Index: head/ftp/curl/Makefile
===================================================================
--- head/ftp/curl/Makefile	(revision 422011)
+++ head/ftp/curl/Makefile	(revision 422012)
@@ -1,192 +1,192 @@
 # Created by: Neil Blakey-Milner <nbm@rucus.ru.ac.za>
 # $FreeBSD$
 
 PORTNAME=	curl
 PORTVERSION=	7.50.1
 CATEGORIES=	ftp www
 MASTER_SITES=	http://curl.haxx.se/download/ \
 		LOCAL/sunpoet
 
 MAINTAINER?=	sunpoet@FreeBSD.org
 COMMENT?=	Non-interactive tool to get files from FTP, GOPHER, HTTP(S) servers
 
 LICENSE=	MIT
 LICENSE_FILE=	${WRKSRC}/COPYING
 
 OPTIONS_DEFINE=	CA_BUNDLE COOKIES CURL_DEBUG DEBUG DOCS EXAMPLES HTTP2 IDN IPV6 LDAP LDAPS LIBSSH2 METALINK PROXY PSL RTMP TLS_SRP
 OPTIONS_RADIO=	RESOLV SSL
 OPTIONS_SINGLE=	GSSAPI
 OPTIONS_RADIO_RESOLV=	CARES THREADED_RESOLVER
 OPTIONS_RADIO_SSL=	GNUTLS NSS OPENSSL POLARSSL WOLFSSL
 OPTIONS_SINGLE_GSSAPI=	GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT GSSAPI_NONE
 OPTIONS_DEFAULT=	CA_BUNDLE COOKIES OPENSSL PROXY RESOLV THREADED_RESOLVER TLS_SRP
 CA_BUNDLE_DESC=		Install CA bundle for OpenSSL
 CA_BUNDLE_IMPLIES=	OPENSSL
 COOKIES_DESC=		Cookies support
 CURL_DEBUG_DESC=	cURL debug memory tracking
 LDAPS_IMPLIES=		LDAP
 LIBSSH2_DESC=		SCP/SFTP support via libssh2
 LIBSSH2_IMPLIES=	OPENSSL
 RESOLV_DESC=		DNS resolving options
 THREADED_RESOLVER_DESC=	Threaded DNS resolver
 TLS_SRP_DESC=		TLS-SRP (Secure Remote Password) support
 
 .include <${.CURDIR}/../../Mk/bsd.default-versions.mk>
 
 .if ${SSL_DEFAULT} != base
 OPTIONS_DEFAULT+=	GSSAPI_NONE
 .else
 OPTIONS_DEFAULT+=	GSSAPI_BASE
 .endif
 
 CONFIGURE_ARGS+=--disable-werror \
 		--enable-imap --enable-pop3 --enable-rtsp --enable-smtp \
 		--with-zsh-functions-dir=${LOCALBASE}/share/zsh/site-functions \
 		--without-axtls
 CONFIGURE_ENV+=	LOCALBASE=${LOCALBASE} \
 		ac_cv_func_SSLv2_client_method=no
 GNU_CONFIGURE=	yes
 INSTALL_TARGET=	install-strip
 TEST_ENV=	${MAKE_ENV} LC_ALL=C
 TEST_TARGET=	test
 USE_PERL5=	build
 USES=		gmake libtool localbase pathfix perl5 shebangfix tar:lzma
 
 .if !defined(BUILDING_HIPHOP)
 USE_LDCONFIG=	yes
 USES+=		cpe
 
 PORTDOCS=	*
 PORTEXAMPLES=	*
 
 CPE_VENDOR=	haxx
 
 DOCS=		BINDINGS BUGS CODE_OF_CONDUCT.md CODE_STYLE.md CONTRIBUTE FAQ \
 		FEATURES HISTORY HTTP-COOKIES.md HTTP2.md INSTALL \
 		INSTALL.devcpp INTERNALS KNOWN_BUGS LICENSE-MIXING \
 		MAIL-ETIQUETTE MANUAL RELEASE-PROCEDURE RESOURCES ROADMAP.md \
 		SECURITY SSL-PROBLEMS SSLCERTS THANKS TODO \
 		TheArtOfHttpScripting VERSIONS curl-config.html \
 		curl-config.pdf curl.html curl.pdf index.html \
 		mk-ca-bundle.html mk-ca-bundle.pdf
 .endif
 
 SHEBANG_FILES=	*/*.pl
 
 SLAVEDIRS=	ftp/curl-hiphop
 
 CA_BUNDLE_CONFIGURE_OFF=--without-ca-bundle
 CA_BUNDLE_CONFIGURE_ON=	--with-ca-bundle=${LOCALBASE}/share/certs/ca-root-nss.crt
 CA_BUNDLE_RUN_DEPENDS=	${LOCALBASE}/share/certs/ca-root-nss.crt:security/ca_root_nss
 CARES_CONFIGURE_ENABLE=	ares
 CARES_LIB_DEPENDS=	libcares.so:dns/c-ares
 COOKIES_CONFIGURE_ENABLE=	cookies
 CURL_DEBUG_CONFIGURE_ENABLE=	curldebug
 DEBUG_CONFIGURE_ENABLE=	debug
 GNUTLS_CONFIGURE_WITH=	gnutls
 GNUTLS_LIB_DEPENDS=	libgnutls.so:security/gnutls
 GSSAPI_BASE_CONFIGURE_ON=	--with-gssapi=${GSSAPIBASEDIR} ${GSSAPI_CONFIGURE_ARGS}
 GSSAPI_BASE_CPPFLAGS=	${GSSAPICPPFLAGS}
 GSSAPI_BASE_LDFLAGS=	${GSSAPILDFLAGS}
 GSSAPI_BASE_LIBS=	${GSSAPILIBS}
 GSSAPI_BASE_USES=	gssapi
 GSSAPI_HEIMDAL_CONFIGURE_ON=	--with-gssapi=${GSSAPIBASEDIR} ${GSSAPI_CONFIGURE_ARGS}
 GSSAPI_HEIMDAL_CPPFLAGS=${GSSAPICPPFLAGS}
 GSSAPI_HEIMDAL_LDFLAGS=	${GSSAPILDFLAGS}
 GSSAPI_HEIMDAL_LIBS=	${GSSAPILIBS}
 GSSAPI_HEIMDAL_USES=	gssapi:heimdal
 GSSAPI_MIT_CONFIGURE_ON=--with-gssapi=${GSSAPIBASEDIR} ${GSSAPI_CONFIGURE_ARGS}
 GSSAPI_MIT_CPPFLAGS=	${GSSAPICPPFLAGS}
 GSSAPI_MIT_LDFLAGS=	${GSSAPILDFLAGS}
 GSSAPI_MIT_LIBS=	${GSSAPILIBS}
 GSSAPI_MIT_USES=	gssapi:mit
 GSSAPI_NONE_CONFIGURE_ON=	--without-gssapi
 HTTP2_BUILD_DEPENDS=	nghttp2>=1.0.0:www/nghttp2
 HTTP2_CONFIGURE_WITH=	nghttp2
 HTTP2_LIB_DEPENDS=	libnghttp2.so:www/nghttp2
 HTTP2_RUN_DEPENDS=	nghttp2>=1.0.0:www/nghttp2
 HTTP2_USES=		pkgconfig
 IDN_CONFIGURE_WITH=	libidn
 IDN_LIB_DEPENDS=	libidn.so:dns/libidn
 IPV6_CATEGORIES=	ipv6
 IPV6_CONFIGURE_ENABLE=	ipv6
 LDAP_CONFIGURE_ENABLE=	ldap
 LDAP_USE=		OPENLDAP=yes
 LDAPS_CONFIGURE_ENABLE=	ldaps
 LIBSSH2_CONFIGURE_WITH=	libssh2
 LIBSSH2_LIB_DEPENDS=	libssh2.so:security/libssh2
 METALINK_CONFIGURE_WITH=libmetalink
 METALINK_LIB_DEPENDS=	libmetalink.so:misc/libmetalink
 METALINK_LIBS=		-lcrypto
 NSS_CONFIGURE_WITH=	nss
 NSS_LIB_DEPENDS=	libnss3.so:security/nss
 NSS_USES=		pkgconfig
 OPENSSL_CONFIGURE_OFF=	--without-ssl
 OPENSSL_CONFIGURE_ON=	--with-ssl=${OPENSSLBASE}
 OPENSSL_CPPFLAGS=	-I${OPENSSLINC}
 OPENSSL_LDFLAGS=	-L${OPENSSLLIB}
 OPENSSL_USES=		ssl
 POLARSSL_CONFIGURE_WITH=polarssl
 POLARSSL_LIB_DEPENDS=	libmbedtls.so.9:security/polarssl13
 PROXY_CONFIGURE_ENABLE=	proxy
 PSL_CONFIGURE_WITH=	libpsl
 PSL_LIB_DEPENDS=	libpsl.so:dns/libpsl
 RTMP_CONFIGURE_WITH=	librtmp
 RTMP_LIB_DEPENDS=	librtmp.so:multimedia/librtmp
 RTMP_USES=		pkgconfig
 THREADED_RESOLVER_CONFIGURE_ENABLE=	threaded-resolver
 TLS_SRP_CONFIGURE_ENABLE=	tls-srp
 WOLFSSL_CONFIGURE_WITH=	cyassl
 WOLFSSL_LIB_DEPENDS=	libwolfssl.so:security/wolfssl
 
 .include <bsd.port.pre.mk>
 
 .if !${PORT_OPTIONS:MGNUTLS} && !${PORT_OPTIONS:MOPENSSL} && ${PORT_OPTIONS:MTLS_SRP}
 IGNORE=		only supports TLS-SRP with either OpenSSL or GnuTLS
 .endif
 
 .if ${PORT_OPTIONS:MLDAPS} && !${PORT_OPTIONS:MGNUTLS} && !${PORT_OPTIONS:MNSS} && !${PORT_OPTIONS:MOPENSSL} && !${PORT_OPTIONS:MPOLARSSL} && !${PORT_OPTIONS:MWOLFSSL}
 IGNORE=		only supports LDAPS with SSL
 .endif
 
 .if ${PORT_OPTIONS:MGSSAPI_BASE} && ${PORT_OPTIONS:MOPENSSL} && ${SSL_DEFAULT} != base
 IGNORE=		GSSAPI_BASE is not compatible with OpenSSL from ports. Use other GSSAPI options or OpenSSL from base system
 .endif
 
-.if ${SSL_DEFAULT} == libressl
+.if ${SSL_DEFAULT:Mlibressl*}
 .if ${PORT_OPTIONS:MGSSAPI_BASE} && ${PORT_OPTIONS:MOPENSSL}
 IGNORE=		GSSAPI_BASE is not compatible with LibreSSL. Use other GSSAPI options
 .endif
 .if ${PORT_OPTIONS:MTLS_SRP}
 IGNORE=		unsupported TLS-SRP in LibreSSL
 .endif
 .endif
 
 post-patch:
 	@${REINPLACE_CMD} -e '/^SUBDIRS = / s|$$| docs scripts|; /^DIST_SUBDIRS = / s| docs scripts||; /cd docs &&/d' ${WRKSRC}/Makefile.in
 	@${REINPLACE_CMD} -e 's|\(flags_dbg_off=\)".*"|\1""|; s|\(flags_opt_off=\)".*"|\1""|; s|lib/pkgconfig|libdata/pkgconfig|g' ${WRKSRC}/configure
 	@${REINPLACE_CMD} -e 's|include <gssapi.h>|include <gssapi/gssapi.h>|' ${WRKSRC}/lib/curl_gssapi.h ${WRKSRC}/lib/urldata.h
 
 .if !defined(BUILDING_HIPHOP)
 post-install:
 	${LN} -s libcurl.so.4 ${STAGEDIR}${PREFIX}/lib/libcurl.so.7
 	${INSTALL_DATA} ${WRKSRC}/docs/libcurl/libcurl.m4 ${STAGEDIR}${PREFIX}/share/aclocal/
 
 post-install-DOCS-on:
 	${MKDIR} ${STAGEDIR}${DOCSDIR}/ ${STAGEDIR}${DOCSDIR}/libcurl/
 	cd ${WRKSRC}/docs/ && ${INSTALL_DATA} ${DOCS} ${STAGEDIR}${DOCSDIR}/
 	cd ${WRKSRC}/docs/libcurl/ && ${INSTALL_DATA} ABI *.html *.m4 *.pdf ${STAGEDIR}${DOCSDIR}/libcurl/
 
 post-install-EXAMPLES-on:
 	${MKDIR} ${STAGEDIR}${EXAMPLESDIR}/
 	cd ${WRKSRC}/docs/examples/ && ${INSTALL_DATA} README Makefile.example makefile* *.c *.cpp ${STAGEDIR}${EXAMPLESDIR}/
 .endif
 
 pre-test-PROXY-off:
 	@${ECHO_MSG} "******************************************"
 	@${ECHO_MSG} "* You have disabled curl proxy support.  *"
 	@${ECHO_MSG} "* Some tests SHALL FAIL!                 *"
 	@${ECHO_MSG} "* This is being addressed.               *"
 	@${ECHO_MSG} "******************************************"
 
 .include <bsd.port.post.mk>
Index: head/security/softhsm2/Makefile
===================================================================
--- head/security/softhsm2/Makefile	(revision 422011)
+++ head/security/softhsm2/Makefile	(revision 422012)
@@ -1,47 +1,47 @@
 # Created by: Jaap Akkerhuis <jaap@NLnetLabs.nl>
 # $FreeBSD$
 
 PORTNAME=	softhsm
 PORTVERSION=	2.1.0
 CATEGORIES=	security
 MASTER_SITES=	http://dist.opendnssec.org/source/ \
 		http://dist.opendnssec.org/source/testing/
 PKGNAMESUFFIX=	2
 
 MAINTAINER=	jaap@NLnetLabs.nl
 COMMENT=	Software implementation of a Hardware Security Module (HSM)
 
 LICENSE=	BSD2CLAUSE
 
 LIB_DEPENDS=	libsqlite3.so:databases/sqlite3
 
 GNU_CONFIGURE=	yes
 CONFIGURE_ARGS=	--with-sqlite3=${LOCALBASE} --localstatedir="${PREFIX}/var"
 INSTALL_TARGET=	install-strip
 USES=		libtool sqlite
 
 CONFLICTS=	softhsm-1.*
 
 USE_LDCONFIG=	yes
 
 OPTIONS_SINGLE=		CRYP
 OPTIONS_SINGLE_CRYP=	CRYP_OPEN CRYP_BOTAN
 
 CRYP_OPEN_DESC=		Build with OpenSSL crypto library
 CRYP_BOTAN_DESC=	Build with Botan crypto library
 
 OPTIONS_DEFAULT=	CRYP_OPEN
 
 CRYP_BOTAN_CONFIGURE_ON=	--with-crypto-backend=botan
 CRYP_BOTAN_LIB_DEPENDS=	libbotan-1.10.so:security/botan110
 CRYP_OPEN_USE=		openssl=yes
 CRYP_OPEN_VARS=		WITH_OPENSSL_PORT=yes
 CRYP_OPEN_CONFIGURE_ON=	--with-crypto-backend=openssl
 
 .include <bsd.port.pre.mk>
 
-.if ${SSL_DEFAULT} == libressl
+.if ${SSL_DEFAULT:Mlibressl*}
 CONFIGURE_ARGS+=	--disable-gost
 .endif
 
 .include <bsd.port.post.mk>
Index: head/security/stunnel/Makefile
===================================================================
--- head/security/stunnel/Makefile	(revision 422011)
+++ head/security/stunnel/Makefile	(revision 422012)
@@ -1,120 +1,120 @@
 # Created by: Martti Kuparinen <martti.kuparinen@ericsson.com>
 # $FreeBSD$
 
 PORTNAME=	stunnel
 PORTVERSION=	5.35
 PORTREVISION=	1
 PORTEPOCH=	1
 CATEGORIES=	security
 MASTER_SITES=	https://www.stunnel.org/downloads/%SUBDIR%/ \
 		https://www.stunnel.org/downloads/beta/ \
 		http://mirrors.zerg.biz/stunnel/%SUBDIR%/ \
 		http://mirrors.go-part.com/stunnel/%SUBDIR%/ \
 		http://ftp.nluug.nl/pub/networking/stunnel/%SUBDIR%/ \
 		ftp://ftp.nluug.nl/pub/networking/stunnel/%SUBDIR%/ \
 		http://ftp.nluug.nl/pub/networking/stunnel/%SUBDIR%/ \
 		ftp://ftp.surfnet.nl/pub/networking/stunnel/%SUBDIR%/ \
 		http://ftp.surfnet.nl/pub/networking/stunnel/%SUBDIR%/ \
 		ftp://stunnel.mirt.net/stunnel/%SUBDIR%/ \
 		http://www.namesdir.com/mirrors/stunnel/%SUBDIR%/ \
 		http://stunnel.cybermirror.org/%SUBDIR%/ \
 		http://mirrors.zerg.biz/stunnel/%SUBDIR%/ \
 		http://mirrors.rit.edu/zi/
 
 MAINTAINER=	zi@FreeBSD.org
 COMMENT=	SSL encryption wrapper for standard network daemons
 
 # FIXME: IMHO, there really ought to be a GPL-2+ option or some such.
 LICENSE=	GPLv2 GPLv3
 LICENSE_COMB=	dual
 
 USES=		cpe libtool perl5 shebangfix ssl
 USE_PERL5=	build
 USE_LDCONFIG=	yes
 USE_RC_SUBR=	stunnel
 
 GNU_CONFIGURE=	yes
 CONFIGURE_ARGS=	--localstatedir=/var/tmp --enable-static --disable-systemd \
 		--with-ssl="${OPENSSLBASE}"
 SHEBANG_FILES=	src/stunnel3.in
 
 OPTIONS_DEFINE=			DOCS EXAMPLES FIPS IPV6 LIBWRAP
 OPTIONS_SINGLE=			THREAD
 OPTIONS_SINGLE_THREAD=		FORK PTHREAD UCONTEXT
 OPTIONS_DEFAULT=		PTHREAD
 
 FIPS_CONFIGURE_ENABLE=		fips
 IPV6_CONFIGURE_ENABLE=		ipv6
 LIBWRAP_CONFIGURE_ENABLE=	libwrap
 
 FIPS_DESC=			Enable OpenSSL FIPS mode
 FORK_DESC=			Use the fork(3) threading model
 PTHREAD_DESC=			Use the pthread(3) threading model
 UCONTEXT_DESC=			Use the ucontext(3) threading model
 
 STUNNEL_USER?=	stunnel
 STUNNEL_GROUP?=	stunnel
 
 USERS=		${STUNNEL_USER}
 GROUPS=		${STUNNEL_GROUP}
 
 .include <bsd.port.options.mk>
 
 .if ${PORT_OPTIONS:MLIBWRAP}
 LDFLAGS+=		-lwrap
 .endif
 
 .if ${PORT_OPTIONS:MUCONTEXT}
 CONFIGURE_ARGS+=--with-threads=ucontext
 LDFLAGS+=	-lpthread
 .elif ${PORT_OPTIONS:MFORK}
 CONFIGURE_ARGS+=--with-threads=fork
 .else
 CONFIGURE_ARGS+=--with-threads=pthread
 LDFLAGS+=	-lpthread
 .endif
 
 .include <bsd.port.pre.mk>
 
-.if ${PORT_OPTIONS:MFIPS} && ${SSL_DEFAULT} == libressl
+.if ${PORT_OPTIONS:MFIPS} && ${SSL_DEFAULT:Mlibressl*}
 IGNORE=		LibreSSL does not support FIPS standard
 .endif
 
-.if ${SSL_DEFAULT} == libressl
+.if ${SSL_DEFAULT:Mlibressl*}
 NO_PACKAGE=	The stunnel license restricts distribution when linked to non-OpenSSL non-base SSL-libraries
 .endif
 
 post-patch:
 # place files under /var/tmp so that this can be run by an unprivileged
 # user stunnel and group stunnel
 	@${REINPLACE_CMD} -E -e 's|\@prefix\@/var/lib/stunnel/|/var/tmp/stunnel|; \
 		s|nobody|stunnel|;s|nogroup|stunnel|' \
 		${WRKSRC}/tools/stunnel.conf-sample.in
 	@${REINPLACE_CMD} -E -e 's|\$$\(prefix\)/var/run/stunnel/stunnel.pid|$$(localstatedir)/stunnel.pid|' \
 		${WRKSRC}/src/Makefile.in
 	@${FIND} ${WRKSRC} -type f -name Makefile.in | ${XARGS} ${REINPLACE_CMD} -E -e 's,@(ACLOCAL|AUTO(MAKE|CONF|HEADER))@,/usr/bin/true,'
 	@${REINPLACE_CMD} -E -e 's|install-confDATA install-data-local|install-confDATA|g' \
 		${WRKSRC}/tools/Makefile.in
 .if empty(PORT_OPTIONS:MDOCS)
 	@${REINPLACE_CMD} -E -e 's/ install-docDATA/ /' ${WRKSRC}/Makefile.in
 	@${REINPLACE_CMD} -E -e '/install-data-am/s,install-docDATA,,' ${WRKSRC}/doc/Makefile.in
 .endif
 .if empty(PORT_OPTIONS:MEXAMPLES)
 	@${REINPLACE_CMD} -E -e 's/([^n])install-examplesDATA/\1/' \
 		${WRKSRC}/tools/Makefile.in
 .else
 	@${REINPLACE_CMD} -E -e 's|\$$\(docdir\)/examples|${EXAMPLESDIR}|g' ${WRKSRC}/tools/Makefile.in
 .endif
 
 post-build:
 	@${STRIP_CMD} ${WRKSRC}/src/.libs/libstunnel.so
 
 cert:
 	@${ECHO} ""
 	@${ECHO} "**************************************************************************"
 	@${ECHO} "The new certificate will be saved into ${ETCDIR}/stunnel.pem"
 	@${ECHO} "**************************************************************************"
 	@${ECHO} ""
 	@(cd ${WRKSRC}/tools/; make install-data-local)
 
 .include <bsd.port.post.mk>