Awesome- thank you so much as I would probably never teased this out! Enabling strong crypto for .NET was all we needed to do. As kloostec mentioned, we’ve tweaked our httpd services to bump up the security. As most browsers are happy with those tweaks it didn’t occur to us to check (or that .NET did it’s own thing).
Specifically, via powershell we did:
set strong cryptography on 64 bit .Net Framework (version 4 and above)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
set strong cryptography on 32 bit .Net Framework (version 4 and above)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord