big revocation list downloads often

Hi


For a few weeks now I have seen that my Mac is downloading the CRL about 50 times a day, sometimes 5 times a minute. The CRL itself is about 24Mb big.


The URL is:

http://devimages.apple.com/certificationauthority/wwdrca.crl


The agent behind it is: ocspd


Does anyone know why it started to load this huge list so often? It is filling my firewall log.


Thanks

Rob

Mac mini, Mac OS X (10.7.5)

Posted on Nov 19, 2013 5:06 AM


Nov 22, 2013 7:27 PM in response to LTLin

This was a good one! I too had this issue. After a little squid experimentation I found ocspd was grabbing exactly 7 seconds of http://devimages.apple.com/certificationauthority/wwdrca.crl regardless of how much bandwidth I gave it. I didn't notice if it was using an HTTP range, but I do know over the last week I've downloaded Gigs of wwdrca.crl. My solution was to wget the file (took about 28 seconds) so it was loaded in squid, and then my Mac was able to get it from squid in under 7 seconds (well, under one :-) and that shut up ocspd.


My long-term solution is to tweak squid's quick abort settings to avoid this kinda thing in the future. Hope this helps you.
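An added example, not part of the post above and not code from Squid or Apple: one way to confirm from proxy logs that a client keeps abandoning the CRL download partway. It assumes Squid's native access.log layout; the log lines, addresses, byte counts, function names and the threshold of 3 are constructed for illustration.

```python
CRL_URL = "http://devimages.apple.com/certificationauthority/wwdrca.crl"

# Constructed sample in Squid's native access.log layout:
# time elapsed_ms client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = f"""\
1385150400.100 7012 192.168.1.20 TCP_MISS/200 6291456 GET {CRL_URL} - DIRECT/192.0.2.10 application/pkix-crl
1385150416.300 16040 192.168.1.20 TCP_MISS/200 14680064 GET {CRL_URL} - DIRECT/192.0.2.10 application/pkix-crl
1385150423.900 7005 192.168.1.20 TCP_MISS/200 6291456 GET {CRL_URL} - DIRECT/192.0.2.10 application/pkix-crl
1385150440.200 15990 192.168.1.20 TCP_MISS/200 14417920 GET {CRL_URL} - DIRECT/192.0.2.10 application/pkix-crl
1385150500.000 512 192.168.1.20 TCP_MISS/200 1024 GET http://example.com/index.html - DIRECT/192.0.2.20 text/html
1385150600.000 28110 192.168.1.5 TCP_MISS/200 25165824 GET {CRL_URL} - DIRECT/192.0.2.10 application/pkix-crl
1385150700.000 640 192.168.1.20 TCP_HIT/200 25165824 GET {CRL_URL} - NONE/- application/pkix-crl
"""

def parse_line(line):
    """Return the fields we need from one log line, or None if it is malformed."""
    f = line.split()
    if len(f) < 7 or not f[1].isdigit() or not f[4].isdigit():
        return None
    return {"elapsed_ms": int(f[1]), "client": f[2], "bytes": int(f[4]), "url": f[6]}

def crl_fetch_report(log_text, url=CRL_URL, full_size=None):
    """Per-client counts of complete and partial transfers of `url`."""
    hits = [r for r in map(parse_line, log_text.splitlines()) if r and r["url"] == url]
    if not hits:
        return {}
    # Without a known file size, treat the largest transfer seen as the full file.
    full = full_size or max(r["bytes"] for r in hits)
    report = {}
    for r in hits:
        s = report.setdefault(r["client"], {"complete": 0, "partial": 0,
                                            "partial_bytes": 0, "partial_secs": []})
        if r["bytes"] >= full:
            s["complete"] += 1
        else:
            s["partial"] += 1
            s["partial_bytes"] += r["bytes"]  # bandwidth spent on abandoned fetches
            s["partial_secs"].append(round(r["elapsed_ms"] / 1000))
    return report

def noisy_clients(report, min_partial=3):
    """Clients that abandoned the download at least `min_partial` times."""
    return sorted(c for c, s in report.items() if s["partial"] >= min_partial)

if __name__ == "__main__":
    rep = crl_fetch_report(SAMPLE_LOG)
    for client, stats in rep.items():
        print(client, stats)
    print("repeated partial fetches:", noisy_clients(rep))
```

A cluster of identical values in `partial_secs` points to a client-side timeout rather than a slow link.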

Nov 24, 2013 1:21 AM in response to roblogan

****, you're right. I switched on the duration column in my firewall log and now I see that these connections are all about 7 seconds. Right after is a second connection terminating at 16 seconds. Those two alternate all the time.


If the Mac is terminating the connection then the cache in my firewall is not complete. So I will download it manually and see if it is then cached properly.

Nov 28, 2013 9:41 AM in response to roblogan

Thanks for your input. I have switched on the caching on my firewall and since then it is quieter. It tries to download just a few times a day and not continuously. I haven't checked in detail yet, but maybe there is also a TTL on the file so it has to download it from time to time.


There is no feedback yet from Apple on the bug report. No comment, no rank, not even accepted.


But currently I can live with it.

Dec 13, 2013 7:55 PM in response to bdiamond18

This problem has been given a pretty decent workover here...


https://discussions.apple.com/thread/5544915?start=75&tstart=0


although I do think roblogan [above] is on the money.


Current solution is to go to Keychain Access > Preferences > select Certificates and turn OFF OCSP and CRL.


I'm no tech head and don't know what the consequences of this are, but it stops my data allowance getting chewed up.

Dec 14, 2013 6:23 AM in response to stevefrombraddon

stevefrombraddon - You only need to turn off the CRL Certificates. You can keep OCSP on. I ran tests like this on my two machines, and it was fine - seems to be confirmed in the thread you mentioned also.


I also don't know the full consequences of leaving them off other than it will impact certificate checking, so the less I leave off, the better.


Keep OCSP on, CRL off.
