diff --git a/doc/Changelog b/doc/Changelog
index bb09fa39a..0d110b214 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -7,6 +7,8 @@
 multicast DNS [RFC 6762] via Avahi. The plugin communicates with Avahi via DBus. The comment section at the beginning of the file contains detailed documentation.
+ - Fix to wipe ssl ticket keys from memory with explicit_bzero,
+ if available.
 5 April 2019: Wouter
 - Fix to reinit event structure for accepted TCP (and TLS) sockets.
diff --git a/util/net_help.c b/util/net_help.c
index a6c3fd5cc..13bcdf808 100644
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -1245,7 +1245,12 @@ listen_sslctx_delete_ticket_keys(void)
 struct tls_session_ticket_key *key;
 if(!ticket_keys) return;
 for(key = ticket_keys; key->key_name != NULL; key++) {
- memset(key->key_name, 0xdd, 80); /* wipe key data from memory*/
+ /* wipe key data from memory*/
+#ifdef HAVE_EXPLICIT_BZERO
+ explicit_bzero(key->key_name, 80);
+#else
+ memset(key->key_name, 0xdd, 80);
+#endif
 free(key->key_name);
 }
 free(ticket_keys);
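Review bot: The `#else` branch in util/net_help.c keeps `memset(key->key_name, 0xdd, 80);` directly before `free(key->key_name)`, which is a dead store the compiler may remove, so builds without `explicit_bzero` still have no guarantee that the ticket keys are wiped. A fallback that cannot be elided would close that gap, for example `OPENSSL_cleanse(key->key_name, 80);` if this code is only built with OpenSSL (not visible here), or a byte loop through a `volatile unsigned char *`. `HAVE_EXPLICIT_BZERO` also depends on a configure check that is not part of the visible diff; without one the new branch is never compiled in. The literal `80` presumably matches the size allocated for `key_name` elsewhere, and a shared named constant would keep the wipe length tied to that allocation. The body of `listen_sslctx_delete_ticket_keys` starts before and ends after this hunk.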