Add setSSLVersion call to SSL object #7920


Merged
earlephilhower merged 4 commits into esp8266:master from earlephilhower:tlslimit
Mar 15, 2021


@earlephilhower
Collaborator

Allow users to only allow specific TLS versions for connections with an
additional call in their app, similar to the setCiphers call.

Fixes #7918

@manolodd
Contributor

Wow!!!

I was working on it (having some trouble installing the Git version in the IDE) and you solved it in a moment, hehe.

Thank you very much, it is a very useful feature to not depend on the TLS configuration of the remote server and to be able to specify TLS 1.2 as the only option from the client.

@earlephilhower
Collaborator, Author

Can you verify it with your own test and report back? I've done quick things w/curl, but a 2nd-hand report is always useful!

@manolodd
Contributor

Umm, apparently it fails!

```
/home/manolodd/Desarrollo/Arduino/NodemcuWifiMQTTTLStls12_5/NodemcuWifiMQTTTLStls12_5.ino: In function 'void setupMQTT()':
NodemcuWifiMQTTTLStls12_5:235:17: error: 'class BearSSL::WiFiClientSecure' has no member named 'setSSLVersion'; did you mean 'setSession'?
  235 |   tlsConnection.setSSLVersion(BR_TLS12, BR_TLS12);
      |                 ^~~~~~~~~~~~~
      |                 setSession
exit status 1
'class BearSSL::WiFiClientSecure' has no member named 'setSSLVersion'; did you mean 'setSession'?
```

If I add the following method

```cpp
bool setSSLVersion(uint32_t min = BR_TLS10, uint32_t max = BR_TLS12) { return setSSLVersion(min, max); };
```

to `class WiFiClientSecure : public WiFiClient` (it is missing)

then everything compiles, but once flashed to my NodeMCU it throws an exception.

My mosquitto is running only TLS 1.2

```
nmap --script ssl-enum-ciphers -p 8883 localhost
Starting Nmap 7.70 (https://nmap.org ) at 2021-03-12 21:59 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00022s latency).
Other addresses for localhost (not scanned): ::1

PORT     STATE SERVICE
8883/tcp open  secure-mqtt
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
```

And without trying to set the TLS version with the new method, my sketch works fine, so it uses TLS 1.2.

I need to do some additional tests.

@manolodd
Contributor

```
>>>stack>>>

ctx: cont
sp: 3ffffdd0 end: 3fffffc0 offset: 01a0
3fffff70:  3fffdad0 3ffeeb68 3ffeecb0 402026f2
3fffff80:  3fffdad0 3ffeeb68 3ffeecb0 40202a0a
3fffff90:  00000000 0018001f 00000000 feefeffe
3fffffa0:  feefeffe feefeffe feefeffe 40207430
3fffffb0:  feefeffe feefeffe 3ffe8648 40100c35
<<<stack<<<

--------------- CUT HERE FOR EXCEPTION DECODER ---------------

 ets Jan  8 2013,rst cause:2, boot mode:(3,6)

load 0x4010f000, len 3460, room 16
tail 4
chksum 0xcc
load 0x3fff20b8, len 40, room 4
tail 4
chksum 0xc9
csum 0xc9
v000636c0
~ld
```

@manolodd
Contributor

My fault!!!

I forgot the `_ctx->` in

```cpp
bool setSSLVersion(uint32_t min = BR_TLS10, uint32_t max = BR_TLS12) { return _ctx->setSSLVersion(min, max); };
```

You only have to add this method to `class WiFiClientSecure : public WiFiClient` and everything seems to work fine:

```
Conectando 8C:AA:B5:7C:82:B4 a la red WiFi MEREET...¡Conectado!
Configurando hora vía NTP.¡Configurada!
Conectando al broker MQTT con TLS 1.2...¡Conectado al broker MQTT!
Suscribiendose al topic devices/todevice/nodemcu-8CAAB57C82B4...¡Suscrito al topic!
Publicando [Fri Mar 12 22:11:57 2021] en devices/uptime/nodemcu-8CAAB57C82B4...¡Publicado!
Publicando [Fri Mar 12 22:12:02 2021] en devices/fromdevice/nodemcu-8CAAB57C82B4...¡Publicado!
Publicando [Fri Mar 12 22:11:57 2021] en devices/uptime/nodemcu-8CAAB57C82B4...¡Publicado!
Publicando [Fri Mar 12 22:12:12 2021] en devices/fromdevice/nodemcu-8CAAB57C82B4...¡Publicado!
Publicando [Fri Mar 12 22:11:57 2021] en devices/uptime/nodemcu-8CAAB57C82B4...¡Publicado!
Publicando [Fri Mar 12 22:12:22 2021] en devices/fromdevice/nodemcu-8CAAB57C82B4...¡Publicado!
Publicando [Fri Mar 12 22:11:57 2021] en devices/uptime/nodemcu-8CAAB57C82B4...¡Publicado!
Publicando [Fri Mar 12 22:12:32 2021] en devices/fromdevice/nodemcu-8CAAB57C82B4...¡Publicado!
Publicando [Fri Mar 12 22:11:57 2021] en devices/uptime/nodemcu-8CAAB57C82B4...¡Publicado!
Publicando [Fri Mar 12 22:12:42 2021] en devices/fromdevice/nodemcu-8CAAB57C82B4...¡Publicado!
Publicando [Fri Mar 12 22:11:57 2021] en devices/uptime/nodemcu-8CAAB57C82B4...¡Publicado!
Publicando [Fri Mar 12 22:12:52 2021] en devices/fromdevice/nodemcu-8CAAB57C82B4...¡Publicado!
Publicando [Fri Mar 12 22:11:57 2021] en devices/uptime/nodemcu-8CAAB57C82B4...¡Publicado!
Publicando [Fri Mar 12 22:13:02 2021] en devices/fromdevice/nodemcu-8CAAB57C82B4...¡Publicado!
[...]
```

So... simply add this method!

Thank you so much.
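
A host-side model of the forwarding method discussed in this thread, as an added example that is not code from the pull request or the ESP8266 core. It shows why the `_ctx->` qualifier is required and what pinning the client to TLS 1.2 does against a server that only offers older versions. `SecureCtxModel`, `SecureClientModel`, `negotiate`, `connect` and `negotiatedVersion` are hypothetical names, the range validation is an assumption, and the `BR_TLS1x` constants are local stand-ins carrying the TLS wire version numbers.

```cpp
#include <algorithm>
#include <cstdint>
#include <memory>

// Stand-ins with the TLS wire version numbers that BearSSL's BR_TLS1x macros carry.
constexpr uint32_t BR_TLS10 = 0x0301, BR_TLS11 = 0x0302, BR_TLS12 = 0x0303;

// Hypothetical model of the context object that holds the TLS settings.
class SecureCtxModel {
public:
    // Assumed validation: reject unknown versions and inverted ranges.
    bool setSSLVersion(uint32_t min, uint32_t max) {
        if (min < BR_TLS10 || max > BR_TLS12 || min > max) return false;
        _min = min; _max = max;
        return true;
    }
    // Highest version both sides support; 0 when the ranges do not overlap (refused, not downgraded).
    uint32_t negotiate(uint32_t srvMin, uint32_t srvMax) const {
        uint32_t hi = std::min(_max, srvMax), lo = std::max(_min, srvMin);
        return hi >= lo ? hi : 0;
    }
private:
    uint32_t _min = BR_TLS10, _max = BR_TLS12;
};

// Hypothetical model of the user-facing client that owns a context.
class SecureClientModel {
public:
    // The "_ctx->" matters: an unqualified setSSLVersion(min, max) here would
    // resolve to this same member and recurse until the stack is exhausted.
    bool setSSLVersion(uint32_t min = BR_TLS10, uint32_t max = BR_TLS12) {
        return _ctx->setSSLVersion(min, max);
    }
    uint32_t connect(uint32_t srvMin, uint32_t srvMax) const {
        return _ctx->negotiate(srvMin, srvMax);
    }
private:
    std::shared_ptr<SecureCtxModel> _ctx = std::make_shared<SecureCtxModel>();
};

// Version agreed by a client limited to [cMin, cMax] and a server supporting [sMin, sMax]; 0 = no connection.
uint32_t negotiatedVersion(uint32_t cMin, uint32_t cMax, uint32_t sMin, uint32_t sMax) {
    SecureClientModel client;
    if (!client.setSSLVersion(cMin, cMax)) return 0;
    return client.connect(sMin, sMax);
}

int main() { return negotiatedVersion(BR_TLS12, BR_TLS12, BR_TLS10, BR_TLS11) == 0 ? 0 : 1; }
```

With the default range the same server would settle on TLS 1.1; with the client pinned to `BR_TLS12` the connection is refused instead.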

earlephilhower added this to the 3.0.0 milestone, Mar 12, 2021
earlephilhower removed this from the 3.0.0 milestone, Mar 15, 2021
earlephilhower changed the title from "Add setSSLVersion call to SSL object" to "WIP - Add setSSLVersion call to SSL object", Mar 15, 2021
@earlephilhower
Collaborator, Author

An equivalent option for the WiFiServerSecure should also be made available. Pushing past 3.0.0

earlephilhower changed the title from "WIP - Add setSSLVersion call to SSL object" to "Add setSSLVersion call to SSL object", Mar 15, 2021
Development

Successfully merging this pull request may close these issues.

Limitting to TLS 1.2
