Hi,
at least that it's a good news that it does not enable SSLv3. It sounds like a bug that it falls back to SSLv3 when it can't agree on TLS cipher suite.
Regarding lack of support for new stuff. I agree that it should be better. I think it would be really nice if we could have at least a ciphersuite with perfect forward secrecy. The possible workaround is to use some other reverse proxy with more modern TLS implementation. Regarding 3DES you can disable it. Here is a quote from 510007.
You can use the category to define which ciphersuites are relevant and you can use the category sequence to define which are the preferred ciphersuites; you can specify
"!mMD5", "!mSHA1", or "!eNULL", "!eRC4", "!eDES", "!eRC2"
to remove specific ciphersuites from the selected categories in the list of selectable ciphersuites.
So adding !e3DES should turn it off.
Cheers