Community Discussions and Support
TLS problem with v4.51

Came over this problem in 4.52 just now. Checked any combination of current releases of cl32.dll and cl32ui.dll I could find, but none worked. Then I replaced the newer versions with those from Mercury 4.01. That worked a little better, Properties button now works, but shows incomplete info (no info for what the certificate is good). But no STARTTLS connection. Debug log:

 13:59:38.234: Connection from 11.22.33.44, Mon Sep 10 13:59:38 2007<lf>
13:59:38.234: << * OK xx.xx.de IMAP4rev1 Mercury/32 v4.52 server ready.<cr><lf>
13:59:38.234: >> A1 STARTTLS<cr><lf>
13:59:38.250: << A1 OK Begin SSL/TLS negotiation now.<cr><lf>
13:59:38.250: 21: Error -2 adding socket to CryptLib session (locus 0, type 0, code 0, '')
13:59:38.250: --- Connection closed normally at Mon Sep 10 13:59:38 2007. ---
13:59:38.250:

 


(copied from the Mercury list) 

I'm finding I can't get TLS working on an IMAP connection with the new version of Mercury.

Pegasus Mail gives me this error in the log:

Error -41 activating SSL session (locus 6014, type 4, code 0, 'No data was read because the remote system closed the connection (recv() == 0)')

and in the Mercury session log:

09:48:09.794: << * OK blakecomp.com IMAP4rev1 Mercury/32 v4.51 server ready.<cr><lf>
09:48:09.844: >> A1 STARTTLS<cr><lf>
09:48:09.844: << A1 OK Begin SSL/TLS negotiation now.<cr><lf>
09:48:09.844: 20: Error -3 creating CryptLib session.

When I copy back the v4.01c files, it works fine:

10:21:49.548: << * OK blakecomp.com IMAP4rev1 Mercury/32 v4.01c server ready.<cr><lf>
10:21:49.598: >> A1 CAPABILITY<cr><lf>
10:21:49.598: << * CAPABILITY IMAP4rev1 STARTTLS X-MERCURY-1<cr><lf>
10:21:49.598: << A1 OK CAPABILITY complete.<cr><lf>
10:21:49.659: >> A2 STARTTLS<cr><lf>
10:21:49.659: << A2 OK Begin SSL/TLS negotiation now.<cr><lf>
10:21:49.919: [*] SSL/TLS session established: 3DES, CBC mode, keysize 192 bits

I have tried restarting Mercury (and the computer), recreating certificates (they are on a local drive), reselecting certificates, specifying a full path as well as just the cert name.

This problem seems to be associated with the inability to see the properties of the certificate. In 4.51, clicking once on the 'properties' button does nothing. I've discovered it displays OK after clicking 17 times (!) and will then continue to display correctly until I close the config window.

Has anyone got any suggestions of other things I can try?

(Mercury is running as administrator on NT4sp6 server.)


I have the same problem Paul has with TLS in v4.51 IMAP. The problem also existed when I tested SMTP and POP3. Same error in all 3. Same cert, individual certs, new certs, refreshed cert path, etc., all failed.

13:48:56.852: >> STARTTLS<cr><lf>
13:48:56.852: << 220 OK, begin SSL/TLS negotiation now.<cr><lf>
13:48:56.852: 20: Error -3 creating CryptLib session.

This is on a NT4 SP6a box using TBird 2.0 X11 to connect


I have the same problems on a system running Windows NT Workstation SP6a.
First I tried with an updated version of Mercury, then with a newly installed system. Every time the same error.
On Windows XP SP2 everything works fine.

Any idea what goes wrong?


[:(]  I can't reproduce this here on any of the five systems I use to test Mercury. Furthermore, most of my test team are reporting that SSL/TLS problems in v4.5 are practically non-existent compared with v4.01.

The only thing I can think is that the later version of cryptlib used by v4.5 doesn't like something in the self-signed certificate created by the older version. Have you tried recreating the certificate entirely?

Also, although the manual used to say that you could have the same certificate used by multiple modules, in fact you can't: it's fine to use copies of the same file in different locations, but you can't have multiple modules accessing the same physical file.

We put quite a lot of time and effort into SSL/TLS in v4.5 - I'm quite disappointed to see that people are having trouble with it.

-- David --


Thank you David.  I have tried creating several completely new certificates and do not share them, but the problem remains.

The common factor appears (with this small sample) to be WindowsNT, so it may be an incompatibility there.  Later I will try moving my installation to W2000 and try again.


I also created entirely new certs for each module and still had no success. The common denominator here seems to be NT4 SP6-SP6a. Is anyone reporting success using v4.51 TLS/SSL on an NT4 box?


OK.  I copied the Mercury directory to a W2K box and set up a test user.  TLS worked fine with IMAP using my original certificate.  (The Properties button worked too!)

There must be some weirdness with WinNT.  As it is an old OS I don't suppose it will take high priority in the todo list :).  For me, I think I can work around this.


For me the work around will be going back to v4.01. The other option would be to purchase a newer windows version because all the boxes here are now linux, except this one box, and my Win2K and XP disks have all been passed on to others that needed them. Going back to v4.01 is no biggie for me. I'm low volume, have minimal requirements and v4.01 pretty much does the job I need done without issues.


I note that there has been no input concerning this issue since 6/20 and it remains unresolved. Is this an item being investigated, one that will be investigated or is it assumed that this problem on NT4 boxes is being created by admin error? It would be nice to know the status so I can plan accordingly.


Has anyone tried downloading the latest cryptlib from http://www.cs.auckland.ac.nz/~pgut001/cryptlib/download.html and register cl32.dll and cl32ui.dll using regsvr32 %1 - or combine the 4.01 released cryptlib dll:s on a NT4sp6 box?

The documentation also talks about activex components, are these included and registered on the nt4sp6 box or are these out of synch with the included cryptlib version 3.2?


[quote user="Peter Strömblad"] Has anyone tried downloading the latest cryptlib from...[/quote]

All I can say is that none of that works for me.

[quote]The documentation also talks about activex components, are these included and registered on the nt4sp6 box or are these out of synch with the included cryptlib version 3.2?[/quote]

I have no activex components installed - were you asked to accept any when you installed Mercury??

 


Stated ActiveX components at the cryptlib site, don't know if they're part of the M/32 install process.

What if you overwrite the cl32.dll and cl32ui.dll from M/32 4.01 release on top of the M/32 4.51 release?


Reverting back to the 4.01 cl32 files in v4.51 does resolve one issue. I now can review a certificate by clicking the Properties box once rather than a dozen or so times.

I do, however, still get a Cryptlib error. I get it using a v4.51 cert, my old v4.01 cert or when I create a new IMAP cert  using the 4.01 cl32 files in v4.51.

 Error message when using v4.01 cl32's in v4.51

09:39:15.089: >> 2 STARTTLS<cr><lf>
09:39:15.089: << 2 OK Begin SSL/TLS negotiation now.<cr><lf>
09:39:15.089: 21: Error -2 adding socket to CryptLib session (locus 0, type 0, code 0, '')
 
Error message when using v4.51 cl32's in v4.51 
13:48:56.852: >> STARTTLS<cr><lf>
13:48:56.852: << 220 OK, begin SSL/TLS negotiation now.<cr><lf>
13:48:56.852: 20: Error -3 creating CryptLib session.
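
A triage helper for the session-log excerpts posted in this thread, added here as an example (it is not part of any post, nor Mercury or cryptlib code): it pairs each client STARTTLS command with the CryptLib error or "session established" line that follows it. The function names, and the assumption that one connection's lines appear contiguously in the log, belong to this example.

```python
import re
from collections import Counter

# Constructed sample: session-log lines copied from the excerpts in this thread,
# plus one made-up trailing STARTTLS that has no logged result.
SAMPLE_LOG = """\
09:48:09.794: << * OK blakecomp.com IMAP4rev1 Mercury/32 v4.51 server ready.<cr><lf>
09:48:09.844: >> A1 STARTTLS<cr><lf>
09:48:09.844: << A1 OK Begin SSL/TLS negotiation now.<cr><lf>
09:48:09.844: 20: Error -3 creating CryptLib session.
10:21:49.598: << * CAPABILITY IMAP4rev1 STARTTLS X-MERCURY-1<cr><lf>
10:21:49.659: >> A2 STARTTLS<cr><lf>
10:21:49.659: << A2 OK Begin SSL/TLS negotiation now.<cr><lf>
10:21:49.919: [*] SSL/TLS session established: 3DES, CBC mode, keysize 192 bits
09:39:15.089: >> 2 STARTTLS<cr><lf>
09:39:15.089: << 2 OK Begin SSL/TLS negotiation now.<cr><lf>
09:39:15.089: 21: Error -2 adding socket to CryptLib session (locus 0, type 0, code 0, '')
11:00:00.000: >> STARTTLS<cr><lf>
"""

LINE = re.compile(r"^\s*(\d\d:\d\d:\d\d\.\d{3}):\s?(.*)$")
# ">>" marks what the client sent; the IMAP form carries a tag, the SMTP form does not.
STARTTLS = re.compile(r"^>>\s+(?:\S+\s+)?STARTTLS\b", re.IGNORECASE)
ERROR = re.compile(r"^\d+: Error (-?\d+) (.*CryptLib session.*)$")
ESTABLISHED = re.compile(r"^\[\*\] SSL/TLS session established: (.*)$")


def starttls_outcomes(log_text):
    """Return one record per client STARTTLS command with what happened next."""
    events = []
    pending = None  # timestamp of a STARTTLS still waiting for its outcome

    def close(outcome, detail="", code=None):
        nonlocal pending
        events.append({"time": pending, "outcome": outcome,
                       "code": code, "detail": detail})
        pending = None

    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a timestamped session-log line
        stamp, body = m.groups()
        if STARTTLS.match(body):
            if pending is not None:
                close("no-outcome")  # previous attempt never logged a result
            pending = stamp
        elif pending is not None:
            if (err := ERROR.match(body)):
                close("failed", err.group(2), int(err.group(1)))
            elif (ok := ESTABLISHED.match(body)):
                close("established", ok.group(1))
    if pending is not None:
        close("no-outcome")
    return events


def failure_codes(events):
    """Count failed negotiations per CryptLib error code."""
    return Counter(e["code"] for e in events if e["outcome"] == "failed")


if __name__ == "__main__":
    for event in starttls_outcomes(SAMPLE_LOG):
        print(event)
    print(dict(failure_codes(starttls_outcomes(SAMPLE_LOG))))
```
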
 

I can confirm the above. I have the same behavior on my Win NT Workstation 4sp6a. Does this mean that we have come to a dead end? Or has anyone found a way for Mercury v4.51 to work properly on an NT box?


[quote user="Stefan Björkert"]I can confirm the above. I have the same behavior on my Win NT Workstation 4sp6a. Does this mean that we have come to a dead end? Or has anyone found a way for Mercury v4.51 to work properly on an NT box?[/quote]

 

One option is to use SSL tunneling via OpenSSL if it works on these NT boxes.

Q: I need to use STunnel (http://www.stunnel.org) to access my corporate e-mail securely across the Internet from home. Please explain how can I do this?

A: In WinPMail, go to the Tools -> Internet Options... menu item, click on the Receiving (POP3) tab in the dialog and fill in the POP3 Host field as:
127.0.0.1
Then click on the Sending (SMTP) tab and fill in the SMTP Host field as:
127.0.0.1

Next, start up Windows Notepad and create a two-line Batch text file that starts STunnel. Below is an example of how the Batch file should look. You will need to change the path accordingly for where your copy of stunnel is located as well as the host names for your corporate POP3 and SMTP servers and the port numbers being used on each of those servers for STunnel:

    start /m C:\stunnel\stunnel-3.22.exe -c -d 110 -r pop.corp.com:995
    start /m C:\stunnel\stunnel-3.22.exe -c -d 25 -r smtp.corp.com:465

Save this as ST_PEG.BAT or similar (it must have a .BAT filename extension). Run this Batch file prior to running WinPMail in order to provide the STunnel redirection functionality.

For more information on setting up STunnel with Pegasus Mail, look here: http://www.noderunner.net/~llin/old/pmail-ssl.html

MercuryC and MercuryD also work the same way.





 


OpenSSL 0.9.8e and STunnel 4.20 both apparently work on NT4 SP6a. I get an SSL connect from TBird 2.0.0.4 on Fedora 7 boxes to v4.51 smtp, pop3 and imap on my NT4 SP6a box with STunnel support. Thanks Thomas.


Thanks Thomas & Curt for the stunnel information.  That works well with ssl connections, but I don't think it works with StartTLS/plaintext in the same port.

(There are links on the website for a source patch which allows it for servers, but that's quite old and for an outdated version.)

Please let me know if anyone gets it working on the server end with TLS on windows.

 
