diff --git a/crypto/x509v3/v3_conf.c b/crypto/x509v3/v3_conf.c
index e98d0fcdc..b3deb7f52 100644
--- a/crypto/x509v3/v3_conf.c
+++ b/crypto/x509v3/v3_conf.c
@@ -428,13 +428,17 @@ void X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section)
 ctx->db_meth->free_section(ctx->db, section);
 }
 
-static char *nconf_get_string(void *db, char *section, char *value)
+static char *nconf_get_string(void *db, const char *section, const char *value)
 {
- /* TODO(fork): this should return a const value. */
+ /* TODO(fork): This returns a non-const pointer because |X509V3_CONF_METHOD|
+ * allows |get_string| to return caller-owned pointers, provided they're
+ * freed by |free_string|. |nconf_method| leaves |free_string| NULL, and
+ * there are no other implementations of |X509V3_CONF_METHOD|, so this can
+ * be simplified if we make it private. */
 return (char *)NCONF_get_string(db, section, value);
 }
 
-static STACK_OF(CONF_VALUE) *nconf_get_section(void *db, char *section)
+static STACK_OF(CONF_VALUE) *nconf_get_section(void *db, const char *section)
 {
 return NCONF_get_section(db, section);
 }
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
index 2b2b4d910..0fd44bcc7 100644
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -126,8 +126,8 @@ void *usr_data; /* Any extension specific data */
 };
 
 typedef struct X509V3_CONF_METHOD_st {
-char * (*get_string)(void *db, char *section, char *value);
-STACK_OF(CONF_VALUE) * (*get_section)(void *db, char *section);
+char * (*get_string)(void *db, const char *section, const char *value);
+STACK_OF(CONF_VALUE) * (*get_section)(void *db, const char *section);
 void (*free_string)(void *db, char * string);
 void (*free_section)(void *db, STACK_OF(CONF_VALUE) *section);
 } X509V3_CONF_METHOD;
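Review bot: The `(char *)` cast in `nconf_get_string` (crypto/x509v3/v3_conf.c) still strips `const` from what `NCONF_get_string` returns, so nothing in the type stops a caller from writing through or freeing a pointer that this method does not hand over. The new TODO explains why the return type stays non-const, but it does not state the rule callers must follow. I would add one sentence to that comment, for example `/* The string returned here is presumably owned by |db|; callers must not modify it or free it directly. */`, hedged until the `NCONF_get_string` contract is confirmed. The tail of `X509V3_section_free` at the top of the hunk belongs to a function that starts outside it.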
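Review bot: `get_string` in `X509V3_CONF_METHOD` (include/openssl/x509v3.h) keeps returning a plain `char *` with no comment on ownership, and the only description of that contract is the TODO in v3_conf.c. Because this struct is declared in a public header, a short comment above the members would put the rule where implementers see it, for example `/* |get_string| may return a caller-owned pointer; it is released with |free_string| when that member is non-NULL. */`. Separately, switching the parameters to `const char *` makes any out-of-tree implementation declared with `char *` parameters an incompatible function-pointer type. The TODO says no other implementations exist, but that cannot be confirmed from this hunk.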