diff --git a/security/xmlsec1/Makefile b/security/xmlsec1/Makefile
index b2b5f767e408..c758c3315b0f 100644
--- a/security/xmlsec1/Makefile
+++ b/security/xmlsec1/Makefile
@@ -40,10 +40,14 @@ OPTIONS_SUB=	yes
 
 DOCS_MAKE_ENV=		DOCS=docs
 GNUTLS_DESC=		Enable GNUTLS support
-GNUTLS_CONFIGURE_WITH=	gnutls="${LOCALBASE}"
+GNUTLS_CONFIGURE_ON=	--with-gnutls="${LOCALBASE}"
+GNUTLS_CONFIGURE_OFF=	--without-gnutls
 GNUTLS_LIB_DEPENDS=	libgnutls.so:security/gnutls
 NSS_DESC=		Enable Mozilla's NSS support
-NSS_CONFIGURE_WITH=	nss="${LOCALBASE}" nspr="${LOCALBASE}"
+NSS_CONFIGURE_ON=	--with-nss="${LOCALBASE}" \
+			--with-nspr="${LOCALBASE}"
+NSS_CONFIGURE_OFF=	--without-nss \
+			--without-nspr
 NSS_LIB_DEPENDS=	libnss3.so:security/nss \
 			libnspr4.so:devel/nspr \
 			libplds4.so:devel/nspr \
@@ -53,42 +57,16 @@ NSS_LIB_DEPENDS=	libnss3.so:security/nss \
 MAKE_ARGS+=	-EABS_BUILDDIR
 .endif
 
-.include <bsd.port.options.mk>
-
-# avoid --without-opt=PATH constructs
-CONFIGURE_ARGS:=${CONFIGURE_ARGS:C/without-([a-z]*)=.*/without-\1/}
-
-post-patch:
-	@${REINPLACE_CMD} -e 's|src apps man docs|src apps man \$${DOCS}|g' \
-	    -e 's|^confexecdir =.*$$|confexecdir = \$$(sysconfdir)|g' \
-	    -e 's|/tmp/\*\.log|${WRKSRC}/*.log|g' \
-		${WRKSRC}/Makefile.in
-	@${REINPLACE_CMD} \
-	    -e '/^XMLSEC_SHLIBSFX="/s|"[^"]*"|".so"|' \
-	    -e 's|openssl_exlibs=-ldl|openssl_exlibs=|' \
-	    -e 's|-ldl"|"|' \
-	    -e 's,with_nss/include,with_nss/include/nss/nss,' \
-	    -e 's,with_nss/lib,with_nss/lib/nss,g' \
-	    -e 's,\(CPPFLAGS="\$$NSS_CFLAGS\),\1 $$NSPR_CFLAGS,' \
-	    -e '/XMLSEC_CRYPTO_LIST=.*openssl/s,$$,\; CPPFLAGS="$$CPPFLAGS $$OPENSSL_CFLAGS",' \
-	    -e 's,\(-lplc4\)",\1 -lpthread",' \
-	    -e '/ test /s, == , = ,' \
-		${WRKSRC}/${CONFIGURE_SCRIPT}
-	@${REINPLACE_CMD} \
-	    -e 's,total_time.*/ 1000),total_time*1000/CLOCKS_PER_SEC,' \
-		${WRKSRC}/apps/xmlsec.c
-	@${REINPLACE_CMD} -e 's,\\\\\\,\\,g' ${WRKSRC}/*.pc.in
-.if ${PORT_OPTIONS:MGNUTLS}
+post-patch-GNUTLS-on:
 # Don't rely on broken autodetection
 	@${REINPLACE_CMD} -e '/^GNUTLS_FOUND/s/no/yes/' \
 	    -e '/^GNUTLS_LIBS=/s,"","-L${LOCALBASE}/lib -lgnutls",' \
 		${WRKSRC}/${CONFIGURE_SCRIPT}
-.endif
-.if ${PORT_OPTIONS:MNSS}
+
+post-patch-NSS-on:
 # Makeing the xmlsec1 executable multi-threaded to let load -lnss,
 # when needed.
 	@${REINPLACE_CMD} -e 's,^\(xmlsec1_LDADD = \)\\$$,\1 -L${LOCALBASE}/lib -lpthread\\,' \
 		${WRKSRC}/apps/Makefile.in
-.endif
 
 .include <bsd.port.mk>
diff --git a/security/xmlsec1/files/patch-Makefile.in b/security/xmlsec1/files/patch-Makefile.in
new file mode 100644
index 000000000000..746f880e0720
--- /dev/null
+++ b/security/xmlsec1/files/patch-Makefile.in
@@ -0,0 +1,18 @@
+--- Makefile.in.orig	2017-01-05 17:38:02.402682000 +0900
++++ Makefile.in	2017-01-05 17:39:12.079701000 +0900
+@@ -468,13 +468,13 @@
+ top_srcdir = @top_srcdir@
+ NULL = 
+ SAFE_VERSION = @XMLSEC_VERSION_SAFE@
+-SUBDIRS = include src apps man docs
++SUBDIRS = include src apps man ${DOCS}
+ TEST_APP = apps/xmlsec1$(EXEEXT)
+ DEFAULT_CRYPTO = @XMLSEC_DEFAULT_CRYPTO@
+ bin_SCRIPTS = xmlsec1-config
+ pkgconfig_DATA = xmlsec1.pc @XMLSEC_CRYPTO_PC_FILES_LIST@
+ pkgconfigdir = $(prefix)/libdata/pkgconfig
+-confexecdir = $(libdir)
++confexecdir = $(sysconfdir)
+ confexec_DATA = xmlsec1Conf.sh
+ m4datadir = $(datadir)/aclocal
+ m4data_DATA = xmlsec1.m4
diff --git a/security/xmlsec1/files/patch-configure b/security/xmlsec1/files/patch-configure
new file mode 100644
index 000000000000..d99faf24bdcf
--- /dev/null
+++ b/security/xmlsec1/files/patch-configure
@@ -0,0 +1,93 @@
+--- configure.orig	2016-10-17 07:49:05.000000000 +0900
++++ configure	2017-01-05 18:09:44.486857000 +0900
+@@ -12141,7 +12141,7 @@
+ 
+ 
+ 
+-if test "z$RM" == "z" ; then
++if test "z$RM" = "z" ; then
+     # Extract the first word of "rm", so it can be a program name with args.
+ set dummy rm; ac_word=$2
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+@@ -13143,7 +13143,7 @@
+ fi
+ 
+ 
+-if test "z$shrext" == "z" ; then
++if test "z$shrext" = "z" ; then
+     shrext=$shrext_cmds
+ fi
+ 
+@@ -13858,6 +13858,7 @@
+ 	*-*-osf5*) openssl_exlibs=;;
+ 	*-*-openbsd*) openssl_exlibs=;;
+ 	*-*-netbsd*) openssl_exlibs=;;
++	*-*-freebsd*) openssl_exlibs=;;
+ 	#FIXME: check if lib "dl" is required
+ 	*)          openssl_exlibs=-ldl;;
+     esac
+@@ -14189,9 +14190,9 @@
+     for dir in $ac_openssl_lib_dir ; do
+ 	if test -f $dir/libcrypto.a ; then
+ 	    	    if test "z$dir" = "z/usr/lib" ; then
+-		OPENSSL_LIBS="-lcrypto -ldl"
++		OPENSSL_LIBS="-lcrypto"
+ 	    else
+-		OPENSSL_LIBS="-L$dir -lcrypto -ldl"
++		OPENSSL_LIBS="-L$dir -lcrypto "
+ 	    fi
+ 	    OPENSSL_LIBS_FOUND="yes"
+ 	    ac_found_openssl_lib_dir=$dir
+@@ -14240,7 +14241,7 @@
+ /* end confdefs.h.  */
+ 
+     	    #include <openssl/opensslv.h>
+-	    #if OPENSSL_VERSION_NUMBER >= 0x10000000L
++	    #if OPENSSL_VERSION_NUMBER >= 0x10000000L || defined(LIBRESSL_VERSION_NUMBER)
+ 		yes
+ 	    #endif
+ 
+@@ -14330,12 +14331,12 @@
+     	OPENSSL_CFLAGS="$OPENSSL_CFLAGS -DXMLSEC_OPENSSL_110=1"
+     fi
+     OPENSSL_CFLAGS="$OPENSSL_CFLAGS -DXMLSEC_CRYPTO_OPENSSL=1"
+-    XMLSEC_CRYPTO_LIST="$XMLSEC_CRYPTO_LIST openssl"
++    XMLSEC_CRYPTO_LIST="$XMLSEC_CRYPTO_LIST openssl"; CPPFLAGS="$CPPFLAGS $OPENSSL_CFLAGS"
+ else
+     XMLSEC_CRYPTO_DISABLED_LIST="$XMLSEC_CRYPTO_DISABLED_LIST openssl"
+ fi
+ 
+- if test "z$XMLSEC_NO_OPENSSL" == "z1"; then
++ if test "z$XMLSEC_NO_OPENSSL" = "z1"; then
+   XMLSEC_NO_OPENSSL_TRUE=
+   XMLSEC_NO_OPENSSL_FALSE='#'
+ else
+@@ -14357,7 +14358,7 @@
+ NSS_CFLAGS=""
+ NSS_LIBS=""
+ NSS_LIBS_LIST="-lnss3 -lsmime3"
+-NSPR_LIBS_LIST="-lnspr4 -lplds4 -lplc4"
++NSPR_LIBS_LIST="-lnspr4 -lplds4 -lplc4 -lpthread"
+ NSS_CRYPTO_LIB="$XMLSEC_PACKAGE-nss"
+ NSS_FOUND="no"
+ NSPR_PACKAGE=mozilla-nspr
+@@ -14792,15 +14793,15 @@
+     NSS_NSS_H=""
+ 
+     if test "z$with_nss" != "z" ; then
+-	NSS_CFLAGS="$NSS_CFLAGS -I$with_nss/include -I$with_nss/include/nss"
++	NSS_CFLAGS="$NSS_CFLAGS -I$with_nss/include/nss/nss -I$with_nss/include/nss"
+ 	if test "z$with_gnu_ld" = "zyes" ; then
+-	    NSS_LIBS="$NSS_LIBS -Wl,-rpath-link -Wl,$with_nss/lib -L$with_nss/lib $NSS_LIBS_LIST"
++	    NSS_LIBS="$NSS_LIBS -Wl,-rpath-link -Wl,$with_nss/lib/nss -L$with_nss/lib/nss $NSS_LIBS_LIST"
+         else
+-	    NSS_LIBS="$NSS_LIBS -L$with_nss/lib $NSS_LIBS_LIST"
++	    NSS_LIBS="$NSS_LIBS -L$with_nss/lib/nss $NSS_LIBS_LIST"
+         fi
+ 	NSS_INCLUDES_FOUND="yes"
+ 	NSS_LIBS_FOUND="yes"
+-	NSS_NSS_H="$with_nss/include/nss.h"
++	NSS_NSS_H="$with_nss/include/nss/nss/nss.h"
+     else
+ 	for dir in $ac_nss_inc_dir ; do
+ 	    if test -f $dir/nss/nss.h ; then
diff --git a/security/xmlsec1/files/patch-src-openssl-app.c b/security/xmlsec1/files/patch-src-openssl-app.c
new file mode 100644
index 000000000000..e60470446e93
--- /dev/null
+++ b/security/xmlsec1/files/patch-src-openssl-app.c
@@ -0,0 +1,20 @@
+--- src/openssl/app.c.orig	2017-01-05 18:07:26.936917000 +0900
++++ src/openssl/app.c	2017-01-05 18:08:34.388575000 +0900
+@@ -61,7 +61,7 @@
+ int
+ xmlSecOpenSSLAppInit(const char* config) {
+     
+-#if (OPENSSL_VERSION_NUMBER < 0x10100000)
++#if !defined(XMLSEC_OPENSSL_110)
+     ERR_load_crypto_strings();
+     OPENSSL_config(NULL);
+     OpenSSL_add_all_algorithms();
+@@ -119,7 +119,7 @@
+ xmlSecOpenSSLAppShutdown(void) {
+     xmlSecOpenSSLAppSaveRANDFile(NULL);
+ 
+-#if (OPENSSL_VERSION_NUMBER < 0x10100000)
++#if !defined(XMLSEC_OPENSSL_110)
+     RAND_cleanup();
+     EVP_cleanup();
+