After the upgrade from SGOS 6.7 to 7.2 and newer the Proxy SG does not send Intermediate or Root CA certificates in the TLS handshake when SSL intercept is enabled.

The behavior difference between 6.7.5.x and 7.2.5.1 can be summarized below.

1.       The emulated server cert and the proxy resigning CA are always put on the wire for both versions;

2.       For 6.7.x, the CA chain up to the root CA (included) are sent during the TLS handshake if they are found in the CA list;

3.       For 7.2.x, the CA chain up to but not including the root CA are put on the wire if they are added to the issuer keyring, the root CA is never put into the TLS handshake;

It was determined that sending the Root CA certificate is a security breach and not RFC compliant.

The Root CA certificate will never be put in the TLS handshake. The workaround for the Intermediate CA certificate to be send is to add it directly to the keyring used for SSL intercept