Roughly copy / pasting my response from this task:
Updating OpenSSL involves keeping the existing version around, both in the same upgrade (so shipping both at the same time, in the same package, to ensure no libs are removed and ABIs pulled out from underneath python's feet). This has to be done to ensure the package manager continues to function, so we can perform the necessary package transactions to get the dependencies to build (and even rebuild) Python 2/3 in the first place.
It's only after that point I can even work on ripping OpenSSL 1.0.2 series into it's own binary compat library for older applications or the likes of Steam. LibreSSL will be investigated for that, alongside switching some applications to using GnuTLS instead. For now I'll be updating us to the latest OpenSSL 1.0.2 series release, which isn't "outdated", just a different development branch / series.
I have a doc with quite a few packages successfully updated and rebuild however there are specific items like httpd that don't appreciate our co-installed OpenSSL 1.0.2 and 1.1.x shared libraries and straight up refuse to compile.