diff -up nss/lib/nss/nssoptions.h.min_key_sizes nss/lib/nss/nssoptions.h
--- nss/lib/nss/nssoptions.h.min_key_sizes 2017-02-20 16:42:23.456894585 +0100
+++ nss/lib/nss/nssoptions.h 2017-02-20 16:43:02.687942525 +0100
@@ -16,5 +16,5 @@
/* 1023 to avoid cases where p = 2q+1 for a 512-bit q turns out to be
* only 1023 bits and similar. We don't have good data on whether this
* happens because NSS used to count bit lengths incorrectly. */
-#define SSL_DH_MIN_P_BITS 1023
+#define SSL_DH_MIN_P_BITS 768
#define SSL_DSA_MIN_P_BITS 1023
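Review bot: The comment above `SSL_DH_MIN_P_BITS` still justifies the value 1023, but the define is now 768, so the stated rationale no longer matches the constant. Published research on finite-field DH (Logjam) puts 768-bit groups within reach of precomputation by well-resourced attackers, so this lowers the floor for every consumer of the default. If the lower limit is needed for legacy-server compatibility, the comment should say so, for example `/* Lowered to 768 for compatibility with legacy servers; weaker than the previous 1023 floor. */`. `SSL_DSA_MIN_P_BITS` stays at 1023, so the two minimums now differ with no stated reason.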
diff -up nss/lib/ssl/ssl3con.c.min_key_sizes nss/lib/ssl/ssl3con.c
--- nss/lib/ssl/ssl3con.c.min_key_sizes 2017-02-20 16:42:23.459894513 +0100
+++ nss/lib/ssl/ssl3con.c 2017-02-20 16:43:42.744970411 +0100
@@ -7093,7 +7093,7 @@ ssl_HandleDHServerKeyExchange(sslSocket
minDH = SSL_DH_MIN_P_BITS;
}
dh_p_bits = SECKEY_BigIntegerBitLength(&dh_p);
- if (dh_p_bits < minDH) {
+ if (dh_p_bits < SSL_DH_MIN_P_BITS) {
errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
goto alert_loser;
}
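Review bot: The check now compares `dh_p_bits` with the compile-time constant `SSL_DH_MIN_P_BITS` instead of `minDH`, so the value stored in `minDH` just above no longer affects the decision. That value appears to be a configured minimum with the constant as fallback, but the code that sets it is outside the hunk; if so, a deployment that configured a stricter minimum would accept 768-bit server parameters without any error. Keeping `if (dh_p_bits < minDH) {` preserves the configured limit, and the fallback assignment visible in this hunk would still pick up the lowered default from the header. As written, `minDH` is also assigned but never read. `ssl_HandleDHServerKeyExchange` starts and ends outside the hunk.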