public inbox for cygwin@cygwin.com
* What is the proper mailing list for server issues?
@ 2017-04-21 11:42 Greywolf
  2017-04-21 18:31 ` cyg Simple
  2017-04-21 18:38 ` Jon Turney
  0 siblings, 2 replies; 11+ messages in thread
From: Greywolf @ 2017-04-21 11:42 UTC (permalink / raw)
  To: cygwin

Hello,

I am having a server issue that neither I nor my ISP seem to be able to 
resolve with regards to connecting to Cygwin.com -- namely, only from my 
house, I get a 403 Forbidden.

I've been round with my ISP and they are unable to reproduce the issue; 
the response I get from here is "contact your ISP".  So who do I contact 
about this?  Not being able to automagically fetch the mirror list is 
annoying, and not being able to reach the site to see about updates and 
such is similarly so.

Regards,

				--*greywolf;


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: What is the proper mailing list for server issues?
  2017-04-21 11:42 What is the proper mailing list for server issues? Greywolf
@ 2017-04-21 18:31 ` cyg Simple
  2017-04-21 22:12   ` Gluszczak, Glenn
  2017-04-21 22:54   ` Erik Soderquist
  2017-04-21 18:38 ` Jon Turney
  1 sibling, 2 replies; 11+ messages in thread
From: cyg Simple @ 2017-04-21 18:31 UTC (permalink / raw)
  To: cygwin

On 4/21/2017 2:35 AM, Greywolf wrote:
> Hello,
> 
> I am having a server issue that neither I nor my ISP seem to be able to
> resolve with regards to connecting to Cygwin.com -- namely, only from my
> house, I get a 403 Forbidden.
> 

This is _your_ problem.  Something has caused you to not be able to
reach cygwin.com properly.  What IP address does cygwin.com resolve to?
Does using the IP address directly work for you?

$ ping cygwin.com

Pinging cygwin.com [209.132.180.131] with 32 bytes of data:


> I've been round with my ISP and they are unable to reproduce the issue;
> the response I get from here is "contact your ISP".  So who do I contact
> about this?  Not being able to automagically fetch the mirror list is
> annoying, and not being able to reach the site to see about updates and
> such is similarly so.
> 

Understandable but nothing we can do from here.

-- 
cyg Simple


* Re: What is the proper mailing list for server issues?
  2017-04-21 11:42 What is the proper mailing list for server issues? Greywolf
  2017-04-21 18:31 ` cyg Simple
@ 2017-04-21 18:38 ` Jon Turney
  2017-04-23 11:55   ` Brian Inglis
  1 sibling, 1 reply; 11+ messages in thread
From: Jon Turney @ 2017-04-21 18:38 UTC (permalink / raw)
  To: The Cygwin Mailing List; +Cc: Greywolf

On 21/04/2017 07:35, Greywolf wrote:
> Hello,
>
> I am having a server issue that neither I nor my ISP seem to be able to
> resolve with regards to connecting to Cygwin.com -- namely, only from my
> house, I get a 403 Forbidden.
>
> I've been round with my ISP and they are unable to reproduce the issue;
> the response I get from here is "contact your ISP".  So who do I contact
> about this?  Not being able to automagically fetch the mirror list is
> annoying, and not being able to reach the site to see about updates and
> such is similarly so.

You might try contacting the overseers list to ask if this is a problem 
similar to [1].

[1] https://www.sourceware.org/ml/overseers/2016-q2/msg00019.html



* RE: What is the proper mailing list for server issues?
  2017-04-21 18:31 ` cyg Simple
@ 2017-04-21 22:12   ` Gluszczak, Glenn
  2017-04-22  8:59     ` Brian Inglis
  2017-04-23 12:59     ` Greywolf
  2017-04-21 22:54   ` Erik Soderquist
  1 sibling, 2 replies; 11+ messages in thread
From: Gluszczak, Glenn @ 2017-04-21 22:12 UTC (permalink / raw)
  To: cygwin


Agree, it's nothing to do with Cygwin.com.

Check for a firewall on your local machine.  Check your home router to see if it has a firewall with restrictions.
Perhaps you're passing through a proxy server or firewall at the ISP?
Try traceroute or wget to analyze what site you're really attaching to.



On 4/21/2017 2:35 AM, Greywolf wrote:
> Hello,
> 
> I am having a server issue that neither I nor my ISP seem to be able 
> to resolve with regards to connecting to Cygwin.com -- namely, only 
> from my house, I get a 403 Forbidden.
> 

This is _your_ problem.  Something has caused you to not be able to reach cygwin.com properly.  What IP address does cygwin.com resolve to?
Does using the IP address directly work for you?

$ ping cygwin.com

Pinging cygwin.com [209.132.180.131] with 32 bytes of data:


> I've been round with my ISP and they are unable to reproduce the 
> issue; the response I get from here is "contact your ISP".  So who do 
> I contact about this?  Not being able to automagically fetch the 
> mirror list is annoying, and not being able to reach the site to see 
> about updates and such is similarly so.
> 

Understandable but nothing we can do from here.

--
cyg Simple


* Re: What is the proper mailing list for server issues?
  2017-04-21 18:31 ` cyg Simple
  2017-04-21 22:12   ` Gluszczak, Glenn
@ 2017-04-21 22:54   ` Erik Soderquist
  1 sibling, 0 replies; 11+ messages in thread
From: Erik Soderquist @ 2017-04-21 22:54 UTC (permalink / raw)
  To: cygwin

On Fri, Apr 21, 2017 at 9:46 AM, cyg Simple <cygsimple@gmail.com> wrote:
> On 4/21/2017 2:35 AM, Greywolf wrote:
>> I am having a server issue that neither I nor my ISP seem to be able to
>> resolve with regards to connecting to Cygwin.com -- namely, only from my
>> house, I get a 403 Forbidden.

If you try https rather than http, you should get a flag about a wrong
certificate if it is connecting to the wrong host (this sounds highly
likely).  Perhaps the certificate information you get will show who
you are actually connecting to...?

>>
>
> This is _your_ problem.  Something has caused you to not be able to
> reach cygwin.com properly.  What IP address does cygwin.com resolve to?
> Does using the IP address directly work for you?
>
> $ ping cygwin.com
>
> Pinging cygwin.com [209.132.180.131] with 32 bytes of data:

I had similar problems and on watching packets with Wireshark, found
that _someone_ was hijacking DNS requests... I switched to dnscrypt
and have not had that problem since.

-- Erik


* Re: What is the proper mailing list for server issues?
  2017-04-21 22:12   ` Gluszczak, Glenn
@ 2017-04-22  8:59     ` Brian Inglis
  2017-04-23 12:59     ` Greywolf
  1 sibling, 0 replies; 11+ messages in thread
From: Brian Inglis @ 2017-04-22  8:59 UTC (permalink / raw)
  To: cygwin

On 2017-04-21 09:06, Gluszczak, Glenn wrote:
> On 4/21/2017 2:35 AM, Greywolf wrote:
> Agree, it's nothing to do with Cygwin.com.
> Check for a firewall on your local machine. Check your home router to
> see if it has a firewall with restrictions.
> Perhaps you're passing through a proxy server or firewall at the ISP?
> Try traceroute or wget to analyze what site you're really attaching to.
>> I am having a server issue that neither I nor my ISP seem to be able 
>> to resolve with regards to connecting to Cygwin.com -- namely, only 
>> from my house, I get a 403 Forbidden.

Check your and Cygwin.com's IPs locally and from a web site providing 
DNS lookups and compare with whois lookups.

> This is _your_ problem. Something has caused you to not be able to
> reach cygwin.com properly. What IP address does cygwin.com resolve
> to?
> Does using the IP address directly work for you?
> $ ping cygwin.com
> Pinging cygwin.com [209.132.180.131] with 32 bytes of data:
>> I've been round with my ISP and they are unable to reproduce the 
>> issue; the response I get from here is "contact your ISP".  So who do 
>> I contact about this?  Not being able to automagically fetch the 
>> mirror list is annoying, and not being able to reach the site to see 
>> about updates and such is similarly so.
> Understandable but nothing we can do from here.

403 is a server response e.g. folder without {index,default,home}.htm{,l} 
or it could maybe result from a net block DNS BL or RBL provider hit, 
although my checks of eddie.starwolf.com on a few return no hits.

Try {wget,curl,lynx} and different browsers against combinations of 
http{,s}://{,www.}{cygwin.com,sourceware.org/cygwin}/{,index.html} 
(echo above to see the 16 urls) and see what results you get.

Then contact sourceware.org support sourcemaster at sourceware dot org 
to see what their server logs say.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
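
The checks suggested in the replies above (which address the name resolves to, which certificate is presented, what status each of the 16 URLs returns), combined into one POSIX sh script as an added example that is not part of any poster's message. The function names are hypothetical, and the sample observations (reference status 200, fingerprint string) are constructed assumptions; only `probe` and `cert_fp` need network access and they are not called in the sample run.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# The 16 URLs produced by the brace expression
#   http{,s}://{,www.}{cygwin.com,sourceware.org/cygwin}/{,index.html}
# written as loops so it also works in shells without brace expansion.
url_matrix() {
    for scheme in http https; do
        for prefix in "" www.; do
            for site in cygwin.com sourceware.org/cygwin; do
                for page in "" index.html; do
                    printf '%s://%s%s/%s\n' "$scheme" "$prefix" "$site" "$page"
                done
            done
        done
    done
}

# One observation for a URL: "<http_code> <remote_ip> <ssl_verify_result>".
# Needs network access; run it from each vantage point being compared.
probe() {
    curl -sS -o /dev/null --max-time 15 \
         -w '%{http_code} %{remote_ip} %{ssl_verify_result}\n' "$1"
}

# SHA-256 fingerprint of the leaf certificate a host presents on port 443.
# Needs network access.
cert_fp() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# Compare one observation taken at the affected site with one taken from a
# reference vantage point (another network, a VPN, Tor).
# Arguments: home_ip home_fp home_code ref_ip ref_fp ref_code
classify() {
    h_ip=$1 h_fp=$2 h_code=$3 r_ip=$4 r_fp=$5 r_code=$6
    if [ "$h_ip" != "$r_ip" ]; then
        # The name resolves or connects differently: look at the resolver
        # and at anything rewriting DNS answers on the path.
        echo dns-differs
    elif [ "$h_fp" != "$r_fp" ]; then
        # Same address, different certificate: something else is
        # terminating TLS for one of the two vantage points.
        echo endpoint-differs
    elif [ "$h_code" != "$r_code" ]; then
        # Same address, same certificate, different HTTP status: the same
        # TLS endpoint answers differently per client, so the server
        # operators' logs are the next place to look.
        echo server-answers-differently
    else
        echo no-difference
    fi
}

# Constructed sample: the address and the 403 are the values quoted in the
# thread; the fingerprint string and the reference status 200 are made up.
sample_verdict() {
    classify 209.132.180.131 FP-CONSTRUCTED 403 \
             209.132.180.131 FP-CONSTRUCTED 200
}

echo "URLs in matrix: $(url_matrix | wc -l | tr -d ' ')"
echo "Sample verdict: $(sample_verdict)"
```
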


* Re: What is the proper mailing list for server issues?
  2017-04-21 18:38 ` Jon Turney
@ 2017-04-23 11:55   ` Brian Inglis
  0 siblings, 0 replies; 11+ messages in thread
From: Brian Inglis @ 2017-04-23 11:55 UTC (permalink / raw)
  To: cygwin

On 2017-04-21 08:06, Jon Turney wrote:
> On 21/04/2017 07:35, Greywolf wrote:
>> Hello,
>>
>> I am having a server issue that neither I nor my ISP seem to be
>> able to resolve with regards to connecting to Cygwin.com -- namely,
>> only from my house, I get a 403 Forbidden.
>>
>> I've been round with my ISP and they are unable to reproduce the
>> issue; the response I get from here is "contact your ISP". So who
>> do I contact about this? Not being able to automagically fetch the
>> mirror list is annoying, and not being able to reach the site to
>> see about updates and such is similarly so.
> 
> You might try contacting the overseers list to ask if this is a
> problem similar to [1].
> 
> [1] https://www.sourceware.org/ml/overseers/2016-q2/msg00019.html

A proxy server could also possibly cause the same symptoms. 
Are you accessing the web directly or via any type of proxy 
e.g. at your ISP, or over a VPN?

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada


* Re: What is the proper mailing list for server issues?
  2017-04-21 22:12   ` Gluszczak, Glenn
  2017-04-22  8:59     ` Brian Inglis
@ 2017-04-23 12:59     ` Greywolf
  2017-04-23 15:21       ` Brian Inglis
  2017-04-24 20:50       ` Gluszczak, Glenn
  1 sibling, 2 replies; 11+ messages in thread
From: Greywolf @ 2017-04-23 12:59 UTC (permalink / raw)
  To: cygwin

[-- Attachment #1: Type: text/plain, Size: 2892 bytes --]

Greetings,

I'm trying from several different machines in the house, some directly 
connected, as well as any thru the NAT interface.  This is the ONLY site 
I cannot reach normally.  I have to use the Tor browser to reach the 
site, and, even then, once I get a new cygwin setup .exe, the list of 
mirrors doesn't auto-fill because (surprise, surprise) I cannot connect 
via any known protocol to either www.cygwin.com or 209.132.180.131.

The SSL certificates I get from a successful Tor hit and an unsuccessful 
403 from home are identical.

I am concluding that at least the address range 69.12.250.{40-47} is 
being blocked; and it probably extends beyond that.

Firewall is a Watchguard Firebox running pf_sense.  I get the 403 even 
with a direct (non-firewalled, non-routed connection).

I have attached two .txt files with runs from two servers within my 
house, one running NetBSD, one running Windows [thus the importance of 
cygwin].
Included are runs from 'host'/'nslookup', 'ping', 'traceroute', 'curl' 
and 'openssl'.

This is NOT a local firewall issue, otherwise my other machines on 
different addresses would not have a problem.

smaug is my internal firewall.
stupidhead is the default next hop from said firewall.

"...it's nothing to do with cygwin.com."

Sooooo, why else would I get a refusal from the web server from this 
address when I can connect from elsewhere ** and the SSL certificate is 
the same ** ??

What am I missing?

"...but there's nothing we can do from here."

Where is "here"? If "here" == "cygwin.com", you can't tell me if my IP 
is on an internal blacklist (and, moreso, why?)??


On 2017-04-21 08:06, Gluszczak, Glenn wrote:
>
> Agree, it's nothing to do with Cygwin.com.
>
> Check for a firewall on your local machine.  Check your home router to see if it has a firewall with restrictions.
> Perhaps you're passing through a proxy server or firewall at the ISP?
> Try traceroute or wget to analyze what site you're really attaching to.
>
>
>
> On 4/21/2017 2:35 AM, Greywolf wrote:
>> Hello,
>>
>> I am having a server issue that neither I nor my ISP seem to be able
>> to resolve with regards to connecting to Cygwin.com -- namely, only
>> from my house, I get a 403 Forbidden.
>>
>
> This is _your_ problem.  Something has caused you to not be able to reach cygwin.com properly.  What IP address does cygwin.com resolve to?
> Does using the IP address directly work for you?
>
> $ ping cygwin.com
>
> Pinging cygwin.com [209.132.180.131] with 32 bytes of data:
>
>
>> I've been round with my ISP and they are unable to reproduce the
>> issue; the response I get from here is "contact your ISP".  So who do
>> I contact about this?  Not being able to automagically fetch the
>> mirror list is annoying, and not being able to reach the site to see
>> about updates and such is similarly so.
>>
>
> Understandable but nothing we can do from here.

[-- Attachment #2: cygwin-403-BSD.txt --]
[-- Type: text/plain, Size: 9951 bytes --]

--- output from 'nslookup www.cygwin.com', Windows@69.12.250.40
Non-authoritative answer:
Server:  galadriel.middle-earth.starwolf.com
Address: xx.xx.xx.xx

Name:    www.cygwin.com
Address:  209.132.180.131

--- output from 'ping www.cygwin.com', Windows@69.12.250.40

Pinging www.cygwin.com [209.132.180.131] with 32 bytes of data:
Reply from 209.132.180.131: bytes=32 time=89ms TTL=49
Reply from 209.132.180.131: bytes=32 time=78ms TTL=49
Reply from 209.132.180.131: bytes=32 time=77ms TTL=49
Reply from 209.132.180.131: bytes=32 time=78ms TTL=49

Ping statistics for 209.132.180.131:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 77ms, Maximum = 89ms, Average = 80ms

--- output from 'tracert www.cygwin.com', Windows@69.12.250.40
Tracing route to www.cygwin.com [209.132.180.131]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  smaug.middle-earth.starwolf.com [172.21.12.1]
  2    48 ms    49 ms    51 ms  69-12-250-1.static.dsltransport.net [69.12.250.1]
  3    48 ms    49 ms    49 ms  109.at-4-0-0.gw3.200p-sf.sonic.net [208.106.28.117]
  4    48 ms    49 ms    49 ms  0.ae2.gw.200p-sf.sonic.net [70.36.211.53]
  5    49 ms    49 ms    51 ms  as0.gw2.200p-sf.sonic.net [208.106.96.250]
  6    50 ms    51 ms    51 ms  303.ae4.gw.pao1.sonic.net [69.12.163.217]
  7    53 ms    51 ms    53 ms  te0-0-0-15.ccr21.sjc04.atlas.cogentco.com [38.104.141.81]
  8    52 ms    53 ms    53 ms  be2013.ccr41.sjc03.atlas.cogentco.com [154.54.5.105]
  9    53 ms    53 ms    53 ms  be3144.ccr22.sjc01.atlas.cogentco.com [154.54.5.101]
 10    65 ms    65 ms    65 ms  be3177.ccr22.lax01.atlas.cogentco.com [154.54.40.145]
 11    77 ms    77 ms    75 ms  be2932.ccr22.phx02.atlas.cogentco.com [154.54.45.161]
 12    77 ms    77 ms    77 ms  be2125.agr12.phx02.atlas.cogentco.com [154.54.1.102]
 13    77 ms    79 ms    77 ms  154.24.53.154
 14    77 ms    77 ms    77 ms  38.88.238.30
 15    89 ms    91 ms    93 ms  unused [66.187.228.249]
 16    89 ms    91 ms    89 ms  transit-21-180-132-209.redhat.com [209.132.180.21]
 17    77 ms    79 ms    81 ms  server1.sourceware.org [209.132.180.131]

Trace complete.

--- output from 'curl -vso /dev/null https://www.cygwin.com', 
--- Windows@69.12.250.40

* STATE: INIT => CONNECT handle 0x6000579c0; line 1413 (connection #-5000)
* Rebuilt URL to: https://www.cygwin.com/
* Added connection 0. The cache now contains 1 members
*   Trying 209.132.180.131...
* TCP_NODELAY set
* STATE: CONNECT => WAITCONNECT handle 0x6000579c0; line 1466 (connection #0)
* Connected to www.cygwin.com (209.132.180.131) port 443 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x6000579c0; line 1583 (connection #0)
* Marked for [keep alive]: HTTP default
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x6000579c0; line 1597 (connection #0)
{ [5 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [98 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2519 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=cygwin.com
*  start date: Mar  1 03:04:00 2017 GMT
*  expire date: May 30 03:04:00 2017 GMT
*  subjectAltName: host "www.cygwin.com" matched cert's "www.cygwin.com"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* STATE: PROTOCONNECT => DO handle 0x6000579c0; line 1618 (connection #0)
} [5 bytes data]
> GET / HTTP/1.1
> Host: www.cygwin.com
> User-Agent: curl/7.52.1
> Accept: */*
>
* STATE: DO => DO_DONE handle 0x6000579c0; line 1680 (connection #0)
* STATE: DO_DONE => WAITPERFORM handle 0x6000579c0; line 1807 (connection #0)
* STATE: WAITPERFORM => PERFORM handle 0x6000579c0; line 1817 (connection #0)
{ [5 bytes data]
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 403 Forbidden
< Date: Sat, 22 Apr 2017 19:39:30 GMT
* Server Apache is not blacklisted
< Server: Apache
< Vary: Accept-Encoding
< Content-Length: 382
< Content-Type: text/html; charset=iso-8859-1
<
{ [5 bytes data]
* STATE: PERFORM => DONE handle 0x6000579c0; line 1981 (connection #0)
* multi_done
* Curl_http_done: called premature == 0
* Connection #0 to host www.cygwin.com left intact

--- output from 'openssl s_client -connect www.cygwin.com:443', Windows@69.12.250.40 ---
- [input: HEAD / HTTP/1.1\nHost: defender.starwolf.com\n\n]
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = cygwin.com
verify return:1
---
Certificate chain
 0 s:/CN=cygwin.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=cygwin.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3200 bytes and written 434 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: E6B555893E514447A292ADA81A59729C74D28EA6675D26FF9E1FEBA011449206
    Session-ID-ctx:
    Master-Key: 396E35A0B888D9727A8D9A173F4FF55C65939F6000CA67AB2D1924EBCA86DE91DC51ADD014528C75F91257A3AEFAE29E
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1492891391
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
HEAD / HTTP/1.1
Host: defender.starwolf.com

HTTP/1.1 403 Forbidden
Date: Sat, 22 Apr 2017 20:03:15 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1

DONE


[-- Attachment #3: cygwin-403-Windows.txt --]
[-- Type: text/plain, Size: 8841 bytes --]

--- output from 'host www.cygwin.com', NetBSD@69.12.250.42 ---
www.cygwin.com has address 209.132.180.131

--- output from 'ping -c 4 www.cygwin.com', NetBSD@69.12.250.42 ---
PING www.cygwin.com (209.132.180.131): 56 data bytes
64 bytes from 209.132.180.131: icmp_seq=0 ttl=49 time=79.846013 ms
64 bytes from 209.132.180.131: icmp_seq=1 ttl=49 time=77.474827 ms
64 bytes from 209.132.180.131: icmp_seq=2 ttl=49 time=79.351679 ms
64 bytes from 209.132.180.131: icmp_seq=3 ttl=49 time=78.905822 ms

----www.cygwin.com PING Statistics----
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 77.474827/78.894585/79.846013/1.021435 ms


--- output from 'traceroute www.cygwin.com', NetBSD@69.12.250.42 ---
traceroute to www.cygwin.com (209.132.180.131), 64 hops max, 40 byte packets
 1  smaug (172.21.12.1)  0.624 ms  0.729 ms  0.742 ms
 2  stupidhead (69.12.250.1)  48.060 ms  48.074 ms  48.085 ms
 3  109.at-4-0-0.gw3.200p-sf.sonic.net (208.106.28.117)  49.581 ms  49.895 ms  48.096 ms
 4  0.ae2.gw.200p-sf.sonic.net (70.36.211.53)  48.048 ms  47.990 ms  47.695 ms
 5  as0.gw2.200p-sf.sonic.net (208.106.96.250)  49.986 ms  47.981 ms  48.082 ms
 6  303.ae4.gw.pao1.sonic.net (69.12.163.217)  51.906 ms  49.904 ms  51.928 ms
 7  te0-0-0-15.ccr21.sjc04.atlas.cogentco.com (38.104.141.81)  51.911 ms  51.831 ms  51.931 ms
 8  be2013.ccr41.sjc03.atlas.cogentco.com (154.54.5.105)  53.835 ms  52.215 ms  51.935 ms
 9  be3144.ccr22.sjc01.atlas.cogentco.com (154.54.5.101)  53.817 ms  51.847 ms
    be3142.ccr21.sjc01.atlas.cogentco.com (154.54.1.193)  51.932 ms
10  be3176.ccr21.lax01.atlas.cogentco.com (154.54.31.189)  64.101 ms  65.688 ms
    be3177.ccr22.lax01.atlas.cogentco.com (154.54.40.145)  65.787 ms
11  be2931.ccr21.phx02.atlas.cogentco.com (154.54.44.85)  76.030 ms  75.695 ms  76.179 ms
12  te0-0-1-0.agr13.phx02.atlas.cogentco.com (154.54.46.190)  75.759 ms
    be2125.agr12.phx02.atlas.cogentco.com (154.54.1.102)  78.004 ms  75.669 ms
13  154.24.53.154 (154.24.53.154)  78.072 ms  78.042 ms
    154.24.53.150 (154.24.53.150)  77.717 ms
14  38.88.238.30 (38.88.238.30)  89.966 ms  75.754 ms
    38.122.88.218 (38.122.88.218)  75.790 ms
15  unused (66.187.228.248)  81.882 ms
    unused (66.187.228.249)  93.647 ms  79.893 ms
16  transit-21-180-132-209.redhat.com (209.132.180.21)  100.019 ms  91.844 ms  93.896 ms
17  server1.sourceware.org (209.132.180.131)  76.150 ms !<10>  75.697 ms !<10>  80.028 ms !<10>


--- output from 'curl -vsko /dev/null https://www.cygwin.com',
--- NetBSD@69.12.250.42
[ -k because for some reason I don't have any SSL certs on the box
[ other than the ssh host key.
* Rebuilt URL to: https://www.cygwin.com/
*   Trying 209.132.180.131...
* Connected to www.cygwin.com (209.132.180.131) port 443 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/openssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [98 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2519 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
* 	 subject: CN=cygwin.com
* 	 start date: Mar  1 03:04:00 2017 GMT
* 	 expire date: May 30 03:04:00 2017 GMT
* 	 issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* 	 SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
> Host: www.cygwin.com
> User-Agent: curl/7.45.0
> Accept: */*
> 
< HTTP/1.1 403 Forbidden
< Date: Sat, 22 Apr 2017 19:54:49 GMT
< Server: Apache
< Vary: Accept-Encoding
< Content-Length: 382
< Content-Type: text/html; charset=iso-8859-1
< 
{ [382 bytes data]
* Connection #0 to host www.cygwin.com left intact

--- output from 'openssl s_client -connect www.cygwin.com:443', NetBSD@69.12.250.42
-- Input: "HEAD / HTTP/1.0\nHost: eddie.starwolf.com\n\n"
: eddie; openssl s_client -connect www.cygwin.com:443
CONNECTED(00000004)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=cygwin.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=cygwin.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 3200 bytes and written 423 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 630FE678D129F49799C155C4858C3D78529545B0F16A0D910627AFD8082E4EBC
    Session-ID-ctx: 
    Master-Key: 5B9F5F86A167EB804A43D0A25608655FA1C09B7D454A886154861A57F7CC507F539A8F0B2F91BA3F0C7FF33D08651068
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1492891084
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
HEAD / HTTP/1.1
Host: eddie.starwolf.com

HTTP/1.1 403 Forbidden
Date: Sat, 22 Apr 2017 19:58:12 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1

DONE

^ permalink raw reply	[flat|nested] 11+ messages in thread
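
A small parser for the `openssl s_client` transcript attached to the message above, added here as an example (it is not part of the original thread): it separates what the TLS layer reported from what the HTTP layer returned. The function `triage` and its field names are assumptions of this example; the embedded transcript is excerpted from the attachment.

```python
import re

# Excerpt of the `openssl s_client` run attached above (certificate,
# session keys and ticket dump omitted); the values are the page's own.
TRANSCRIPT = """\
subject=/CN=cygwin.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Protocol  : TLSv1.2
    Verify return code: 20 (unable to get local issuer certificate)
---
HEAD / HTTP/1.1
Host: eddie.starwolf.com

HTTP/1.1 403 Forbidden
Server: Apache
"""

def _find(pattern, text):
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1).strip() if m else None

def triage(transcript):
    """Extract the facts that show which layer refused the request."""
    facts = {
        "cert_cn": _find(r"^subject=.*?CN\s*=\s*([^/,\n]+)", transcript),
        "cipher": _find(r"Cipher is (\S+)", transcript),
        "verify_code": _find(r"Verify return code: (\d+)", transcript),
        "host_sent": _find(r"^Host:\s*(\S+)", transcript),
        "http_status": _find(r"^HTTP/\d\.\d (\d{3})", transcript),
        "server": _find(r"^Server:\s*(.+)$", transcript),
    }
    status = facts["http_status"]
    # s_client prints "(NONE)" as the cipher when no handshake completed.
    if facts["cipher"] in (None, "(NONE)"):
        facts["refused_at"] = "tls"    # never got as far as HTTP
    elif status and status[0] in "45":
        facts["refused_at"] = "http"   # a web server answered and said no
    else:
        facts["refused_at"] = None
    # Code 20: the client could not find the issuer in its local trust
    # store; s_client carries on regardless, so it did not cause the 403.
    facts["local_trust_gap"] = facts["verify_code"] == "20"
    # Exact match against the CN only (no SAN or wildcard handling).
    facts["host_matches_cert"] = facts["host_sent"] == facts["cert_cn"]
    return facts

if __name__ == "__main__":
    print(triage(TRANSCRIPT))
```

On the attached run this reports a completed TLSv1.2 handshake followed by a refusal at the HTTP layer, and it shows that the request named `eddie.starwolf.com` in its Host header while the certificate is for `cygwin.com`.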

* Re: What is the proper mailing list for server issues?
  2017-04-23 12:59     ` Greywolf
@ 2017-04-23 15:21       ` Brian Inglis
  2017-04-24 20:50       ` Gluszczak, Glenn
  1 sibling, 0 replies; 11+ messages in thread
From: Brian Inglis @ 2017-04-23 15:21 UTC (permalink / raw)
  To: cygwin

On 2017-04-22 21:04, Greywolf wrote:
> I'm trying from several different machines in the house, some
> directly connected, as well as any thru the NAT interface. This is
> the ONLY site I cannot reach normally. I have to use the Tor browser
> to reach the site, and, even then, once I get a new cygwin setup
> .exe, the list of mirrors doesn't auto-fill because (surprise,
> surprise) I cannot connect via any known protocol to either
> www.cygwin.com or 209.132.180.131.
> The SSL certificates I get from a successful Tor hit and an
> unsuccessful 403 from home are identical
> I am concluding that at least the address range 69.12.250.{40-47} are
> being blocked; and it probably extends beyond that.
> Firewall is a Watchguard Firebox running pf_sense. I get the 403 even
> with a direct (non-firewalled, non-routed connection)
> I have attached two .txt file with runs from two servers within my
> house, one running NetBSD, one running Windows [thus the importance
> of cygwin].
> Included are runs from 'host'/'nslookup', 'ping', 'traceroute',
> 'curl' and 'openssl'
> This is NOT a local firewall issue, otherwise my other machines on
> different addresses would not have a problem.
> smaug is my internal firewall.
> stupidhead is the default next hop from said firewall.
> "...it's nothing to do with cygwin.com."
> Sooooo, why else would I get a refusal from the web server from this
> address when I can connect from elsewhere ** and the SSL certificate
> is the same ** ??
> What am I missing?
> "...but there's nothing we can do from here."
> Where is "here"? If "here" == "cygwin.com", you can't tell me if my
> IP is on an internal blacklist (and, moreso, why?)??

Sourceware runs the servers. Contact sourceware.org support 
sourcemaster at sourceware dot org to see what their server 
logs say, or what their BLs are blocking.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

^ permalink raw reply	[flat|nested] 11+ messages in thread

* RE: What is the proper mailing list for server issues?
  2017-04-23 12:59     ` Greywolf
  2017-04-23 15:21       ` Brian Inglis
@ 2017-04-24 20:50       ` Gluszczak, Glenn
  2017-04-25 13:09         ` Brian Inglis
  1 sibling, 1 reply; 11+ messages in thread
From: Gluszczak, Glenn @ 2017-04-24 20:50 UTC (permalink / raw)
  To: cygwin

Ok, I spoke too hastily.  It's possible a webserver blocks sites or the ISP blocks.
Also, perhaps cygwin.com can't resolve starwolf.com as Brian suggested.
Looking at your curl and openssl output I see this oddity

"No ALPN negotiated"
"ALPN, server did not agree to a protocol"

According to this site cygwin.com does not support HTTP/2.  Must be using 1.1.
https://tools.keycdn.com/http2-test

Does this get you a web page?

curl -v --http1.0 https://www.cygwin.com

You're not doing any port forwarding of 443?

Glenn

============================================================

Greetings,

I'm trying from several different machines in the house, some directly connected, as well as any thru the NAT interface.  This is the ONLY site I cannot reach normally.  I have to use the Tor browser to reach the site, and, even then, once I get a new cygwin setup .exe, the list of mirrors doesn't auto-fill because (surprise, surprise) I cannot connect via any known protocol to either www.cygwin.com or 209.132.180.131.

The SSL certificates I get from a successful Tor hit and an unsuccessful
403 from home are identical

I am concluding that at least the address range 69.12.250.{40-47} are being blocked; and it probably extends beyond that.

Firewall is a Watchguard Firebox running pf_sense.  I get the 403 even with a direct (non-firewalled, non-routed connection)

I have attached two .txt file with runs from two servers within my house, one running NetBSD, one running Windows [thus the importance of cygwin].
Included are runs from 'host'/'nslookup', 'ping', 'traceroute', 'curl' 
and 'openssl'

This is NOT a local firewall issue, otherwise my other machines on different addresses would not have a problem.

smaug is my internal firewall.
stupidhead is the default next hop from said firewall.

"...it's nothing to do with cygwin.com."

Sooooo, why else would I get a refusal from the web server from this address when I can connect from elsewhere ** and the SSL certificate is the same ** ??

What am I missing?

"...but there's nothing we can do from here."

Where is "here"? If "here" == "cygwin.com", you can't tell me if my IP is on an internal blacklist (and, moreso, why?)??


On 2017-04-21 08:06, Gluszczak, Glenn wrote:
>
> Agree, it's nothing to do with Cygwin.com.
>
> Check for a firewall on your local machine.  Check your home router to see if it has a firewall with restrictions.
> Perhaps you're passing through a proxy server or firewall at the ISP?
> Try traceroute or wget to analyze what site you're really attaching to.
>
>
>
> On 4/21/2017 2:35 AM, Greywolf wrote:
>> Hello,
>>
>> I am having a server issue that neither I nor my ISP seem to be able
>> to resolve with regards to connecting to Cygwin.com -- namely, only
>> from my house, I get a 403 Forbidden.
>>
>
> This is _your_ problem.  Something has caused you to not be able to reach cygwin.com properly.  What IP address does cygwin.com resolve to?
> Does using the IP address directly work for you?
>
> $ ping cygwin.com
>
> Pinging cygwin.com [209.132.180.131] with 32 bytes of data:
>
>
>> I've been round with my ISP and they are unable to reproduce the
>> issue; the response I get from here is "contact your ISP".  So who do
>> I contact about this?  Not being able to automagically fetch the
>> mirror list is annoying, and not being able to reach the site to see
>> about updates and such is similarly so.
>>
>
> Understandable but nothing we can do from here.

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: What is the proper mailing list for server issues?
  2017-04-24 20:50       ` Gluszczak, Glenn
@ 2017-04-25 13:09         ` Brian Inglis
  0 siblings, 0 replies; 11+ messages in thread
From: Brian Inglis @ 2017-04-25 13:09 UTC (permalink / raw)
  To: cygwin

On 2017-04-24 08:59, Gluszczak, Glenn wrote:
> On 2017-04-21 08:06, Gluszczak, Glenn wrote:
>> On 4/21/2017 2:35 AM, Greywolf wrote:
>>> I am having a server issue that neither I nor my ISP seem to be able
>>> to resolve with regards to connecting to Cygwin.com -- namely, only
>>> from my house, I get a 403 Forbidden.
>> This is _your_ problem. Something has caused you to not be able to
>> reach cygwin.com properly. What IP address does cygwin.com resolve
>> to?
>> Does using the IP address directly work for you?
>> $ ping cygwin.com
>> Pinging cygwin.com [209.132.180.131] with 32 bytes of data:
>>> I've been round with my ISP and they are unable to reproduce the 
>>> issue; the response I get from here is "contact your ISP". So who
>>> do I contact about this? Not being able to automagically fetch
>>> the mirror list is annoying, and not being able to reach the site
>>> to see about updates and such is similarly so.
>> Understandable but nothing we can do from here.
>>> I'm trying from several different machines in the house, some 
>>> directly connected, as well as any thru the NAT interface. This 
>>> is the ONLY site I cannot reach normally. I have to use the Tor 
>>> browser to reach the site, and, even then, once I get a new 
>>> cygwin setup .exe, the list of mirrors doesn't auto-fill because 
>>> (surprise, surprise) I cannot connect via any known protocol to 
>>> either www.cygwin.com or 209.132.180.131.
>>> The SSL certificates I get from a successful Tor hit and an
>>> unsuccessful 403 from home are identical
>>> I am concluding that at least the address range
>>> 69.12.250.{40-47} are being blocked; and it probably extends
>>> beyond that.
>>> Firewall is a Watchguard Firebox running pf_sense. I get the 403 
>>> even with a direct (non-firewalled, non-routed connection)
>>> I have attached two .txt file with runs from two servers within 
>>> my house, one running NetBSD, one running Windows [thus the 
>>> importance of cygwin].
>>> Included are runs from 'host'/'nslookup', 'ping', 'traceroute', 
>>> 'curl' and 'openssl'
>>> This is NOT a local firewall issue, otherwise my other machines 
>>> on different addresses would not have a problem.
>>> smaug is my internal firewall.
>>> stupidhead is the default next hop from said firewall.
>>> "...it's nothing to do with cygwin.com."
>>> Sooooo, why else would I get a refusal from the web server from 
>>> this address when I can connect from elsewhere ** and the SSL 
>>> certificate is the same ** ??
>>> What am I missing?
>>> "...but there's nothing we can do from here."
>>> Where is "here"? If "here" == "cygwin.com", you can't tell me if
>>> my IP is on an internal blacklist (and, moreso, why?)??
>>>> Agree, it's nothing to do with Cygwin.com.
>>>> Check for a firewall on your local machine. Check your home
>>>> router to see if it has a firewall with restrictions.
>>>> Perhaps you're passing through a proxy server or firewall at
>>>> the ISP?
>>>> Try traceroute or wget to analyze what site you're really
>>>> attaching to.
> Ok, I spoke too hastily. It's possible a webserver blocks sites or
> the ISP blocks.
> Also, perhaps cygwin.com can't resolve starwolf.com as Brian
> suggested.
> Looking at your curl and openssl output I see this oddity
> "No ALPN negotiated"
> "ALPN, server did not agree to a protocol"
> According to this site cygwin.com does not support HTTP/2. Must be
> using 1.1.
> https://tools.keycdn.com/http2-test
> Does this get you a web page?
> curl -v --http1.0 https://www.cygwin.com
> You're not doing any port forwarding of 443?

I recall some issue in the past with http2 sites, TLS, http2/ALPN, 
spdy/NPN, and I remember having to run curl --no-alpn --no-npn to 
get it to work, but I can't find any email or script with it, so 
it may have been an ad hoc throwaway command, and/or something 
improperly set up on a web server or with curl that did not 
negotiate properly during connection setup.

Download testssl.sh from https://testssl.sh/ or clone it from the 
linked GitHub repo and try it from your problem system with 
	.../testssl.sh cygwin.com
- takes a while - run it with a black background so you can see the 
yellow messages.
Many local problems highlighted in magenta are just warnings that your 
SSL installation disables insecure ciphers.
Something may be highlighted with your system or their server that you 
can discuss with
	sourcemaster at sourceware dot org.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

^ permalink raw reply	[flat|nested] 11+ messages in thread
