TLS Diffie-Hellman parameter size is too small
Production Risk
High — small DH params weaken TLS; regenerate with 2048 bits minimum.
Thrown when a TLS server is configured with a Diffie-Hellman parameter (dhparam) that is smaller than the minimum recommended size. Node.js requires at least 1024 bits, but modern best practice is 2048 bits. Small DH parameters are vulnerable to Logjam-style attacks.
- dhparam generated with fewer than 1024 bits
- Using legacy dhparam files from old server configurations
- Copying outdated TLS configuration without updating key sizes
Triggered when tls.createServer() loads a dhparam file that is smaller than the minimum allowed size.
const tls = require('tls');
const fs = require('fs');
tls.createServer({
  dhparam: fs.readFileSync('dh512.pem'), // 512 bits — too small
});

Expected output
Error [ERR_TLS_DH_PARAM_SIZE]: DH parameter size 512 is less than 1024
Fix
Generate a 2048-bit (or larger) DH parameter file
When: setting up TLS servers with DHE cipher suites

# Generate a 2048-bit DH param file (run in shell)
openssl dhparam -out dh2048.pem 2048
Why this works
A 2048-bit DH parameter satisfies the minimum and provides adequate security against known attacks.
const tls = require('tls');
const fs = require('fs');
tls.createServer({
  dhparam: fs.readFileSync('dh512.pem'), // 512 bits — too small
}); // this triggers ERR_TLS_DH_PARAM_SIZE

try {
  // operation that may throw ERR_TLS_DH_PARAM_SIZE
  riskyOperation() // placeholder for the call that loads the dhparam file
} catch (err) {
  if (err.code === 'ERR_TLS_DH_PARAM_SIZE') {
    console.error('ERR_TLS_DH_PARAM_SIZE:', err.message)
  } else {
    throw err
  }
}

// Validate inputs before calling the operation
function safe_err_tls_dh_param_size(...args) {
  // validate args here
  return performOperation(...args) // placeholder for the real operation
}

✕ Use DH parameters smaller than 2048 bits in production
Small DH parameters are vulnerable to the Logjam attack (precomputed discrete logarithms).
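One way to enforce the 2048-bit minimum before a dhparam file is loaded, as an added example that is not from the original page or from Node.js: it reads the size of the prime directly out of the PEM file. The helper names (readTlv, dhParamBits, assertDhParamSize, makeDhPem) are hypothetical, and the sample parameters are constructed byte strings, not real primes.

```javascript
// Read one DER tag-length-value header at `off`.
function readTlv(der, off) {
  const tag = der[off];
  let len = der[off + 1];
  let start = off + 2;
  if (len & 0x80) { // long form: low 7 bits give the number of length bytes
    const n = len & 0x7f;
    if (n === 0 || n > 4) throw new Error('unsupported DER length');
    len = der.readUIntBE(start, n);
    start += n;
  }
  if (!(start + len <= der.length)) throw new Error('truncated DER');
  return { tag, start, end: start + len };
}

// Bit length of prime p in DHParameter ::= SEQUENCE { p INTEGER, g INTEGER, ... }
function dhParamBits(pem) {
  const m = /-----BEGIN DH PARAMETERS-----([\s\S]+?)-----END DH PARAMETERS-----/.exec(pem);
  if (!m) throw new Error('no DH PARAMETERS block found');
  const der = Buffer.from(m[1].replace(/\s+/g, ''), 'base64');
  const seq = readTlv(der, 0);
  if (seq.tag !== 0x30) throw new Error('expected SEQUENCE');
  const p = readTlv(der, seq.start);
  if (p.tag !== 0x02) throw new Error('expected INTEGER p');
  let i = p.start;
  while (i < p.end && der[i] === 0) i++; // skip the sign-padding zero byte
  // clz32 counts leading zeros in 32 bits; a byte has 24 of them by construction
  return i === p.end ? 0 : (p.end - i) * 8 - (Math.clz32(der[i]) - 24);
}

// Throw before the file ever reaches tls.createServer({ dhparam }).
function assertDhParamSize(pem, minBits = 2048) {
  const bits = dhParamBits(pem);
  if (bits < minBits) throw new Error(`dhparam is ${bits} bits, need >= ${minBits}`);
  return bits;
}

// Constructed sample input: DER-encode p (with g = 2) and wrap it as PEM. The
// byte strings used below are not real primes; only their size is examined.
function makeDhPem(pBytes) {
  const len = (n) => (n < 128 ? [n] : n < 256 ? [0x81, n] : [0x82, n >> 8, n & 0xff]);
  const tlv = (tag, body) => Buffer.concat([Buffer.from([tag, ...len(body.length)]), body]);
  const p = tlv(0x02, Buffer.concat([Buffer.from([0]), pBytes])); // 0x00 keeps p positive
  const der = tlv(0x30, Buffer.concat([p, tlv(0x02, Buffer.from([2]))]));
  return `-----BEGIN DH PARAMETERS-----\n${der.toString('base64')}\n-----END DH PARAMETERS-----\n`;
}

const weakPem = makeDhPem(Buffer.alloc(64, 0xff));    // 512-bit, like dh512.pem
const strongPem = makeDhPem(Buffer.alloc(256, 0xff)); // 2048-bit, like dh2048.pem
```

In a server, call assertDhParamSize(fs.readFileSync('dh2048.pem', 'utf8')) at startup, before the same file is passed as dhparam.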
Node.js Error Codes Documentation