Untrusted Server Certs & OCSP Revocation Check - Practical Settings?

See topic. Our SSL Inspection policy is currently configured to block untrusted server certificates and to perform OCSP Revocation Checks. We are seeing quite a few blocks in our logs for large companies such as FedEx, PayPal, etc. w/ the tag "Access Denied Due To Bad Server Certificate".

Are our settings too aggressive to be practical? Do most customers disable one or both of the two settings to avoid playing whack-a-mole with whitelisting every day?