[Logjam]HTTPS-crippling attack threatens tens of thousands of Web and mail servers

I did that but this logjam vulnerability test https://www.ssllabs.com:10445/ still connects with a DHE cipher. I closed out the browser and double checked to make sure all the DHE ciphers are disabled in the config and they are but it connects to that test using;
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 112 bit keys
I am going through the rest of the ciphers and finding out what else needs to be disabled.

Edit: That was a glitch, I rebooted and now it passes the test with the DHE ciphers disabled in config.
I guess this means we can fix browsers to some extent although I am not entirely convinced especially after reading Mathew Green's article which suggests any cipher suites that do not use elliptic curve and use less than 2028bit primes are not secure but aside from that what about other apps like email clients we have no way to know what cipher they use.

 

DH lower than 1024 bit is blocked in Opera 30:
http://blogs.opera.com/security/2015/06/unjam-the-logjam/

Yes, 1024 bit DH is still not good, especially when the webserver uses a common DH Prime. Other apps is also a problem though if you use Thunderbird there is also a Config editor like about:config under Settings -> Advanced where you can disable ciphers and older TLS/SSL versions, though there is no quick way to find out what the email server supports, so it's a bit trial and error.(Note that TB needs to restart as well before the changes are applied.)

 

Web browsers should pop up a warning when a website negotiates a cipher that is not ECDH, that should cause website admins to disable weak ciphers not least as a response to users complaints.

 

Pale Moon 25.5.0 blocks DHE keys lower than 1024 bit.

Cyberfox 38.0.5 has DHE ciphers disabled.

 

I think we can use wireshark to see which ciphers are used I'm going to try it.

 

Yes, that can work but I'm not sure if you can see just the used cipher after handshake has been finished or also the whole list of supported ciphers from the server.

 

Torbrowser 4.5.2 and 5.0a2 both block lower than 1024 bit.

 

I got around to installing wireshark and testing this, you are right you can't see which ciphers the server supports, the server never sends that information, but you can see the list of ciphers the client sends to the server and the one the server chooses.

 

The new Apple security updates change the minimum DH bits requirements, but only to 768 bits.
https://support.apple.com/nl-nl/HT204942

 

Firefox 39 now has a minimum of 1023 bits.

 

Finally, Chrome has now also a 1024 bits minimum since v45.