rpki-client 9.7 released

13 January, 2026 • by benno@openbsd.org
openbsd
rpki-client 9.7 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon. It is recommended
that all users upgrade to this version for improved reliability.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties to facilitate
validation of BGP announcements. The program queries the global RPKI
repository system and validates untrusted network inputs. The program
outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads
in configuration formats suitable for OpenBGPD and BIRD, and supports
emitting CSV and JSON for consumption by other routing stacks.

See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio Jeker,
Job Snijders, Theo Buehler, Theo de Raadt, and Sebastian Benoit as part
of the OpenBSD Project.

- The Canonical Cache Representation underwent a breaking change after the
  adoption of https://datatracker.ietf.org/doc/draft-ietf-sidrops-rpki-ccr/
  as a SIDROPS working group item. Apart from several CMS-related cosmetics,
  it now uses a IANA-assigned content type. As a result, rpki-client 9.7
  cannot parse rpki-client 9.6's .ccr files and vice versa.

- Support for Ghostbusters Record objects (RFC 6493) has been removed.
  Nobody showed interest in deploying this and there are other, widely
  supported ways of exchanging operational contact information such as
  RDAP. RFC 6493 is undergoing a status review to be marked as historic:
  https://datatracker.ietf.org/doc/status-change-rpki-ghostbusters-record-to-historic/

- Prepare the code base for the opaque ASN1_STRING structure in OpenSSL 4.

- Fixed two reliability issues: one where a malicious RPKI Certification
  Authority can trigger a crash, one where malicious Trust Anchor can
  provoke memory exhaustion. Thanks to Xie Yifan for reporting.

rpki-client works on all operating systems with a libcrypto library
based on OpenSSL 1.1 or LibreSSL 3.6, a libtls library compatible with
LibreSSL 3.6 or later, expat and zlib.

rpki-client is known to compile and run on at least the following
operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat,
Rocky, Ubuntu, macOS, and of course OpenBSD!

It is our hope that packagers take interest and help adapt
rpki-client-portable to more distributions.

The mirrors where rpki-client is available can be found on
https://www.rpki-client.org/portable.html

Reporting Bugs:
===============

General bugs may be reported to tech@openbsd.org

Portable bugs may be filed at
https://github.com/rpki-client/rpki-client-portable

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.

Assistance to coordinate security issues is available via
security@openbsd.org.