The Sauce Labs Cookbook

Sauce Headless

Front End Performance Testing


External Resources

More Info

Skip to end of metadata
Go to start of metadata

Sauce Labs is pleased to announce the release of Sauce Connect Proxy 4.6.1.

This release includes these changes. Use the download links to get that latest and previous versions.

Version NumberChange DescriptionRelease Date


Sauce Labs is changing how we manage SSL certificates to improve assurance and compatibility with SSL-inspecting web proxies.


1. Public Certificates

  • Sauce Connect Proxy 4.6.1 supports public certificates; private certificates are no longer supported for this and all subsequent releases of Sauce Connect Proxy 

  • The Operating System on which SC runs needs to have its certificate store set up correctly. Here are some details per Operating System:

    • Linux

      • OpenSSL stores CA certificates, which are accessed by the Sauce Connect Client

      • The default OpenSSL certificates directory can be found using: openssl version -d

      • Set the SSL_CERT_DIR environment variable to this folder or another containing certificates in PEM format

      • You can also set the SSL_CERT_FILE environment variable to a file of certificates in PEM format

      • Certificates will be automatically updated, manual certificate update can be achieved via command line: update-ca-certificates

    • Windows:

    • OSX:

      • Certificates will be read from the MacOS Keychain Access automatically

      • Alternatively, if the Homebrew OpenSSL package is installed, the default cert.pem file can be used: `--tunnel-cainfo /usr/local/etc/openssl/cert.pem

2. OCSP tunnel certificate validation

  • This feature lets the SC client validate that the tunnel endpoint's public certificate has not been revoked

  • OCSP relies on Public Key Infrastructure and needs to make additional HTTP requests to OCSP servers associated with the tunnel endpoint’s certificate chain; this is configurable via the following customer accessible SC parameters:

    • "soft-fail" policy allows SC to run unless OCSP server returns “revoked” status; e.g., timeouts, unknown status, etc will not stop SC from connecting to tunnel; connection to OCSP server is set to timeout after 5 seconds

    • "hard-fail" policy blocks SC from running unless OCSP server returns “good” status; e.g., timeouts, revoked certificate, unknown status, etc. will stop SC from connecting to tunnel; connection to OCSP server is set to timeout after 10 seconds

    • “log-only” policy is similar to “soft-fail”, except it only logs errors and never blocks 

    • "bypass" allows customers to skip OCSP checks

  • Added CLI options:

--ocsp log-only # default, only logs OCSP
--ocsp attempt # soft-fail
--ocsp strict  # hard-fail
--no-ocsp-verify  # bypass

  • OCSP supports the following existing flags:

--kgp-host, --kgp-port, --proxy, --pac, --no-autodetect, --proxy-tunnel, --tunnel-cainfo, --tunnel-capath

3. Selenium Relay 

  • This feature is no longer enabled by default

  • The feature may be enabled on a specified port using the --se-port option

4. Application Notarization - MacOS Catalina support

  • All Sauce Connect Proxy executables beginning with this release will be Apple notarized to support the more stringent security standards introduced by MacOS Catalina


  • Fix compatibility of --pac, --proxy and --proxy-userpwd flags

  • Characters used in Tunnel identifiers must now be only ASCII, so that the Sauce Labs WebUI will work correctly

  • Removed the ANSII color codes from the Sauce Connect log, for readability reasons

  • Fixed handling of WebSockets on HTTP/2 servers

May 19 2020

Latest Version: 4.6.3

Sauce Connect Proxy Download Link

SHA1 Checksum

Download Sauce Connect v4.6.3 for Mac OS 10.8+
Download Sauce Connect v4.6.3 for Windows 7+
Download Sauce Connect v4.6.3 for Linux
Download Sauce Connect v4.6.3 for Linux 32-bit