From be523fd10e9405d6ed82c56da62b3b9378e3dfd1 Mon Sep 17 00:00:00 2001
From: Adam Wick
Date: Wed, 13 Mar 2024 18:31:32 +0000
Subject: [PATCH] Ooops! Make sure to use the default roots computed early when ca certs are not applied.

---
 lib/src/upstream.rs | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/lib/src/upstream.rs b/lib/src/upstream.rs
index 967998c8..9d4927c4 100644
--- a/lib/src/upstream.rs
+++ b/lib/src/upstream.rs
@@ -38,7 +38,7 @@ static GZIP_VALUES: [HeaderValue; 2] = [
 #[derive(Clone)]
 pub struct TlsConfig {
     partial_config: rustls::ConfigBuilder,
-    roots: rustls::RootCertStore,
+    default_roots: rustls::RootCertStore,
 }
 
 impl TlsConfig {
@@ -62,7 +62,7 @@ impl TlsConfig {
         Ok(TlsConfig {
             partial_config,
-            roots,
+            default_roots: roots,
         })
     }
 }
@@ -122,14 +122,16 @@ impl hyper::service::Service for BackendConnector {
         let (added, ignored) = custom_roots.add_parsable_certificates(&self.backend.ca_certs);
         if ignored > 0 {
             tracing::warn!(
-                "Ignored {} certificates in provide CA certificate.",
+                "Ignored {} certificates in provided CA certificate.",
                 ignored
             );
         }
-        if added > 0 {
-            tracing::trace!("Added {} certificates from provided CA certificate.", added);
-        }
-        let config = config.partial_config.with_root_certificates(custom_roots);
+        let config = if self.backend.ca_certs.is_empty() {
+            config.partial_config.with_root_certificates(config.default_roots)
+        } else {
+            tracing::trace!("Using {} certificates from provided CA certificate.", added);
+            config.partial_config.with_root_certificates(custom_roots)
+        };
         Box::pin(async move {
             let tcp = connect_fut.await.map_err(Box::new)?;
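Review bot: In the `else` branch of the third hunk, a non-empty `ca_certs` whose entries all fail to parse leaves `added == 0` and installs an empty `custom_roots` store, so every backend handshake is rejected for an unknown issuer instead of surfacing a configuration error; that is the right fail-closed outcome, but the existing `ignored > 0` warning is the only hint an operator gets. Consider an explicit `if added == 0 { tracing::error!("No usable certificates in provided CA certificate; backend TLS handshakes will fail."); }` before the `with_root_certificates(custom_roots)` call. The new branch also replaces `default_roots` entirely rather than extending them when custom CAs are given, which is a deliberate trust boundary worth recording on the `default_roots` field, e.g. `/// System roots used only when the backend supplies no CA certificates; supplied CA certificates replace, not augment, these.` Since `custom_roots` is only needed in the `else` branch, the `add_parsable_certificates` call could move there too, avoiding the parse work and the warning when `ca_certs` is empty. The enclosing `call` method begins and ends outside the hunk.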