How do I disable some cipher suites in Webserver Protection?

Question

After running an SSL check for one of our sites, which is served by our UTM, it turned up that we have 3 weak ciphers being supported by the UTM: 
 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA _0xc012_ ECDH secp256r1 _eq. 3072 bits RSA_ FS WEAK 112 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA _0x16_ DH 2048 bits FS WEAK 112 TLS_RSA_WITH_3DES_EDE_CBC_SHA _0xa_ WEAK 112 
 How do I disable these ciphers?

DouglasFoster · Accepted Answer

I have chased these issues, and what follows below are from my notes. The current settings vary with the UTM release. The new settings are suggestions, which you should be able to tailor to your preference by mimicking the examples. 
 HIGH, MEDIUM, and LOW are OpenSSL keywords which correspond to a bundle of ciphers. Only HIGH ciphers are considered acceptable anymore. 
 To test the cipher results for any given keyword combination, you can use this command from the shell 
 openssl ciphers keywordlist 
 Except that not (like !MD5 ) commands, you need to add an escape from the shell, 
 for example: 
 openssl ciphers HIGH:\!MD5:\!SHA1 
 -------------------------------------------------

Applies to: WebAdmin, User Portal, Mail Manager, SPX Reply Portal 
 cd /var/sec/chroot-httpd/etc/httpd/ 
 vi httpd.conf --- Current ----- SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AES:!ADH:!AECDH:!MD5:!DSS:!3DES SSLProtocol +TLSv1.1 +TLSv1.2 --- New ----- SSLCipherSuite HIGH:!MD5:!SHA1 SSLProtocol +TLSv1.2 ------------- 
 /etc/init.d/httpd restart 
 *** completed **** still have cert issue ================================================================== 
 Applies to: WAF ReverseProxy 
 cd /var/chroot-reverseproxy/usr/apache/conf/ 
 vi httpd.conf --- Current ----- SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS SSLProtocol all -SSLv2 -SSLv3 --- New ----- SSLCipherSuite HIGH:!MD5:!SHA1 SSLProtocol +TLSv1.2 ------------- 
 /var/mdw/scripts/reverseproxy restart

floppyraid · Answer

So the long story short is if you enable the 'Strict Policy' option on the IPSec policy it resolves the issue. Why that isn't by default, I have no idea. And why the Sophos will respond to IPSec policies that aren't even listed in profiles, and in fact claim to be disabled entirely in the config files under the hood, Sophos support doesn't know. 
 I did my own scanning to verify and found that without the 'Strict Policy' option enabled the Sophos will respond to and negotiate a SA with the following:

Encryption

Hash

DH group

Blowfish

MD5

1

Blowfish

MD5

2

Blowfish

MD5

5

Blowfish

MD5

14

Blowfish

SHA1

1

Blowfish

SHA1

2

Blowfish

SHA1

5

Blowfish

SHA1

14

Blowfish

SHA2-256

1

Blowfish

SHA2-256

2

Blowfish

SHA2-256

5

Blowfish

SHA2-256

14

Blowfish

SHA2-384

1

Blowfish

SHA2-384

2

Blowfish

SHA2-384

5

Blowfish

SHA2-384

14

Blowfish

SHA2-512

1

Blowfish

SHA2-512

2

Blowfish

SHA2-512

5

Blowfish

SHA2-512

14

3DES

MD5

1

3DES

MD5

2

3DES

MD5

5

3DES

MD5

14

3DES

SHA1

1

3DES

SHA1

2

3DES

SHA1

5

3DES

SHA1

14

3DES

SHA2-256

1

3DES

SHA2-256

2

3DES

SHA2-256

5

3DES

SHA2-256

14

3DES

SHA2-384

1

3DES

SHA2-384

2

3DES

SHA2-384

5

3DES

SHA2-384

14

3DES

SHA2-512

1

3DES

SHA2-512

2

3DES

SHA2-512

5

3DES

SHA2-512

14

AES128

MD5

1

AES128

MD5

2

AES128

MD5

5

AES128

MD5

14

AES128

SHA1

1

AES128

SHA1

2

AES128

SHA1

5

AES128

SHA1

14

AES128

SHA2-256

1

AES128

SHA2-256

2

AES128

SHA2-256

5

AES128

SHA2-256

14

AES128

SHA2-384

1

AES128

SHA2-384

2

AES128

SHA2-384

5

AES128

SHA2-384

14

AES128

SHA2-512

1

AES128

SHA2-512

2

AES128

SHA2-512

5

AES128

SHA2-512

14

AES192

MD5

1

AES192

MD5

2

AES192

MD5

5

AES192

MD5

14

AES192

SHA1

1

AES192

SHA1

2

AES192

SHA1

5

AES192

SHA1

14

AES192

SHA2-256

1

AES192

SHA2-256

2

AES192

SHA2-256

5

AES192

SHA2-256

14

AES192

SHA2-384

1

AES192

SHA2-384

2

AES192

SHA2-384

5

AES192

SHA2-384

14

AES192

SHA2-512

1

AES192

SHA2-512

2

AES192

SHA2-512

5

AES192

SHA2-512

14

AES256

MD5

1

AES256

MD5

2

AES256

MD5

5

AES256

MD5

14

AES256

SHA1

1

AES256

SHA1

2

AES256

SHA1

5

AES256

SHA1

14

AES256

SHA2-256

1

AES256

SHA2-256

2

AES256

SHA2-256

5

AES256

SHA2-256

14

AES256

SHA2-384

1

AES256

SHA2-384

2

AES256

SHA2-384

5

AES256

SHA2-384

14

AES256

SHA2-512

1

AES256

SHA2-512

2

AES256

SHA2-512

5

AES256

SHA2-512

14