diff --git a/reg-tests/converter/sha2.vtc b/reg-tests/converter/sha2.vtc
index 0354b0a209..6ca021a8b7 100644
--- a/reg-tests/converter/sha2.vtc
+++ b/reg-tests/converter/sha2.vtc
@@ -8,7 +8,7 @@ feature ignore_unknown_macro
 server s1 {
 	rxreq
 	txresp
-} -repeat 3 -start
+} -repeat 2 -start
 
 haproxy h1 -conf {
     defaults
@@ -28,7 +28,6 @@ haproxy h1 -conf {
 	http-response set-header SHA2-256   "%[var(txn.hash),sha2(256),hex,lower]"
 	http-response set-header SHA2-384   "%[var(txn.hash),sha2(384),hex,lower]"
 	http-response set-header SHA2-512   "%[var(txn.hash),sha2(512),hex,lower]"
-	http-response set-header SHA2-invalid   "%[var(txn.hash),sha2(1),hex,lower]"
 
 	default_backend be
 
@@ -46,7 +45,6 @@ client c1 -connect ${h1_fe_sock} {
 	expect resp.http.sha2-256 == "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b"
 	expect resp.http.sha2-384 == "47f05d367b0c32e438fb63e6cf4a5f35c2aa2f90dc7543f8a41a0f95ce8a40a313ab5cf36134a2068c4c969cb50db776"
 	expect resp.http.sha2-512 == "4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a"
-	expect resp.http.sha2-invalid == ""
 	txreq -url "/" \
 	  -hdr "Hash: 2"
 	rxresp
@@ -56,5 +54,4 @@ client c1 -connect ${h1_fe_sock} {
 	expect resp.http.sha2-256 == "d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35"
 	expect resp.http.sha2-384 == "d063457705d66d6f016e4cdd747db3af8d70ebfd36badd63de6c8ca4a9d8bfb5d874e7fbd750aa804dcaddae7eeef51e"
 	expect resp.http.sha2-512 == "40b244112641dd78dd4f93b6c9190dd46e0099194d5a44257b7efad6ef9ff4683da1eda0244448cb343aa688f5d3efd7314dafe580ac0bcbf115aeca9e8dc114"
-	expect resp.http.sha2-invalid == ""
 } -run
diff --git a/src/sample.c b/src/sample.c
index b124c4b861..82078fce1d 100644
--- a/src/sample.c
+++ b/src/sample.c
@@ -1531,6 +1531,29 @@ static int sample_conv_sha1(const struct arg *arg_p, struct sample *smp, void *p
 }
 
 #ifdef USE_OPENSSL
+static int smp_check_sha2(struct arg *args, struct sample_conv *conv,
+                          const char *file, int line, char **err)
+{
+	if (args[0].type == ARGT_STOP)
+		return 1;
+	if (args[0].type != ARGT_SINT) {
+		memprintf(err, "Invalid type '%s'", arg_type_names[args[0].type]);
+		return 0;
+	}
+
+	switch (args[0].data.sint) {
+		case 224:
+		case 256:
+		case 384:
+		case 512:
+			/* this is okay */
+			return 1;
+		default:
+			memprintf(err, "Unsupported number of bits: '%lld'", args[0].data.sint);
+			return 0;
+	}
+}
+
 static int sample_conv_sha2(const struct arg *arg_p, struct sample *smp, void *private)
 {
 	struct buffer *trash = get_trash_chunk();
@@ -3362,7 +3385,7 @@ static struct sample_conv_kw_list sample_conv_kws = {ILH, {
 	{ "regsub", sample_conv_regsub,    ARG3(2,REG,STR,STR), sample_conv_regsub_check, SMP_T_STR, SMP_T_STR },
 	{ "sha1",   sample_conv_sha1,      0,            NULL, SMP_T_BIN,  SMP_T_BIN  },
 #ifdef USE_OPENSSL
-	{ "sha2",   sample_conv_sha2,      ARG1(0, SINT),            NULL, SMP_T_BIN,  SMP_T_BIN  },
+	{ "sha2",   sample_conv_sha2,      ARG1(0, SINT), smp_check_sha2, SMP_T_BIN,  SMP_T_BIN  },
 #endif
 	{ "concat", sample_conv_concat,    ARG3(1,STR,STR,STR), smp_check_concat, SMP_T_STR,  SMP_T_STR },
 	{ "strcmp", sample_conv_strcmp,    ARG1(1,STR), smp_check_strcmp, SMP_T_STR,  SMP_T_SINT },