TLS1.3 sucks way less than its predecessors for a myriad of reasons,
and the main one being that it got rid of a metric fuckton of legacy stuff,
allowing OpenSSL to only implement 5 ciphersuites,
with only 3 enabled by default:
So the problem boils down to "how do I disable
Because people tend to not read documentation, old cipher strings may have inadvertently disabled TLS1.3 ciphers, causing issues. This is why OpenSSL split the configuration mechanisms for TLS1.3 and TLS<1.3 in 2018.
Unfortunately, the nginx developers aren't happy with this,
calling it a band-aid, so they didn't bother making use of the new API,
meaning that it's impossible to tweak TLS1.3 ciphers on nginx with OpenSSL
Anyway, just slap
ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
in your nginx configuration, and enjoy post-quantum ciphers for TLS1.3!
Apart from bragging rights this change is pretty useless, since: