diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 5d490b53..c7090ae8 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -990,6 +990,14 @@ static const struct tls_extension kExtensions[] = {
 
 #define kNumExtensions (sizeof(kExtensions) / sizeof(struct tls_extension))
 
+OPENSSL_COMPILE_ASSERT(kNumExtensions <=
+                           sizeof(((SSL *)NULL)->s3->tmp.extensions.sent) * 8,
+                       too_many_extensions_for_bitset);
+OPENSSL_COMPILE_ASSERT(kNumExtensions <=
+                           sizeof(((SSL *)NULL)->s3->tmp.extensions.received) *
+                               8,
+                       too_many_extensions_for_bitset);
+
 static const struct tls_extension *tls_extension_find(uint32_t *out_index,
                                                       uint16_t value) {
   unsigned i;
@@ -1042,9 +1050,6 @@ uint8_t *ssl_add_clienthello_tlsext(SSL *s, uint8_t *const buf,
     return NULL; /* should never occur. */
   }
 
-  OPENSSL_COMPILE_ASSERT(
-      kNumExtensions <= sizeof(s->s3->tmp.extensions.sent) * 8,
-      too_many_extensions_for_bitset);
   s->s3->tmp.extensions.sent = 0;
 
   size_t i;
@@ -1646,10 +1651,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert) {
       return 0;
     }
 
-    OPENSSL_COMPILE_ASSERT(
-        kNumExtensions <= sizeof(s->s3->tmp.extensions.received) * 8,
-        too_many_extensions_for_bitset);
-
     unsigned ext_index;
     const struct tls_extension *const ext =
         tls_extension_find(&ext_index, type);
@@ -1882,10 +1883,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, CBS *cbs, int *out_alert) {
 
   uint32_t received = 0;
   size_t i;
-
-  OPENSSL_COMPILE_ASSERT(
-      kNumExtensions <= sizeof(received) * 8,
-      too_many_extensions_for_bitset);
+  assert(kNumExtensions <= sizeof(received) * 8);
 
   /* There may be no extensions. */
   if (CBS_len(cbs) == 0) {