Sauce Connect Proxy 4.6.1

4.6.1

Sauce Labs is changing how we manage SSL certificates to improve assurance and compatibility with SSL-inspecting web proxies.

NEW FEATURES

1. Public Certificates

• Sauce Connect Proxy 4.6.1 supports public certificates; private certificates are no longer supported for this and all subsequent releases of Sauce Connect Proxy 

• The Operating System on which SC runs needs to have its certificate store set up correctly. Here are some details per Operating System:

• Linux

• OpenSSL stores CA certificates, which are accessed by the Sauce Connect Client

• The default OpenSSL certificates directory can be found using: openssl version -d

• Set the SSL_CERT_DIR environment variable to this folder or another containing certificates in PEM format

• You can also set the SSL_CERT_FILE environment variable to a file of certificates in PEM format

• Certificates will be automatically updated, manual certificate update can be achieved via command line: update-ca-certificates

• Windows:

• The SC Client loads certificates directly from the CA and ROOT Windows Store

• Windows Update will keep certificates up to date. See the following Microsoft documentation for more information:
  https://docs.microsoft.com/en-us/windows/desktop/secauthn/certificate-stores
  https://docs.microsoft.com/en-us/windows/desktop/seccertenroll/about-certificate-directory#certificate-stores

• OSX:

• Certificates will be read from the MacOS Keychain Access automatically

• Alternatively, if the Homebrew OpenSSL package is installed, the default cert.pem file can be used: `--tunnel-cainfo /usr/local/etc/openssl/cert.pem
  
  

2. OCSP tunnel certificate validation

• This feature lets the SC client validate that the tunnel endpoint's public certificate has not been revoked

• OCSP relies on Public Key Infrastructure and needs to make additional HTTP requests to OCSP servers associated with the tunnel endpoint’s certificate chain; this is configurable via the following customer accessible SC parameters:

• "soft-fail" policy allows SC to run unless OCSP server returns “revoked” status; e.g., timeouts, unknown status, etc will not stop SC from connecting to tunnel; connection to OCSP server is set to timeout after 5 seconds

• "hard-fail" policy blocks SC from running unless OCSP server returns “good” status; e.g., timeouts, revoked certificate, unknown status, etc. will stop SC from connecting to tunnel; connection to OCSP server is set to timeout after 10 seconds

• “log-only” policy is similar to “soft-fail”, except it only logs errors and never blocks 

• "bypass" allows customers to skip OCSP checks

• Added CLI options:

--ocsp log-only # default, only logs OCSP
--ocsp attempt # soft-fail
--ocsp strict  # hard-fail
--no-ocsp-verify  # bypass

• OCSP supports the following existing flags:

--kgp-host, --kgp-port, --proxy, --pac, --no-autodetect, --proxy-tunnel, --tunnel-cainfo, --tunnel-capath

3. Selenium Relay 

• This feature is no longer enabled by default

• The feature may be enabled on a specified port using the --se-port option
  
  

4. Application Notarization - MacOS Catalina support

• All Sauce Connect Proxy executables beginning with this release will be Apple notarized to support the more stringent security standards introduced by MacOS Catalina
  
  

BUG FIXES

• Fix compatibility of --pac, --proxy and --proxy-userpwd flags

• Characters used in Tunnel identifiers must now be only ASCII, so that the Sauce Labs WebUI will work correctly

• Removed the ANSII color codes from the Sauce Connect log, for readability reasons

• Fixed handling of WebSockets on HTTP/2 servers

May 19 2020