
Tags: rpki-client/rpki-client-portable

Tags

9.7

rpki-client 9.7 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon. It is recommended
that all users upgrade to this version for improved reliability.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties to facilitate
validation of BGP announcements. The program queries the global RPKI
repository system and validates untrusted network inputs. The program
outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads
in configuration formats suitable for OpenBGPD and BIRD, and supports
emitting CSV and JSON for consumption by other routing stacks.

See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio Jeker,
Job Snijders, Theo Buehler, Theo de Raadt, and Sebastian Benoit as part
of the OpenBSD Project.

- The Canonical Cache Representation underwent a breaking change after the
  adoption of https://datatracker.ietf.org/doc/draft-ietf-sidrops-rpki-ccr/
  as a SIDROPS working group item. Apart from several CMS-related cosmetics,
  it now uses an IANA-assigned content type. As a result, rpki-client 9.7
  cannot parse rpki-client 9.6's .ccr files and vice versa.

- Support for Ghostbusters Record objects (RFC 6493) has been removed.
  Nobody showed interest in deploying this and there are other, widely
  supported ways of exchanging operational contact information such as
  RDAP. RFC 6493 is undergoing a status review to be marked as historic:
  https://datatracker.ietf.org/doc/status-change-rpki-ghostbusters-record-to-historic/

- Prepare the code base for the opaque ASN1_STRING structure in OpenSSL 4.

- Fixed two reliability issues: one where a malicious RPKI Certification
  Authority can trigger a crash, one where a malicious Trust Anchor can
  provoke memory exhaustion. Thanks to Xie Yifan for reporting.

rpki-client works on all operating systems with a libcrypto library
based on OpenSSL 1.1 or LibreSSL 3.6, a libtls library compatible with
LibreSSL 3.6 or later, expat and zlib.

rpki-client is known to compile and run on at least the following
operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat,
Rocky, Ubuntu, macOS, and of course OpenBSD!

It is our hope that packagers take interest and help adapt
rpki-client-portable to more distributions.

The mirrors where rpki-client is available can be found on
https://www.rpki-client.org/portable.html

Reporting Bugs:
===============

General bugs may be reported to tech@openbsd.org

Portable bugs may be filed at
https://github.com/rpki-client/rpki-client-portable

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.

Assistance to coordinate security issues is available via
security@openbsd.org.

9.6

rpki-client 9.6 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon. It is recommended
that all users upgrade to this version for improved reliability.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties to facilitate
validation of BGP announcements. The program queries the global RPKI
repository system and validates untrusted network inputs. The program
outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads
in configuration formats suitable for OpenBGPD and BIRD, and supports
emitting CCR, CSV, and JSON for consumption by other routing stacks.

See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Theo Buehler, Job Snijders,
Claudio Jeker, Kristaps Dzonsons, Theo de Raadt, and Sebastian Benoit
as part of the OpenBSD Project.

- The parser process now uses parallel threads for object validation.
  The new -p option can be used to adjust the number of threads.

- Support for Canonical Cache Representation has been added. CCR is a
  new DER-encoded data interchange format to support audit trail
  keeping, validated payload dissemination, and analytics pipelines.
  https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-ccr

- Certificate parsing and validation have been completely reworked. In
  particular, a more stringent set of compliance checks based on RFC
  6487, RFC 8209, and RFC 8608 is imposed on end entity certificates.

- Filemode is now able to detect most file types without recourse to the
  file name extension.

- Experimental support for P-256 Trust Anchor keys was added.

- Marshalling and unmarshalling of privsep messages was improved.

- In verbose mode, warnings are emitted about uncompressed HTTP/RRDP
  transfers larger than one megabyte. Publication server operators are
  strongly encouraged to offer gzip compressed HTTP content-encoding, see
  draft-ietf-sidrops-publication-server-bcp, section 6.3.

- As announced in the release notes for rpki-client 9.5, rpki-client 9.6
  emits all key identifiers (AKI and SKI) encoded in JSON as bare hex
  strings without colons.

- Fixed numerous minor issues flagged by the Coverity static analyzer.

- Support for the OpenSSL 1.1 branch now requires at least OpenSSL 1.1.1w.
  This support will be removed in the course of 2026.

rpki-client works on all operating systems with a libcrypto library
based on OpenSSL 1.1 or LibreSSL 3.6, a libtls library compatible with
LibreSSL 3.6 or later, expat and zlib.

rpki-client is known to compile and run on at least the following
operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat,
Rocky, Ubuntu, macOS, and of course OpenBSD!

It is our hope that packagers take interest and help adapt
rpki-client-portable to more distributions.

The mirrors where rpki-client is available can be found on
https://www.rpki-client.org/portable.html

Reporting Bugs:
===============

General bugs may be reported to tech@openbsd.org

Portable bugs may be filed at
https://github.com/rpki-client/rpki-client-portable

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.

Assistance to coordinate security issues is available via
security@openbsd.org.

9.5

rpki-client 9.5 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon. It is recommended
that all users upgrade to this version for improved reliability.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties to facilitate
validation of BGP announcements. The program queries the global RPKI
repository system and validates untrusted network inputs. The program
outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads
in configuration formats suitable for OpenBGPD and BIRD, and supports
emitting CSV and JSON for consumption by other routing stacks.

See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio
Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit
as part of the OpenBSD Project.

This release includes the following changes to the previous release:

- rpki-client now includes arin.tal which is no longer legally encumbered.
  See https://www.arin.net/announcements/20250116-tal/

- rpki-client reports Certification Authorities that do not meaningfully
  participate in the RPKI as non-functional CAs. By definition, a CA is
  non-functional if there is no currently valid Manifest. The number of
  such CAs is printed at the end of each run and more detailed information
  is available in the JSON (-j) and OpenMetrics (-m) output.

- OpenBSD reliability errata 014:
  Incorrect internal RRDP state handling in rpki-client can lead to a
  denial of service. Affected are rpki-client versions 7.5 - 9.4.

- Termination of rsync child processes with SIGTERM is no longer treated as
  an error if rpki-client has sent this signal. This only affects openrsync.

- Do not exit filemode with an error if a .gbr or a .tak object contains
  control characters in its UTF-8 strings. Instead, only warn and emit a
  sanitized version in JSON output.

Upcoming breaking change:

- Starting with release 9.6, rpki-client will emit all key identifiers
  (AKI and SKI) encoded in JSON as bare hex strings without colons.

rpki-client works on all operating systems with a libcrypto library
based on OpenSSL 1.1 or LibreSSL 3.6, a libtls library compatible with
LibreSSL 3.6 or later, expat and zlib.

rpki-client is known to compile and run on at least the following
operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat,
Rocky, Ubuntu, macOS, and of course OpenBSD!

It is our hope that packagers take interest and help adapt
rpki-client-portable to more distributions.

The mirrors where rpki-client is available can be found on
https://www.rpki-client.org/portable.html

Reporting Bugs:
===============

General bugs may be reported to tech@openbsd.org

Portable bugs may be filed at
https://github.com/rpki-client/rpki-client-portable

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.

Assistance to coordinate security issues is available via
security@openbsd.org.

9.4

rpki-client 9.4 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon. It is recommended
that all users upgrade to this version for improved reliability.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties to facilitate
validation of BGP announcements. The program queries the global RPKI
repository system and validates untrusted network inputs. The program
outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads
in configuration formats suitable for OpenBGPD and BIRD, and supports
emitting CSV and JSON for consumption by other routing stacks.

See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio
Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit
as part of the OpenBSD Project.

This release includes the following changes to the previous release:

- rpki-client 9.4 will gradually stop accepting ultra long-lived TA
  certificates. The utility now warns about TA certificates with an
  expiry date more than 15 years into the future. After February 2nd,
  2026, such certificates will be rejected, and from March 3rd 2027
  onwards, TA certificates with a validity period exceeding 3 years will
  be rejected. This is done to encourage reasonably frequent reissuance
  of TA certificates and ensures that changes in the SubjectInfoAccess
  and Internet Number Resources are propagated to the entire ecosystem.
  It also strengthens the mitigations for TA replay attacks introduced
  via the TA tie breaking mechanism. For further background see:
  https://mailarchive.ietf.org/arch/msg/sidrops/-Y5NfXnGfDbeGOCAFj5xHgU90Zo/
  https://datatracker.ietf.org/doc/draft-ietf-sidrops-rpki-ta-tiebreaker/

- The generated BIRD config file was reworked. BIRD versions 1.x are no
  longer supported and the -T option to customize the ROA table name was
  removed. The config file now includes the ASPA-set by default and is
  therefore only compatible with BIRD 2.16 and later. If compatibility
  with older BIRD versions is required, the ASPA-set can be excluded
  with the -A flag. Operators should delete any remaining bird1v4 and
  bird1v6 output files.

- Validated ROA payloads from AS0 TALs are by default excluded from the
  output files as they are not recommended for automatic filtering of
  BGP routes. This precaution can be overridden with the new -0 flag.

- Various improvements to the ibuf API, including a new reader API
  which is used to make all message parsing in rpki-client memory safe.

- Warn about gaps in manifest issuance. Such gaps can appear for example
  if rpki-client isn't run frequently enough, if there are issues with
  an RFC 8181 publication server or if there is an operational error on
  the side of the CA.

- Work around a backward compatibility break accidentally introduced
  in OpenSSL 3.4.0, which resulted in all RPKI signed objects being
  rejected. Earlier and later versions of OpenSSL are not affected.

- Improved validity period checking in file mode. The product's lifetime
  and the expiration time of the signature path are now taken into
  account.

- Better cleanup in case of a fallback from RRDP to RSYNC. In rare
  circumstances, files were moved to the wrong place in the cache.

rpki-client works on all operating systems with a libcrypto library
based on OpenSSL 1.1 or LibreSSL 3.6, a libtls library compatible with
LibreSSL 3.6 or later, expat and zlib.

rpki-client is known to compile and run on at least the following
operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat,
Rocky, Ubuntu, macOS, and of course OpenBSD!

It is our hope that packagers take interest and help adapt
rpki-client-portable to more distributions.

The mirrors where rpki-client is available can be found on
https://www.rpki-client.org/portable.html

Reporting Bugs:
===============

General bugs may be reported to tech@openbsd.org

Portable bugs may be filed at
https://github.com/rpki-client/rpki-client-portable

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.

Assistance to coordinate security issues is available via
security@openbsd.org.

9.3

rpki-client 9.3 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon. It is recommended
that all users upgrade to this version for improved reliability.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties to facilitate
validation of BGP announcements. The program queries the global RPKI
repository system and validates untrusted network inputs. The program
outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads
in configuration formats suitable for OpenBGPD and BIRD, and supports
emitting CSV and JSON for consumption by other routing stacks.

See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio
Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit
as part of the OpenBSD Project.

This release includes the following changes to the previous release:

- Avoid a quadratic complexity issue in ibuf_realloc() due to misuse of
  recallocarray(). Transferring a manifest with a large FileAndHash
  list across a privsep boundary could cost significant resources.

- RRDP sessions are periodically reinitialized to snapshot at random
  intervals. RRDP deltas and snapshots can diverge content-wise over
  time, leaving stale files in the cache. Reinitialization is triggered
  at random with increasing probability with increasing snapshot age, at
  least once every three months. This helps garbage collection.

- The internal state file format changed. The first run after an upgrade
  may produce harmless warning messages about invalid last_reset.

- Signed Prefix List statistics are now only emitted when rpki-client
  is run with -x.
  This changes the JSON output: without -x some keys are missing from
  'metadata'.

- The -r command line option formerly enabling RRDP has long been the
  default and is now removed.

- The CRL number extension in CRLs is checked to be in the range [0..2^159-1]
  and otherwise the CRL is considered invalid, see
  https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-crl-numbers

rpki-client works on all operating systems with a libcrypto library
based on OpenSSL 1.1 or LibreSSL 3.6, a libtls library compatible with
LibreSSL 3.6 or later, expat and zlib.

rpki-client is known to compile and run on at least the following
operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat,
Rocky, Ubuntu, macOS, and of course OpenBSD!

It is our hope that packagers take interest and help adapt
rpki-client-portable to more distributions.

The mirrors where rpki-client is available can be found on
https://www.rpki-client.org/portable.html

Reporting Bugs:
===============

General bugs may be reported to tech@openbsd.org

Portable bugs may be filed at
https://github.com/rpki-client/rpki-client-portable

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.

Assistance to coordinate security issues is available via
security@openbsd.org.
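The CRL Number range check from the 9.3 notes, as an added example that is not rpki-client's own code (rpki-client does this through libcrypto): a strict DER INTEGER decoder plus the [0, 2^159 - 1] bound, which is the same bound rpki-client applies to manifest numbers. The encoder and all inputs are constructed here for illustration.

```python
"""Range check for a CRL Number as rpki-client 9.3 applies it: the DER
INTEGER must decode to a value in [0, 2^159 - 1], otherwise the CRL is
invalid. Added example, not rpki-client's own code."""

MAX_CRL_NUMBER = (1 << 159) - 1  # largest value fitting 20 octets with sign bit clear


class DerError(ValueError):
    """Raised for anything that is not a single, minimally encoded INTEGER."""


def parse_der_integer(buf: bytes) -> int:
    """Decode one DER INTEGER TLV (tag 0x02) that must cover all of buf.

    Enforces DER strictness: definite and minimal length, no trailing
    bytes, non-empty content, and no redundant leading 0x00 / 0xFF octet.
    The value is decoded as signed, so a leading 0xFF content octet gives
    a negative number, which the caller then rejects.
    """
    if len(buf) < 2:
        raise DerError("too short for a TLV")
    if buf[0] != 0x02:
        raise DerError("tag is not INTEGER")
    first = buf[1]
    if first < 0x80:
        length, off = first, 2
    else:
        nlen = first & 0x7F
        if nlen == 0 or nlen > 4:
            raise DerError("indefinite or oversized length")
        if len(buf) < 2 + nlen:
            raise DerError("truncated length field")
        length = int.from_bytes(buf[2:2 + nlen], "big")
        if buf[2] == 0 or length < 0x80:
            raise DerError("non-minimal length encoding")
        off = 2 + nlen
    if len(buf) != off + length:
        raise DerError("content length mismatch or trailing data")
    content = buf[off:]
    if length == 0:
        raise DerError("empty INTEGER content")
    if length > 1:
        if content[0] == 0x00 and not content[1] & 0x80:
            raise DerError("redundant leading 0x00 octet")
        if content[0] == 0xFF and content[1] & 0x80:
            raise DerError("redundant leading 0xFF octet")
    return int.from_bytes(content, "big", signed=True)


def encode_der_integer(value: int) -> bytes:
    """Minimal DER encoding of a non-negative INTEGER, used to build inputs."""
    if value < 0:
        raise ValueError("only non-negative values are encoded here")
    # One extra byte when the top bit would be set keeps the value positive.
    content = value.to_bytes(value.bit_length() // 8 + 1, "big")
    n = len(content)
    if n < 0x80:
        header = bytes([0x02, n])
    else:
        nlen = (n.bit_length() + 7) // 8
        header = bytes([0x02, 0x80 | nlen]) + n.to_bytes(nlen, "big")
    return header + content


def crl_number_ok(der: bytes) -> bool:
    """True if der is a well-formed CRL Number within [0, 2^159 - 1]."""
    try:
        value = parse_der_integer(der)
    except DerError:
        return False
    return 0 <= value <= MAX_CRL_NUMBER


if __name__ == "__main__":
    # Constructed inputs, not taken from any real CRL.
    for label, der in [("zero", encode_der_integer(0)),
                       ("2^159-1", encode_der_integer(MAX_CRL_NUMBER)),
                       ("2^159", encode_der_integer(1 << 159)),
                       ("negative", bytes([0x02, 0x01, 0xFF])),
                       ("non-minimal", bytes([0x02, 0x02, 0x00, 0x7F]))]:
        print(label, "accepted" if crl_number_ok(der) else "rejected")
```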

9.2

rpki-client 9.2 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon. It is recommended
that all users upgrade to this version for improved reliability.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties to facilitate
validation of BGP announcements. The program queries the global RPKI
repository system and validates untrusted network inputs. The program
outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads
in configuration formats suitable for OpenBGPD and BIRD, and supports
emitting CSV and JSON for consumption by other routing stacks.

See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio
Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit
as part of the OpenBSD Project.

This release includes the following changes to the previous release:

- Ensure synchronization jobs are stopped when the timeout is reached.

- Fix a corner case in repository handling. If the last RRDP repository
  failed to load, rpki-client would fail to fall back to rsync due to an
  ordering bug in the event loop.

- Improve detection of duplicate file paths. Only trigger a duplicate
  error if a valid path is revisited; otherwise a bad CA could prevent
  legitimate files from being considered valid.

- Normalize internal representation of the caRepository to have a
  trailing slash and ensure that the rpkiManifest is a file inside it.

rpki-client works on all operating systems with a libcrypto library
based on OpenSSL 1.1 or LibreSSL 3.6, a libtls library compatible with
LibreSSL 3.6 or later, expat and zlib.

rpki-client is known to compile and run on at least the following
operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat,
Rocky, Ubuntu, macOS, and of course OpenBSD!

It is our hope that packagers take interest and help adapt
rpki-client-portable to more distributions.

The mirrors where rpki-client is available can be found on
https://www.rpki-client.org/portable.html

Reporting Bugs:
===============

General bugs may be reported to tech@openbsd.org

Portable bugs may be filed at
https://github.com/rpki-client/rpki-client-portable

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.

Assistance to coordinate security issues is available via
security@openbsd.org.

9.1

rpki-client 9.1 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon. It is recommended
that all users update to this version for improved reliability.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties (RP) to
facilitate validation of BGP announcements. The program queries the
global RPKI repository system and validates untrusted network inputs.
The program outputs validated ROA payloads, BGPsec Router keys, and
ASPA payloads in configuration formats suitable for OpenBGPD and BIRD,
and supports emitting CSV and JSON for consumption by other routing
stacks.

See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio
Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit
as part of the OpenBSD Project.

This release includes the following changes to the previous release:

- Impose same-origin policy for RRDP

  This addresses an oversight in the original RRDP specification
  (RFC8182) which allowed any publication server to cause load on
  another server by tricking RPs into making cross-origin requests.
  Imposing a same-origin policy in RRDP client/server communication
  isolates resources such as Delta and Snapshot files from different
  Repository Servers, reducing possible attack vectors.
  https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rrdp-same-origin

- Introduce tiebreaking for trust anchors

  Instead of always using newly-retrieved trust anchors, compare a
  fetched TA with one stored in the cache. Later notBefore and earlier
  notAfter are used to identify a trust anchor certificate as newer.
  This prevents certain forms of replay attack.
  https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-ta-tiebreaker

- Fix internal identification of CA resource certificates

  The rpki-client utility tracks CA certificates across privilege
  separation boundaries. The original design was to use the subject key
  identifier, which is problematic because the SKI is not guaranteed to
  be globally unique. On the one hand, operators could choose to reuse
  their keys for multiple CAs and on the other hand, publishing a CA
  cert in the RPKI requires no proof of possession: anyone can publish
  CA certificates with any public key they please.

- Verify self-signage for trust anchors

  In other PKIs, trust anchors come from a trusted source and contain
  little to no important information apart from the public key. Therefore,
  libcrypto's chain verifier does not check their signatures by default
  because this "doesn't add any security and just wastes time". None of
  this is true in the RPKI and therefore trust anchors need an extra
  verification step.

- Introduce a check for filenames as presented by publication points

  Filenames presented by publication points are unsigned data; they must
  match the location in the signed object's EE certificate SIA extension
  which is signed data. This prevents some forms of replay attack.
  https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-manifest-numbers

- Improved compliance with RFCs 6487 and 8209 for certificates and CRLs

  The issuer field of certificates and CRLs is checked to comply with
  section 4.4 of RFC 6487. Various aspects of URIs provided in SIA, AIA
  and CRL distribution points were improved. Criticality of key usage is
  now enforced and the extension is inspected for all certificate types.

- Presence of CMS signing-time is now enforced and presence of
  CMS binary-signing-time is disallowed, per RFC 9589.
  https://www.rfc-editor.org/rfc/rfc9589.html

- Lowered the maximum acceptable manifest number to 2^159 - 1, per
  https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-manifest-numbers

- Limit number of validated ASPAs per customer ASID, per
  https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-profile

- Ignore the CRL Number extension in CRLs, per
  https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-crl-numbers

- Various minor bug fixes and improvements in logging and error reporting

rpki-client works on all operating systems with a libcrypto library
based on OpenSSL 1.1 or LibreSSL 3.6, a libtls library compatible
with LibreSSL 3.6 or later, and zlib.

rpki-client is known to compile and run on at least the following
operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat,
Rocky, Ubuntu, macOS, and of course OpenBSD!

It is our hope that packagers take interest and help adapt
rpki-client-portable to more distributions.

The mirrors where rpki-client is available can be found on
https://www.rpki-client.org/portable.html

Reporting Bugs:
===============

General bugs may be reported to tech@openbsd.org

Portable bugs may be filed at
https://github.com/rpki-client/rpki-client-portable

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.

Assistance to coordinate security issues is available via
security@openbsd.org.
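The trust anchor tiebreaker from the 9.1 notes and the TA lifetime schedule from the 9.4 notes (15-year warning, rejection from February 2nd 2026, 3-year limit from March 3rd 2027), combined into one added example that is not rpki-client's own code. Assumptions: notBefore is compared first and notAfter only breaks ties, the cutover days themselves already apply, and the TaCert type and sample certificates are constructed here.

```python
"""Trust anchor (TA) certificate handling as described in the rpki-client
9.1 (TA tiebreaking) and 9.4 (TA lifetime limits) release notes.
Added example, not rpki-client's own code."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

UTC = timezone.utc


def utc_date(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=UTC)


# 9.4 schedule. Assumption: the cutover days themselves already apply.
WARN_EXPIRY_YEARS = 15
REJECT_LONG_EXPIRY_FROM = utc_date(2026, 2, 2)
MAX_VALIDITY_YEARS = 3
REJECT_LONG_VALIDITY_FROM = utc_date(2027, 3, 3)


@dataclass(frozen=True)
class TaCert:
    """Only the two validity fields these checks need; a real TA certificate
    carries much more (key, SIA, resources) that is not modelled here."""
    not_before: datetime
    not_after: datetime


def add_years(t: datetime, years: int) -> datetime:
    """Calendar-year arithmetic; a Feb 29 start clamps to Feb 28."""
    try:
        return t.replace(year=t.year + years)
    except ValueError:
        return t.replace(year=t.year + years, day=28)


def is_newer(fetched: TaCert, cached: TaCert) -> bool:
    """9.1 tiebreaker: the fetched TA is newer if its notBefore is later, or
    (assumed combination of the two criteria) if notBefore is equal and its
    notAfter is earlier. Anything else keeps the cached copy, which is what
    defeats replay of an older, longer-lived TA certificate."""
    if fetched.not_before != cached.not_before:
        return fetched.not_before > cached.not_before
    return fetched.not_after < cached.not_after


def check_lifetime(cert: TaCert, eval_time: datetime) -> Tuple[str, str]:
    """9.4 lifetime policy evaluated at eval_time (the -P evaluation time,
    which 8.9 extended to TA certificates). Returns (verdict, reason) with
    verdict one of 'ok', 'warn' or 'reject'."""
    if not cert.not_before <= eval_time <= cert.not_after:
        return "reject", "not valid at evaluation time"
    if cert.not_after > add_years(eval_time, WARN_EXPIRY_YEARS):
        reason = "expiry more than %d years in the future" % WARN_EXPIRY_YEARS
        if eval_time >= REJECT_LONG_EXPIRY_FROM:
            return "reject", reason
        return "warn", reason
    if (eval_time >= REJECT_LONG_VALIDITY_FROM
            and cert.not_after > add_years(cert.not_before, MAX_VALIDITY_YEARS)):
        return "reject", "validity period exceeds %d years" % MAX_VALIDITY_YEARS
    return "ok", ""


def select_ta(fetched: TaCert, cached: Optional[TaCert],
              eval_time: datetime) -> Tuple[Optional[TaCert], str]:
    """Pick the TA certificate to use: keep the cached one unless the fetched
    one is newer, then apply the lifetime policy to the winner. Returns
    (certificate or None if rejected, reason)."""
    if cached is None or is_newer(fetched, cached):
        candidate = fetched
    else:
        candidate = cached
    verdict, reason = check_lifetime(candidate, eval_time)
    if verdict == "reject":
        return None, reason
    return candidate, reason


# Constructed sample certificates, not real TA data.
CACHED_TA = TaCert(utc_date(2024, 6, 1), utc_date(2027, 6, 1))
FRESH_TA = TaCert(utc_date(2025, 6, 1), utc_date(2028, 6, 1))
REPLAYED_TA = TaCert(utc_date(2020, 1, 1), utc_date(2045, 1, 1))  # old 25-year cert

if __name__ == "__main__":
    now = utc_date(2025, 9, 1)
    print(select_ta(FRESH_TA, CACHED_TA, now))     # fresh cert replaces the cache
    print(select_ta(REPLAYED_TA, CACHED_TA, now))  # replay ignored, cache kept
    print(check_lifetime(REPLAYED_TA, now))        # warn: expires > 15 years out
    print(check_lifetime(REPLAYED_TA, utc_date(2026, 3, 1)))  # reject after cutover
```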

9.0

rpki-client 9.0 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon. It is recommended
that all users update to this version for improved reliability.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties (RP) to
facilitate validation of BGP announcements. The program queries the
global RPKI repository system and validates untrusted network inputs.
The program outputs validated ROA payloads, BGPsec Router keys, and
ASPA payloads in configuration formats suitable for OpenBGPD and BIRD,
and supports emitting CSV and JSON for consumption by other routing
stacks.

See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio
Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit
as part of the OpenBSD Project.

This release includes the following changes to the previous release:

- Added support for RPKI Signed Prefix Lists

  Signed Prefix Lists carry the complete list of prefixes which an
  Autonomous System may originate to its routing peers. The validation of a
  Signed Prefix List confirms that the holder of the listed ASN produced
  the object. This list is a current, accurate and complete description
  of address prefixes that may be announced into the routing system
  originated by this AS.

  https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist

  Signed prefix lists are only parsed in filemode or if rpki-client is run
  with the new -x flag.

- Added an -x flag to opt into parsing and evaluation of file types that are
  still considered experimental. At this point in time this covers the signed
  prefix lists.

- Added a metric to track the number of new files that were moved to the
  validated cache. In the OpenMetrics output, per-repository counters are
  shown. The main process and the JSON output only show the total.

- Per the announcement in the last release, the stale manifest counters were
  removed from the OpenMetrics and the JSON output.

- Ensure that the FileAndHashes list in a Manifest contains no duplicate
  file names and no duplicate hashes.

- Various refactoring work, notably to reduce the warning spam generated by
  OpenSSL 3's deprecations and to remove unergonomic internal structs.

rpki-client works on all operating systems with a libcrypto library
based on OpenSSL 1.1 or LibreSSL 3.6, a libtls library compatible
with LibreSSL 3.6 or later, and zlib.

rpki-client is known to compile and run on at least the following
operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat,
Rocky, Ubuntu, macOS, and of course OpenBSD!

It is our hope that packagers take interest and help adapt
rpki-client-portable to more distributions.

The mirrors where rpki-client can be found are on
https://www.rpki-client.org/portable.html

Reporting Bugs:
===============

General bugs may be reported to tech@openbsd.org

Portable bugs may be filed at
https://github.com/rpki-client/rpki-client-portable

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.

Assistance to coordinate security issues is available via
security@openbsd.org.

8.9

rpki-client 8.9 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon. It is recommended
that all users update to this version for improved reliability.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties (RP) to
facilitate validation of BGP announcements. The program queries the
global RPKI repository system and validates untrusted network inputs.
The program outputs validated ROA payloads, BGPsec Router keys, and
ASPA payloads in configuration formats suitable for OpenBGPD and BIRD,
and supports emitting CSV and JSON for consumption by other routing
stacks.

See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio
Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit
as part of the OpenBSD Project.

This release includes the following changes to the previous release:

- The handling of manifests fetched via rsync or RRDP was reworked to
  fully conform to RFC 9286. The issuance date and manifest number of
  the purported new manifest file must have been increased, otherwise
  the cached version is used.

- As a consequence of the above changes, some warnings for .mft files
  were reworded. The notion of a stale manifest is no longer used.
  The following counters will be removed in rpki-client 9.0:
  - The stalemanifest counter in JSON output.
  - The "stale" state for manifest objects in Open Metrics output.

- A race condition between closing an idle connection and scheduling a
  new request on it could trigger an assert in rare circumstances.

- The evaluation time specified with -P now also applies to trust anchor
  certificates.

- Check that the entire CMS eContent was consumed. Previously, trailing
  data would be silently discarded on deserialization of products.

- In file mode do not consider overclaiming intermediate CA certificates
  as invalid. A warning is still issued.

- Print the revocation time of certificates in file mode.

- Be more careful when converting OpenSSL numeric identifiers (NIDs)
  to strings.

rpki-client works on all operating systems with a libcrypto library
based on OpenSSL 1.1 or LibreSSL 3.6, a libtls library compatible
with LibreSSL 3.6 or later, and zlib.

rpki-client is known to compile and run on at least the following
operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat,
Rocky, Ubuntu, macOS, and of course OpenBSD!

It is our hope that packagers take interest and help adapt
rpki-client-portable to more distributions.

The mirrors where rpki-client can be found are on
https://www.rpki-client.org/portable.html

Reporting Bugs:
===============

General bugs may be reported to tech@openbsd.org

Portable bugs may be filed at
https://github.com/rpki-client/rpki-client-portable

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.

Assistance to coordinate security issues is available via
security@openbsd.org.

8.8

rpki-client 8.8 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties (RP) to
facilitate validation of BGP announcements. The program queries the
global RPKI repository system and validates untrusted network inputs.
The program outputs validated ROA payloads, BGPsec Router keys, and
ASPA payloads in configuration formats suitable for OpenBGPD and BIRD,
and supports emitting CSV and JSON for consumption by other routing
stacks.

See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio
Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit
as part of the OpenBSD Project.

This release includes the following changes to the previous release:

- A failed manifest fetch could result in a NULL pointer dereference or
  a use after free.

- Reject non-conforming RRDP delta elements that contain neither publish
  nor a withdraw element and fall back to the RRDP snapshot.

- Refactoring and minor bug fixes in the warning display functions.

rpki-client works on all operating systems with a libcrypto library
based on OpenSSL 1.1 or LibreSSL 3.6, a libtls library compatible
with LibreSSL 3.6 or later, and zlib.

rpki-client is known to compile and run on at least the following
operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat,
Rocky, Ubuntu, macOS, and of course OpenBSD!

It is our hope that packagers take interest and help adapt
rpki-client-portable to more distributions.

The mirrors where rpki-client can be found are on
https://www.rpki-client.org/portable.html

Reporting Bugs:
===============

General bugs may be reported to tech@openbsd.org

Portable bugs may be filed at
https://github.com/rpki-client/rpki-client-portable

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.

Assistance to coordinate security issues is available via
security@openbsd.org.