diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index 92fc975035..fe8eb7a7f5 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -41,8 +41,7 @@ jobs:
           - test: printf-builtin
             monolithic: yes
         include:
-          - os: ubuntu-24.04
-            test: apidoc
+          - test: apidoc
           - test: coverage
           - test: dist
           - test: nm
@@ -97,17 +96,25 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: [ ubuntu-latest, ubuntu-20.04 ]
+        os: [ ubuntu-latest, ubuntu-22.04, ubuntu-20.04 ]
         test: [ botan, wolfssl, openssl, openssl-3, openssl-awslc, gcrypt ]
         leak-detective: [ no, yes ]
         exclude:
-          # test custom-built libs only on one platform
-          - os: ubuntu-20.04
+          # test custom-built libs only on the latest platform
+          - os: ubuntu-22.04
             test: botan
           - os: ubuntu-20.04
+            test: botan
+          - os: ubuntu-22.04
             test: wolfssl
           - os: ubuntu-20.04
+            test: wolfssl
+          - os: ubuntu-22.04
             test: openssl-3
+          - os: ubuntu-20.04
+            test: openssl-3
+          - os: ubuntu-22.04
+            test: openssl-awslc
           - os: ubuntu-20.04
             test: openssl-awslc
     env:
@@ -147,7 +154,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: [ ubuntu-20.04 ]
+        os: [ ubuntu-22.04, ubuntu-20.04 ]
         test: [ all, nm ]
         compiler: [ gcc, clang ]
         exclude:
@@ -157,13 +164,16 @@ jobs:
       LEAK_DETECTIVE: ${{ matrix.leak-detective || 'no' }}
       CC: ${{ matrix.compiler || 'gcc' }}
       TEST: ${{ matrix.test }}
-      # LSan causes spurious SIGSEGV after tests due to DTLS handling by glibc
+      # LSan causes spurious SIGSEGV after tests due to DTLS handling by glibc (on 20.04)
       ASAN_OPTIONS: intercept_tls_get_addr=0
     steps:
       - uses: actions/checkout@v4
       - uses: actions/cache@v4
         with:
-          path: ~/.ccache
+          # path is different on newer systems
+          path: |
+            ~/.cache/ccache
+            ~/.ccache
           key: ccache-${{ matrix.os }}-${{ env.CC }}-${{ matrix.test }}-${{ github.sha }}
           restore-keys: |
             ccache-${{ matrix.os }}-${{ env.CC }}-${{ matrix.test }}-
diff --git a/scripts/test.sh b/scripts/test.sh
index 8c5c2791ee..83a2242239 100755
--- a/scripts/test.sh
+++ b/scripts/test.sh
@@ -173,7 +173,7 @@ system_uses_openssl3()
 
 prepare_system_openssl()
 {
-	# On systems that ship OpenSSL 3 (e.g. Ubuntu 22.04), we require debug
+	# On systems that ship OpenSSL 3 (e.g. Ubuntu 22.04+), we require debug
 	# symbols to whitelist leaks
 	if test "$1" = "deps"; then
 		echo "deb http://ddebs.ubuntu.com $(lsb_release -cs) main restricted
@@ -181,13 +181,17 @@ prepare_system_openssl()
 			deb http://ddebs.ubuntu.com $(lsb_release -cs)-proposed main restricted" | \
 			sudo tee -a /etc/apt/sources.list.d/ddebs.list
 		sudo apt-get install -qq ubuntu-dbgsym-keyring
-		DEPS="$DEPS libssl3-dbgsym"
+		if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "24.04" ]; then
+			DEPS="$DEPS libssl3t64-dbgsym"
+		else
+			DEPS="$DEPS libssl3-dbgsym"
+		fi
 	fi
 	if test "$LEAK_DETECTIVE" = "yes"; then
 		# make sure we can properly whitelist functions with leak detective
 		DEPS="$DEPS binutils-dev"
 		CONFIG="$CONFIG --enable-bfd-backtraces"
-	else
+	elif [ "$ID" = "ubuntu" -a "$VERSION_ID" != "24.04" ]; then
 		# with ASan we have to use the (extremely) slow stack unwind as the
 		# shipped version of the library is built with -fomit-frame-pointer
 		export ASAN_OPTIONS=fast_unwind_on_malloc=0