Downgrade OpenSSL to support SSLv3, Heartbeats, MD2, Idea, MDC2, RC5 and old / weak / legacy SSL ciphers and protocols.

In 10 minutes you will be able to:
  1. Set up OpenSSL to enable support for SSLv3 and others, system-wide and in apache2 and nginx.
Fully explained commands follow. You can copy-paste them into a terminal to reach these goals.
Should be compatible with other Debian versions.
# command - privileged commands (invoke as root).
$ command - non-privileged commands (invoke as non-root).
These recommendations are ONLY for building a backward-compatible environment.
The result is unstable and NOT secure, since outdated ciphers/protocols are used.
Provided AS-IS. Use only if you really know what you are doing.
If you have corrections, please speak up at the bottom.

Append source (deb-src) entries to the apt sources list.

# vi /etc/apt/sources.list
Paste the following content:
deb http://httpredir.debian.org/debian/ buster main contrib non-free
deb http://httpredir.debian.org/debian/ buster-updates main contrib non-free
deb http://security.debian.org/ buster/updates main contrib non-free
deb-src http://httpredir.debian.org/debian/ buster main contrib non-free
deb-src http://httpredir.debian.org/debian/ buster-updates main contrib non-free
deb-src http://security.debian.org/ buster/updates main contrib non-free

Invoke:
# apt-get update

Rebuild current OpenSSL.

You can rebuild any package in the same way,
including apache2 if needed.
On the Debian 10 machine invoke:

# openssl list -disabled #keep output to compare


# mkdir /_apt
# chown _apt: /_apt/

# apt install devscripts #'devscripts' is needed for 'debuild'.

# su -s/bin/bash - _apt
$ mkdir /_apt/openssl-current/
$ cd /_apt/openssl-current/
$ apt-get source openssl #this will get current openssl version source.
$ exit;
#

#under root
# apt-get build-dep openssl

#*These are the dependencies for the CONFARGS below.
#*If we change no-zlib to enable-zlib, the build will fail.
#*So keep 'no-zlib', but install zlib anyway.
# apt-get install zlib1g-dev zlib1g

# apt-get install build-essential make zlib1g-dev libxml2-dev
#*These are the dependencies for 'enable-weak-ssl-ciphers' below.


# su -s/bin/bash - _apt
$ cd /_apt/openssl-current/openssl-1.1.1d #ver. may change.
$ vi debian/rules
Change the line starting with CONFARGS
From:
CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib no-ssl3 enable-unit-test no-ssl3-method enable-rfc3779 enable-cms
To:
CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) enable-heartbeats enable-md2 enable-weak-ssl-ciphers enable-idea enable-mdc2 enable-rc5 no-zlib enable-ssl2 enable-ssl3 enable-unit-test enable-ssl3-method enable-rfc3779 enable-cms

#*Actual build.
$ debuild -b -uc -us

$ exit;
# cd /_apt/openssl-current/
# dpkg -i ./libssl-dev_1.1.1d-0+deb10u3_amd64.deb ./libssl1.1_1.1.1d-0+deb10u3_amd64.deb ./libssl-doc_1.1.1d-0+deb10u3_all.deb ./openssl_1.1.1d-0+deb10u3_amd64.deb
#*Versions may change, tune to yours.

# apt-mark hold libssl-dev libssl1.1 libssl-doc openssl

# openssl list -disabled #compare it with original

# openssl list -cipher-algorithms

# openssl list -digest-algorithms

# openssl ciphers -v |fgrep --color=yes SSLv3
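
An added example, not part of the original page: a small shell helper for the before/after comparison of `openssl list -disabled` called for above. The file names and sample listings are constructed; save the real output with `openssl list -disabled > before.txt` before the rebuild and to a second file afterwards.

```shell
#!/bin/sh
# Added example: show which features a rebuild switched on by comparing
# two saved outputs of `openssl list -disabled` (before and after).
LC_ALL=C; export LC_ALL   # same collation for sort and comm

# Reduce one saved listing to a sorted set of feature names:
# strip whitespace, drop the "Disabled algorithms:" header and blank lines.
feature_set() {
    tr -d ' \t\r' < "$1" | grep -v -e ':$' -e '^$' | sort -u
}

# $1 = comm column flags, $2 = "before" listing, $3 = "after" listing
compare_sets() {
    b=$(mktemp) a=$(mktemp)
    feature_set "$2" > "$b"
    feature_set "$3" > "$a"
    comm "$1" "$b" "$a"
    rm -f "$b" "$a"
}

# Features disabled before the rebuild but no longer disabled after it.
newly_enabled()  { compare_sets -23 "$1" "$2"; }

# Features that are disabled in both builds.
still_disabled() { compare_sets -12 "$1" "$2"; }

# Demo on constructed sample listings (not captured from a real system).
demo_dir=$(mktemp -d)
printf 'Disabled algorithms:\nHEARTBEATS\nIDEA\nMD2\nMDC2\nRC5\nSSL3\nZLIB\n' \
    > "$demo_dir/before.txt"
printf 'Disabled algorithms:\nZLIB\n' > "$demo_dir/after.txt"
echo "Newly enabled by the rebuild:"
newly_enabled "$demo_dir/before.txt" "$demo_dir/after.txt"
echo "Still disabled:"
still_disabled "$demo_dir/before.txt" "$demo_dir/after.txt"
rm -rf "$demo_dir"
```

Keeping the "newly enabled" list with the host's records documents exactly which legacy features this machine now exposes.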

Now you have built and installed OpenSSL with old ciphers / protocols enabled.
But for apache2 and nginx this is not enough.
You need to rebuild the libssl1.0.0 library from the previous OpenSSL package. You can get the previous OpenSSL version from Debian 8.
$ openssl version
OpenSSL 1.0.1t  3 May 2016
Note:
Use:
# openssl ciphers -v '-ALL:MD5' to show all supported MD5 ciphers.
# openssl ciphers -v 'ALL' gives you all possible values for
apache's SSLCipherSuite and nginx's ssl_ciphers directives.
You can also use Mozilla SSL Configuration Generator https://ssl-config.mozilla.org/

Rebuild previous OpenSSL - part 1.

Note:
You can install libssl1.0.0 on Debian 10 from jessie-backports, but it lacks what we need.
# apt-get install libssl1.0.0 -t jessie-backports
On the Debian 8 machine invoke:

# vi /etc/apt/sources.list
deb http://httpredir.debian.org/debian/ jessie main contrib non-free
deb http://security.debian.org/ jessie/updates main contrib non-free
deb-src http://httpredir.debian.org/debian/ jessie main contrib non-free
deb-src http://security.debian.org/ jessie/updates main contrib non-free

# apt-get update

# mkdir openssl-previous
# cd openssl-previous
# apt-get source openssl #will get 1.0.1t ver.
# cd .. #go back to the parent directory so tar can see openssl-previous.
# tar zcpf openssl-previous.tar.gz openssl-previous

Transfer openssl-previous.tar.gz to the Debian 10 machine. 

Rebuild previous OpenSSL - part 2.

On the Debian 10 machine invoke:

# cd /_apt
# tar zxpf /root/openssl-previous.tar.gz
# chown -R _apt: ./openssl-previous/


# su -s/bin/bash - _apt
$ cd /_apt/openssl-previous/openssl-1.0.1t #ver. may change.
$ vi debian/rules
Change the line starting with CONFARGS
From:
CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib  enable-tlsext no-ssl2 no-ssl3
To:
CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH)  enable-heartbeats enable-md2 enable-weak-ssl-ciphers enable-idea enable-mdc2 enable-rc5 no-zlib  enable-tlsext no-ssl2 enable-ssl3 enable-ssl3-method

Below that, comment out:
#MAKE_TEST = make test
#ifneq (,$(findstring nocheck,$(DEB_BUILD_OPTIONS)))
#       MAKE_TEST = :
#endif
and right after it add:
        MAKE_TEST = :

$ debuild -b -uc -us
#*Actual build.

$ exit;
# cd /_apt/openssl-previous/
# dpkg -i ./libssl1.0.0_1.0.1t-1+deb8u12_amd64.deb ./openssl_1.0.1t-1+deb8u12_amd64.deb
#*Versions may change, tune to yours.

# apt-mark hold libssl1.0.0 openssl

All done.
Now invoke:
# systemctl restart apache2 nginx
to make SSLv3 and others work.
Tested with:
  1. Debian 10.5.
  2. apache2=2.4.38-3+deb10u3
  3. nginx=1.18.0-1~buster

Apache2 SSLv3 (and other) note regarding mod_ssl.

After you have installed the new and old versions of OpenSSL, you should
rebuild Apache2 so that mod_ssl is built against the current SSL libs.
You can do it in the same manner as rebuilding the current OpenSSL.
# apachectl -t
AH00526: Syntax error on line 67 of /etc/apache2/mods-enabled/ssl.conf:
SSLv3 not supported by this version of OpenSSL
Action '-t' failed.
The Apache error log may have more information.

Nginx SSLv3 (and other) note.

Just restart nginx to apply changes regarding SSLv3 and others.

The ca-certificates package note.

ca-certificates may depend on the previous OpenSSL variant.
To test it invoke:
# apt autoremove
If you see an unmet dependencies message, then
rebuild this package (get it from Debian 8) too.
After building and installing it, do not forget to hold it:
# apt-mark hold ca-certificates

To revert changes.

On the Debian 10 machine invoke:

apt-mark unhold libssl-dev libssl1.1 libssl-doc openssl
apt-mark unhold libssl1.0.0 openssl
apt-mark unhold apache2 apache2-bin apache2-data apache2-utils
apt-mark unhold ca-certificates
apt-mark unhold nginx

apt-get install openssl
apt-get remove --purge libssl1.0.0
apt-get install --reinstall openssl libssl1.1 libssl-doc libssl-dev

apt-get remove --purge   apache2 apache2-bin apache2-data apache2-utils

Install brief.


dpkg -i ./libssl-dev_1.1.1d-0+deb10u3_amd64.deb ./libssl1.1_1.1.1d-0+deb10u3_amd64.deb ./libssl-doc_1.1.1d-0+deb10u3_all.deb ./openssl_1.1.1d-0+deb10u3_amd64.deb
dpkg -i ./libssl1.0.0_1.0.1t-1+deb8u12_amd64.deb ./openssl_1.0.1t-1+deb8u12_amd64.deb
dpkg -i ./apache2-bin_2.4.38-3+deb10u3_amd64.deb ./apache2-data_2.4.38-3+deb10u3_all.deb ./apache2_2.4.38-3+deb10u3_amd64.deb ./apache2-utils_2.4.38-3+deb10u3_amd64.deb
dpkg -i ca-certificates_20141019+deb8u4_all.deb

Files

Use this URL https://drive.google.com/file/d/1v6kERpN1yKO25yrINCEmHX9ydcdtBB3X
to get debian-10-downgrade-openssl.tar.xz.zip, password is: [withheld].
*You can request the password from me using the form below.