TLS Ciphers used by C670 running 8.5.6-063 in FIPS mode?
07-24-2014 06:27 AM
Can someone provide me the list of TLS ciphers that a C670 running 8.5.6-063 in FIPS mode supports?
I'm getting some:
Wed Jul 16 08:54:00 2014 Info: ICID 66350440 TLS failed: (336151538, 'error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message'
errors that I would like to begin troubleshooting.
thanks,
Jason
Labels: Email Security

07-25-2014 09:20 AM
8.5.6 does not support FIPS. It's only supported on the 7.3.x (using a X1070F appliance) or on the 8.0.2 (using any supported appliance) versions of AsyncOS.
Use the sslconfig command to choose ciphers you wish to use.
Raymond
08-05-2014 09:02 AM
My appliances are running version 8.5.6-063 and are in FIPS mode, see below:
(Machine removed)> sslconfig
This command is restricted to "cluster" mode. Would you like to switch to "cluster" mode? [Y]>
sslconfig settings:
GUI HTTPS method: tlsv1
GUI HTTPS ciphers: FIPS
Inbound SMTP method: tlsv1
Inbound SMTP ciphers: FIPS
Outbound SMTP method: tlsv1
Outbound SMTP ciphers: FIPS:-aNULL
You cannot change server and client methods and cipher suites in the FIPS 140-2 compliance mode.
(Cluster IronPort_Cluster)> version
This command is restricted to "machine" mode. Would you like to switch to "machine" mode? [Y]>
Choose a machine.
1. removed (group Main_Group)
2. removed (group Main_Group)
[1]>
Current Version
===============
Product: Cisco IronPort C670 Messaging Gateway(tm) Appliance
Model: C670
Version: 8.5.6-063
Build Date: 2014-05-23
I'd like to know what TLS ciphers these appliances can negotiate, please.

08-05-2014 09:17 AM
Please see page 24-2
http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa8-0-2/user_guide/ESA_8-0-2_User_Guide.pdf
It states "Only the following SSL ciphers are supported in FIPS mode: AES256-SHA:AES128-SHA:DES-CBC3-SHA"
08-05-2014 09:22 AM
Thank you for the link, that helps. However, I am seeing the following TLS ciphers used by my appliance and connections successfully established with the following:
AES128-SHA
DHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA
ADH-AES256-SHA
AES256-SHA
DES-CBC3-SHA
Is this correct or do I have a problem?
08-06-2014 11:39 AM
8.0.2 has the FIPSCHECK command that will verify if you have anything that is non-compliant set up. You could try disabling FIPS, make sure that only the supported ciphers are enabled and then go back to FIPS mode.
If that doesn't work you might need to contact TAC about help with a downrev.
08-06-2014 03:23 PM
Hmm, FIPSCHECK is an unknown command on 8.5.6.
08-18-2014 07:28 PM
I believe you already got an answer back on this with the direct support case that was opened... but just to verify and follow-up on the forums side... without FIPS enabled, you can run sslconfig > verify and get the following output for FIPS:-aNULL
[]> FIPS:-aNULL
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
-Robert
Robert Sherwin
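Added here as a worked check, not code from the thread or from Cisco: this Python script parses the sslconfig > verify listing quoted above (the cipher lines are the ones Robert posted, embedded as a constructed sample) and classifies the cipher names the original poster saw negotiated against both that suite and the FIPS list quoted from the 8.0.2 user guide, flagging the ADH suite as anonymous key exchange. The verdict labels are my own.

```python
import re

# Constructed sample: the `sslconfig > verify` listing for FIPS:-aNULL quoted in the thread.
VERIFY_OUTPUT = """\
[]> FIPS:-aNULL
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
"""
# Ciphers the ESA 8.0.2 user guide lists for FIPS mode, and the names the poster saw negotiated.
DOCUMENTED_FIPS = "AES256-SHA:AES128-SHA:DES-CBC3-SHA".split(":")
OBSERVED = ["AES128-SHA", "DHE-RSA-AES256-SHA", "DHE-RSA-AES128-SHA",
            "ADH-AES256-SHA", "AES256-SHA", "DES-CBC3-SHA"]

# One OpenSSL-style verify line: NAME PROTO Kx=.. Au=.. Enc=.. Mac=..
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)$")

def parse_verify(text: str) -> dict:
    """Map each cipher name in the verify listing to its key exchange, auth, encryption and MAC."""
    suites = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[]>"):  # blank line or the CLI prompt echo
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised verify line: {line!r}")
        name, proto, kx, au, enc, mac = m.groups()
        suites[name] = {"proto": proto, "kx": kx, "au": au, "enc": enc, "mac": mac}
    return suites

def audit(observed, suites, documented) -> dict:
    """Classify each negotiated cipher against the verified suite and the documented FIPS list."""
    report = {}
    for name in observed:
        if name in documented:
            report[name] = "documented FIPS cipher"
        elif name in suites:
            report[name] = "in FIPS:-aNULL suite but not in the documented list"
        elif name.startswith("ADH-"):  # anonymous DH: no peer authentication, removed by -aNULL
            report[name] = "anonymous DH, excluded from FIPS:-aNULL"
        else:
            report[name] = "not in FIPS:-aNULL suite"
    return report
```

Running `audit(OBSERVED, parse_verify(VERIFY_OUTPUT), DOCUMENTED_FIPS)` gives one verdict per observed cipher name; only the ADH entry falls outside the FIPS:-aNULL suite.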
08-19-2014 03:35 PM
OK, but doesn't enabling FIPS mode change the TLS ciphers that the appliance uses?
08-21-2014 07:27 AM
Correct - once you do enable FIPS mode - it changes the ciphers to the FIPS cipher suite --- this is just the verification of that suite. With FIPS enabled, you cannot run the verify option against it...
> sslconfig
sslconfig settings:
GUI HTTPS method: tlsv1
GUI HTTPS ciphers: FIPS
Inbound SMTP method: tlsv1
Inbound SMTP ciphers: FIPS
Outbound SMTP method: tlsv1
Outbound SMTP ciphers: FIPS:-aNULL
You cannot change server and client methods and cipher suites in the FIPS 140-2 compliance mode.
So - outside of FIPS mode enabled - that is the string return against the FIPS cipher suite.
-Robert
Robert Sherwin
