diff --git a/include/haproxy/tools.h b/include/haproxy/tools.h
index 89b297a56..f181a7601 100644
--- a/include/haproxy/tools.h
+++ b/include/haproxy/tools.h
@@ -1490,4 +1490,6 @@ int path_base(const char *path, const char *base, char *dst, char **err);
 void ha_freearray(char ***array);
+void ha_memset_s(void *s, int c, size_t n);
+
 #endif /* _HAPROXY_TOOLS_H */
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index aad4e56de..0f18132b1 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3756,7 +3756,7 @@ static int ssl_sock_clear_passphrase_cache(void)
 /* Erase stored passphrases just in case some memory
 * ends up leaking */
- memset(passphrase_cache[idx].ptr, 0, passphrase_cache[idx].len);
+ ha_memset_s(passphrase_cache[idx].ptr, 0, passphrase_cache[idx].len);
 istfree(&passphrase_cache[idx]);
 }
 ha_free(&passphrase_cache);
diff --git a/src/tools.c b/src/tools.c
index e64c55ada..f33800580 100644
--- a/src/tools.c
+++ b/src/tools.c
@@ -7438,6 +7438,15 @@ void ha_freearray(char ***array)
 *array = NULL;
 }
+/*
+ * Secure implementation of memset that cannot be optimized away.
+ */
+void ha_memset_s(void *s, int c, size_t n)
+{
+ memset(s, c, n);
+ __asm__ __volatile__("" : : "r"(s) : "memory");
+}
+
 /*
 * Local variables:
 * c-indent-level: 8
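Review bot: In the src/ssl_sock.c hunk, the comment above the call still justifies the wipe only as a hedge against a leak, which does not tell a reader why plain `memset()` was replaced. A store to a buffer that is freed on the next line is a dead store the compiler may remove, so I would say that in the comment, e.g. `/* Wipe cached passphrases before freeing; ha_memset_s() keeps the compiler from dropping the store */`. The enclosing loop and function body begin outside the hunk, so whether other copies of the passphrase are wiped elsewhere cannot be judged from here.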
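Review bot: In the src/tools.c hunk, the comment on `ha_memset_s()` says it "cannot be optimized away" but not what that rests on: the empty `__asm__ __volatile__` statement takes `s` as an input and clobbers "memory", so the compiler must assume the freshly written bytes are read and cannot drop the `memset()` as a dead store. I would expand the comment to say this, to note that it relies on GCC/Clang extended asm, and to state that it only wipes the `n` bytes at `s`, not other copies of the secret. Despite the `_s` suffix this is not C11 Annex K `memset_s()` (different parameters, no return value), which deserves one line in the comment as well. Separately, callers on cleanup paths may pass an unset pointer; `if (!s || !n) return;` as the first line would keep `memset(NULL, ...)` out of the picture.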