The Problem
Sometimes, you will want to test sites that do not have valid SSL certificates. Those tests will fail. To combat this, Sauce Connect Proxy will automatically replace all SSL certificates with its own, trusted certificate. This is called SSL Bumping.
SSL bumping occasionally causes problems for some sites, so it's possible to disable this feature for some or all domains. To begin with, Sauce Labs Support will often suggest you turn it off entirely, by adding -B all
to your Sauce Connect Proxy startup commands.
This solves the problem of valid sites not working, but now the original problem might re-occur for any sites without a valid certificate.
The Solution
Disabling SSL Bumping for a Known List Only
Sauce Connect lets you disable SSL bumping selectively, for only the sites you want. You can do this by passing a list of domain names to the -B
option. This list has no spaces and is separated by commas. For instance, if you wanted to disable SSL Bumping for first.com
and second.com
:
bin/sc -B first.com,second.com
Disabling SSL Bumping for All Subdomains
The -B
option lets you to disable SSL Bumping for any subdomain of a domain. You do this by inserting *
in place of the subdomain. For instance, if you want to disable bumping for alpha.company.com
, beta.company.com
and elsewhere.com
:
bin/sc -B *.company.com,elsewhere.com
Finding the Right List to Disable
It is very common to use resources from third parties as part of web development. Because of this, you can't assume that the problematic sites under test are just those you're trying to test directly.
To find out what sites you experiencing problems with when using SSL bumping:
- Start Sauce Connect Proxy without the
-B
option. - Open a manual session for the site you're testing.
- Click View Certificate once you receive the certificate warning.
- Check the domain name of the site the certificate is for and make note of it.
- Close the warning and click Continue once only.
- If it seems like nothing happened, there's probably another certificate causing issues. Repeat steps 3 through 6 until the dialog disappears.
- Stop the manual test.
- Shut down Sauce Connect Proxy.
Once you have a list of domains, you can pass them to the -B
option as described previously. Do not also add all
to this list.
You can then try your test again with your new list of bumped domains
- Start Sauce Connect Proxy with your new list passed to
-B
. - Repeat steps 2 to 8 above.
If you experience more certificate problems, add those certificates to the list and repeat.
Now you should be ready to run automated tests through the Sauce Connect Proxy tunnel without certificate problems. If you find that later parts of your test are experiencing errors, you can use the same process to check which certificates are being problematic.
Is There an Easier way?
Yes. If your site under test and all embedded resources use a properly installed, valid SSL certificate from a trusted certificate provider (not self-signed) and are served correctly, you should be able to fully disable SSL bumping.
Can Sauce Labs Do This for Me?
Sauce Labs can provide support for bumping problems and advice, but is unable to construct the list of resources that need bumping. We are also unable to create or install a valid certificate for your site under test.
Why Don't You Install My SSL Certificate in Your Environment?
Sauce Labs sessions are freshly cloned from base images intended to match a typical customer environment as closely as possible. We do not dedicate machines to customers, nor do we create custom environments.
In addition, while your development and test environment may trust an invalid or self-signed certificate, a typical customer's machine would not. To be as faithful as possible to the "real" customer experience, our machines operate the same way.
For more information, see the section on SSL bumping in our wiki article on Troubleshooting Sauce Connect.