rpki-client / rpki-client-portable
Portability shim for OpenBSD's rpki-client
Home Page: https://rpki-client.org
License: ISC License
When syncing on a new install, a number of repos are failing.
rsync: failed to connect to rpki.admin.freerangecloud.com (206.83.8.10): Connection refused (111)
rsync: failed to connect to rpki.admin.freerangecloud.com (2a0f:9400::10): Network is unreachable (101)
rsync error: error in socket IO (code 10) at clientserver.c(127) [Receiver=3.1.3]
rpki-client: rsync rsync://rpki.admin.freerangecloud.com/repo failed
rpki-client: rpki.admin.freerangecloud.com/repo/FRC-CA/2/5D35939557110CC43429AE301F7CEF0E5889942B.mft: No such file or directory
rpki-client: rpki.cnnic.cn/rpki/A9162E3D0000/73/CfUv1bVUg5EXd8PcpEpl08lfhYA.mft: No such file or directory
rpki-client: rpki.cnnic.cn/rpki/A9162E3D0000/643/PgsdlIaQ7Nxy4-Rg5eY-3pU8JOg.mft: No such file or directory
rpki-client: rpki.cnnic.cn/rpki/A9162E3D0000/423/Xb2Ek-hXQR0lkZ2GO7t9n_zfQCY.mft: No such file or directory
rpki-client: rpki.cnnic.cn/rpki/A9162E3D0000/2564/AnmNftzNSoJtCq5V0ivwHr_IVVI.roa: certificate revoked
rpki-client: rpki.cnnic.cn/rpki/A9162E3D0000/2564/WKekqyaWF89H6rKKH9ZgO10Ojw0.roa: certificate revoked
rpki-client: rpki.cnnic.cn/rpki/A9162E3D0000/577/Bnno7GYZdNImrE2NgOtA7VopH8Q.roa: certificate revoked
rpki-client: rpki.cnnic.cn/rpki/A9162E3D0000/577/HYSK6j9Pm4k6HObs3ehVIuOsemE.roa: certificate revoked
rpki-client: rpki.cnnic.cn/rpki/A9162E3D0000/577/JBqQNzyD7FX-A-kfxLTc29DLKUk.roa: certificate revoked
rpki-client: rpki-repo.registro.br/repo/FMn2RzF1dWSDso9K5bc7e9pWQxGMSSZ8LBGGfETtysRb/0/765A933C6C72EE2FEB3E9CD5814A88CEC6E9EDC2.mft: mft expired on Oct 8 06:00:00 2020 GMT
rpki-client: rpki-repo.registro.br/repo/Gva1RNWLQZKX2mKGX3ABNzDf2GUEmHtudn8iaAwPJ59b/0/59D5CE263BFC184A853E43C720B032327746D3F2.mft: mft expired on Oct 7 06:00:00 2020 GMT
rpki-client: rpki-repo.registro.br/repo/7MDsxHLp73maFuum97qTwY4sCSEve8jVP9X59WE1Czro/0/B585900CF5CFE343A114731C2BC86CDB52565A36.mft: mft expired on Oct 7 00:00:00 2020 GMT
rpki-client: rpki-repo.registro.br/repo/6tSMwGvMYudeQGttkP1cDt5DQGPrSgkBvhwYzfFwsvvD/0/24AE5DB2E35C9E374F3103B44A7914C203A9494F.mft: mft expired on Oct 4 12:00:00 2020 GMT
rpki-client: rpki.admin.freerangecloud.com/repo/FRC-CA/0/C8935FDCA5028AE8209FEC82AD8AE8CFB7C6E776.mft: No such file or directory
rsync: safe_read failed to read 1 bytes [Receiver]: Connection reset by peer (104)
rsync error: error in rsync protocol data stream (code 12) at io.c(276) [Receiver=3.1.3]
rpki-client: rsync rsync://rpki-ca.idnic.net/repo failed
rpki-client: rpki.admin.freerangecloud.com/repo/FRC-CA/1/DC9B0FC0FAE1CB3BD28B9D01AAFC3563FDA951DA.mft: No such file or directory
rpki-client: rpki-ca.idnic.net/repo/IDNIC-ID/1/C5E33A13006F4F97F48DD65B504E99749247F589.mft: No such file or directory
rpki-client: rpki-ca.idnic.net/repo/IDNIC-ID/0/38DC96F54A3D191028A636E98EE068E4AE207D76.mft: No such file or directory
rpki-client: rpki-ca.idnic.net/repo/IDNIC-ID/2/47C3384A753C3CB1369BF24D2BEAB816059D46C3.mft: No such file or directory
rpki-client: rpkica.mckay.com/rpki/MCnet/Jp4Tjp_GB5I1RfeaOGhKZNlDmAQ.mft: mft expired on Aug 26 11:03:34 2020 GMT
rpki-client: rpkica.mckay.com/rpki/MCnet/UEh2SAvdIgPsUFdv92RSSaNqBnY.mft: No such file or directory
This is showing a small, but significant, difference in ROAs compared to Routinator 3000. Is there an issue with the TAL files?
Validator: #IPv4/IPv6 records
Routinator 3000: 23:55:54 158440/27070
rpki-client: 156690/26644
My unrelated documentation-only commit 32b8c63 led to a GitHub Action failure:
/usr/bin/ld: rpki_client-http.o: in function `http_handle':
http.c:(.text+0x13aa): undefined reference to `inflate'
/usr/bin/ld: http.c:(.text+0x19a6): undefined reference to `inflateReset'
/usr/bin/ld: http.c:(.text+0x19b8): undefined reference to `inflateEnd'
/usr/bin/ld: rpki_client-http.o: in function `http_free':
http.c:(.text+0x1f87): undefined reference to `inflateEnd'
/usr/bin/ld: rpki_client-http.o: in function `http_read':
http.c:(.text+0x2a9a): undefined reference to `inflateInit2_'
/usr/bin/ld: rpki_client-http.o: in function `http_done':
http.c:(.text+0x4113): undefined reference to `inflateReset'
/usr/bin/ld: http.c:(.text+0x4125): undefined reference to `inflateEnd'
clang: error: linker command failed with exit code 1 (use -v to see invocation)
Looks like zlib is a new dependency and should make it into configure etc.?
can use better documentation on how to interpret the metrics
Our nightly GitHub Action for the container image failed with:
/usr/lib/gcc/x86_64-alpine-linux-musl/10.2.1/../../../../x86_64-alpine-linux-musl/bin/ld: rpki_client-rsync.o: in function `proc_rsync':
/tmp/rpki-client-portable/src/rsync.c:330: undefined reference to `mkpath'
environment: debian bullseye, linux 5.9.0
./build_libtls.sh was run successfully before building rpki-client-portable
the thing hangs here:
$ sudo ./src/rpki-client -r -t /etc/tals/afrinic.tal -v
rpki-client: ta/afrinic: pulling from https://rpki.afrinic.net/repository/AfriNIC.cer
rpki-client: ta/afrinic: loaded from network
rpki-client: https://rrdp.afrinic.net/notification.xml: pulling from network
^C
it appears it is stuck in some kind of poll() related loop, strace shows
[pid 2171457] poll([{fd=5, events=POLLIN}, {fd=6, events=POLLIN}], 2, -1) = 1 ([{fd=6, revents=POLLHUP}])
[pid 2171457] poll([{fd=5, events=POLLIN}, {fd=6, events=POLLIN}], 2, -1) = 1 ([{fd=6, revents=POLLHUP}])
[pid 2171457] poll([{fd=5, events=POLLIN}, {fd=6, events=POLLIN}], 2, -1) = 1 ([{fd=6, revents=POLLHUP}])
[pid 2171457] poll([{fd=5, events=POLLIN}, {fd=6, events=POLLIN}], 2, -1) = 1 ([{fd=6, revents=POLLHUP}])
@robert-scheck saw the same on red hat / fedora
After the commit in response to my issue and the installation of LibreSSL-portable, I could now run autogen and configure. But when I run make, a new error occurs:
http.c:61:10: fatal error: vis.h: No such file or directory
#include <vis.h>
^~~~~~~
I have tried to install vis, but nothing seems to work.
Do you see any chance to upload the public key of RSA key B5B6416FEA6DDA05EA562A9FCB987F2783972FF9, being used for signing rpki-client release tarballs, to keys.openpgp.org? This would allow Fedora to switch from the current binary GnuPG output blob (manually created) to the ASCII format provided there.
Having conferred with Job off line he thought it would be worth at least a report so here it is.
On a Debian 10.x stable x86 64-bit system with OpenSSL, building the 6.7p1 release tarball resulted in some messages I thought you'd want to at least know about if you didn't already in the hope that this may help clean up any lingering issues going forward.
Only other unrelated, minor thing I didn't see mentioned was that /usr/local/var/cache/rpki-client needs to be set up with the default build and instantiation before rpki-client can be successfully run.
Everything otherwise builds successfully and is functional. Happy to provide more information if needed.
rpki-client-portable-6.7p1$ make
[...]
Making all in include
make[1]: Entering directory '/home/jtk/dl/rpki-client-portable-6.7p1/include'
make[1]: Nothing to be done for 'all'.
make[1]: Leaving directory '/home/jtk/dl/rpki-client-portable-6.7p1/include'
Making all in compat
make[1]: Entering directory '/home/jtk/dl/rpki-client-portable-6.7p1/compat'
CC recallocarray.lo
recallocarray.c: In function ‘recallocarray’:
recallocarray.c:60:28: warning: comparison of integer expressions of different signedness: ‘size_t’ {aka ‘long unsigned int’} and ‘int’ [-Wsign-compare]
if (d < oldsize / 2 && d < getpagesize()) {
CC strlcat.lo
CC strlcpy.lo
[...]
CCLD libcompat.la
ar: `u' modifier ignored since `D' is the default (see `U')
CCLD libcompatnoopt.la
ar: `u' modifier ignored since `D' is the default (see `U')
make[1]: Leaving directory '/home/jtk/dl/rpki-client-portable-6.7p1/compat'
Making all in src
make[1]: Entering directory '/home/jtk/dl/rpki-client-portable-6.7p1/src'
Our nightly GitHub Action for the container image fails since yesterday with:
#34 16.10 Copying rrdp_notification.c
#34 16.11 Copying rrdp_snapshot.c
#34 16.11 Copying rrdp_util.c
#34 16.12 Copying rsync.c
#34 16.12 Copying tal.c
#34 16.12 Copying validate.c
#34 16.12 Copying version.h
#34 16.13 Copying x509.c
#34 16.14 Applying patch patches/0001-Allow-overriding-default-user-and-file-locations.patch
#34 16.15 1 out of 6 hunks FAILED -- saving rejects to file main.c.rej
After running rpki-client, I discovered that most ROAs are about to expire in the next 1-2 days. Actually, the longest-living ROA will expire in six days. Is that actually the case, or is something wrong?
I end up like this on Alpine 3.14 using the rpki-client 7.3 release (but it works e.g. at Fedora 34):
/ # rpki-client -vvv
rpki-client: ta/apnic: pulling from https://rpki.apnic.net/repository/apnic-rpki-root-iana-origin.cer
rpki-client: ta/afrinic: pulling from https://rpki.afrinic.net/repository/AfriNIC.cer
rpki-client: ta/lacnic: pulling from https://rrdp.lacnic.net/ta/rta-lacnic-rpki.cer
rpki-client: ta/ripe: pulling from https://rpki.ripe.net/ta/ripe-ncc-ta.cer
rpki-client: poll[2]: bad fd
/ # rpki-client -V
rpki-client-portable 7.3
/ #
P.S.: The 7.2 release works fine on Alpine 3.14.
This blurb needs to move up a bit, inside the if (outputdir != NULL) { stanza. Right now we are not generating all formats in portable, it seems.
Currently the check at https://github.com/rpki-client/rpki-client-portable/blob/master/configure.ac#L206 throws a WimplicitFunctionDeclaration for the _exit function given that it does not include unistd.h. Currently the MacPorts install process throws a warning for this.
I propose changing this check to also include unistd.h. For more information see https://trac-test.macports.org/wiki/WimplicitFunctionDeclaration
Our nightly GitHub Action for the container image failed with:
#37 110.1 libtool: link: cc -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wshadow -Wpointer-arith -Wsign-compare -Werror-implicit-function-declaration -Wno-pointer-sign "-DRPKI_PATH_TAL_DIR=\"/etc/tals\"" "-DRPKI_PATH_BASE_DIR=\"/var/cache/rpki-client\"" "-DRPKI_PATH_OUT_DIR=\"/var/lib/rpki-client\"" -g -O2 -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_GNU_SOURCE -o rpki-client rpki_client-as.o rpki_client-cert.o rpki_client-cms.o rpki_client-crl.o rpki_client-gbr.o rpki_client-io.o rpki_client-ip.o rpki_client-log.o rpki_client-main.o rpki_client-mft.o rpki_client-mkdir.o rpki_client-output.o rpki_client-output-bgpd.o rpki_client-output-bird.o rpki_client-output-csv.o rpki_client-output-json.o rpki_client-parser.o rpki_client-roa.o rpki_client-rsync.o rpki_client-tal.o rpki_client-validate.o rpki_client-x509.o ../compat/.libs/libcompat.a ../compat/.libs/libcompatnoopt.a -lcrypto -lfts
#37 110.4 /usr/lib/gcc/x86_64-alpine-linux-musl/10.2.1/../../../../x86_64-alpine-linux-musl/bin/ld: rpki_client-main.o: in function `main':
#37 110.4 /tmp/rpki-client-portable/src/main.c:1064: undefined reference to `proc_http'
#37 110.5 collect2: error: ld returned 1 exit status
Our nightly GitHub Action for the container image fails since yesterday with:
#34 22.69 Applying patch patches/0001-Allow-overriding-default-user-and-file-locations.patch
#34 22.70 Applying patch patches/0002-Apply-placeholders-for-portability-shim.patch
#34 22.70 2 out of 5 hunks FAILED -- saving rejects to file rpki-client.8.rej
Trying to build rpki-client 6.7p1 for Alpine Linux leads to:
main.c: In function 'proc_rsync':
main.c:652:26: error: 'WAIT_ANY' undeclared (first use in this function)
652 | while ((pid = waitpid(WAIT_ANY, &st, WNOHANG)) > 0) {
| ^~~~~~~~
main.c:652:26: note: each undeclared identifier is reported only once for each function it appears in
According to https://git.alpinelinux.org/aports/tree/main/openvswitch/0002-fix-wait-any.patch?id=37504e4898503d315252c439ab6bb250a198d2e2, this can be solved by putting
#ifndef WAIT_ANY
#define WAIT_ANY (-1)
#endif
into the code. However, then the build fails like this:
tal.c: In function 'tal_parse_buffer':
tal.c:113:15: error: implicit declaration of function 'b64_pton' [-Werror=implicit-function-declaration]
113 | if ((b64sz = b64_pton(buf, b64, sz)) < 0)
| ^~~~~~~~
cc1: some warnings being treated as errors
Or, when adding -Wno-error=implicit-function-declaration, like this:
/usr/lib/gcc/x86_64-alpine-linux-musl/9.3.0/../../../../x86_64-alpine-linux-musl/bin/ld: rpki_client-tal.o: in function `tal_parse_buffer':
tal.c:(.text+0x33b): undefined reference to `b64_pton'
collect2: error: ld returned 1 exit status
And yes, ./configure made this assuming already:
…
checking for library containing __b64_pton... no
checking for __b64_pton... no
…
Is there a specific reason that COPYING and LICENSE file (with same content) are in Git? Isn't a single COPYING like in the 6.6p2 release enough?
With 8.0 we are having connectivity issues making rpki-client not functional anymore. We are behind a company proxy with a dockerized version of rpki-client-portable 8.0. I tried to narrow it down a bit:
Some RPKI logging:
user@hostname:~/etc/rpki$ sudo docker exec -ti <containerid> sh
/ # rpki-client -v -t /etc/tals/afrinic.tal
rpki-client: ta/afrinic: pulling from https://rpki.afrinic.net/repository/AfriNIC.cer
rpki-client: ta/afrinic: loaded from network
rpki-client: https://rrdp.afrinic.net/notification.xml: pulling from network
rpki-client: https://rrdp.afrinic.net/notification.xml: connect: Connection refused
rpki-client: https://rrdp.afrinic.net/notification.xml: load from network failed, fallback to rsync
rpki-client: .rsync/rpki.afrinic.net/repository: pulling from rsync://rpki.afrinic.net/repository
ERROR: rejecting unrequested file-list name: 04E8B0D80F4D11E0B657D8931367AE7D
rsync error: protocol incompatibility (code 2) at flist.c(998) [Receiver=3.2.4]
rpki-client: rsync rsync://rpki.afrinic.net/repository failed
rpki-client: .rsync/rpki.afrinic.net/repository: load from network failed, fallback to cache
rpki-client: rpki.afrinic.net/repository/04E8B0D80F4D11E0B657D8931367AE7D/62gPOPXWxxu0sQa4vQZYUBLaMbY.mft: no valid mft available
rpki-client: all files parsed: generating output
Processing time 2 seconds (0 seconds user, 0 seconds system)
Skiplist entries: 0
Route Origin Authorizations: 0 (0 failed parse, 0 invalid)
AS Provider Attestations: 0 (0 failed parse, 0 invalid)
BGPsec Router Certificates: 0
Certificates: 1 (0 invalid)
Trust Anchor Locators: 1 (0 invalid)
Manifests: 1 (1 failed parse, 0 stale)
Certificate revocation lists: 0
Ghostbuster records: 0
Repositories: 2
Cleanup: removed 0 files, 3 directories, 0 superfluous
VRP Entries: 0 (0 unique)
VAP Entries: 0 (0 unique)
/ # rpki-client -V
rpki-client-portable 8.0
With an intermediate proxy, we were able to get logging, this is from the same session as above:
CONNECT Oct 18 08:25:13.324 [1]: Connect (file descriptor 4): 127.0.0.1
CONNECT Oct 18 08:25:13.325 [1]: Request (file descriptor 4): CONNECT rpki.afrinic.net:443 HTTP/1.1
INFO Oct 18 08:25:13.325 [1]: Found upstream proxy http 172.16.154.2:8080 for rpki.afrinic.net
INFO Oct 18 08:25:13.325 [1]: opensock: opening connection to 172.16.154.2:8080
INFO Oct 18 08:25:13.325 [1]: opensock: getaddrinfo returned for 172.16.154.2:8080
CONNECT Oct 18 08:25:13.327 [1]: Established connection to upstream proxy "172.16.154.2" using file descriptor 5.
CONNECT Oct 18 08:25:14.151 [1]: Connect (file descriptor 6): 127.0.0.1
CONNECT Oct 18 08:25:14.151 [1]: Request (file descriptor 6): CONNECT rpki.afrinic.net:873 HTTP/1.0
INFO Oct 18 08:25:14.151 [1]: Found upstream proxy http 172.16.154.2:8080 for rpki.afrinic.net
INFO Oct 18 08:25:14.151 [1]: opensock: opening connection to 172.16.154.2:8080
INFO Oct 18 08:25:14.151 [1]: opensock: getaddrinfo returned for 172.16.154.2:8080
CONNECT Oct 18 08:25:14.154 [1]: Established connection to upstream proxy "172.16.154.2" using file descriptor 7.
INFO Oct 18 08:25:15.311 [1]: Closed connection between local client (fd:6) and remote client (fd:7)
INFO Oct 18 08:25:15.315 [1]: Closed connection between local client (fd:4) and remote client (fd:5)
As far as I can tell, the RRDP sessions or notification requests do not use the proxy anymore, while the TA seems to download fine. Rsync seems to fail as well, but that seems to be a known bug of rsync. The combination of these bugs makes rpki-client-portable 8.0 unusable for us.
Hi,
I need to generate RPSL output and I have made some small modification to the file output-csv.c to do just that. I have not made any modification in the rest of the source files needed to - for example - take an additional command line option.
Is it possible to have this feature integrated into the source? Perhaps better that I apply the patch after new releases.
br
/mm
Today, RIPE NCC Academy made me aware that there recently was a change to management of the Trust Anchor Locator (TAL) for ARIN’s RPKI service:
Users are no longer required to sign the ARIN Relying Party Agreement to redistribute information from ARIN’s Online Resource Certification PKI (“ORCP”) in a machine readable format for network routing purposes. We are making this modification in response to feedback from the Internet community and in the hope that it will accelerate RPKI deployment in the ARIN region. We ask that developers of Relying Party software include the ARIN TAL in future releases. We encourage all participants in the RPKI community to download the ARIN TAL and add it to existing validator deployments where previously it has not been included.
Is there anything that prevents from including ARIN TAL to https://github.com/rpki-client/rpki-client-openbsd/tree/master/src/etc/rpki – or could this just take place before the next release?
Hello,
Yesterday and this morning, I tried to reinstall rpki-client-portable. While executing the autogen.sh script, a failure occurred.
This is the output of the execution:
Bereits auf 'master'
Ihr Branch ist auf demselben Stand wie 'origin/master'.
Bereits aktuell.
Aktueller Branch master ist auf dem neuesten Stand.
copying tal
copying includes
Copying as.c
Copying cert.c
Copying cms.c
Copying crl.c
Copying extern.h
Copying gbr.c
Copying http.c
Copying io.c
Copying ip.c
Copying log.c
Copying main.c
Copying mft.c
Copying mkdir.c
Copying output-bgpd.c
Copying output-bird.c
Copying output-csv.c
Copying output-json.c
Copying output.c
Copying parser.c
Copying roa.c
Copying rpki-client.8
Copying rsync.c
Copying tal.c
Copying validate.c
Copying x509.c
Applying patch patches/0001-Allow-overriding-default-user-and-file-locations.patch
1 out of 5 hunks FAILED -- saving rejects to file main.c.rej
And the content of main.c.rej is:
--- main.c
+++ main.c
@@ -761,7 +761,7 @@ main(int argc, char *argv[])
struct msgbuf procq, rsyncq;
struct pollfd pfd[2];
struct roa **out = NULL;
- char *rsync_prog = "openrsync";
+ char *rsync_prog = RPKI_RSYNC_CMD;
char *bind_addr = NULL;
const char *cachedir = NULL, *errs;
const char *tals[TALSZ_MAX];
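Review bot: RPKI_RSYNC_CMD in the rsync_prog initializer is not defined anywhere in this hunk, so compilation depends on a definition supplied elsewhere (a header or a -D flag); wrap a default in an #ifndef RPKI_RSYNC_CMD guard so a missing definition does not break the build. Separately, rsync_prog is a plain char * initialized from a string constant, while cachedir two lines below is const char *; declaring rsync_prog const as well would catch accidental writes, provided nothing later needs a mutable pointer.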
I tried to change it manually, but by executing the script, it is changed back.
As of writing, rpki-client.8 says:
rpki-client should be run hourly by cron(8) […]
Based on Timing Parameters in the RPKI based Route Origin Validation Supply Chain and Re: [Sidrops] I-D Action: draft-ietf-sidrops-prefer-rrdp-00.txt, this phrase should be somehow updated, I assume?
rpki-client records a line like this when an out-of-TAL reference is removed from a repository fetch:
rpki-client: deleted nostromo.heficed.net/repo/1123721/0/34352e38382e39362e302f32322d3234203d3e203631333137.roa
If this said something like resources not under TAL it would be clearer why this object is being rejected, which would aid in debugging an otherwise valid TAL.
With self-hosting and self-publication, it is increasingly likely people will run repositories which lie under more than one TAL, and so any TAL-specific rejection will need to be contextually understood. It's not a problem in the way a malformed MFT, a bad ROA, or an overclaim would be.
Our nightly GitHub Action for the container image fails since today with:
#37 23.17 Copying rsync.c
#37 23.18 Copying tak.c
#37 23.18 Copying tal.c
#37 23.20 Copying validate.c
#37 23.20 Copying version.h
#37 23.21 Copying x509.c
#37 23.22 Applying patch patches/0001-Allow-overriding-default-user-and-file-locations.patch
#37 23.24 Applying patch patches/0002-Apply-placeholders-for-portability-shim.patch
#37 23.25 Applying patch patches/0003-Emit-all-output-formats-on-non-OpenBSD-systems.patch
#37 23.26 1 out of 1 hunk FAILED -- saving rejects to file rpki-client.8.rej
Looks like rpki-client/rpki-client-openbsd@697cb25 causes this.
Release link on website throws 404 (rpki-client-7.9.txt)
GitHub changelog has a typo saying it's 7.6 instead of 7.9 -- sent pull to fix
This is a Mac OSX Big Sur build of the client code.
ggm@ggm-802382 rpki-client % /usr/local/sbin/rpki-client -B -c -j -o -v
rpki-client: ta/apnic: pulling from https://rpki.apnic.net/repository/apnic-rpki-root-iana-origin.cer
rpki-client: https://rpki.apnic.net/repository/apnic-rpki-root-iana-origin.cer: server closed connection
rpki-client: ta/apnic: load from network failed, retry
rpki-client: ta/apnic: pulling from rsync://rpki.apnic.net/repository/apnic-rpki-root-iana-origin.cer
rpki-client: ta/apnic: loaded from network
curl -v on the same url:
ggm@ggm-802382 rpki-client % curl -v -o /tmp/apnic.cer -L https://rpki.apnic.net/repository/apnic-rpki-root-iana-origin.cer
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 2001:dd8:9:2::101:18...
* TCP_NODELAY set
* Connected to rpki.apnic.net (2001:dd8:9:2::101:18) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [228 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [87 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2714 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [589 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=rpki.apnic.net
* start date: Mar 24 02:46:43 2021 GMT
* expire date: Jun 22 02:46:43 2021 GMT
* subjectAltName: host "rpki.apnic.net" matched cert's "rpki.apnic.net"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
> GET /repository/apnic-rpki-root-iana-origin.cer HTTP/1.1
> Host: rpki.apnic.net
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 15 Apr 2021 00:49:38 GMT
< Server: Apache/2.2.15 (CentOS)
< Last-Modified: Wed, 26 Aug 2020 01:30:38 GMT
< ETag: "613ef-4bb-5adbdc456cb80"
< Accept-Ranges: bytes
< Content-Length: 1211
< Set-Cookie: Persistence-Token=!YgLdXj2lHoDXBrUWwXnSi27bn6LXmBdtzMP2k77kfNo5UxkmuJh0MZsr0ID88slIiXqq4melz+nZBKeyt4yU7Mv/Uw6xBzIyeK7anREi; path=/; Httponly; Secure
< Vary: Accept-Encoding
<
{ [1211 bytes data]
100 1211 100 1211 0 0 23745 0 --:--:-- --:--:-- --:--:-- 23745
* Connection #0 to host rpki.apnic.net left intact
* Closing connection 0
ggm@ggm-802382 rpki-client % ls -ltr /tmp/apnic.cer
-rw-r--r-- 1 ggm wheel 1211 15 Apr 10:49 /tmp/apnic.cer
ggm@ggm-802382 rpki-client %
the git log: (to show the version I am on)
commit 316298269a71e2e69191f14a046bf4c1f2ec9d61 (HEAD -> master, origin/master, origin/HEAD)
Author: Claudio Jeker <[email protected]>
Date: Wed Apr 14 20:50:59 2021 +0200
Adjust repo to work after the addition of version.h
git log of the openBSD code included by autogen.sh:
commit be3e2a68f6769ad25bb31321e1dd82c7cbe57f2a (HEAD -> master, origin/master, origin/HEAD)
Author: benno <>
Date: Wed Apr 14 18:05:47 2021 +0000
move the RPKI_VERSION define into its own version.h file, helps portable.
ok claudio@
Our nightly GitHub Action for the container image fails since yesterday with:
86.51 85 | } ASN1_SEQUENCE_END(Manifest);
86.51 | ^~~~~~~~
86.63 mft.c: In function 'mft_parse_filehash':
86.64 mft.c:264:27: error: implicit declaration of function 'arc4random_uniform' [-Werror=implicit-function-declaration]
86.64 264 | new_idx = arc4random_uniform(p->res->filesz + 1);
86.64 | ^~~~~~~~~~~~~~~~~~
87.23 cc1: some warnings being treated as errors
87.23 make[1]: *** [Makefile:792: rpki_client-mft.o] Error 1
Hi, I am using rpki-client to download ROAs to a cache dir using the -d option. Lately, I ran into an issue due to the missing ARIN TAL. I can download the ARIN ROAs by providing the ARIN TAL with a -t and I also see the certificate in the ta folder in the cache dir. So this works as expected:
rpki-client -d /path/to/cache [-t /tal/files]
However, in the next step, I am validating the ROAs in the cache dir and it seems like the certificate in the ta folder is ignored. To make it explicit I run:
rpki-client -j -n -d /path/to/cache -P timestamp -f /roa/in/cache
I have also tried to pass the TAL as a -t to the validation command above but in both cases all the ARIN ROAs have the same error:
"validation": "Failed",
"error": "unable to get local issuer certificate"
I would have expected rpki-client to use the certificates in the ta folder if a cache dir is provided and it contains a ta folder with certificates. If there is another way or I misunderstood something it would be great to know the correct way to deal with this. I guess moving the ARIN to the /etc/rpki/ folder on the user's system would be a possible fix but I would prefer it if I could keep the data used self-contained (all in the cache dir) and make it explicit where the file is that is used, just like I do with -t.
FWIW, the project is Kartograf and the file that contains the rpki-client usage is here: https://github.com/fjahr/kartograf/blob/master/kartograf/rpki/fetch.py
Thanks a lot!
IDNIC is proving unreliable on IPv6:
rpki-client: https://repo-rpki.idnic.net/rrdp/d0b0cc6f-23d0-4f4f-ad5b-adbca8dbf698/223636...: connect: Operation timed out
rpki-client: https://repo-rpki.idnic.net/rrdp/d0b0cc6f-23d0-4f4f-ad5b-adbca8dbf698/223736...: connect: Operation timed out
rpki-client: https://repo-rpki.idnic.net/rrdp/d0b0cc6f-23d0-4f4f-ad5b-adbca8dbf698/223836...: connect: Operation timed out
rpki-client: https://repo-rpki.idnic.net/rrdp/d0b0cc6f-23d0-4f4f-ad5b-adbca8dbf698/223936...: connect: Operation timed out
rpki-client: https://repo-rpki.idnic.net/rrdp/d0b0cc6f-23d0-4f4f-ad5b-adbca8dbf698/224036...: connect: Operation timed out
rpki-client: https://repo-rpki.idnic.net/rrdp/d0b0cc6f-23d0-4f4f-ad5b-adbca8dbf698/224136...: connect: Operation timed out
rpki-client: https://repo-rpki.idnic.net/rrdp/notification.xml: loaded from network
It does appear to move on, but some guidance on how long it retries in 6 before moving to 4 would help
Hello there!
I have been making efforts to update the MacPorts Portfile from 8.2 to 8.3 and have run into the following issue during an attempted build and installation:
output-ometric.c:131:16: error: use of undeclared identifier 'HOST_NAME_MAX'
char hostname[HOST_NAME_MAX + 1];
^
1 error generated.
CC rpki_client-roa.o
make[1]: *** [rpki_client-output-ometric.o] Error 1
make[1]: *** Waiting for unfinished jobs....
Documented (along with some rabbit holes not worth expounding upon here) and explored by a fellow MacPorts contributor in comment:
https://trac.macports.org/ticket/67126#comment:6
"As far as I can tell, macOS does not currently define HOST_NAME_MAX. I found no references to it by grepping MacOSX.sdk/usr/include on Monterey. The macOS gethostname(3) manpage used to refer to HOST_NAME_MAX so I guess macOS used to define it (or the manpage mentioned it erroneously), but that manpage currently refers to sysconf(_SC_HOST_NAME_MAX) instead. So this is a bug in rpki-client that will have to be discussed with and addressed by its developers before the port can be updated to this version." ー @ryandesign
Similarly, on macOS Ventura (13.2.1) this seems to be the case as well:
% cd /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.sdk/usr/include
% grep -R HOST_NAME_MAX
./limits.h:#define _POSIX_HOST_NAME_MAX 255
./unistd.h:#define _SC_HOST_NAME_MAX 72
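The fallback the quoted comment points to, sizing the gethostname(3) buffer at run time with sysconf(_SC_HOST_NAME_MAX) instead of relying on HOST_NAME_MAX, as an added example (not code from rpki-client or from the posters above). hostname_bufsize() and hostname_dup() are hypothetical helper names.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Smallest limit POSIX guarantees. The grep output above shows macOS
 * defining it as 255 in limits.h; define it ourselves if a platform
 * does not.
 */
#ifndef _POSIX_HOST_NAME_MAX
#define _POSIX_HOST_NAME_MAX 255
#endif

/*
 * Return the buffer size, including the terminating NUL, that
 * gethostname(3) needs on this system. Order of preference:
 *   1. the run-time value from sysconf(_SC_HOST_NAME_MAX)
 *   2. the compile-time HOST_NAME_MAX, where the platform has one
 *   3. the POSIX minimum, which every conforming system supports
 * Hypothetical helper, not an rpki-client function.
 */
size_t
hostname_bufsize(void)
{
	long max = -1;

#ifdef _SC_HOST_NAME_MAX
	max = sysconf(_SC_HOST_NAME_MAX);
#endif
#ifdef HOST_NAME_MAX
	if (max <= 0)
		max = HOST_NAME_MAX;
#endif
	if (max <= 0)
		max = _POSIX_HOST_NAME_MAX;

	return (size_t)max + 1;
}

/*
 * Return the host name in a freshly allocated buffer, or NULL on
 * failure. The caller frees the result.
 */
char *
hostname_dup(void)
{
	size_t	 sz = hostname_bufsize();
	char	*buf;

	if ((buf = calloc(1, sz)) == NULL)
		return NULL;
	if (gethostname(buf, sz) == -1) {
		free(buf);
		return NULL;
	}
	/* gethostname() may leave a truncated name unterminated. */
	buf[sz - 1] = '\0';
	return buf;
}

int
main(void)
{
	char *name = hostname_dup();

	if (name == NULL) {
		perror("gethostname");
		return 1;
	}
	printf("buffer size %zu, hostname %s\n", hostname_bufsize(), name);
	free(name);
	return 0;
}
```

Because the size is only known at run time, the buffer is heap-allocated rather than declared as a fixed array of HOST_NAME_MAX + 1 bytes.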
I'm trying to build and run on Big Sur and get the following error:
$ /usr/local/sbin/rpki-client
rpki-client: tls_load_file: No such file or directory
rpki-client: poll[2]: hangup
To reproduce:
brew install libressl
export LDFLAGS="-L/usr/local/opt/libressl/lib"
export CPPFLAGS="-I/usr/local/opt/libressl/include"
./autogen.sh
./configure
make
make install
/usr/local/sbin/rpki-client
rpki-client: tls_load_file: No such file or directory
rpki-client: poll[2]: hangup
...because it doesn't seem to be as simple as it should be :-).
Starting 29th of Nov at 13:00 CET our dockerized rpki-client no longer produces any files.
Docker logging:
2022-11-30T08:30:50.064813443Z rpki-client: rpki-rps.arin.net/repository/8a848ade7fb71aa9017fdd9c5dd324c7/0/EB1DD8AA3E2B6864E06379C751DBFFFCC6418350.mft: no valid mft available
2022-11-30T08:30:50.100377723Z rpki-client: rpki-rps.arin.net/repository/8a848ade7fb71aa901800003287f4402/0/2BF7605B8927C87448B3B294A8B61D8E983248E0.mft: no valid mft available
2022-11-30T08:30:50.287559589Z rpki-client: rpki-rps.arin.net/repository/8a848adf7fb722e9017ffead9f534ac5/0/BFA2750976CA07F56A68976B0F01EB862F17C3B3.mft: no valid mft available
2022-11-30T08:31:05.479810276Z rpki-client: unhandled entity type 7
2022-11-30T08:31:05.566212488Z rpki-client: poll[0]: bad fd
2022-11-30T08:31:05.566249456Z rpki-client: write[0]: Broken pipe
2022-11-30T08:31:05.566256810Z rpki-client: parser process exited abnormally
2022-11-30T08:31:05.571419260Z rpki-client: not all files processed, giving up
2022-11-30T08:31:05.966877368Z rsync error: received SIGINT, SIGTERM, or SIGHUP (code 20) at rsync.c(713) [Receiver=3.2.4]
We are still using rpki-client 7.9
sudo docker inspect --format='{{index .RepoDigests 0}}' rpki/rpki-client:7.9
rpki/rpki-client@sha256:81f6c17b508e5184185a15e33f6f9f578d454ed6e78d67fa78c9182bf5f911ce
The instructions in README.md say:
Building
$ ./configure
$ make
but "configure" is neither in git nor in the release tar file (tried: https://github.com/rpki-client/rpki-client-portable/archive/refs/tags/7.1.tar.gz)
Our nightly GitHub Action for the container image failed with:
#33 20.04 + ./autogen.sh
#33 20.04 pulling upstream openbsd source
#33 20.44 Already on 'master'
#33 20.44 Your branch is up to date with 'origin/master'.
#33 21.64 Already up to date.
#33 21.64 copying tal
#33 21.64 copying includes
#33 21.74 Copying as.c
#33 21.74 Copying cert.c
#33 21.75 Copying cms.c
#33 21.76 Copying crl.c
#33 21.76 Copying extern.h
#33 21.78 Copying gbr.c
#33 21.78 Copying http.c
#33 21.78 Copying io.c
#33 21.79 Copying ip.c
#33 21.79 Copying log.c
#33 21.80 Copying main.c
#33 21.80 Copying mft.c
#33 21.80 Copying mkdir.c
#33 21.82 Copying output-bgpd.c
#33 21.83 Copying output-bird.c
#33 21.83 Copying output-csv.c
#33 21.83 Copying output-json.c
#33 21.83 Copying output.c
#33 21.84 Copying parser.c
#33 21.89 Copying roa.c
#33 21.89 Copying rpki-client.8
#33 21.89 Copying rsync.c
#33 21.91 Copying tal.c
#33 21.91 Copying validate.c
#33 21.92 Copying x509.c
#33 21.92 Applying patch patches/0001-Allow-overriding-default-user-and-file-locations.patch
#33 21.92 1 out of 1 hunk FAILED -- saving rejects to file extern.h.rej
#33 ...
From what I can see so far, rpki-client never tells its version. I wonder if it makes sense to enhance the portable version with some version information output, e.g. rpki-client -V, which we're anyway passing in via build-time options such as -DPACKAGE_VERSION=\"6.8p1\" already. Oh and yes, there are package managers, but some people build rpki-client on their own from source.
As of writing, rpki-client 7.3 prints some statistics at the end like this:
rpki-client: Route Origin Authorizations: 95719 (2 failed parse, 0 invalid)
rpki-client: Certificates: 27741 (0 failed parse, 0 invalid)
rpki-client: Trust Anchor Locators: 5
rpki-client: Manifests: 27741 (10 failed parse, 2 stale)
rpki-client: Certificate revocation lists: 27729
rpki-client: Ghostbuster records: 2
rpki-client: Repositories: 27561
rpki-client: Cleanup: removed 84 files, 4774 directories
rpki-client: VRP Entries: 292644 (286905 unique)
Is there any chance to include the actual run-time, too? The goal is to see how long a run of rpki-client actually took.
Our nightly GitHub Action for the container image failed with io.c:27:10: fatal error: imsg.h: No such file or directory
Our nightly GitHub Action for the container image failed with:
#14 19.22 Copying rrdp_delta.c
#14 19.23 Copying rrdp_notification.c
#14 19.24 Copying rrdp_snapshot.c
#14 19.25 Copying rsync.c
#14 19.25 Copying tal.c
#14 19.25 Copying validate.c
#14 19.25 Copying version.h
#14 19.27 Copying x509.c
#14 19.28 Applying patch patches/0001-Allow-overriding-default-user-and-file-locations.patch
#14 19.28 1 out of 6 hunks FAILED -- saving rejects to file main.c.rej
Would it be possible to also cut a release based on each version that is tagged?
This would allow for easier comparison between versions and also allow tooling to compare versions more easily via the GitHub API.
rpki-client is failing to complete a run, this stopped for us approx 1 week ago on one machine (but fine on another), the app just hangs and fails to provide any output when it gets to the end. The JSON file does not get created. Is there a debug mode to work out where this is failing?
rpki-client -j
The RIPE NCC Certification Repository is subject to Terms and Conditions
See http://www.ripe.net/lir-services/ncc/legal/certification/repository-tc
rsync: failed to connect to rpki.admin.freerangecloud.com (172.98.192.101): Connection refused (111)
rsync error: error in socket IO (code 10) at clientserver.c(127) [Receiver=3.1.3]
rpki-client: rsync rsync://rpki.admin.freerangecloud.com/repo failed
rpki-client: rpki.admin.freerangecloud.com/repo/FRC-CA/2/5D35939557110CC43429AE301F7CEF0E5889942B.mft: No such file or directory
The RIPE NCC Certification Repository is subject to Terms and Conditions
See http://www.ripe.net/lir-services/ncc/legal/certification/repository-tc
rpki-client: rpki-repository.nic.ad.jp/ap/A91A73810000/699/bkqeJzVTPVpOXDMPDUQnaPOy7iw.roa: RFC 3779 resource not subset of parent's resources
rpki-client: rpki.afrinic.net/repository/member_repository/F3646C24/1C86B7862B5B11EC8EBEF540D8A014CE/_r9_454NpaYN1sjcZoHO9aJGKC4.mft: No such file or directory
rpki-client: rpki.afrinic.net/repository/member_repository/F362C7E9/08F07C14E8D911E98515C740F8AEA228/8A9DED60330411ECB9F7B454D8A014CE.roa: certificate is not yet valid
rsync: failed to connect to krill.openx.com.br (177.91.162.90): Connection refused (111)
rsync error: error in socket IO (code 10) at clientserver.c(127) [Receiver=3.1.3]
rpki-client: rsync rsync://krill.openx.com.br/repo failed
rpki-client: rpki.admin.freerangecloud.com/repo/FRC-CA/7/FA048AF3EA62E5575B4698C5CC2403982893F0C5.mft: No such file or directory
rpki-client: rpki.admin.freerangecloud.com/repo/FRC-CA/3/A0DF8EB28D12F9CDF7A68B3DC7A56576748B2E54.mft: No such file or directory
rpki-client: rpki.admin.freerangecloud.com/repo/FRC-CA/6/75E8A027E92C15B9414A59AC096BD4634B906914.mft: No such file or directory
rpki-client: rpki.admin.freerangecloud.com/repo/FRC-CA/0/C8935FDCA5028AE8209FEC82AD8AE8CFB7C6E776.mft: No such file or directory
rpki-client: krill-eval-ctec.charter.com/repo/Charter_CTEC_Lab/3/47CA36B68F7EBB87A8E744A7072F9E3D860263A1.mft: mft expired on Jun 19 16:26:00 2021 GMT
rpki-client: rpki-repo.registro.br/repo/HX3z3YpiLS9QubGAVEqGBhb1VVpkZCsgxGknQcP2wpSt/0/7D8A9531076B1611BA99C6F0DE67D1C23D9D4D69.mft: mft expired on Oct 27 23:50:00 2021 GMT
rpki-client: rpki-repo.registro.br/repo/2o4paBoq6LzvHAs31rV7xtet2Hzi7TKLjBWpoMv7wDcQ/0/3BE7834F5C952166B2344224A6CDC53A4B6CBC5D.mft: mft expired on Oct 29 12:10:00 2021 GMT
rpki-client: krill.openx.com.br/repo/openx/0/903DCC9CE00A3A63C8A767354675DE030AAD480F.mft: No such file or directory
rpki-client: rpki-repo.registro.br/repo/681Sn9wiCnn8ANQrJM6gRLGiMQoRQdk5kUbodfdYqyGS/0/24CE2A1D7D0C33062228DAC12389B9C1E0BF7321.mft: mft expired on Oct 29 12:40:00 2021 GMT
rpki-client: rpki-repo.registro.br/repo/7YS5o7RPbEdQ5uu7j5JTH3NNkdaeanEfgpMK2MEe7YZ5/0/EDCE71D4C0B931EADD49D9EE3F380B39FC716C3C.mft: mft expired on Oct 29 12:20:00 2021 GMT
rpki-client: rpki-repo.registro.br/repo/C6CpBe3iBpA78BroqAnRfz5gEWpz76nR9fuVbQGBDRxP/0/78B729D22DCEFB9255CD272064BD0C7255672C12.mft: mft expired on Oct 30 17:36:00 2021 GMT
rpki-client: rpki-repo.registro.br/repo/WMHJfnYE8NUC9RUbAsx363tYt5U4gN6UpB6umWUffbG/0/4A00AF1325B5DBF0EA04C441E5B9FB9ABD85F2C1.mft: mft expired on Oct 28 00:50:56 2021 GMT
rpki-client: rpki-ca.uepg.br/repo/uepg_ca/0/279CDDC78D1BDE4B86DFC07FC751BB7A9FD53CEC.mft: No such file or directory
rpki-client: rpki1.terratransit.de/repo/TerraTransit/79/EF6D5C4FF0D822C54B3BB2000663091CBC4F41E6.mft: No such file or directory
rpki-client: rpki1.terratransit.de/repo/TerraTransit/87/07B1A2CB9D13D3AE494D675F20F04AC17F7F5DCB.mft: No such file or directory
rpki-client: rpkica.mckay.com/rpki/MCnet/UEh2SAvdIgPsUFdv92RSSaNqBnY.mft: No such file or directory
rpki-client: rpki.admin.freerangecloud.com/repo/FRC-CA/5/7EA5316DBDAC01CD05D0EAA05A89C04DA3E7398F.mft: No such file or directory
rpki-client: r.magellan.ipxo.com/repo/3df3b03a-ee5f-4212-bbe8-239ad294f50e-589fc7fbb6-1/0/C486E45F80D7067C26D7C927E756CE4EA826B006.mft: mft expired on Oct 28 17:10:00 2021 GMT
rpki-client: ca.rg.net/rpki/RGnet-OU/ovsCA/IOUcOeBGM_Tb4dwfvswY4bnNZYY.mft: No such file or directory
rsync: failed to connect to cc.rg.net (147.28.0.47): Connection timed out (110)
rsync: failed to connect to cc.rg.net (2001:418:1::47): Network is unreachable (101)
rsync error: error in socket IO (code 10) at clientserver.c(127) [Receiver=3.1.3]
rpki-client: rsync rsync://cc.rg.net/rpki failed
rpki-client: cc.rg.net/rpki/RGnet-cc/gY5eZDw9ohLSAi1mlxSwh1gVFcY.mft: No such file or directory
CentOS 8.1
rpki-client 7.2
in a case where libcrypto and libssl are provided by the system openssl 3.0.8 and only libtls is built from libressl 3.7.0 (with --enable-libtls-only), the build fails with the following symbol collision:
ld.lld: error: duplicate symbol: ASN1_time_tm_cmp
>>> defined in ../compat/.libs/libcompat.a(a_time_tm.o)
>>> defined in /mss/work/table/INS/lib/libtls.a(libcrypto_la-a_time_tm.o)
ld.lld: error: duplicate symbol: ASN1_time_parse
>>> defined in ../compat/.libs/libcompat.a(a_time_tm.o)
>>> defined in /mss/work/table/INS/lib/libtls.a(libcrypto_la-a_time_tm.o)
clang-15: error: linker command failed with exit code 1 (use -v to see invocation)
building and using libcrypto and libssl alongside libtls from libressl, the pkg-config calls made by configure will pick the libs provided by the libressl installation, and the collision does not happen.
i am seeing this while building rpki-client 8.2 on an x86_64 musl 1.2.3 host with a complete and standalone llvm 15.0.7 toolchain.
libressl 3.7.0 is configured with:
./configure \
--build=x86_64-apathy-linux-musl \
--host=x86_64-apathy-linux-musl \
--prefix="/mss/work/table/INS" \
\
--enable-asm \
--enable-static \
--disable-extratests \
--enable-libtls-only \
--disable-nc \
--disable-shared \
--disable-tests \
--disable-windows-ssp
rpki-client 8.2 is configured with:
./configure \
--build=x86_64-apathy-linux-musl \
--host=x86_64-apathy-linux-musl \
--prefix="/opt/rpki-client-8.2" \
--localstatedir=/var \
\
--with-user="mss"
system openssl:
openssl version
OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)
clang && ld:
apathy clang version 15.0.7
Target: x86_64-apathy-linux-musl
Thread model: posix
InstalledDir: /opt/llvm-15.0.7/bin
apathy LLD 15.0.7 (compatible with GNU linkers)
Hello again,
In an attempt to upgrade from 6.7p1 I went through essentially the same build process, but ran into problems. Perhaps the most severe issue is what appears to be a requirement for functions only found in LibreSSL, which are not typically found on most Linux distributions by default. Is LibreSSL expected to be a requirement now?
rpki-client-portable-6.8p$ make
Making all in include
make[1]: Entering directory '/home/jtk/dl/rpki-client-portable-6.8p0/include'
make[1]: Nothing to be done for 'all'.
make[1]: Leaving directory '/home/jtk/dl/rpki-client-portable-6.8p0/include'
Making all in compat
make[1]: Entering directory '/home/jtk/dl/rpki-client-portable-6.8p0/compat'
CC recallocarray.lo
recallocarray.c: In function ‘recallocarray’:
recallocarray.c:60:28: warning: comparison of integer expressions of different signedness: ‘size_t’ {aka ‘long unsigned int’} and ‘int’ [-Wsign-compare]
if (d < oldsize / 2 && d < getpagesize()) {
^
CC strlcat.lo
CC strlcpy.lo
CC strtonum.lo
CCLD libcompat.la
ar: `u' modifier ignored since `D' is the default (see `U')
CCLD libcompatnoopt.la
ar: `u' modifier ignored since `D' is the default (see `U')
make[1]: Leaving directory '/home/jtk/dl/rpki-client-portable-6.8p0/compat'
Making all in src
make[1]: Entering directory '/home/jtk/dl/rpki-client-portable-6.8p0/src'
CC rpki_client-as.o
CC rpki_client-cert.o
CC rpki_client-cms.o
CC rpki_client-crl.o
CC rpki_client-io.o
CC rpki_client-ip.o
CC rpki_client-log.o
CC rpki_client-main.o
main.c: In function ‘main’:
main.c:1669:7: warning: ‘rsyncpid’ may be used uninitialized in this function [-Wmaybe-uninitialized]
if (waitpid(rsyncpid, &st, 0) == -1)
^~~~~~~~~~~~~~~~~~~~~~~~~
CC rpki_client-mft.o
mft.c: In function ‘generalizedtime_to_tm’:
mft.c:69:9: error: implicit declaration of function ‘ASN1_time_parse’; did you mean ‘ASN1_parse’? [-Werror=implicit-function-declaration]
return ASN1_time_parse(data, len, tm, V_ASN1_GENERALIZEDTIME) ==
^~~~~~~~~~~~~~~
ASN1_parse
mft.c: In function ‘check_validity’:
mft.c:99:6: error: implicit declaration of function ‘ASN1_time_tm_cmp’; did you mean ‘ASN1_item_dup’? [-Werror=implicit-function-declaration]
if (ASN1_time_tm_cmp(&tm_until, &tm_from) < 0) {
^~~~~~~~~~~~~~~~
ASN1_item_dup
cc1: some warnings being treated as errors
make[1]: *** [Makefile:648: rpki_client-mft.o] Error 1
make[1]: Leaving directory '/home/jtk/dl/rpki-client-portable-6.8p0/src'
make: *** [Makefile:454: all-recursive] Error 1
Leaving a reminder that perhaps https://landlock.io/ can be used as unveil() replacement on Linux systems
As per https://blog.apnic.net/2020/09/02/policy-prop-132-as0-for-unallocated-space-deployed-in-service/, APNIC provides a separate TAL covering their undelegated IPv4 and IPv6 ranges. I hereby would like to suggest the inclusion of the APNIC AS0 TAL as apnic-as0.tal into rpki-client.
As discussed with @job and @robert-scheck on IRC I would appreciate to see the metadata-dict in the vrps.json exposed in the OpenMetrics format.
An example output could be:
# HELP rpki_client_roas_count Total number of ROAs
# TYPE rpki_client_roas_count gauge
rpki_client_roas_count 100020
[...]
OpenMetrics requires the software to natively answer to HTTP GET which I suppose is a no-go for rpki-client, however prometheus users would still be able to ingest the data either via a webserver or by utilizing the textfile collector of node_exporter.
If this in general is relevant to rpki-client I'll happily help with the OpenMetrics side, I sadly can't contribute any C-Code though.
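Added example, not part of the issue above and not rpki-client code: a converter that renders the numeric entries of the metadata dict in vrps.json as gauges and writes them atomically for the node_exporter textfile collector. The metric naming (rpki_client_ plus the key), the key names in the sample, and the function names are assumptions; the sample input is constructed.

```python
import json
import os
import tempfile

PREFIX = "rpki_client_"  # assumed naming scheme, not defined by rpki-client


def metadata_to_openmetrics(vrps_json_text):
    """Render every numeric entry of the "metadata" dict as a gauge."""
    metadata = json.loads(vrps_json_text).get("metadata", {})
    lines = []
    for key in sorted(metadata):
        value = metadata[key]
        # bool is a subclass of int in Python; skip it along with strings.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            continue
        name = PREFIX + "".join(c if c.isalnum() else "_" for c in key.lower())
        lines.append(f"# HELP {name} rpki-client metadata field {key}")
        lines.append(f"# TYPE {name} gauge")
        lines.append(f"{name} {value}")
    # OpenMetrics terminator; Prometheus text parsers read it as a comment.
    lines.append("# EOF")
    return "\n".join(lines) + "\n"


def write_textfile(path, body):
    """Write atomically so a scrape never sees a half-written file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(body)
        os.chmod(tmp, 0o644)  # mkstemp creates 0600; the exporter must read it
        os.replace(tmp, path)  # rename within one directory is atomic
    except BaseException:
        os.unlink(tmp)
        raise


# Constructed sample, not real rpki-client output; key names are assumptions.
SAMPLE = json.dumps({
    "metadata": {"buildmachine": "example-host", "elapsedtime": 223,
                 "roas": 100020, "failedroas": 2, "vrps": 292644},
    "roas": [],
})

if __name__ == "__main__":
    print(metadata_to_openmetrics(SAMPLE), end="")
```

String-valued entries such as the build host are skipped rather than turned into labels, which keeps the output free of values that change the series identity between runs.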
Our nightly GitHub Action for the container image fails since today with:
#34 109.8 /tmp/rpki-client-portable/src/parser.c:497: undefined reference to `aspa_parse'
#34 109.8 /usr/lib/gcc/x86_64-alpine-linux-musl/11.2.1/../../../../x86_64-alpine-linux-musl/bin/ld: rpki_client-parser.o: in function `parse_entity':
#34 109.8 /tmp/rpki-client-portable/src/parser.c:647: undefined reference to `aspa_buffer'
#34 109.8 /usr/lib/gcc/x86_64-alpine-linux-musl/11.2.1/../../../../x86_64-alpine-linux-musl/bin/ld: /tmp/rpki-client-portable/src/parser.c:648: undefined reference to `aspa_free'
#34 109.8 /usr/lib/gcc/x86_64-alpine-linux-musl/11.2.1/../../../../x86_64-alpine-linux-musl/bin/ld: rpki_client-parser.o: in function `proc_parser_aspa':
#34 109.8 /tmp/rpki-client-portable/src/parser.c:505: undefined reference to `aspa_free'
#34 109.8 collect2: error: ld returned 1 exit status
wget https://sobornost.net/geofeed.csv
rpki-client -f geofeed.csv
Output :
File: geofeed.csv
Hash identifier: VOXBRdQpiyALlLRdo3OkLbLIY4PexRlci/0EM9Fc21U=
rpki-client: invalid address: 2001:67c:208c::/48
Validation:
When crafting rpki-client/rpki-client-container@99690d3, I had to learn that Alpine's libtls-standalone-dev package doesn't put tls.h onto a standard path. Thus I would like to raise the idea for --with-libtls etc., that – like for OpenSSL – a pkg-config pkg-name (or other individual build-time paths) can be passed, too.
Commit fbc33757884fada818c04cd542123c809f867a52 leads to a build failure here:
main.c: In function 'repo_cleanup':
main.c:1471:5: error: implicit declaration of function 'warnc' [-Werror=implicit-function-declaration]
warnc(e->fts_errno, "fts_read %s", e->fts_path);