JiriBilek / WiFiSpi

SPI library for Arduino AVR and STM32F1 to connect to ESP8266
GNU Lesser General Public License v3.0

ESP8266: change AxTLS to BearSSL #23

Closed JiriBilek closed 3 years ago

JiriBilek commented 3 years ago

AxTLS is now deprecated in https://github.com/esp8266/Arduino and should not be used. Changing to BearSSL gives us more control over certificate validation but requires some changes on the client side:

  1. The default SSL connection should be established as insecure. While this is really bad in terms of security, it is required for not breaking the existing code.
  2. Remove the WiFiSpiClient::verifySSL function.
  3. Add the WiFiSpiClient::setFingerprint function. A good first step, but rather difficult to maintain with short-lived certificates (e.g. from the Let's Encrypt authority).
  4. Think about adding full certificate chain validation. It requires loading a valid CA certificate into the ESP.

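
To make the difference between points 1 and 3 concrete, here is an added example (not code from WiFiSpi or the ESP8266 core) of the check a fingerprint-pinning client performs: it parses a pin in the colon-separated hex form the ESP8266 BearSSL client accepts for setFingerprint, compares it in constant time with the SHA-1 of the presented certificate, and shows that the insecure default skips the check entirely. The names parseFingerprint, fingerprintMatches, acceptServer and the Mode enum are hypothetical; the 20-byte fingerprint passed in stands in for the hash BearSSL would compute from the server's DER certificate.

```cpp
#include <array>
#include <cctype>
#include <cstdint>
#include <string>

constexpr size_t kFpLen = 20;                 // SHA-1 digest length
using Fingerprint = std::array<uint8_t, kFpLen>;

// Parse "AB:CD:..." (colons and spaces optional, case-insensitive).
// Returns false on non-hex characters, an odd digit count, or a wrong length,
// so a mistyped pin can never silently become "match anything".
bool parseFingerprint(const std::string& text, Fingerprint& out) {
    size_t n = 0;
    int hi = -1;                               // pending high nibble, -1 if none
    for (char ch : text) {
        unsigned char c = static_cast<unsigned char>(ch);
        if (c == ':' || c == ' ') continue;
        if (!std::isxdigit(c)) return false;
        int v = std::isdigit(c) ? c - '0' : std::tolower(c) - 'a' + 10;
        if (hi < 0) { hi = v; continue; }
        if (n == kFpLen) return false;         // more than 20 bytes
        out[n++] = static_cast<uint8_t>((hi << 4) | v);
        hi = -1;
    }
    return hi < 0 && n == kFpLen;              // reject odd digits / short pins
}

// Constant-time compare: does not leak how many leading bytes matched.
bool fingerprintMatches(const Fingerprint& pinned, const Fingerprint& seen) {
    uint8_t diff = 0;
    for (size_t i = 0; i < kFpLen; ++i) diff |= pinned[i] ^ seen[i];
    return diff == 0;
}

enum class Mode { Insecure, Fingerprint };

// Decide whether the handshake may proceed. `seen` is the SHA-1 of the
// certificate the server presented (constructed by the caller here).
bool acceptServer(Mode mode, const Fingerprint* pinned, const Fingerprint& seen) {
    if (mode == Mode::Insecure) return true;   // the insecure default: no validation
    return pinned != nullptr && fingerprintMatches(*pinned, seen);
}
```

Because the pin is bound to one certificate, it stops matching the moment the server renews, which is the maintenance burden point 3 notes for short-lived Let's Encrypt certificates.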
JiriBilek commented 3 years ago

Done in version 0.3.0