From: Brian Inglis
Organization: Systematic Software
To: cygwin@cygwin.com
Reply-To: cygwin@cygwin.com
Subject: Re: TLS version problem downloading mirrors.lst?
Message-ID: <595f4a6c-ad35-14ba-918e-06014bc7bb96@SystematicSw.ab.ca>
Date: Fri, 5 Feb 2021 20:53:41 -0700

On 2021-02-05 18:00, Brad Wetmore via Cygwin wrote:
> I am trying to install a new instance of cygwin on Windows 2016 Server MSDN
> instance and am having problems downloading the mirrors list:
> 2021/02/05 14:21:39 connection error: 12029 fetching https://cygwin.com/mirrors.lst
> Using Wireshark and configuration options in Firefox, the root cause appears
> to be that the setup-x86_64.exe is trying to use TLSv1.0 and SSLv3 to
> download this file, but the download is failing as the response is a fatal
> TLS alert: invalid protocol (2/70). Many Internet servers have been shutting
> off TLSv1.0/SSLv3 in favor of TLSv1.2/1.3 these days; is this a case of that?
> If so, the setup app needs to be updated.

Cygwin setup is a Windows app using Windows libraries, built using open tools.
> I can specify a specific server URL after the mirrors.lst download fails and
> can at least get something installed.
> Is there any workaround to force setup-x86_64.exe to default to TLSv1.2/1.3?
> Or is this something that the MSDN version of Windows 2016 Server has
> configured?
> More details/symptoms:
> I am behind a firewall, but the proxy settings in IE allow me to tunnel out.
> The corresponding "Use System Proxy Settings" in Firefox works fine. But when
> I set the TLS settings in Firefox's "about:config" to use only TLSv1.0/SSLv3,
> I see the same alert being returned to Firefox.
> Wireshark reports:
> CONNECT cygwin.com:443 HTTP1.0 ->
> User-Agent: ...deleted
> <- HTTP/1.0 200 Connection established
> ClientHello ->
> v1.0
> <- Fatal Alert: 2/70
> Supposedly SCHANNEL has TLSv1.2 on by default, but have no idea how the
> setup app is written.

*NOT* by default on W2016 for SCHANNEL, and it may need to be enabled for both CLIENT and SERVER uses:

https://github.com/MicrosoftDocs/windowsserverdocs/issues/2783
https://social.technet.microsoft.com/Forums/en-US/cb1a695b-a15c-4fa7-94f0-1aaa20c1279d/enabling-tls-12-on-windows-server-2012-amp-2016?forum=winserversecurity
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enable-and-disable-tls-12

Cygwin setup is written like most other Windows GUI apps, but you can clone the sources, modify, and build it using only Cygwin tools.

> https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-
> https://docs.microsoft.com/en-us/archive/blogs/kaushal/support-for-ssltls-protocols-on-windows
> My previous installs of cygwin aren't having any problems when trying to
> incrementally add software; maybe the mirrors file is cached somewhere?

Are any of them running legacy Server instances?
> Thanks for any tips,

It's possible that W2016 might not support the root CA, the available TLS 1.2 cipher suites (although that seems unlikely with the WEAK ratings), TLS 1.3, HTTP2, etc.:

https://www.ssllabs.com/ssltest/analyze.html?d=cygwin.com

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]
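As an added example, not from the thread or the Cygwin project, here is a PowerShell audit of the Schannel protocol override keys the reply points at (Microsoft's documented `SCHANNEL\Protocols` registry location with its `Enabled` and `DisabledByDefault` DWORDs), plus a helper that turns TLS 1.2 on for the Client role; the Server 2016 default state itself is not asserted here, a missing key simply reports "OS default":

```powershell
# Added example (not from the thread): audit Schannel protocol overrides that govern
# which TLS versions Windows clients such as Cygwin setup may offer, and optionally
# enable TLS 1.2 for the Client role. Changing keys needs elevation, and Schannel
# reads them at boot, so reboot after applying.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param(
        [string[]]$Protocol = @('SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'),
        [string[]]$Role = @('Client', 'Server')
    )
    foreach ($p in $Protocol) {
        foreach ($r in $Role) {
            $key = Join-Path (Join-Path $SchannelProtocols $p) $r
            $state = 'OS default (no override key)'
            if (Test-Path $key) {
                $props   = Get-ItemProperty -Path $key
                $enabled = $props.PSObject.Properties['Enabled']
                $dbd     = $props.PSObject.Properties['DisabledByDefault']
                # Enabled=0 switches the protocol off outright; DisabledByDefault=1 leaves it
                # available only to apps that request that version explicitly.
                if ($enabled -and $enabled.Value -eq 0) { $state = 'disabled (Enabled=0)' }
                elseif ($dbd -and $dbd.Value -ne 0)     { $state = 'not offered by default (DisabledByDefault=1)' }
                elseif ($enabled -or $dbd)              { $state = 'enabled by override' }
                else                                    { $state = 'key present, no values (OS default)' }
            }
            [pscustomobject]@{ Protocol = $p; Role = $r; State = $state }
        }
    }
}

function Enable-SchannelTls12 {
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet('Client', 'Server')][string[]]$Role = @('Client'))
    foreach ($r in $Role) {
        $key = Join-Path (Join-Path $SchannelProtocols 'TLS 1.2') $r
        if ($PSCmdlet.ShouldProcess($key, 'Set Enabled=1, DisabledByDefault=0')) {
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value 1 -Force | Out-Null
            New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value 0 -Force | Out-Null
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
# Enable-SchannelTls12 -Role Client -WhatIf   # preview; drop -WhatIf to apply, then reboot
```

Run the audit first on the affected Server 2016 host; if the TLS 1.2 Client row is anything other than enabled, the setup app cannot offer TLS 1.2 regardless of how it is written.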