diff --git a/doc/api/tls.md b/doc/api/tls.md
index 292b27ae05d981..c6cf5041c35402 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -115,6 +115,26 @@ SNI (Server Name Indication) are TLS handshake extensions:
 * SNI - Allows the use of one TLS server for multiple hostnames with different
   SSL certificates.
 
+### Pre-shared keys
+
+<!-- type=misc -->
+
+TLS-PSK support is also available as an alternative to normal certificate-based
+authentication. TLS-PSK uses a pre-shared key instead of certificates to
+authenticate a TLS connection, providing mutual authentication.
+
+TLS-PSK and public key infrastructure are not mutually exclusive; clients and
+servers can accommodate both, with the variety determined by the normal cipher
+negotiation step.
+
+Note that TLS-PSK is only a good choice where means exist to securely share a
+key with every connecting machine, so it does not replace PKI for the majority
+of TLS uses.
+
+The TLS-PSK implementation in OpenSSL has also seen many security flaws in
+recent years, mostly because it is used only by a minority of applications.
+Please consider all alternative solutions before switching to PSK ciphers.
+
 ### Client-initiated renegotiation attack mitigation
 
 <!-- type=misc -->
@@ -851,6 +871,9 @@ similar to:
 <!-- YAML
 added: v0.11.3
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/14978
+    description: The `pskCallback` option is now supported.
   - version: v8.0.0
     pr-url: https://github.com/nodejs/node/pull/12839
     description: The `lookup` option is supported now.
@@ -884,6 +907,17 @@ changes:
     verified against the list of supplied CAs. An `'error'` event is emitted if
     verification fails; `err.code` contains the OpenSSL error code. **Default:**
     `true`.
+  * `pskCallback(hint)` {Function} When negotiating TLS-PSK, this optional
+    function is called with the identity hint provided by the server. If the
+    client should continue to negotiate PSK ciphers, the return value of this
+    function must be an object in the form `{psk: <string>, identity:
+    <string>}`.
+    Note that PSK ciphers are disabled by default, and using TLS-PSK thus
+    requires explicitly specifying a cipher suite with the `ciphers` option.
+    Additionally, it may be necessary to disable `rejectUnauthorized` if a
+    client attempts to specify a certificate for the session.
+    Note that `psk` must be a hexadecimal string, `identity` must use UTF-8
+    encoding.
   * `ALPNProtocols`: {string[]|Buffer[]|Uint8Array[]|Buffer|Uint8Array}
     An array of strings, `Buffer`s or `Uint8Array`s, or a single `Buffer` or
     `Uint8Array` containing the supported ALPN protocols. `Buffer`s should have
@@ -1168,7 +1202,8 @@ changes:
     a 16-byte HMAC key, and a 16-byte AES key. This can be used to accept TLS
     session tickets on multiple instances of the TLS server.
   * ...: Any [`tls.createSecureContext()`][] option can be provided. For
-    servers, the identity options (`pfx` or `key`/`cert`) are usually required.
+    servers, the identity options (`pfx`, `key`/`cert` or `pskCallback`)
+    are usually required.
 * `secureConnectionListener` {Function}
 
 Creates a new [`tls.Server`][]. The `secureConnectionListener`, if provided, is
diff --git a/lib/_tls_common.js b/lib/_tls_common.js
index 2401bd0b4b1fa5..1a6ba11c023c00 100644
--- a/lib/_tls_common.js
+++ b/lib/_tls_common.js
@@ -25,6 +25,7 @@ const { parseCertString } = require('internal/tls');
 const { isArrayBufferView } = require('internal/util/types');
 const tls = require('tls');
 const {
+  ERR_ASSERTION,
   ERR_CRYPTO_CUSTOM_ENGINE_NOT_SUPPORTED,
   ERR_INVALID_ARG_TYPE
 } = require('internal/errors').codes;
@@ -68,6 +69,83 @@ function validateKeyCert(name, value) {
 
 exports.SecureContext = SecureContext;
 
+function onpskexchange(pskCallback) {
+  return (identity, maxPskLen, maxIdentLen) => {
+    let ret = pskCallback(identity);
+    if (typeof ret !== 'object' || ret == null) {
+      ret = undefined;
+    }
+
+    if (ret) {
+      ret = { psk: ret.psk, identity: ret.identity };
+
+      if (!typeof ret.psk === 'string') {
+        throw new ERR_INVALID_ARG_TYPE('psk', ['string']);
+      }
+      if (ret.psk.length / 2 > maxPskLen) {
+        throw new ERR_ASSERTION(`Pre-shared key exceeds ${maxPskLen} bytes`);
+      }
+
+      // Only set for the client callback, which must provide an identity.
+      if (maxIdentLen) {
+        if (typeof ret.identity !== 'string') {
+          throw new ERR_INVALID_ARG_TYPE('identity', 'string');
+        }
+        if (ret.identity.length > maxIdentLen) {
+          throw new ERR_ASSERTION(`PSK identity exceeds ${maxIdentLen} bytes`);
+        }
+      }
+    }
+
+    return ret;
+  };
+}
+
+function ecdhCurveWarning() {
+  if (ecdhCurveWarning.emitted) return;
+  process.emitWarning('{ ecdhCurve: false } is deprecated.',
+                      'DeprecationWarning',
+                      'DEP0083');
+  ecdhCurveWarning.emitted = true;
+}
+ecdhCurveWarning.emitted = false;
+
+function onpskexchange(pskCallback) {
+  return (identity, maxPskLen, maxIdentLen) => {
+    let ret = pskCallback(identity);
+    if (typeof ret !== 'object' || ret == null) {
+      ret = undefined;
+    }
+
+    if (ret) {
+      ret = { psk: ret.psk, identity: ret.identity };
+
+      if (!typeof ret.psk === 'string') {
+        throw new ERR_INVALID_ARG_TYPE('psk', ['string']);
+      }
+      if (ret.psk.length / 2 > maxPskLen) {
+        throw new ERR_ASSERTION(
+          `Pre-shared key exceeds ${maxPskLen} bytes`
+        );
+      }
+
+      // Only set for the client callback, which must provide an identity.
+      if (maxIdentLen) {
+        if (typeof ret.identity !== 'string') {
+          throw new ERR_INVALID_ARG_TYPE('identity',
+                                         'string');
+        }
+        if (ret.identity.length > maxIdentLen) {
+          throw new ERR_ASSERTION(
+            `PSK identity exceeds ${maxIdentLen} bytes`
+          );
+        }
+      }
+    }
+
+    return ret;
+  };
+}
 
 exports.createSecureContext = function createSecureContext(options, context) {
   if (!options) options = {};
@@ -161,6 +239,29 @@ exports.createSecureContext = function createSecureContext(options, context) {
     }
   }
 
+  if (options.pskCallback && c.context.enablePskCallback) {
+    if (typeof options.pskCallback !== 'function') {
+      throw new ERR_INVALID_ARG_TYPE('pskCallback',
+                                     'function',
+                                     options.pskCallback);
+    }
+
+    c.context.onpskexchange = onpskexchange(options.pskCallback);
+    c.context.enablePskCallback();
+
+    if (options.pskIdentityHint) {
+      if (typeof options.pskIdentityHint !== 'string') {
+        throw new ERR_INVALID_ARG_TYPE(
+          'options.pskIdentityHint',
+          'string',
+          options.pskIdentityHint
+        );
+      }
+
+      c.context.setPskIdentity(options.pskIdentityHint);
+    }
+  }
+
   if (options.sessionIdContext) {
     c.context.setSessionIdContext(options.sessionIdContext);
   }
diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
index 7df4b6612229aa..fda08d9545f8d0 100644
--- a/lib/_tls_wrap.js
+++ b/lib/_tls_wrap.js
@@ -689,7 +689,7 @@ TLSSocket.prototype.getCipher = function(err) {
   return null;
 };
 
-// TODO: support anonymous (nocert) and PSK
+// TODO: support anonymous (nocert)
 
 
 function onSocketSecure() {
@@ -846,6 +846,8 @@ function Server(options, listener) {
     dhparam: this.dhparam,
     secureProtocol: this.secureProtocol,
     secureOptions: this.secureOptions,
+    pskCallback: this.pskCallback,
+    pskIdentityHint: this.pskIdentityHint,
     honorCipherOrder: this.honorCipherOrder,
     crl: this.crl,
     sessionIdContext: this.sessionIdContext
@@ -934,6 +936,8 @@ Server.prototype.setOptions = function(options) {
   else
     this.honorCipherOrder = true;
   if (secureOptions) this.secureOptions = secureOptions;
+  if (options.pskIdentityHint) this.pskIdentityHint = options.pskIdentityHint;
+  if (options.pskCallback) this.pskCallback = options.pskCallback;
   if (options.ALPNProtocols)
     tls.convertALPNProtocols(options.ALPNProtocols, this);
   if (options.sessionIdContext) {
diff --git a/src/env.h b/src/env.h
index feeeda661cec66..c420ad850ebcd7 100644
--- a/src/env.h
+++ b/src/env.h
@@ -154,6 +154,8 @@ struct PackageConfig {
   V(duration_string, "duration")                                              \
   V(emit_warning_string, "emitWarning")                                       \
   V(exchange_string, "exchange")                                              \
+  V(identity_string, "identity")                                              \
+  V(enablepush_string, "enablePush")                                          \
   V(encoding_string, "encoding")                                              \
   V(entries_string, "entries")                                                \
   V(entry_type_string, "entryType")                                           \
@@ -223,6 +225,7 @@ struct PackageConfig {
   V(onmessage_string, "onmessage")                                            \
   V(onnewsession_string, "onnewsession")                                      \
   V(onocspresponse_string, "onocspresponse")                                  \
+  V(onpskexchange_string, "onpskexchange")                                    \
   V(ongoawaydata_string, "ongoawaydata")                                      \
   V(onorigin_string, "onorigin")                                              \
   V(onpriority_string, "onpriority")                                          \
@@ -257,6 +260,7 @@ struct PackageConfig {
   V(promise_string, "promise")                                                \
   V(pubkey_string, "pubkey")                                                  \
   V(query_string, "query")                                                    \
+  V(psk_string, "psk")                                                        \
   V(raw_string, "raw")                                                        \
   V(read_host_object_string, "_readHostObject")                               \
   V(readable_string, "readable")                                              \
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 153bfd2d018466..e7861feef00efd 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -68,6 +68,7 @@ using v8::DontDelete;
 using v8::EscapableHandleScope;
 using v8::Exception;
 using v8::External;
+using v8::Function;
 using v8::FunctionCallbackInfo;
 using v8::FunctionTemplate;
 using v8::HandleScope;
@@ -355,6 +356,13 @@ void SecureContext::Initialize(Environment* env, Local<Object> target) {
   env->SetProtoMethodNoSideEffect(t, "getCertificate", GetCertificate<true>);
   env->SetProtoMethodNoSideEffect(t, "getIssuer", GetCertificate<false>);
 
+#ifdef OPENSSL_PSK_SUPPORT
+  env->SetProtoMethod(t, "setPskIdentity", SecureContext::SetPskIdentity);
+  env->SetProtoMethod(t,
+                      "enablePskCallback",
+                      SecureContext::EnablePskCallback);
+#endif
+
   t->Set(FIXED_ONE_BYTE_STRING(env->isolate(), "kTicketKeyReturnIndex"),
          Integer::NewFromUnsigned(env->isolate(), kTicketKeyReturnIndex));
   t->Set(FIXED_ONE_BYTE_STRING(env->isolate(), "kTicketKeyHMACIndex"),
@@ -1379,6 +1387,175 @@ void SecureContext::GetCertificate(const FunctionCallbackInfo<Value>& args) {
 }
 
 
+#ifdef OPENSSL_PSK_SUPPORT
+
+void SecureContext::SetPskIdentity(const FunctionCallbackInfo<Value>& args) {
+  SecureContext* wrap = Unwrap<SecureContext>(args.Holder());
+  Environment* env = wrap->env();
+
+  CHECK(args[0]->IsString());
+
+  String::Utf8Value identity(args.GetIsolate(), args[0]);
+  if (!SSL_CTX_use_psk_identity_hint(wrap->ctx_.get(), *identity)) {
+    return ThrowCryptoError(env,
+                            ERR_get_error(),
+                            "Failed to set PSK identity hint");
+  }
+}
+
+void SecureContext::EnablePskCallback(
+    const FunctionCallbackInfo<Value>& args) {
+  SecureContext* wrap = Unwrap<SecureContext>(args.Holder());
+
+  SSL_CTX_set_psk_server_callback(wrap->ctx_.get(),
+                                  SecureContext::PskServerCallback);
+  SSL_CTX_set_psk_client_callback(wrap->ctx_.get(),
+                                  SecureContext::PskClientCallback);
+}
+
+unsigned int SecureContext::PskServerCallback(SSL* ssl,
+                                              const char* identity,
+                                              unsigned char* psk,
+                                              unsigned int max_psk_len) {
+  SecureContext* sc = static_cast<SecureContext*>(
+      SSL_CTX_get_app_data(SSL_get_SSL_CTX(ssl)));
+
+  Environment* env = sc->env();
+  Isolate* isolate = env->isolate();
+  HandleScope scope(isolate);
+
+  MaybeLocal<String> maybe_hint_str = String::NewFromOneByte(
+    isolate,
+    reinterpret_cast<const uint8_t*>(identity),
+    v8::NewStringType::kNormal);
+
+  Local<String> hint_str;
+  if (!maybe_hint_str.ToLocal(&hint_str))
+    return 0;
+
+  Local<Value> argv[] = {
+    hint_str,
+    Integer::NewFromUnsigned(isolate, max_psk_len),
+    Integer::NewFromUnsigned(isolate, 0)
+  };
+
+  MaybeLocal<Value> maybe_ret = node::MakeCallback(env->isolate(),
+                                                   sc->object(),
+                                                   env->onpskexchange_string(),
+                                                   arraysize(argv),
+                                                   argv,
+                                                   {0, 0});
+
+
+  Local<Value> ret;
+  if (!maybe_ret.ToLocal(&ret) || !ret->IsObject())
+    return 0;
+  Local<Object> obj = ret.As<Object>();
+
+  MaybeLocal<Value> maybe_psk_val = obj->Get(env->context(), env->psk_string());
+  Local<Value> psk_val;
+  if (!maybe_psk_val.ToLocal(&psk_val) || !psk_val->IsString())
+    return 0;
+  Local<String> psk_str = psk_val.As<String>();
+
+  Local<String> enc = String::Empty(isolate);
+  StringBytes::InlineDecoder decoder;
+  if (!decoder.Decode(env, psk_str, enc, HEX).FromMaybe(false))
+    return 0;
+
+  char* psk_buf = decoder.out();
+  size_t psk_len = decoder.size();
+
+  if (psk_len > max_psk_len)
+    return 0;
+
+  memcpy(psk, psk_buf, psk_len);
+
+  return psk_len;
+}
+
+unsigned int SecureContext::PskClientCallback(SSL* ssl,
+                                              const char* hint,
+                                              char* identity,
+                                              unsigned int max_identity_len,
+                                              unsigned char* psk,
+                                              unsigned int max_psk_len) {
+  SecureContext* sc = static_cast<SecureContext*>(
+      SSL_CTX_get_app_data(SSL_get_SSL_CTX(ssl)));
+
+  Environment* env = sc->env();
+  Isolate* isolate = env->isolate();
+  HandleScope scope(isolate);
+
+  Local<Value> argv[] = {
+    Null(isolate),
+    Integer::NewFromUnsigned(isolate, max_psk_len),
+    Integer::NewFromUnsigned(isolate, max_identity_len)
+  };
+  if (hint != nullptr) {
+    MaybeLocal<String> maybe_hint_str = String::NewFromOneByte(
+      isolate,
+      reinterpret_cast<const uint8_t*>(hint),
+      v8::NewStringType::kNormal);
+
+    Local<String> hint_str;
+    if (!maybe_hint_str.ToLocal(&hint_str))
+      return 0;
+
+    argv[0] = hint_str;
+  }
+  MaybeLocal<Value> maybe_ret = node::MakeCallback(env->isolate(),
+                                                   sc->object(),
+                                                   env->onpskexchange_string(),
+                                                   arraysize(argv),
+                                                   argv,
+                                                   {0, 0});
+
+  Local<Value> ret;
+  if (!maybe_ret.ToLocal(&ret) || !ret->IsObject())
+    return 0;
+  Local<Object> obj = ret.As<Object>();
+
+  MaybeLocal<Value> maybe_psk_val = obj->Get(env->context(), env->psk_string());
+  Local<Value> psk_val;
+  if (!maybe_psk_val.ToLocal(&psk_val) || !psk_val->IsString())
+    return 0;
+  Local<String> psk_str = psk_val.As<String>();
+
+  Local<String> enc = String::Empty(isolate);
+  StringBytes::InlineDecoder decoder;
+  if (!decoder.Decode(env, psk_str, enc, HEX).FromMaybe(false))
+    return 0;
+
+  char* psk_buf = decoder.out();
+  size_t psk_len = decoder.size();
+
+  if (psk_len > max_psk_len)
+    return 0;
+
+  memcpy(psk, psk_buf, psk_len);
+
+  MaybeLocal<Value> maybe_identity_val =
+      obj->Get(env->context(), env->identity_string());
+  Local<Value> identity_val;
+  if (!maybe_identity_val.ToLocal(&identity_val) || !identity_val->IsString())
+    return 0;
+  Local<String> identity_str = identity_val.As<String>();
+
+  size_t identity_len = identity_str->Length();
+  String::Utf8Value identity_buf(isolate, identity_str);
+
+  if (identity_len > max_identity_len)
+    return 0;
+
+  memcpy(identity, *identity_buf, identity_len);
+
+  return psk_len;
+}
+
+#endif
+
+
 template <class Base>
 void SSLWrap<Base>::AddMethods(Environment* env, Local<FunctionTemplate> t) {
   HandleScope scope(env->isolate());
diff --git a/src/node_crypto.h b/src/node_crypto.h
index 714afd0d3bb868..00ead42a93857a 100644
--- a/src/node_crypto.h
+++ b/src/node_crypto.h
@@ -53,6 +53,10 @@
 #include <openssl/rand.h>
 #include <openssl/pkcs12.h>
 
+#ifndef OPENSSL_NO_PSK
+#define OPENSSL_PSK_SUPPORT
+#endif
+
 namespace node {
 namespace crypto {
 
@@ -175,6 +179,23 @@ class SecureContext : public BaseObject {
   template <bool primary>
   static void GetCertificate(const v8::FunctionCallbackInfo<v8::Value>& args);
 
+#ifdef OPENSSL_PSK_SUPPORT
+  static void SetPskIdentity(const v8::FunctionCallbackInfo<v8::Value>& args);
+  static void EnablePskCallback(
+      const v8::FunctionCallbackInfo<v8::Value>& args);
+
+  static unsigned int PskServerCallback(SSL* ssl,
+                                        const char* identity,
+                                        unsigned char* psk,
+                                        unsigned int max_psk_len);
+  static unsigned int PskClientCallback(SSL* ssl,
+                                        const char* hint,
+                                        char* identity,
+                                        unsigned int max_identity_len,
+                                        unsigned char* psk,
+                                        unsigned int max_psk_len);
+#endif
+
   static int TicketKeyCallback(SSL* ssl,
                                unsigned char* name,
                                unsigned char* iv,
diff --git a/test/parallel/test-tls-psk-circuit.js b/test/parallel/test-tls-psk-circuit.js
new file mode 100644
index 00000000000000..ffca514b9a7de1
--- /dev/null
+++ b/test/parallel/test-tls-psk-circuit.js
@@ -0,0 +1,105 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+
+const CIPHERS = 'PSK+HIGH';
+const USERS = {
+  UserA: 'd731ef57be09e5204f0b205b60627028',
+  UserB: '82072606b502b0f4025e90eb75fe137d'
+};
+const CLIENT_IDENTITIES = [
+  { psk: USERS.UserA, identity: 'UserA' },
+  { psk: USERS.UserB, identity: 'UserB' },
+  // unrecognized user should fail handshake
+  { psk: USERS.UserB, identity: 'UserC' },
+  // recognized user but incorrect secret should fail handshake
+  { psk: USERS.UserA, identity: 'UserB' },
+  { psk: USERS.UserB, identity: 'UserB' }
+];
+const TEST_DATA = 'Hello from test!';
+
+const clientResults = [];
+const connectingIds = [];
+
+const serverOptions = {
+  ciphers: CIPHERS,
+  pskCallback(id) {
+    connectingIds.push(id);
+    if (id in USERS) {
+      return { psk: USERS[id] };
+    }
+  }
+};
+
+const server = tls.createServer(serverOptions, common.mustCall((c) => {
+  c.once('data', (data) => {
+    assert.strictEqual(data.toString(), TEST_DATA);
+    c.end(data);
+  });
+}, 3));
+
+server.listen(0, () => {
+  startTest(server.address().port);
+});
+
+function startTest(port) {
+  function connectClient(options, next) {
+    const client = tls.connect(port, 'localhost', options, () => {
+      clientResults.push('connect');
+
+      client.end(TEST_DATA);
+
+      client.on('data', common.mustCallAtLeast((data) => {
+        assert.strictEqual(data.toString(), TEST_DATA);
+      }));
+
+      client.on('close', common.mustCall(next));
+    });
+
+    let errored = false;
+    client.on('error', (err) => {
+      if (!errored) {
+        clientResults.push(err.message);
+        errored = true;
+        next();
+      }
+    });
+  }
+
+  function doTestCase(tcnum) {
+    if (tcnum >= CLIENT_IDENTITIES.length) {
+      server.close();
+    } else {
+      connectClient({
+        ciphers: CIPHERS,
+        rejectUnauthorized: false,
+        pskCallback: () => CLIENT_IDENTITIES[tcnum]
+      }, () => {
+        doTestCase(tcnum + 1);
+      });
+    }
+  }
+  doTestCase(0);
+}
+
+const DISCONNECT_MESSAGE =
+  'Client network socket disconnected before ' +
+  'secure TLS connection was established';
+
+process.on('exit', () => {
+  assert.deepStrictEqual(clientResults, [
+    'connect',
+    'connect',
+    DISCONNECT_MESSAGE,
+    DISCONNECT_MESSAGE,
+    'connect'
+  ]);
+  assert.deepStrictEqual(connectingIds, [
+    'UserA', 'UserB', 'UserC', 'UserB', 'UserB'
+  ]);
+});
diff --git a/test/parallel/test-tls-psk-client.js b/test/parallel/test-tls-psk-client.js
new file mode 100644
index 00000000000000..f07c4b2983cf80
--- /dev/null
+++ b/test/parallel/test-tls-psk-client.js
@@ -0,0 +1,96 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const spawn = require('child_process').spawn;
+
+const CIPHERS = 'PSK+HIGH';
+const KEY = 'd731ef57be09e5204f0b205b60627028';
+const IDENTITY = 'Client_identity';  // Hardcoded by `openssl s_server`
+
+const server = spawn(common.opensslCli, [
+  's_server',
+  '-accept', 54323 /* common.PORT */,
+  '-cipher', CIPHERS,
+  '-psk', KEY,
+  '-psk_hint', IDENTITY,
+  '-nocert'
+]);
+
+
+let state = 'WAIT-ACCEPT';
+
+let serverStdoutBuffer = '';
+server.stdout.setEncoding('utf8');
+server.stdout.on('data', (s) => {
+  serverStdoutBuffer += s;
+  switch (state) {
+    case 'WAIT-ACCEPT':
+      if (/ACCEPT/g.test(serverStdoutBuffer)) {
+        // Give s_server half a second to start up.
+        setTimeout(startClient, 500);
+        state = 'WAIT-HELLO';
+      }
+      break;
+
+    case 'WAIT-HELLO':
+      if (/hello/g.test(serverStdoutBuffer)) {
+
+        // End the current SSL connection and exit.
+        // See s_server(1ssl).
+        server.stdin.write('Q');
+
+        state = 'WAIT-SERVER-CLOSE';
+      }
+      break;
+
+    default:
+      break;
+  }
+});
+
+const timeout = setTimeout(() => {
+  server.kill();
+  process.exit(1);
+}, 5000);
+
+let gotWriteCallback = false;
+let serverExitCode = -1;
+
+server.on('exit', (code) => {
+  serverExitCode = code;
+  clearTimeout(timeout);
+});
+
+
+function startClient() {
+  const s = tls.connect(54323 /* common.PORT */, {
+    ciphers: CIPHERS,
+    rejectUnauthorized: false,
+    pskCallback(hint) {
+      if (hint === IDENTITY) {
+        return {
+          identity: IDENTITY,
+          psk: KEY
+        };
+      }
+    }
+  });
+
+  s.on('secureConnect', () => {
+    s.write('hello\r\n', () => {
+      gotWriteCallback = true;
+    });
+  });
+}
+
+
+process.on('exit', () => {
+  assert.strictEqual(0, serverExitCode);
+  assert.strictEqual('WAIT-SERVER-CLOSE', state);
+  assert.ok(gotWriteCallback);
+});
diff --git a/test/parallel/test-tls-psk-server.js b/test/parallel/test-tls-psk-server.js
new file mode 100644
index 00000000000000..c1c84c37fc751c
--- /dev/null
+++ b/test/parallel/test-tls-psk-server.js
@@ -0,0 +1,76 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const assert = require('assert');
+
+const tls = require('tls');
+const spawn = require('child_process').spawn;
+
+const CIPHERS = 'PSK+HIGH';
+const KEY = 'd731ef57be09e5204f0b205b60627028';
+const IDENTITY = 'TestUser';
+
+const server = tls.createServer({
+  ciphers: CIPHERS,
+  pskIdentityHint: IDENTITY,
+  pskCallback(identity) {
+    if (identity === IDENTITY) {
+      return {
+        psk: KEY
+      };
+    }
+  }
+});
+
+server.on('connection', common.mustCall((socket) => {}, 1));
+
+server.on('secureConnection', (socket) => {
+  socket.write('hello\r\n');
+
+  socket.on('data', (data) => {
+    socket.write(data);
+  });
+});
+
+let gotHello = false;
+let sentWorld = false;
+let gotWorld = false;
+
+server.listen(0, () => {
+  const client = spawn(common.opensslCli, [
+    's_client',
+    '-connect', '127.0.0.1:' + server.address().port,
+    '-cipher', CIPHERS,
+    '-psk', KEY,
+    '-psk_identity', IDENTITY
+  ]);
+
+  let out = '';
+
+  client.stdout.setEncoding('utf8');
+  client.stdout.on('data', (d) => {
+    out += d;
+
+    if (!gotHello && /hello/.test(out)) {
+      gotHello = true;
+      client.stdin.write('world\r\n');
+      sentWorld = true;
+    }
+
+    if (!gotWorld && /world/.test(out)) {
+      gotWorld = true;
+      client.stdin.end();
+    }
+  });
+
+  client.on('exit', common.mustCall((code) => {
+    assert.ok(gotHello);
+    assert.ok(sentWorld);
+    assert.ok(gotWorld);
+    assert.strictEqual(0, code);
+    server.close();
+  }));
+});