diff --git a/clients/upsclient.c b/clients/upsclient.c
index 63bbc7051e..deebb7fbda 100644
--- a/clients/upsclient.c
+++ b/clients/upsclient.c
@@ -68,14 +68,14 @@
 #	define SOLARIS_i386_NBCONNECT_ENOENT(status) ( (!strcmp("i386", CPU_TYPE)) ? (ENOENT == (status)) : 0 )
 #else
 #	define SOLARIS_i386_NBCONNECT_ENOENT(status) (0)
-#endif  /* end of Solaris/i386 WA for non-blocking connect */
+#endif	/* end of Solaris/i386 WA for non-blocking connect */
 
 /* WA for AIX bug: non-blocking connect sets errno to 0 */
 #if (defined NUT_PLATFORM_AIX)
 #	define AIX_NBCONNECT_0(status) (0 == (status))
 #else
 #	define AIX_NBCONNECT_0(status) (0)
-#endif  /* end of AIX WA for non-blocking connect */
+#endif	/* end of AIX WA for non-blocking connect */
 
 #ifdef WITH_NSS
 #	include <prerror.h>
@@ -84,16 +84,16 @@
 #	include <prtypes.h>
 #	include <ssl.h>
 #	include <private/pprio.h>
-#endif /* WITH_NSS */
+#endif	/* WITH_NSS */
 
-#define UPSCLIENT_MAGIC 0x19980308
+#define UPSCLIENT_MAGIC	0x19980308
 
 #define SMALLBUF	512
 
 #ifdef SHUT_RDWR
-#define shutdown_how SHUT_RDWR
+#	define shutdown_how	SHUT_RDWR
 #else
-#define shutdown_how 2
+#	define shutdown_how	2
 #endif
 
 static struct {
@@ -378,30 +378,30 @@ int upscli_init(int certverify, const char *certpath,
 
 #ifdef WITH_OPENSSL
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+# if OPENSSL_VERSION_NUMBER < 0x10100000L
 	SSL_load_error_strings();
 	SSL_library_init();
 
 	ssl_ctx = SSL_CTX_new(SSLv23_client_method());
-#else
+# else
 	ssl_ctx = SSL_CTX_new(TLS_client_method());
-#endif
+# endif
 
 	if (!ssl_ctx) {
 		upslogx(LOG_ERR, "Can not initialize SSL context");
 		return -1;
 	}
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+# if OPENSSL_VERSION_NUMBER < 0x10100000L
 	/* set minimum protocol TLSv1 */
 	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
-#else
+# else
 	ret = SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION);
 	if (ret != 1) {
 		upslogx(LOG_ERR, "Can not set minimum protocol to TLSv1");
 		return -1;
 	}
-#endif
+# endif
 
 	if (!certpath) {
 		if (certverify == 1) {
@@ -681,7 +681,7 @@ static ssize_t net_read(UPSCONN_t *ups, char *buf, size_t buflen, const time_t t
 
 #ifdef WITH_SSL
 	if (ups->ssl) {
-#ifdef WITH_OPENSSL
+# ifdef WITH_OPENSSL
 		/* SSL_* routines deal with int type for return and buflen
 		 * We might need to window our I/O if we exceed 2GB (in
 		 * 32-bit builds)... Not likely to exceed in 64-bit builds,
@@ -692,12 +692,12 @@ static ssize_t net_read(UPSCONN_t *ups, char *buf, size_t buflen, const time_t t
 		iret = SSL_read(ups->ssl, buf, (int)buflen);
 		assert(iret <= SSIZE_MAX);
 		ret = (ssize_t)iret;
-#elif defined(WITH_NSS) /* WITH_OPENSSL */
+# elif defined(WITH_NSS) /* WITH_OPENSSL */
 		/* PR_* routines deal in PRInt32 type
 		 * We might need to window our I/O if we exceed 2GB :) */
 		assert(buflen <= PR_INT32_MAX);
 		ret = PR_Read(ups->ssl, buf, (PRInt32)buflen);
-#endif	/* WITH_OPENSSL | WITH_NSS*/
+# endif	/* WITH_OPENSSL | WITH_NSS*/
 
 		if (ret < 1) {
 			ups->upserror = UPSCLI_ERR_SSLERR;
@@ -705,7 +705,7 @@ static ssize_t net_read(UPSCONN_t *ups, char *buf, size_t buflen, const time_t t
 
 		return ret;
 	}
-#endif
+#endif	/* WITH_SSL */
 
 	ret = upscli_select_read(ups->fd, buf, buflen, timeout, 0);
 
@@ -766,7 +766,7 @@ static ssize_t net_write(UPSCONN_t *ups, const char *buf, size_t buflen, const t
 
 #ifdef WITH_SSL
 	if (ups->ssl) {
-#ifdef WITH_OPENSSL
+# ifdef WITH_OPENSSL
 		/* SSL_* routines deal with int type for return and buflen
 		 * We might need to window our I/O if we exceed 2GB (in
 		 * 32-bit builds)... Not likely to exceed in 64-bit builds,
@@ -777,12 +777,12 @@ static ssize_t net_write(UPSCONN_t *ups, const char *buf, size_t buflen, const t
 		iret = SSL_write(ups->ssl, buf, (int)buflen);
 		assert(iret <= SSIZE_MAX);
 		ret = (ssize_t)iret;
-#elif defined(WITH_NSS) /* WITH_OPENSSL */
+# elif defined(WITH_NSS) /* WITH_OPENSSL */
 		/* PR_* routines deal in PRInt32 type
 		 * We might need to window our I/O if we exceed 2GB :) */
 		assert(buflen <= PR_INT32_MAX);
 		ret = PR_Write(ups->ssl, buf, (PRInt32)buflen);
-#endif /* WITH_OPENSSL | WITH_NSS */
+# endif /* WITH_OPENSSL | WITH_NSS */
 
 		if (ret < 1) {
 			ups->upserror = UPSCLI_ERR_SSLERR;
@@ -790,7 +790,7 @@ static ssize_t net_write(UPSCONN_t *ups, const char *buf, size_t buflen, const t
 
 		return ret;
 	}
-#endif
+#endif	/* WITH_SSL */
 
 	ret = upscli_select_write(ups->fd, buf, buflen, timeout, 0);
 
@@ -1820,13 +1820,13 @@ int upscli_disconnect(UPSCONN_t *ups)
 		SSL_free(ups->ssl);
 		ups->ssl = NULL;
 	}
-#elif defined(WITH_NSS) /* WITH_OPENSSL */
+#elif defined(WITH_NSS) /* !WITH_OPENSSL */
 	if (ups->ssl) {
 		PR_Shutdown(ups->ssl, PR_SHUTDOWN_BOTH);
 		PR_Close(ups->ssl);
 		ups->ssl = NULL;
 	}
-#endif /* WITH_OPENSSL | WITH_NSS */
+#endif	/* WITH_OPENSSL | WITH_NSS */
 
 	shutdown(ups->fd, shutdown_how);
 
@@ -1876,7 +1876,7 @@ int upscli_ssl(UPSCONN_t *ups)
 	if (ups->ssl) {
 		return 1;
 	}
-#endif /* WITH_SSL */
+#endif	/* WITH_SSL */
 
 	return 0;
 }
diff --git a/conf/upsd.conf.sample b/conf/upsd.conf.sample
index d2ed9a8f71..f03b67b480 100644
--- a/conf/upsd.conf.sample
+++ b/conf/upsd.conf.sample
@@ -135,7 +135,7 @@
 # you can enter the certificate file here.
 # The certificates must be in PEM format and must be sorted starting with
 # the subject's certificate (server certificate), followed by intermediate
-# CA certificates (if applicable_ and the highest level (root) CA. It should
+# CA certificates (if applicable) and the highest level (root) CA. It should
 # end with the server key. See 'docs/security.txt' or the Security chapter of
 # NUT user manual for more information on the SSL support in NUT.
 #
diff --git a/docs/config-prereqs.txt b/docs/config-prereqs.txt
index b4adb9d96f..9a22df0ad0 100644
--- a/docs/config-prereqs.txt
+++ b/docs/config-prereqs.txt
@@ -77,7 +77,8 @@ variants, e.g. `--with-ssl=nss` vs. `--with-ssl=openssl`
 For reproducible runs of various pre-sets of configuration during
 development, take a look at `ci_build.sh` script and different `BUILD_TYPE`
 (and other) environment variable settings that it supports. A minimal run
-with it is just to call the script, e.g.:
+with it is just to call the script, possibly using an alternate source
+code branch of interest, e.g.:
 
 ------
 :; mkdir -p nut && cd nut && \
diff --git a/docs/download.txt b/docs/download.txt
index 74e1cb8155..bd5c9c8fca 100644
--- a/docs/download.txt
+++ b/docs/download.txt
@@ -239,10 +239,19 @@ link:https://github.com/networkupstools/nut/wiki/Links-to-distribution-packaging
       link:https://ci.appveyor.com/project/nut-travis/nut/build/artifacts[Appveyor
       CI] -- but it may be difficult to locate specifically the master-branch builds.
       See link:https://github.com/networkupstools/nut/wiki/NUT-for-Windows[NUT
-      for Windows wiki article] for these details, and more.
+      for Windows wiki article] for these details, and more.  These builds are
+      location-agnostic, you can place their directory trees into any non-UNC
+      Windows path you deem fit (the built-in `mingw{32,64}` prefix directory
+      is also not required).
 +
 The latest release's automated build archive is available here:
       link:https://www.networkupstools.org/package/windows/NUT-for-Windows-x86_64-RELEASE-{revision}.7z[NUT-for-Windows-x86_64-RELEASE-{revision}.7z]
++
+------
+[NOTE]
+Windows binaries may be quite large but sparse, so it may be useful to
+enable compression on the folder where you have unpacked a NUT tarball.
+------
 
     * link:https://www.networkupstools.org/package/windows/NUT-Installer-2.6.5-6.msi[(OBSOLETE) Windows MSI installer 2.6.5-6]
 
diff --git a/docs/images/nut-squared.svg b/docs/images/nut-squared.svg
new file mode 100644
index 0000000000..84c1dcd2c9
--- /dev/null
+++ b/docs/images/nut-squared.svg
@@ -0,0 +1,254 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   width="22.577778mm"
+   height="22.577778mm"
+   id="svg6456"
+   version="1.1"
+   inkscape:version="1.3 (0e150ed6c4, 2023-07-21)"
+   sodipodi:docname="nut-trimmed.svg"
+   viewBox="0 0 80 80"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:xlink="http://www.w3.org/1999/xlink"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:dc="http://purl.org/dc/elements/1.1/">
+  <defs
+     id="defs6458">
+    <radialGradient
+       inkscape:collect="always"
+       xlink:href="#id97"
+       id="radialGradient6400"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.00328986,0.00250497,-0.00250497,0.00328986,813.49885,-242.17629)"
+       cx="22767.4"
+       cy="148727"
+       fx="22767.4"
+       fy="148727"
+       r="15252" />
+    <radialGradient
+       fy="148727"
+       fx="22767.4"
+       r="15252"
+       cy="148727"
+       cx="22767.4"
+       gradientUnits="userSpaceOnUse"
+       id="id97">
+      <stop
+         id="stop404"
+         style="stop-color:#EF9A48"
+         offset="0" />
+      <stop
+         id="stop406"
+         style="stop-color:#8F5444"
+         offset="1" />
+    </radialGradient>
+    <radialGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient5994"
+       id="radialGradient6397"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.93052262,0,0,0.92333713,288.43248,-616.84103)"
+       cx="326.28094"
+       cy="591.72388"
+       fx="326.28094"
+       fy="591.72388"
+       r="28.291517" />
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient5994">
+      <stop
+         style="stop-color:#ffffff;stop-opacity:1;"
+         offset="0"
+         id="stop5996" />
+      <stop
+         style="stop-color:#ffffff;stop-opacity:0;"
+         offset="1"
+         id="stop5998" />
+    </linearGradient>
+    <radialGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient6352"
+       id="radialGradient6393"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1.836803,-0.1530383,0.2177191,1.7315357,-184.24282,-677.81111)"
+       cx="306.03009"
+       cy="601.14636"
+       fx="306.03009"
+       fy="601.14636"
+       r="19.88851" />
+    <linearGradient
+       id="linearGradient6352"
+       inkscape:collect="always">
+      <stop
+         id="stop6354"
+         offset="0"
+         style="stop-color:#d69600;stop-opacity:1" />
+      <stop
+         id="stop6356"
+         offset="1"
+         style="stop-color:#ffff90;stop-opacity:1" />
+    </linearGradient>
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient4948"
+       id="linearGradient6390"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.00415074,4.6170613e-4,-6.2836721e-4,0.00385903,516.60065,-282.00415)"
+       x1="20482.521"
+       y1="138225.59"
+       x2="22053.289"
+       y2="146536.86" />
+    <linearGradient
+       id="linearGradient4948"
+       inkscape:collect="always">
+      <stop
+         id="stop4950"
+         offset="0"
+         style="stop-color:#ffffff;stop-opacity:1;" />
+      <stop
+         id="stop4952"
+         offset="1"
+         style="stop-color:#ffffff;stop-opacity:0;" />
+    </linearGradient>
+    <radialGradient
+       inkscape:collect="always"
+       xlink:href="#id96"
+       id="radialGradient6386"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.00328986,0.00250497,-0.00244116,0.00320605,799.1539,-219.15978)"
+       cx="18876.199"
+       cy="150304"
+       fx="18876.199"
+       fy="150304"
+       r="14266.5" />
+    <radialGradient
+       fy="150304"
+       fx="18876.199"
+       r="14266.5"
+       cy="150304"
+       cx="18876.199"
+       gradientUnits="userSpaceOnUse"
+       id="id96">
+      <stop
+         id="stop399"
+         style="stop-color:#FFF974"
+         offset="0" />
+      <stop
+         id="stop401"
+         style="stop-color:#97946B"
+         offset="1" />
+    </radialGradient>
+  </defs>
+  <sodipodi:namedview
+     id="base"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:pageopacity="0.0"
+     inkscape:pageshadow="2"
+     inkscape:zoom="1.1443359"
+     inkscape:cx="255.60677"
+     inkscape:cy="289.25073"
+     inkscape:document-units="px"
+     inkscape:current-layer="layer1"
+     showgrid="false"
+     inkscape:window-width="1920"
+     inkscape:window-height="976"
+     inkscape:window-x="1912"
+     inkscape:window-y="-8"
+     inkscape:window-maximized="1"
+     inkscape:showpageshadow="2"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1" />
+  <metadata
+     id="metadata6461">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title />
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <g
+     inkscape:label="Calque 1"
+     inkscape:groupmode="layer"
+     id="layer1"
+     transform="translate(-42.32121,-36.140986)">
+    <g
+       transform="translate(-431.60097,-226.01267)"
+       id="g6403"
+       inkscape:export-xdpi="144"
+       inkscape:export-ydpi="144">
+      <rect
+         y="262.15366"
+         x="473.92218"
+         height="80"
+         width="80"
+         id="rect6314"
+         style="color:#000000;display:inline;overflow:visible;visibility:visible;fill:none;stroke:none;stroke-width:2;marker:none;enable-background:accumulate" />
+      <path
+         style="fill:#1f1a17;fill-rule:evenodd"
+         d="m 520.65858,264.42021 c 4.27938,-0.77706 10.16009,-1.15779 14.46039,-1.80478 l 3.69642,8.01174 c 8.58733,10.85336 11.54715,25.74793 10.08901,34.57232 l -2.48524,12.59545 -65.75521,-29.7587 c 2.19584,-5.10034 5.34609,-8.2567 8.36809,-11.67432 9.26309,-8.60251 20.37664,-11.03034 31.62654,-11.94171 z"
+         id="path6316"
+         inkscape:connector-curvature="0"
+         sodipodi:nodetypes="cccccccc" />
+      <path
+         style="fill:url(#radialGradient6400);fill-rule:evenodd"
+         d="m 492.24752,332.77799 c -12.52545,-10.49168 -15.10016,-25.98853 -11.31085,-41.37548 l 3.65672,-7.34505 c 7.40546,-10.73333 17.58539,-14.48975 29.77863,-17.45348 6.95687,-0.53519 13.97404,-1.45369 19.91501,-1.83112 9.70365,16.56861 15.41125,26.60793 12.19818,46.3648 l -2.72104,7.87039 -3.54031,5.43795 c -12.32438,15.22828 -31.46058,18.77011 -47.97634,8.33199 z"
+         id="path6318"
+         inkscape:connector-curvature="0"
+         sodipodi:nodetypes="ccccccccc" />
+      <rect
+         style="color:#000000;display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient6397);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:2;marker:none;enable-background:accumulate"
+         id="rect6320"
+         width="52.651794"
+         height="52.245213"
+         x="565.71838"
+         y="-96.60302"
+         transform="rotate(37.286451)" />
+      <path
+         sodipodi:nodetypes="csccczccc"
+         inkscape:connector-curvature="0"
+         id="path6324"
+         d="m 529.82626,268.79558 c 0,0 -33.83846,28.42319 -32.80561,30.79645 0.67874,1.55962 13.03476,3.25735 13.03476,3.25735 l -10.07313,22.06221 c -1.78204,5.72643 1.45573,2.51688 3.09186,3.09428 0,0 33.70019,-28.97749 32.86821,-30.93292 -0.83197,-1.95544 -8.93143,-2.48368 -12.43885,-3.49667 2.28226,-4.66139 9.4881,-22.93988 9.4881,-22.93988 2.12509,-4.13743 1.38019,-6.2758 -3.16534,-1.84082 z"
+         style="fill:#000000;stroke:none" />
+      <path
+         inkscape:connector-curvature="0"
+         d="m 531.53774,269.80716 -29.94604,27.53766 12.90555,2.52091 -12.04948,25.46895 29.94604,-27.53764 -12.90554,-2.5209 z"
+         id="path6326"
+         style="fill:url(#radialGradient6393);fill-opacity:1;stroke:none" />
+      <path
+         inkscape:connector-curvature="0"
+         id="path6328"
+         class="fil16"
+         style="fill:url(#linearGradient6390);fill-opacity:1;fill-rule:evenodd"
+         d="m 516.04726,269.15447 c 16.41807,-0.021 29.70942,11.42877 29.68214,25.56833 l -0.006,0.35993 -59.45243,0.0767 -0.004,-0.36007 c 0.0273,-14.13956 13.36246,-25.62389 29.78054,-25.64489 l 1.3e-4,2e-5 z" />
+      <path
+         style="fill:#1f1a17;fill-rule:evenodd"
+         d="m 549.64671,313.18416 1.23063,2.29349 -9.7375,10.76546 c -6.48594,7.95296 -9.21767,9.85116 -14.88881,13.01715 -12.60734,4.67767 -19.60436,1.75868 -29.44588,-1.66442 l -5.71181,3.72215 -2.79033,-1.32424 -1.42588,-2.26028 4.77357,-2.77864 c -17.26602,-18.40203 -15.36197,-34.6694 -11.6313,-50.88972 l 2.60344,-0.6111 2.25506,15.45327 9.39948,-7.04179 v 0 l 2.26428,2.01512 -2.48095,14.00472 9.78082,-3.16222 3.15332,0.87823 -0.31,13.32243 22.89178,-12.04294 2.38056,1.42283 -5.03999,12.32074 12.98246,-12.60629 2.41442,1.40703 -4.85611,10.85461 z"
+         id="path6332"
+         inkscape:connector-curvature="0"
+         sodipodi:nodetypes="cccccccccccccccccccccccccc" />
+      <path
+         style="fill:url(#radialGradient6386);fill-rule:evenodd"
+         d="m 499.65267,336.92135 c -2.53147,-0.74769 -5.3726,-1.3134 -7.32773,-2.97472 -13.61035,-16.32999 -14.71843,-29.28437 -11.32324,-46.88851 l 2.26839,15.51359 10.66792,-7.70976 v 0 l -3.3775,18.04202 13.13098,-5.2243 -0.038,17.01783 24.6928,-14.58857 -5.57998,17.70934 17.12417,-17.07152 -4.87349,12.91696 13.1682,-7.58882 c -7.07975,8.91139 -14.30169,18.23537 -22.7844,21.45034 -7.50985,3.45528 -13.61685,2.60928 -25.74814,-0.60388 z"
+         id="path6334"
+         inkscape:connector-curvature="0"
+         sodipodi:nodetypes="cccccccccccccccc" />
+      <polygon
+         id="polygon6336"
+         class="fil43"
+         points="23163.6,159265 22842,159364 22642.4,159246 22893.4,158534 23466.3,158566 "
+         style="fill:#99ae6a;fill-rule:evenodd"
+         transform="matrix(0.00328986,0.00250497,-0.00250497,0.00328986,813.80781,-242.48525)" />
+    </g>
+  </g>
+</svg>
diff --git a/docs/man/nut.txt b/docs/man/nut.txt
index e420389382..fa6a5926c1 100644
--- a/docs/man/nut.txt
+++ b/docs/man/nut.txt
@@ -370,7 +370,7 @@ to secure access to those files and their copies as well.
 
 include::index.txt[]
 
-:!included-skip-title:
+:included-skip-title!:
 
 ///////////////
 :leveloffset: 0
diff --git a/docs/security.txt b/docs/security.txt
index 3c55e94d35..6a96d4f8ac 100644
--- a/docs/security.txt
+++ b/docs/security.txt
@@ -536,7 +536,7 @@ other certificates.
 Create a self-signed CA certificate
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-NSS provides a way to create self-signed certificate which can acting as
+NSS provides a way to create self-signed certificate which can act as
 CA certificate, and to sign other certificates with this CA certificate.
 This method can be used to provide a CA certification chain without using
 an "official" certificate authority.
diff --git a/include/common.h b/include/common.h
index a83001b7e9..69f8d7348a 100644
--- a/include/common.h
+++ b/include/common.h
@@ -50,19 +50,19 @@
 #include <sys/stat.h>
 
 #ifdef HAVE_SYS_SIGNAL_H
-#include <sys/signal.h>
+# include <sys/signal.h>
 #endif
 #ifdef HAVE_SIGNAL_H
-#include <signal.h>
+# include <signal.h>
 #endif
 
 #include <stdlib.h>
 
 #ifdef HAVE_STRINGS_H
-#include <strings.h>	/* for strncasecmp() and strcasecmp() */
+# include <strings.h>	/* for strncasecmp() and strcasecmp() */
 #endif
 #ifdef HAVE_STRING_H
-#include <string.h>	/* for strdup() and many others */
+# include <string.h>	/* for strdup() and many others */
 #endif
 
 #ifndef WIN32
@@ -745,12 +745,12 @@ char * get_libname(const char* base_libname);
 /* Provide declarations for getopt() global variables */
 
 #ifdef NEED_GETOPT_H
-#include <getopt.h>
+# include <getopt.h>
 #else
-#ifdef NEED_GETOPT_DECLS
+# ifdef NEED_GETOPT_DECLS
 extern char *optarg;
 extern int optind;
-#endif /* NEED_GETOPT_DECLS */
+# endif /* NEED_GETOPT_DECLS */
 #endif /* HAVE_GETOPT_H */
 
 /* logging flags: bitmask! */
diff --git a/server/netssl.c b/server/netssl.c
index a1cdfbd8df..5a48201a87 100644
--- a/server/netssl.c
+++ b/server/netssl.c
@@ -28,10 +28,10 @@
 
 #include <sys/types.h>
 #ifndef WIN32
-#include <netinet/in.h>
-#include <sys/socket.h>
+#	include <netinet/in.h>
+#	include <sys/socket.h>
 #else	/* WIN32 */
-#include "wincompat.h"
+#	include "wincompat.h"
 #endif	/* WIN32 */
 
 #include "upsd.h"
@@ -43,17 +43,17 @@
 #	include <pk11pub.h>
 #	include <prinit.h>
 #	include <private/pprio.h>
-#if defined(NSS_VMAJOR) && (NSS_VMAJOR > 3 || (NSS_VMAJOR == 3 && defined(NSS_VMINOR) && NSS_VMINOR >= 39))
+# if defined(NSS_VMAJOR) && (NSS_VMAJOR > 3 || (NSS_VMAJOR == 3 && defined(NSS_VMINOR) && NSS_VMINOR >= 39))
 #	include <keyhi.h>
 #	include <keythi.h>
-#else
+# else	/* older NSS */
 #	include <key.h>
 #	include <keyt.h>
-#endif /* NSS before 3.39 */
+# endif	/* NSS before 3.39 */
 #	include <secerr.h>
 #	include <sslerr.h>
 #	include <sslproto.h>
-#endif /* WITH_NSS */
+#endif	/* WITH_NSS */
 
 char	*certfile = NULL;
 char	*certname = NULL;
@@ -121,9 +121,9 @@ void ssl_cleanup(void)
 {
 }
 
-#else
+#else	/* ifdef WITH_SSL: */
 
-#ifdef WITH_OPENSSL
+# ifdef WITH_OPENSSL
 
 static SSL_CTX	*ssl_ctx = NULL;
 
@@ -174,10 +174,10 @@ static int ssl_error(SSL *ssl, ssize_t ret)
 	return -1;
 }
 
-#elif defined(WITH_NSS) /* WITH_OPENSSL */
+# elif defined(WITH_NSS) /* not WITH_OPENSSL */
 
-static CERTCertificate *cert;
-static SECKEYPrivateKey *privKey;
+static CERTCertificate	*cert;
+static SECKEYPrivateKey	*privKey;
 
 static char *nss_password_callback(PK11SlotInfo *slot, PRBool retry,
 		void *arg)
@@ -189,34 +189,35 @@ static char *nss_password_callback(PK11SlotInfo *slot, PRBool retry,
 		return NULL;
 	}
 	upslogx(LOG_INFO, "Intend to retrieve password for %s / %s: password %sconfigured",
-		PK11_GetSlotName(slot), PK11_GetTokenName(slot), certpasswd?"":"not ");
+		PK11_GetSlotName(slot), PK11_GetTokenName(slot),
+		certpasswd ? "" : "not ");
 	return certpasswd ? PL_strdup(certpasswd) : NULL;
 }
 
 static void nss_error(const char* text)
 {
-	char buffer[SMALLBUF];
-	PRErrorCode err_num = PR_GetError();
-	PRInt32 err_len = PR_GetErrorTextLength();
+	char	buffer[SMALLBUF];
+	PRErrorCode	err_num = PR_GetError();
+	PRInt32	err_len = PR_GetErrorTextLength();
 
 	if (err_len > 0) {
 		if (err_len < SMALLBUF) {
 			PR_GetErrorText(buffer);
 			upsdebugx(1, "nss_error %ld in %s : %s", (long)err_num, text, buffer);
-		}else{
+		} else {
 			upsdebugx(1, "nss_error %ld in %s : Internal error buffer too small, needs %ld bytes", (long)err_num, text, (long)err_len);
 		}
-	}else{
+	} else {
 		upsdebugx(1, "nss_error %ld in %s", (long)PR_GetError(), text);
 	}
 }
 
 static int ssl_error(PRFileDesc *ssl, ssize_t ret)
 {
-	char buffer[256];
-	PRErrorCode err_num = PR_GetError();
-	PRInt32 err_len = PR_GetErrorTextLength();
-	PRInt32 length;
+	char	buffer[256];
+	PRErrorCode	err_num = PR_GetError();
+	PRInt32	err_len = PR_GetErrorTextLength();
+	PRInt32	length;
 	NUT_UNUSED_VARIABLE(ssl);
 	NUT_UNUSED_VARIABLE(ret);
 
@@ -224,10 +225,10 @@ static int ssl_error(PRFileDesc *ssl, ssize_t ret)
 		if (err_len < SMALLBUF) {
 			length = PR_GetErrorText(buffer);
 			upsdebugx(1, "ssl_error %ld : %*s", (long)err_num, length, buffer);
-		}else{
+		} else {
 			upsdebugx(1, "ssl_error %ld : Internal error buffer too small, needs %ld bytes", (long)err_num, (long)err_len);
 		}
-	}else{
+	} else {
 		upsdebugx(1, "ssl_error %ld", (long)err_num);
 	}
 
@@ -237,11 +238,13 @@ static int ssl_error(PRFileDesc *ssl, ssize_t ret)
 static SECStatus AuthCertificate(CERTCertDBHandle *arg, PRFileDesc *fd,
 	PRBool checksig, PRBool isServer)
 {
-	nut_ctype_t *client  = (nut_ctype_t *)SSL_RevealPinArg(fd);
-	SECStatus status = SSL_AuthCertificate(arg, fd, checksig, isServer);
+	nut_ctype_t	*client  = (nut_ctype_t *)SSL_RevealPinArg(fd);
+	SECStatus	status = SSL_AuthCertificate(arg, fd, checksig, isServer);
+
 	upslogx(LOG_INFO, "Intend to authenticate client %s : %s.",
 		client?client->addr:"(unnamed)",
 		status==SECSuccess?"SUCCESS":"FAILED");
+
 	return status;
 }
 
@@ -251,16 +254,17 @@ static SECStatus BadCertHandler(nut_ctype_t *arg, PRFileDesc *fd)
 
 	upslogx(LOG_WARNING, "Certificate validation failed for %s",
 		(arg&&arg->addr)?arg->addr:"<unnamed>");
-#ifdef WITH_CLIENT_CERTIFICATE_VALIDATION
+
+#  ifdef WITH_CLIENT_CERTIFICATE_VALIDATION
 	/* BadCertHandler is called when the NSS certificate validation is failed.
 	 * If the certificate verification (user conf) is mandatory, reject authentication
 	 * else accept it.
 	 */
-	return certrequest==NETSSL_CERTREQ_REQUIRE?SECFailure:SECSuccess;
-#else /* WITH_CLIENT_CERTIFICATE_VALIDATION */
+	return (certrequest == NETSSL_CERTREQ_REQUIRE) ? SECFailure : SECSuccess;
+#  else	/* not WITH_CLIENT_CERTIFICATE_VALIDATION */
 	/* Always accept clients. */
 	return SECSuccess;
-#endif /* WITH_CLIENT_CERTIFICATE_VALIDATION */
+#  endif	/* WITH_CLIENT_CERTIFICATE_VALIDATION */
 }
 
 static void HandshakeCallback(PRFileDesc *fd, nut_ctype_t *client_data)
@@ -272,16 +276,16 @@ static void HandshakeCallback(PRFileDesc *fd, nut_ctype_t *client_data)
 }
 
 
-#endif /* WITH_OPENSSL | WITH_NSS */
+# endif	/* WITH_OPENSSL | WITH_NSS */
 
 void net_starttls(nut_ctype_t *client, size_t numarg, const char **arg)
 {
-#ifdef WITH_OPENSSL
-	int ret;
-#elif defined(WITH_NSS) /* WITH_OPENSSL */
+# ifdef WITH_OPENSSL
+	int	ret;
+# elif defined(WITH_NSS)	/* WITH_OPENSSL */
 	SECStatus	status;
 	PRFileDesc	*socket;
-#endif /* WITH_OPENSSL | WITH_NSS */
+# endif	/* WITH_OPENSSL | WITH_NSS */
 
 	NUT_UNUSED_VARIABLE(numarg);
 	NUT_UNUSED_VARIABLE(arg);
@@ -298,11 +302,11 @@ void net_starttls(nut_ctype_t *client, size_t numarg, const char **arg)
 		return;
 	}
 
-#ifdef WITH_OPENSSL
+# ifdef WITH_OPENSSL
 	if (!ssl_ctx)
-#elif defined(WITH_NSS) /* WITH_OPENSSL */
+# elif defined(WITH_NSS)	/* not WITH_OPENSSL */
 	if (!NSS_IsInitialized())
-#endif /* WITH_OPENSSL | WITH_NSS */
+# endif	/* WITH_OPENSSL | WITH_NSS */
 	{
 		send_err(client, NUT_ERR_FEATURE_NOT_CONFIGURED);
 		ssl_initialized = 0;
@@ -313,7 +317,7 @@ void net_starttls(nut_ctype_t *client, size_t numarg, const char **arg)
 		return;
 	}
 
-#ifdef WITH_OPENSSL
+# ifdef WITH_OPENSSL
 
 	client->ssl = SSL_new(ssl_ctx);
 
@@ -350,7 +354,7 @@ void net_starttls(nut_ctype_t *client, size_t numarg, const char **arg)
 		break;
 	}
 
-#elif defined(WITH_NSS) /* WITH_OPENSSL */
+# elif defined(WITH_NSS)	/* not WITH_OPENSSL */
 
 	socket = PR_ImportTCPSocket(client->sock_fd);
 	if (socket == NULL) {
@@ -433,17 +437,17 @@ void net_starttls(nut_ctype_t *client, size_t numarg, const char **arg)
 		}
 	}
 	client->ssl_connected = 1;
-#endif /* WITH_OPENSSL | WITH_NSS */
+# endif /* WITH_OPENSSL | WITH_NSS */
 }
 
 void ssl_init(void)
 {
-#ifdef WITH_NSS
+# ifdef WITH_NSS
 	SECStatus status;
-#if defined(NSS_VMAJOR) && (NSS_VMAJOR > 3 || (NSS_VMAJOR == 3 && defined(NSS_VMINOR) && NSS_VMINOR >= 14))
+#  if defined(NSS_VMAJOR) && (NSS_VMAJOR > 3 || (NSS_VMAJOR == 3 && defined(NSS_VMINOR) && NSS_VMINOR >= 14))
 	SSLVersionRange range;
-#endif
-#endif /* WITH_NSS */
+#  endif
+# endif /* WITH_NSS */
 
 	if (!certfile) {
 		return;
@@ -453,16 +457,16 @@ void ssl_init(void)
 	if (!disable_weak_ssl)
 		upslogx(LOG_WARNING, "Warning: DISABLE_WEAK_SSL is not enabled. Please consider enabling to improve network security.");
 
-#ifdef WITH_OPENSSL
+# ifdef WITH_OPENSSL
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#  if OPENSSL_VERSION_NUMBER < 0x10100000L
 	SSL_load_error_strings();
 	SSL_library_init();
 
 	ssl_ctx = SSL_CTX_new(SSLv23_server_method());
-#else
+#  else	/* newer OPENSSL_VERSION_NUMBER */
 	ssl_ctx = SSL_CTX_new(TLS_server_method());
-#endif
+#  endif	/* OPENSSL_VERSION_NUMBER */
 
 	if (!ssl_ctx) {
 		ssl_debug();
@@ -470,22 +474,22 @@ void ssl_init(void)
 	}
 
 	SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#  if OPENSSL_VERSION_NUMBER < 0x10100000L
 	/* set minimum protocol TLSv1 */
 	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
 	if (disable_weak_ssl) {
-#if defined(SSL_OP_NO_TLSv1_2)
+#   if defined(SSL_OP_NO_TLSv1_2)
 		SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
-#elif defined(SSL_OP_NO_TLSv1_1)
+#   elif defined(SSL_OP_NO_TLSv1_1)
 		SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1);
-#endif
+#   endif
 	}
-#else
+#  else	/* newer OPENSSL_VERSION_NUMBER */
 	if (SSL_CTX_set_min_proto_version(ssl_ctx, disable_weak_ssl ? TLS1_2_VERSION : TLS1_VERSION) != 1) {
 		ssl_debug();
 		fatalx(EXIT_FAILURE, "SSL_CTX_set_min_proto_version(TLS1_VERSION)");
 	}
-#endif
+#  endif	/* OPENSSL_VERSION_NUMBER */
 
 	if (SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile) != 1) {
 		ssl_debug();
@@ -511,7 +515,7 @@ void ssl_init(void)
 
 	ssl_initialized = 1;
 
-#elif defined(WITH_NSS) /* WITH_OPENSSL */
+# elif defined(WITH_NSS)	/* not WITH_OPENSSL */
 
 	if (!certname || certname[0]==0 ) {
 		upslogx(LOG_ERR, "The SSL certificate name is not specified.");
@@ -562,7 +566,7 @@ void ssl_init(void)
 			return;
 		}
 	} else {
-#if defined(NSS_VMAJOR) && (NSS_VMAJOR > 3 || (NSS_VMAJOR == 3 && defined(NSS_VMINOR) && NSS_VMINOR >= 14))
+#  if defined(NSS_VMAJOR) && (NSS_VMAJOR > 3 || (NSS_VMAJOR == 3 && defined(NSS_VMINOR) && NSS_VMINOR >= 14))
 		status = SSL_VersionRangeGetSupported(ssl_variant_stream, &range);
 		if (status != SECSuccess) {
 			upslogx(LOG_ERR, "Can not get versions supported");
@@ -570,9 +574,9 @@ void ssl_init(void)
 			return;
 		}
 		range.min = SSL_LIBRARY_VERSION_TLS_1_1;
-#ifdef SSL_LIBRARY_VERSION_TLS_1_2
+#   ifdef SSL_LIBRARY_VERSION_TLS_1_2
 		range.min = SSL_LIBRARY_VERSION_TLS_1_2;
-#endif
+#   endif
 		status = SSL_VersionRangeSetDefault(ssl_variant_stream, &range);
 		if (status != SECSuccess) {
 			upslogx(LOG_ERR, "Can not set versions supported");
@@ -584,7 +588,7 @@ void ssl_init(void)
 		SSL_CipherPrefSetDefault(TLS_RSA_WITH_3DES_EDE_CBC_SHA, PR_FALSE);
 		SSL_CipherPrefSetDefault(TLS_RSA_WITH_RC4_128_SHA, PR_FALSE);
 		SSL_CipherPrefSetDefault(TLS_RSA_WITH_RC4_128_MD5, PR_FALSE);
-#else
+#  else	/* older NSS_VMAJOR */
 		status = SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_FALSE);
 		if (status != SECSuccess) {
 			upslogx(LOG_ERR, "Can not disable SSLv3");
@@ -597,18 +601,20 @@ void ssl_init(void)
 			nss_error("ssl_init / SSL_OptionSetDefault(SSL_ENABLE_TLS)");
 			return;
 		}
-#endif
+#  endif	/* NSS_VMAJOR */
 	}
 
-#ifdef WITH_CLIENT_CERTIFICATE_VALIDATION
-	if (certrequest < NETSSL_CERTREQ_NO &&
-		certrequest > NETSSL_CERTREQ_REQUEST) {
+#  ifdef WITH_CLIENT_CERTIFICATE_VALIDATION
+	if (certrequest < NETSSL_CERTREQ_NO
+	 && certrequest > NETSSL_CERTREQ_REQUEST
+	) {
 		upslogx(LOG_ERR, "Invalid certificate requirement");
 		return;
 	}
 
-	if (certrequest == NETSSL_CERTREQ_REQUEST ||
-		certrequest == NETSSL_CERTREQ_REQUIRE ) {
+	if (certrequest == NETSSL_CERTREQ_REQUEST
+	 || certrequest == NETSSL_CERTREQ_REQUIRE
+	) {
 		status = SSL_OptionSetDefault(SSL_REQUEST_CERTIFICATE, PR_TRUE);
 		if (status != SECSuccess) {
 			upslogx(LOG_ERR, "Can not enable certificate request");
@@ -617,7 +623,7 @@ void ssl_init(void)
 		}
 	}
 
-	if (certrequest == NETSSL_CERTREQ_REQUIRE ) {
+	if (certrequest == NETSSL_CERTREQ_REQUIRE) {
 		status = SSL_OptionSetDefault(SSL_REQUIRE_CERTIFICATE, PR_TRUE);
 		if (status != SECSuccess) {
 			upslogx(LOG_ERR, "Can not enable certificate requirement");
@@ -625,49 +631,50 @@ void ssl_init(void)
 			return;
 		}
 	}
-#endif /* WITH_CLIENT_CERTIFICATE_VALIDATION */
+#  endif	/* WITH_CLIENT_CERTIFICATE_VALIDATION */
 
 	cert = PK11_FindCertFromNickname(certname, NULL);
-	if(cert==NULL)	{
+	if (cert == NULL)	{
 		upslogx(LOG_ERR, "Can not find server certificate");
 		nss_error("ssl_init / PK11_FindCertFromNickname");
 		return;
 	}
 
 	privKey = PK11_FindKeyByAnyCert(cert, NULL);
-	if(privKey==NULL){
+	if (privKey == NULL){
 		upslogx(LOG_ERR, "Can not find private key associate to server certificate");
 		nss_error("ssl_init / PK11_FindKeyByAnyCert");
 		return;
 	}
 
 	ssl_initialized = 1;
-#else /* WITH_OPENSSL | WITH_NSS */
-	upslogx(LOG_ERR, "ssl_init called but SSL wasn't compiled in");
-#endif /* WITH_OPENSSL | WITH_NSS */
+# else /* not (WITH_OPENSSL | WITH_NSS) */
+	/* Looking at ifdefs, we should not get here. But just in case... */
+	upslogx(LOG_ERR, "ssl_init called but no supported SSL backend wasn compiled in");
+# endif /* WITH_OPENSSL | WITH_NSS */
 }
 
 #if (defined HAVE_PRAGMA_GCC_DIAGNOSTIC_PUSH_POP_BESIDEFUNC) && ( (defined HAVE_PRAGMA_GCC_DIAGNOSTIC_IGNORED_TYPE_LIMITS_BESIDEFUNC) || (defined HAVE_PRAGMA_GCC_DIAGNOSTIC_IGNORED_TAUTOLOGICAL_CONSTANT_OUT_OF_RANGE_COMPARE_BESIDEFUNC) )
-# pragma GCC diagnostic push
+#pragma GCC diagnostic push
 #endif
 #ifdef HAVE_PRAGMA_GCC_DIAGNOSTIC_IGNORED_TYPE_LIMITS_BESIDEFUNC
-# pragma GCC diagnostic ignored "-Wtype-limits"
+#pragma GCC diagnostic ignored "-Wtype-limits"
 #endif
 #ifdef HAVE_PRAGMA_GCC_DIAGNOSTIC_IGNORED_TAUTOLOGICAL_CONSTANT_OUT_OF_RANGE_COMPARE_BESIDEFUNC
-# pragma GCC diagnostic ignored "-Wtautological-constant-out-of-range-compare"
+#pragma GCC diagnostic ignored "-Wtautological-constant-out-of-range-compare"
 #endif
 ssize_t ssl_read(nut_ctype_t *client, char *buf, size_t buflen)
 {
 	ssize_t	ret = -1;
-#ifdef WITH_OPENSSL
+# ifdef WITH_OPENSSL
 	int	iret;
-#endif
+# endif
 
 	if (!client->ssl_connected) {
 		return -1;
 	}
 
-#ifdef WITH_OPENSSL
+# ifdef WITH_OPENSSL
 	/* SSL_* routines deal with int type for return and buflen
 	 * We might need to window our I/O if we exceed 2GB (in
 	 * 32-bit builds)... Not likely to exceed in 64-bit builds,
@@ -677,12 +684,12 @@ ssize_t ssl_read(nut_ctype_t *client, char *buf, size_t buflen)
 	iret = SSL_read(client->ssl, buf, (int)buflen);
 	assert(iret <= SSIZE_MAX);
 	ret = (ssize_t)iret;
-#elif defined(WITH_NSS) /* WITH_OPENSSL */
+# elif defined(WITH_NSS)	/* not WITH_OPENSSL */
 	/* PR_* routines deal in PRInt32 type
 	 * We might need to window our I/O if we exceed 2GB :) */
 	assert(buflen <= PR_INT32_MAX);
 	ret = PR_Read(client->ssl, buf, (PRInt32)buflen);
-#endif /* WITH_OPENSSL | WITH_NSS */
+# endif	/* WITH_OPENSSL | WITH_NSS */
 
 	if (ret < 1) {
 		ssl_error(client->ssl, ret);
@@ -695,15 +702,15 @@ ssize_t ssl_read(nut_ctype_t *client, char *buf, size_t buflen)
 ssize_t ssl_write(nut_ctype_t *client, const char *buf, size_t buflen)
 {
 	ssize_t	ret = -1;
-#ifdef WITH_OPENSSL
+# ifdef WITH_OPENSSL
 	int	iret;
-#endif
+# endif
 
 	if (!client->ssl_connected) {
 		return -1;
 	}
 
-#ifdef WITH_OPENSSL
+# ifdef WITH_OPENSSL
 	/* SSL_* routines deal with int type for return and buflen
 	 * We might need to window our I/O if we exceed 2GB (in
 	 * 32-bit builds)... Not likely to exceed in 64-bit builds,
@@ -713,30 +720,30 @@ ssize_t ssl_write(nut_ctype_t *client, const char *buf, size_t buflen)
 	iret = SSL_write(client->ssl, buf, (int)buflen);
 	assert(iret <= SSIZE_MAX);
 	ret = (ssize_t)iret;
-#elif defined(WITH_NSS) /* WITH_OPENSSL */
+# elif defined(WITH_NSS)	/* not WITH_OPENSSL */
 	/* PR_* routines deal in PRInt32 type
 	 * We might need to window our I/O if we exceed 2GB :) */
 	assert(buflen <= PR_INT32_MAX);
 	ret = PR_Write(client->ssl, buf, (PRInt32)buflen);
-#endif /* WITH_OPENSSL | WITH_NSS */
+# endif	/* WITH_OPENSSL | WITH_NSS */
 
 	upsdebugx(5, "ssl_write ret=%" PRIiSIZE, ret);
 
 	return ret;
 }
 #if (defined HAVE_PRAGMA_GCC_DIAGNOSTIC_PUSH_POP_BESIDEFUNC) && ( (defined HAVE_PRAGMA_GCC_DIAGNOSTIC_IGNORED_TYPE_LIMITS_BESIDEFUNC) || (defined HAVE_PRAGMA_GCC_DIAGNOSTIC_IGNORED_TAUTOLOGICAL_CONSTANT_OUT_OF_RANGE_COMPARE_BESIDEFUNC) )
-# pragma GCC diagnostic pop
+#pragma GCC diagnostic pop
 #endif
 
 void ssl_finish(nut_ctype_t *client)
 {
 	if (client->ssl) {
-#ifdef WITH_OPENSSL
+# ifdef WITH_OPENSSL
 		SSL_free(client->ssl);
-#elif defined(WITH_NSS)
+# elif defined(WITH_NSS)
 		PR_Shutdown(client->ssl, PR_SHUTDOWN_BOTH);
 		PR_Close(client->ssl);
-#endif /* WITH_OPENSSL | WITH_NSS */
+# endif /* WITH_OPENSSL | WITH_NSS */
 		client->ssl_connected = 0;
 		client->ssl = NULL;
 	}
@@ -744,14 +751,14 @@ void ssl_finish(nut_ctype_t *client)
 
 void ssl_cleanup(void)
 {
-#ifdef WITH_OPENSSL
+# ifdef WITH_OPENSSL
 	if (ssl_ctx) {
 		SSL_CTX_free(ssl_ctx);
 		ssl_ctx = NULL;
 	}
-#elif defined(WITH_NSS) /* WITH_OPENSSL */
+# elif defined(WITH_NSS)	/* not WITH_OPENSSL */
 	CERT_DestroyCertificate(cert);
-    SECKEY_DestroyPrivateKey(privKey);
+	SECKEY_DestroyPrivateKey(privKey);
 	NSS_Shutdown();
 	PR_Cleanup();
 	/* Called to release memory arena used by NSS/NSPR.
@@ -759,7 +766,7 @@ void ssl_cleanup(void)
 	 * https://developer.mozilla.org/en/NSS_Memory_allocation
 	 */
 	PL_ArenaFinish();
-#endif /* WITH_OPENSSL | WITH_NSS */
+# endif	/* WITH_OPENSSL | WITH_NSS */
 	ssl_initialized = 0;
 }