Currently if you specify a JmsBridgeConnection, with an outbound connection factory where the broker URL is using the SSL transport, the only way you can control its SSL connection details (keystore etc.) is via the VM level SSL_OPTS method. This is because the ActiveMQConnectionFactory is configured outside the broker and so does not use its SslContext which is broker specific. Fundamentally the SSL connection details are related to the connections, rather than the broker or the whole VM; so it would make sense to be able to configure each and every 'connection' in the broker with a potentially different SslContext. JMS bridge connections are highly likely to require SSL connections as they tend to connect distinct networks, client connections are also likely to use SSL and there is no easy way to configure those either.
So, the suggestion is that broker URL parameters be used to provide the details of the path to the keystore, truststore and their password. In this way the SslTransportFactory can decipher the required SslContext. If no connection specific parameters are used then the transport factory should fall back on the broker level SSL context, and if there was none defined then the VM level SSL context would be the default. Named SslContext objects might also be a solution.