Hi Ananda,
The short answer, no, cipher suite "AES128-SHA256" does not work, because it requires OpenSSL libraries 1.0.1 or higher.
To answer your other questions, yes, I did use SSLv3 as a fallback, and yes, if you add in the cipher AES128-SHA256, which is TLS 1.2 compliant...you will have to add in the SSLv3 for the fallback, or it will not work. So basically, there is no need to add AES128-SHA256. Just put in the SSLv3 cipher.
So instead of this: AES128-SHA256:RC4-SHA
Just use this: RC4-SHA
The reason being is because the system probes (i.e. ntservices, ntevl, cdm, etc), as of today (4.10.2018), only support OpenSSL 1.0.0m (This can be confirmed in the release notes of each probe). CA will need to implement at least OpenSSL 1.0.1 libraries in to their probes, before we (the customer) can begin encrypting our internal probe communications over TLS 1.2.
The CA Support engineer I spoke with stated that there currently is no talk of dev implementing these libraries into their probes. In order for them (CA dev) to move this up the priority list, we will need to submit an Idea, and then hope that enough people back it.
Do note that the hub probe does support the appropriate OpenSSL libraries for TLS 1.2 encryption. So if you create a tunnel from client side hub to server side hub, you can encrypt that traffic in TLS 1.2.
Thanks,
Chris A.