The security of Sauce Connect Proxy communication to both the Sauce Labs API and the virtual machine hosting your tests in the Sauce Labs cloud is managed through public key certificates.
For connection to the API, Sauce Connect Proxy uses certificates issued by certificate authorities, which are integrated into the operating system of the machine where Sauce Connect Proxy is running.
For connection to the Sauce Labs virtual machines, Sauce Connect Proxy uses a self-signed certificate that is part of the application itself.
See the following sections for more information:
Setting Revocation Information for SSL Certificate Verification
When securing Sauce Connect, be sure to whitelist these sites so that the Sauce Connect SSL certificates can be verified:
CRL: & http://g.symcb.com/GeoTrustPCA-G3.crl
Sauce Connect will try to resolve the entire certificate chain at runtime and check if it can reach the OCSP servers and CRLs in the entire chain. Because the chain is resolved during runtime, and certificates change and are constantly renewed, it's possible that the OCSP/CRL sites listed in the certification check might change over time as well. For this reason, the best way to get the list of certificate sites to be verified is to run the Sauce Connect doctor diagnostic check by running sc --doctor in the command prompt/terminal window.
In the log, look for the entries following these lines to get the list of certificate authority sites:
"checking OCSP entry"
"checking CRL distribution point"
In addition to whitelisting these sites, you should consult the list of domains at the RapidSSL website and add them to your whitelist as well to make sure that Sauce Connect can connect to all appropriate certificate-issuing authorities.
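One way to turn the doctor log into a firewall allowlist, shown as an added example that is not part of the Sauce Labs documentation or tooling: the function below collects the URLs reported after the "checking OCSP entry" and "checking CRL distribution point" lines and reduces them to unique origins. The log layout and the .test host names in the sample are constructed assumptions; only the two marker strings come from the text above.

```shell
#!/bin/sh
# Added example, not Sauce Labs code. Assumption: each URL sits on the marker
# line itself or on the log lines directly after it.

# Read a doctor log on stdin; print unique "KIND scheme://host[:port]" pairs.
revocation_hosts() {
    awk '
    # Print every URL origin found in a line; return 1 if any was found.
    function emit(line,    found, url, p) {
        found = 0
        while (match(line, /https?:\/\/[^ \t"<>,]+/)) {
            url  = substr(line, RSTART, RLENGTH)
            line = substr(line, RSTART + RLENGTH)
            split(url, p, "/")            # p[1] = "http:", p[3] = "host[:port]"
            print kind, p[1] "//" p[3]
            found = 1
        }
        return found
    }
    /checking OCSP entry/             { kind = "OCSP"; grab = 1; emit($0); next }
    /checking CRL distribution point/ { kind = "CRL";  grab = 1; emit($0); next }
    # Keep collecting until the first following line that carries no URL.
    grab { if (!emit($0)) grab = 0 }
    ' | LC_ALL=C sort -u
}

# Constructed sample log (format and hosts are made up for illustration).
sample_log() {
    cat <<'EOF'
20 Jan 10:00:00 checking OCSP entry
20 Jan 10:00:00 http://ocsp.ca-one.test
20 Jan 10:00:01 checking CRL distribution point
20 Jan 10:00:01 http://crl.ca-one.test/root.crl
20 Jan 10:00:01 http://crl2.ca-one.test:8080/inter.crl
20 Jan 10:00:02 certificate chain verified
20 Jan 10:00:03 using proxy http://proxy.corp.test:3128
20 Jan 10:00:04 checking OCSP entry http://ocsp.ca-one.test
EOF
}

sample_log | revocation_hosts
```

Feed the real doctor log to revocation_hosts on standard input and review the output before adding the hosts to the firewall or proxy allowlist; rerun it after certificate renewals, since the endpoints can change.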
Connecting to the Sauce Labs REST API
Connections to the Sauce Labs API go through. The way in which Sauce Connect is able to access the certificates to secure the connection depends on the operating system of the machine where Sauce Connect is installed.
On Linux machines, Sauce Connect will look for the directory where the certificate bundle is installed, typically something like /etc/ssl/certs. If it can't find the directory, it will generate an error when trying to connect to the Sauce Labs API.
On Windows machines, certificates are managed through the Security Support Provider Interface API over SChannel, which requires access to the OCSP and CRL URLs to verify certificates. If you have set up highly restrictive firewalls or proxies on the machine where Sauce Connect is running and it can't connect to these URLs, you'll get an error when attempting to connect to the Sauce Labs API.
On OS X machines, certificates are pre-installed as part of the Trust Store and are accessible through the Keychain. If Sauce Connect is installed on an OS X machine, no troubleshooting should be necessary as long as it can access the Keychain.
Tunnel Connection to the Sauce Labs Virtual Machine over SSL/TLS
Connections from Sauce Connect to the virtual machine that runs your tests on browsers in the Sauce Labs cloud are managed through the SSL/TLS protocol and a Sauce Labs self-signed certificate that is included in the application. If you would like Sauce Connect to use public certificates, you must use Sauce Connect client version 4.5.4 or higher, and use the tunnel_cert: public command line option.