emlynuk

Q: OCSP Service using up quite a bit of bandwidth

I have been tracking down an issue regarding our ISP bandwidth usage (very high).

 

I believe I have found an issue with the OCSP daemon (ocspd) using up quite a bit of bandwidth for no apparent reason - my initial tests seem to show that this daemon, under Mavericks, is using about 100MB of download bandwidth per day (approx 3GB per month).  This is huge considering that this process is meant to cache retrieved results (assuming of course it is getting results).

 

As a further test, I had 2 Macs running Mavericks and 1 running ML overnight, with all machines running RubberNet to monitor per process bandwidth.

On both Mav machines, the ocspd daemon used up the traffic as per above but ML used no bandwidth for the same process.

 

The implication here is that users with bandwidth limited connections (e.g. Satellite or Mobile) will use up much of their allowance when at idle hence my interest.

 

Can someone verify these findings?

 

Just a wild thought: Perhaps because the keychain is now sent to iCloud in Mav, I wonder if the certificates are being checked more often for security reasons.

 

Thanks

Emlyn

iMac, OS X Mavericks (10.9)

Posted on Nov 10, 2013 5:48 AM

  • by Drew Reece,

    Drew Reece Dec 3, 2013 8:15 PM in response to Nolers
    Level 5 (7,552 points)
    Notebooks

    Has everyone here upgraded from an earlier OS, or migrated from another Mac? Anyone running a machine that has been erase+installed?

     

    I have run Little Snitch on a clean 10.9 install & all I see is occasional 13MB downloads for ocspd.

     

    It has used a few hundred MB, but that is over a period of about 18 hours. I have setup Mail, Find My Mac, iTunes & the App store. I don't see the regular pattern that everyone else has. I'm not denying it, but it may not be the default 10.9 behaviour?

     

    Are any of you running Xcode? Does this happen in safe mode?

     

    It could also be my location (UK). It seems a lot of the certs are on akamai & edgesuite CDNs. There are many hosts listed for some of the IPs used.

     

    I noticed the App Store seems to make ocspd grab a 13MB chunk before & after downloading an app.

  • by Elrainia,

    Elrainia Dec 4, 2013 2:29 AM in response to Drew Reece
    Level 1 (0 points)

    Drew Reece wrote:

     

    Has everyone here upgraded from an earlier OS, or migrated from another Mac? Anyone running a machine that has been erase+installed?

     

     

    I've got an "odd" mixture.  A MBP that has been upgraded from 10.7 -> 10.8 -> 10.9 and exhibits no problems.  A brand new iMac shipped with ML and immediately upgraded to 10.9 and an older iMac that has had a clean install from a USB drive.  The two iMacs are the ones suffering.  I also had a MB Air that was upgraded and I think was exhibiting the problem (it was early days and can't be 100% sure), but I reverted it back to ML as it's a bit mission critical.

     

    Are any of you running Xcode? Does this happen in safe mode?

     

    It could also be my location (UK). It seems a lot of the certs are on akamai & edgesuite CDNs. There are many hosts listed for some of the IPs used.

     

    Xcode running on one iMac but not the other.  Also running on the MBP, so no correlation there for me.

     

    I'm a UK-ist and would say > 90% of my traffic is from Akamai.

     

    The (possibly) good news:  Following bdiamond18's suggestion of OCSP ON and CRL OFF.  I've now had 24 hours with no unsolicited downloads.  I started the Appstore about 12 hours ago and that triggered the only noticeable ocspd download since this time yesterday.  I've deliberately not used the machine (much) in that period, so I'm intending to use it more normally today and see if I can get through another day without my bandwidth allowance being mugged in the street.

  • by Nolers,

    Nolers Dec 4, 2013 3:58 AM in response to Linc Davis
    Level 1 (0 points)

    Following the advice of Linc Davis (Thanks!) in deleting the files in:

    Linc Davis wrote:

     

    Triple-click anywhere in the line of text below on this page to select it:

     

    /var/db/crls

     

    Copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

    Go ▹ Go to Folder...

      

    from the menu bar and paste into the box that opens (command-V). You won't see what you pasted because a line break is included. Press return.

     

    A folder named "crls" should open. Move all the files in that folder to the Trash. You’ll be prompted for your administrator login password. Reboot, empty the Trash, and test.

     

    I have gone from 3GB overnight to 8MB. Looks like it solved the problem....at least for now.
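A way to check whether the `/var/db/crls` folder named in the procedure above fills up again after it has been emptied, as an added example that is not part of the original posts. The function names and the marker file path are hypothetical, and reading the folder on a real Mac may need `sudo`.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a CRL cache folder and list
# the files written after a marker file, to see whether CRLs are re-fetched.
# Function names and the marker path are hypothetical.

# crl_cache_count DIR: number of regular files directly inside DIR
crl_cache_count() {
    n=0
    for f in "$1"/*; do
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# crl_cache_bytes DIR: combined size in bytes of those files
crl_cache_bytes() {
    total=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f")          # macOS pads this with spaces
        total=$((total + $size))      # arithmetic expansion absorbs the padding
    done
    echo "$total"
}

# crl_refetched DIR MARKER: names of files modified more recently than MARKER
crl_refetched() {
    find "$1" -type f -newer "$2" -exec basename {} \; | sort
}

# crl_cache_report DIR MARKER: one-line summary suitable for a log
crl_cache_report() {
    changed=$(crl_refetched "$1" "$2" | wc -l)
    echo "files=$(crl_cache_count "$1") bytes=$(crl_cache_bytes "$1") refetched=$(( $changed + 0 ))"
}

# Typical use on the affected Mac:
#   touch /tmp/crl.marker          # right after emptying the folder
#   crl_cache_report /var/db/crls /tmp/crl.marker    # some hours later
```

A `refetched` count that keeps growing between runs, with `bytes` climbing back toward its earlier size, means the cache is being rebuilt rather than staying empty.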

  • by bratman91,

    bratman91 Dec 4, 2013 10:12 AM in response to Since 1986
    Level 2 (203 points)
    Mac OS X

    After seeing my broadband usage rocket over the past 10 days or so, I started another thread not realising that my problem was much the same as debated in this thread. Linc Davis advised turning off CRL and OCSP in Keychain-Preferences-Certificates and the early signs are that this has cured the problem, or at least the symptom. The discussions in this thread give me confidence that Linc's advice is sound and will be a lasting help to me. Now.... having apparently downloaded something like 100GB of data, where on earth has it all gone?

  • by Linc Davis,

    Linc Davis Dec 4, 2013 11:03 AM in response to bratman91
    Level 10 (207,990 points)
    Applications

    Linc Davis advised turning off CRL and OCSP in Keychain-Preferences-Certificates and the early signs are that this has cured the problem, or at least the symptom.

     

    I want to be sure everyone understands that it's a workaround, not a solution. The solution has to come from Apple in a future update. After the next such update, you should re-enable CRL and OCSP and see whether the problem has really been solved.

  • by bratman91,

    bratman91 Dec 4, 2013 12:02 PM in response to Linc Davis
    Level 2 (203 points)
    Mac OS X

    Linc, you did indeed make it clear to me that your advice was a work around and needed to be reversed once Apple had implemented a proper solution.

  • by bdiamond18,

    bdiamond18 Dec 4, 2013 1:16 PM in response to Linc Davis
    Level 1 (0 points)

    I have re-enabled OCSP and turned off my firewall rules, and all seems well again.  Has been like this for nearly 24 hours.  It is only CRL that I have turned off completely.

     

    I was ranging from 6-9 GB a day before.

     

    Can anybody else confirm that only CRL needs to be turned off?  For the benefit of everybody else on the thread, it would be nice to at least re-enable something...

  • by undertheappletree,

    undertheappletree Dec 4, 2013 1:53 PM in response to bdiamond18
    Level 1 (0 points)

    @bdiamond18 I have been running CRL off, OCSP best attempt for a couple of days across a few users and all seems well. Browsers at least are correctly identifying revoked certificates, and ocspd downloads only total 5MB for 48 hours.

     

    It is hard to verify whether apps like mail and app store are checking for revocation, so regard this as a workaround until the repeated downloads of CRLs are fixed by Apple. It's still better than having both off, although if you have many thousands of certificates it may actually use more bandwidth! I have <200.

  • by Elrainia,

    Elrainia Dec 4, 2013 2:14 PM in response to bdiamond18
    Level 1 (0 points)

    Can anybody else confirm that only CRL needs to be turned off?  For the benefit of everybody else on the thread, it would be nice to at least re-enable something...

     

    Knocking on 36 hours with just CRL turned off and everything is looking good.

     

    I've been trying to establish how much of the CRL activity is covered by the OCSP.  There's definitely some overlap and I have a distinct feeling that to some degree OCSP has succeeded CRL, but not to the extent that CRL is considered to be deprecated.  I guess that makes sense in the context of Apple supporting both and having them both active by default.  It would be nice to know how much a system is being "compromised" by having OCSP turned on and CRL turned off....

  • by Drew Reece,

    Drew Reece Dec 4, 2013 2:21 PM in response to Elrainia
    Level 5 (7,552 points)
    Notebooks

    Isn't this all designed to update revoked certificates without requiring software update?

    If a certificate is revoked this list will be updated & then the clients will stop trusting them. Secure connections will no longer be allowed & users will get warnings until there are updated certificates.

     

    So once these new features are disabled you are about as secure as the previous OS's that didn't constantly poll for updates.

     

    I can't pretend to fully understand this, but is that an accurate overview?

  • by Elrainia,

    Elrainia Dec 4, 2013 2:47 PM in response to Drew Reece
    Level 1 (0 points)

    Drew Reece wrote:

     

    So once these new features are disabled you are about as secure as the previous OS's that didn't constantly poll for updates.

     

    That is a good observation and actually quite reassuring in a strange sort of way

     

    Like you, I wouldn't make any claims to understanding this beyond a superficial level, but the last paragraph on Wikipedia's entry on CRLs was what triggered my generally vague question:

     

    "An alternative to using CRLs is the certificate validation protocol known as Online Certificate Status Protocol (OCSP). OCSP has the primary benefit of requiring less network bandwidth, enabling real-time and near real-time status checks for high volume or high value operations."


  • by stevefrombraddon,

    stevefrombraddon Dec 4, 2013 4:37 PM in response to Elrainia
    Level 1 (0 points)

    I don't understand any of it at all!

     

    But my Apple [Senior Help Desk] got back to me today after maybe 5-6 days and said this ...

     

    "I’m sorry if I haven’t followed up on your case because the Engineering took a long time for a reply as well since they’re busy replying to other Senior Support’s email as well.

    However, to give you a direct answer regarding OCSP and CRL, it is safe to keep them turned off for now. Engineering is already working on the server and providing a future software update to keep it more stable."

  • by Nolers,

    Nolers Dec 4, 2013 5:49 PM in response to stevefrombraddon
    Level 1 (0 points)

    After 12 hours of great success on deleting all the files in the crls folder, the problem returned just as before.

     

    I am now following plan B, which is shutting down OCSP and CRL in keychain. Glad to see Apple are working on it....wonder how long a "future update" takes

  • by bdiamond18,

    bdiamond18 Dec 4, 2013 6:16 PM in response to Nolers
    Level 1 (0 points)

    Nolers - you don't have to shut down OCSP, just CRL.  See some of the above posts confirming this....

  • by LyndonKL,

    LyndonKL Dec 9, 2013 7:12 PM in response to bdiamond18
    Level 1 (0 points)

    I upgraded my iMac with the server app and Mavericks. I have not noticed any increase in traffic. So in reading these posts I checked the keychain preferences and under the Certificates tab both OCSP and CRL are in the default(??) position of 'off'. I say default since I never looked at this before and had thus made no change. My internet traffic does show a pulse of about 3 minutes (someone else reported 2.5 minute) but the data volume is very very low.

    So maybe just fixing the Certificate preferences as above will fix??
