diff --git a/ChangeLog.txt b/ChangeLog.txt
index cf94b1c0..cc35d767 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -1,6 +1,12 @@
-1.5.4 - 201810xx
+1.5.4 - 20181108
 ================
 
+Security:
+- When using a TLS enabled websockets listener with "require_certificate"
+  enabled, the mosquitto broker does not correctly verify client certificates.
+  This is now fixed. All other security measures operate as expected, and in
+  particular non-websockets listeners are not affected by this. Closes #996.
+
 Broker:
 - Process all pending messages even when a client has disconnected. This means
   a client that send a PUBLISH then DISCONNECT quickly, then disconnects will
diff --git a/src/websockets.c b/src/websockets.c
index 1ab02a9b..bf2804b8 100644
--- a/src/websockets.c
+++ b/src/websockets.c
@@ -665,6 +665,14 @@ static int callback_http(struct libwebsocket_context *context,
 		}
 		break;
 
+#ifdef WITH_TLS
+	case LWS_CALLBACK_OPENSSL_PERFORM_CLIENT_CERT_VERIFICATION:
+		if(!len || (SSL_get_verify_result((SSL*)in) != X509_V_OK)){
+			return 1;
+		}
+		break;
+#endif
+
 	default:
 		return 0;
 	}
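Review bot: The rejection at `return 1;` in the new LWS_CALLBACK_OPENSSL_PERFORM_CLIENT_CERT_VERIFICATION case is silent, so an operator cannot tell from the broker log that a websockets client presented a certificate that failed verification, nor why. libwebsockets passes the `X509_STORE_CTX *` as `user` and OpenSSL's preverify result as `len`, so the reason is at hand; before returning, log it, e.g. `log__printf(NULL, MOSQ_LOG_NOTICE, "Client certificate verification failed: %s", X509_verify_cert_error_string(X509_STORE_CTX_get_error((X509_STORE_CTX *)user)));`. Since `len` is the per-certificate preverify flag and `SSL_get_verify_result()` may not yet reflect the chain being verified while this callback runs, the `!len` test is probably the check doing the work, and a comment such as `/* len is OpenSSL's preverify_ok for this chain element; in is the SSL* */` would make that explicit for the next reader. callback_http begins and ends outside the hunk.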