Index: head/security/openssl-devel/Makefile
===================================================================
--- head/security/openssl-devel/Makefile
+++ head/security/openssl-devel/Makefile
@@ -33,18 +33,21 @@
 MAKE_ARGS+= WHOLE_ARCHIVE_FLAG=--whole-archive CNF_LDFLAGS="${LDFLAGS}"
 MAKE_ENV+= LIBRPATH="${PREFIX}/lib" GREP_OPTIONS=
-OPTIONS_GROUP= CIPHERS HASHES OPTIMIZE PROTOCOLS
+OPTIONS_GROUP= CIPHERS HASHES MODULES OPTIMIZE PROTOCOLS
 OPTIONS_GROUP_CIPHERS= ARIA DES GOST IDEA SM4 RC2 RC4 RC5 WEAK-SSL-CIPHERS
 OPTIONS_GROUP_HASHES= MD2 MD4 MDC2 RMD160 SM2 SM3
 OPTIONS_GROUP_OPTIMIZE= ASM SSE2 THREADS
+OPTIONS_GROUP_MODULES= FIPS LEGACY
 OPTIONS_DEFINE_i386= I386
 OPTIONS_GROUP_PROTOCOLS=NEXTPROTONEG SCTP SSL3 TLS1 TLS1_1 TLS1_2
-OPTIONS_DEFINE= ASYNC CT MAN3 RFC3779 SHARED ZLIB
+OPTIONS_DEFINE= ASYNC CT KTLS MAN3 RFC3779 SHARED ZLIB
-OPTIONS_DEFAULT=ASM ASYNC CT GOST DES EC MAN3 MD4 NEXTPROTONEG RC2 RC4 \
+OPTIONS_DEFAULT=ASM ASYNC CT FIPS GOST DES EC MAN3 MD4 NEXTPROTONEG RC2 RC4 \
 RMD160 SCTP SHARED SSE2 THREADS TLS1 TLS1_1 TLS1_2
+OPTIONS_EXCLUDE=${${OSVERSION} < 1300042:?KTLS:}
+
 OPTIONS_GROUP_OPTIMIZE_amd64= EC
 .if ${MACHINE_ARCH} == "amd64"
@@ -62,14 +65,18 @@
 CT_DESC= Certificate Transparency Support
 DES_DESC= (Triple) Data Encryption Standard
 EC_DESC= Optimize NIST elliptic curves
+FIPS_DESC= Build FIPS provider (Note: NOT yet FIPS validated)
 GOST_DESC= GOST (Russian standard)
 HASHES_DESC= Hash Function Support
 I386_DESC= i386 (instead of i486+)
 IDEA_DESC= International Data Encryption Algorithm
+KTLS_DESC= Use in-kernel TLS (FreeBSD >13)
+LEGACY_DESC= Older algorithms
 MAN3_DESC= Install API manpages (section 3, 7)
-MD2_DESC= MD2 (obsolete)
+MD2_DESC= MD2 (obsolete) (requires LEGACY)
 MD4_DESC= MD4 (unsafe)
 MDC2_DESC= MDC-2 (patented, requires DES)
+MODULES_DESC= Provider modules
 NEXTPROTONEG_DESC= Next Protocol Negotiation (SPDY)
 OPTIMIZE_DESC= Optimizations
 PROTOCOLS_DESC= Protocol Support
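Review bot: `FIPS` is added to `OPTIONS_DEFAULT` in the first Makefile hunk, so every default build ships a provider module that the new `FIPS_DESC` itself labels "NOT yet FIPS validated". That caveat is visible only in the options dialog; someone who finds the module installed from a binary package never sees it and may read its presence as a compliance statement. Consider leaving `FIPS` out of the defaults until the module is validated, or at least record the status next to the assignment, e.g. `# FIPS: built by default, NOT a validated module (see FIPS_DESC)`.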
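Review bot: `KTLS_DESC` says "FreeBSD >13", but the gate added in the previous hunk is `${OSVERSION} < 1300042`, which excludes the option only below that OSVERSION and therefore allows it on 13 itself. The description should state what the check enforces, for example `KTLS_DESC= Use in-kernel TLS (FreeBSD >= 13)`. A one-line comment above `OPTIONS_EXCLUDE` saying what 1300042 introduced would also spare the next maintainer a lookup when the threshold has to be revisited.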
@@ -92,16 +99,18 @@
 ZLIB_DESC= zlib compression support
 # Upstream default disabled options
-.for _option in md2 rc5 sctp ssl3 weak-ssl-ciphers zlib
+.for _option in md2 ktls rc5 sctp ssl3 weak-ssl-ciphers zlib
 ${_option:tu}_CONFIGURE_ON= enable-${_option}
 .endfor
 # Upstream default enabled options
-.for _option in aria asm async ct des gost idea md4 mdc2 nextprotoneg rc2 rc4 \
- rfc3779 rmd160 shared sm2 sm3 sm4 sse2 threads tls1 tls1_1 tls1_2
+.for _option in aria asm async ct des fips gost idea md4 mdc2 legacy \
+ nextprotoneg rc2 rc4 rfc3779 rmd160 shared sm2 sm3 sm4 sse2 \
+ threads tls1 tls1_1 tls1_2
 ${_option:tu}_CONFIGURE_OFF= no-${_option}
 .endfor
+MD2_IMPLIES= LEGACY
 MDC2_IMPLIES= DES
 TLS1_IMPLIES= TLS1_1
 TLS1_1_IMPLIES= TLS1_2
Index: head/security/openssl-devel/pkg-plist
===================================================================
--- head/security/openssl-devel/pkg-plist
+++ head/security/openssl-devel/pkg-plist
@@ -136,8 +136,8 @@
 lib/libssl.a
 %%SHARED%%lib/libssl.so
 %%SHARED%%lib/libssl.so.%%SHLIBVER%%
-%%SHARED%%lib/ossl-modules/fips.so
-%%SHARED%%lib/ossl-modules/legacy.so
+%%FIPS%%%%SHARED%%lib/ossl-modules/fips.so
+%%LEGACY%%%%SHARED%%lib/ossl-modules/legacy.so
 libdata/pkgconfig/libcrypto.pc
 libdata/pkgconfig/libssl.pc
 libdata/pkgconfig/openssl.pc
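Review bot: In the Makefile hunk at `@@ -92,16 +99,18 @@`, `MD2_IMPLIES= LEGACY` is the only option tied to the new LEGACY module, yet `LEGACY` is absent from `OPTIONS_DEFAULT` while `MD4`, `RC2`, `RC4` and `DES` are present. If those algorithms are also served only by the legacy provider in this OpenSSL branch (worth confirming against upstream's provider list), the default build enables them together with `no-legacy` and they may not be reachable by applications. Either add matching lines such as `MD4_IMPLIES= LEGACY`, or, preferably from a hardening standpoint, keep LEGACY off and drop the weak algorithms from the defaults. In both cases the affected `_DESC` strings should carry the same "(requires LEGACY)" note that MD2 received.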