fix(httpclient): clone DefaultTransport + only set RootCAs with custom CA (OD-30)

andrzej-janczak · claude · andrzej-janczak · commit e6b5a4f5e191 · 2026-06-10T09:36:36.000+02:00
Address PR #205 review: - Clone http.DefaultTransport to preserve connection pooling, idle/handshake timeouts, and HTTP/2 instead of building a bare Transport. - Only set tls.Config.RootCAs when SSL_CERT_FILE is configured; leave nil otherwise so Go uses default system verification. Prevents an empty pool (when SystemCertPool fails) from rejecting all TLS handshakes. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
diff --git a/utils/httpclient/client.go b/utils/httpclient/client.go
@@ -20,10 +20,11 @@ func New(opts ...Option) (*http.Client, error) {
 		return nil, err
 	}
 
-	transport := &http.Transport{
-		Proxy:           http.ProxyFromEnvironment,
-		TLSClientConfig: tlsCfg,
-	}
+	// Clone DefaultTransport to preserve Go's tuned defaults (connection pooling,
+	// idle/handshake timeouts, HTTP/2) and only override proxy + TLS.
+	transport := http.DefaultTransport.(*http.Transport).Clone()
+	transport.Proxy = http.ProxyFromEnvironment
+	transport.TLSClientConfig = tlsCfg
 
 	return &http.Client{
 		Timeout:   o.Timeout,
diff --git a/utils/httpclient/tls.go b/utils/httpclient/tls.go
@@ -22,22 +22,25 @@ func buildTLSConfig() (*tls.Config, error) {
 		return cfg, nil
 	}
 
-	pool, err := x509.SystemCertPool()
-	if err != nil || pool == nil {
-		pool = x509.NewCertPool()
-	}
-
+	// Only override RootCAs when a custom CA bundle is configured. Otherwise leave
+	// it nil so Go falls back to default system verification — building an explicit
+	// pool unconditionally is wasteful and, if SystemCertPool fails, would leave an
+	// empty pool that rejects every TLS handshake.
 	if path := caBundlePath(); path != "" {
+		pool, err := x509.SystemCertPool()
+		if err != nil || pool == nil {
+			pool = x509.NewCertPool()
+		}
 		pemBytes, err := os.ReadFile(path)
 		if err != nil {
 			return nil, fmt.Errorf("failed to read CA bundle from %s (%s): %w", EnvCABundle, path, err)
 		}
 		if !pool.AppendCertsFromPEM(pemBytes) {
 			return nil, fmt.Errorf("no valid certificates found in CA bundle %s (%s)", EnvCABundle, path)
 		}
+		cfg.RootCAs = pool
 	}
 
-	cfg.RootCAs = pool
 	return cfg, nil
 }
 

Original file line number	Diff line number	Diff line change
`@@ -22,22 +22,25 @@ func buildTLSConfig() (*tls.Config, error) {`
`22`	`22`	`return cfg, nil`
`23`	`23`	`}`
`24`	`24`
`25`		`- pool, err := x509.SystemCertPool()`
`26`		`- if err != nil \|\| pool == nil {`
`27`		`- pool = x509.NewCertPool()`
`28`		`- }`
`29`		`-`
	`25`	`+ // Only override RootCAs when a custom CA bundle is configured. Otherwise leave`
	`26`	`+ // it nil so Go falls back to default system verification — building an explicit`
	`27`	`+ // pool unconditionally is wasteful and, if SystemCertPool fails, would leave an`
	`28`	`+ // empty pool that rejects every TLS handshake.`
`30`	`29`	`if path := caBundlePath(); path != "" {`
	`30`	`+ pool, err := x509.SystemCertPool()`
	`31`	`+ if err != nil \|\| pool == nil {`
	`32`	`+ pool = x509.NewCertPool()`
	`33`	`+ }`
`31`	`34`	`pemBytes, err := os.ReadFile(path)`
`32`	`35`	`if err != nil {`
`33`	`36`	`return nil, fmt.Errorf("failed to read CA bundle from %s (%s): %w", EnvCABundle, path, err)`
`34`	`37`	`}`
`35`	`38`	`if !pool.AppendCertsFromPEM(pemBytes) {`
`36`	`39`	`return nil, fmt.Errorf("no valid certificates found in CA bundle %s (%s)", EnvCABundle, path)`
`37`	`40`	`}`
	`41`	`+ cfg.RootCAs = pool`
`38`	`42`	`}`
`39`	`43`
`40`		`- cfg.RootCAs = pool`
`41`	`44`	`return cfg, nil`
`42`	`45`	`}`
`43`	`46`