@Stephen:
If the client does not offer the cipher you want to see, you cannot assume anything. The client might have good reasons not to offer SHA256.
So, you still have only those options I described. I would suggest option 2. In your example, the client MIGHT be able to handle SHA256, but you don't know, as it did not indicate that by offering the right cipher. If you answer with SHA256, and the client is not able to handle it, you will create an SSL handshake error and you have no chance at all to tell the client to try again with a different cipher set.
So, in your example, the remaining option is to use a "weak" SSL client profile for that request, redirect the client to an error page and tell it to upgrade or change the configuration/cipher set.
Regards
Kurt Knochner
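
The decision described in the post above, as an added example that is not part of the original reply: the server reads the cipher suites a ClientHello actually offers and only then chooses between a strong profile and a weak profile with a redirect. The function names, the "strong" / "weak-redirect" labels and the sample ClientHello bytes are constructed for illustration; the suite IDs are a subset of the IANA registry.

```python
import struct

# Subset of IANA TLS cipher suite IDs that use SHA-256 as MAC or PRF (not exhaustive).
SHA256_SUITES = {
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

def offered_suites(hello):
    """Return the cipher suite IDs listed in a ClientHello handshake message."""
    if len(hello) < 39 or hello[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                 # handshake header, client_version, random
    pos += 1 + hello[pos]            # skip session_id (1-byte length prefix)
    if pos + 2 > len(hello):
        raise ValueError("truncated before cipher_suites")
    (n,) = struct.unpack_from("!H", hello, pos)
    pos += 2
    if n % 2 or pos + n > len(hello):
        raise ValueError("malformed cipher_suites")
    return list(struct.unpack_from("!%dH" % (n // 2), hello, pos))

def choose_profile(hello):
    """Select only from what the client offered; never answer with an unoffered suite."""
    for suite in offered_suites(hello):
        if suite in SHA256_SUITES:
            return ("strong", suite)
    # No SHA256 suite offered: finish the handshake on the weak profile so the
    # request can be answered with a redirect to an upgrade/error page.
    return ("weak-redirect", None)

def build_hello(suites):
    """Constructed sample ClientHello (TLS 1.2, zero random, no extensions)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session_id
    body += struct.pack("!H", len(suites) * 2)
    body += struct.pack("!%dH" % len(suites), *suites)
    body += b"\x01\x00"                               # null compression only
    return b"\x01" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    print(choose_profile(build_hello([0x002F, 0x0035, 0x000A])))  # legacy client
    print(choose_profile(build_hello([0x0035, 0xC02F, 0x003C])))  # offers SHA256
```
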