-
All replies
-
Helpful answers
-
Nov 20, 2013 7:28 AM in response to voojagigby LTLin,Three of my Macs running Mavericks are acting the same way, constantly download the 24MB files from the following URLs.
http://devimages.apple.com/certificationauthority/wwdrca.crl
http://developer.apple.com/certificationauthority/wwdrca.crl
They filled out my Internet usage at home and exceed my monthly limit already. I have no choice but put them to sleep.
-
Nov 20, 2013 2:26 PM in response to LTLinby voojagig,As a first step I created a dedicated rule for this update and disabled logging on my firewall. So I get rid of the entries in the log file.
Right now I switch on web caching and hope I can prevent the Mac of downloding useless giga from the net. Will see how caching works.
Using a Fortigate 60C at home
-
Nov 21, 2013 3:12 PM in response to voojagigby voojagig,Just opened a bug against this. All 8 minutes I get a firewall entry. Latest download was 30MB.
Bug report: 15529619
Hope Apple will fix it.
-
Nov 21, 2013 6:31 PM in response to voojagigby LTLin,Thank you. I was about to do this but you did it already.
-
Nov 21, 2013 6:34 PM in response to voojagigby LTLin,My problem is that my Internet is exceeding the monthly limit. I am paying extra money caused by this stupid bug. I have setup a firewall rule to block the specific outgoing traffic. Stopping this annoying activity for now until Apple fixes it.
-
Nov 22, 2013 7:27 PM in response to LTLinby roblogan,This was a good one! I too had this issue, after alittle squid experimentation I found ocspd was grabbing exactly 7seconds of http://devimages.apple.com/certificationauthority/wwdrca.crl regardless of how much bandwidth I gave it. I didn’t notice if it was using a http range, but I do know over the last week I’ve downloaded Gigs of wwdrca.crl. My solution was to wget the file (took about 28second) so it was loaded in squid and then my mac was able to get it from squid in under 7seconds (well, under one :-) and that shut up ocspd.
my long term solution is to tweak squid's quick abort settings to avoid this kinda thing in the future. Hope this helps you.
-
Nov 23, 2013 12:29 AM in response to robloganby voojagig,You mean once ocspd got the file fast enough it was quite?
-
Nov 23, 2013 7:27 AM in response to voojagigby roblogan,No, once ocspd got the entire file it was quite.
My internet connection isn't fast enough to send a 31M file in under 7 seconds, but with squid's help it is once preloaded.
The bug is: why does ocspd stop transfering after 7 seconds? or: why doen't ocspd use http accept-ranges?
-
Nov 24, 2013 1:21 AM in response to robloganby voojagig,****, your right. I switch on duration column in my firewall log and now I see that this connections are all about 7 seconds. Right after is a second connection terminating at 16 seconds. Those two alternating all the time.
If the Mac is terminating the connection than the cache in my firewall is not complete. So I will download it manually and see if it is then cached properly.
-
Nov 28, 2013 9:41 AM in response to robloganby voojagig,thanks for your input. I have switched on tha caching on my firewall and since then it is more quite. It tries to download just a few times a day and not contignously. I haven't checked in detail yet but maybe there is also a ttl on the file so it have to download it from time to time.
On the bug report is no feedback yet from Apple. No comment, no rank not even accepted.
But currently I can live with it.
-
Dec 1, 2013 8:28 PM in response to voojagigby bdiamond18,Any updates on this thread? Any feedback from Apple?
-
Dec 1, 2013 8:55 PM in response to bdiamond18by voojagig,Nope. Current workaround is still to have a local cache.
My Apple bug ID is: 15529619 which is a dublicate of: 15432402.
I don't have access to the second one so I don't know what there is going on. Maybe solved silently with the next update.
-
Dec 13, 2013 7:55 PM in response to bdiamond18by stevefrombraddon,This problem has been given a pretty decent workover here...
https://discussions.apple.com/thread/5544915?start=75&tstart=0
although I do think roblogan [above] is on the money.
Current solution is to go to Keychain Access > Preferences> select Certificates and turn OFF OCSP and CRL
I'm no tech head and don't know what the consequences of this are but it stops my data allowance getting chewed up
-
Dec 14, 2013 6:23 AM in response to stevefrombraddonby bdiamond18,stevefrombraddon - You only need to turn off the CRL Certificates. You can keep OCSP on. I ran tests like this on my two machines, and it was fine - seems to be confirmed in the thread you mentioned also.
I also don't know the full consequences of leaving them off other than it will impact certificate checking, so the less I leave off, the better.
Keep OCSP on, CRL off.