I was using an SSL Scanner ruleset that I had imported from my earlier version of MWG. A slight change was made to the newer version's SSL Scanner (the Verify Safe Signature Algorithms rule was made into a ruleset of its own and placed above the Verify Common Name (Proxy Setup) ruleset). After importing the new version, MWG had no problems realizing a CN Mismatch error.
Still, BadSSL.com is a great resource.
Did you ever figure out about the dh1024 setting? I'm having a similar issue with our internal compliance folks complaining about the fact that my policy trips on the same thing on badssl.com. Haven't figured out if we need to disable it and, if so, how you would do that. I'm assuming it's a change to the server-side cipher list in the certificate verification settings, but not 100% sure.
I recently did a workup of a cipher-suite spec. for our configuration. This is based on the cipher-suite listing provided at: Qualys SSL Labs - Projects / User Agent Capabilities: Firefox 49 / Win 7
After tinkering with the openssl ciphers command, this is what I came up with:
I believe this excludes all CBC (Cipher block chaining) suites, but it also seems to exclude all plain vanilla DH suites.
Note that there were a couple of cipher suites available in the latest Firefox and Chrome versions that are not available in Web Gateway. I don't remember what they were, but it's easy enough to figure it out if anyone's interested.
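Added example (not from the poster above, and not Web Gateway code): a small checker for the kind of cipher-string workup described in this post. It parses the `NAME PROTO Kx= Au= Enc= Mac=` lines that `openssl ciphers -v` prints and reports which suites in the resulting list are CBC, which use a static (non-ephemeral) DH key, and which are finite-field ephemeral DH (the "plain vanilla DH" suites that disappear once CBC is excluded, since the DHE suites in the Firefox 49 list are all CBC). The `SAMPLE_OUTPUT` is a hand-constructed, abbreviated imitation of that output so the script runs offline; the cipher string in `__main__` is an assumed example, not the poster's. When an `openssl` binary is on PATH the script runs the real command instead of the sample.

```python
"""Classify the suites an OpenSSL cipher string selects (added example)."""
import re
import shutil
import subprocess

# Constructed sample in the shape of `openssl ciphers -v` output (hand-written,
# abbreviated; not captured from any real system).
SAMPLE_OUTPUT = """\
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(128) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
"""

# One `openssl ciphers -v` line: name, protocol, then Kx/Au/Enc/Mac fields.
CIPHER_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def parse_ciphers(text):
    """Return a list of dicts, one per suite line; non-matching lines are skipped."""
    suites = []
    for line in text.splitlines():
        m = CIPHER_LINE.match(line.strip())
        if m:
            suites.append(m.groupdict())
    return suites


def is_cbc(suite):
    """`-v` output never prints the word CBC: a block cipher paired with a
    separate MAC (anything but AEAD) is a CBC suite. RC4 is the stream-cipher
    exception; Enc=None is a NULL cipher."""
    enc, mac = suite["enc"], suite["mac"]
    if mac == "AEAD" or enc == "None":
        return False
    return not enc.startswith("RC4")


def is_static_dh(suite):
    """Kx=DH/RSA, DH/DSS, ECDH/RSA, ECDH/ECDSA: the DH key is in the
    certificate, so there is no forward secrecy."""
    return "/" in suite["kx"]


def is_ffdhe(suite):
    """Finite-field ephemeral DH (the DHE-* suites) shows as a bare Kx=DH."""
    return suite["kx"] == "DH"


def check_policy(suites):
    """Bucket suite names by the properties a cipher-string workup cares about."""
    return {
        "cbc": [s["name"] for s in suites if is_cbc(s)],
        "static_dh": [s["name"] for s in suites if is_static_dh(s)],
        "ffdhe": [s["name"] for s in suites if is_ffdhe(s)],
    }


def list_ciphers(spec):
    """Run `openssl ciphers -v SPEC`; return None if openssl is missing or the
    spec is rejected, so the caller can fall back to the sample."""
    if shutil.which("openssl") is None:
        return None
    r = subprocess.run(["openssl", "ciphers", "-v", spec],
                       capture_output=True, text=True)
    return r.stdout if r.returncode == 0 else None


if __name__ == "__main__":
    # Assumed example cipher string, not the one from the thread.
    spec = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5"
    text = list_ciphers(spec) or SAMPLE_OUTPUT
    suites = parse_ciphers(text)
    print(f"{len(suites)} suites selected")
    for bucket, names in check_policy(suites).items():
        print(f"{bucket:10s} {', '.join(names) or '(none)'}")
```

Against the constructed sample, the CBC bucket holds every `Enc=AES(...)`/`3DES` suite with a SHA1 MAC, and the only `DHE-*` suite that survives a `!SHA1`-style exclusion of CBC is the GCM one, which is the effect the post describes. Run it with a real spec on the gateway's OpenSSL build to see what that build actually offers.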