Logjam and freak vulnerabilities

[warbot]

Based on this link https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ jruby-openssl is vulnerable to logjam.

Tested on Yosemite 10.10.3, jruby 1.7.19 (1.9.3p551), java 1.8.0_20-b2, OpenSSL 1.0.2a 19 Mar 2015 for testing and cert generation
So I've generated certificate and tried with localhost and WEBrick on a dummy app.

Here's the output from commands to test from openssl blog:

openssl s_client -connect localhost:3043 -cipher "EDH" | grep "Server Temp Key"’ 
=> Server Temp Key: DH, 1024 bits, which is lower than recommended(2048), but still good.

openssl s_client -connect localhost:3043 -cipher "ECDHE" | grep "Server Temp Key"` 
=> Server Temp Key: ECDH, B-571, 570 bits -- which is fine;

openssl s_client -connect localhost:3043 -cipher "EXP"
=> CONNECTED(00000003) and handshake succeed, which is bad.
One should have seen connection refused here

Dummy app: https://github.com/warbot/testopenssl

--- Want to back this issue? **[Post a bounty on it!](https://www.bountysource.com/issues/17561458-logjam-and-freak-vulnerabilities?utm_campaign=plugin&utm_content=tracker%2F136995&utm_medium=issues&utm_source=github)** We accept bounties via [Bountysource](https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F136995&utm_medium=issues&utm_source=github).

[mohamedhafez]

Is jruby-openssl still vulnerable to logjam?