Mail Archives: cygwin/2021/02/06/13:24:31

To: "cygwin AT cygwin DOT com" <cygwin AT cygwin DOT com>
Subject: Re: TLS version problem downloading mirrors.lst?
Date: Sat, 6 Feb 2021 18:23:31 +0000
Message-ID: <BYAPR07MB5942B98E2713C42E29B5CF13B6B19@BYAPR07MB5942.namprd07.prod.outlook.com>
References: <BYAPR07MB59425A659F71A5C1246B588EB6B19 AT BYAPR07MB5942 DOT namprd07 DOT prod DOT outlook DOT com>,
<595f4a6c-ad35-14ba-918e-06014bc7bb96 AT SystematicSw DOT ab DOT ca>
In-Reply-To: <595f4a6c-ad35-14ba-918e-06014bc7bb96@SystematicSw.ab.ca>
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
From: Brad Wetmore via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Brad Wetmore <bradfordwetmore AT hotmail DOT com>

Hi Brian, and thanks for the response.

Hooray for conflicting information from MS.  🙂

I will look at the IIS tool mentioned in one of the posts.

My registry entries for SCHANNEL and the TLSv1.2 look to be the same between my previous Windows 2012 install and this new Windows 2016 one, so a little surprising.

Do you happen to know if the cygwin.com server hosting cygwin.com/mirrors.lst was recently upgraded to no longer support the earlier TLS versions?

Is mirrors.lst cached somewhere during the install, and where would I find it?  Just wondering why I can't seem to find it on different Windows instances but can still connect.

> Are any of them running legacy Server instances?

I think you are asking whether the mirror server (sonic.net) that I eventually contacted still has TLSv1.0 on.  Probably.  I can check that next week.

Thanks,

Brad





________________________________
From: Brian Inglis <Brian DOT Inglis AT SystematicSw DOT ab DOT ca>
Sent: Friday, February 5, 2021 7:53 PM
To: cygwin AT cygwin DOT com <cygwin AT cygwin DOT com>
Subject: Re: TLS version problem downloading mirrors.lst?

On 2021-02-05 18:00, Brad Wetmore via Cygwin wrote:
> I am trying to install a new instance of cygwin on Windows 2016 Server MSDN instance and am having problems downloading the mirrors list:
>      2021/02/05 14:21:39 connection error: 12029 fetching https://cygwin.com/mirrors.lst
> Using Wireshark and configuration options in Firefox, the root cause appears
> to be that the setup-x86_64.exe is trying to use TLSv1.0 and SSLv3 to
> download this file, but the download is failing as the response is a fatal
> TLS alert: invalid protocol (2/70). Many Internet servers have been shutting
> off TLSv1.0/SSLv3 in favor of TLSv1.2/1.3 these days, is this a case of that?
> If so, the setup app needs to be updated.

Cygwin setup is a Windows app using Windows libraries built using open tools.

> I can specify a specific server URL after the mirrors.lst download fails and
> can at least get something installed.
> Is there any workaround to force setup-x86_64.exe to default to TLSv1.2/1.3?
> Or is this something that the MSDN version of Windows 2016 Server has
> configured?
> More details/symptoms:
> I am behind a firewall, but the proxy settings in IE allow me to tunnel out.
> The corresponding "Use System Proxy Settings" in Firefox works fine. But when
> I set the TLS settings in Firefox's "about:config" to use only TLSv1.0/SSLv3,
> I see the same alert being returned to Firefox.
> Wireshark reports:
> CONNECT cygwin.com:443 HTTP1.0 ->
> User-Agent: ...deleted
> <- HTTP/1.0 200 Connection established
> ClientHello ->
> v1.0
> <- Fatal Alert: 2/70
> Supposedly SCHANNEL has TLSv1.2 on by default, but have no idea how the
> setup app is written.

*NOT* by default on W2016 for SCHANNEL and may need enabled for both CLIENT and
SERVER uses:

https://github.com/MicrosoftDocs/windowsserverdocs/issues/2783

https://social.technet.microsoft.com/Forums/en-US/cb1a695b-a15c-4fa7-94f0-1aaa20c1279d/enabling-tls-12-on-windows-server-2012-amp-2016?forum=winserversecurity

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enable-and-disable-tls-12

Cygwin setup is written like most other Windows GUI apps, but you can clone the
sources, modify, and build it using only Cygwin tools.

> https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-
> https://docs.microsoft.com/en-us/archive/blogs/kaushal/support-for-ssltls-protocols-on-windows

> My previous installs of cygwin aren't having any problems when trying to
> incrementally add software, maybe the mirrors file is cached somewhere?

Are any of them running legacy Server instances?

> Thanks for any tips,

It's possible that W2016 might not support the root CA, support available TLS
1.2 Cipher suites (although that seems unlikely with the WEAK ratings), TLS 1.3,
HTTP2, etc:

        https://www.ssllabs.com/ssltest/analyze.html?d=cygwin.com

--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]
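
The Wireshark exchange quoted above (a v1.0 ClientHello answered by "Fatal Alert: 2/70"), decoded in Python as an added example that is not part of either post. In TLS, alert level 2 is fatal and description 70 is protocol_version; the sample bytes are constructed for illustration, not taken from a capture.

```python
import struct

# Names for the numbers Wireshark shows (RFC 5246, section 7.2).
LEVELS = {1: "warning", 2: "fatal"}
DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def version_name(major, minor):
    return VERSIONS.get((major, minor), f"unknown({major},{minor})")

def parse_record(data):
    """Decode one TLS record holding either an alert or a ClientHello."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    if ctype == 21 and length == 2:  # alert: level byte, description byte
        return {"kind": "alert",
                "level": LEVELS.get(body[0], str(body[0])),
                "description": DESCRIPTIONS.get(body[1], str(body[1]))}
    if ctype == 22 and length >= 6 and body[0] == 1:  # handshake type 1 = ClientHello
        # 4-byte handshake header, then the 2-byte client_version: the highest
        # version offered (TLS 1.3 clients use the supported_versions extension).
        return {"kind": "client_hello",
                "record_version": version_name(major, minor),
                "client_version": version_name(body[4], body[5])}
    raise ValueError("unsupported record")

def diagnose(client_bytes, server_bytes):
    """Summarise a ClientHello and the server's first reply."""
    hello, reply = parse_record(client_bytes), parse_record(server_bytes)
    if hello["kind"] != "client_hello" or reply["kind"] != "alert":
        return "not a ClientHello/alert pair"
    if (reply["level"], reply["description"]) == ("fatal", "protocol_version"):
        return f"server refused {hello['client_version']} as the client's highest version"
    return f"{reply['level']} alert {reply['description']}"

# Constructed sample bytes (not a capture): a minimal TLSv1.0 ClientHello
# offering one cipher suite, and a 2/70 alert record.
_body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
_handshake = b"\x01" + len(_body).to_bytes(3, "big") + _body
SAMPLE_CLIENT_HELLO = b"\x16\x03\x01" + len(_handshake).to_bytes(2, "big") + _handshake
SAMPLE_ALERT = b"\x15\x03\x03\x00\x02\x02\x46"

if __name__ == "__main__":
    print(diagnose(SAMPLE_CLIENT_HELLO, SAMPLE_ALERT))
```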
