Nginx – Fix TLS1.3 Not Working with OpenSSL 1.1.1-pre9

Tags: https, nginx, openssl, ssl, web-hosting

Despite having the latest nginx and OpenSSL, I do not get TLS1.3 on my server (www.baldeonline.com for reference), even though it is enabled in my configuration files. Furthermore, my instance of nginx was compiled with OpenSSL 1.1.1-pre9 installed.

$ nginx -V returns:

nginx version: nginx/1.15.2
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
built with OpenSSL 1.1.1-pre9 (beta) 21 Aug 2018

Most of the tutorials I have seen so far include CloudFlare, so I suspect it works in that case as TLS1.2 between server and CloudFlare and then TLS1.3 between CloudFlare and client, although I have nothing concrete to suggest this.

EDIT

As Patrick mentioned, running the command:
$ openssl s_client -connect www.baldeonline.com:443

shows that TLS1.3 is enabled. TLS1.3 should work with browsers when they are updated to fully support the final TLS1.3 (August 15, 2018) standard, not just the draft standards.

For those interested:

https://wiki.openssl.org/index.php/TLS1.3#Current_status_of_the_TLSv1.3_standard

Although the latest 1.1.1 versions support the final standard version, other applications that support TLSv1.3 may still be using older draft versions. This is a common source of interoperability problems. If two peers supporting different TLSv1.3 draft versions attempt to communicate then they will fall back to TLSv1.2.

TLDR: If you want TLS1.3 to work now with draft 28 use OpenSSL 1.1.1-pre8
https://fearby.com/article/enabling-tls-1-3-ssl-on-a-nginx-website-on-an-ubuntu-16-04-server-that-is-using-cloudflare/
Skip to "Time to update Open SSL" and use https://www.openssl.org/source/openssl-1.1.1-pre8.tar.gz in place of the git clone.

Best Answer

In OpenSSL 1.1.1-pre9, all draft support except TLS1.3 final version has been removed. However, browsers only support draft versions.
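
The version mismatch described in the question and answer can be reproduced offline. The following is an added example, not part of the original post or answer: it parses the body of a ClientHello `supported_versions` extension and picks the version a server would select. The sample bytes and the server preference lists are constructed for illustration; the wire values (0x0304 for final TLS 1.3, 0x7f00 | N for draft N) come from the TLS 1.3 specification and its drafts.

```python
import struct

# Wire values: final TLS 1.3 is 0x0304; draft N was advertised as 0x7f00 | N.
TLS12, TLS13_FINAL, TLS13_DRAFT28 = 0x0303, 0x0304, 0x7F1C

# Constructed sample: extension body from a client that only knows TLS 1.3
# drafts 28 and 23 plus TLS 1.2 (1-byte list length, then 2-byte versions).
DRAFT_CLIENT_EXT = bytes.fromhex("067f1c7f170303")
# Constructed sample: a client built against the final standard.
FINAL_CLIENT_EXT = bytes.fromhex("0403040303")

# Assumed server preference lists, following the page's description:
# pre9 speaks only the final version, pre8 speaks draft 28.
SERVER_PRE9 = [TLS13_FINAL, TLS12]
SERVER_PRE8 = [TLS13_DRAFT28, TLS12]


def version_name(v):
    """Readable name for a supported_versions entry."""
    if v >> 8 == 0x7F:
        return "TLS1.3-draft%d" % (v & 0xFF)
    names = {0x0301: "TLS1.0", 0x0302: "TLS1.1", TLS12: "TLS1.2", TLS13_FINAL: "TLS1.3"}
    return names.get(v, "0x%04x" % v)


def parse_supported_versions(ext_body):
    """Return the list of versions offered in a ClientHello extension body."""
    if not ext_body or ext_body[0] != len(ext_body) - 1 or ext_body[0] % 2:
        raise ValueError("malformed supported_versions extension")
    return [struct.unpack_from("!H", ext_body, i)[0] for i in range(1, len(ext_body), 2)]


def negotiate(client_ext, server_versions):
    """First server-preferred version the client also offers, or None."""
    offered = parse_supported_versions(client_ext)
    for v in server_versions:
        if v in offered:
            return version_name(v)
    return None


if __name__ == "__main__":
    for label, ext in (("draft-only client", DRAFT_CLIENT_EXT), ("final client", FINAL_CLIENT_EXT)):
        for srv, prefs in (("pre9", SERVER_PRE9), ("pre8", SERVER_PRE8)):
            print("%s vs %s -> %s" % (label, srv, negotiate(ext, prefs)))
```

A draft-only client against the pre9 list lands on TLS1.2, which matches the browser behaviour in the question, while a client built for the final standard (such as `openssl s_client` from the same build) gets TLS1.3.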