Self-signed and invalid SSL certificates, commonly used in test environments, are not trusted by stock browsers, such as those installed on the Sauce Labs infrastructure. This causes tests to be interrupted with security warnings that can't be dismissed by Selenium. As a workaround, we've created a fix called SSL Bumping, whereby Sauce Connect automatically re-signs these certificates. This is enabled by default when you download Sauce Connect.
During the course of testing, SSL Bumping performs a type of "man-in-the-middle" interception of encrypted test traffic, decrypting it. The traffic is then re-encrypted using the Selenium Project’s CyberVillains certificate, which is inherently trusted by the Selenium server on the Sauce Labs virtual machine where your test is running. This lets you avoid SSL error pop-ups that could disrupt your test execution.
There are simply too many different certificates for Sauce Labs to add each one. We'd have to add a certificate to every requested browser for every user with a self-signed certificate. This can't always be done automatically, so every new client would have to wait for Sauce Labs staff to re-create all of our images before they could run their tests.
Using SSL Bumping and How It Works
The solution, known as SSL Bumping, works like this:
- When Sauce Labs creates VMs, an SSL certificate called CyberVillains is installed and controlled from the Sauce Labs side.
- When needed, the Sauce Labs browser requests resources from the Sauce Connect server.
- Sauce Connect server passes that request to the Sauce Connect client, running on your side. All SSL internet traffic between the Sauce Connect client (on your network) and the Sauce Connect server (inside our network) is encrypted twice: once by the original server and again by Sauce Connect.
- Sauce Connect client fetches the resource and returns it through the encrypted connection, back to the Sauce Connect server.
- Sauce Connect server decrypts the traffic. If it's SSL traffic, the Sauce Connect server decrypts it again.
- Sauce Connect re-encrypts SSL traffic using the CyberVillains certificate and returns it to the browser. Re-encryption only occurs once the traffic is safely received by the Sauce Labs network. SSL Bumping impacts only the traffic being returned to the browser through Sauce Connect.
- Browser trusts the CyberVillains certificate and accepts the traffic.
Throughout the process, traffic going through Sauce Connect is fully secure. Sauce Connect isn't an attacker; it is only in use by your tests and isn't sending secret traffic to any unauthorized party. No security holes are opened into your network.
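The re-signing step in the list above can be reproduced offline with the openssl CLI, to see why the browser rejects the original self-signed certificate but accepts the bumped one. This is an added example, not Sauce Labs code: "Demo Bump CA" stands in for the CyberVillains CA, and app.test.invalid, the file names and the function names are constructed.

```shell
#!/bin/sh
# Added illustration of certificate re-signing. All names are constructed:
# "Demo Bump CA" stands in for the CyberVillains CA and app.test.invalid
# for the site under test. Requires the openssl CLI.

# make_demo DIR: create origin.crt (self-signed), ca.crt, and bumped.crt
# (same subject as origin.crt, fresh key pair, signed by the demo CA).
make_demo() {
  (
    cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=app.test.invalid" -keyout origin.key -out origin.crt &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=Demo Bump CA" -keyout ca.key -out ca.crt &&
    # The proxy holds the CA key, so it can issue a certificate for the
    # origin's name using a key pair of its own.
    openssl req -new -newkey rsa:2048 -nodes \
      -subj "/CN=app.test.invalid" -keyout bumped.key -out bumped.csr &&
    openssl x509 -req -in bumped.csr -CA ca.crt -CAkey ca.key \
      -CAcreateserial -days 1 -out bumped.crt
  ) >/dev/null 2>&1
}

# cert_name CERT subject|issuer: print that name in RFC 2253 form.
cert_name() {
  openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[^=]*= *//'
}

# trusted_by CA CERT: succeed only if CERT verifies with CA as trust anchor.
trusted_by() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# report DIR: the decision of a client whose trust anchor is the demo CA.
report() {
  for c in origin bumped; do
    if trusted_by "$1/ca.crt" "$1/$c.crt"; then verdict=accepted
    else verdict=rejected; fi
    echo "$c: subject=$(cert_name "$1/$c.crt" subject)" \
         "issuer=$(cert_name "$1/$c.crt" issuer) -> $verdict"
  done
}

demo_dir=$(mktemp -d) && make_demo "$demo_dir" && report "$demo_dir"
rm -rf "$demo_dir"
```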
Situations Where You Would Need to Disable SSL Bumping
When to Disable SSL Bumping
SSL Bumping is enabled by default for Sauce Connect Proxy, but there are some situations where it's recommended that you disable it:
- If you're working with sites that are highly dependent on AJAX
- Some network components, such as browsers and servers that use WebSockets, won’t work if the traffic to them has been altered, and SSL Bumping appears to them as altered traffic
- If you're running browser and mobile app tests on older Android versions 4.4 and 5.0, as those platforms do not respect the CyberVillains certificate at the system level. SSL Bumping must be disabled for all tests on those platforms, including browser and app tests; otherwise all SSL encryption will fail. This applies to both Android Emulators and Real Devices. For tests on the native Android browser, a certificate error dialog box will pop up warning about certificate issues. On the other hand, app tests might not show this error message, since the pop-up dialog box depends on the app itself. App tests will fail to authenticate the login due to the certificate issue.
- Effective with Android version 5.1, support has been added for the CyberVillains certificate, so disabling SSL Bumping is not necessary for that version and higher
- If you're running iOS 10.3 on iPad Pro (12.9 inch) simulator or iPad Pro (9.7 inch) simulator
How to Disable SSL Bumping
Use the -B (--no-ssl-bump-domains) argument when you start Sauce Connect and specify which domains should not be bumped, or specify all so that none of the domains that pass through the tunnel are bumped.
NOTE: Keep in mind that when SSL Bumping is disabled, test traffic will not be decrypted, and will pass through directly to the browser running your tests along with the SSL certificate of the site under test. Because resources are no longer cached on the Sauce Labs side, your tests will execute more slowly. If there are issues with the originating site’s SSL certificate, these may generate SSL errors that interfere with test execution.