I've mentioned this in other posts; there are now many sites that will reject clients allowing weak SSL settings--regardless of what stronger settings you allow. SSL v3 is a common one to be rejected, but there are others.
I suggest setting up a rule that uses different SSL settings for destinations like this.
I highly recommend Qualys SSL Labs Server Test, and they give the destination you mentioned a grade of 'C': SSL Server Test: www.web.statistik.zh.ch (Powered by Qualys SSL Labs)
The summary from that test states:
This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
This server does not mitigate the CRIME attack. Grade capped to C.
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C.
The server does not support Forward Secrecy with the reference browsers.
And, given the cipher suites listed in that test, I recommend these cipher settings: HIGH:SSLv3:!SEED:!IDEA:!aNULL:!eNULL:!ADH:!CAMELLIA:!PSK:!RC4:!MD5:-ECDH:ECDHE:- DH:-kEDH:DHE:@STRENGTH:+RSA
Note that this includes SHA1 and 3DES, which are not recommended, but that site can't do better.
Other settings may also be needed.
You'll find more detail here: sslv3 errors
EDIT: Eeek! Just realized SSL Labs Server Test won't do ports other than 443. So, we'd be guessing that the test results would be the same--however likely.
I found the problem. I realized that this server runs two different websites on the same name and IP. The standard one on 443 only supports weak ciphers and I overlooked that we had this one already in our special rule for weak ciphers (by name). Now the website on port 8443 requires strong ssl settings and therefore refuses to talk with the weak ciphers we offer for that server.
I guess I have to set up a special rule for this case. Too bad they don't have a consistent setup on their server.
I've done plenty of research on this. It's amazing how much inconsistency there is. Yet, security is a moving target, and it had been difficult to find authoritative answers on what would be a could configuration. Tip of the hat to Qualys SSL Labs.