From 63bb7d89adb40d8658b42b9c6337ab247c76ebc4 Mon Sep 17 00:00:00 2001
From: Ying Li
Date: Thu, 9 Mar 2017 10:45:15 -0800
Subject: [PATCH] Use either the system root pool or an empty cert pool with custom CA roots, and not a joint system+custom CA roots pool, when connecting from a docker client to a remote daemon.
Signed-off-by: Ying Li
---
 command/cli.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/command/cli.go b/command/cli.go
index 782c3a5074..be38b8acf7 100644
--- a/command/cli.go
+++ b/command/cli.go
@@ -243,8 +243,9 @@ func newHTTPClient(host string, tlsOptions *tlsconfig.Options) (*http.Client, er
 // let the api client configure the default transport.
 return nil, nil
 }
-
- config, err := tlsconfig.Client(*tlsOptions)
+ opts := *tlsOptions
+ opts.ExclusiveRootPools = true
+ config, err := tlsconfig.Client(opts)
 if err != nil {
 return nil, err
 }
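Review bot: The added `opts.ExclusiveRootPools = true` in newHTTPClient has no comment saying why the client must not merge a custom CA with the system pool, so a later cleanup could drop the line without noticing that it changes which certificates the client trusts. I would put this above it: `// Trust only the configured CA roots when custom roots are given; a joint pool would let any system-trusted CA vouch for the daemon.` Copying `*tlsOptions` into `opts` before setting the flag keeps the caller's struct untouched, which is worth keeping. The patch touches only command/cli.go, so nothing here pins the new behaviour; a test asserting that the client built from custom-CA options rejects a certificate chained to a system root would guard it, if one does not already exist elsewhere. The body of newHTTPClient starts and ends outside the hunk.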