From 8e3f3df0c28fa8a9fe66e655bd0caa2d3a0b286d Mon Sep 17 00:00:00 2001
From: Andreas Kupries <andreas.kupries@suse.com>
Date: Thu, 26 Jan 2023 16:08:17 +0100
Subject: [PATCH] fix: keep tls config structurues of http and websockets
 separate, unshared ref: #445 ref:
 https://github.com/gorilla/websocket/issues/601#issuecomment-1008110621

---
 internal/auth/certs.go            | 2 +-
 internal/cli/settings/settings.go | 4 +---
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/internal/auth/certs.go b/internal/auth/certs.go
index 25a2a40dec..56003bc713 100644
--- a/internal/auth/certs.go
+++ b/internal/auth/certs.go
@@ -42,7 +42,7 @@ func ExtendLocalTrust(certs string) {
 	}
 
 	http.DefaultTransport.(*http.Transport).TLSClientConfig = config
-	websocket.DefaultDialer.TLSClientConfig = config
+	websocket.DefaultDialer.TLSClientConfig = config.Clone()
 
 	// See https://github.com/gorilla/websocket/issues/601 for
 	// what this is a work around for.
diff --git a/internal/cli/settings/settings.go b/internal/cli/settings/settings.go
index ea587f39dc..b1afc7e9ed 100644
--- a/internal/cli/settings/settings.go
+++ b/internal/cli/settings/settings.go
@@ -132,13 +132,11 @@ func LoadFrom(file string) (*Settings, error) {
 			}
 
 			http.DefaultTransport.(*http.Transport).TLSClientConfig = tlsInsecure
-			websocket.DefaultDialer.TLSClientConfig = tlsInsecure
 		} else {
 			// nolint:gosec // Controlled by user option
 			http.DefaultTransport.(*http.Transport).TLSClientConfig.InsecureSkipVerify = true
-			// websocket.DefaultDialer.TLSClientConfig refers to the same structure,
-			// and the assignment has modified it also.
 		}
+		websocket.DefaultDialer.TLSClientConfig = http.DefaultTransport.(*http.Transport).TLSClientConfig.Clone()
 	}
 
 	if !cfg.Colors || viper.GetBool("no-colors") {