OpenBSD Journal

rpki-client 8.2 released

Contributed by Peter N. M. Hansteen on from the all routed to go dept.

A new release of the OpenBSD rpki-client, a key component in BGP routing security, is available.

The announcement by Sebastian Benoit (benno@) reads,

From: Sebastian Benoit <benno () openbsd ! org>
Date: Tue, 13 Dec 2022 23:18:32 +0000
To: openbsd-tech
Subject: rpki-client 8.2 released

rpki-client 8.2 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties (RP) to
facilitate validation of BGP announcements. The program queries the
global RPKI repository system and validates untrusted network inputs.
The program outputs validated ROA payloads, BGPsec Router keys, and
ASPA payloads in configuration formats suitable for OpenBGPD and BIRD,
and supports emitting CSV and JSON for consumption by other routing

See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio
Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit
as part of the OpenBSD Project.

This release includes the following changes to the previous release:

- Add a new '-H' command line option to create a shortlist of
  repositories to synchronize to. For example, when invoking
  "rpki-client -H -H", the utility
  will not connect to any other hosts other than the two specified
  through the -H option.

- Add support for validating Geofeed (RFC 9092) authenticators.  To
  see an example download and run
  "rpki-client -f geofeed.csv"

- Add support for validating Trust Anchor Key (TAK) objects. TAK
  objects can be used to produce new Trust Anchor Locators (TALs) signed
  by and verified against the previous Trust Anchor. See
  draft-ietf-sidrops-signed-tal for the full specification.

- Log lines related to RRDP/HTTPS connection problems now include the
  IP address of the problematic endpoint (in brackets).

- Improve the error message when an invalid filename is encountered
  in the rpkiManifest field in the Subject Access Information (SIA)

- Emit a warning when unexpected X.509 extensions are encountered.

- Restrict the ROA ipAddrBlocks field to only allow two
  ROAIPAddressFamily structures (one per address family).  See

- Check the absence of the Path Length constraint in the Basic
  Constraints extension.

- Restrict the SIA extension to only allow the signedObject and
  rpkiNotify accessMethods.

- Check that the Signed Object access method is present in ROA, MFT,
  ASPA, TAK, and GBR End-Entity certificates.

- In addition to the 'rsync://' scheme, also permit other schemes
  (such as 'https://') in the SIA signedObject access method.

- Check that the KeyUsage extension is set to nothing but
  digitalSignature on End-Entity certificates.

- Check that the KeyUsage extension is set to nothing but keyCertSign
  and CRLSign on CA certificates.

- Check that the ExtendedKeyUsage extension is absent on CA

- Fix a bug in the handling of the port of http_proxy.

- The '-r' command line option has been deprecated.

- Filemode (-f) output is now presented as a text based table.

rpki-client works on all operating systems with a libcrypto library
based on OpenSSL 1.1 or LibreSSL 3.5, and a libtls library compatible
with LibreSSL 3.5 or later.

rpki-client is known to compile and run on at least the following
operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat,
Rocky, Ubuntu, macOS, and of course OpenBSD!

It is our hope that packagers take interest and help adapt
rpki-client-portable to more distributions.

The mirrors where rpki-client can be found are on

Reporting Bugs:

General bugs may be reported to

Portable bugs may be filed at

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release

Assistance to coordinate security issues is available via
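
The two KeyUsage checks listed in the announcement, shown as an added example (not rpki-client's own code and not part of the original post): a stand-alone C check that decodes the DER BIT STRING of a KeyUsage extension and enforces the End-Entity and CA profiles. The function names and sample bytes are constructed for illustration, and "nothing but keyCertSign and CRLSign" is read here as exactly those two bits.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 5280 KeyUsage named bits; mask bit n is named bit n. */
#define KU_DIGITAL_SIGNATURE	(1u << 0)
#define KU_KEY_CERT_SIGN	(1u << 5)
#define KU_CRL_SIGN		(1u << 6)

/* Constructed sample encodings (DER BIT STRING), not from real certificates. */
static const uint8_t ee_ok[]  = { 0x03, 0x02, 0x07, 0x80 }; /* digitalSignature */
static const uint8_t ca_ok[]  = { 0x03, 0x02, 0x01, 0x06 }; /* keyCertSign, cRLSign */
static const uint8_t ee_bad[] = { 0x03, 0x02, 0x05, 0xa0 }; /* + keyEncipherment */

/* Decode a DER KeyUsage BIT STRING into a mask; -1 on malformed input. */
int
ku_decode(const uint8_t *der, size_t len, unsigned *mask)
{
	size_t i, nbytes;
	unsigned unused, bit;

	if (len < 4 || len > 5 || der[0] != 0x03 || (size_t)der[1] != len - 2)
		return -1;	/* KeyUsage has 9 bits: one or two content bytes */
	unused = der[2];
	nbytes = len - 3;
	/* DER named-bit list: last used bit is 1, padding bits are 0. */
	if (unused > 7 || (der[len - 1] & ((2u << unused) - 1)) != (1u << unused))
		return -1;
	*mask = 0;
	for (i = 0; i < nbytes; i++)
		for (bit = 0; bit < 8; bit++)
			if (der[3 + i] & (0x80u >> bit))
				*mask |= 1u << (i * 8 + bit);
	return 0;
}

/* 1 if the KeyUsage is exactly what the profile allows, 0 otherwise. */
int
ku_profile_ok(const uint8_t *der, size_t len, int is_ca)
{
	unsigned mask;

	if (ku_decode(der, len, &mask) == -1)
		return 0;
	if (is_ca)
		return mask == (KU_KEY_CERT_SIGN | KU_CRL_SIGN);
	return mask == KU_DIGITAL_SIGNATURE;
}

int
main(void)
{
	printf("EE ok: %d\n", ku_profile_ok(ee_ok, sizeof(ee_ok), 0));
	printf("CA ok: %d\n", ku_profile_ok(ca_ok, sizeof(ca_ok), 1));
	printf("EE with extra bit: %d\n", ku_profile_ok(ee_bad, sizeof(ee_bad), 0));
	return 0;
}
```

The comparison is an equality test on the whole mask, so any additional bit fails the check rather than being ignored.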
