This should be fixed with https://cvsweb.openbsd.org/src/lib/libssl/tls13_legacy.c#rev1.43
which you should be able to backport to 7.4 without issues if you don't want to use current. The short version is that it is an unfortunate interaction between nginx fiddling with internal state of the library (which it should not be able to but is) and the SSL_shutdown() implementation for the TLSv1.3 stack not reacting as expected.
