diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 960412a95..eabcbdc64 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -95,6 +95,7 @@ int main( void )
 #define DFL_MFL_CODE            MBEDTLS_SSL_MAX_FRAG_LEN_NONE
 #define DFL_TRUNC_HMAC          -1
 #define DFL_RECSPLIT            -1
+#define DFL_DHMLEN              -1
 #define DFL_RECONNECT           0
 #define DFL_RECO_DELAY          0
 #define DFL_TICKETS             MBEDTLS_SSL_SESSION_TICKETS_ENABLED
@@ -164,6 +165,13 @@ int main( void )
 #define USAGE_RECSPLIT
 #endif
 
+#if defined(MBEDTLS_DHM_C)
+#define USAGE_DHMLEN \
+    "    dhmlen=%%d           default: (library default: 1024 bits)\n"
+#else
+#define USAGE_DHMLEN
+#endif
+
 #if defined(MBEDTLS_SSL_ALPN)
 #define USAGE_ALPN \
     "    alpn=%%s             default: \"\" (disabled)\n"   \
@@ -246,6 +254,7 @@ int main( void )
     USAGE_EMS                                               \
     USAGE_ETM                                               \
     USAGE_RECSPLIT                                          \
+    USAGE_DHMLEN                                            \
     "\n"                                                    \
     "    arc4=%%d             default: (library default: 0)\n" \
     "    min_version=%%s      default: (library default: tls1)\n"       \
@@ -289,6 +298,7 @@ struct options
     unsigned char mfl_code;     /* code for maximum fragment length         */
     int trunc_hmac;             /* negotiate truncated hmac or not          */
     int recsplit;               /* enable record splitting?                 */
+    int dhmlen;                 /* minimum DHM params len in bits           */
     int reconnect;              /* attempt to resume session                */
     int reco_delay;             /* delay in seconds before resuming session */
     int tickets;                /* enable / disable session tickets         */
@@ -468,6 +478,7 @@ int main( int argc, char *argv[] )
     opt.mfl_code            = DFL_MFL_CODE;
     opt.trunc_hmac          = DFL_TRUNC_HMAC;
     opt.recsplit            = DFL_RECSPLIT;
+    opt.dhmlen              = DFL_DHMLEN;
     opt.reconnect           = DFL_RECONNECT;
     opt.reco_delay          = DFL_RECO_DELAY;
     opt.tickets             = DFL_TICKETS;
@@ -758,6 +769,12 @@ int main( int argc, char *argv[] )
             if( opt.recsplit < 0 || opt.recsplit > 1 )
                 goto usage;
         }
+        else if( strcmp( p, "dhmlen" ) == 0 )
+        {
+            opt.dhmlen = atoi( q );
+            if( opt.dhmlen < 0 )
+                goto usage;
+        }
         else
             goto usage;
     }
@@ -1091,6 +1108,11 @@ int main( int argc, char *argv[] )
                                     : MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED );
 #endif
 
+#if defined(MBEDTLS_DHM_C)
+    if( opt.dhmlen != DFL_DHMLEN )
+        mbedtls_ssl_conf_dhm_min_bitlen( &conf, opt.dhmlen );
+#endif
+
 #if defined(MBEDTLS_SSL_ALPN)
     if( opt.alpn_string != NULL )
         if( ( ret = mbedtls_ssl_conf_alpn_protocols( &conf, alpn_list ) ) != 0 )