CirrusThe virtual server in questions tests appropriately (only TLS v1.2) via testssl.sh and the ssllabs.com tool. So why does curl -tls1 show connected?
openssl s_client -connect abc.def.com:443 -tls1
CONNECTED(00000003)
Nacreous-connect option first makes TCP connection on port 443 (default) if host port is not defined. Before every TLS handhsake, TCP connection is made. So you would see CONNECTED as 443 TCP connection is open.
you can use -msg in the command and you will see immediately after CLIENT_HELLO the connection is getting reset, failing TLS handshake which proves TLS1 is disabled.
eg.
openssl s_client -connect www.example.com:443 -tls1 -msg
CONNECTED(00000004)
>>> ??? [length 0005]
16 03 01 00 79
>>> TLS 1.0, Handshake [length 0079], ClientHello
01 00 00 75 03 01 82 43 99 b4 95 de 40 94 7a 73
44 8c aa e9 92 2e 65 ad 84 a2 3d 66 1e e8 1a d7
ce ed 6b 1b 0d 67 00 00 12 c0 0a c0 14 c0 09 c0
13 00 35 00 2f 00 39 00 33 00 ff 01 00 00 3a 00
00 00 12 00 10 00 00 0d 77 77 77 2e 61 65 67 6f
6e 2e 63 6f 6d 00 0b 00 04 03 00 01 02 00 0a 00
0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 23 00
00 00 16 00 00 00 17 00 00
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 126 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1639142869
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---Try same command with tls1_2 option and you will successful TLS hanshake taking place along with certficate details.
You can read more in below link