diff --git a/tonic/src/transport/channel/endpoint.rs b/tonic/src/transport/channel/endpoint.rs
index 3a919e93d..99ff11e9f 100644
--- a/tonic/src/transport/channel/endpoint.rs
+++ b/tonic/src/transport/channel/endpoint.rs
@@ -62,7 +62,7 @@ impl Endpoint {
 let me = dst.try_into().map_err(|e| Error::from_source(e.into()))?;
 #[cfg(feature = "_tls-any")]
 if let EndpointType::Uri(uri) = &me.uri {
- if uri.scheme() == Some(&http::uri::Scheme::HTTPS) {
+ if me.tls.is_none() && uri.scheme() == Some(&http::uri::Scheme::HTTPS) {
 return me.tls_config(ClientTlsConfig::new().with_enabled_roots());
 }
 }
diff --git a/tonic/src/transport/channel/tls.rs b/tonic/src/transport/channel/tls.rs
index 945384fd2..59ecc36fd 100644
--- a/tonic/src/transport/channel/tls.rs
+++ b/tonic/src/transport/channel/tls.rs
@@ -113,11 +113,13 @@ impl ClientTlsConfig {
 /// Activates all TLS roots enabled through `tls-*-roots` feature flags
 pub fn with_enabled_roots(self) -> Self {
- let config = ClientTlsConfig::new();
+ let config = self;
+
 #[cfg(feature = "tls-native-roots")]
 let config = config.with_native_roots();
 #[cfg(feature = "tls-webpki-roots")]
 let config = config.with_webpki_roots();
+
 config
 }
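Review bot: The new `me.tls.is_none()` guard in endpoint.rs carries no comment explaining why it is needed, and the reason is a trust decision rather than a convenience. Without the guard, an `https` URI made this branch call `me.tls_config(ClientTlsConfig::new().with_enabled_roots())` unconditionally, so any TLS configuration the endpoint presumably already carried out of `try_into()` was replaced by the default root stores. I would put `// Only fall back to the enabled roots when no TLS config is present; never overwrite caller-chosen trust settings.` above the condition. A regression test that converts an endpoint holding a custom TLS config with an `https` URI and asserts the config survives would keep this from coming back. The enclosing function starts and continues outside the hunk.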
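Review bot: The doc comment on `with_enabled_roots` in tls.rs was left as it was, but the method's contract changed: it now starts from `self` instead of `ClientTlsConfig::new()`, so the enabled roots are added on top of whatever the caller already configured. For a caller who set a private CA first, the result is presumably a trust store holding that CA plus the native/webpki roots, which is wider than a pinned setup may intend and deserves a sentence in the docs. I would extend the comment with `/// Adds the enabled roots to this configuration; settings already made on it are kept.` and note that with neither `tls-native-roots` nor `tls-webpki-roots` enabled the method returns `self` unchanged.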