Re: What?
Think DH key exchange on TLS (ECDHE is too advanced). Once the identity of both parties are verified, the DH key exchange is done (simplifying TLS). If one of the identities is unknown, DH is not performed and data is sent in clear. One can have TLS auth without encryption.
The problem is one can run DH variations on the top of it and still get encrypted communications.