Hi
for a few weeks now I see that my Mac is downloading the crl about 50 times a day. Sometimes 5 times a minute. The crl itselve is about 24Mb big.
The url is:
http://devimages.apple.com/certificationauthority/wwdrca.crl
The agent behind is: ocspd
Does anyone know why it started to load this huge list so often? It is filling my firewall log.
Thanks
Rob
Mac mini, Mac OS X (10.7.5)
Three of my Macs running Mavericks are acting the same way, constantly download the 24MB files from the following URLs.
http://devimages.apple.com/certificationauthority/wwdrca.crl
http://developer.apple.com/certificationauthority/wwdrca.crl
They filled out my Internet usage at home and exceed my monthly limit already. I have no choice but put them to sleep.
As a first step I created a dedicated rule for this update and disabled logging on my firewall. So I get rid of the entries in the log file.
Right now I switch on web caching and hope I can prevent the Mac of downloding useless giga from the net. Will see how caching works.
Using a Fortigate 60C at home 🙂
Just opened a bug against this. All 8 minutes I get a firewall entry. Latest download was 30MB.
Bug report: 15529619
Hope Apple will fix it.
Thank you. I was about to do this but you did it already.
My problem is that my Internet is exceeding the monthly limit. I am paying extra money caused by this stupid bug. I have setup a firewall rule to block the specific outgoing traffic. Stopping this annoying activity for now until Apple fixes it.
This was a good one! I too had this issue, after alittle squid experimentation I found ocspd was grabbing exactly 7seconds of http://devimages.apple.com/certificationauthority/wwdrca.crl regardless of how much bandwidth I gave it. I didn’t notice if it was using a http range, but I do know over the last week I’ve downloaded Gigs of wwdrca.crl. My solution was to wget the file (took about 28second) so it was loaded in squid and then my mac was able to get it from squid in under 7seconds (well, under one :-) and that shut up ocspd.
my long term solution is to tweak squid's quick abort settings to avoid this kinda thing in the future. Hope this helps you.
You mean once ocspd got the file fast enough it was quite?
No, once ocspd got the entire file it was quite.
My internet connection isn't fast enough to send a 31M file in under 7 seconds, but with squid's help it is once preloaded.
The bug is: why does ocspd stop transfering after 7 seconds? or: why doen't ocspd use http accept-ranges?
****, your right. I switch on duration column in my firewall log and now I see that this connections are all about 7 seconds. Right after is a second connection terminating at 16 seconds. Those two alternating all the time.
If the Mac is terminating the connection than the cache in my firewall is not complete. So I will download it manually and see if it is then cached properly.
thanks for your input. I have switched on tha caching on my firewall and since then it is more quite. It tries to download just a few times a day and not contignously. I haven't checked in detail yet but maybe there is also a ttl on the file so it have to download it from time to time.
On the bug report is no feedback yet from Apple. No comment, no rank not even accepted.
But currently I can live with it.
Any updates on this thread? Any feedback from Apple?
Nope. Current workaround is still to have a local cache.
My Apple bug ID is: 15529619 which is a dublicate of: 15432402.
I don't have access to the second one so I don't know what there is going on. Maybe solved silently with the next update.
This problem has been given a pretty decent workover here...
https://discussions.apple.com/thread/5544915?start=75&tstart=0
although I do think roblogan [above] is on the money.
Current solution is to go to Keychain Access > Preferences> select Certificates and turn OFF OCSP and CRL
I'm no tech head and don't know what the consequences of this are but it stops my data allowance getting chewed up
stevefrombraddon - You only need to turn off the CRL Certificates. You can keep OCSP on. I ran tests like this on my two machines, and it was fine - seems to be confirmed in the thread you mentioned also.
I also don't know the full consequences of leaving them off other than it will impact certificate checking, so the less I leave off, the better.
Keep OCSP on, CRL off.
I've upgraded to 10.9.1. This problem seems to be fixed.
big revocation list downloads often
