rpki-client 9.8 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon. It is recommended
that all users upgrade to this version for improved reliability.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties to facilitate
validation of BGP announcements. The program queries the global RPKI
repository system and validates untrusted network inputs. The program
outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads
in configuration formats suitable for OpenBGPD and BIRD, and supports
emitting CSV and JSON for consumption by other routing stacks.

See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio Jeker,
Job Snijders, Theo Buehler, Theo de Raadt, and Sebastian Benoit as part
of the OpenBSD Project.

This release includes the following changes to the previous release:

- Various refactoring for improved compatibility with various libcrypto
  implementations and in CA/BGPsec certificate handling.

- Fixed an accounting issue in HTTP gzip compression detection.

- Added a warning in extra verbose mode (-vv) about standards
  non-compliant Issuer and Subject ASN.1 string encodings.

- Added a check for canonical encoding of ASPA eContent in alignment
  with draft-ietf-sidrops-aspa-profile-22.

- Ensure that a repository timeout correctly stops repository
  processing. Thanks to Fedor Vompe from Deutsche Telekom for reporting.

- Fixed a defect in Canonical Cache Representation ROAIPAddressFamily
  sort order. As a result, rpki-client 9.8 cannot parse rpki-client
  9.7's .ccr files and vice versa. Thanks to Bart Bakker from RIPE NCC
  for reporting.

- Fixed an issue in the parser for the locally configured constraints.
  Thanks to Daniel Anderson.

- A malicious RRDP Publication Server can cause a NULL dereference.
  Thanks to Daniel Anderson for reporting.

- A malicious RPKI Publication Server can cause an incorrect error exit.
  Thanks to Yuheng Zhang, Qi Wang, Jianjun Chen from Tsinghua University,
  and Teatime Lab for reporting.

rpki-client works on all operating systems with a libcrypto library
based on OpenSSL 1.1 or later, LibreSSL 3.6, a libtls library compatible with
LibreSSL 3.6 or later, expat and zlib.

rpki-client is known to compile and run on at least the following
operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat,
Rocky, Ubuntu, macOS, and of course OpenBSD!

It is our hope that packagers take interest and help adapt
rpki-client-portable to more distributions.

The mirrors where rpki-client is available can be found on
https://www.rpki-client.org/portable.html

Reporting Bugs:
===============

General bugs may be reported to tech@openbsd.org

Portable bugs may be filed at
https://github.com/rpki-client/rpki-client-portable

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.

Assistance to coordinate security issues is available via
security@rpki-client.org.