You can get the full output which ciphers have been enumerated (which is the base for the VT in question) in the result of the following VT in your report (you need to update your filter to show “Log” level results accordingly):
Name: SSL/TLS: Report Supported Cipher Suites
OID: 1.3.6.1.4.1.25623.1.0.802067
As i haven’t seen any false reporting of the supported ciphers in all these years (the enumeration should be quite reliable as it looks for a specific hex string the server is choosing in the SSL/TLS handshake) there are two options left:
- The nmap call is done against the 443/tcp port but the result of the mentioned VT is coming from another service (e.g. some third party software on a higher port)
- nmap is internally calling some libraries (like e.g. openssl or some LUA internal libs) which doesn’t support
TLS_RSA_WITH_3DES_EDE_CBC_SHAanymore
I would cross check with https://github.com/rbsec/sslscan (make sure to build it with make static so that the older openssl library is used).