From a9e1b8fb84a8a4062225f0d05e2aaf4bd5b4fa2d Mon Sep 17 00:00:00 2001
From: Dave Collins
Date: Wed, 25 Jun 2014 21:48:40 -0500
Subject: [PATCH] Use system CAs when Certificates are not specified.
This commit modifies the TLS setup to only override the RootCAs for the TLS connection if certificates are specified. This allows the Certificates parameter to be ommitted from the connection config to use the system CAs.
---
 infrastructure.go | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/infrastructure.go b/infrastructure.go
index 511202c87..b45009b2d 100644
--- a/infrastructure.go
+++ b/infrastructure.go
@@ -966,10 +966,12 @@ func newHTTPClient(config *ConnConfig) (*http.Client, error) {
 // Configure TLS if needed.
 var tlsConfig *tls.Config
 if !config.DisableTLS {
- pool := x509.NewCertPool()
- pool.AppendCertsFromPEM(config.Certificates)
- tlsConfig = &tls.Config{
- RootCAs: pool,
+ if len(config.Certificates) > 0 {
+ pool := x509.NewCertPool()
+ pool.AppendCertsFromPEM(config.Certificates)
+ tlsConfig = &tls.Config{
+ RootCAs: pool,
+ }
 }
 }
@@ -990,12 +992,14 @@ func dial(config *ConnConfig) (*websocket.Conn, error) {
 var tlsConfig *tls.Config
 var scheme = "ws"
 if !config.DisableTLS {
- pool := x509.NewCertPool()
- pool.AppendCertsFromPEM(config.Certificates)
 tlsConfig = &tls.Config{
- RootCAs: pool,
 MinVersion: tls.VersionTLS12,
 }
+ if len(config.Certificates) > 0 {
+ pool := x509.NewCertPool()
+ pool.AppendCertsFromPEM(config.Certificates)
+ tlsConfig.RootCAs = pool
+ }
 scheme = "wss"
 }
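Review bot: The result of `pool.AppendCertsFromPEM(config.Certificates)` is still discarded inside the new `len(config.Certificates) > 0` branch of newHTTPClient, and the dial hunk below does the same. A non-empty Certificates value that holds no parseable PEM certificate leaves RootCAs as an empty, non-nil pool, so every handshake fails with an unknown-authority error rather than a clear configuration error. I would check the boolean, e.g. `if !pool.AppendCertsFromPEM(config.Certificates) { return nil, errors.New("no valid PEM certificates in Certificates") }` (assuming `errors` is available in this file). Separately, this branch builds the tls.Config without `MinVersion: tls.VersionTLS12`, which dial sets, and leaves tlsConfig nil on the system-CA path, so the HTTP client's protocol floor falls to the library default. newHTTPClient's body continues outside the hunk.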
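Review bot: The fallback in dial is silent: when Certificates is empty, RootCAs stays nil and crypto/tls verifies the server against the host's system CA store, which is a wider trust set than a single pinned certificate. A caller whose certificate load produced an empty slice previously got a failed handshake and now gets a connection to any server that presents a publicly trusted certificate for that host name. A comment above the new `if` would record this, e.g. `// Empty Certificates leaves RootCAs nil, so the system CA pool is used to verify the server.`, and the Certificates field documentation (not visible in this hunk) should presumably say the same. dial's body continues outside the hunk.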