diff -up openssl-1.1.0g/crypto/conf/conf_api.c.secure-getenv openssl-1.1.0g/crypto/conf/conf_api.c
--- openssl-1.1.0g/crypto/conf/conf_api.c.secure-getenv	2017-11-02 15:29:02.000000000 +0100
+++ openssl-1.1.0g/crypto/conf/conf_api.c	2017-11-03 16:12:31.826265323 +0100
@@ -9,6 +9,8 @@
 
 /* Part of the code in here was originally in conf.c, which is now removed */
 
+/* for secure_getenv */
+#define _GNU_SOURCE
 #include <stdlib.h>
 #include <string.h>
 #include <openssl/conf.h>
@@ -82,7 +84,7 @@ char *_CONF_get_string(const CONF *conf,
             if (v != NULL)
                 return (v->value);
             if (strcmp(section, "ENV") == 0) {
-                p = getenv(name);
+                p = secure_getenv(name);
                 if (p != NULL)
                     return (p);
             }
@@ -95,7 +97,7 @@ char *_CONF_get_string(const CONF *conf,
         else
             return (NULL);
     } else
-        return (getenv(name));
+        return (secure_getenv(name));
 }
 
 static unsigned long conf_value_hash(const CONF_VALUE *v)
diff -up openssl-1.1.0g/crypto/conf/conf_mod.c.secure-getenv openssl-1.1.0g/crypto/conf/conf_mod.c
--- openssl-1.1.0g/crypto/conf/conf_mod.c.secure-getenv	2017-11-02 15:29:02.000000000 +0100
+++ openssl-1.1.0g/crypto/conf/conf_mod.c	2017-11-03 16:12:31.827265347 +0100
@@ -7,6 +7,8 @@
  * https://www.openssl.org/source/license.html
  */
 
+/* for secure_getenv */
+#define _GNU_SOURCE
 #include <stdio.h>
 #include <ctype.h>
 #include <openssl/crypto.h>
@@ -478,7 +480,7 @@ char *CONF_get1_default_config_file(void
     char *file;
     int len;
 
-    file = getenv("OPENSSL_CONF");
+    file = secure_getenv("OPENSSL_CONF");
     if (file)
         return OPENSSL_strdup(file);
 
diff -up openssl-1.1.0g/crypto/engine/eng_list.c.secure-getenv openssl-1.1.0g/crypto/engine/eng_list.c
--- openssl-1.1.0g/crypto/engine/eng_list.c.secure-getenv	2017-11-02 15:29:03.000000000 +0100
+++ openssl-1.1.0g/crypto/engine/eng_list.c	2017-11-03 16:12:31.827265347 +0100
@@ -13,6 +13,8 @@
  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
  */
 
+/* for secure_getenv */
+#define _GNU_SOURCE
 #include "eng_int.h"
 
 /*
@@ -322,7 +324,7 @@ ENGINE *ENGINE_by_id(const char *id)
      * Prevent infinite recursion if we're looking for the dynamic engine.
      */
     if (strcmp(id, "dynamic")) {
-        if ((load_dir = getenv("OPENSSL_ENGINES")) == 0)
+        if ((load_dir = secure_getenv("OPENSSL_ENGINES")) == 0)
             load_dir = ENGINESDIR;
         iterator = ENGINE_by_id("dynamic");
         if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
diff -up openssl-1.1.0g/crypto/rand/randfile.c.secure-getenv openssl-1.1.0g/crypto/rand/randfile.c
--- openssl-1.1.0g/crypto/rand/randfile.c.secure-getenv	2017-11-02 15:29:03.000000000 +0100
+++ openssl-1.1.0g/crypto/rand/randfile.c	2017-11-03 16:12:31.827265347 +0100
@@ -7,6 +7,8 @@
  * https://www.openssl.org/source/license.html
  */
 
+/* for secure_getenv */
+#define _GNU_SOURCE
 #include "internal/cryptlib.h"
 
 #include <errno.h>
@@ -317,10 +319,10 @@ const char *RAND_file_name(char *buf, si
     if (OPENSSL_issetugid() != 0) {
         use_randfile = 0;
     } else {
-        s = getenv("RANDFILE");
+        s = secure_getenv("RANDFILE");
         if (s == NULL || *s == '\0') {
             use_randfile = 0;
-            s = getenv("HOME");
+            s = secure_getenv("HOME");
         }
     }
 #endif
diff -up openssl-1.1.0g/crypto/x509/by_dir.c.secure-getenv openssl-1.1.0g/crypto/x509/by_dir.c
--- openssl-1.1.0g/crypto/x509/by_dir.c.secure-getenv	2017-11-02 15:29:04.000000000 +0100
+++ openssl-1.1.0g/crypto/x509/by_dir.c	2017-11-03 16:12:31.827265347 +0100
@@ -7,6 +7,8 @@
  * https://www.openssl.org/source/license.html
  */
 
+/* for secure_getenv */
+#define _GNU_SOURCE
 #include <stdio.h>
 #include <time.h>
 #include <errno.h>
@@ -78,7 +80,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
     switch (cmd) {
     case X509_L_ADD_DIR:
         if (argl == X509_FILETYPE_DEFAULT) {
-            dir = (char *)getenv(X509_get_default_cert_dir_env());
+            dir = (char *)secure_getenv(X509_get_default_cert_dir_env());
             if (dir)
                 ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
             else
diff -up openssl-1.1.0g/crypto/x509/by_file.c.secure-getenv openssl-1.1.0g/crypto/x509/by_file.c
--- openssl-1.1.0g/crypto/x509/by_file.c.secure-getenv	2017-11-02 15:29:04.000000000 +0100
+++ openssl-1.1.0g/crypto/x509/by_file.c	2017-11-03 16:14:13.230649686 +0100
@@ -7,6 +7,8 @@
  * https://www.openssl.org/source/license.html
  */
 
+/* for secure_getenv */
+#define _GNU_SOURCE
 #include <stdio.h>
 #include <time.h>
 #include <errno.h>
@@ -47,7 +49,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx
     switch (cmd) {
     case X509_L_FILE_LOAD:
         if (argl == X509_FILETYPE_DEFAULT) {
-            file = getenv(X509_get_default_cert_file_env());
+            file = secure_getenv(X509_get_default_cert_file_env());
             if (file)
                 ok = (X509_load_cert_crl_file(ctx, file,
                                               X509_FILETYPE_PEM) != 0);