crypto: Improve control of FIPS mode #5181

Closed
wants to merge 14 commits into
base: master
from

7 participants
@stefanmb
Member

stefanmb commented Feb 10, 2016

In Issue #3819 requests were made to support a FIPS OpenSSL build of Node.js running in a non-FIPS mode. In PR #3820 an attempt was made to introduce this feature.

In this PR I've attempted to merge all requests and discussion from #3819 and #3820.

The following features are introduced:

  1. Default to FIPS off even in FIPS builds: FIPS mode now has to be explicitly enabled by command line argument, OpenSSL config file, or JavaScript API call.
  2. Add JS API to check and control FIPS mode: Allow JavaScript applications to check if they are executing in FIPS mode and to enable/disable FIPS mode if applicable.
  3. Add command line arguments to force FIPS on/off: --[disable|enable]-fips have been added, and they will override all other options.
  4. Respect OPENSSL_CONF variable and read the config: OpenSSL provides a standard mechanism for reading a config file from the "OPENSSL_CONF" environment variable. Load this config file, which permits, among other things, control of FIPS mode.
  5. Add testing for new features: Test combinations of features from 1 and 4.

As always, I'm open to any suggestions and improvements, especially if there is a better way to pass global options such as the enable/disable flags (instead of extern C variables).

These features were added as a result of discussion in #3819 and #3820, please refer to them for background information.

Note also that going forward we will need to run regression testing in FIPS builds twice: once with FIPS enabled at runtime, and once with FIPS disabled.

@stefanmb

Member

stefanmb commented Feb 10, 2016

@mhdawson @indutny @shigeki @jasnell @lordjabez @ScarletTanager This PR should include suggestions from all of you, any comments are greatly appreciated. Thanks!

@mscdex

Contributor

mscdex commented Feb 10, 2016

Maybe defining a getter/setter simply called fips would be simpler instead of having separate methods?

@stefanmb stefanmb force-pushed the stefanmb:fips-switch branch Feb 10, 2016

@mhdawson

Member

mhdawson commented Feb 10, 2016

Added semver-major tag since it changes default behaviour

@indutny

lib/crypto.js Outdated
@@ -645,6 +647,13 @@ exports.getCurves = function() {
return filterDuplicates(getCurves());
};
exports.hasFipsCrypto = function() {

@indutny

indutny Feb 10, 2016

Member

Nit: function hasFipsCrypto

@indutny

lib/crypto.js Outdated
return hasFipsCrypto();
};
exports.setFipsCrypto = function(mode) {

@indutny

indutny Feb 10, 2016

Member

Ditto.

@indutny

src/node.cc Outdated
#endif
#if NODE_FIPS_MODE
} else if (strcmp(arg, "--disable-fips") == 0) {
disable_fips_crypto = true;

@indutny

indutny Feb 10, 2016

Member

Nit: indent.

@indutny

src/node.cc Outdated
} else if (strcmp(arg, "--disable-fips") == 0) {
disable_fips_crypto = true;
} else if (strcmp(arg, "--enable-fips") == 0) {
enable_fips_crypto = true;
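
Review bot: the --disable-fips and --enable-fips branches each set their own flag, so a command line carrying both options leaves disable_fips_crypto and enable_fips_crypto true at the same time. Reject that combination during argument parsing, or document which option wins, so later checks never see contradictory state.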

@indutny

indutny Feb 10, 2016

Member

Ditto.

@indutny

src/node_crypto.cc Outdated
bool mode = args[0]->BooleanValue();
if (disable_fips_crypto) {
return env->ThrowError(
"Cannot set FIPS mode, it was forced with --disable-fips at startup.");
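
Review bot: args[0]->BooleanValue() on the first line coerces whatever was passed, so a non-empty string such as 'false' or any object would count as a request to switch FIPS mode on. For a setting with compliance impact, check args[0]->IsBoolean() first and throw a type error for anything else.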

@indutny

indutny Feb 10, 2016

Member

Nit: indent, does make cpplint pass?

@stefanmb

stefanmb Feb 10, 2016

Member

Sadly yes, reports 0 errors found. I'll fix all this stuff.

@indutny

indutny Feb 10, 2016

Member

Yikes, too bad for it. Thank you! 👍

@indutny

src/node_crypto.cc Outdated
"Cannot set FIPS mode, it was forced with --disable-fips at startup.");
} else if (enable_fips_crypto) {
return env->ThrowError(
"Cannot set FIPS mode, it was forced with --enable-fips at startup.");
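
Review bot: the enable_fips_crypto branch throws without comparing against the requested value, so a call that asks for the mode already forced at startup (turning FIPS on under --enable-fips) fails as well. Consider returning without error when the request matches the forced setting, or state in the message and the docs that every assignment is rejected once a mode has been forced.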

@indutny

indutny Feb 10, 2016

Member

Ditto.

@indutny

test/parallel/test-crypto-authenticated.js Outdated
@@ -93,7 +93,7 @@ for (var i in TEST_CASES) {
(function() {
if (!test.password) return;
if (common.hasFipsCrypto) {
if (crypto.hasFipsCrypto()) {

@indutny

indutny Feb 10, 2016

Member

Let's make common.hasFipsCrypto a getter instead, should save us from fixing all tests and make them compatible with older node.js versions.

@indutny

test/parallel/test-crypto-fips.js Outdated
}
function getResponse(data)
{

@indutny

indutny Feb 10, 2016

Member

Nit: style, please put brace on the previous line. Does it pass make lint?

@stefanmb

stefanmb Feb 10, 2016

Member

It does :( I'll resolve the style problems.

@indutny

test/parallel/test-crypto-fips.js Outdated
const FIPS_DISABLED = 0;
const FIPS_ERROR_STRING = 'Error: Cannot set FIPS mode';
const OPTION_ERROR_STRING = 'bad option';
const CNF_FIPS_ON = common.fixturesDir + '/openssl_fips_enabled.cnf';

@indutny

indutny Feb 10, 2016

Member

Nit: Let's use path.join() here.

@indutny

test/parallel/test-crypto-fips.js Outdated
function getResponse(data)
{
return data.toString().replace('\n', '').replace('>', '').trim();
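
Review bot: replace('\n', '') and replace('>', '') in the return statement take string patterns, which remove only the first occurrence, so output containing more than one prompt or newline keeps the rest and the later comparison sees stray characters. Use one global regular expression covering both characters.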

@indutny

indutny Feb 10, 2016

Member

.replace(/\n|>/g, '').trim()?

@indutny

test/parallel/test-crypto-fips.js Outdated
}
function childOk(child) {
console.log('Child ' + ++num_children_ok + '/' + num_children_spawned +

@indutny

indutny Feb 10, 2016

Member

It should be either console.error or nothing at all. Doesn't play well with TAP output.

@indutny

test/parallel/test-crypto-fips.js Outdated
env: env
});
console.log('Spawned child [pid:' + child.pid + '] with cmd ' +

@indutny

indutny Feb 10, 2016

Member

Ditto.

@indutny

test/parallel/test-crypto-fips.js Outdated
child.stdin.setEncoding('utf-8');
child.stdout.on('data', function(data) {
// Prompt and newline may occur in undefined order.
const response = getResponse(data);

@indutny

indutny Feb 10, 2016

Member

Perhaps it should wait until end event to accumulate all data? I'm afraid of the situation where stdout could be chunked.

@indutny

indutny Feb 10, 2016

Member

Also, this way it will be possible to share lots of code between fips and non-fips branches in this function.

@indutny

test/parallel/test-crypto-fips.js Outdated
const response = getResponse(data);
if (response.length > 0) {
assert.notEqual(-1, response.indexOf(string));
childOk(child);

@indutny

indutny Feb 10, 2016

Member

Possibly this will be called several times as mentioned above.

@lordjabez

lordjabez commented Feb 10, 2016

This is a great change, and addresses all my concerns. Thanks!

@indutny

Member

indutny commented Feb 10, 2016

Overall I have a really good impression of the PR. Thank you for your work!

@mhdawson

Member

mhdawson commented Feb 10, 2016

In terms of the command line options I'm wondering about the case where we want it enabled by default but then the application can turn on/off. I also wonder about the need to prevent an app from turning it on. Maybe the following would make sense?

--enable-fips - enables FIPS, overrides setting in openssl file
--force-fips - enables FIPS, overrides setting in openssl file, app cannot disable

@mhdawson mhdawson self-assigned this Feb 10, 2016

@stefanmb stefanmb force-pushed the stefanmb:fips-switch branch 2 times, most recently Feb 10, 2016

@stefanmb

Member

stefanmb commented Feb 10, 2016

@mscdex I've switched to using a "crypto.fips" property as you suggested, thanks!
@indutny Thanks for the super quick feedback. I think I've addressed most of your concerns, I now use the 'end' event to validate output and 'data' event to buffer it. The handler is now shared between the FIPS and non-FIPS test branches. I'll double check the formatting issues.
@mhdawson I will remove --disable-fips and add a --force-fips tomorrow, as per our discussion there is no point in having disable-fips since that's the new default, instead we should provide a way to turn it on by default (--enable-fips) and a way to force it (--force-fips, does not allow it to be turned off).
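
The buffering change discussed above (collect on 'data', validate once on 'end') and the later point about a child environment free of OPENSSL_CONF, as an added example that is not code from this PR. The helper names, the fake stream standing in for child.stdout, and the sample chunks are constructed for illustration.

```javascript
'use strict';

// Minimal stand-in for child.stdout (assumption for this example): just
// enough of the stream interface to replay constructed chunks synchronously.
function makeFakeStream() {
  const handlers = { data: [], end: [] };
  return {
    on(event, fn) { handlers[event].push(fn); return this; },
    emit(event, arg) { handlers[event].forEach((fn) => fn(arg)); }
  };
}

// Drop every REPL prompt character and newline, not only the first one.
function normalize(text) {
  return text.replace(/\n|>/g, '').trim();
}

// Fragile: each 'data' chunk is judged on its own, so an expected string
// that straddles a chunk boundary is never seen.
function matchPerChunk(stream, expected, done) {
  let matched = false;
  stream.on('data', (chunk) => {
    if (normalize(chunk.toString()).includes(expected)) matched = true;
  });
  stream.on('end', () => done(matched));
}

// Robust: buffer raw bytes on 'data' and validate exactly once on 'end'.
// Concatenating buffers before decoding also keeps split multi-byte
// characters intact.
function matchOnEnd(stream, expected, done) {
  const chunks = [];
  stream.on('data', (chunk) => chunks.push(Buffer.from(chunk)));
  stream.on('end', () => {
    const output = Buffer.concat(chunks).toString('utf8');
    done(normalize(output).includes(expected));
  });
}

// Copy of the parent environment without OPENSSL_CONF, so a polluted
// environment cannot change the FIPS state the child starts in.
function childEnv(parentEnv) {
  const env = Object.assign({}, parentEnv);
  delete env.OPENSSL_CONF;
  return env;
}

// Replay constructed chunks through a matcher and return its verdict.
function replay(chunks, matcher, expected) {
  const stream = makeFakeStream();
  let result = null;
  matcher(stream, expected, (ok) => { result = ok; });
  chunks.forEach((c) => stream.emit('data', Buffer.from(c)));
  stream.emit('end');
  return result;
}

// Constructed sample: the error text arrives split across two chunks,
// with the REPL prompt and newline around it.
const EXPECTED = 'Error: Cannot set FIPS mode';
const SPLIT_OUTPUT = ['> Error: Cannot set ', 'FIPS mode\n> '];

console.log('per-chunk match:', replay(SPLIT_OUTPUT, matchPerChunk, EXPECTED));
console.log('match on end:   ', replay(SPLIT_OUTPUT, matchOnEnd, EXPECTED));
```
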

@stefanmb

Member

stefanmb commented Feb 23, 2016

@mhdawson @indutny I've updated this PR to resolve issues encountered while attempting to set up the CI:

  1. test/common.js still used the stale API (crypto.hasFipsCrypto instead of fips.crypto)

  2. I've updated the testing to survive a polluted environment (i.e. one where OPENSSL_CONF may already be defined, note that OpenSSL will not allow you to set the FIPS mode to on if it's already on, an exception will be thrown).

  3. During CI for a FIPS build we must now run the test suite twice, once with FIPS enabled and once with FIPS disabled. One way to do so is to use the OPENSSL_CONF environment variable, however this will cause test failures for those tests that use opensslCli from test/common.js because the OPENSSL_CONF variable will affect the standalone OpenSSL utilities. We could filter out the OPENSSL_CONF variable from the environment in common.js, but this does not strike me as a clean solution. The alternative is to pass "--enable-fips" to each test, however there was no obvious way to pass the --enable-fips argument through the "make test-ci" target. The "--special-command" argument comes close, but is only able to suffix or prefix the entire invocation. I have made a separate PR to deal with this problem since it is outside the scope of this PR: #5376

@mhdawson

Member

mhdawson commented Feb 25, 2016

LGTM to latest changes, and successful test run in both fips/non-fips enabled in updated test here: https://ci.nodejs.org/job/node-test-commit-linux-fips-dawson/

Will sync landing this and updating the test job.

One last regular CI run so that we have a current one: https://ci.nodejs.org/job/node-test-pull-request/1752/

@mhdawson

Member

mhdawson commented Feb 25, 2016

CI run is green, landing

mhdawson added a commit that referenced this pull request Feb 25, 2016

crypto: Improve control of FIPS mode
Default to FIPS off even in FIPS builds.
Add JS API to check and control FIPS mode.
Add command line arguments to force FIPS on/off.
Respect OPENSSL_CONF variable and read the config.
Add testing for new features.

Fixes: #3819
PR-URL: #5181
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-by: Michael Dawson <michael_dawson@ca.ibm.com>
@mhdawson

Member

mhdawson commented Feb 25, 2016

Landed as 7c48cb5

Updated fips test, CI run here to validate test is updated ok: https://ci.nodejs.org/job/node-test-commit/2345/

@mhdawson

Member

mhdawson commented Feb 25, 2016

CI all good closing

@mhdawson mhdawson closed this Feb 25, 2016

@jasnell jasnell referenced this pull request Mar 17, 2016

Closed

Planning for v6 #5766

@jasnell jasnell referenced this pull request Apr 19, 2016

Closed

What is new in v6? #6264

jasnell added a commit that referenced this pull request Apr 26, 2016

2016-04-26, Version 6.0.0 (Current) Release
The following significant (semver-major) changes have been made since the
previous Node v5.0.0 release.

* Buffer
  * New Buffer constructors have been added
    [#4682](#4682)
  * Previously deprecated Buffer APIs are removed
    [#5048](#5048),
    [#4594](#4594)
  * Improved error handling [#4514](#4514)
* Cluster
  * Worker emitted as first argument in 'message' event
    [#5361](#5361).
* Crypto
  * Improved error handling [#3100](#3100),
    [#5611](#5611)
  * Simplified Certificate class bindings
    [#5382](#5382)
  * Improved control over FIPS mode
    [#5181](#5181)
  * pbkdf2 digest overloading is deprecated
    [#4047](#4047)
* Dependencies
  * Reintroduce shared c-ares build support
    [#5775](#5775).
  * V8 updated to 5.0.71.31 [#6111](#6111).
* DNS
  * Add resolvePtr API to query plain DNS PTR records
    [#4921](#4921).
* Domains
  * Clear stack when no error handler
  [#4659](#4659).
* File System
  * The `fs.realpath()` and `fs.realpathSync()` methods have been updated
    to use a more efficient libuv implementation. This change includes the
    removal of the `cache` argument and the method can throw new errors
    [#3594](#3594)
  * FS apis can now accept and return paths as Buffers
    [#5616](#5616).
  * Error handling and type checking improvements
    [#5616](#5616),
    [#5590](#5590),
    [#4518](#4518),
    [#3917](#3917).
  * fs.read's string interface is deprecated
    [#4525](#4525)
* HTTP
  * 'clientError' can now be used to return custom errors from an
    HTTP server [#4557](#4557).
* Modules
  * Current directory is now prioritized for local lookups
    [#5689](#5689)
  * Symbolic links are preserved when requiring modules
    [#5950](#5950)
* Net
  * DNS hints no longer implicitly set
    [#6021](#6021).
  * Improved error handling and type checking
    [#5981](#5981),
    [#5733](#5733),
    [#2904](#2904)
* Path
  * Improved type checking [#5348](#5348).
* Process
  * Introduce process warnings API
    [#4782](#4782).
  * Throw exception when non-function passed to nextTick
    [#3860](#3860).
* Readline
  * Emit key info unconditionally
    [#6024](#6024)
* REPL
  * Assignment to `_` will emit a warning.
    [#5535](#5535)
* Timers
  * Fail early when callback is not a function
    [#4362](#4362)
* TLS
  * Rename 'clientError' to 'tlsClientError'
    [#4557](#4557)
  * SHA1 used for sessionIdContext
    [#3866](#3866)
* TTY
  * Previously deprecated setRawMode wrapper is removed
    [#2528](#2528).
* Util
  * Changes to Error object formatting
    [#4582](#4582).
* Windows
  * Windows XP and Vista are no longer supported
    [#5167](#5167),
    [#5167](#5167).

jasnell added a commit that referenced this pull request Apr 26, 2016

2016-04-26, Version 6.0.0 (Current) Release
The following significant (semver-major) changes have been made since the
previous Node v5.0.0 release.

* Buffer
  * New Buffer constructors have been added
    [#4682](#4682)
  * Previously deprecated Buffer APIs are removed
    [#5048](#5048),
    [#4594](#4594)
  * Improved error handling [#4514](#4514)
* Cluster
  * Worker emitted as first argument in 'message' event
    [#5361](#5361).
* Crypto
  * Improved error handling [#3100](#3100),
    [#5611](#5611)
  * Simplified Certificate class bindings
    [#5382](#5382)
  * Improved control over FIPS mode
    [#5181](#5181)
  * pbkdf2 digest overloading is deprecated
    [#4047](#4047)
* Dependencies
  * Reintroduce shared c-ares build support
    [#5775](#5775).
  * V8 updated to 5.0.71.31 [#6111](#6111).
* DNS
  * Add resolvePtr API to query plain DNS PTR records
    [#4921](#4921).
* Domains
  * Clear stack when no error handler
  [#4659](#4659).
* File System
  * The `fs.realpath()` and `fs.realpathSync()` methods have been updated
    to use a more efficient libuv implementation. This change includes the
    removal of the `cache` argument and the method can throw new errors
    [#3594](#3594)
  * FS apis can now accept and return paths as Buffers
    [#5616](#5616).
  * Error handling and type checking improvements
    [#5616](#5616),
    [#5590](#5590),
    [#4518](#4518),
    [#3917](#3917).
  * fs.read's string interface is deprecated
    [#4525](#4525)
* HTTP
  * 'clientError' can now be used to return custom errors from an
    HTTP server [#4557](#4557).
* Modules
  * Current directory is now prioritized for local lookups
    [#5689](#5689)
  * Symbolic links are preserved when requiring modules
    [#5950](#5950)
* Net
  * DNS hints no longer implicitly set
    [#6021](#6021).
  * Improved error handling and type checking
    [#5981](#5981),
    [#5733](#5733),
    [#2904](#2904)
* OS X
  * MACOSX_DEPLOYMENT_TARGET has been bumped up to 10.7
    [#6402](#6402).
* Path
  * Improved type checking [#5348](#5348).
* Process
  * Introduce process warnings API
    [#4782](#4782).
  * Throw exception when non-function passed to nextTick
    [#3860](#3860).
* Readline
  * Emit key info unconditionally
    [#6024](#6024)
* REPL
  * Assignment to `_` will emit a warning.
    [#5535](#5535)
* Timers
  * Fail early when callback is not a function
    [#4362](#4362)
* TLS
  * Rename 'clientError' to 'tlsClientError'
    [#4557](#4557)
  * SHA1 used for sessionIdContext
    [#3866](#3866)
* TTY
  * Previously deprecated setRawMode wrapper is removed
    [#2528](#2528).
* Util
  * Changes to Error object formatting
    [#4582](#4582).
* Windows
  * Windows XP and Vista are no longer supported
    [#5167](#5167),
    [#5167](#5167).
