Outlook Express Error 0x800CCC0B and the End of TLS 1.0 (Deprecated SSL Protocol)

Microsoft Outlook Express (OE) is an obsolete mail client that was available in Microsoft Windows XP, Windows 2003 Server and older Microsoft operating systems. It was no longer available on Windows Vista and later, though Windows Live Mail is relatively close in user interface and appearance.

Despite being obsolete and only working on operating systems no longer supported or updated by Microsoft, it still has some users who prefer its simple but powerful user interface. Some of those users will have had a frustrating experience recently, when various mail servers stopped working for outbound mail in OE. Specifically, these are mail servers that use SSL on submission port 465 or 587 for SMTP.

Secure Socket Layer (SSL) is a mechanism for encrypting data between a client and a server. You may know it from website URIs starting with “https:” and web sessions displaying a padlock symbol next to the URI. There are various protocol versions that can implement this encryption layer. One of these, TLS 1.0 which was conceived in 1999, has now been officially deprecated (made officially obsolete) as of the end of June 2018. Software now has to use more recent protocols, such as TLS 1.1, TLS 1.2 or the recently defined TLS 1.3.

Unfortunately, TLS 1.0 is all that OE will speak. It does not understand TLS 1.1 or later. Therefore it can not pick up mail from a POP server using SSL on port 995 or an IMAP server on port 993 or send mail to an SMTP server on port 465 (or 587) with SSL enabled.

Workaround
The only workaround I am aware of (other than switching to a more modern mail client) is to use Stunnel, a tool for Windows or Linux that acts as a proxy. You can configure it to establish an SSL connection to a given host and port when a connection to a given local port is made. Thus you could configure OE to connect to port 9465 on the machine running Stunnel, which might then connect via SSL to smtp.example.com:465 using a more modern TLS version supported by Stunnel (but not directly by OE).

Picasa: “Failed to download album list”

If you are still using the Picasa 3 desktop application by Google and got the above error message, here’s some bad news for you: Google has finally killed this app. On March 26, 2018 they announced that it would no longer be able to upload new albums. So this error message is not temporary and there is no direct fix.

I think it’s very regrettable that Google has been killing off Picasa step-by-step. This is only the latest nail in the coffin. I had been using Picasaweb and Picasa since 2010 and they were great products.

The good news is that you can still create albums from folders using a web browser. Say you have a folder named “2018-03-26 Cherry Blossom Party”. Just follow these steps (for Windows and Chrome):

1) Select its parent folder in Windows Explorer, then slowly click on the folder that you want to upload, twice: Once to select it, then once more to enable you to edit the folder name as if to rename it. When the name becomes editable, press Ctrl+C to copy the folder name, then press Esc to keep the name unchanged. This stores the folder name in the copy-and-paste clipboard, which will save you from having to manually retype the name later.

2) In Chrome, go to https://photos.google.com/ and click on “Upload” (on the top right). A file selector dialog will open up. Click through to the contents of the folder you want to upload. Select all files in the folder using Ctrl+A and click “Open” to confirm the upload.

3) The browser will upload all files and give you a choice of “Add to album” or “Shared album”. Select “Add to album”. To create a new album with the name of the folder, select “New album”. Click on the album name showing as “Untitled” and use Ctrl+V to paste the name you copied in step 1. Hit Enter and click on the check mark to confirm creation of the new album.

Voila, you have a new album online, with the same name as the local folder. Repeat as needed for multiple folders. This is as simple as it gets without the old Picasa app.

Strava Cycling Climbing Challenges

Strava is a popular service for logging bike rides and other activities, which provides a way of comparing one’s achievements with those of other cyclists and runners. Competition is a powerful stimulant and a main driver behind the success of the service. Monthly “challenges”, such as a Gran Fondo (a ride of at least 100 or 130 km, depending on the time of the year) or a monthly cumulative distance or elevation gain challenge, are particularly popular on Strava.

While I regularly participate in the Cycling Distance and Gran Fondo Challenge, I do not normally sign up for the Cycling Climbing Challenge, which is meant to encourage you do ride hilly courses. I love hilly courses. In fact, most of my weekend rides are hilly, usually going from close to sea level to over 900 m and back.

Last year I averaged one century ride (at least 160.9 km / 100 miles) about every other week, so the Gran Fondo challenge is not really that much of a challenge for me. My typical centuries are about 170-190 km with 1800-2100 m of elevation gain. Yet at 7500 to 8000 m the goal for the Cycling Climbing Challenge is set so high, I could do a hilly century ride four Saturdays in a row and still miss the climbing goal. So how do other people, who do not ride 170 km into the hills every other weekend complete the climbing challenge?

I think the Strava climbing goals are designed for people who record their rides with phones or other GPS devices that rely only on satellite data for elevation. GPS-based elevation data is much less precise than lattitude-longitude data. Other popular GPS units like the Garmin Edge 1000, Garmin Edge 520 (or my o_synce Navi2coach) use a barometer for more precise elevation tracking. The problem with GPS-based elevation is that it’s noisy, it will go up and down pretty randomly but all those little ups will be added up by Strava, resulting in a considerably inflated climbing total. If you’re using a GPS device measuring relatively accurate barometric elevation, you can’t really compete against all that noisy data ๐Ÿ™

I could confirm this in group rides with other people who were using mix of equipment, where I had a chance to compare the posted stats on Strava afterwards. The iPhone or Android-app recorded totals were often 50-100% higher than the Garmin-recorded totals, for one and the same course.

Here is one random example of 4 people doing the same course up a volcano in Tenerife, Gran Canria yesterday. Note, this not my ride, I just randomly stumbled on it while looking at high scorers in the March Cycling Climbing Challenge on the Strava website. Two of these cyclists were using the Strava iPhone app, the other two were using a Garmin Edge 520:

Strava iPhone App:
https://www.strava.com/activities/1437744625
5,080m

Strava iPhone App:
https://www.strava.com/activities/1437728113
4,635m

Garmin Edge 520:
https://www.strava.com/activities/1437709764
2,847m

Garmin Edge 520:
https://www.strava.com/activities/1437730812
2,556m

As you can see, the two cyclists using the phone app posted almost double the total climbing for the course as the Garmin users, despite riding the very same roads and posting the same elevation profile for the activity (i.e. no hill repeats).

Based on evidence like that, I don’t think elevation gain competitions on Strava are happening on a level playing field! ๐Ÿ˜‰

Downloading routes from RouteLabo (Yahoo LatLongLab)

Most of the brevets I ride are with AJ NishiTokyo, a randonneuring club based in the Machida/Sagamihara area. One thing I like about their rides is that they provide a link to a RouteLabo page for each event (RouteLabo is an online map service run by Yahoo Japan). This page shows a map of the course as well as download links for KML, GPX and TCX files of the course. By copying these files to your GPS device (Garmin or other) or by uploading a KML file to Google “My Maps” for your smartphone, you can almost completely do away with the need for paper cue sheets. I navigate all my brevets and many of my personal rides by following a “breadcrumb trail” on the screen of my GPS unit.

Unfortunately other clubs often only provide a map without any download option, like this Randonneurs Tokyo 2018 BRM421 Tokyo 600 Lake Hamana (BRM421ๆฑไบฌ600ๆตœๅๆน–้ฐป) page:

This does not help you much on the road. Without a link to the full RouteLabo page with download links, there’s no obvious way to obtain a GPX or KML file. You are still expected to navigate via printed turn instruction on a paper cue sheet, which I find cumbersome and error-prone.

However, there is a way!

The web page uses some Javascript code to display the map off the RouteLabo website, including a magic value that identifies the particular course to be shown. To see this value, view the source code of the page. This step varies by browser and operating system. On Chrome under MS Windows, Ctrl+U will show the source code, on a Mac under Chrome, Option+Command+U will do it. On Safari, once you enable the option via Safari > Preferences > Advanced > Show Develop Menu, you can also use Option+Command+U (just like in Chrome).

In the displayed HTML code, search until you find a line for Javascript like this one:

<script type="text/javascript" encoding="UTF-8" src="https://latlonglab.yahoo.co.jp/route/paste?
id=b86f940851b6ebed2538ffc5f80b2fc8&width=480&
height=640&mapstyle=map&graph=true&maponly=true"></script>

The value consisting of 32 hexadecimal characters (128 bit) after “id=” is the magic value you’re looking for. A full RouteLabo page URI with the download options will look like this:

https://latlonglab.yahoo.co.jp/route/watch?id=b86f940851b6ebed2538ffc5f80b2fc8

By replacing the value after “id=” in the URI with the ID from inside the HTML code using copy and paste, you will get a browser URI that will give you full access to the route, including route file download links to feed your GPS device of choice. You can then bookmark it for future reference. Bonne route! ๐Ÿ™‚

Huawei Nexus 6P Battery Upgrade

I’ve had my Huawei Nexus 6P for about two years now. The combination of a great camera, an excellent screen, good performance and decent battery life has made this my best smartphone ever.

However, a couple of months ago something happened as the battery capacity appeared to have collapsed dramatically. Sometimes the phone would shut down only 5 hours after I had disconnected it from the AC charger when I left home, starting off supposedly fully charged! I had to always carry a USB battery and cable with me to not risk losing the use of my phone in the middle of the day.

Attempts to recalibrate the capacity indicator helped only insofar as the phone would shut down at 14% charge instead of say 55% charge, so there was slightly more warning, but the number of hours was still too short. This actually seems to be a common problem with the Nexus 6P, which otherwise is still a great phone.

It’s not uncommon for Li-ion batteries to significantly lose capacity after about about three years, but if it happens after less than two years as in my case, that’s not very good. Fortunately, replacement batteries are available and any competent phone repair shop will be happy to do the necessary surgery to replace a battery that is on its way out. Unfortunately the days when you could simply pop open the phone case without any tools and swap the battery yourself are long gone. This is a trend started by Apple and almost every other phone maker has since followed suit. I think it’s meant to get people to buy a new phone sooner, which is good for Apple and its competitors, but bad for consumers and for the planet.

There are Youtube videos that will show you how you how to open the Nexus 6P case and disassemble the phone to swap the battery. This involves the use of a hairdryer or heat gun to soften the glue that holds it all together as well as a plastic card and a small screw driver. As I did not feel adventurous enough to attempt this myself, I contacted several phone repair shops here in Tokyo. Repair King Japan replied. Though they they didn’t have the Nexus 6P battery in stock they were happy to order one for me. Once they got it, I dropped the phone off and two hours later I could have it back with a new battery. So far it’s looking good: It’s been 40 hours since the last full charge (with battery saver mode inactive) and it’s still showing 64% with about 3 days of power left ๐Ÿ™‚

UPDATE: At 72 hours, it still had 23% charge left. At that point I connected it to a charger.

Hopefully with the new battery my Nexus 6P will be a great phone again for a few more years!

Adding Free SSL Certificates for HTTPS To Your Websites

I recently received a warning email from Google:

“Starting October 2017, Chrome (version 62) will show a ‘NOT SECURE’ warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode.

The recommended solution was to migrate the affected website(s) to HTTPS. This requires an SSL certificate. There are many companies selling those for hundreds of dollars. I didn’t really want to spend that money.

It turns out there is a free alternative: The Let’s Encrypt project (https://letsencrypt.org/) provides free SSL certificates with just enough functionality to run SSL with current browsers. It also provides automated tools that greatly assist you in obtaining and installing those certificates.

I had a default SSL host configured on my Apache 2.4 installation (inherited from a different server running Ubuntu) that I had to manually remove.

Then, when all virtual hosts only had port 80 (HTTP) enabled, I could run the certbot tool as root:

# certbot --apache

It enumerates all host names supported by your Apache installation. I ran it repeatedly, for each domain and the corresponding www. host name (e.g. joewein.net, www.joewein.net) in my installation and verified the results, one at a time. It will create a new virtual host file in /etc/httpd/hosts-enabled for those hosts for port 443 (HTTPS). I appended the content of that file to my existing port 80 (HTTP) virtual host file in /etc/httpd/hosts-available for that host name and deleted the new file created by certbot. That way I can track all configuration details for each website for both HTTP and HTTPS in a single file, but this purely a personal choice.

All it takes is an Apache restart to enable the new configuration.

You can test if SSL is working as expected by accessing the website with a browser using https:// instead of http:// at the start of the URI.

If you have iptables rules for port 80, you may want to replicate those for port 443 or the certificate generation / renewal may fail. Also, you want to make sure that SSLv3 is turned off on your Apache installation, to protect against the POODLE vulnerability. This required the following setting in ssl.conf:

/etc/httpd/conf.d/ssl.conf:SSLProtocol all -SSLv2 -SSLv3

The free certificates will expire in 90 days, but it’s recommended to add a daily cron job that requests renewals so that an updated key will be downloaded after 60 days, long before the old key expires. Once that is in place, maintenance of SSL keys will be totally automatic.

UPDATE (2017-11-01): If you’re using WordPress on your website, you should change the WordPress base URI to HTTPS too. To do that, log into the WordPress Dashboard. In there select Settings > General. Change the “http://” in the WordPress Address (URI) and Site Address (URI) fields to “https://” and click the Save Changes button. This ensures that any messages from WordPress to you will include secure URIs.

Nexus 6P Flashing Charge Icon

Recently the USB-C quick charger that came with my Huawei Nexus 6P appeared to stop working. I normally leave the phone charging over night, but one morning I found its battery charge was low and it hadn’t been charging. When I disconnected and reconnected it to the cable (which is reversible with USB-C connectors on both ends), the lightning bolt inside the battery charge indicator kept blinking (flashing on and off), rather than being solid on as it normally would while the device is charging.

Disconnecting and reconnecting the device or unplugging and reconnecting the charger to the wall socket made no difference whatsoever. Reversing the cable direction did not help either.

My only way to still charge the phone was to use a USB-A to USB-C cable that draws power from a PC USB socket, which is a much slower way to charge the phone. So I decided that the charger must have failed after less than a year of use. I already started looking for USB-C quick chargers on Amazon (they exist but are much more pricey than USB-A chargers), but didn’t order one yet.

Today I decided to Google for the problem and found others who had the exact same issue. It turned out that simply powering down the phone and powering it up again will fix the problem: Yepp, it will charge again!

I’m not sure what the fundamental issue is, but it seems I won’t have to rush out and buy a new charger (which wouldn’t have helped anyway!), as the issue is on the phone side.

If a simple phone reboot fixes it and it doesn’t happen too often, I guess I can live with that. The Nexus 6P has worked great for me so far.

Porting iptables to ip6tables

A couple of days ago I received an email notification by the Berkeley Security Notifications Team that a Linux server of mine had less restrictive firewall rules for IPv6 than it had for IPv4. This prompted me to update my ip6tables settings on that host to make it is as secure via IPv6 as it was for IPv4.

If you have a dual stack server with IPv4 A records and IPv6 AAAA records published in DNS, you should have it protected with firewall rules on both protocols. Even if you only publish A records and not AAAA ones, you should secure IPv6 access because its address may leak to potential attackers in other ways.

The ip6tables tool is installed as part of iptables on recent distributions, but you need to set up one set of rules for each protocol. They’re independent of each other. A (not very secure) default ip6tables configuration might look like this:

# Generated by ip6tables-save v1.4.21 on Thu Sep 24 11:17:56 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1456:118498]
-A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state –state NEW -m tcp –dport 22 -j ACCEPT
-A INPUT -j REJECT –reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT –reject-with icmp6-adm-prohibited
COMMIT
# Completed on Thu Sep 24 11:17:56 2015

It’s relatively easy to port additional settings from iptables to ip6tables (e.g. in /etc/sysconfig/iptables and /etc/sysconfig/ip6tables for CentOS).

Below are some of the changes needed when porting common entries. As you can see, some names are replaced with those of IPv6 equivalents. Any IP addresses and CIDRs for ip6tables need to be written in IPv6 notation.

To easily port over IPv4 addresses, simply prefix them with “::ffff:”. If they’re followed by a bit count such as /24 (the routing prefix size), add 96 to that number (IPv6 addresses are 128 bits each versus 32 bits for IPv4). Add equivalent rules for the corresponding native IPv6 addresses as needed.

  1. Accept ping from any source:

    IPv4:

    -A INPUT -p icmp -j ACCEPT

    IPv6:

    -A INPUT -p ipv6-icmp -j ACCEPT

  2. Accept connection from white-listed address:

    IPv4:

    -A SSH-IN -s 123.45.67.89/32 -j ACCEPT

    IPv6:

    -A SSH-IN -s ::ffff:123.45.67.89/128 -j ACCEPT
    -A SSH-IN -s 2345:abcd:678:42::/64 -j ACCEPT

  3. Rule to block access (after all the exceptions):

    IPv4:

    -A INPUT -j REJECT –reject-with icmp-host-prohibited
    -A FORWARD -j REJECT –reject-with icmp-host-prohibited

    IPV6:

    -A INPUT -j REJECT –reject-with icmp6-adm-prohibited
    -A FORWARD -j REJECT –reject-with icmp6-adm-prohibited

Filco Majestouch-2 [FKBN104M/EB2]

Recently, the space bar of the keyboard on my main machine developed a problem, so I ordered a Filco Majestouch-2 (US layout, USB version with PS/2 adapter). It uses brown Cherry MX switches.

I have always liked the feel and feedback of the original IBM PC and IBM PC/AT keyboards (which I first used in 1981). If you’re a fan of the original IBM keyboards, you’ll love this one. The Filco keyboards are not cheap, but you get what you pay for.

There are various models from Filco, some with the blue or black Cherry switches. The brown switches are recommended for general use, including office work and programming. I am very happy with mine and will probably order another one for another of my machines.

Acer One D260 system restore

The hard disk in my wife’s Acer One D260 netbook got damaged. A new hard disk is about a quarter the price of a new netbook, so I wanted to install a new drive. Like with most PCs these days there aren’t any Windows install DVDs included.

The netbook came with Windows 7 Starter, which we needed to somehow install on the new hard disk. Fortunately, the damaged hard disk was still limping along enough to use the Acer eRecovery system to create two Recovery DVDs. These should allow restoring the initial system state to a hard disk in the machine, wiping all the data on the drive.

To replace the hard disk, I had to undo seven clips around the edge of the keyboard, lift off the keyboard and disconnect the keyboard ribbon cable to the motherboard connector. Then I needed to undo 4 screws underneath and push through, to pop out the cover on the bottom of the machine. This opened access to the single memory slot and drive cage.

The 1 GB memory module on the motherboard can be replaced with a 2 GB PC3-8500 1066MHZ DDR3 module available for about $20. This is a wortwhile investment and I already have the module on order.

I replaced the damaged 250 GB WD Scorpio Blue drive with a spare 500 GB drive (available new for about $60-$80). Then I closed the cover and reinstalled the screws and then the keyboard.

With the new drive it was possible to boot off the first Recovery DVD using a USB DVD drive. The eRecovery software copied data from both DVDs to the hard disks and then rebooted. However, that reboot failed because the new drive did not yet have a Windows Master Boot record (MBR) on it. You can install an MBR from within Windows, but not from the bootable eRecovery DVD. So I had a chicken and egg problem.

I overcame this hurdle by booting off a Ubuntu Live DVD (32 bit), installing the ‘lilo’ package and telling it to install the Linux equivalent of Microsoft’s MBR code:

sudo apt-get install lilo
sudo lilo -M /dev/sda mbr

At the next attempt to boot off the hard disk, Windows started installing its components and drivers and launched into its initial configuration, just like the first time we had unboxed the machine more than two years ago. So we are back to a working Winmdows 7 machine!

Thank you, Linux — you saved my day again! ๐Ÿ™‚