diff --git a/doc/api/tls.markdown b/doc/api/tls.markdown
index 657f690343ff03..b108c6edf2657c 100644
--- a/doc/api/tls.markdown
+++ b/doc/api/tls.markdown
@@ -183,8 +183,9 @@ automatically set as a listener for the [secureConnection][] event.  The
 
   - `dhparam`: A string or `Buffer` containing Diffie Hellman parameters,
     required for Perfect Forward Secrecy. Use `openssl dhparam` to create it.
-    If omitted or invalid, it is silently discarded and DHE ciphers won't be
-    available.
+    Its key length should be greater than or equal to 1024bits, otherwise
+    it throws an error. If omitted or invalid, it is silently discarded and
+    DHE ciphers won't be available.
 
   - `handshakeTimeout`: Abort the connection if the SSL/TLS handshake does not
     finish in this many milliseconds. The default is 120 seconds.
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 03dc7d61807d58..6502a4ccfda302 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -757,6 +757,10 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo<Value>& args) {
   if (dh == nullptr)
     return;
 
+  if (BN_num_bits(dh->p) < 1024) {
+    return env->ThrowError("DH parameter is less than 1024bits");
+  }
+
   SSL_CTX_set_options(sc->ctx_, SSL_OP_SINGLE_DH_USE);
   int r = SSL_CTX_set_tmp_dh(sc->ctx_, dh);
   DH_free(dh);
diff --git a/test/parallel/test-tls-dhe.js b/test/parallel/test-tls-dhe.js
index 5c9eb87b2e2935..4a208356f0dc40 100644
--- a/test/parallel/test-tls-dhe.js
+++ b/test/parallel/test-tls-dhe.js
@@ -62,8 +62,11 @@ function test(keylen, expectedCipher, cb) {
 }
 
 function test512() {
-  test(512, 'DHE-RSA-AES128-SHA256', test1024);
-  ntests++;
+  assert.throws(function() {
+    test(512, 'DHE-RSA-AES128-SHA256', test1024);
+  },
+    /DH parameter is less than 1024bits/
+  );
 }
 
 function test1024() {