diff --git a/pkgs/racket-doc/openssl/openssl.scrbl b/pkgs/racket-doc/openssl/openssl.scrbl
index 9e496b60c8..2a197c7fba 100644
--- a/pkgs/racket-doc/openssl/openssl.scrbl
+++ b/pkgs/racket-doc/openssl/openssl.scrbl
@@ -652,7 +652,7 @@ collection for testing purposes where the peer identifies itself using
 @deftogether[[
 @defproc[(ssl-server-context-enable-dhe!
            [context ssl-server-context?]
-           [dh-param-path path-string? ssl-dh4096-param-path])
+           [dh-param (or/c path-string? bytes?) ssl-dh4096-param-bytes])
          void?]
 @defproc[(ssl-server-context-enable-ecdhe!
            [context ssl-server-context?]
@@ -665,8 +665,9 @@ Enables cipher suites that provide
 forward secrecy} via ephemeral Diffie-Hellman (DHE) or ephemeral
 elliptic-curve Diffie-Hellman (ECDHE) key exchange, respectively.
 
-For DHE, the @racket[dh-param-path] must be a path to a PEM file
-containing DH parameters.
+For DHE, the @racket[dh-param] must be a path to a @filepath{.pem}
+file containing DH parameters or the content of such a file as a byte
+string.
 
 For ECDHE, the @racket[curve-name] must be one of the following
 symbols naming a standard elliptic curve:
@@ -677,12 +678,16 @@ symbols naming a standard elliptic curve:
          secp160k1 secp160r1 secp160r2 secp192k1 secp224k1 secp224r1 secp256k1
          secp384r1 secp521r1 prime192v prime256v))
   ", ").
-}
 
-@defthing[ssl-dh4096-param-path path?]{
+@history[#:changed "7.7.0.4" @elem{Allow a byte string as the @racket[dh-param]
+                                   argument to @racket[ssl-server-context-enable-dhe!].}]}
 
-Path for 4096-bit Diffie-Hellman parameters.
-}
+@defthing[ssl-dh4096-param-bytes bytes?]{
+
+Byte string describing 4096-bit Diffie-Hellman parameters in @filepath{.pem} format.
+
+@history[#:changed "7.7.0.4" @elem{Added as a replacement for
+                                   @racketidfont{ssl-dh4096-param-path}.}]}
 
 @defproc[(ssl-set-server-name-identification-callback!
            [context ssl-server-context?]
diff --git a/pkgs/racket-test/tests/openssl/test-ephemeral.rkt b/pkgs/racket-test/tests/openssl/test-ephemeral.rkt
index a4b25c63e4..00bf60f055 100644
--- a/pkgs/racket-test/tests/openssl/test-ephemeral.rkt
+++ b/pkgs/racket-test/tests/openssl/test-ephemeral.rkt
@@ -47,7 +47,7 @@
  [(memq 'tls12 (supported-server-protocols))
   ;; Test DHE ciphers (note: cipher spec is "EDH", contrary to openssl ciphers docs)
   (test-ephemeral (lambda (server-ctx)
-                    (ssl-server-context-enable-dhe! server-ctx ssl-dh4096-param-path))
+                    (ssl-server-context-enable-dhe! server-ctx ssl-dh4096-param-bytes))
                   "AES+EDH")
 
   ;; Test ECDHE ciphers
diff --git a/racket/collects/openssl/mzssl.rkt b/racket/collects/openssl/mzssl.rkt
index 7429818cd6..63ed823d51 100644
--- a/racket/collects/openssl/mzssl.rkt
+++ b/racket/collects/openssl/mzssl.rkt
@@ -36,9 +36,10 @@ TO DO:
          racket/tcp
          racket/string
          racket/lazy-require
-         racket/runtime-path
+         racket/include
          "libcrypto.rkt"
-         "libssl.rkt")
+         "libssl.rkt"
+         (for-syntax racket/base))
 (lazy-require
  ["private/win32.rkt" (load-win32-store)]
  ["private/macosx.rkt" (load-macosx-keychain)])
@@ -84,7 +85,7 @@ TO DO:
         (list/c 'macosx-keychain path-string?)))
 
 (provide
- ssl-dh4096-param-path
+ ssl-dh4096-param-bytes
  (contract-out
   [ssl-available? boolean?]
   [ssl-load-fail-reason (or/c #f string?)]
@@ -103,7 +104,7 @@ TO DO:
          #:certificate-chain (or/c path-string? #f))
         ssl-server-context?)]
   [ssl-server-context-enable-dhe!
-   (->* (ssl-server-context?) (path-string?) void?)]
+   (->* (ssl-server-context?) ((or/c path-string? bytes?)) void?)]
   [ssl-server-context-enable-ecdhe!
    (->* (ssl-server-context?) (curve/c) void?)]
   [ssl-client-context?
@@ -473,7 +474,15 @@ TO DO:
 (define SSL_TLSEXT_ERR_OK 0)
 (define SSL_TLSEXT_ERR_NOACK 3)
 
-(define-runtime-path ssl-dh4096-param-path "dh4096.pem")
+(define ssl-dh4096-param-bytes
+  (include/reader "dh4096.pem" (lambda (src port)
+                                 (let loop ([accum '()])
+                                   (define bstr (read-bytes 4096 port))
+                                   (if (eof-object? bstr)
+                                       (if (null? accum)
+                                           eof
+                                           (datum->syntax #'here (apply bytes-append (reverse accum))))
+                                       (loop (cons bstr accum)))))))
 
 ;; Make this bigger than 4096 to accommodate at least
 ;; 4096 of unencrypted data
@@ -744,8 +753,10 @@ TO DO:
   (SSL_CTX_ctrl ctx SSL_CTRL_OPTIONS SSL_OP_SINGLE_ECDH_USE #f)
   (void))
 
-(define (ssl-server-context-enable-dhe! context [path ssl-dh4096-param-path])
-  (define params (call-with-input-file path port->bytes))
+(define (ssl-server-context-enable-dhe! context [ssl-dh4096-param ssl-dh4096-param-bytes])
+  (define params (if (bytes? ssl-dh4096-param)
+                     ssl-dh4096-param
+                     (call-with-input-file* ssl-dh4096-param port->bytes)))
   (define params-bio (BIO_new_mem_buf params (bytes-length params)))
   (check-valid params-bio 'ssl-server-context-enable-dhe! "loading Diffie-Hellman parameters")
   (with-failure