diff -up nss/lib/nss/nssoptions.h.min_key_sizes nss/lib/nss/nssoptions.h
--- nss/lib/nss/nssoptions.h.min_key_sizes 2017-02-20 16:42:23.456894585 +0100
+++ nss/lib/nss/nssoptions.h 2017-02-20 16:43:02.687942525 +0100
@@ -16,5 +16,5 @@
 /* 1023 to avoid cases where p = 2q+1 for a 512-bit q turns out to be
 * only 1023 bits and similar. We don't have good data on whether this
 * happens because NSS used to count bit lengths incorrectly. */
-#define SSL_DH_MIN_P_BITS 1023
+#define SSL_DH_MIN_P_BITS 768
 #define SSL_DSA_MIN_P_BITS 1023
diff -up nss/lib/ssl/ssl3con.c.min_key_sizes nss/lib/ssl/ssl3con.c
--- nss/lib/ssl/ssl3con.c.min_key_sizes 2017-02-20 16:42:23.459894513 +0100
+++ nss/lib/ssl/ssl3con.c 2017-02-20 16:43:42.744970411 +0100
@@ -7093,7 +7093,7 @@ ssl_HandleDHServerKeyExchange(sslSocket
 minDH = SSL_DH_MIN_P_BITS;
 }
 dh_p_bits = SECKEY_BigIntegerBitLength(&dh_p);
- if (dh_p_bits < minDH) {
+ if (dh_p_bits < SSL_DH_MIN_P_BITS) {
 errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
 goto alert_loser;
 }
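Review bot: The comment directly above `SSL_DH_MIN_P_BITS` still explains the value 1023, so after this change it describes a number the macro no longer has and gives no reason for 768. Lowering the floor means a client will complete handshakes with servers offering 768-bit DH primes, which give a much smaller security margin than the previous 1023-bit minimum. The comment should state that trade-off and why it is accepted. I would replace the stale rationale with something like `/* Lowered from the upstream 1023-bit floor to 768 bits; 768-bit DH is weak, raise this where interoperability allows. */`. The neighbouring `SSL_DSA_MIN_P_BITS` stays at 1023, so the two limits now differ without explanation.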
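Review bot: Comparing `dh_p_bits` against `SSL_DH_MIN_P_BITS` instead of `minDH` makes this check ignore whatever value the code above assigned to `minDH`. The context line `minDH = SSL_DH_MIN_P_BITS;` looks like a fallback branch, so `minDH` presumably comes from a runtime setting; the start of `ssl_HandleDHServerKeyExchange` is outside the hunk, so that is inferred. If so, a deployment that configures a stricter DH minimum would still accept any server prime at or above the compile-time constant, which this same patch lowers to 768 bits. Keeping `if (dh_p_bits < minDH) {` and changing only the default would preserve the ability to tighten the limit. If the bypass is intentional, add a comment such as `/* deliberately ignores the configured DH minimum: <reason> */` and drop the now-unused `minDH` computation.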