Over the last few days we have noticed API errors from 2 different APIs, Shopify and Klaviyo,
For Shopify, the weird thing is that it happens only when we pull Product and Product related information, SOMETIMES, and some other times it just works.
For Klaviyo, it can happen on any entity, but similar issue is here: It may happen SOMETIMES, and usually it works.
We have noticed that it fails at some point when we pull data for some time (e.g. when we pull a list of products from Shopify or a list of members from Klaviyo).
We are using python 3.10 for both cases. For Shopify, we use the official python client to access the API, and for Klaviyo we are using custom implementation with tornado async HTTP agent.
Example error from Shopify:
This one occurs when we pull CustomCollection entity by id
...
File "/home/airflow/.local/.virtualenvs/agents310/lib/python3.10/site-packages/shopify/base.py", line 196, in find
collection = super(ShopifyResource, cls).find(id_=id_, from_=from_, **kwargs)
File "/home/airflow/.local/.virtualenvs/agents310/lib/python3.10/site-packages/pyactiveresource/activeresource.py", line 386, in find
return cls._find_every(from_=from_, **kwargs)
File "/home/airflow/.local/.virtualenvs/agents310/lib/python3.10/site-packages/pyactiveresource/activeresource.py", line 525, in _find_every
response = cls.connection.get(path, cls.headers)
File "/home/airflow/.local/.virtualenvs/agents310/lib/python3.10/site-packages/pyactiveresource/connection.py", line 329, in get
return self._open('GET', path, headers=headers)
File "/home/airflow/.local/.virtualenvs/agents310/lib/python3.10/site-packages/shopify/base.py", line 23, in _open
self.response = super(ShopifyConnection, self)._open(*args, **kwargs)
File "/home/airflow/.local/.virtualenvs/agents310/lib/python3.10/site-packages/pyactiveresource/connection.py", line 290, in _open
raise Error(err, url)
pyactiveresource.connection.Error: <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:997)>
We get similar errors when pulling Product or InventoryItem, for example, but usually not when pulling Customer or Order data.
Example error from Klaviyo:
File "/home/airflow/.local/.virtualenvs/agents310/lib/python3.10/site-packages/tornado/gen.py", line 767, in run
value = future.result()
File "/home/airflow/.local/.virtualenvs/agents310/lib/python3.10/site-packages/tornado/simple_httpclient.py", line 340, in run
stream = await self.tcp_client.connect(
File "/home/airflow/.local/.virtualenvs/agents310/lib/python3.10/site-packages/tornado/tcpclient.py", line 292, in connect
stream = await stream.start_tls(
File "/home/airflow/.local/.virtualenvs/agents310/lib/python3.10/site-packages/tornado/iostream.py", line 1367, in _do_ssl_handshake
self.socket.do_handshake()
File "/usr/local/lib/python3.10/ssl.py", line 1342, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:997)
Those has started to occur very recently. We have not changed anything to our procedure that pulls data, neither to the software of it.
Some googling indicates that there is some mismatch during the TLS handshake because of unsupported ciphers in either the server or the client.
But I am not sure that this is the issue here, because:
- This seems to happen randomly, and mostly when pulling Product and Product-related data (for Shopify)
- We can pull Customer and Order data in most cases, if not always, using similar procedure and software (for Shopify)
- Same for Klaviyo, we start pulling some data, then at some point there is this SSL error I have tried some of the failed request using cURL, and they succeed, so it doesn't seem to be a problem with a particular endpoint, but something different
- I have checked the TLS versions that are supported by our OpenSSL and they seems legitimate (
TLSv1.3is supported)
So if this was indeed cipher issue, I'd expect that it would not work, at all. But here this works most of the time.
From within the server that we run that:
$ openssl ciphers -v | awk '{print $2}' | sort | uniq
SSLv3
TLSv1
TLSv1.2
TLSv1.3
and from the python instance:
>>> import ssl
>>> print(ssl.OPENSSL_VERSION)
OpenSSL 1.1.1n 15 Mar 2022
Note that the same thing occurs for different Shopify stores (from different clients of ours). Same for Klaviyo, occurs for a different number of clients (hence different accounts).
Do you have any ideas / suggestion why this may happen?
Could it be something else, irrelevant from the TLS handshake? E.g. some server issue or API limits (I know they should return a 429 status, but you never know with custom implementations today)?
Any tips on how to troubleshoot this?
Many Thanks!