So, in general, I think we should do whatever FreeRADIUS does for its default SSL server, with the exception that abfab-tls needs to enable psk ciphers. Perhaps starting with TLS1.2:HIGH:!ANULL:!ENULL for abfab-tls and adding an !PSK to the non-abfab server. I just don't think it makes sense to consider this an abfab problem.