The only reason you would need the CLI is to perform the
tmm --clientciphers
command to detail what ciphers a string will create.
How about this one? You then just need to add this to the cipher string in the clientssl profile.
tmm --clientciphers 'ECDHE_ECDSA:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:DHE+AES-GCM:DHE+AES:DHE+3DES:RSA+AESGCM:-MD5:-SSLv3:-RC4:-3DES'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49196 ECDHE-ECDSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_ECDSA
1: 49188 ECDHE-ECDSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_ECDSA
2: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1 Native AES SHA ECDHE_ECDSA
3: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1.1 Native AES SHA ECDHE_ECDSA
4: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1.2 Native AES SHA ECDHE_ECDSA
5: 49195 ECDHE-ECDSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_ECDSA
6: 49187 ECDHE-ECDSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_ECDSA
7: 49161 ECDHE-ECDSA-AES128-SHA 128 TLS1 Native AES SHA ECDHE_ECDSA
8: 49161 ECDHE-ECDSA-AES128-SHA 128 TLS1.1 Native AES SHA ECDHE_ECDSA
9: 49161 ECDHE-ECDSA-AES128-SHA 128 TLS1.2 Native AES SHA ECDHE_ECDSA
10: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
11: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
12: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
13: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
14: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
15: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
16: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA
17: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
18: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA
19: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
20: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 EDH/RSA
21: 158 DHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 EDH/RSA
22: 107 DHE-RSA-AES256-SHA256 256 TLS1.2 Native AES SHA256 EDH/RSA
23: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA
24: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA
25: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA
26: 57 DHE-RSA-AES256-SHA 256 DTLS1 Native AES SHA EDH/RSA
27: 103 DHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 EDH/RSA
28: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
29: 51 DHE-RSA-AES128-SHA 128 TLS1.1 Native AES SHA EDH/RSA
30: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA
31: 51 DHE-RSA-AES128-SHA 128 DTLS1 Native AES SHA EDH/RSA
By the way, you didn't specify a TLS version, so this includes all TLS versions. If you add -TLSv1 at the end, that would disallow TLS 1.0.
Rgds
N
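Added example, not part of the original post: a small Python parser for the `tmm --clientciphers` output format shown above. It groups suites by the PROT column and reports any rows still offered under protocols you meant to exclude, such as TLS1 after appending `-TLSv1`. The function names are hypothetical, and the embedded sample is a few rows copied from the output above.

```python
import re
import sys
from collections import defaultdict

# Sample input: rows 0, 2, 3, 4, 20 and 26 copied from the output in the post.
SAMPLE = """\
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49196 ECDHE-ECDSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_ECDSA
2: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1 Native AES SHA ECDHE_ECDSA
3: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1.1 Native AES SHA ECDHE_ECDSA
4: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1.2 Native AES SHA ECDHE_ECDSA
20: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 EDH/RSA
26: 57 DHE-RSA-AES256-SHA 256 DTLS1 Native AES SHA EDH/RSA
"""

# One row: "<index>: <id> <suite> <bits> <prot> <method> <cipher> <mac> <keyx>"
ROW = re.compile(
    r"^\s*(?P<index>\d+):\s+(?P<id>\d+)\s+(?P<suite>\S+)\s+(?P<bits>\d+)\s+"
    r"(?P<prot>\S+)\s+(?P<method>\S+)\s+(?P<cipher>\S+)\s+(?P<mac>\S+)\s+(?P<keyx>\S+)\s*$"
)

def parse_clientciphers(text):
    """Return one dict per cipher row; the header and other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            for key in ("index", "id", "bits"):
                row[key] = int(row[key])
            rows.append(row)
    return rows

def suites_by_protocol(rows):
    """Map each PROT value to the suite names listed under it, in output order."""
    grouped = defaultdict(list)
    for row in rows:
        grouped[row["prot"]].append(row["suite"])
    return dict(grouped)

def forbidden_rows(rows, forbidden):
    """Rows whose PROT is in `forbidden`, i.e. what the cipher string still allows."""
    return [row for row in rows if row["prot"] in forbidden]

if __name__ == "__main__":
    # Pipe real output in (tmm --clientciphers '...' | python3 this.py) or use the sample.
    rows = parse_clientciphers(SAMPLE if sys.stdin.isatty() else sys.stdin.read())
    for prot, suites in sorted(suites_by_protocol(rows).items()):
        print(f"{prot:7} {len(suites):3}  {', '.join(suites)}")
    bad = forbidden_rows(rows, {"TLS1"})
    print("TLS1 rows still offered:", [row["index"] for row in bad])
    sys.exit(1 if bad else 0)
```

The non-zero exit status when a forbidden protocol is still listed lets the check gate a change script before the string is saved to the profile.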