diff --git a/security/cryptlib/Makefile b/security/cryptlib/Makefile
index 2ac2ba26c675..a306eb97b224 100644
--- a/security/cryptlib/Makefile
+++ b/security/cryptlib/Makefile
@@ -1,44 +1,50 @@
 PORTNAME=		cryptlib
-PORTVERSION=		3.4.3
+DISTVERSION=		3.4.6
 CATEGORIES=		security
-MASTER_SITES=		ftp://ftp.franken.de/pub/crypt/cryptlib/
-DISTNAME=		cl${PORTVERSION:S/.//g}
+MASTER_SITES=		https://cryptlib-release.s3-ap-southeast-1.amazonaws.com/
+DISTNAME=		${PORTNAME}${PORTVERSION:S/.//g}
 
 MAINTAINER=		ale@FreeBSD.org
 COMMENT=		Powerful security programming toolkit
-WWW=		http://www.cs.auckland.ac.nz/~pgut001/cryptlib/
+WWW=			http://www.cs.auckland.ac.nz/~pgut001/cryptlib/
+
+LICENSE=		SLEEPYCAT
+LICENSE_NAME=		Sleepycat
+LICENSE_FILE=		${WRKSRC}/COPYING
+LICENSE_PERMS=		dist-mirror dist-sell pkg-mirror pkg-sell auto-accept
 
 ONLY_FOR_ARCHS=		amd64 armv6 armv7 i386 powerpc powerpc64 powerpc64le
 
+USES=			cpe zip:infozip
+
 OPTIONS_DEFINE=		DOCS
 
-USES=			cpe zip:infozip
 EXTRACT_BEFORE_ARGS=	-aq
 NO_WRKSUBDIR=		yes
 MAKEFILE=		makefile
-ALL_TARGET=		default FreeBSD shared
+ALL_TARGET=		default FreeBSD shared testlib
 USE_LDCONFIG=		yes
 MAKE_JOBS_UNSAFE=	yes
 CFLAGS+=		-DUSE_PKCS11
 
 PLIST_FILES=		include/cryptlib.h \
 			lib/libcl.a lib/libcl.so \
 			lib/libcl.so.3 lib/libcl.so.${PORTVERSION}
 
 PORTDOCS=		README
 
-post-patch:
-	@${REINPLACE_CMD} -e 's/%%CFLAGS%%/${CFLAGS}/' ${WRKSRC}/makefile
-
 do-install:
 	${INSTALL_DATA} ${WRKSRC}/libcl.a ${WRKSRC}/libcl.so.${PORTVERSION} \
 		${STAGEDIR}${PREFIX}/lib
 	${LN} -sf libcl.so.${PORTVERSION} ${STAGEDIR}${PREFIX}/lib/libcl.so.3
 	${LN} -sf libcl.so.3 ${STAGEDIR}${PREFIX}/lib/libcl.so
 	${INSTALL_DATA} ${WRKSRC}/cryptlib.h ${STAGEDIR}${PREFIX}/include
 
 post-install-DOCS-on:
 	${MKDIR} ${STAGEDIR}${DOCSDIR}
 	${INSTALL_DATA} ${WRKSRC}/README ${STAGEDIR}${DOCSDIR}
 
+do-test:
+	@cd ${BUILD_WRKSRC} && ./testlib -a
+
 .include <bsd.port.mk>
diff --git a/security/cryptlib/distinfo b/security/cryptlib/distinfo
index 86cae6841b04..4e31fa1950d6 100644
--- a/security/cryptlib/distinfo
+++ b/security/cryptlib/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1484210997
-SHA256 (cl343.zip) = 08b104442bb5c7281a3299853d5585cc63bd928454dff3150569c02b957427ad
-SIZE (cl343.zip) = 5703258
+TIMESTAMP = 1679305871
+SHA256 (cryptlib346.zip) = c72cfd103eb9fa9f205c14c84ce4fbdf3ead1e2447e830b164dc335141f747bd
+SIZE (cryptlib346.zip) = 6826568
diff --git a/security/cryptlib/files/patch-crypt_osconfig.h b/security/cryptlib/files/patch-crypt_osconfig.h
deleted file mode 100644
index 3cc1a7d7de9b..000000000000
--- a/security/cryptlib/files/patch-crypt_osconfig.h
+++ /dev/null
@@ -1,13 +0,0 @@
---- crypt/osconfig.h.orig	2021-11-26 15:16:58 UTC
-+++ crypt/osconfig.h
-@@ -147,6 +147,10 @@
- 	  #define L_ENDIAN
- 	#else
- 	  #define B_ENDIAN
- 	#endif	/* Usually big-endian but may be little-endian */
-+	#ifdef __LP64__
-+	  #undef SIXTY_FOUR_BIT
-+	  #define SIXTY_FOUR_BIT_LONG
-+	#endif
- 	#define BN_LLONG
- 	#define DES_RISC1
diff --git a/security/cryptlib/files/patch-makefile b/security/cryptlib/files/patch-makefile
index ed4afc3aa397..6f255e18d9d2 100644
--- a/security/cryptlib/files/patch-makefile
+++ b/security/cryptlib/files/patch-makefile
@@ -1,11 +1,11 @@
---- makefile.orig	2016-03-25 04:33:28.000000000 +0100
-+++ makefile	2017-01-12 10:10:40.481484000 +0100
-@@ -1626,7 +1626,7 @@
- 	@make $(DEFINES) CFLAGS="$(CFLAGS) -DUSE_ASM -fomit-frame-pointer -O3"
+--- makefile.orig	2021-09-10 22:27:18 UTC
++++ makefile
+@@ -1859,7 +1859,7 @@ BSD/OS:
+ 	$(MAKE) $(DEFINES) CFLAGS="$(CFLAGS) -fomit-frame-pointer -O3"
  
  FreeBSD:
--	make $(DEFINES) CFLAGS="$(CFLAGS) -fomit-frame-pointer -pthread"
-+	make $(DEFINES) CFLAGS="$(CFLAGS) %%CFLAGS%%"
+-	$(MAKE) $(DEFINES) CFLAGS="$(CFLAGS) -fomit-frame-pointer -pthread"
++	$(MAKE) $(DEFINES) CFLAGS="$(CFLAGS) -O2 -pipe  -DUSE_PKCS11 -fstack-protector-strong -fno-strict-aliasing "
  
  NetBSD:
- 	make $(DEFINES) CFLAGS="$(CFLAGS) -fomit-frame-pointer -pthread" 
+ 	$(MAKE) $(DEFINES) CFLAGS="$(CFLAGS) -fomit-frame-pointer -pthread"
diff --git a/security/cryptlib/files/patch-misc_os__detect.h b/security/cryptlib/files/patch-misc_os__detect.h
new file mode 100644
index 000000000000..835bc7c9a6c9
--- /dev/null
+++ b/security/cryptlib/files/patch-misc_os__detect.h
@@ -0,0 +1,11 @@
+--- misc/os_detect.h.orig	2023-03-20 10:08:54 UTC
++++ misc/os_detect.h
+@@ -629,7 +629,7 @@
+ 
+ #if defined( __WINDOWS__ ) || \
+ 	( defined( __UNIX__ ) && \
+-	  ( ( defined( sun ) && OSVERSION > 4 ) || defined( __linux__ ) || \
++	  ( ( defined( sun ) && OSVERSION > 4 ) || defined( __linux__ ) || defined( __FreeBSD__ ) || \
+ 		defined( _AIX ) || ( defined( __APPLE__ ) && !defined( __MAC__ ) ) ) ) || \
+ 	defined( __ANDROID__ )
+   #define DYNAMIC_LOAD
diff --git a/security/cryptlib/files/patch-misc_os__spec.h b/security/cryptlib/files/patch-misc_os__spec.h
new file mode 100644
index 000000000000..66d060b78bd7
--- /dev/null
+++ b/security/cryptlib/files/patch-misc_os__spec.h
@@ -0,0 +1,14 @@
+--- misc/os_spec.h.orig	2021-09-11 19:27:14 UTC
++++ misc/os_spec.h
+@@ -610,9 +610,8 @@ typedef int					BOOLEAN_INT;
+    variants, this presumably extends to SH5 as well so we treat va_lists on 
+    Super-H as scalars */
+ 
+-#if defined( __GNUC__ )
+-  #if( defined( __ARM_EABI__ ) && \
+-	   ( __GNUC__ == 4 && __GNUC_MINOR__ >= 4 ) || ( __GNUC__ > 4 ) )
++#if 1
++  #if defined( __ARM_EABI__ )
+ 	/* In theory we could check __ap but in practice it's too risky to rely 
+ 	   on the type and state of hidden internal fields, and in any case it's 
+ 	   only a sanity check, not a hard requirement, so we just no-op the 
diff --git a/security/cryptlib/files/patch-misc_os_spec.h b/security/cryptlib/files/patch-misc_os_spec.h
deleted file mode 100644
index 8d229ccc8a28..000000000000
--- a/security/cryptlib/files/patch-misc_os_spec.h
+++ /dev/null
@@ -1,23 +0,0 @@
---- misc/os_spec.h.orig	2016-03-25 02:49:10.000000000 +0100
-+++ misc/os_spec.h	2017-01-12 10:03:32.170180000 +0100
-@@ -761,9 +761,8 @@
-    variants, this presumably extends to SH5 as well so we treat va_lists on 
-    Super-H as scalars */
- 
--#if defined( __GNUC__ )
--  #if( defined( __ARM_EABI__ ) && \
--	   ( __GNUC__ == 4 && __GNUC_MINOR__ >= 4 ) || ( __GNUC__ > 4 ) )
-+#if 1
-+  #if defined( __ARM_EABI__ )
- 	/* In theory we could check __ap but in practice it's too risky to rely 
- 	   on the type and state of hidden internal fields, and in any case it's 
- 	   only a sanity check, not a hard requirement, so we just no-op the 
-@@ -839,7 +838,7 @@
- 
- #if defined( __WINDOWS__ ) || \
- 	( defined( __UNIX__ ) && \
--	  ( ( defined( sun ) && OSVERSION > 4 ) || defined( __linux__ ) || \
-+	  ( ( defined( sun ) && OSVERSION > 4 ) || defined( __linux__ ) || defined(__FreeBSD__) || \
- 		defined( _AIX ) || ( defined( __APPLE__ ) && !defined( __MAC__ ) ) ) ) || \
- 	defined( __ANDROID__ )
-   #define DYNAMIC_LOAD
diff --git a/security/cryptlib/files/patch-test_certs.c b/security/cryptlib/files/patch-test_certs.c
new file mode 100644
index 000000000000..8d9b05f4093c
--- /dev/null
+++ b/security/cryptlib/files/patch-test_certs.c
@@ -0,0 +1,11 @@
+--- test/certs.c.orig	2023-03-20 10:42:36 UTC
++++ test/certs.c
+@@ -52,7 +52,7 @@
+ #if defined( __MWERKS__ ) || defined( SYMANTEC_C ) || defined( __MRC__ )
+   #define CERTTIME_DATETEST	( ( ( 2021 - 1970 ) * ONE_YEAR_TIME ) + 2082844800L )
+ #else
+-  #define CERTTIME_DATETEST	( ( 2021 - 1970 ) * ONE_YEAR_TIME )
++  #define CERTTIME_DATETEST	( ( 2023 - 1970 ) * ONE_YEAR_TIME )
+ #endif /* Macintosh-specific weird epoch */
+ #if ( ULONG_MAX > 0xFFFFFFFFUL ) || defined( _M_X64 )
+   #define SYSTEM_64BIT
diff --git a/security/cryptlib/files/patch-tools_ccopts.sh b/security/cryptlib/files/patch-tools_ccopts.sh
index e1b43d127496..f0c1781caf8f 100644
--- a/security/cryptlib/files/patch-tools_ccopts.sh
+++ b/security/cryptlib/files/patch-tools_ccopts.sh
@@ -1,25 +1,34 @@
---- tools/ccopts.sh.orig	2010-12-19 00:57:12.000000000 +0100
-+++ tools/ccopts.sh	2011-03-04 15:33:54.000000000 +0100
-@@ -341,22 +341,6 @@ fi
- # in situations that also use shared libs, in the case of x86-64 the use
- # of PIC should have minimum overhead so it shouldn't be a big deal.
+--- tools/ccopts.sh.orig	2021-10-21 02:27:26 UTC
++++ tools/ccopts.sh
+@@ -892,31 +892,6 @@ fi
+ # a big deal.  As a convenient side-effect, this also enables the use of
+ # ASLR where it's supported.
  
--if [ "$ARCH" = "i586" -o "$ARCH" = "i686" -o "$ARCH" = "x86_64" ] ; then
--	if [ "$GCC_VER" -ge 30 ] ; then
+-if [ "$ARCH" = "i586" ] || [ "$ARCH" = "i686" ] || [ "$ARCH" = "x86_64" ] ; then
+-	if [ "$COMPILER_VER" -ge 45 ] ; then
+-		if [ $GENERICBUILD -gt 0 ] ; then
+-			echo "  (Enabling lowest-common-denominator build options for cross-platform library)." >&2 ;
+-		else
+-			CCARGS="$CCARGS -march=native -mtune=generic" ;
+-		fi
+-		if [ "$ARCH" = "x86_64" ] ; then
+-			CCARGS="$CCARGS -fPIC" ;
+-		fi ;
+-	elif [ "$COMPILER_VER" -ge 30 ] ; then
 -		case $ARCH in
 -			'x86_64')
 -				CCARGS="$CCARGS -march=opteron -fPIC" ;;
 -
 -			'i686')
 -				CCARGS="$CCARGS -march=pentiumpro" ;;
 -
 -			*)
 -				CCARGS="$CCARGS -march=pentium" ;;
 -		esac ;
 -	else
 -		CCARGS="$CCARGS -mcpu=pentium" ;
 -	fi ;
 -fi
  
  # gcc 4.x for 64-bit architectures has an optimiser bug that removes an
  # empty-list check in cryptlib's list-management code (this has been