diff --git a/security/gnutls/Makefile b/security/gnutls/Makefile
index f72a03894fb0..d7d190bce6f5 100644
--- a/security/gnutls/Makefile
+++ b/security/gnutls/Makefile
@@ -1,124 +1,125 @@ PORTNAME= gnutls DISTVERSION= 3.8.5 +PORTREVISION= 1 CATEGORIES= security net MASTER_SITES= GNUPG/${PORTNAME}/v${DISTVERSION:R} MAINTAINER= tijl@FreeBSD.org COMMENT= GNU Transport Layer Security library WWW= https://gnutls.org/ LICENSE= GPLv3 LGPL21 LICENSE_COMB= multi LICENSE_FILE_GPLv3= ${WRKSRC}/doc/COPYING LICENSE_FILE_LGPL21= ${WRKSRC}/doc/COPYING.LESSER LIB_DEPENDS= libgmp.so:math/gmp \ libnettle.so:security/nettle \ libtasn1.so:security/libtasn1 \ libunistring.so:devel/libunistring USES= compiler:c11 cpe gmake iconv libtool localbase makeinfo \ pkgconfig tar:xz CPE_VENDOR= gnu GNU_CONFIGURE= yes GNU_CONFIGURE_MANPREFIX=${PREFIX}/share USE_LDCONFIG= yes INFO= gnutls INSTALL_TARGET= install-strip TEST_TARGET= check LDFLAGS= -Wl,--undefined-version MAKE_ENV= MAKEINFOFLAGS=--no-split CONFIGURE_ARGS= --disable-rpath \ --with-system-priority-file=${PREFIX}/etc/gnutls/config \ --with-default-trust-store-dir=/etc/ssl/certs \ --without-brotli \ --without-included-libtasn1 \ --without-zstd \ --without-tpm \ --without-tpm2 \ --enable-ld-version-script OPTIONS_DEFINE= DANE EXAMPLES IDN KTLS MAN3 NLS P11KIT SRP OPTIONS_DEFAULT= IDN KTLS MAN3 P11KIT OPTIONS_SUB= yes DANE_DESC= Certificate verification via DNSSEC KTLS_DESC= Enable support for in-kernel TLS MAN3_DESC= Install API manpages (section 3) P11KIT_DESC= PKCS\#11 and p11-kit support SRP_DESC= Secure Remote Password support DANE_LIB_DEPENDS= libunbound.so:dns/unbound DANE_CONFIGURE_ENABLE= libdane IDN_LIB_DEPENDS= libidn2.so:dns/libidn2 IDN_CONFIGURE_WITH= idn KTLS_CONFIGURE_ENABLE= ktls NLS_USES= gettext NLS_CONFIGURE_ENABLE= nls NLS_CONFIGURE_OFF= ac_cv_lib_intl_gettext=no P11KIT_LIB_DEPENDS= libp11-kit.so:security/p11-kit P11KIT_CONFIGURE_WITH= p11-kit P11KIT_CONFIGURE_ON= --with-default-trust-store-pkcs11="pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit" SRP_CONFIGURE_ENABLE= srp-authentication post-patch: @${RM} ${WRKSRC}/doc/*.info* @${REINPLACE_CMD} 's,/usr/share,${PREFIX}/share,' 
\ ${WRKSRC}/doc/manpages/*.[13] @${REINPLACE_CMD} -E 's,/etc/(gnutls|tpasswd),${PREFIX}&,g' \ ${WRKSRC}/doc/cha-config.texi \ ${WRKSRC}/doc/gnutls-api.texi \ ${WRKSRC}/doc/invoke-certtool.texi \ ${WRKSRC}/doc/invoke-gnutls-cli.texi \ ${WRKSRC}/doc/invoke-gnutls-serv.texi \ ${WRKSRC}/doc/invoke-p11tool.texi \ ${WRKSRC}/doc/invoke-srptool.texi \ ${WRKSRC}/doc/manpages/certtool.1 \ ${WRKSRC}/doc/manpages/gnutls_priority_init2.3 \ ${WRKSRC}/doc/manpages/gnutls-cli.1 \ ${WRKSRC}/doc/manpages/gnutls-serv.1 \ ${WRKSRC}/doc/manpages/p11tool.1 \ ${WRKSRC}/doc/manpages/srptool.1 \ ${WRKSRC}/doc/srptool-examples.texi \ ${WRKSRC}/lib/includes/gnutls/pkcs11.h \ ${WRKSRC}/lib/pkcs11.c \ ${WRKSRC}/src/p11tool-options.c \ ${WRKSRC}/src/srptool.c @${REINPLACE_CMD} \ 's,/etc/pkcs11/modules,${PREFIX}/share/p11-kit/modules,' \ ${WRKSRC}/doc/cha-tokens.texi \ ${WRKSRC}/doc/invoke-p11tool.texi \ ${WRKSRC}/doc/manpages/p11tool.1 \ ${WRKSRC}/src/p11tool-options.c # Prevent regeneration. The order is important. @${TOUCH} ${WRKSRC}/doc/enums.texi \ ${WRKSRC}/doc/invoke-gnutls-cli.texi \ ${WRKSRC}/doc/invoke-gnutls-cli-debug.texi \ ${WRKSRC}/doc/invoke-gnutls-serv.texi \ ${WRKSRC}/doc/invoke-certtool.texi \ ${WRKSRC}/doc/invoke-ocsptool.texi \ ${WRKSRC}/doc/invoke-danetool.texi \ ${WRKSRC}/doc/invoke-srptool.texi \ ${WRKSRC}/doc/invoke-psktool.texi \ ${WRKSRC}/doc/invoke-p11tool.texi \ ${WRKSRC}/doc/invoke-tpmtool.texi \ ${WRKSRC}/doc/pkcs11-api.texi \ ${WRKSRC}/doc/manpages/stamp_mans \ ${WRKSRC}/doc/stamp_enums \ ${WRKSRC}/doc/stamp_functions post-install: @${RM} ${STAGEDIR}${DOCSDIR}/*.png @${RMDIR} ${STAGEDIR}${DOCSDIR} @${MKDIR} ${STAGEDIR}${EXAMPLESDIR} ${INSTALL_DATA} ${WRKSRC}/doc/examples/*.[ch] ${STAGEDIR}${EXAMPLESDIR} .include
diff --git a/security/gnutls/files/patch-lib_global.c b/security/gnutls/files/patch-lib_global.c
new file mode 100644
index 000000000000..967aa49a5877
--- /dev/null
+++ b/security/gnutls/files/patch-lib_global.c
@@ -0,0 +1,43 @@
+--- lib/global.c.orig 2024-04-11 15:36:24 UTC
++++ lib/global.c
+@@ -29,6 +29,13 @@
+ #include "random.h"
+ #include
+ 
++#if __FreeBSD__
++#include
++#if __FreeBSD_version >= 1400094
++#include
++#endif
++#endif
++
+ #include "hello_ext.h" /* for _gnutls_hello_ext_init */
+ #include "supplemental.h" /* for _gnutls_supplemental_deinit */
+ #include "locks.h"
+@@ -520,6 +527,26 @@ static void _CONSTRUCTOR lib_init(void)
+ if (ret == 1)
+ return;
+ }
++
++#if __FreeBSD__
++#if __FreeBSD_version >= 1400094
++ /* This dlopen call initialises libpthread if it is present. Normally
++ this is handled by linking to libpthread but libgnutls does not link
++ with libpthread to avoid the overhead for non-threaded programs. */
++ (void) dlopen("libpthread.so", RTLD_LAZY | RTLD_GLOBAL | RTLD_NOLOAD);
++#else
++ /* The dlopen call above does not work correctly on older versions of
++ FreeBSD. Call pthread_mutex_timedlock instead. It initialises
++ libpthread and there's no libc stub that can preempt it. */
++#pragma weak pthread_mutex_timedlock
++ if (pthread_mutex_timedlock != NULL) {
++ pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
++ pthread_mutex_timedlock(&lock, NULL);
++ pthread_mutex_unlock(&lock);
++ pthread_mutex_destroy(&lock);
++ }
++#endif
++#endif
+ 
+ ret = _gnutls_global_init(1);
+ if (ret < 0) {
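Review bot: In the pre-1400094 branch added to lib_init, the result of `pthread_mutex_timedlock(&lock, NULL)` is ignored and `pthread_mutex_unlock(&lock)` runs unconditionally, so a failed lock would unlock a mutex this thread does not own; guard it with `if (pthread_mutex_timedlock(&lock, NULL) == 0) pthread_mutex_unlock(&lock);`. The NULL timeout presumably relies on the uncontended mutex being acquired before the timeout is read, which the comment should state. In the newer branch, `RTLD_NOLOAD` is what keeps the bare-name `dlopen("libpthread.so", ...)` from mapping a library through the search path inside a constructor, so I would add `/* RTLD_NOLOAD: only reference an already-loaded libpthread, never load one here */` to stop the flag being dropped later. The `(void)` cast also hides a NULL return, so a process where the call does not match a loaded libpthread skips the initialisation silently. lib_init starts and ends outside this hunk.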