top of page

rpki-client 8.5 released

rpki-client 8.5 has just been released and will be available in the

rpki-client directory of any OpenBSD mirror soon.

rpki-client is a FREE, easy-to-use implementation of the Resource

Public Key Infrastructure (RPKI) for Relying Parties (RP) to

facilitate validation of BGP announcements. The program queries the

global RPKI repository system and validates untrusted network inputs.

The program outputs validated ROA payloads, BGPsec Router keys, and

ASPA payloads in configuration formats suitable for OpenBGPD and BIRD,

and supports emitting CSV and JSON for consumption by other routing


See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix

Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio

Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit

as part of the OpenBSD Project.

This release includes the following changes to the previous release:

- ASPA support was updated to draft-ietf-sidrops-aspa-profile-16.

As part of supporting AFI-agnostic ASPAs, the JSON syntax for

Validated ASPA Payloads changed in both filemode and normal output.

- Support for gzip and deflate HTTP Content-Encoding compression was

added. This allows web servers to send RRDP XML in compressed form,

saving around 50% of bandwidth. Zlib was added as a dependency.

- File modification timestamps of objects retrieved via RRDP are now

deterministically set to prepare the on-disk cache for seamless

failovers from RRDP to RSYNC. See draft-ietf-sidrops-cms-signing-time

for more information.

- A 30%-50% performance improvement was achieved through libcrypto's

partial chains certificate validation feature. Already validated

non-inheriting CA certificates are now marked as trusted roots. This

way it can be ensured that a leaf's delegated resources are properly

covered, and at the same time most validation paths are significantly


- Improved detection of RRDP session desynchronization: a check was

added to compare whether the delta hashes associated to previously

seen serials are different in newly fetched notification files.

- Improved handling of RRDP deltas in which objects are published,

withdrawn, and published again.

- A check to disallow duplicate X.509 certificate extensions was added.

- A check to disallow empty sets of IP Addresses or AS numbers in RFC

3779 extensions was added.

- A compliance check for the proper X.509 Certificate version and CRL

version was added.

- A warning is printed when the CMS signing-time attribute in a Signed

Object is missing.

- Warnings about unrecoverable message digest mismatches now include the

manifestNumber to aid debugging the cause.

- A check was added to disallow multiple RRDP publish elements for the

same file in RRDP snapshots. If this error condition is encountered,

the RRDP transfer is failed and the RP falls back to rsync.

- A compliance check was added to ensure CMS Signed Objects contain

SignedData, in accordance to RFC 6488 section 3 checklist item 1a.

- Compliance checks were added for the version, KeyUsage, and

ExtendedKeyUsage of EE certificates in Manifest, TAK, and GBR Signed


- A CMS signing-time value being after the X.509 notAfter timestamp was

downgraded from an error to a warning.

- A bug was fixed in the handling of CA certificates which inherit IP


rpki-client works on all operating systems with a libcrypto library

based on OpenSSL 1.1 or LibreSSL 3.5, a libtls library compatible

with LibreSSL 3.5 or later, and zlib.

rpki-client is known to compile and run on at least the following

operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat,

Rocky, Ubuntu, macOS, and of course OpenBSD!

It is our hope that packagers take interest and help adapt

rpki-client-portable to more distributions.

The mirrors where rpki-client can be found are on

Reporting Bugs:


General bugs may be reported to

Portable bugs may be filed at

We welcome feedback and improvements from the broader community.

Thanks to all of the contributors who helped make this release


Assistance to coordinate security issues is available via

Recent Posts

See All

We have released OpenBGPD 8.1, which will be arriving in the OpenBGPD directory of your local OpenBSD mirror soon. This release includes the following changes to the previous release: Include OpenBSD

We have released OpenBGPD 8.0, which will be arriving in the OpenBGPD directory of your local OpenBSD mirror soon. This release includes the following changes to the previous release: Include OpenBSD

bottom of page