From dce8681594585a722a843539a41e52b4e9df3a6f Mon Sep 17 00:00:00 2001 From: Patrick Steinhardt Date: Sun, 21 Jun 2026 12:59:37 +0200 Subject: [PATCH] android: honor user-installed CA certificates for DERP servers In e7fca1a (libtailscale,android: use ExtraRootCAs for user-installed CA certificates, 2026-04-08), we added the ability to honor user-installed CA certificates. This allows the user to connect to a Headscale server that uses a self-signed certificate. While this works for connecting to the server itself, this new feature is broken in case any of the DERP servers contained in the DERP map use self-signed certificates, too. This is because we set up the cert pool for `sys.ExtraRootCAs`, but not for `wgengine.Config`. The latter though is what we use to configure the DERP client, and consequently the TLS dialer doesn't respect any user-installed CA certificates. Fix this by propagating the cert pool via `wgengine.Config`. Signed-off-by: Patrick Steinhardt --- libtailscale/backend.go | 1 + 1 file changed, 1 insertion(+) diff --git a/libtailscale/backend.go b/libtailscale/backend.go index 5c220059a1..35828086f3 100644 --- a/libtailscale/backend.go +++ b/libtailscale/backend.go @@ -336,6 +336,7 @@ func (a *App) newBackend(dataDir string, appCtx AppContext, store *stateStore, DNS: vf, ReconfigureVPN: vf.ReconfigureVPN, Dialer: dialer, + ExtraRootCAs: sys.ExtraRootCAs, SetSubsystem: sys.Set, NetMon: b.netMon, HealthTracker: sys.HealthTracker.Get(),
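Review bot: the new `ExtraRootCAs: sys.ExtraRootCAs,` line copies the pool value into `wgengine.Config` at the moment `newBackend` builds the literal, whereas the neighbouring `HealthTracker: sys.HealthTracker.Get(),` reads through an accessor; please confirm that `sys.ExtraRootCAs` is already populated with the user-installed CA pool (the setup the message attributes to e7fca1a) before `newBackend` runs, otherwise the DERP dialer captures a nil pool and the fix is silently a no-op. The commit message also explains that `wgengine.Config` is what configures the DERP client but nothing in the hunk exercises that path; a test that points the DERP map at a server with a self-signed certificate and asserts the TLS dial succeeds with the pool set (and fails without it) would keep this from regressing the way the first change did.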
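The failure mode described in the commit message, as an added Go example that is not part of the patch or of Tailscale's own code: a throwaway private CA and a server certificate issued by it are constructed in-process (standing in for a user-installed CA and a self-signed DERP server), and two TLS configurations are built the way the message describes, one for the control connection and one for the DERP dialer. With `propagateToDERP=false` only the control configuration receives the pool, which is the pre-fix behaviour; with `true` both do. The host name, the function and field names, and the `propagateToDERP` switch are assumptions for illustration, not names from the repository.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSelfSignedCA builds a throwaway private CA. This is constructed test
// data standing in for a user-installed CA certificate.
func newSelfSignedCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf issues a server certificate for host signed by the private CA,
// the kind of certificate a self-hosted DERP server would present.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildDialerConfigs mirrors the shape of the bug: the control-plane dialer and
// the DERP dialer are configured independently. extra is the pool of
// user-installed CAs. A nil RootCAs means "system roots only".
func buildDialerConfigs(extra *x509.CertPool, propagateToDERP bool) (control, derp *tls.Config) {
	control = &tls.Config{RootCAs: extra}
	derp = &tls.Config{} // pre-fix: pool never reaches the DERP side
	if propagateToDERP {
		derp.RootCAs = extra // fixed: same pool threaded through
	}
	return control, derp
}

// verifyWith performs the chain check crypto/tls would perform during the
// handshake, using the RootCAs of cfg (nil selects the system pool).
func verifyWith(cfg *tls.Config, leaf *x509.Certificate, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: host})
	return err
}

// checkPropagation reports whether the control and the DERP dialer each accept
// a DERP server certificate issued by the private CA.
func checkPropagation(propagateToDERP bool) (controlOK, derpOK bool, err error) {
	ca, caKey, err := newSelfSignedCA()
	if err != nil {
		return false, false, err
	}
	const derpHost = "derp.example.internal" // assumed host name
	leaf, err := issueLeaf(ca, caKey, derpHost)
	if err != nil {
		return false, false, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	control, derp := buildDialerConfigs(pool, propagateToDERP)
	controlOK = verifyWith(control, leaf, derpHost) == nil
	derpOK = verifyWith(derp, leaf, derpHost) == nil
	return controlOK, derpOK, nil
}

func main() {
	for _, propagate := range []bool{false, true} {
		c, d, err := checkPropagation(propagate)
		if err != nil {
			panic(err)
		}
		fmt.Printf("propagate=%v control=%v derp=%v\n", propagate, c, d)
	}
}
```

The check deliberately calls `x509.Certificate.Verify` directly rather than opening a socket: it is the same chain validation `crypto/tls` runs on the server certificate during the handshake, so the result shows exactly which dialer would have rejected the self-signed DERP server before the pool was propagated.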