Using insecure mode with ESP8266 which makes the ESP accept any certificate without verification and therefore susceptible to MITM attacks. This has been a mgmt decision since the other option would have been that the ESPs will not be able to connect to the ArduinoIoTCloud anymore when the leaf certificate is exchanged (which happens once/year or even sooner than that). Unfortunately the ESP8266 does not have the capability to verify the whole chain of trust which is the reason why the verification of the leaf certificate has been the option used in the first place - despite breaking minimum once/year.

Author: aentinger

src/ArduinoIoTCloud.cpp

@@ -20,8 +20,6 @@
 #ifdef BOARD_HAS_ECCX08
   #include "utility/ECCX08Cert.h"
   #include <ArduinoECCX08.h>
-#elif defined(BOARD_ESP)
-  #include "utility/Certificate.h"
 #endif
 
 #ifdef ARDUINO_ARCH_SAMD
@@ -62,7 +60,6 @@ ArduinoIoTCloudClass::ArduinoIoTCloudClass() :
   _thing_id(""),
   _sslClient(NULL),
   #ifdef BOARD_ESP
-  _certificate(MQTTS_UP_ARDUINO_CC_CERTIFICATE),
   _password(""),
   #endif
   _mqttClient(NULL),
@@ -154,7 +151,7 @@ int ArduinoIoTCloudClass::begin(Client& net, String brokerAddress, uint16_t brok
   _sslClient->setEccSlot(keySlot, ECCX08Cert.bytes(), ECCX08Cert.length());
   #elif defined(BOARD_ESP)
   _sslClient = new WiFiClientSecure();
-  _sslClient->setTrustAnchors(&_certificate);
+  _sslClient->setInsecure();
   #endif
 
   _mqttClient = new MqttClient(*_sslClient);

src/ArduinoIoTCloud.h

@@ -228,7 +228,6 @@ class ArduinoIoTCloudClass {
     BearSSLClient *_sslClient;
     #elif defined(BOARD_ESP)
     WiFiClientSecure *_sslClient;
-    X509List _certificate;
     String _password;
     #endif