rpki-client 9.6 has just been released and will be available in the rpki-client directory of any OpenBSD mirror soon. It is recommended that all users upgrade to this version for improved reliability. rpki-client is a FREE, easy-to-use implementation of the Resource Public Key Infrastructure (RPKI) for Relying Parties to facilitate validation of BGP announcements. The program queries the global RPKI repository system and validates untrusted network inputs. The program outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads in configuration formats suitable for OpenBGPD and BIRD, and supports emitting CCR, CSV, and JSON for consumption by other routing stacks. See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix Origin Validation help secure the global Internet routing system. rpki-client was primarily developed by Theo Buehler, Job Snijders, Claudio Jeker, Kristaps Dzonsons, Theo de Raadt, and Sebastian Benoit as part of the OpenBSD Project. - The parser process now uses parallel threads for object validation. The new -p option can be used to adjust the number of threads. - Support for Canonical Cache Representation has been added. CCR is a new DER-encoded data interchange format to support audit trail keeping, validated payload dissemination, and analytics pipelines. https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-ccr - Certificate parsing and validation has been completely reworked. In particular, a more stringent set of compliance checks based on RFC 6487, RFC 8209, and RFC 8608 is imposed on end entity certificates. - Filemode is now able to detect most file types without recourse to the file name extension. - Experimental support for P-256 Trust Anchor keys was added. - Marshalling and unmarshalling of privsep messages was improved. - In verbose mode, warnings are emitted about uncompressed HTTP/RRDP transfers larger than one megabyte. Publication server operators are strongly encouraged to offer gzip compressed HTTP content-encoding, see draft-ietf-sidrops-publication-server-bcp, section 6.3. - As announced in the release notes for rpki-client 9.5, rpki-client 9.6 emits all key identifiers (AKI and SKI) encoded in JSON as bare hex strings without colons. - Fixed numerous minor issues flagged by the Coverity static analyzer. - Support for the OpenSSL 1.1 branch now requires at least OpenSSL 1.1.1w. This support will be removed in the course of 2026. rpki-client works on all operating systems with a libcrypto library based on OpenSSL 1.1 or LibreSSL 3.6, a libtls library compatible with LibreSSL 3.6 or later, expat and zlib. rpki-client is known to compile and run on at least the following operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat, Rocky, Ubuntu, macOS, and of course OpenBSD! It is our hope that packagers take interest and help adapt rpki-client-portable to more distributions. The mirrors where rpki-client is available can be found on https://www.rpki-client.org/portable.html Reporting Bugs: =============== General bugs may be reported to tech@openbsd.org Portable bugs may be filed at https://github.com/rpki-client/rpki-client-portable We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible. Assistance to coordinate security issues is available via security@openbsd.org.