TLS 1.2 handshake still possible after only allowing TLS 1.0

Question

A customer of mine turned off TLS 1.0 at the OS-level. After that the connection to our product didn't work anymore. The customer does not have the latest version which uses .NET 4.6.1.

As we don't specify the protocol used, we are relying on the default value. According to https://support.microsoft.com/en-us/help/3069494/cannot-connect-to-a-server-by-using-the-servicepointmanager-or-sslstre .NET 4.6 enables TLS 1.2 by default, which would be perfect and what we want.

I wanted to play around with some configurations, for a better understanding. I specified to only allow TLS 1.0 at the code-level with:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;

To test the handshake I used openssl. It works perfectly with TLS 1.0, as it should. But to my astonishment the handshake also works with TLS 1.2.

$ openssl s_client -connect localhost:30050 -tls1_2
<..snip..>
SSL-Session:
    Protocol  : TLSv1.2
    <..snip..>

Are there some .NET or TLS rules I am overseeing? To my understanding TLS 1.2 should not be possible, when specifying TLS 1.0 as the only protocol.

Answer 1

mjwills in the comments asked, if the SecurityProtocol -Property impacts inbound or outbound connections.

After some research I found the post How do I disable SSL fallback and use only TLS for outbound connections in .NET? (Poodle mitigation) which had a comment that would answer the question:

You only need to set System.Net.ServicePointManager.SecurityProtocol if you are initiating outbound connections from .NET code , eg connecting to a web service or API from custom code running on your server. If you are only running a simple web site, and you are only accepting incoming connections from browsers, then the registry fix is enough.