
OCSP Service using up quite a bit of bandwidth

I have been tracking down an issue regarding our ISP bandwidth usage (very high).


I believe I have found an issue with the OCSP daemon (ocspd) using up quite a bit of bandwidth for no apparent reason - my initial tests seem to show that this daemon, under Mavericks, is using about 100MB of download bandwidth per day (approx 3GB per month). This is huge considering that this process is meant to cache retrieved results (assuming of course it is getting results).


As a further test, I had 2 Macs running Mavericks and 1 running ML overnight, with all machines running RubberNet to monitor per process bandwidth.

On both Mav machines, the ocspd daemon used up the traffic as per above but ML used no bandwidth for the same process.


The implication here is that users with bandwidth limited connections (e.g. satellite or mobile) will use up much of their allowance when at idle hence my interest.


Can someone verify these findings?


Just a wild thought: Perhaps because the keychain is now sent to iCloud in Mav, I wonder if the certificates are being checked more often for security reasons.


Thanks

Emlyn

iMac, OS X Mavericks (10.9)

Posted on Nov 10, 2013 5:48 AM

130 replies

Dec 3, 2013 7:00 PM in response to emlynuk

I managed to burn through 185GB! last month before I noticed this issue. I'm pulling my hair out with up to 5GB a day lost.

The pattern I have seems to match what some others have reported:


1) 32MB download blocks

2) Exactly 7.5min apart

3) Seems to kick in for several hours, goes away for a few hours.

4) Little Snitch showing high activity on "OCSPD" - particularly on "devimages.apple.com"

5) I have tried going into the CRIS folder and deleting all the contents (there were 10-15 files in there)

6) After deleting those, two quickly reappeared at log-in. Cricache.db and ocspcash.db


Things seemed to have quietened down but I don't trust it to start again once I go to bed.......going to call in sick to work tomorrow and stay up all night watching the screen...
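An added example, not part of any post in this thread: one way to confirm the pattern reported above (same-sized blocks at a fixed interval from one process) from a per-process traffic log. The log format (`epoch_seconds process bytes_in`), the sample lines, the function names and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample log, hypothetical format: "epoch_seconds process bytes_in"
SAMPLE_LOG = """\
1386100000 ocspd 33554432
1386100120 Safari 182044
1386100450 ocspd 33554432
1386100900 ocspd 33554432
1386101010 mdworker 2048
1386101350 ocspd 33554432
1386101800 ocspd 33554432
1386103000 softwareupdated 52428800
"""

def parse(log):
    """Group (timestamp, bytes) samples by process name, skipping malformed lines."""
    by_proc = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3 or not (parts[0].isdigit() and parts[2].isdigit()):
            continue
        by_proc[parts[1]].append((int(parts[0]), int(parts[2])))
    return by_proc

def periodic_downloaders(log, min_bytes=10 * 2**20, min_events=4, jitter=0.1):
    """Return {process: (median_interval_s, median_size, total_bytes)} for processes
    whose large downloads recur at a near-constant interval and size."""
    findings = {}
    for proc, samples in parse(log).items():
        big = sorted(s for s in samples if s[1] >= min_bytes)
        if len(big) < min_events:
            continue  # a single large transfer is not a pattern
        gaps = [b[0] - a[0] for a, b in zip(big, big[1:])]
        sizes = [s[1] for s in big]
        gap_mid, size_mid = median(gaps), median(sizes)
        steady_gap = all(abs(g - gap_mid) <= jitter * gap_mid for g in gaps)
        steady_size = all(abs(s - size_mid) <= jitter * size_mid for s in sizes)
        if steady_gap and steady_size:
            findings[proc] = (gap_mid, size_mid, sum(sizes))
    return findings

if __name__ == "__main__":
    for proc, (gap, size, total) in periodic_downloaders(SAMPLE_LOG).items():
        print(f"{proc}: ~{size / 2**20:.0f} MB every {gap / 60:.1f} min, "
              f"{total / 2**20:.0f} MB total")
```

On the constructed sample this flags only `ocspd` (32 MB every 7.5 minutes); the one-off large `softwareupdated` transfer is ignored because it does not repeat.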

Dec 3, 2013 8:15 PM in response to Nolers

Has everyone here upgraded from an earlier OS, or migrated from another Mac? Anyone running a machine that has been erase+installed?


I have run Little Snitch on a clean 10.9 install & all I see is occasional 13MB downloads for ocspd.


It has used a few hundred MB, but that is over a period of about 18 hours. I have setup Mail, Find My Mac, iTunes & the App store. I don't see the regular pattern that everyone else has. I'm not denying it, but it may not be the default 10.9 behaviour?


Are any of you running Xcode? Does this happen in safe mode?


It could also be my location (UK). It seems a lot of the certs are on akamai & edgesuite CDNs. There are many hosts listed for some of the IPs used.


I noticed the App Store seems to make ocspd grab a 13MB chunk before & after downloading an app.

Dec 4, 2013 2:29 AM in response to Drew Reece

Drew Reece wrote:


Has everyone here upgraded from an earlier OS, or migrated from another Mac? Anyone running a machine that has been erase+installed?



I've got an "odd" mixture. A MBP that has been upgraded from 10.7 -> 10.8 -> 10.9 and exhibits no problems. A brand new iMac shipped with ML and immediately upgraded to 10.9 and an older iMac that has had a clean install from a USB drive. The two iMacs are the ones suffering. I also had a MB Air that was upgraded and I think was exhibiting the problem (it was early days and can't be 100% sure), but I reverted it back to ML as it's a bit mission critical.


Are any of you running Xcode? Does this happen in safe mode?


It could also be my location (UK). It seems a lot of the certs are on akamai & edgesuite CDNs. There are many hosts listed for some of the IPs used.


Xcode running on one iMac but not the other. Also running on the MBP, so no correlation there for me.


I'm a UK-ist and would say > 90% of my traffic is from Akamai.


The (possibly) good news: Following bdiamond18's suggestion of OCSP ON and CRL OFF, I've now had 24 hours with no unsolicited downloads. I started the Appstore about 12 hours ago and that triggered the only noticeable ocspd download since this time yesterday. I've deliberately not used the machine (much) in that period, so I'm intending to use it more normally today and see if I can get through another day without my bandwidth allowance being mugged in the street.

Dec 4, 2013 3:58 AM in response to Linc Davis

Following the advice of Linc Davis (Thanks!) in deleting the files in:

Linc Davis wrote:


Triple-click anywhere in the line of text below on this page to select it:


/var/db/crls


Copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

Go > Go to Folder...

from the menu bar and paste into the box that opens (command-V). You won't see what you pasted because a line break is included. Press return.


A folder named "crls" should open. Move all the files in that folder to the Trash. You’ll be prompted for your administrator login password. Reboot, empty the Trash, and test.


I have gone from 3GB overnight to 8MB. Looks like it solved the problem....at least for now.

Dec 4, 2013 10:12 AM in response to Since 1986

After seeing my broadband usage rocket over the past 10 days or so, I started another thread not realising that my problem was much the same as debated in this thread. Linc Davis advised turning off CRL and OCSP in Keychain-Preferences-Certificates and the early signs are that this has cured the problem, or at least the symptom. The discussions in this thread give me confidence that Linc's advice is sound and will be a lasting help to me. Now.... having apparently downloaded something like 100GB of data, where on earth has it all gone?

Dec 4, 2013 11:03 AM in response to bratman91

Linc Davis advised turning off CRL and OCSP in Keychain-Preferences-Certificates and the early signs are that this has cured the problem, or at least the symptom.


I want to be sure everyone understands that it's a workaround, not a solution. The solution has to come from Apple in a future update. After the next such update, you should re-enable CRL and OCSP and see whether the problem has really been solved.

Dec 4, 2013 1:16 PM in response to Linc Davis

I have re-enabled OCSP and turned off my firewall rules, and all seems well again. Has been like this for nearly 24 hours. It is only CRL that I have turned off completely.


I was ranging from 6-9 GB a day before.


Can anybody else confirm that only CRL needs to be turned off? For the benefit of everybody else on the thread, it would be nice to at least re-enable something...

Dec 4, 2013 1:53 PM in response to bdiamond18

@bdiamond18 I have been running CRL off, OCSP best attempt for a couple of days across a few users and all seems well. Browsers at least are correctly identifying revoked certificates, and ocspd downloads only total 5MB for 48 hours.


It is hard to verify whether apps like mail and app store are checking for revocation, so regard this as a workaround until the repeated downloads of CRLs are fixed by Apple. It's still better than having both off, although if you have many thousands of certificates it may actually use more bandwidth! I have <200.

Dec 4, 2013 2:14 PM in response to bdiamond18

Can anybody else confirm that only CRL needs to be turned off? For the benefit of everybody else on the thread, it would be nice to at least re-enable something...


Knocking on 36 hours with just CRL turned off and everything is looking good.


I've been trying to establish how much of the CRL activity is covered by the OCSP. There's definitely some overlap and I have a distinct feeling that to some degree OCSP has succeeded CRL, but not to the extent that CRL is considered to be depreciated. I guess that makes sense in the context of Apple supporting both and having them both active by default. It would be nice to know how much a system is being "compromised" by having OCSP turned on and CRL turned off....

Dec 4, 2013 2:21 PM in response to Elrainia

Isn't this all designed to update revoked certificates without requiring software update?

If a certificate is revoked this list will be updated & then the clients will stop trusting them. Secure connections will no longer be allowed & users will get warnings until there are updated certificates.


So once these new features are disabled you are about as secure as the previous OS's that didn't constantly poll for updates.


I can't pretend to fully understand this, but is that an accurate overview?

Dec 4, 2013 2:47 PM in response to Drew Reece

Drew Reece wrote:


So once these new features are disabled you are about as secure as the previous OS's that didn't constantly poll for updates.


That is a good observation and actually quite reassuring in a strange sort of way 😐


Like you, I wouldn't make any claims to understanding this beyond a superficial level, but the last paragraph on Wikipedia's entry on CRLs was what triggered my generally vague question:


"An alternative to using CRLs is the certificate validation protocol known as Online Certificate Status Protocol (OCSP). OCSP has the primary benefit of requiring less network bandwidth, enabling real-time and near real-time status checks for high volume or high value operations."

Dec 4, 2013 4:37 PM in response to Elrainia

I don't understand any of it at all!


But my Apple [Senior Help Desk] got back to me today after maybe 5-6 days and said this ...


"I’m sorry if I haven’t followed up on your case because the Engineering took a long time for a reply as well since they’re busy replying to other Senior Support’s email as well.

However, to give you a direct answer regarding OCSP and CRL, it is safe to keep them turned off for now. Engineering is already working on the server and providing a future software update to keep it more stable."
