I'm trying to authenticate a client via the EXTERNAL mech, but it is failing.
After some debugging, I noticed that the client certificate is being validated against the S2S truststore, not the C2S truststore.
See the class SASLAuthentication (line 584):
trusted = CertificateManager.getEndEntityCertificate(connection.getPeerCertificates(), SSLConfig.getKeyStore(), SSLConfig.gets2sTrustStore());