diff --git a/etc/emqx.conf b/etc/emqx.conf
index 65d96cd33..ac2415649 100644
--- a/etc/emqx.conf
+++ b/etc/emqx.conf
@@ -1468,7 +1468,7 @@ listener.ssl.external.ciphers = TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TL
 ## Note that 'listener.ssl.external.ciphers' and 'listener.ssl.external.psk_ciphers' cannot
 ## be configured at the same time.
 ## See 'https://tools.ietf.org/html/rfc4279#section-2'.
-#listener.ssl.external.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
+#listener.ssl.external.psk_ciphers = RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384,RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256,RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA
 
 ## SSL parameter renegotiation is a feature that allows a client and a server
 ## to renegotiate the parameters of the SSL connection on the fly.
@@ -1993,7 +1993,7 @@ listener.wss.external.ciphers = TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TL
 ## Note that 'listener.wss.external.ciphers' and 'listener.wss.external.psk_ciphers' cannot
 ## be configured at the same time.
 ## See 'https://tools.ietf.org/html/rfc4279#section-2'.
-## listener.wss.external.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
+## listener.wss.external.psk_ciphers = RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384,RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256,RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA
 
 ## See: listener.ssl.$name.secure_renegotiate
 ##
diff --git a/priv/emqx.schema b/priv/emqx.schema
index cfd3fa337..22c91ab7c 100644
--- a/priv/emqx.schema
+++ b/priv/emqx.schema
@@ -2060,13 +2060,31 @@ end}.
                           {reuseaddr, cuttlefish:conf_get(Prefix ++ ".reuseaddr", Conf, undefined)}])
               end,
     SplitFun = fun(undefined) -> undefined; (S) -> string:tokens(S, ",") end,
+    %% In erlang, we only support the following PSK ciphers (ssl_cipher:psk_suites(3))
+    AvaiableCiphers = ["RSA-PSK-AES256-GCM-SHA384","RSA-PSK-AES256-CBC-SHA384",
+                       "RSA-PSK-AES128-GCM-SHA256","RSA-PSK-AES128-CBC-SHA256",
+                       "RSA-PSK-AES256-CBC-SHA","RSA-PSK-AES128-CBC-SHA"
+                      ],
+    %% Compatible with legacy PSK Cipher strings
+    PskMapping = fun("PSK-AES128-CBC-SHA") -> {true, "RSA-PSK-AES128-CBC-SHA"};
+                    ("PSK-AES256-CBC-SHA") -> {true, "RSA-PSK-AES256-CBC-SHA"};
+                    ("PSK-3DES-EDE-CBC-SHA") -> {true, "PSK-3DES-EDE-CBC-SHA"};
+                    ("PSK-RC4-SHA") -> {true, "PSK-RC4-SHA"};
+                    (C) -> case lists:member(C, AvaiableCiphers) of
+                               true -> {true, C};
+                               false -> false
+                           end
+                 end,
     MapPSKCiphers = fun(PSKCiphers) ->
-                      lists:map(
-                          fun("PSK-AES128-CBC-SHA") -> {psk, aes_128_cbc, sha};
-                             ("PSK-AES256-CBC-SHA") -> {psk, aes_256_cbc, sha};
-                             ("PSK-3DES-EDE-CBC-SHA") -> {psk, '3des_ede_cbc', sha};
-                             ("PSK-RC4-SHA") -> {psk, rc4_128, sha}
-                          end, PSKCiphers)
+                      lists:filtermap(fun(C0) ->
+                        case PskMapping(C0) of
+                            false ->
+                              cuttlefish:invalid(
+                                io_lib:format("psk_ciphers: not support ~s", [C0]));
+                            {true, C} ->
+                                {true, C}
+                        end
+                      end, PSKCiphers)
                     end,
     SslOpts = fun(Prefix) ->
                   Versions = case SplitFun(cuttlefish:conf_get(Prefix ++ ".tls_versions", Conf, undefined)) of