I am not an expert in the JSSE API, so without specifics regarding APIs you
are trying to use I don't think I can be of much help. From browsing around
a little bit, it looks like we can simply have the server specify the CA
certs that it respects and the client will attempt to use one of the certs
in its store that is signed by one of them. Maybe this StackOverflow thread
will help?

Also the JSSE reference guide:
And of course, the Flume Avro Source (check the Netty pipeline factory

The logic you are describing regarding a fallback CA sounds somewhat
complicated. I'd bet you can make those requirements fit into how the JSSE
API was designed and have it require only one SSL handshake sequence by
having the server specify multiple acceptable CAs to the client.
On Thu, Jan 30, 2014 at 12:29 AM, Pritchard, Charles X. -ND <
NEW: Monitor These Apps!
elasticsearch, apache solr, apache hbase, hadoop, redis, casssandra, amazon cloudwatch, mysql, memcached, apache kafka, apache zookeeper, apache storm, ubuntu, centOS, red hat, debian, puppet labs, java, senseiDB