diff --git a/test/parallel/test-strace-openat-openssl.js b/test/parallel/test-strace-openat-openssl.js
new file mode 100644
index 00000000000000..c49edb075b4c19
--- /dev/null
+++ b/test/parallel/test-strace-openat-openssl.js
@@ -0,0 +1,50 @@
+'use strict';
+
+const common = require('../common');
+const { spawn, spawnSync } = require('node:child_process');
+const { createInterface } = require('node:readline');
+const assert = require('node:assert');
+
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+if (!common.isLinux)
+  common.skip('linux only');
+if (spawnSync('strace', ['-V']).status !== 0) {
+  common.skip('missing strace');
+}
+
+{
+  const allowedOpenCalls = new Set([
+    '/etc/ssl/openssl.cnf',
+  ]);
+  const strace = spawn('strace', [
+    '-f', '-ff',
+    '-e', 'trace=open,openat',
+    '-s', '512',
+    '-D', process.execPath, '-e', 'require("crypto")',
+  ]);
+
+  // stderr is the default for strace
+  const rl = createInterface({ input: strace.stderr });
+  rl.on('line', (line) => {
+    if (!line.startsWith('open')) {
+      return;
+    }
+
+    const file = line.match(/"(.*?)"/)[1];
+    // skip .so reading attempt
+    if (file.match(/.+\.so(\.?)/) !== null) {
+      return;
+    }
+    assert(allowedOpenCalls.delete(file), `${file} is not in the list of allowed openat calls`);
+  });
+
+  strace.on('error', common.mustNotCall());
+  strace.on('exit', common.mustCall((code) => {
+    assert.strictEqual(code, 0);
+    const missingKeys = Array.from(allowedOpenCalls.keys());
+    if (missingKeys.length) {
+      assert.fail(`The following openat call are missing: ${missingKeys.join(',')}`);
+    }
+  }));
+}