SSL key length

I've written a HTTP server using Indy 9.0.3 and the latest OpenSSL. I
have a 128 bit certificate from Thawte. Connecting from IE5 to the
server with https works fine.

However we have some ColdFusion applications that don't work at 128
bits. They need 56 (or maybe 40) bit encryption. These will not
connect to my server.

Does anyone know why this should be. Should SSL not negotiate its
keylength when a client connects? I wonder if it is an issue with the