Index: sys/kern/kern_sysctl.c
===================================================================
--- sys/kern/kern_sysctl.c
+++ sys/kern/kern_sysctl.c
@@ -1732,6 +1732,29 @@
 return (0);
 }
+/*
+ * Convert seconds to a struct timeval. Intended for use with
+ * intervals and thus does not permit negative seconds.
+ */
+int
+sysctl_sec_to_timeval(SYSCTL_HANDLER_ARGS)
+{
+ struct timeval *tv;
+ int error, secs;
+
+ tv = arg1;
+ secs = tv->tv_sec;
+
+ error = sysctl_handle_int(oidp, &secs, 0, req);
+ if (error || req->newptr == NULL)
+ return (error);
+
+ if (secs < 0)
+ return (EINVAL);
+ tv->tv_sec = secs;
+
+ return (0);
+}
 /*
 * Transfer functions to/from kernel space.
Index: sys/kgssapi/krb5/kcrypto.h
===================================================================
--- sys/kgssapi/krb5/kcrypto.h
+++ sys/kgssapi/krb5/kcrypto.h
@@ -101,6 +101,7 @@
 extern struct krb5_encryption_class krb5_aes256_encryption_class;
 extern struct krb5_encryption_class krb5_arcfour_encryption_class;
 extern struct krb5_encryption_class krb5_arcfour_56_encryption_class;
+extern struct timeval krb5_warn_interval;
 static __inline void
 krb5_set_key(struct krb5_key_state *ks, const void *keydata)
Index: sys/kgssapi/krb5/kcrypto.c
===================================================================
--- sys/kgssapi/krb5/kcrypto.c
+++ sys/kgssapi/krb5/kcrypto.c
@@ -34,6 +34,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -50,6 +51,11 @@
 NULL
 };
+struct timeval krb5_warn_interval = { .tv_sec = 3600, .tv_usec = 0 };
+SYSCTL_TIMEVAL_SEC(_kern, OID_AUTO, kgssapi_warn_interval, CTLFLAG_RW,
+ &krb5_warn_interval,
+ "Delay in seconds between warnings of deprecated KGSSAPI crypto.");
+
 struct krb5_encryption_class *
 krb5_find_encryption_class(int etype)
 {
Index: sys/kgssapi/krb5/kcrypto_arcfour.c
===================================================================
--- sys/kgssapi/krb5/kcrypto_arcfour.c
+++ sys/kgssapi/krb5/kcrypto_arcfour.c
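Review bot: `secs = tv->tv_sec;` in sysctl_sec_to_timeval narrows time_t to int, so on targets with a 64-bit time_t an interval whose tv_sec is above INT_MAX reads back as a wrong (possibly negative) value and the next write silently replaces it; a guard before the read, `if (tv->tv_sec > INT_MAX) return (EOVERFLOW);`, or a clamp, keeps the read/write pair consistent with the int the sysctl advertises. The handler also accepts 0, which for the ratecheck() callers elsewhere in this change presumably removes the rate limit rather than silencing the warning, and it never touches tv_usec; both belong in the header comment, e.g. `Only tv_sec is read and written; tv_usec is left as initialized. A value of 0 disables the rate limit.` The store to tv->tv_sec is unlocked while packet-path callers read the same timeval, which looks benign here (at worst one extra or one missed warning) but is worth a sentence as well.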
@@ -47,10 +47,9 @@
 arcfour_init(struct krb5_key_state *ks)
 {
 static struct timeval lastwarn;
- static struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 };
 ks->ks_priv = NULL;
- if (ratecheck(&lastwarn, &warninterval))
+ if (ratecheck(&lastwarn, &krb5_warn_interval))
 gone_in(13, "RC4 cipher for Kerberos GSS");
 }
Index: sys/kgssapi/krb5/kcrypto_des.c
===================================================================
--- sys/kgssapi/krb5/kcrypto_des.c
+++ sys/kgssapi/krb5/kcrypto_des.c
@@ -54,13 +54,12 @@
 des1_init(struct krb5_key_state *ks)
 {
 static struct timeval lastwarn;
- static struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 };
 struct des1_state *ds;
 ds = malloc(sizeof(struct des1_state), M_GSSAPI, M_WAITOK|M_ZERO);
 mtx_init(&ds->ds_lock, "gss des lock", NULL, MTX_DEF);
 ks->ks_priv = ds;
- if (ratecheck(&lastwarn, &warninterval))
+ if (ratecheck(&lastwarn, &krb5_warn_interval))
 gone_in(13, "DES cipher for Kerberos GSS");
 }
Index: sys/kgssapi/krb5/kcrypto_des3.c
===================================================================
--- sys/kgssapi/krb5/kcrypto_des3.c
+++ sys/kgssapi/krb5/kcrypto_des3.c
@@ -55,13 +55,12 @@
 des3_init(struct krb5_key_state *ks)
 {
 static struct timeval lastwarn;
- static struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 };
 struct des3_state *ds;
 ds = malloc(sizeof(struct des3_state), M_GSSAPI, M_WAITOK|M_ZERO);
 mtx_init(&ds->ds_lock, "gss des3 lock", NULL, MTX_DEF);
 ks->ks_priv = ds;
- if (ratecheck(&lastwarn, &warninterval))
+ if (ratecheck(&lastwarn, &krb5_warn_interval))
 gone_in(13, "DES3 cipher for Kerberos GSS");
 }
Index: sys/netipsec/ipsec.h
===================================================================
--- sys/netipsec/ipsec.h
+++ sys/netipsec/ipsec.h
@@ -287,6 +287,8 @@
 VNET_DECLARE(int, async_crypto);
 VNET_DECLARE(int, natt_cksum_policy);
+extern struct timeval ipsec_warn_interval;
+
 #define IPSECSTAT_INC(name) \
 VNET_PCPUSTAT_ADD(struct ipsecstat, ipsec4stat, name, 1)
 #define V_ip4_esp_trans_deflev VNET(ip4_esp_trans_deflev)
Index: sys/netipsec/ipsec.c
===================================================================
--- sys/netipsec/ipsec.c
+++ sys/netipsec/ipsec.c
@@ -216,6 +216,11 @@
 SYSCTL_VNET_PCPUSTAT(_net_inet_ipsec, OID_AUTO, ipsecstats, struct ipsecstat,
 ipsec4stat, "IPsec IPv4 statistics.");
+struct timeval ipsec_warn_interval = { .tv_sec = 1, .tv_usec = 0 };
+SYSCTL_TIMEVAL_SEC(_net_inet_ipsec, OID_AUTO, crypto_warn_interval, CTLFLAG_RW,
+ &ipsec_warn_interval,
+ "Delay in seconds between warnings of deprecated IPsec crypto algorithms.");
+
 #ifdef REGRESSION
 /*
 * When set to 1, IPsec will send packets with the same sequence number.
Index: sys/netipsec/xform_ah.c
===================================================================
--- sys/netipsec/xform_ah.c
+++ sys/netipsec/xform_ah.c
@@ -109,7 +109,6 @@
 static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */
 static struct timeval md5warn, ripewarn, kpdkmd5warn, kpdksha1warn;
-static struct timeval warninterval = { .tv_sec = 1, .tv_usec = 0 };
 static int ah_input_cb(struct cryptop*);
 static int ah_output_cb(struct cryptop*);
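Review bot: `ipsec_warn_interval` is a plain global registered under `net.inet.ipsec` next to VNET-scoped state (the `VNET_DECLARE` lines in ipsec.h and the `SYSCTL_VNET_PCPUSTAT` context line just above), so a reader will ask whether leaving out VNET is deliberate. It is consistent with the `*warn` timevals in xform_ah.c and xform_esp.c, which are file-scope statics shared by all vnets, but a one-line comment above the definition, `/* Not per-VNET: the ratecheck() state it pairs with is global too. */`, would settle the question at the point of definition.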
@@ -189,19 +188,19 @@
 switch (sav->alg_auth) {
 case SADB_AALG_MD5HMAC:
- if (ratecheck(&md5warn, &warninterval))
+ if (ratecheck(&md5warn, &ipsec_warn_interval))
 gone_in(13, "MD5-HMAC authenticator for IPsec");
 break;
 case SADB_X_AALG_RIPEMD160HMAC:
- if (ratecheck(&ripewarn, &warninterval))
+ if (ratecheck(&ripewarn, &ipsec_warn_interval))
 gone_in(13, "RIPEMD160-HMAC authenticator for IPsec");
 break;
 case SADB_X_AALG_MD5:
- if (ratecheck(&kpdkmd5warn, &warninterval))
+ if (ratecheck(&kpdkmd5warn, &ipsec_warn_interval))
 gone_in(13, "Keyed-MD5 authenticator for IPsec");
 break;
 case SADB_X_AALG_SHA:
- if (ratecheck(&kpdksha1warn, &warninterval))
+ if (ratecheck(&kpdksha1warn, &ipsec_warn_interval))
 gone_in(13, "Keyed-SHA1 authenticator for IPsec");
 break;
 }
Index: sys/netipsec/xform_esp.c
===================================================================
--- sys/netipsec/xform_esp.c
+++ sys/netipsec/xform_esp.c
@@ -95,7 +95,6 @@
 "ESP statistics (struct espstat, netipsec/esp_var.h");
 static struct timeval deswarn, blfwarn, castwarn, camelliawarn;
-static struct timeval warninterval = { .tv_sec = 1, .tv_usec = 0 };
 static int esp_input_cb(struct cryptop *op);
 static int esp_output_cb(struct cryptop *crp);
@@ -162,19 +161,19 @@
 switch (sav->alg_enc) {
 case SADB_EALG_DESCBC:
- if (ratecheck(&deswarn, &warninterval))
+ if (ratecheck(&deswarn, &ipsec_warn_interval))
 gone_in(13, "DES cipher for IPsec");
 break;
 case SADB_X_EALG_BLOWFISHCBC:
- if (ratecheck(&blfwarn, &warninterval))
+ if (ratecheck(&blfwarn, &ipsec_warn_interval))
 gone_in(13, "Blowfish cipher for IPsec");
 break;
 case SADB_X_EALG_CAST128CBC:
- if (ratecheck(&castwarn, &warninterval))
+ if (ratecheck(&castwarn, &ipsec_warn_interval))
 gone_in(13, "CAST cipher for IPsec");
 break;
 case SADB_X_EALG_CAMELLIACBC:
- if (ratecheck(&camelliawarn, &warninterval))
+ if (ratecheck(&camelliawarn, &ipsec_warn_interval))
 gone_in(13, "Camellia cipher for IPsec");
 break;
 }
Index: sys/opencrypto/cryptodev.c
===================================================================
--- sys/opencrypto/cryptodev.c
+++ sys/opencrypto/cryptodev.c
@@ -146,6 +146,11 @@
 #define CIOCGSESSION232 _IOWR('c', 106, struct session2_op32)
 #define CIOCKEY232 _IOWR('c', 107, struct crypt_kop32)
+static struct timeval warninterval = { .tv_sec = 60, .tv_usec = 0 };
+SYSCTL_TIMEVAL_SEC(_kern, OID_AUTO, cryptodev_warn_interval, CTLFLAG_RW,
+ &warninterval,
+ "Delay in seconds between warnings of deprecated /dev/crypto algorithms");
+
 static void
 session_op_from_32(const struct session_op32 *from, struct session_op *to)
 {
@@ -388,7 +393,6 @@
 #endif
 static struct timeval arc4warn, blfwarn, castwarn, deswarn, md5warn;
 static struct timeval skipwarn, tdeswarn;
- static struct timeval warninterval = { .tv_sec = 60, .tv_usec = 0 };
 switch (cmd) {
 case CIOCGSESSION:
Index: sys/sys/sysctl.h
===================================================================
--- sys/sys/sysctl.h
+++ sys/sys/sysctl.h
@@ -218,6 +218,7 @@
 int sysctl_msec_to_sbintime(SYSCTL_HANDLER_ARGS);
 int sysctl_usec_to_sbintime(SYSCTL_HANDLER_ARGS);
+int sysctl_sec_to_timeval(SYSCTL_HANDLER_ARGS);
 int sysctl_dpcpu_int(SYSCTL_HANDLER_ARGS);
 int sysctl_dpcpu_long(SYSCTL_HANDLER_ARGS);
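Review bot: The new file-scope static in cryptodev.c keeps the generic name `warninterval` while the other two modules in this change use module-prefixed globals (`krb5_warn_interval`, `ipsec_warn_interval`); `static struct timeval cryptodev_warn_interval = { .tv_sec = 60, .tv_usec = 0 };` would match the sysctl name `kern.cryptodev_warn_interval` and its siblings, and also avoids shadowing confusion with the function-local `warninterval` that the second hunk of this file removes. The description string here is the only one of the three without a terminating period; `"Delay in seconds between warnings of deprecated /dev/crypto algorithms."` keeps `sysctl -d` output uniform.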
@@ -857,6 +858,24 @@
 NULL); \
 })
+/* OID expressing a struct timeval as seconds */
+#define SYSCTL_TIMEVAL_SEC(parent, nbr, name, access, ptr, descr) \
+ SYSCTL_OID(parent, nbr, name, \
+ CTLTYPE_INT | CTLFLAG_MPSAFE | CTLFLAG_RD | (access), \
+ (ptr), 0, sysctl_sec_to_timeval, "I", descr); \
+ CTASSERT(((access) & CTLTYPE) == 0 || \
+ ((access) & SYSCTL_CT_ASSERT_MASK) == CTLTYPE_INT)
+#define SYSCTL_ADD_TIMEVAL_SEC(ctx, parent, nbr, name, access, ptr, descr) \
+({ \
+ struct timeval *__ptr = (ptr); \
+ CTASSERT(((access) & CTLTYPE) == 0 || \
+ ((access) & SYSCTL_CT_ASSERT_MASK) == CTLTYPE_INT); \
+ sysctl_add_oid(ctx, parent, nbr, name, \
+ CTLTYPE_INT | CTLFLAG_MPSAFE | CTLFLAG_RD | (access), \
+ __ptr, 0, sysctl_sec_to_timeval, "I", __DESCR(descr), \
+ NULL); \
+})
+
 /*
 * A macro to generate a read-only sysctl to indicate the presence of optional
 * kernel features.
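Review bot: `SYSCTL_TIMEVAL_SEC` hands `(ptr)` straight to `SYSCTL_OID` with no type check, so an `int *` or a `struct timeval **` passed by mistake compiles and sysctl_sec_to_timeval then writes `tv_sec` through the wrong object; `SYSCTL_ADD_TIMEVAL_SEC` gets that check for free from `struct timeval *__ptr = (ptr);`, but the static form does not. Extending its CTASSERT to `((access) & SYSCTL_CT_ASSERT_MASK) == CTLTYPE_INT) && sizeof(struct timeval) == sizeof(*(ptr))` would catch the most likely slips at compile time. The `/* OID expressing a struct timeval as seconds */` comment could also state the contract callers choose the macro for: only tv_sec is exported and written, and the handler rejects negative values.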