What is OCSP?
Apple OCSP (Online Certificate Static Protocol) Service is responsible for validating the Certificate Status of Applications. macOS Devices use OCSP to validate the developer certificate hasn't been revoked before the application is launched.
OCSP is an internet standard protocol. You can read more about it here.
How does macOS handle communication to OCSP?
If the macOS device cannot reach the Apple OCSP Service it skips the check and launches the application without the validation.
If the Apple OCSP Service is accessible but degraded or slow to respond, it will cause macOS Devices to launch third-party applications to open very slowly or not at all, the device would never skip the check, because the service is still reachable.
This communication happens over port 80 to the url http://ocsp.apple.com.
The results of the OCSP call are cached on the Mac for up to half a day. If a user opens an application multiple times while the OCSP cache is current for the application, the OCSP call is not made.
Can I disable Apple OCSP?
You can block the connection to this service but there is no method of disabling this connection natively in macOS.
We strongly discourage blocking this connection as this service is a major part of the overall security macOS Devices provide.
Big Sur Release
Following the release of macOS 11 Big Sur, this service became degraded and impacted large amounts of devices across entire fleets, if not all macOS devices.
Many immediately implemented a block to ocsp.apple.com during this time to help mitigate the problem.
While it was understandable to block during the outage, we strongly recommend removing the block to this service at this time.
I added a host file entry to block this Service - how can I remove it?
You can use the script referenced below to remove this entry from your host file.
If you do not have this entry, it will notify you in the output the entry did not exist.
#!/bin/sh # Check if there is a line in /etc/hosts containing ocsp block # if ocsp was blocked another method, this would not account for that method. if grep -q "ocsp.apple.com" /etc/hosts; then echo "Redirect exists for ocsp.apple.com for hosts file , replacing with new..." # Remove line /usr/bin/sed -i_bak -e '/ocsp.apple.com/d' /etc/hosts # Reset DNS /usr/bin/killall -HUP mDNSResponder else echo "ocsp.apple.com was not found in your hosts file" fi
More information is available below: