diff --git a/security/testssl.sh/Makefile b/security/testssl.sh/Makefile
index ed41867a525d..fcc86c2d296f 100644
--- a/security/testssl.sh/Makefile
+++ b/security/testssl.sh/Makefile
@@ -1,44 +1,46 @@
 PORTNAME= testssl.sh
 DISTVERSIONPREFIX= v
-DISTVERSION= 3.0.9
+DISTVERSION= 3.2.0
 CATEGORIES= security
 MAINTAINER= adamw@FreeBSD.org
 COMMENT= Analyze and report TLS/SSL configuration/misconfiguration
 WWW= https://github.com/testssl/testssl.sh
 LICENSE= GPLv2
 LICENSE_FILE= ${WRKSRC}/LICENSE
 RUN_DEPENDS= openssl-unsafe>=1.0.1:security/openssl-unsafe \
 bash:shells/bash
 TEST_DEPENDS= p5-JSON>=0:converters/p5-JSON
-USES= perl5 shebangfix
+USES= perl5 shebangfix ssl
 USE_GITHUB= yes
 GH_ACCOUNT= testssl
 SHEBANG_FILES= testssl.sh utils/*
+SUB_LIST+= OPENSSLBASE="${OPENSSLBASE}"
 USE_PERL5= test
 TEST_ENV= TESTSSL_INSTALL_DIR=${WRKSRC}
 NO_ARCH= yes
 NO_BUILD= yes
 post-patch:
 ${REINPLACE_CMD} -e 's|%%PREFIX%%|${PREFIX}|; s|%%DATADIR%%|${DATADIR}|' \
 ${WRKSRC}/testssl.sh
 do-install:
 ${INSTALL_SCRIPT} ${WRKSRC}/testssl.sh ${STAGEDIR}${PREFIX}/bin
 ${INSTALL_MAN} ${WRKSRC}/doc/testssl.1 ${STAGEDIR}${PREFIX}/share/man/man1
 cd ${WRKSRC} && ${COPYTREE_SHARE} "etc utils" ${STAGEDIR}${DATADIR}
 do-test:
 # Run the badssl.com test as a sanity check. The full test suite
 # opens too many network connections and might take too long to
 # run.
 cd ${WRKSRC} && ${SETENV} ${TEST_ENV} prove -v t/51_badssl.com.t
-.include
+.include
+.include
diff --git a/security/testssl.sh/distinfo b/security/testssl.sh/distinfo
index af2c8757b2c1..8da804c605af 100644
--- a/security/testssl.sh/distinfo
+++ b/security/testssl.sh/distinfo
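Review bot: The added `SUB_LIST+= OPENSSLBASE="${OPENSSLBASE}"` line does not reach testssl.sh as far as this diff shows: SUB_LIST only feeds SUB_FILES substitution, no SUB_FILES is declared here, and the post-patch REINPLACE_CMD (unchanged context in this hunk) still rewrites only %%PREFIX%% and %%DATADIR%%. The regenerated files/patch-testssl.sh introduces a `%%OPENSSLBASE%%` placeholder in the OPENSSL2 default, so unless a substitution I cannot see happens elsewhere, the installed script will look for a literal `%%OPENSSLBASE%%/bin/openssl` and the modern-OpenSSL (TLS 1.3-capable) fallback silently degrades rather than failing loudly. The one-line fix is to extend the existing sed expression, `s|%%PREFIX%%|${PREFIX}|; s|%%DATADIR%%|${DATADIR}|; s|%%OPENSSLBASE%%|${OPENSSLBASE}|`, and to drop the SUB_LIST line if nothing consumes it. A short comment on the post-patch target saying that these three tokens are the ones files/patch-testssl.sh plants would make the coupling between the two files visible to the next updater.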
@@ -1,3 +1,3 @@
-TIMESTAMP = 1737732228
-SHA256 (testssl-testssl.sh-v3.0.9_GH0.tar.gz) = 75ecbe4470e74f9ad17f4c4ac733be123b0f67d676ed24cc2b30adb41561e05f
-SIZE (testssl-testssl.sh-v3.0.9_GH0.tar.gz) = 9381651
+TIMESTAMP = 1745404098
+SHA256 (testssl-testssl.sh-v3.2.0_GH0.tar.gz) = f3969c152c0fe99a2a90e8c8675ab677d77608ac77c957a95497387c36363c32
+SIZE (testssl-testssl.sh-v3.2.0_GH0.tar.gz) = 6976478
diff --git a/security/testssl.sh/files/patch-testssl.sh b/security/testssl.sh/files/patch-testssl.sh
index 46ad2069d189..476e424b1f14 100644
--- a/security/testssl.sh/files/patch-testssl.sh
+++ b/security/testssl.sh/files/patch-testssl.sh
@@ -1,29 +1,30 @@
---- testssl.sh.orig 2022-02-19 20:34:21 UTC
+--- testssl.sh.orig 2025-04-23 10:29:50 UTC
 +++ testssl.sh
-@@ -132,7 +132,7 @@ declare -r RUN_DIR="$(dirname "$0")"
- declare -r SYSTEM="$(uname -s)"
- declare -r SYSTEMREV="$(uname -r)"
- SYSTEM2="" # currently only being used for WSL = bash on windows
+@@ -193,7 +193,7 @@ ADDTL_CA_FILES="${ADDTL_CA_FILES:-""}" # single file
+ 
+ ########### Tuning vars which cannot be set by a cmd line switch. Use instead e.g "HEADER_MAXSLEEP=10 ./testssl.sh "
+ #
 -TESTSSL_INSTALL_DIR="${TESTSSL_INSTALL_DIR:-""}" # If you run testssl.sh and it doesn't find it necessary file automagically set TESTSSL_INSTALL_DIR
 +TESTSSL_INSTALL_DIR="${TESTSSL_INSTALL_DIR:-"%%DATADIR%%"}" # If you run testssl.sh and it doesn't find it necessary file automagically set TESTSSL_INSTALL_DIR
- CA_BUNDLES_PATH="${CA_BUNDLES_PATH:-""}" # You can have your stores some place else
- ADDITIONAL_CA_FILES="${ADDITIONAL_CA_FILES:-""}" # single file with a CA in PEM format or comma separated lists of them
+ CA_BUNDLES_PATH="${CA_BUNDLES_PATH:-""}" # You can have your CA stores some place else
+ EXPERIMENTAL=${EXPERIMENTAL:-false} # a development hook which allows us to disable code
+ PROXY_WAIT=${PROXY_WAIT:-20} # waiting at max 20 seconds for socket reply through proxy
+@@ -244,8 +244,8 @@ TLS_DATA_FILE="" # mandatory fi
+ PRINTF="" # which external printf to use. Empty presets the internal one, see #1130
 CIPHERS_BY_STRENGTH_FILE=""
-@@ -187,6 +187,9 @@ TERM_CURRPOS=0
- ########### Defining (and presetting) variables which can be changed
- #
- # Following variables make use of $ENV and can be used like "OPENSSL= ./testssl.sh "
-+if [[ -z "$OPENSSL" ]]; then
-+ OPENSSL="%%PREFIX%%/openssl-unsafe/bin/openssl"
-+fi
- declare -x OPENSSL
- OPENSSL_TIMEOUT=${OPENSSL_TIMEOUT:-""} # Default connect timeout with openssl before we call the server side unreachable
- CONNECT_TIMEOUT=${CONNECT_TIMEOUT:-""} # Default connect timeout with sockets before we call the server side unreachable
-@@ -20345,7 +20348,6 @@ lets_roll() {
+ TLS_DATA_FILE="" # mandatory file for socket-based handshakes
+-OPENSSL="" # ~/bin/openssl.$(uname).$(uname -m) if you run this from GitHub. Linux otherwise probably /usr/bin/openssl
+-OPENSSL2=${OPENSSL2:-/usr/bin/openssl} # This will be openssl version >=1.1.1 (auto determined) as opposed to openssl-bad (OPENSSL)
++OPENSSL="%%PREFIX%%/openssl-unsafe/bin/openssl" # ~/bin/openssl.$(uname).$(uname -m) if you run this from GitHub. Linux otherwise probably /usr/bin/openssl
++OPENSSL2=${OPENSSL2:-"%%OPENSSLBASE%%/bin/openssl"} # This will be openssl version >=1.1.1 (auto determined) as opposed to openssl-bad (OPENSSL)
+ OPENSSL2_HAS_TLS_1_3=false # If we run with supplied binary AND $OPENSSL2 supports TLS 1.3 this will be set to true
+ OPENSSL2_HAS_CHACHA20=false
+ OPENSSL2_HAS_AES128_GCM=false
+@@ -24940,7 +24940,6 @@ lets_roll() {
 mybanner
 check_proxy
 check4openssl_oldfarts
 - check_bsd_mount
 setup_lc_collate
 if "$do_display_only"; then
diff --git a/security/testssl.sh/pkg-plist b/security/testssl.sh/pkg-plist
index a87771213426..5649dbfaee77 100644
--- a/security/testssl.sh/pkg-plist
+++ b/security/testssl.sh/pkg-plist
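Review bot: The new `++OPENSSL="%%PREFIX%%/openssl-unsafe/bin/openssl"` assignment is unconditional, whereas the patch it replaces only applied the port default inside `if [[ -z "$OPENSSL" ]]`, so an operator-supplied `OPENSSL=/path ./testssl.sh` (the usage the removed comment advertises) is now overwritten unless upstream re-reads the environment later, which this hunk cannot show. The neighbouring OPENSSL2 line keeps the env-respecting `${OPENSSL2:-...}` form, so the asymmetry looks unintended; the old semantics survive as `OPENSSL="${OPENSSL:-%%PREFIX%%/openssl-unsafe/bin/openssl}"`. That matters operationally because the openssl-unsafe binary is a deliberately legacy build used only for probing weak protocols, and a tester who points OPENSSL at a different build should not silently get the port default instead. The lets_roll() context at the end of the hunk continues outside what is shown.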
@@ -1,38 +1,40 @@
 bin/testssl.sh
 share/man/man1/testssl.1.gz
 %%DATADIR%%/etc/Apple.pem
 %%DATADIR%%/etc/DST Root CA X3.txt
 %%DATADIR%%/etc/Java.pem
 %%DATADIR%%/etc/Linux.pem
 %%DATADIR%%/etc/Microsoft.pem
 %%DATADIR%%/etc/Mozilla.pem
 %%DATADIR%%/etc/README.md
+%%DATADIR%%/etc/SSLSocketClient.java
 %%DATADIR%%/etc/ca_hashes.txt
 %%DATADIR%%/etc/cipher-mapping.txt
 %%DATADIR%%/etc/client-simulation.txt
 %%DATADIR%%/etc/client-simulation.wiresharked.md
 %%DATADIR%%/etc/client-simulation.wiresharked.txt
 %%DATADIR%%/etc/common-primes.txt
 %%DATADIR%%/etc/curves.txt
 %%DATADIR%%/etc/curves-mapping.txt
 %%DATADIR%%/etc/openssl.cnf
 %%DATADIR%%/etc/tls_data.txt
 %%DATADIR%%/utils/00_unittest_baseline.sh
 %%DATADIR%%/utils/ccs-injection.bash
 %%DATADIR%%/utils/checkcert.sh
 %%DATADIR%%/utils/create_ca_hashes.sh
 %%DATADIR%%/utils/curves.bash
 %%DATADIR%%/utils/docker-debian10.tls13only.start.sh
 %%DATADIR%%/utils/docker-nginx.tls13-earlydata.start.sh
 %%DATADIR%%/utils/generate_static_cipher_lists.sh
 %%DATADIR%%/utils/gmap2testssl.sh
 %%DATADIR%%/utils/heartbleed.bash
 %%DATADIR%%/utils/hexstream2cipher.sh
+%%DATADIR%%/utils/hexstream2curves.sh
 %%DATADIR%%/utils/make-openssl.sh
 %%DATADIR%%/utils/make-openssl111.sh
 %%DATADIR%%/utils/parse_client_ciphers.pl
 %%DATADIR%%/utils/prototype.ssl2proto-check.bash
 %%DATADIR%%/utils/prototype.tls-protocol-checker.bash
 %%DATADIR%%/utils/resume.sh
 %%DATADIR%%/utils/ticketbleed.bash
 %%DATADIR%%/utils/update_client_sim_data.pl