Does anyone know a way for roll-back a package if it breaks a service after apt-get upgrade?
For example:

pt-cache policy openssl
openssl:
Installed: 1.0.1f-1ubuntu2.21
Candidate: 1.0.1f-1ubuntu2.21
Version table:
*** 1.0.1f-1ubuntu2.21 0
500 http://eu-west-1.ec2.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
100 /var/lib/dpkg/status
1.0.1f-1ubuntu2 0
500 http://eu-west-1.ec2.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages


I see my current version is 1.0.1f-1ubuntu2.21 but I have upgraded from 1.0.1f-1ubuntu2.19
Looks like I can't get back to that version!

apt-get install openssl=1.0.1f-1ubuntu2.19
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Version '1.0.1f-1ubuntu2.19' for 'openssl' was not found

Yes, exactly the way you describe - you do, of course, need access to the previous version, either in your cache or from an available repo.
Debian has snapshots.debian.org for all archived previous versions - presumably ubuntu has something similar.

I would, however, question the wisdom of downgrading the SSL package. Updates are generally to patch security issues and remove support for insecure schemes that should no longer be used.
If you have things that have stopped working for this reason (details?) you should fix that, NOT make it 'work' again by just leaving the doors unlocked....

OpesSSL was an examnple
I am mostly conecrned about mesos package and zookeeper. I am preparing to upgrade machines in AWS and need to be prepared if something goes bad.

Thank you for the answer. I have found Launchpad as something similar on ubuntu - It may help