The response I got from blizzard was from security@blizzard There is a thread option Blizzard only needs to add TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 to the supported list of ciphers. battlenet app and the games all have that cipher is the TLS client hello. So the new clients can use better encryption.
The server is choosing the best cipher that is configured and is first in the client hello cipher list.
There is a very good reason why TLS 1.3 have removed so many ciphers.
A VPN will not work. I don’t know of a VPN provider that has an exit node in AS57976. The VPN I use Cloudflare WARP also have problems with the battlenet app and the AS path to blizzard is AS13335 AS1299 AS57976 so the transit provide can save the session and decrypt them later due to there re no DH in the cythers