You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

OCSP Service using up quite a bit of bandwidth

I have been tracking down an issue regarding our ISP bandwidth usage (very high).


I believe I have found an issue with the OCSP daemon (ocspd) using up quite a bit of bandwidth for no apparent reason - my initial tests seem to show that this daemon, under Mavericks, is using about 100MB of download bandwidth per day (approx 3GB per month). This is huge considering that this process is meant to cache retrieved results (assuming of course it is getting results).


As a further test, I had 2 Macs running Mavericks and 1 running ML overnight, with all machines running RubberNet to monitor per process bandwidth.

On both Mav machines, the ocspd daemon used up the traffic as per above but ML used no bandiwdth for the same process.


The implications here is that users with bandwidth limited connections (e.g. Satallite or Mobile) will use up much of their allowance when at idle hence my interest.


Can someone verify these findings?


Just a wild thought: Perhaps because the keychain is now sent to iCloud in Mav, I wonder if the certificates are being checked more often for security reasons.


Thanks

Emlyn

iMac, OS X Mavericks (10.9)

Posted on Nov 10, 2013 5:48 AM

Reply
130 replies

Dec 3, 2013 7:00 PM in response to emlynuk

I managed to burn through 185GB! last month before I noticed this issue. I'm pulling my hair out with up to 5GB a day lost.User uploaded file

The pattern I have seems to match what some others have reported:


1) 32MB download blocks

2) Exactly 7.5min apart

3) Seems to kick in for several hours, goes away for a few hours.

4) Little snitch showing high activity on "OCSPD" - particually on "devimages.apple.com"

5) I have tried go into the CRIS folder and deleted all the contents (there was 10-15 files in there)

6) After deleting those, two quickly reppeared at log-in. Cricache.db and ocspcash.db


Things seemed to have quitened down but I don't trust it to start again once I go to bed.......going to call in sick to work tomorrow and stay up all night watching the screen...

Dec 3, 2013 8:15 PM in response to Nolers

Has everyone here upgraded from an earler OS, or migrated from another Mac? Anyone running a machine that has been erase+installed?


I have run Little Snitch on a clean 10.9 install & all I see is occasional 13MB downloads for ocspd.


It has used a few hundred MB, but that is over a period of about 18 hours. I have setup Mail, Find My Mac, iTunes & the App store. I don't see the regular pattern that everyone else has. I'm not denying it, but it may not be the default 10.9 behaviour?


Are any of you running Xcode? Does this happen in safe mode?


It could also be my location (UK). It seems a lot of the certs are on akamai & edgesuite CDN's. There are many hosts listed for some of the IP's used.


I noticed the App Store seems to make ocspd grab a 13MB chunk before & after downloading an app.

Dec 4, 2013 2:29 AM in response to Drew Reece

Drew Reece wrote:


Has everyone here upgraded from an earler OS, or migrated from another Mac? Anyone running a machine that has been erase+installed?



I've got an "odd" mixture. A MBP that has been upgrade from 10.7 -> 10.8 -> 10.9 and exhibts no problems. A brand new iMac shipped with ML and immediately upgraded to 10.9 and an older iMac that has had a clean install from a USB drive. The two iMacs are the ones suffering. I also had a MB Air that was upgraded and I think was exhibiting the problem (it was early days and can't be 100% sure), but I reverted it back to ML as it's a bit mission critical.


Are any of you running Xcode? Does this happen in safe mode?


It could also be my location (UK). It seems a lot of the certs are on akamai & edgesuite CDN's. There are many hosts listed for some of the IP's used.


Xcode running on one iMac but not the other. Also running on the MBP, so no correlation there for me.


I'm a UK-ist and would say > 90% of my traffic is from Akamai.


The (possibly) good news: Following bdiamond18's suggestion of OCSP ON and CRL OFF. I've now had 24 hours with no unsolicited downloads. I started the Appstore about 12 hours ago and that triggered the only noticable ocspd download since this time yesterday. I've deliberately not used the machine (much) in that period, so I'm intending to use it more normally today and see if I can get through another day without my bandwidth allowance being mugged in the street.

Dec 4, 2013 3:58 AM in response to Linc Davis

Following the advice of Linc Davis (Thanks!) in deleting the files in:

Linc Davis wrote:


Triple-click anywhere in the line of text below on this page to select it:


/var/db/crls


Copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

Go Go to Folder...

from the menu bar and paste into the box that opens (command-V). You won't see what you pasted because a line break is included. Press return.


A folder named "crls" should open. Move all the files in that folder to the Trash. You’ll be prompted for your administrator login password. Reboot, empty the Trash, and test.


I have gone from 3GB overnight to 8MB. Looks like it solved the problem....at least for now.

Dec 4, 2013 10:12 AM in response to Since 1986

After seeing my broadband usage rocket over the past 10 days or so, I started another thread not realising that my problem was much the same as debated in this thread. Linc Davis advised turning off CRL and OCSP in Keychain-Preferences-Certificates and the early signs are that this has cured the problem, or at least the symptom. The discussions in this thread give me confidence that Linc's advice is sound and will be a lasting help to me. Now.... having apparently downloaded something like 100GB of data, where on earth has it all gone?

Dec 4, 2013 11:03 AM in response to bratman91

Linc Davis advised turning off CRL and OCSP in Keychain-Preferences-Certificates and the early signs are that this has cured the problem, or at least the symptom.


I want to be sure everyone understands that it's a workaround, not a solution. The solution has to come from Apple in a future update. After the next such update, you should re-enable CRL and OCSP and see whether the problem has really been solved.

Dec 4, 2013 1:16 PM in response to Linc Davis

I have re-enabled OCSP and turned off my firewall rules, and all seems well again. Has been like this for nearly 24 hours. It is only CRL that I have turned off completely.


I was ranging from 6-9 GB a day before.


Can anybody else confirm that only CRL needs to be turned off? For the benefit of everybody else on the thread, it would be nice to at least re-enable something...

Dec 4, 2013 1:53 PM in response to bdiamond18

@bdiamond18 I have been running CRL off, OCSP best attempt for a couple of days across a few users and all seems well. Browsers at least are correctly identifying revoked certificates, and ocspd downloads only total 5MB for 48 hours.


It is hard to verify whether apps like mail and app store are checking for revocation, so regard this as a workaround until the repeated downloads of CRLs are fixed by Apple. It's still better than having both off, although if you have many thousands of certificates it may actually use more bandwidth! I have a <200.

Dec 4, 2013 2:14 PM in response to bdiamond18

Can anybody else confirm that only CRL needs to be turned off? For the benefit of everybody else on the thread, it would be nice to at least re-enable something...


Knocking on 36 hours with just CRL turned off and everything is looking good.


I've been trying to establish how much of the CRL activity is covered by the OCSP. There's definitely some overlap and I have a distinct feeling that to some degree OCSP has suceeded CRL, but not to the extent that CRL is considered to be depreciated. I guess that makes sense in the context of Apple supporting both and having them both active by default. It would be nice to know how much a system is being "compromised" by having OCSP turned on and CRL turned off....

Dec 4, 2013 2:21 PM in response to Elrainia

Isn't this all designed to update revoked certificates without requiring software update?

If a certificate is revoked this list will be updated & then the clients will stop trusting them. Secure conections will no longer be allowed & users will get warnings untill there is updated certificates.


So once these new features are disabled you are about as secure as the previous OS's that didn't constantly poll for updates.


I can't pretend to fully understand this, but is that an accurate overview?

Dec 4, 2013 2:47 PM in response to Drew Reece

Drew Reece wrote:


So once these new features are disabled you are about as secure as the previous OS's that didn't constantly poll for updates.


That is a good observation and actually quite reassuring in a strange sort of way 😐


Like you, I wouldn't make any claims to understanding this beyond a superficial level, but the last paragraph on Wikipedia's entry on CRLs was what triggered my generally vauge question:


"An alternative to using CRLs is the certificate validation protocol known as Online Certificate Status Protocol (OCSP). OCSP has the primary benefit of requiring less network bandwidth, enabling real-time and near real-time status checks for high volume or high value operations."

Dec 4, 2013 4:37 PM in response to Elrainia

I don't understand any of it at all!


But my Apple [Senior Help Desk] got back to me today after maybe 5-6 days and said this ...


"I’m sorry if I haven’t followed up on your case because the Engineering took a long time for a reply as well since they’re busy replying to other Senior Support’s email as well.

However, to give you a direct answer regarding OCSP and CRL, it is safe to keep them turned off for now. Engineering is already working on the server and providing a future software update to keep it more stable."

OCSP Service using up quite a bit of bandwidth

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.