Cleanse memory using the new OPENSSL_cleanse() function.
I've covered all the memset()s I felt safe modifying, but may have missed some.
diff --git a/ssl/kssl.c b/ssl/kssl.c
index c294166..1a49f43 100644
--- a/ssl/kssl.c
+++ b/ssl/kssl.c
@@ -1550,7 +1550,7 @@
         {
 	if (kssl_ctx == NULL)  return kssl_ctx;
 
-	if (kssl_ctx->key)  		memset(kssl_ctx->key, 0,
+	if (kssl_ctx->key)  		OPENSSL_cleanse(kssl_ctx->key,
 							      kssl_ctx->length);
 	if (kssl_ctx->key)  		free(kssl_ctx->key);
 	if (kssl_ctx->client_princ) 	free(kssl_ctx->client_princ);
@@ -1654,7 +1654,7 @@
 
 	if (kssl_ctx->key)
                 {
-		memset(kssl_ctx->key, 0, kssl_ctx->length);
+		OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length);
 		free(kssl_ctx->key);
 		}
 
diff --git a/ssl/s2_lib.c b/ssl/s2_lib.c
index 096e38d..910b9fe 100644
--- a/ssl/s2_lib.c
+++ b/ssl/s2_lib.c
@@ -308,7 +308,7 @@
 	s2=s->s2;
 	if (s2->rbuf != NULL) OPENSSL_free(s2->rbuf);
 	if (s2->wbuf != NULL) OPENSSL_free(s2->wbuf);
-	memset(s2,0,sizeof *s2);
+	OPENSSL_cleanse(s2,sizeof *s2);
 	OPENSSL_free(s2);
 	s->s2=NULL;
 	}
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 45bea06..aff0d9e 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1657,7 +1657,7 @@
 				s->method->ssl3_enc->generate_master_secret(s,
 					s->session->master_key,
 					tmp_buf,sizeof tmp_buf);
-			memset(tmp_buf,0,sizeof tmp_buf);
+			OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
 			}
 #endif
 #ifndef OPENSSL_NO_KRB5
@@ -1788,8 +1788,8 @@
 					s->session->master_key,
 					tmp_buf, sizeof tmp_buf);
 
-			memset(tmp_buf, 0, sizeof tmp_buf);
-			memset(epms, 0, outl);
+			OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
+			OPENSSL_cleanse(epms, outl);
                         }
 #endif
 #ifndef OPENSSL_NO_DH
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index cec8fcd..35fde29 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -182,7 +182,7 @@
 
 		km+=MD5_DIGEST_LENGTH;
 		}
-	memset(smd,0,SHA_DIGEST_LENGTH);
+	OPENSSL_cleanse(smd,SHA_DIGEST_LENGTH);
 	EVP_MD_CTX_cleanup(&m5);
 	EVP_MD_CTX_cleanup(&s1);
 	return 1;
@@ -333,8 +333,8 @@
 
 	EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE));
 
-	memset(&(exp_key[0]),0,sizeof(exp_key));
-	memset(&(exp_iv[0]),0,sizeof(exp_iv));
+	OPENSSL_cleanse(&(exp_key[0]),sizeof(exp_key));
+	OPENSSL_cleanse(&(exp_iv[0]),sizeof(exp_iv));
 	EVP_MD_CTX_cleanup(&md);
 	return(1);
 err:
@@ -408,7 +408,7 @@
 	{
 	if (s->s3->tmp.key_block != NULL)
 		{
-		memset(s->s3->tmp.key_block,0,
+		OPENSSL_cleanse(s->s3->tmp.key_block,
 			s->s3->tmp.key_block_length);
 		OPENSSL_free(s->s3->tmp.key_block);
 		s->s3->tmp.key_block=NULL;
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index be43258..2145385 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1468,7 +1468,7 @@
 		sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
 	EVP_MD_CTX_cleanup(&s->s3->finish_dgst1);
 	EVP_MD_CTX_cleanup(&s->s3->finish_dgst2);
-	memset(s->s3,0,sizeof *s->s3);
+	OPENSSL_cleanse(s->s3,sizeof *s->s3);
 	OPENSSL_free(s->s3);
 	s->s3=NULL;
 	}
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index fbd5ff5..c687da9 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2069,7 +2069,7 @@
                 s->session->master_key_length = s->method->ssl3_enc-> \
 		    generate_master_secret(s, s->session->master_key, p, i);
 		
-                memset(p, 0, i);
+                OPENSSL_cleanse(p, i);
                 return (ret);
 		}
 	else
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index a969d8f..fbc30b9 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -528,13 +528,13 @@
 
 	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
 
-	memset(ss->key_arg,0,sizeof ss->key_arg);
-	memset(ss->master_key,0,sizeof ss->master_key);
-	memset(ss->session_id,0,sizeof ss->session_id);
+	OPENSSL_cleanse(ss->key_arg,sizeof ss->key_arg);
+	OPENSSL_cleanse(ss->master_key,sizeof ss->master_key);
+	OPENSSL_cleanse(ss->session_id,sizeof ss->session_id);
 	if (ss->sess_cert != NULL) ssl_sess_cert_free(ss->sess_cert);
 	if (ss->peer != NULL) X509_free(ss->peer);
 	if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers);
-	memset(ss,0,sizeof(*ss));
+	OPENSSL_cleanse(ss,sizeof(*ss));
 	OPENSSL_free(ss);
 	}
 
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 872c629..bfcd7d9 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -161,7 +161,7 @@
 		}
 	HMAC_CTX_cleanup(&ctx);
 	HMAC_CTX_cleanup(&ctx_tmp);
-	memset(A1,0,sizeof(A1));
+	OPENSSL_cleanse(A1,sizeof(A1));
 	}
 
 static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1,
@@ -418,10 +418,10 @@
 printf("\n");
 #endif
 
-	memset(tmp1,0,sizeof(tmp1));
-	memset(tmp2,0,sizeof(tmp1));
-	memset(iv1,0,sizeof(iv1));
-	memset(iv2,0,sizeof(iv2));
+	OPENSSL_cleanse(tmp1,sizeof(tmp1));
+	OPENSSL_cleanse(tmp2,sizeof(tmp1));
+	OPENSSL_cleanse(iv1,sizeof(iv1));
+	OPENSSL_cleanse(iv2,sizeof(iv2));
 	return(1);
 err:
 	SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE);
@@ -476,7 +476,7 @@
 { int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); }
 #endif
 	tls1_generate_key_block(s,p1,p2,num);
-	memset(p2,0,num);
+	OPENSSL_cleanse(p2,num);
 	OPENSSL_free(p2);
 #ifdef TLS_DEBUG
 printf("\nkey block\n");