diff --git a/webserver/testing/junit5/junit5/src/main/java/io/helidon/webserver/testing/junit5/HelidonServerJunitExtension.java b/webserver/testing/junit5/junit5/src/main/java/io/helidon/webserver/testing/junit5/HelidonServerJunitExtension.java
index 58c32bd66e0..9d3062eaf72 100644
--- a/webserver/testing/junit5/junit5/src/main/java/io/helidon/webserver/testing/junit5/HelidonServerJunitExtension.java
+++ b/webserver/testing/junit5/junit5/src/main/java/io/helidon/webserver/testing/junit5/HelidonServerJunitExtension.java
@@ -97,7 +97,11 @@ public void beforeAll(ExtensionContext context) {
                 .shutdownHook(false);
 
         server = builder.build().start();
-        uris.put(DEFAULT_SOCKET_NAME, URI.create("http://localhost:" + server.port() + "/"));
+        if (server.hasTls()) {
+            uris.put(DEFAULT_SOCKET_NAME, URI.create("https://localhost:" + server.port() + "/"));
+        } else {
+            uris.put(DEFAULT_SOCKET_NAME, URI.create("http://localhost:" + server.port() + "/"));
+        }
     }
 
     @Override
@@ -179,6 +183,9 @@ private URI uri(Executable declaringExecutable, String socketName) {
             if (port == -1) {
                 return null;
             }
+            if (server.hasTls(it)) {
+                return URI.create("https://localhost:" + port + "/");
+            }
             return URI.create("http://localhost:" + port + "/");
         });
 
diff --git a/webserver/tests/webserver/src/test/java/io/helidon/webserver/tests/CipherSuiteTest.java b/webserver/tests/webserver/src/test/java/io/helidon/webserver/tests/CipherSuiteTest.java
new file mode 100644
index 00000000000..10ec9fff3c5
--- /dev/null
+++ b/webserver/tests/webserver/src/test/java/io/helidon/webserver/tests/CipherSuiteTest.java
@@ -0,0 +1,95 @@
+/*
+ * Copyright (c) 2023 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.helidon.webserver.tests;
+
+import java.io.UncheckedIOException;
+import java.net.URI;
+import java.util.List;
+
+import javax.net.ssl.SSLHandshakeException;
+
+import io.helidon.config.Config;
+import io.helidon.config.ConfigSources;
+import io.helidon.webclient.api.WebClient;
+import io.helidon.webserver.WebServerConfig;
+import io.helidon.webserver.http.HttpRouting;
+import io.helidon.webserver.testing.junit5.ServerTest;
+import io.helidon.webserver.testing.junit5.SetUpRoute;
+import io.helidon.webserver.testing.junit5.SetUpServer;
+import io.helidon.webserver.testing.junit5.Socket;
+
+import org.junit.jupiter.api.Test;
+
+import static org.hamcrest.CoreMatchers.instanceOf;
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+@ServerTest
+class CipherSuiteTest {
+
+    private static final Config CONFIG = Config.just(() -> ConfigSources.classpath("cipherSuiteConfig.yaml").build());
+
+    private final WebClient defaultClient;
+    private final WebClient invalidClient;
+
+    CipherSuiteTest(@Socket("@default") URI defaultUri, @Socket("invalid") URI invalidUri) {
+        this.defaultClient = WebClient.builder()
+                .baseUri(defaultUri)
+                .tls(tls -> tls.enabledCipherSuites(List.of("TLS_RSA_WITH_AES_128_GCM_SHA256"))
+                        .trustAll(true)
+                        .endpointIdentificationAlgorithm("NONE"))
+                .build();
+        this.invalidClient = WebClient.builder()
+                .baseUri(invalidUri)
+                .tls(tls -> tls.enabledCipherSuites(List.of("TLS_RSA_WITH_AES_128_GCM_SHA256"))
+                        .trustAll(true)
+                        .endpointIdentificationAlgorithm("NONE"))
+                .build();
+    }
+
+    private static final String DEFAULT_ENDPOINT = "Allowed cipher: \"TLS_RSA_WITH_AES_128_GCM_SHA256\"";
+
+    @SetUpServer
+    static void setupServer(WebServerConfig.Builder server) {
+        server.config(CONFIG.get("server"));
+    }
+
+    @SetUpRoute
+    static void routeSetupDefault(HttpRouting.Builder builder) {
+        builder.get("/", (req, res) -> res.send(DEFAULT_ENDPOINT));
+    }
+
+    @SetUpRoute("invalid")
+    static void routeSetupInvalid(HttpRouting.Builder builder) {
+        builder.get("/", (req, res) -> res.send("This endpoint should not be reached!"));
+    }
+
+    @Test
+    void testDefaultCipherSuite() {
+        String entity = defaultClient.get().requestEntity(String.class);
+        assertThat(entity, is(DEFAULT_ENDPOINT));
+    }
+
+    @Test
+    void testInvalidCipherSuite() {
+        UncheckedIOException exception = assertThrows(UncheckedIOException.class, () -> invalidClient.get().request());
+        assertThat(exception.getCause(), instanceOf(SSLHandshakeException.class));
+        assertThat(exception.getCause().getMessage(), is("Received fatal alert: handshake_failure"));
+    }
+
+}
diff --git a/webserver/tests/webserver/src/test/resources/certificate.p12 b/webserver/tests/webserver/src/test/resources/certificate.p12
new file mode 100644
index 00000000000..27aa67b63c4
Binary files /dev/null and b/webserver/tests/webserver/src/test/resources/certificate.p12 differ
diff --git a/webserver/tests/webserver/src/test/resources/cipherSuiteConfig.yaml b/webserver/tests/webserver/src/test/resources/cipherSuiteConfig.yaml
new file mode 100644
index 00000000000..005825dfaa5
--- /dev/null
+++ b/webserver/tests/webserver/src/test/resources/cipherSuiteConfig.yaml
@@ -0,0 +1,47 @@
+#
+# Copyright (c) 2023 Oracle and/or its affiliates.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+server:
+  tls:
+    trust:
+      keystore:
+        passphrase: "helidon"
+        trust-store: true
+        resource:
+          resource-path: "certificate.p12"
+    private-key:
+      keystore:
+        passphrase: "helidon"
+        resource:
+          resource-path: "certificate.p12"
+    cipher-suite:
+      - "TLS_RSA_WITH_AES_128_GCM_SHA256"
+  sockets:
+    - name: "invalid"
+      tls:
+        trust:
+          keystore:
+            passphrase: "helidon"
+            trust-store: true
+            resource:
+              resource-path: "certificate.p12"
+        private-key:
+          keystore:
+            passphrase: "helidon"
+            resource:
+              resource-path: "certificate.p12"
+        cipher-suite:
+          - "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"
\ No newline at end of file