public inbox for cygwin@cygwin.com
From: Brad Wetmore <bradfordwetmore@hotmail.com>
To: "cygwin@cygwin.com" <cygwin@cygwin.com>
Subject: TLS version problem downloading mirrors.lst?
Date: Sat, 6 Feb 2021 01:00:28 +0000
Message-ID: <BYAPR07MB59425A659F71A5C1246B588EB6B19@BYAPR07MB5942.namprd07.prod.outlook.com>

Hi,

I am trying to install a new instance of cygwin on a Windows 2016 Server MSDN instance and am having problems downloading the mirrors list:

    2021/02/05 14:21:39 connection error: 12029 fetching https://cygwin.com/mirrors.lst

Using Wireshark and configuration options in Firefox, the root cause appears to be that the setup-x86_64.exe is trying to use TLSv1.0 and SSLv3 to download this file, but the download is failing as the response is a fatal TLS alert: invalid protocol (2/70). Many Internet servers have been shutting off TLSv1.0/SSLv3 in favor of TLSv1.2/1.3 these days, is this a case of that? If so, the setup app needs to be updated.

I can specify a specific server URL after the mirrors.lst download fails and can at least get something installed.

Is there any workaround to force setup-x86_64.exe to default to TLSv1.2/1.3? Or is this something that the MSDN version of Windows 2016 Server has configured?


More details/symptoms:

I am behind a firewall, but the proxy settings in IE allow me to tunnel out. The corresponding "Use System Proxy Settings" in Firefox works fine. But when I set the TLS settings in Firefox's "about:config" to use only TLSv1.0/SSLv3, I see the same alert being returned to Firefox.

Wireshark reports:

CONNECT cygwin.com:443 HTTP1.0 ->
User-Agent: ...deleted

<- HTTP/1.0 200 Connection established

ClientHello ->
v1.0

<- Fatal Alert: 2/70

Supposedly SCHANNEL has TLSv1.2 on by default, but I have no idea how the setup app is written.

https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-
https://docs.microsoft.com/en-us/archive/blogs/kaushal/support-for-ssltls-protocols-on-windows

My previous installs of cygwin aren't having any problems when trying to incrementally add software, maybe the mirrors file is cached somewhere?

Thanks for any tips,

Brad
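
Added example, not part of the original message: a small Python decoder for the two TLS records named in the Wireshark trace above (the ClientHello and the alert), showing that alert 2/70 is level "fatal", description "protocol_version". The sample bytes are constructed for illustration, not captured from the poster's session, and the function names are hypothetical.

```python
import struct

# Legacy (major, minor) version fields as they appear on the wire.
# TLS 1.3 is advertised in the supported_versions extension, not decoded here.
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1",
            (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the alert descriptions defined in RFC 5246.
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure",
                      70: "protocol_version", 71: "insufficient_security",
                      86: "inappropriate_fallback"}

def version_name(major, minor):
    return VERSIONS.get((major, minor), f"unknown({major}.{minor})")

def parse_record(data):
    """Decode one plaintext TLS record: 5-byte header, then alert or ClientHello."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    info = {"record_version": version_name(major, minor)}
    if ctype == 21 and length == 2:          # alert: level byte, description byte
        level, desc = body
        info.update(type="alert",
                    level=ALERT_LEVELS.get(level, str(level)),
                    description=ALERT_DESCRIPTIONS.get(desc, str(desc)))
    elif ctype == 22 and length >= 6 and body[0] == 1:
        # handshake header is type(1) + length(3); client_version follows it
        info.update(type="client_hello",
                    client_version=version_name(body[4], body[5]))
    else:
        info["type"] = f"other({ctype})"
    return info

# Constructed sample records (not real captures).
_hello = (bytes([3, 1]) + bytes(32) + b"\x00"      # version, random, empty session id
          + b"\x00\x02\x00\x2f" + b"\x01\x00")     # one cipher suite, null compression
_hs = b"\x01" + len(_hello).to_bytes(3, "big") + _hello
CLIENT_HELLO = b"\x16\x03\x01" + len(_hs).to_bytes(2, "big") + _hs
ALERT = bytes.fromhex("1503010002" "0246")         # level 2, description 70

if __name__ == "__main__":
    print(parse_record(CLIENT_HELLO))
    print(parse_record(ALERT))
```

Feeding it the raw record bytes exported from a capture gives the same fields Wireshark summarises, which makes it easy to confirm which protocol version a client actually offered.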


