In the custom resource template that is distributed for the operator, there is following line:

 enabledCipherSuites: SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA

These cipher suites are likely weak and are not supported bu our messaging clients. When this field is removed form CR and cipher suite used is left for negotiation the "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" is agreed upon by broker from the list offered by the client. List of other potential cipher suites is attached to this jira. This is one of the reasons for potential issues with SSL connections for broker on OpenShift.