
Don’t add Bouncycastle as Security Provider when found on the Classpath


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 6.1.0, 5.18.4, 5.17.7, 6.0.2
    • Component/s: Broker
    • Labels: None

    Description

      When Bouncycastle (bcprov) is on the classpath, the class org.apache.activemq.broker.BrokerService automatically adds Bouncycastle as security provider at the end of the JVM's provider chain without the ability to prevent it: https://github.com/apache/activemq/blob/main/activemq-broker/src/main/java/org/apache/activemq/broker/BrokerService.java#L282 .

      When ActiveMQ is embedded in an application, this is quite an invasive step and can lead to unexpected behavior if the application does not expect Bouncycastle as security provider.

      Looking at the commit history, this was introduced in May 2013 with AMQ-4520 to address problems with the TLS implementation in JDK 7. The Jira issue references another issue in the activemq-apollo project where similar problems with JDK 7 are mentioned: APLO-287. Apollo fixed these problems by adding Bouncycastle at the second position in the provider chain. In AMQ-4520 the same fix was introduced in BrokerService.
      In May 2016, the position of Bouncycastle in the provider chain was made configurable by a system property with AMQ-6247 due to side effects of the original fix. The default was still the second position.
      In January 2020 the default position was changed from 2 to the end of the provider chain with AMQ-7142.

      Since this feature was initially introduced to address problems in JDK 7 and was subsequently causing problems in the years after (hence the other two changes in 2016 and 2020) I suggest to remove this feature completely or to at least allow disabling it by setting a system property.

      I'll be happy to help with a PR if needed.

      This issue affects all versions since the introduction of this feature.
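As an added illustration (not code from the ActiveMQ project or the reporter), the following Java helper shows how an embedding application can detect the side effect described above: it snapshots java.security.Security.getProviders() before and after BrokerService.start(), reports any provider that appeared or moved, and removes "BC" only if the application had not registered it itself. The assumption that nothing else in the JVM depends on Bouncycastle staying installed must be verified before the removal is enabled in real code.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import org.apache.activemq.broker.BrokerService;

public class ProviderChainGuard {
    // JCA provider names currently registered, in precedence order (position 1 first).
    static List<String> providerNames() {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            names.add(p.getName());
        }
        return names;
    }
    // Providers that appeared in 'after', or whose position differs from 'before'.
    static List<String> changes(List<String> before, List<String> after) {
        List<String> changed = new ArrayList<>();
        for (int i = 0; i < after.size(); i++) {
            String name = after.get(i);
            int oldPos = before.indexOf(name);
            if (oldPos < 0) {
                changed.add(name + " added at position " + (i + 1));
            } else if (oldPos != i) {
                changed.add(name + " moved from position " + (oldPos + 1) + " to " + (i + 1));
            }
        }
        return changed;
    }
    public static void main(String[] args) throws Exception {
        List<String> before = providerNames();
        // Embedded broker with persistence and JMX off so the example runs stand-alone.
        BrokerService broker = new BrokerService();
        broker.setPersistent(false);
        broker.setUseJmx(false);
        broker.start();
        try {
            List<String> diff = changes(before, providerNames());
            System.out.println("Provider chain changes after BrokerService.start(): " + diff);
            // Restore the original chain only if this application never registered "BC"
            // itself. Assumption: nothing else in the JVM relies on Bouncycastle.
            if (!before.contains("BC") && Security.getProvider("BC") != null) {
                Security.removeProvider("BC");
            }
        } finally {
            broker.stop();
        }
    }
}
```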


          People

            Assignee: jbonofre Jean-Baptiste Onofré
            Reporter: st.ferstl@gmail.com Stefan Ferstl
