OpenBSD Journal

rpki-client 8.4 released

Contributed by rueda on from the key issues dept.

Version 8.4 of rpki-client has been released, with a number of improvements and new features:

rpki-client 8.4 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties (RP) to
facilitate validation of BGP announcements. The program queries the
global RPKI repository system and validates untrusted network inputs.
The program outputs validated ROA payloads, BGPsec Router keys, and
ASPA payloads in configuration formats suitable for OpenBGPD and BIRD,
and supports emitting CSV and JSON for consumption by other routing
See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio
Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit
as part of the OpenBSD Project.

This release includes the following changes to the previous release:

- The synchronisation protocol used to sync the repository is now
  included in the OpenMetrics output.

- In filemode (-f option) the applicable manifests are now shown as
  part of the signature path.

- A new -P option was added to manually specify a moment in time
  to use when parsing the validity window of certificates. Useful
  for regression testing. Default is invocation time of rpki-client.

- The -A option will now also exclude ASPA data from the JSON output.

- Improved accounting by tracking objects both by repo and tal.

- For consistency, emit an explicit 'AS 0' Provider entry for ASPAs
  containing implicit information for one AFI.

- Fix missing whitespace in ASPA-set output for OpenBGPD.
  (This bugfix was also released as OpenBSD 7.3 errata 001.)

- Disallow X.509 v2 issuer and subject unique identifiers in certs.
  RPKI CAs will never issue certificates with V2 unique identifiers.

- Check whether products listed on a manifest were issued by the same
  authority as the manifest itself.

rpki-client works on all operating systems with a libcrypto library
based on OpenSSL 1.1 or LibreSSL 3.5, and a libtls library compatible
with LibreSSL 3.5 or later.

rpki-client is known to compile and run on at least the following
operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat,
Rocky, Ubuntu, macOS, and of course OpenBSD!

It is our hope that packagers take interest and help adapt
rpki-client-portable to more distributions.

The mirrors where rpki-client can be found are on

Reporting Bugs:

General bugs may be reported to

Portable bugs may be filed at

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release

Assistance to coordinate security issues is available via

So all a nice refresh for the security of your routing infrastructure.

(Comments are closed)


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]