thanks for your quick reply. As suggested, I have opened a new JIRA (https://jira.hyperledger.org/browse/FAB-17998).
Regarding (3.), we have already added the intermediate certificates to the channel configuration. Let me try to give a proper explanation on what we want to achieve:
Suppose we have an orderer with a TLS chain "orderer.crt -> intermediate.crt -> root.crt" and want to create a new channel with "peer channel create". Now, if we are contacting the organisations orderer, we could simply specify "--cafile intermediate.crt" and the TLS handshake would succeed. However, if we are contacting another organisations orderer, we do not want look up its "intermediate.crt" within the channel config. We would like to be able to specify "--cafile root.crt" no matter which orderer we are contacting. For some reason, this always results in a failed TLS handshake. We would expect the orderer to supply its full chain of certificates (or at least "orderer.crt -> intermediate.crt") in the handshake, but can not figure out how to achieve this. As mentioned, our workaround is to build the TLS chain through manually appending "intermediate.crt" to "orderer.crt". Is there a way for the orderer/peer to do this automatically? Maybe through the fabric configuration files orderer.yaml/core.yaml?