I'm having a problem with disabling 3DES on my AS. When scanned by PCI, it detects that 3DES ciphers are available for negotiation on the web interface of the AS. I have disabled everything except AES-256-CBC on the server and client negotiation for tunnels, but it appears that the website itself accepts 3DES, which is where the problem is? I'm not 100% positive about that, but I can't think of anything else if all other ciphers are disabled. For testing, I'm using SSLLabs SSLTest and it shows that the following ciphers are still supported:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 2048 bits FS 112
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH sect571r1 (eq. 15360 bits RSA) FS 112
Am I correct that the website itself is causing this, or am I incorrectly disabling the other ciphers in the config? I am disabling them under Advanced VPN and under Server Config Directives and Client Config Directives; I am using -cipher ciphername for all available ciphers except AES-256-CBC.
Thanks in advance.
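
A check for the situation described in the post, added here as an example and not part of the original post: it sends a TLS 1.2 ClientHello offering only the three 3DES suite ids from the SSL Labs list to a single TCP port and reports which one the server selects, so the web interface port can be tested on its own after each configuration change. The function names, the default port 443 and the omission of SNI are assumptions of the example.

```python
import os
import socket
import struct

# The three suites from the SSL Labs output in the post, keyed by TLS suite id.
TDES = {0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
        0xC012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"}

def vec(n, data):
    """Prefix data with its length as an n-byte big-endian integer."""
    return len(data).to_bytes(n, "big") + data

def client_hello(suites=tuple(TDES)):
    """Build a TLS 1.2 ClientHello record offering only `suites` (no SNI)."""
    exts = b"".join(struct.pack("!H", kind) + vec(2, body) for kind, body in (
        (10, vec(2, bytes.fromhex("001700180019"))),  # groups: P-256, P-384, P-521
        (11, vec(1, b"\x00")),                        # point format: uncompressed
        (13, vec(2, bytes.fromhex("040105010201"))),  # RSA with SHA-256/384/1
    ))
    body = (b"\x03\x03" + os.urandom(32) + vec(1, b"")  # version, random, session id
            + vec(2, b"".join(struct.pack("!H", s) for s in suites))
            + vec(1, b"\x00") + vec(2, exts))           # null compression, extensions
    return b"\x16\x03\x01" + vec(2, b"\x01" + vec(3, body))

def selected_suite(reply):
    """Suite id chosen in a ServerHello record; None for an alert or short read."""
    if len(reply) < 44 or reply[0] != 0x16 or reply[5] != 0x02:
        return None
    pos = 44 + reply[43]  # past record/handshake headers, version, random, session id
    if len(reply) < pos + 2:
        return None
    return struct.unpack_from("!H", reply, pos)[0]

def probe(host, port=443, timeout=5.0):
    """Offer only 3DES to host:port; return the accepted suite name or None."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello())
        reply = b""
        # Read until the first TLS record (ServerHello or alert) is complete.
        while len(reply) < 5 or len(reply) < 5 + int.from_bytes(reply[3:5], "big"):
            chunk = sock.recv(4096)
            if not chunk:
                break
            reply += chunk
    return TDES.get(selected_suite(reply))

if __name__ == "__main__":
    import sys
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe(sys.argv[1], port) or "no 3DES suite accepted")
```

A result of `None` means the server answered with an alert or chose nothing from the 3DES list; a suite name means 3DES is still negotiable on that port.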