diff --git a/security/sslsplit/Makefile b/security/sslsplit/Makefile
new file mode 100644
index 00000000000..e756fc3f951
--- /dev/null
+++ b/security/sslsplit/Makefile
@@ -0,0 +1,32 @@
+# $OpenBSD: Makefile,v 1.1.1.1 2013/11/28 16:49:10 sthen Exp $
+
+COMMENT= transparent and scalable SSL/TLS interception
+
+DISTNAME= sslsplit-0.4.7
+EXTRACT_SUFX= .tar.bz2
+
+CATEGORIES= security
+
+HOMEPAGE= https://www.roe.ch/SSLsplit/
+
+MAINTAINER= Stuart Henderson
+
+# SSLsplit: BSD, khash.h (header-based library): MIT
+PERMIT_PACKAGE_CDROM= Yes
+
+WANTLIB += c crypto event_core event_extra event_openssl event_pthreads
+WANTLIB += pthread ssl
+
+MASTER_SITES= https://mirror.roe.ch/rel/sslsplit/
+
+LIB_DEPENDS= devel/libevent2
+# following is expected with MALLOC_FLAGS J:
+# "cert.t.c:66:F:cert_refcount_inc:cert_refcount_inc_01:0: refcount mismatch"
+# the test deliberately does a use-after-free
+TEST_DEPENDS= devel/check
+
+USE_GMAKE= Yes
+
+MAKE_FILE= GNUmakefile
+
+.include
diff --git a/security/sslsplit/distinfo b/security/sslsplit/distinfo
new file mode 100644
index 00000000000..397fb73a9e5
--- /dev/null
+++ b/security/sslsplit/distinfo
@@ -0,0 +1,2 @@
+SHA256 (sslsplit-0.4.7.tar.bz2) = fnW3PtAm2cd2z5Oh1+1a0keXPDzpSmszZ/R096VhF9s=
+SIZE (sslsplit-0.4.7.tar.bz2) = 73686
diff --git a/security/sslsplit/patches/patch-GNUmakefile b/security/sslsplit/patches/patch-GNUmakefile
new file mode 100644
index 00000000000..a7b58189e25
--- /dev/null
+++ b/security/sslsplit/patches/patch-GNUmakefile
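Review bot: The last added line `.include` has no argument as shown, and `MAINTAINER= Stuart Henderson` carries no address; presumably `<bsd.port.mk>` and the bracketed e-mail were lost when angle brackets were stripped in rendering rather than missing from the commit, but the committed file should be confirmed to end with `.include <bsd.port.mk>`, since without it none of the port framework is pulled in. The comment block above TEST_DEPENDS reads as if the cert_refcount_inc_01 failure is always expected; saying under which conditions the suite is expected to be clean, e.g. `# the check-based test suite passes with default malloc settings; with MALLOC_FLAGS=J it reports:` ahead of the quoted failure line, would tell the next updater what a healthy run looks like.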
@@ -0,0 +1,23 @@
+$OpenBSD: patch-GNUmakefile,v 1.1.1.1 2013/11/28 16:49:10 sthen Exp $
+
+enable HAVE_IPFW for divert-to
+
+--- GNUmakefile.orig Tue Jul 2 15:06:16 2013
++++ GNUmakefile Thu Nov 28 15:22:53 2013
+@@ -46,6 +46,7 @@ DEBUG_CFLAGS?= -g
+ # Autodetect pf
+ ifneq ($(wildcard /usr/include/net/pfvar.h),)
+ FEATURES+= -DHAVE_PF
++FEATURES+= -DHAVE_IPFW
+ endif
+ 
+ # Autodetect ipfw
+@@ -292,7 +293,7 @@ install: $(TARGET)
+ test -d $(PREFIX)/share/man/man1 || \
+ $(MKDIR) -p $(PREFIX)/share/man/man1
+ $(INSTALL) -o 0 -g 0 -m 0755 $(TARGET) $(PREFIX)/bin/
+- $(INSTALL) -o 0 -g 0 -m 0644 $(TARGET).1 $(PREFIX)/share/man/man1/
++ $(INSTALL) -o 0 -g 0 -m 0644 $(TARGET).1 $(PREFIX)/man/man1/
+ 
+ deinstall:
+ $(RM) -f $(PREFIX)/bin/$(TARGET) $(PREFIX)/share/man/man1/$(TARGET).1
diff --git a/security/sslsplit/patches/patch-main_c b/security/sslsplit/patches/patch-main_c
new file mode 100644
index 00000000000..274ff79e1fa
--- /dev/null
+++ b/security/sslsplit/patches/patch-main_c
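Review bot: The install rule now copies the man page to `$(PREFIX)/man/man1/`, but the two context lines just above still test for and create `$(PREFIX)/share/man/man1`, and the `deinstall` target at the end of the hunk still removes `$(PREFIX)/share/man/man1/$(TARGET).1`, so a plain `gmake install` outside the ports fake tree writes into a directory the rule never created and `deinstall` leaves the page behind. Patching those lines to match, `test -d $(PREFIX)/man/man1 || \`, `$(MKDIR) -p $(PREFIX)/man/man1` and `$(RM) -f $(PREFIX)/bin/$(TARGET) $(PREFIX)/man/man1/$(TARGET).1`, keeps install and deinstall in step. In the first hunk, `-DHAVE_IPFW` is added inside the pf autodetect block, and the only explanation is the patch header "enable HAVE_IPFW for divert-to"; extending it to `enable HAVE_IPFW for divert-to (pf divert sockets are driven by the ipfw engine code)`, which is what the accompanying man page patch states, would spare the next updater a trip through the source. The install and deinstall targets continue outside the hunk.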
@@ -0,0 +1,21 @@
+$OpenBSD: patch-main_c,v 1.1.1.1 2013/11/28 16:49:10 sthen Exp $
+--- main.c.orig Thu Nov 28 15:30:57 2013
++++ main.c Thu Nov 28 15:31:07 2013
+@@ -128,7 +128,7 @@ main_usage(void)
+ " -s ciphers use the given OpenSSL cipher suite spec (default: ALL:-aNULL)\n"
+ " -e engine specify default NAT engine to use (default: %s)\n"
+ " -E list available NAT engines and exit\n"
+-" -u user drop privileges to user (default if run as root: nobody)\n"
++" -u user drop privileges to user (default if run as root: _sslsplit)\n"
+ " -j jaildir chroot() to jaildir (default if run as root: /var/empty)\n"
+ " -p pidfile write pid to pidfile (default: no pid file)\n"
+ " -l logfile connect log: log one line summary per connection to logfile\n"
+@@ -522,7 +522,7 @@ main(int argc, char *argv[])
+ }
+ if (!opts->dropuser && !geteuid() && !getuid() &&
+ !opts->contentlogdir) {
+- opts->dropuser = strdup("nobody");
++ opts->dropuser = strdup("_sslsplit");
+ }
+ if (opts_has_ssl_spec(opts) && opts->cakey && !opts->key) {
+ opts->key = ssl_key_genrsa(1024);
diff --git a/security/sslsplit/patches/patch-sslsplit_1 b/security/sslsplit/patches/patch-sslsplit_1
new file mode 100644
index 00000000000..2b9105b8c25
--- /dev/null
+++ b/security/sslsplit/patches/patch-sslsplit_1
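Review bot: Unlike patch-GNUmakefile, this patch has no comment after the `$OpenBSD$` header saying why the default privilege-drop user moves from `nobody` to `_sslsplit`; the new default presumably only works when the `_sslsplit` account created by pkg/PLIST exists, so a line such as `drop privileges to the dedicated _sslsplit user created by the package instead of nobody` would make that dependency explicit for anyone building from source. The condition `!opts->dropuser && !geteuid() && !getuid() && !opts->contentlogdir` is untouched and still means a root run with a content log directory keeps root unless `-u` is given; that is upstream behaviour rather than something this patch introduces, but the usage text edited here is where a user would look for it. The context line `opts->key = ssl_key_genrsa(1024);` is likewise upstream code outside this patch's scope. Both main_usage() and main() continue outside the hunks.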
@@ -0,0 +1,73 @@
+$OpenBSD: patch-sslsplit_1,v 1.1.1.1 2013/11/28 16:49:10 sthen Exp $
+--- sslsplit.1.orig Tue Jul 2 15:06:16 2013
++++ sslsplit.1 Thu Nov 28 15:49:43 2013
+@@ -231,7 +231,7 @@ Drop privileges after opening sockets and files by set
+ effective and stored user IDs to \fIuser\fP and loading the appropriate
+ primary and ancillary groups. If \fB-u\fP is not given, SSLsplit will drop
+ privileges to the stored UID if EUID != UID (setuid bit scenario), or to
+-\fBnobody\fP if running with full \fBroot\fP privileges (EUID == UID == 0)
++\fB_sslsplit\fP if running with full \fBroot\fP privileges (EUID == UID == 0)
+ and \fB-S\fP is not used.
+ .TP
+ .B \-V
+@@ -291,26 +291,29 @@ than the NAT rules redirecting the actual connections.
+ SSLsplit currently supports the following NAT engines:
+ .TP
+ .B pf
+-OpenBSD packet filter (pf), also available on FreeBSD and NetBSD.
+-Fully supported, including IPv6.
++OpenBSD packet filter (pf), using NAT redirects (rdr-to), also available
++on FreeBSD and NetBSD.
++Fully supported, including IPv6, but note that divert sockets (divert-to)
++are preferred (see the ipfw NAT engine).
+ Assuming inbound interface \fBem0\fP:
+ .LP
+ .RS
+ .nf
+-\fBrdr pass on em0 proto tcp from 2001:db8::/64 to any port 80 \\
+- -> ::1 port 10080\fP
+-\fBrdr pass on em0 proto tcp from 2001:db8::/64 to any port 443 \\
+- -> ::1 port 10443\fP
+-\fBrdr pass on em0 proto tcp from 192.0.2.0/24 to any port 80 \\
+- -> 127.0.0.1 port 10080\fP
+-\fBrdr pass on em0 proto tcp from 192.0.2.0/24 to any port 443 \\
+- -> 127.0.0.1 port 10443\fP
++\fBpass in quick on em0 proto tcp from 2001:db8::/64 to any port 80 \\
++ rdr-to ::1 port 10080\fP
++\fBpass in quick on em0 proto tcp from 2001:db8::/64 to any port 443 \\
++ rdr-to ::1 port 10443\fP
++\fBpass in quick on em0 proto tcp from 192.0.2.0/24 to any port 80 \\
++ rdr-to 127.0.0.1 port 10080\fP
++\fBpass in quick on em0 proto tcp from 192.0.2.0/24 to any port 443 \\
++ rdr-to 127.0.0.1 port 10443\fP
+ .fi
+ .RE
+ .TP
+ .B ipfw
+ FreeBSD IP firewall (IPFW), also available on Mac OS X.
+-Fully supported on FreeBSD, including IPv6.
++Also OpenBSD packet filter (pf), using divert-to.
++Fully supported on FreeBSD and OpenBSD, including IPv6.
+ Only supports IPv4 on Mac OS X due to the ancient version of IPFW included.
+ .LP
+ .RS
+@@ -319,6 +322,19 @@ Only supports IPv4 on Mac OS X due to the ancient vers
+ \fBipfw add fwd ::1,10443 tcp from 2001:db8::/64 to any 443\fP
+ \fBipfw add fwd 127.0.0.1,10080 tcp from 192.0.2.0/24 to any 80\fP
+ \fBipfw add fwd 127.0.0.1,10443 tcp from 192.0.2.0/24 to any 443\fP
++.fi
++.RE
++.LP
++.RS
++.nf
++\fBpass in quick on em0 proto tcp from 2001:db8::/64 to any port 80 \\
++ divert-to ::1 port 10080\fP
++\fBpass in quick on em0 proto tcp from 2001:db8::/64 to any port 443 \\
++ divert-to ::1 port 10443\fP
++\fBpass in quick on em0 proto tcp from 192.0.2.0/24 to any port 80 \\
++ divert-to 127.0.0.1 port 10080\fP
++\fBpass in quick on em0 proto tcp from 192.0.2.0/24 to any port 443 \\
++ divert-to 127.0.0.1 port 10443\fP
+ .fi
+ .RE
+ .TP
diff --git a/security/sslsplit/pkg/DESCR b/security/sslsplit/pkg/DESCR
new file mode 100644
index 00000000000..66870c7411d
--- /dev/null
+++ b/security/sslsplit/pkg/DESCR
@@ -0,0 +1,20 @@
+SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS
+encrypted network connections. Connections are transparently intercepted
+through a firewall/network address translation engine and redirected to
+SSLsplit.
+
+SSLsplit terminates SSL/TLS and initiates a new SSL/TLS connection to
+the original destination address, while logging all data transmitted.
+SSLsplit is intended to be useful for network forensics and penetration
+testing.
+
+SSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections over
+both IPv4 and IPv6. For SSL and HTTPS connections, SSLsplit generates
+and signs forged X509v3 certificates on-the-fly, based on the original
+server certificate subject DN and subjectAltName extension. SSLsplit
+fully supports Server Name Indication (SNI) and is able to work with
+RSA, DSA and ECDSA keys and DHE and ECDHE cipher suites. SSLsplit can
+also use existing certificates of which the private key is available,
+instead of generating forged ones. SSLsplit supports NULL-prefix CN
+certificates and can deny OCSP requests in a generic way. SSLsplit
+removes HPKP response headers in order to prevent public key pinning.
diff --git a/security/sslsplit/pkg/PLIST b/security/sslsplit/pkg/PLIST
new file mode 100644
index 00000000000..c765cdf8bd4
--- /dev/null
+++ b/security/sslsplit/pkg/PLIST
@@ -0,0 +1,4 @@
+@comment $OpenBSD: PLIST,v 1.1.1.1 2013/11/28 16:49:10 sthen Exp $
+@newuser _sslsplit:727:_sslsplit:daemon:sslsplit:/nonexistent:/sbin/nologin
+@bin bin/sslsplit
+@man man/man1/sslsplit.1
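Review bot: `@newuser _sslsplit:727:_sslsplit:daemon:sslsplit:/nonexistent:/sbin/nologin` fixes uid/gid 727 for the new account, and in the OpenBSD ports tree such numbers also have to be reserved in infrastructure/db/user.list so no other port claims them; that file is not part of the diff as shown, so confirm it was updated in the same commit. The account is created with home `/nonexistent` and shell `/sbin/nologin`, which is the right shape for a privilege-separation user that is only ever reached via the program's own privilege drop. The same user name is hard-coded as the default in patches/patch-main_c, so the two must be changed together if the name is ever revised.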