7.323 Sep 2021 06:45
Rpki-client 7.3 has just been released and will be available in the
Rpki-client directory of any OpenBSD mirror soon.
Rpki-client is a FREE, easy-to-use implementation of the Resource.
Public Key Infrastructure (RPKI) for Relying Parties (RP) to.
Facilitate validation of the Route Origin of a BGP announcement. The.
Program queries the RPKI repository system and outputs Validated ROA.
Payloads in the configuration format of OpenBGPD, BIRD, and also as.
CSV or JSON objects for consumption by other routing stacks.
See RFC 6811 for a description of how BGP PreOrigin Validation.
Secures the Internet's global routing system.
Rpki-client was primarily developed by Kristaps Dzonsons, Claudio.
Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit.
as part of the OpenBSD Project.
This release includes the following changes to the previous release:
Improve the HTTP client code (status code handling, http proxy.
In RRDP, do not access URI with userinfo.
Improve RRDP syncing by considering a notification file serial.
Jumping backwards as synced repository.
Make -R (rsync only) also apply to the fetching of TA files.
Only sync *. cer,crl,gbr,mft,roa files via rsync and exclude all others.
When producing output for OpenBGPd, make use of the 'roa-set.
Expires' attribute to prevent machines from loading outdated roa-sets.
In RRDP, limit the number of deltas to 300 per repo. If more deltas.
Exist, downloading a full snapshot is faster.
Limit the validation depth of X509 certificate chains to 12, double.
The current depth seen in RPKI.
Rpki-client works on all operating systems with a libcrypto library.
Based on OpenSSL 1.1 or LibreSSL 3.3, and a libtls library compatible.
With LibreSSL 3.3 or later.
Rpki-client is known to compile and run on at least the following.
Operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat.
Rocky, Ubuntu, macOS, and of course OpenBSD!.
It is our h
7.228 Jul 2021 21:18
Use RRDP as default protocol for syncronizing the RPKI repository data, with rsync used as secondary. At startup, warn if the filesystem containing the cache directory is probably too small. 500 MB is the suggested minimum size. Handle running out of disk space more gracefully, including cleanup of temporary and old files before exiting. Improve the HTTP/1.1 request headers being sent. Improved validation checks for ROA and MFT objects.
7.118 May 2021 21:52
Add keep-alive support to the HTTP client code for RRDP. Reference-count and delete unused files synced via RRDP, as far as possible. In the JSON output, change the AS Number from a string ("AS123") to an integer ("123") to make processing of the output easier. Add an 'expires' column to CSV JSON output, based on certificate and CRL validity times. The 'expires' value can be used to avoid route selection based on stale data when generating VRP sets, when faced with loss of communication between consumer and valdiator, or validator and CA repository. Make the runtime timeout ("-s" option) also triggers in child processes. Improved RRDP support, upstream encourages testing of RRDP with the "-r" option so that RRDP can be enabled by default in a future release. In the portable version additionally: Improve support for older libressl versions (although the latest stable release is recommended). Add missing compat headers in release packages so they build on Alpine Linux and macOS.
7.015 Apr 2021 23:28
Added RRDP (The RPKI Repository Delta Protocol, RFC 8182) support as a 'technology preview'. To use it, the "-r" flag needs to be used. Support the use of more than one URI in the TAL file sorting with a preference for https. Validation of ghostbuster records (RFC 6493). Fixed checks of the manifest validity interval. The rsync connection is now killed when the rsync server stalls. Limited the URL embedded in .cer files to alphanumeric characters and punctuation. Added a "-V" option to show version. Included the default cert.pem file path in tls_load_file error messages. Use of the ibuf (imsg) API for data exchange between the rpki-client processes. In the portable version additionally: Emit all output formats, no need to choose with options. Changes to for using GitHub actions for automatic testing. The RRDP support requires HTTPS connections, necessitating a dependency for libtls from LibreSSL. Support for building rpki-client on Mac OS X. Added expat as an extra dependency, needed for RRDP support.
6.8p112 Nov 2020 20:33
Incorporate OpenBSD 6.8 errata 006 of November 10, 2020: rpki-client incorrectly checks the manifest validity interval. Add compat code for the LibreSSL ASN1_time_parse() and ASN1_time_tm_cmp() functions. Those are needed to properly check the validity of MFT files.
6.8p020 Oct 2020 21:07
Improve how repositories are downloaded: do not fetch symlinks and clean extraneous files in the repositories after download using the cryptographically signed RPKI manifest listings. Fix a bug where rpki-client could hang after calling rsync. Remove the -f option, no longer needed. Improved validation of the trust anchors. Add new option '-s timeout' to make rpki-client automatically terminate after a timeout (default 1 hour). This helps when rpki-client is run via cron to prevent a hanging process to cause problems. Portability improvements: Replace warnc() with warnx() + strerror(), replace b64_pton() with code using the libcrypto EVP_Decode* functionality, adjust for OpenSSL 1.1.x compatible use of the EVP_ENCODE_CTX struct.
6.7p130 Jul 2020 22:54
Incorrect use of "EVP_PKEY_cmp" allowed an authentication bypass.
6.7p019 May 2020 00:38
* Document the suggested interval for running rpki-client in man page.
* Always initialize cachedir and outputdir.
* Print statistics as comments at the top of the output files which can take comments, including the date and time when the files were produced, and runtime statistics when producing them.
* Improve log messages to clarify what's happening.
* Fix a bug where rpki-client would not properly wait for exiting rsync processes, causing rpki-client to hang.