diff --git a/nixos/lib/tests/test_openssl.nix b/nixos/lib/tests/test_openssl.nix
index a651657f40e19d4ed8e1d728c07ea4650981eee1..db3a82ec450e9097e7cbee4206ffcf2dc55d3d4d 100644
--- a/nixos/lib/tests/test_openssl.nix
+++ b/nixos/lib/tests/test_openssl.nix
@@ -1,18 +1,30 @@
 openssl:
-{ test_package_version =
-  { expected = "1.1.1k";
-    expr = "${openssl.version}";
+let
+  # This is the version of OpenSSL that we want to see.
+  expected = "1.1.1k";
+in {
+  # Check the packaging version.  It's nice for this to be what we expect
+  # because otherwise things get confusing but this is just the number *we*
+  # (or nixpkgs) puts on the software.
+  test_package_version = {
+    inherit expected;
+    expr = openssl.version;
   };
+
+  # Now check that the version OpenSSL itself reports is the same.
   test_runtime_version_matches =
-  { expected = "${openssl.version}";
+  { inherit expected;
     expr =
       let
+        # Find out what openssl thinks its own version is.
         pkgs = import <nixpkgs> { };
         cmd = "${openssl}/bin/openssl version";
         drv = pkgs.runCommand "version" {} "${cmd} > $out";
         runtime_version = builtins.readFile drv;
         pieces = pkgs.lib.splitString " " runtime_version;
       in
+        # The pieces are like [ "OpenSSL" "1.1.1k" "25" "Mar" "2021" ].  We
+        # don't really care about the date.  Get just the version number.
         builtins.elemAt pieces 1;
   };
 }