deadsimple BSD Security Advisories and Announcements

rpki-client 8.0 released

rpki-client 8.0 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties (RP) to
facilitate validation of BGP announcements. The program queries the
global RPKI repository system and validates untrusted network inputs.
The program outputs validated ROA payloads, BGPsec Router keys, and
ASPA payloads in configuration formats suitable for OpenBGPD and BIRD,
and supports emitting CSV and JSON for consumption by other routing

See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio
Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit
as part of the OpenBSD Project.

This release includes the following changes to the previous release:

* Add suport for validating Autonomous System Provider Authorization
  (ASPA) objects conforming to draft-ietf-sidrops-aspa-profile-10.
  Validated ASPA payloads are visible in JSON and filemode (-f) output.
* Set rsync connection I/O idle timeout to 15 seconds.
* Unify the maximum idle I/O and connect timeouts for RSYNC & HTTPS.
* Rpki-client now performs stricter EE certificate validation:
    - Disallow AS Resources extensions in ROA EE certificates.
    - Disallow Subject Information Access (SIA) extensions in RPKI
      Signed Checklist (RSC) EE certs.
    - Check the resources in ROAs and RSCs against EE certs.
* Improve readability and add various information being printed in
  verbose mode.
* Extend filemode (-f) output and print X.509 certificates in PEM
  format when increased verbosity (-vv) is specified.
* Shorten the RRDP I/O idle timeout.
* Introduce a deadline timer that aborts all repository synchronization 
  after seven eights of timeout (-s). With this rpki-client has improved
  chances to complete and produce an output even when a CA is excessivly
* Abort a currently running RRDP request process when the per-repository
  timeout is reached.
* Permit multiple AccessDescription entries in SIA X.509 extensions. While
  fetching from secondary locations is not yet supported, rpki-client will
  not treat occurence as a fatal error.
* Resolve a potential for a race condition in non-atomic RRDP deltas.
* Fix some memory leaks.
* Improve compliance with the HTTP protocol specification.

rpki-client works on all operating systems with a libcrypto library
based on OpenSSL 1.1 or LibreSSL 3.5, and a libtls library compatible
with LibreSSL 3.5 or later.

rpki-client is known to compile and run on at least the following
operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat,
Rocky, Ubuntu, macOS, and of course OpenBSD!

It is our hope that packagers take interest and help adapt
rpki-client-portable to more distributions.

The mirrors where rpki-client can be found are on

Reporting Bugs:

General bugs may be reported to

Portable bugs may be filed at

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release

Assistance to coordinate security issues is available via