diff --git a/ChangeLog.txt b/ChangeLog.txt
index 2c4e7164..dbe24208 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -1,5 +1,7 @@
 Security:
-- Broker will reject Will messages that attempt to publish to $CONTROL/.
+- Broker will now reject Will messages that attempt to publish to $CONTROL/.
+- Broker now validates usernames provided in a TLS certificate or TLS-PSK
+ identity are valid UTF-8.
 Broker:
 - Fix $SYS messages being expired after 60 seconds and hence unchanged values
diff --git a/src/handle_connect.c b/src/handle_connect.c
index 63824b0c..58bea7b3 100644
--- a/src/handle_connect.c
+++ b/src/handle_connect.c
@@ -794,11 +794,22 @@ int handle__connect(struct mosquitto *context)
 rc = MOSQ_ERR_AUTH;
 goto handle_connect_error;
 }
+ const char *new_username;
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
- context->username = mosquitto__strdup((char *) ASN1_STRING_data(name_asn1));
+ new_username = (const char *) ASN1_STRING_data(name_asn1);
 #else
- context->username = mosquitto__strdup((char *) ASN1_STRING_get0_data(name_asn1));
+ new_username = (const char *) ASN1_STRING_get0_data(name_asn1);
 #endif
+ if(mosquitto_validate_utf8(new_username, (int)strlen(new_username))){
+ if(context->protocol == mosq_p_mqtt5){
+ send__connack(context, 0, MQTT_RC_BAD_USERNAME_OR_PASSWORD, NULL);
+ }else{
+ send__connack(context, 0, CONNACK_REFUSED_BAD_USERNAME_PASSWORD, NULL);
+ }
+ X509_free(client_cert);
+ return MOSQ_ERR_AUTH;
+ }
+ context->username = mosquitto__strdup(new_username);
 if(!context->username){
 if(context->protocol == mosq_p_mqtt5){
 send__connack(context, 0, MQTT_RC_SERVER_UNAVAILABLE, NULL);
diff --git a/src/net.c b/src/net.c
index 51452307..8fab9b3d 100644
--- a/src/net.c
+++ b/src/net.c
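Review bot: `strlen(new_username)` measures the certificate field only up to its first NUL byte, so in the src/handle_connect.c hunk both the UTF-8 check and the following `mosquitto__strdup(new_username)` work on a prefix if the ASN.1 string carries an embedded NUL, and the length stored in the ASN.1 object is never consulted. Unless such a check already exists above the hunk (not visible here), compare the two lengths first and take the same refusal branch on mismatch, e.g. `if(ASN1_STRING_length(name_asn1) != (int)strlen(new_username))`. The new refusal branch also ends in `X509_free(client_cert); return MOSQ_ERR_AUTH;`, while the error path three lines above it uses `rc = MOSQ_ERR_AUTH; goto handle_connect_error;`; if that label releases other connection state, the direct return skips it, so the two paths should be made consistent. handle__connect starts and ends outside the hunk.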
@@ -296,6 +296,10 @@ static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned
 }
 if(listener->use_identity_as_username){
+ if(mosquitto_validate_utf8(identity, (int)strlen(identity))){
+ mosquitto__free(psk_key);
+ return 0;
+ }
 context->username = mosquitto__strdup(identity);
 if(!context->username){
 mosquitto__free(psk_key);
diff --git a/src/plugin_public.c b/src/plugin_public.c
index a800090c..cc1c0ded 100644
--- a/src/plugin_public.c
+++ b/src/plugin_public.c
@@ -244,6 +244,9 @@ int mosquitto_set_username(struct mosquitto *client, const char *username)
 if(!client) return MOSQ_ERR_INVAL;
 if(username){
+ if(mosquitto_validate_utf8(username, (int)strlen(username))){
+ return MOSQ_ERR_MALFORMED_UTF8;
+ }
 u_dup = mosquitto__strdup(username);
 if(!u_dup) return MOSQ_ERR_NOMEM;
 }else{
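Review bot: The new refusal in psk_server_callback ends in a bare `return 0;` with no record of the reason, so a PSK identity that fails UTF-8 validation looks the same to an operator as an unknown identity or a wrong key. If the broker's logging helper can be called from this callback, log the refusal before returning, without echoing the raw identity bytes, since they are by definition not valid UTF-8. At minimum the branch deserves a comment such as `/* Identity becomes the username; refuse the handshake if it is not valid UTF-8. */`. The check only runs when `use_identity_as_username` is set, which is worth stating in that comment so readers do not assume every PSK identity is validated. The function starts and ends outside the hunk.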
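Review bot: Every non-zero result of `mosquitto_validate_utf8()` in mosquitto_set_username is reported to the plugin as `MOSQ_ERR_MALFORMED_UTF8`, which would misreport any failure that is not about encoding (a length limit, for instance; the validator's body is not visible here). Propagating the validator's own result avoids that: `int vrc = mosquitto_validate_utf8(username, (int)strlen(username)); if(vrc) return vrc;`. The function's public documentation, which this hunk does not touch, should also list the new failure code so plugin authors check the return value instead of assuming the username was applied. mosquitto_set_username starts and ends outside the hunk.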