Subject: Re: What is the proper mailing list for server issues?
To: cygwin AT cygwin DOT com
From: Brian Inglis
Reply-To: Brian DOT Inglis AT SystematicSw DOT ab DOT ca
Message-ID: <644c0cdb-d0ec-4c70-1977-71fbc5ea7f8d@SystematicSw.ab.ca>
Date: Mon, 24 Apr 2017 14:58:02 -0600

On 2017-04-24 08:59, Gluszczak, Glenn wrote:
> On 2017-04-21 08:06, Gluszczak, Glenn wrote:
>> On 4/21/2017 2:35 AM, Greywolf wrote:
>>> I am having a server issue that neither I nor my ISP seem to be able
>>> to resolve with regards to connecting to Cygwin.com -- namely, only
>>> from my house, I get a 403 Forbidden.
>> This is _your_ problem. Something has caused you to not be able to
>> reach cygwin.com properly. What IP address does cygwin.com resolve
>> to?
>> Does using the IP address directly work for you?
>> $ ping cygwin.com
>> Pinging cygwin.com [209.132.180.131] with 32 bytes of data:
>>> I've been round with my ISP and they are unable to reproduce the
>>> issue; the response I get from here is "contact your ISP". So who
>>> do I contact about this? Not being able to automagically fetch
>>> the mirror list is annoying, and not being able to reach the site
>>> to see about updates and such is similarly so.
>> Understandable but nothing we can do from here.
>>> I'm trying from several different machines in the house, some
>>> directly connected, as well as any thru the NAT interface. This
>>> is the ONLY site I cannot reach normally. I have to use the Tor
>>> browser to reach the site, and, even then, once I get a new
>>> cygwin setup .exe, the list of mirrors doesn't auto-fill because
>>> (surprise, surprise) I cannot connect via any known protocol to
>>> either www.cygwin.com or 209.132.180.131.
>>> The SSL certificates I get from a successful Tor hit and an
>>> unsuccessful 403 from home are identical
>>> I am concluding that at least the address range
>>> 69.12.250.{40-47} are being blocked; and it probably extends
>>> beyond that.
>>> Firewall is a Watchguard Firebox running pf_sense. I get the 403
>>> even with a direct (non-firewalled, non-routed connection)
>>> I have attached two .txt files with runs from two servers within
>>> my house, one running NetBSD, one running Windows [thus the
>>> importance of cygwin].
>>> Included are runs from 'host'/'nslookup', 'ping', 'traceroute',
>>> 'curl' and 'openssl'
>>> This is NOT a local firewall issue, otherwise my other machines
>>> on different addresses would not have a problem.
>>> smaug is my internal firewall.
>>> stupidhead is the default next hop from said firewall.
>>> "...it's nothing to do with cygwin.com."
>>> Sooooo, why else would I get a refusal from the web server from
>>> this address when I can connect from elsewhere ** and the SSL
>>> certificate is the same ** ??
>>> What am I missing?
>>> "...but there's nothing we can do from here."
>>> Where is "here"? If "here" == "cygwin.com", you can't tell me if
>>> my IP is on an internal blacklist (and, moreso, why?)??
>>>> Agree, it's nothing to do with Cygwin.com.
>>>> Check for a firewall on your local machine. Check your home
>>>> router to see if it has a firewall with restrictions.
>>>> Perhaps you're passing through a proxy server or firewall at
>>>> the ISP?
>>>> Try traceroute or wget to analyze what site you're really
>>>> attaching to.
> Ok, I spoke too hastily. It's possible a webserver blocks sites or
> the ISP blocks.
> Also, perhaps cygwin.com can't resolve starwolf.com as Brian
> suggested.
> Looking at your curl and openssl output I see this oddity
> "No ALPN negotiated"
> "ALPN, server did not agree to a protocol"
> According to this site cygwin.com does not support HTTP/2. Must be
> using 1.1.
> https://tools.keycdn.com/http2-test
> Does this get you a web page?
> curl -v --http1.0 https://www.cygwin.com
> You're not doing any port forwarding of 443?

I recall some issue in the past with http2 sites, TLS, http2/ALPN,
spdy/NPN, and I remember having to run curl --no-alpn --no-npn to get
it to work, but I can't find any email or script with it, so may have
been an ad hoc throwaway command, and/or something improperly set up on
a web server or with curl that did not negotiate properly during
connection setup.

Download testssl.sh from https://testssl.sh/ or clone it from the
linked GitHub repo and try it from your problem system with
.../testssl.sh cygwin.com - takes a while - run it with a black
background so you can see the yellow messages.
Many local problems highlighted in magenta are just warnings that your
SSL installation disables insecure ciphers.
Something may be highlighted with your system or their server that you
can discuss with sourcemaster at sourceware dot org.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
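
Added example, not part of the message above or of any tool named in the thread: a small Python triage of `curl -v` output that separates a network-level block from a TLS failure and from an HTTP-level refusal, and shows that a missing ALPN agreement is not by itself the failure. The two transcripts are constructed in the style of curl's verbose output (they are not the poster's attachments), and `triage` is a hypothetical helper name.

```python
import re

# Constructed samples in the style of `curl -v` output; not the poster's attachments.
HOME_RUN = """\
* Connected to www.cygwin.com (209.132.180.131) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
> GET / HTTP/1.1
< HTTP/1.1 403 Forbidden
"""
BLOCKED_RUN = """\
*   Trying 209.132.180.131...
* connect to 209.132.180.131 port 443 failed: Connection refused
"""


def triage(transcript):
    """Report the first layer at which the request stopped (hypothetical helper)."""
    def find(pattern):
        m = re.search(pattern, transcript, re.M)
        return m.group(1) if m else None

    result = {
        "peer": find(r"^\* Connected to \S+ \(([^)]+)\)"),
        "tls": find(r"^\* SSL connection using (\S+)"),
        # None means no ALPN protocol was agreed; the client then speaks HTTP/1.1.
        "alpn": find(r"^\* ALPN, server accepted to use (\S+)"),
        "status": find(r"^< HTTP/\S+ (\d{3})"),
    }
    if result["peer"] is None:
        result["layer"] = "network"   # no TCP session: firewall, routing or DNS
    elif result["tls"] is None:
        result["layer"] = "tls"       # handshake failed: protocol or cipher mismatch
    elif result["status"] is None:
        result["layer"] = "http"      # TLS completed but no HTTP response arrived
    elif int(result["status"]) >= 400:
        result["layer"] = "http"      # an HTTP server answered and refused the request
    else:
        result["layer"] = "ok"
    return result


if __name__ == "__main__":
    for name, text in (("home", HOME_RUN), ("blocked", BLOCKED_RUN)):
        print(name, triage(text))
```
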