A patch to nginx allows you to change TLS 1.3 cipher suites

nginx-tls1.3-openssl.patch

You can specify a perfered TLS 1.3 cipher suites list in Nginx by the following setting:

  ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256|ECDHE+AESGCM:HIGH:!aNULL:!eNULL:!MD5;

The TLS 1.3 and TLS 1.2- cipher suites are separated by a '|', notice that you neet to list the full name of TLS 1.3 cipher suites according to OpenSSL Wiki.
Only tested on nginx/1.15.7 with OpenSSL 1.1.1a.
See https://x-nagi.com/2018/11/nginx-tls1-3-patch.html for details.
---
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index a281fba..7e2809b 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -662,7 +662,35 @@ ngx_int_t
 ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
     ngx_uint_t prefer_server_ciphers)
 {
-    if (SSL_CTX_set_cipher_list(ssl->ctx, (char *) ciphers->data) == 0) {
+    u_char *ciphers_data;
+
+    ciphers_data = ciphers->data;
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+    /* Find TLS 1.3 ciphersuite config */
+    size_t i;
+    for (i = 0; i < ciphers->len; i++)
+    {
+        if (ciphers->data[i] == '|')
+        {
+            break;
+        }
+    }
+    if (i < ciphers->len)
+    {
+        ciphers->data[i] = '\0';
+        if (SSL_CTX_set_ciphersuites(ssl->ctx, (char *)ciphers->data) == 0)
+        {
+            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                          "SSL_CTX_set_ciphersuites(\"%V\") failed",
+                          ciphers);
+            return NGX_ERROR;
+        }
+        ciphers->data[i] = '|';
+        ciphers_data = &(ciphers->data[i + 1]);
+    }
+#endif
+
+    if (SSL_CTX_set_cipher_list(ssl->ctx, (char *) ciphers_data) == 0) {
         ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                       "SSL_CTX_set_cipher_list(\"%V\") failed",
                       ciphers);