TLS version problem downloading mirrors.lst?

TLS version problem downloading mirrors.lst?

[Brad Wetmore]

Hi,

I am trying to install a new instance of cygwin on Windows 2016 Server MSDN instance and am having problems downloading the mirrors list:

    2021/02/05 14:21:39 connection error: 12029 fetching https://cygwin.com/mirrors.lst

Using Wireshark and configuration options in Firefox, the root cause appears to be that the setup-x86_64.exe is trying to use TLSv1.0 and SSLv3 to download this file, but the download is failing as the response is a fatal TLS alert: invalid protocol (2/70). Many Internet servers have been shutting off TLSv1.0/SSLv3 in favor of TLSv1.2/1.3 these days, is this a case of that? If so, the setup app needs to be updated.

I can specify a specific server URL after the mirrors.lst download fails and can at least get something installed.

Is there any workaround to force setup-x86_64.exe to default to TLSv1.2/1.3? Or is this something that the MSDN version of Windows 2016 Server has configured?


More details/symptoms:

I am behind a firewall, but the proxy settings in IE allow me to tunnel out. The corresponding "Use System Proxy Settings" in Firefox works fine. But when I set the TLS settings in Firefox's "about:config" to use only TLSv1.0/SSLv3, I see the same alert being returned to Firefox.

Wireshark reports:

CONNECT cygwin.com:443 HTTP1.0 ->
User-Agent: ...deleted

<- HTTP/1.0 200 Connection established

ClientHello ->
v1.0

<- Fatal Alert: 2/70

Supposedly SCHANNEL has TLSv1.2 on by default, but have no idea how the setup app is written.

https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-
https://docs.microsoft.com/en-us/archive/blogs/kaushal/support-for-ssltls-protocols-on-windows

My previous installs of cygwin aren't having any problems when trying to incrementally add software, maybe the mirrors file is cached somewhere?

Thanks for any tips,

Brad

Re: TLS version problem downloading mirrors.lst?

[Brian Inglis]

On 2021-02-05 18:00, Brad Wetmore via Cygwin wrote:
> I am trying to install a new instance of cygwin on Windows 2016 Server MSDN instance and am having problems downloading the mirrors list:
>      2021/02/05 14:21:39 connection error: 12029 fetching https://cygwin.com/mirrors.lst
> Using Wireshark and configuration options in Firefox, the root cause appears 
> to be that the setup-x86_64.exe is trying to use TLSv1.0 and SSLv3 to
> download this file, but the download is failing as the response is a fatal
> TLS alert: invalid protocol (2/70). Many Internet servers have been shutting
> off TLSv1.0/SSLv3 in favor of TLSv1.2/1.3 these days, is this a case of that?
> If so, the setup app needs to be updated.

Cygwin setup is a Windows app using Windows libraries built using open tools.

> I can specify a specific server URL after the mirrors.lst download fails and
> can at least get something installed.
> Is there any workaround to force setup-x86_64.exe to default to TLSv1.2/1.3? 
> Or is this something that the MSDN version of Windows 2016 Server has
> configured?
> More details/symptoms:
> I am behind a firewall, but the proxy settings in IE allow me to tunnel out.
> The corresponding "Use System Proxy Settings" in Firefox works fine. But when
> I set the TLS settings in Firefox's "about:config" to use only TLSv1.0/SSLv3,
> I see the same alert being returned to Firefox.
> Wireshark reports:
> CONNECT cygwin.com:443 HTTP1.0 ->
> User-Agent: ...deleted
> <- HTTP/1.0 200 Connection established
> ClientHello ->
> v1.0
> <- Fatal Alert: 2/70
> Supposedly SCHANNEL has TLSv1.2 on by default, but have no idea how the
> setup app is written.

*NOT* by default on W2016 for SCHANNEL and may need enabled for both CLIENT and 
SERVER uses:

https://github.com/MicrosoftDocs/windowsserverdocs/issues/2783

https://social.technet.microsoft.com/Forums/en-US/cb1a695b-a15c-4fa7-94f0-1aaa20c1279d/enabling-tls-12-on-windows-server-2012-amp-2016?forum=winserversecurity

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enable-and-disable-tls-12

Cygwin setup is written like most other Windows GUI apps, but you can clone the 
sources, modify, and build it using only Cygwin tools.

> https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-
> https://docs.microsoft.com/en-us/archive/blogs/kaushal/support-for-ssltls-protocols-on-windows

> My previous installs of cygwin aren't having any problems when trying to
> incrementally add software, maybe the mirrors file is cached somewhere?

Are any of them running legacy Server instances?

> Thanks for any tips,

It's possible that W2016 might not support the root CA, support available TLS 
1.2 Cipher suites (although that seems unlikely with the WEAK ratings), TLS 1.3, 
HTTP2, etc:

	https://www.ssllabs.com/ssltest/analyze.html?d=cygwin.com

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]

Re: TLS version problem downloading mirrors.lst?

[Brad Wetmore]

Hi Brian, and thanks for the response.

Horray for conflicting information from MS.  🙂

I will look at the IIS tool mentioned in one of the posts.

My registry entries for SCHANNEL and the TLSv1.2 look to be the same between my previous Windows 2012 install and this new Windows 2016 one, so a little surprising.

Do you happen to know if the cygwin.com server hosting cygwin.com/mirrors.lst was recently upgraded to no longer support the earlier TLS versions?

Is mirrors.lst cached somewhere during the install, and where would I find it?  Just wondering why I can't seem to find it on different Windows instances but can still connect.

> Are any of them running legacy Server instances?

I think you are asking whether the mirror server (sonic.net) that I eventually contacted still has TLSv1.0 on.  Probably.  I can check that next week.

Thanks,

Brad





________________________________
From: Brian Inglis <Brian.Inglis@SystematicSw.ab.ca>
Sent: Friday, February 5, 2021 7:53 PM
To: cygwin@cygwin.com <cygwin@cygwin.com>
Subject: Re: TLS version problem downloading mirrors.lst?

On 2021-02-05 18:00, Brad Wetmore via Cygwin wrote:
> I am trying to install a new instance of cygwin on Windows 2016 Server MSDN instance and am having problems downloading the mirrors list:
>      2021/02/05 14:21:39 connection error: 12029 fetching https://cygwin.com/mirrors.lst
> Using Wireshark and configuration options in Firefox, the root cause appears
> to be that the setup-x86_64.exe is trying to use TLSv1.0 and SSLv3 to
> download this file, but the download is failing as the response is a fatal
> TLS alert: invalid protocol (2/70). Many Internet servers have been shutting
> off TLSv1.0/SSLv3 in favor of TLSv1.2/1.3 these days, is this a case of that?
> If so, the setup app needs to be updated.

Cygwin setup is a Windows app using Windows libraries built using open tools.

> I can specify a specific server URL after the mirrors.lst download fails and
> can at least get something installed.
> Is there any workaround to force setup-x86_64.exe to default to TLSv1.2/1.3?
> Or is this something that the MSDN version of Windows 2016 Server has
> configured?
> More details/symptoms:
> I am behind a firewall, but the proxy settings in IE allow me to tunnel out.
> The corresponding "Use System Proxy Settings" in Firefox works fine. But when
> I set the TLS settings in Firefox's "about:config" to use only TLSv1.0/SSLv3,
> I see the same alert being returned to Firefox.
> Wireshark reports:
> CONNECT cygwin.com:443 HTTP1.0 ->
> User-Agent: ...deleted
> <- HTTP/1.0 200 Connection established
> ClientHello ->
> v1.0
> <- Fatal Alert: 2/70
> Supposedly SCHANNEL has TLSv1.2 on by default, but have no idea how the
> setup app is written.

*NOT* by default on W2016 for SCHANNEL and may need enabled for both CLIENT and
SERVER uses:

https://github.com/MicrosoftDocs/windowsserverdocs/issues/2783

https://social.technet.microsoft.com/Forums/en-US/cb1a695b-a15c-4fa7-94f0-1aaa20c1279d/enabling-tls-12-on-windows-server-2012-amp-2016?forum=winserversecurity

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enable-and-disable-tls-12

Cygwin setup is written like most other Windows GUI apps, but you can clone the
sources, modify, and build it using only Cygwin tools.

> https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-
> https://docs.microsoft.com/en-us/archive/blogs/kaushal/support-for-ssltls-protocols-on-windows

> My previous installs of cygwin aren't having any problems when trying to
> incrementally add software, maybe the mirrors file is cached somewhere?

Are any of them running legacy Server instances?

> Thanks for any tips,

It's possible that W2016 might not support the root CA, support available TLS
1.2 Cipher suites (although that seems unlikely with the WEAK ratings), TLS 1.3,
HTTP2, etc:

        https://www.ssllabs.com/ssltest/analyze.html?d=cygwin.com

--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]

Re: TLS version problem downloading mirrors.lst?

[Brian Inglis]

On 2021-02-06 11:23, Brad Wetmore via Cygwin wrote:
> On 2021-02-05 18:00, Brad Wetmore via Cygwin wrote:
>> I am trying to install a new instance of cygwin on Windows 2016 Server MSDN instance and am having problems downloading the mirrors list:
>>       2021/02/05 14:21:39 connection error: 12029 fetching https://cygwin.com/mirrors.lst
>> Using Wireshark and configuration options in Firefox, the root cause appears
>> to be that the setup-x86_64.exe is trying to use TLSv1.0 and SSLv3 to
>> download this file, but the download is failing as the response is a fatal
>> TLS alert: invalid protocol (2/70). Many Internet servers have been shutting
>> off TLSv1.0/SSLv3 in favor of TLSv1.2/1.3 these days, is this a case of that?
>> If so, the setup app needs to be updated.
> 
> Cygwin setup is a Windows app using Windows libraries built using open tools.
> 
>> I can specify a specific server URL after the mirrors.lst download fails and
>> can at least get something installed.
>> Is there any workaround to force setup-x86_64.exe to default to TLSv1.2/1.3?
>> Or is this something that the MSDN version of Windows 2016 Server has
>> configured?
>> More details/symptoms:
>> I am behind a firewall, but the proxy settings in IE allow me to tunnel out.
>> The corresponding "Use System Proxy Settings" in Firefox works fine. But when
>> I set the TLS settings in Firefox's "about:config" to use only TLSv1.0/SSLv3,
>> I see the same alert being returned to Firefox.
>> Wireshark reports:
>> CONNECT cygwin.com:443 HTTP1.0 ->
>> User-Agent: ...deleted
>> <- HTTP/1.0 200 Connection established
>> ClientHello ->
>> v1.0
>> <- Fatal Alert: 2/70
>> Supposedly SCHANNEL has TLSv1.2 on by default, but have no idea how the
>> setup app is written.
> 
> *NOT* by default on W2016 for SCHANNEL and may need enabled for both CLIENT and
> SERVER uses:
> 
> https://github.com/MicrosoftDocs/windowsserverdocs/issues/2783
> 
> https://social.technet.microsoft.com/Forums/en-US/cb1a695b-a15c-4fa7-94f0-1aaa20c1279d/enabling-tls-12-on-windows-server-2012-amp-2016?forum=winserversecurity
> 
> https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enable-and-disable-tls-12
> 
> Cygwin setup is written like most other Windows GUI apps, but you can clone the
> sources, modify, and build it using only Cygwin tools.
> 
>> https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-
>> https://docs.microsoft.com/en-us/archive/blogs/kaushal/support-for-ssltls-protocols-on-windows
> 
>> My previous installs of cygwin aren't having any problems when trying to
>> incrementally add software, maybe the mirrors file is cached somewhere?
> 
> Are any of them running legacy Server instances?
> 
>> Thanks for any tips,
> 
> It's possible that W2016 might not support the root CA, support available TLS
> 1.2 Cipher suites (although that seems unlikely with the WEAK ratings), TLS 1.3,
> HTTP2, etc:
> 
>          https://www.ssllabs.com/ssltest/analyze.html?d=cygwin.com

 > Horray for conflicting information from MS.  🙂
 >
 > I will look at the IIS tool mentioned in one of the posts.
 >
 > My registry entries for SCHANNEL and the TLSv1.2 look to be the same between 
my previous Windows 2012 install and this new Windows 2016 one, so a little 
surprising.

Please check that your server TLS/SCHANNEL registry entries match those in the 
referenced article for TLS 1.2 well down the page in the Enabled case.

 > Do you happen to know if the cygwin.com server hosting cygwin.com/mirrors.lst 
was recently upgraded to no longer support the earlier TLS versions?

See the ssllabs test results and comments above.

 > Is mirrors.lst cached somewhere during the install, and where would I find 
it?  Just wondering why I can't seem to find it on different Windows instances 
but can still connect.

Every Cygwin install has /etc/setup/setup.rc which contains a copy of the then 
active mirrors list as well as your most recently selected mirror, and a list 
could even be baked into Cygwin setup at build time.

>>> My previous installs of cygwin aren't having any problems when trying to
>>> incrementally add software, maybe the mirrors file is cached somewhere?

 >> Are any of them running legacy Server instances?
 >
 > I think you are asking whether the mirror server (sonic.net) that I 
eventually contacted still has TLSv1.0 on.  Probably.  I can check that next week.

Are any of your previous installs of Cygwin also on legacy Server 2016 or 2012 
instances that you also have installed from the same source?

These SCHANNEL entries are *Disabled by Default* and have registry entries to 
that effect!

[Previous post restored: this is why keeping and trimming comments and replying 
inline is so important in this and similar groups, so everyone understands the 
context; TOFU/Jeopardy style is okay for org emails about simple business 
issues, and simple technical issues answered in a one liner.]

Check using:

$ regtool list -v 
/proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS 
1.2/Server/

and you can save the contents in a .reg file to diff vs other servers using:

$ regtool save -v 
/proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS 
1.2/Server/ \
	HKLM-SYS-CCS-C-SP-SCHANNEL-Protocols-TLS-1.2-Server.reg

Cygwin setup, mirrors list, key, and other critical information is fetched only 
from https://cygwin.com/ (unless something proxies or redirects that).

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]

Re: TLS version problem downloading mirrors.lst?

[Brad Wetmore]

Just a quick update in case others are looking for a quick workaround:

I wrote:

> I am trying to install a new instance of cygwin on Windows 2016 Server
> MSDN instance and am having problems downloading the mirrors list:
> 2021/02/05 14:21:39 connection error: 12029 fetching
https://cygwin.com/mirrors.lst
> Using Wireshark and configuration options in Firefox, the root cause
> appears to be that the setup-x86_64.exe is trying to use TLSv1.0 and
> SSLv3 to download this file...deleted... Many Internet servers have
> been shutting off TLSv1.0/SSLv3 in favor of TLSv1.2/1.3 these days, is
> this a case of that?

I was able to work around the download of mirrors.lst problem by enabling TLSv1.1/1.2 in the IE control settings menu. This workaround didn't appear to change the registry values in HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols, but gets me to the point where I can download/install Cygwin. We use SCHANNEL (or whatever this controls) very rarely (normally Java/OpenSSL/NSS), so this is fine for me.

To your comment:

[Previous post restored: this is why keeping and trimming comments and replying
inline is so important in this and similar groups, so everyone understands the
context...]

Sorry for using my normal reply style. Many groups I participate in like to keep the amount of repeated/duplicated info to a minimum, with heavy use of *SNIP*s. Apologies for any faux paus here.

Further comments inline below:

On 2/8/2021 4:15 PM, Brad Wetmore wrote:
> Hi Brian,

> On 2021-02-06 11:23, Brad Wetmore via Cygwin wrote:
>> On 2021-02-05 18:00, Brad Wetmore via Cygwin wrote:
>>> I am trying to install a new instance of cygwin on Windows 2016 Server MSDN instance and am having problems downloading the mirrors list:
>>>       2021/02/05 14:21:39 connection error: 12029 fetching https://cygwin.com/mirrors.lst
> <https://urldefense.com/v3/__https://cygwin.com/mirrors.lst__;!!GqivPVa7Brio!MniJHwIN6y0BlJXA6LXt7IV2QGfTo_en5ZDYApqwG5hQrsl_ffm4aKvubYZOonaZVQEN_w$>
>>> Using Wireshark and configuration options in Firefox, the root cause appears
>>> to be that the setup-x86_64.exe is trying to use TLSv1.0 and SSLv3 to
>>> download this file, but the download is failing as the response is a fatal
>>> TLS alert: invalid protocol (2/70). Many Internet servers have been shutting
>>> off TLSv1.0/SSLv3 in favor of TLSv1.2/1.3 these days, is this a case of that?
>>> If so, the setup app needs to be updated.
>>
>> Cygwin setup is a Windows app using Windows libraries built using open tools.
>>
>>> I can specify a specific server URL after the mirrors.lst download fails and
>>> can at least get something installed.
>>> Is there any workaround to force setup-x86_64.exe to default to TLSv1.2/1.3?
>>> Or is this something that the MSDN version of Windows 2016 Server has
>>> configured?
>>> More details/symptoms:
>>> I am behind a firewall, but the proxy settings in IE allow me to tunnel out.
>>> The corresponding "Use System Proxy Settings" in Firefox works fine. But when
>>> I set the TLS settings in Firefox's "about:config" to use only TLSv1.0/SSLv3,
>>> I see the same alert being returned to Firefox.
>>> Wireshark reports:
>>> CONNECT cygwin.com:443 HTTP1.0 ->
>>> User-Agent: ...deleted
>>> <- HTTP/1.0 200 Connection established
>>> ClientHello ->
>>> v1.0
>>> <- Fatal Alert: 2/70
>>> Supposedly SCHANNEL has TLSv1.2 on by default, but have no idea how the
>>> setup app is written.
>>
>> *NOT* by default on W2016 for SCHANNEL and may need enabled for both CLIENT and
>> SERVER uses:
>>
>> https://github.com/MicrosoftDocs/windowsserverdocs/issues/2783
> <https://urldefense.com/v3/__https://github.com/MicrosoftDocs/windowsserverdocs/issues/2783__;!!GqivPVa7Brio!MniJHwIN6y0BlJXA6LXt7IV2QGfTo_en5ZDYApqwG5hQrsl_ffm4aKvubYZOonaj00EzXQ$>
>>
>> https://social.technet.microsoft.com/Forums/en-US/cb1a695b-a15c-4fa7-94f0-1aaa20c1279d/enabling-tls-12-on-windows-server-2012-amp-2016?forum=winserversecurity
> <https://urldefense.com/v3/__https://social.technet.microsoft.com/Forums/en-US/cb1a695b-a15c-4fa7-94f0-1aaa20c1279d/enabling-tls-12-on-windows-server-2012-amp-2016?forum=winserversecurity__;!!GqivPVa7Brio!MniJHwIN6y0BlJXA6LXt7IV2QGfTo_en5ZDYApqwG5hQrsl_ffm4aKvubYZOonbZaiSLRA$>
>>
>> https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enable-and-disable-tls-12
> <https://urldefense.com/v3/__https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs*enable-and-disable-tls-12__;Iw!!GqivPVa7Brio!MniJHwIN6y0BlJXA6LXt7IV2QGfTo_en5ZDYApqwG5hQrsl_ffm4aKvubYZOonYAsnbbMQ$>
>>
>> Cygwin setup is written like most other Windows GUI apps, but you can clone the
>> sources, modify, and build it using only Cygwin tools.
>>
>>> https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-
> <https://urldefense.com/v3/__https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-__;!!GqivPVa7Brio!MniJHwIN6y0BlJXA6LXt7IV2QGfTo_en5ZDYApqwG5hQrsl_ffm4aKvubYZOonYRnK4Fvg$>
>>> https://docs.microsoft.com/en-us/archive/blogs/kaushal/support-for-ssltls-protocols-on-windows
> <https://urldefense.com/v3/__https://docs.microsoft.com/en-us/archive/blogs/kaushal/support-for-ssltls-protocols-on-windows__;!!GqivPVa7Brio!MniJHwIN6y0BlJXA6LXt7IV2QGfTo_en5ZDYApqwG5hQrsl_ffm4aKvubYZOonZ290_rJg$>
>>
>>> My previous installs of cygwin aren't having any problems when trying to
>>> incrementally add software, maybe the mirrors file is cached somewhere?
>>
>> Are any of them running legacy Server instances?
>>
>>> Thanks for any tips,
>>
>> It's possible that W2016 might not support the root CA, support available TLS
>> 1.2 Cipher suites (although that seems unlikely with the WEAK ratings), TLS 1.3,
>> HTTP2, etc:
>>
>>          https://www.ssllabs.com/ssltest/analyze.html?d=cygwin.com
> <https://urldefense.com/v3/__https://www.ssllabs.com/ssltest/analyze.html?d=cygwin.com__;!!GqivPVa7Brio!MniJHwIN6y0BlJXA6LXt7IV2QGfTo_en5ZDYApqwG5hQrsl_ffm4aKvubYZOonaErD3JmQ$>

I think that only shows the current state of the server, nothing historical. I didn't see an option for previous runs to answer the question why I'm now seeing this problem: i.e. "As of X months ago, the server now denies TLSv1.0 requests..."

>   > Horray for conflicting information from MS.  🙂
>   >
>   > I will look at the IIS tool mentioned in one of the posts.
>   >
>   > My registry entries for SCHANNEL and the TLSv1.2 look to be the same
> between
> my previous Windows 2012 install and this new Windows 2016 one, so a little
> surprising.
>
> Please check that your server TLS/SCHANNEL registry entries match those
> in the
> referenced article for TLS 1.2 well down the page in the Enabled case.

The only thing in Protocols in my default Windows 2016 server install's registry is:

$ regtool list -v "/proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols"
SSL 2.0\ ()

so I was hoping the doc'd wording applied, which is that TLSv1.2 should be supported and enabled by default, but that doesn't appear to be the case in reading your linked articles, and now personal experience. (Thanks for that.)

I'm guessing the github.com issue is for the MS doc team? I'm not sure what their new processes are, they used to be a very closed shop.

>   > Do you happen to know if the cygwin.com server hosting
> cygwin.com/mirrors.lst
> was recently upgraded to no longer support the earlier TLS versions?
>
> See the ssllabs test results and comments above.
>
>   > Is mirrors.lst cached somewhere during the install, and where would
> I find
> it?  Just wondering why I can't seem to find it on different Windows
> instances
> but can still connect.
>
> Every Cygwin install has /etc/setup/setup.rc which contains a copy of
> the then
> active mirrors list as well as your most recently selected mirror, and a
> list
> could even be baked into Cygwin setup at build time.

That's helps, thanks! That probably explains why I don't see this on machines I've setup years ago. I update frequently, but haven't seen this problem before as it's rare that I do a from-scratch deployment of Cygwin.

>>>> My previous installs of cygwin aren't having any problems when trying to
>>>> incrementally add software, maybe the mirrors file is cached somewhere?
>
>   >> Are any of them running legacy Server instances?
>   >
>   > I think you are asking whether the mirror server (sonic.net) that I
> eventually contacted still has TLSv1.0 on.  Probably.  I can check that
> next week.
>
> Are any of your previous installs of Cygwin also on legacy Server 2016
> or 2012
> instances that you also have installed from the same source?

This is my first Server 2016 install, and my last 2012 Server and Windows 10 was approximately July 2019. Didn't see that problem then.

> These SCHANNEL entries are *Disabled by Default* and have registry
> entries to
> that effect!

As above:

$ regtool list -v "/proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols"
SSL 2.0\ ()

There are no entries for any of the TLS protocols, only the SSL 2.0.

$ regtool list -v "/proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS 1.2/Server/" Error (2): The system cannot find the file specified.

I have what I need now, so thanks for getting me through that hurdle.

Best wishes,

Brad

> [Previous post restored: this is why keeping and trimming comments and
> replying
> inline is so important in this and similar groups, so everyone
> understands the
> context; TOFU/Jeopardy style is okay for org emails about simple business
> issues, and simple technical issues answered in a one liner.]
>
> Check using:
>
> $ regtool list -v
> /proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS
>
> 1.2/Server/
>
> and you can save the contents in a .reg file to diff vs other servers using:
>
> $ regtool save -v
> /proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS
>
> 1.2/Server/ \
>          HKLM-SYS-CCS-C-SP-SCHANNEL-Protocols-TLS-1.2-Server.reg
>
> Cygwin setup, mirrors list, key, and other critical information is
> fetched only
> from https://cygwin.com/
> <https://urldefense.com/v3/__https://cygwin.com/__;!!GqivPVa7Brio!MniJHwIN6y0BlJXA6LXt7IV2QGfTo_en5ZDYApqwG5hQrsl_ffm4aKvubYZOona6Np_wlQ$>
> (unless something proxies or redirects that).
>
> --
> Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
>
> This email may be disturbing to some readers as it contains
> too much technical detail. Reader discretion is advised.
> [Data in binary units and prefixes, physical quantities in SI.]
>