The Sauce Labs Cookbook

Sauce Headless

Front End Performance Testing


External Resources

More Info

Page tree
Skip to end of metadata
Go to start of metadata

Effective November 5, 2020: Sauce Connect Proxy versions below 4.6.0, which were supporting Private Certificates, reached their end of life and are no longer available for download. Additionally, on October 5, we ended technical support for these versions. In line with security best practices, Sauce Connect Proxy will only support certificates signed by a Public Certificate Authority going forward.

  • If you're running a Sauce Connect version below 4.6.0, upgrade as soon as possible to continue using Sauce Connect
  • If you're running version 4.6.0 or 4.6.1, we strongly advise upgrading to 4.6.2 to take advantage of our latest enhancements and security updates
  • If you're using the Sauce Labs Jenkins Plugin, make sure you're using the most recent version

This table lists changes for each version of Sauce Connect Proxy, as well as the release date for that version. To see notes on Sauce Connect Proxy previous versions or other historical information, please file a support ticket request.

Change Logs by Version

Version NumberChange DescriptionRelease Date



  • SC Proxy incorrectly handling server response when parsing a HEAD request that uses a “Transfer-Encoding: chunked” header.

Jun 01 2020


Sauce Labs is changing how we manage SSL certificates to improve assurance and compatibility with SSL-inspecting web proxies.


1. Public Certificates

  • Sauce Connect Proxy 4.6.1 supports public certificates; private certificates are no longer supported for this and all subsequent releases of Sauce Connect Proxy 

  • The Operating System on which SC runs needs to have its certificate store set up correctly. Here are some details per Operating System:

    • Linux

      • OpenSSL stores CA certificates, which are accessed by the Sauce Connect Client

      • The default OpenSSL certificates directory can be found using: openssl version -d

      • Set the SSL_CERT_DIR environment variable to this folder or another containing certificates in PEM format

      • You can also set the SSL_CERT_FILE environment variable to a file of certificates in PEM format

      • Certificates will be automatically updated, manual certificate update can be achieved via command line: update-ca-certificates

    • Windows:

    • OSX:

      • Certificates will be read from the MacOS Keychain Access automatically

      • Alternatively, if the Homebrew OpenSSL package is installed, the default cert.pem file can be used: `--tunnel-cainfo /usr/local/etc/openssl/cert.pem

2. OCSP tunnel certificate validation

  • This feature lets the SC client validate that the tunnel endpoint's public certificate has not been revoked

  • OCSP relies on Public Key Infrastructure and needs to make additional HTTP requests to OCSP servers associated with the tunnel endpoint’s certificate chain; this is configurable via the following customer accessible SC parameters:

    • "soft-fail" policy allows SC to run unless OCSP server returns “revoked” status; e.g., timeouts, unknown status, etc will not stop SC from connecting to tunnel; connection to OCSP server is set to timeout after 5 seconds

    • "hard-fail" policy blocks SC from running unless OCSP server returns “good” status; e.g., timeouts, revoked certificate, unknown status, etc. will stop SC from connecting to tunnel; connection to OCSP server is set to timeout after 10 seconds

    • “log-only” policy is similar to “soft-fail”, except it only logs errors and never blocks 

    • "bypass" allows customers to skip OCSP checks

  • Added CLI options:

--ocsp log-only # default, only logs OCSP
--ocsp attempt # soft-fail
--ocsp strict  # hard-fail
--no-ocsp-verify  # bypass

  • OCSP supports the following existing flags:

--kgp-host, --kgp-port, --proxy, --pac, --no-autodetect, --proxy-tunnel, --tunnel-cainfo, --tunnel-capath

3. Selenium Relay 

  • This feature is no longer enabled by default

  • The feature may be enabled on a specified port using the --se-port option

4. Application Notarization - MacOS Catalina support

  • All Sauce Connect Proxy executables beginning with this release will be Apple notarized to support the more stringent security standards introduced by MacOS Catalina


  • Fix compatibility of --pac, --proxy and --proxy-userpwd flags

  • Characters used in Tunnel identifiers must now be only ASCII, so that the Sauce Labs WebUI will work correctly

  • Removed the ANSII color codes from the Sauce Connect log, for readability reasons

  • Fixed handling of WebSockets on HTTP/2 servers

May 19 2020