Outlook Express Error 0x800CCC0B and the End of TLS 1.0 (Deprecated SSL Protocol)

Microsoft Outlook Express (OE) is an obsolete mail client that was available in Microsoft Windows XP, Windows 2003 Server and older Microsoft operating systems. It was no longer available on Windows Vista and later, though Windows Live Mail is relatively close in user interface and appearance.

Despite being obsolete and only working on operating systems no longer supported or updated by Microsoft, it still has some users who prefer its simple but powerful user interface. Some of those users will have had a frustrating experience recently, when various mail servers stopped working for outbound mail in OE. Specifically, these are mail servers that use SSL on submission port 465 or 587 for SMTP.

Secure Socket Layer (SSL) is a mechanism for encrypting data between a client and a server. You may know it from website URIs starting with “https:” and web sessions displaying a padlock symbol next to the URI. There are various protocol versions that can implement this encryption layer. One of these, TLS 1.0 which was conceived in 1999, has now been officially deprecated (made officially obsolete) as of the end of June 2018. Software now has to use more recent protocols, such as TLS 1.1, TLS 1.2 or the recently defined TLS 1.3.

Unfortunately, TLS 1.0 is all that OE will speak. It does not understand TLS 1.1 or later. Therefore it can not pick up mail from a POP server using SSL on port 995 or an IMAP server on port 993 or send mail to an SMTP server on port 465 (or 587) with SSL enabled.

Workaround
The only workaround I am aware of (other than switching to a more modern mail client) is to use Stunnel, a tool for Windows or Linux that acts as a proxy. You can configure it to establish an SSL connection to a given host and port when a connection to a given local port is made. Thus you could configure OE to connect to port 9465 on the machine running Stunnel, which might then connect via SSL to smtp.example.com:465 using a more modern TLS version supported by Stunnel (but not directly by OE).

Picasa: “Failed to download album list”

If you are still using the Picasa 3 desktop application by Google and got the above error message, here’s some bad news for you: Google has finally killed this app. On March 26, 2018 they announced that it would no longer be able to upload new albums. So this error message is not temporary and there is no direct fix.

I think it’s very regrettable that Google has been killing off Picasa step-by-step. This is only the latest nail in the coffin. I had been using Picasaweb and Picasa since 2010 and they were great products.

The good news is that you can still create albums from folders using a web browser. Say you have a folder named “2018-03-26 Cherry Blossom Party”. Just follow these steps (for Windows and Chrome):

1) Select its parent folder in Windows Explorer, then slowly click on the folder that you want to upload, twice: Once to select it, then once more to enable you to edit the folder name as if to rename it. When the name becomes editable, press Ctrl+C to copy the folder name, then press Esc to keep the name unchanged. This stores the folder name in the copy-and-paste clipboard, which will save you from having to manually retype the name later.

2) In Chrome, go to https://photos.google.com/ and click on “Upload” (on the top right). A file selector dialog will open up. Click through to the contents of the folder you want to upload. Select all files in the folder using Ctrl+A and click “Open” to confirm the upload.

3) The browser will upload all files and give you a choice of “Add to album” or “Shared album”. Select “Add to album”. To create a new album with the name of the folder, select “New album”. Click on the album name showing as “Untitled” and use Ctrl+V to paste the name you copied in step 1. Hit Enter and click on the check mark to confirm creation of the new album.

Voila, you have a new album online, with the same name as the local folder. Repeat as needed for multiple folders. This is as simple as it gets without the old Picasa app.

Strava Cycling Climbing Challenges

Strava is a popular service for logging bike rides and other activities, which provides a way of comparing one’s achievements with those of other cyclists and runners. Competition is a powerful stimulant and a main driver behind the success of the service. Monthly “challenges”, such as a Gran Fondo (a ride of at least 100 or 130 km, depending on the time of the year) or a monthly cumulative distance or elevation gain challenge, are particularly popular on Strava.

While I regularly participate in the Cycling Distance and Gran Fondo Challenge, I do not normally sign up for the Cycling Climbing Challenge, which is meant to encourage you do ride hilly courses. I love hilly courses. In fact, most of my weekend rides are hilly, usually going from close to sea level to over 900 m and back.

Last year I averaged one century ride (at least 160.9 km / 100 miles) about every other week, so the Gran Fondo challenge is not really that much of a challenge for me. My typical centuries are about 170-190 km with 1800-2100 m of elevation gain. Yet at 7500 to 8000 m the goal for the Cycling Climbing Challenge is set so high, I could do a hilly century ride four Saturdays in a row and still miss the climbing goal. So how do other people, who do not ride 170 km into the hills every other weekend complete the climbing challenge?

I think the Strava climbing goals are designed for people who record their rides with phones or other GPS devices that rely only on satellite data for elevation. GPS-based elevation data is much less precise than lattitude-longitude data. Other popular GPS units like the Garmin Edge 1000, Garmin Edge 520 (or my o_synce Navi2coach) use a barometer for more precise elevation tracking. The problem with GPS-based elevation is that it’s noisy, it will go up and down pretty randomly but all those little ups will be added up by Strava, resulting in a considerably inflated climbing total. If you’re using a GPS device measuring relatively accurate barometric elevation, you can’t really compete against all that noisy data ๐Ÿ™

I could confirm this in group rides with other people who were using mix of equipment, where I had a chance to compare the posted stats on Strava afterwards. The iPhone or Android-app recorded totals were often 50-100% higher than the Garmin-recorded totals, for one and the same course.

Here is one random example of 4 people doing the same course up a volcano in Tenerife, Gran Canria yesterday. Note, this not my ride, I just randomly stumbled on it while looking at high scorers in the March Cycling Climbing Challenge on the Strava website. Two of these cyclists were using the Strava iPhone app, the other two were using a Garmin Edge 520:

Strava iPhone App:
https://www.strava.com/activities/1437744625
5,080m

Strava iPhone App:
https://www.strava.com/activities/1437728113
4,635m

Garmin Edge 520:
https://www.strava.com/activities/1437709764
2,847m

Garmin Edge 520:
https://www.strava.com/activities/1437730812
2,556m

As you can see, the two cyclists using the phone app posted almost double the total climbing for the course as the Garmin users, despite riding the very same roads and posting the same elevation profile for the activity (i.e. no hill repeats).

Based on evidence like that, I don’t think elevation gain competitions on Strava are happening on a level playing field! ๐Ÿ˜‰

Huawei Nexus 6P Battery Upgrade

I’ve had my Huawei Nexus 6P for about two years now. The combination of a great camera, an excellent screen, good performance and decent battery life has made this my best smartphone ever.

However, a couple of months ago something happened as the battery capacity appeared to have collapsed dramatically. Sometimes the phone would shut down only 5 hours after I had disconnected it from the AC charger when I left home, starting off supposedly fully charged! I had to always carry a USB battery and cable with me to not risk losing the use of my phone in the middle of the day.

Attempts to recalibrate the capacity indicator helped only insofar as the phone would shut down at 14% charge instead of say 55% charge, so there was slightly more warning, but the number of hours was still too short. This actually seems to be a common problem with the Nexus 6P, which otherwise is still a great phone.

It’s not uncommon for Li-ion batteries to significantly lose capacity after about about three years, but if it happens after less than two years as in my case, that’s not very good. Fortunately, replacement batteries are available and any competent phone repair shop will be happy to do the necessary surgery to replace a battery that is on its way out. Unfortunately the days when you could simply pop open the phone case without any tools and swap the battery yourself are long gone. This is a trend started by Apple and almost every other phone maker has since followed suit. I think it’s meant to get people to buy a new phone sooner, which is good for Apple and its competitors, but bad for consumers and for the planet.

There are Youtube videos that will show you how you how to open the Nexus 6P case and disassemble the phone to swap the battery. This involves the use of a hairdryer or heat gun to soften the glue that holds it all together as well as a plastic card and a small screw driver. As I did not feel adventurous enough to attempt this myself, I contacted several phone repair shops here in Tokyo. Repair King Japan replied. Though they they didn’t have the Nexus 6P battery in stock they were happy to order one for me. Once they got it, I dropped the phone off and two hours later I could have it back with a new battery. So far it’s looking good: It’s been 40 hours since the last full charge (with battery saver mode inactive) and it’s still showing 64% with about 3 days of power left ๐Ÿ™‚

UPDATE: At 72 hours, it still had 23% charge left. At that point I connected it to a charger.

Hopefully with the new battery my Nexus 6P will be a great phone again for a few more years!

Updated jwhois.conf File for CentOS for New gTLDs

The whois command on CentOS 6.x and 7.x doesn’t handle queries for many domains in new Top Level Domains (TLDs) that were added by ICANN in the last few years.

Domains from many of these new TLDs are selling as cheap as $0.99 a pop, making them attractive to snowshoe spammers who create them in large numbers. As a spam researcher, I see lots of new spam domains from TLDs such as .xyz, .online, .top. .club, .services, .win, .site, .bid, .life and .trade.

WHOIS is an important tool for me to track the domain registrants. CentOS uses jwhois as its WHOIS client, which relies on a configuration file to tell it what servers to query for detailed information. The configuration file that comes with recent CentOS versions is woefully out of date.

I have gone through the currently existing TLDs and counted 466 of them that are not supported by jwhois but appear to have a valid WHOIS server. I have been able to verify for about half of these TLDs that the WHOIS server works and have added them to my configuraion file, which you can download here.

Many of the rest of the new TLDs are hosted on Neustar, which performs rate limiting on lookups. Because of that I didn’t fully verify functioning of all those hosts, but I verified that CNAMEs exist for the WHOIS hosts that redirect to Neustar WHOIS servers and tested a small sample of those TLDs.

Getting Rid of the EMUI Launcher on the Huawei P9 Lite

Last time I switched mobile provider here in Japan, I signed up for a contract that included a Huawei P9 Lite. My biggest grip about it is its non-standard EMUI interface that runs on top of Android 6.0.1.

Previously I was using a Nexus 5, which had worked OK for me, though the picture quality of its camera was rather mediocre. One nice thing about the Nexus 5 was that it runs stock Android, with no customization. Its user interface is identical to that of my other phone, a Nexus 6P.

I really prefer stock Android without OEM customization. For one, stock Android means you can get version upgrades sooner and for longer (or at all!).

I found the EMUI launcher confusing. For example, I did not see any easy way to launch an app that didn’t have a desktop link.

It’s possible to switch from EMUI to the standard Google launcher. Here are the steps I performed:

1) Install “Google Now Launcher” via Play Store.

2) Swipe down, select Shortcuts and then Settings

3) Enter “def” into the search box at the top (may have to scroll up first)

4) Select “Default app settings”

5) Select “Launcher” and pick “Google” instead of “Huawei Home”. Ignore the warning that tries to scare you into sticking with EMUI (you can always change back by following the same steps and selecting “Huawei Home” again).

6) There you go!

The irritating long push home button

Another irritation that seemed to happen more on the Huawei than on my other phones was the Google screen that pops up (seemingly randomly) when I just try to go to the home screen. It has a “Want answers before you ask?” prompt at the bottom and a Google search box with voice search option at the top. I really don’t need this screen because the standard Android home screen already has a Google search bar at the top. I’d rather have the home screen with all my app shortcuts come up reliably whenever I push the Home button!

It took me a while to figure out that this Google search screen comes up on what the phone thinks is a long push of the Home button, which has a different meaning from a regular short tap. If that happens, just tap again and it will go to the home screen. Or just make it your habit to double tap the home screen to go to the home screen, then this should never happen ๐Ÿ™‚

Adding Free SSL Certificates for HTTPS To Your Websites

I recently received a warning email from Google:

“Starting October 2017, Chrome (version 62) will show a ‘NOT SECURE’ warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode.

The recommended solution was to migrate the affected website(s) to HTTPS. This requires an SSL certificate. There are many companies selling those for hundreds of dollars. I didn’t really want to spend that money.

It turns out there is a free alternative: The Let’s Encrypt project (https://letsencrypt.org/) provides free SSL certificates with just enough functionality to run SSL with current browsers. It also provides automated tools that greatly assist you in obtaining and installing those certificates.

I had a default SSL host configured on my Apache 2.4 installation (inherited from a different server running Ubuntu) that I had to manually remove.

Then, when all virtual hosts only had port 80 (HTTP) enabled, I could run the certbot tool as root:

# certbot --apache

It enumerates all host names supported by your Apache installation. I ran it repeatedly, for each domain and the corresponding www. host name (e.g. joewein.net, www.joewein.net) in my installation and verified the results, one at a time. It will create a new virtual host file in /etc/httpd/hosts-enabled for those hosts for port 443 (HTTPS). I appended the content of that file to my existing port 80 (HTTP) virtual host file in /etc/httpd/hosts-available for that host name and deleted the new file created by certbot. That way I can track all configuration details for each website for both HTTP and HTTPS in a single file, but this purely a personal choice.

All it takes is an Apache restart to enable the new configuration.

You can test if SSL is working as expected by accessing the website with a browser using https:// instead of http:// at the start of the URI.

If you have iptables rules for port 80, you may want to replicate those for port 443 or the certificate generation / renewal may fail. Also, you want to make sure that SSLv3 is turned off on your Apache installation, to protect against the POODLE vulnerability. This required the following setting in ssl.conf:

/etc/httpd/conf.d/ssl.conf:SSLProtocol all -SSLv2 -SSLv3

The free certificates will expire in 90 days, but it’s recommended to add a daily cron job that requests renewals so that an updated key will be downloaded after 60 days, long before the old key expires. Once that is in place, maintenance of SSL keys will be totally automatic.

UPDATE (2017-11-01): If you’re using WordPress on your website, you should change the WordPress base URI to HTTPS too. To do that, log into the WordPress Dashboard. In there select Settings > General. Change the “http://” in the WordPress Address (URI) and Site Address (URI) fields to “https://” and click the Save Changes button. This ensures that any messages from WordPress to you will include secure URIs.

JWHOIS uses 100% of CPU on CentOS

Occasionally we hit a bug where the ‘whois’ command hangs on one of our CentOS servers and goes CPU-bound. This has been happening on several CentOS versions, including 6.8. Specifically, this is a problem in jwhois, the whois client included in CentOS.

Apparently, CentOS (and RHEL, on whose source code it’s based) is missing a number of fixes that have been added to other Linux versions including Fedora over the last couple of years. So the problem is actually known and a fix has been available for years, it’s just not included in the product.

Comparing the change logs for jwhois between CentOS and Fedora, everything matches up to and including build 4.0-18 in September 2009, but then the two diverge.

On Jan 26, 2010, Fedora received a fix (“Use select to wait for input (patch by Joshua Roys <joshua.roys AT gtri.gatech.edu>)”) for a new 4.0-19 build that resolved bug #469412 for precisely this issue. There are many more changes in Fedora’s jwhois after that, unlike its RHEL and CentOS equivalent, which in all the years since then received only a single update. This is also called 4.0-19, but it was made on Jun 23, 2011 and it includes only two fixes for unrelated issues that were fixed in Fedora’s jwhois updates 4.0-24 (Dec 20, 2010) and 4.0-26 (Mar 15, 2011), but not the earlier select fix or fixes for any of the other issues. CentOS is missing the “jwhois-4.0-select.patch” and that’s why WHOIS hangs.

Google broke Picasa uploads

Having used Google Picasaweb for picture-hosting for many years, Google’s transition to Google Photos has been a frustrating experience. The original Picasaweb has always worked better for me than its supposed replacement. Several friends of mine who had also been using Picasaweb have already switched to other services, including Facebook.

The latest nail in the coffin came a few days ago, when the Picasa 3 application failed to upload new albums to Google Photo. The error message was:

Error: Request failed
Click here to View Errors

The link revealed that it was a server error:

HTTP Error 400 – https://picasaweb.google.com/post?tok={long-token-here}[156]

It looks like someone at Google broke the upload servers. When they announced the transition a year ago, Google wrote:

Desktop application
As of March 15, 2016, we will no longer be supporting the Picasa desktop application. For those who have already downloaded thisโ€”or choose to do so before this dateโ€”it will continue to work as it does today, but we will not be developing it further, and there will be no future updates.

For now, the workaround appears to be to use “File | Export Picture to Folder” in the Desktop application to create files no wider than 1600 pixels (below the limit for unlimited free uploads) and then upload those file sets to Google Photo using its web interface.

At the moment it is still possible to share Google Photo images in blog and forum posts but for how much longer? First you must share the album, for example by clicking on the “share” icon in the album in Google Photo, then “Get Link” to generate a link, which you don’t actually have to use. Then you can view an image, right-click on it and select “Open image in new tab”. The URI above the new tab that opens can be used for embedding images in blogs and forums. If or more precisely, when Google also breaks this feature then Google Photos will become unusable for me.

I am looking for a good solution to be hosted on one of my own servers that will replace Google Photos, without size limits and without any hassle for resizing images for public sharing, that will let me control who can see what images like the old Picasaweb did.

Nexus 6P Flashing Charge Icon

Recently the USB-C quick charger that came with my Huawei Nexus 6P appeared to stop working. I normally leave the phone charging over night, but one morning I found its battery charge was low and it hadn’t been charging. When I disconnected and reconnected it to the cable (which is reversible with USB-C connectors on both ends), the lightning bolt inside the battery charge indicator kept blinking (flashing on and off), rather than being solid on as it normally would while the device is charging.

Disconnecting and reconnecting the device or unplugging and reconnecting the charger to the wall socket made no difference whatsoever. Reversing the cable direction did not help either.

My only way to still charge the phone was to use a USB-A to USB-C cable that draws power from a PC USB socket, which is a much slower way to charge the phone. So I decided that the charger must have failed after less than a year of use. I already started looking for USB-C quick chargers on Amazon (they exist but are much more pricey than USB-A chargers), but didn’t order one yet.

Today I decided to Google for the problem and found others who had the exact same issue. It turned out that simply powering down the phone and powering it up again will fix the problem: Yepp, it will charge again!

I’m not sure what the fundamental issue is, but it seems I won’t have to rush out and buy a new charger (which wouldn’t have helped anyway!), as the issue is on the phone side.

If a simple phone reboot fixes it and it doesn’t happen too often, I guess I can live with that. The Nexus 6P has worked great for me so far.