I have used the following two SKs to disable a number of ciphers and limited to TLS1.2
SK126613: Change the ciphersuite using cipher utility
SK147272: Change the cipher suite settings in httpd-ssl.conf.templ
They were successful, up to a certain point. That point is the remove of further "weak" ciphers (TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA), which my security team identified as static cipher suites.
I've tried to reapply these SKs but when I run nmap, the three ciphers still return.
For SK147272, we had replaced the existing ciphersuite as proposed by the SK “SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1” to
But nothing helped. Anyone has any clue? I have raised this to TAC but no updates yet.