Downloading resources on Android devices returns unknown file in Google Chrome, or internal browser but not in Firefox for Android!

Short version

  • Do not rely on a self-signed certificate for Android when downloading resources: the Android download manager won't work (below Android 4.1.4, SSL was not even supported in the download manager)
  • Android does not support every kind of SSL cipher; check the compatibility table below

Long Story

On some Android devices, clicking the download link returns an error and shows an 'Unknown file'. The file, with an initial size of 790kb, gets partially and randomly downloaded: sometimes you get 140kb, sometimes 224kb or more.

There is a workaround: if one holds the cursor on the link and clicks 'Save', the saved document is correct and can be opened.

This issue appears on some Android phones, not on Android tablets (???) and never on iOS (sic).

Looking at the logs, we found that the resource size returned in the Apache access log is not the same as in the Tomcat access log (only when the client is Android). Using a desktop-class browser (Google Chrome, Firefox, Opera, Safari), the sizes returned by Tomcat and Apache are the same!

After a lot of trial and error, we found out that Android is able to download the resource properly when connecting directly to Tomcat (e.g. without SSL); however, in this case there is a VERY strange behaviour:

So, when we try to download the resource via HTTP, Android needs to connect twice! The first connection seems to abort and only the second connection (Android download manager) is able to fetch everything.

After that, we enabled debug logging in Apache and had a look at the output.

[Tue Jan 26 16:06:29 2016] [info] Initial (No.1) HTTPS request received for child 0 (server skye3.innoveo.com:443)
[Tue Jan 26 16:06:29 2016] [debug] mod_proxy_http.c(56): proxy: HTTP: canonicalising URL //localhost:8443/xx.pdf
[Tue Jan 26 16:06:29 2016] [debug] proxy_util.c(1525): [client 172.16.2.176] proxy: http: found worker http://localhost:8443/ for http://localhost:8443/xx.pdf
[Tue Jan 26 16:06:29 2016] [debug] mod_proxy.c(1026): Running scheme http handler (attempt 0)
[Tue Jan 26 16:06:29 2016] [debug] mod_proxy_http.c(1982): proxy: HTTP: serving URL http://localhost:8443/xx.pdf
[Tue Jan 26 16:06:29 2016] [debug] proxy_util.c(2102): proxy: HTTP: has acquired connection for (localhost)
[Tue Jan 26 16:06:29 2016] [debug] proxy_util.c(2158): proxy: connecting http://localhost:8443/xx.pdf to localhost:8443
[Tue Jan 26 16:06:29 2016] [debug] proxy_util.c(2285): proxy: connected /xxxxx.pdf to localhost:8443
[Tue Jan 26 16:06:29 2016] [debug] mod_proxy_http.c(1741): proxy: start body send
[Tue Jan 26 16:06:29 2016] [info] [client 172.16.2.176] (104)Connection reset by peer: core_output_filter: writing data to the network
[Tue Jan 26 16:06:29 2016] [info] [client 172.16.2.176] (103)Software caused connection abort: SSL output filter write failed.
[Tue Jan 26 16:06:29 2016] [debug] mod_proxy_http.c(1851): proxy: end body send
[Tue Jan 26 16:06:29 2016] [debug] proxy_util.c(2120): proxy: HTTP: has released connection for (localhost)
[Tue Jan 26 16:06:29 2016] [info] [client 172.16.2.176] Connection to child 3 established (server skye3.innoveo.com:443)
...
~removed useless debug output~
[Tue Jan 26 16:06:29 2016] [debug] ssl_engine_kernel.c(1966): [client 172.16.2.176] SSL virtual host for servername skye3.innoveo.com found
[Tue Jan 26 16:06:29 2016] [debug] ssl_engine_kernel.c(1853): OpenSSL: Loop: SSLv3 read client hello A
[Tue Jan 26 16:06:29 2016] [debug] ssl_engine_kernel.c(1853): OpenSSL: Loop: SSLv3 write server hello A
[Tue Jan 26 16:06:29 2016] [debug] ssl_engine_kernel.c(1853): OpenSSL: Loop: SSLv3 write certificate A
[Tue Jan 26 16:06:29 2016] [debug] ssl_engine_kernel.c(1853): OpenSSL: Loop: SSLv3 write key exchange A
[Tue Jan 26 16:06:29 2016] [debug] ssl_engine_kernel.c(1853): OpenSSL: Loop: SSLv3 write server done A
[Tue Jan 26 16:06:29 2016] [debug] ssl_engine_kernel.c(1853): OpenSSL: Loop: SSLv3 flush data
[Tue Jan 26 16:06:29 2016] [debug] ssl_engine_io.c(1929): OpenSSL: read 5/5 bytes from BIO7f1a4c1230d0 [mem: 7f1a4c17a493] (BIO dump follows)
...
~removed useless debug output~
[Tue Jan 26 16:06:29 2016] [debug] ssl_engine_kernel.c(1853): OpenSSL: Loop: SSLv3 read client key exchange A
[Tue Jan 26 16:06:29 2016] [debug] ssl_engine_io.c(1929): OpenSSL: read 5/5 bytes from BIO7f1a4c1230d0 [mem: 7f1a4c17a493] (BIO dump follows)
...
~removed useless debug output~
[Tue Jan 26 16:06:29 2016] [debug] ssl_engine_kernel.c(1853): OpenSSL: Loop: SSLv3 read finished A
[Tue Jan 26 16:06:29 2016] [debug] ssl_engine_kernel.c(1853): OpenSSL: Loop: SSLv3 write session ticket A
[Tue Jan 26 16:06:29 2016] [debug] ssl_engine_kernel.c(1853): OpenSSL: Loop: SSLv3 write change cipher spec A
[Tue Jan 26 16:06:29 2016] [debug] ssl_engine_kernel.c(1853): OpenSSL: Loop: SSLv3 write finished A
[Tue Jan 26 16:06:29 2016] [debug] ssl_engine_kernel.c(1853): OpenSSL: Loop: SSLv3 flush data
[Tue Jan 26 16:06:29 2016] [debug] ssl_engine_kernel.c(1849): OpenSSL: Handshake: done
[Tue Jan 26 16:06:29 2016] [info] Connection: Client IP: 172.16.2.176, Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA (256/256 bits)
[Tue Jan 26 16:06:29 2016] [info] [client 172.16.2.176] (70014)End of file found: SSL input filter read failed.
[Tue Jan 26 16:06:29 2016] [info] [client 172.16.2.176] Connection closed to child 2 with standard shutdown (server skye3.innoveo.com:443)
[Tue Jan 26 16:06:29 2016] [info] [client 172.16.2.176] Connection to child 0 established (server skye3.innoveo.com:443)
...

So we see that the initial SSL connect works: we can see the request issued and the proxy request. The body is written and then we get "connection reset by peer".

After a careful search, we are pretty sure that we are running into this problem: https://code.google.com/p/chromium/issues/detail?id=440951
Summary:
When you try to download stuff with Chromium it works (even from unsecure sources), which is why the first connect is okay. However, Chromium interrupts the download to hand it over to the Android download manager (this is why actually displaying pictures works, despite the fact that they are delivered through the same pipeline, e.g. skye code, Tomcat version, Apache and SSL). This is also why we see two downloads per click in the log files. The problem, however, is that the Android download manager does NOT, NEVER EVER, download stuff from unsecure sources (e.g. self-signed certs), and thus the final download fails. This is also true for the default Android browser, because it also uses the Android download manager.
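To spot this hand-off pattern in a larger Apache error log, the sketch below looks for a client that resets a response mid-body, reconnects within a few seconds, completes a TLS handshake and then hits EOF on read, and reports the protocol and cipher negotiated on that second connection. It is an added example, not code from the original investigation; the function name `find_aborted_handoffs`, the 5-second window and the sample log (documentation IP addresses) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the Apache error-log format shown above (not real traffic).
SAMPLE_LOG = """\
[Tue Jan 26 16:06:29 2016] [debug] mod_proxy_http.c(1741): proxy: start body send
[Tue Jan 26 16:06:29 2016] [info] [client 192.0.2.10] (104)Connection reset by peer: core_output_filter: writing data to the network
[Tue Jan 26 16:06:30 2016] [info] Connection: Client IP: 192.0.2.10, Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA (256/256 bits)
[Tue Jan 26 16:06:30 2016] [info] [client 192.0.2.10] (70014)End of file found: SSL input filter read failed.
[Tue Jan 26 16:07:02 2016] [info] Connection: Client IP: 192.0.2.20, Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA (256/256 bits)
[Tue Jan 26 16:07:02 2016] [debug] mod_proxy_http.c(1741): proxy: start body send
[Tue Jan 26 16:07:03 2016] [debug] mod_proxy_http.c(1851): proxy: end body send
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
CLIENT = re.compile(r"\[client (?P<ip>[0-9a-fA-F.:]+)\]")
HANDSHAKE = re.compile(
    r"Connection: Client IP: (?P<ip>[^,]+), Protocol: (?P<proto>[^,]+), Cipher: (?P<cipher>\S+)")

def find_aborted_handoffs(log_text, window_seconds=5):
    """Return one dict per client that reset a response mid-body, reconnected
    within the window, finished a TLS handshake and then hit EOF on read."""
    window = timedelta(seconds=window_seconds)
    resets = {}      # ip -> time of the last mid-body reset
    handshakes = {}  # ip -> (protocol, cipher) of the reconnect after a reset
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip "..." markers and BIO dump lines
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        msg = m["msg"]
        hs = HANDSHAKE.search(msg)
        if hs:
            if hs["ip"] in resets and ts - resets[hs["ip"]] <= window:
                handshakes[hs["ip"]] = (hs["proto"], hs["cipher"])
            continue
        c = CLIENT.search(msg)
        if not c:
            continue
        ip = c["ip"]
        if "Connection reset by peer" in msg:
            resets[ip] = ts
            handshakes.pop(ip, None)
        elif "SSL input filter read failed" in msg and ip in handshakes:
            proto, cipher = handshakes.pop(ip)
            findings.append({"client": ip, "reset_at": resets.pop(ip),
                             "protocol": proto, "cipher": cipher})
    return findings
```

Each finding names a client whose second connection was dropped right after the handshake, together with the cipher Apache negotiated for it, which is the value to compare against what the affected Android version supports.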

Solution: the only solution was to upgrade to valid SSL certificates (Verizon, Verisign or any other) instead of self-signed ones. This increased the number of working Android devices, but unfortunately some Android devices were still NOT able to download resources with a valid SSL cert...

By using the Android SDK debug console (adb.exe logcat > file.txt), we saw the following:

	Line 7487: D/DownloadManager( 3054): [1] Starting
	Line 7489: W/DownloadManager( 3054): [1] Stop requested with status HTTP_DATA_ERROR: Handshake failed
	Line 7491: D/DownloadManager( 3054): [1] Finished with status WAITING_TO_RETRY

This shows again that the initial connection to our server happens correctly but returns partial content; the download is then handed over to the download manager, which tries to build another connection that still fails.

Solution: change the Apache cipher suite according to the table below.

Android compatibility table

http://developer.android.com/reference/javax/net/ssl/SSLEngine.html

Depending on which versions of Android you would like to support, you'll have to find a cipher suite that is supported by both iOS and Android while not sacrificing too much security.

Android Version | Released | API Level | Name | Build Version Code
Android 6.0 | August 2015 | 23 | Marshmallow | Android.OS.BuildVersionCodes.Marshmallow
Android 5.1 | March 2015 | 22 | Lollipop | Android.OS.BuildVersionCodes.LollipopMr1
Android 5.0 | November 2014 | 21 | Lollipop | Android.OS.BuildVersionCodes.Lollipop
Android 4.4W | June 2014 | 20 | Kitkat Watch | Android.OS.BuildVersionCodes.KitKatWatch
Android 4.4 | October 2013 | 19 | Kitkat | Android.OS.BuildVersionCodes.KitKat
Android 4.3 | July 2013 | 18 | Jelly Bean | Android.OS.BuildVersionCodes.JellyBeanMr2
Android 4.2-4.2.2 | November 2012 | 17 | Jelly Bean | Android.OS.BuildVersionCodes.JellyBeanMr1
Android 4.1-4.1.1 | June 2012 | 16 | Jelly Bean | Android.OS.BuildVersionCodes.JellyBean
Android 4.0.3-4.0.4 | December 2011 | 15 | Ice Cream Sandwich | Android.OS.BuildVersionCodes.IceCreamSandwichMr1
Android 4.0-4.0.2 | October 2011 | 14 | Ice Cream Sandwich | Android.OS.BuildVersionCodes.IceCreamSandwich
Android 3.2 | June 2011 | 13 | Honeycomb | Android.OS.BuildVersionCodes.HoneyCombMr2
Android 3.1.x | May 2011 | 12 | Honeycomb | Android.OS.BuildVersionCodes.HoneyCombMr1
Android 3.0.x | February 2011 | 11 | Honeycomb | Android.OS.BuildVersionCodes.HoneyComb
Android 2.3.3-2.3.4 | February 2011 | 10 | Gingerbread | Android.OS.BuildVersionCodes.GingerBreadMr1
Android 2.3-2.3.2 | November 2010 | 9 | Gingerbread | Android.OS.BuildVersionCodes.GingerBread
Android 2.2.x | June 2010 | 8 | Froyo | Android.OS.BuildVersionCodes.Froyo
Android 2.1.x | January 2010 | 7 | Eclair | Android.OS.BuildVersionCodes.EclairMr1
Android 2.0.1 | December 2009 | 6 | Eclair | Android.OS.BuildVersionCodes.Eclair01
Android 2.0 | November 2009 | 5 | Eclair | Android.OS.BuildVersionCodes.Eclair
Android 1.6 | September 2009 | 4 | Donut | Android.OS.BuildVersionCodes.Donut
Android 1.5 | May 2009 | 3 | Cupcake | Android.OS.BuildVersionCodes.Cupcake
Android 1.1 | February 2009 | 2 | Base | Android.OS.BuildVersionCodes.Base11
Android 1.0 | October 2008 | 1 | Base | Android.OS.BuildVersionCodes.Base

It is always a good idea to validate your SSL settings by using one of these online services (in no particular order). Some even report if you are vulnerable to some common SSL attacks.
