Browse code
Use either the system root pool or an empty cert pool with custom CA roots, and not a joint system+custom CA roots pool, when connecting from a docker client to a remote daemon
Signed-off-by: Ying Li <ying.li@docker.com>
Ying Li authored on 2017/03/10 03:45:15Showing 1 changed files
| ... | ... |
@@ -250,8 +250,9 @@ func newHTTPClient(host string, tlsOptions *tlsconfig.Options) (*http.Client, er |
| 250 | 250 |
// let the api client configure the default transport. |
| 251 | 251 |
return nil, nil |
| 252 | 252 |
} |
| 253 |
- |
|
| 254 |
- config, err := tlsconfig.Client(*tlsOptions) |
|
| 253 |
+ opts := *tlsOptions |
|
| 254 |
+ opts.ExclusiveRootPools = true |
|
| 255 |
+ config, err := tlsconfig.Client(opts) |
|
| 255 | 256 |
if err != nil {
|
| 256 | 257 |
return nil, err |
| 257 | 258 |
} |