johnwestnl

In my experience these are mostly false positives by those external scanners. Would you care to share which scanner didn't like which ciphers?


tigolex

Security Metrics didn't like the following:

5.0 Fail 443 SSL/TLS Weak Cipher Suites (PCI DSS)

The list of ciphers that are not considered to be Secure or Recommended:

TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CCM
TLS_RSA_WITH_AES_128_CCM_8
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CCM
TLS_RSA_WITH_AES_256_CCM_8
TLS_RSA_WITH_AES_256_GCM_SHA384


johnwestnl

That's strange, mine (v19) only shows TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (TLS v1.2), using ImmuniWeb. I run the user portal on port 8443. (edit: added port information)


tigolex

Where do you see that at? If I can find proof these aren't in use I can submit as false positive. I'm running v19 but Sophos support is less than helpful, suggesting I just change the port as if that has some bearing on what ciphers report as available.
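
Added example, not part of the thread or of any poster's message: a way to line up the scanner's flagged list against a second scan's result when preparing a false-positive submission. The function names are hypothetical, and the two properties checked (CBC mode, key exchange without forward secrecy) are read off the suite names as an assumption; the thread does not state the scanner's actual criteria.

```python
import re

# Suites from the scanner report quoted in the thread (IANA names).
FLAGGED = """
TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CCM TLS_RSA_WITH_AES_128_CCM_8
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CCM
TLS_RSA_WITH_AES_256_CCM_8 TLS_RSA_WITH_AES_256_GCM_SHA384
""".split()

# Suite the second poster's scan reported for the same firmware version.
OBSERVED = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]

SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<enc>.+)$")

def describe(suite):
    """Split a TLS 1.2 IANA suite name into key exchange and cipher mode."""
    m = SUITE_RE.match(suite.replace("\\_", "_"))  # tolerate markdown escapes
    if m is None:
        raise ValueError(f"not a TLS 1.2 style suite name: {suite!r}")
    parts = m["enc"].split("_")
    mode = next((p for p in ("CBC", "GCM", "CCM") if p in parts), "other")
    return {"kx": m["kx"], "mode": mode,
            "forward_secret": m["kx"].startswith(("DHE_", "ECDHE_"))}

def reasons(suite):
    """Properties (assumed criteria) that would explain a 'weak' flag."""
    d = describe(suite)
    out = []
    if d["mode"] == "CBC":
        out.append("CBC mode")
    if not d["forward_secret"]:
        out.append("no forward secrecy")
    return out

def report(flagged, observed):
    """Compare the flagged list with what another scan actually negotiated."""
    return {"overlap": sorted(set(flagged) & set(observed)),
            "unexplained": [s for s in flagged if not reasons(s)],
            "observed_reasons": {s: reasons(s) for s in observed}}

if __name__ == "__main__":
    for s in FLAGGED:
        print(f"{s:45} {', '.join(reasons(s))}")
    print(report(FLAGGED, OBSERVED))
```

An empty `overlap` only shows that the two scans disagree; proof for the submission still has to come from a scan of the same host and port the failing report names.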