diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 9585e6922..8c35b86cd 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -2852,6 +2852,14 @@
 */
 #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
+/**
+ * \def MBEDTLS_UTILS_ZEROIZE_ALT
+ *
+ * Uncomment the macro to let mbed TLS use your alternate implementation of
+ * mbedtls_zeroize().
+ */
+//#define MBEDTLS_UTILS_ZEROIZE_ALT
+
 /* \} name SECTION: Customisation configuration options */
 /* Target and application specific configurations */
diff --git a/library/utils.c b/library/utils.c
index f943cb1c6..3819558f4 100644
--- a/library/utils.c
+++ b/library/utils.c
@@ -19,10 +19,17 @@
 * This file is part of mbed TLS (https://tls.mbed.org)
 */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "mbedtls/utils.h"
 #include
+#if !defined(MBEDTLS_UTILS_ZEROIZE_ALT)
 /* This implementation should never be optimized out by the compiler */
 void mbedtls_zeroize( void *buf, size_t len )
 {
@@ -31,3 +38,4 @@ void mbedtls_zeroize( void *buf, size_t len )
 while( len-- )
 *p++ = 0;
 }
+#endif /* MBEDTLS_UTILS_ZEROIZE_ALT */
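Review bot: The new doc block for MBEDTLS_UTILS_ZEROIZE_ALT in config.h does not say what a replacement has to guarantee. This function is the library's buffer-wiping primitive, so the comment should state that an alternate must keep the prototype `void mbedtls_zeroize( void *buf, size_t len )` and must not be removable as a dead store. One way is to add ` * The alternate implementation must clear all len bytes and must not be optimised away by the compiler.` It would also help to note that enabling the macro compiles out the built-in in library/utils.c, so the application has to supply the symbol at link time.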
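Review bot: The comment now inside the new `#if !defined(MBEDTLS_UTILS_ZEROIZE_ALT)` guard in library/utils.c, `/* This implementation should never be optimized out by the compiler */`, asserts a guarantee without naming what provides it. The declaration of `p` sits between this hunk and the next, so the claim cannot be checked from the visible lines. If `p` is a volatile-qualified pointer, the comment should say so, for example `/* Writes go through a volatile pointer so the compiler cannot drop them as dead stores; define MBEDTLS_UTILS_ZEROIZE_ALT to use a platform primitive instead. */`. The body of mbedtls_zeroize() continues outside this hunk, and the matching `#endif` is in the last hunk.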