Contributed by rueda on from the all the good routes dept.
The OpenBSD project has announced the release of version 9.5 of rpki-client:
rpki-client 9.5 has just been released and will be available in the rpki-client directory of any OpenBSD mirror soon. It is recommended that all users upgrade to this version for improved reliability. rpki-client is a FREE, easy-to-use implementation of the Resource Public Key Infrastructure (RPKI) for Relying Parties to facilitate validation of BGP announcements. The program queries the global RPKI repository system and validates untrusted network inputs. The program outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads in configuration formats suitable for OpenBGPD and BIRD, and supports emitting CSV and JSON for consumption by other routing stacks. See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix Origin Validation help secure the global Internet routing system. rpki-client was primarily developed by Kristaps Dzonsons, Claudio Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit as part of the OpenBSD Project. This release includes the following changes to the previous release: - rpki-client now includes arin.tal which is no longer legally encumbered. See https://www.arin.net/announcements/20250116-tal/ - rpki-client reports Certification Authorities that do not meaningfully participate in the RPKI as non-functional CAs. By definition, a CA is non-functional if there is no currently valid Manifest. The number of such CAs is printed at the end of each run and more detailed information is available in the JSON (-j) and ometrics (-m) output. - OpenBSD reliability errata 014: Incorrect internal RRDP state handling in rpki-client can lead to a denial of service. Affected are rpki-client versions 7.5 - 9.4. - Termination of rsync child processes with SIGTERM is no longer treated as an error if rpki-client has sent this signal. This only affects openrsync. - Do not exit filemode with an error if a .gbr or a .tak object contains control characters in its UTF-8 strings. Instead, only warn and emit a sanitized version in JSON output. Upcoming breaking change: - Starting with release 9.6, rpki-client will emit all key identifiers (AKI and SKI) encoded in JSON as bare hex strings without colons.
rpki-client works on all operating systems with a libcrypto library based on OpenSSL 1.1 or LibreSSL 3.6, a libtls library compatible with LibreSSL 3.6 or later, expat and zlib. rpki-client is known to compile and run on at least the following operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat, Rocky, Ubuntu, macOS, and of course OpenBSD! It is our hope that packagers take interest and help adapt rpki-client-portable to more distributions. The mirrors where rpki-client is available can be found on https://www.rpki-client.org/portable.html Reporting Bugs: =============== General bugs may be reported to tech@openbsd.org Portable bugs may be filed at https://github.com/rpki-client/rpki-client-portable We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible. Assistance to coordinate security issues is available via security@openbsd.org.
This release is both a welcome collection of fixes and improvements and a sure sign that a new OpenBSD release is just around the corner.