From 60d17202f036fc3084d1f3de937af9bc40b97529 Mon Sep 17 00:00:00 2001
From: Ying Li
Date: Thu, 9 Mar 2017 10:45:15 -0800
Subject: [PATCH] Use either the system root pool or an empty cert pool with custom CA roots, and not a joint system+custom CA roots pool, when connecting from a docker client to a remote daemon

Signed-off-by: Ying Li
---
 cli/command/cli.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/cli/command/cli.go b/cli/command/cli.go
index 783e516f3d..77b05d5832 100644
--- a/cli/command/cli.go
+++ b/cli/command/cli.go
@@ -250,8 +250,9 @@ func newHTTPClient(host string, tlsOptions *tlsconfig.Options) (*http.Client, er
 // let the api client configure the default transport.
 return nil, nil
 }
-
- config, err := tlsconfig.Client(*tlsOptions)
+ opts := *tlsOptions
+ opts.ExclusiveRootPools = true
+ config, err := tlsconfig.Client(opts)
 if err != nil {
 return nil, err
 }
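Review bot: The added lines `opts := *tlsOptions` and `opts.ExclusiveRootPools = true` carry a trust decision that nothing in the code states, so a later cleanup could fold them back into `tlsconfig.Client(*tlsOptions)` and silently widen the set of trusted roots again. I would put a comment directly above them, for example `// Copy so the caller's options are not mutated; when a custom CA is configured, trust only that CA rather than system roots plus the custom CA.` The diffstat lists only cli/command/cli.go, so no test appears to pin this behaviour. A case asserting that a daemon certificate chaining to a system root is rejected once a custom CA file is set would guard against regression. newHTTPClient begins before and continues past this hunk, so how `config` is used afterwards is not visible here.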