OS X 10.9 and Apps from the MAS keep on loading the same CRL on every start

Question

Level 1

14 points

OS X 10.9 and Apps from the MAS keep on loading the same CRL on every start

After upgrading to Mavericks I see a massive internet activity on each start of an App from the MAS. Using CocoaPacketAnalyzer, I found out that upon each start of an App from the Mac App Store, a CRL (Certificate Revocation List) is requested by an agent named ocspd:

GET /certificationauthority/wwdrca.crl HTTP/1.1

Host: devimages.apple.com

Accept: */*

Accept-Language: en-us

Connection: keep-alive

Accept-Encoding: gzip, deflate

User-Agent: ocspd/1.0.1

And then downloaded:

HTTP/1.1 200 OK

Server: Apache

ETag: "5542b57b22bfd44b8d2ae1a8e61dedec:1385330422"

Last-Modified: Sun, 24 Nov 2013 22:00:22 GMT

Accept-Ranges: bytes

Content-Length: 32436955

The file size of the CRL is 31 MByte. Upon repetitive loads, I noted that the ETag of the downloaded file didn't change and therefore my expectation is that ocspd would took the most recent version from its cache instead of downloading the same CRL again and again.

In effect, in my case this sums up to a massive waste of internet bandwidth. My provider automatically reduces the overall bandwidth at the end of the month when I pass a certain limit of total traffic. So, I am interested to avoid completely sane traffic. Am I the only one seeing this? I already repaired the access rights to no avail. Are there any other measures, that I could take?

Change the provider or don't re-start MAS Apps is not a viable solution for me, please don't suggest this.

Posted on Nov 27, 2013 3:49 AM

Reply

Answer 1

Top-ranking reply

Linc Davis

Level 10

209,649 points

Nov 27, 2013 10:49 AM in response to rolfheinrich

Back up all data.

Launch the Keychain Access application in any of the following ways:

☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)

☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

☞ Open LaunchPad. Click Utilities, then Keychain Access in the icon grid.

From the menu bar, select

Keychain Access ▹ Preferences ▹ Certificates

There are three menus in the window. Change the selection in the top two to

Require if certificate indicates

Log out, log back in, and test. Repeat for all other user accounts, if any. If there's no improvement, change the menu selections to Off, but only as a last resort. That setting could compromise your security on the Internet.

Reply

Answer 2

rolfheinrich Author

Level 1

14 points

Nov 27, 2013 11:24 AM in response to Linc Davis

Many Thanks for your reply.

In Keychain Access > Preferences > Certificates, I need to switch the second pop-up menu [Certificate Revocation List (CRL)] to Off in order to stop the MAS Apps from downloading any CRL at each start.

This is not exactly the cure, I was looking for, since with that a CRL is never ever loaded anymore. I would have preferred a solution that makes ocspd send the ETag of the last loaded CRL in an if-match header field, or at least send an if-modified-since header, in order to give the server a chance to respond with status code 304 - not modified.

Perhaps, I am wanting too much. For the time being, I keep CRL off, which seems to have been the default before 10.9. Later I will install Squid on my border-line server, and hopefully this will take care of caching CRLs and other things.

Reply

Answer 3

Linc Davis

Level 10

209,649 points

Nov 27, 2013 11:33 AM in response to rolfheinrich

What happens if you change Priority to OCSPD?

Reply

Answer 4

rolfheinrich Author

Level 1

14 points

Nov 27, 2013 11:49 AM in response to Linc Davis

The Priority was OCSP, and changing it CRL doesn't help either.

Am I the only one seeing 31.5 MByte CRL download on each start of a MAS app?

Reply

Answer 5

Linc Davis

Level 10

209,649 points

Nov 27, 2013 11:59 AM in response to rolfheinrich

Others have reported high bandwidth use by the ocspd process. I don't know what causes it. Maybe a bug.

Reply

Answer 6

rolfheinrich Author

Level 1

14 points

Nov 27, 2013 12:38 PM in response to Linc Davis

Eventually, to me it looks not like a bug. The ocspd is by design not able to take advantage of caching. It doesn't send any if-match or if-modified-since headers in its download requests, it is a quite simple unconditional downloader.

Take this and the fact that the CRL is rapidly growing in size 0.5 MByte in the last 3 days, it means that each CRL checking would cause a lot of traffic. If the CRL continues to grow at the said rate, we will be at 80 MByte per check in one year.

I had a look at an older Mac installation (Mac OS X 10.6.8) and there OCSP and CRL was OFF by default.

The ocspd daemon seems to be a quite old tool, first seen in Mac OS X 10.4, and it is still at Version 1.0.1. At that time, the CRL was perhaps 10 kBytes in size.

My conclusion is, that OCSP and CRL has been turned to ON with Mavericks, and we are seeing the effect of putting in charge an outdated daemon which was meant to load kBytes and not MBytes.

So, until Apple comes up with a modernized daemon which does incremental CRL loading, we are urged to turn CRL off or to use external caches like Squid on our firewall server.

Reply

Answer 7

Linc Davis

Level 10

209,649 points

Nov 27, 2013 12:50 PM in response to rolfheinrich

You may be right, but I don't recall seeing any complaints about this issue before Mavericks was released.

Reply

Answer 8

rolfheinrich Author

Level 1

14 points

Nov 27, 2013 12:55 PM in response to Linc Davis

Because OCSP and CRL checking was OFF by default before Mavericks and has been switched ON by default with it.

Reply

Answer 9

Nov 27, 2013 5:14 PM in response to rolfheinrich

Having the same issue... 3000Mb downloads per day. Noboday had an explaination until I saw this post. I am turning off CRL also and hoping it resolves. Started right after I installed Mavricks.

Reply