Outlook Express Error 0x800CCC0B and the End of TLS 1.0 (Deprecated SSL Protocol)

Microsoft Outlook Express (OE) is an obsolete mail client that was available in Microsoft Windows XP, Windows 2003 Server and older Microsoft operating systems. It was no longer available on Windows Vista and later, though Windows Live Mail is relatively close in user interface and appearance.

Despite being obsolete and only working on operating systems no longer supported or updated by Microsoft, it still has some users who prefer its simple but powerful user interface. Some of those users will have had a frustrating experience recently, when various mail servers stopped working for outbound mail in OE. Specifically, these are mail servers that use SSL on submission port 465 or 587 for SMTP.

Secure Socket Layer (SSL) is a mechanism for encrypting data between a client and a server. You may know it from website URIs starting with “https:” and web sessions displaying a padlock symbol next to the URI. There are various protocol versions that can implement this encryption layer. One of these, TLS 1.0 which was conceived in 1999, has now been officially deprecated (made officially obsolete) as of the end of June 2018. Software now has to use more recent protocols, such as TLS 1.1, TLS 1.2 or the recently defined TLS 1.3.

Unfortunately, TLS 1.0 is all that OE will speak. It does not understand TLS 1.1 or later. Therefore it can not pick up mail from a POP server using SSL on port 995 or an IMAP server on port 993 or send mail to an SMTP server on port 465 (or 587) with SSL enabled.

Workaround
The only workaround I am aware of (other than switching to a more modern mail client) is to use Stunnel, a tool for Windows or Linux that acts as a proxy. You can configure it to establish an SSL connection to a given host and port when a connection to a given local port is made. Thus you could configure OE to connect to port 9465 on the machine running Stunnel, which might then connect via SSL to smtp.example.com:465 using a more modern TLS version supported by Stunnel (but not directly by OE).

Example
Let’s say Outlook Express was configured to submit outbound mail to smtp.outboundmailserver.com, port 587 via SSL/TLS. This is our SMTP server. Once this server refuses to allow TLS 1.0 connections, Outlook Express will no longer work. Let’s say we also have a simple Linux server mylinuxserver.com. This could even be something like a Raspberry Pi single board computer booting off flash memory. It can run on a local IP in our LAN, if you don’t need to have access from outside your building (OE running on a desktop). On this server we install the stunnel package:

sudo yum install stunnel

Please read the documentation on how to enable the service and have it auto-start when the Linux server reboots.

Next we configure stunnel to act as a client on our behalf and configure it to accept TLS 1.0 connections from us and forward them to the real POP3, SMTP or IMAP server using the latest TLS on our behalf. We will create lines like these in /etc/stunnel/stunnel.conf:

client = yes

;cert = /etc/pki/tls/certs/stunnel.pem
;sslVersion = TLSv1
;chroot = /var/run/stunnel
;setuid = nobody
;setgid = nobody
;pid = /stunnel.pid
;socket = l:TCP_NODELAY=1
;socket = r:TCP_NODELAY=1

[smtp-outboundmailserver]
accept = 1587
connect = smtp.outboundmailserver.com:587

Create other entries for the services that you need TLS support for and restart the stunnel service. Then reconfigure Outlook Express to access the Linux host and the port number listed with “accept = ” in place of the original server that refused your Outlook Express TLS 1.0 connection. You should be good to go!

Long term you will still need to migrate to another mail client such as Thunderbird, Windows Mail or OE Classic, but this workaround will buy you some time for that.

8 thoughts on “Outlook Express Error 0x800CCC0B and the End of TLS 1.0 (Deprecated SSL Protocol)

  1. Yo, TLS is NOT a subset of SSL, but its successor and a completely different protocol.

  2. Jules, technically you are correct: TLS is the successor to SSL. However, people still commonly say SSL when they actually mean SSL/TLS (i.e. the original SSL and the TLS versions that replaced it) — a bit like some people say “the Internet” when they mean the WWW 🙂

  3. Thanks Joe, your post save me from a lot of headache 🙂

  4. OE6 also doesn’t properly implement IMAP which is no surprise since it is so old implementation. Using a stunnel won’t help with that because it doesn’t correctly do EXPUNGE, doesn’t support MOVE extension (which is an atomic version of the COPY + EXPUNGE commands which if not executed both one after another could leave copy of message in 2 folders without removing from one folder, so MOVE extension helps there) and also doesn’t have the concept of “Junk” (or “Spam”) IMAP folder. There are also other smaller things missing from its IMAP implementation such as compatibility with Apple Mail (or iOS Mail) colored flags. All of these are supported in OE Classic 3.0 (and later).

  5. Outlook Express 6 on Windows XP seems to be tied in with Internet Explorer 8’s configuration. Other web browsers seem to do OK for ‘padlock symbol browsing’, they seem to bring in their own SSL connectivity. To OE6 & IE8 there are some tweaks available to add TLSv1.1 and TLSv1.2 protocols + some extra ciphers, using Microsoft’s security updates KB4230450, KB94228 , KB401927. Another trick being used is use POSReady (to emulate a POS terminal running XP) in order to obtain updates from MS. That results in IE8 being able to browse more websites with TLS1.1 & 1.2 , and presumably OE6 benefits from this too to some extent.

    Having said that, when my hosting service provider ( TSOHost.com ) suddenly pulled the plug without any warning (usual behaviour for them) for TLSv1.0 and TLSv1.1, they only provided just two (!) ciphers on the server. The ciphers they chose weren’t the ones my OE6 had. This required me to use Stunnel instead of more hacking of OE6.

    I found Stunnel works fine, OE6 works as before seamlessly. The trick is to get OE to talk to Stunnel with clear text (don’t use secure) and then Stunnel deals with the mailserver’s quirky requirements.

    (Meanwhile at the time of writing my hosting provider TSOHost.com their own website happily talks with 26 weak ciphers on TLS 1.0 !)

  6. Here is the real way to fix this problem by upgrading Windows XP’s TLS support to version 1.2 which will work with Yahoo/AT&T’s email servers.

    Download this archive: https://clicknupload.co/720a8cmwslg7

    It contains two official Windows update installers for Windows XP:
    windowsxp-kb4019276-x86-embedded-enu_3822fc1692076429a7dc051b00213d5e1240ce3d.exe
    windowsxp-kb4467770-x86-embedded-enu_f61e16be7e32887953b29ae1b8ba90064f3ef0a5.exe

    and a registry file named Windows TLS Settings.reg which contains the necessary settings to enable TLS versions 1.1 and 1.2 on Windows XP.

    First run each of the two Windows update installers, but don’t restart after each one. Only restart after you have successfully run both update installers and then imported the “Windows TLS Settings.reg” registry file into your registry, e.g. by double-clicking on it.

    This is the contents of the registry file if you want to create it yourself:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
    ;DefaultSecureProtocols Value Protocol enabled
    ;0x00000008 Enable SSL 2.0 by default
    ;0x00000020 Enable SSL 3.0 by default
    ;0x00000080 Enable TLS 1.0 by default
    ;0x00000200 Enable TLS 1.1 by default
    ;0x00000800 Enable TLS 1.2 by default
    ;This value is for the windowsxp-kb4467770-x86-embedded-enu_f61e16be7e32887953b29ae1b8ba90064f3ef0a5.exe update.
    ;For example, to override the default values for WINHTTP_OPTION_SECURE_PROTOCOLS
    ;to specify TLS 1.1 and TLS 1.2, add the value for TLS 1.1 (0x00000200) and the
    ;value for TLS 1.2 (0x00000800). The resulting registry value would be 0x00000A00.
    “DefaultSecureProtocols”=dword:00000800
    ;dword:00000A00 by itself does not make Outlook Express use TLS 1.2.
    ;”DefaultSecureProtocols”=dword:00000A00
    ;”DefaultSecureProtocols”=dword:00000A80 is all SSL and TLS up to 1.2

    ;Addition For 64-bit Windows
    ;[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
    ;DefaultSecureProtocols Value Protocol enabled
    ;0x00000008 Enable SSL 2.0 by default
    ;0x00000020 Enable SSL 3.0 by default
    ;0x00000080 Enable TLS 1.0 by default
    ;0x00000200 Enable TLS 1.1 by default
    ;0x00000800 Enable TLS 1.2 by default
    ;This value is for the windowsxp-kb4467770-x86-embedded-enu_f61e16be7e32887953b29ae1b8ba90064f3ef0a5.exe update.
    ;For example, to override the default values for WINHTTP_OPTION_SECURE_PROTOCOLS
    ;to specify TLS 1.1 and TLS 1.2, add the value for TLS 1.1 (0x00000200) and the
    ;value for TLS 1.2 (0x00000800). The resulting registry value would be 0x00000A00.
    “DefaultSecureProtocols”=dword:00000800
    ;dword:00000A00 by itself does not make Outlook Express use TLS 1.2.
    ;”DefaultSecureProtocols”=dword:00000A00
    ;”DefaultSecureProtocols”=dword:00000A80 is all SSL and TLS up to 1.2

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ;The SecureProtocols registry entry that has value 0xA80 for enabling TLS 1.1 and 1.2.
    “SecureProtocols”=dword:00000A80
    ;”SecureProtocols”=dword:00000800 is just TLS 1.2

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    ;The SecureProtocols registry entry that has value 0xA80 for enabling TLS 1.1 and 1.2.
    “SecureProtocols”=dword:00000A80
    ;”SecureProtocols”=dword:00000800 is just TLS 1.2

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
    ;For TLS 1.1 to be enabled and negotiated, you must create the DisabledByDefault DWORD entry and set the value 0.
    ;This subkey and value is not created in the registry by default since these protocols are disabled by default.
    “DisabledByDefault”=dword:00000000
    ;To disable the TLS 1.1 protocol, you must create the Enabled DWORD entry and set the value to 0.
    ;To re-enable the protocol, change the DWORD value to 1.
    “Enabled”=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    ;For TLS 1.2 to be enabled and negotiated, you must create the DisabledByDefault DWORD entry and set the value 0.
    ;This subkey and value is not created in the registry by default since these protocols are disabled by default.
    “DisabledByDefault”=dword:00000000
    ;To disable the TLS 1.2 protocol, you must create the Enabled DWORD entry and set the value to 0.
    ;To re-enable the protocol, change the DWORD value to 1.
    “Enabled”=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
    ;For TLS 1.3 to be enabled and negotiated, you must create the DisabledByDefault DWORD entry and set the value 0.
    ;This subkey and value is not created in the registry by default since these protocols are disabled by default.
    “DisabledByDefault”=dword:00000000
    ;To disable the TLS 1.3 protocol, you must create the Enabled DWORD entry and set the value to 0.
    ;To re-enable the protocol, change the DWORD value to 1.
    “Enabled”=dword:00000001

    ;For use as a server, e.g. IIS.
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
    ;For TLS 1.1 to be enabled and negotiated, you must create the DisabledByDefault DWORD entry and set the value 0.
    ;This subkey and value is not created in the registry by default since these protocols are disabled by default.
    “DisabledByDefault”=dword:00000000
    ;To disable the TLS 1.1 protocol, you must create the Enabled DWORD entry and set the value to 0.
    ;To re-enable the protocol, change the DWORD value to 1.
    “Enabled”=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    ;For TLS 1.2 to be enabled and negotiated, you must create the DisabledByDefault DWORD entry and set the value 0.
    ;This subkey and value is not created in the registry by default since these protocols are disabled by default.
    “DisabledByDefault”=dword:00000000
    ;To disable the TLS 1.2 protocol, you must create the Enabled DWORD entry and set the value to 0.
    ;To re-enable the protocol, change the DWORD value to 1.
    “Enabled”=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]
    ;For TLS 1.3 to be enabled and negotiated, you must create the DisabledByDefault DWORD entry and set the value 0.
    ;This subkey and value is not created in the registry by default since these protocols are disabled by default.
    “DisabledByDefault”=dword:00000000
    ;To disable the TLS 1.3 protocol, you must create the Enabled DWORD entry and set the value to 0.
    ;To re-enable the protocol, change the DWORD value to 1.
    “Enabled”=dword:00000001

  7. THIS is exactly what I was looking for. Not only that, the way you explain things puts many a so-called “tech” site to shame, in my opinion. Thank you so much.

  8. Hey, JD, your explanation is over-complicated and i can not understand it. Also file that you upload is no longer exist!
    Can you reupload that archive on file uploader that hold file for a long time
    Also write here explanation about registry much easy to understand – I DO NOT UNDERSTAND your super-complicated text.

Leave a Reply

Your email address will not be published. Required fields are marked *