Hmm... While poking around, it's just noticed it's not possible in an all TLS 1.2 environment to prohibit TLS 1.0 from being used in FreeRADIUS. This is very atypical desire today but the ability to configure this is likely to be useful down the line. Nick