SERVER-35528 Limit new SSL config options to YAML/CommandLine only

(cherry picked from commit 4ad27bacdc573cb77aae379f7a75742a1dfc2ae1)

2 files changed, 14 insertions, 8 deletions

diff --git a/src/mongo/util/net/ssl_options.cpp b/src/mongo/util/net/ssl_options.cpp
index f8a8457e073..72ee5b041c9 100644
--- a/src/mongo/util/net/ssl_options.cpp
+++ b/src/mongo/util/net/ssl_options.cpp
@@ -254,14 +254,16 @@ Status addSSLServerOptions(moe::OptionSection* options) {
                             moe::String,
                             "SSL Certificate in system store")
         .incompatibleWith("net.ssl.PEMKeyFile")
-        .incompatibleWith("net.ssl.PEMKeyPassword");
+        .incompatibleWith("net.ssl.PEMKeyPassword")
+        .setSources(moe::SourceYAMLCLI);
     options
         ->addOptionChaining("net.ssl.clusterCertificateSelector",
                             "sslClusterCertificateSelector",
                             moe::String,
                             "SSL Certificate in system store for internal SSL authentication")
         .incompatibleWith("net.ssl.clusterFile")
-        .incompatibleWith("net.ssl.clusterFilePassword");
+        .incompatibleWith("net.ssl.clusterFilePassword")
+        .setSources(moe::SourceYAMLCLI);
 #endif
 
     return Status::OK();
@@ -317,14 +319,17 @@ Status addSSLClientOptions(moe::OptionSection* options) {
                             moe::String,
                             "SSL Certificate in system store")
         .incompatibleWith("ssl.PEMKeyFile")
-        .incompatibleWith("ssl.PEMKeyPassword");
+        .incompatibleWith("ssl.PEMKeyPassword")
+        .setSources(moe::SourceYAMLCLI);
 #endif
 
-    options->addOptionChaining(
-        "ssl.disabledProtocols",
-        "sslDisabledProtocols",
-        moe::String,
-        "Comma separated list of TLS protocols to disable [TLS1_0,TLS1_1,TLS1_2]");
+    options
+        ->addOptionChaining(
+            "ssl.disabledProtocols",
+            "sslDisabledProtocols",
+            moe::String,
+            "Comma separated list of TLS protocols to disable [TLS1_0,TLS1_1,TLS1_2]")
+        .setSources(moe::SourceYAMLCLI);
 
     return Status::OK();
 }
diff --git a/src/mongo/util/options_parser/option_description.h b/src/mongo/util/options_parser/option_description.h
index de4aba5c705..5d6bce0a048 100644
--- a/src/mongo/util/options_parser/option_description.h
+++ b/src/mongo/util/options_parser/option_description.h
@@ -64,6 +64,7 @@ enum OptionSources {
     SourceYAMLConfig = 4,
     SourceAllConfig = SourceINIConfig | SourceYAMLConfig,
     SourceAllLegacy = SourceINIConfig | SourceCommandLine,
+    SourceYAMLCLI = SourceYAMLConfig | SourceCommandLine,
     SourceAll = SourceCommandLine | SourceINIConfig | SourceYAMLConfig
 };