diff --git a/ChangeLog b/ChangeLog
index 5758c7b13..55e4e7ffd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,7 @@ Security
      data is all zeros.
    * Fix unsafe bounds check in ssl_parse_client_psk_identity() when adding
      64kB to the address of the SSL buffer wraps around.
+   * Tighten should-be-constant-time memcmp against compiler optimizations.
 
 Bugfix
    * Fix memory leak in ssl_set_hostname() when called multiple times.
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 9a3fb8a4b..6e43f9432 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -2061,9 +2061,9 @@ int ssl_check_cert_usage( const x509_crt *cert,
 static inline int safer_memcmp( const void *a, const void *b, size_t n )
 {
     size_t i;
-    const unsigned char *A = (const unsigned char *) a;
-    const unsigned char *B = (const unsigned char *) b;
-    unsigned char diff = 0;
+    volatile const unsigned char *A = (volatile const unsigned char *) a;
+    volatile const unsigned char *B = (volatile const unsigned char *) b;
+    volatile unsigned char diff = 0;
 
     for( i = 0; i < n; i++ )
         diff |= A[i] ^ B[i];