X-Recipient: archive-cygwin AT delorie DOT com
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 5C9E23A15C47
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com;
	s=default; t=1612573233;
	bh=88Ms/g9XxHMliR+9lPTmNJcgOYq17tuVmmjzjsK6AP4=;
	h=To:Subject:Date:List-Id:List-Unsubscribe:List-Archive:List-Post:
	 List-Help:List-Subscribe:From:Reply-To:From;
	b=EdE31CHQQLGQHgTWADs65sFxeSbFXZh8pcI9tuvCxE9NR0nvstj9Lka5rHSFyktDY
	 HFcl9VbGNQP+SEXjj2jTGhEdT1feR7s+fWxsCgS3lgSW0z7cLCN0VP2KkkheAzBby0
	 oaG+G5rYVpe4tTQPvAnoDzXepOlpvPddGDIZiBME=
X-Original-To: cygwin AT cygwin DOT com
Delivered-To: cygwin AT cygwin DOT com
DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 01BAA385781D
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=QJ67EAaJK/wmG8qj/8ip3P//GQHzwfM6wm0J7zeJG0NM9Yfj+goj+XybyKZwBQansNKWWOCt4nRB9ONmkmcdfV/83bA5iYoGHiwf5A75t6ZLs/PaYVflSeBSWqSPvoucAui2qLEGxZqKvcTTlVLSzOuMMDQEG8QMM521Y3tbJ0O4IYshEyJZ4rOVgi7thwEZrRZKaTmcg7GkZGLYDkFOKeWqvWYIoZskriqHlSxEcduAxEm+IftBOPnytTSSXCJK8CyyE/gF382xWs8oYJIGGOh1t2XwlcaWcWHIAqrt06tfW0dgTCTrIdMLMPfrV0poWbJU7LU1SBfwmqCq+8n+8g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; 
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=VJo7Zro5jxf9av4O34X6+vP2/ZlMTjhwOvHj9sMyF64=;
 b=Cb8dr6SIK08EniOP/aCv/ilLuBeL0SKav9rXCigLwyTsQaztqgZxHHAub7txW/zjecRpL6Do8id6WLpWSS0gpn5gA6Viud5GB9kiUEG6ZEI2dhf+XICdqkQ0a11rsXLnOSI1oobdN71ptfoORe4qWiXA38eKFcHVaUVOqwCdxrTRATyhneh1CW14XkvHFvb9/iXnAifu0O/KRxOgSlXyBHUhyt9Na6eSdVsT58r7VNjSMynzXDOQCv1PNjXHKaw0lavwYotXCGPTWEbnDTbgb89+BzLfCf4pqmWwZvd2YPxdj63n3gqn42RaN9l6FZZZWxRThFLM00atcMVCFbNGRA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none;
 dkim=none; arc=none
To: "cygwin AT cygwin DOT com" <cygwin AT cygwin DOT com>
Subject: TLS version problem downloading mirrors.lst?
Thread-Topic: TLS version problem downloading mirrors.lst?
Thread-Index: AQHW/CM9OQWtZDgBnkuxFieuhT70Xw==
Date: Sat, 6 Feb 2021 01:00:28 +0000
Message-ID: <BYAPR07MB59425A659F71A5C1246B588EB6B19@BYAPR07MB5942.namprd07.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-incomingtopheadermarker: OriginalChecksum:C1E9F86A863DFA35FC61D43A08C6EB7EC597BD3936984E07938E2CBAF03EAAD4;
 UpperCasedChecksum:F060995878260A023259B2AF119FD8B7FC2D0A2BA0643944FA06D02BAD500C1B;
 SizeAsReceived:6862; Count:42
x-ms-exchange-messagesentrepresentingtype: 1
x-tmn: [KlLl0P0FFg29d6QlmGIRxMMU1ita6afjPey4a3x6768dg9pXpaF3d2F4gt6rD7Xb3d85dfNwWBs=]
x-ms-publictraffictype: Email
x-incomingheadercount: 42
x-eopattributedmessage: 0
x-ms-office365-filtering-correlation-id: e0ab50e0-1fd1-443f-c2ba-08d8ca3a982f
x-ms-traffictypediagnostic: DM6NAM10HT083:
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: yNzj+tidaA/Vuiu7BOz9GF8X9hMzREaofhfugixAEpFbmVGpPrlQ9Ryeqc/TUunSn3gBuJkYgSjjElyVfGa1I1TwrQNkloL6hsWXwy0SD5Di43iDNmJR+xqc7Jpmal8HBSHkyW7RyMRFdcwxAJ/CwAryeHul0v1XPntl3Z1hrSapENMY3PM8GUzIUUMmjqFgkQ3FNbVO2UsKWGAD9WJhMY7SpR69Ao8JC8fbtsFyO3gFCxuD3OuoC2WpIfZAP9FzUeoN0M7HI4gNfStPW70LKdh2c3B1O8wZlkN3ymHUxOK7AzCT+LjZem/jvVzJ0Jo9xRfOJCiTExNDScR7bRzRhZyh+GGo61MXZmhNULxxxWwgg0CMHEc3yEiu8GBnpdSexptCfjeuz3Wi+RX9XQub/qytUKsZLt2kC2j6cL5bxaClCyw66Os2DmY0FWexNf9V
x-ms-exchange-antispam-messagedata: k73FQqBVdeWlOs9Adv1dccU9gY1Na97dBhRPxMO6TBaCaUczElsNjxJ391irTAm7So+6nEyyWrCDCCK5U0qjEH/gypTR36XH+armY7Huh4zVE8UMpBX3kCUSD2vvv7lXTqCW8O6D4m5Tzq1o2KyuQkO75BAzXoIEGmpqCSQ9UPMVxwazNHTGE4G2RVMvNFToEcy3fTeEj7SzDmI8076I0Q==
x-ms-exchange-transport-forked: True
MIME-Version: 1.0
X-OriginatorOrg: hotmail.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-AuthSource: DM6NAM10FT014.eop-nam10.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-Network-Message-Id: e0ab50e0-1fd1-443f-c2ba-08d8ca3a982f
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Feb 2021 01:00:28.2516 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6NAM10HT083
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00, DKIM_SIGNED,
 DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_FROM, HTML_MESSAGE,
 RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2, SPF_HELO_PASS, SPF_PASS,
 TXREP autolearn=ham autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
 server2.sourceware.org
X-Content-Filtered-By: Mailman/MimeDel 2.1.29
X-BeenThere: cygwin AT cygwin DOT com
X-Mailman-Version: 2.1.29
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
 <mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
From: Brad Wetmore via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Brad Wetmore <bradfordwetmore AT hotmail DOT com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "Cygwin" <cygwin-bounces AT cygwin DOT com>

Hi,

I am trying to install a new instance of cygwin on Windows 2016 Server MSDN instance and am having problems downloading the mirrors list:

    2021/02/05 14:21:39 connection error: 12029 fetching https://cygwin.com/mirrors.lst

Using Wireshark and configuration options in Firefox, the root cause appears to be that the setup-x86_64.exe is trying to use TLSv1.0 and SSLv3 to download this file, but the download is failing as the response is a fatal TLS alert: invalid protocol (2/70). Many Internet servers have been shutting off TLSv1.0/SSLv3 in favor of TLSv1.2/1.3 these days, is this a case of that? If so, the setup app needs to be updated.

I can specify a specific server URL after the mirrors.lst download fails and can at least get something installed.

Is there any workaround to force setup-x86_64.exe to default to TLSv1.2/1.3? Or is this something that the MSDN version of Windows 2016 Server has configured?


More details/symptoms:

I am behind a firewall, but the proxy settings in IE allow me to tunnel out. The corresponding "Use System Proxy Settings" in Firefox works fine. But when I set the TLS settings in Firefox's "about:config" to use only TLSv1.0/SSLv3, I see the same alert being returned to Firefox.

Wireshark reports:

CONNECT cygwin.com:443 HTTP1.0 ->
User-Agent: ...deleted

<- HTTP/1.0 200 Connection established

ClientHello ->
v1.0

<- Fatal Alert: 2/70

Supposedly SCHANNEL has TLSv1.2 on by default, but have no idea how the setup app is written.

https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-
https://docs.microsoft.com/en-us/archive/blogs/kaushal/support-for-ssltls-protocols-on-windows

My previous installs of cygwin aren't having any problems when trying to incrementally add software, maybe the mirrors file is cached somewhere?

Thanks for any tips,

Brad


--
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple