- Bug
- Resolution: Done
- Major
- None
- AMQ 7.11.5.GA
An `amqp-connection` has two targets for mirroring. Both are named in the same URI. Both are TLS-enabled. The configuration in the broker that is the mirror source looks like this:
```xml
<amqp-connection uri="(tcp://dead-broker:5773,tcp://rupert:5773)?sslEnabled=true;trustStorePath=/home/kevin/keystore.jks;trustStorePassword=changeit" name="myconnection">
```
For the purposes of testing, the hostname `dead-broker` simulates a target that is down. This target's hostname appears first in the connection URI.
The working broker is on a host called `rupert` in this case, with an acceptor on port 5773, and the acceptor has a self-signed certificate with `CN=rupert`, so hostname verification should work. When this broker is listed first in the connection URI, it does work – the connection is made and messages will pass.
When the 'dead' broker is listed first, the connection fails. The broker correctly detects that `dead-broker` is not reachable, and tries to connect to `rupert`. When it does, the connection fails with this exception:
```text
2024-02-21 08:21:38,227 ERROR [org.apache.activemq.artemis.core.client] AMQ214016: Failed to create netty connection javax.net.ssl.SSLHandshakeException: No name matching dead-broker found
```
It seems that the hostname verification is using `dead-broker` as the hostname to test against the broker's certificate. But the working broker has a (correct) certificate for the hostname `rupert`, so verification fails.
A workaround is to disable hostname verification completely, but this isn't a long-term solution.
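The following is an added example, not code from the report or from the AMQ/Artemis code base. It models the failover behaviour described above offline: it parses the report's `amqp-connection` URI, walks the target list, and checks the peer certificate's identity against the host that was actually reached, with a switch that reproduces the reported behaviour of checking against the first host in the URI instead. The certificate stand-in (`subject_cn`, `san_dns`), the `fake_reach` network model, the `HostnameMismatch` exception and the RFC 6125-style matcher are all assumptions of this example; in a real TLS client the equivalent of `expected` is the hostname handed to the TLS layer (SNI / `server_hostname`) for the current attempt.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed stand-in for the parts of an X.509 certificate that matter for
# hostname verification: subjectAltName dNSNames and the subject CN.
Cert = Dict[str, object]


class HostnameMismatch(Exception):
    """Assumed exception type; stands in for javax.net.ssl.SSLHandshakeException."""


def parse_failover_uri(uri: str) -> Tuple[List[Tuple[str, int]], Dict[str, str]]:
    """Parse '(tcp://h1:p1,tcp://h2:p2)?k=v;k=v' into a target list and its params."""
    m = re.fullmatch(r"\s*\((?P<targets>[^)]*)\)(?:\?(?P<params>.*))?\s*", uri)
    if m is None:
        raise ValueError(f"not a failover URI: {uri!r}")
    targets: List[Tuple[str, int]] = []
    for raw in m.group("targets").split(","):
        u = urlparse(raw.strip())
        if u.scheme != "tcp" or not u.hostname or u.port is None:
            raise ValueError(f"bad target {raw!r}")
        targets.append((u.hostname, u.port))
    params: Dict[str, str] = {}
    for kv in filter(None, (m.group("params") or "").split(";")):
        key, _, value = kv.partition("=")
        params[key] = value
    return targets, params


def _dns_id_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS-ID match: a wildcard is only honoured as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    return (p_labels[0] == "*" and len(p_labels) >= 3
            and len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:])


def identity_matches(cert: Cert, host: str) -> bool:
    """SAN dNSNames take precedence; the CN is only consulted when there are none."""
    san = cert.get("san_dns") or []
    if san:
        return any(_dns_id_matches(p, host) for p in san)  # type: ignore[arg-type]
    cn = cert.get("subject_cn")
    return bool(cn) and _dns_id_matches(str(cn), host)


def connect_with_failover(uri: str, reach: Callable[[str, int], Cert],
                          verify_first_host: bool = False) -> Tuple[str, int]:
    """Try the targets in order and verify the name of the target actually reached.

    reach(host, port) models TCP connect + TLS handshake: it returns the peer's
    certificate or raises ConnectionRefusedError. verify_first_host=True reproduces
    the behaviour in the report: the first host in the URI is the expected name
    regardless of which target answered.
    """
    targets, params = parse_failover_uri(uri)
    if params.get("sslEnabled", "false").lower() != "true":
        raise ValueError("this example only models TLS-enabled connections")
    last_error: Optional[Exception] = None
    for host, port in targets:
        try:
            cert = reach(host, port)
        except ConnectionRefusedError as e:
            last_error = e
            continue
        # The correct expected name is the host of *this* attempt; it is also
        # what should go into SNI / server_hostname for the handshake.
        expected = targets[0][0] if verify_first_host else host
        if not identity_matches(cert, expected):
            raise HostnameMismatch(f"No name matching {expected} found")
        return host, port
    raise ConnectionError("no target reachable") from last_error


def try_connect(uri: str, reach: Callable[[str, int], Cert],
                verify_first_host: bool = False) -> str:
    """Convenience wrapper that turns the outcome into a one-line string."""
    try:
        host, port = connect_with_failover(uri, reach, verify_first_host)
        return f"connected to {host}:{port}"
    except (HostnameMismatch, ConnectionError) as e:
        return f"error: {e}"


# Constructed inputs mirroring the report: dead-broker is down, rupert serves a
# self-signed certificate with CN=rupert and no SAN.
REPORT_URI = ("(tcp://dead-broker:5773,tcp://rupert:5773)"
              "?sslEnabled=true;trustStorePath=/home/kevin/keystore.jks;trustStorePassword=changeit")
RUPERT_FIRST_URI = "(tcp://rupert:5773,tcp://dead-broker:5773)?sslEnabled=true"
RUPERT_CERT: Cert = {"subject_cn": "rupert", "san_dns": []}


def fake_reach(host: str, port: int) -> Cert:
    """Constructed network model; assumption of this example, not a real socket."""
    if host == "rupert" and port == 5773:
        return RUPERT_CERT
    raise ConnectionRefusedError(f"{host}:{port} unreachable")


if __name__ == "__main__":
    print(try_connect(REPORT_URI, fake_reach, verify_first_host=True))   # reported behaviour
    print(try_connect(REPORT_URI, fake_reach))                           # per-target check
    print(try_connect(RUPERT_FIRST_URI, fake_reach, verify_first_host=True))
```

Run as written, the first line reproduces the report's `No name matching dead-broker found`, the second connects to `rupert:5773`, and the third shows why the bug is invisible when the live broker is listed first: there the first host and the reached host coincide. Disabling hostname verification removes the check entirely; the fix the example models keeps it and only changes which name is expected.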