diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 2b88de08..1aa5959e 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -140,8 +140,8 @@
  * OTHERWISE.
  */
 
-#ifndef HEADER_SSL_H
-#define HEADER_SSL_H
+#ifndef OPENSSL_HEADER_SSL_H
+#define OPENSSL_HEADER_SSL_H
 
 #include <openssl/base.h>
 
@@ -159,7 +159,7 @@
 /* Some code expected to get the threading functions by including ssl.h. */
 #include <openssl/thread.h>
 
-#ifdef  __cplusplus
+#if defined(__cplusplus)
 extern "C" {
 #endif
 
@@ -1341,21 +1341,6 @@ struct ssl_st {
   EVP_MD_CTX *read_hash;
 };
 
-#ifdef __cplusplus
-}
-#endif
-
-#include <openssl/ssl2.h>
-#include <openssl/ssl3.h>
-#include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */
-#include <openssl/dtls1.h> /* Datagram TLS */
-#include <openssl/ssl23.h>
-#include <openssl/srtp.h>  /* Support for the use_srtp extension */
-
-#ifdef  __cplusplus
-extern "C" {
-#endif
-
 /* compatibility */
 #define SSL_set_app_data(s, arg) (SSL_set_ex_data(s, 0, (char *)arg))
 #define SSL_get_app_data(s) (SSL_get_ex_data(s, 0))
@@ -2268,10 +2253,26 @@ OPENSSL_EXPORT int SSL_set_ssl_method(SSL *s, const SSL_METHOD *method);
 OPENSSL_EXPORT const char *SSLeay_version(int unused);
 
 
-#ifdef  __cplusplus
-}
+#if defined(__cplusplus)
+} /* extern C */
 #endif
 
+
+/* Library consumers assume these headers are included by ssl.h, but they depend
+ * on ssl.h, so include them after all declarations.
+ *
+ * TODO(davidben): The separation between ssl.h and these version-specific
+ * headers introduces circular dependencies and is inconsistent. The function
+ * declarations should move to ssl.h. Many of the constants can probably be
+ * pruned or unexported. */
+#include <openssl/ssl2.h>
+#include <openssl/ssl3.h>
+#include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */
+#include <openssl/dtls1.h> /* Datagram TLS */
+#include <openssl/ssl23.h>
+#include <openssl/srtp.h>  /* Support for the use_srtp extension */
+
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script make_errors.go. Any
  * changes made after this point may be overwritten when the script is next run.
@@ -2649,4 +2650,4 @@ OPENSSL_EXPORT const char *SSLeay_version(int unused);
 #define SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE 1113
 #define SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE 1114
 
-#endif
+#endif /* OPENSSL_HEADER_SSL_H */