diff --git a/src/context.c b/src/context.c
index aa0478ff..0a0e4456 100644
--- a/src/context.c
+++ b/src/context.c
@@ -55,6 +55,7 @@ typedef unsigned short in_port_t;
 
 #include <sys/stat.h>
 #include <string.h>
+#include <strings.h>
 #include <stdio.h>
 #include <stdlib.h>
 
diff --git a/src/convert.c b/src/convert.c
index 53d98e99..42365c84 100644
--- a/src/convert.c
+++ b/src/convert.c
@@ -1670,7 +1670,7 @@ getdns_str2dict(const char *str, getdns_dict **dict)
 	if (!str || !dict)
 		return GETDNS_RETURN_INVALID_PARAMETER;
 
-	while (*str && isspace(*str))
+	while (*str && isspace((unsigned char)*str))
 		str++;
 
 	if (*str != '{') {
diff --git a/src/openssl/tls-internal.h b/src/openssl/tls-internal.h
index e640150d..615f79e3 100644
--- a/src/openssl/tls-internal.h
+++ b/src/openssl/tls-internal.h
@@ -67,7 +67,7 @@ typedef struct _getdns_tls_connection {
 	const getdns_log_config* log;
 #if defined(USE_DANESSL)
 	const char* auth_name;
-	sha256_pin_t* pinset;
+	const sha256_pin_t* pinset;
 #endif
 } _getdns_tls_connection;
 
diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index e53cb60b..94335848 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -904,7 +904,7 @@ getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* c
 	if (!conn || !conn->ssl || !auth_name)
 		return GETDNS_RETURN_INVALID_PARAMETER;
 
-#if defined(USE_DANE_SSL)
+#if defined(USE_DANESSL)
 	/* Stash auth name and pinset away for use in cert verification. */
 	conn->auth_name = auth_name;
 	conn->pinset = pinset;
diff --git a/src/tools/getdns_query.c b/src/tools/getdns_query.c
index dc866586..80b94dbd 100644
--- a/src/tools/getdns_query.c
+++ b/src/tools/getdns_query.c
@@ -98,7 +98,7 @@ static int get_rrtype(const char *t)
 	if (strlen(t) > sizeof(buf) - 15)
 		return -1;
 	for (i = 14; *t && i < sizeof(buf) - 1; i++, t++)
-		buf[i] = *t == '-' ? '_' : toupper(*t);
+		buf[i] = *t == '-' ? '_' : toupper((unsigned char)*t);
 	buf[i] = '\0';
 
 	if (!getdns_str2int(buf, &rrtype))
@@ -123,7 +123,7 @@ static int get_rrclass(const char *t)
 	if (strlen(t) > sizeof(buf) - 16)
 		return -1;
 	for (i = 15; *t && i < sizeof(buf) - 1; i++, t++)
-		buf[i] = toupper(*t);
+		buf[i] = toupper((unsigned char)*t);
 	buf[i] = '\0';
 
 	if (!getdns_str2int(buf, &rrclass))
diff --git a/src/tools/getdns_server_mon.c b/src/tools/getdns_server_mon.c
index 3b2d1045..a11ed55e 100644
--- a/src/tools/getdns_server_mon.c
+++ b/src/tools/getdns_server_mon.c
@@ -130,7 +130,7 @@ static int get_rrtype(const char *t)
         if (strlen(t) > sizeof(buf) - 15)
                 return -1;
         for (i = 14; *t && i < sizeof(buf) - 1; i++, t++)
-                buf[i] = *t == '-' ? '_' : toupper(*t);
+                buf[i] = *t == '-' ? '_' : toupper((unsigned char)*t);
         buf[i] = '\0';
 
         if (!getdns_str2int(buf, &rrtype))
diff --git a/src/util-internal.c b/src/util-internal.c
index a592b90d..be919637 100644
--- a/src/util-internal.c
+++ b/src/util-internal.c
@@ -1428,9 +1428,9 @@ _getdns_validate_dname(const char* dname) {
                 break;
 	    case '\\':
 		s += 1;
-		if (isdigit(s[0])) {
+		if (isdigit((unsigned char)s[0])) {
 			/* octet value */
-			if (! isdigit(s[1]) && ! isdigit(s[2]))
+			if (! isdigit((unsigned char)s[1]) && ! isdigit((unsigned char)s[2]))
 				return GETDNS_RETURN_BAD_DOMAIN_NAME;
 
 			if ((s[0] - '0') * 100 +