My changes to disable external port mapping exposed a flaw where the server socket was being closed immediately, before the client had read all the data - this caused the client to receive a RST and consequently error. The solution is to wait for the client to close the connection before closing the server connection. I'm surprised this hasn't been a problem elsewhere - it seems like it would be.

cacertsdir =	$(datadir)/purple/ca-certs
cacerts_DATA =	\
		Equifax_Secure_CA.pem \
		GTE_CyberTrust_Global_Root.pem \
		Microsoft_Secure_Server_Authority.pem \
		Verisign_RSA_Secure_Server_CA.pem \
		Verisign_Class3_Primary_CA.pem

EXTRA_DIST =	\
		Makefile.mingw \
		$(cacerts_DATA)