diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino b/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino
index 2ef6d102e3..bd2a31e3f9 100644
--- a/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino
+++ b/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino
@@ -102,7 +102,7 @@ instead of the while certificate.
 This is not nearly as secure as real X.509 validation, but is better than nothing.
 )EOF");
 BearSSL::WiFiClientSecure client;
- const uint8_t fp[20] = {0x35, 0x85, 0x74, 0xEF, 0x67, 0x35, 0xA7, 0xCE, 0x40, 0x69, 0x50, 0xF3, 0xC0, 0xF6, 0x80, 0xCF, 0x80, 0x3B, 0x2E, 0x19};
+ const uint8_t fp[20] = {0x5F, 0xF1, 0x60, 0x31, 0x09, 0x04, 0x3E, 0xF2, 0x90, 0xD2, 0xB0, 0x8A, 0x50, 0x38, 0x04, 0xE8, 0x37, 0x9F, 0xBC, 0x76};
 client.setFingerprint(fp);
 fetchURL(&client, host, port, path);
 }
diff --git a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp
index 89fbffd3ed..890d86c8e3 100644
--- a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp
+++ b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp
@@ -79,6 +79,7 @@ void WiFiClientSecure::_clearAuthenticationSettings() {
 _use_self_signed = false;
 _knownkey = nullptr;
 _sk = nullptr;
+ _ta = nullptr;
 }
 
 
@@ -177,6 +178,7 @@ void WiFiClientSecure::stop() {
 _client->abort();
 }
 WiFiClient::stop();
+ _clearAuthenticationSettings();
 _freeSSL();
 }
 
@@ -510,6 +512,7 @@ bool WiFiClientSecure::_wait_for_handshake() {
 if (br_ssl_engine_current_state(_eng) & BR_SSL_SENDAPP) {
 _handshake_done = true;
 }
+ optimistic_yield(1000);
 }
 return _handshake_done;
 }
diff --git a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.h b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.h
index 23850fdba9..365cb9bd01 100644
--- a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.h
+++ b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.h
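Review bot: The replacement fingerprint on the `+ const uint8_t fp[20]` line will go stale exactly as the old one did the next time the server's certificate is renewed, and nothing in the hunk tells a reader which host and certificate it belongs to or when it was captured. A comment above the array such as `// SHA1 fingerprint of the <host>'s certificate, captured <date>; update it when the site's certificate rotates` turns a silent example failure into a diagnosable one. Whether the pinned value is that of the leaf certificate rather than an issuer is not visible in the hunk; confirm against `setFingerprint`'s implementation before stating it. The enclosing function starts outside the hunk.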
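Review bot: `_knownkey_usages` is not reset alongside the `_knownkey` pointer in `_clearAuthenticationSettings`, and the `_fingerprint` bytes are left in place; both are inert once the corresponding pointer or flag is cleared, but a reset routine that leaves stale data invites a later reader to treat it as meaningful. Adding `_knownkey_usages = 0;` next to the new `_ta = nullptr;` keeps the cleared state self-describing. The first lines of the function, where `_use_insecure` and `_use_fingerprint` would be reset, lie above the hunk, so that cannot be confirmed here.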
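Review bot: `stop()` now discards every validation setting the caller installed (trust anchors, fingerprint, known key, self-signed and insecure flags), so a `WiFiClientSecure` that is stopped and reconnected must have its trust mode selected again, and neither the added line nor the header's setter comments say so. If the base `WiFiClient::connect` stops an existing connection before reconnecting (not visible here), that call would reach this override through the virtual `stop()` and wipe the settings before the TLS handshake, which is worth a reconnect test. A comment on the added line, `// Drop validation settings too: a reused client must re-select its trust mode before the next connect`, would at least make the contract visible. `stop()`'s opening lines are above the hunk.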
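Review bot: The `1000` passed to `optimistic_yield` carries no unit; if, as the ESP8266 core's declaration of that function suggests, the parameter is an interval in microseconds, then `optimistic_yield(1000);  // 1 ms: let WiFi/system tasks run while the handshake spins` documents both the unit and why the yield sits inside the loop. The loop header and its termination condition are above the hunk, so whether the wait is bounded by a timeout cannot be confirmed here.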
@@ -59,24 +59,29 @@ class WiFiClientSecure : public WiFiClient {
 
 // Don't validate the chain, just accept whatever is given. VERY INSECURE!
 void setInsecure() {
+ _clearAuthenticationSettings();
 _use_insecure = true;
 }
 // Assume a given public key, don't validate or use cert info at all
 void setKnownKey(const BearSSLPublicKey *pk, unsigned usages = BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN) {
+ _clearAuthenticationSettings();
 _knownkey = pk;
 _knownkey_usages = usages;
 }
 // Only check SHA1 fingerprint of certificate
 void setFingerprint(const uint8_t fingerprint[20]) {
+ _clearAuthenticationSettings();
 _use_fingerprint = true;
 memcpy_P(_fingerprint, fingerprint, 20);
 }
 // Accept any certificate that's self-signed
 void allowSelfSignedCerts() {
+ _clearAuthenticationSettings();
 _use_self_signed = true;
 }
 // Install certificates of trusted CAs or specific site
 void setTrustAnchors(const BearSSLX509List *ta) {
+ _clearAuthenticationSettings();
 _ta = ta;
 }
 // In cases when NTP is not used, app must set a time manually to check cert validity
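Review bot: Each setter now begins with `_clearAuthenticationSettings()`, which makes the validation modes mutually exclusive with last-call-wins semantics, yet the per-setter comments still read as if the modes were additive, and `_clearAuthenticationSettings` is defined in the .cpp (see the hunk above), so a header reader cannot tell what is discarded. A comment above the group, `// Selecting a validation mode replaces any mode chosen earlier: the last setter called decides how the peer is authenticated`, states the contract where users read it. If combining `setTrustAnchors` with `allowSelfSignedCerts` was previously a supported configuration, the second call now silently drops the trust anchors and that deserves a changelog line; whether the combination was ever meaningful is not visible in the hunk. The class starts and ends outside the hunk.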