Browse code
Use either the system root pool or an empty cert pool with custom CA roots, and not a joint system+custom CA roots pool, when connecting from a docker client to a remote daemon.
Signed-off-by: Ying Li <ying.li@docker.com>
Ying Li authored on 2017/03/10 03:45:15Showing 1 changed files
| ... | ... |
@@ -243,8 +243,9 @@ func newHTTPClient(host string, tlsOptions *tlsconfig.Options) (*http.Client, er |
| 243 | 243 |
// let the api client configure the default transport. |
| 244 | 244 |
return nil, nil |
| 245 | 245 |
} |
| 246 |
- |
|
| 247 |
- config, err := tlsconfig.Client(*tlsOptions) |
|
| 246 |
+ opts := *tlsOptions |
|
| 247 |
+ opts.ExclusiveRootPools = true |
|
| 248 |
+ config, err := tlsconfig.Client(opts) |
|
| 248 | 249 |
if err != nil {
|
| 249 | 250 |
return nil, err |
| 250 | 251 |
} |