authorSara Golemon <sara.golemon@mongodb.com>2018-07-13 13:47:36 +0000
committerSara Golemon <sara.golemon@mongodb.com>2018-07-13 17:02:10 +0000
commit6419a6d5e228e68d3d3f4ffec4e6f90b6413281f (patch)
tree1f01a570f66d3de6a0db790a2cd5b5f19c9941ab
parent70973a0aaabaad1550376aa8913fd7fa46e7af72 (diff)
SERVER-36110 Fix --tlsOnNormalPorts canonicalization
-rw-r--r--jstests/ssl/config-canonicalize-normal-ports.js13
-rw-r--r--src/mongo/util/net/ssl_options_server.cpp8
2 files changed, 19 insertions, 2 deletions
diff --git a/jstests/ssl/config-canonicalize-normal-ports.js b/jstests/ssl/config-canonicalize-normal-ports.js
new file mode 100644
index 00000000000..b83f8b2efa4
--- /dev/null
+++ b/jstests/ssl/config-canonicalize-normal-ports.js
@@ -0,0 +1,13 @@
+// Make sure the psuedo-option --tlsOnNormalPorts is correctly canonicalized.
+
+(function() {
+ 'use strict';
+
+ const mongod = MongoRunner.runMongod({
+ tlsOnNormalPorts: '',
+ tlsPEMKeyFile: 'jstests/libs/server.pem',
+ });
+ assert(mongod);
+ assert.commandWorked(mongod.getDB('admin').runCommand({isMaster: 1}));
+ MongoRunner.stopMongod(mongod);
+})();
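Review bot: The test asserts only that the server starts and answers `isMaster`, which does not distinguish `requireTLS` from a weaker mode such as `allowTLS` or `preferTLS` that still accepts plaintext connections. Since this option exists to force TLS, assert the effective mode before `MongoRunner.stopMongod(mongod);`, for example `assert.eq('requireTLS', mongod.getDB('admin').runCommand({getCmdLineOpts: 1}).parsed.net.tls.mode);` (the exact path in the parsed output should be confirmed). The header comment also misspells "pseudo-option" as "psuedo-option".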
diff --git a/src/mongo/util/net/ssl_options_server.cpp b/src/mongo/util/net/ssl_options_server.cpp
index 930eccaf2c4..670f824ff19 100644
--- a/src/mongo/util/net/ssl_options_server.cpp
+++ b/src/mongo/util/net/ssl_options_server.cpp
@@ -408,14 +408,18 @@ MONGO_MODULE_STARTUP_OPTIONS_REGISTER(SSLServerOptions)(InitializerContext*) {
return moe::startupOptions.addSection(options);
}
+// Alias --tlsOnNormalPorts as --tlsMode=requireTLS
Status canonicalizeSSLServerOptions(moe::Environment* params) {
if (params->count("net.tls.tlsOnNormalPorts") &&
(*params)["net.tls.tlsOnNormalPorts"].as<bool>() == true) {
- Status ret = params->set("net.tls.mode", moe::Value(std::string("requireTLS")));
+ // Must remove the old setting before adding the new one
+ // since as soon as we add it, the incompatibleWith validation will run.
+ auto ret = params->remove("net.tls.tlsOnNormalPorts");
if (!ret.isOK()) {
return ret;
}
- ret = params->remove("net.tls.tlsOnNormalPorts");
+
+ ret = params->set("net.tls.mode", moe::Value(std::string("requireTLS")));
if (!ret.isOK()) {
return ret;
}