TLS v1.3 active despite not being enabled in Nginx config

Nginx 1.14.1 built with OpenSSL 1.1.0g

OpenSSL 1.1.0 does not support TLS 1.3

Ubuntu Server 18.04.1, OpenSSL 1.1.1 11 Sep 2018

Ubuntu 18.04.1 comes with OpenSSL 1.1.0g, not with OpenSSL 1.1.1.

My guess is that you somehow installed OpenSSL 1.1.1 on your system in a way that replaced the version which comes with the OS. Because nginx uses shared libraries it will use the OpenSSL 1.1.1 you have installed even though it was compiled against OpenSSL 1.1.0g.

The option ssl_protocols TLSv1.2; in nginx is not implemented by only enabling TLS 1.2. Instead, all useful protocols are enabled by default, and restricting it to TLS 1.2 effectively means that everything but TLS 1.2 gets disabled. But it can only disable protocols it is aware of, and given that nginx was compiled against an OpenSSL version without TLS 1.3 support, it is not aware that TLS 1.3 exists and also has no way to disable it, which means that it stays enabled.
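A check for the mismatch described in the answer above, added here as an example and not part of the original answer or of nginx: `nginx -V` prints a "(running with ...)" note when the OpenSSL loaded at run time differs from the build-time one. The function names, verdict strings and sample text are assumptions made for this example; the sample is constructed from the versions quoted on this page.

```shell
#!/bin/sh
# Constructed sample of `nginx -V 2>&1` output, using the versions from this page.
SAMPLE_NGINX_V='nginx version: nginx/1.14.1
built with OpenSSL 1.1.0g  2 Nov 2017 (running with OpenSSL 1.1.1  11 Sep 2018)
TLS SNI support enabled'

# Read `nginx -V` text on stdin, print "<built> <running>" OpenSSL versions.
# Without a "(running with ...)" note both versions are the same.
openssl_versions() {
    sed -n \
        -e 's/^built with OpenSSL \([^ ]*\).*(running with OpenSSL \([^ ]*\).*/\1 \2/p' \
        -e 't' \
        -e 's/^built with OpenSSL \([^ ]*\).*/\1 \1/p'
}

# Succeed if the given OpenSSL version has TLS 1.3 support (1.1.1 or later).
has_tls13() {
    v=${1%%[!0-9.]*}                      # 1.1.0g -> 1.1.0
    IFS=. read -r maj min pat <<EOF
$v
EOF
    [ $(( ${maj:-0} * 10000 + ${min:-0} * 100 + ${pat:-0} )) -ge 10101 ]
}

# $1 = `nginx -V 2>&1` text, $2 = value of ssl_protocols (e.g. "TLSv1.2").
# Prints one verdict (names are this example's own):
#   listed        TLSv1.3 is named in ssl_protocols
#   not-offered   the loaded OpenSSL has no TLS 1.3
#   restricted    nginx was built knowing TLS 1.3, so it can turn it off
#   stays-enabled built without TLS 1.3, running with it: cannot be turned off
tls13_verdict() {
    vers=$(printf '%s\n' "$1" | openssl_versions)
    [ -n "$vers" ] || { echo unknown; return; }
    built=${vers% *}; running=${vers#* }
    case " $2 " in *" TLSv1.3 "*) echo listed; return;; esac
    if ! has_tls13 "$running"; then echo not-offered
    elif has_tls13 "$built"; then echo restricted
    else echo stays-enabled
    fi
}

# On a live host: tls13_verdict "$(nginx -V 2>&1)" "TLSv1.2"
tls13_verdict "$SAMPLE_NGINX_V" "TLSv1.2"
```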
