diff --git a/programs/.gitignore b/programs/.gitignore
index deb104a401..550239eff6 100644
--- a/programs/.gitignore
+++ b/programs/.gitignore
@@ -57,6 +57,7 @@ ssl/ssl_server2
 test/benchmark
 test/cpp_dummy_build
 test/cpp_dummy_build.cpp
+test/dlopen
 test/ecp-bench
 test/query_compile_time_config
 test/selftest
diff --git a/programs/Makefile b/programs/Makefile
index 7f9d11e80d..1ebf8d241e 100644
--- a/programs/Makefile
+++ b/programs/Makefile
@@ -17,6 +17,12 @@ LOCAL_LDFLAGS = ${MBEDTLS_TEST_OBJS} 		\
 		-lmbedx509$(SHARED_SUFFIX)	\
 		-lmbedcrypto$(SHARED_SUFFIX)
 
+ifeq ($(shell uname -s),Linux)
+DLOPEN_LDFLAGS ?= -ldl
+else
+DLOPEN_LDFLAGS ?=
+endif
+
 include ../3rdparty/Makefile.inc
 LOCAL_CFLAGS+=$(THIRDPARTY_INCLUDES)
 
@@ -55,6 +61,18 @@ else
 PYTHON ?= $(shell if type python3 >/dev/null 2>/dev/null; then echo python3; else echo python; fi)
 endif
 
+# Only build the dlopen test in shared library builds, and not when building
+# for Windows.
+ifdef BUILD_DLOPEN
+# Don't override the value
+else ifdef WINDOWS_BUILD
+BUILD_DLOPEN =
+else ifdef SHARED
+BUILD_DLOPEN = y
+else
+BUILD_DLOPEN =
+endif
+
 ## The following assignment is the list of base names of applications that
 ## will be built on Windows. Extra Linux/Unix/POSIX-only applications can
 ## be declared by appending with `APPS += ...` afterwards.
@@ -118,6 +136,10 @@ ifdef PTHREAD
 APPS +=	ssl/ssl_pthread_server
 endif
 
+ifdef BUILD_DLOPEN
+APPS +=	test/dlopen
+endif
+
 ifdef TEST_CPP
 APPS += test/cpp_dummy_build
 endif
@@ -344,6 +366,15 @@ test/cpp_dummy_build$(EXEXT): test/cpp_dummy_build.cpp $(DEP)
 	echo "  CXX   test/cpp_dummy_build.cpp"
 	$(CXX) $(LOCAL_CXXFLAGS) $(CXXFLAGS) test/cpp_dummy_build.cpp   $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
 
+ifdef BUILD_DLOPEN
+test/dlopen$(EXEXT): test/dlopen.c $(DEP)
+	echo "  CC    test/dlopen.c"
+# Do not link any test objects (that would bring in a static dependency on
+# libmbedcrypto at least). Do not link with libmbed* (that would defeat the
+# purpose of testing dynamic loading).
+	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/dlopen.c $(LDFLAGS) $(DLOPEN_LDFLAGS) -o $@
+endif
+
 test/query_config.o: test/query_config.c test/query_config.h $(DEP)
 	echo "  CC    test/query_config.c"
 	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) -c test/query_config.c -o $@
@@ -405,6 +436,7 @@ ifndef WINDOWS
 	rm -f $(EXES)
 	-rm -f ssl/ssl_pthread_server$(EXEXT)
 	-rm -f test/cpp_dummy_build.cpp test/cpp_dummy_build$(EXEXT)
+	-rm -f test/dlopen$(EXEXT)
 else
 	if exist *.o del /Q /F *.o
 	if exist *.exe del /Q /F *.exe
diff --git a/programs/test/CMakeLists.txt b/programs/test/CMakeLists.txt
index 142a831667..c3e7d2e98e 100644
--- a/programs/test/CMakeLists.txt
+++ b/programs/test/CMakeLists.txt
@@ -27,6 +27,13 @@ if(TEST_CPP)
     target_link_libraries(cpp_dummy_build ${mbedcrypto_target})
 endif()
 
+if(USE_SHARED_MBEDTLS_LIBRARY AND
+   NOT ${CMAKE_SYSTEM_NAME} MATCHES "[Ww][Ii][Nn]")
+    add_executable(dlopen "dlopen.c")
+    target_include_directories(dlopen PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../include)
+    target_link_libraries(dlopen ${CMAKE_DL_LIBS})
+endif()
+
 if(GEN_FILES)
     find_package(Perl REQUIRED)
 
diff --git a/programs/test/dlopen.c b/programs/test/dlopen.c
new file mode 100644
index 0000000000..3b88df4cf3
--- /dev/null
+++ b/programs/test/dlopen.c
@@ -0,0 +1,112 @@
+/*
+ *  Test dynamic loading of libmbed*
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/platform.h"
+#if !defined(MBEDTLS_PLATFORM_C)
+#include <stdio.h>
+#include <stdlib.h>
+#define mbedtls_fprintf    fprintf
+#define mbedtls_printf     printf
+#define mbedtls_exit       exit
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#include "mbedtls/x509_crt.h"
+#endif
+
+#if defined(__APPLE__)
+#define SO_SUFFIX ".dylib"
+#else
+#define SO_SUFFIX ".so"
+#endif
+
+#define CRYPTO_SO_FILENAME "libmbedcrypto" SO_SUFFIX
+#define X509_SO_FILENAME "libmbedx509" SO_SUFFIX
+#define TLS_SO_FILENAME "libmbedtls" SO_SUFFIX
+
+#include <dlfcn.h>
+
+#define CHECK_DLERROR( function, argument )                             \
+    do                                                                  \
+    {                                                                   \
+        char *CHECK_DLERROR_error = dlerror ( );                        \
+        if( CHECK_DLERROR_error != NULL )                               \
+        {                                                               \
+            fprintf( stderr, "Dynamic loading error for %s(%s): %s\n",  \
+                     function, argument, CHECK_DLERROR_error );         \
+            mbedtls_exit( MBEDTLS_EXIT_FAILURE );                       \
+        }                                                               \
+    }                                                                   \
+    while( 0 )
+
+int main( void )
+{
+#if defined(MBEDTLS_MD_C) || defined(MBEDTLS_SSL_TLS_C)
+    unsigned n;
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C)
+    void *tls_so = dlopen( TLS_SO_FILENAME, RTLD_NOW );
+    CHECK_DLERROR( "dlopen", TLS_SO_FILENAME );
+    const int *( *ssl_list_ciphersuites )( void ) =
+        dlsym( tls_so, "mbedtls_ssl_list_ciphersuites" );
+    CHECK_DLERROR( "dlsym", "mbedtls_ssl_list_ciphersuites" );
+    const int *ciphersuites = ssl_list_ciphersuites( );
+    for( n = 0; ciphersuites[n] != 0; n++ )
+        /* nothing to do, we're just counting */;
+    mbedtls_printf( "dlopen(%s): %u ciphersuites\n",
+                    TLS_SO_FILENAME, n );
+    dlclose( tls_so );
+    CHECK_DLERROR( "dlclose", TLS_SO_FILENAME );
+#endif  /* MBEDTLS_SSL_TLS_C */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    void *x509_so = dlopen( X509_SO_FILENAME, RTLD_NOW );
+    CHECK_DLERROR( "dlopen", X509_SO_FILENAME );
+    const mbedtls_x509_crt_profile *profile =
+        dlsym( x509_so, "mbedtls_x509_crt_profile_default" );
+    CHECK_DLERROR( "dlsym", "mbedtls_x509_crt_profile_default" );
+    mbedtls_printf( "dlopen(%s): Allowed md mask: %08x\n",
+                    X509_SO_FILENAME, (unsigned) profile->allowed_mds );
+    dlclose( x509_so );
+    CHECK_DLERROR( "dlclose", X509_SO_FILENAME );
+#endif  /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_MD_C)
+    void *crypto_so = dlopen( CRYPTO_SO_FILENAME, RTLD_NOW );
+    CHECK_DLERROR( "dlopen", CRYPTO_SO_FILENAME );
+    const int *( *md_list )( void ) =
+        dlsym( crypto_so, "mbedtls_md_list" );
+    CHECK_DLERROR( "dlsym", "mbedtls_md_list" );
+    const int *mds = md_list( );
+    for( n = 0; mds[n] != 0; n++ )
+        /* nothing to do, we're just counting */;
+    mbedtls_printf( "dlopen(%s): %u hashes\n",
+                    CRYPTO_SO_FILENAME, n );
+    dlclose( crypto_so );
+    CHECK_DLERROR( "dlclose", CRYPTO_SO_FILENAME );
+#endif  /* MBEDTLS_MD_C */
+
+    return( 0 );
+}
+
diff --git a/programs/test/dlopen_demo.sh b/programs/test/dlopen_demo.sh
new file mode 100755
index 0000000000..2dde3ebeda
--- /dev/null
+++ b/programs/test/dlopen_demo.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# Run the shared library dynamic loading demo program.
+# This is only expected to work when Mbed TLS is built as a shared library.
+
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e -u
+
+program_dir="${0%/*}"
+program="$program_dir/dlopen"
+top_dir="$program_dir/../.."
+library_dir="$top_dir/library"
+
+# ELF-based Unix-like (Linux, *BSD, Solaris, ...)
+if [ -n "${LD_LIBRARY_PATH-}" ]; then
+    LD_LIBRARY_PATH="$library_dir:$LD_LIBRARY_PATH"
+else
+    LD_LIBRARY_PATH="$library_dir"
+fi
+export LD_LIBRARY_PATH
+
+# OSX/macOS
+if [ -n "${DYLD_LIBRARY_PATH-}" ]; then
+    DYLD_LIBRARY_PATH="$library_dir:$DYLD_LIBRARY_PATH"
+else
+    DYLD_LIBRARY_PATH="$library_dir"
+fi
+export DYLD_LIBRARY_PATH
+
+echo "Running dynamic loading test program: $program"
+echo "Loading libraries from: $library_dir"
+"$program"
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 241b1b6d0a..b67758705c 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2277,6 +2277,7 @@ component_test_make_shared () {
     msg "build/test: make shared" # ~ 40s
     make SHARED=1 all check
     ldd programs/util/strerror | grep libmbedcrypto
+    programs/test/dlopen_demo.sh
 }
 
 component_test_cmake_shared () {
@@ -2285,6 +2286,7 @@ component_test_cmake_shared () {
     make
     ldd programs/util/strerror | grep libmbedcrypto
     make test
+    programs/test/dlopen_demo.sh
 }
 
 test_build_opt () {