Hello, I am working with a client on dotnet using the NuGet packages Apache.NMS and Apache.NMS.ActiveMQ, which is attempting to communicate specifically with an ActiveMQ broker via SSL. I have a few questions:
1. Does ActiveMQ support SNI auth during the SSL handshake? Can we add issuer and root CA certs to the trust store and expect the underlying system to verify the chain? If unsupported, we would need to redeploy on cert rotation, or is there any other way to avoid redeployment?
2. In which field do we add the keystore password and truststore details? I do not see any fields in the SslTransportFactory class which take these details. Is there another class or method via which we can configure the dotnet client? I see fields like BrokerCertFilename and ClientCertPassword instead of trust store file name, its location and keystore password. Is this because the package creates a trust store by adding the broker cert to a trust store at runtime? This would mean we cannot support certificate verification via CAs as mentioned in point 1?
3. How do we configure a revocation list in the dotnet client? If the broker cert is revoked, how do we ensure the client no longer accepts the invalid broker cert in case SNI is supported? The documentation mentions having a static revocation list on the broker SSL context, but I could not find info on the client which uses this package.

Also, please share any applicable documentation and/or recommendations around connecting a dotnet client over SSL to an ActiveMQ broker without redeployment on rotation and with revocation support. Thanks.