Okay, so after a bit of digging around -- it turns out that in order to be exposed in make.conf, there has to be some "glue" magic in /usr/ports/Mk to pass those options in.
That said, if you're looking for a *programmatic* way to do this (as I was), your best answer probably is:
    mkdir -p /var/db/ports/security_openssl
    echo "OPTIONS_FILE_SET+=WEAK-SSL-CIPHERS" >> /var/db/ports/security_openssl/options
If you want something persistent (as I do), your best answer might be to build your own port independently via poudriere. This is annoying because it means you'll have to custom-build anything ELSE you want to depend on that port via poudriere.
For my use case, newer openssl broke a Nagios check for me that was checking a piece of hardware that had older crypto on it. Ultimately, my answer is going to be installing openssl-unsafe, wrapping /usr/local/openssl-unsafe/bin/openssl -ciphers ALL with a Perl script, and coding a new Nagios plugin up. I mention this because it looks like the rabbit hole of older crypto being a COMPILE TIME option (as opposed to something disabled in openssl.cnf or something) is Just Too Annoying to fix.
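Added example, not part of the original answer: the `echo ... >>` approach above appends a duplicate line on every run, so this sketch records the option exactly once, drops a conflicting `OPTIONS_FILE_UNSET` line, and can list which ports have a given option (such as WEAK-SSL-CIPHERS) set. The function names and the `PORT_DBDIR` override are hypothetical; the file layout is the one shown in the answer.

```shell
#!/bin/sh
# Added example: idempotent handling of a port's saved options file.
# PORT_DBDIR is a hypothetical override; it defaults to the path used in the answer.
PORT_DBDIR="${PORT_DBDIR:-/var/db/ports}"

# port_option_is_set ORIGIN OPTION -> exit 0 if the option is recorded as set.
# ORIGIN is category/port (e.g. security/openssl); the directory is category_port.
port_option_is_set() {
    file="$PORT_DBDIR/$(printf '%s' "$1" | tr '/' '_')/options"
    [ -f "$file" ] && grep -Fxq "OPTIONS_FILE_SET+=$2" "$file"
}

# port_option_set ORIGIN OPTION -> record the option as set, exactly once.
port_option_set() {
    dir="$PORT_DBDIR/$(printf '%s' "$1" | tr '/' '_')"
    file="$dir/options"
    mkdir -p "$dir" || return 1
    [ -f "$file" ] || : > "$file"
    # Remove a conflicting UNSET line so the file does not both set and unset it.
    if grep -Fxq "OPTIONS_FILE_UNSET+=$2" "$file"; then
        tmp="$file.tmp.$$"
        grep -Fxv "OPTIONS_FILE_UNSET+=$2" "$file" > "$tmp" || true
        mv "$tmp" "$file"
    fi
    # Append only when the exact line is not already present.
    port_option_is_set "$1" "$2" || echo "OPTIONS_FILE_SET+=$2" >> "$file"
}

# ports_with_option OPTION -> print the db directory name of each port with it set.
# Useful for auditing which hosts still build a port with weak ciphers enabled.
ports_with_option() {
    for f in "$PORT_DBDIR"/*/options; do
        [ -f "$f" ] && grep -Fxq "OPTIONS_FILE_SET+=$1" "$f" \
            && basename "$(dirname "$f")"
    done
    return 0
}
```

Call `port_option_set security/openssl WEAK-SSL-CIPHERS` as root before building the port; `ports_with_option WEAK-SSL-CIPHERS` then shows where the option is in effect.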