Comment by passwordreset
4 years ago
ocsp.apple.com also has an IPv6 address. Firefox connects to it even with 0.0.0.0 in the hosts file and a flushed cache (you need to also clear firefox's internal cache if you're testing with it), so I'd assume that trustd could connect to the ocsp site as well. I don't think this will work without ensuring there is no IPv6 traffic on your network, or otherwise dumping both IPv4 and v6 packets to ocsp.apple.com.
Disable IPv6: sudo networksetup -setv6off Wi-Fi (where Wi-Fi is the name of the network service)
Can you not just add an IPv6 entry for it in your hosts file, e.g., ::1? That would work in Linux and seems like a much less nuclear option than disabling ipv6 all together, but admittedly I've never worked with ipv6 networking on Macs.
Last time I played with a Mac they also had the BSD `ipfw` command for kernel packet filtering [1]. Could try something there if it still exists.
[1]: https://www.unix.com/man-page/FreeBSD/8/ipfw/
Just to confirm: Yes, that works fine. It's probably the better solution here.