This is the mail archive of the cygwin mailing list for the Cygwin project.


Re: What is the proper mailing list for server issues?


On 2017-04-24 08:59, Gluszczak, Glenn wrote:
> On 2017-04-21 08:06, Gluszczak, Glenn wrote:
>> On 4/21/2017 2:35 AM, Greywolf wrote:
>>> I am having a server issue that neither I nor my ISP seem to be able
>>> to resolve with regard to connecting to Cygwin.com -- namely, only
>>> from my house, I get a 403 Forbidden.
>> This is _your_ problem. Something has caused you to not be able to
>> reach cygwin.com properly. What IP address does cygwin.com resolve
>> to?
>> Does using the IP address directly work for you?
>> $ ping cygwin.com
>> Pinging cygwin.com [209.132.180.131] with 32 bytes of data:
>>> I've been round with my ISP and they are unable to reproduce the 
>>> issue; the response I get from here is "contact your ISP". So who
>>> do I contact about this? Not being able to automagically fetch
>>> the mirror list is annoying, and not being able to reach the site
>>> to see about updates and such is similarly so.
>> Understandable but nothing we can do from here.
>>> I'm trying from several different machines in the house, some 
>>> directly connected, as well as any thru the NAT interface. This 
>>> is the ONLY site I cannot reach normally. I have to use the Tor 
>>> browser to reach the site, and, even then, once I get a new 
>>> cygwin setup .exe, the list of mirrors doesn't auto-fill because 
>>> (surprise, surprise) I cannot connect via any known protocol to 
>>> either www.cygwin.com or 209.132.180.131.
>>> The SSL certificates I get from a successful Tor hit and an
>>> unsuccessful 403 from home are identical.
>>> I am concluding that at least the address range
>>> 69.12.250.{40-47} are being blocked; and it probably extends
>>> beyond that.
>>> Firewall is a Watchguard Firebox running pf_sense. I get the 403 
>>> even with a direct (non-firewalled, non-routed connection).
>>> I have attached two .txt files with runs from two servers within 
>>> my house, one running NetBSD, one running Windows [thus the 
>>> importance of cygwin].
>>> Included are runs from 'host'/'nslookup', 'ping', 'traceroute', 
>>> 'curl' and 'openssl'.
>>> This is NOT a local firewall issue, otherwise my other machines 
>>> on different addresses would not have a problem.
>>> smaug is my internal firewall.
>>> stupidhead is the default next hop from said firewall.
>>> "...it's nothing to do with cygwin.com."
>>> Sooooo, why else would I get a refusal from the web server from 
>>> this address when I can connect from elsewhere ** and the SSL 
>>> certificate is the same ** ??
>>> What am I missing?
>>> "...but there's nothing we can do from here."
>>> Where is "here"? If "here" == "cygwin.com", you can't tell me if
>>> my IP is on an internal blacklist (and, moreso, why?)??
>>>> Agree, it's nothing to do with Cygwin.com.
>>>> Check for a firewall on your local machine. Check your home
>>>> router to see if it has a firewall with restrictions.
>>>> Perhaps you're passing through a proxy server or firewall at
>>>> the ISP?
>>>> Try traceroute or wget to analyze what site you're really
>>>> attaching to.
> Ok, I spoke too hastily. It's possible a webserver blocks sites or
> the ISP blocks.
> Also, perhaps cygwin.com can't resolve starwolf.com as Brian
> suggested.
> Looking at your curl and openssl output I see this oddity
> "No ALPN negotiated"
> "ALPN, server did not agree to a protocol"
> According to this site cygwin.com does not support HTTP/2. Must be
> using 1.1.
> https://tools.keycdn.com/http2-test
> Does this get you a web page?
> curl -v --http1.0 https://www.cygwin.com
> You're not doing any port forwarding of 443?

I recall some issue in the past with http2 sites, TLS, http2/ALPN, 
spdy/NPN, and I remember having to run curl --no-alpn --no-npn to 
get it to work, but I can't find any email or script with it, so 
may have been an ad hoc throwaway command, and/or something 
improperly set up on a web server or with curl that did not 
negotiate properly during connection setup.

Download testssl.sh from https://testssl.sh/ or clone it from the 
linked GitHub repo and try it from your problem system with 
	.../testssl.sh cygwin.com
- takes a while - run it with a black background so you can see the 
yellow messages.
Many local problems highlighted in magenta are just warnings that your 
SSL installation disables insecure ciphers.
Something may be highlighted with your system or their server that you 
can discuss with
	sourcemaster at sourceware dot org.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
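
Added example, not part of the original message and not Cygwin or curl project code: a shell function that reads a saved `curl -v` transcript and reports at which layer the request failed, so a 403 that arrives after a completed TLS handshake (even one with no ALPN protocol agreed) is told apart from a failed negotiation or a proxy answering before TLS. The function name, the sample transcripts, the host www.example.test and the address 192.0.2.10 are constructed placeholders.

```shell
#!/bin/sh
# Added example. Reads a `curl -v` transcript on stdin and prints one line:
#   layer=<where the failure happened> alpn=<agreed protocol> status=<HTTP code>
# Real capture: curl -v https://www.cygwin.com 2>&1 | classify_curl_log
classify_curl_log() {
    awk '
        { sub(/\r$/, "") }                      # header lines may end in CR
        /^\* ALPN, server accepted to use /            { alpn = $NF }
        /^\* ALPN, server did not agree to a protocol/ { alpn = "none" }
        /^\* SSL connection using /                    { tls = 1 }
        /^< HTTP\//                                    { status = $3 }
        END {
            if (alpn == "") alpn = "unknown"
            if (status == "" && !tls)   layer = "tls-or-network"     # never got through TLS
            else if (status == "")      layer = "no-response"        # TLS up, no HTTP reply
            else if (!tls)              layer = "proxy-or-plaintext" # reply before any TLS
            else if (status + 0 >= 400) layer = "http-error"         # web server refused
            else                        layer = "ok"
            if (status == "") status = "-"
            printf "layer=%s alpn=%s status=%s\n", layer, alpn, status
        }'
}

# Constructed transcript: handshake completes, no ALPN protocol agreed, 403 returned.
sample_403_log() {
    cat <<'EOF'
*   Trying 192.0.2.10...
* Connected to www.example.test (192.0.2.10) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
> GET / HTTP/1.1
> Host: www.example.test
< HTTP/1.1 403 Forbidden
< Content-Type: text/html
EOF
}

# Constructed transcript: connection dropped during the handshake, no HTTP exchange.
sample_tls_fail_log() {
    cat <<'EOF'
*   Trying 192.0.2.10...
* Connected to www.example.test (192.0.2.10) port 443 (#0)
* ALPN, offering http/1.1
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.example.test:443
EOF
}

sample_403_log | classify_curl_log
sample_tls_fail_log | classify_curl_log
```

The patterns match the ALPN wording quoted in this thread; a curl build that words those lines differently needs the two ALPN patterns adjusted.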

