This I expected hence my comment, but the base is not the big issue as using 3.0 in ports will make almost everything on the server use 3.0 as dependency which is fine for me.The issue is, this isn't possible without breaking ABI or having two different OpenSSL versions (one private) in base, which has other hard to solve issues. See also what Alexander wrote in the thread: https://lists.freebsd.org/archives/freebsd-arch/2023-April/000365.html -- I fully agree with him.
Now, this discussion was half a year ago. 14 already moved to OpenSSL 3 (before entering release engineering). A lot of fixing in ports was done as well, ports should largely build and work with OpenSSL 3 from base now.
I honestly don't know what's the plan now for stable/13. One could always try the "Debian approach" and backport security fixes yourself, which is very tedious and also error-prone work... not sure whether this is considered. People actively working on base probably know more.
From a user perspective, I'd say the best way to avoid this issue is to move to 14.0-RELEASE early on.
The bigger issue is that the move to 3.0 was left right to the last moment, this is inconsistent with how things are normally done when ports now days typically get bumped when a new upstream major version is released.
Is there a lot of breakages in the ports tree with openssl 3.0? for things like php 8.0, 8.1, dovecot, exim, apache, mysql, because if there is, it makes moving to 3.0 a no go which is the real problem.
But on 13.x if its deemed not possible to merge in openssl 3.0, then it might be an idea to drop openssl in base entirely, just pre install the port instead or back port security patches, more work for the dev's but I dont think is right to just say we will keep on building 13.x but dont use it and go to a point zero release instead. Thats my 5 pennies on that.
Also openssl 3.0 was released prior to FreeBSD 13.0, and at that point the openssl 1.1 EOL was published, so 13 should have been released with openssl 3.0 to avoid the problem, but I expect was no appetite back then to make sure the ports tree is working.
Seems they also waited 6 days after the quarterly ports tree update as well, that is 1.1 now until January.