17 Replies Latest reply: Aug 10, 2009 9:44 PM by bbulmer
DCIFRTHS Level 1 (20 points)
After updating to OS X 10.5.7, I started to get messages, from Little Snitch (LS), stating that "ocspd" wants to connect to certinfo.mac.com using TCP Port 80. As I was somewhat confused by this request, I did a quick search, and found out that the OS is checking to see if the root certificates have been revoked. Is this accurate? Also, based on the information I found, I created a rule to allow this connection FOREVER. Comments please.

What I find strange is that tonight, I started to get a message from LS regarding "ocspd" but this time it wants to connect to "EVIntl-ocsp.verisign.com" (also using TCP 80). The reverse DNS name is "TGV.ANYCAST-FO.CHI.versign.com". What is this connection alert coming from? If Apple has created a method to check for revoked certs, why is "ocspd" attempting to connect to "EVIntl-ocsp.verisign.com" at 199.7.48.72? Any information on this would be greatly appreciated.

Thanks.

Unibody 15" MBP, Mac OS X (10.5.6)
  • schalliol Level 1 (0 points)
    I also wonder the same thing. I've had the same calls as you have. I don't have the answers, but am interested in any info people have.
  • Barry Hemphill Level 8 (36,450 points)
    Hello d:

    I am not trying to be facetious, but have you ever had a system penetration problem? If not, I would get rid of the _third party_ software (little snitch) and enjoy the Mac. I am assuming, of course, that you have the OS X internal firewall enabled.

    Barry
  • varjak paw Level 10 (169,820 points)
    ocspd is the "Online Certificate Status Protocol" daemon that processes all certificate validation. This handles both CRL - Certificate Revocation Lists & OCSP - Online Certificate Status Protocol validation of certificates. It's part of both the Keychain and the certificate framework. Verisign is one of the common providers of Internet certificates so it's one of the services the ocspd process will contact for certificate updates and verification.

    You do want to allow this process to connect, yes. Only if it were attempting to contact some completely unknown site would it be cause for followup to verify the site.

    Message was edited by: Dave Sawyer
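
A certificate names its own OCSP responder URL in its Authority Information Access extension, which is why a CA's OCSP host can appear in a prompt for ocspd. The script below is an added example, not part of the thread: it checks a host from a firewall prompt against the responders a given certificate names, using `openssl x509 -ocsp_uri`. The certificate, the `.test` hostnames and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Hostnames under .test are constructed.

# Print the lowercase host of every OCSP responder URL that the PEM
# certificate in file $1 lists in its Authority Information Access extension.
ocsp_hosts() {
    openssl x509 -in "$1" -noout -ocsp_uri |
        sed -E 's#^[A-Za-z][A-Za-z0-9+.-]*://##; s#[/:?].*$##' |
        tr '[:upper:]' '[:lower:]'
}

# Succeed (exit 0) only if host $2 is one of the responders named by cert $1.
# Exact match: a look-alike or parent/sub domain does not count.
is_expected_ocsp_host() {
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    ocsp_hosts "$1" | grep -qxF -- "$want"
}

# Build a constructed self-signed certificate at path $1 whose AIA extension
# names the placeholder responder http://ocsp.sample.test/ (OpenSSL 1.1.1+).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=site.sample.test" \
        -addext "authorityInfoAccess = OCSP;URI:http://ocsp.sample.test/" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Demo: classify two hosts that a firewall prompt might show for ocspd.
demo() {
    dir=$(mktemp -d) && make_sample_cert "$dir/cert.pem" || return 1
    for host in OCSP.sample.test ocsp.sample.test.lookalike.test; do
        if is_expected_ocsp_host "$dir/cert.pem" "$host"; then
            echo "$host: named by the certificate"
        else
            echo "$host: NOT named by the certificate, follow up"
        fi
    done
    rm -rf "$dir"
}
demo
```

To check a real prompt, save the site's certificate as PEM and call `is_expected_ocsp_host cert.pem <host from the prompt>`.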
  • gumsie Level 4 (2,150 points)
    I'll add a thanks here, I was wondering myself what this was.
  • Glynn Level 4 (1,375 points)
    That was a great answer Dave!!! I'm so glad I use this forum!!

    Be reading from your posts soon.

    Cheers,
    Glynn
  • DCIFRTHS Level 1 (20 points)
    Hi Barry,

    I understand that some people choose to use their computers the way you described, and that is fine. On the other hand, that is not the way I like to "compute". I prefer to be proactive, and prevent any nefarious activity before it happens. Additionally, I really enjoy discovering why things do what they do.

    Thanks.
  • DCIFRTHS Level 1 (20 points)
    Hi Dave,

    I had never seen this request before I upgraded from 10.5.6 to 10.5.7. Has Apple changed the way the OS checks for valid certificates?

    Thanks for your detailed answer. As you can see, other people also appreciated your first answer.
  • varjak paw Level 10 (169,820 points)
    "I had never seen this request before I upgraded from 10.5.6 to 10.5.7. Has Apple changed the way the OS checks for valid certificates?"

    Sorry, I don't know. But as is often the case with updates that involve security patches, it's entirely possible. Or there may be something in Little Snitch that changed/reset due to the update.
  • DCIFRTHS Level 1 (20 points)
    Thanks Dave. I appreciate the information.

    If anyone else has an answer or thoughts on why I started getting these alerts, after upgrading to 10.5.7, I would love to hear from you.
  • garbageman Level 2 (365 points)
    "If anyone else has an answer or thoughts on why I started getting these alerts, after upgrading to 10.5.7"

    I'm pretty sure I started getting the messages after I installed the Little Snitch 2.1.1 update that was released the day before 10.5.7 was released.
  • AmplifiedLife Level 1 (15 points)
    this helped me too.

    i had the same question and feel the same way about little snitch. i enjoy seeing all the processes occurring on my mac and what gets in & out, etc.

    peace,

    L
  • thirteen53 Level 1 (0 points)
    I am running 10.5.7 and recently upgraded to Little Snitch 2.1.3. The ocspd thing is a Little Snitch problem and not an OS problem. I just looked, and ocspd was listed as Deny Until Quit in Little Snitch Configuration. To fix this, just create a new rule for ocspd and Allow All Connections, or select Allow All Connections when the question box comes up again.

    As for "get[ting] rid of the third party software (little snitch) and enjoy[ing] the Mac," no thank you. I'm a suspenders-and-belt kind of guy, and Little Snitch is a powerful defense against the bad people out there.
  • nerowolfe Level 6 (13,070 points)
    Welcome to Apple Discussions:
    Yes, more knowledge is always better than less. An informed user is a good user. Ignorance is not bliss - it is ignorance.
    I use LittleSnitch and have discovered some interesting items such as the regularity with which the Apple time server is accessed, the actual locations of various Apple servers, such as the autosoftware update server, etc.
    Useful? I don't know; but it is interesting, yes.
    Taking an active interest in things, to me, is much more valuable than a passive shrug.
  • robogobo Level 2 (290 points)
    Barry, network monitors are not just for security. They're also great for diagnosing problems and just being aware of who your machine is talking to. System penetrations are one thing. Sneaky applications are another.