diff --git a/relenv/python-versions.json b/relenv/python-versions.json
index 2ffa6ad7..af57561c 100644
--- a/relenv/python-versions.json
+++ b/relenv/python-versions.json
@@ -205,9 +205,9 @@
    }
   },
   "openssl": {
-   "3.6.1": {
+   "3.5.5": {
     "url": "https://github.com/openssl/openssl/releases/download/openssl-{version}/openssl-{version}.tar.gz",
-    "sha256": "b1bfedcd5b289ff22aee87c9d600f515767ebf45f77168cb6d64f231f518a82e",
+    "sha256": "b28c91532a8b65a1f983b4c28b7488174e4a01008e29ce8e69bd789f28bc2a89",
     "platforms": [
      "linux",
      "darwin",
diff --git a/relenv/pyversions.py b/relenv/pyversions.py
index f4b865d0..c8b243e8 100644
--- a/relenv/pyversions.py
+++ b/relenv/pyversions.py
@@ -123,6 +123,10 @@ def verify_signature(
 VERSION = None  # '3.13.2'
 UPDATE = False
 
+PINNED_VERSIONS = {
+    "openssl": "3.5",
+}
+
 
 def digest(file: str | os.PathLike[str]) -> str:
     """
@@ -249,6 +253,11 @@ def detect_openssl_versions() -> list[str]:
     # Find tags like openssl-3.5.4
     pattern = r'openssl-(\d+\.\d+\.\d+)"'
     matches = re.findall(pattern, content)
+
+    pin = PINNED_VERSIONS.get("openssl")
+    if pin:
+        matches = [v for v in matches if v == pin or v.startswith(f"{pin}.")]
+
     # Deduplicate and sort
     versions = sorted(
         set(matches), key=lambda v: [int(x) for x in v.split(".")], reverse=True
diff --git a/tests/test_pyversions_runtime.py b/tests/test_pyversions_runtime.py
index 37f2fe29..dd69c373 100644
--- a/tests/test_pyversions_runtime.py
+++ b/tests/test_pyversions_runtime.py
@@ -110,6 +110,7 @@ def test_detect_openssl_versions(monkeypatch: pytest.MonkeyPatch) -> None:
     """Test OpenSSL version detection from GitHub releases."""
     mock_html = """
     <html>
+    <a href="/openssl/openssl/releases/tag/openssl-3.6.1">openssl-3.6.1</a>
     <a href="/openssl/openssl/releases/tag/openssl-3.5.4">openssl-3.5.4</a>
     <a href="/openssl/openssl/releases/tag/openssl-3.5.3">openssl-3.5.3</a>
     <a href="/openssl/openssl/releases/tag/openssl-3.4.0">openssl-3.4.0</a>
@@ -120,14 +121,31 @@ def fake_fetch(url: str) -> str:
         return mock_html
 
     monkeypatch.setattr(pyversions, "fetch_url_content", fake_fetch)
+
+    # Test with pin "3.5" (current setting)
+    monkeypatch.setitem(pyversions.PINNED_VERSIONS, "openssl", "3.5")
     versions = pyversions.detect_openssl_versions()
-    assert isinstance(versions, list)
     assert "3.5.4" in versions
     assert "3.5.3" in versions
-    assert "3.4.0" in versions
-    # Verify sorting (latest first)
+    assert "3.6.1" not in versions
+    assert "3.4.0" not in versions
     assert versions[0] == "3.5.4"
 
+    # Test with different pin
+    monkeypatch.setitem(pyversions.PINNED_VERSIONS, "openssl", "3.4")
+    versions = pyversions.detect_openssl_versions()
+    assert "3.4.0" in versions
+    assert "3.5.4" not in versions
+    assert "3.6.1" not in versions
+
+    # Test with no pin
+    monkeypatch.delitem(pyversions.PINNED_VERSIONS, "openssl")
+    versions = pyversions.detect_openssl_versions()
+    assert "3.6.1" in versions
+    assert "3.5.4" in versions
+    assert "3.4.0" in versions
+    assert versions[0] == "3.6.1"
+
 
 def test_detect_sqlite_versions(monkeypatch: pytest.MonkeyPatch) -> None:
     """Test SQLite version detection from sqlite.org."""