diff --git a/examples/server/server.c b/examples/server/server.c
index d088d612a..8c379d363 100644
--- a/examples/server/server.c
+++ b/examples/server/server.c
@@ -63,17 +63,19 @@ THREAD_RETURN CYASSL_API server_test(void* args)
     ctx    = SSL_CTX_new(method);
 
 #ifndef NO_PSK
+    /* do PSK */
     SSL_CTX_set_psk_server_callback(ctx, my_psk_server_cb);
     SSL_CTX_use_psk_identity_hint(ctx, "cyassl server");
+    SSL_CTX_set_cipher_list(ctx, "PSK-AES256-CBC-SHA");
+#else
+    /* not using PSK, verify peer with certs */
+    SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,0);
 #endif
 
 #ifdef OPENSSL_EXTRA
     SSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack);
 #endif
 
-    SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,0);
-
-
 #ifndef NO_FILESYSTEM
     /* for client auth */
     if (SSL_CTX_load_verify_locations(ctx, cliCert, 0) != SSL_SUCCESS)
@@ -117,7 +119,9 @@ THREAD_RETURN CYASSL_API server_test(void* args)
 #endif
 
     SSL_set_fd(ssl, clientfd);
-    SetDH(ssl);
+#ifdef NO_PSK
+    SetDH(ssl);   /* will repick suites with DHE, higher priority than PSK */
+#endif
 
 #ifdef NON_BLOCKING
     tcp_set_nonblocking(&clientfd);
diff --git a/src/cyassl_int.c b/src/cyassl_int.c
index 33d91fd00..48be476cc 100644
--- a/src/cyassl_int.c
+++ b/src/cyassl_int.c
@@ -4960,6 +4960,7 @@ int SetCipherList(SSL_CTX* ctx, const char* list)
         ssl->chVersion = pv;  /* store */
 
         if (ssl->version.minor > pv.minor) {
+            byte havePSK = 0;
             if (!ssl->options.downgrade) {
                 CYASSL_MSG("Client trying to connect with lesser version"); 
                 return VERSION_ERROR;
@@ -4981,7 +4982,11 @@ int SetCipherList(SSL_CTX* ctx, const char* list)
                 CYASSL_MSG("    downgrading to TLSv1.1");
                 ssl->version.minor  = TLSv1_1_MINOR;
             }
-            InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, FALSE,
+#ifndef NO_PSK
+            havePSK = ssl->options.havePSK;
+#endif
+
+            InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
                        ssl->options.haveNTRU, ssl->options.haveECDSA,
                        ssl->ctx->method->side);
         }
@@ -5084,6 +5089,7 @@ int SetCipherList(SSL_CTX* ctx, const char* list)
         ssl->chVersion = pv;   /* store */
         i += sizeof(pv);
         if (ssl->version.minor > pv.minor) {
+            byte havePSK = 0;
             if (!ssl->options.downgrade) {
                 CYASSL_MSG("Client trying to connect with lesser version"); 
                 return VERSION_ERROR;
@@ -5105,7 +5111,10 @@ int SetCipherList(SSL_CTX* ctx, const char* list)
                 CYASSL_MSG("    downgrading to TLSv1.1");
                 ssl->version.minor  = TLSv1_1_MINOR;
             }
-            InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, FALSE,
+#ifndef NO_PSK
+            havePSK = ssl->options.havePSK;
+#endif
+            InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
                        ssl->options.haveNTRU, ssl->options.haveECDSA,
                        ssl->ctx->method->side);
         }