diff --git a/client/client.go b/client/client.go
index 8d7bd6cfa0..fd357a93e2 100644
--- a/client/client.go
+++ b/client/client.go
@@ -189,16 +189,15 @@ func NewClientWithOpts(ops ...Opt) (*Client, error) {
 	}
 
 	if c.scheme == "" {
-		c.scheme = "http"
-
-		tlsConfig := resolveTLSConfig(c.client.Transport)
-		if tlsConfig != nil {
-			// TODO(stevvooe): This isn't really the right way to write clients in Go.
-			// `NewClient` should probably only take an `*http.Client` and work from there.
-			// Unfortunately, the model of having a host-ish/url-thingy as the connection
-			// string has us confusing protocol and transport layers. We continue doing
-			// this to avoid breaking existing clients but this should be addressed.
+		// TODO(stevvooe): This isn't really the right way to write clients in Go.
+		// `NewClient` should probably only take an `*http.Client` and work from there.
+		// Unfortunately, the model of having a host-ish/url-thingy as the connection
+		// string has us confusing protocol and transport layers. We continue doing
+		// this to avoid breaking existing clients but this should be addressed.
+		if c.tlsConfig() != nil {
 			c.scheme = "https"
+		} else {
+			c.scheme = "http"
 		}
 	}
 
@@ -217,6 +216,16 @@ func defaultHTTPClient(hostURL *url.URL) (*http.Client, error) {
 	}, nil
 }
 
+// tlsConfig returns the TLS configuration from the client's transport.
+// It returns nil if the transport is not a [http.Transport], or if no
+// TLSClientConfig is set.
+func (cli *Client) tlsConfig() *tls.Config {
+	if tr, ok := cli.client.Transport.(*http.Transport); ok {
+		return tr.TLSClientConfig
+	}
+	return nil
+}
+
 // Close the transport used by the client
 func (cli *Client) Close() error {
 	if t, ok := cli.client.Transport.(*http.Transport); ok {
@@ -365,7 +374,7 @@ func (cli *Client) Dialer() func(context.Context) (net.Conn, error) {
 		case "npipe":
 			return sockets.DialPipe(cli.addr, 32*time.Second)
 		default:
-			if tlsConfig := resolveTLSConfig(cli.client.Transport); tlsConfig != nil {
+			if tlsConfig := cli.tlsConfig(); tlsConfig != nil {
 				return tls.Dial(cli.proto, cli.addr, tlsConfig)
 			}
 			return net.Dial(cli.proto, cli.addr)
diff --git a/client/transport.go b/client/transport.go
deleted file mode 100644
index 5541344366..0000000000
--- a/client/transport.go
+++ /dev/null
@@ -1,17 +0,0 @@
-package client // import "github.com/docker/docker/client"
-
-import (
-	"crypto/tls"
-	"net/http"
-)
-
-// resolveTLSConfig attempts to resolve the TLS configuration from the
-// RoundTripper.
-func resolveTLSConfig(transport http.RoundTripper) *tls.Config {
-	switch tr := transport.(type) {
-	case *http.Transport:
-		return tr.TLSClientConfig
-	default:
-		return nil
-	}
-}