diff --git a/Dockerfile b/Dockerfile
index 3dd2667..1bda44f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,21 +1,34 @@
-FROM python:3.12-slim-bookworm
+FROM python:3.12-slim-bullseye
 
-# Base deps
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
-    curl gnupg ca-certificates \
-    unixodbc unixodbc-dev \
+    curl gnupg ca-certificates unixodbc unixodbc-dev openssl \
  && rm -rf /var/lib/apt/lists/*
 
-# MS ODBC Driver 17 for SQL Server
+# Microsoft repo for Debian 11 (bullseye)
 RUN mkdir -p /etc/apt/keyrings \
- && curl -fsSL https://packages.microsoft.com/keys/microsoft.asc \
-    | gpg --dearmor -o /etc/apt/keyrings/microsoft-prod.gpg \
- && echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/microsoft-prod.gpg] https://packages.microsoft.com/debian/12/prod bookworm main" \
+ && curl -fsSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor -o /etc/apt/keyrings/microsoft-prod.gpg \
+ && echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/microsoft-prod.gpg] https://packages.microsoft.com/debian/11/prod bullseye main" \
     > /etc/apt/sources.list.d/microsoft-prod.list \
  && apt-get update \
- && ACCEPT_EULA=Y apt-get install -y msodbcsql17 unixodbc unixodbc-dev \
+ && ACCEPT_EULA=Y apt-get install -y msodbcsql17 \
  && rm -rf /var/lib/apt/lists/*
 
+# Loosen OpenSSL policy so very old servers/certs work
+RUN printf '%s\n' \
+  'openssl_conf = default_conf' \
+  '' \
+  '[default_conf]' \
+  'ssl_conf = ssl_sect' \
+  '' \
+  '[ssl_sect]' \
+  'system_default = system_default_sect' \
+  '' \
+  '[system_default_sect]' \
+  'MinProtocol = TLSv1' \
+  'CipherString = DEFAULT@SECLEVEL=1' \
+  > /etc/ssl/openssl_loose.cnf
+ENV OPENSSL_CONF=/etc/ssl/openssl_loose.cnf
+
 WORKDIR /app
 
 COPY requirements.txt .