From 53f53e9b0249480aa0bfa798fd71b4872f2681c8 Mon Sep 17 00:00:00 2001 From: Artem Boldariev Date: Fri, 1 Dec 2023 21:11:22 +0200 Subject: [PATCH] Add a 'cipher-suites' option system test This commit adds a new system test which verifies that using the 'cipher-suites' option actually works as expected (as well as adds first TLSv1.3 specific tests). --- bin/tests/system/cipher-suites/clean.sh | 26 +++++ .../system/cipher-suites/ns1/named.conf.in | 100 ++++++++++++++++++ .../system/cipher-suites/ns2/named.conf.in | 85 +++++++++++++++ .../system/cipher-suites/ns3/named.conf.in | 85 +++++++++++++++ .../system/cipher-suites/ns4/named.conf.in | 85 +++++++++++++++ .../system/cipher-suites/ns5/named.conf.in | 78 ++++++++++++++ bin/tests/system/cipher-suites/prereq.sh | 21 ++++ .../system/cipher-suites/self-signed-cert.pem | 17 +++ .../system/cipher-suites/self-signed-key.pem | 8 ++ bin/tests/system/cipher-suites/setup.sh | 22 ++++ bin/tests/system/cipher-suites/tests.sh | 88 +++++++++++++++ .../cipher-suites/tests_sh_cipher_suites.py | 14 +++ bin/tests/system/feature-test.c | 9 ++ 13 files changed, 638 insertions(+) create mode 100644 bin/tests/system/cipher-suites/clean.sh create mode 100644 bin/tests/system/cipher-suites/ns1/named.conf.in create mode 100644 bin/tests/system/cipher-suites/ns2/named.conf.in create mode 100644 bin/tests/system/cipher-suites/ns3/named.conf.in create mode 100644 bin/tests/system/cipher-suites/ns4/named.conf.in create mode 100644 bin/tests/system/cipher-suites/ns5/named.conf.in create mode 100644 bin/tests/system/cipher-suites/prereq.sh create mode 100644 bin/tests/system/cipher-suites/self-signed-cert.pem create mode 100644 bin/tests/system/cipher-suites/self-signed-key.pem create mode 100644 bin/tests/system/cipher-suites/setup.sh create mode 100644 bin/tests/system/cipher-suites/tests.sh create mode 100644 bin/tests/system/cipher-suites/tests_sh_cipher_suites.py 
diff --git a/bin/tests/system/cipher-suites/clean.sh b/bin/tests/system/cipher-suites/clean.sh
new file mode 100644
index 0000000000..c81c6a1bdc
--- /dev/null
+++ b/bin/tests/system/cipher-suites/clean.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after zone transfer tests.
+#
+
+rm -f ./*/named.conf
+rm -f ./*/named.memstats
+rm -f ./*/named.run
+rm -f ./*/named.run.prev
+rm -f ./dig.out.*
+rm -f ./gnutls-cli.*
+rm -f ./sslyze.log.*
+rm -f ./*/example*.db
+rm -rf ./headers.*
diff --git a/bin/tests/system/cipher-suites/ns1/named.conf.in b/bin/tests/system/cipher-suites/ns1/named.conf.in
new file mode 100644
index 0000000000..77186a6e63
--- /dev/null
+++ b/bin/tests/system/cipher-suites/ns1/named.conf.in
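Review bot: The header comment `# Clean up after zone transfer tests.` and several of the patterns look carried over from another test directory rather than written for this one: nothing in this patch produces `gnutls-cli.*`, `sslyze.log.*` or `headers.*` (tests.sh writes only `dig.out.*`, and the servers leave `named.run`, `named.memstats` and the `example*.db` secondary copies). Stale patterns are harmless, but they imply external TLS scanners that are not actually exercised here. I would change the comment to `# Clean up after the cipher-suites (XoT) tests.` and either drop the three unused `rm` lines or mark them as placeholders for future sslyze/gnutls checks.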
@@ -0,0 +1,100 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +include "../../_common/rndc.key"; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +tls tls-perfect-forward-secrecy { + protocols { TLSv1.3; }; + cipher-suites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"; + key-file "../self-signed-key.pem"; + cert-file "../self-signed-cert.pem"; + session-tickets no; +}; + +tls tls-pfs-aes256 { + protocols { TLSv1.3; }; + cipher-suites "TLS_AES_256_GCM_SHA384"; + key-file "../self-signed-key.pem"; + cert-file "../self-signed-cert.pem"; + session-tickets no; +}; + +tls tls-pfs-aes128 { + protocols { TLSv1.3; }; + cipher-suites "TLS_AES_128_GCM_SHA256"; + key-file "../self-signed-key.pem"; + cert-file "../self-signed-cert.pem"; + session-tickets no; +}; + +tls tls-pfs-chacha20 { + protocols { TLSv1.3; }; + cipher-suites "TLS_CHACHA20_POLY1305_SHA256"; + key-file "../self-signed-key.pem"; + cert-file "../self-signed-cert.pem"; + session-tickets no; +}; + +options { + port @PORT@; + tls-port @TLSPORT@; + pid-file "named.pid"; + listen-on-v6 { none; }; + listen-on { 10.53.0.1; }; + listen-on tls tls-perfect-forward-secrecy { 10.53.0.1; }; + listen-on port @EXTRAPORT1@ tls tls-pfs-aes128 { 10.53.0.1; }; + listen-on port @EXTRAPORT2@ tls tls-pfs-aes256 { 10.53.0.1; }; + listen-on port @EXTRAPORT3@ tls tls-pfs-chacha20 { 10.53.0.1; }; + recursion no; + notify explicit; + also-notify { 10.53.0.2 port @PORT@; }; + statistics-file "named.stats"; + dnssec-validation yes; + tcp-initial-timeout 1200; + transfers-in 
100; + transfers-out 100; +}; + +zone "." { + type primary; + file "root.db"; + allow-transfer port @TLSPORT@ transport tls { any; }; +}; + +zone "example" { + type primary; + file "example.db"; + allow-transfer port @TLSPORT@ transport tls { any; }; +}; + +zone "example-aes-128" { + type primary; + file "example.db"; + allow-transfer port @EXTRAPORT1@ transport tls { any; }; +}; + +zone "example-aes-256" { + type primary; + file "example.db"; + allow-transfer port @EXTRAPORT2@ transport tls { any; }; +}; + +zone "example-chacha-20" { + type primary; + file "example.db"; + allow-transfer port @EXTRAPORT3@ transport tls { any; }; +}; diff --git a/bin/tests/system/cipher-suites/ns2/named.conf.in b/bin/tests/system/cipher-suites/ns2/named.conf.in new file mode 100644 index 0000000000..58189524b8 --- /dev/null +++ b/bin/tests/system/cipher-suites/ns2/named.conf.in 
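Review bot: The root zone declared on ns1, `zone "." { type primary; file "root.db"; ... }`, references a zone file that this patch neither commits nor generates: setup.sh only produces ns1/example.db and the diffstat lists no root.db, so unless the file is supplied by something outside this patch, named will log a load failure for "." on every start of ns1. Nothing in tests.sh transfers ".", so the simplest fix is to delete that zone block; otherwise generate root.db in setup.sh the same way example.db is. Separately, the `allow-transfer port @TLSPORT@ transport tls { any; };` lines are appropriate for the harness but would be a bad template for production, where the ACL should be restricted to the secondaries' addresses or a TSIG key; a one-line comment such as `// test harness only: restrict to the secondaries in real deployments` would make that explicit.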
@@ -0,0 +1,85 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +include "../../_common/rndc.key"; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +tls local { + key-file "../self-signed-key.pem"; + cert-file "../self-signed-cert.pem"; +}; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + tls-port @TLSPORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on tls local { 10.53.0.2; }; // DoT + listen-on-v6 { none; }; + recursion no; + notify no; + ixfr-from-differences yes; + check-integrity no; + dnssec-validation yes; +}; + +zone "." 
{ + type hint; + file "../../_common/root.hint"; +}; + +tls tls-v1.3 { + protocols { TLSv1.3; }; + cipher-suites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"; + prefer-server-ciphers no; +}; + +zone "example" { + type secondary; + primaries { 10.53.0.1 tls tls-v1.3; }; + file "example.db"; + allow-transfer { any; }; +}; + +tls tls-v1.3-aes-128 { + protocols { TLSv1.3; }; + cipher-suites "TLS_AES_128_GCM_SHA256"; + prefer-server-ciphers no; +}; + +zone "example-aes-128" { + type secondary; + primaries port @EXTRAPORT1@ { 10.53.0.1 tls tls-v1.3-aes-128; }; + file "example-aes-128.db"; + allow-transfer { any; }; +}; + +zone "example-aes-256" { + type secondary; + primaries port @EXTRAPORT2@ { 10.53.0.1 tls tls-v1.3-aes-128; }; + file "example-aes-256.db"; + allow-transfer { any; }; +}; + +zone "example-chacha-20" { + type secondary; + primaries port @EXTRAPORT3@ { 10.53.0.1 tls tls-v1.3-aes-128; }; + file "example-chacha-20.db"; + allow-transfer { any; }; +}; diff --git a/bin/tests/system/cipher-suites/ns3/named.conf.in b/bin/tests/system/cipher-suites/ns3/named.conf.in new file mode 100644 index 0000000000..9a78903d98 --- /dev/null +++ b/bin/tests/system/cipher-suites/ns3/named.conf.in 
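Review bot: The client-side `tls tls-v1.3` and `tls tls-v1.3-aes-128` blocks carry `protocols` and `cipher-suites` but no `ca-file` or `remote-hostname`, so the secondary never authenticates ns1's certificate (which is self-signed, so verification would need the test cert as a CA); the transfers therefore exercise Opportunistic TLS only, and a handshake with any peer offering an acceptable suite would pass. That is fine for a cipher-negotiation test, but a comment in each client block, e.g. `// no ca-file: the peer is not authenticated, this test only checks cipher negotiation`, would stop them from being copied as a Strict-TLS template. `prefer-server-ciphers no` is, as far as I can tell, a server-side preference knob; if named accepts but ignores it in a client-only block it is misleading here and could be dropped, so please confirm its effect on the outgoing side.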
@@ -0,0 +1,85 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +include "../../_common/rndc.key"; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +tls local { + key-file "../self-signed-key.pem"; + cert-file "../self-signed-cert.pem"; +}; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + tls-port @TLSPORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on tls local { 10.53.0.3; }; // DoT + listen-on-v6 { none; }; + recursion no; + notify no; + ixfr-from-differences yes; + check-integrity no; + dnssec-validation yes; +}; + +zone "." 
{ + type hint; + file "../../_common/root.hint"; +}; + +tls tls-v1.3 { + protocols { TLSv1.3; }; + cipher-suites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"; + prefer-server-ciphers no; +}; + +zone "example" { + type secondary; + primaries { 10.53.0.1 tls tls-v1.3; }; + file "example.db"; + allow-transfer { any; }; +}; + +tls tls-v1.3-aes-256 { + protocols { TLSv1.3; }; + cipher-suites "TLS_AES_256_GCM_SHA384"; + prefer-server-ciphers no; +}; + +zone "example-aes-128" { + type secondary; + primaries port @EXTRAPORT1@ { 10.53.0.1 tls tls-v1.3-aes-256; }; + file "example-aes-128.db"; + allow-transfer { any; }; +}; + +zone "example-aes-256" { + type secondary; + primaries port @EXTRAPORT2@ { 10.53.0.1 tls tls-v1.3-aes-256; }; + file "example-aes-256.db"; + allow-transfer { any; }; +}; + +zone "example-chacha-20" { + type secondary; + primaries port @EXTRAPORT3@ { 10.53.0.1 tls tls-v1.3-aes-256; }; + file "example-chacha-20.db"; + allow-transfer { any; }; +}; diff --git a/bin/tests/system/cipher-suites/ns4/named.conf.in b/bin/tests/system/cipher-suites/ns4/named.conf.in new file mode 100644 index 0000000000..cf52f98b0d --- /dev/null +++ b/bin/tests/system/cipher-suites/ns4/named.conf.in 
@@ -0,0 +1,85 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +include "../../_common/rndc.key"; + +controls { + inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +tls local { + key-file "../self-signed-key.pem"; + cert-file "../self-signed-cert.pem"; +}; + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + tls-port @TLSPORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on tls local { 10.53.0.4; }; // DoT + listen-on-v6 { none; }; + recursion no; + notify no; + ixfr-from-differences yes; + check-integrity no; + dnssec-validation yes; +}; + +zone "." 
{ + type hint; + file "../../_common/root.hint"; +}; + +tls tls-v1.3 { + protocols { TLSv1.3; }; + cipher-suites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"; + prefer-server-ciphers no; +}; + +zone "example" { + type secondary; + primaries { 10.53.0.1 tls tls-v1.3; }; + file "example.db"; + allow-transfer { any; }; +}; + +tls tls-v1.3-chacha20 { + protocols { TLSv1.3; }; + cipher-suites "TLS_CHACHA20_POLY1305_SHA256"; + prefer-server-ciphers no; +}; + +zone "example-aes-128" { + type secondary; + primaries port @EXTRAPORT1@ { 10.53.0.1 tls tls-v1.3-chacha20; }; + file "example-aes-128.db"; + allow-transfer { any; }; +}; + +zone "example-aes-256" { + type secondary; + primaries port @EXTRAPORT2@ { 10.53.0.1 tls tls-v1.3-chacha20; }; + file "example-aes-256.db"; + allow-transfer { any; }; +}; + +zone "example-chacha-20" { + type secondary; + primaries port @EXTRAPORT3@ { 10.53.0.1 tls tls-v1.3-chacha20; }; + file "example-chacha-20.db"; + allow-transfer { any; }; +}; diff --git a/bin/tests/system/cipher-suites/ns5/named.conf.in b/bin/tests/system/cipher-suites/ns5/named.conf.in new file mode 100644 index 0000000000..9187d0e94a --- /dev/null +++ b/bin/tests/system/cipher-suites/ns5/named.conf.in 
@@ -0,0 +1,78 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +include "../../_common/rndc.key"; + +controls { + inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +tls local { + key-file "../self-signed-key.pem"; + cert-file "../self-signed-cert.pem"; +}; + +options { + query-source address 10.53.0.5; + notify-source 10.53.0.5; + transfer-source 10.53.0.5; + port @PORT@; + tls-port @TLSPORT@; + pid-file "named.pid"; + listen-on { 10.53.0.5; }; + listen-on tls local { 10.53.0.5; }; // DoT + listen-on-v6 { none; }; + recursion no; + notify no; + ixfr-from-differences yes; + check-integrity no; + dnssec-validation yes; +}; + +zone "." { + type hint; + file "../../_common/root.hint"; +}; + +tls tls-v1.2 { + protocols { TLSv1.2; }; + prefer-server-ciphers no; +}; + +zone "example" { + type secondary; + primaries { 10.53.0.1 tls tls-v1.2; }; + file "example.db"; + allow-transfer { any; }; +}; + +zone "example-aes-128" { + type secondary; + primaries port @EXTRAPORT1@ { 10.53.0.1 tls tls-v1.2; }; + file "example-aes-128.db"; + allow-transfer { any; }; +}; + +zone "example-aes-256" { + type secondary; + primaries port @EXTRAPORT2@ { 10.53.0.1 tls tls-v1.2; }; + file "example-aes-256.db"; + allow-transfer { any; }; +}; + +zone "example-chacha-20" { + type secondary; + primaries port @EXTRAPORT3@ { 10.53.0.1 tls tls-v1.2; }; + file "example-chacha-20.db"; + allow-transfer { any; }; +}; diff --git a/bin/tests/system/cipher-suites/prereq.sh b/bin/tests/system/cipher-suites/prereq.sh new file mode 100644 index 0000000000..910359535c --- /dev/null 
+++ b/bin/tests/system/cipher-suites/prereq.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+$FEATURETEST --have-openssl-cipher-suites || {
+ echo_i "SSL_CTX_set_ciphersuites() is required for the test."
+ exit 255
+}
+
+exit 0
diff --git a/bin/tests/system/cipher-suites/self-signed-cert.pem b/bin/tests/system/cipher-suites/self-signed-cert.pem
new file mode 100644
index 0000000000..8fd6db35b9
--- /dev/null
+++ b/bin/tests/system/cipher-suites/self-signed-cert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICpDCCAkmgAwIBAgIUCgppsffsoMFrEULJBNaABqUJGl8wCgYIKoZIzj0EAwIw
+gaYxCzAJBgNVBAYTAlVBMRwwGgYDVQQIDBNLaGFya2l2cydrYSBvYmxhc3QnMRAw
+DgYDVQQHDAdLaGFya2l2MSQwIgYDVQQKDBtJbnRlcm5ldCBTeXN0ZW1zIENvbnNv
+cnRpdW0xHzAdBgNVBAsMFkJJTkQ5IERldmVsb3BtZW50IFRlYW0xIDAeBgNVBAMM
+F3NlbGYtc2lnbmVkLmV4YW1wbGUuY29tMB4XDTIzMTIwMTE1NTU0OVoXDTQzMTEz
+MDE1NTU0OVowgaYxCzAJBgNVBAYTAlVBMRwwGgYDVQQIDBNLaGFya2l2cydrYSBv
+Ymxhc3QnMRAwDgYDVQQHDAdLaGFya2l2MSQwIgYDVQQKDBtJbnRlcm5ldCBTeXN0
+ZW1zIENvbnNvcnRpdW0xHzAdBgNVBAsMFkJJTkQ5IERldmVsb3BtZW50IFRlYW0x
+IDAeBgNVBAMMF3NlbGYtc2lnbmVkLmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYI
+KoZIzj0DAQcDQgAEAvOwTFQkxZ5buinXL2II3F2Bkq7BfycqugoRJohm6avxEqKF
+pByu6gWQxgWFFelXAz2FRhT4SK+E1o/b9X2EGKNTMFEwHQYDVR0OBBYEFPcvo8eC
+k8kDoF2Lmpua+qMJdV5eMB8GA1UdIwQYMBaAFPcvo8eCk8kDoF2Lmpua+qMJdV5e
+MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAJh6QFBC8JnHTEjD
+GLevzFzjbxSNjMj0xgrX4eK+9JjCAiEAqFkj9wGs7U1cZrZI0Mnje9itHgQrMl1u
+olvLJ/W2LBc=
+-----END CERTIFICATE-----
diff --git a/bin/tests/system/cipher-suites/self-signed-key.pem b/bin/tests/system/cipher-suites/self-signed-key.pem
new file mode 100644
index 0000000000..075b4d9ca0
--- /dev/null
+++ b/bin/tests/system/cipher-suites/self-signed-key.pem
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIME55eKuHtLyCHYCvJcIU1o8FdATceC7rQWwEyIhnzINoAoGCCqGSM49
+AwEHoUQDQgAEAvOwTFQkxZ5buinXL2II3F2Bkq7BfycqugoRJohm6avxEqKFpByu
+6gWQxgWFFelXAz2FRhT4SK+E1o/b9X2EGA==
+-----END EC PRIVATE KEY-----
diff --git a/bin/tests/system/cipher-suites/setup.sh b/bin/tests/system/cipher-suites/setup.sh
new file mode 100644
index 0000000000..9d7d0a928e
--- /dev/null
+++ b/bin/tests/system/cipher-suites/setup.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+$SHELL "${TOP_SRCDIR}/bin/tests/system/genzone.sh" 2 >ns1/example.db
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
diff --git a/bin/tests/system/cipher-suites/tests.sh b/bin/tests/system/cipher-suites/tests.sh
new file mode 100644
index 0000000000..2c8076717c
--- /dev/null
+++ b/bin/tests/system/cipher-suites/tests.sh
@@ -0,0 +1,88 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+# shellcheck disable=SC1091
+. ../conf.sh
+
+testing="testing zone transfer over TLS (XoT): "
+
+common_dig_options="+noadd +nosea +nostat +noquest +nocmd"
+
+status=0
+n=0
+
+dig_with_tls_opts() {
+ # shellcheck disable=SC2086
+ "$DIG" +tls $common_dig_options -p "${TLSPORT}" "$@"
+}
+
+wait_for_tls_xfer() (
+ srv_number="$1"
+ shift
+ zone_name="$1"
+ shift
+ # Let's bind to .10 to make it possible to easily distinguish dig from NSs in packet traces
+ dig_with_tls_opts -b 10.53.0.10 "@10.53.0.$srv_number" "${zone_name}." AXFR >"dig.out.ns$srv_number.${zone_name}.test$n" || return 1
+ grep "^;" "dig.out.ns$srv_number.${zone_name}.test$n" >/dev/null && return 1
+ return 0
+)
+
+tls_xfer_expect_success() {
+ test_message="$1"
+ shift
+ n=$((n + 1))
+ echo_i "$test_message - zone \"$2\" at \"ns$1\" ($n)"
+ ret=0
+ retry_quiet 10 wait_for_tls_xfer "$@" || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+}
+
+tls_xfer_expect_failure() {
+ test_message="$1"
+ shift
+ n=$((n + 1))
+ echo_i "$test_message - zone \"$2\" at \"ns$1\", failure expected ($n)"
+ ret=0
+ retry_quiet 10 wait_for_tls_xfer "$@" && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+}
+
+tls_xfer_expect_success "$testing" 2 example
+tls_xfer_expect_success "$testing" 3 example
+tls_xfer_expect_success "$testing" 4 example
+
+tls_xfer_expect_success "$testing" 2 example-aes-128
+tls_xfer_expect_success "$testing" 3 example-aes-256
+tls_xfer_expect_success "$testing" 4 example-chacha-20
+
+tls_xfer_expect_failure "$testing" 2 example-aes-256
+tls_xfer_expect_failure "$testing" 2 example-chacha-20
+
+tls_xfer_expect_failure "$testing" 3 example-aes-128
+tls_xfer_expect_failure "$testing" 3 example-chacha-20
+
+tls_xfer_expect_failure "$testing" 4 example-aes-128
+tls_xfer_expect_failure "$testing" 4 example-aes-256
+
+# NS5 tries to download the zone over TLSv1.2
+tls_xfer_expect_failure "$testing" 5 example
+tls_xfer_expect_failure "$testing" 5 example-aes-128
+tls_xfer_expect_failure "$testing" 5 example-aes-256
+tls_xfer_expect_failure "$testing" 5 example-chacha-20
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/cipher-suites/tests_sh_cipher_suites.py b/bin/tests/system/cipher-suites/tests_sh_cipher_suites.py
new file mode 100644
index 0000000000..78095ba719
--- /dev/null
+++ b/bin/tests/system/cipher-suites/tests_sh_cipher_suites.py
@@ -0,0 +1,14 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+
+def test_cipher_suites(run_tests_sh):
+ run_tests_sh()
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
index 5b3c504d62..66731c513d 100644
--- a/bin/tests/system/feature-test.c
+++ b/bin/tests/system/feature-test.c
@@ -49,6 +49,7 @@ usage(void) {
 fprintf(stderr, "\t--have-geoip2\n");
 fprintf(stderr, "\t--have-json-c\n");
 fprintf(stderr, "\t--have-libxml2\n");
+ fprintf(stderr, "\t--have-openssl-cipher-suites\n");
 fprintf(stderr, "\t--ipv6only=no\n");
 fprintf(stderr, "\t--md5\n");
 fprintf(stderr, "\t--rsasha1\n");
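Review bot: `tls_xfer_expect_failure` only establishes that no transfer landed within the retry window; it never checks that the cause was a cipher-suite mismatch, so a transfer that fails for an unrelated reason (primary not yet up, a missing zone file, a misapplied port) passes the negative cases just as well, and a slow transfer that completes after the tenth attempt would pass too. A tighter check would, after the retry loop, grep the secondary's `ns$1/named.run` for the TLS handshake error named logs for that zone and fail when it is absent; the exact wording depends on the OpenSSL build, so match it loosely. The four ns5 cases are a `protocols` mismatch (TLSv1.2-only client against TLSv1.3-only listeners) rather than a `cipher-suites` one, and the comment `# NS5 tries to download the zone over TLSv1.2` could say so explicitly. Finally, `retry_quiet 10 wait_for_tls_xfer "$@" && ret=1` means each negative case waits out the full retry window before passing; that is the cost of proving a negative, and a comment saying so would stop someone from "fixing" it.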
@@ -184,6 +185,14 @@ main(int argc, char **argv) {
 #endif /* ifdef HAVE_LIBXML2 */
 }
 
+ if (strcmp(argv[1], "--have-openssl-cipher-suites") == 0) {
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
+ return (0);
+#else /* ifdef HAVE_SSL_CTX_SET_CIPHERSUITES */
+ return (1);
+#endif /* ifdef HAVE_SSL_CTX_SET_CIPHERSUITES */
+ }
+
 if (strcmp(argv[1], "--tsan") == 0) {
 #if defined(__has_feature)
 #if __has_feature(thread_sanitizer)