emlynuk

Q: OCSP Service using up quite a bit of bandwidth

I have been tracking down an issue regarding our ISP bandwidth usage (very high).

 

I believe I have found an issue with the OCSP daemon (ocspd) using up quite a bit of bandwidth for no apparent reason - my initial tests seem to show that this daemon, under Mavericks, is using about 100MB of download bandwidth per day (approx 3GB per month).  This is huge considering that this process is meant to cache retrieved results (assuming of course it is getting results).

 

As a further test, I had 2 Macs running Mavericks and 1 running ML overnight, with all machines running RubberNet to monitor per process bandwidth.

On both Mav machines, the ocspd daemon used up the traffic as per above, but ML used no bandwidth for the same process.

The implication here is that users with bandwidth-limited connections (e.g. satellite or mobile) will use up much of their allowance when at idle, hence my interest.

 

Can someone verify these findings?

 

Just a wild thought: Perhaps because the keychain is now sent to iCloud in Mav, I wonder if the certificates are being checked more often for security reasons.

 

Thanks

Emlyn

iMac, OS X Mavericks (10.9)

Posted on Nov 10, 2013 5:48 AM

  • by ulibiz,

    ulibiz Mar 5, 2015 7:40 AM in response to emlynuk
    Level 1 (0 points)

    Found this thread today, and I'm writing just to report that I'm having the same problem: I have to kill this connection

    ocspd    55471          root    9u  IPv4 0xffffff800cbcc6c0      0t0    TCP 192.168.8.101:54743->2.18.240.210:http (ESTABLISHED)

    since it was downloading a large amount of data (hundreds of MB) (and I pay for every MB :/)

     

    Date: March 5th, 2015

    OS: Mac OS X 10.7.5 (build 11G63b)

     

    I think that the OS should have more options to control and turn off "auto-downloading" and "syncing" features when you are using a pay-per-use connection.

  • by gby1,

    gby1 May 5, 2015 5:46 AM in response to clockworkapps
    Level 1 (0 points)

    I was seeing in Little Snitch lots being downloaded, captured just a few minutes and it was 8 Megs.  Went into my keychain certificates and there were three Apple certificates that were expired.  Deleted those and the downloading stopped.

     

    Thanks so much!

  • by checks202,

    checks202 Jun 11, 2015 4:56 AM in response to emlynuk
    Level 1 (0 points)

    You can add another to the list. 340Gb this thing tore through in a mere 8 days.

     

    Be warned: Apple might ask you to test another network like your mobile. Beware you might get a minor bill shock.

  • by Mik B,

    Mik B Jun 13, 2015 11:48 AM in response to clockworkapps
    Level 1 (20 points)

    Ellenburg dot org seems gone so here's the web archive of that article.

  • by seyed_m,

    seyed_m Jun 22, 2015 9:37 AM in response to Mik B
    Level 1 (0 points)

    I have the same issue. I disabled OCSP and CRL.

    But I found a connection under the com.apple.WebKit.WebContent process for IP 91.121.43.224. It uses 2 MB per minute.

    After creating a rule to deny access to this connection, I terminated it, and after a few seconds it re-appeared under the com.apple.WebKit.Networking process and the com.apple.WebKit.WebContent process.

    Finally I disabled it from accessing the internet and restarted Safari, and everything is GOOOD!

  • by seyed_m,

    seyed_m Jun 27, 2015 12:25 AM in response to seyed_m
    Level 1 (0 points)

    After restricting 91.121.43.224 and turning OCSP and CRL off, bandwidth usage is very low now. (for more than 5 days)

    Also, it seems that Safari's slow connections problem is fixed!

    Safari is now as fast as Google Chrome in loading web pages.

  • by tingel,

    tingel Aug 30, 2015 6:43 AM in response to emlynuk
    Level 1 (0 points)

    I came across this problem in a virtual OS X machine. Apart from the heavy bandwidth usage, it also had the symptom of invalid certificates, e.g. when checking for Little Snitch updates.

    When surfing with Safari, it complained the certificates were not valid yet. The reason for that was that the system clock was way off (about one year). When I opened up the time settings, the clock set itself via NTP and the certificate issue was gone.

    In the case of satellite systems that lack an NTP server, this may be a possible reason for the ocspd problem?

  • by byronpk,

    byronpk Dec 31, 2015 11:54 PM in response to clockworkapps
    Level 1 (0 points)

    My reply may be 2 years out of date, but your post just helped me fix this problem on Mac El Capitan. Yes, the problem still persists, even today.

  • by technicaltitch,

    technicaltitch Mar 1, 2016 10:33 AM in response to byronpk
    Level 1 (0 points)

    Noticed the link to web archive was broken - here's a fixed URL:

     

    http://web.archive.org/web/20141228212733/http://www.ellenburg.org/index.php/2013/10/23/osx-10-9-mavericks-appstore-issu…

     

    Huge thanks to all who investigated this - here in Ethiopia I pay nearly $60 for 8GB and if I overrun it costs about $20 a GB. Apple seems to think we all have limitless data and money. I'd gratefully switch back to Windows in a heartbeat if I didn't need Linux for work. Little Snitch has paid for itself many, many times over.

     

    I caught ocspd downloading from dev-images.cdn.apple.com. I killed the connection after 80MB (by pulling out the 3G device) then blocked ocspd in Little Snitch, and have now also disabled ocspd and crl in Keychain Prefs / Certificates. I thought I'd blocked everything apple.com in hosts, but it is subdomain specific - now looking at dnsmasq https://passingcuriosity.com/2013/dnsmasq-dev-osx/ .

  • by pacifico,

    pacifico Aug 7, 2016 2:33 PM in response to gby1
    Level 1 (4 points)

    Same here. El Capitan 10.11.6. Deleting expired certificates in Apple Keychain did the thing. Reduced bandwidth from 550K/sec to 0K/sec in a second.
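Added example, not written by any poster in this thread: a small checker for the two certificate conditions reported above, expired certificates in the keychain (gby1, pacifico) and certificates that look "not valid yet" because the system clock is about a year off (tingel). It assumes the input is text in the shape printed by `openssl x509 -noout -subject -dates`; the subjects and dates in the sample are constructed.

```python
from datetime import datetime, timezone

# Constructed sample in the shape printed by
# `openssl x509 -noout -subject -dates` for three certificates.
# Subjects and dates are made up for this example.
SAMPLE = """\
subject=CN = Example Expired Intermediate
notBefore=Feb  7 21:48:47 2006 GMT
notAfter=Feb  7 21:48:47 2014 GMT
subject=CN = Example Current Root
notBefore=Apr 25 21:40:36 2006 GMT
notAfter=Feb  9 21:40:36 2035 GMT
subject=CN = Example Recently Issued Leaf
notBefore=Jun  1 00:00:00 2015 GMT
notAfter=Jun  1 00:00:00 2017 GMT
"""

def parse_openssl_time(value):
    # openssl pads single-digit days with an extra space; collapse it first.
    text = " ".join(value.split())
    return datetime.strptime(text, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def parse_certs(text):
    # Group subject/notBefore/notAfter lines into one dict per certificate.
    certs, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip()
        if key == "subject":
            current = {"subject": value.strip()}
            certs.append(current)
        elif key in ("notBefore", "notAfter") and current is not None:
            current[key] = parse_openssl_time(value)
    # Keep only entries that carry both ends of the validity window.
    return [c for c in certs if "notBefore" in c and "notAfter" in c]

def classify(certs, now):
    # Compare each validity window against the clock value supplied by the caller.
    result = {}
    for c in certs:
        if now < c["notBefore"]:
            status = "not yet valid"
        elif now > c["notAfter"]:
            status = "expired"
        else:
            status = "valid"
        result[c["subject"]] = status
    return result
```

Running `classify` twice, once with the real time and once with the machine's reported time, separates certificates that are genuinely expired from ones that only fail because of clock skew.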
