diff --git a/gnutls.c b/gnutls.c
index 4db21db1..db2abd1b 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -265,7 +265,7 @@ static int load_datum(struct openconnect_info *vpninfo,
 	}
 #endif
 
-	fd = open(fname, O_RDONLY|O_CLOEXEC);
+	fd = open(fname, O_RDONLY|O_CLOEXEC|O_BINARY);
 	if (fd == -1) {
 		err = errno;
 		vpn_progress(vpninfo, PRG_ERR,
diff --git a/openconnect-internal.h b/openconnect-internal.h
index 38f3c46f..1f8e2eb7 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -377,6 +377,9 @@ ssize_t openconnect__win32_sock_write(gnutls_transport_ptr_t ptr, const void *da
 #else
 #define neterrno() errno
 #define closesocket close
+#ifndef O_BINARY
+#define O_BINARY 0
+#endif
 #endif
 
 /* I always coded as if it worked like this. Now it does. */
diff --git a/openssl.c b/openssl.c
index eb6bc4e8..acc8f358 100644
--- a/openssl.c
+++ b/openssl.c
@@ -661,7 +661,7 @@ static int load_certificate(struct openconnect_info *vpninfo)
 		FILE *f;
 		PKCS12 *p12;
 
-		f = fopen(vpninfo->cert, "r");
+		f = fopen(vpninfo->cert, "rb");
 		if (!f) {
 			vpn_progress(vpninfo, PRG_ERR,
 				     _("Failed to open certificate file %s: %s\n"),
@@ -749,7 +749,7 @@ static int load_certificate(struct openconnect_info *vpninfo)
 #endif /* ANDROID_KEYSTORE */
 
 	if (vpninfo->cert_type == CERT_TYPE_UNKNOWN) {
-		FILE *f = fopen(vpninfo->sslkey, "r");
+		FILE *f = fopen(vpninfo->sslkey, "rb");
 		char buf[256];
 
 		if (!f) {