diff --git a/cyassl/internal.h b/cyassl/internal.h index 50ae3929d..a506d6cf8 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -160,6 +160,10 @@ void c32to24(word32 in, word24 out); #endif #endif +#if !defined(NO_TLS) && !defined(NO_PSK) && defined(HAVE_NULL_CIPHER) + #define BUILD_TLS_PSK_WITH_NULL_SHA +#endif + #if !defined(NO_HC128) && !defined(NO_TLS) #define BUILD_TLS_RSA_WITH_HC_128_CBC_MD5 #define BUILD_TLS_RSA_WITH_HC_128_CBC_SHA @@ -267,6 +271,7 @@ enum { TLS_RSA_WITH_AES_128_CBC_SHA = 0x2F, TLS_PSK_WITH_AES_256_CBC_SHA = 0x8d, TLS_PSK_WITH_AES_128_CBC_SHA = 0x8c, + TLS_PSK_WITH_NULL_SHA = 0x2c, SSL_RSA_WITH_RC4_128_SHA = 0x05, SSL_RSA_WITH_RC4_128_MD5 = 0x04, SSL_RSA_WITH_3DES_EDE_CBC_SHA = 0x0A, diff --git a/src/internal.c b/src/internal.c index bf76cf821..d40c667a9 100644 --- a/src/internal.c +++ b/src/internal.c @@ -842,6 +842,13 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveDH, byte havePSK, } #endif +#ifdef BUILD_TLS_PSK_WITH_NULL_SHA + if (tls & havePSK) { + suites->suites[idx++] = 0; + suites->suites[idx++] = TLS_PSK_WITH_NULL_SHA; + } +#endif + #ifdef BUILD_SSL_RSA_WITH_RC4_128_SHA if (haveRSA ) { suites->suites[idx++] = 0; @@ -2784,6 +2791,11 @@ static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word32 sz) break; #endif + #ifdef HAVE_NULL_CIPHER + case cipher_null: + break; + #endif + default: CYASSL_MSG("CyaSSL Encrypt programming error"); return ENCRYPT_ERROR; @@ -2862,6 +2874,11 @@ static INLINE int Decrypt(CYASSL* ssl, byte* plain, const byte* input, break; #endif + #ifdef HAVE_NULL_CIPHER + case cipher_null: + break; + #endif + default: CYASSL_MSG("CyaSSL Decrypt programming error"); return DECRYPT_ERROR; @@ -4427,6 +4444,10 @@ const char* const cipher_names[] = "PSK-AES256-CBC-SHA", #endif +#ifdef BUILD_TLS_PSK_WITH_NULL_SHA + "PSK-NULL-SHA", +#endif + #ifdef BUILD_TLS_RSA_WITH_HC_128_CBC_MD5 "HC128-MD5", #endif 
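Review bot: In InitSuites the new block puts TLS_PSK_WITH_NULL_SHA into the default suite list whenever the build defines HAVE_NULL_CIPHER and the endpoint has PSK, so a connection can be negotiated without record encryption even though the application never asked for it. The entry is also written ahead of the RC4 RSA suites that follow in this hunk, which matters if list order is used as preference; the selection code is not visible here. Consider leaving the suite out of the defaults and enabling it only when it is named through the cipher list, or at least appending it last under a comment such as `/* integrity-only suite, no confidentiality: keep last */`. Separately, `tls & havePSK` is a bitwise AND of two byte flags and is only right when both are exactly 0 or 1; `if (tls && havePSK)` states the intent. InitSuites starts and ends outside the hunk.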
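Review bot: The new `case cipher_null: break;` in Encrypt reports success without writing anything to `out`, so the result is only correct when the caller passes the same buffer for `out` and `input`; the Decrypt hunk has the same gap with `plain`. The call sites are outside this diff, so if any of them uses distinct buffers the record would carry whatever the destination held before. Making the case self-contained is a small change: `if (input != out) XMEMMOVE(out, input, sz);` in Encrypt, and the equivalent copy into `plain` in Decrypt. Both functions begin and end outside their hunks.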
@@ -4627,6 +4648,10 @@ int cipher_name_idx[] = TLS_PSK_WITH_AES_256_CBC_SHA, #endif +#ifdef BUILD_TLS_PSK_WITH_NULL_SHA + TLS_PSK_WITH_NULL_SHA, +#endif + #ifdef BUILD_TLS_RSA_WITH_HC_128_CBC_MD5 TLS_RSA_WITH_HC_128_CBC_MD5, #endif @@ -6691,6 +6716,11 @@ int SetCipherList(Suites* s, const char* list) return 1; break; + case TLS_PSK_WITH_NULL_SHA : + if (requirement == REQUIRES_PSK) + return 1; + break; + case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 : if (requirement == REQUIRES_RSA) return 1; diff --git a/src/keys.c b/src/keys.c index c40fb5f51..ba6d7a3f9 100644 --- a/src/keys.c +++ b/src/keys.c @@ -666,6 +666,23 @@ int SetCipherSpecs(CYASSL* ssl) break; #endif +#ifdef BUILD_TLS_PSK_WITH_NULL_SHA + case TLS_PSK_WITH_NULL_SHA : + ssl->specs.bulk_cipher_algorithm = cipher_null; + ssl->specs.cipher_type = stream; + ssl->specs.mac_algorithm = sha_mac; + ssl->specs.kea = psk_kea; + ssl->specs.hash_size = SHA_DIGEST_SIZE; + ssl->specs.pad_size = PAD_SHA; + ssl->specs.static_ecdh = 0; + ssl->specs.key_size = 0; + ssl->specs.block_size = 0; + ssl->specs.iv_size = 0; + + ssl->options.usingPSK_cipher = 1; + break; +#endif + #ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 : ssl->specs.bulk_cipher_algorithm = aes; @@ -1077,6 +1094,13 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs, } #endif +#ifdef HAVE_NULL_CIPHER + if (specs->bulk_cipher_algorithm == cipher_null) { + enc->setup = 1; + dec->setup = 1; + } +#endif + keys->sequence_number = 0; keys->peer_sequence_number = 0; keys->encryptionOn = 0; diff --git a/tests/suites.c b/tests/suites.c index 24590c6cd..d2f4d047b 100644 --- a/tests/suites.c +++ b/tests/suites.c 
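Review bot: The TLS_PSK_WITH_NULL_SHA case in SetCipherSpecs carries no comment saying that the zero key, block and IV sizes are deliberate, and a reader comparing it with the neighbouring AES cases may take them for omissions. A one-line comment above the case would settle it: `/* RFC 4785 NULL-encryption PSK suite: HMAC-SHA1 integrity only, no confidentiality; key/block/iv sizes are 0 by design */`. The switch continues outside the hunk.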
@@ -270,6 +270,15 @@ int SuiteTest(void) printf("error from script %d\n", args.return_code); exit(EXIT_FAILURE); } + #ifdef HAVE_NULL_CIPHER + strcpy(argv0[1], "tests/test-psk-null.conf"); + printf("starting psk extra null cipher suite tests\n"); + test_harness(&args); + if (args.return_code != 0) { + printf("error from script %d\n", args.return_code); + exit(EXIT_FAILURE); + } + #endif #endif #ifdef HAVE_NTRU diff --git a/tests/test-psk-null.conf b/tests/test-psk-null.conf new file mode 100644 index 000000000..7cb288ead --- /dev/null +++ b/tests/test-psk-null.conf @@ -0,0 +1,30 @@ +# server TLSv1.0 PSK-NULL +-s +-v 1 +-l PSK-NULL-SHA + +# client TLSv1.0 PSK-NULL +-s +-v 1 +-l PSK-NULL-SHA + +# server TLSv1.1 PSK-NULL +-s +-v 2 +-l PSK-NULL-SHA + +# client TLSv1.1 PSK-NULL +-s +-v 2 +-l PSK-NULL-SHA + +# server TLSv1.2 PSK-NULL +-s +-v 3 +-l PSK-NULL-SHA + +# client TLSv1.2 PSK-NULL +-s +-v 3 +-l PSK-NULL-SHA +
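Review bot: `strcpy(argv0[1], "tests/test-psk-null.conf")` copies 25 bytes, terminator included, into a buffer whose declaration is outside the hunk, and nothing ties the two sizes together. If `argv0[1]` is a fixed-size array (an assumption to confirm against its declaration), a bounded copy such as `snprintf(argv0[1], sizeof argv0[1], "%s", "tests/test-psk-null.conf");` keeps a later, longer path from overflowing it. SuiteTest starts and ends outside the hunk.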