When you connect, you specify supported ciphers. If the server doesn't support them, there's standard "insufficient security" (71) error that was there since at least TLS 1.0, maybe earlier.
Confidentiality of the TLS connection is indeed easy to handle here.
The hard part is certificate authentication. And that's not included in the cipher suite setting.