@@ -83,9 +83,14 @@ func main() {

 	)

 	tlsConfig.InsecureSkipVerify = true

+	// Regardless of whether the user sets it to true or false, if they

+	// specify --tlsverify at all then we need to turn on tls

+	if flag.IsSet("-tlsverify") {

+		*flTls = true

+	}

+

 	// If we should verify the server, we need to load a trusted ca

 	if *flTlsVerify {

-		*flTls = true

 		certPool := x509.NewCertPool()

 		file, err := ioutil.ReadFile(*flCa)

 		if err != nil {

@@ -35,7 +35,7 @@ var (

 	flSocketGroup = flag.String([]string{"G", "-group"}, "docker", "Group to assign the unix socket specified by -H when running in daemon mode\nuse '' (the empty string) to disable setting of a group")

 	flLogLevel    = flag.String([]string{"l", "-log-level"}, "info", "Set the logging level")

 	flEnableCors  = flag.Bool([]string{"#api-enable-cors", "-api-enable-cors"}, false, "Enable CORS headers in the remote API")

-	flTls         = flag.Bool([]string{"-tls"}, false, "Use TLS; implied by --tlsverify=true")

+	flTls         = flag.Bool([]string{"-tls"}, false, "Use TLS; implied by --tlsverify flag")

 	flTlsVerify   = flag.Bool([]string{"-tlsverify"}, dockerTlsVerify, "Use TLS and verify the remote (daemon: verify client, client: verify daemon)")

 	// these are initialized in init() below since their default values depend on dockerCertPath which isn't fully initialized until init() runs

@@ -84,7 +84,7 @@ expect an integer, and they can only be specified once.

       -s, --storage-driver=""                    Force the Docker runtime to use a specific storage driver

       --selinux-enabled=false                    Enable selinux support. SELinux does not presently support the BTRFS storage driver

       --storage-opt=[]                           Set storage driver options

-      --tls=false                                Use TLS; implied by --tlsverify=true

+      --tls=false                                Use TLS; implied by --tlsverify flag

       --tlscacert="/home/sven/.docker/ca.pem"    Trust only remotes providing a certificate signed by the CA given here

       --tlscert="/home/sven/.docker/cert.pem"    Path to TLS certificate file

       --tlskey="/home/sven/.docker/key.pem"      Path to TLS key file

@@ -2687,3 +2687,28 @@ func TestContainerNetworkMode(t *testing.T) {

 	logDone("run - container shared network namespace")

 }

+

+func TestRunTLSverify(t *testing.T) {

+	cmd := exec.Command(dockerBinary, "ps")

+	out, ec, err := runCommandWithOutput(cmd)

+	if err != nil || ec != 0 {

+		t.Fatalf("Should have worked: %v:\n%v", err, out)

+	}

+

+	// Regardless of whether we specify true or false we need to

+	// test to make sure tls is turned on if --tlsverify is specified at all

+

+	cmd = exec.Command(dockerBinary, "--tlsverify=false", "ps")

+	out, ec, err = runCommandWithOutput(cmd)

+	if err == nil || ec == 0 || !strings.Contains(out, "trying to connect") {

+		t.Fatalf("Should have failed: \nec:%v\nout:%v\nerr:%v", ec, out, err)

+	}

+

+	cmd = exec.Command(dockerBinary, "--tlsverify=true", "ps")

+	out, ec, err = runCommandWithOutput(cmd)

+	if err == nil || ec == 0 || !strings.Contains(out, "cert") {

+		t.Fatalf("Should have failed: \nec:%v\nout:%v\nerr:%v", ec, out, err)

+	}

+

+	logDone("run - verify tls is set for --tlsverify")

+}

@@ -394,12 +394,22 @@ func (f *FlagSet) Lookup(name string) *Flag {

 	return f.formal[name]

 }

+// Indicates whether the specified flag was specified at all on the cmd line

+func (f *FlagSet) IsSet(name string) bool {

+	return f.actual[name] != nil

+}

+

 // Lookup returns the Flag structure of the named command-line flag,

 // returning nil if none exists.

 func Lookup(name string) *Flag {

 	return CommandLine.formal[name]

 }

+// Indicates whether the specified flag was specified at all on the cmd line

+func IsSet(name string) bool {

+	return CommandLine.IsSet(name)

+}

+

 // Set sets the value of the named flag.

 func (f *FlagSet) Set(name, value string) error {

 	flag, ok := f.formal[name]