Version 1.3.4 introduced the change that when using TLS with
require_certificate set to false, the client is no longer asked for a client
certificate. This seemed to be causing problems in some situations,
particularly with embedded devices.
If use_identity_as_username is set to true when require_certificate is set
to false, then the client will not be asked for a certificate, even if it has
one configured. This means that the client will be refused access with connack
code 4, "bad username or password", because if use_identity_as_username
currently requires that a certificate is present, even if allow_anonymous is
set to true.
This change may cause unexpected results, but does not represent a security flaw because the change results in more clients being rejected than would otherwise have been.