Community Discussions and Support
Mercury and OpenSSL 1.1?

The OpenSSL team publishes source code only, and expects operating system maintainers (mainly Linux but also the communities for Apple and Windows) to compile it themselves into executable code and redistribute those compiled copies in the usual fashion.

While there's a guy in Minnesota (https://slproweb.com/products/Win32OpenSSL.html) and some random person on the Internet (https://bintray.com/vszakats/generic/openssl) who do the compilation work and provide executables as a service for the Windows community, the rule with security-sensitive software like this is that it's only trustworthy if you compile it yourself from source code that you've confirmed matches the official release's source code, using a compiler that you know to be good and trustworthy. David's tried to do that a few times, and I appreciate him putting in the effort to make sure we're safe, but the last we heard (http://www.pmail.com/devnews.htm) he couldn't get the resulting executable to say it was compiled correctly.

 On a side note, I don't recommend using the binaries I've linked above with the current versions of Pegasus and Mercury. The 1.1.1 releases refuse to work at all. The 1.0.2 releases do work, to a point. And then someone using Outlook Mail for iPhone tries to connect over IMAPS and pull a few thousand messages and a mismatch in memory allocation causes Mercury to crash. But using 1.0.2 and dealing with the constant crashes is better, for me in my situation, than using the copy that came with Mercury that doesn't support TLS 1.2. That said, I eagerly await an official Mercury update with up-to-date OpenSSL.


Does anyone know if the DLLs from OpenSSL 1.1 will work with Mercury v4.80? Up until now, I've been updating libeay32.dll and ssleay32.dll in the MERCURY folder with the latest version, taking care to use DLLs with no external dependencies. But, the 1.0 series that Mercury 4.80 was originally distributed with is End of Life and 1.0.2u is the last version.

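Added example, not part of the original post and not Mercury or OpenSSL project code: one way to list which DLLs a replacement libeay32.dll or ssleay32.dll imports before it is copied into the MERCURY folder, by reading the PE import table directly. The `SYSTEM_DLLS` allow-list, the function names and the constructed sample image are assumptions made for illustration.

```python
import struct

# Assumption: DLLs treated as part of Windows itself; adjust for your systems.
SYSTEM_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll", "gdi32.dll",
               "ws2_32.dll", "crypt32.dll", "msvcrt.dll"}

def imported_dlls(pe: bytes) -> list[str]:
    """DLL names in the regular import table (delay-load imports not covered)."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # NumberOfSections and SizeOfOptionalHeader from the COFF header
    nsect, opt_size = struct.unpack_from("<H12xH", pe, pe_off + 6)
    opt = pe_off + 24
    magic, = struct.unpack_from("<H", pe, opt)
    dirs = opt + (96 if magic == 0x10B else 112)              # PE32 vs PE32+
    imp_rva, _ = struct.unpack_from("<II", pe, dirs + 8)      # data directory 1
    # Per section: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
                for i in range(nsect)]
    def offset(rva):
        for vsize, vaddr, rsize, rptr in sections:
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return rptr + rva - vaddr
        raise ValueError("RVA outside every section")
    names, off = [], offset(imp_rva) if imp_rva else None
    while off is not None:
        desc = struct.unpack_from("<IIIII", pe, off)          # 20-byte descriptor
        if not any(desc):                                     # null terminator
            break
        start = offset(desc[3])                               # Name RVA
        names.append(pe[start:pe.index(b"\0", start)].decode("ascii"))
        off += 20
    return names

def external_dependencies(pe: bytes) -> list[str]:
    return [d for d in imported_dlls(pe) if d.lower() not in SYSTEM_DLLS]

def build_sample_pe(dlls):
    """Constructed minimal PE32 image with one .idata section (sample input)."""
    table, strings = b"", b""
    name_rva = 0x1000 + 20 * (len(dlls) + 1)
    for d in dlls:
        table += struct.pack("<IIIII", 0, 0, 0, name_rva + len(strings), 0)
        strings += d.encode() + b"\0"
    data = table + bytes(20) + strings
    opt = struct.pack("<H102xII112x", 0x10B, 0x1000, len(table) + 20)
    hdr = b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102) + opt
    hdr += struct.pack("<8sIIII16x", b".idata", len(data), 0x1000, len(data), 0x200)
    return hdr.ljust(0x200, b"\0") + data
```

For a real file, pass `open(path, "rb").read()` to `external_dependencies`; anything it returns, such as a Visual C++ runtime DLL, has to be present on the server as well.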

This is what David wrote on the matter on pmail.com:

"The reason we are not issuing support for the current 1.1.1 build of OpenSSL is because we simply have not been able to produce a build that will pass its own internal self-tests. Once we've got this issue sorted out, there will be another update that includes the more up-to-date version of OpenSSL." 


Hi Rolf,

As of today OpenSSL 1.1.1g is published and available. But I'm taking for granted that the dev team is observing it as well.
