diff --git a/src/http_auth.c b/src/http_auth.c
index e9a64f60..d3d3f6dd 100644
--- a/src/http_auth.c
+++ b/src/http_auth.c
@@ -56,11 +56,22 @@ int http_auth_const_time_memeq (const char *a, const size_t alen, const char *b,
     /* constant time memory compare, unless compiler figures it out
      * (similar to mod_secdownload.c:const_time_memeq()) */
     /* round to next multiple of 64 to avoid potentially leaking exact
-     * password length when subject to high precision timing attacks) */
+     * password length when subject to high precision timing attacks)
+     * (not necessary when comparing digests, which have defined lengths)
+     */
+    /* Note: some libs provide similar funcs but might not obscure length, e.g.
+     * OpenSSL:
+     *   int CRYPTO_memcmp(const void * in_a, const void * in_b, size_t len)
+     * Note: some OS provide similar funcs but might not obscure length, e.g.
+     * OpenBSD: int timingsafe_bcmp(const void *b1, const void *b2, size_t len)
+     * NetBSD: int consttime_memequal(void *b1, void *b2, size_t len)
+     */
+    const volatile unsigned char * const av = (const unsigned char *)a;
+    const volatile unsigned char * const bv = (const unsigned char *)b;
     size_t lim = ((alen >= blen ? alen : blen) + 0x3F) & ~0x3F;
-    int diff = 0;
+    int diff = (alen != blen); /*(never match if string length mismatch)*/
     for (size_t i = 0, j = 0; lim; --lim) {
-        diff |= (a[i] ^ b[j]);
+        diff |= (av[i] ^ bv[j]);
         i += (i < alen);
         j += (j < blen);
     }