sunhux

asked on

How to verify IIS, Apache & SMTP is vulnerable to Logjam

Q1:
Can I use the openssl client command to verify if our IIS, Apache are vulnerable?
What's the exact syntax/command?
Is it "openssl s_client -connect IP_addr:443"?

Q2:
Are TLS1.0, TLS1.1 or TLS1.2 vulnerable?

Q3:
How do I verify our SMTP (Linux customized sendmail) is vulnerable?
SOLUTION
Mohamed Magdy
sunhux

ASKER

For SMTP test, what's given in the link doesn't quite work for me
(though for SSL websites, this same openssl.exe utility works):

C:\Openssl102>openssl s_client -connect gmail.com:25 -starttls smtp -cipher "EDH" -
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
unknown option -
usage: s_client args

 -host host     - use -connect instead
 -port port     - use -connect instead
 -connect host:port - who to connect to (default is localhost:4433)
 -verify_host host - check peer certificate matches "host"
 -verify_email email - check peer certificate matches "email"
 -verify_ip ipaddr - check peer certificate matches "ipaddr"
 -verify arg   - turn on peer certificate verification
 -verify_return_error - return verification errors
 -cert arg     - certificate file to use, PEM format assumed
 -certform arg - certificate format (PEM or DER) PEM default
 -key arg      - Private key file to use, in cert file if
                 not specified but cert file is.
 -keyform arg  - key format (PEM or DER) PEM default
 -pass arg     - private key file pass phrase source
 -CApath arg   - PEM format directory of CA's
 -CAfile arg   - PEM format file of CA's
 -reconnect    - Drop and re-make the connection with the same Session-ID
 -pause        - sleep(1) after each read(2) and write(2) system call
 -prexit       - print session information even on connection failure
 -showcerts    - show all certificates in the chain
 -debug        - extra output
 -msg          - Show protocol messages
 -nbio_test    - more ssl protocol testing
 -state        - print the 'ssl' states
 -nbio         - Run with non-blocking IO
 -crlf         - convert LF from terminal into CRLF
 -quiet        - no s_client output
 -ign_eof      - ignore input eof (default when -quiet)
 -no_ign_eof   - don't ignore input eof
 -psk_identity arg - PSK identity
 -psk arg      - PSK in hex (without 0x)
 -srpuser user     - SRP authentification for 'user'
 -srppass arg      - password for 'user'
 -srp_lateuser     - SRP username into second ClientHello message
 -srp_moregroups   - Tolerate other than the known g N values.
 -srp_strength int - minimal length in bits for N (default 1024).
 -ssl2         - just use SSLv2
 -ssl3         - just use SSLv3
 -tls1_2       - just use TLSv1.2
 -tls1_1       - just use TLSv1.1
 -tls1         - just use TLSv1
 -dtls1        - just use DTLSv1
 -fallback_scsv - send TLS_FALLBACK_SCSV
 -mtu          - set the link layer MTU
 -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol
 -bugs         - Switch on all SSL implementation bug workarounds
 -serverpref   - Use server's cipher preferences (only SSLv2)
 -cipher       - preferred cipher to use, use the 'openssl ciphers'
                 command to see what is available
 -starttls prot - use the STARTTLS command before starting TLS
                 for those protocols that support it, where
                 'prot' defines which one to assume.  Currently,
                 only "smtp", "pop3", "imap", "ftp" and "xmpp"
                 are supported.
 -engine id    - Initialise and use the specified engine
 -rand file;file;...
 -sess_out arg - file to write SSL session to
 -sess_in arg  - file to read SSL session from
 -servername host  - Set TLS extension servername in ClientHello
 -tlsextdebug      - hex dump of all TLS extensions received
 -status           - request certificate status from server
 -no_ticket        - disable use of RFC4507bis session tickets
 -serverinfo types - send empty ClientHello extensions (comma-separated numbers)

 -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)
 -alpn arg         - enable ALPN extension, considering named protocols supported (comma-separated list)
 -legacy_renegotiation - enable use of legacy renegotiation (dangerous)
 -use_srtp profiles - Offer SRTP key management with a colon-separated profile list
 -keymatexport label   - Export keying material using label
 -keymatexportlen len  - Export len bytes of keying material (default 20)

ASKER

So are TLSv1.0 or TLSv1.1 vulnerable?


Looks like the openssl command I used previously is meant for Linux openssl.

Windows openssl has different syntax but I still don't know how to interpret if
the output below means it's vulnerable or otherwise:

C:\Openssl102>openssl s_client -connect internet-banking.dbs.com.sg:443 -tls1_1 -cipher "EDH"

CONNECTED(000001AC)
1148:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:.\ssl\s3_pkt.c:1456:SSL alert number 40
1148:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:.\ssl\s3_pkt.c:644:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1432922310
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
ASKER CERTIFIED SOLUTION
btan


ASKER

C:\Openssl102> openssl s_client -connect  internet-banking.dbs.com.sg:443 -starttls imap -cipher EDH -msg

Loading 'screen' into random state - done
CONNECTED(000001C0)
didn't found STARTTLS in server response, try anyway...
>>> TLS 1.2  [length 0005]
    16 03 01 00 8c
>>> TLS 1.2 Handshake [length 008c], ClientHello
    01 00 00 88 03 03 b6 de f1 f7 ce c0 b0 ca e2 86
    . . .
    03 02 01 02 02 02 03 00 0f 00 01 01
write:errno=10053
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 171 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
---
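
An added example, not part of the original thread or written by any of its posters: a POSIX shell function that reads captured "openssl s_client" output and says how to read it for a Logjam check, covering both the alert-40 output and the write:errno output posted above. It assumes OpenSSL 1.0.2 or later, which prints a "Server Temp Key" line after a DHE handshake; the function name, the verdict labels and the 1024/2048-bit thresholds are choices made for this example, and the sample text is constructed.

```shell
# Added example: interpret captured `openssl s_client -cipher "EDH"` (or "EXP") output.
# Usage: openssl s_client -connect HOST:443 -cipher EDH 2>&1 </dev/null | classify_s_client
classify_s_client() {
    out=$(tr -d '\r')   # tolerate CRLF output captured on Windows

    # Socket error or nothing read back: the TLS handshake never started,
    # so this run says nothing about the server's DHE support.
    if printf '%s\n' "$out" | grep -Eq 'handshake has read 0 bytes|(write|connect):errno='; then
        echo "INCONCLUSIVE: no TLS handshake took place (check port and -starttls protocol)"
        return 0
    fi

    # The server answered but no cipher was agreed (e.g. alert 40): it refused
    # the offered cipher/protocol combination. Rerun without a -tls1_x switch
    # to tell "DHE disabled" apart from "this protocol version disabled".
    if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo "REFUSED: server rejected the offered ciphers for this protocol version"
        return 0
    fi

    cipher=$(printf '%s\n' "$out" | sed -n 's/^New, .*Cipher is \(.*\)$/\1/p' | head -n 1)
    bits=$(printf '%s\n' "$out" | sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1)

    case "$cipher" in
        EXP-*) echo "VULNERABLE: export-grade cipher $cipher accepted"; return 0 ;;
    esac
    if [ -z "$bits" ]; then
        echo "UNKNOWN: handshake used $cipher but no DH 'Server Temp Key' line was printed"
    elif [ "$bits" -lt 1024 ]; then
        echo "VULNERABLE: $cipher with $bits-bit DH group"
    elif [ "$bits" -lt 2048 ]; then
        echo "WEAK: $cipher with $bits-bit DH group"
    else
        echo "OK: $cipher with $bits-bit DH group"
    fi
}

# Constructed sample: the relevant lines of a successful DHE handshake.
SAMPLE_DHE_1024='CONNECTED(00000003)
Server Temp Key: DH, 1024 bits
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA'
printf '%s\n' "$SAMPLE_DHE_1024" | classify_s_client
```

A REFUSED result for one protocol switch covers only that protocol version, so the check has to be repeated for each version the server accepts.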
SOLUTION