diff --git a/configure.ac b/configure.ac
index d54701f..64664e9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -76,6 +76,9 @@ AC_CHECK_LIB([gnutls], [gnutls_protocol_set_enabled],
 AC_CHECK_LIB([gnutls], [gnutls_get_system_config_file],
 [AC_DEFINE([HAVE_GNUTLS_GET_SYSTEM_CONFIG_FILE], [1],
 [Define to 1 if you have the gnutls_get_system_config_file function.])])
+AC_CHECK_LIB([gnutls], [gnutls_psk_allocate_client_credentials2],
+ [AC_DEFINE([HAVE_GNUTLS_PSK_ALLOCATE_CREDENTIALS2], [1],
+ [Define to 1 if you have the gnutls_psk_allocate_client_credentials2 function.])])
 
 AC_SUBST([AM_CPPFLAGS])
 AC_CONFIG_FILES([Makefile src/Makefile src/tlshd/Makefile systemd/Makefile])
diff --git a/src/tlshd/client.c b/src/tlshd/client.c
index d235db2..4940256 100644
--- a/src/tlshd/client.c
+++ b/src/tlshd/client.c
@@ -341,8 +341,14 @@ static void tlshd_tls13_client_x509_handshake(struct tlshd_handshake_parms *parm
 static void tlshd_tls13_client_psk_handshake_one(struct tlshd_handshake_parms *parms,
 key_serial_t peerid)
 {
+#ifdef HAVE_GNUTLS_PSK_ALLOCATE_CREDENTIALS2
+ gnutls_mac_algorithm_t mac = GNUTLS_MAC_SHA256;
+#endif
 gnutls_psk_client_credentials_t psk_cred;
 gnutls_session_t session;
+#ifdef HAVE_GNUTLS_PSK_ALLOCATE_CREDENTIALS2
+ int version, type, hash;
+#endif
 gnutls_datum_t key;
 unsigned int flags;
 char *identity;
@@ -359,7 +365,27 @@ static void tlshd_tls13_client_psk_handshake_one(struct tlshd_handshake_parms *p
 return;
 }
 
+#ifdef HAVE_GNUTLS_PSK_ALLOCATE_CREDENTIALS2
+ if (sscanf(identity, "NVMe%01d%c%02d %*s",
+ &version, &type, &hash) == 3) {
+ switch (hash) {
+ case 1:
+ mac = GNUTLS_MAC_SHA256;
+ break;
+ case 2:
+ mac = GNUTLS_MAC_SHA384;
+ break;
+ default:
+ tlshd_log_error("invalid key identity");
+ free(identity);
+ return;
+ }
+ }
+
+ ret = gnutls_psk_allocate_client_credentials2(&psk_cred, mac);
+#else
 ret = gnutls_psk_allocate_client_credentials(&psk_cred);
+#endif
 if (ret != GNUTLS_E_SUCCESS) {
 tlshd_log_gnutls_error(ret);
 free(identity);
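Review bot: The probe only looks for gnutls_psk_allocate_client_credentials2, yet HAVE_GNUTLS_PSK_ALLOCATE_CREDENTIALS2 also gates the call to gnutls_psk_allocate_server_credentials2 in src/tlshd/server.c. Should a GnuTLS build ever export one of the two without the other, the server side fails to link rather than falling back to the old API. Probing the server function as well, and defining the macro only when both checks succeed, keeps the macro's name honest; at minimum a comment next to the check naming both consumers, e.g. `dnl also guards gnutls_psk_allocate_server_credentials2 in src/tlshd/server.c`, would stop a later reader from assuming it covers only the client.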
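Review bot: `int version, type, hash;` in the first client.c hunk pairs `type` with the `%c` conversion in the second hunk's `sscanf(identity, "NVMe%01d%c%02d %*s", &version, &type, &hash)`, but `%c` requires a `char *`; handing it an `int *` is undefined behaviour even though the value is never read afterwards. The one-line fix is to split the declaration, `int version, hash;` and `char type;`, under the same `#ifdef`. A smaller point: when the identity does not match the NVMe pattern the code silently keeps the SHA-256 default, so a debug-level log in that branch would make a mis-parsed identity diagnosable, and `version` is parsed but never checked, which may or may not matter depending on how the identity format is specified. tlshd_tls13_client_psk_handshake_one starts in the first hunk and continues outside both.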
diff --git a/src/tlshd/server.c b/src/tlshd/server.c
index 48aed38..9468a61 100644
--- a/src/tlshd/server.c
+++ b/src/tlshd/server.c
@@ -327,7 +327,12 @@ static void tlshd_tls13_server_psk_handshake(struct tlshd_handshake_parms *parms
 gnutls_session_t session;
 int ret;
 
+#ifdef HAVE_GNUTLS_PSK_ALLOCATE_CREDENTIALS2
+ ret = gnutls_psk_allocate_server_credentials2(&psk_cred,
+ GNUTLS_MAC_NONE);
+#else
 ret = gnutls_psk_allocate_server_credentials(&psk_cred);
+#endif
 if (ret != GNUTLS_E_SUCCESS) {
 tlshd_log_gnutls_error(ret);
 return;
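Review bot: The server passes GNUTLS_MAC_NONE to gnutls_psk_allocate_server_credentials2 while the client in src/tlshd/client.c derives SHA-256 or SHA-384 from the identity string, and nothing in the hunk says why the server does not need to pin the hash the same way. A one-line comment above the call would spare the next reader a trip to the GnuTLS documentation, along the lines of `/* GNUTLS_MAC_NONE: the PSK hash is not fixed at allocation time on the server side, unlike the client — document where it is chosen */`, adjusted to whatever the actual reason is. tlshd_tls13_server_psk_handshake continues outside the hunk.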