Channel: Symantec Connect - Messaging Gateway - Discussions

Certificate chain presented by the SMG appliance contains root anchor

I do not need a solution (just sharing information)

During SMTP STARTTLS and HTTPS TLS negotiation the SMG appliance presents a certificate chain.
The presented certificate chain also includes the root anchor certificate, which serves no purpose and is increasing the TLS handshake latency.

RFC5246 states:

"Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case."

So while it seems not to be an issue to include the root certificate according to RFC5246, the SMG appliance could reduce TLS handshake latency by omitting it.

I would like to hear your thoughts on that issue:

https://www.symantec.com/connect/polls/should-root...
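
A check for the condition described in the post above, as an added example that is not part of the original post or of any Symantec tooling: it walks a presented chain of DER certificates, flags the self-issued (root) entries, and reports the bytes they add to a TLS 1.2 Certificate message. The function names and the sample chain are hypothetical and constructed for illustration; issuer equal to subject is assumed to identify the root, and signatures are not verified.

```python
# Added example: find self-issued (root) certificates in a presented chain and
# the bytes they add to a TLS 1.2 Certificate message. Standard library only.
# Assumption: issuer == subject marks the root; signatures are not verified.

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(cert):
    """Return the raw DER issuer and subject Names of an X.509 certificate."""
    _, pos, _ = read_tlv(cert, 0)    # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, pos)  # TBSCertificate SEQUENCE
    fields = []
    while len(fields) < 5:  # serial, sigAlg, issuer, validity, subject
        tag, _, end = read_tlv(cert, pos)
        if tag != 0xA0:  # skip the optional [0] version field
            fields.append(cert[pos:end])
        pos = end
    return fields[2], fields[4]

def root_overhead(chain):
    """Return (indexes of self-issued certs, bytes they add on the wire)."""
    roots = [i for i, c in enumerate(chain)
             if issuer_and_subject(c)[0] == issuer_and_subject(c)[1]]
    # Each certificate_list entry is a 3-byte length prefix plus the DER cert.
    return roots, sum(3 + len(chain[i]) for i in roots)

# --- Constructed sample data: unsigned certificate skeletons, not real certs ---
def tlv(tag, *parts):
    body = b"".join(parts)
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_cert(issuer, subject):
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03"),
                                              tlv(0x0C, cn.encode()))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), tlv(0x30),
              name(issuer), tlv(0x30), name(subject), tlv(0x03, bytes(271)))
    return tlv(0x30, tbs, tlv(0x30), tlv(0x03, bytes(257)))

SAMPLE_CHAIN = [sample_cert("Example Issuing CA", "smg.example.test"),
                sample_cert("Example Root CA", "Example Issuing CA"),
                sample_cert("Example Root CA", "Example Root CA")]

if __name__ == "__main__":
    roots, extra = root_overhead(SAMPLE_CHAIN)
    print(f"self-issued certs at positions {roots}, {extra} extra handshake bytes")
```

To run it against a real appliance, convert the PEM blocks printed by `openssl s_client -showcerts` to DER with `ssl.PEM_cert_to_DER_cert` and pass them in the order presented.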
