• rpki-client 9.4 released

    From Sebastian Benoit@21:1/5 to All on Wed Jan 8 08:17:24 2025
    rpki-client 9.4 has just been released and will be available in the
    rpki-client directory of any OpenBSD mirror soon. It is recommended
    that all users upgrade to this version for improved reliability.

    rpki-client is a FREE, easy-to-use implementation of the Resource
    Public Key Infrastructure (RPKI) for Relying Parties to facilitate
    validation of BGP announcements. The program queries the global RPKI
    repository system and validates untrusted network inputs. The program
    outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads
    in configuration formats suitable for OpenBGPD and BIRD, and supports
    emitting CSV and JSON for consumption by other routing stacks.

    See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
    Origin Validation help secure the global Internet routing system.

    rpki-client was primarily developed by Kristaps Dzonsons, Claudio
    Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit
    as part of the OpenBSD Project.

    This release includes the following changes to the previous release:

    - rpki-client 9.4 will gradually stop accepting ultra long-lived TA
    certificates. The utility now warns about TA certificates with an
    expiry date more than 15 years into the future. After February 2nd,
    2026, such certificates will be rejected, and from March 3rd 2027
    onwards, TA certificates with a validity period exceeding 3 years will
    be rejected. This is done to encourage reasonably frequent reissuance
    of TA certificates and ensures that changes in the SubjectInfoAccess
    and Internet Number Resources are propagated to the entire ecosystem.
    It also strengthens the mitigations for TA replay attacks introduced
    via the TA tie breaking mechanism. For further background see:
    https://mailarchive.ietf.org/arch/msg/sidrops/-Y5NfXnGfDbeGOCAFj5xHgU90Zo/
    https://datatracker.ietf.org/doc/draft-ietf-sidrops-rpki-ta-tiebreaker/

    - The generated BIRD config file was reworked. BIRD versions 1.x are no
    longer supported and the -T option to customize the ROA table name was
    removed. The config file now includes the ASPA-set by default and is
    therefore only compatible with BIRD 2.16 and later. If compatibility
    with older BIRD versions is required, the ASPA-set can be excluded
    with the -A flag. Operators should delete any remaining bird1v4 and
    bird1v6 output files.

    - Validated ROA payloads from AS0 TALs are by default excluded from the
    output files as they are not recommended for automatic filtering of
    BGP routes. This precaution can be overridden with the new -0 flag.

    - Various improvements to the ibuf API, including a new reader API
    which is used to make all message parsing in rpki-client memory safe.

    - Warn about gaps in manifest issuance. Such gaps can appear for example
    if rpki-client isn't run frequently enough, if there are issues with
    an RFC 8181 publication server or if there is an operational error on
    the side of the CA.

    - Work around a backward compatibility break accidentally introduced
    in OpenSSL 3.4.0, which resulted in all RPKI signed objects being
    rejected. Earlier and later versions of OpenSSL are not affected.

    - Improved validity period checking in file mode. The product's lifetime
    and the expiration time of the signature path are now taken into
    account.

    - Better cleanup in case of a fallback from RRDP to RSYNC. In rare
    circumstances, files were moved to the wrong place in the cache.
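    The TA certificate lifetime schedule from the first item above, written out as an added C example so an operator can see how a given TA certificate's validity window would fare on a given day. This is not rpki-client's own code; the threshold dates come from the announcement, while the verdict names, the calendar-tuple date handling and the treatment of February 2nd 2026 as exclusive and March 3rd 2027 as inclusive are assumptions.

```c
#include <stdbool.h>

/* Added example modelling the rpki-client 9.4 TA lifetime schedule.
 * Not rpki-client's code. Dates are plain calendar tuples compared
 * lexicographically, so no time zone or epoch arithmetic is involved. */
struct ymd { int y, m, d; };

enum ta_verdict { TA_ACCEPT, TA_WARN, TA_REJECT };

/* Compare two calendar dates: negative, zero or positive like strcmp. */
static int ymd_cmp(struct ymd a, struct ymd b)
{
	if (a.y != b.y) return a.y - b.y;
	if (a.m != b.m) return a.m - b.m;
	return a.d - b.d;
}

/* Shift a date by whole years; month and day are kept as they are. */
static struct ymd ymd_add_years(struct ymd a, int years)
{
	a.y += years;
	return a;
}

/* Judge a TA certificate's notBefore..notAfter window as of "today". */
enum ta_verdict ta_lifetime_check(struct ymd today, struct ymd notbefore,
    struct ymd notafter)
{
	/* Threshold dates as stated in the announcement. */
	const struct ymd reject_15y_from = { 2026, 2, 2 };
	const struct ymd reject_3y_from  = { 2027, 3, 3 };
	/* Expiry more than 15 years into the future (assumed: from today). */
	bool too_far = ymd_cmp(notafter, ymd_add_years(today, 15)) > 0;
	/* Validity period exceeding 3 years. */
	bool too_long = ymd_cmp(notafter, ymd_add_years(notbefore, 3)) > 0;

	/* From March 3rd 2027 onwards (inclusive, assumed). */
	if (ymd_cmp(today, reject_3y_from) >= 0 && too_long)
		return TA_REJECT;
	/* After February 2nd 2026 (exclusive, assumed). */
	if (ymd_cmp(today, reject_15y_from) > 0 && too_far)
		return TA_REJECT;
	/* Until then the 15-year case is only a warning. */
	if (too_far)
		return TA_WARN;
	return TA_ACCEPT;
}
```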

    rpki-client works on all operating systems with a libcrypto library
    based on OpenSSL 1.1 or LibreSSL 3.6, a libtls library compatible with
    LibreSSL 3.6 or later, expat and zlib.

    rpki-client is known to compile and run on at least the following
    operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat,
    Rocky, Ubuntu, macOS, and of course OpenBSD!

    It is our hope that packagers take interest and help adapt
    rpki-client-portable to more distributions.

    The mirrors where rpki-client is available can be found on https://www.rpki-client.org/portable.html

    Reporting Bugs:
    ===============

    General bugs may be reported to [email protected]

    Portable bugs may be filed at https://github.com/rpki-client/rpki-client-portable

    We welcome feedback and improvements from the broader community.
    Thanks to all of the contributors who helped make this release
    possible.

    Assistance to coordinate security issues is available via
    [email protected].
