diff --git a/abstractions-openssl-1_1.diff b/abstractions-openssl-1_1.diff
new file mode 100644
index 0000000..08a5f22
--- /dev/null
+++ b/abstractions-openssl-1_1.diff
@@ -0,0 +1,12 @@
+diff --git a/profiles/apparmor.d/abstractions/openssl b/profiles/apparmor.d/abstractions/openssl
+index c0c09fb45..65939ae44 100644
+--- a/profiles/apparmor.d/abstractions/openssl
++++ b/profiles/apparmor.d/abstractions/openssl
+@@ -11,6 +11,7 @@
+   abi <abi/3.0>,
+ 
+   /etc/ssl/openssl.cnf r,
++  /etc/ssl/openssl-*.cnf r,
+   /etc/ssl/{engdef,engines}.d/ r,
+   /etc/ssl/{engdef,engines}.d/*.cnf r,
+   /usr/share/ssl/openssl.cnf r,
diff --git a/apparmor.changes b/apparmor.changes
index c054b1a..b9d1c09 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Feb  6 19:27:40 UTC 2023 - Christian Boltz <suse-beta@cboltz.de>
+
+- add abstractions-openssl-1_1.diff: allow to read
+  /etc/ssl/openssl-1_1.cnf in abstractions/openssl (boo#1207911)
+
 -------------------------------------------------------------------
 Mon Jan 30 11:33:05 UTC 2023 - Christian Boltz <suse-beta@cboltz.de>
 
diff --git a/apparmor.spec b/apparmor.spec
index cc24666..85f84f5 100644
--- a/apparmor.spec
+++ b/apparmor.spec
@@ -94,6 +94,9 @@ Patch12:        dnsmasq-cpu-possible.diff
 # allow nscd to read systemd userdb (boo#1207698, submitted upstream 2023-01-30 https://gitlab.com/apparmor/apparmor/-/merge_requests/977)
 Patch13:        nscd-systemd-userdb.diff
 
+# abstractions/openssl: allow to read /etc/ssl/openssl-1_1.cnf (boo#1207911, upstreaming TODO)
+Patch14:        abstractions-openssl-1_1.diff
+
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
@@ -360,6 +363,7 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/
 %patch6
 %patch12 -p1
 %patch13 -p1
+%patch14 -p1
 
 %build
 export SUSE_ASNEEDED=0