diff --git a/doc/Changelog b/doc/Changelog
index 28ff7f89c..c9d868a67 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,6 +1,7 @@
 25 March 2019: Wouter
 	- Fix that tls-session-ticket-keys: "" on its own in unbound.conf
 	  disables the tls session ticker key calls into the OpenSSL API.
+	- Fix crash if tls-servic-pem not filled in when necessary.
 
 21 March 2019: Wouter
 	- Fix #4240: Fix whitespace cleanup in example.conf.
diff --git a/util/net_help.c b/util/net_help.c
index 2b1be9246..a6c3fd5cc 100644
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -802,6 +802,16 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
 		log_crypto_err("could not SSL_CTX_new");
 		return NULL;
 	}
+	if(!key || key[0] == 0) {
+		log_err("error: no tls-service-key file specified");
+		SSL_CTX_free(ctx);
+		return NULL;
+	}
+	if(!pem || pem[0] == 0) {
+		log_err("error: no tls-service-pem file specified");
+		SSL_CTX_free(ctx);
+		return NULL;
+	}
 	if(!listen_sslctx_setup(ctx)) {
 		SSL_CTX_free(ctx);
 		return NULL;