indent has problems with comments that are on the right hand side of a line.
Sometimes it fails to format them very well, and sometimes it corrupts them!
This commit moves some particularly problematic ones.

Reviewed-by: Tim Hudson <tjh@openssl.org>
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 26e1da2..b70192b 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -481,10 +481,15 @@
 again:
 	i = dtls1_get_message_fragment(s, st1, stn, max, ok);
 	if ( i == DTLS1_HM_BAD_FRAGMENT ||
-		i == DTLS1_HM_FRAGMENT_RETRY)  /* bad fragment received */
+		i == DTLS1_HM_FRAGMENT_RETRY)
+		{
+		/* bad fragment received */
 		goto again;
+		}
 	else if ( i <= 0 && !*ok)
+		{
 		return i;
+		}
 
 	p = (unsigned char *)s->init_buf->data;
 	msg_len = msg_hdr->msg_len;
@@ -1022,9 +1027,11 @@
 		}
 
 #ifndef OPENSSL_NO_HEARTBEATS
-	if (!SSL_in_init(s) && !s->tlsext_hb_pending)  /* done, no need to send a retransmit */
+	/* done, no need to send a retransmit */
+	if (!SSL_in_init(s) && !s->tlsext_hb_pending)
 #else
-	if (!SSL_in_init(s))  /* done, no need to send a retransmit */
+	/* done, no need to send a retransmit */
+	if (!SSL_in_init(s))
 #endif
 		{
 		BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ);
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index ee2c0e0..44a8349 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -343,8 +343,8 @@
 		(((PQ_64BIT)s->d1->handshake_read_seq) << 32) | 
 		((PQ_64BIT)s->d1->r_msg_hdr.frag_off);
 	
-	if ( ! SSL_in_init(s))  /* if we're not (re)negotiating, 
-							   nothing buffered */
+    /* if we're not (re)negotiating, nothing buffered */
+	if ( ! SSL_in_init(s))
 		return 0;
 
 
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index 1a8cbaa..bac3d89 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -232,19 +232,21 @@
 
 int ssl23_get_client_hello(SSL *s)
 	{
-	char buf_space[11]; /* Request this many bytes in initial read.
-	                     * We can detect SSL 3.0/TLS 1.0 Client Hellos
-	                     * ('type == 3') correctly only when the following
-	                     * is in a single record, which is not guaranteed by
-	                     * the protocol specification:
-	                     * Byte  Content
-	                     *  0     type            \
-	                     *  1/2   version          > record header
-	                     *  3/4   length          /
-	                     *  5     msg_type        \
-	                     *  6-8   length           > Client Hello message
-	                     *  9/10  client_version  /
-	                     */
+    /*-
+     * Request this many bytes in initial read.
+     * We can detect SSL 3.0/TLS 1.0 Client Hellos
+     * ('type == 3') correctly only when the following
+     * is in a single record, which is not guaranteed by
+     * the protocol specification:
+     * Byte  Content
+     *  0     type            \
+     *  1/2   version          > record header
+     *  3/4   length          /
+     *  5     msg_type        \
+     *  6-8   length           > Client Hello message
+     *  9/10  client_version  /
+     */
+	char buf_space[11]; 
 	char *buf= &(buf_space[0]);
 	unsigned char *p,*d,*d_len,*dd;
 	unsigned int i;
diff --git a/ssl/s3_both.c b/ssl/s3_both.c
index 7252153..4ce065b 100644
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -230,11 +230,12 @@
 	 */ 
 #endif
 
+	/* 64 argument should actually be 36+4 :-) */
 	n=s->method->ssl_get_message(s,
 		a,
 		b,
 		SSL3_MT_FINISHED,
-		64, /* should actually be 36+4 :-) */
+		64,
 		&ok);
 
 	if (!ok) return((int)n);
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 333c570..28e9df6 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -994,7 +994,8 @@
 	int verify_mode;
 	unsigned int sid_ctx_length;
 	unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
-	int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */
+	/* called 'verify_callback' in the SSL */
+	int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx);
 
 	/* Default generate session ID callback. */
 	GEN_SESSION_CB generate_session_id;
@@ -1288,22 +1289,28 @@
 	 * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION, DTLS1_VERSION)
 	 */
 	int version;
-	int type; /* SSL_ST_CONNECT or SSL_ST_ACCEPT */
+	/* SSL_ST_CONNECT or SSL_ST_ACCEPT */
+	int type;
 
-	const SSL_METHOD *method; /* SSLv3 */
+	/* SSLv3 */
+	const SSL_METHOD *method;
 
 	/* There are 2 BIO's even though they are normally both the
 	 * same.  This is so data can be read and written to different
 	 * handlers */
 
 #ifndef OPENSSL_NO_BIO
-	BIO *rbio; /* used by SSL_read */
-	BIO *wbio; /* used by SSL_write */
-	BIO *bbio; /* used during session-id reuse to concatenate
-		    * messages */
+	/* used by SSL_read */
+	BIO *rbio;
+	/* used by SSL_write */
+	BIO *wbio;
+	/* used during session-id reuse to concatenate messages */
+	BIO *bbio;
 #else
-	char *rbio; /* used by SSL_read */
-	char *wbio; /* used by SSL_write */
+	/* used by SSL_read */
+	char *rbio;
+	/* used by SSL_write */
+	char *wbio;
 	char *bbio;
 #endif
 	/* This holds a variable that indicates what we were doing
@@ -1324,17 +1331,24 @@
 	 * test instead of an "init" member.
 	 */
 
-	int server;	/* are we the server side? - mostly used by SSL_clear*/
+	/* are we the server side? - mostly used by SSL_clear*/
+	int server;
 
-	int new_session;/* Generate a new session or reuse an old one.
-	                 * NB: For servers, the 'new' session may actually be a previously
-	                 * cached session or even the previous session unless
-	                 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
-	int quiet_shutdown;/* don't send shutdown packets */
-	int shutdown;	/* we have shut things down, 0x01 sent, 0x02
-			 * for received */
-	int state;	/* where we are */
-	int rstate;	/* where we are when reading */
+	/*
+	 * Generate a new session or reuse an old one.
+	 * NB: For servers, the 'new' session may actually be a previously
+	 * cached session or even the previous session unless
+	 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set
+	 */
+	int new_session;
+	/* don't send shutdown packets */
+	int quiet_shutdown;
+	/* we have shut things down, 0x01 sent, 0x02 for received */
+	int shutdown;
+	/* where we are */
+	int state;
+	/* where we are when reading */
+	int rstate;
 
 	BUF_MEM *init_buf;	/* buffer used during init */
 	void *init_msg;   	/* pointer to handshake message body, set by ssl3_get_message() */
@@ -1405,17 +1419,25 @@
 	GEN_SESSION_CB generate_session_id;
 
 	/* Used in SSL3 */
-	int verify_mode;	/* 0 don't care about verify failure.
-				 * 1 fail if verify fails */
-	int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */
+	/*
+	 * 0 don't care about verify failure.
+	 * 1 fail if verify fails
+	 */
+	int verify_mode;	
+	/* fail if callback returns 0 */
+	int (*verify_callback)(int ok,X509_STORE_CTX *ctx);
 
-	void (*info_callback)(const SSL *ssl,int type,int val); /* optional informational callback */
+	/* optional informational callback */
+	void (*info_callback)(const SSL *ssl,int type,int val);
 
-	int error;		/* error bytes to be written */
-	int error_code;		/* actual code */
+	/* error bytes to be written */
+	int error;
+	/* actual code */
+	int error_code;
 
 #ifndef OPENSSL_NO_KRB5
-	KSSL_CTX *kssl_ctx;     /* Kerberos 5 context */
+	/* Kerberos 5 context */
+	KSSL_CTX *kssl_ctx;
 #endif	/* OPENSSL_NO_KRB5 */
 
 #ifndef OPENSSL_NO_PSK
@@ -1439,12 +1461,14 @@
 	STACK_OF(X509_NAME) *client_CA;
 
 	int references;
-	unsigned long options; /* protocol behaviour */
-	unsigned long mode; /* API behaviour */
+	/* protocol behaviour */
+	unsigned long options;
+	/* API behaviour */
+	unsigned long mode;
 	long max_cert_list;
 	int first_packet;
-	int client_version;	/* what was passed, used for
-				 * SSLv3/TLS rollback check */
+	/* what was passed, used for SSLv3/TLS rollback check */
+	int client_version;
 	unsigned int max_send_fragment;
 #ifndef OPENSSL_NO_TLSEXT
 	/* TLS extension debug callback */
@@ -1453,11 +1477,13 @@
 					void *arg);
 	void *tlsext_debug_arg;
 	char *tlsext_hostname;
-	int servername_done;   /* no further mod of servername 
-	                          0 : call the servername extension callback.
-	                          1 : prepare 2, allow last ack just after in server callback.
-	                          2 : don't call servername callback, no ack in server hello
-	                       */
+    /*-
+     * no further mod of servername 
+     * 0 : call the servername extension callback.
+     * 1 : prepare 2, allow last ack just after in server callback.
+     * 2 : don't call servername callback, no ack in server hello
+     */
+	int servername_done;
 	/* certificate status request info */
 	/* Status type or -1 if no status type */
 	int tlsext_status_type;
@@ -1474,9 +1500,11 @@
 	int tlsext_ticket_expected;
 #ifndef OPENSSL_NO_EC
 	size_t tlsext_ecpointformatlist_length;
-	unsigned char *tlsext_ecpointformatlist; /* our list */
+	/* our list */
+	unsigned char *tlsext_ecpointformatlist;
 	size_t tlsext_ellipticcurvelist_length;
-	unsigned char *tlsext_ellipticcurvelist; /* our list */
+	/* our list */
+	unsigned char *tlsext_ellipticcurvelist;
 #endif /* OPENSSL_NO_EC */
 
 	/* draft-rescorla-tls-opaque-prf-input-00.txt information to be used for handshakes */
@@ -1510,16 +1538,22 @@
 
 #define session_ctx initial_ctx
 
-	STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;  /* What we'll do */
-	SRTP_PROTECTION_PROFILE *srtp_profile;            /* What's been chosen */
+	/* What we'll do */
+	STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
+	/* What's been chosen */
+	SRTP_PROTECTION_PROFILE *srtp_profile;
 
-	unsigned int tlsext_heartbeat;  /* Is use of the Heartbeat extension negotiated?
-	                                   0: disabled
-	                                   1: enabled
-	                                   2: enabled, but not allowed to send Requests
-	                                 */
-	unsigned int tlsext_hb_pending; /* Indicates if a HeartbeatRequest is in flight */
-	unsigned int tlsext_hb_seq;     /* HeartbeatRequest sequence number */
+	/*-
+	 * Is use of the Heartbeat extension negotiated?
+	 *  0: disabled
+	 *  1: enabled
+	 *  2: enabled, but not allowed to send Requests
+	 */
+	unsigned int tlsext_heartbeat;
+	/* Indicates if a HeartbeatRequest is in flight */
+	unsigned int tlsext_hb_pending;
+	/* HeartbeatRequest sequence number */
+	unsigned int tlsext_hb_seq;
 
 	/* For a client, this contains the list of supported protocols in wire
 	 * format. */
@@ -1529,12 +1563,16 @@
 #define session_ctx ctx
 #endif /* OPENSSL_NO_TLSEXT */
 
-	int renegotiate;/* 1 if we are renegotiating.
-	                 * 2 if we are a server and are inside a handshake
-	                 * (i.e. not just sending a HelloRequest) */
+    /*-
+     * 1 if we are renegotiating.
+     * 2 if we are a server and are inside a handshake
+     * (i.e. not just sending a HelloRequest)
+     */
+	int renegotiate;
 
 #ifndef OPENSSL_NO_SRP
-	SRP_CTX srp_ctx; /* ctx for SRP authentication */
+	/* ctx for SRP authentication */
+	SRP_CTX srp_ctx;
 #endif
 
 	/* Callback for disabling session caching and ticket support
diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index 24e6faa..76fbc6f 100644
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -388,27 +388,39 @@
 
 typedef struct ssl3_record_st
 	{
-/*r */	int type;               /* type of record */
-/*rw*/	unsigned int length;    /* How many bytes available */
-/*rw*/	unsigned int orig_len;  /* How many bytes were available before padding
-				   was removed? This is used to implement the
-				   MAC check in constant time for CBC records.
-				 */
-/*r */	unsigned int off;       /* read/write offset into 'buf' */
-/*rw*/	unsigned char *data;    /* pointer to the record data */
-/*rw*/	unsigned char *input;   /* where the decode bytes are */
-/*r */	unsigned char *comp;    /* only used with decompression - malloc()ed */
-/*r */  unsigned long epoch;    /* epoch number, needed by DTLS1 */
-/*r */  unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */
+		/* type of record */
+/*r */	int type;
+		/* How many bytes available */
+/*rw*/	unsigned int length;
+		/* How many bytes were available before padding
+		 * was removed? This is used to implement the
+		 * MAC check in constant time for CBC records.
+		 */
+/*rw*/	unsigned int orig_len;
+		/* read/write offset into 'buf' */
+/*r */	unsigned int off;
+		/* pointer to the record data */
+/*rw*/	unsigned char *data;
+		/* where the decode bytes are */
+/*rw*/	unsigned char *input;
+		/* only used with decompression - malloc()ed */
+/*r */	unsigned char *comp;
+		/* epoch number, needed by DTLS1 */
+/*r */  unsigned long epoch;
+		/* sequence number, needed by DTLS1 */
+/*r */  unsigned char seq_num[8];
 	} SSL3_RECORD;
 
 typedef struct ssl3_buffer_st
 	{
-	unsigned char *buf;     /* at least SSL3_RT_MAX_PACKET_SIZE bytes,
-	                         * see ssl3_setup_buffers() */
-	size_t len;             /* buffer size */
-	int offset;             /* where to 'copy from' */
-	int left;               /* how many bytes left */
+	/* at least SSL3_RT_MAX_PACKET_SIZE bytes, see ssl3_setup_buffers() */
+	unsigned char *buf;
+	/* buffer size */
+	size_t len;
+	/* where to 'copy from' */
+	int offset;
+	/* how many bytes left */
+	int left;
 	} SSL3_BUFFER;
 
 #endif
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index b17a3ed..dbb309e 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -201,10 +201,15 @@
 	s->hit=0;
 	s->shutdown=0;
 
-#if 0 /* Disabled since version 1.10 of this file (early return not
-       * needed because SSL_clear is not called when doing renegotiation) */
-	/* This is set if we are doing dynamic renegotiation so keep
-	 * the old cipher.  It is sort of a SSL_clear_lite :-) */
+#if 0
+    /*
+     * Disabled since version 1.10 of this file (early return not
+     * needed because SSL_clear is not called when doing renegotiation)
+     */
+    /*
+     * This is set if we are doing dynamic renegotiation so keep
+     * the old cipher.  It is sort of a SSL_clear_lite :-)
+     */
 	if (s->renegotiate) return(1);
 #else
 	if (s->renegotiate)
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index e817b38..6f49421 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -566,9 +566,12 @@
 typedef struct cert_st
 	{
 	/* Current active set */
-	CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array
-			 * Probably it would make more sense to store
-			 * an index, not a pointer. */
+	/*
+	 * ALWAYS points to an element of the pkeys array
+	 * Probably it would make more sense to store
+	 * an index, not a pointer.
+	 */
+	CERT_PKEY *key;
  
 	/* For servers the following masks are for the key and auth
 	 * algorithms that are supported by the certs below.
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index c21aeed..1f697e9 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -1009,9 +1009,11 @@
 	if ((s->next == NULL) || (s->prev == NULL)) return;
 
 	if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail))
-		{ /* last element in list */
+		{
+		/* last element in list */
 		if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
-			{ /* only one element in list */
+			{
+			/* only one element in list */
 			ctx->session_cache_head=NULL;
 			ctx->session_cache_tail=NULL;
 			}
@@ -1024,12 +1026,14 @@
 	else
 		{
 		if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
-			{ /* first element in list */
+			{
+			/* first element in list */
 			ctx->session_cache_head=s->next;
 			s->next->prev=(SSL_SESSION *)&(ctx->session_cache_head);
 			}
 		else
-			{ /* middle of list */
+			{
+			/* middle of list */
 			s->next->prev=s->prev;
 			s->prev->next=s->next;
 			}
diff --git a/ssl/ssltest.c b/ssl/ssltest.c
index 77ef141..746bfba 100644
--- a/ssl/ssltest.c
+++ b/ssl/ssltest.c
@@ -140,8 +140,8 @@
  * OTHERWISE.
  */
 
-#define _BSD_SOURCE 1		/* Or gethostname won't be declared properly
-				   on Linux and GNU platforms. */
+/* Or gethostname won't be declared properly on Linux and GNU platforms. */
+#define _BSD_SOURCE 1
 
 #include <assert.h>
 #include <errno.h>
@@ -155,8 +155,8 @@
 #include "e_os.h"
 
 #ifdef OPENSSL_SYS_VMS
-#define _XOPEN_SOURCE 500	/* Or isascii won't be declared properly on
-				   VMS (at least with DECompHP C).  */
+/* Or isascii won't be declared properly on VMS (at least with DECompHP C).  */
+#define _XOPEN_SOURCE 500
 #endif
 
 #include <ctype.h>
@@ -186,11 +186,13 @@
 #endif
 #include <openssl/bn.h>
 
-#define _XOPEN_SOURCE_EXTENDED	1 /* Or gethostname won't be declared properly
-				     on Compaq platforms (at least with DEC C).
-				     Do not try to put it earlier, or IPv6 includes
-				     get screwed...
-				  */
+/*
+ * Or gethostname won't be declared properly
+ * on Compaq platforms (at least with DEC C).
+ * Do not try to put it earlier, or IPv6 includes
+ * get screwed...
+*/
+#define _XOPEN_SOURCE_EXTENDED	1 
 
 #ifdef OPENSSL_SYS_WINDOWS
 #include <winsock.h>
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 2e8e149..7101473 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2264,8 +2264,11 @@
 				return 0;
 				}
 
-			if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
+			if (s->s3->client_opaque_prf_input != NULL)
+				{
+				/* shouldn't really happen */
 				OPENSSL_free(s->s3->client_opaque_prf_input);
+				}
 				
 			/* dummy byte just to get non-NULL */
 			if (s->s3->client_opaque_prf_input_len == 0)
@@ -2695,12 +2698,20 @@
 				return 0;
 				}
 			
-			if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
+			if (s->s3->server_opaque_prf_input != NULL)
+				{
+				/* shouldn't really happen */
 				OPENSSL_free(s->s3->server_opaque_prf_input);
+				}
 			if (s->s3->server_opaque_prf_input_len == 0)
-				s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
+				{
+				/* dummy byte just to get non-NULL */
+				s->s3->server_opaque_prf_input = OPENSSL_malloc(1);
+				}
 			else
+				{
 				s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
+				}
 
 			if (s->s3->server_opaque_prf_input == NULL)
 				{
@@ -2915,13 +2926,21 @@
 
 		if (s->tlsext_opaque_prf_input != NULL)
 			{
-			if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
+			if (s->s3->client_opaque_prf_input != NULL)
+				{
+				/* shouldn't really happen */
 				OPENSSL_free(s->s3->client_opaque_prf_input);
+				}
 
 			if (s->tlsext_opaque_prf_input_len == 0)
-				s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
+				{
+				/* dummy byte just to get non-NULL */
+				s->s3->client_opaque_prf_input = OPENSSL_malloc(1);
+				}
 			else
+				{
 				s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
+				}
 			if (s->s3->client_opaque_prf_input == NULL)
 				{
 				SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
@@ -2983,8 +3002,11 @@
 				}
 			}
 
-		if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
+		if (s->s3->server_opaque_prf_input != NULL)
+			{
+			/* shouldn't really happen */
 			OPENSSL_free(s->s3->server_opaque_prf_input);
+			}
 		s->s3->server_opaque_prf_input = NULL;
 
 		if (s->tlsext_opaque_prf_input != NULL)
@@ -2996,9 +3018,14 @@
 				 * of the same length as the client opaque PRF input! */
 
 				if (s->tlsext_opaque_prf_input_len == 0)
-					s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
+					{
+					/* dummy byte just to get non-NULL */
+					s->s3->server_opaque_prf_input = OPENSSL_malloc(1);
+					}
 				else
+					{
 					s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
+					}
 				if (s->s3->server_opaque_prf_input == NULL)
 					{
 					ret = SSL_TLSEXT_ERR_ALERT_FATAL;
diff --git a/ssl/tls1.h b/ssl/tls1.h
index 4aac4c6..d98f90d 100644
--- a/ssl/tls1.h
+++ b/ssl/tls1.h
@@ -253,9 +253,12 @@
 #define TLSEXT_TYPE_session_ticket		35
 
 /* ExtensionType value from draft-rescorla-tls-opaque-prf-input-00.txt */
-#if 0 /* will have to be provided externally for now ,
-       * i.e. build with -DTLSEXT_TYPE_opaque_prf_input=38183
-       * using whatever extension number you'd like to try */
+#if 0
+/*
+ * will have to be provided externally for now ,
+ * i.e. build with -DTLSEXT_TYPE_opaque_prf_input=38183
+ * using whatever extension number you'd like to try
+ */
 # define TLSEXT_TYPE_opaque_prf_input		??
 #endif