Comment 11 for bug 1836366

Simon Déziel (sdeziel) wrote:

I can confirm that it does work as expected with package 1.14.0-0ubuntu1.3 from bionic-proposed. I tested on my personal site.

Before (1.2 and 1.3 work despite 1.3 not being explicitly enabled):

$ echo q | openssl s_client -connect sdeziel.info:443 -tls1_2 -no_ign_eof 2>/dev/null | grep 'Cipher is'
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305

$ echo q | openssl s_client -connect sdeziel.info:443 -tls1_3 -no_ign_eof 2>/dev/null | grep 'Cipher is'
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384

# apt-get dist-upgrade
Calculating upgrade... Done
The following packages will be upgraded:
   libnginx-mod-http-geoip (1.14.0-0ubuntu1.2 => 1.14.0-0ubuntu1.3)
   libnginx-mod-http-image-filter (1.14.0-0ubuntu1.2 => 1.14.0-0ubuntu1.3)
   libnginx-mod-http-xslt-filter (1.14.0-0ubuntu1.2 => 1.14.0-0ubuntu1.3)
   libnginx-mod-mail (1.14.0-0ubuntu1.2 => 1.14.0-0ubuntu1.3)
   libnginx-mod-stream (1.14.0-0ubuntu1.2 => 1.14.0-0ubuntu1.3)
   nginx-common (1.14.0-0ubuntu1.2 => 1.14.0-0ubuntu1.3)
   nginx-core (1.14.0-0ubuntu1.2 => 1.14.0-0ubuntu1.3)

After (only 1.2 works == bug fixed):

$ echo q | openssl s_client -connect sdeziel.info:443 -tls1_2 -no_ign_eof 2>/dev/null | grep 'Cipher is'
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305

$ echo q | openssl s_client -connect sdeziel.info:443 -tls1_3 -no_ign_eof 2>/dev/null | grep 'Cipher is'
New, (NONE), Cipher is (NONE)

After the update and manually enabling TLS 1.3 (1.2 and 1.3 work):

$ echo q | openssl s_client -connect sdeziel.info:443 -tls1_2 -no_ign_eof 2>/dev/null | grep 'Cipher is'
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305

$ echo q | openssl s_client -connect sdeziel.info:443 -tls1_3 -no_ign_eof 2>/dev/null | grep 'Cipher is'
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
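The per-protocol checks above are a one-off run by hand. The script below is an added example, not part of the bug comment or the nginx package, that turns the same `openssl s_client` probe into a reusable verification: it parses the `New, <protocol>, Cipher is <cipher>` line that s_client prints, treats `New, (NONE), Cipher is (NONE)` as "handshake refused", and walks a host through TLS 1.0 to 1.3 so the before/after state of a server can be compared in one run. The host name, port and the `-tls1_3` flag are assumptions: the flag exists only in OpenSSL 1.1.1 or later, and the loop will report older protocols as "not offered" when the local client was built without them. The sample s_client output used to exercise the parser is constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): probe which TLS protocol
# versions a server negotiates, using the same openssl s_client check as
# the comment above. Assumes an OpenSSL 1.1.1+ client (for -tls1_3).

# Extract "<protocol> <cipher>" from s_client output. s_client prints
# "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384" on success and
# "New, (NONE), Cipher is (NONE)" when the handshake was refused.
parse_cipher_line() {
    printf '%s\n' "$1" \
        | sed -n 's/^New, \(.*\), Cipher is \(.*\)$/\1 \2/p' \
        | head -n 1
}

# Return 0 if the output shows a negotiated session, 1 otherwise
# (empty output, e.g. a connection failure, also counts as refused).
negotiated() {
    case "$(parse_cipher_line "$1")" in
        ""|"(NONE) (NONE)") return 1 ;;
        *) return 0 ;;
    esac
}

# Run one s_client handshake forcing a single protocol version.
# "echo q" plus -no_ign_eof makes s_client exit after the handshake,
# exactly as in the manual checks; stderr is dropped as there.
probe_one() {   # host port flag (e.g. example.org 443 -tls1_3)
    echo q | openssl s_client -connect "$1:$2" "$3" -no_ign_eof 2>/dev/null \
        || true   # s_client exits non-zero on a refused handshake
}

# Print one line per protocol version: negotiated cipher or "not offered".
probe_host() {   # host [port]
    host=$1
    port=${2:-443}
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        out=$(probe_one "$host" "$port" "$flag")
        if negotiated "$out"; then
            printf '%-8s %s\n' "$flag" "$(parse_cipher_line "$out")"
        else
            printf '%-8s not offered\n' "$flag"
        fi
    done
}

# Usage: ./tls-probe.sh sdeziel.info 443   (host is an assumption)
if [ $# -gt 0 ]; then
    probe_host "$1" "${2:-443}"
fi
```

Run against the fixed package with the default `ssl_protocols`, the `-tls1_3` line should read "not offered", matching the `New, (NONE), Cipher is (NONE)` output above; after TLS 1.3 is enabled in the nginx configuration it should show a `TLS_AES_*` cipher again.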