TLS 1.3 is not enabled by default on ESX ports 2379 and 2380


Article ID: 394970


Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

  • The Etcd service, which runs on 3 hosts per vCenter cluster, starts a server on ports 2379 and 2380. This server is configured to use only TLS 1.2 by default, even if the host's TLS Profile specified TLS 1.3.

Environment

  • ESXi 9.0.0 (when added to a vCenter cluster)

Cause

  • The Golang runtime previously used a cryptography library whose TLS 1.3 implementation was not FIPS-compliant, so it was not enabled by default. The library has been updated to fix compliance, but the default remained at TLS 1.2.

Resolution

This issue will be fixed in a future version of ESX to enable TLS 1.3 by default.

If TLS 1.3 is needed for these ports on ESX 9.0.0, it can be enabled with the following workaround:
  1. Set the host's TLS profile to "MANUAL".
  2. Modify the Etcd config to enable the desired combination of TLS versions.
  3. Reboot the host.

Additional Information

  • Although the Etcd service only runs on 3 hosts at a time per cluster, that set of hosts can change in response to inventory operations. If inventory-wide TLS 1.3 usage is needed, then the configuration or upgrade needs to be applied to all hosts, not just the ones currently running Etcd.
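After applying the workaround above (and before assuming inventory-wide TLS 1.3 coverage), an administrator will want to confirm what each host's Etcd ports actually negotiate rather than trusting the TLS profile setting. The following probe, an added example that is not part of this article and not VMware tooling, offers each port a handshake restricted to a single TLS version and reports whether the server completes it. It assumes the default ports 2379 and 2380 named above, and it deliberately disables certificate verification because the point is a version inventory, not a trust check; the host list is supplied on the command line.

```python
import socket
import ssl
import sys

# Default Etcd client and peer ports, as named in the KB article.
ETCD_PORTS = (2379, 2380)

# Protocol versions the article discusses; the probe offers exactly one per handshake.
VERSIONS = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_tls_version(host, port, version, timeout=5.0):
    """Attempt a handshake that offers only `version`.

    Returns "ok" when the server completes the handshake at that version,
    "rejected" when TCP connects but the TLS handshake fails (the server does
    not accept that version), and "unreachable" when no TCP connection could
    be made at all (for example, a host that is not currently running Etcd).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = VERSIONS[version]
    ctx.maximum_version = VERSIONS[version]
    # Version inventory only: certificate trust is intentionally not checked.
    # Do not reuse this context for real client traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        # ssl.SSLError is a subclass of OSError, so any failure after the TCP
        # connection succeeded is treated as the server declining the version.
        with raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "ok" if tls.version() == version else "rejected"
    except OSError:
        return "rejected"


def audit_host(host, ports=ETCD_PORTS):
    """Probe every version on every Etcd port of one host."""
    return {port: {v: probe_tls_version(host, port, v) for v in VERSIONS}
            for port in ports}


def classify(port_result):
    """Summarise one port's probe results in the terms the article uses."""
    if all(r == "unreachable" for r in port_result.values()):
        return "not listening (host may not currently run Etcd)"
    if port_result.get("TLSv1.3") == "ok":
        return "TLS 1.3 enabled"
    if port_result.get("TLSv1.2") == "ok":
        return "TLS 1.2 only (the ESXi 9.0.0 default)"
    return "no probed version accepted"


if __name__ == "__main__":
    # Usage: python probe_etcd_tls.py esx01.example.internal esx02.example.internal ...
    for host in sys.argv[1:]:
        for port, result in audit_host(host).items():
            print(f"{host}:{port} -> {classify(result)} {result}")
```

Run it against every host in the inventory, not only the three currently hosting Etcd: a host that reports "not listening" today may start the service after an inventory operation, so its configuration still matters. A host that completes the TLSv1.2-only handshake but fails the TLSv1.3-only one is exhibiting exactly the default described in this article.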