc79ckqFVCoarNfKeP1oxQ7fp/TDAAYwgAEMYKAYDSyc/HVZffdI2fnjsfL//fo+eXt1nN1TDFAKb4DCmuRnTXbNk9zGuLQtvV/a6qeKO/d6cZLDi6l04lwpSTGAAQxgAAMY+NBAxrb2ecOoTI01sdUeMeSjnS5fkwAJkEBRJxCPB8rSseAg77Z+KWUs1MpoL8bSiXOmLMUABjCAAQxg4FgGltx8ceeAquXRcfKnZ+4Xd9us/BThDBTIEQP9a8B7TtSaR8StmyzunGvFmXEpu6Io9D4s9ByyIAsMYAADGCg+AxnHNp/L1FjjWmsrzy7q4pmTJwESIIFjJSCBwIDm2LmnNlQPrUwpY7VWxl6tjNyxyh1+RvmHAQxgAAMYwECxGUhHQ+LtoPJu8fe3T1TL7sYfS2ZLrbTtnNu/xTqDDfLHQNcMtMyVju21nc+JyqZuEce7Nd/0kQyiiq9woyRlzTCAAQxgAANHDBx07Mp3nYS5wbXNq2XmxadLPFB2rC6Xn5EACZBASSXQHCs/uV4FR6eVsUQr4y9aGQeLrXDifClJMYABDGAAAxjoioF0dUjWfGek/Mv0W2VP0yOyd22NtO2Y07VynCECOWGgbwy0zJXc1qTk1v5M2hrvEnfe9ZRYR0ossiALDGAAAxjAQPEa6HBs82UnYa3PJq1xJVUwczEkQAIk0J0EmsYMOb0+EhqXVsbCtDJe6kqxw+9QAGIAAxjAAAYwUKwGFk25ULY8dI3879pvde6g2r9xmuR2ze+b0p3hBjlj4NMGts+U9jWPStuieyT7GyVO7eWUbsVburF2rB0GMIABDGDgiIFDncMo21rk2OEpEh/xhe50t7yGBEiABEo2gSXjv3qGjoSiqWiwXivj9WItmjhvSlIMYAADGMAABrpioKH6fFl5Z6Xs+NEN8s/JW+S15T/n9n4MTD49MCGT3smkZU7nrfnaFt8rWe85UbNGc2u+IwUWZR5ZYAADGMAABorcQMa29mVsszGTsCKt9oghJVsoc2EkQAIk0NME4vFAWToWHJRSQ6/VymjQysh2pdThdyj/MIABDGAAAxgoZgPe86dW3TVctj88Rv5j/j2dt/dj99TTvTOMYMjj71y3z5D25Q9I9pmIuHOuEWf6KEq3Ii/dHM4fwxjAAAYwgIGPGsg4trkmY5vjW2srz+5pV8vrSYAESMA3CXjDqaYxF5/eUD20MqWCz2ll7NPK6CjmsolzpyzFAAYwgAEMYOB4BtLRkDRO/rosu/USaXl0nDxf/5A4W2olu2MOt/hjmOTvYVK31n++dLTMlY7ttZJb/Yi4v60+fGu+aSPFsSs/Wt7wNWUeBjCAAQxgAAPFbOCgY1t73YS50a0JXyPx8oESD5T5pkjmQkmABEgg3wk0x8pPTkeDV2llLNXKeEEr4+DxCh1+TumHAQxgAAMYwEBJGM83TLsAACAASURBVIgasuy2S+T3j0flBf1DeWfNL8XdNpvhRLcGFOy86vBLbjvnSG5L8vBzovSt4s6+uphLJs6dkhQDGMAABjCAgaMZ6PCeGeUNo7J2+IZ8d7IcjwRIgAR8n0DTmCGn10dC49LKWJhWxkslUTQpCkPWEQMYwAAGMICBrhlojJXLuvsul3+2b5a/pH4g761LSHvLPAZUfhm0cJ3HsT5fcltsaV/9iLQ13S3ugipxksOPVuDwfco9DGAAAxjAAAaK2cAhbxjlJM3Fjh2eIjMu+7zvi2MCIAESIIHeTKAuNvSLOhKKahVK6UjoNYqsrhVZ5EROGMAABjCAgRIx4O2euvUS2fbD6+UfEzd17qDKbJ5xnMKeXUK+2SXkt+HVjlnS/txjnYOo7IKIuDOvFCfJrfl4zpJVzEUj505RjgEMYAADRzWQsa19GdtsyNSYqtUeMaQ3O1iOTQIkQAIk8JEEvGdOpWPBQfVR43odNdI6YrgUbSVStLF7TLCMZQxgAAMY6KqBhZMukBXfCsvG718lf5x9p7y58gl2T/ltKOPL650vHZsT0r74u5JdUHX49nzTRhy1vGFAw4AGAxjAAAYwgIESMNDq2NbqjG2Ob62tPPsjNSlfkgAJkAAJ9GUC3nBqQax8oJ441Eqp0FqtjANaGR1dLXL4PUo/DGAAAxjAAAZKxUDj5K/L4psu6hxQ/efT90jrpunStmOO5HbNZxeVLwc3JbQ7zjPcMlc6ttdKe/MPxP31BHFrLxOHQRSDOP6SHgMYwAAGMFDaBg66tvWemzA3uXbFtRIf8QWJB8r6snvlvUiABEiABI6RQN295kmpicaVOmIs0yr0IsMpSsZSKRm5DixjAAMYwEB3DDRNuVB2PTpO/u8z98vbq54UZ8tM6WBAxYCumAZ0O2dLbnONtK98WLL1U8WdeQXFW2kXb6wv64sBDGAAAxg4bKDDsa1XvGFUtqbiumPUofyIBEiABEigEBKoqzrntPpIaJxWRkNaGS91p8ThNZR/GMAABjCAAQyUioF0dUhW3TVc/v7JyfLfv/m+vNn8uLTtnMtwppiGM34615a5kttUI+2rfiRtC+8Q9+kbKacoKDGAAQxgAAMY8IuBg45t7XFsc4ljh6dIvHxgIXStnAMJkAAJkEAXE1g8NviF+qhRrVUopZXxaqkUS1wHJSkGMIABDGAAA9014O2e2vC9K+UffhmTP9c9KPvW29zez08Dn0K+Vu/WfN4gquHbkv31BHG82/NRwJEBBjCAAQxgAAM+MZCxrX2ZhJV2EuHogfjFg7tYf/JrJEACJEAChZaA98yppuiwwVoFx+iokdbKyHS3xOF1FIAYwAAGMIABDJSKgYbq82XZbRWy/r4r5PePK3l16WPsnirkgU2pntuuuZLb8ETnjihvEOXOukqc5HDKN5+UbwwdLaxjHQMYwAAGPAOtjh1elakJT2i1RwwptG6V8yEBEiABEuhmAt5wSk88//N64lArFTXWaWU4WhkHS6VY4jooSTGAAQxgAAMY6K4Bb0C1+OaLZO29l8m/zLhd3lz5hGS3z2YHVakOgvrzurxnmrXMlY4ttrQvua/z1nyutyNq2ghKOUo5DGAAAxjAAAb8ZOCQY1v7Dz8zqvK6vfFLviTxQFk3a09eRgIkQAIkUOgJ1N1rnqSjQy/XEWPZ+8+c6uhuicPrKAAxgAEMYAADGCg1AwsnXyCbH7xG/nP+PfLWyifkwKbp0t4yj2dQ9ecwp9jfe/tMyW2MS/uKhyT720niTB/pp9KJa6VkxQAGMIABDGDgAwMdjm296iasLW6NNbrQO1TOjwRIgARIIM8J1FWdc1p9JDROK6Ph/eGUlFqpxPVQlGIAAxjAAAYw0F0D6WhIlt12iez6yXj5r1/dK68u+am4W2cxnCr2AVFfnf/O2ZLb+KS0r3xYsqmbxZ09+oMyhn8p5jCAAQxgAAMY8JuBg45t7XGS5lLHDk+RuHlanmtODkcCJEACJFBMCXTe1k8Zk9LK0FoZr3S3uOF1lH4YwAAGMIABDJSqgcbJX5c13xkpv/+Fkv/61Xfl3TW/lPadcxlQ9dWAp5jex7s1X/MPpE3fKu7TY8WZPspvpRPXS9GKAQxgAAMYwMCHBlzbei9jh7VTE64+EL94cDF1ppwrCZAACZBALybgPXOqKTpscDoSvOH94VRrqZZKXBeFKQYwgAEMYAAD3TXg7Z5acvPFsu67l8vvHquS//7tA5LZUstwqpiGRr1xri1zJLf2MWnTt0nWG0TNvEKc5PAPyxiHYoosMIABDGAAAxjwn4FWxw6vyiTCVa32iCG9WGtyaBIgARIggWJOwBtO1cWGflFPHGqllLFeKyOrlXGwu8UNr6P0wwAGMIABDGCgVA2kq8+XRVO/IavuHC7/aN8kry59TNxtsyXH86dKf0i3a750tMzrfE5UW9Nd4s4bI27tZQyi/Fe2UbCy5hjAAAYwgIGPGzjk2NYBNxHenLWt69+bdtEZEg+UFXNXyrmTAAmQAAn0YQLx0aM/m6oedllKBZdrZezRysiVaqnEdVGYYgADGMAABjCQDwOr7hohf5h2q7zZ/ITs35CUth1zSn9A0xs7jwrxmLvmS257reQ2PCntS78n2WcilFAfL6HIgzwwgAEMYAAD/jXQ4SSs19yEtcVNVlzVh/Ulb0UCJEACJFCKCdRVnXOaVqGxaWUs1Cr0Yj4KG45B8YcBDGAAAxjAQCkbWHzTN2T7D8fI/5l1h+xZ9Kgc2Did4VQhDpq6cE657TMlt+EJaV/+kGTrYuJ6t+bzb+HEtbP2GMAABjCAAQx81MBBx7b2OElruWOHp8icUaeWYjfKNZEACZAACfRTAgti5QO1MiZ1PnMqarxcykUS10ZRigEMYAADGMBAPgykq0PSfIclux4dL3+cfWfnLf7YPfV04Q/ods2T3KanpH35g5Ktv6nz9nw8I8r6aAHF1xSSGMAABjCAAQzszSSstJOwJh1IVgzqp7qStyUBEiABEij1BCQQGNAUHTZYq2HezimtlbE/H4UNx6D4wwAGMIABDGCg1A00TSmX1XePlJZHx8l//epeeW9tTeEPZ7qwk6ijlH5n5yxpb/6BZJ+dIu78G8SpvVycZCWlG6UbBjCAAQxgAAMYOGLggGObKzOJcFWrPWJIqXehXB8JkAAJkECBJBCPB8oa1HlfSqmvDU9FjXVaGe1aGYdKvUzi+ihMMYABDGAAAxjoqYF0NCSLpl4oy2+rkJ2PjJU9TY+Iu22W5HbNZ0jV1wMuL/OWOZJb/wvJNtwu7tzrxJlxKYOoI6UTBRxZYAADGMAABjDgGTjk2FbGe2ZUdpo5Zn9y+JkSD5QVSE3JaZAACZAACfgtgeZY4DM6GhyVUsHl+vBt/XI9LWt4PYUfBjCAAQxgAAN+MrD89gr5/RNReanhYdm33pbs9tkMqHprQNUyV3Lbpnc+J6pt0T3izrmWso2yDQMYwAAGMIABDPx1Ax2Obb3uJsKb3UTFlX7rPLleEiABEiCBAk+gruqc07zb+ulosFEr4wU/FUlcK8UpBjCAAQxgAAP5MLBw8gWy6YGr5V+m3yYvLfyRvLcuIbmWeQyo8jCg8gZR7et+Lm1L75fsMxFxpo+ifPrr5RO5kAsGMIABDGAAAwcd29rj2OYKxw5PkfjoUwq8luT0SIAESIAE/JzAglj5wPqoUa2jRvr9nVOSj5KGY1D2YQADGMAABjDgFwPeLf6W3vpN2f7wDfKvMw4PqDJbahlOnehwyrs134YnDg+i6iaLO+cabs1HyUbRigEMYAADGMDAsQ28k0lYaafGmnwgWTHIzx0n104CJEACJFBECUggMKApOmxwQ2ToOK1CKa2MfX4pkbhOClMMYAADGMAABvJpYOGkC6T5Dku2/fB6+d8zvy1vr3pS2tk9dewB3bYZRwZR88awK+rYxRPFHPlgAAMYwAAGMOAZOOAkzeZMIlzVWlt5dhHVkJwqCZAACZAACRxJIB4PlD0z/qtnNFQHR6ZU8DmtjINaGYfyWdRwLIo/DGAAAxjAAAZ8YSAakqZYuXjPn9r80DXypwX3i7ttluR2zT/2gOZEdxcV5e/Pl46dsyW39jHJpm4Sd/Y1hwdRyUpKNko2DGAAAxjAAAYwcGwDrpuwtrTa4Rv2x82zJB4oO9Ls8RUJkAAJkAAJFHECzbHAZ9IRY0RKBZdrZbyilZHzRYGkKApZZwxgAAMYwAAGesfAoqnfkN89ViV/fvZBeXfNU51Dqo6iHCo9feKDNe/WfNumS857TlT6dnFmjaZwOnbhRD7kgwEMYAADGMDABwY6nGTlG27C3OQmw1cUcd3IqZMACZAACZDA8RNojp17aio67EatQk1aGS9QUvVOSUWu5IoBDGAAAxjwl4GVdw6X//XUFHkx/XDnLf6y22ef+KCn0Adau+ZLbost7Wt/Jm2L7pHsryeIkxz+QbnCvxRtGMAABjCAAQxg4NgGOhzb2u3dps9JmDGJl598/CaP3yABEiABEiCBEklgQax8oI6EoloZDVoZeyjO/FWcsd6sNwYwgAEMYKB3DCy66Ruy6YHR8o+JqfJ8/UOyf0Oy+IdTO2dLu7cjyhtEPaPEnXWVONyaj9Lt2KUb+ZAPBjCAAQxg4OMG3srYZoM3jPJu01ci9SKXQQIkQAIkQAInloAEAgOaosMGp6qN8VqFUloZeymoeqegIldyxQAGMIABDPjLQMOk8w8/f+rBa+Qfa6bKnqZHpG3HnOIZUHm7ojbGpW3xvZL9bbW4c69jV9THiyWKNvLAAAYwgAEMYKArBg54O6MyiXBVa23l2SfW3PHbJEACJEACJFCiCcTjgbJU7MIvpyPDLq2PGmsozfxVmrHerDcGMIABDGCgdw0snHyBLLv1Etn4/avkj7PvlPfWJgp3OLVjluRWPyKuN4jydkRNHyWOXdmVwoXfoZjDAAYwgAEMYAADRwxk3YS5tXVa+MYDyYpBIoEBJVorclkkQAIkQAIk0LMEvAFVQ/XQSq1CK3Qk9JpWRo6iqneLKvIlXwxgAAMYwIC/DKSjIdnyN9fKnxbcL++sjktmS620t8zrh0HVfOnYOVtyW5OSW/MTyT47RZwZl1ImHSmTyIIsMIABDGAAAxg4EQPeM6PedBPmRjdhXt6zho5XkwAJkAAJkIDPEmiOnXvqs5HgDSkVWqSV8RfKMn+VZaw3640BDGAAAxjoGwPLbq+Q3/10QueA6q2VT4izdWbvD6da5kpuc0La1zwqbQvvEHfemBMpW/hdyjkMYAADGMAABjDwcQPeMGqPY5srvWdGSZ15ks9qRC6XBEiABEiABPKXwIJY+cCUCqm0MhZqZeyhoOqbgoqcyRkDGMAABjDgLwPeLf7W33+F/N2T1fKnBffJO6t/KbmW+fkdUO2YKe2rfixtjXdKdsFEcWov59Z8Hy+UKNjIAwMYwAAGMICBEzXwZiZhLvSGUfuTw8/MXyPHkUiABEiABEjAxwlIIDAgHQsOSkeNCVqFUmkVepeizF9FGevNemMAAxjAAAb6xoB3a7/FN18kG753pfzt41F5vv4hyWye0f3hVMscya37ubQ13S3Z30QPPycqyTOiHAq3Ey3c+H3MYAADGMAABj5u4IBjmysyNeEJrbWVZ/u4NuTSSYAESIAESKD3EvCeN9UYveBMHR16eUqFmimn+qacImdyxgAGMIABDPjTQEP1+bL0lm/Kc/dcKv+UuEnean5Ccl199tT2Wmlf/oC4C6oOD6KmjaRI+niRRB7kgQEMYAADGMBAdwxk3UR4c8a2xh6IXzxYJDCg95o4jkwCJEACJEACJPBhAvHRoz+bUl8bnj48nHpdKyNHYebPwox1Z90xgAEMYAADfWAgGhJvF1XznZXyb3Pu+sSzp+ZLx45ZkttiS/uqH4n7jBKncwjFjih2RFndKdt4DSUtBjCAAQxg4OMGvGdGveUmzI1uMnyFxANlDKM+rAj5ggRIgARIgAT6NoGGO847RavgGB0xFmtl/IVSqg9KKcV74AwDGMAABjDgZwMrvmXK26vihzp2zpbc5prDz4lK3Szu7KspkD5eIJEHeWAAAxjAAAYw0BMD3jBqj2Nbq51kxWRpjn2mb1s33o0ESIAESIAESOCoCSyIlQ/UE4MTdTTYqJWxx89FEddOUYoBDGAAAxjAQG8aWHHbJfKmvudQW8O3xf31eHGmj+pJ2cJrKeswgAEMYAADGMDAJw0kK9/IJMyFjh2esj85/MyjFmL8gARIgARIgARIoP8SkEBgQDoWHJSKBKu0CqW0Mt7pzUKGY1P4YQADGMAABjDgRwMrbr5QXk9efchJcns+bs/H7fkwgAEMYAADGMizgf2Oba7I1IQntNZWnt1/LRvvTAIkQAIkQAIk0OUE4vFAWWP0gjNTE40rUxFjmR/LIq6ZkhQDGMAABjCAgd4ysOKmcnm95opDeS5g+AvpT/6FNP/HBAYwgAEMYMBPBlw3YW7K2NbYVnvEEJ4Z1eUakF8kARIgARIggcJJwNs5VXeveVI6YozQUWOlVsabWhm53ipoOC7lHwYwgAEMYAADfjDAUIq/CGcgiQEMYAADGMBAXgx4z4x6202YG91ExZVSZ57EMKpwekXOhARIgARIgAR6lEDDHeedUh81rtcRY7FWxvN+KIy4RopRDGAAAxjAAAZ6wwBDqbyUUH76y2+ulZ0OGMAABjCAgY8b8IZRe5yEucZJVkxmENWjyo8XkwAJkAAJkEBhJ7AgVj7w/WdONWll7O6NooZjUgBiAAMYwAAGMFDKBhhKMZTir+MxgAEMYAADGOimgYT1WsY2Gx07PGVffNSXC7tF4+xIgARIgARIgATylkA6FhykJwYnahVKaWW8XcrFEddGMYoBDGAAAxjAQD4NMJTqZgn18b+Q5i/GyQMDGMAABjDgLwP7HdtckakJT2itrTw7bwUXByIBEiABEiABEiieBOLxQFldVeisdDR4Vf3h2/pJPgsbjkUBiAEMYAADGMBAKRpgKMVQir+OxwAGMIABDGCgywZc1zY3ZpLWOIZRxdMZcqYkQAIkQAIk0KsJSCAwoDlWfnJ9dXBkShmrtDLe0srIlWKJxDVRjmIAAxjAAAYw0FMDDKW6XELxF/D++gt41pv1xgAGMICBDwx0OHblu07C3OAmK66Sp4Of47lRvVrtcXASIAESIAESKN4EGu4475R0xLgurYwlWhnP97S04fUUfxjAAAYwgAEMlJoBhlIMpfjreAxgAAMYwAAG/qqBDse29jgJc62TDFcXbzvGmZMACZAACZAACfR5Agti5QOfjRoTUiq0SCtjd6mVSVwPBSkGMIABDGAAA901wFDqr5ZQH/xlNP/yV/IYwAAGMIABfxp41UmEm5xEeOp70y46o8+LLN6QBEiABEiABEigNBLwnjmVUiGlVSj1/m39eO6UosTrbonH67CDAQxgAAOlYIChFEMp/joeAxjAAAYwgIEPDex37PCyTCJcxTOjSqML5CpIgARIgARIoN8TiMcDZelYcJCeOOzq93dOHSqFQolroBjFAAYwgAEMYKA7BhhKfVhC8Zfw/vxLeNaddccABjCAAc+A49jW+kzSGpexza/0e3nFCZAACZAACZAACZReAhIIDHh6bPBz9dXBkSllrNbKeEcrI9edMofXUAJiAAMYwAAGMFCsBhhKMZTir+MxgAEMYAADPjVw0LEr33UT5kbXNq+WOaNOlXigrPQaMK6IBEiABEiABEig4BLwhlMpNfRarYylWhl/0cpg9xS39ePWjhjAAAYwgAFfGGAoRRHp0yKSnRHsjMAABjDgXwMdjm2+7NjhdZmkqQqupOKESIAESIAESIAE/JNA05ghpz8bNSa8f1u/3cX6F8+cN3+tjwEMYAADGMBAVw0wlGIoxVAKAxjAAAYw4BMDhxzbetWxrUVOIjx1b/ySL/mn8eJKSYAESIAESIAECjqBxugFZ6ZUSGkVSmllvNnVUoffowDEAAYwgAEMYKDYDDCUooj0SRHJjgj/7ohg7Vl7DGDAM7Dfsc0lmRprYmtt5dkFXUpxciRAAiRAAiRAAv5MIB4PlKVjwUHp6LBrUirUpJXRUWwlE+dLMYoBDGAAAxjAwPEMMJRiKMVQCgMYwAAGMFDCBpzO2/TZ5viMbX7Fnw0XV00CJEACJEACJFBUCUggMKA5du6pDdXBkSkVfE4rY69WRu54BQ8/pwTEAAYwgAEMYKAYDDCUoogs4SKS3RHsjsAABjDgTwMHHdva6ybMTW5N+BqJm6dJPFBWVGUUJ0sCJEACJEACJEACXgJPjw1+zts5pSPGMq2MF7QyDhVD2cQ5UopiAAMYwAAGMHA0AwylGEoxlMIABjCAAQyUiIEOxzZfdhLmhmwiXEWTRQIkQAIkQAIkQAIlk0DTmCGnPxs1JujDt/XbfbSSh+9TAGIAAxjAAAYwUOgGGEpRRJZIEcluCH/uhmDdWXcMYMAzcMixrVecpLnYSYSnynTziyVTQHEhJEACJEACJEACJPDRBFKxc7+sI6GoVqGUVsYbhV46cX4UoxjAAAYwgAEMfNIAQymGUgylMIABDGAAA8VqIGNb+7xhVKbGVK21lWd/tLPhaxIgARIgARIgARIoyQTi8UBZU3TY4HTEuK4+GmzUymj/ZNnD/ykAMYABDGAAAxgoVAMMpSgii7WI5LyxiwEMYMDXBjKOba7N1IQnZGzzKyVZOHFRJEACJEACJEACJHCsBDqHU2MuPj0dMUakVGitVsY+rYyOQi2gOC/KUQxgAAMYwAAGPAMMpXxd6HHbK257hQEMYAADxWTgoGtb77mJ8GbXrrhW4uUDJR4oO1ZXw89IgARIgARIgARIwBcJNMfKT9YTh12tI8YyrUIvamUcpPij+MMABjCAAQxgoBANMJRiKMVOAwxgAAMYwECBG+jwnhnlJsyN2aQ1zhfFEhdJAiRAAiRAAiRAAt1JoGnMkNOfjRoTtAo1aWXsLsQiinOiIMUABjCAAQz42wBDKYrIAi8ii+kv+DlXdpxgAAMYyK+BQ94wyrHNJU4iPFXiI77QnW6G15AACZAACZAACZCA7xJYMv6rZ9RHjeq0MrRWxuuUf/4u/1h/1h8DGMAABgrJAEMphlIMpTCAAQxgAAOFZiBjW/ucRLjJSYSjrfaIIb4rkrhgEiABEiABEiABEuhpAp3PnIoOG1wfNa5PK2OhVka2kAopzoWCFAMYwAAGMOBPAwylKCILrYjkfDCJAQxgwNcGMo5tPpdJhKsytvmVnnYxvJ4ESIAESIAESIAEfJ+AN5xaECsfmI4YI1JRY51WxgGtjA6KQH8Wgaw7644BDGAAA/1tgKGUr4s/bjOV39tMkSd5YgADGOiegYPezig3Ed6cram8zrtNn8QDZb4vkAiABEiABEiABEiABPKdQHOs/OR6FRydUsHlaWW8pJVxsL+LKd6fchQDGMAABjDgLwMMpRhKsSMBAxjAAAYw0E8GOrxnRnUOo+zwDfnuXDgeCZAACZAACZAACZDAURJoGjPk9FS1MV6rUJNWxm7KQH+Vgaw3640BDGAAA/1pgKEURWQ/FZHsJujebgJyIzcMYKAUDBxybPNlJ2kudRLhqTLjss8fpS7h2yRAAiRAAiRAAiRAAr2ZQIM670taGZPSytA6EnqtPwsq3puCFAMYwAAGMOAPAwylGEoxlMIABjCAAQz0lQHvNn0Z22x0asLVrfaIIb3ZsXBsEiABEiABEiABEiCBLiTgPXOqKTpscDoSvEEro0FHDJdS0B+lIOvMOmMAAxjAQH8YYChFEdlXRSTvgzUMYAADvjaQcWxzTSYRrsrY5le6UI/wKyRAAiRAAiRAAiRAAn2ZgDec0hPP/3w6YoxIKWO9VkaGZ05RVvZHWcl74g4DGMBAaRtgKOXrgrAUbgHFNXArMwxgAAOFa+CQY1v73YS1JWtb1++NX/IliQfK+rJb4b1IgARIgARIgARIgAS6kUDdveZJqYnGlSkVXP7+M6c6KAhLuyBkfVlfDGAAAxjoKwMMpRhKsXMBAxjAAAYwkGcDHY5tveomzK3ZmorrulGD8BISIAESIAESIAESIIFCSKBpzJDTU9XGeB0NNr4/nJK+Kqx4H8pRDGAAAxjAQGkaYChFEZnnIpIdC4W7Y4G1YW0wgIHeNnDQsc2XHTu8zEmEp0q8fGAhdCmcAwmQAAmQAAmQAAmQQA8TWDw2+IX6SHCyjhpprYxXKQlLsyRkXVlXDGAAAxjoCwMMpRhKMZTCAAYwgAEM9NRAxrb2ZWyzwUlYk1rtEUN6WHvwchIgARIgARIgARIggUJLwHvmVFN02OBUdNiNWhkN7z9zip1TigKzLwpM3gNnGMAABkrHAEMpisieFpG8HkMYwAAGfG2g1bGt1Zkaa2JrbeXZhdadcD4kQAIkQAIkQAIkQAJ5TsAbTtXFhn4xpb42PBUxNuqI4WplHKQsLJ2ykLVkLTGAAQxgoDcNMJTydZHY27dx4vjcKgwDGMBAaRo45NhWa+czo6aZY96bdtEZEg+U5bnu4HAkQAIkQAIkQAIkQAKFnkDdveZJDZHQFVqFVmhl7NHK6OjNEotjU5JiAAMYwAAGit8AQymGUuxwwAAGMIABDHTRQIeTsF7LJMxtrm1eXegdCedHAiRAAiRAAiRAAiTQRwnUVZ1zWqraGK+jwUatjN0UhsVfGLKGrCEGMIABDPSWAYZSFJFdLCLZ7VCaux1YV9YVAxjoioGDjm2+7CSt5U4iPFXi5ml9VG/wNiRAAiRAAiRAAiRAAsWUgJ54/udT0WBMR420VsarvVVmcVyKUgxgAAMYwEDxGmAoxVCKoRQGMIABDGDgaAZc23ovY5sNTo01+UD84sHF1IlwriRAAiRAAiRAAiRAAv2QgPfMqabosMFaDRv7/nCqleKweItD1o61wwAGMICBfBtg00RDdQAAIABJREFUKEURebQiku9jAwMYwICvDbQ6trU6k7AirbWVZ/dDncFbkgAJkAAJkAAJkAAJFHMC3nCqQZ33pZT62vBUxNioldGulXEo38UWx6MsxQAGMIABDBSXAYZSvi4cu3LLJn6HW3thAAMY8I+BQ45tZdyEuTVrh2/Ynxx+psQDZcXchXDuJEACJEACJEACJEACBZBAfPToz6aqh12mVWiFjhova2V0UCAWV4HIerFeGMAABjCQLwMMpRhKsRMCAxjAAAZ8b6DDsa3XMwlzm5usuKoAagtOgQRIgARIgARIgARIoBQTqKs657T6SGicVqGmtDJeyle5xXEoSjGAAQxgAAPFY4ChlO+LSHZA+GcHBGvNWmMAA580cNCxrT1O0mx2EuGpMmfUqaXYfXBNJEACJEACJEACJEACBZbAglj5wPpIcLJWRoNWxisUicVTJLJWrBUGMIABDPTUAEMphlLskMAABjCAAV8a2JuxzQYnYcYOxC8eXGA1BadDAiRAAiRAAiRAAiRQ6glIIDCgKTpscKraGK+jRlorY39PSy5eT1GKAQxgAAMYKHwDDKV8WUR+8i/l+T+7JzCAAQz4x0CrY4dXZRJWpLW28uxS7zq4PhIgARIgARIgARIggQJPIB4PlD0z/qtn6GhwlFbGhvefN3WIUrHwS0XWiDXCAAYwgIHuGGAoxVCKHRIYwAAGMFDyBg45tuV6z4zKTgvfuD9uniXxQFmB1xOcHgmQAAmQAAmQAAmQgN8SaI4FPuMNp9Iq1Pz+bf1y3Sm7eA0lKQYwgAEMYKBwDTCUKvkikt0P/tn9wFqz1hjAwCcNdDjJyjfchLnVTVRc6bdOg+slARIgARIgARIgARIo0gTqqs45TathY1MqtEir0IsUi4VbLLI2rA0GMIABDJyoAYZSDKXYIYEBDGAAAyVn4KBjW3sc21zpJMJT5eng54q0juC0SYAESIAESIAESIAE/JzAglj5QK2MSWllLNRR4+UTLb34fYpSDGAAAxjAQOEZYChVckXkJ/9Knv+zcwIDGMCAvwy8k0mYCx07POVAsmKQnzsMrp0ESIAESIAESIAESKAEEpBAYEBTdNjgdNSYoKNGWitjHwVj4RWMrAlrggEMYAADXTXAUIqhFDskMIABDGCgJAwc8HZGZRJWpLW28uwSqB+4BBIgARIgARIgARIgARI4kkA8HihLxS788sLqYZelosa6rhZf/B4lKQYwgAEMYKCwDDCUKokikl0Q/toFwXqz3hjAwEcNtGUS5vaMbY31dkZJPFB25JM7X5EACZAACZAACZAACZBACSbQHAt8pr46ODKtQs06EnpNKyNH4VhYhSPrwXpgAAMYwMDRDDCUYijFDgkMYAADGCg6Ax2Obb3pJqwtbjJ8RQnWDFwSCZAACZAACZAACZAACRw/gebYuadqNWysjhiLtTJeOFr5xfcpRjGAAQxgAAOFY4ChVNEVkR/963i+ZrcEBjCAAX8Z8IZRe5xEeJX3zCiJl598/E/q/AYJkAAJkAAJkAAJkAAJlHgCC2LlA+ujRrWOBht11HiZ4rFwikfWgrXAAAYwgIFPGmAoxVCKHRIYwAAGMFAUBt7O2GajN4zaHzfPKvFagcsjARIgARIgARIgARIggRNLQAKBAU3RYYNTkWBVWhlaK2PvJ0sw/k8xigEMYAADGOh/AwyliqKIZCeEv3ZCsN6sNwYw8FEDBxzbXJlJWJGMbX7lxD6Z89skQAIkQAIkQAIkQAIk4LME4vFAWWP0gjMbIl+7oj5qrKF87P/ykTVgDTCAAQxg4KMGGEoxlGKHBAYwgAEMFKSBbCZhbsskrXEH4hcPFgkM8FmdwOWSAAmQAAmQAAmQAAmQQM8SiI8e/dn66uBIHTVWamW8rpWR+2gpxteUpBjAAAYwgIG+N8BQqiCLyI/+hTxfs2MCAxjAgH8MeM+MestNhDe7iYorJR4o69mncF5NAiRAAiRAAiRAAiRAAiQQaI6de2oqOuzGtDKWaGW8QAHZ9wUkmZM5BjCAAQx8YIChFEMpdkhgAAMYwEC/G/CGUXsc21rtPTNK4qM/S3VAAiRAAiRAAiRAAiRAAiSQ5wQWxMoH6kgoqlWoSStjzwflGP9SlGIAAxjAAAb6zgBDqX4vItkB4Z8dEKw1a40BDPw1A29mbLPRSYSn7o+bZ+X5YzeHIwESIAESIAESIAESIAES+GgCEggMaIoOG6wnBiemlaHTKvQuRWTfFZFkTdYYwAAGMMBQiqEUOyQwgAEMYKBfDBxwkmZzpsaamLHNr3z0czJfkwAJkAAJkAAJkAAJkAAJ9HIC8XigrK4qdFZqonHl+8+cEopSilIMYAADGMBA7xtgKNUvReRf+0t5vscOCgxgAAP+MJB1E9aWjG2Ob7VHDBEJDOjlj9scngRIgARIgARIgARIgARI4GgJeDun6u41T9LR4CitjFVaGW9qZeQoJXu/lCRjMsYABjDgTwMMpRhKsUMCAxjAAAZ63YD3zKh33ER4s5usuMp7ZhTDqKO1AnyfBEiABEiABEiABEiABPopgebYuac+GwnekFbGEq2MFyhL/VmWsu6sOwYwgIHeNcBQqteLSHY++GPnA+vMOmMAA3/NQIdjmy87tvmckzBj0hz7TD99vOZtSYAESIAESIAESIAESIAEuprAglj5wJQKqZQKLdLK2EM52bvlJPmSLwYwgAF/GWAoxVCKHRIYwAAGMNALBpKVbziJcJOTCE/dnxx+Zlc///J7JEACJEACJEACJEACJEACBZJAOhYclI4GI2llaK2MdyhN/VWast6sNwYwgIHeMcBQqheKSHYL/LXdAnwPFxjAgF8M7HeSZnOmxpqYsc2vFMjHaU6DBEiABEiABEiABEiABEigOwnE44GyuqrQWfUqODqlgsspKHunoCRXcsUABjDgHwMMpRhKsUMCAxjAAAbyYsD1nhmVsc3x3jCKZ0Z15xM/ryEBEiABEiABEiABEiCBAk1AAoEBzbHyk3U0OCqtjNVaGW9pZeQoUf1TorLWrDUGMICB/BhgKJWXItIvf/3PdbLTBQMYwMDHDXQ4duW73jDKtc2rJV5+MsOoAi0ROC0SIAESIAESIAESIAESyFcCDXecd4pWwTFaGUu1Mv5CSZmfkpIcyREDGMCAPwwwlGIoxQ4JDGAAAxg4YQMdjm2+7CTMtU7CjDGIytene45DAiRAAiRAAiRAAiRAAkWUwIJY+UA9MThRR4zFWhl7KFP9UaayzqwzBjCAgZ4ZYCh1wkUkuwQ+vkuAPMgDAxjwm4HXHdta5NjWTfvio75cRB+ZOVUSIAESIAESIAESIAESIIHeSCAdCw5KqZBKK0NrZbxNWdmzspL8yA8DGMBAaRtgKMVQih0SGMAABjDQJQP7naTZnKmxJnrPjOqNz7IckwRIgARIgARIgARIgARIoEgTiMcDZd5wSk8cdnVKGUsoVEu7UGV9WV8MYAAD3TfAUKpLRaTfdgFwvex8wQAGMHDEgOva5sZMMjyBYVSRFgScNgmQAAmQAAmQAAmQAAn0VQISCAx4emzwc+nIsEu1Cj6nlfGOVkaO8rL75SXZkR0GMICB0jLAUIqhFDskMIABDGDgUwYOOra1102EN7s14WskPvoUiQfK+upzLO9DAiRAAiRAAiRAAiRAAiRQAgk03HHeKfVR43odMZZpZbxAqVpapSrryXpiAAMY6J4BhlKfKiLZHXBkdwBZkAUGMOA3Ax2Obb7sJKz1TqJiUgl8DOYSSIAESIAESIAESIAESIAE+juBBbHygalIsCp9+LZ+uykxu1dikhu5YQADGCgNAwylGEqxQwIDGMAABixxEtZrTtJc7NjWTe9Nu+iM/v7cyvuTAAmQAAmQAAmQAAmQAAmUWAJ1VaGzdCQUTStDa2W8RblaGuUq68g6YgADGDgxAwylKKMpozGAAQz43MB+J2ktzySsCM+MKrEP/VwOCZAACZAACZAACZAACRRaAvF4oKwpOmxwSg29NqVCi7QyDlJmnliZSV7khQEMYKC4DTCUooz2eRntt1uTcb3cjg8DRww4TsLckEmGJ2RmVJxTaJ9VOR8SIAESIAESIAESIAESIIESTkACgQHNsXNPTUeGXZpSobVaGXu1MjooWou7aGX9WD8MYAADxzfAUIqhFEMpDGAAAz4ycNC1rffchLXFtSuulbh5msQDZSX8UZdLIwESIAESIAESIAESIAESKPQEnh4b/Fw6YlyXUsHlWhkvaGUcotQ8fqlJRmSEAQxgoDgNMJSijPZRGc0OkSM7RMiCLPxmoMOxrVe8nVFOIhwt9M+knB8JkAAJkAAJkAAJkAAJkIAPE1gQKx+YigSrdMRYrJWxm7K1OMtW1o11wwAGMHBsAwylGEoxlMIABjBQwgYOObb1qmObS5yEdfPe+CVf8uFHWy6ZBEiABEiABEiABEiABEigmBJojF5wZn3UqNZRI62V8Sbl5rHLTfIhHwxgAAPFZYChFGV0CZfRftsJwvWy+wkDHzew30maSzM1pmqtrTy7mD6Dcq4kQAIkQAIkQAIkQAIkQAI+TyAeD5Q1RYcNPnxbv9AinjdVXIUrBTnrhQEMYODoBhhKMZRiKIUBDGCgxAw4jm2tzyTCVZkZFef4/KMsl08CJEACJEACJEACJEACJFDMCXjDqbqqc05LR4Zdmooa67Qy9jGgOnrRSQlMNhjAAAYK3wBDKcroEiuj2Sny8Z0i5EEefjFw0LWt99yEtSVbU3GdxMsHSjxQVsyfPTl3EiABEiABEiABEiABEiABEvhYAk+PDX4upYZem1LB5VqFXtTKOET5WvjlK2vEGmEAAxj4uAGGUgylGEphAAMYKGIDHY5tveImzE3ZZMXEj31g4z8kQAIkQAIkQAIkQAIkQAIkUIoJNI0ZcnoqEqzSEWOxVsZuys6Pl53kQR4YwAAGCtsAQynK6CIuo/2yA4TrZLcTBj5t4JBjW696z4xyEtbNMt38Yil+1uSaSIAESIAESIAESIAESIAESOCoCaRi535ZK2OSjhpprYw3KGELu4RlfVgfDGAAA4cNMJRiKMVQCgMYwECRGdjv2OYSpyZc3VpbefZRP6DxAxIgARIgARIgARIgARIgARIo9QS8Z041RYcN1io4RqtQk1ZGO6UnxTcGMIABDBSyAYZSlNFFVkazY+TTO0bIhEz8YiDj2OF1mRprYmZGxTml/tmS6yMBEiABEiABEiABEiABEiCBLifgDacWxMoH6mhwVEoZ67UyDmhldBRyKcm5UZpjAAMY8KcBhlIMpRhKYQADGChgAwcztrXPTZhbs7Z1vcRHfEHigbIufzDjF0mABEiABEiABEiABEiABEjAbwk0x8pPTkeHXaNVaEVaGS9pZRyk+PVn8cu6s+4YwEAhGmAoRRldwGW0X3Z/cJ3sdMLApw10eM+MchPhzVnbHO+3z5BcLwmQAAmQAAmQAAmQAAmQAAn0OIGmMUNOT0WCVTpiLNbK2F2IxSTnRGGOAQxgwH8GGEoxlGIohQEMYKCADBxybOsVxw4vcxLWzd7OqB5/EOMAJEACJEACJEACJEACJEACJODnBJaM/+oZ9ZHgZB010loZr1MA+68AZs1ZcwxgoJAMMJSijC6gMprdIp/eLUImZOInA/sd21rkJKxJrbWVZ/v5MyPXTgIkQAIkQAIkQAIkQAIkQAJ5TcB75lT9xK8NSUeCN+hosFErI1tIBSXnQmGOAQxgwD8GGEoxlGIohQEMYKCfDWQc21ybSViRzIyKc/L6wYuDkQAJkAAJkAAJkAAJkAAJkAAJHEnAG07pied/XkeDo7QyNmhlZHjmlH+KYEp/1hoDGCgEAwylKKP7uYz20y4QrpVdTxg4YsC7Td+BTMLclp1mjnl3uvlFiQfKjnxS4isSIAESIAESIAESIAESIAESIIFeTaA5Vn5yvQqOTqtQ8/vPnDpYCGUl50BpjgEMYKC0DTCUYijFUAoDGMBAHxrocGzrVTdhbs1OC9/Yqx+wODgJkAAJkMD/396dRMl11nmDTku2POBRDLKNDm0p701Xi/KguDcxxhhkBmN5yHhDVJhpw4pd96YX3+Y7faJLcVOYOp9xGWyQM95IWx5JDBRVBUVBVfeuV929LbCBAjwy2pYUNyQ7pegTtovRg4aMzBieBQfbyoy493l/irjx/503LgECBAgQIECAwJsL7Lt+01vuqaU3t8LM/a+WUz0D4fEeCFtf6ysDMrCWGVBKGUav4jDaLpE/7BJhwWLSMtDfGfVUOZ8/UjbzT/Vuu+acN/9k5CcIECBAgAABAgQIECBAYNUEFsMl57dqST2GdDFWZ55Zy4Gl5zYwlwEZkIHxzYBSSimllJIBGZCBQWagU+QvlM3KvnJ3/jcHvzB74ap9oPJEBAgQIECAAAECBAgQIHB8Av17Ti3MbdkUw/TOdkjvjdW0azA8voNha2ttZUAG1iIDSinD6EEOoz22fMnARGegUxbZtzrNvNopsouO75OQnyZAgAABAgQIECBAgACBNRPol1N761vPi7Xk6lZIv/NqOeWeU8EAey0G2J5T7mRgvDKglJrogfGkfX2Y8/WVeTIw+Az0v6bvYKeZ/Wv/nlHP77nsgl5jat2afZDyxAQIECBAgAABAgQIECBwcgJ7P5ed1q4lH2yHmaUY0idiSJcNiMdrQGw9racMyMBqZkAppZSyk0UGZEAGViADy2Uzf6bTzL5/aPf2j5zcJx6/TYAAAQIECBAgQIAAAQJDJ7Dv+k1vuaeW3twKM/fHkP5iNQeYnsvAXAZkQAbGJwNKKcPoFRhG230y+N0njBkPawaOlEX2ZFlkXyub+ad6jW1nD90HJwdEgAABAgQIECBAgAABAisn8MDO5NwYkltfuefUzDMGxeMzKLaW1lIGZGA1MqCUUkoppWRABmTgRDLQKfIXOkV2X9nM6geLqzat3Cccj0SAAAECBAgQIECAAAECQy3Qv+fUwtyWTYvVrTe+XE6FtLMag0zPYWAuAzIgA6OfAaWUYfSJDKP9jtzIwERn4GBZZN/s7M5Cp8guGuoPSg6OAAECBAgQIECAAAECBAYn0C+nFsMl5y/uSt7bCsl3Y0gPx5AeNTQe/aGxNbSGMiADg8qAUmqiB8vD+nVgjstX1cnA8GXgaFnknZfvGVXkO/fPv+etvcbUusF9svHIBAgQIECAAAECBAgQIDBSAns/l522WJ25NtbSr8da+mQM6fKgBpoe17BcBmRABkY3A0oppZQdLzIgAzLwBhlYLov82U6z8oNukV03Uh+IHCwBAgQIECBAgAABAgQIrL7A3lsuPuueWnpzK8zcH0P6C4Pj0R0cWztrJwMyMIgMKKUMo99gGG23yvDtVrEm1mS1MnCkLLIny/lsqWzmn+o1srNW/5OMZyRAgAABAgQIECBAgACBkRWIc5eeE0Ny66v3nHp6EINNj2lgLgMyIAOjlwGllFJKKSUDMiADf5yBTpG/0Glm95ZF5daDxVWbRvYDkAMnQIAAAQIECBAgQIAAgbUV6N9zamFuy6bWrvSmV8upgwbIozdAtmbWTAZkYCUzoJQyjP7jYbR/lgcZmOgMHCyL7Jtls1LrFNlFa/vJxbMTIECAAAECBAgQIECAwNgI9Mupu2961wWxllzdCsl3X73f1NGVHHJ6LENzGZABGRiNDCilJnoAvVpfA+Z5fOWcDAxvBo6WRd7t3zPq0Hx+4/5G9rZeY2rd2HzwcSIECBAgQIAAAQIECBAgMFwCjR07Tm3tmr4m1tKvx5A+9WpB1TNMHo1hsnWyTjIgAyebAaWUUsrOGBmQgYnMwHI5P/vLfhnV3Z3vGK5PKI6GAAECBAgQIECAAAECBMZeYO8tF5/V/1q/WE0fiCH9xckOOf2+QbkMyIAMjEYGlFITOYy2a2V4d61YG2sz6AwcKYvsybLIvl4W+Sd7t1995th/0HGCBAgQIECAAAECBAgQIDC8AnHu0nNiSG6NteS+V3dO2TUVRmOwrACwTjIgAyeSAaWUUsouGRmQgYnJwHOdIruvbFY+caBx+TuG9xOJIyNAgAABAgQIECBAgACBiRLoTU2dsjC3ZVO7lt4cQ7oYQ7r/RAadfseAXAZkQAaGPwNKqYkZRg9694XHt8NHBoY3AwfLIv9G2azUOkV20UR9sHGyBAgQIECAAAECBAgQIDA6Ao3G1LpW/d0b7901fU0rpN+JIT1qwDz8A2ZrZI1kQAaOJwNKKaWUXTIyIANjm4HD/XtGdYrspgPz29/ea0ytG51PIo6UAAECBAgQIECAAAECBCZaYKk+tb5dnX5fDOmjsTrzTAzp8vEMPf2sIbkMyIAMDGcGlFJjO4y2a2V4d61YG2szyAwsl0X+q04z+353fvsHJ/oDjJMnQIAAAQIECBAgQIAAgdEX2HvLxWctVLfe2A7pg+2Q/tyQeTiHzNbFusiADBxrBpRSSim7ZGRABsYiA0fKInvy5a/pK7Z/sndncvrof/JwBgQIECBAgAABAgQIECBA4FWBOHfpOa1aUo9hZl8M6VPHOvz0cwblMiADMjBcGVBKjcUwepC7Ljy2XT0yMPwZ+G2nyO4rm5VP9L+mzwcWAgQIECBAgAABAgQIECAwlgK9qalTFua2bIpzyVwM6WIM6QuGzcM1bLYe1kMGZODNMqCUUkrZJSMDMjCyGThQFpVHy2al1imyi8byA4eTIkCAAAECBAgQIECAAAECfy7QaEytu6/2V29drG65thXSf3yzAag/NySXARmQgeHJgFJqZIfRdq8M/+4Va2SNBpWBw51m5QedIrvpYHHVpl5jat2fX5/7dwIECBAgQIAAAQIECBAgMBECjR07Tm1Xp98XQ/poDOmzMaQvGT4Pz/DZWlgLGZCBP8+AUkopZZeMDMjASGRguSzyX3ea2b9257d/sNebOmUiPlw4SQIECBAgQIAAAQIECBAgcCwCS/XNZy5Ut94YQ/pQDDM/+/MhqH83GJcBGZCB4ciAUmokhtGD2m3hce3kkYHhz8CRssieLJvZN/v3jOo1tm04lmtxP0OAAAECBAgQIECAAAECBCZSIM5dek4M6cdbYeb+WEufNIQejiG0dbAOMiAD/5UBpZRSyi4ZGZCBoc3Ab8pmZV9Z5J88ML/97RP5YcJJEyBAgAABAgQIECBAgACB4xXoTU2dsjC3ZVO7llRjSBdjSJ/7r2Go/zcYlwEZkIG1zYBSamiH0XawDP8OFmtkjQaVgQNlUXm0szsLnSK76Hivvf08AQIECBAgQIAAAQIECBAgMDU1tVSfWr/3lpm3tWvJB1sh+ZZB9NoOovnzlwEZ6GdAKaWUsktGBmRgaDJwqH/PqM585eaDX5i90H2jfIQiQIAAAQIECBAgQIAAAQIrINDfObVU37ahXZ1+Xzuk34gh/VUM6UsG5AbkMiADMrD6GVBKDc0welA7Ljyu3TwyMNwZWC6L/Lf9Mqq7O9/Ra+w4VRm1Ah84PAQBAgQIECBAgAABAgQIEHgtgaX65jNjmN4Zq+nDMcz8zEB69QfSzJnLwGRnQCmllLJLRgZkYE0ysFwW2ZNlkX2rbFY+0S+jXuta2X8jQIAAAQIECBAgQIAAAQIEBiBwV33b2Qu1dFespg/EWvqkIflkD8mtv/WXgdXLgFJqTYbRdq4M984V62N9Bp2BX5VFfn/ZzD+1v5G9bQCX1h6SAAECBAgQIECAAAECBAgQeDOB/tf67atNv6MVpkMM6WI7zPzOYHr1BtOsWcvAZGZAKaWUsktGBmRg1TJwoCwqj3Z2Z6FTZBe92bWxPydAgAABAgQIECBAgAABAgRWQWCpPrW+XU/evhCSHbGWft2gfDIH5dbdusvA6mRAKbVqw+hB77zw+Hb3yMDwZuBQt5l9rzNfublfRrln1Cp8oPAUBAgQIECAAAECBAgQIEDgeAX6O6fu3Jmc3to1fU0MybdiSH8dQ/qSQfXqDKo5c5aByciAUkopZZeMDMjAQDKwXBazv+uXUd3dlQ/1Gts2KKOO99OAnydAgAABAgQIECBAgAABAmsksFTffGarNn1DrKYPxzDzM8PyyRiWW2frLAODz4BSaiDDaDtWhnfHirWxNoPOwHJZZE+WReXbZVG5tbdUX79Gl8+elgABAgQIECBAgAABAgQIEDhZgbvq286O1ZlaO6QPxlr6pIH14AfWjBnLwHhnQCmllLJLRgZkYIUyMD/7y3I+e6Bs5p/aP/+et57sda/fJ0CAAAECBAgQIECAAAECBIZEYF9t+h39ciqGdDGG9LeG5uM9NLe+1lcGBpcBpdQKDaPtPhn07hOPL2PDnIEDZZF9vbM7C/17Rg3J5bLDIECAAAECBAgQIECAAAECBFZSYKk+tb5dT97erk1/qBWSRwytBze0ZstWBsY3A0oppZRdMjIgAyecgW63Wflup1m5pXPb9ovdM2olr/Q9FgECBAgQIECAAAECBAgQGFKB3tTUKYufveSMWNv6/laY+YdXd04tG6KP7xDd2lpbGVi5DCilTngYPcy7NhybXUUyMLgMHCmL/LluM/tet9j+4V5jxxm9xtS6Ib1MdlgECBAgQIAAAQIECBAgQIDAIAX65dQ91eRjr+6c+k+D65UbXLNkKQPjmQGllFLKLhkZkIFjysByWeRPlc38H8uicqtdUYO8ovfYBAgQIECAAAECBAgQIEBgxATuqm87e6GWVGNIH4ohfcIwfTyH6dbVusrAyWdAKXVMw2i7Tga364Qt21HIwLNlkT1YNvNPvdC4euOIXRY7XAIECBAgQIAAAQIECBAgQGC1BPr3nFqopbtiSBdjSH9jgH3yA2yGDGVgvDKglFJK2SUjAzLwuhnYXxbZ1zu7s9ApsotW6/rV8xAgQIAAAQIECBAgQIAAAQIjLNBoTK37Sm36Ha2w9cOtkD5ooD5eA3XraT1l4OQyoJR63WH0KOzdBvTWAAAgAElEQVTecIx2GcnAYDLQ7Taz73Tm87myecU7R/gy2KETIECAAAECBAgQIECAAAECayXQm5o6Zam++cxY2/r+WEu/HUP6XAzpsoH2yQ20+fGTgdHOgFJKKWWXjAzIwMsZONIt8ue7zex7h3Zv/0ivkZ3Va0ytW6vrVs9LgAABAgQIECBAgAABAgQIjJHA4mcvOSOG5PoYZr4Ww8zPDNVHe6hu/ayfDJx4BpRSCgmFhAxMeAaWyyJ/qtvM/rmc3/43Y3S561QIECBAgAABAgQIECBAgACBYRO4q77t7DiXzMVq+nAM6RMG2yc+2GbHTgZGMwNKKYXEhBcSvv5uMF9/NxquzfyZcj57qFtkn35+z2UXDNt1quMhQIAAAQIECBAgQIAAAQIExlSgXU/eHkP68RjSxRjSXxuuj+Zw3bpZNxk4/gwopZRSSikZmMAM7C+L7Gtls1LrFNlFY3p567QIECBAgAABAgQIECBAgACBYRZoNKbWLcxt2bRQSz+6UE0fiCE9YsB9/ANuZsxkYLQyoJRSSExgITEau3gmeQfT4M697BbZP3fm87myecU7h/m61LERIECAAAECBAgQIECAAAECEyLQL6f23nLxWbG29f2tkP5jDOkLMaTLBu2jNWi3XtZLBo4tA0oppZRSSgbGPANHOkX+QqeZ/euhIv9or7Ht7F5jat2EXNY6TQIECBAgQIAAAQIECBAgQGCUBO7cmZze3znVDjNLMcz8LIb0qEH3sQ26OXGSgdHIgFJKITHmhYRdUYPbdTTststlkT/dbWbf6X9N3yhdfzpWAgQIECBAgAABAgQIECBAYMIF7qpvOzvOJXMxpA/FkD5h2D4aw3brZJ1k4M0zoJRSSimlZGDMMnC0bObPlEXl4W6Rffq5xpXnT/hlrNMnQIAAAQIECBAgQIAAAQIERlVg7y0zb2tXk7+JIV2MIf2VgfebD7wZMZKB4c6AUkohMWaFxLDv3nF8g925tb+czx8pd1d2dYrsolG93nTcBAgQIECAAAECBAgQIECAAIHfC/TvObUwt2VTDMn1C9X0gRjSlwzdh3vobn2sjwy8fgaUUkoppZQMjEEGyrKZ/VOnmVfL5hXv/P1Fm38gQIAAAQIECBAgQIAAAQIECIyLQL+cevlr/Wpb3x9D+k8xpAdiSJcNv19/+M2GjQwMXwaUUgqJMSgk7D4a7O6jYfU9Uhb5/k4z+/6hPdn1vcZV5/YaU+vG5TrTeRAgQIAAAQIECBAgQIAAAQIEXlfgzp3J6e1q+pF2mFlqh/TnMaRHDd+Hb/huTayJDPxlBpRSSimllAyMWAaWyyJ/utvM/+XQ/Pa517048wcECBAgQIAAAQIECBAgQIAAgXEXeHnn1FwyF0P6UAzpEwbgfzkAZ8JEBoYrA0ophcSIFRLDumvHcQ1+t9bRfhnVv2dUt8g+3ft8dt64X1c6PwIECBAgQIAAAQIECBAgQIDAMQncV/urt7ZqSb0d0ntjSH9pCD9cQ3jrYT1k4A8ZUEoppZRSMjACGdhfzmcPlc38450iu+iYLsb8EAECBAgQIECAAAECBAgQIEBgkgT695xamNuyqVWbvqEVZu6PIX3RIPwPg3AWLGRgODKglFJIjEAhYRfS4HchDatxWRb5P3Z2Z6FsXvHOSbqOdK4ECBAgQIAAAQIECBAgQIAAgRMS6JdTce7Sc2Jt6/tbIf1ODGknhvSIgfxwDOStg3WY9AwopZRSSikZGLIM9L+m70CnmX3/0J7KDb/7fHZeb6m+/oQuwvwSAQIECBAgQIAAAQIECBAgQGCSBZbq2za0a9MfirX06zGkv1BOKUQmvRBx/mv/d0AppZAYskJiWHfsOK7B79ZaLpv5M91m9r1DRXbTJF8vOncCBAgQIECAAAECBAgQIECAwIoK7Lt+01viXDIXQ/pQDOkTBvNrP5i3BtZgUjOglFJKKaVkYI0z0N8Z9XRZZF/rFtmne42rzl3Riy4PRoAAAQIECBAgQIAAAQIECBAg8IrAgze964IYklvbIb03hvTZSR2KO2+FkAysXQaUUgqJNS4k7EAa/A6kYTbeX85nD5TNrH7wC7MXuj4kQIAAAQIECBAgQIAAAQIECBAYsED/nlOL9UsujGF6Zwwz+2JIDxnQr92Anj37ScuAUkoppZSSgTXIQKcsKt8um5Va57btFw/4UsvDEyBAgAABAgQIECBAgAABAgQI/LlAv5zaW9963r27pq9pheS7sZp23XNKQTJpBYnzXf3MK6UUEmtQSAzzzh3HNridW/2v6TvYaVZ+cKjIdz6/57ILekv19X9+PeTfCRAgQIAAAQIECBAgQIAAAQIEVllgqb5tQ5ybvi7W0q+/es+pI4b1qz+sZ858EjKglFJKKaVkYMAZWC6L/NlOM/v+oT2VG1b5ksrTESBAgAABAgQIECBAgAABAgQIHKvAvus3vaVVTW5ph/TBV8up3iQMyZ2jMkgGVi8DSimFxIALCTuPBrfzaNht+zujnirns6VukX26d9s15xzr9Y+fI0CAAAECBAgQIECAAAECBAgQWEOBxXDJ+TEkt8Zacl8M6bMG9qs3sGfNetwzoJRSSimlZGAAGdhfFvn9ZVG59eAXZi9cw0soT02AAAECBAgQIECAAAECBAgQIHAiAv17Ti3WL7mwtSu9KYaZfa/ec8rOqaA0GffSxPkNNuNKKYXEAAqJYd/B4/gGt3urUxbZP5TNSq1z2/aLT+R6x+8QIECAAAECBAgQIECAAAECBAgMkcDL5VS45Px7d01f06rO/EsM6eEYUvecUk4pKGXghDKglFJKKaVk4CQz0P+avrJs5v92aD6/cf/8e97aW6qvH6JLJ4dCgAABAgQIECBAgAABAgQIECCwEgJ7P5ed1q4lH4whfTTW0idjSJftKhnsrhK+fMctA0ophcRJFhJ2HQ1u19Gw2y6XRf7sy2VUkX90Ja5rPAYBAgQIECBAgAABAgQIECBAgMAICOy7ftNbWtXklnZIH4whfWLchubORxEkA4PLgFJKKaWUkoHjzMCRssifKovs690i+3Svse3sEbhUcogECBAgQIAAAQIECBAgQIAAAQIrLbC3vvW8herMJ2ItuS9WZ54xyB/cIJ8t23HJgFJKIXGchcSw795xfIPdubW/bFb2lc3KJw5+YfbClb6O8XgECBAgQIAAAQIECBAgQIAAAQIjJvDyPafql1zYrqU3v1xOhbQzLsNz56EIkoGVz4BSSimllJKBY8jAwbLIvlXuruzq3Lb94hG7NHK4BAgQIECAAAECBAgQIECAAAECgxbol1N33/SuC9rV6ffFkH4vhvSlGNKjhvorP9RnynSUM6CUUkgcQyFh99Fgdx8Nq+/Rssi7r9wzKrtpfyN7W68xtW7Q1y8enwABAgQIECBAgAABAgQIECBAYMQF9n4uO601l34ghvTRGNKnY0iXR3mI7tiVQDKwchlQSimllFIy8GcZWC7nZ39ZNrN/7xbZdSN+CeTwCRAgQIAAAQIECBAgQIAAAQIE1kpg3/Wb3tKqJre0Q/pgDOkTBvsrN9hnyXJUM6CUUkj8WSExrLt2HNfgd2sdKYv8qbKoPNotsk/3GtlZa3W94nkJECBAgAABAgQIECBAgAABAgTGSCDOXXpOqzbzyRhm9r26c6o3qgN1x60MkoGTy4BSSimllJKBTpG/UDYr+8pm5RMHi6s2jdElj1MhQIAAAQIECBAgQIAAAQIECBAYBoH+PacW65dc2N85FWvJfTGkBw33T264z4/fKGZAKaWQUEpNdAYOlkX2zbKZf7xTZBcNw/WJYyBAgAABAgQIECBAgAABAgQIEBhjgX451aq/e+O9u6aviSH9Xgzp0VEcrDtmhZAMnFgGlFITXUj4SrzBfyXesBof7t8z6tB85eYD89vf3mtMrRvjSx2nRoAAAQIECBAgQIAAAQIECBAgMIwCjR07To21re9vh/QbsTrzTAzpskH/iQ36uXEblQwopZRSdkpNTAaWyyL/Vb+M6u7OdwzjdYhjIkCAAAECBAgQIECAAAECBAgQmECBvbdcfNY9tfTmGNKHYkh/MSrDdcepCJKB48+AUmpiColh3bHjuAa/W+tIWeRPlUX+jbKZf6p3+9VnTuCljVMmQIAAAQIECBAgQIAAAQIECBAYdoE4d+k5C9WZT7TCzP0xpE8b+B//wJ8Zs2HPgFJKKWWn1Fhn4LmyWdlXFvknDzQuf8ewX3c4PgIECBAgQIAAAQIECBAgQIAAgQkX6E1NnbJYv+TCOJfMtUN6bwzp/mEfsjs+RZAMHHsGlFJjXUjYhTT4XUjDanywLLJvls38453btl884ZcyTp8AAQIECBAgQIAAAQIECBAgQGDUBJbqU+vvq/3VWxerW65theS7hv7HPvRnxWqYM6CUUkrZKTVWGTjcv2dUp1m55WBx1aZeY2rdqF1vOF4CBAgQIECAAAECBAgQIECAAAECfyLQ2LHj1Nau6WtiLf1mDOmzMaTLwzx0d2xKIRl4/QwopcaqkBjWXTuOa7A7tpbLIv912cz/rbs739HrTZ3yJ2/a/oUAAQIECBAgQIAAAQIECBAgQIDAOAjsveXis1q70ptiNX04hvQXBv+vP/hnw2ZYM6CUUkrZKTWyGThSFvlTZZF9q2xu/1TvzuT0cbi2cA4ECBAgQIAAAQIECBAgQIAAAQIE3lAgzl16TgzJrbGaPhBD+tSwDt8dl2JIBv4yA0qpkS0k7D4a7O6jYff9bVnk95fN/FMHGpe/4w3fpP0hAQIECBAgQIAAAQIECBAgQIAAgXET6E1NnbIwt2VTK0yHdkjvjSF9QQHwlwUAEybDlgGllFLKTqmRysCBssi/Ue6u7Orctv3icbuWcD4ECBAgQIAAAQIECBAgQIAAAQIEjktgqT61fu8tM29r15IPtkL6j8M2gHc8SiEZ+NMMKKVGqpAY9t07jm9wu7cOd5qVH3SalVsOfmH2wl5jat1xvTn7YQIECBAgQIAAAQIECBAgQIAAAQLjLrBU37Yh1ra+P4bkWzGkv4ohXVYI/GkhwIPHWmdAKaWUslNqaDOwXBb5b/tlVHd35UO9pfr6Xm/qlHG/dnB+BAgQIECAAAECBAgQIECAAAECBE5KYKm++czWrvSmVkgeaYf052s9hPf8iiAZ+EMGlFJDW0jYdTS4XUfDbnukLPKnymb2D2Vz+6d6jW0bTupN2C8TIECAAAECBAgQIECAAAECBAgQmESBOHfpOa1aUm+H9MEY0qcUA38oBliwWKsMKKWUUnZKDVUGflPOZw90i+zTB+a3v30SrxWcMwECBAgQIECAAAECBAgQIECAAIEVE+hNTZ2yMLdlU6xO19ohvTeG9Pm1GsZ7XkWQDKQ9pdRQFRLDvoPH8Q1u99aBssi/Ue6u7Orctv3iFXvT9UAECBAgQIAAAQIECBAgQIAAAQIECExNLdWn1rfrydvj3PR1rVfuOdVTECiJZGD1M6CUUkrZKbWmGTjUaWbf78znc50iu8g9o1whESBAgAABAgQIECBAgAABAgQIEBigQH/n1J07k9MXq1uubYWZf4gh/XUM6bJyYvXLCeaTaa6UWtNCws6jwe08GmbbI2Ux+7tOs/KDbrH9w/17RimjBnih4aEJECBAgAABAgQIECBAgAABAgQIvJbAUn3zmQvVrTfGMPO1dkh/riSZzJLEuq/uuiullFJ2Sq1aBpbLIn+qLCrfLovtn+w1dpz6Wu+F/hsBAgQIECBAgAABAgQIECBAgAABAqsoEOcuPSeG9OMxpA/FWvqkkmJ1Swrek+WtlFq1QmKYd+44tsHv2Pp1WWQPdovs0/sb2dtW8S3VUxEgQIAAAQIECBAgQIAAAQIECBAg8GYC/a/1W5jbsmmhlu5qh/Tedpj5nbJkssoS6706662UUkrZKTXQDBwoi/wb5e7Krs5t2y9+s/c+f06AAAECBAgQIECAAAECBAgQIECAwBoKLNWn1n+lNv2Odm36Q62QPqqoWJ2igvPkOCulBlpI2IE0+B1Iw2p8qNvMvteZz+f6ZZR7Rq3hhYSnJkCAAAECBAgQIECAAAECBAgQIHC8Av2dU4ufveSMxeqWa2Mt/XYM6a9jSA8rTyanPLHWg1nrRz61rffM7muHdbDvuCa31BnFtT9SFvlznWblB4d2b/9Ir7HjjF5jat3xvt/5eQIECBAgQIAAAQIECBAgQIAAAQIEhkhgqb75zFjb+v5WbfqrsZr+RwzpssJiMIUF1/F3VUrZKeXr+046A8tlkT9VNrN/KpuVT/SW6uuH6C3ToRAgQIAAAQIECBAgQIAAAQIECBAgsBICS/VtG+Lc9HUvl1Mh+ZFyavwLFCXZyq+xUuqkC4lR3NHjmFdqB9r87C/L+eyhbrPymf3z73nrSry3eQwCBAgQIECAAAECBAgQIECAAAECBIZYYG9963kLtfSjrVpyezskP48hPaq8WPnygul4miqllFJ2Sp1QBg6UReXRcndlV/+eUUP8FunQCBAgQIAAAQIECBAgQIAAAQIECBBYaYH+PafuvuldF7Sr6VUxpHcuhKRUooxniWJdV3ZdlVInVEjYabRSO41G73G63Wb+L51mXi2bV7yz15s6ZaXfzzweAQIECBAgQIAAAQIECBAgQIAAAQIjItAvp+7cmZy+WN16WQxJK4b06RjSFxUZK1tk8BwfT6WUUspOqTfNwJFOkb/QaWbfP1TkH+01srN6jal1I/K26DAJECBAgAABAgQIECBAgAABAgQIEFgNgcaOHae2wsx7Xr7nVDX9D/ecGp8iRSm2cmuplHrTQsKuqNHbzbRSa7ZcFvnT3Wb2z2Wz8gm7olbjndtzECBAgAABAgQIECBAgAABAgQIEBhxgaX6tg3tWvLBGNK9MaQ/VE6tXKGhHBp9S6WUUspOqdfMwLPlfPZQt1n5zAuNqzeO+NugwydAgAABAgQIECBAgAABAgQIECBAYLUFHtiZnBtDcn0MyRdjSH4WQ3pUqTL6pYo1PLk1VEq9ZiGxUjttPM7o7bI6UBaVR8tmpda5bfvFq/0+5fkIECBAgAABAgQIECBAgAABAgQIEBgjgf49p+6+6V0XLOxK3tsvp1oh6Sg1Tq7U4DfafkoppZSdUi9noNstKt/tzGehvO3yzWP0tudUCBAgQIAAAQIECBAgQIAAAQIECBBYa4F+ObX42UvOWJjbcnk7JDGG9NkY0hcVLKNdsFi/418/pZRSaoJLqSNlke/vNCs/OLQnu77X2HZ2rzG1bq3fnzw/AQIECBAgQIAAAQIECBAgQIAAAQJjLNDYsePUxV1bZ1++51Q1/Y8Y0peUG8dfbjAbTTOllFJqAkup5bLIn+42K98tm1l9jN/enBoBAgQIECBAgAABAgQIECBAgAABAsMqsFTftqFdSz74cjkV0h/GkC4rWkazaLFux75uSiml1ISVUs+WReXhbrPymef3XHbBsL4fOS4CBAgQIECAAAECBAgQIECAAAECBCZE4IGdybntavKx/j2nYpj+zxjSI0qOYy85WI2WlVJKKTUhpdT+cj5bKpv5xzu3bb94Qt7OnCYBAgQIECBAgAABAgQIECBAgAABAqMg0L/n1N03veuCdnX6ff1yqhWSA8qW0SpbrNexrZdSSik15qVU2W1m3+nMZ6G87fLNo/D+4xgJECBAgAABAgQIECBAgAABAgQIEJhQgX45tVTffObC3JbLYy1px5D+yj2njq3sUAqNhpNSSik1hqXUkbLID3SalR8c2lO5oXfbNef0lurrJ/RtzGkTIECAAAECBAgQIECAAAECBAgQIDCKAo0dO06Nc1vzP7rn1EuKl9EoXqzT66+TUkopNUal1HLZzJ/pNvN/Kecru0bxfcYxEyBAgAABAgQIECBAgAABAgQIECBA4E8ElurbNrTm0g/8UTm1rPR4/dKDzXDbKKWUUmNQSh3tl1HlfP5It1n5zHONK8//kxdt/0KAAAECBAgQIECAAAECBAgQIECAAIFRF4hzl57TriYfa4fpO2JIfhpDekQBM9wFjPX5y/VRSimlRryU2l8W2dfK3fnfdIrsolF/X3H8BAgQIECAAAECBAgQIECAAAECBAgQeF2B/j2nWvXNG1u7pq+JIfliKyQvKD7+svhgMrwmSiml1IiWUmW3yP65bFZq5W2Xb37dF2l/QIAAAQIECBAgQIAAAQIECBAgQIAAgXET6JdTe2+5+KxY23JFDNOLMSS/iSF1z6kwvGWMouyVtVFKKaVGqJQ6Whb5gbKZ/9uhIt/5u89n5/WW6uvH7f3E+RAgQIAAAQIECBAgQIAAAQIECBAgQOCYBZbqU+vbu5LKK/ecSn4UQ/qiAkQ5NawZUEoppUaglFru3zOq08z+9XDzyuoxvxj7QQIECBAgQIAAAQIECBAgQIAAAQIECEyKwFJ924bWXPqBVm36qzG8XE4tD2sx4bgmtzRTSimlhriUOtovo/r3jOo2K5/pfT47b1LeP5wnAQIECBAgQIAAAQIECBAgQIAAAQIETkjgrvq2s1u16RtidfrvY0h/EkN6RAk0uSXQsK29UkopNaSl1P6yqDxcNrN6p8guOqEXX79EgAABAgQIECBAgAABAgQIECBAgACBSRTo33OqVd+8cbE6c20MyRdbIXlu2MoJxzOZRZlSSik1ZKVUWTazfyp3V3aVt12+eRLfL5wzAQIECBAgQIAAAQIECBAgQIAAAQIEVkSgX07tu/7yt8TalivaIb23HZLfxZD6Wr8wmYXQMBSBSiml1BCUUkfLIu+UzezfD83nNz6/57ILekv19SvyoutBCBAgQIAAAQIECBAgQIAAAQIECBAgQGBqaqk+tb41l2yPId0bQ/pYDOmLw1BSOIbJKsiUUkqpNSyllssif7bTzL5/aL5ys/cFAgQIECBAgAABAgQIECBAgAABAgQIEBiwwFJ924bWXPqBVm36qzEkP7JzarJKobUuAZVSSqk1KKX6O6OeLuezpW6z8ple46pzB/wy6+EJECBAgAABAgQIECBAgAABAgQIECBA4I8F9t5y8VkxTO+M1em/b4X0xzGkR9a6sPD841+QKaWUUqtcSu0v57OHyqJya6fILvrj10D/TIAAAQIECBAgQIAAAQIECBAgQIAAAQKrKNC/51SrvnnjKzunkttbIfmtYmj8i6G1XGOllFJqNUqpbpE/Xxb5N8pm/vGyecU7V/Fl1VMRIECAAAECBAgQIECAAAECBAgQIECAwBsJ9Mupu+rbzo61LVe0Q3pvKyTP2zmlnBpEeaWUUkoNsJQ6Uhb5/rLI7y/n82teaFy9sbdUX/9Gr33+jAABAgQIECBAgAABAgQIECBAgAABAgTWUGCpPrV+MaRXxpDuffVr/Q4PopzwmJNZeimllFIDKKUOl0X+i7LIH+4UWWUNXz49NQECBAgQIECAAAECBAgQIECAAAECBAiciMBSfduGxerMtQvV6a/EkPwohnRZkTSZRdJKrrtSSim1gqXUcllkj3WaeetgUflY7/arzzyR1zq/Q4AAAQIECBAgQIAAAQIECBAgQIAAAQJDIrBU33xmDNM7Y0jvfHXn1JGVLCk81mQVXUoppdTKlFLZk2WRf/ngntkbnmtcef6QvFw6DAIECBAgQIAAAQIECBAgQIAAAQIECBA4WYH+Pada9c0bF0Kyo1VLbm+F5NfKpMkqk1ZqvZVSSqmTLKV+1S1mF/o7o/r3jDrZ1za/T4AAAQIECBAgQIAAAQIECBAgQIAAAQJDKtAvp+LcpefE2pYrYi25rxWS/TGkdk4FBdWxllZKKaXUCZRSR8siP1AW+f3dZvb+/s6oXmNq3ZC+TDosAgQIECBAgAABAgQIECBAgAABAgQIEFhpgaX61PqFuS2Xt6rJPTGkP4khPXysxYSfm9wSSymllDqOUupwWeRPlPP5Iy/+7XuuWOnXMI9HgAABAgQIECBAgAABAgQIECBAgAABAiMmsPdz2WmL1ZlrF6rTX4khfSyGdFnpNLml05utvVJKKXUMpdRyWWSPdYo89r+mr9fYccaIvSw6XAIECBAgQIAAAQIECBAgQIAAAQIECBAYpMDiZy85I4bpne2QfCmG9HFf66eYeq2CSimllHrjUip7spzPv9Qp8p39r+kb5GuWxyZAgAABAgQIECBAgAABAgQIECBAgACBERbo33OqVd+8Mc5NX9eqJbfHkPzytYoJ/21yCyullFLqdUqpX3Wb2T0H98ze8ELj6o0j/DLo0AkQIECAAAECBAgQIECAAAECBAgQIEBgNQX65dQDO5Nz+/eciiHZ1wpJJ4b0qDJqcsuo/1p7pZRS6o9KqaNlkR8s57MHuvOVa5/fc9kFvcbUutV8rfJcBAgQIECAAAECBAgQIECAAAECBAgQIDBGAo3G1LpWbfqvY0j3xpD+NIb08H8VFP5/8koqpZRSqizyw2WRP1XO548cLvK/HqOXO6dCgAABAgQIECBAgAABAgQIECBAgAABAsMgsPdz2WmxtvX9C9Xpr8SQPhZDuqyUUkr90a6Znn8e+8LqpbLIH+808/ah3dn1vTuT04fhtckxECBAgAABAgQIECBAgAABAgQIECBAgMCYCty5Mzl9sbr1xlhNvhxD+rhyarKKKTulxr54er1y8YlyPv9Sp8h3Pte48vwxfXlzWgQIECBAgAABAgQIECBAgAABAgQIECAwbAL9e07dfdO7LmjXpj8UQ/LFVjV5xq6pySinlFITVkrNz/6y28zuObhn9ob+PaOG7bXI8RAgQIAAAQIECBAgQIAAAQIECBAgQIDAhAj0y6m99a3nLYb0yhiSfQshKZVT411OKaUmppTqlPPZA9352Q/2y6heY2rdhLysOU0CBAgQIECAAAECBAgQIECAAAECBAgQGHaBRmNq3T23JO9uVZN7Ypj5WQzpYQXV+BVUSqmxLqVeLIv86c/jYZAAABGNSURBVLLIHz5c5H897K85jo8AAQIECBAgQIAAAQIECBAgQIAAAQIEJlxg7+ey01q7pq9ZqE5/JYbkR+45NV7FlFJqLEupl8oif7xTZIuHivyjvca2DRP+Mub0CRAgQIAAAQIECBAgQIAAAQIECBAgQGCUBO7cmZzeqk3f0ArJXTGkjymnxqOcUkqNXSn187LIv9yZz2/sfT47b5ReYxwrAQIECBAgQIAAAQIECBAgQIAAAQIECBD4vUD/nlN33/SuC1ph64djSL7YCtNP+0q/0S6nlFJjU0o9221m9xzcM3vDC42rN/7+L61/IECAAAECBAgQIECAAAECBAgQIECAAAECoyzQL6cWwyXnt3cllVhL2gshKZVTo1lOKaVGvpQ6WBb5/d3d+Y5+GdXrTZ0yyq8tjp0AAQIECBAgQIAAAQIECBAgQIAAAQIECLyuQGPHjlNbtem/blWTe9oh/XkM6WEF1egUVEqpkSylXiyL/NlyPn/ocFG5vNeYWve6f0H9AQECBAgQIECAAAECBAgQIECAAAECBAgQGDeBvZ/LTmtXp9/Xqk1/NYbkR+45NRrFlFJqpEqpfhn1eKc5e++h3bMf6e3NThu31xHnQ4AAAQIECBAgQIAAAQIECBAgQIAAAQIEjlngzp3J6e1q8rFWSO6OIX1MOTXc5ZRSamRKqZ+VRXZXZz6/sff57Lxj/gvpBwkQIECAAAECBAgQIECAAAECBAgQIECAwDgL9O85dfdN77qgXU0/EkPyxVZInoohPepr/YavoFJKDX0p9Wy3md1zcM/sDf17Ro3z64ZzI0CAAAECBAgQIECAAAECBAgQIECAAAECJyzQL6cWwyXnL4TprFVLFhZCUiqmhquYUkoNbSl1oGzm+7q78x3759/z1l5v6pQT/ovoFwkQIECAAAECBAgQIECAAAECBAgQIECAwCQJ9O85tVjdelm/nIohfSKG9LCCau0LKqXUUJVS/XtG/aosZh88WMxe2WvsOFUZNUmvks6VAAECBAgQIECAAAECBAgQIECAAAECBFZUoF9OtavT74sh3RtD+kP3nFrbYkopNRSlVL+M+nGnyO/rFrMf7pdRK/qXzoMRIECAAAECBAgQIECAAAECBAgQIECAAIFJFliqb9sQQ3L9QnX6KzGkjymn1qacUkqteSn1024xe3dnPr+x17jq3El+TXDuBAgQIECAAAECBAgQIECAAAECBAgQIEBgYAK/v+dULf1oDMkXY0j6X+t31Nf6rV5BpZRao1KqmT/TbWb3HNwze8MLjas3DuwvmQcmQIAAAQIECBAgQIAAAQIECBAgQIAAAQIE/iDQL6fuvuldFyzu2jrbrk1/dSEkpWJqdYoppdSql1L7X/mavuy6/Y3sbe4Z9YfXAf9EgAABAgQIECBAgAABAgQIECBAgAABAgRWTaBfTvW/1m9hbsvlCyFpxVr6ZAzpiwqqwRVUSqlVKaX694z6dTmfPdD523x7r7FtgzJq1V5WPBEBAgQIECBAgAABAgQIECBAgAABAgQIEHhjgb2fy06LteTqGNK9MaQ/dM+pwRRTSqmBllL9MuonZTPf191d+VBvqb7+jVPvTwkQIECAAAECBAgQIECAAAECBAgQIECAAIE1E+jvnGpX04+0atNfjSH5kXJqZcsppdTASqmfdIv8K535/MZe46pz1+wvkCcmQIAAAQIECBAgQIAAAQIECBAgQIAAAQIEjk9gMVxyfgzJ9e0wfUcMyS9iSI/6Wr+TL6iUUitcSjXzZ7rN7J6DReVjLzSu3nh8KffTBAgQIECAAAECBAgQIECAAAECBAgQIECAwFAI9O85dfdN77qgXU2viiG5ayEkpWLq5IoppdTKlFLdIn++05y9t/81ffsb2dvcM2ooXjIcBAECBAgQIECAAAECBAgQIECAAAECBAgQODmBfjl1587k9FjbckU7JDGG9OkY0hcVVMdfUCmlTqqUeqks8t+WRX5/528rWa+x4wxl1Mn93fbbBAgQIECAAAECBAgQIECAAAECBAgQIEBgaAUaO3acurAreW+rmtwTQ/pD95w6vmJKKXVCpdSLZZH/pF9GdYvsul5jat3Q/gVxYAQIECBAgAABAgQIECBAgAABAgQIECBAgMDKCizVt21o16Y/9Eo5lfxIOXVs5ZRS6rhLqR93i/yrnfn8xt5t15yzsin2aAQIECBAgAABAgQIECBAgAABAgQIECBAgMDICOytbz2vXU0+1g7Td7RD8vMY0qO+1u/1Cyql1DGXUk93m9k9B4vKx15oXL1xZP5COFACBAgQIECAAAECBAgQIECAAAECBAgQIEBgcAL9e0616u/eGGvJ1e2QfGkhJKVi6rWLKaXUG5dS3SJ/vlNki91i9sMH5re/fXCp9cgECBAgQIAAAQIECBAgQIAAAQIECBAgQIDAyAr0y6nFz15yxmJIr4y1pB1D+mwM6YsKqj8UVEqp1yylXiqL/Lmyme/r/O3sbO/2q89036iRfRlw4AQIECBAgAABAgQIECBAgAABAgQIECBAYHUFGjt2nNquple9cs+p9IfuOfVKMaWU+pNS6sWyyH9azmcPdHfnO1Y3oZ6NAAECBAgQIECAAAECBAgQIECAAAECBAgQGCuBpfq2DQsh2dGqJQsxJD+a9HJKKfX7UurxbpHv7cznN/Ya284eq9A7GQIECBAgQIAAAQIECBAgQIAAAQIECBAgQGDtBPbWt57Xqk3f0A7Td8SQ/CyG9Ogkfq2fUip/utvM7jm0J7v+hcbVG9cukZ6ZAAECBAgQIECAAAECBAgQIECAAAECBAgQGFuB/j2nWvV3b2xXp98Xq9N/3wpJZ9KKqQkupZ7rNPP2od2zHzkwv/3tYxtyJ0aAAAECBAgQIECAAAECBAgQIECAAAECBAgMj0C/nFqqbz5zMaRXxjC9GEP6qxjSlyahoJqwUuqlbpE/XzbzfWUzf0/v7y5/S68xtW54kuhICBAgQIAAAQIECBAgQIAAAQIECBAgQIAAgYkRaOzYcerirq2zrWpyz6v3nBrrcmpCSqnDZZH9Z1nMPthtzn5gYsLsRAkQIECAAAECBAgQIECAAAECBAgQIECAAIHhF1iqb9uwEJIdrVqy8Go5tTyOO6fGvJQ6Whb54/17RnV25zf2GtvOHv7kOUICBAgQIECAAAECBAgQIECAAAECBAgQIEBgIgUe2Jmc26pN39C/51QM0/8ZQ3pknMqpMS6lnu4W+d6DReVjz++57IKJDK+TJkCAAAECBAgQIECAAAECBAgQIECAAAECBEZLoH/PqVb93Rtjbev722H6jlZIDoxLMTV+pdTs7zrNvH2oyD96YH7720craY6WAAECBAgQIECAAAECBAgQIECAAAECBAgQIDA1NdUvp/becvFZrblkezuk98aQ/iaGdKTvOTUmpdRyp8hfKIv8/rJZeW//a/p6jal1QkuAAAECBAgQIECAAAECBAgQIECAAAECBAgQGHmBxo4dp8a5rfkr95xKHxvVcmrES6nDZZH/rJzPHyrn82tGPlROgAABAgQIECBAgAABAgQIECBAgAABAgQIECDwegJL9W0b2rXkg6+UU8mPYkiXR+mr/Ua0lDpaFvnj3WJ2oVPkO3t/d/lbXm99/HcCBAgQIECAAAECBAgQIECAAAECBAgQIECAwFgJxLlLz4lhemcM6Z0xpD+NIT0yCuXUCJZST3WL/KsH98ze8Pyeyy4YqxA5GQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIDAsQj07znVqm/euFidubYdpu9oheSFYS+mRqiU+m2nyOOhPdn1+xvZ245lPfwMAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQGCsBfrl1L7rL39Lay7ZHmvJfe0w87th/Vq/IS+llssi31/OZw+Uzdn39W675pxeY2rdWIfHyREgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIETkRgqT61fiFMZ6/ccyp9PIb0xWHaPTWkpdThssh/Xhb5w2Wz8t4Tcfc7BAgQIECAAAECBAgQIECAAAECBAgQIECAAIGJFFiqb9vQriUfbFWTe2JIHxuWnVNDVkodKYv88U4zb3WKfGevkZ01kWFx0gQIECBAgAABAgQIECBAgAABAgQIECBAgACBkxW4q77t7Bimd8aQ3hlD+tMY0iNruXNqiEqpp7pF/pV+GfX8nssuOFlnv0+AAAECBAgQIECAAAECBAgQIECAAAECBAgQmHiB/j2nWvXNG/s7p9ph+o5WSJ5bq2JqCEqp33SKPB4sKh/b38jeNvHhAECAAAECBAgQIECAAAECBAgQIECAAAECBAgQWGmBfjnV3znVmku2x5DsiyF5frW/1m+NSqn+1/TtL+ezB8r5/Jpe46pze42pdSvt6/EIECBAgAABAgQIECBAgAABAgQIECBAgAABAgT+TGCpPrW+X061aslCK6Q/jiF9cTV2T61yKXW4LPJflPP5I52/nZ39MwL/SoAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgsFoCS/VtG1pz6Qda1eSeGNLHBr1zapVKqf7OqMf7X9PXv2dU7/arz1wtT89DgAABAgQIECBAgAABAgQIECBAgAABAgQIECDwBgJ7b7n4rMXq1hvbIflSDOlPYkiPDGLn1CqUUk91i9m7+2XU83suu+ANTtkfESBAgAABAgQIECBAgAABAgQIECBAgAABAgQIrIVA/55TrfrmjQsh2dEO03e0QvLblS6mBlhK/brTzFsH98zesH/+PW9dCz/PSYAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgcBwC/XIqzl16zsv3nArJ/a2Q7F+pnVMrXEodLYv8QFnMPtidr1z7XOPK83uNqXXHcap+lAABAgQIECBAgAABAgQIECBAgAABAgQIECBAYBgElupT6xdDemWrliy8+rV+L57M7qkVKqUOl0X2ZDmfP9IpssowODkGAgQIECBAgAABAgQIECBAgAABAgQIECBAgACBFRBYqm/b0JpLPxBDujeG9LEY0uUTKadOspRaLov88U4zbx/cPXtD7/arz1yBU/MQBAgQIECAAAECBAgQIECAAAECBAgQIECAAAECwyawVN985mJ1642xmny5FdIfH+/X+p1EKfV0WWR3debzG5/fc9kFw+bieAgQIECAAAECBAgQIECAAAECBAgQIECAAAECBFZYoH/PqVZ988Y4N31dO0zf0QrJr49119Rxl1J73nuw3PPe+/tl1P7597x1hU/FwxEgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECAy7QL+cemBncm5rLtkeq8kDrZAcjCE9+kYF1TGXUnuuWj50x0f+38Nf3BleuP3qjb3G1Lph93B8BAgQIECAAAECBAgQIECAAAECBAgQIECAAAECAxZYqk+tX5jbcnmrlizEkP40hvTwa5VTb1hKzb+n1/27a492v3TzEy997X/5773/+3b3jBrwunl4AgQIECBAgAABAgQIECBAgAABAgQIECBAgMBICizVt21YrM5cG0O6N4b08RjS5T8up16zlJqf7XX/x3W9Q3v/Zv+Lj/yv//bS94rrer3eKSMJ4KAJECBAgAABAgQIECBAgAABAgQIECBAgAABAgRWT2Dxs5ec0dqV3hRDclcrpD+OIT3SL6ce+eT/fOSZ/+N9ZVnkvZf/93cf6B2Onzn64qP/2y9e+t6ez/f+/c5phdTqrZNnIkCAAAECBAgQIECAAAECBAgQIECAAAECBAiMvED/nlOt+uaN7dr0h9ph+o4Ykl8+dOulh57679mT5W3ve+nQwieXX/zmf+u99L3b/r/l/+uOT/T+7ctvHfmTdgIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQJrI9Avp/bWt563GNIrH/7kpV/5xX+78u8O/Y/rbnzpu83//cX/84v7ev/+5f+p9//sPW1tjs6zEiBAgAABAgQIECBAYHQE/n/D0e/oWAE8RgAAAABJRU5ErkJggg=="/>
+</defs>
+</svg>
diff --git a/ui_src/src/connectors/assets/kafkaIcon.svg b/ui_src/src/connectors/assets/kafkaIcon.svg
new file mode 100644
index 000000000..be1b4a0f0
--- /dev/null
+++ b/ui_src/src/connectors/assets/kafkaIcon.svg
@@ -0,0 +1,10 @@
+<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+<circle opacity="0.23" cx="10" cy="10" r="10" fill="#4A495C" fill-opacity="0.8"/>
+<rect x="4" y="4" width="12" height="12" fill="url(#pattern0)"/>
+<defs>
+<pattern id="pattern0" patternContentUnits="objectBoundingBox" width="1" height="1">
+<use xlink:href="#image0_9050_753" transform="scale(0.000833333)"/>
+</pattern>
+<image id="image0_9050_753" width="1200" height="1200" xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABLAAAASwCAYAAADrIbPPAAAgAElEQVR4AezdB7hlZXU/4N8MvTdBRRBQUbChgoKxRrH9FQ32it2oiWIndtSoxBo0FuxiJxobdrE3IqhBLKggqLSAgPQyTP7Pl5xx7gx3Zu49e++z23ueZ56ZuXPuPvt7v7W+u9eaXRIvAgQIECDQnMB6SXZJ8jdJDkjyuCTPS3JYkvck+XSS7yQ5Lsmvkpw8+XVekvLroiT/M/l1yeRr5eu/n7zvpMn3fi/JZ5O8L8nrk7wgyROSPCDJHZPcIMkGzQ3TlgkQIECAAAECBAgQIECAAAECBLossE2SOyR5dJKXJnlvkmMmDaYr5zSgVjSi2vp9WZLTknw7yQeSHJrksUnukmT7LgPbNwIECBAgQIAAAQIECBAgQIAAgYUJrD85k6mcSVWaP0cl+UWS5R1qUlVpjpUzu8qZXIcnecrkzK1NFkbjXQQIECBAgAABAgQIECBAgAABAm0I7JTk4UneMrlM7/KBNKoW0+QqZ5CdkOSdSQ5KcsM2JsJnEiBAgAABAgQIECBAgAABAgQIJEuT3CrJPyb5SJI/jLBZtdDG1plJPpnk2Un2TVLOTPMiQIAAAQIECBAgQIAAAQIECBBoQOBaSR6S5IgkZ2hY/fVm8QttZK1438VJPj+57PD6DcyTTRIgQIAAAQIECBAgQIAAAQIERiNQzrLaO8khk3s9Xa1pNXXTakXzar7fy5MUy3209k+y0Wiiy0AJECBAgAABAgQIECBAgAABAlMKrJfkbpN7OJ2jYdVIw2q+JtaKr12Q5INJ7ptkwynn0LcRIECAAAECBAgQIECAAAECBAYnUM60uuPkLCCXBmbmTasVzavVfz8/yZFJylMcNxhc1BkQAQIECBAgQIAAAQIECBAgQGABArdM8q9J/uRMq840rVZvYq34ezkbrjzZcL8FzKu3ECBAgAABAgQIECBAgAABAgR6LbDx5EbsX9O06nzTakXzavXffzW5L1m5qb4XAQIECBAgQIAAAQIECBAgQGAwAjdLcliSP2tc9bZxtXoj6/IkR01u/r5kMJFqIAQIECBAgAABAgQIECBAgMCoBMp9kx6T5DhNq8E0rVZvYq34+y+TPC3JpqOKcIMlQIAAAQIECBAgQIAAAQIEeiuwZZKDk/xB42rwjasVDawVv5enGB6e5Hq9jV47ToAAAQIECBAgQIAAAQIECAxaYNfJZYLl6XUrGhp+H6fFFZMnGJZLR70IECBAgAABAgQIECBAgAABAq0LlCbFx5JcpXGlcbdaDFyd5HNJbtt6lNoBAgQIECBAgAABAgQIECBAYJQC5YyrI5IsW61p4ayrcZ51ta55L0+evM0oM8WgCRAgQIAAAQIECBAgQIAAgZkLXH/SuHLGlUbVuppWq//78iSfT7LXzKPWBxIgQIAAAQIECBAgQIAAAQKjECg35n5HknJ/o9UbE/7OZDExUC4t/FCSG40icwySAAECBAgQIECAAAECBAgQaFxgkySHJLlI40rjruYYuHLy1MKtG49iH0CAAAECBAgQIECAAAECBAgMVuCAJL+vuWmxmDN1vHccZ3b9OcnBSdYbbCYZGAECBAgQIECAAAECBAgQIFC7QLnZ9nc0rpxxNeMY+GWSe9cezTZIgAABAgQIECBAgAABAgQIDEpghyTvT1LuUeTsJwZtxcAnk+wyqMwyGAIECBAgQIAAAQIECBAgQKAWgYckOUfjSuOuIzFwyeTeay4rrCW9bYQAAQIECBAgQIAAAQIECPRbYNckX+5I06KtM358bnfPNvtJklv3O8XsPQECBAgQIECAAAECBAgQIDCtwNIkT/F0QWdc9aB5WZ5WeFiSjaYNdt9HgAABAgQIECBAgAABAgQI9E/g5kmO7UHjwplR3T0zqo25+UWS2/cv3ewxAQIECBAgQIAAAQIECBAgsBiBJZOzrsr9hdpoQPhM7lVjYNnkbKwNFhP43kuAAAECBAgQIECAAAECBAj0Q6A8YfBojSuNu4HEQDmDcPd+pJ69JECAAAECBAgQIECAAAECBBYicK8kZw6kcVH1DB7fP5yzwC6cnFG4kBzwHgIECBAgQIAAAQIECBAgQKCjApskOTzJcs0rZ14NOAY+mWTbjuag3SJAgAABAgQIECBAgAABAgTWInCTJOWm1844YjCGGDg1yd5ryQf/RIAAAQIECBAgQIAAAQIECHRM4H5Jzte80rwbWQxcnuTJHctFu0OAAAECBAgQIECAAAECBAisJlCeMnhIkqtH1rgYwxlGxrjwM+mOTFIun/UiQIAAAQIECBAgQIAAAQIEOiawXZIva1w560oM/G8MHJ9kl47lqN0hQIAAAQIECBAgQIAAAQKjFrh1kt9rXGheiYFVYuDsJHcZ9cpg8AQIECBAgAABAgQIECBAoCMC90pyocbFKo0Ll9st/HK7oVtdleQpHclVu0GAAAECBAgQIECAAAECBEYpUG5YXQr0oTchjM8cV42Bw5OUe8R5ESBAgAABAgQIECBAgAABAjMSKIX4oRpXGndiYFEx8IkkG88oR30MAQIECBAgQIAAAQIECBAYtUApwD+ucbGoxkXVs3d8/3DOAPt+kmuNegUxeAIECBAgQIAAAQIECBAg0LDA9kmO1bzSvBIDlWLgl55Q2PBKZfMECBAgQIAAAQIECBAgMFqB6yT5ucZFpcaFM6mGcyZV1bk8I8nNRruaGDgBAgQIECBAgAABAgQIEGhA4PpJfqt5pXklBmqNgbOS7NVAvtokAQIECBAgQIAAAQIECBAYncBuSU7RuKi1cVH17B3fP5wzuc5Lst/oVhUDJkCAAAECBAgQIECAAAECNQrsmeR0zSvNKzHQaAxclORuNeatTREgQIAAAQIECBAgQIAAgdEI7J3kXI2LRhsXzqQazplUVefy4iT3GM3qYqAECBAgQIAAAQIECBAgQKAGgVtoXmlcaV7OPAYuTfK3NeSvTRAgQIAAAQIECBAgQIAAgcEL7J7kTM2LmTcvqp7B4/uHcTbXJUnuOPhVxgAJECBAgAABAgQIECBAgEAFgfK0wVM1rzSvxECrMXBBknIJrxcBAgQIECBAgAABAgQIECCwmsD1kpyscdFq48JZVMM4i6qOeTwnyU1Xy1F/JUCAAAECBAgQIECAAAECoxbYPskvNa80r8RAp2LgrCQ3GfXKZPAECBAgQIAAAQIECBAgQGAisGWSn2lcdKpxUccZPLYxjLO5TklyHasVAQIECBAgQIAAAQIECBAYs8D6Sb6seaV5JQY6HQPHJdlszAuVsRMgQIAAAQIECBAgQIDAuAXernHR6caFs6iGcRZVHfN4dJL1xr1cGT0BAgQIECBAgAABAgQIjFHghZpXmldioFcx8M4xLlTGTIAAAQIECBAgQIAAAQLjFXhIkqs1L3rVvKjjLB7b6P8ZXQePd9kycgIECBAgQIAAAQIECBAYk8Adk1ymeaV5JQZ6GQOl8XzgmBYsYyVAgAABAgQIECBAgACB8QnsnOS/NS562bhw9lT/z56qaw4vTnLz8S1fRkyAAAECBAgQIECAAAECYxDYKMmxmleaV2JgEDHwmyRbj2HhMkYCBAgQIECAAAECBAgQGJfAuzUuBtG4qOssHtvp/xldn0uydFzLmNESIECAAAECBAgQIECAwJAFnqx5pXklBgYZAy8Z8sJlbAQIECBAgAABAgQIECAwHoFbJ7lU82KQzQtnUfX/LKqqc1hu6n6f8SxnRkqAAAECBAgQIECAAAECQxTYPskfNK80r8TAoGPgz0l2G+ICZkwECBAgQIAAAQIECBAgMHyBJUnKPXKqnuHh+xmKge7HwI+TbDD8Zc0ICRAgQIAAAQIECBAgQGBoAv+geaV5JwZGFQOvGNoiZjwECBAgQIAAAQIECBAgMGyBPZNconkxquaFs6S6f5ZU03NU7od112EvbUZHgAABAgQIECBAgAABAkMR2CjJTzWvNK/EwChjoNzzbpuhLGbGQYAAAQIECBAgQIAAAQLDFXiDxsUoGxdNn91j+/05w+uo4S5vRkaAAAECBAgQIECAAAECQxC4S5JyGZFmAwMxMO4YeNQQFjRjIECAAAECBAgQIECAAIHhCWyW5BTNK807MSAGklyQ5HrDW+aMiAABAgQIECBAgAABAgT6LvBvGhcaF2JADMyJgU/2fVGz/wQIECBAgAABAgQIECAwLIF9XTqocTGnceHywXFfPjh3/g8c1lJnNAQIECBAgAABAgQIECDQV4ENk5yoeaGBJQbEwDwxcIanEvZ1abffBAgQIECAAAECBAgQGJbAK+YpWueegeHPzsYRA+OOgXcOa8kzGgIECBAgQIAAAQIECBDom8AeSS7XwHLmjRgQA2uJgeVJ7ta3xc3+EiBAgAABAgQIECBAgMAwBJYk+cFailZn3Yz7rBvzb/7nxsCvk5TLjb0IECBAgAABAgQIECBAgMBMBR6jeeWsGzEgBhYRA8+d6QrlwwgQIECAAAECBAgQIEBg9AKbJjltEYXr3DMx/NmZOWJgnDFwYZLrjH71BECAAAECBAgQIECAAAECMxN4leaVM2/EgBiYIgaOmNkq5YMIECBAgAABAgQIECBAYNQCOye5ZIrC1Vk34zzrxryb97kxcHWSvUe9gho8AQIECBAgQIAAAQIECMxE4OOaV6M/8+bSJH9M8rMkxyQ5avLrfUnKGTbl13vnfP0rSX4yuexU81ND61szWal8CAECBAgQIECAAAECBAiMVuBOSZZrYI2igXVlkhOSfDjJIUkemuS2SbavIfq3TXKbJA9M8rwk709yfJLLxdYoYquckfXgGuLIJggQIECAAAECBAgQIECAwLwC39dgGGyDoZxR9bEkz5hc4rXhvBHQ7BfXT3KLJH+f5MgkvxNvg4233yQp8+1FgAABAgQIECBAgAABAgRqFfh/mgmDaiZcluRrk7OrunxPovLUuoMmlyNeIAYHFYOPr3WFsjECBAgQIECAAAECBAgQGL3AkiTHah70vnlQLtH7/KQhtEUPo3qjJAdMzs66UDz2Ph5PTdLGmX49DH27TIAAAQIECBAgQIAAAQILEfg7zYJeNwtK8/GJSbZcyGT35D2bJHlkkm+6L1uvY/OpPYk3u0mAAAECBAgQIECAAAECHRdYOrmZd7nxsl/9MShP+3t7kr06Hl917N7uSV6f5Hwx2rscLfde27iOILANAgQIECBAgAABAgQIEBi3wMM1BXrVFDg7yaFJthth2G6e5ClJThKzvYrZg0cYq4ZMgAABAgQIECBAgAABAjUKlLOvfqUZ0ItmwJlJnpmk3Cdq7K/ydLvHJTlF7PYmdjcde9AaPwECBAgQIECAAAECBAhML3CgBkDnGwDnJnleEg2Aa8Z5uUF4ucfS6eK483H8tGtOn68QIECAAAECBAgQIECAAIGFCXxf4d/Zwv+qJEck2X5hUznqd5XmXrms8lLx3Nl4PjnJeqOOUoMnQIAAAQIECBAgQIAAgakE9lPsd7bYPybJTaea1XF/065J/kNcdzauyxmfXgQIECBAgAABAgQIECBAYFECn1Tod67QL0/ZKzcpX7KomfTm1QUOSFKefuepmt0y+N7qE+XvBAgQIECAAAECBAgQIEBgbQI3SLJMgd+pBkc5c+g6a5s0/7Yoga2TvFeMdyrGS0Px9ouaRW8mQIAAAQIECBAgQIAAgVELvFVh35nCvty36eBRR2Ozgy+XrZUb4TsbqxsG5cxPLwIECBAgQIAAAQIECBAgsE6BcmbKxQr6TjQ0fpxk93XOmDdUFbhekm+I+U7EfDnzs5wB6kWAAAECBAgQIECAAAECBNYq8AyFfCcK+SOTbLLWmfKPdQqUJ+CVJxUuF/+tx/9r65xY2yJAgAABAgQIECBAgACBYQr8lwK+1QL+8smN2ocZXd0f1YOTXCgHWs2BM5Ns0P1QsYcECBAgQIAAAQIECBAg0JbAfgr3Vgv3Pye5S1uT73P/KnDzJKfJhVZzodybzIsAAQIECBAgQIAAAQIECMwr4Kls7d3I+uQke8w7K77YhsB1kxynidVaE+uLbUy6zyRAgAABAgQIECBAgACB7gts6ebtrRXrpVGyffdDZHR7uEWSr2titZIX5Wbu1x9dxBkwAQIECBAgQIAAAQIECKxT4KkK9VYK9f9Msu06Z8cb2hLYKMmn5UYruVFuqu9FgAABAgQIECBAgAABAgRWEXC51OwvH/xGks1XmQV/6aJAuaH4UZpYM29i/SHJ0i4GhH0iQIAAAQIECBAgQIAAgXYEbqI4n3lx/gPNq3aCfcpPXU8Ta+Y58j8eajBltPo2AgQIECBAgAABAgQIDFTgZRpYMy3Of5pkm4HG0pCHtWGSL8iVmebK24YcUMZGgAABAgQIECBAgAABAosTOFFRPrOivFi759Xi4rNL7940yffky8zy5ewk5ew3LwIECBAgQIAAAQIECBAYucDNFeMzK8bPTLLLyONtCMPfLslJ8mZmeXP3IQSNMRAgQIAAAQIECBAgQIBANYFXKsRnUohfmmS/alPluzskcIMk5eygcp8mv5o1eFeH5t2uECBAgAABAgQIECBAgEBLAr9WgDfegFie5IEtza+PbU7gzkmulD+N58+5ScqTIL0IECBAgAABAgQIECBAYKQCeym+Gy++y9k5rx1pfI1h2AfLoZnk0L3HEEzGSIAAAQIECBAgQIAAAQLzC7xc8d148f11N6GeP/gG9NUPyKPG8+jtA4oXQyFAgAABAgQIECBAgACBRQr8UOHdaOFdbtq+/SLnxNv7J7CZm7o3mkflLMbf9y8s7DEBAgQIECBAgAABAgQI1CGwbZJlGliNFd7lvlf3rWOibKMXAnsnuUI+NZZPpYm1Ry8iwU4SIECAAAECBAgQIECAQK0Cj1BsN1ps/2uts2VjfRB4oZxqNKee3YcgsI8ECBAgQIAAAQIECBAgUK/ABxXbjRXbv0mySb3TZWs9EFiaxGW5aSyvvtqDGLCLBAgQIECAAAECBAgQIFCjQCm0z9LAaqTQLpcO3r3GubKpfgnc3KWEjeRVuYTw8iSb9ysc7C0BAgQIECBAgAABAgQIVBHYR/OqsSL7iCoT43sHIfBK+dVYft1vEBFiEAQIECBAgAABAgQIECCwIAH36mnmMqdzkmy9oBnwpiELbJTkZE2sRppYbxly4BgbAQIECBAgQIAAAQIECKwq8EXFdSPF9d+vyuxvIxY4UI41kmM/GXFMGToBAgQIECBAgAABAgRGJbAkyZ8V17UX1ycmWX9UkWSw6xL4ijyrPc+WJdlqXfD+nQABAgQIECBAgAABAgT6L1BuMl1uiOxXvQb37H9oGEHNAnsluVqu1b7W3KPmebI5AgQIECBAgAABAgQIEOigQLnMTfOqXoPvdXCe7VI3BI6Sb7WvN4d2Y2rtBQECBAgQIECAAAECBAg0KXCkgrr2gvquTU6Ybfda4MZJrpJztebc13sdEXaeAAECBAgQIECAAAECBBYk8DvFtGJ6QZHiTXUJfFjO1ZpzF7nfXF2haTsECBAgQIAAAQIECBDopsB1FNK1FtLlUkz3vupmrHdpr26ZZLncqzX39u7SBNsXAgQIECBAgAABAgQIEKhX4ABFdK1F9M+TlKc6ehFYl4AnEtZ737mnrAvcvxMgQIAAAQIECBAgQIBAfwVeqIFVawPrcf0NBXs+Y4Fypp6HJ9Rn8G8znj8fR4AAAQIECBAgQIAAAQIzFPi4Irq2JsK5STae4dz5qP4L/Er+1ZZ/3+5/OBgBAQIECBAgQIAAAQIECKxJ4JcK6NoK6DeuCdnXCaxB4AXyr7b8O9/lu2uIMl8mQIAAAQIECBAgQIBAzwU2SnKVArq2AvqmPY8Huz97gWsluVwO1paD15/9FPpEAgQIECBAgAABAgQIEGha4DYK59oK5x80PVm2P1iB/5CHteXhfQcbJQZGgAABAgQIECBAgACBEQs8XuFcW+H8jBHHkaFXE3ioPKwtD8tDKbwIECBAgAABAgQIECBAYGAC5Z5NnoJW3eDqJDsOLDYMZ3YCmyW5WC7WshZ9dHbT5pMIECBAgAABAgQIECBAYFYCn1Y011I0f2tWE+ZzBivgaaDVG8mlGX/sYCPEwAgQIECAAAECBAgQIDBigZ9pYNXSwHrOiGPI0OsReJRcrCUXz65nOmyFAAECBAgQIECAAAECBLokcIGiuZaiec8uTap96aVAeRphuRTVJb3VDTbvZQTYaQIECBAgQIAAAQIECBCYV2BbxXItzYI/zKvriwQWL1Auf9PAqm5ws8XT+w4CBAgQIECAAAECBAgQ6KrAbRTLtTQLjujqBNuv3gm8Qk7WkpP3693M22ECBAgQIECAAAECBAgQWKPAgxTLtRTLj16jsH8gsDiB/eVkLTn5j4tj924CBAgQIECAAAECBAgQ6LLAcxXLtRTLu3V5ku1brwTKvZuukpeV8/KNvZp1O0uAAAECBAgQIECAAAECaxU4XKFcuVA+Y63C/pHA4gWOl5eV8/KTi2f3HQQIECBAgAABAgQIECDQVYGPKpQrF8qf6erk2q/eCrxDXlbOy2/3dvbtOAECBAgQIECAAAECBAhcQ+CrCuXKhXK56bYXgToFniYvK+fliXVOiG0RIECAAAECBAgQIECAQLsCP1EoVy6UH9zuFPr0AQrcQV5WzsuzBhgXhkSAAAECBAgQIECAAIHRCpyqUK5cKN9ktNFj4E0JbJVkudyslJtXJlnS1ATZLgECBAgQIECAAAECBAjMVuASRXKlInlZkg1mO2U+bSQC5Qyi//GrkkFpBHoRIECAAAECBAgQIECAQM8FNlEcVyqOS3OhnMHmRaAJgR/Kz8r5ecMmJsY2CRAgQIAAAQIECBAgQGC2AjspkCsXyN+c7ZT5tBEJfEx+Vs7P240oXgyVAAECBAgQIECAAAECgxW4hQK5coH8gcFGh4G1LfAa+Vk5P+/V9iT6fAIECBAgQIAAAQIECBCoLrCPArlygXxY9WmwBQLzCjxLflbOzwfMK+uLBAgQIECAAAECBAgQINArgTsokCsXyM/v1Yzb2T4JPFp+Vs7Ph/Rpwu0rAQIECBAgQIAAAQIECMwv8LcK5MoF8hPmp/VVApUF7iM/K+dnaQJ6ESBAgAABAgQIECBAgEDPBcr9YcqT9Pya3uDAnseA3e+uwL5ys/La9MTuTq89I0CAAAECBAgQIECAAIGFCtxfgVy5QL73QrG9j8AiBW4pPyvn59MWae7tBAgQIECAAAECBAgQINBBgQcrkCsXyHfr4LzapWEI3ER+Vs7Pg4cRCkZBgAABAgQIECBAgACBcQs8UoFcuUAuN8L3ItCEwK7ys3J+vqCJibFNAgQIECBAgAABAgQIEJitwEEK5MoFcrlPkReBJgR2kp+V8/PFTUyMbRIgQIAAAQIECBAgQIDAbAWcgTX9zdtX3Pj+jrOdMp82IoHdNLAqN7CcgTWihDFUAgQIECBAgAABAgSGK/AQBXLlAvnuww0PI2tZYA/5WTk/n9XyHPp4AgQIECBAgAABAgQIEKhB4AEK5MoF8n1qmAebIDCfwF7ys3J+Pn0+WF8jQIAAAQIECBAgQIAAgX4JlObLikvh/D6dxYP6NeX2tkcCt5efldenJ/dovu0qAQIECBAgQIAAAQIECKxBYH8FcuUC+SlrsPVlAlUFDpCflfPzsVUnwfcTIECAAAECBAgQIECAQPsCd1EgVy6QX9j+NNqDgQo8Tn5Wzs9HDDQ2DIsAAQIECBAgQIAAAQKjEthXgVy5QH7DqCLGYGcp8Bz5WTk/HzjLCfNZBAgQIECAAAECBAgQINCMwI0VyJUL5A83MzW2SiCvk5+V8/Nu4ogAAQIECBAgQIAAAQIE+i+wvQK5coH8vf6HgRF0VODf5Wfl/LxVR+fWbhEgQIAAAQIECBAgQIDAIgQ2UCBXLpD/tAhvbyWwGIHj5Gfl/NxlMeDeS4AAAQIECBAgQIAAAQLdFbhIkVypSL46ycbdnV571mOBc+Vmpdz8nyRb9Xj+7ToBAgQIECBAgAABAgQIzBH4oyK5cpF8yzme/kigDoFrycvKebksyZI6JsM2CBAgQIAAAQIECBAgQKB9gRMUypUL5Ue1P432YGACd5eXlfOynMHmRYAAAQIECBAgQIAAAQIDEThGoVy5UP6XgcSCYXRH4GB5WTkvT+rOdNoTAgQIECBAgAABAgQIEKgqcKRCuXKh/KWqk+D7Cawm8F55WTkvv7Gaqb8SIECAAAECBAgQIECAQI8FXqNQrlwon5dkaY9jwK53T+CX8rJyXn6ge9NqjwgQIECAAAECBAgQIEBgWoF/UChXLpTL085uOu0E+D4Cqwlsl2S5vKycl/+8mqu/EiBAgAABAgQIECBAgECPBR6gUK5cKJcG1pN7HAN2vVsC95eTteTkU7s1rfaGAAECBAgQIECAAAECBKoI3EaxXEux/KEqk+B7CcwReL2crCUn7zfH1B8JECBAgAABAgQIECBAoOcC11Ys11Isn+0+WD3PhO7s/glyspacvFV3ptSeECBAgAABAgQIECBAgEBVgSVJLlIw11Iw71N1Mnz/6AV2kou15GK5rHfr0UcTAAIECBAgQIAAAQIECAxM4DhFcy1F80sHFheGM3uBci+10nzxq5rBmbOfOp9IgAABAgQIECBAgAABAk0LfETBXEvD4PimJ8r2By/wRblYSy5+c/CRYoAECBAgQIAAAQIECBAYocDLFM21FM3lrJndRxg/hlyPwDZJrpCLteTiO+qZElshQIAAAQIECBAgQIAAgS4JPFTRXEvRXBpYL+7SxNqXXgk8SR7WlofP6tXM21kCBAgQIECAAAECBAgQWJDALRXOtRXOP1+QuDcRuKbA1+VhbXl472vy+goBAgQIECBAgAABAgQI9F1gkyTLFM+1Fc/79T0g7P/MBXZLcrUcrC0Hi6cXAQIECBAgQIAAAbfM8McAACAASURBVAIECAxQ4BeK59qK5/cMMD4MqVmBf5Z/teXfBUmWNjtdtk6AAAECBAgQIECAAAECbQl8SAFdWwF9cZIt25pIn9s7gfWT/En+1ZZ/3+hdBNhhAgQIECBAgAABAgQIEFiwQLnpcbkJuV/1GLiJ9IJDb/RvfJi8q3Xd+ZfRRxQAAgQIECBAgAABAgQIDFjgzoroWovoU5OUM2u8CKxL4Edyr9bcK09V9SJAgAABAgQIECBAgACBgQps7ibStRbR5Uy2cmaNF4G1CdxV86r2vLvB2sD9GwECBAgQIECAAAECBAj0X+DXiulai+njkyzpf1gYQYMCX5RztebceXKuwWi1aQIECBAgQIAAAQIECHRE4EjFdK3FdDkL68COzK3d6J7A7eVb7fn21e5Nsz0iQIAAAQIECBAgQIAAgboFnqSgrr2gPjHJ0ronyvYGIXCMfKs93142iMgwCAIECBAgQIAAAQIECBBYq8DuCuraC+pyFtYj16ruH8co8LdyrZFcu8sYg8mYCRAgQIAAAQIECBAgMEaB0xXWtRfWf0yy2RiDyZjnFShn5B0nz2rPs8uTbDyvuC8SIECAAAECBAgQIECAwOAEPq6wrr2wLmdhubRpcKky9YCeKscaybFvTT0jvpEAAQIECBAgQIAAAQIEeifwNMV1I8X1JUl27l002OG6BbZJ8t9yrJEce2Xdk2V7BAgQIECAAAECBAgQINBdgZsprhsprstZWJ/r7rTbsxkJvEt+NZZfd5/RHPoYAgQIECBAgAABAgQIEOiIwB8U2Y0V2Q/tyBzbjdkLlBuML5dbjeTWpUk2mf2U+kQCBAgQIECAAAECBAgQaFPgnYrsRorschbWWUm2bXNyfXYrAuXm4ifJq8by6uhWZtWHEiBAgAABAgQIECBAgECrAg9QaDdWaJcm1qdanV0f3obAW+VUozlV7t3nRYAAAQIECBAgQIAAAQIjE9gsyWUK7kYL7sePLKbGPNx7uXSw0VwqTeFdxhxgxk6AAAECBAgQIECAAIExC3xFA6vRovuiJDcac4CNZOzXnlw2WposfjVj8PORxJJhEiBAgAABAgQIECBAgMA8As9ScDfecDghSTnbzWuYAusn+ZY8ajyPXjvM8DEqAgQIECBAgAABAgQIEFiIwK4ue2q88C5n5Hx4IZPhPb0UeIPm1Uxy6I69jA47TYAAAQIECBAgQIAAAQK1CRyrAJ9JAX5wbTNmQ10ReJgG8Exy5/QkS7sy6faDAAECBAgQIECAAAECBNoReK4G1kyK8GVJypMfvYYhcNskl8idmeTOm4cRMkZBgAABAgQIECBAgAABAlUEdnYWyUyK8HIpYWl43K7KZPneTgjsluRszauZ5c1+nZh1O0GAAAECBAgQIECAAAECrQv8QDE+s2L8jCQ3aH3G7cC0AjskOUm+zCxfTk2yZNrJ8n0ECBAgQIAAAQIECBAgMCwBTyPMzArycibWaUl2GVYIjWI0WyU5XvNqprnyL6OILIMkQIAAAQIECBAgQIAAgQUJ7Jik3KOpNFf8mo3Br5Nce0Gz401dENgiyQ/lx8zXh326MPn2gQABAgQIECBAgAABAgS6I3C04nzmxfkvkly3OyFgT9YgUM68+p78aCU/1jAlvkyAAAECBAgQIECAAAECYxV4kAJ95gV6Odvt9+6J1emU2zbJsXKjldx4dqcjw84RIECAAAECBAgQIECAQCsCGyb5b4V6K4V6uSfWHq3Mug9dm8BOScpZci6rnb3B5UmutbbJ8W8ECBAgQIAAAQIECBAgMF6BNynWW2tWnJfkruMNvc6N/BZJ/iAfWsuHj3cuIuwQAQIECBAgQIAAAQIECHRG4GYK9tYK9nKWTznr5FGdiYbx7sh9klwoF1rNhXuMN/yMnAABAgQIECBAgAABAgQWIvADhXurhfvyJK9Lsv5CJst7ahVYkuSfPJGz1fhfcV+4pbXOrI0RIECAAAECBAgQIECAwOAEHq6B1XoBX4r4Y5JsP7jo6u6AtkzyH2K/E7H/wu6GiT0jQIAAAQIECBAgQIAAga4IbJDkTwr5ThTyf0zyt10JjAHvx95JThLznYj5S5JsN+BYMzQCBAgQIECAAAECBAgQqFGgnAHhyWvdMLg6yWFJylMiveoVKJepvSDJFeK9M/n+jnqn2NYIEFigwOZJdkmyT5J7T+7H+Mwkr5j8DCoPeTli8uvDSY6a/Prq5OzV8vdPzHnPWyff95okz03yuCQHJPmbJDfWqF7grHgbAQIECBAgQIDAOgXK4+svVdR3pqgvzcTjk9xqnTPnDQsVuFGSb4rxTsV4uf/bHgudQO8jQGDBAuWeirtOnnT7+ElT6sgk30lSzvQtDxBp4z+tyn/QnJ3kuCT/nuT1Sf4hyX2T3DTJJgseoTcSIECAAAECBAiMWuBdLR3QtnEQ3ZfPvDLJax3UV8rLUsgdokHbSrG6rjz7QqWZ9c0ECJQHUdwgyYFJXjZpCv0myVU9/nl+RpJylldpbh2U5NbOSBboBAgQIECAAAECqwvcLEk5I2JdRad/n71RKUjK/1B7LU7gzkl+JqY7m9P3WNx0ejeB0QvcJEk5o+qdScoThC8cyfpW/jPn50k+muQ5SW6vqTX6XABAgAABAgQIEPBUto4XA19Ksqc4XadAua9LuTeLZmt3DX6apJw94kWAwPwCG03uH/X8JJ9J8t/WtFXW9HLbg3JJZLnn1v2SbDs/o68SIECAAAECBAgMVaA8nc1ZWN0t+ktDpvxPdLmx7s5DDcIK49o+yRtdLrhKkdfVJt6DKsyzbyUwRIHS0C2Xy5WHqnw7yWUaVotay8qxy4lJ3pzknkk2HmKQGBMBAgQIECBAgMCqAl900Lyog+a2GgTlJrxvSbLjqtM3yr9tl+TVSS4Su72I3XIpUHkipBeBsQtsk+ShSd6f5EzrV63r1yVJjk7yj0luOPZAM34CBAgQIECAwFAFyiOv22rK+NzF21+R5ANJbjHUgFzLuEpR8m9JSqEidvpj8LC1zKl/IjB0gXL2bLmP0/eSLLN2zWztLveSfEOS2w09wIyPAAECBAgQIDA2gWMcVM/soLquxku5fOIrSR6YZIMBB2w5c+feST6l+OtdjJZY/6WzrwacnYa2JoFypuwzJ00rl+m332w/Jclhk0s21zRnvk6AAAECBAgQINATgfL0troaK7Yze8uzJgfn5cmSQ3mVs61enuQ0sdnr3HzUUALSOAisQ+BaSZ6e5FtJrrZudXbdKmdmvSrJTdcxn/6ZAAECBAgQIECgwwJfcMDd2QPuxTQFy/2GXppkjw7H2pp2bdckz0vyY7E4iFj8RZL11jTZvk5gAALlRux3S/KxJOU+hYtZq723fa/vJ3lckk0HEIuGQIAAAQIECBAYlcAt/a/x4IqP303uGXXfJJt3MJo3SbL/5EmCpdmhoBuWwQEdjDm7RKAOgeskOSTJb61bg1i3L0jytiS3qiM4bIMAAQIECBAgQGA2Ah90MD6Ig/H5GkFXJTkuyeGTp2DdqIV7E5UzrP4uyeuT/CBJuSH9fPvqa/13+fZsliyfQmCmAndP8skkV1q7Brt2lzOAn5Rk45lGlg8jQIAAAQIECBBYtMAuLoMY7EH5fE2hi5Mcm+Q9SV6U5JFJylMprzflwfuGSa47eepTeVR8OUPhiMmNjMv/cM+3D742PJdy0+p9F736+AYC3RQoD8l4dJKfWMNGtYafneRlScq9zbwIECBAgAABAgQ6KvAmB+mjOkhfWwOpNLjKTdSPn5y99Z0kX5v8KjcqLmd0lV/lCU8XihtxM4mBozq6ttktAosR2CrJ85P80do26rXtkiRvT7L7YoLHewkQIECAAAECBGYjsG2Scxywj/qAfW1NLf82vDOm6pzTcmlVuTzVi0BfBXaa3JfvL34O+jk4JwbKkyU/neT2fQ1s+02AAAECBAgQGKrA3885aKuzuLUtzQ8xMOwYKPc38yLQR4HtkxyW5FI//zSu1hED5Uzk2/YxyO0zAQIECBAgQGCIAksn90bSbBh2s8H8mt86Y+DMJOWyKy8CfRLYLsmhLoPWtFpH02q+tbI0sm7Tp2C3rwQIECBAgACBoQrsk6ScMj/fQZuvcREDYmD1GHjYUBdD4xqkwBaTB014wIS1bPW1bDF/Lw+t+HySvQaZJQZFgAABAgQIEOiRwPs1sDTwxIAYWEAMfL1H65pdHbdAeargc5Kct4C4Xkwjw3vH3QhbNnmi77XHnV5GT4AAAQIECBBoT6AciJ3vIF8DQwyIgbXEwBVJ9mxvmfLJBBYscN8kv15LLGtCjbsJVcf8l5v/vyDJRguOSm8kQIAAAQIECBCoTeAJDvY1L8SAGFhLDJQbX3sR6LJAabB+eS0xXEfjwjY0v+bGwG+TPKDLSWHfCBAgQIAAAQJDFFiSpNyodO6BmT/zEANioMRAOZtlkyEufMY0CIFtkhye5Eo/w/wMbykGyvHTzQeRTQZBgAABAgQIEOiJwC5JLmrp4E+jRKNEDHQzBspDHu7UkzXMbo5P4IAkp/u5pXHVgRi4atJI3Wx8aWjEBAgQIECAAIF2BJ7ZgYNAjYxuNjLMyzjn5c3tLEU+lcBaBa6b5FN+XmlcdTAGTk6y/1qj1z8SIECAAAECBAjUIrA0yXc7eECoeTLO5ol5b3feT0myeS0ri40QqEegXO7+lCTlJtrWBwZdjYHlSY5Msl09YW8rBAgQIECAAAECaxK4cZKLFQeKIzEw6hgolw7eZU2LhK8TaEFgD//BMuo1qavNqrXt1xlJDmwhV3wkAQIECBAgQGBUAk/SvFAoiIFRx8CbRrXiGWyXBcpZVwcnucyaNOo1aW2Noq7/20eSbNXlJLNvBAgQIECAAIG+C3xCsaBYEAOjjIETkmzc9wXM/g9CYIckR1uHRrkOdb0ptdj9Oy3JnQeRlQZBgAABAgQIEOigQHk0+R8UDgoHMTCqGCiXD5dLtbwItC1wryRnWn9Gtf4stinUt/eXS7MPT7Jh28nl8wkQIECAAAECQxQo98ApB1x9O0i0v+ZMDEwXA08c4kJmTL0S2GRS5JcbYctjBkOMgf9MsnuvstLOEiBAgAABAgR6InCYIkIRJQZGEQNH9WRNspvDFbh5kl9Zb0ax3gyxMbWYMV2Y5JHDTWUjI0CAAAECBAi0I7B+km8qKBQUYmDQMXBKknLZsBeBtgQe7gm4g15jFtPcGdN7yyWFG7SVdD6XAAECBAgQIDBEgXIj3T9pYCguxMAgY6A83W3vIS5cxtQLgfKfJOVMX5cMulxwTI2ruWP9XpLr9iJb7SQBAgQIECBAoCcC+yW5QgNjkA2MuQfS/jy+IvLxPVmD7ObwBK6V5Ot+rvi5IgZydpK/HV6KGxEBAgQIECBAoD2BZznIVGiIgUHFwL+1t5z45JELlLP+TrWeDGo98R8g1f4D5Kokh4x8XTB8AgQIECBAgECtAh9VcCg4xMAgYuD7Hude69poYwsXeFSSy60jg1hHNK2qNa3m8zsiSbm01osAAQIECBAgQKCiQHnE+Y8UHgoPMdDrGDgjyY4V1wLfTmAagZe431Wv1475Gi6+Vn8T68tJtpgmwXwPAQIECBAgQIDAqgLXSXKaBoYiRAz0MgYuTbLvqintbwQaFyhnlLzTmtHLNUODqv4G1UJMf57k+o1npg8gQIAAAQIECIxA4KZJLlCMKEbEQK9i4OokfzeC9ckQuyVQziT5orWiV2vFQhos3tN8Y6ucLespsd1az+wNAQIECBAg0FOB+yVZpihRlIiB3sRAeRCDF4FZCpQzSMqZJJodDMTAdDFwYZL7zDJpfRYBAgQIECBAYKgCz1SYKMzEQC9iwBMHh7oKd3dcN0nyR+tDL9YHzaXpmkuzcitPKHxkd1PdnhEgQIAAAQIE+iPwagWKAkUMdDoGPp9kvf4sKfZ0AAK3THKWdaHT68Ksmi8+p57mWLkE/EkDWBsMgQABAgQIECDQqsCSJO9SqChUxEAnY+AHSTZrdYXw4WMTKPfsOcd60Mn1QDOpnmZSW47Lkzx7bAuK8RIgQIAAAQIE6hYoZ3ccpWBRsIiBTsXAz5JsU3ey2x6BtQjcMclfrAOdWgfaarb43OaaZYetJQf9EwECBAgQIECAwAIENkzyFYWLwkUMdCIGfpPk2gvIW28hUJfAXZNcJP87kf+aR801j7piq4lV18plOwQIECBAgMBoBcrj0sslS105wLMf5mKMMXBakp1HuwoZeBsC90hymbXfzz4xMNMYeF0bye4zCRAgQIAAAQJDEtgyyQ8dxM70IHaMTRpjnr85eXqS3Ye0oBhL5wXulOQSa741Xwy0EgMv7/wKYQcJECBAgAABAh0X2CrJjxzMtnIwq7Ezf2NnDC5/1Lzq+Mo4vN27dZLzrfXWejHQagy8YHhLixERIECAAAECBGYroIk13kbKGJpFXRvjH5LcaLYp7tNGLnCLJOdqXLTauOjaOmR/2vm5X55O+LSRr0eGT4AAAQIECBCoLLB1kv9U4ChwxECjMfD7JLtVzlYbILBwgZskOVteN5rXmkHtNIP66n51kscsPIW9kwABAgQIECBAYD6BcmP3byh0FDpioJEYOCXJLvMlnq8RaEigxFu5XLWvhb79NndDjYGrkhzYUN7bLAECBAgQIEBgNAIbJfmkgkfBJwZqjYFfJNlpNKuIgXZBoDyk4wR5XGseD7WZYlztNArL00D/pguLhX0gQIAAAQIECPRZYL0k71H4KHzEQC0xUB6SsF2fFwT73juBDZJ8Tf7Wkr+aO+00d8bifo4HevRufbXDBAgQIECAQAcFliR5vQJIASQGKsXA55Ns2sH8tkvDFShr9/vlbaW8HUvzxDi70Zz7XZLth7skGRkBAgQIECBAYHYCz0tSbjjqQJeBGFhcDLwvyfqzS1WfROB/BV5mvfbzSgz0Lga+naTcwsGLAAECBAgQIECgokC50eglDoh7d0Cs4bS4hlNdXuUx6f+cpJwJ40VglgLlyWYl/uqKZdthKQZmFwMf8XNjlsulzyJAgAABAgSGLLBPkjMURgpDMbDWGCg35X3kkBcCY+usQLkZ9BXyc635qRkzu2YM6+msX97ZFcaOESBAgAABAgR6JrBjkuMVSAokMTBvDJSb8d6pZzltd4chcO0kf5KX8+alRsp0jRRu7biVWzbcdxjLklEQIECAAAECBNoX2CLJpxVKCiUxsEoM/CTJzu2npz0YoUB54uB35eMq+aj50k7zhXs97uclueEI1zJDJkCAAAECBAg0IlDu7fPCJMsUTYomMZB/T7JZI5lmowTWLXC4HLQOi4HBxcB/eYLtuhc/7yBAgAABAgQILEbgLknOcuA8uANn/4u+sP9FvyrJIW66u5glw3trFij3W5OvDMTAMGPgozWvFzZHgAABAgQIEBi9wE5JfqSIUkSOLAbK/YbuMPrsB9CmwC09Hda6O7J1d4yNume2ucj4bAIECBAgQIDAEAU2TvJ2B9KKqZHEwNeT7DDERDam3ghsnuS3I8m3MTYtjHmYZ1RNM69XJrldb1YmO0qAAAECBAgQ6JHAA5Kcq6jSyBpoDJR7vr0yyXo9ykm7OkyB9w00x6Yp8H2PZs/QY6A0q0vT2osAAQIECBAgQKBmgfI49y8prjSxBhYDpya5c825YnMEphE4cGC5NfTmg/FpsNURA++dZrHwPQQIECBAgAABAusWKE8pPDjJFQotjawBxMBRSbZed9h7B4HGBa7nLFdr6gDW1DoaOmPcxsMaX2F8AAECBAgQIEBgxAJ7JznBwbaCq6cxUC6HffCI89fQuyWwNMkxPc2lMTYbjNmZV3XHwJ+TlAfneBEgQIAAAQIECDQksGGSVyQpNyKt+2DO9pg2FQOfS7JjQzlhswSmEXi+NdTPEDEw+hj4RpLSzPYiQIAAAQIECBBoUGCvJD9x8D36g++mGk51bfesJC7TaHAhsOmpBG7hkmxrp5+fYmASA8+ZahXxTQQIECBAgAABAosS2CDJi5Nc5kDcgXjHYmB5kg8k2XZREe3NBJoXKE+9/FHH8qWuhrHtOItWDCw+Bi5JcoPmlx6fQIAAAQIECBAgUARumORoBZkmVkdi4OQk95CaBDoq8KyO5IlGw+IbDcyYNRUDX01SHpjjRYAAAQIECBAgMCOBA5KcojjTyGopBsr/Yh+aZJMZxbuPIbBYgV2SXNRSfjRVeNuupo4YqCcGHrvYBcX7CRAgQIAAAQIEqgmU5kFpIrissJ4DWoXBwhw/n2TXaqHruwk0LvBlzSsNfjEgBtYQA+WphNdufBXyAQQIECBAgAABAtcQ2DnJEUmuXsOBmsbMwhoznNbu9NMkd7pG9PkCge4JlLMr5DMDMSAG1hYDH+3e0mWPCBAgQIAAAQLjEdgnSXlM9NoO2Pwbn8XGwGlJnpCk3BDbi0DXBbZPcq510M8BMSAGFhAD9+36gmb/CBAgQIAAAQJDF9g/yc8WcOC22EaG94+r+VWaAIck2XjoCWN8gxIoZ6NaqxiIATGwkBj4XZKNBrUCGgwBAgQIECBAoIcC5WyZxyT5tWJOMbvIGLhwcm+1LXoY93Z53AJ7JVm2yHhfSJHrPZohYmC4MfD8cS+bRk+AAAECBAgQ6I5AaWQ9MskvFHUaWeuIgb8kOSxJuQTLi0AfBVxCPdwmgwaSuW0qBsrPPjd07+OKb58JECBAgACBwQosTXJAkuPX0cRo6gDRdrtbfJwzOeNqm8FGv4GNQeBB1jZNejEgBqaMgfeMYZE0RgIECBAgQIBA3wRKI+t+SY6Z8iBPI6q7jajFzs0fkhycZNO+BbH9JbCaQLlP28nWNM2LOTFQLiU9b/LrjEl8nDrna5fNee9i107vH87PwRVzWZ7ifJvV1hV/JUCAAAECBAgQ6JBAuV/MB5Jc7kB+VIXfj5I8KsmGHYpFu0KgisALrWGjWsNKs+E3ST6b5PAkz0ryd0n2S7J7kq0XGEyleb9zklsnuU+Sv0/y2iQfS3JcEk2u4TWqVjSs5vv9O0mWLDB2vI0AAQIECBAgQKAlgeskeVWSMxWBgy0CS5PyyCS3bSnGfCyBpgTKPdvKgwfmK0h9bRgu5WEk70vy5CS3S7JZU8G02nbLPST3SPLQJG9I8oMkV4i1QefagavFgL8SIECAAAECBAh0VGCDJOXg7Que5DWYA/TTkrzEDWo7mnF2qw6B12soDGa9WtFwLJc3vyvJAzv4UIlyueqdk7x6ck/J5eJvUPH38yTlVgteBAgQIECAAAECPRIol1W8PEm5Z8iKosLv/bC4JMmHktzdgXiPMs6uTiNw3SQl3q1N/Tc4MclLk9x8mkBo8XvK0+uelOSr/uNnMHn4iBbjyUcTIECAAAECBAhUECj/E3m3yf+G/1mh2NkD9HIWQLl/xxOSbFFhvn0rgT4JvMWa1Nk1aSFNxdOT/HOSm/Up6Nayr+Vy1qcl+U9x2eu4LJeslstHvQgQIECAAAECBHosUG76XZ5g+GH3nOnEwXlpWv0wyXOT7NrjuLLrBKYRKGeJegBF/868KjdgPzrJ/ZOsP83E9+R7bpXkbUn+opnViZ+XC2mozn3PY3sSZ3aTAAECBAgQIEBgAQKbTO5PUm6se7YD9JkdoJfir5xpdXCSnRYwT95CYKgCR1h3ZrbuzC3sp/1zudTz7ZOnBA41Jucb15aT/2Qo9yOc1s73zd7u5CTlvqBeBAgQIECAAAECAxMolxnuO7kU5KcO0msvUs6dPNb9cUnKEyO9CIxd4AZJrrTW1L7WNNEoKWcgvSLJdiMP2tIMeXSSk8RtL+K25MJTRh6zhk+AAAECBAgQGIVAOTPooCTvdxP4qQ7UlyX5fpKXTR4Z714co0gbg1yEQDmTp4lmi23W53pxksM0rq4R1eWyyccn+b0Y7nwOl7Ow/Py9Rgj7AgECBAgQIEBg2AK7TQ7Yj0xylYP2axy0l0LvmMlZCvdwE/ZhJ4PRVRa4licPXmMN6VLjrVzmXP7zojwh0mvNAuWeks9LcoGfiZ2O54eseQr9CwECBAgQIECAwNAFyuVwXSq22tyXNya57cBvZDz0eDa+2QuUMxPbzFufvWb/cuZoWdO8Fi6wQ5J3JymNP7HVPYMfLXwqvZMAAQIECBAgQGBoAhpYKw/Q7zS0yTUeAg0LbJTkTIV+5xod5T5X5cES5X6IXtMJ3D7JiWK7c7Fdmop+Vk8X076LAAECBAgQINB7AQ0sDazeB7EBtCbwZAV+5wr8zyW5XmsRMawPLpcVHprkCnHeqTj/zLDCzGgIECBAgAABAgQWKqCBpYG10FjxPgJzBZYk+aXCvjOF/aWTs67mzpE/1yNw8yQniPXOxPryJHvWM7W2QoAAAQIECBAg0CcBDSwNrD7Fq33tjsD9FPSdKeiPTbJ7d0JjkHuyWZIjxHxnYv6dg4wygyJAgAABAgQIEFirgAaWBtZaA8Q/EliDwJcU850o5ktTpVzq5jUbgYcnKU+qdYP3dg3KGYdbz2bKfQoBAgQIECBAgEBXBDSwVh6EuzFsV6LSfnRdYOckyxTxrTYxLkvyhK4HykD3b48kvxL/rcZ/aSA+daDxZVgECBAgQIAAAQJrENDA0sBaQ2j4MoE1CrxC8d5q8X56kr3XODv+YRYC2yQ5Rh60mgfHz2KifQYBAgQIECBAgEB3BDSwNLC6E432pA8C6yU5TeHeWuH+8yS79CFQRrCP6ycp92JyOWF7BrcZQZwZIgECBAgQIECAwERAA2vlgbdLCKUFgXULuHn7yjVj1o2LryfZct1T5B0zFChP43y5JlZrTbx3zHCufRQBAgQIECBAgEDLAhpYK4tRDayWg9HH90Lgc4r1Vor1o5Ns3IsIGedOPj3J1XJj5rlxYZLNxxlyRk2AAAECBAgQGJ+ABpYG1vii3oinFbhukqsU6TMv0j+RZINpJ833zUzgMfJjGCd3fgAAIABJREFU5rlRzoJ8/Mxm2AcRIECAAAECBAi0KqCBpYHVagD68F4JPF/zauYFemlelfuOefVDoDRTlsuTmebJN/sRGvaSAAECBAgQIECgqoAGlgZW1Rjy/eMROE5hPtPC/MtJNhpPeA1mpP8gT2aaJ+XSzR0HEz0GQoAAAQIECBAgsEYBDSwNrDUGh38gMEfghorymRblX3PPqznR178/HiJfZpovz+hfiNhjAgQIECBAgACBxQpoYGlgLTZmvH+cAi9SkM+sID8xyVbjDLNBjfotcmZmOfPdQUWOwRAgQIAAAQIECMwroIGlgTVvYPgigdUE/ksxPpNi/PQk11/N3l/7KbA0yWfkzUzyptx3TN70M0/sNQECBAgQIEBgwQIaWBpYCw4WbxytwE0U4TMpwi9JcuvRRtkwB75Zkp/Kn5nkz7OHGUJGRYAAAQIECBAgsEJAA0sDa0Us+J3AmgRepgCfSQH+2DVNgK/3WmCXJOfIocZz6Ee9jhI7T4AAAQIECBAgsE4BDSwNrHUGiTeMXuBniu/Gi+9/HX2UDRvg3knK0/L+x6/GDMplhDsNO4yMjgABAgQIECAwbgENrJUFxZ3GHQpGT2BegfJ4+lIYKrybM/h+kg3m1ffFIQkcKo8aX0eeNKSAMRYCBAgQIECAAIFVBTSwVhalGlirxoa/ESgCT1R0N1p0X5Rkd6E2CoFyU/dvyadG8+mTo4gkgyRAgAABAgQIjFRAA0sDa6Shb9gLFPh3BXejBfdBC5wHbxuGwG5J/iKnGsupYutsxmHkilEQIECAAAECBK4hoIGlgXWNoPAFAhOB9ZOcr9hurNh2tsg4U+1xcqqxnCqXOt9lnGFl1AQIECBAgACB4QtoYGlgDT/KjXBagXJZrXtfNWNwQZLrTTsxvq/3Al+RW42tLa/tfXQYAAECBAgQIECAwLwCGlgri1P3wJo3RHxxxAKvUWQ3VmQ/YcRxZejJrknK/c80iOs3KE9N9SJAgAABAgQIEBiggAbWyoNnDawBBrghVRI4XoHdSIOh3Mh7SaWZ8c1DEHiB/Gokv8pTU8vTU70IECBAgAABAgQGJqCBpYE1sJA2nJoEtkyyTIFde4FdTPeqaY5spt8CGyY5SY7VnmPlrLaH9Ts07D0BAgQIECBAgMB8AhpYGljzxYWvEbiXwrqRwvqdQovAHIH7y7NG8uwtc4z9kQABAgQIECBAYCACGlgaWAMJZcOoWeAVCuvaC+u/JNmh5nmyuf4LfE2u1Z5r5fJnLwIECBAgQIAAgYEJaGBpYA0spA2nJoFjFNW1F9WH1jQ3NjMsgX2SlPs2uaF7fQblUt0thhUmRkOAAAECBAgQIKCBtfKA2U3c5QOB/xNY3xPSam8mnJ9kGwFGYA0Cn9PAqj3n9l+DtS8TIECAAAECBAj0VEADSwOrp6FrtxsU2FsxXXsx/aIG58um+y9QbuzvLKyVP4/rOBvt5f0PCyMgQIAAAQIECBCYK6CBtfKA2RlYcyPDn8cscLAGVq0NrAuTbDXmgDL2BQkcLe9qzbuvLkjdmwgQIECAAAECBHojoIGlgdWbYLWjMxP4iEK61kL6jTObOR/UZ4G7yrta8+6CJEv6HBD2nQABAgQIECBAYFUBDSwNrFUjwt8IJCcqpGsrpK9Kcn1BRWCBAsfKvdpyr1yGuOsC3b2NAAECBAgQIECgBwIaWBpYPQhTuzhDgY2SXKmIrq2IPmqGc+ej+i/wGLlXW+6VBtb9+x8SRkCAAAECBAgQILBCQANLA2tFLPidQBG4tQK61gL6HsKKwCIENklynhysLQdfsgh7byVAgAABAgQIEOi4gAaWBlbHQ9TuzVjgsYrn2ornU5IsnfH8+bj+C7xVDtaWg5/ofzgYAQECBAgQIECAwAoBDSwNrBWx4HcCReD1iufaiucXCykCUwjsJQdry8FfTuHvWwgQIECAAAECBDoqoIGlgdXR0LRbLQmUR8+Xe8f4Vd3ghi3NoY/tv4AHKVTPv7KGLUtSLsv0IkCAAAECBAgQGICABtbKg+Q7DWA+DYFAVYEzNa9qad6Vp8l5EZhW4GXysJY8LE2svaedBN9HgAABAgQIECDQLQENLA2sbkWkvWlTYAtFc21F83PanEif3XuBm8jF2nLx4b2PBgMgQIAAAQIECBD4XwENLA0sqUBghcAtFc21Fc27rUD1O4EpBVxGuPLnc5VLml84pb9vI0CAAAECBAgQ6JiABtbKA2SXEHYsOO3OzAUeoIFVSwPrVzOfOR84RIE3yMda8vGIIQaHMREgQIAAAQIExiiggaWBNca4N+b5BZ6lYK6lYH7T/Ly+SmBRAneXj7XkY3kwhRcBAgQIECBAgMAABDSwNLAGEMaGUJPAmxXMtRTM96ppPmxm3AIbJblITlbOyd+OO4yMngABAgQIECAwHAENLA2s4USzkVQV+IxiuXKxfFWSzatOhO8nMBH4mpysnJNXJFkqoggQIECAAAECBPovoIGlgdX/KDaCugR+pliuXCz/uK7JsB0CSQ6Vk5VzstwAfifRRIAAAQIECBAg0H8BDSwNrP5HsRHUJXCBYrlysfyWuibDdggk2V9OVs7J0sDykBbpRIAAAQIECBAYgIAGlgbWAMLYEGoQ2FihXEuh/Iga5sImCKwQ2CLJ1XKzcm4+ZAWo3wkQIECAAAECBPoroIGlgdXf6LXndQqUS2zKmQp+VTPYs85JsS0CScpNyOVlNYOniiQCBAgQIECAAIH+C2hgrTwodolB/+PZCKYXuJUiuXKT4PIk608/Bb6TwLwC/yE3K+fmS+aV9UUCBAgQIECAAIFeCWhgaWD1KmDtbGMCd1ckVy6Sj2tsdmx4zAJu5L7y5/S0Z6K9ecwBZOwECBAgQIAAgaEIaGCtPDB2BtZQoto4phF4qAZW5QbWh6eB9z0E1iHwMLlZOTePXIexfyZAgAABAgQIEOiBgAaWBlYPwtQuzkDg6YrkykXyq2YwTz5ifAL7ys3KufnF8YWNERMgQIAAAQIEhieggaWBNbyoNqJpBF6mSK5cJD9xGnjfQ2AdAjvIzcq5eew6jP0zAQIECBAgQIBADwQ0sDSwehCmdnEGAuUeMdPeX8b3/Z9duY+YF4G6BZYkuVh+Vlqfflf3pNgeAQIECBAgQIDA7AU0sFYW7e6BNfv484ndEThCgVypQC5NvD26M532ZGACv5WflfLz9IHFg+EQIECAAAECBEYpoIGlgTXKwDfoawi8X4FcqUAuDaztr6HqCwTqEfih/KyUn+VYx4sAAQIECBAgQKDnAhpYGlg9D2G7X5PARxXIlQrk5UnWr2kubIbA6gJHy89K+Xnh6qD+ToAAAQIECBAg0D8BDSwNrP5FrT1uQuCTCuRKBfJ5TUyKbRKYCHxQflbKzytEEgECBAgQIECAQP8FNLA0sPofxUZQh8DnFMiVCuQ/1jEJtkFgDQJvl5+V8rNc4ltuhu9FgAABAgQIECDQYwENLA2sHoevXa9R4CsK5EoF8sk1zoVNEVhdwFNCV/6snvappxutjurvBAgQIECAAAEC/RLQwFp5UOwphP2KXXtbr8A3NbAqNbB+Ve902BqBVQQOk5+V8rM0vbZYRdRfCBAgQIAAAQIEeieggaWB1bugtcONCHxPgVypQP6vRmbFRgn8n8Ar5Wel/CwNrGsJJgIECBAgQIAAgX4LaGBpYPU7gu19XQLfVSBXKpBPrGsibIfAPAKvlp+V8rM0sLaex9WXCBAgQIAAAQIEeiSggaWB1aNwtasNCnxDgVypQP5Ng3Nj0wTeID8r5WdpYG0ijAgQIECAAAECBPotoIGlgdXvCLb3dQl8VYFcqUA+ra6JsB0C8wi8VX5Wys/SwFpvHldfIkCAAAECBAgQ6JGABpYGVo/C1a42KPAFBXKlAvmsBufGpgm8W35Wys9lQogAAQIECBAgQKD/AhpYGlj9j2IjqEPgMwrkSgXylUmW1DERtkFgHoFPyc9K+XnJPKa+RIAAAQIECBAg0DMBDSwNrJ6FrN1tSOAoBXKlArlcorRlQ3NjswS+KT8r5ef5QogAAQIECBAgQKD/AhpYGlj9j2IjqEPgvQrkSgVyaWDtVsdE2AaBeQTKUy5LjPk1nYFLfOcJKl8iQIAAAQIECPRNQANr5cHwnfo2efaXQI0Cb1IcV24O7FvjfNgUgbkCpQGjeTW9gYcszI0mfyZAgAABAgQI9FRAA2vlAbEGVk+D2G7XInCoArlyg+AhtcyEjRBYVWCTJMvlZ6X8/K9VSf2NAAECBAgQIECgjwIaWBpYfYxb+1y/wHMVyJUK5HJ2zAvqnxZbJJA95Wbl3DxGHBEgQIAAAQIECPRfQANLA6v/UWwEdQg8SZFcuUh+ex0TYRsEVhP4f3Kzcm6Wh1R4ESBAgAABAgQI9FxAA0sDq+chbPdrEnigIrlykfzVmubCZgjMFXim3Kycm++YC+rPBAgQIECAAAEC/RTQwNLA6mfk2uu6Be6gSK5cJHvSWd1RaXtF4N1ys3JuvlIoESBAgAABAgQI9F9AA0sDq/9RbAR1CNxQkVy5SC73wdqhjsmwDQJzBI6Vm5Vz8+A5nv5IgAABAgQIECDQUwENLA2snoau3a5ZYDNFcuUiuTSw9q95Xmxu3AJLk1wkNyvn5qPHHUZGT4AAAQIECBAYhoAGlgbWMCLZKOoQuFChXLlQ/qc6JsI2CEwEbiYnK+dkaSzfR0QRIECAAAECBAj0X0ADSwOr/1FsBHUJ/EaxXLlY/nxdk2E7BJI8RU5WzsnSwCqNQC8CBAgQIECAAIGeC2hgaWD1PITtfo0CxyiWKxfL5yUpl315EahD4Eg5WTknSwOrXCLtRYAAAQIECBAg0HMBDSwNrJ6HsN2vUcDTzlauB6XonfaXsz1qDMqRb+qUCnE4bfwO7fvOHnkMGT4BAgQIECBAYDACGlgri9Q7DWZWDYTAdAIvUixP3bSaW/Q/azp+30VgFYHd5WMt+fijVVT9hQABAgQIECBAoLcCGlgaWL0NXjteu8DDFcy1FMxfrn1mbHCMAs+Qj7Xk48fGGDzGTIAAAQIECBAYooAGlgbWEOPamKYT2FfBXEvBfFmSTaebAt9F4K8CX5SPteTja/4q6g8ECBAgQIAAAQK9FtDA0sDqdQDb+VoFtlMw11Iwl8sJH1DrzNjY2AQ2T3KpfKwlH8uTHL0IECBAgAABAgR6KrBjkvsleVmScqbA3Hu3jPnPlyc5Psn7khyc5K5JtunpHNttAtMKlBsej3kdqGvsH5l2AnwfgSSPkIe1rUP7iygCBAgQIECAAIF+COw0ORPgFUmOTnKGg+JFHxSfmuSzSV6Z5IFJrtuPqbeXBKYS+IY1YtFrxHxNrwuTbDLVDPgmAsln5GEteVhy8zoCigABAgQIECBAoHsCS5PsleSZST6V5CwHwLUdAK9eoP42yQeSPCnJnkmWdC8c7BGBqQTeat2obd148FQz4JvGLrBVknJG8Oo/d/x98Sb/PfZgMn4CBAgQIECAQFcE1kuyT5LnJPlckvMc8LZ2wH9O/u9/zJ+XZL8k63clSOwHgUUKPM06Uts6Us569SKwWIGnysHacvDri8X3fgIECBAgQIAAgfoEdk3y9CSfT/IXB7m1HeTW/T/b5yc5KskTkpR7jnkR6IvAna0rta0ry5Ls3JeJt5+dEThODtaWg2/qzKzaEQIECBAgQIDACATKWVZ7Jzk0STmoXe7AtrYD27qbVmvb3slJDk9Sbia74Qji1hD7K1AuX7raOlPbOvPy/oaCPW9BoNwGYG0/S/zb4nwe18Ic+kgCBAgQIECAwKgEtk1yUJKPJyln8jhgHZZBOXOu3KPs0Um2HFVkG2xfBE6y7tS27v4xyQZ9mXj72brAu+VebblXjp3KbRa8CBAgQIAAAQIEahbYNMlDJpcGXuEAttYD2C43AMuNesvloKVhqZlVc1LZ3NQCH7EG1boGlWa1F4F1CeyQ5DK5V1vulUt4PQl0XVHn3wkQIECAAAECCxQoTauHJfkPB621HbB2uVm1rn27dBILD0+y+QJjyNsINCHwbEV0rWvST5uYJNscnMCr5F2teffzwUWIAREgQIAAAQIEZixQnk53QJKPJbnYwWqtB6vrahD16d9LM+vfk9wvSbkPmheBWQrc0dpU+9p0j1lOoM/qnUD5T4tz5V2teffO3kWBHSZAgAABAgQIdETghkleneR0B6i1HqD2qSk17b7+aRI7N+pILNuN4QtsluQqa1Wta9X3hx82RlhB4EXyrdZ8Kz9vH1NhPnwrAQIECBAgQGB0AhtN7mv1NU8PrP3AdNpmUN+/rzyJ8ilJSoPBi0CTAscqqGtft+7T5ITZdm8FypM//yzfas+33XobEXacAAECBAgQIDBDgZsnOdwBae0Ho31vPtW5/+XplG9LcqsZxrWPGpfA6xXUta9hpQG9ZFxhZLQLEHiFXKs9185YgLu3ECBAgAABAgRGK1CKkv0nT5Rb7mC09oPROps/Q9vW9yZn+rlX1miXn0YGfn/rWCPr2KMamS0b7avA9dwPs5E8+0RfA8J+EyBAgAABAgSaFCiXCR6U5ETFXiMHoUNrNjU5npOTHJJk6yYD3rZHI7Btkquta7Wva+Wedi4BHk0arXOgH5ZjtedY+Tn7zHXKewMBAgQIECBAYEQCOyZ5jacGNXLg2WSTZwzbLpcXvi7JziPKR0NtRuAExXUja1y5ZMyLwH7uj9lIfpWf8/sILwIECBAgQIAAgWSPJB9McoXCrrEDzzE0mWYxxvIUuY8luaXEJTClwJusc42sc5clufGUc+LbhiGwfpKfyK9G8uvcJC6pH0aeGAUBAgQIECAwpcCeSY70aPlGDjZn0cwZ82eUe7J9PsneU8a+bxuvwL0U2I2ted9yQ/fxJtbkcu8x/1xqcuwfGXVkGTwBAgQIECAwaoGbThpXyxRyjRVyTR7I2nb+Om8rGlkurRj1kraowW+c5BJr319zqO715MmLmg1vHorArm7c3lhOlRx99FACxTgIECBAgAABAgsVuEWSo9zEuNGDzLqLQdtb2axam0VpZH0mya0XmgzeN2qBL2lgNbYOXpCkNDO8xiNQLm37jpxqLKfKgyd2GE84GSkBAgQIECAwdoEbTRpXpchfWxPAv/HpewyUGP+se2SNfclb5/ifZS1s9GfBd92vZ50xOKQ3vEQ+NZpPPx5SsBgLAQIECBAgQGBNAtsl+Vc3Z2/0wLLvDZ+h7n/5H+v3JilP1vQiMFfgWkk+p+BufF186Vx0fx6swL7uo9l4Lr1ysNFjYAQIECBAgACBJOUeLy9Icr4irfEDy6E2gIYyrouTHJpkMysDgST3TnKGdXEm62J5YuhdRd2gBbZNcop8ajyf/mbQUWRwBAgQIECAwGgFliR5VJJTHVA2fkA5lAbPWMZRmhZPclnTaNfGTZK8NYnLqGd7mfTZSXYabdQNe+BLk3zZsUbjxxpn+bk17EQyOgIECBAgMFaBOyQ5zsFk4weTY2n4DHWcJyS551gXiZGO+zZJfmltbG1t/FGSjUYae0Me9qvk1Exy6m1DDiJjI0CAAAECBMYnsH2S9zmzYCYHkkNt6oxxXOUeSLuMb7kY1YjLk9H+yT0AO7E2fihJOUPYaxgCj3DMMbO8usswQsYoCBAgQIAAgbELlGLgoCTn+F/QmR1IjrHRM+QxXzq5P9aGY19MBjj+6yf5lrWxU2tjuRedV/8F7pTkcrk1k9wql76XRrwXAQIECBAgQKDXAnsnOdYB5EwOIIfcwDG2/7sf0M+T3LHXK4KdnyvwmCQXWB87tz6W+489fu5E+XPvBPZI8me5NbPcOrx3EWKHCRAgQIAAAQJzBLZOUg5oljmAnNkBpCbPbG/63JZ3Ka6PTFIuyfXqp8BWST5sbez02lh+dj2sn+E1+r3e2QNiZp5btx991AEgQIAAAQIEeitwgMe/z/zgsa1mis9tr2lWLsl9nPv19G6d3D/JHzWverFGXpHkPr2LsHHv8I5Jfie/Zppff/BzaNxJZ/QECBAgQKCvAtsk+aADx5keOGogtddA6op9eTz8Tn1dNEa03xsneZMbSvdufSz3n/M00H4k6nWT/MIxyMxz7HX9CA97SYAAAQIECBBYKXBvZxXM/KCxKw0U+9F+E63cR+kpK9PRnzomcLMkP1VY93aNLGdiPbBjMWV3VhUoT2r9jRxrJcf2XHUq/I0AAQIECBAg0F2Bcq+r9ztobOWgUeOo/cZR1+bgU+6N1anFcmmS53oS2iDWx6uSPLJT0WVnVgjcJEm5jK1r6/EY9uc7KybB7wQIECBAgACBrguUe4P8yUGjg2Yx0KkYODvJgV1fPEawf+VG0sfIjU7lRtWGwtVJnj+C2O3TEMtTWc+VZ63lWXmSqhcBAgQIECBAoNMCGyU5LEk5mK9aEPh+hmKgmRg4Ksm2nV5JhrtzD0nyZ+vjYH8+vCfJBsMN396M7MFJyj3K/Axpx6Bcur5pb6LFjhIgQIAAAQKjFLhxkp84YHTALAZ6EQOnJfF489kt1eWS6g/LjV7kRtWmR3l4ggbx7HJr7ieVS3MP9UCE1vPsrXMnxZ8JECBAgAABAl0TOCjJRYqz1g8aqxZevr+d/61uy73cu6cUe6Xo82pOoDQKT7Y+jmp9LPddul1zIWXL8whsmeTT8qwTeXareebHlwgQIECAAAECrQtskeRDDhg7ccDYVhPE5/a/6fU5Z4w0spZumORfXFI92vWxXML2pEYiy0ZXF9gnye8ci3Qi1364+uT4OwECBAgQIECgCwJ7ezR1Jw4WNZD630Dqwhy6pLDeVfVmSX6qoLZGJvmkBnG9yTVna+Xs0UOSXCnXOpNrD50zP/5IgAABAgQIEOiEwBM8/r0zB4tdaH7Yh2E00UoR+NwkSzqxyvRzJ4rdwUkuU1BbI+fEQHkq7z37GdKd3etdknxjjrGfQ+3/HDolyXqdjRg7RoAAAQIECIxOoDxd6W0OGBVmYmDQMVAuKdxqdKtb9QHvmOQrcmPQuVG1SfKBJNtVD7VRb6E0SJ7lvpudzLNnjjoyDZ4AAQIECBDolMC1k3xHcdbJg8aqRZXvb/9/rrs2B79KsnunVqBu78yDk5xrfbQ+LiAGzk7yaGc6TpXQt0ly7AKMu7aejmF//pxk86lm1TcRIECAAAECBGoWKAeNpzpoVJyJgVHFwF+S3K/mtWRomysPsjhCXowqL+pqRvw4yd8MLSEaGk85a+3wJMvkWmdz7Z8bmnubJUCAAAECBAgsSuDx7ufS2QPGugop23EG1ppi4KokLguZf8m8Y5Jyz5c12fk6m3XFwNVJjkyy2/whNvqvljN6XpikNNPXZenf2zO6PMl1Rx+tAAgQIECAAIFWBcp9Jsr/eDooZCAGxMC7k2zY6orUnQ8v9wJ8tbNB/Gyo8edjeYDCO5Ps3J0wb3VPNkny7CTlcks/f7pvUH4+eBEgQIAAAQIEWhPYNMlnHTg6cBYDYmBODJR74G3f2qrUjQ/eI0m59EtRzaCJGChnsrwnyU27Ee4z34ttk7woyZlyrDdrzBVJdp15pPhAAgQIECBAgMBEoNys/T8dPPbm4LGJIso2FedrioHfj7S4XpLk6UkusTZaG2cQA8uTHJ3knkmWjuDopDSG3+LJgr3MrbePID4NkQABAgQIEOiowJ7u6dLLA8g1NRt8XSOqiRgoT5sa082nr5PkCzNoWjQxV7bZ/zWgNI1fkuR6HT1umHa3ypneByX5rtzq7XHHZQOMy2nj2fcRIECAAAECMxYoBek5DiR7eyCpUO1/odqnOSyXOj1oxmtUGx937yRnWBetix2IgXLD9+8lOThJaar28bVRkgMmN653Y/b+/8x6Ux+D0D4TIECAAAEC/Rd4ZJJSkPapgLav5ksMtBsD5QmFT+z/8jfvCMrTz8qNicUYgy7GwLIk30xySJJbzhvB3flieTpdeZrxUUkukFODWVMuTlJuOeFFgAABAgQIEJipQPnf3HK/jS4epNsn8yIGuh0DZe148UxXrOY/bL8kv7Um+pnQoxg4PclHk/xjklslKU8Rbut1/STlP8X+LckJji8Gm0eHtRVgPpcAAQIECBAYr0ApPDUIGIgBMVA1Bkqx2vebTa+f5NAk5cyyqh6+n2GbMVDOjjk2ybuSPCPJPZLsnmTDmg53ykMNdkxyh8nZVW9M8rUkZ8mdUawd5T6I5YmRXgQIECBAgACBmQmU/z1r8wDbZ/MXA8OKgXKJ0AYzW8Hq/aBS3P/ImuhnwsBjoNxH64+T5tYXk3woyb8mKccDL51cklguSyy//mny9dcleV+Sz07uwXWSWw6MPk9KU9SLAAECBAgQIDATgfI/p28e+EG6xsiwGiPmsz/zWZ7WV27U3KdXeRLaRdbE0Rfl1pn+rDPmqr25+mWP/6OiTz+X7CsBAgQIECAwuS/GexVqCjUxIAYajIFyZsfGPVhxt0/ymQYdFNntFdns2YuBZmLgXj1Y2+0iAQIECBAgMACBcu+LcomPgzoGYkAMNB0DX+p4E+ueScqNr5t2sH3GYkAMDCUGymWkXgQIECBAgACBxgXKE4k+oVhTrIoBMTDDGPhykk0aX90W9wFlfw73ZDR5MMM8GErzwjjG3Yi7IsmNF7fcejcBAgQIECBAYPECpXn1MQfrCjYxIAZaiIGvdKiJtU+SX7dgoPAfd+Fv/s3/EGLg9Ys//PQdBAgQIECAAIHFCZTH2n9AwaZxIQbEQIsx8LUkmy5u6ar13aWJ/+IkV7ZoMIQC1hg0YsTAOGPg1CSb17oq2xgBAgQIECBAYDWB8rTBtyvYNC7EgBjoQAyUJlYbTyfcJcm3OzB+hf84C3/zbt6HEAMHrHZ86a8ECBAgQIAAgdoFXqdo07gQA2KgQzHwqcmTUGtf7NawwYckOb9D4x9CIWsMGjJiYFwx8KE1rK++TIAAAQKNVruiAAAgAElEQVQECBCoTeA1ijaNCzEgBjoYA++obZVb84a2TvKRDo5d4T+uwt98m+++x8C5SXZY81LrXwgQIECAAAEC1QXKvV76ftBk/82hGBhuDLyy+jK3xi3cM8np1kA/A8SAGBADlWPgMWtcaf0DAQIECBAgQKAGgUd6PHzlAzaNk+E2Tsxtd+b2uTWsd3M3sXGSw5JcrWj9/+zdB7gtVXk/4N+lN6mCioiK0aDYsAQL9haNJCrBGsUSsUZiEsX8ExVr7N0kGKKoIZagscXeKxKVaEREKTYQAZHeIf9n6bncy73nnrPP3jN71sy8+3nuc0/Ze/bMu7619vq+M7PGGCgGxIAYmDkGPpekrKXqQYAAAQIECBBoRaCceeAuW/Uk6Iol2kIMbDgGrkrS1F/3b5vkOAnrzAmreN1wvLJhM6YYKGsH7t7KTNVGCRAgQIAAAQJJ9k5yngROAicGxECPYuDyJA+eYQTfKMlzk1zao2MeUxLsWBV9xEA/Y+ARM4zLXkqAAAECBAgQWFJgtyQ/l8ApXIgBMdDDGLgwyR2XHOEW/2U5O+ALPTxeCX0/E3rtpt3GEgNHLD7k+ikBAgQIECBAYHaBHZMcL4lTuBADYqDHMVAWXS+F+EkfByQ5u8fHO5ZE2HEq+oiBfsXASUm2nXQg9jwCBAgQIECAwEoEyqLFX5HEKVyIATEwgBg4JsmWywyAOyR57wCOVVLfr6Ree2mvMcRAuaT7TsuMwX5NgAABAgQIEJha4HCJnMKFGBADA4qBo5KUda0We9w7yc8GdKxjSIgdo8KPGOhPDPz9YgOvnxEgQIAAAQIEmhD4K4mcwoUYEAMDjIGXrjNAbp7kNUmuHOCxSu77k9xrK2015Bj4fJKN1xl7fUuAAAECBAgQaETgfknKqd5Dnkw5Nu0rBsYZA1cleezCSHmLJMca64z1YkAMiIHWYqCc2bpzI7NTGyFAgAABAgQIrCNwU4sXtzaJUzAZZ8FEu9fX7pckeV2SiyWtxjsxIAbEQGsxUMbafdaZZ/qWAAECBAgQINCIwLWSfN9ErrWJnEJGfYUMbaJNxIAYEANiQAy0EwNPbmR2aiMECBAgQIAAgXUEysLGH1G8UrwSA2JADIgBMSAGxIAYmDEG3rXOPNO3BAgQIECAAIHGBF4840TFXy/b+eslV65iQAyIATEgBsRAn2LgW0m2aGyGakMECBAgQIAAgbUEyqLt7sBlctynybF9Fa9iQAyIATEgBuqLgdOS7L7WHNOXBAgQIECAAIHGBK6TpEw2TAIZiAExIAbEgBgQA2JADEwbAxcm+YPGZqg2RIAAAQIECBBYS6Cse/UZxSvFOzEgBsSAGBADYkAMiIEZYuCKJH+y1hzTlwQIECBAgACBRgUOnWGiMu1f57zOX3bFgBgQA2JADIgBMTCsGPiLRmeoNkaAAAECBAgQWEvg3knKX8tMIBmIATEgBsRAjTHwoySPTPIrn1U+q8VA1THw2rXml74kQIAAAQIECDQqYN0ryWqNyap9EpdiQAysjoHDkmy98Ml3uyTnKGBUXcBY3W7+H18fPipJWZLCgwABAgQIECDQuMCqJJ+UCEgExIAYEANioMIYKGdb7bfIJ9/dk1xU4f4q2IyvYKPN17R5WUd1i0X6qx8RIECAAAECBBoReIYEQNIqBsSAGBADFcZA+ePKrkt80t0vySUV7reCxpqCBovxWHw9yTZL9Fe/IkCAAAECBAjMJLBHkvNN/iWuYkAMiAExUFEMlDOrDk5SzhBe7vEw6zeK3Ypid6wFu2OT7LBcZ/V7AgQIECBAgMC0AmV9gi+Z9Jn4iwExIAbEQEUx8N9Jfn+FH2xPrWj/x1rAcNzjOdNq3bb+YZKylqoHAQIECBAgQKA1geeY8EtaxYAYEANioJIYKHfBfUmSTaf81PvLJFdVcizrJvi+H29xZ+ht/+Mk15uyz3oZAQIECBAgQGAigb2SXGyiL3EVA2JADIiBCmLgpCR3mejTa+knPU0RSzxXEM9DL1qtPr5SvNp96S7ptwQIECBAgACB2QQ2SXKMCZ5JvhgQA2JADFQQA+9Psv1sH2vXePVjklxewXGtTvL97+yrIcbAD5Jc/xo9zzcECBAgQIAAgRYEXmhiL2kVA2JADIiBjmPgrCRlAfY2HopYikZDLBrVckzfTnLtNjqubRIgQIAAAQIE1ha4qUsHJa0dJ621TMDthwRXDHQXA5+Zw9kb+yW5xHjnM08MNBoD5Qz+HdeeWPqaAAECBAgQINCGQLkd+edN5BqdyEmAu0uA2bMXA/2LgYuS/EWS8nk0j8cf+6ONzzzznsZi4LNJtp5Hx/UeBAgQIECAAIHHmsQ1NomTOPcvcdZm2kwMdBsD30lyiw4+ivdNUi5X1P4MxMD0MfDBJFt00H+9JQECBAgQIDBCgXK6969M4CUwHcfAuUnKXYu+keRjSd6Z5HVJXpHk0CSHLPx7epJyN7HV379g4TmvSXJEko8m+XqSE5Kc3fExSYimT4jYjcPuyoX+u1mHn72/n6Tc6VDMMRADK4+B1yfZqMP+660JECBAgACBkQm8zcRd4jKnGPjZQnGqFKaelaSsQ3OrJNdqsc9ttXBmxx8leUaSVyf5UJKTk1w1p+OWFK08KWI2fLOfJLl7i31/JZveJck3jQc+C8XAxDFwxcIlvyvpZ55LgAABAgQIEJhJ4C5Jyl/AJYsMmo6BHyZ5x8IE9x5JdpgpUtt58bZJ7prkqUlKIff7+oOxwHg4lxh4d5Lt2unWU2+1FLs/rP3n0v5Nf97Y3nznMBckKWvIeRAgQIAAAQIE5iawaZLvmaybrDcQA+UvsUcvnN30J0l2nlsUN/9GpdBWztZ6WZIvJ7m8AR/J1XyTK971epfLeh/RfLdtbIsbJ3mLPu9zUQxsMAZ+meQOjfU4GyJAgAABAgQITChQLuGS6DGYNgbKumnvSvKoJDtNGHN9fFo5S2T/JIcn+YU+Y8wQA1PHQLlL2W49GQTKWnuXauup23razxWvq3tOcmySG/akD9tNAgQIECBAYEAC5SwTd16qe6JY40T+p0nKYun7jHjR1r0Xzs4qC87X2Eb2SbvUFgOXJPmrHo4Z5RL7U/Vz45wY+G0MlBurbDmgebBDIUCAAAECBHokUBbRri3JsT91tslpSd6QpCRzq3oU4/PY1dsneWWSshi1+GUgBtaPgXKZerlRQ18f103yFf3b+DbiGChnIpYzEj0IECBAgAABAp0I7JGk/EVcssVgQzFQFvb/TJIDkpS10jyWFii3EL9vkvcnuUzfMraIgd/e4fOwJGVh9L4/NknyCm2qX48wBsoZiOWPVx4ECBAgQIAAgc4EPjjCSdiGCjV+fs0iXpmsHppk986is/9vfJ0khyQ5WT+T8I40Bn6e5D7978rrHcGfJblwpG3qs/Kan5Vj8PhSkvJ55kGAAAECBAgQ6Ezg7ibfkupFYqBc5nNgks06i8zhvXG5m1k5g+2bi3iPIflxjONLeEubvzdJWWNxqI9bunuvz9CBj+nlrsIvTlLOPPQgQIAAAQIECHQmUC5z+tbAJ16S5pUlzZ9Ocn9rW7XeJ++W5MPJby+rEqMri1Fe/fA6J0k5Q2kMjy2SvF5/Vsga4HzqlCT7jqETO0YCBAgQIECgfoHHDnCyJbmdLrktt7O/c/0hO7g9vG2Sj+iHEt+BxUC51OiGg+utyx9QKf6Xm1z4HGIwhBg4Msl2y4e9ZxAgQIAAAQIE2hcolzOdYKI9+kTjawNdm6b9HtTsO9x6YcH3ISQ9jmG8yfvlC2vmlc+XsT62T/Ien62j/2zt8zh4bpKDxtqBHTcBAgQIECBQp8ATTbBHPcE+PsmD6gzNUe/VPZJ8R98cdd/sa+J7XJK9R917r3nwT05yvr6sL/csBj6X5MbXDGXfESBAgAABAgS6Fdg0yUk9m1T1Namrbb/PXrgjnsXZu+2DS717WZvucUl+qY9KfnsQA1clOSzJ1ksF9Uh/t2uSD/SgDWv7nLI/8z+L8zcLZ12tGmlfddgECBAgQIBAxQLlL8MmiOMyuDLJPybZqeK4tGvXFNg2yauSXKa/Gq8qjYGy3tMDrhm2vltE4OEK0vpwpX24zAXfn+S6i8StHxEgQIAAAQIEOhcoZ1+dXPFESmGt+cLa95PcqfPIswPTCtwqydH6rAS4shgoZxZde9qgHuHrymLYb0xS/pjgc45BDTFQCtD7j7AvOmQCBAgQIECgRwJPNXkeTfJwSZIXJHG5YI866AZ2tSyK/ewkF+i/o+m/NSS4i+3DeUmesIE49ePlBe6WpKxBuJitn3GZRwyUmy2UYmo5y9eDAAECBAgQIFCtwOZJfmbiPIrE4Zgkt6g2Eu3YtAJlcd2yyO48khzvwXndGCh3Ld1j2uD1uqsFymfxc5Ocoy8by+YcA58yN7i6H/qCAAECBAgQqFzA2VfDT0ivSPKyJOVSUY9hCpRF3kvye+mcE591ixm+H/54srqNyzpsf5+knAno0ZzAzgtrE5YzYlZb+59FGzHwoyT7NRe6tkSAAAECBAgQaFegJL1lAtPGxMg263D9aZJ7tBtGtl6RwC2TfE+fNqa1HANlzcS7VhT3Q9yV319YSNtnaR2fpUNqh/OTHJqknPXnQYAAAQIECBDojcBDW05yhjTh6+OxHJVk+95Eox1tSmCrJIfr24pYLcTAVUn+KUmJMY/5CNw/yf+20JZ9/Eyzz7MV8y5O8oYku8wndL0LAQIECBAgQKBZga+aFA8yyS2XDD4nyapmw8XWeibw5CRl0X5JH4MmYuD0JA/uWR8Yyu6WyzQPdMa0sWzK8bxcWl4Kz7sNpUM4DgIECBAgQGB8An8w5USoiUTINtpLqM9Mcr/xhbMj3oDA7ZKcoq9LfGeMgU8mud4GYsyP5ydQLvs/wB0L9ecJ+/OVC5eh/t78QtQ7ESBAgAABAgTaESiXlykkDcvg20l2bydcbLXHAmVR6C/o78a7KWLggiQH9Tj2h7rr5YysP1PI0qc30KfLDQDeneSmQ+0AjosAAQIECBAYl8BNkpTLzBSwhmPwkSRbjyuMHe0KBDZL8i593pi3ghj4pgR4BT2sm6eWM7IeneT7K2hXn/vD+dxfty3PS/K6JDfsJhy9KwECBAgQIECgHYG3muwOKpF9W5JN2gkVWx2QQFkTrdx5qizEvW7i43smq2Og/HHjFUlK0dOjPwL7Llwu5o9T4+vLZX26Mrbv2J9wtacECBAgQIAAgckEyl3pLpTADiKBL+tbPHuyZvcsAlcLlMWgy6K+qwsW/mexOgZOTHLnqyPFF30UKOsdvTHJufr44Me47y4s7q/Y3Meeap8JECBAgACBiQT+wqR2EJPa8lf2UojwIDCNwAOTXGQsGMRYsLr4NOv/5RLTa00TTF5TpUBpy7J+2XH6+aD6+cULZ9rdt8qos1MECBAgQIAAgYYFvmcy2/vJbDl75mENx4XNjU/gXknONx70fjyYtXBV7lz6kPGF/2iOuKyTde8k79Tfe93Xv5XkKUm2HU3kOlACBAgQIEBg9ALl0pBZkx2v79awnDVTzp7xINCEQBkTfmNcGO24+PEk120ikGyjFwLbJHlcks8lKZeg+zyv2+CMJG9JsncvostOEiBAgAABAgQaFniHCWuvJ+yleFXOmvEg0KRASY7ONjb0emxYaSGijCXPSFIW9vcYp8DuSf4uyQ/1/ar6/q+THJ7k/m7OMs6O6agJECBAgACB3wlsZ/H2qiapK004y2WDfySYCbQk8AdJyi3YVxqXnt8/s3IZ+a1biiOb7afAHkkOTvJVdyntZAwsN9Z5f5L93P2znx3IXhMgQIAAAQLNCzxTctrJxLSJBP/yJA9tPiRskcA1BO5hYffejhGTjDPlxg8vT7LpNVrdNwSuKXD9JE9N8kl3K211PChnvr1+4Uyrza/ZBL4jQIAAAQIECBCweHv/zpQoSWlZp+TRwpfAnAT+UNLaatI6SaGpjeeckuRuc4ohbzMcgbJg+MOTHJbkBH8Em2lsuCDJR5I8LcmNhxMijoQAAQIECBAg0LzAPiaeM00820goJ91mOXPOg8A8BR7pMqLejheLjSvl7nPuXDbPHjTc99o1yWOS/EuSH5tXLDlOnJvkE0men+SeSZxlNdx+4cgIECBAgACBhgXeZKK55ERzsaSvhp+9ruE4sDkCkwo8z5jRyzFj7XGrLAZ9wKQN7nkEphC4QZLHJilzjLJ+1vkjHjd+muTIhZsjlDXmNp7C00sIECBAgAABAqMX2CTJ6SOeVK6d0PXp64+aAI++73YN8FbjRm+LWJ9NslvXAeT9RylQztIqi5EfmqR8jp0xsHGk3FDluCTvSnLIwrFed5Qt7aAJECBAgAABAi0IPGBgk8c+FaGm3ddvJtmqhViwSQIrESjF77KQ87Rx7HXd2L0iyaqVNLTnEmhZoBS1yhpsT0jy0iTvSXJMkrMrHV8uTnJ8ko8n+cckz0myf5Kb+cNSy5Fi8wQIECBAgMDoBY6odIIouV08uT0tyfVGH7UAahHYPsmPjCG9KuK9spbgsR8EJhDYMcntkzwoyYFJ/jrJq5K8Y+EMrqOTlJsQlGLXtAWvcjOU8tqfJTk2yaeT/HuSNy+cKfYXScraf3fx+TtBi3kKAQIECBAgQKAlgS2SlIVEFYv6YXBZkn1bigWbJTCtwC2TlDtoGUf6YXDStA3tdQR6JFDOUt4hyc5J9ljrX1mXq/y8/Nu0R8djVwkQIECAAAECoxcoC/hKOvtj4I6Do++y1QKUsxOMJf0xuEO1kWTHCBAgQIAAAQIECBAgsIjABySdvUm6371I+/kRgZoEXm886c144jLCmnqOfSFAgAABAgQIECBAYEmB7ZKUhUidNVG/wQlJtl6yNf2SQPcC5XKc/zam9GJMPdlC7t13GHtAgAABAgQIECBAgMBkAo+WaPYi0bw8yT6TNalnEehc4CZJzjO29GJscRlh593FDhAgQIAAAQIECBAgMIlAuU21s6/qN/jbSRrTcwhUJPDnxpZejK0uI6yo09gVAgQIECBAgAABAgQWF9hkhttNK3rNr+j1pSQbL96EfkqgagHr681vnJh2THY3wqq7kJ0jQIAAAQIECBAgQKAI3MsZEtWfIXFBkhsJVwI9Fbh2kjOMM9WPM3v1NL7sNgECBAgQIECAAAECIxF4ncSy+sTyL0cSiw5zuAKPMc5UP848Z7jh58gIECBAgAABAgQIEBiCwI8kllUnlt906eAQupljSPIRY03VY83nRSkBAgQIECBAgAABAgRqFbi5hLLqhLLcdfC2tQaP/SKwQoHd3ZWw6vHmsiTbrbBNPZ0AAQIECBAgQIAAAQJzESiXjEy76K/XtW/38rlEgTchMD+BZxtzqh5z/3R+oeCdCBAgQIAAAQIECBAgMLnAFyST1SaTpybZZvKm9EwCvRDYNMnxxp1qx5239yKK7CQBAgQIECBAgAABAqMS2CLJxRLJahPJx44qGh3smATua9ypdtz5ZZJVYwpGx0qAAAECBAgQIECAQP0C95ZEVptEloXbJZH19yF7OL3Afxl/qh1/bjd9s3olAQIECBAgQIAAAQIEmhd4sQSyygTyqiR3br65bZFAVQJ7JimLhltLrz6Dv6kqUuwMAQIECBAgQIAAAQKjF/iq5LHK5Pk/Rx+ZAMYi8DZjUJVj0EfHEoCOkwABAgQIECBAgACB+gW2SnKp5LG65LGcfXWb+sPHHhJoRGD3JJcYh6obh85JsnEjLWwjBAgQIECAAAECBAgQmFHg/pLG6pLGcinV+2ZsVy8n0DeBtxiLqhyL9u5bINlfAgQIECBAgAABAgSGKfAPksbqksYrktx8mOHmqAhsUOB6SS40HlU3Hh28wRbzCwIECBAgQIAAAQIECMxR4BsSxuoSxn+fY/t7KwI1CbzBeFTdeGQtvpp6iH0hQIAAAQIECBAgMFKBLdz9q7pksVw+6JKdkXZIh53djEnVjUm/TrKR2CRAgAABAgQIECBAgECXAvs426G6ZPGzXQaE9yZQgUA5A7EUcv2rx+CWFcSFXSBAgAABAgQIECBAYMQCz5AkVpckP2jE8ejQCRSB2xuXqhuXDhKaBAgQIECAAAECBAgQ6FLgCIliVYni8UlWdRkQ3ptAJQKfNzZVNTYdVklc2A0CBAgQIECAAAECBEYq8H1JYlVJ4tNGGocOm8C6Ag81NlU1Nn173QbyPQECBAgQIECAAAECBOYlsE2SKySJ1SSJFybZfl6N730IVC6wSZJTjU/VjE+XJSk3/fAgQIAAAQIECBAgQIDA3AXuITmsJjksi1X/69wjwBsSqFvgH4xRVY1Rd6w7XOwdAQIECBAgQIAAAQJDFfhryWFVyeGdhhpojovAlAJ7JLnSOFXNOOUS5ykD2csIECBAgAABAgQIEJhNwK3q67lF/fdma0qvJjBYgc8qYFVTwDp8sFHmwAgQIECAAAECBAgQqFrgfyWG1SSGz606Uuwcge4EnmCcqmacOra7MPDOBAgQIECAAAECBAiMVaAskHyJxLCKxPCqJDceayA6bgLLCOyQ5FJjVRVjVVnIffNl2suvCRAgQIAAAQIECBAg0KjAzSSEVSSEZfH2oxttWRsjMDyBjxqvqhmv9hpeeDkiAgQIECBAgAABAgRqFvgTCWE1CeFf1Rwo9o1ABQKPNV5VM17tX0E82AUCBAgQIECAAAECBEYkcIiEsIqEsFw+eIMRxZ1DJTCNwLYuea5ivCpnjP7dNA3oNQQIECBAgAABAgQIEJhW4J0KWFUkhBZFnjaCvW5sAp82ZlUxZr1rbIHneAkQIECAAAECBAgQ6FbgGMlgFcngy7sNA+9OoDcCzzZmVTFmlc8ODwIECBAgQIAAAQIECMxFYFWScyWDVSSDd5tLi3sTAv0X2NOYVcWYdX6S8hniQYAAAQIECBAgQIAAgdYFri8RrCIRPCfJJq23tjcgMByBU4xdVYxduw0npBwJAQIECBAgQIAAAQI1C9xVElhFEvgfNQeJfSNQocA/GruqGLvuW2Fs2CUCBAgQIECAAAECBAYo8ChJYBVJ4DMGGFsOiUCbAo8wdlUxdh3UZiPbNgECBAgQIECAAAECBFYLPFcSWEUSeNvVDeJ/AgQmEnD5c6oYu14yUWt5EgECBAgQIECAAAECBGYUeLMCVudJYFkI2fpXMwayl49S4CfGr87HryNGGXkOmgABAgQIECBAgACBuQt8SALYeQL46bm3ujckMAyBI41fnY9fnxtGKDkKAgQIECBAgAABAgRqF/iWBLDzBPDQ2oPE/hGoVODpxq/Ox68TKo0Nu0WAAAECBAgQIECAwMAEzpAAdp4APnhgMeVwCMxLYB/jV+fj18VJVs2rwb0PAQIECBAgQIAAAQLjFNgiyVUSwM4TwN3HGX6OmsDMAlsnudIY1vkYdu2ZW9IGCBAgQIAAAQIECBAgsITATSR+nSd+v3H2whIR6lcElhf4kXGs83Fs7+WbyTMIECBAgAABAgQIECAwvcCdJH6dJ35fnr75vJIAgSQfMI51Po7tJxIJECBAgAABAgQIECDQpsCDJH6dJ35vbrOBbZvACATKTRD+z79ODR4/gjhziAQIECBAgAABAgQIdCjwGElfp0lfSbqf2WH7e2sCQxB4hHGs83Hsr4YQSI6BAAECBAgQIECAAIF6Bf5C4td54vdH9YaHPSPQCwF3Iuz+DLSX9CJS7CQBAgQIECBAgAABAr0VeKECVucFrL16Gz12nEAdArsYxzofx95SRyjYCwIECBAgQIAAAQIEhirwBolf54nfNkMNLsdFYI4C5xvLOh3LjpxjW3srAgQIECBAgAABAgRGKPBOSV+nSd8ZI4w5h0ygDYHvG8s6Hcs+0Uaj2iYBAgQIECBAgAABAgRWC3xE0tdp0vet1Q3hfwIEZhL4L2NZp2PZ0TO1nhcTIECAAAECBAgQIEBgGYGvSPo6Tfo+uUz7+DUBApMJOJu024XcT5ismTyLAAECBAgQIECAAAEC0wl8RwGr0wLWv03XbF5FgMA6Aq81lnU6lp2+Tnv4lgABAgQIECBAgAABAo0KWDem27MWXt9oa9oYgfEK/D8FrE4LWGePN/QcOQECBAgQIECAAAEC8xAol338n3+dGfz9PBrZexAYgcBBxrHOxrHyGXLBCGLMIRIgQIAAAQIECBAg0KHAKZK+TpO+p3fY9t6awJAE9jeWdTqWXT6kYHIsBAgQIECAAAECBAjUJ3CqpK/TpO/x9YWEPSLQS4EHGss6HcvKWVgb9TJy7DQBAgQIECBAgAABAr0QOEPS12nS9+heRImdJFC/wH2MZZ2OZaWAtXn9YWIPCRAgQIAAAQIECBDoq8A5kr5Ok75y2ZMHAQKzC+xrLOt0LCsFrGvN3oy2QIAAAQIECBAgQIAAgcUFLpL0dZr07bd4s/gpAQIrFLijsazTsawUsHZcYZt5OgECBAgQIECAAAECBCYWuELS12nS94CJW8oTCRBYSuA2xrJOx7JSwLruUg3kdwQIECBAgAABAgQIEJhF4EpJX6dJ3/1maTyvJUDgaoFbGss6HctKAev6V7eGLwgQIECAAAECBAgQINCwwCWSvk6Tvgc13J42R2CsArc3lnU6lpUC1s5jDT7HTYAAAQIECBAgQIBA+wLnSfo6Tfoe2n4TewcCoxC4s7Gs07GsFLC2G0WkOUgCBAgQIECAAAECBDoROEvS12nS94hOWt2bEhiewD2NZZ2OZaWAteXwwsoRESBAgAABAgQIECBQi8AvJX2dJn2PrSUQ7AeBnguUGyKUIop/3Rls3PMYsvsECBAgQIAAAQIECFQs8BMJX6cJ75Mrjg27RqBPAn9sLOt0LCt3tPUgQIAAAQIECBAgQIBAawI/lvR1mvQ9t7WWtWEC4xJ4vLGs07HsonGFm6MlQIAAAQIECBAgQGDeAsdJ+jpN+kDZ7AIAACAASURBVF457wb3fgQGKvDXxrJOx7JzBhpXDosAAQIECBAgQIAAgUoE/kfS12nSd3glcWA3CPRd4OXGsk7HsjP6HkD2nwABAgQIECBAgACBugWOlvR1mvR9qO7wsHcEeiNwmLGs07Hsp72JFDtKgAABAgQIECBAgEAvBT4p6es06ftKL6PGThOoT+ADxrJOx7Lv1BcS9ogAAQIECBAgQIAAgSEJvEfS12nSd9KQgsmxEOhQ4BvGsk7Hss912PbemgABAgQIECBAgACBEQi8VdLXadJ3WZKNRxBnDpFA2wKnG8s6Hcv+o+0Gtn0CBAgQIECAAAECBMYt8FJJX6dJ3/8l2X3cIejoCcwssGWSq4xlnY5lZQ0yDwIECBAgQIAAAQIECLQm4Nbz6TTpKwWse7TWujZMYBwCt1C86nwce8U4Qs1REiBAgAABAgQIECDQlcATJH6dJ34HdtX43pfAQAQeZBzrfBw7ZCCx5DAIECBAgAABAgQIEKhU4CESv84Tv5dUGht2i0BfBJ5lHOt8HDuoL8FiPwkQIECAAAECBAgQ6KfA3SV+nSd+H+pn6NhrAtUIHG4c63wc27+aaLAjBAgQIECAAAECBAgMUuCWEr/OE7+TBxlZDorA/ASONo51Po6VP4Z4ECBAgAABAgQIECBAoDWBHSV+nSd+5e5p27bWwjZMYNgCGyW5wDjW+Th2o2GHmaMjQIAAAQIECBAgQKAGgfMlf50nf3etIRDsA4EeCtzM+NX5+HVlkk17GDt2mQABAgQIECBAgACBngkcLwHsPAF8es9ixu4SqEXgT41fnY9fp9YSDPaDAAECBAgQIECAAIFhC3xaAth5Avhvww4xR0egNYHXGb86H7++0Vrr2jABAgQIECBAgAABAgTWEvhXCWDnCeApa7WHLwkQmFzgGONX5+PX+yZvLs8kQIAAAQIECBAgQIDA9AKHSgA7TwD/L8lu0zehVxIYpcBWSS41fnU+fr1mlNHnoAkQIECAAAECBAgQmLvAkySAnSeApYB1wNxb3hsS6LfAvYxdVYxdB/c7jOw9AQIECBAgQIAAAQJ9EbifJLCKJPCNfQkY+0mgEoHnG7uqGLseVkk82A0CBAgQIECAAAECBAYusKcksIok8IcDjzOHR6Bpga8Yu6oYu27ddMPaHgECBAgQIECAAAECBBYT2CzJ5RLBKhLBmyzWQH5GgMB6Atsbt6oYs65IssV6reMHBAgQIECAAAECBAgQaEngRwpYVSSDT2+pfW2WwNAEyppxZe04/7o1+PHQAsvxECBAgAABAgQIECBQt8CHJYJVJMIfqTtM7B2BagTebswyZlUTjXaEAAECBAgQIECAAIG5CfyDZLCKZPACl+PMLea9UX8FNkpyqjGrijHrVf0NI3tOgAABAgQIECBAgEAfBQ6UDFaRDJbLoR7axwCyzwTmKLCv8aqa8eoJc2x3b0WAAAECBAgQIECAAIHcUUJYTUL4XvFIgMCSAm82XlUzXt1pyZbySwIECBAgQIAAAQIECDQssE2SqySFVSSFFybZuuH2tTkCQxFw+WC3i7avu2j+DkMJLMdBgAABAgQIECBAgEB/BH6mgFVFAaskiA/vT9jYUwJzFbincaqacaqsQ+ZBgAABAgQIECBAgACBuQt8SmJYTWL4wbm3vjck0A+BfzZOVTNOfbQfIWMvCRAgQIAAAQIECBAYmsArJIbVJIaXJbne0ALM8RCYUWDLJL8xTlUzTj1/xvb0cgIECBAgQIAAAQIECEwlsL/EsJrEsFxG+NypWtGLCAxX4PHGqKrGqAcON9QcGQECBAgQIECAAAECNQvsLjmsKjk8McmqmgPGvhGYs8DXjFFVjVG7zLn9vR0BAgQIECBAgAABAgSuFvilBLGqBPFeV7eMLwiMW2BPd0qtamw6Zdzh6OgJECBAgAABAgQIEOhaoCzKu+5t0n3fncn7uw4I70+gEoE3GZuqGpuPqiQu7AYBAgQIECBAgAABAiMVeKEksaok8YokNxlpLDpsAqsFdkhyvrGpqrHJGn2ro9P/BAgQIECAAAECBAh0IvAgSWJVSWI5++0NnUSCNyVQj8DfGZeqG5fuXU942BMCBAgQIECAAAECBMYosLNEsbpEsZx5Us5A8SAwRoHNk1ibr7vLmBe7hPzyJNcaYzA6ZgIECBAgQIAAAQIE6hI4WRGruiLW39YVIvaGwNwEnmg8qm48+ubcWt8bESBAgAABAgQIECBAYAmBIySM1SWMZzjjYYmI9auhCmyc5IfGo+rGo1cMNeAcFwECBAgQIECAAAEC/RI4UMJYXcJYLuM5pF9hZG8JzCzg7Ku6Lh1cfTnhA2duWRsgQIAAAQIECBAgQIBAAwI3UMCqsoB1VpJtG2hfmyDQB4FNk5xkLKpuLCrrXxmH+tCD7CMBAgQIECBAgACBkQicKHGsLnEsZz+8YCTx5zAJPM0YVOUYdLTQJECAAAECBAgQIECAQE0Cb5M8Vpk8npNkp5oCxb4QaEFgyyQ/NwZVOQa9soX2tkkCBAgQIECAAAECBAhMLfBoyWOVyWM5C+vNU7eqFxLoh8ALjT/Vjj/Wv+pHH7KXBAgQIECAAAECBEYjcL0kV0kiq0wiyxo0e40mEh3o2AR2S3KBsafKsecyd0MdW3d0vAQIECBAgAABAgT6IXC8JLLKJLKchfW5foSQvSSwYoEjjTvVjjufXXFregEBAgQIECBAgAABAgTmIPAmiWS1iWQpYu03hxjwFgTmKXBnZ35WPeY8e57B4L0IECBAgAABAgQIECAwqcD9FbCqTiZ/kmSbSRvT8whULrBJkm8bc6oec25aeQzZPQIECBAgQIAAAQIERiqwaZJy17tyto9/dRq8ZqSx6bCHJ/A840zV4+wJwws5R0SAAAECBAgQIECAwJAE3i+prDqpvDJJuezKg0CfBcqZPRcZa6oea17b5wCz7wQIECBAgAABAgQIDF/gsZLKqpPKcmbcd5OUs+U8CPRRYFWSzxhnqh9n7t3H4LLPBAgQIECAAAECBAiMR2CnJFdILqtPLl8wnpB0pAMTeKrxpfrx5dwkmw0s7hwOAQIECBAgQIAAAQIDFPiyBLP6BPPyJHcaYOw5pGEL7JnkQuNL9ePLfww7DB0dAQIECBAgQIAAAQJDEXiOBLP6BLNcSnhSkm2HEnSOY/AC5bLXY4wtvRhbHj74aHSABAgQIECAAAECBAgMQuD3JZm9SDJLEeuIQUScgxiDwKuNK70YV8oZcluPISAdIwECBAgQIECAAAECwxAoC4WXAol/9Rs8ahgh5ygGLHD/JOUOmsaT+g3eN+A4dGgECBAgQIAAAQIECAxQ4HmSzd4k2xcl2XuAMeiQhiGwe5IzjSe9GU8eNoywcxQECBAgQIAAAQIECIxFoCSdzpio/2yJ1We0/DjJ9mMJTsfZG4Etkvy34lVvilfnJdmyN9FlRwkQIECAAAECBAgQILAg4G6E/SlglULWR5NsJHoJVCRwuOJVb4pXZQz5t4pix64QIECAAAECBAgQIEBgYoGnSj57lXyWBPTQiVvXEwm0K/B040fvxo8/bjckbJ3AXAVWJdk5yR5Jbpbk9gv/7pHkvkn+MMkBa/17yMLPy+/ustbzfy/JdZJsMte992YECBAgQIAAAQIrEtgpyWWS0F4loVcl+bMVtbInE2he4IFJLjd29GrsODfJ5s2Hgi0SaFxg0yQ3XShAlT+0vTDJm5OUGxB8Icn3k5ze0jII5yQpl+wfneRjSd6Z5HVJDk5SCsC3TrJt40dsgwQIECBAgAABAhMJlMvSVq+z5P9+WFya5J4Tta4nEWhe4LZJylpKxov+Gfxrkm2aDwlbJLBigXI5fDlrqpwV9ddJ/inJp5Oc1JPi+FlJvpXkqCSvTPLYJLdJstmKJbyAAAECBAgQIEBgYoFHSUR7mYifneTmE7eyJxJoRmC3JL8wZvRyzFhdcDwxyZ2aCQdbITCRwMZJ9kryuCSvT/KlARfBy1nt30tyZJJDkpSzVcvliR4ECBAgQIAAAQINCGyVpJwyvzq58X9/LE5JUgoKHgTmIbDjQmJmjOjPGLGhtiqXf77Amj/z6DajfI9rJ3lYkjcm+XqSC80x8qMkRyT58yS3SFLW7/IgQIAAAQIECBCYQuAtJpe9LeAdn2SXKdrcSwisRKCs+fJN40Rvx4kNFbK+luTGKwkEzyWwiEApbpdLAUvB6rstrU21oRju689/vXBn4XKW1u0UtBaJKj8iQIAAAQIECGxA4FYS014npv+TZIcNtK0fE5hVoJylWS756WuiaL+XbruyuPuBswaJ149KoFwSWO7099okxypYNTI2lkXpyxlaj0xSCoIeBAgQIECAAAECSwiU0/wlev01KHdMutYS7etXBKYRKAsSf9LYMIqxsdzhTSF8ml4yjteUQnY5y+odSc40JrQ6JlyxcOnl8xcWhh9HhDlKAgQIECBAgMAKBMpf4BWw+m3wjSTbr6DNPZXAUgJbJvm4cWFU4+LPktxrqaDwu1EJlLWsnpDkQ0kuMhZ0Nhb8MMmLFhbCH1UAOlgCBAgQIECAwIYESrJa1mRQxOq3QbmcY+cNNbKfE5hQYOsknzUejHI8vGphLaPNJ4wVTxuWQDnrcr8k709yqTGgujHguCSHJtlzWGHnaAgQIECAAAECKxcoC7AqYPXf4AdJdl1583sFgd8KlMvIyiWpxoJxG3wnyc31idEI3DHJm5Ocpe/3Zuz7VpKnJSk32fAgQIAAAQIECIxOoNzaWdI6DIOTkvze6CLYAc8qUAqf5S5ixgEGJQbKZWNPd4e0WbtVta+/XpJyF7xyVo8+31+DC5K8Pcmdq400O0aAAAECBAgQaEngiyayg5nIl4V279JSnNjs8ATK3UjLGkgSWQbrxsDHkuwyvJAf7RGVs63+zSWCgxzr/jfJs9yQYbR924ETIECAAIHRCZS1L9ZNXnzfX5NLkjx6dFHsgFcqcN8k5+j7xr4lYuCMhbWRVhpbnl+HwEYL7feZJdrYZ31/P+vXbbvy2f8ua2XV0fnsBQECBAgQINCewKokZQ2ldSdDvu+vyZVJntteyNhyzwX+PMll+rwxb4IYKAu8vzVJuemHRz8Eyp0E/zbJzydoX5/z/f2c31Dblc//Dzgbux+d1V4SIECAAAEC0wmUhHZDkyE/76/Nvycpd5fzIFAEyt3GSjFCn2aw0hgof+TYWzeqWqCsb/WGhXXMVtq+nj/MMeFrSR6WpJyN50GAAAECBAgQGIxAuX36LyW2g0zsv2dx98H001kO5PpJvq6PD7KPz6v4cGmS50iGZ+mGrby29O1yR+GL9W/9ewMx8MOFpQUUslrpgjZKgAABAgQIdCHwdxuY+MwrOfI+7f0F+DfWsumiS1XznvdIcrr+LbltKAY+n+QG1UT3eHdktyRvVrjSr1fQr8uC7+WMrLJ0hAcBAgQIECBAoNcCOyYpt2ZWSBqmQVnL5vVJtuh1lNr5lQhskuTQJJfr18a1hmPg7CQPX0kwem5jAuWMq3IpcFm02+c1g2li4DtJHtxYRNoQAQIECBAgQKAjgXIZwjSTIa/pj9t3k+zVUXx52/kJ3Nglg8ayOYznRyTZdn5hPep3KusZvtAfmvTrBvv1N5Lcc9S9ysETIECAAAECvRa4kbuTjWJyfFGSZ7qMoNd9damdf2yScxtMchSo+1Og7qKtTnLHs6W648y/K+sWPS7JL/TpUXw+d9GHj0pS/ujhQYAAAQIECBDoncDbTJJHM0n+SpI9exehdnhDAuUuZOX26V0kQN5z3O5XJHlFkk03FJx+PpXAPs6kNJ7NaUwvN2koZ+E7o3KqrupFBAgQIECAQFcCuycpExkJ6TgMytlYz0tS1kvy6KdAOUPjGc66MmZVMG6XS5Ju0s9uVNVel7NhylkxPocZzDsGTk1yoDO0qxoP7AwBAgQIECCwjEBZIHbekybv1635sUn+YJm48Ov6BG6V5Gv6q/Gqohg4L8kT6usqvdij8oeE5yS5sKL29Nnc7WdzV/7fTHKbXvQaO0mAAAECBAiMXqBcilTOzOlq4uR9u7Evdyp8f5JyFp5H3QLlrqHlcg93GOymrxijlncvl7PuVHc3qmrvSrHgGJ+75h0VxUD5fCmfM+UGAh4ECBAgQIAAgaoF3JFw+QRtqEls+ev/oUm2qDpCx7lz5QyNg5KcWVGSM9R+4LhmHwNPT/LAcXbViY96q4X1w8o6YmKOQY0xcGKS+0wc0Z5IgAABAgQIEOhAwFlYJtKnLFwKZH2sDjrgOm9Z1rl6RJLjJbmS/J7FwJVJXpNk83Vi2re/K+6VcbbGooV90i5rx0A5Q/uwJNvpuAQIECBAgACBWgVK0rH2BMbX4/Q4IcljkpQiisd8BVYleUiS7+qLxqKex8D/JNlrvt2n2ne7VpK397w9zQfGOR8oi7w7q7LaocWOESBAgACBcQvsnOQck2yJ80IMfD/JI92xcC6DQikW/kmSb+l/+t+AYqCsrfjMkd/hbJ8kPx5Qmypkja+QVc7GepNlBuYyF/AmBAgQIECAwAoFnmuiLYFeJwZ+kuSQJNuvMJY8fXmBcpnV45Ict465JHF8SeKQ2/zTSXZdvjsM6hmlKH1wkkv1bZ+pA4mBHyS57aB6qYMhQIAAAQIEei9QEuqTBjLZGnJC2MWx/WZh8eEb9j7Kuz+AsubcC5L8Sl+T3I4kBs5Isl/3XW8ue1DGyC+PpF27+Czynt0V+C9O8pcjP6tyLoOINyFAgAABAgQmFzjAxFtSvUQMlEWaP5HkYUk2nTysRv/MjZM8KMkHk1y2hK/krLvkjH379v+UpNyJb6iPctm1S/HbjyN9tVvjTya57lA7seMiQIAAAQIE+iVQFpL+igRbEWuCGDg9ySuT3KZfIT7Xvd0zyaFJfjaBp6Ss26SM/3z8y901bz/XXtj+m22W5C36uM/NEcVAWeD9Lu13Le9AgAABAgQIEFheYO8k5UwbCR2DSWPg5CRvHGBiunxvWf8Z5RKisv7NV/UhY4gYWDQGLl8o7JYzE/v+KDdA+bx2XrSdJ/388Lx+zjVKPy5rZHoQIECAAAECBDoXeJcJuQn5lDFQ7mBYzsy610guMyxJ+F2TvCTJt6c0k8D1M4HTbrO12xeT7N75p930O1D6/Wn6vM/KkcfAO5NsOX038koCBAgQIECAwOwCuyW5cOSTMsnpbMlp8TsvyX8meUqSmw9o8debJnlikvclOVs/kcCKgaljoNwgoqwd1bfH091lcOo299k6+2drbYbfSXLjvnVi+0uAAAECBAgMS6CcGl7bJMn+9LtNzkrykYXLDvZNsk0Pukz5y/I+SZ6d5ANJytpf4pCBGGg2Bt6dZNsejAdbJDnCGGAMFAPrxcCvk9y7B33YLhIgQIAAAQIDFSh3mfueSdp6kzSJa3OJ61VJTly4O9+Lkvxpklt1VNgqhapbJHlIkucneX+SHya5Qh/QB8TAXGLglCSlsF3rY6ckXxMLc4kFn7PNfc7O0/LSJI+vtQPbLwIECBAgQGD4AuUuMxZ07+dEcp6T1jbe68wkxywUkl6b5P8leXKShya5e5K9kuyxcNnCDknKv1KE2nzh6/J9WVC9PKdcvni3heLUkxbOAHt1kvck+YazqiSkihLVxEApGJf15MofUGp63CTJCeKkmjhp4zPHNpuZ65Q/TJU/SJW7WnsQIECAAAECBOYucJhJu0m7GBADYkAMzDEGSvH6ZnP/tFv8De+oyC325xj7QymklbOYyyW3HgQIECBAgACBuQps505LJu8m72JADIiBOcfARUkOnuun3fpv9oCFm1EMpajgOJo5y4jjZI7lkttrr9+t/IQAAQIECBAg0K7Ao+ecuJgcTjY55MRJDIiBocfAB5OU9afm/XiaNfAUbc19Zo6BHyQpd7b2IECAAAECBAjMVeDTJnIzT+SGnmg6PsUUMSAG2oiBU5Pcb46feC/2eefzTgw0FgMnL6xXOccu7K0IECBAgACBsQuURWzPN6FrbELXRpJnm4oHYkAMDDUGyuLQr5/Dujqv9Dnnc04MNB4Dv0iy59gn0o6fAAECBAgQmK/AU03qGp/UDTXZdFwKKWJADLQRA8cluW0LH33lrmmlQNbGPtsmVzGQ/KqlvtvCcGCTBAgQIECAwBAEygT/v0zwJThiQAyIATHQYQxcnOSQJBs19MFaPtve1OHxKG4ocI0lBn6T5M4N9VubIUCAAAECBAgsK3D9JGeb6EtexYAYEANioOMY+GSS6y37qbX0E0oR7PCOj2MsxQvHqVBXYuC8JPsu3S39lgABAgQIECDQnIC7EpqESkTEgBgQAzXEwJlJHjLlx9vGSd6heKUQKwbmHgPnJrnjlP3WywgQIECAAAECKxZ4nwnf3Cd8NSSL9kHRQgyIgRpj4F1JtlnBJ1m5bPBffI75HBMDncVAuZxw7xX0WU8lQIAAAQIECEwtsFOS00z8Opv41ZhA2ieFDTEgBrqMgZOT3GXCT7VX+fzy+SUGOo+BsrD7zSfss55GgAABAgQIEJhJ4EFJyq3Nu0xYvDd/MSAGxIAYWB0DlyX5f0nK5YEbepQF4Fc/3/8sxEC3MfCzJDfaUGf1cwIECBAgQIBAkwL+it3txM/Em78YEANiYP0Y+HKSGy7yYffn/vCieKeAWV0MnJhk10X6qx8RIECAAAECBBoV2CTJV00Gq5sMSmjXT2iZMBED44qBslD0QWt94pXF3i/3eeXzSgxUGQPfT7LdWv3VlwQIECBAgACBVgRukOQsE8IqJ4QS9nEl7Npbe4uB9WPgyCT7J7nE55TPKTFQdQx8Mkn5w6gHAQIECBAgQKBVAethrZ80SSSZiAExIAbEgBgQA2Jg8hg4vNXZqo0TIECAAAECBBYEXukvm1X/ZdMEevIJNCtWYkAMiAExIAa6iYHnmVkTIECAAAECBNoWKKd9f0URSxFLDIgBMSAGxIAYEANiYMoYKHe4/rO2J622T4AAAQIECBAo62H9asoJi790dvOXTu7cxYAYEANiQAyIgZpi4OIkdzGtJkCAAAECBAi0LVAmHBbLNRGuaSJsX8SjGBADYkAMiIF+xcDpSa7f9qTV9gkQIECAAAECBzoLy6UDYkAMiAExIAbEgBgQAzPEwNeTbGZaTYAAAQIECBBoW+BNM0xY/JW0X38l1V7aa4wxcJoxTmIuBsSAGGg9Bsp80oMAAQIECBAg0KrAxkk+bmLX+sRujIUDx6xg1nUMnJxklyQPTXKmcc44JwbEgBhoNQYe3+qM1cYJECBAgAABAkl2TPJjk7pWJ3VdJ/LeXzFpbDFwbpJbrjXCXyfJfxnnjHNiQAyIgdZioCzqfru1xl1fEiBAgAABAgRaEdgrSUn4xpbkOl5tLgaGFwOXJbn3IiPlqiTPdgML47zPOjEgBlqLgZOSbLfI+OtHBAgQIECAAIFGBR6YpCR+EnoGYkAM9DkGnrjMyHjrJP9rrDPWiwExIAZaiYEjlxmD/ZoAAQIECBAg0IjAY5JcZULXyoSuzwUB+66g1ZcYePmEI+EWSV6R5ErjnfFODIgBMdB4DJT5pAcBAgQIECBAoHWBvzORa3wi15fk334qVPU5Bv4jyUYrHCHvm+QXxjxjnhgQA2Kg0Rg4J8mNVzgeezoBAgQIECBAYCqBfzSRa3Qi1+eigH1X1OpDDHwtyZZTjXbJtZN8yJhnzBMDYkAMNBoDX01S7nbtQYAAAQIECBBoVaCcxXCUiVyjE7k+FAHso2JVH2Pgewt3U511UHxckvONe8Y9MSAGxEBjMfCCWQdmrydAgAABAgQITCJQzmb4iklcY5O4PhYG7LOCVu0x8OMk151kQJvwOTdLcoxxz7gnBsSAGGgkBi5PcqcJx19PI0CAAAECBAjMJLBjku+bxDUyiau9EGD/FKv6FgNl7aobzTTCLf7iTZO8LMkVxj5jnxgQA2Jg5hg4Lslmiw+3fkqAAAECBAgQaFZglyQ/MIGbeQLXt+KA/VXQqjkGzkxyi2aHuvW2Vs4aONHYZ+wTA2JADMwcAy9cb4T1AwIECBAgQIBASwLXl8jNPHmruRhg3xSr+hQD5ya5Q0tj3bqb3TbJYZJX458YEANiYKYYuDTJXusOsL4nQIAAAQIECLQlcIMkJ5vAzTSB61ORwL4qatUYAxcluWdbg9wS2z0gya+Nf8Y/MSAGxMDUMXC0uxIu8SnjVwQIECBAgEDjAnsk+bnJ29STtxoLAvZJoaovMXBxkj9sfFSbfIM3TPIl45/xTwyIATEwdQw8c/Ih1zMJECBAgAABArML3DTJqSZvU0/e+lIssJ8KWzXFwIVJ7jf78DXzFlYlOThJuRymJh/7oj3EgBjoQwycl6Sc0e9BgAABAgQIEJibwM2T/EoCJ4EVA2JgDjFwQUeXDS41oJY1uE6Yw7H3ISG1jwonYkAMrCQGjlpqcPU7AgQIECBAgEAbAnsm+ZkETgFDDIiBFmOgFK/u1cYA1sA2t0zyxiRXtXj8K0kKPVcRQQyIgb7EQA1n1DbwMWATBAgQIECAQJ8EypowP5K8KWCIATHQQgyck+TOPRgQy7pcv2zh+PuSiNpPRRMxIAZWGgPfT7JJD8Z3u0iAAAECBAgMTOC6Sb4reVPAEANioMEY+E2SfXo0Vu6S5GMNHv9Kk0HPV0AQA2KgbzHwlB6N8XaVAAECBAgQGJDATkmOkbwpYIgBMdBADJye5HY9HB/LAu/PSlLulti3RNL+ajMxIAbmHQNnJNm+h2O9XSZAgAABAgQGIHCtJF+UuElcxYAYmCEGTkxyk56Ph7d0Vqo+MEMfmHcRYZr3OzvJd5J8MMlbkrxooXj7mCQHJHlAkvuu82//JA9P8rQkf5/k9UneneSrC3c2tpbcOAtor+35eG/3CRAgQIAAgR4LlEWNXUYzzknoNEmQ14iVtWPgW0mu0+Pxb+1d8zvKewAAIABJREFU3zxJScwk5WJ87Rjv29cXJfnKQpHqoCR3SrLd2oHe4Nelz+yV5JFJ/mFhLuFux8PvP5cmuWmDcWRTBAgQIECAAIEVCZRFOd828L8+9y0Jsb/DTwL63safSrLNikaafjy5nIVyqvHQGVk9iYHzknwoybMX1qDbtIJudrMkByY53J2PB9uPjqwgzuwCAQIECBAgMHKB5zn7YLCTzb4XS+x/XQW9dyWpIVFua8guawR+oCcFDH2jrr4xj/b4cZJXJblXks3a6gQNbrdcovs3Sb6U5Er9ahDzjNKO5ew7DwIECBAgQIBApwKPsKDxICaX80iivMf4EufS5q9MUhY/H8PjSUnOl3AbEyuIgZ8s9L0+3ixh7bHi+kkOTvL1Ckx9hs32GXbU2g3rawIECBAgQIBAVwL7JjnL5FLSJgbEwFoxcHmSZ3Y1KHX4vr+X5Oi1HCS9syW9/Cb3uyxJKRKUBdY36rAPtPXWN0/yuiRn6l+9/Kwp6wXu3VZw2C4BAgQIECBAYCUCZYHOcpmCZIOBGBADv164O9lKxpAhPbesE/jiJFcYE30mzCEGzkhy6IBukLDcWFAWg39ckv+Zg63Ps2Y/zz66XOP6PQECBAgQIEBgXgLXTvJlE0oJmxgYdQwcl6ScheSR3DXJyfrDqPtDmwWQ8kejpyQpdwce6+N+ST6tj/Wqj+0z1mB13AQIECBAgEB9AmWh5jeZTPZqMtlmgmXbzf71unbPjyTZtr5hqdM9Kh5lEfva287+9aeNyvpWZb21cqafx+8EylIGX9DPejHOfFzQEiBAgAABAgRqE3hskotMJnsxmZS49idxrbWtytomLx/oujtNja3lhhdnGxONiTPEQFlrsqwr14c7CTbVb1a6nfskOXYG41rH2CHtV/m8KHea9CBAgAABAgQIVCVwW5fPSNYkEoOPgYsX1qOpavCpdGdu4CyRwfeHNgoN5YYIhyUpl+l7LC9QFrAva2Sd7vOn2v729uWb0TMIECBAgAABAvMX2Mn6FNVOINtItGxzXGdznZCkFKo9JhcoyfUhSS6VXBsbJ4iBrya5xeTh5ZlrCWyX5K1JrpzA2WfXfD+7Lkmy61pt5UsCBAgQIECAQDUCGyd5ZZJy2rhJIgMxMIwY+Pck16pmlOnfjtwuyfHGRJ8JG4iB85I8w2W5jXTssj7WDzbg7POou8+jctm5BwECBAgQIECgWoEHJznTJFLCJgZ6HQNlbbuDqh1l+rVjWyX5R8X9XveHNgogn0+ye79Cufq93TzJq52NVVVfK2sCblN95NhBAgQIECBAYNQC10nyCQWMqiaRbSRgttndX7XbtC+XDN5m1CNYOwf/gCSnGRdHPy6Wta4OTVLOWvZoR+DeSX6ur1XT1w5up5ltlQABAgQIECDQnEBZA+Z5SS4ziaxmEtlm0cO2h1HM+jd/LW9uEFxkS6W4/1/GxNGOiScnuf0iceFHzQuUtTn1tTo+l05Msqr5JrZFAgQIECBAgEDzAvskOUnCNtqETWGrjgRiuXYoa/E8qfnub4uLCJRErqx7VC7TXK5d/H44Rp9KUooqHvMTKH9Ie5FLCqsYZ+47v2b3TgQIECBAgACB2QS2TXKkZK2KSaSEeDgJcVNt+cUkN56ti3v1FALlrnPHGhdHMS7+g0sGp+ghzb2krM1ZivRNjZm2s3LL9zbXnLZEgAABAgQIEJiPwCMt8G4CLYmoJgbKGUB/6Q5o8xn8NvAumyV5lTNEqukTTRcmyiX0T9xA2/vxfAVubV2sTvvZJUl2nm+TezcCBAgQIECAwOwCuyT5D0WMTieSTSdptrfyv0Z3bXZ0kj1n78620JCARaf714eW68PnJHHZVEMdpKHNXN9Zj53OPf66oXa0GQIECBAgQIDA3AX2S3KqQlank8nlEjC/H15SXc4IeUWSTefe473hcgLbJSmL6Ot3/Tf4dZI/WK7B/b4TgW2SfE4/62Sc+aHF3DuJeW9KgAABAgQINCRw7STvMZHsZCIpSe5/krzSNvxWknIZjUfdAgdar6fXY+JpSfaqO8RGv3dbJfm0uUcn/exuo48+AAQIECBAgEDvBR6S5Jcmk51MJldaBPH8/hW+zk3yLItI92qc3CPJ142JvRsTf5Hkpr2KtPHu7OZJPqaPzb2PvX28IefICRAgQIAAgSEJlMtn3pjkchPKuU8oFaX6V5SatM0+muQGQxooRnQsmyQ5JEm57HPS9va87qzOSFLuLOnRH4FyE4VP6F9zHV9+k6QUDz0IECBAgAABAoMQuE2Sr5pQznVCKentLulty/7kJA8axIjgIMpaSj8yJlY9Jpak/HZCtZcC5XLCL+lfc+1fZQ1UDwIECBAgQIDAYARWJXl8kl+ZVM51UtlWMcV251cguzTJy5JsOZjRwIEUgWslKZfe6Ev1GVyU5M7CtNcC2yc5Tv+a2/hSblbhQYAAAQIECBAYnMAOSd6S5AoTy7lNLCXI9SXIk7bJx5PcfHCjgANaW+BPk5Q73E0aE57XrtWVSUqbePRf4IbW4pzbuHKeP7L0v8M4AgIECBAgQGDDAuXSjC9I2uY2uZT0tpv0Nu37P0nut+Hu4zcDE7h+ks8aD6sYD58zsNga++HcIckF+tZc+tbDxh5sjp8AAQIECBAYvsB9kxxrcjmXyWXTRRbba74odmqSg9xdcPgD3yJHWC6zPjjJJcbDzsbDIxdpFz/qv8Aj9am59Kn39j9UHAEBAgQIECBAYHmBjZM8IcnPTTLnMslUeGq+8DSr6flJXpBk6+W7i2cMXOC21u7pZBwsZz2Wxb89hinwevOL1vtVOdNNHxpm/3FUBAgQIECAwCICZZHqcov5cvenWQsCXs+wDzFwWZK3JbneIv3Bj8YrUMbCNye5ylg4l8+Cs5PsMd5wG8WRb5rky/pT6/3JnXJH0Z0cJAECBAgQILC2wE5JXpPkQpPN1iebfSjyDHEfS+HqXyXNa3d7Xy8i8ECLUM9lDHz4IvZ+NDyBGyQpxcohfqbUckxvGl7YOCICBAgQIECAwGQCuyR5ZZJyeVUtkzP7oS1miQGFq8n6vmetEfh741+r4/8Ra6h9NQKBUqycZQz32qX9fjyCGHKIBAgQIECAAIElBcoZWS9Jco6Jp4l3T2OgFK4OT3LjJSPdLwmsL+Cyp6UT5lkKCicn2XZ9cj8ZuEApWs4SN167tN9NBx4/Do8AAQIECBAgMJHA9gsLXf/a5NPkuycxcKnC1UR925MWFyjFlVL8lDA3b1DWFyt3wfUYn8AOSU7Tr1obV/5ifCHliAkQIECAAAECGxYoSV1Z7N1dC5tP6iTKzZiemeSlFmffcCf2m4kEHiLJbi3JfvtELeBJQxX4U32rtb718aEGjeMiQIAAAQIECMwiUO4q9Mgk3zARbW0iqqC1soLW8UmekqTcRc6DwKwC/2hsa2VsOz3JjrM2jtf3XuBD+lcr/esin4G97xsOgAABAgQIEGhZYJ8k73G5TSuTUUWs5YtYn01Sbh++quU4t/lxCZQFkfW/5g2eOK4wcrQbELhRkov1sVbGmHttwNyPCRAgQIAAAQIE1hK4fpKXJznLpLSVSalkek0yfV6StyW59Vrx50sCTQnsagxrZQz7VpKNmmok2+m9QLnU2+da8wbl7qkeBAgQIECAAAECEwpskeRRST6T5EoTVBP0BmPg60melGSbCWPR0whMI/CIBmNWgv67BL0s3L7vNI3hNYMV2DrJL/S1xucInxhsxDgwAgQIECBAgEDLAuWsrLLo+0kmqY1PUseSGP8myWFJbtNyrNo8gdUCbzVeNT5elTWPPAisK3CQvtZ4Xzs3ycbrQvueAAECBAgQIEBgcoFy2cj9k7w3ySUmrI1PWIdWzLpi4Qy+cqOAzScPM88k0IjAd41RjY5R5ewrBehGQnNwGyk3hDlRf2u0v5X5gP42uK7igAgQIECAAIGuBModqP48yaeTXG7i2vjEta/FrHK56ZeTPCPJdbsKTu87eoEdXPrc+Jj0/tFHFYClBB5nHtB4n3v6UuB+R4AAAQIECBAgMJ3AtZM8eeFsm3LWTV+LL/Z7urYrZ2aUda3+Mkm53NSDQNcC9zMONToOlz5+q64b1ftXLVAud3MW1nSfoRuaexxZdYvbOQIECBAgQIDAAAR2TvKUJJ9NopjV7GR2Q5PcLn5ezrQ6OsnfJLnhAOLWIQxL4G8VsBotYFlQelj9o62jKWfedvF5NNT3PKWthrJdAgQIECBAgACB9QXKZYYHLCze7S5F/Z/Y/zpJuYyoLNi76/rN7ScEqhH4oES60ULCfappWTtSs8BWSc7U9xrte+VyaA8CBAgQIECAAIE5C5QF4O+Q5PlJvuHsrEYnuG3+9fnYJC9Psq87Is25x3i7WQR+KolubIwpi+F7EJhU4KX6XmN9r3y2321SeM8jQIAAAQIECBBoT2CnJI9K8i9JjjfhbXTCO0tB60dJ3p7k8dazai/4bblVgV2MJ42OJxaSbjVcB7fxckl5ucR8ls8hr13jVy7L9CBAgAABAgQIEKhMoCSdD03y+iT/7c6Gc5n8lySjnF3x5iQPT3K9ymLC7hCYRuD+kufGxo8Lk2w3TSN4zagFypppilDNGPzzqCPJwRMgQIAAAQIEeiKwTZKSiL4oyceSnGpCPHNCcHqSkli8LMmDk1hboyedwW6uSKDcDVPy3IzBO1Yk78kEfiewvz7Y2BhU7vDrQYAAAQIECBAg0EOBUnApazEdnORdSY5zqcIGJ8mnJflokkOT7Jdkjx62t10mMI1AuSxZAasZg3tO0wBeM3qBTZOUm37oh7MbnJ9k1egjCgABAgQIECBAYCAC2yb5VxPlqxOFjzuzaiCR7TCmFfia8eDq8WCWAsIv3bhh2hD0uoW1FGeJP69dU/zyByhdigABAgQIECAwIIFylzyT3d8ZvHtA7epQCEwj8BvjQSPjYVkbz4PAtAIP0A8b6YdlblMu+fcgQIAAAQIECBAYiIAC1poCngLWQILaYUwlUG5EoJjdjMHdp2oBLyLwO4FNkpylPzYyHj1LUBEgQIAAAQIECAxHQAFrTcKqgDWcuHYkKxe4m4S5kYT57CSlAOFBYBaB9+iPjfTH187SCF5LgAABAgQIECBQl4AClgJWXRFpb7oSeJyEuZGE+X1dNaD3HZSA/rjms3mWM0M/OKiocDAECBAgQIAAgZELKGCtmSQ7A2vknWHkh/9CBaxGCliPH3kcOfxmBHZ2p+BG+uOxzTSHrRAgQIAAAQIECNQgoIClgFVDHNqH7gWOUMBqJGG+QfdNaQ8GIvA/+uTMffKcgcSCwyBAgAABAgQIEEiigKWApSMQKAJflizPnCz/VCgRaFDgrfrkzH2yXH64Q4NtYlMECBAgQIAAAQIdCihgKWB1GH7euiKBUyTLMyfLZeFtDwJNCTxan5y5T5YC1u2aahDbIUCAAAECBAgQ6FZAAUsBq9sI9O61CFwsWZ45WX5mLY1pPwYhcEN9cuY+WQpY+w0iGhwEAQIECBAgQICASwjXShAs4q5DjFVg+7X6wSx3/Br7a+8y1gBy3K0JnKlvzlzEekJrrWPDBAgQIECAAAECcxVwBpYzsOYacN6sSoE9JckzJ8lXJdm2yta1U30W+Ly+OXPffE6fA8C+EyBAgAABAgQIrBFQwFLAWhMNvhqrwD0lyTMnySeNNXgcd6sCb9Q3Z+6br2i1hWycAAECBAgQIEBgbgIKWApYcws2b1StwMMlyTMnyR+ptnXtWJ8Fnqxvztw3/6XPAWDfCRAgQIAAAQIE1ggoYClgrYkGX41V4CmS5JmT5NePNXgcd6sC99E3Z+6b/9lqC9k4AQIECBAgQIDA3AQUsBSw5hZs3qhagedKkmdOkg+utnXtWJ8F9tA3Z+6bX+5zANh3AgQIECBAgACBNQIKWApYa6LBV2MVeIkkeeYk+Y/HGjyOu1WBTZNcoX/O1D9/0GoL2TgBAgQIECBAgMDcBBSwFLDmFmzeqFoBC0WvGQf+b8piwd7Vtq4d67vAz6eMyWljeWivK34eBAgQIECAAAECAxBQwFqTuL57AO3pEAhMI3CEBHmmMzxKwr/bNPBeQ2ACgWP1z5n6568mMPYUAgQIECBAgACBHggoYClg9SBM7WLLAkdJkGdKkEsBa6uW28jmxyvwGf1zpv55znhDx5ETIECAAAECBIYloIClgDWsiHY00wh8RII8U4J84TToXkNgQoH36p8z9c+LJ3T2NAIECBAgQIAAgcoFFLAUsCoPUbs3B4GPS5BnSpBPm0MbeYvxCvyz/jlT/7xyvKHjyAkQIECAAAECwxJQwFLAGlZEO5ppBFyitGYcmGYB61OmQfcaAhMKvEkBa6YCVunTm0xo7WkECBAgQIAAAQIVCyhgrUlcLeJecaDatVYFvihBnilBPqHV1rHxsQu8Wv+cqX+WAtbWYw8ix0+AAAECBAgQGIKAApYC1hDi2DHMJvBVCfJMCfL3ZuP3agJLCrxU/5ypf5YC1g5LCvslAQIECBAgQIBALwQUsBSwehGodrJVAQWsNePANJcQKmC1Gp6j3/iLFbBmLmDtNPooAkCAAAECBAgQGICAAtaaxNUlhAMIaIcwlcDnJcgzJcg/nErdiwhMJvAq/XOm/lmK0ttMRu1ZBAgQIECAAAECNQsoYClg1Ryf9m0+Ap+QIM+UIJ88n2byLiMVeKP+OVP/LAWsTUcaOw6bAAECBAgQIDAoAQUsBaxBBbSDmUrgwxLkmRLkU6dS9yICkwn8s/45U/+8ajJmzyJAgAABAgQIEKhdQAFLAav2GLV/7Qv8hwR5pgT5/PabyDuMWODf9c+Z+uclI44dh06AAAECBAgQGJSAApYC1qAC2sFMJfBvEuSZEuRyidIWU8l7EYHlBT6lf87UP89dntgzCBAgQIAAAQIE+iCggKWA1Yc4tY/tCrxdgjxTglwKWLu220S2PmKBb+ufM/XPM0YcOw6dAAECBAgQIDAoAQUsBaxBBbSDmUrgnyTIMyXIpYB166nkvYjA8gKn6J8z9c9fLE/sGQQIECBAgAABAn0QUMBSwOpDnNrHdgVeI0GeKUEuBawHtdtEtj5SgY2SXKp/ztQ/Txhp7DhsAgQIECBAgMDgBBSwFLAGF9QOaMUCfytBnilBLgWsp69Y3QsILC9wA31z5r751eWZPYMAAQIECBAgQKAPAgpYClh9iFP72K7AkyXJMyfJr2q3iWx9pAJ31zdn7psfHmnsOGwCBAgQIECAwOAEFLAUsAYX1A5oxQIPkyTPnCQftWJ1LyCwvMCB+ubMfbPcpMKDAAECBAgQIEBgAAIKWApYAwhjhzCjgLM81owD5XLAaf4dP2MbeDmBxQRePWU8ThPDQ32NsyMXiyw/I0CAAAECBAj0UEABa02y+u4etp9dJtCEwF6S5KmKVmsn/Fck2aqJxrANAmsJfFLfnLlvHrKWpy8JECBAgAABAgR6LKCApYDV4/C16w0JXEeSPHOSXIpZt2+oPWyGwGqB0/TNmfvmk1Zj+p8AAQIECBAgQKDfAgpYClj9jmB734TApkmukijPnCj/eRONYRsEFgR20Sdn7pOlsPwQEUWAAAECBAgQIDAMAQUsBaxhRLKjmFXgV5LlmZNli0XPGoVev7bAQ/XJmftkKWDtszaqrwkQIECAAAECBPoroIClgNXf6LXnTQocI1meOVk+ockGsa3RC7xWn5y5T5YCVjmTzYMAAQIECBAgQGAAAgpYClgDCGOH0IDA+yTLMyfL5TJMyXIDwWgTvxU4Wp+cuU9ekGSVeCJAgAABAgQIEBiGgAKWAtYwItlRzCrwSsnyzMlyOdvjgFkbwusJJNk2yWX65Mx98vuiiQABAgQIECBAYDgCClgKWMOJZkcyi8DTJMszJ8ulgGUdrFmi0GtXC+yvPzbSHz+6GtT/BAgQIECAAAEC/RdQwFLA6n8UO4ImBP5QwtxIwvxLlyw1EY6j38bh+mMj/fFNo48kAAQIECBAgACBAQkoYClgDSicHcoMAr8vYW4kYS5nYd1uhnbwUgJlzaZf6I+N9Me/Ek4ECBAgQIAAAQLDEVDAUsAaTjQ7klkEtkhypaS5kaS5jKseBKYVuIt+2Eg/LMXkh07bCF5HgAABAgQIECBQn4AClgJWfVFpj7oSOEni3EjiXBzd+ayrKO7/+5bL3krxxb/ZDfbsfzg4AgIECBAgQIAAgdUCClhrJsjvXo3ifwIjFfhPSXNjRYM7jDSGHPZsAhslOVU/bKQfXpRk49maw6sJECBAgAABAgRqElDAUsCqKR7tS7cCL5I4N5I4lzNn3tBtU3r3ngrcVx9srA9+u6cxYLcJECBAgAABAgQ2IKCApYC1gdDw4xEK/KnkubHk+awkZV0xDwIrEXifPthYH3z7SuA9lwABAgQIECBAoH4BBSwFrPqj1B7OS+BmkufGkudyFtaj59Vw3mcQAjsluUQfbKwPPnsQUeEgCBAgQIAAAQIErhZQwFLAujoYfDF6gbL+zoUS6MYS6C+OPqIArETgr/W9xvpeKSCXyzE9CBAgQIAAAQIEBiSggKWANaBwdigNCHxTEt1oEv0HDbSJTQxfYJMkP9H3Gu17uww/bBwhAQIECBAgQGBcAgpYCljjinhHu5zA2yTRjSbRRy4H7vcEkjxKv2u03/1SVBEgQIAAAQIECAxPQAFLAWt4Ue2IZhF4gkS60UT68iS7z9IgXjsKgXLHvHLZm3/NGHxwFFHjIAkQIECAAAECIxNQwFozWX73yNre4RJYTMBC7mvGhKaKCW9dDNrPCCwI/JHCVeOFu78SXQQIECBAgAABAsMTUMBak6wqYA0vvh3RygVWJfmVhLrRhPqyJDdeeVN4xQgESn87Rn9rtL+VwrO150bQeRwiAQIECBAgMD4BBSwFrPFFvSNeTuBDEurGE+rDl0P3+1EKPExfa7yvXZRks1FGk4MmQIAAAQIECAxcQAFLAWvgIe7wphB4jqS68aS6rIV1iynawkuGK1DuPHicvtZ4X/vicEPGkREgQIAAAQIExi2ggKWANe4e4OgXE7iLpLrxpLpc1vTZxbD9bLQCB+tnrfSzl442ohw4AQIECBAgQGDgAgpYClgDD3GHN4XA5kkully3klw/eIr28JLhCeyY5Cx9rJU+9sDhhYsjIkCAAAECBAgQKAIKWApYegKBxQQ+L7luJbn+UZItFgP3s1EJ/LP+1Ur/KjdM2HZUkeRgCRAgQIAAAQIjElDAUsAaUbg71BUIPFeC3UqCXS4lfNkK2sFThydw5yRX6l+t9C/rXw2vvzgiAgQIECBAgMDVAgpYClhXB4MvCKwlcCsJdisJdilglQXd917L2pfjESiX51q4fc3nbukPTf47ZDyh5EgJECBAgAABAuMTUMBaM3l+9/ia3xETWFLg5w0nl00mqn3f1reSbLqkvl8OUaCcfdf32K15/28zxKBxTAQIECBAgAABAr8TUMBak0woYOkVBK4p8C+S7VaLDe6Wds14G/p3+ya5Qp9qrU+dlmTV0IPI8REgQIAAAQIExiyggKWANeb4d+xLC+wv2W4t2S5nsZR1kO61dBP47UAEtktyiv7Uan/614HEisMgQIAAAQIECBDYgIAClgLWBkLDjwmkJN3lrl41XzLU9337aZKdxNrgBd6nH7U+jhww+ChygAQIECBAgACBkQsoYK1Jzl1COPLO4PAXFfiCxLv1xPtTSTZeVN8PhyDwbH2o9T5UCu3bDyFYHAMBAgQIECBAgMCGBRSwFLA2HB1+QyB5huS79eS7nEVWFvf2GJ7AXZzFOJf+87HhhY4jIkCAAAECBAgQWFdAAUsBa92Y8D2BtQWuY+HpuSTgVyVxCdTakdf/r2+U5HQF4Ln0nwP7Hy6OgAABAgQIECBAYDkBBSwFrOVixO8JfE4SPpck/OIk5Ywdj/4LbJvke/rNXPrNJclv1+vrf9Q4AgIECBAgQIAAgSUFFLAUsJYMEL8kkOQpEvG5JOLlUsKzktxU1PVaYNMkn9Fn5tZnPtTraLHzBAgQIECAAAECEwsoYClgTRwsnjhagWsnuVxCPreE/MQku4422vp94GUx/vfqK3PrK6Xo++h+h4y9J0CAAAECBAgQmFRAAUsBa9JY8bxxC5Q75ZVk0b/5GJyQpKw/5tEfgVVJDtNH5jpGlMtuy+WaHgQIECBAgAABAiMQUMBak4y+ewTt7RAJTCvwRIn5XBPzUij8TpIdpm0wr5urQClevVEfmXsfOWqurezNCBAgQIAAAQIEOhVQwFLA6jQAvXlvBLZJcp4Efe4J+nFJrtebKBnnjiperfkcnfcZmn80zpBz1AQIECBAgACBcQooYK2ZeDsDa5x9wFFPLnC4AtbcC1ilIPDDJLtN3kyeOUeBsubVO/SLTvrFz5MUfw8CBAgQIECAAIGRCChgKWCNJNQdZgMC+0jUO0nUSxHrlCQ3b6ANbaI5ga2TfESf6KxPvLi5prQlAgQIECBAgACBPggoYClg9SFO7WM9AsdK2DtL2M9Ocq96QmHUe3LdJP+tL3TWF65McsNRR6CDJ0CAAAECBAiMUEABSwFrhGHvkGcQeKakvbOkvZyJdWmSA2doPy+dXeDWSX6iH3TaDz45ezPaAgECBAgQIECAQN8EFLAUsPoWs/a3W4Htklwoee80eS+FrMOSbNZtKIzy3R+V5ALx33n87z/K6HPQBAgQIECAAIGRCyhgKWCNvAs4/CkE3imB7zyBL0WsrybZdYr285KVC2ya5A3ivoq4Pz1JaQ8PAgQIECBAgACBkQkoYClgjSzkHW4DAreXyFeRyJci1plJ/qSBNrWJDQvcOMnXxHw1MX/ohpvKbwgQIECAAAECBIYsoIClgDXk+HZs7Ql8UUJfTUJfCln/nGSr9pp7tFt+YpLzxXo1sX5Rkl1GG40OnAABAgQIECAwcgEFLAWskXfPx+rpAAAgAElEQVQBhz+lwH6S+mqS+lLAKv9OTnK/KdvTy64pUC7N/KAYry7G/+mazeQ7AgQIECBAgACBMQkoYClgjSneHWtzAquSHC/Bry7BvyrJO5Ls2FxTj2pLGyd5lrOuqovrUqC9MsnNRhWNDpYAAQIECBAgQOAaAgpYCljXCAjfEFiBwJMVsKpM9Euy/+skByfZZAXtOfan7pPkaDFdbUyXM+I8CBAgQIAAAQIERiyggKWANeLwd+gzCmyR5FcS/moT/lLI+l6S+87YzkN/eVmk/f3iuOo4LrG879AD0fERIECAAAECBAgsLaCApYC1dIT4LYGlBZ4v8a8+8S/J/+eT3HXpphzdb3dLUtZUulQMVx/D3xhddDpgAgQIECBAgACB9QQUsBSw1gsKPyCwAoHtk/xGAaD6AkApYpV/n0hyjxW07xCfeqMkb0pysbjtTdw+cIiB6JgIECBAgAABAgRWJvBGE/irJ/BHJSkLU3sQILAygb83jlw9jqwuFNX+/zFJHjGyNbLukOS9SS4Xr72K16+tbDjybAIECBAgQIAAgaEI7JHkoCTvSvJTk/j1JvHnJflMkkMW1tvYbCgN7zgItCiwjbWw1htLai9grd6/05K8Ikn5bBjiY8skByyM66uP2f9rzjzug8W9hxiYjokAAQIECBAgQGB9gXLL6b9M8tEkZytYrTjJPD/JpxYKWrden9dPCBBYEHiO8WXF40tNxYMrk3w6yROS7NDzqC53XvzDJO9IUsbwmpzty8ra4ws9j0W7T4AAAQIECBAgsIRA+WtzmbiX9T1ONHFvPHH5eZK3JXlIknLWiQcBAr8T2CrJL405jY85XRQ8yqLm5Y8eT0yya08CfOskD05yWJKzxOEg4rDEvjsP9qQD2k0CBAgQIECAwKQCZRHlxy0kHBeauM9t4l6SvHK54VOS7DxpY3kegQELPMv4M7fxZ16FrauSHLtwmeGDkpTPmxoemya5U5K/WThz7BKxN7jY+2QNgWYfCBAgQIAAAQIEZhfYLsljF4pWJu4ruyShjcTvioVi1pOTXHv25rUFAr0U2MLaeoMrIqw7XpZLDb+3cKbT05PcfQ5FrbIW4W0XPvNeleSLSS5SsBp0rJXC6R17OQraaQIECBAgQIAAgd8KlEn8w5J8OImiVfdFq3UTu9XflztclXWz/ixJuaTTg8CYBB6lsDDowsLqcW7d/8vlo19PcmSSlyX5/+3dCbhuZVk38P/hMIOMCiKDgAMoooADqDiVihEImhiZYl8qnxaJWgmmJZfmJ5l9ipVEZRokJlpYWlmIiqKiYBGDoCYiIsioDDKec/yu5+s9tjmeYe+95rV+73Vxcc7e77uG33Pfz7ue+zzrWcckKbHw7CSPTfLQ2ULx5ZbEssZWmbVaFo4v/z0mydNm32/lISO/m+Qvk3wqybc8NXCS8VQeNONFgAABAgQIECAwQIE9Z7dvXGdgOLgL+VtmMxWs4zHAxHPIixJYkuRz+qrB9VWrFqT8vb//SDL2tilLIey8qN7HhwgQIECAAAECBDoRKAuEl9vRvmQgOJqBYLnt5tgk23QSUXZKoD2BxyUpt5qNfaDt/LSxGKg/Bt7UXldlTwQIECBAgAABAlUEdpvNtrrJ4G+0g99y+2e5PWLvKoHiswR6LvB+fdho+zBFm/qLNkz/2/SqJOWJpl4ECBAgQIAAAQI9Fii3mJ1hrY/JDfjOTXJEkqU9jk2HRmAxAtsnKbfQGpgzEANiYL4x8ILFdDY+Q4AAAQIECBAg0LzA+rOnKpVby+Z7ced947T6ZpJXJdmo+bCzBwKtCRyvb9O3iwExMM8YOKe1nsmOCBAgQIAAAQIE5i1QniZY1rcqT1dSkGIwNwa+l+S1bqGYdy55Y78FSkH2Mv2cfl4MiIF1xMA9bqvvd2fu6AgQIECAAIHpCZTCVXlEeFnjYW7Rwp95rBoDNyQ5IclW00sTZzwygQMs6K6/950nBtYRA28dWb/ndAgQIECAAAECgxUohatjkly7jgu4VYsY/q6wdXOSN5iRNdjcd+D/LfBefZ8ChhgQA2uIgcuTbKyzJECAAAECBAgQ6FZgyWyB7rK+kWIUgyoxcH2SY5OUddO8CAxNYAszT30H+B4UA6uJgRVJfmZoHZrjJUCAAAECBAiMTeCZSb66mou1KkUMn1UEK/9SXZ5aWIqjXgSGJHCw/lABQwyIgVVi4OQhdWKOlQABAgQIECAwNoG9kpy1ygWawpPCU90xcF6S/ceWPM5n9AJ/q29UwBADYmAWA+WhJVuOvtdzggQIECBAgACBHgqUi7B3JbnXxbmL85ZiYHmS9yXZrof54JAIrE5g+yTldti6C7q2x1QMDC8Gnru6TsLPCBAgQIAAAQIEmhMot3IdZYF2A9IOB+U/SHJckvKwAC8CfRf4uSRl3RsFBwZiYLoxcErfOyrHR4AAAQIECBAYm8A+Sb5gIGYg2pMYuCjJU8aWZM5nlAJ/1pOcUUCZbgFF23fX9mUtx81G2bM5KQIECBAgQIBADwU2mM14udsgTPGqZzFQZraUf9kuT33zItBXgU2TXNaz3FHQ6K6gwX469vckeUJfOybHRYAAAQIECBAYm8CTknzNwEvhqucxcE2Sw8eWfM5nVAL7JfGPANMpXChSaesSA789ql7MyRAgQIAAAQIEeipQZgycmGRZzwsXBgkGCXNj4Iwk9+9pTjksAq/Xn/rHADEwmRg4J8lS3R4BAgQIECBAgECzAk9N8m0X2ZO5yJ5bABrDn69LcmizKWLrBBYlsF6ST+lb9a1iYPQxcEOSHRfVS/gQAQIECBAgQIDAvATWT3KCWVejv7AeQ5FqPudwqoVz55X33tSuwLb+gUAfq4A16hhYnuSgdrsVeyNAgAABAgQITEtg1yTnuqge9UX1fIo+Y3tPWTi7rD3kRaBPAvsmuUN/q78VA6OMgeP61Nk4FgIECBAgQIDA2ASOSnKbC+lRXkiPrSC1mPMpT4EqMwvL7VteBPoicLQ+V58rBkYXAx9LsqQvnYzjIECAAAECBAiMSWCzJB90AT26C+jFFHmm8Jl/SVJu3/Ii0BeBv9T/6n/FwGhi4PIkW/Slc3EcBAgQIECAAIExCTwsyUUunEdz4TyFAlQd53hVkv3HlMjOZdACGyX5in5YPywGBh8DZRb7XoPujRw8AQIECBAgQKCnAr+Q5BYXzIO/YK6joDPFbdyVpNy+5UWgDwK7JPm+/lh/LAYGGwMrkrygD52JYyBAgAABAgQIjEmgPGXwxCTlYmuKhQvnrN3nxsBpSTYdU4I7l8EKPC7J7fpl30tiYJAxYNH2wXa9DpwAAQIECBDoq8DWST7l4niQF8dziy7+XG8R7oIkD+pr0jquSQk8L8lyfbQ+WgwMKgZOmVQv5WQJECBAgAABAi0I7J7kay6KB3VRrFBVb6FqbZ7fS1JmwHgR6Frgdfpp/bQYGEwMlAeDlJntXgQIECBAgAABAjUJPCnJdS6IB3NBvLZCi981V9Qqt28dXlPO2QyBKgLv0V/rr8VA72Pg4iRbVkl0nyVAgAABAgQIELivwJFJ7nQh3PsLYYWp5gpTC7Eta8OdcN8U8jcCrQusl+Rj+m39thjobQyUWbs7t94z2CEBAgQIECBAYMQCb3Hx29uL34UUVby3/eJWWdNk6Yj7BqfWf4HNknxBH64PFwO9i4Gbkuzd/y7EERIgQIAAAQIEhiFQBt4nu+jt3UWvQlT7hagq5mUGzMbDSHlHOVKBcnvS+fpyfbkY6E0M3JLk8SPtb5wWAQIECBAgQKB1gQ2TfNjFbm8udqsUUHy2+4LXZ5Js0XoW2yGB/xG4f5JL9On6dDHQeQzckeTp/5Oa/kSAAAECBAgQIFBFoNxy8kkXuZ1f5Co8dV94qrMNLkiyXZXE9FkCFQVK/F2mb9e3i4HOYuDuJAdXzGMfJ0CAAAECBAgQmAls61aTzi5s6yyW2FY/i19fT7KL3oZAhwIPTvIdBQz9vBhoPQbuTfK8DnPfrgkQIECAAAECoxIot5hc6KK29YtaxaZ+FpuaapdvKWKNqt8c4sk8LEl5+llTMW67bMXAfWNgWZIXDbGzcMwECBAgQIAAgT4KbJ2k3OLkopOBGGg+BsoMmN362BE4pskI7Jrkv/T5vvPEQOMxUG4bPGIyPYsTJUCAAAECBAg0LPCAJP/pIrbxi1iFoeYLQ0MyLkWs3RvObZsnsDaBHSzsrt/33d9oDNyV5PC1JaHfESBAgAABAgQIzF9A8UpRZUhFn7EdqyLW/Psq72xGYHv/gNFoAWNsfZbzmf81w+1JntVM2toqAQIECBAgQGB6AltZ88rAxb++dx4DVyTZcXrdjzPukYCHd8y/KKGAw2o+MfCDJE/sUY47FAIECBAgQIDAoAU2TXKu4kXnxYv5XAh7z/gHTJck2WbQPYqDH7rAFkk+5zvBd4IYqBwD1yfZd+gdguMnQIAAAQIECPRFYIMk/+QitfJFqsLS+AtLbbbxl5Ns3pdOwnFMUmCjJKf7bvDdIAYWHQPlwQgPn2Tv4aQJECBAgAABAg0ILEnyAReni744bbOgYV/TK5CdnaQUEbwIdCVQviNO8B3hO0IMLDgGvpikrCvqRYAAAQIECBAgUJPAu1yULviiVCFpeoWkLtv8zCRLa8p3myGwWIGXJbnH94XvCzEwrxj4SJJNFptsPkeAAAECBAgQIPDTAse7EJ3XhWiXxQv7ViwrMVAKzV4EuhYoT1C7xfeG7w0xsNYYOCnJel0nq/0TIECAAAECBMYk8AtJlrsIXetFqOKR4lGfYuDXxtQBOZfBCuyT5Lu+O3x3iIGfioEyQ/Hlg81sB06AAAECBAgQ6KnAfklud/H5UxeffSpWOBbFs1VjYFmSQ3rapzisaQncP8mnfIf4DhEDP4mB65I8Y1rdgLMlQIAAAQIECDQv8CD/ev6TC85VCwT+rmjU9xi4Ncmjm+8m7IHAOgXWT3JikhWKGL5TJh4Dn0+ywzozxhsIECBAgAABAgQWJLB5kgsnfqHZ9wKF41NEW1cMXJlk+wVlvjcTaE7gMOtiKWBN+LrilCQbNJdetkyAAAECBAgQmKZAeRT6GRO+yFxXUcDvFY6GFAPl8ewbTrMrc9Y9FNgjyaW+XxSyJhQDdyb5lR7mokMiQIAAAQIECIxC4LcndGE5pEKEY1U4W2wMvHsUPZOTGIvAlkk+4ntGEWsCMVCKtXuPJXGdBwECBAgQIECgbwJlYdF7J3BRudhCgM8pIg01Bo7qW2fjeCYvUGKyrNU21Jxy3NpubTFwapLNJp/lAAgQIECAAAECDQnsnOR6gwmDKTEwyhgoTxN9VEN9h80SWKzArknO1eeMss9ZW3FnzL8r11HPXWxC+BwBAgQIECBAgMC6BcrCogYR/jV5zIMK55Z8I0m5fcuLQJ8EylMKT0iyTCFLIWvgMXBWkvIEZy8CBAgQIECAAIEGBcoaOQb4DMTA+GPgww32IzZNoIrAgUmu8F3ku3iAMXBHkmOTlIfgeBEgQIAAAQIECDQocFCSFQO8YFRsGX+xRRs308b/q8H+xKYJVBHYNMmJZmMpYg3omuRzSfasEvQ+S4AAAQIECBAgMD+BByS5dkAXigoazRQ0uE7LtayHtcf8ugjvItCJwD5JLvDdpJDV4xj4wWzW1XqdZIidEiBAgAABAgQmJlCmun+8xxeHiirTKqpo73bbuxQHNpxYn+d0hyVQ1sY6LsmdvqcUsnoWA+XaaadhpZOjJUCAAAECBAgMW+DVPbsgVMBot4DBm/fbh92FOfqJCJTZguf4vlLE6kEMfDfJYRPJO6dJgAABAgQIEOiNwF7+VdtgoAeDAUW0botoy5M8tTe9kgMhsGaBMmP4yCRX6bd8d3UQA2WR9rcm2WzNIeo3BAgQIECAAAECTQiU9Rq+0MEFoGJFt8UK/vxXFwPlqW8GZU30tLbZhMAms9sKb/UdppDVUgyU2wV3ayKYbZMAAQIECBAgQGDdAq9v6aJvdYNlP1NEEQP9i4F3rrvb8A4CvRLYMcmpnqCriNXg9cy/m6Haq5x3MAQIECBAgMAEBR6epEyFV0RgIAbEwMoYWJbkgAn2h055+AJPTvJF32m+02uMgauTvDyJpwsOv39wBgQIECBAgMCABcrF2OdqvMhbOfj1f4UQMTD8GLgsycYD7t8c+rQFnpnkfN9vClkVYuCG2e2p5TZVLwIECBAgQIAAgY4FjqlwYadAMfwChTbUhuuKgd/vuI+yewJVBMpC789PcrHvOoWsBcTAjUmOtxZgldTzWQIECBAgQIBAvQLbJ/nhAi7o1jXQ9XvFEDEwvhi4O8kj6u16bI1A6wKlkHVEkst95ylkrSUGbktyYpKtWo9QOyRAgAABAgQIEFirwGlruYhTiBhfIUKbatPFxsBZa+1J/JLAcASWJnlhki/7/lPImhMD35vdKqhwNZxcdqQECBAgQIDAhATKIrcr5ly8LXZg63OKImJgGjFQZq94ERiTwIFJzkhSHligH5umwTeSHGutvzGltXMhQIAAAQIExiZQ/gX6QhfsBixiQAwsIAa+m2TzsXWGzodAkockOSnJjxaQDwpewy54nZvk0CTl1lIvAgQIECBAgACBHgu82kW6woUYEAOLiIG397hfc2gEqgpsN7uN7JuLyA0Frf4XtMqan3+a5DFVA8XnCRAgQIAAAQIE2hF4QJIfuDhXvBADYmARMVAWdH9YO12VvRDoTKDMynlGktOT3LWIPFHM6lcxq8y2emmSTTuLKDsmQIAAAQIECBBYlEC5TcLFNYMSA7cm+XaSC2b/fTZJWay7/PfpOT8vsxE8rVLMrOw3yppBXgSmIrBtktckudR356CuHW5M8n+TPHIqgeo8CRAgQIAAAQJjE9g9SZlBsXIg6v/jtigFqi8mOSXJ8Ul+Mcn+SXZIsuEignv9JNsneVySFyT5rSTvTXKOWX2Tyqny8IcnLCJ+fITA0AX2S/IHs8K/78/+fX/ekuTUJIcs8jtu6PHp+AkQIECAAAECoxL4kOLVaAsN98weC/+uJOVpcWVR4rYXp31wksNmA7xyy4Zbb/o3wKtr0P2ZUfWMTobAwgRK31r+MeCPklzle7XT79Xbk5Rrm8M9SXBhQezdBAgQIECAAIE+C5RZM2XmRF0DWNvp3rI8/rvcEvqcnq7tsdFsHZl3JLlI7I0u9w7uc4fn2Ai0JLBekifPillf08+10s9dn+S02T/WWNeqpUC3GwIECBAgQIBAmwJnu7Bu5cK66cLehUl+Z6ALae+S5LVJzlNMHUUslqLk0jY7MfsiMACBXZO8Msk/JLnN924tfd2y2e3wv5vk8UlK0dCLAAECBAgQIEBgpALPdBFdy0V008WpNW3/miRvS7LniOKzDPLeZC2ZQcdlidcXjygmnQqBugXKWoM/m6TMQv1SknKr95r6eT+/r83Xk/xVkiOTlIX0vQgQIECAAAECBCYiUBbZdnE8LINyu+cnkzwvSVk8fayv8i/pz07y0STlX9nF6bAMyi1TZkOMNTudV90CmyR5apI3JvknD7/4SX9fHi5THjjyztlaVtvVDW97BAgQIECAAAECwxB4mqLATy6Sh1AcKQufvy/JXsMIr1qPsjwl8z1uuxlUvJacemGtUWBjBKYjUIq/j0rystl6hp9OcuPIv7PvSHLBbHZVuaW8FPRKYc+LAAECBAgQIECAQM4a+cXwEIpS8znGO5OUJwjuIGazTZK3JLlV7A6imFXWwmr7iZfShMCYBR6U5KAkr58tVl7WDbxuYP1hWf+r9A1nJnnrbMH1chu8dfPGHLnOjQABAgQIECBQQeCJA7vgnU+hZ2zvKWuivDfJjhXaeawfvf9s7ZgfiePeF7LKra5eBAg0K1CeuFdm5x6S5DdmTz78+ySfT1Ju5y1P51veQn95S5L/mj2Qo9wKefKs2HbEbJH10nd7ESBAgAABAgQIEFiQQLmwHFvBZ0zn84kkeyyoRaf55p2TnO7Jhb3O5a+ahTXN5HTWvRQoi54/PEn5R6xDZ7OffjHJ0bP/jk1y3Oy/t8/W5Cp//6057ykPaCgFqefPbvMrhbMHJtmgl2fsoAgQIECAAAECBAYt8GjFq94O+C+f3R4y6ADr4OCflKQUSsZUxBzTuZRbnrwIECBAgAABAgQIECBAgMCCBMrjp8c0OB7Dudyb5MQkGy+oJb15rkBZ9LjMIijrq4whJsZ0Dv88t6H8mQABAgQIECBAgAABAgQIrEugPIK6LAo+psHx0M/l/CRlVpxXPQLliYVni/Fe5fiKJGWRZi8CBAgQIECAAAECBAgQIDAvgTcb2PdmYF8G9Scl2XBeLedNCxEoT74ra7ncJd57E+/lgQReBAgQIECAAAECBAgQIEBgnQIbJbnWgL4XA/rvzBa/XWejeUMlgX2TXCbmexHztyfZplJr+jABAgQIECBAgAABAgQITELgpQbyvRjIfzbJ9pOIuH6c5OZJPiz2exH75WlmXgQIECBAgAABAgQIECBAYK0CXzaI73QQX24ZLAu1L11rK/llEwLllsLfTrJMDnSaA1cmKYvtexEgQIAAAQIECBAgQIAAgdUK7G3g3unAvazF9EurbRk/bFPgOUlulQud5sKz22xw+yJAgAABAgQIECBAgACBYQm826C9s0H7TUmeNqxwGfXRPipJWYNs6E+vHOrx/+2oo8vJESBAgAABAgQIECBAgMCiBcri7TcYsHdSsCi3TD180S3ng00J7JjkYjnRSU6U2YjbNtWwtkuAAAECBAgQIECAAAECwxV4oYF6JwP1K5LsNtywGf2Rb53kPLnRSW4cO/rocoIECBAgQIAAAQIECBAgsGCBTxqktz5IvyTJDgtuKR9oW2DLJOfKj9bz46K2G9r+CBAgQIAAAQIECBAgQKDfAuVWqeUG6K0O0C9Lsl2/w8LRzRHYPMmX5EirOVLW73rcnDbwRwIECBAgQIAAAQIECBCYuMBrDcxbHZiXxcEfPPGYG+Lpl5lYF8iVVnPlD4cYKI6ZAAECBAgQIECAAAECBJoRMLOkvafNXZ1k12aa0VZbEHhAkssVsVorYpUHHCxpoV3tggABAgQIECBAgAABAgR6LrBLkhUG5K0MyG9Lsm/P48HhrVugLLr/fTnTSs6U2wgPWHeTeAcBAgQIECBAgAABAgQIjF3gOAPxVgbiy5I8d+zBNKHzK2sz3S53Wsmdd00orpwqAQIECBAgQIAAAQIECKxB4KsG4a0Mwn9jDf5+PFyBI8xebCV3vptkveGGiSMnQIAAAQIECBAgQIAAgaoCD1W8amUAfmrVhvL53gq8Qw61kkMH9jYCHBgBAgQIECBAgAABAgQINC7g6YPNL95+YZJNG29JO+hKYGmSTypiNV7EOrGrBrZfAgQIECBAgAABAgQIEOhe4CwD70YH3rck2b37ZnYEDQtsl+RaudRoLl3ccBvaPAECBAgQIECAAAECBAj0VGDzJHcZdDc66D6qp23vsOoXeLb1sBrNpfI0wgfX32y2SIAAAQIECBAgQIAAAQJ9F3ie4lWjA+6P9j0AHF/tAifJqUZz6pW1t5gNEiBAgAABAgQIECBAgEDvBf7cYLuxwXa5nWyb3keAA6xbYOMkl8urxvLq43U3mO0RIECAAAECBAgQIECAQL8FliS52kC7sYH2C/rd/I6uQYGnupWwsby6wwMRGoxcmyZAgAABAgQIECBAgEAPBfZSvGpskH1mD9vbIbUr8Gfyq7H8ema7TWlvBAgQIECAAAECBAgQINClwK8ZYDcywL49yY5dNqx990JgyyTXybFGcuwtvWhhB0GAAAECBAgQIECAAAECrQh82OC6kcH1G1tpPTsZgsAr5FgjOXbOEBrfMRIgQIAAAQIECBAgQIBAPQLfM7iufXB9lfV56gnOkWxlvSTny7Pa8+yuJJuMJEacBgECBAgQIECAAAECBAisRWAPg+raB9U/TnLkWsz9apoCT5drjeTa06YZTs6aAAECBAgQIECAAAEC0xI42qC69kH1xUnKjBsvAqsKnCXfas+331sV2d8JECBAgAABAgQIECBAYHwCpxlQ1z6gPnx8YeKMahI4QL7Vnm+fqqltbIYAAQIECBAgQIAAAQIEeixwmQF1rQPqC5Is6XF7O7TuBf5JztWacz+Qc90HtSMgQIAAAQIECBAgQIBAkwL3S7LcYLrWwfQRTTaYbY9C4ClyrtacK2vOPWwUkeEkCBAgQIAAAQIECBAgQGC1AmXx4zL48189Bt9Osv5qpf2QwH0FviTvau13PDThvvHlbwQIECBAgAABAgQIEBiVwOsMomsdRL96VNHhZJoUeKHcqzX3/rDJxrJtAgQIECBAgAABAgQIEOhW4G8MomsbRN+WZItum9PeByRQZupdLf9qy79PD6jtHSoBAgQIECBAgAABAgQILFDgcgPo2gbQf7FAe28n8Fb5V1v+3ZJkPSFFgAABAgQIECBAgAABAuMT2MQC7rUNnssaYk8YX4g4o4YFdpWDtebg7g23l80TIECAAAECBAgQIECAQAcCjzb7o7bB80UdtJ9djkPg3+RhbXn4c+MICWdBgAABAgQIECBAgAABAnMFftHAubaB8xvmwvozgQUI/Ko8rC0PX7MAd28lQIAAAQIECBAgQIAAgYEIvNnAubaB80MH0uYOs38CWyW5Wy7Wkosn9695HREBAgQIECBAgAABAgQIVBU43aC5lkHz+VUbwucnL/AJuVhLLn5m8pEEgAABAgQIECBAgAABAiMU+KpBcy2D5jeNMDacUrsCL5eLteTite02m70RIECAAAECBAgQIECAQNMCS5LcZtBcy6D5sU03lu2PXmCnJCvkYy35WG7J9CJAgAABAgQIECBAgACBkQhsb7Bcy2D5+iTrjSQmnEa3AuVJlj/2X2WDfbptRnsnQIAAAQIECBAgQIAAgZ4PyRcAAB5bSURBVDoF9jNQrjxQLsWGU+tsFNuatMA75GQtOXnIpKPIyRMgQIAAAQIECBAgQGBkAocZLNcyWH7ZyOLC6XQnUAovZmBVN3hVd01ozwQIECBAgAABAgQIECBQt8AxBsu1FAseUXfD2N5kBbZOslxeVs7L359sBDlxAgQIECBAgAABAgQIjFDg7QbKlQfKN1v/aoSZ0e0pXSovK+flX3fbhPZOgAABAgQIECBAgAABAnUKnGagXHmg/C91NohtEUjyPnlZOS/PFkkECBAgQIAAAQIECBAgMB6BTxsoVx4onziecHAmPRE4Vl5Wzsuv96QtHQYBAgQIECBAgAABAgQI1CBwsYFy5YHyi2poB5sgMFfgGfKycl7eNBfUnwkQIECAAAECBAgQIEBg2AJXGyhXHig/atgh4Oh7KLCtvKycl8usTdfDyHZIBAgQIECAAAECBAgQWKTAjwyUKw2UVyTZeJH2PkZgbQI3ys1KufnjJFuuDdjvCBAgQIAAAQIECBAgQGAYAhsaIFceIJcZbF4EmhC4QH5Wzs9dm2gY2yRAgAABAgQIECBAgACBdgW2N0CuPEA+t90ms7cJCXxEflbOz30nFC9OlQABAgQIECBAgAABAqMV2MMAufIA+W9GGx1OrGuBd8jPyvn5M103ov0TIECAAAECBAgQIECAQHWB/Q2QKw+Q31m9GWyBwGoFXic/K+fn81cr64cECBAgQIAAAQIECBAgMCiBpxkgVx4gHz+oFnewQxJ4qfysnJ8vGlKDO1YCBAgQIECAAAECBAgQWL3AswyQKw+QX756Wj8lUFng5+Vn5fwsRUAvAgQIECBAgAABAgQIEBi4wMEGyJUHyL8w8Bhw+P0VeKL8rJyfr+hv8zoyAgQIECBAgAABAgQIEJivwOEGyJUHyD83X2zvI7BAgcfIz8r5+esLNPd2AgQIECBAgAABAgQIEOihwBEGyJUHyD/bw3Z1SOMQ2FN+Vs7P144jFJwFAQIECBAgQIAAAQIEpi1QFjj+sf8qGRw47RBy9g0K7CY3K+Vm6dte32D72DQBAgQIECBAgAABAgQItCRwlAFy5QHy/i21ld1MT2An+Vk5P984vbBxxgQIECBAgAABAgQIEBifgBlY1WegPXl8YeGMeiJgBlb1/DQDqyfB7DAIECBAgAABAgQIECBQReAFZnhUnuHxM1UawGcJrEVgD/lZOT+PXYuvXxEgQIAAAQIECBAgQIDAQASea4BceYD8nIG0tcMcnsCj5Wfl/HzV8JrdERMgQIAAAQIECBAgQIDAqgIHGSBXHiA/b1VUfydQk0BZX81DFqoZvKymtrAZAgQIECBAgAABAgQIEOhQ4BkGyJULBAbIHQbwyHd9sPysnJ8vHnmMOD0CBAgQIECAAAECBAhMQqAsQG6GRzWD4yYRKU6yCwFPCa2Wm6VvO6KLhrNPAgQIECBAgAABAgQIEKhX4HEKWJULeO+ot0lsjcBPBF4rPyvnZ1nnz4sAAQIECBAgQIAAAQIEBi7wKAPkygPkDww8Bhx+fwX+j/ysnJ9lnT8vAgQIECBAgAABAgQIEBi4wI4GyJUHyJ8deAw4/P4KfEh+Vs7Px/e3eR0ZAQIECBAgQIAAAQIECMxXYGMD5MoD5Cvni+19BBYocJ78rJyfuy/Q3NsJECBAgAABAgQIECBAoKcCtxskVxokL0uyQU/b1mENW+D7crNSbpZF3LcYdgg4egIECBAgQIAAAQIECBBYKVBmEHkSYTWDPVdi+j+BmgS2TLJCblbqm+5JsqSm9rAZAgQIECBAgAABAgQIEOhY4AKD5EqD5FL8O6LjNrT78Qk8RV5WzstrxhcWzogAAQIECBAgQIAAAQLTFfhXA+XKA+W3TDd8nHlDAr8mLyvn5cUNtY3NEiBAgAABAgQIECBAgEAHAh80UK48UP6HDtrNLsctcLK8rJyXnhA67hxxdgQIECBAgAABAgQITEzgJAPlygPlaycWM063eYGvysvKefnR5pvJHggQIECAAAECBAgQIECgLYHfNFCuPFAu62Dt3laD2c/oBe6XpDzd0sMVqhm8c/SR4gQJECBAgAABAgQIECAwIYHnGyjXUih4yYRixqk2K/BsOVlLTh7TbDPZOgECBAgQIECAAAECBAi0KbCvwXItg+U/b7PR7GvUAuWhAGZfVTc4ZNRR4uQIECBAgAABAgQIECAwMYGtDZZrKRZcNbG4cbrNCXxFTtaSk49srolsmQABAgQIECBAgAABAgS6EPihAbMBcxeBZ58/JXD/JMvlYy35uNlP6foBAQIECBAgQIAAAQIECAxa4EID5loGzK8bdBQ4+D4I/LJcrCUXv9+HxnQMBAgQIECAAAECBAgQIFCvwJkGzbUMms+pt1lsbYICH5aLteTieROMHadMgAABAgQIECBAgACB0QuUx81bNLq6Qbn1a8fRR4sTbEqg3PL2I7lYS1/0waYayXYJECBAgAABAgQIECBAoDuBlxo01zJoLkXAY7trRnseuMCR8rC2PDxu4LHg8AkQIECAAAECBAgQIEBgNQL7GjjXNnD+0mp8/YjAfATcylt9FuTKmaQHzwfcewgQIECAAAECBAgQIEBgWAIbJblHEau2ItZew2p+R9sDge3lYG35V4pYO/WgTR0CAQIECBAgQIAAAQIECDQgcIkCVm0D6Hc10D42OW6BcsvbytlD/l/N4qZxh4qzI0CAAAECBAgQIECAwLQFTjeArq2AcGOSjacdTs5+AQJLknxd/tWWf59dgL23EiBAgAABAgQIECBAgMDABN5gAF3bALrMoPmVgbW/w+1O4CC5V2vu/XF3TWnPBAgQIECAAAECBAgQINC0wM8bRNc6iL44SZlZ40VgXQJnyb1ac+8V6wL3ewIECBAgQIAAAQIECBAYrkBZRNraO/UaPGe44eDIWxJ4jLyrvd/Zr6W2sxsCBAgQIECAAAECBAgQ6EjgmwbTtQ6mz+6oHe12OAIflHO15tytSZYOp/kdKQECBAgQIECAAAECBAgsRuADBtO1DqbLjLZnLKYhfGYSAo9MslzO1Zpz/zaJyHGSBAgQIECAAAECBAgQmLhAWTvGbYT1Gpw78Zhy+msW+Ih8q72/efOauf2GAAECBAgQIECAAAECBMYisJcBde0D6lIQtBbWWDKkvvPYJ8kK+VZ7vj2zviayJQIECBAgQIAAAQIECBDoq0B5at5NBtW1D6ovTbJ+XxvdcXUiUG51M9uxXoN7k9yvk9a0UwIECBAgQIAAAQIECBBoXeATBtaNFBZ+vfWWtMO+CrxAjjWSYxf0tcEdFwECBAgQIECAAAECBAjUL3C8wXUjg+sbk2xTf3PZ4sAENk5yhRxrJMdOGlgsOFwCBAgQIECAAAECBAgQqCCwn8F1I4PrcrvYX1RoFx8dh8Db5Fdj+XXwOELEWRAgQIAAAQIECBAgQIDAfATKOljXGGQ3Msgui3ZbZHo+UTjO9+yd5B651Uhu3Zlk03GGjbMiQIAAAQIECBAgQIAAgTUJfMAgu5FBdpmF9c0km6wJ3s9HK7A0yZflVWN59a+jjRwnRoAAAQIECBAgQIAAAQJrFDjSQLuxgXYpYr1njfJ+MVaBN8qpRnPqNWMNHOdFgAABAgQIECBAgAABAmsW2DrJMgPuxgbc5VbCQ9bM7zcjE3hskrvlU2P5VIrCe4wsZpwOAQIECBAgQIAAAQIECMxT4AsG3I0OuL+fZLt5toW3DVdg89lto6XI4r9mDMpTHb0IECBAgAABAgQIECBAYKICv2vA3XjB4dNJ1p9ofE3ltD8sjxrPoz+dSjA5TwIECBAgQIAAAQIECBD4aYHyxDQzRpo3+IOfpveTkQj8phxqpQ951kjixWkQIECAAAECBAgQIECAwCIFvmYA3vgAvKyHdcQi28fH+ivw9CT3yp/G8+cGsxj7mwSOjAABAgQIECBAgAABAm0JnGAA3vgAvMxyuyPJAW01qv00LvCQJNfLnVZy5+TGW9MOCBAgQIAAAQIECBAgQKD3AnsahLcyCC9FrDKT5KG9jwgHuC6BbZN8Q960ljfPWFeD+D0BAgQIECBAgAABAgQITEPgIoPx1gbj5ZbNUgDxGqbApkm+KF9ay5drkywdZqg4agIECBAgQIAAAQIECBCoW+BNBuStDcjLTKz/SLJ13Y1oe40LbJjkn+VKq7nyx423qh0QIECAAAECBAgQIECAwGAEyno+nkbYrkGZxbP5YCLEgZZZQGfIk9b7iQOFHgECBAgQIECAAAECBAgQmCvwFYPz1gfnn1bEmhuCvf1zmXn1EfnRen5cmWS93kaFAyNAgAABAgQIECBAgACBTgSONkBvfYBeZr2db02sTuJ9vjvdKMmZcqOT3Pi9+TaS9xEgQIAAAQIECBAgQIDAdATul+Q2A/VOBur/nmS76YTaYM50iySfkROd5MSyJDsPJlIcKAECBAgQIECAAAECBAi0KvAXBuudDNbLTKwrkjyi1da2s7UJPChJKSxaG64bg0+srXH8jgABAgQIECBAgAABAgSmLfAEA/ZOCxY3J3n6tEOwF2e/d5Kr5EKnuXBYLyLBQRAgQIAAAQIECBAgQIBAbwUuNHDvdOB+d5JX9TY6xn9gL3QrbafxX2a8XZNk/fGHmjMkQIAAAQIECBAgQIAAgSoCxyhgdT6AL4P405JsWqUhfXZBAqVgcmKSFeK/8/h/24JazpsJECBAgAABAgQIECBAYJICW5mB0vkAfuW6S2UNpj0mGYXtnnRZLPwchatexH1ZvH23dpvf3ggQIECAAAECBAgQIEBgqALvNpjvxWC+FLLuSHJskiVDDaaeH/fzk9wk3nsT72f0PF4cHgECBAgQIECAAAECBAj0SKDMgLjXoL43g/pSyPpYkh16FCNDP5Stk7xfjPcqxkuc7z/0wHL8BAgQIECAAAECBAgQINCuwIcN7ns3uP/hbDbWeu2Gwuj2dmiS74rv3sV3uY3TiwABAgQIECBAgAABAgQILEjgCQb4vRvgr1wb67NJ9l5Qa3pzEXhIkn8U172N68OEKQECBAgQIECAAAECBAgQWIyAha3T28H+8iSnJtluMQ07sc9sluSEJHcqXvU2nr+exMzCiSWm0yVAgAABAgQIECBAgEBdAs814O/tgH/lbKybkxyfpBRpvO4rsGGSX09yjTjufRwffd+m8zcCBAgQIECAAAECBAgQIDB/gTIj4lKD/94P/ksx67okr0myyfybd7Tv3CDJy5NcKXYHEbulwChuR5uOTowAAQIECBAgQIAAAQLtCByhCDCIIsDKGVnXJzlxok8s3Hy2yP13xOygYvaYdroyeyFAgAABAgQIECBAgACBMQssSfIfCgKDKgiUYtaPkpycZJ8xB+fs3PZI8s4k5SmNKwt5/j8Mi1Js3GgCMeoUCRAgQIAAAQIECBAgQKAFAWthDaMYsKaizflJyhpDW7UQK23toqz59ZIk5UEDKxSuBlu4e0VbAWM/BAgQIECAAAECBAgQIDANgfMUCQZbJFhZ2LoryceTHJVkiwGG7cZJDp09ffE28Tj4ePx2krLQvhcBAgQIECBAgAABAgQIEKhN4CAFg8EXDFYWssr/701ybpLjkjw2SblVtI+v3Wazx85IcosYHFUMlkKqFwECBAgQIECAAAECBAgQqF3g8woIoyogzC1ofS9JKRIdm+TxHc2MWT/Jo5O8KsnfeIrgaGOtxN3lSZbW3kPZIAECBAgQIECAAAECBAgQSPIk6w2Nuqgwt6BVZmhdkuRDSX4nyS8lOSDJA2vIhPvPimTlCZdlBtipswcF3K1AOpn4el4NcWQTBAgQIECAAAECBAgQIEBgjQKnKzJMpsgwt6A1989lLa0yY+uiJJ9J8tHZ7K2/TnLK7L/3z35WZnWdneTCJN9Ncof4mXz8lHjwIkCAAAECBAgQIECAAAECjQrslOR2RYjJFyHmFrT8edhPqWyz/ZbNbhNttJOycQIECBAgQIAAAQIECBAgUATerIClgCUGxMAiYuBPdaEECBAgQIAAAQIECBAgQKAtgU0ssK14sYjiRZszfeyrf7PCbk5S1j/zIkCAAAECBAgQIECAAAECrQmURb0VCRiIATEw3xgoT7j0IkCAAAECBAgQIECAAAECrQosSfJ5RSxFPDEgBuYRA19LskGrPZSdESBAgAABAgQIECBAgACBmcAeSe6cx+B1vjM0vM9sHjEwvhhYnuRAvSYBAgQIECBAgAABAgQIEOhSwILu4ys4KCJp0zpjwMLtXfbQ9k2AAAECBAgQIECAAAEC/19gwySXmIXlNjIxIAZWEwPXJNlKX0mAAAECBAgQIECAAAECBPogsH+SZasZvNY5i8O2zAoSA8OLgcP70EE5BgIECBAgQIAAAQIECBAgsFLgJAUsM3DEgBiYEwNnrOwc/J8AAQIECBAgQIAAAQIECPRFYPMkV84ZvJotM7zZMtpMm9UVAzcneWBfOifHQYAAAQIECBAgQIAAAQIE5go81a2EZuAoYoqBJC+a2zH4MwECBAgQIECAAAECBAgQ6JvAHyhgKGCIgUnHwKl965QcDwECBAgQIECAAAECBAgQWFVggyRfVsCYdAGjrtvQbGd4tzRekWSLVTsFfydAgAABAgQIECBAgAABAn0UeGiS2xSxFLHEwKRi4N4kT+xjh+SYCBAgQIAAAQIECBAgQIDAmgReqXgxqeKF2VLDmy1Vd5v93po6Az8nQIAAAQIECBAgQIAAAQJ9FviYIpYilhiYRAycm2Rpnzsjx0aAAAECBAgQIECAAAECBNYksG2SbytgTKKAUfdsHtsbzoyuG5LssqZOwM8JECBAgAABAgQIECBAgMAQBB6T5EeKWIpYYmCUMbA8yUFD6IgcIwECBAgQIECAAAECBAgQWJfAixUvRlm8MEtqOLOkmmqr49aV/H5PgAABAgQIECBAgAABAgSGJPBeRSxFLDEwqhgoa9wtGVIn5FgJECBAgAABAgQIECBAgMC6BDZI8nkFjFEVMJqa1WO7/Z/Z9fUkW64r6f2eAAECBAgQIECAAAECBAgMUeCBSa5RxFLEEgODjoHbkuw1xA7IMRMgQIAAAQIECBAgQIAAgfkKPN6i7oMuXpgd1f/ZUU220bIkh8032b2PAAECBAgQIECAAAECBAgMWeAFScrTy5ocaNs2XzFQfwz8xpA7HsdOgAABAgQIECBAgAABAgQWKvB6BSwFPDEwqBj4o4UmufcTIECAAAECBAgQIECAAIExCPyJAsagChhmNNU/o2koph9PsnQMnY5zIECAAAECBAgQIECAAAECCxUoA+J/UMRSxBIDvY6B85NsttDk9n4CBAgQIECAAAECBAgQIDAmgfsl+XcFjF4XMIYyS8hx1j9D7L+SbDemDse5ECBAgAABAgQIECBAgACBxQo8IMmliliKWGKgVzFwdZLdFpvUPkeAAAECBAgQIECAAAECBMYosGOSbylg9KqAYUZT/TOahmJ6fZJHjrGjcU4ECBAgQIAAAQIECBAgQKCqwC5JrlTEUsQSA53GwA+T7Fc1mX2eAAECBAgQIECAAAECBAiMWeBhSa5RwOi0gDGUWUKOs/4ZYrcnOXDMHYxzI0CAAAECBAgQIECAAAECdQnsneRGRSxFLDHQagzckeTpdSWx7RAgQIAAAQIECBAgQIAAgSkIlFuYblDAaLWAYUZT/TOahmJaZl49cwodi3MkQIAAAQIECBAgQIAAAQJ1C+yZpDwJbShFAMeprYYYA2XNqyfXnby2R4AAAQIECBAgQIAAAQIEpiSwm6cTKuApYjYWAzcn2X9KHYpzJUCAAAECBAgQIECAAAECTQmUpxN+QxGjsSLGEGcNOebqs92+n6SsN+dFgAABAgQIECBAgAABAgQI1CSwfZL/VMRSxBIDtcTAd5KUJ356ESBAgAABAgQIECBAgAABAjULbJvkiwoYtRQwzGCqPoNpqIaXJNm55ty0OQIECBAgQIAAAQIECBAgQGCOwEZJTlfEUsQSA4uKgU8l2WpOPvkjAQIECBAgQIAAAQIECBAg0JDAkiQnKGAsqoAx1FlDjrv6jLH3J9mgoZy0WQIECBAgQIAAAQIECBAgQGANAi9Lco9ClkKWGFhrDKyYFXxL4deLAAECBAgQIECAAAECBAgQ6EDgWUluUcBYawHD7KXqs5eGanh3kpd0kJd2SYAAAQIECBAgQIAAAQIECKwi8Jgk31LEUsQSA/eJgWuTPGWVXPFXAgQIECBAgAABAgQIECBAoEOBLZKcqYBxnwLGUGcNOe7qM8bOT7JLh/lo1wQIECBAgAABAgQIECBAgMAaBMoaP8clWa6QpZA14Rg4JcmGa8gRPyZAgAABAgQIECBAgAABAgR6InBwkpsnXMAwg6n6DKYhGt6Z5Fd7koMOgwABAgQIECBAgAABAgQIEJiHwEOTXKSIZSbWRGKgrAG3zzzywlsIECBAgAABAgQIECBAgACBnglsnOREtxQqYo28iHVGkq17lnsOhwABAgQIECBAgAABAgQIEFigwLOSXDPyIsYQb3lzzNVudbwlyUsWmAveToAAAQIECBAgQIAAAQIECPRY4AFJ/lERy2yskcTAeUke0uN8c2gECBAgQIAAAQIECBAgQIBABYGjktw+kiKGGUzVZjAN0e/e2W2xG1TIAR8lQIAAAQIECBAgQIAAAQIEBiDwyCRfVMQyG2tgMXBxkv0HkF8OkQABAgQIECBAgAABAgQIEKhJYEmSo5PcOrAixhBnDTnmajPF7pnNutqopti3GQIECBAgQIAAAQIECBAgQGBgAg9K8veKWGZj9TQGvpCkzBj0IkCAAAECBAgQIECAAAECBAjkiCTX9bSIYQZTtRlMQ/QrTxg8Nsl6cpMAAQIECBAgQIAAAQIECBAgMFdg2ySnJFmmkGVGVkcxsCLJh5LsODcw/ZkAAQIECBAgQIAAAQIECBAgsKrAI5J8sqMCxhBnCznmemaIfTXJU1YNRn8nQIAAAQIECBAgQIAAAQIECKxN4NAk31LIMhur4Ri4YXa74NK1BaPfESBAgAABAgQIECBAgAABAgTWJLDhrLhQ1iQy04hBnTFQni54UpIt1hR8fk6AAAECBAgQIECAAAECBAgQWIjAA5O8J8ldClkKeRVj4N4kf5Vk14UEoPcSIECAAAECBAgQIECAAAECBOYrsNNs1oxCltlYC52NtTzJGUkePt9g8z4CBAgQIECAAAECBAgQIECAQBWBXWZPLCyzaRZayPD+aZmVJwt+PMk+VQLOZwkQIECAAAECBAgQIECAAAECixXYI8mpScp6RgpTDObGQJlx9XdJ9l1scPkcAQIECBAgQIAAAQIECBAgQKBOgbJG1glJblbImnwhr9xeWoqae9YZYLZFgAABAgQIECBAgAABAgQIEKhL4H6zpxZ+RyFrcoWs65OcmGSHuoLJdggQIECAAAECBAgQIECAAAECTQpskOSXk3xFIWv0haxLk/zvJJs0GVC2TYAAAQIECBAgQIAAAQIECBBoUuCRs5k5NypmjaaYdefsiYLPTLKkyeCxbQIECBAgQIAAAQIECBAgQIBAmwIbJzkiyVlJypPp5i747c/D8CizrY5Lsk2bgWNfBAgQIECAAAECBAgQIECAAIEuBB6R5B1JrJXV/8LVtUn+OMljuwgU+yRAgAABAgQIECBAgAABAgQI9EFgr9kTDK8wK6s3s9Jumj1J8NAk6/chSBwDAQIECBAgQIAAAQIECBAgQKAPAusleWqSP0lSZv24rbBdg1K0el+SZyta9SEdHAMBAgQIECBAgAABAgQIECAwBIEyM6ust1TWzLpHQauRgl5Z0+rEJGUx9g2HEBSOkQABAgQIECBAgAABAgQIECDQV4GyaHhZAP6UJFcrZi26mHVbko8nOTrJTn1tbMdFgAABAgQIECBAgAABAgQIEBi6QLnV8FFJXpnktCTWzlrzrYal2Pe3SV6dZL8kS4fe+I6fAAECBAgQIECAAAECBAgQIDBUgQfNZmi9O8lXktw5wVladye5MMl7k/xykl2H2piOmwABAgQIECBAgAABAgQIECAwBYEy02j3JOUpeickOSNJWe9p+UgKWzcnOTfJSUmOSvLYJBtPoWGdIwECBAgQIECAAAECBAgQIEBg7AJbJNk/yZFJ3pDkz5P8W5JvJikzmPry5MN7Z7dGnj17MuCbkrw4yZOSlPXAvAgQIECAAAECBAgQIECAAAECBCYoUNbW2jnJAUkOSfLSJK9L8rbZ4vF/l+ScJBckuTjJt2b/3ZCkzIi6dU4B7PbZz26a874yA6x89nNJzkzyl7MnAP5Wkl+ZzRYrBapy69/6E/R3ygQIECBAgAABAgRGIfD/AIaOsBxeuiLQAAAAAElFTkSuQmCC"/>
+</defs>
+</svg>
diff --git a/ui_src/src/connectors/assets/s3LogoIcon.svg b/ui_src/src/connectors/assets/s3LogoIcon.svg
new file mode 100644
index 000000000..1312b04a8
--- /dev/null
+++ b/ui_src/src/connectors/assets/s3LogoIcon.svg
@@ -0,0 +1,10 @@
+<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+<circle opacity="0.2" cx="10" cy="10" r="10" fill="#E05243"/>
+<rect x="3" y="3" width="14" height="14" fill="url(#pattern0)"/>
+<defs>
+<pattern id="pattern0" patternContentUnits="objectBoundingBox" width="1" height="1">
+<use xlink:href="#image0_9050_755" transform="translate(-0.0909091 -0.0909091) scale(0.00461648)"/>
+</pattern>
+<image id="image0_9050_755" width="256" height="256" xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAQAAAAEACAYAAABccqhmAAAgAElEQVR4Ae2dCXQc1ZnvFRLOyXmZc16YSWLAm9QlS7aFrS5JXoQXSVXyFryoSpaNWRICJAEmLwPJJGFLYjIY2+q2Dd6wIYAhhNUrGMzkzYSZyQKT2MkAkwdMsLplY2MMBsu7tdT3znerbqtUrpZackvqLv11Tp/qqi5V3fuv+v/ud++tujcnB39QAApAASgABaAAFIACUAAKQAEoAAWgABSAAlAACkABKAAFoAAUgAJQAApAASgABaAAFIACUAAKQAEoAAWgABSAAlAACkABKAAFoAAUgAJQAApAASgABaAAFIACUAAKQAEoAAWgABSAAlAACkABKAAFoAAUgAJQAApAASgABaAAFIACUAAKQAEoAAWgABSAAlAACkABKAAFoAAUgAJQAApAASgABaAAFIACUAAKQAEoAAWgABSAAlAACkABKAAFoAAUgAJQAApAASgABaAAFIACUAAKQAEo4K8A5eR8xv8XbIUCUCCwCrDxn6vL+azMINXVJb7LbVhCASgQMAW8xt85ecxFu0tLL5TZBAikElhCgQAp4DX++jHDLloaHn7XQ+NHvbfX0HbvM/WF7uwCBG418B0KZKkCXuOvLBryt9Fw3p1RVTm4pjSfNowrPLW/tpo+WjCdGgxtdwwgyNIrjWRDAZcCyYwfUUMH15aNoFUlCi0Ph9o2jCs82mBoZ+Km3naobhodrgMIXDLiKxTILgVSMX5EVVqiqtJWHw5xBNAUN7SWRlOnmKG1xk299UOAILsuOlILBVIxfjSstETUUFtUVSiqKpYPAKyYqVsxEyDAHQUFskKBbhs/rFhRNWQlBYChWXGOBgCCrLj+SOQAVeA8jM+lf9IIgM0fZ/MDBAP0zkK2M1qBNBg/FQAwBACCjL4TkLgBpUAajd8dAAAEA+ouQ2YzToFeMH5PAAAQZNydgQQFWoFeNP75AAAgCPRdh8xlhALul3Tkk3vuB3g6dOe1t+pLY6e69O0GdOr+0uhdLbvfWLh48QUZITISAQUyWYFeNL4ERDoAIAHRbRBksvZIGxToNwW49K8vUX4YUUMfyEd201TiS+PLZToBkBIIYrX6n+M12iwWl6s4/SYyTgwFMk0BaYj6cbkXr1AVeqAknyJhpTnx5F7PQ31peO+yNwDQGQjOnlg0i2JG1auZpj3SAwX6XQE3ACJhpYkf1omw6dNvfAmC3gTAOSCIm1oLv2wUr9Vf7HexkQAokGkKdARA6ARHAQIA9lN70rTpXPYFABIg4JeM+JXjmKm9lGnaIz1QoN8VCDgAGAQCAHGzGgDo97sNCcg4BQCAjLskSBAU6DsFAIC+0xpnggIZpwAAkHGXBAmCAn2nAADQd1rjTFAg4xQAADLukiBBUKDvFAAA+k5rnAkKZJwCAEDGXRIkCAr0nQIAQN9pjTNBgYxTAADIuEuCBEGBvlMAAOg7rXEmKJBxCgAAGXdJkKCBoAAbT5qvP/Mr08CvA0fCgXsZKGPfBZC69+e1x7n7QQG+8O6htzgJPCOu+PTDYBXyRgQAevdmkNd9cU5Oh6HJMBty7+qeMUeXN4BM0NbxI//unbmTLpXr7mVfAgEAcCufvu9s9MWVlZ/zGp7PUJeT89knpo7N211aeqE8I0AglQjY0mv89WOGXbSsOO/u9eMK391bU3W00dR/Eze0SIOpz99bVz3ML/u0ePEFVFn5OWlWv316uk0eExFATxW0/08aXurpPtrG0tILlxXnF0XU/BtWhpWNS4vz3ny8fPSxRlP/Y8zQr3TvCxC41cji717jy8E2o6pycG1pPq0tKzjVYGhtPFjFpwtn0Afzp3F99WTM1P4Qr9FWN9Tq17xXV5nvd0MkgJCGkW7lDQsApH6zsWadGX5xZe7n60vzS6Lh0C2RsLIpWqK8wzMjry7Np/VlI4gHXXlsYtEpvuZ8/RsMbXfM1Be6U+B33d2/43uGKpDM+O7htevDobZ1ZQWfNhja2bipt8UMrTluam37TJ14+CoGAk+VHTP1M7Fa/c2YqW+Mm/oNjbVVRbu/1R42Sgn4nCJC6AEQAACpYvKlvKYc0vvttW706L+JqPnl0ZL826Kq8kw0rMR4GvQ1pfm0rmwE3V+SL0ZUiqih1qiqNC8rzrM2lY8+ETf1szw1Ol/zw3UAgZ+2WbXN3bgnS3y38XmU3aiqtEbCIVpXVnC0wdCaG3lGXEOzYobOs+NacTFFtgBCK//GpQQDgUuKuKm3xA3t3ZihPx439VviplYSu67y816R3ECQBvfuI9fl74gApCL2yMF8Ld3Xs/3XnJxV4dwvRsL5lfVq6Pb6ktC2SFg5wGMp8mjKa0tH0KoSMQkqRcOhloh9zdsiqhxnUbGWF+fRpvLRJ3m0IjEjsoFp0d36ZvX3ZMZPjLKrKpYfAMSNYAPAnibb0C17qmw7QuCSgoFwcH41fbJwBn0sxrnT22KmHovV6M/EjOrb4oZefriu8m/8BBQRAvc2eHoa5PpABgBr0JnhV6v5X46W5M9YEQ79NFKs7IqoymEO47l051J+pWN4YXY2fFhp42nQhemdGZF5Xc6O7AMA51p3DQK/a4ttGaAAlwrRcN6d3hI/Yfz2UXaTAsA7O44NAE0AIS4jBENrixsiEmjh/Q/Mr6YjC2bQkYUzOEKguKkdiJv6tpip3xGbX10Zq6n8op88XMfkz+LFdrdUUAHA4LSjJ3tMQDY71987M/yq0uGXRML586Jq/tJoifLraFj5dKXb8MLUIUuU8KrCpXxbVA2xwRMmd333DqjqFwF0OsFJzNT2NBpanYS13/XEtn5SQNYLIyXKtx8aXyAaeLqYUCNlAHiBYFcRRFWB2wcSEYIbCO/XVovogKMEblOIGdrhuFG1K2ZWL44Z+syDcyq/5CfVg+UFg6Oq/SBQJzev92buyXpfjgrM+bdHBTaqdvnlm00VVfOGR0ryF0TU0IpoWPl9NKwc5zCeG+y44Y7NHwkLwzdHwwrX49t45GRZwjtLaf6uNPEFgHOtzwWBobcwwERVsaYyl/MAEPhdyX7aJgGwQg3dzDdLRA01CwO1l/jeG+J8AOCU8lzSi4/TbuD+rrXZbQUiSrAYCHwDcTsCf4/Xap/EjapXY6Z+X6xWr3l3tjaYpbs0J+d/RcKh44mbPRjDgot2E87/vtrqbZxPvl4rikMFUTX/2khJaF1EDe2JhJVTPCEKG56XYmh0NcT19uaIaLOxQ3oXGFM1u/fa83pnAEhcV24X4mvMbUMxU7Pihn5yX42mcB4AgH4yu99pJQCiaugmrg/aDX0iHPS7+OIGSNYG4FPiyxsitaWsJvCNY2p2hCCqDFor9zTwTbW/tlq0OB9dOEO0J8RM7cQ+U//Nm3OmblyhKqdlPdVZJsvD+Wzv6wig7dD8afTm7Mlv16uhDVFV+UtUVc4yrLkOnzB8ONQWDSt2Ce+dGIVL//QBMRUAyOvNxrc4kosb+ulGUw8BAH4u7MdtEgAcAQgAqKKlv7MbJp0RgLxROlvabQiigVH0MrRxT0PM0Jvjht31yCUkNy5yd1V9em92P1D0NQA48mn746zLRYMd51GU8OFQK0dr3DXnTIRiRex6vIB0Gg3v1aA7AGDjAwD96O8uT50FAPDAwWlUbI8QrEZTb317bkXLqpJ8ASdXqOu9edOx3tcAENWg12de3lYfDnE3rGihl3l0TN8ZsNORZ/cxAIAuXZVFO2QfABLtBwIMXC3gBqa351ZYDID6cIhv1l4xhGhIU5UEANzPQZx39cduE/HAzn7Ggts+XptZzueV+ZJLtzH76jsAkEX+7jKpAQCAaGF+e24FrbKrAGk1Ard3cDgtWs0duCwPh+jBcYXH9tZUtcQMzXkQih+Gkg1fvK0jqHoKCD6+AwCu3qQ1bz2sJgAAXboqi3YAAJyn3pxGsnbDh7jrzPuxVqiKxT0ND08Y+cmhumlnP6zjFnq7a7PB0Pi5eAZC4mO3hNvrPYEAAJBFZsrGpA50ALQbXvSVew0vSlw2/KoSu1qxrDhk3VU07NT3C4ce3Ti+6Pgr2rgzb82eyqG7dahumvVB3TQGggjl0wEEACAbXZVFaR5oAGg3/DmluzA/h8WO4YX5lxWH6CdFufSPhUOtW5TBdN3wi62rhw1qvXroIJo/+EvWoqFfab0x7xK6a3SetXF8kfVSVRm9YQNBvBjFQOCuSy79ewIEACCLzJSNSQ06ADozfFS169T8LLx8AcZleLqZDZ97MV07bBBdNXQQXT1skMXfvzb8Yv5Y1w2/mL4+/GK6Ztgg68ohX2Eg0KKhX6Eb8i6hO0fn0YPjRtPOShsIMVMjhgG/OdcdIAAA2eiqLEpzUAHgU3+nZIb/cVEufb9wqG1429DS8ML80vCuJYPAYgg4HwYBA4HXGQjkBsL1uZfQHaNyaf240fRCZRn9+Yopoo0gFSAAAFlkpmxMahABIM3vZ/ilxSH6cdFwYfib7JBeGNYp4d2GlyV9Yukq/RPbHCic838cGXCEIIHAkYGMEBgIPxqVS+vKRtOOilL6kwTC/HMjhL01VSJieG1mOXoBstFgmZ7mIAGAn5Lj+jsvuUuQ6/Ns+LuLhtP3CofSTcqlMmQXJTyX1N0xtTR7T5YSCE6VQVQVGAgcKXwj9xL64cjhtLZsFG2vKKU9X50s2gt4LAWuMhyqm06vz7wcAMh0M2Vj+oICgHfmVopGvLtHD6MfjBxK3x0xhL4Vsg0vS+HOzM77dPV7T4zf8X8S7QcCRLINgc/LEULd4C8ngPCPhcPpgdKR9PwUlfZ8dQr9bgYigGz0V8anOQgAkC3sv66eQI9NHENLi0fQrQXDRMnKpfyCwV9OmOtqV6kvDdjRpOkFwbXD7GqA9xxync3PH06n9/O14YPoJoUbFIfRSjksV/8/DIQHgTLe1d1IYLYDQD5ow8sD86cRP5jDT85xl9tbc6bSv1ZPoGcmh2lN2Sj6SVFINPRxGC7r5AuGfFl8Z/OxKd2hujSpXHYWIXT2G/+/2+jchchtDnxOPh/3Gvx9/mD6XuEQYfafjcklftqQX/rh3gmu1rS3a9jfe/gUXzqeJAQAuuGvjN812wHAreQSAmz6vc5TeLyNH8jhtwQZCs6oxfTuvEp6feYk0Rr/yIQxtKy4gL5fOJy4YY4NyWG4rJuzUdm4HiiIln53D4DsCXCDgo/F0Ya7cZG7FL8dupS+O2Iw/XDkUNEYuWRsXqJuL7sj2fjS4G7j8zZel7/10xIAyHhXdyOB2Q4ANroEgFwyFORHQoGX/Du/OMQRAnfBMRi4T56h8ebsqfQv1RPo6UlhWl06in6cJFq4auhXLCdasK4ddrF4LoCfA3CX6gwCLtVv4VK9YAjdMWoY3XNZLvEzBmxgd8kuzS6NnmyZIeZn+AAA3fBXxu8aFABIELiXEgJeMDAMJBhkBGFHCzYU3NHCayJaKKVHJlwmooXvFQzjaEFAgKMD7vvnxsaelOp+ZpdG59/6qYTv6rwAQMa7uhsJDDIA3DBwf5eml4CQSwmFTqOFGs367zkV9EJl6al7LsttdUp1fkkoUV/PwlK9K9O7fwcAuuGvjN91IALADQP5XUKA1+V3XvpECxZHCO/Oq2haVaLw+IlsDjEQiV+JLkty+VuGlupug3f1HQDIeFd3I4EAQPL39mMODDxQEOMSvjl7SlNUDKktQvUEAGQIHwCjJwMBANANf2X8rgBAcgDI6MC95EE/uBHxrTlTBQCcx437c4SeZEbtre0AQMa7uhsJBAAAgG5GKwBAN/yV8bsCAAAAAJDxNu29BAIAAAAA0Hv+yvgjAwAAAACQ8TbtvQQCAMkBwN2Anh4A7iIUvQBvzZ7atMKeRIUb2zo0Asquv24aq7ca7dJ9XLQB9J4d+/7IAxkASQzu+xyAfDaAB//kl47+MqeiqT4cauahup35AoTR+CEg+SBQMgBkOSAAgL63ae+dMcgA6KHBxfsC+2qrxTsDbPaD89vH8dtraNZ7NVX0n7PKT2wcX9hyf6mYqktMFrK0OI+WjM2l+8byc/95tLw4JF70cRs+AIAAAHrPjn1/5GwHQFcml0/yuUrwTg3O+/Mbg2/MnsKz8dCvq8fTzsoSen5KMT1RXkQbx48U8wI8NH5ky3s1VdZfa6p4X+t1Z9+Xqkpoc/u+YnQiNj1HCucAItw9QLhBkiy66IPtAEDf27T3zhg0AHCdnd/4S1aCs8H/x2vwqg4G79S0PD0Xl+4bx4/kWYHExJf7TF08HOSNFro614bxhZ2ei8cEcKoYiXp8BkAAAOg9O/b9kbMdALKRTj6t5zZdj0rlLsJ2nhmIjckAaGifCoynBUu8N5CuaGPDuHZAsPGl+eWyD0r7BHhc5wIA+t6mvXfGbAcAm41LfC7Vf3n5ZcSmecCul/uH3V0Y3HWjd7j5XaZLCgAJIwkA75LhxB+5PZVohasjPLLRy1WlIj/J0teH2wGA3rNj3x85KADgyUHZpByee8PmNDe8+QJARiDJlmz6ngCC/4ffPvzDrEkAQN/bI/hnDAoA3plbIerTrpI6WQneYXsPSs4eASAZGOT2ZIDgiIFHLcK8AMH3Yr/kMCgA6K3pwX0A0SsAkCDwLhkMmB68X6wxME4KALQPwOljdr9oAQAozqNN5aNPxk29lYHFvSFecCXWDV30lMQN/XSjqYfYVZST85mB4a4syCUAAACkCD4JQzQCZoGvU04iAAAAAAAp2yV4OwIAAAAAEDxfp5wjAAAAAABStkvwdgQAAAAAIHi+TjlHAAAAAACkbJfg7QgAAAAAQPB8nXKOAAAAAABI2S7B2xEAAAAAgOD5OuUcAQAAAACQsl2CtyMAAAAAAMHzdco5AgAAAAAgZbsEb0cAAAAAAILn65RzBAAAAABAynYJ3o4AAAAAAATP1ynnCAAAAACAlO0SvB0BAAAAAAier1POEQAAAAAAKdsleDsCAAAAABA8X6ecIwAAAAAAUrZL8HYEAAAAACB4vk45RwAAAAAApGyX4O0IAAAAAEDwfJ1yjgAAAAAASNkuwdsRAAAAAIDg+TrlHAEAAAAAkLJdgrcjAAAAAADB83XKOQIAAAAAIGW7BG9HAAAAAACC5+uUcwQAAAAAQMp2Cd6OAAAAAAAEz9cp5wgAAAAAgJTtErwdgwKAd+ZW0P0l+RQJh+Q89oml37Zu3vSJY0VVxVoeDtHG8SNbGgzNips6xZwlf+/pJ2ZofByKm/ZSrjcYGu2vrabXZpZTvU/eziMf7jx157u1vDiPNpWPPhk39dYu82/o1j7WxdBPN5p6iB1EOTmfCZ6TsjRHQQHA23MrxE28rDhPQECafoWqkPwkM4vcN9nvnu09AoA0tGMYYXa5TS7Z7PLD2yRMDs6fRn+YdTkAkKUey+hkBwUA/zOvkh4vL6K1ZQW0siRfwGB5cYjuG5tLS8bm0tLiPGI4cCnKhpeml3DgpcfoiXW5r/O7LwCkiXticC4huZR/v7aa2OwH5lcTb+Nj/rWmit6ZV0n/rJUBABntpCxNXLYDQBpOLvfWVNH/m1tBe746iX4zfaIwzvYKlZ6aNIYemTDKBoSqCAAwEBgODAkGBIe2EhASBhIQcj1ZFYDNKktvXrpL8MZzDD6N9tXaBpfp3e1K77aKsEjvzyeMojWlI2glw8kFLQ+QEqBypbE3t6EKkKVe9012tgNAGk0uGQTnlqjTEiXqezVV9Jc5U+mPsybRf0yfQK9opbR1aph+OekyenjCKFrtGI5N5geISDgkDCDbANjcjaZuuUtwLsV5ndO019CIqyd7vjqZfjtjIv1KL6MdFSo9M3kMPTrRARJHLGFFAKiriKWfzc9gAQB8nZSlG4MEADac+5OsRJaAOOCE3Bx6s5F5fw65/3vOVFHn/vdpE2iXVkpbphbTk5dfRg+NH8mAsNiEG8ePbOVGQP6fd+ZVWn++YjL9fkY5/Ys+jl6sVOnZyWPpsYmjaf24AlolqyTh86uSZID5AYAs9XnSZGc7ALjE9/tIEMiqgVx3L/0AwSBIAGL+NFEn9wDCYkD8dvrEk4+XF7VsGFfIBrc4/Obqw31jnWqF0+bAPQZsXGleWaXoRptDb4bzPTk2IoCkbsrCH4IKAD8ouLcxCDqDA/8uASGh4fy/9cH8adzO0LS8ONTsGFxEBQyBABi8KygAAFno86RJHqgAcMPA73sngBD1/TdnT21aoSotTsObiABkI5ws7eV6wJYAQFI3ZeEPAIB/FcIPCryNH/rhKsFbc6Y2RQUAxINHHQAQMMN7IwIAIAt9njTJAAAA0E1gAQBJ3ZSFPwAAAAAAkIXGTVeSAQAAAABIl5uy8DgAAAAAAGShcdOVZACgawDIHgHRCGjq1vvzp9FbcyuOrSzJP6cXIOA9ANwgiDaAdJkvE44DAHQEQMzvwaLaaorzh3sBaqqs/UYVvTljYtOyoiHNy8fm8kM+ohdgRekIWiGe+rNfRpIla8CgAABkgnHTlYaBCgB3qZ7o8pNGd57jj9VUUWxuBTVcMZkarphEsZpKis+fZr3/dYMavnPdqadrZ7SunxKmFSUjrGWXDaN7Cy+hJaMGE3+vL84T3WcMhHYwdHzjMEvBAACky3yZcJyBAIBOze68dhubV0mxOVNso8+ZIkr7xoWzaP83r6SDP7iZPrz3Dvp4bT19+ouHqWnLU9bxF56n4zueoyPP/cKKP7Sa/rzkLnr11m/R1mtq6JHp5XT/+JEU4bcNR11K9468hJYWDSUnWqBodkMBAMgE46YrDUECQKdG95bqs51SfZ4o1WnftfPowHe+TofuupU+itxDRx5aTUeffZyatj1Dx3ZuoeO7ttOxnVvp2AvPW8e2P8vbLf4wBE7u3GKd3rWdzv7zC/ydjm59mj74xcP09sol9Ps7/oFe+uYienKeTmsnjRXmX3bZUBEt3MfRwpjhHaOFkhFiH1l9kMsMihYAgHSZLxOOk+0AiBl2HZ7NL+rvsq7O66JUn2qX6rOn2O/oL5hJ+29YQAe//2368J9up49XL6NPn9hITVt+Scd2PEfHX94mPsde3CLWHbNT09an7Y9t/AQAGBAMAjb90S1P2cDY/iydeOF5OvXSNgEFhgMf5+Nnn6CGDffTnp/dQf/63Rto86I59HD1BFo1rlBAYMnIS2mJEy3U220LdrTgvE2YIRAAADLBuOlKQ7YDQI6hx/X4xnmVdn19zlTxIk/jVbPp/Vu+Rh/c+Q90ePlP6cjG++noM5tsk77olOoviVKdjm1/Tmx3Gd1etw2eMLaICLY/KwzNppaAkEsHCGJ/CQVe8u9OtEBndu0QYDjx4mb6dMtTdPDxjfSX6D/Rb3/0f2jn9QvpF3OqaE35ZWIQkKWjh9C9Iy+lZWNzRZsCQ6CfQQAApMt8mXCcbAeAbLXnkXX++o1a+nDxD+jYhpV08plNdJzD9x3PUdPOLdTE4fuLm5OV6h3M7jYzf+/JR4LAfSyxjSMF32hhK53dtYNOv7RNpPHI5iep4ZF1tPveu+hXN3+NHq0qE20KskrQj0sAIBOMm640ZD0ADE0M5sGj7qyZWERPzNPpV3//DfqvJXfTwcc2iLCdTXX65W0iLGdDug3oZ9SeGL6z/+FznAMCjiy4WrHtaWpiyLzwvADV0R3P09HNv6Qjj66jw5F76NAd36XD376K/vOKyRgTMF03PY7TrkBwAFBJK3lADg6ZCy6mZUVDaFVZAT0+czK98s2r6E/33E4HHl0vTHfm5e105pUdxCF4Aghb7fp7OoDQmeGPOVHJca6CvLydml7cLAz/0c/X0Af33U37b/smxa6ZK6owe6+YRO/Nupz2zauk12ZMBADab1t8S5cCwQFAhRh6K8KDcpTaLencFy/650deQsuKhgogbJo5iXYJIPyIDjyyzo4QzhMIPTL8w2z4u4Th49fOI27MbJg9mWL84Z4JHrCEey7MauInDzEvQLrueByngwKBA4B38gynz5373r1AWFlWQI/NuJx23biI9iz+Eb2fHAjW0a1PcbcftxWI7r9j258VS7kuftv6tOVfwj9JHz28mj5Ywoa/keLXzE1qePnEofPYsei54PEHAIAOty1W0qVA4AHgDKmdaDRzAYEf1JERwtKiIbSy1AbCywIIP3QBYZusMtjPANgNeVZTR8NbHNJzQ+PRzS7D3yoNr/mW8H6Gl+YXS0MT8wUAAOm643GcDgoMCAB4Jv3o2I1mP6rLEUIk7AXCCHp0ejm9fMOV1u7FP7D2/3wtVxnaTu/a3nb2lR2iDn9s55bWo5uftD5+aDUdWnKntf/WGy27hE/N8CLU56cR/d5BcJ5SRATQ4ZbFSjoVGIgASEQDDhhSAIK1tGiItbJ0BD/m2/ziDQvPvnHvnScOL/vJ6YO33Xi28Zq5LfwgUsPsyVaMP646vLeEZ8MnMzuX+N4PHxcASOcdj2N1UAAA6PiCDsMhORBC1vIxw8Wz/WuK8z5tuGLy2cY5U2SjnSXM7jyJmAjjXXP8ec2dyjoA0OF2xUq6FQAAzgWAT4TAr/var/zyHAAl+bRxwqhjcbO6pVG01Ov2LMGmbsUNzepOCd8VBACAdN/xOF4HBbIbAJrFBuGpud6eW2HxBB1O6d1bo/QKEPAEIBvGj2yKGVozTySSjunBk4FAjkL82sxyq94Zd8CBUW/l0TsKsHcdTwJ2cFCWr2QZAERJG+eSVny0tpihtTaaevPbcyvaeAouxyS9aQ42Im0YV9gUN7SWPgKA9frMcs5ba1RVmqOq0hoJi4jEiqj2YCRy6Y1eemEdAMhyz3dIfsYCwNA5lHZCaxFW83pb3NS5wa2ZS0aegPPDuml07MqZtNeoElN0day/dx3e98AgfQ0A2Qho3V+i0PqyEfQAd2VyW4UaaouGleYog4GBIKBgAyHaHi14S/DzXQcAOjgoy1ckAKJq6KY1pdwVxrPdhCynhPG7WUSYva6s4GhDekNgp1QXLeGJEp5L2biht3DdmlvDP1ownZnDymcAAAmISURBVD5dOEOYIl6rfRIztH9735z2sz/Omnz9ClU56cy5F6QIoPXDuun07ryK3y0bm3tlRM1fv0JV9kTCyikGgQBCaTsQImqoOaIKILR5qgrp0qQ7ALDihm5xlBQ39FONph5iu1BOzmey3DbBSb4EQKRY+Y4DgDPt5vcFQboAkDB8zCntRQlvm72F68Rs+I8dw++r5b5y7XDMqNoVM7Wfxgx95sE5lV+SV2LsoJwvRNTQCVEy9l7px0Ds0wiAIx6GXqOpvyDzygaKqnnDI8X5CyJqaEU0HPpdNKwcW+VECKtL82ml3ZvBIG+OCqgrHC1YEacx0wMHP9An25YKAKy4qYnoLW7obTFTa4sbevP+uZX5nAcAQF7JDFg+V5fzWU5GVA0tYgDwzRNVQ20cCSQBQY8AwCZ36u78GKz83iZKeFMThj8wv5qOLJxBnyyc4fSHawfiprYtVlt9e2x+deXeuur/7ZVM3kwPlhcMlgBwbu5kN/D5bu9TAHAbBwMgVqO9xHmX18urw6rS4ZdEwvnzVqih+6IloV9Hw8onDIF1ZSOIr6sAArcXhEMtEXtOQztCkLAUVQin+uB5cMpTTeoMAO3Gt9toRBvJ0Sv5empH9s2ddimnW14zbx6w3s8KLC9WqiKq8gqXJHzTSBDYdUvRP85hZKoAsOvwhia7xuw6vKE1x03RcEcH51cLs3Mpz6V/zNRjMUN7OmZU3xYzqyceunb6F/wkocrKz1Fd3Wf5RpI3U/243IslAFyl3Pma3e//+xgAegcAsB4y3wyDZECIlhZ8KVqSPyOqhn4SDSsvR1TlMEdHEgh8jdnYAgYdIgQJAbH0qzYkAUCixOfrLYzvgPxU3NTW76+zS3+/64ltGaZAZKyiuUHgNDa1OCDwBYBTqtulO5vebsBrjZtac8zUuaWeeFptrr8frpvOJXxz3NDfaTSqNsVN/ZZ4bbUau67y814p+GZ/lQ2/ePEF0uzufeS2oAMgXlMtIgB33t3fWYfOgLAqnPvFSDi/sl4N3V4fVrZFVeV9BsDashHiI4HA1YWIGuL5DpwIwX7+wQG/KACWF+fRpvLRJ+Om3spVNdENylGdn/Frp41wpxPfM1gBvoGkoTiZviBQuWoQIm8jYMwULfV8QzRznW+fqdOhOtvw3FIfM/UzMVN/I2bqG+NG9fWNdfro3d8qvdArB59flPCLF1/g/c1vXaZ3oAPAqw3rsjgn5wLZxuP9PTJ20BdWlORPjIRDt0aLlaejaqghGlbaOPLjKOF+OQ4hNyjaXY+JRkU3AGzzu0p8Q7dLfJfxRbSW4vX0phPr/aCAHwiirqoB94OvLSs40mBoZ5xuubb9tbrokju6cIYo6eOmfjJm6n+IGfoDcUO/el+NpnAp7s2OKNmdEt77WyrrAEAqKtnVBgkEqZn7PxdX5n5+RXG+Wq+Gbo6ElU3REuUdnv6c24QkEJweltZlxXmtm8pHH4+b+hkGPbfbcCu/CPWdhj4+NozvVjgLv/uBIKIqu7hBaW1ZQRu30jddOZMO2ENuN8UM/T/ihl7faOrz35s3fahfloXhnfq73+/d3SZvZkQA3VUuJ6czIGwsLb0wquaPXlEcuj6ihjZEVeWNqKqcYSBwlPDYxNGWaJw09NMxruPD+N2/ANnyH14QLBk7TH9wXOHm92qq/u8+U/9Z3Ky6omGuPsgvP6IUSKPhvecAALyK9HxdAoGX3qPwtvrSfGVlOHTVfWOGr37i8qLfNNZWP+hu3EOJ71UtYOteEPhlr7cN7z0nAOBVJH3rrC1fcz8gSN35bDB++jTPiiPxTSETKlroe7GEl+dJtpQ3IqoAyRRK33YJBHn9RXXOp10nfWfEkaBAFwoAAF0IhJ+hQJAVAACCfHWRNyjQhQIAQBcC4WcoEGQFAIAgX13kDQp0oQAA0IVA+BkKBFkBACDIVxd5gwJdKAAAdCEQfoYCQVYAAAjy1UXeoEAXCgAAXQiEn6FAkBUAAIJ8dZE3KNCFAgBAFwLhZygQZAUAgCBfXeQNCnShAADQhUD4GQoEWYGAA4DH2RODgnY1JmCQrzHyBgWSKtARAEqTM9KtPWWWPX2W38i+57OtL0YFFiMpi/kCDb2Fx1SMG9qLSUXAD1BgoCogAcDj4vOYdTxbDs+OwwNc2jDgsfATI9uej/Hl//YmANqNz6MqG3przNDOnlg0i8fce3WgXmPkGwp0qQAPUhFVQ7dHw8qHPNT1yhIxdx5PgiFAIIc0Zyic56c3ACCHUefRk23jm1orj6oshlA39P+Km9VXsAgSeF0Kgh2gwEBU4L7xI/8uWqzcHQ0rhxgEYrx7Mda9BEHSCS9SBUM6AZAwfmIeBcNl/Br9T7EabdFAvI7IMxTotgJyqCr+RwmCiKocbAeBmBbLrhq4Z9LtXlSQDgCcY3yeAixR4jvGd5f2fkOqd1sg/AMUCLoCbBo3CFYWDfnbaDj/TjcInBmQXVUDOR1WStWD8wFA58Y39T/FarVFHYxfV5cYfzHo1w75gwJpU6AXQdATAMD4abuyOBAU6IYC/iDIuzOqhhJVg25GBN0BgCWmzpLz5/Fceu5QHyV+N64kdoUC56FAGkGQCgDajW/q/J3nTGyv48P453El8a9Q4DwUSAMIOgNAR+ObtvH5QR5nRuQ9qOOfx8XDv0KBdClwHiDwBUAi1OcS32P8BlPbHTP1he6082w67nV8hwJQoB8U6DYIVMUfAH7GN2D8frikOCUU6L4CqYNAaePp0TeMK2yKG1pLo93AJ+r4MtRvgPG7fwHwH1AgExRIBQTLw6G2DeMKjzYY2pm4qbfJB3hg/Ey4gkgDFEiDAslBoBxcU5rPEcCp/bXV9NGC6QTjp0FwHAIKZKICXhCsHzPsoqXh4Xc9NH7Ue3sNbfc+NO5l4mVDmqBAehXwgmDn5DEX7S4tvVCeBa36UgksoUCAFfCCAMYP8MVG1qBAMgUYBMl+w3YoAAWgABSAAlAACkABKAAFoAAUgAJQAApAASgABaAAFIACUAAKQAEoAAWgABSAAlAACkABKAAFoAAUgAJQAApAASgABaAAFIACUAAKQAEoAAWgABSAAlAACkABKAAFoAAUgAJQAApAASgABaAAFIACUAAKQAEoAAWgABSAAlAACkABKAAFoAAUgAJQAApAASgABaAAFIACUAAKQAEoAAWgABSAAlAACkABKAAFoAAUgAJQAApAASgABaAAFIACUAAKQAEoAAWgABSAAlAACkABKAAFoMCAVuD/A083ZjRVZgfaAAAAAElFTkSuQmCC"/>
+</defs>
+</svg>
diff --git a/ui_src/src/connectors/index.js b/ui_src/src/connectors/index.js
new file mode 100644
index 000000000..e30de359b
--- /dev/null
+++ b/ui_src/src/connectors/index.js
@@ -0,0 +1,12 @@
+import S3LogoIcon from './assets/s3LogoIcon.svg';
+import KafkaIcon from './assets/kafkaIcon.svg';
+import KinesisIcon from './assets/awsKinesis.svg';
+
+import { kafka } from './kafka';
+import { kinesis } from './kinesis';
+
+export const connectorTypes = [
+    { name: 'kafka', icon: KafkaIcon, comment: 'Supported version: v1.0.3', inputs: kafka },
+    // { name: 'kinesis', icon: KinesisIcon, inputs: kinesis },
+    { name: 's3', icon: S3LogoIcon, disabled: true }
+];
diff --git a/ui_src/src/connectors/kafka.js b/ui_src/src/connectors/kafka.js
new file mode 100644
index 000000000..5271ecef6
--- /dev/null
+++ b/ui_src/src/connectors/kafka.js
@@ -0,0 +1,187 @@
+export const kafka = {
+    source: [
+        {
+            name: 'name',
+            display: 'name',
+            type: 'string',
+            required: true
+        },
+        {
+            name: 'bootstrap.servers',
+            display: 'bootstrap.servers',
+            type: 'multi',
+            options: [],
+            required: true,
+            placeholder: 'localhost:9092',
+            description: 'list of brokers'
+        },
+        {
+            name: 'security.protocol',
+            display: 'security.protocol',
+            type: 'select',
+            options: ['SSL', 'SASL_SSL', 'No authentication'],
+            required: true,
+            description: 'SSL / SASL_SSL / No authentication',
+            children: true,
+            SSL: [
+                {
+                    name: 'ssl.mechanism',
+                    display: 'ssl.mechanism',
+                    type: 'string',
+                    required: true
+                },
+                {
+                    name: 'ssl.certificate.pem',
+                    display: 'ssl.certificate.pem',
+                    type: 'string',
+                    required: true
+                },
+                {
+                    name: 'ssl.key.password',
+                    display: 'ssl.key.password',
+                    type: 'string',
+                    required: true
+                }
+            ],
+            SASL_SSL: [
+                {
+                    name: 'sasl.mechanism',
+                    display: 'sasl.mechanism',
+                    type: 'select',
+                    options: ['PLAIN', 'SCRAM-SHA-256'],
+                    required: true
+                },
+                {
+                    name: 'sasl.username',
+                    display: 'sasl.username',
+                    type: 'string',
+                    required: true
+                },
+                {
+                    name: 'sasl.password',
+                    display: 'sasl.password',
+                    type: 'string',
+                    required: true
+                }
+            ],
+            'No authentication': []
+        },
+        {
+            name: 'group.id',
+            display: 'group.id',
+            type: 'string',
+            required: true,
+            description: 'consumer group id'
+        },
+        {
+            name: 'offset',
+            display: 'offset',
+            type: 'string',
+            required: false,
+            description: 'earliest / end / specific offset (int)'
+        },
+        {
+            name: 'topic',
+            display: 'topic',
+            type: 'string',
+            required: true,
+            description: 'topic name'
+        },
+        {
+            name: 'partition',
+            display: 'partition',
+            type: 'string',
+            required: false,
+            description: 'partition number'
+        }
+    ],
+    sink: [
+        {
+            name: 'name',
+            display: 'name',
+            type: 'string',
+            required: true
+        },
+        {
+            name: 'bootstrap.servers',
+            display: 'bootstrap.servers',
+            type: 'multi',
+            options: [],
+            required: true,
+            placeholder: 'localhost:9092',
+            description: 'list of brokers'
+        },
+        {
+            name: 'security.protocol',
+            display: 'security.protocol',
+            type: 'select',
+            options: ['SSL', 'SASL_SSL', 'No authentication'],
+            required: true,
+            description: 'SSL / SASL_SSL / No authentication',
+            children: true,
+            SSL: [
+                {
+                    name: 'ssl.mechanism',
+                    display: 'ssl.mechanism',
+                    type: 'string',
+                    required: true
+                },
+                {
+                    name: 'ssl.certificate.pem',
+                    display: 'ssl.certificate.pem',
+                    type: 'string',
+                    required: true
+                },
+                {
+                    name: 'ssl.key.password',
+                    display: 'ssl.key.password',
+                    type: 'string',
+                    required: true
+                }
+            ],
+            SASL_SSL: [
+                {
+                    name: 'sasl.mechanism',
+                    display: 'sasl.mechanism',
+                    type: 'select',
+                    options: ['PLAIN', 'SCRAM-SHA-256'],
+                    required: true
+                },
+                {
+                    name: 'sasl.username',
+                    display: 'sasl.username',
+                    type: 'string',
+                    required: true
+                },
+                {
+                    name: 'sasl.password',
+                    display: 'sasl.password',
+                    type: 'string',
+                    required: true
+                }
+            ],
+            'No authentication': []
+        },
+        {
+            name: 'offset',
+            display: 'offset',
+            type: 'string',
+            required: false,
+            description: 'earliest / end / specific offset (int)'
+        },
+        {
+            name: 'topic',
+            display: 'topic',
+            type: 'string',
+            required: true,
+            description: 'topic name'
+        },
+        {
+            name: 'partition',
+            display: 'partition',
+            type: 'string',
+            required: false,
+            description: 'partition number'
+        }
+    ]
+};
diff --git a/ui_src/src/connectors/kinesis.js b/ui_src/src/connectors/kinesis.js
new file mode 100644
index 000000000..d003e46c8
--- /dev/null
+++ b/ui_src/src/connectors/kinesis.js
@@ -0,0 +1,97 @@
+export const kinesis = {
+    source: [
+        {
+            name: 'name',
+            display: 'Name',
+            type: 'string',
+            required: true
+        },
+        {
+            name: 'access_key',
+            display: 'access_key',
+            type: 'string',
+            required: false
+        },
+        {
+            name: 'secret_key',
+            display: 'secret_key',
+            type: 'string',
+            required: false
+        },
+        {
+            name: 'role',
+            display: 'role',
+            type: 'string',
+            required: true
+        },
+        {
+            name: 'kinesis_stream_name',
+            display: 'kinesis_stream_name',
+            type: 'string',
+            required: true
+        },
+        {
+            name: 'shard_iterator_type',
+            display: 'shard_iterator_type',
+            type: 'select',
+            options: ['LATEST', 'TRIM_HORIZON', 'AT_SEQUENCE_NUMBER', 'AFTER_SEQUENCE_NUMBER', 'AT_TIMESTAMP'],
+            required: true
+        },
+        {
+            name: 'shard_id',
+            display: 'shard_id',
+            type: 'string',
+            required: true
+        },
+        {
+            name: 'region',
+            display: 'region',
+            type: 'string',
+            required: true
+        }
+    ],
+    sink: [
+        {
+            name: 'name',
+            display: 'Name',
+            type: 'string',
+            required: true
+        },
+        {
+            name: 'access_key',
+            display: 'access_key',
+            type: 'string',
+            required: false
+        },
+        {
+            name: 'secret_key',
+            display: 'secret_key',
+            type: 'string',
+            required: false
+        },
+        {
+            name: 'role',
+            display: 'role',
+            type: 'string',
+            required: true
+        },
+        {
+            name: 'region',
+            display: 'region',
+            type: 'string',
+            required: true
+        },
+        {
+            name: 'kinesis_stream_name',
+            display: 'kinesis_stream_name',
+            type: 'string',
+            required: true
+        },
+        {
+            name: 'partition_key',
+            display: 'partition_key',
+            type: 'string',
+            required: true
+        }
+    ]
+};
diff --git a/ui_src/src/const/apiEndpoints.js b/ui_src/src/const/apiEndpoints.js
index b9f38d51a..0e8a69089 100644
--- a/ui_src/src/const/apiEndpoints.js
+++ b/ui_src/src/const/apiEndpoints.js
@@ -52,6 +52,10 @@ export const ApiEndpoints = {
     PRODUCE: '/stations/produce',
     ATTACH_DLS: '/stations/attachDlsStation',
     DETACH_DLS: '/stations/detachDlsStation',
+    CREATE_CONNECTOR: '/stations/createConnector',
+    REMOVE_CONNECTOR: '/stations/removeConnector',
+    START_CONNECTOR: '/stations/startConnector',
+    STOP_CONNECTOR: '/stations/stopConnector',
 
     //Async Tasks
     GET_ASYNC_TASKS: '/asyncTasks/getAsyncTasks',
diff --git a/ui_src/src/domain/administration/index.js b/ui_src/src/domain/administration/index.js
index 2aa72bc73..b1294f1f3 100644
--- a/ui_src/src/domain/administration/index.js
+++ b/ui_src/src/domain/administration/index.js
@@ -60,10 +60,7 @@ function Administration({ step }) {
             case 'cluster_configuration':
                 return <ClusterConfiguration />;
             case 'system_information':
-                if (!isCloud()) {
-                    return <SoftwareUpates />;
-                }
-                break;
+                return <SoftwareUpates />;
             case 'usage':
                 return <Requests />;
             case 'payments':
diff --git a/ui_src/src/domain/stationOverview/stationObservabilty/ProduceConsumList/index.js b/ui_src/src/domain/stationOverview/stationObservabilty/ProduceConsumList/index.js
index 71f658fc9..bd90619c0 100644
--- a/ui_src/src/domain/stationOverview/stationObservabilty/ProduceConsumList/index.js
+++ b/ui_src/src/domain/stationOverview/stationObservabilty/ProduceConsumList/index.js
@@ -13,13 +13,18 @@
 import './style.scss';
 
 import React, { useContext, useEffect, useRef, useState } from 'react';
-import { Space } from 'antd';
+import { Space, Popover } from 'antd';
 import { Virtuoso } from 'react-virtuoso';
 import { FiPlayCircle } from 'react-icons/fi';
-
 import { ReactComponent as WaitingProducerIcon } from '../../../../assets/images/waitingProducer.svg';
 import { ReactComponent as WaitingConsumerIcon } from '../../../../assets/images/waitingConsumer.svg';
 import { ReactComponent as PlayVideoIcon } from '../../../../assets/images/playVideoIcon.svg';
+import { ReactComponent as PurplePlus } from '../../../../assets/images/purplePlus.svg';
+import { ReactComponent as ProducerIcon } from '../../../../assets/images/producerIcon.svg';
+import { ReactComponent as ConnectIcon } from '../../../../assets/images/connectIcon.svg';
+import { IoPlayCircleOutline, IoRemoveCircleOutline, IoPause } from 'react-icons/io5';
+
+import { HiDotsVertical } from 'react-icons/hi';
 import OverflowTip from '../../../../components/tooltip/overflowtip';
 import { ReactComponent as UnsupportedIcon } from '../../../../assets/images/unsupported.svg';
 import StatusIndication from '../../../../components/indication';
@@ -29,12 +34,41 @@ import Button from '../../../../components/button';
 import Modal from '../../../../components/modal';
 import { StationStoreContext } from '../..';
 import ProduceMessages from '../../../../components/produceMessages';
+import ConnectorModal from '../../../../components/connectorModal';
 import { ReactComponent as ErrorModalIcon } from '../../../../assets/images/errorModal.svg';
+import { ApiEndpoints } from '../../../../const/apiEndpoints';
+import { httpRequest } from '../../../../services/http';
+import { loader } from '@monaco-editor/react';
+import Spinner from '../../../../components/spinner';
+
+const overlayStylesConnectors = {
+    borderRadius: '8px',
+    width: '230px',
+    paddingTop: '5px',
+    paddingBottom: '5px',
+    marginBottom: '10px'
+};
+
+const overlayStyleConnectors = { borderRadius: '8px', width: '150px', paddingTop: '5px', paddingBottom: '5px' };
+
+const MenuItem = ({ name, onClick, icon, disabled, loader }) => {
+    return (
+        <div className="item-wrapper-connectors" onClick={onClick} style={disabled ? { opacity: 0.5, cursor: 'not-allowed' } : {}}>
+            <span className="item-name">
+                {icon}
+                <label style={disabled ? { opacity: 0.5, cursor: 'not-allowed' } : {}}>{name}</label>
+            </span>
+            {loader && <Spinner alt="loading" />}
+        </div>
+    );
+};
 
 const ProduceConsumList = ({ producer }) => {
     const [stationState, stationDispatch] = useContext(StationStoreContext);
     const [selectedRowIndex, setSelectedRowIndex] = useState(0);
     const [producersList, setProducersList] = useState([]);
+    const [connectorsSourceList, setConnectorsSourceList] = useState([]);
+    const [connectorsSinkList, setConnectorsSinkList] = useState([]);
     const [cgsList, setCgsList] = useState([]);
     const [openProduceMessages, setOpenProduceMessages] = useState(false);
     const [cgDetails, setCgDetails] = useState([]);
@@ -44,15 +78,126 @@ const ProduceConsumList = ({ producer }) => {
     const [produceloading, setProduceLoading] = useState(false);
     const [openNoConsumer, setOpenNoConsumer] = useState(false);
     const [activeConsumerList, setActiveConsumerList] = useState([]);
+    const [openProducerPopover, setOpenProducerPopover] = useState(false);
+    const [openConnectorPopover, setOpenConnectorPopover] = useState(false);
+    const [openConnectorPopoverItem, setOpenConnectorPopoverItem] = useState(null);
+    const [selectedConnector, setSelectedConnector] = useState(null);
+    const [openConnectorModal, setOpenConnectorModal] = useState(false);
+    const [loading, setLoader] = useState(false);
 
+    const producerItemsList = [
+        {
+            action: 'Produce Synthetic Data',
+            onClick: () => {
+                setOpenProduceMessages(true);
+                setOpenProducerPopover(false);
+            }
+        },
+        {
+            action: 'Develop a Producer',
+            onClick: () => {
+                setOpenCreateProducer(true);
+                setOpenProducerPopover(false);
+            }
+        },
+        {
+            action: 'Produce using REST',
+            onClick: () => {
+                // setOpenProduceMessages(true);
+                setOpenProducerPopover(false);
+            },
+            disabled: true
+        },
+        {
+            action: 'Add a Source',
+            onClick: () => {
+                setOpenConnectorModal(true);
+                setOpenProducerPopover(false);
+            }
+        }
+    ];
+
+    const removeConnector = async (type) => {
+        setLoader(true);
+        try {
+            await httpRequest('POST', ApiEndpoints.REMOVE_CONNECTOR, {
+                connector_id: selectedConnector?.id
+            });
+            if (type === 'source') {
+                let newConnecorList = [...connectorsSourceList];
+                newConnecorList.splice(openConnectorPopoverItem, 1);
+                setConnectorsSourceList(newConnecorList);
+            }
+            if (type === 'sink') {
+                let newConnecorList = [...connectorsSinkList];
+                newConnecorList.splice(openConnectorPopoverItem, 1);
+                setConnectorsSinkList(newConnecorList);
+            }
+            setLoader(false);
+            setOpenConnectorPopover(false);
+        } catch (error) {
+            setLoader(false);
+        }
+    };
+
+    const startConnector = async (type) => {
+        setLoader(true);
+        try {
+            await httpRequest('POST', ApiEndpoints.START_CONNECTOR, {
+                connector_id: selectedConnector?.id
+            });
+            if (type === 'source') {
+                let newConnecorList = [...connectorsSourceList];
+                newConnecorList[openConnectorPopoverItem].is_active = true;
+                setConnectorsSourceList(newConnecorList);
+            }
+            if (type === 'sink') {
+                let newConnecorList = [...connectorsSinkList];
+                newConnecorList[openConnectorPopoverItem].is_active = true;
+                setConnectorsSinkList(newConnecorList);
+            }
+            setLoader(false);
+            setOpenConnectorPopover(false);
+        } catch (error) {
+            setLoader(false);
+        }
+    };
+    const stopConnector = async (type) => {
+        setLoader(true);
+        try {
+            await httpRequest('POST', ApiEndpoints.STOP_CONNECTOR, {
+                connector_id: selectedConnector?.id
+            });
+            if (type === 'source') {
+                let newConnecorList = [...connectorsSourceList];
+                newConnecorList[openConnectorPopoverItem].is_active = false;
+                setConnectorsSourceList(newConnecorList);
+            }
+            if (type === 'sink') {
+                let newConnecorList = [...connectorsSinkList];
+                newConnecorList[openConnectorPopoverItem].is_active = false;
+                setConnectorsSinkList(newConnecorList);
+            }
+            setLoader(false);
+            setOpenConnectorPopover(false);
+        } catch (error) {
+            setLoader(false);
+        }
+    };
+
+    const handleNewConnector = (connector, source) => {
+        source ? setConnectorsSourceList([...connectorsSourceList, connector]) : setConnectorsSinkList([...connectorsSinkList, ...connector]);
+    };
     useEffect(() => {
         if (producer) {
             let [result, activeConsumers] = concatFunction('producer', stationState?.stationSocketData);
             setProducersList(result);
+            setConnectorsSourceList(stationState?.stationSocketData?.connectors?.filter((connector) => connector?.connector_type === 'source'));
             setActiveConsumerList(activeConsumers);
         } else {
             let result = concatFunction('cgs', stationState?.stationSocketData);
             setCgsList(result);
+            setConnectorsSinkList(stationState?.stationSocketData?.connectors?.filter((connector) => connector?.connector_type === 'sink'));
         }
     }, [stationState?.stationSocketData]);
 
@@ -153,46 +298,62 @@ const ProduceConsumList = ({ producer }) => {
             <div className="pubSub-list-container">
                 <div className="header">
                     {producer && (
-                        <>
-                            <p className="title">Producers {producersList?.length > 0 && `(${producersList?.length})`}</p>
-                            <Button
-                                className="producer-btn"
-                                width="100px"
-                                height="30px"
-                                placeholder={
-                                    <div className="producer-placeholder">
-                                        <PlayVideoIcon width={18} alt="playVideoIcon" />
-                                        <span>Produce</span>
-                                    </div>
-                                }
-                                colorType={'purple'}
-                                radiusType="circle"
-                                border={'gray-light'}
-                                backgroundColorType={'white'}
-                                fontSize="12px"
-                                fontFamily="InterSemiBold"
-                                onClick={() => setOpenProduceMessages(true)}
-                            />
-                        </>
+                        <span className="poduce-consume-header">
+                            <p className="title">
+                                Sources {(producersList?.length > 0 || connectorsSourceList?.length > 0) && `(${producersList?.length + connectorsSourceList?.length})`}
+                            </p>
+                            <Popover
+                                overlayInnerStyle={overlayStylesConnectors}
+                                placement="bottomLeft"
+                                content={producerItemsList?.map((item, index) => (
+                                    <MenuItem key={`${index}-${item.action}`} name={item.action} onClick={item.onClick} disabled={item?.disabled} />
+                                ))}
+                                trigger="click"
+                                onOpenChange={() => setOpenProducerPopover(!openProducerPopover)}
+                                open={openProducerPopover}
+                            >
+                                <PurplePlus alt="Add source" className="add" />
+                            </Popover>
+                        </span>
+                    )}
+                    {!producer && (
+                        <span className="poduce-consume-header">
+                            <p className="title">
+                                Consumer groups {(cgsList?.length > 0 || connectorsSinkList?.length > 0) && `(${cgsList?.length + connectorsSinkList?.length})`}
+                            </p>
+                            <Popover
+                                overlayInnerStyle={overlayStylesConnectors}
+                                placement="bottomLeft"
+                                content={producerItemsList?.map((item, index) => (
+                                    <MenuItem key={`${index}-${item.action}`} name={item.action} onClick={item.onClick} />
+                                ))}
+                                trigger="click"
+                                onOpenChange={() => setOpenProducerPopover(!openProducerPopover)}
+                                open={openProducerPopover}
+                            >
+                                <PurplePlus alt="Add source" className="add" />
+                            </Popover>
+                        </span>
                     )}
-                    {!producer && <p className="title">Consumer groups {cgsList?.length > 0 && `(${cgsList?.length})`}</p>}
                 </div>
-                {producer && producersList?.length > 0 && (
+                {producer && (producersList?.length > 0 || connectorsSourceList?.length > 0) && (
                     <div className="coulmns-table">
                         <span style={{ width: '100px' }}>Name</span>
                         <span style={{ width: '100px' }}>Count</span>
                         <span style={{ width: '35px' }}>Status</span>
+                        <span style={{ width: '20px' }}></span>
                     </div>
                 )}
-                {!producer && cgsList.length > 0 && (
+                {!producer && (cgsList.length > 0 || connectorsSinkList?.length > 0) && (
                     <div className="coulmns-table">
                         <span style={{ width: '60px' }}>Name</span>
                         <span style={{ width: '100px', textAlign: 'center' }}>Unacknowledged</span>
                         <span style={{ width: '80px', textAlign: 'center' }}>Unprocessed</span>
                         <span style={{ width: '35px', textAlign: 'center' }}>Status</span>
+                        <span style={{ width: '20px' }}></span>
                     </div>
                 )}
-                {(producersList?.length > 0 || cgsList?.length > 0) && (
+                {(producersList?.length > 0 || connectorsSourceList?.length > 0 || connectorsSinkList?.length > 0 || cgsList?.length > 0) && (
                     <div className="rows-wrapper">
                         <div
                             className="list-container"
@@ -204,55 +365,124 @@ const ProduceConsumList = ({ producer }) => {
                                 })`
                             }}
                         >
-                            {producer && producersList?.length > 0 && (
+                            {producer && (producersList?.length > 0 || connectorsSourceList?.length > 0) && (
                                 <Virtuoso
-                                    data={producersList}
+                                    data={[...producersList, ...connectorsSourceList]}
                                     overscan={100}
                                     itemContent={(index, row) => (
-                                        <div className={returnClassName(index, row.is_deleted)} key={index} onClick={() => onSelectedRow(index, 'producer')}>
-                                            <OverflowTip text={row.name} width={'100px'}>
-                                                {row.name}
-                                            </OverflowTip>
-                                            <OverflowTip text={row.connected_producers_count} width={'70px'}>
-                                                {row.connected_producers_count}
+                                        <div className={returnClassName(index, row?.is_deleted)} key={index} onClick={() => onSelectedRow(index, 'producer')}>
+                                            <span className="connector-name">
+                                                {row?.connector_connection_id ? <ConnectIcon /> : <ProducerIcon />}
+                                                <OverflowTip text={row.name} width={'80px'}>
+                                                    {row.name}
+                                                </OverflowTip>
+                                            </span>
+
+                                            <OverflowTip text={row.count} width={'70px'}>
+                                                {row.count || 1}
                                             </OverflowTip>
-                                            <span className="status-icon" style={{ width: '38px' }}>
+                                            <span className="status-icon">
                                                 <StatusIndication is_active={row.is_active} is_deleted={row.is_active} />
                                             </span>
+                                            <Popover
+                                                overlayInnerStyle={overlayStyleConnectors}
+                                                placement="bottomLeft"
+                                                onOpenChange={() => {
+                                                    setOpenConnectorPopoverItem(index);
+                                                    setSelectedConnector(row);
+                                                    setOpenConnectorPopover(!openConnectorPopover);
+                                                }}
+                                                open={openConnectorPopover && openConnectorPopoverItem === index}
+                                                content={
+                                                    <>
+                                                        <MenuItem
+                                                            name={!row?.is_active ? 'Pause' : 'Play'}
+                                                            onClick={() => (row?.is_active ? stopConnector('source') : startConnector('source'))}
+                                                            icon={row?.is_active ? <IoPause /> : <IoPlayCircleOutline />}
+                                                        />
+                                                        <MenuItem
+                                                            name={'Disconnect'}
+                                                            onClick={() => removeConnector('source')}
+                                                            icon={<IoRemoveCircleOutline />}
+                                                            loader={loading && openConnectorPopoverItem === index}
+                                                        />
+                                                    </>
+                                                }
+                                                trigger="click"
+                                            >
+                                                <div
+                                                    className={`connector-options${openConnectorPopover && openConnectorPopoverItem === index ? '-selected' : ''}`}
+                                                    onClick={(e) => row?.connector_connection_id && e.stopPropagation()}
+                                                >
+                                                    {row?.connector_connection_id && <HiDotsVertical alt="actions" />}
+                                                </div>
+                                            </Popover>
                                         </div>
                                     )}
                                 />
                             )}
-                            {!producer && cgsList?.length > 0 && (
+                            {!producer && (cgsList?.length > 0 || connectorsSinkList?.length > 0) && (
                                 <Virtuoso
-                                    data={cgsList}
+                                    data={[...cgsList, ...connectorsSinkList]}
                                     overscan={100}
                                     itemContent={(index, row) => (
-                                        <div className={returnClassName(index, row.is_deleted)} key={index} onClick={() => onSelectedRow(index, 'consumer')}>
-                                            <OverflowTip text={row.name} width={'80px'}>
-                                                {row.name}
-                                            </OverflowTip>
+                                        <div className={returnClassName(index, row?.is_deleted)} key={index} onClick={() => onSelectedRow(index, 'consumer')}>
+                                            <span className="connector-name">
+                                                {row?.connector_connection_id ? <ConnectIcon /> : <ProducerIcon />}
+                                                <OverflowTip text={row.name} width={'80px'}>
+                                                    {row.name}
+                                                </OverflowTip>
+                                            </span>
                                             <OverflowTip
-                                                text={row.poison_messages.toLocaleString()}
+                                                text={row?.poison_messages?.toLocaleString()}
                                                 width={'80px'}
                                                 textAlign={'center'}
-                                                textColor={row.poison_messages > 0 ? '#F7685B' : null}
+                                                textColor={row?.poison_messages > 0 ? '#F7685B' : null}
                                             >
-                                                {row.poison_messages.toLocaleString()}
+                                                {row?.poison_messages?.toLocaleString()}
                                             </OverflowTip>
-                                            <OverflowTip text={row.unprocessed_messages.toLocaleString()} width={'80px'} textAlign={'center'}>
-                                                {row.unprocessed_messages.toLocaleString()}
+                                            <OverflowTip text={row?.unprocessed_messages?.toLocaleString()} width={'80px'} textAlign={'center'}>
+                                                {row?.unprocessed_messages?.toLocaleString()}
                                             </OverflowTip>
                                             <span className="status-icon" style={{ width: '35px' }}>
-                                                <StatusIndication is_active={row.is_active} is_deleted={row.is_deleted} />
+                                                <StatusIndication is_active={row?.is_active} is_deleted={row?.is_deleted} />
                                             </span>
+                                            <Popover
+                                                overlayInnerStyle={overlayStyleConnectors}
+                                                placement="bottomLeft"
+                                                onOpenChange={() => {
+                                                    setOpenConnectorPopoverItem(index);
+                                                    setOpenConnectorPopover(!openConnectorPopover);
+                                                }}
+                                                open={openConnectorPopover && openConnectorPopoverItem === index}
+                                                content={
+                                                    <>
+                                                        <MenuItem
+                                                            name={!row?.is_active ? 'Pause' : 'Play'}
+                                                            onClick={() => (row?.is_active ? stopConnector('sink') : startConnector('sink'))}
+                                                            icon={row?.is_active ? <IoPause /> : <IoPlayCircleOutline />}
+                                                        />
+                                                        <MenuItem name={'Disconnect'} onClick={() => removeConnector('sink')} icon={<IoRemoveCircleOutline />} />
+                                                    </>
+                                                }
+                                                trigger="click"
+                                            >
+                                                <div
+                                                    className="connector-options"
+                                                    onClick={(e) => {
+                                                        if (row?.connector_connection_id) e.stopPropagation();
+                                                    }}
+                                                >
+                                                    {row?.connector_connection_id && <HiDotsVertical alt="actions" />}
+                                                </div>
+                                            </Popover>
                                         </div>
                                     )}
                                 />
                             )}
                         </div>
                         <div style={{ marginRight: '10px' }} id={producer ? 'producer-details' : 'consumer-details'}>
-                            {producer && producersList?.length > 0}
+                            {producer && (producersList?.length > 0 || connectorsSourceList?.length > 0)}
                             {!producer && cgsList?.length > 0 && (
                                 <Space direction="vertical">
                                     <CustomCollapse header="Details" status={false} defaultOpen={true} data={cgDetails.details} />
@@ -262,7 +492,8 @@ const ProduceConsumList = ({ producer }) => {
                         </div>
                     </div>
                 )}
-                {((producer && producersList?.length === 0) || (!producer && cgsList?.length === 0)) && (
+                {((producer && producersList?.length === 0 && connectorsSourceList?.length === 0) ||
+                    (!producer && cgsList?.length === 0 && connectorsSinkList?.length === 0)) && (
                     <div className="waiting-placeholder">
                         {producer ? <WaitingProducerIcon width={62} alt="producer" /> : <WaitingConsumerIcon width={62} alt="producer" />}
                         <p>{`No ${producer ? 'producers' : 'consumers'} yet`}</p>
@@ -307,15 +538,7 @@ const ProduceConsumList = ({ producer }) => {
                     </div>
                 )}
             </div>
-            <Modal
-                width="1200px"
-                height="780px"
-                clickOutside={() => {
-                    setOpenCreateConsumer(false);
-                }}
-                open={openCreateConsumer}
-                displayButtons={false}
-            >
+            <Modal width="1200px" height="780px" clickOutside={() => setOpenCreateConsumer(false)} open={openCreateConsumer} displayButtons={false}>
                 <SdkExample withHeader={true} showTabs={false} stationName={stationState?.stationMetaData?.name} consumer={true} />
             </Modal>
             <Modal
@@ -405,6 +628,12 @@ const ProduceConsumList = ({ producer }) => {
                 <p className="no-consumer-message--p">The message will not be stored</p>
                 <label className="no-consumer-message--label">When using ack-based retention, a message will not be stored if no consumers are connected.</label>
             </Modal>
+            <ConnectorModal
+                open={openConnectorModal}
+                clickOutside={() => setOpenConnectorModal(false)}
+                newConnecor={(connector, source) => handleNewConnector(connector, source)}
+                source={producer}
+            />
         </div>
     );
 };
diff --git a/ui_src/src/domain/stationOverview/stationObservabilty/ProduceConsumList/style.scss b/ui_src/src/domain/stationOverview/stationObservabilty/ProduceConsumList/style.scss
index 057dc117a..343a3faee 100644
--- a/ui_src/src/domain/stationOverview/stationObservabilty/ProduceConsumList/style.scss
+++ b/ui_src/src/domain/stationOverview/stationObservabilty/ProduceConsumList/style.scss
@@ -8,16 +8,30 @@
     box-shadow: 0px 0px 4px 3px rgba(204, 204, 204, 0.19);
     border-radius: 8px;
     padding: 15px 0px 15px 0px;
+    .connector-name {
+        display: flex;
+        align-items: center;
+        gap: 4px;
+    }
     .header {
         display: flex;
         justify-content: space-between;
         border-bottom: 1px solid #e9e9e9;
         line-height: 35px;
         padding: 0 15px 5px 15px;
-        .title {
-            font-family: 'InterSemiBold';
-            font-size: 14px;
-            margin: 0;
+        .poduce-consume-header {
+            display: flex;
+            align-items: center;
+            justify-content: space-between;
+            width: 100%;
+            .title {
+                font-family: 'InterSemiBold';
+                font-size: 14px;
+                margin: 0;
+            }
+            .add {
+                cursor: pointer;
+            }
         }
         .add-connector-button {
             cursor: pointer;
@@ -50,7 +64,7 @@
     .rows-wrapper {
         position: relative;
         width: calc(100%);
-        height: calc(100% - 90px);
+        height: calc(100% - 70px);
         overflow: auto;
         padding-left: 10px;
         display: flex;
@@ -70,10 +84,35 @@
                 padding: 5px;
                 margin-right: 10px;
                 margin-top: 5px;
+                .connector-options-selected {
+                    background-color: #e3e0ff;
+                    height: 20px;
+                    width: 20px;
+                    display: flex;
+                    justify-content: center;
+                    align-items: center;
+                    border-radius: 3px;
+                    cursor: pointer;
+                    color: var(--purple);
+                }
+                .connector-options {
+                    background-color: transparent;
+                    height: 20px;
+                    width: 20px;
+                    display: flex;
+                    justify-content: center;
+                    align-items: center;
+                    border-radius: 3px;
+                    cursor: pointer;
+                    color: rgba(154, 154, 160, 0.8);
+                }
                 .status-icon {
                     position: relative;
                     display: flex;
                     justify-content: center;
+                    align-items: center;
+                    gap: 4px;
+                    width: 38px;
                     .circle-status {
                         border-radius: 32px;
                         width: 18px;
@@ -214,3 +253,27 @@
         opacity: 0;
     }
 }
+.item-wrapper-connectors {
+    padding-left: 5px;
+    padding-right: 5px;
+    margin: 0 5px;
+    height: 34px;
+    display: flex;
+    align-items: center;
+    justify-content: space-between;
+    gap: 5px;
+    cursor: pointer;
+    .item-name {
+        display: flex;
+        align-items: center;
+        gap: 5px;
+    }
+    label {
+        cursor: pointer;
+    }
+}
+.item-wrapper-connectors:hover {
+    background: #e3e0ff;
+    border-radius: 4px;
+    color: var(--purple);
+}
diff --git a/ui_src/src/domain/stationOverview/stationObservabilty/components/functionsOverview/style.scss b/ui_src/src/domain/stationOverview/stationObservabilty/components/functionsOverview/style.scss
index c51369edc..7ee05681d 100644
--- a/ui_src/src/domain/stationOverview/stationObservabilty/components/functionsOverview/style.scss
+++ b/ui_src/src/domain/stationOverview/stationObservabilty/components/functionsOverview/style.scss
@@ -85,11 +85,11 @@
                     width: 100%;
                     position: absolute;
                     left: 0;
-                    top: 48.5px;
+                    top: 50px;
                     display: flex;
                     flex-wrap: nowrap;
                     overflow: hidden;
-                    height: 61px;
+                    height: 62px;
                 }
 
                 &-left {
diff --git a/ui_src/src/domain/stationOverview/stationOverviewHeader/index.js b/ui_src/src/domain/stationOverview/stationOverviewHeader/index.js
index d3540e5d9..7933815da 100644
--- a/ui_src/src/domain/stationOverview/stationOverviewHeader/index.js
+++ b/ui_src/src/domain/stationOverview/stationOverviewHeader/index.js
@@ -249,10 +249,10 @@ const StationOverviewHeader = () => {
                                     <b style={{marginRight: '5px'}}>Dead-letter for: </b>
                                     {
                                         stationState?.stationSocketData?.act_as_dls_station_in_stations && stationState?.stationSocketData?.act_as_dls_station_in_stations.length ?
-                                            <OverflowTip text={stationState?.stationSocketData?.act_as_dls_station_in_stations.join(', ')} maxWidth={'70px'}>
-                                                {stationState?.stationSocketData?.act_as_dls_station_in_stations.join(', ')}
-                                            </OverflowTip>
-                                            : <MinusOutlined style={{ color: '#2E2C34' }} />
+                                        <OverflowTip text={stationState?.stationSocketData?.act_as_dls_station_in_stations.join(', ')} maxWidth={'70px'}>
+                                            {stationState?.stationSocketData?.act_as_dls_station_in_stations.join(', ')}
+                                        </OverflowTip>
+                                        : <MinusOutlined style={{ color: '#2E2C34' }} />
                                     }
                                 </p>
                             </div>
@@ -285,7 +285,9 @@ const StationOverviewHeader = () => {
                                     <p className="schema-title">Schema validation</p>
                                     {stationState?.stationSocketData?.schema !== undefined && Object.keys(stationState?.stationSocketData?.schema).length !== 0 && (
                                         <div className="schema-details sd-flex">
-                                            {stationState?.stationSocketData?.schema?.updates_available && <ActiveBadge content="Updates available" active={false} />}
+                                            {stationState?.stationSocketData?.schema?.updates_available &&
+                                            stationState?.stationSocketData?.schema?.updates_available.length &&
+                                                <ActiveBadge content="Updates available" active={false} />}
                                         </div>
                                     )}
                                 </div>
@@ -307,7 +309,7 @@ const StationOverviewHeader = () => {
                                     <p>v{stationState?.stationSocketData?.schema?.version_number}</p>
                                 </div>
                             )}
-                            {stationState?.stationSocketData?.schema === undefined ||
+                            {stationState?.stationSocketData?.schema &&
                                 (Object.keys(stationState?.stationSocketData?.schema).length === 0 ? (
                                     <>
                                         <div className="add-new">
@@ -346,7 +348,8 @@ const StationOverviewHeader = () => {
                                             boxShadowStyle="float"
                                             onClick={() => setDeleteModal(true)}
                                         />
-                                        {stationState?.stationSocketData?.schema?.updates_available && (
+                                        {stationState?.stationSocketData?.schema?.updates_available &&
+                                        stationState?.stationSocketData?.schema?.updates_available.length && (
                                             <Button
                                                 width="80px"
                                                 height="16px"
diff --git a/ui_src/src/domain/stationOverview/stationOverviewHeader/style.scss b/ui_src/src/domain/stationOverview/stationOverviewHeader/style.scss
index 490ef98fa..28d506558 100644
--- a/ui_src/src/domain/stationOverview/stationOverviewHeader/style.scss
+++ b/ui_src/src/domain/stationOverview/stationOverviewHeader/style.scss
@@ -64,13 +64,13 @@
     }
     .details {
         margin-top: 30px;
-        display: flex;
         justify-content: space-between;
         height: 85px;
         align-items: center;
         width: 100%;
         display: grid;
         grid-template-columns: 20% 55% 20%;
+        min-height: 114px;
         .main-details {
             font-size: 12px;
             padding: 0 15px;
diff --git a/ui_src/src/domain/stationOverview/style.scss b/ui_src/src/domain/stationOverview/style.scss
index e41ab2715..0bf65e093 100644
--- a/ui_src/src/domain/stationOverview/style.scss
+++ b/ui_src/src/domain/stationOverview/style.scss
@@ -3,16 +3,15 @@
     transition: .3s ease-in-out;
     position: absolute;
     padding: 1vw;
-    height: calc(100%);
     overflow: auto;
     display: flex;
     flex-direction: column;
     justify-content: space-between;
+    gap: 30px;
     .overview-header {
         min-width: 1370px;
     }
     .station-observability {
-        margin-top: 20px;
         min-width: 1280px;
         height: 100%;
         display: flex;
diff --git a/ui_src/src/domain/stationsList/stationBoxOverview/index.js b/ui_src/src/domain/stationsList/stationBoxOverview/index.js
index 64c6366d2..d858b7e49 100644
--- a/ui_src/src/domain/stationsList/stationBoxOverview/index.js
+++ b/ui_src/src/domain/stationsList/stationBoxOverview/index.js
@@ -27,7 +27,7 @@ import { ReactComponent as ReplicasIcon } from '../../../assets/images/replicasI
 import { ReactComponent as TotalMsgIcon } from '../../../assets/images/totalMsgIcon.svg';
 import { ReactComponent as PoisonMsgIcon } from '../../../assets/images/poisonMsgIcon.svg';
 import { ReactComponent as RemoteStorageIcon } from '../../../assets/images/remoteStorage.svg';
-import { ReactComponent as ClockIcon } from '../../../assets/images/TimeFill.svg';
+import { ReactComponent as ClockIcon } from '../../../assets/images/timeFill.svg';
 import { ReactComponent as UserIcon } from '../../../assets/images/userPerson.svg';
 import { ReactComponent as SchemaIcon } from '../../../assets/images/schemaIconActive.svg';
 import { ReactComponent as StationIcon } from '../../../assets/images/stationsIconActive.svg';

From 01753b8cd602db50fde6efc3f67c431e65c68596 Mon Sep 17 00:00:00 2001
From: idanasulinStrech <idan@memphis.dev>
Date: Thu, 7 Dec 2023 10:42:36 +0200
Subject: [PATCH 08/16] add missing function

---
 server/client.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/server/client.go b/server/client.go
index d088f1cd3..3f65f542f 100644
--- a/server/client.go
+++ b/server/client.go
@@ -1984,6 +1984,13 @@ func (c *client) sendErrAndDebug(err string) {
 	c.Debugf(err)
 }
 
+// *** added by Memphis
+func (c *client) sendErrAndWarn(funcName, err string) {
+	c.sendErr(err)
+	// c.Warnf("[tenant: %s]%s: %s", c.acc.GetName(), funcName, err)
+}
+// added by Memphis ***
+
 func (c *client) authTimeout() {
 	c.sendErrAndDebug("Authentication Timeout")
 	c.closeConnection(AuthenticationTimeout)

From dd35708d394de2567262c3f266515d770fb05c73 Mon Sep 17 00:00:00 2001
From: idanasulinStrech <idan@memphis.dev>
Date: Thu, 7 Dec 2023 10:51:47 +0200
Subject: [PATCH 09/16] align with cloud

---
 db/db_cloud.go                       |  4 ++++
 server/memphis_handlers_user_mgmt.go | 11 ++++++++---
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/db/db_cloud.go b/db/db_cloud.go
index fdccba3a7..7fb6c1e4a 100644
--- a/db/db_cloud.go
+++ b/db/db_cloud.go
@@ -55,3 +55,7 @@ func DeleteAndGetAttachedFunctionsByTenant(tenantName string) ([]FunctionSchema,
 func DeleteAllTestEvents(tenantName string) error {
 	return nil
 }
+
+func DeleteScheduledFunctionWorkersByTenant(tenantName string) error {
+	return nil
+}
\ No newline at end of file
diff --git a/server/memphis_handlers_user_mgmt.go b/server/memphis_handlers_user_mgmt.go
index ef57bf312..f5bb551c0 100644
--- a/server/memphis_handlers_user_mgmt.go
+++ b/server/memphis_handlers_user_mgmt.go
@@ -161,17 +161,22 @@ func removeTenantResources(tenantName string, user models.User) error {
 		return err
 	}
 
-	err = deleteConnectorsTenantResources(tenantName)
+	err = sendDeleteAllFunctionsReqToMS(user, tenantName, "github", "", "", "aws_lambda", "", true)
 	if err != nil {
 		return err
 	}
 
-	err = db.RemoveStationsByTenant(tenantName)
+	err = db.DeleteScheduledFunctionWorkersByTenant(tenantName)
 	if err != nil {
 		return err
 	}
 
-	err = sendDeleteAllFunctionsReqToMS(user, tenantName, "github", "", "", "aws_lambda", "", true)
+	err = deleteConnectorsTenantResources(tenantName)
+	if err != nil {
+		return err
+	}
+
+	err = db.RemoveStationsByTenant(tenantName)
 	if err != nil {
 		return err
 	}

From 814496bf9b71ba881396089eb6ecd3f03b1729d5 Mon Sep 17 00:00:00 2001
From: otabekgh <otabek@memphis.dev>
Date: Tue, 5 Dec 2023 14:16:39 +0300
Subject: [PATCH 10/16] Add indication on station page whether is a DLS of
 another station

---
 .../domain/stationOverview/stationOverviewHeader/index.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ui_src/src/domain/stationOverview/stationOverviewHeader/index.js b/ui_src/src/domain/stationOverview/stationOverviewHeader/index.js
index 7933815da..4a4998b82 100644
--- a/ui_src/src/domain/stationOverview/stationOverviewHeader/index.js
+++ b/ui_src/src/domain/stationOverview/stationOverviewHeader/index.js
@@ -249,10 +249,10 @@ const StationOverviewHeader = () => {
                                     <b style={{marginRight: '5px'}}>Dead-letter for: </b>
                                     {
                                         stationState?.stationSocketData?.act_as_dls_station_in_stations && stationState?.stationSocketData?.act_as_dls_station_in_stations.length ?
-                                        <OverflowTip text={stationState?.stationSocketData?.act_as_dls_station_in_stations.join(', ')} maxWidth={'70px'}>
-                                            {stationState?.stationSocketData?.act_as_dls_station_in_stations.join(', ')}
-                                        </OverflowTip>
-                                        : <MinusOutlined style={{ color: '#2E2C34' }} />
+                                            <OverflowTip text={stationState?.stationSocketData?.act_as_dls_station_in_stations.join(', ')} maxWidth={'70px'}>
+                                                {stationState?.stationSocketData?.act_as_dls_station_in_stations.join(', ')}
+                                            </OverflowTip>
+                                            : <MinusOutlined style={{ color: '#2E2C34' }} />
                                     }
                                 </p>
                             </div>

From ea9e624a545693b7b686d7067e90aa240824531d Mon Sep 17 00:00:00 2001
From: idanasulinStrech <idan@memphis.dev>
Date: Thu, 7 Dec 2023 11:16:32 +0200
Subject: [PATCH 11/16] bugfix

---
 server/reload.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/reload.go b/server/reload.go
index 953623429..b2bb329bc 100644
--- a/server/reload.go
+++ b/server/reload.go
@@ -1067,7 +1067,7 @@ func imposeOrder(value interface{}) error {
 		sort.Strings(value.AllowedOrigins)
 	case string, bool, uint8, int, int32, int64, time.Duration, float64, nil, LeafNodeOpts, ClusterOpts, *tls.Config, PinnedCertSet,
 		*URLAccResolver, *MemAccResolver, *DirAccResolver, *CacheDirAccResolver, Authentication, MQTTOpts, jwt.TagList,
-		*OCSPConfig, map[string]string, JSLimitOpts, StoreCipher, *OCSPResponseCacheConfig:
+		*OCSPConfig, map[string]string, JSLimitOpts, StoreCipher, *OCSPResponseCacheConfig, map[string]int: // ** map[string]int added by Memphis
 		// explicitly skipped types
 	default:
 		// this will fail during unit tests

From 1b175586a6d3bf85f76b1aaf97db52092a616d28 Mon Sep 17 00:00:00 2001
From: idanasulinStrech <idan@memphis.dev>
Date: Thu, 7 Dec 2023 13:56:59 +0200
Subject: [PATCH 12/16] bugfix

---
 server/parser.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/server/parser.go b/server/parser.go
index 8501879ab..85fea811a 100644
--- a/server/parser.go
+++ b/server/parser.go
@@ -16,6 +16,7 @@ package server
 import (
 	"bufio"
 	"bytes"
+	"encoding/json"
 	"fmt"
 	"net/http"
 	"net/textproto"
@@ -919,6 +920,13 @@ func (c *client) parse(buf []byte) error {
 					c.argBuf = nil
 				} else {
 					arg = buf[c.as : i-c.drop]
+
+					d := json.NewDecoder(strings.NewReader(string(arg)))
+					err := d.Decode(&c.opts)
+
+					if err != nil {
+						return err
+					}
 				}
 				if err := c.overMaxControlLineLimit(arg, mcl); err != nil {
 					return err

From ce2becc61d756001298ed937d41f15430de5254a Mon Sep 17 00:00:00 2001
From: idanasulinStrech <idan@memphis.dev>
Date: Thu, 7 Dec 2023 15:30:04 +0200
Subject: [PATCH 13/16] bugfix

---
 server/memphis_cloud.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/server/memphis_cloud.go b/server/memphis_cloud.go
index 0bfc6c973..cbfe57876 100644
--- a/server/memphis_cloud.go
+++ b/server/memphis_cloud.go
@@ -1835,6 +1835,9 @@ func (mh MonitoringHandler) GetBrokersThroughputs(tenantName string) ([]models.B
 	if streamInfo.State.FirstSeq > 0 {
 		startSeq = streamInfo.State.FirstSeq
 	}
+	if streamInfo.State.LastSeq > ws_updates_interval_sec {
+		startSeq = streamInfo.State.LastSeq - ws_updates_interval_sec + 1
+	}
 
 	cc := ConsumerConfig{
 		OptStartSeq:   startSeq,

From 8d2db48bf7491a9083ca3938cbfe6cdb5ee0d050 Mon Sep 17 00:00:00 2001
From: idanasulinStrech <idan@memphis.dev>
Date: Fri, 8 Dec 2023 15:13:31 +0200
Subject: [PATCH 14/16] remove unnecessary replicas mention

---
 server/memphis_helper.go | 2 --
 1 file changed, 2 deletions(-)

diff --git a/server/memphis_helper.go b/server/memphis_helper.go
index b89c008a5..25f135080 100644
--- a/server/memphis_helper.go
+++ b/server/memphis_helper.go
@@ -541,13 +541,11 @@ func tryCreateInternalJetStreamResources(s *Server, retentionDur time.Duration,
 
 	// create function tasks consumer
 	if shouldCreateSystemTasksStream() && !FUNCTIONS_TASKS_CONSUMER_CREATED {
-		replicas := GetStationReplicas(1)
 		cc := ConsumerConfig{
 			Durable:       FUNCTION_TASKS_CONSUMER,
 			DeliverPolicy: DeliverAll,
 			AckPolicy:     AckExplicit,
 			MaxAckPending: 1,
-			Replicas:      replicas,
 			FilterSubject: systemTasksStreamName + ".functions",
 			AckWait:       time.Duration(90) * time.Second,
 			MaxDeliver:    5,

From 985887f18d9a6b9b7ebdf403aec5fb8f3d3b4253 Mon Sep 17 00:00:00 2001
From: idanasulinStrech <idan@memphis.dev>
Date: Sun, 10 Dec 2023 11:25:00 +0200
Subject: [PATCH 15/16] add time based retention layer for the throughput
 stream

---
 server/memphis_helper.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server/memphis_helper.go b/server/memphis_helper.go
index 25f135080..743b61ebd 100644
--- a/server/memphis_helper.go
+++ b/server/memphis_helper.go
@@ -486,6 +486,7 @@ func tryCreateInternalJetStreamResources(s *Server, retentionDur time.Duration,
 			MaxConsumers: -1,
 			MaxMsgs:      int64(-1),
 			MaxBytes:     int64(-1),
+			MaxAge:       time.Second * ws_updates_interval_sec, // since it stores only 1 msg per second
 			Discard:      DiscardOld,
 			MaxMsgsPer:   ws_updates_interval_sec,
 			Storage:      FileStorage,

From 3db4ecf617ee44f51b557467334606f1ed702a60 Mon Sep 17 00:00:00 2001
From: idanasulinStrech <idan@memphis.dev>
Date: Mon, 11 Dec 2023 10:09:36 +0200
Subject: [PATCH 16/16] update the memphis package

---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index d27980bf9..8a0f6b6dc 100644
--- a/go.mod
+++ b/go.mod
@@ -113,7 +113,7 @@ require (
 	github.com/leodido/go-urn v1.2.4 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-isatty v0.0.19 // indirect
-	github.com/memphisdev/memphis.go v1.2.0
+	github.com/memphisdev/memphis.go v1.2.1-beta.1
 	github.com/moby/spdystream v0.2.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
diff --git a/go.sum b/go.sum
index 7dcbca35f..9d4e27a1f 100644
--- a/go.sum
+++ b/go.sum
@@ -275,8 +275,8 @@ github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Ky
 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
 github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
 github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/memphisdev/memphis.go v1.2.0 h1:kRqpUwLTLeh5YWpV2/uMUllTP6fmYxcr0FGgqy4n/Jo=
-github.com/memphisdev/memphis.go v1.2.0/go.mod h1:IkB6GmtCq2lvtu1t1UmaIstKHioiN3+cwGR3q8mALok=
+github.com/memphisdev/memphis.go v1.2.1-beta.1 h1:Si3/QRkZZj63jwlNTnriBrCiyVXYx5cd+YxiU4C8Uz4=
+github.com/memphisdev/memphis.go v1.2.1-beta.1/go.mod h1:IkB6GmtCq2lvtu1t1UmaIstKHioiN3+cwGR3q8mALok=
 github.com/minio/highwayhash v1.0.2 h1:Aak5U0nElisjDCfPSG79Tgzkn2gl66NxOMspRrKnA/g=
 github.com/minio/highwayhash v1.0.2/go.mod h1:BQskDq+xkJ12lmlUUi7U0M5Swg3EWR+dLTk+kldvVxY=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=