diff --git a/cht/tls/clickhouse_test_ca.crt b/cht/tls/clickhouse_test_ca.crt
new file mode 100644
index 00000000..2dcfce0c
--- /dev/null
+++ b/cht/tls/clickhouse_test_ca.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBxDCCAWoCCQCC7Dz9F36rcTAKBggqhkjOPQQDAjBqMQswCQYDVQQGEwJVUzER
+MA8GA1UECAwIQ29sb3JhZG8xDzANBgNVBAcMBkRlbnZlcjEYMBYGA1UECgwPQ2xp
+Y2tIb3VzZSBJbmMuMR0wGwYDVQQDDBRjbGlja2hvdXNlX3Rlc3Rfcm9vdDAeFw0y
+MzA0MjYyMTM4MzhaFw00MzA0MjYyMTM4MzhaMGoxCzAJBgNVBAYTAlVTMREwDwYD
+VQQIDAhDb2xvcmFkbzEPMA0GA1UEBwwGRGVudmVyMRgwFgYDVQQKDA9DbGlja0hv
+dXNlIEluYy4xHTAbBgNVBAMMFGNsaWNraG91c2VfdGVzdF9yb290MFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAE8ajzpmv1YDspmgGcE+KjB2SxAQJ2/awkkP/SBvjw
+enD0ibQG5fyA5vxhPv7ImbnqebPS1NXwIt4HCkLXKVPDnzAKBggqhkjOPQQDAgNI
+ADBFAiAlQ8IWL7OQua7/dFaE8xbFy/hoKnLvuigDg9MAJNJUXwIhAIa0c3pT6z9P
+OX2Sw5mfl/YEDTgsG033S1MeAha3707H
+-----END CERTIFICATE-----
diff --git a/cht/tls/clickhouse_test_ca.key b/cht/tls/clickhouse_test_ca.key
new file mode 100644
index 00000000..c3e8ae7a
--- /dev/null
+++ b/cht/tls/clickhouse_test_ca.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIJnlsMN+3VCxicEQcANLIM+4gMiItWwFam3moYINelVfoAoGCCqGSM49
+AwEHoUQDQgAE8ajzpmv1YDspmgGcE+KjB2SxAQJ2/awkkP/SBvjwenD0ibQG5fyA
+5vxhPv7ImbnqebPS1NXwIt4HCkLXKVPDnw==
+-----END EC PRIVATE KEY-----
diff --git a/cht/tls/clickhouse_test_client.crt b/cht/tls/clickhouse_test_client.crt
new file mode 100644
index 00000000..366e1985
--- /dev/null
+++ b/cht/tls/clickhouse_test_client.crt
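Review bot: clickhouse_test_ca.key commits the test CA's private key in the clear next to its certificate, and the client and server keys in the following hunks (clickhouse_test_client.key, clickhouse_test_server.key) are committed the same way; anyone with read access to the repository can therefore mint certificates that a server configured to trust clickhouse_test_ca.crt will accept, so this material is only safe on throwaway test instances. Nothing in the files marks them as fixtures, so it is worth adding a short README in cht/tls (or a line in the tls_test.go header comment) stating that they are test-only and must never be installed on a shared or production ClickHouse server, and registering them with whatever secret scanner the project runs so they are reported as known fixtures rather than as leaked credentials. The CA certificate's validity window appears to decode to 2023-04-26 through 2043-04-26; a twenty-year lifetime is convenient for a fixture but means the key stays usable long after anyone remembers where the CA was trusted, which is another reason to document its intended scope.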
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBuDCCAV8CCQCvYwZhuT/WEjAKBggqhkjOPQQDAjBqMQswCQYDVQQGEwJVUzER
+MA8GA1UECAwIQ29sb3JhZG8xDzANBgNVBAcMBkRlbnZlcjEYMBYGA1UECgwPQ2xp
+Y2tIb3VzZSBJbmMuMR0wGwYDVQQDDBRjbGlja2hvdXNlX3Rlc3Rfcm9vdDAeFw0y
+MzA0MjYyMjAzMjZaFw00MzA0MjYyMjAzMjZaMF8xCzAJBgNVBAYTAlVTMREwDwYD
+VQQIDAhDb2xvcmFkbzEPMA0GA1UEBwwGRGVudmVyMRgwFgYDVQQKDA9DbGlja0hv
+dXNlIEluYy4xEjAQBgNVBAMMCWNlcnRfdXNlcjBZMBMGByqGSM49AgEGCCqGSM49
+AwEHA0IABIEhqR0FcbBp0ZdQ6t9c9+rxRVS8TZXlPY2kGlFMkW5AY8/Y05L1q7Cx
+mJiwZl6+4U/j8m0EhtVREywb1PENR20wCgYIKoZIzj0EAwIDRwAwRAIgRp0AWMOq
+OA8lJTd1h2GrAWDMpiNamMUvLyksxLq5SrgCIA5AwncaSEqGHboq1zHMj0Qnqnua
+JQJAbhcsh4sxk8AY
+-----END CERTIFICATE-----
diff --git a/cht/tls/clickhouse_test_client.key b/cht/tls/clickhouse_test_client.key
new file mode 100644
index 00000000..0e66571b
--- /dev/null
+++ b/cht/tls/clickhouse_test_client.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIJOyEogF0IPoVr1hkJ9wjp/6zhUH1LDgtay+OjG1/9XnoAoGCCqGSM49
+AwEHoUQDQgAEgSGpHQVxsGnRl1Dq31z36vFFVLxNleU9jaQaUUyRbkBjz9jTkvWr
+sLGYmLBmXr7hT+PybQSG1VETLBvU8Q1HbQ==
+-----END EC PRIVATE KEY-----
diff --git a/cht/tls/clickhouse_test_server.crt b/cht/tls/clickhouse_test_server.crt
new file mode 100644
index 00000000..1adb2502
--- /dev/null
+++ b/cht/tls/clickhouse_test_server.crt
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICrjCCAlSgAwIBAgIJAK9jBmG5P9YRMAoGCCqGSM49BAMCMGoxCzAJBgNVBAYT
+AlVTMREwDwYDVQQIDAhDb2xvcmFkbzEPMA0GA1UEBwwGRGVudmVyMRgwFgYDVQQK
+DA9DbGlja0hvdXNlIEluYy4xHTAbBgNVBAMMFGNsaWNraG91c2VfdGVzdF9yb290
+MB4XDTIzMDQyNjIxNTAxOVoXDTQzMDQyNjIxNTAxOVowbTELMAkGA1UEBhMCVVMx
+ETAPBgNVBAgMCENvbG9yYWRvMQ8wDQYDVQQHDAZEZW52ZXIxGDAWBgNVBAoMD0Ns
+aWNrSG91c2UgSW5jLjEgMB4GA1UEAwwXc2VydmVyMS5jbGlja2hvdXNlLnRlc3Qw
+WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARhjivoy18D47i18Jqg6m9yI17ndMWA
+kuyPhXFLgW1PpU2wk3DvpUbkKUxUPlKsNwuHEKJ4kcparrrwWGxKT2Dmo4HfMIHc
+MIGEBgNVHSMEfTB7oW6kbDBqMQswCQYDVQQGEwJVUzERMA8GA1UECAwIQ29sb3Jh
+ZG8xDzANBgNVBAcMBkRlbnZlcjEYMBYGA1UECgwPQ2xpY2tIb3VzZSBJbmMuMR0w
+GwYDVQQDDBRjbGlja2hvdXNlX3Rlc3Rfcm9vdIIJAILsPP0XfqtxMAkGA1UdEwQC
+MAAwCwYDVR0PBAQDAgTwMDsGA1UdEQQ0MDKCF3NlcnZlcjEuY2xpY2tob3VzZS50
+ZXN0ghdzZXJ2ZXIyLmNsaWNraG91c2UudGVzdDAKBggqhkjOPQQDAgNIADBFAiBM
+71Vx9q964BRd9+N0zpbax+N+jWFJQfkOic4wlsPZ7QIhAPBU9Kfbi3Iwy3XwWBOv
+YZsvoFRxUfG2RRRlz5cGgKIa
+-----END CERTIFICATE-----
diff --git a/cht/tls/clickhouse_test_server.key b/cht/tls/clickhouse_test_server.key
new file mode 100644
index 00000000..ecaca09e
--- /dev/null
+++ b/cht/tls/clickhouse_test_server.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIHU7VYTo4pduP7Q2wlE4zgg0Ruh3KFlwfdz1EHIanFgIoAoGCCqGSM49
+AwEHoUQDQgAEYY4r6MtfA+O4tfCaoOpvciNe53TFgJLsj4VxS4FtT6VNsJNw76VG
+5ClMVD5SrDcLhxCieJHKWq668FhsSk9g5g==
+-----END EC PRIVATE KEY-----
diff --git a/cht/tls/tls_test.go b/cht/tls/tls_test.go
new file mode 100644
index 00000000..325fe64a
--- /dev/null
+++ b/cht/tls/tls_test.go
@@ -0,0 +1,100 @@
+/*
+
+This optional test is for checking mutual TLS connectivity. It is normally disabled but can be enabled
+by setting the environment variable CH_GO_TLS_TESTS=True. You should also add server1.clickhouse.test
+as an alias to localhost in /etc/hosts, or otherwise ensure that server1.clickhouse.test points to
+your test clickhouse server.
+
+
+Configure your clickhouse server configuration using the certificates in this directory
+
+
+
+ clickhouse_test_server.crt
+ clickhouse_test_server.key
+ strict
+ clickhouse_test_ca.crt
+ true
+ sslv2,sslv3,tlsv1
+ true
+
+
+
+Sample xml user for clickhouse server configuration (within the element in users.xml)
+
+
+ cert_user
+
+ default
+
+
+*/
+
+package tls_test
+
+import (
+ "context"
+ "crypto/tls"
+ "crypto/x509"
+ "github.com/ClickHouse/ch-go"
+ "github.com/ClickHouse/ch-go/chpool"
+ "github.com/stretchr/testify/require"
+ "os"
+ "path/filepath"
+ "runtime"
+ "strconv"
+ "testing"
+)
+
+func TestMutualTLS(t *testing.T) {
+    if run, _ := strconv.ParseBool(os.Getenv("CH_GO_TLS_TESTS")); !run {
+        t.Skip("Not configured to run TLS tests")
+    }
+
+    _, b, _, _ := runtime.Caller(0)
+    testDir := filepath.Join(filepath.Dir(b), ".")
+
+    certTxt, err := os.ReadFile(testDir + "/clickhouse_test_client.crt")
+    require.NoError(t, err)
+
+    certKey, err := os.ReadFile(testDir + "/clickhouse_test_client.key")
+    require.NoError(t, err)
+
+    cert, err := tls.X509KeyPair(certTxt, certKey)
+    require.NoError(t, err)
+
+    rootCA, err := os.ReadFile(testDir + "/clickhouse_test_ca.crt")
+    require.NoError(t, err)
+
+    caCertPool := x509.NewCertPool()
+    caCertPool.AppendCertsFromPEM(rootCA)
+
+    tlsCfg := tls.Config{
+        Certificates: []tls.Certificate{cert},
+        RootCAs: caCertPool,
+    }
+
+    opts := ch.Options{
+        User: "cert_user",
+        Password: "",
+        Address: "server1.clickhouse.test:9440",
+        TLS: &tlsCfg,
+    }
+
+    conn, err := ch.Dial(context.Background(), opts)
+    require.NoError(t, err)
+    require.NoError(t, conn.Ping(context.Background()))
+
+    _ = conn.Close()
+
+    pool, err := chpool.Dial(context.Background(), chpool.Options{
+        ClientOptions: opts,
+        MaxConns: 2,
+    })
+
+    require.NoError(t, err)
+    require.NoError(t, pool.Ping(context.Background()))
+
+    pool.Close()
+
+}
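Review bot: The boolean returned by `caCertPool.AppendCertsFromPEM(rootCA)` is dropped, so a truncated or mis-encoded CA file leaves the pool empty and the problem only surfaces later as an opaque x509 verification error out of ch.Dial; make it `require.True(t, caCertPool.AppendCertsFromPEM(rootCA), "no CA certificate parsed from clickhouse_test_ca.crt")`. The three `testDir + "/..."` concatenations should be `filepath.Join(testDir, "clickhouse_test_client.crt")` and friends, and `testDir := filepath.Dir(b)` is enough, since `filepath.Join(..., ".")` is a no-op. `conn.Close()` and `pool.Close()` are skipped whenever the preceding `require.NoError` fails, because require aborts the test; `defer conn.Close()` and `defer pool.Close()` immediately after each successful Dial keep the connections from leaking into the rest of the package's tests. The tls.Config sets no ServerName; if ch.Dial hands the config to a tls.Dialer it is filled in from the address, but if it uses tls.Client directly the handshake would fail verification, so this is worth confirming against ch-go rather than assuming. Finally, goimports would split the github.com imports into their own group below the standard library ones.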